1 /*
2 * Copyright (c) 2003-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecPolicyPriv
26 Private part of SecPolicy.h
27 */
28
29 #ifndef _SECURITY_SECPOLICYPRIV_H_
30 #define _SECURITY_SECPOLICYPRIV_H_
31
32 #include <Security/SecPolicy.h>
33 #include <CoreFoundation/CFArray.h>
34
35
36 #if defined(__cplusplus)
37 extern "C" {
38 #endif
39
40 /*!
41 @enum Policy Constants (Private)
42 @discussion Predefined constants used to specify a policy.
43 @constant kSecPolicyAppleMobileStore
44 @constant kSecPolicyAppleTestMobileStore
45 @constant kSecPolicyAppleEscrowService
46 @constant kSecPolicyAppleProfileSigner
47 @constant kSecPolicyAppleQAProfileSigner
48 @constant kSecPolicyAppleServerAuthentication
49 @constant kSecPolicyAppleOTAPKISigner
50 @constant kSecPolicyAppleTestOTAPKISigner
51 @constant kSecPolicyAppleIDValidationRecordSigning
52 @constant kSecPolicyAppleSMPEncryption
53 @constant kSecPolicyAppleTestSMPEncryption
54 @constant kSecPolicyApplePCSEscrowService
55 @constant kSecPolicyApplePPQSigning
56 @constant kSecPolicyAppleTestPPQSigning
57 @constant kSecPolicyAppleSWUpdateSigning
58 @constant kSecPolicyAppleATVAppSigning
59 @constant kSecPolicyAppleTestATVAppSigning
60 @constant kSecPolicyAppleOSXProvisioningProfileSigning
61 @constant kSecPolicyAppleATVVPNProfileSigning
62
63 */
64 extern const CFStringRef kSecPolicyAppleMobileStore
65 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
66 extern const CFStringRef kSecPolicyAppleTestMobileStore
67 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
68 extern const CFStringRef kSecPolicyAppleEscrowService
69 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
70 extern const CFStringRef kSecPolicyAppleProfileSigner
71 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
72 extern const CFStringRef kSecPolicyAppleQAProfileSigner
73 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
74 extern const CFStringRef kSecPolicyAppleServerAuthentication
75 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
76 #if TARGET_OS_IPHONE
77 extern const CFStringRef kSecPolicyAppleOTAPKISigner
78 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
79 extern const CFStringRef kSecPolicyAppleTestOTAPKISigner
80 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
81 extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy
82 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
83 extern const CFStringRef kSecPolicyAppleSMPEncryption
84 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
85 extern const CFStringRef kSecPolicyAppleTestSMPEncryption
86 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
87 #endif
88 extern const CFStringRef kSecPolicyApplePCSEscrowService
89 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
90 extern const CFStringRef kSecPolicyApplePPQSigning
91 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
92 extern const CFStringRef kSecPolicyAppleTestPPQSigning
93 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
94 extern const CFStringRef kSecPolicyAppleSWUpdateSigning
95 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
96 extern const CFStringRef kSecPolicyAppleATVAppSigning
97 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
98 extern const CFStringRef kSecPolicyAppleTestATVAppSigning
99 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
100 extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning
101 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
102 extern const CFStringRef kSecPolicyAppleATVVPNProfileSigning
103 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
104 extern const CFStringRef kSecPolicyAppleAST2DiagnosticsServerAuth
105 __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
106
107
108 /*!
109 @function SecPolicyCopy
110 @abstract Returns a copy of a policy reference based on certificate type and OID.
111 @param certificateType A certificate type.
112 @param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs.
113 @param policy The returned policy reference. This is a required parameter.
114 @result A result code. See "Security Error Codes" (SecBase.h).
115 @discussion This function is deprecated in Mac OS X 10.7 and later;
116 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h.
117 */
118 OSStatus SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef* policy)
119 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
120
121 /*!
122 @function SecPolicyCopyAll
123 @abstract Returns an array of all known policies based on certificate type.
124 @param certificateType A certificate type. This is a optional parameter. Pass CSSM_CERT_UNKNOWN if the certificate type is unknown.
125 @param policies The returned array of policies. This is a required parameter.
126 @result A result code. See "Security Error Codes" (SecBase.h).
127 @discussion This function is deprecated in Mac OS X 10.7 and later;
128 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally
129 no reason to iterate over multiple disjointed policies, except to provide a way to edit trust settings for each
130 policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID
131 for each desired policy from the list of supported OID constants in SecPolicy.h.)
132 */
133 OSStatus SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef* policies)
134 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
135
/*!
	@function SecPolicyCreateItemImplInstance
	@abstract Given a unified SecPolicyRef, return a copy with a legacy
	C++ ItemImpl-based Policy instance.
	@param policy The unified policy to convert.
	@result A legacy policy reference. Only for internal use; legacy
	references cannot be used by SecPolicy API functions (mixing the two
	representations is a misuse, not a supported fallback). Named with
	"Create", so the caller presumably owns the result — confirm.
*/
SecPolicyRef SecPolicyCreateItemImplInstance(SecPolicyRef policy);
140
/*!
	@function SecPolicyGetStringForOID
	@abstract Given a CSSM_OID pointer, return a string which can be passed
	to SecPolicyCreateWithProperties.
	@param oid The policy OID to look up.
	@result The policy string, or NULL if no supported policy was found for
	the OID argument. Callers must check for NULL before passing the value
	on. Named with "Get", so the returned string is presumably not owned by
	the caller (do not CFRelease) — confirm against the implementation.
*/
CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid);
145
146 /*!
147 @function SecPolicyCreateAppleIDSService
148 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
149 */
150 SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname);
151
152 /*!
153 @function SecPolicyCreateAppleIDSService
154 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
155 */
156 SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef context);
157
158 /*!
159 @function SecPolicyCreateApplePushService
160 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
161 */
162 SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef context);
163
164 /*!
165 @function SecPolicyCreateApplePushServiceLegacy
166 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
167 */
168 SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname);
169
170 /*!
171 @function SecPolicyCreateAppleMMCSService
172 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
173 */
174 SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef context);
175
176 /*!
177 @function SecPolicyCreateAppleGSService
178 @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions)
179 */
180 SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef context)
181 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
182
183 /*!
184 @function SecPolicyCreateApplePPQService
185 @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions)
186 */
187 SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef context);
188
189 /*!
190 @function SecPolicyCreateAppleAST2Service
191 @abstract Ensure we're appropriately pinned to the AST2 Diagnostic service (SSL + Apple restrictions)
192 */
193 SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef context)
194 __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
195
196 /*!
197 @function SecPolicyCreateAppleSSLService
198 @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
199 */
200 SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname);
201
202 /*!
203 @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies
204 @abstract Create timeStamping policy array from a given set of policies by applying identical revocation behavior
205 @param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef
206 */
207 CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray);
208
209 /*!
210 @function SecPolicyCreateAppleATVAppSigning
211 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
212 and apple anchor.
213 Leaf cert must have Digital Signature usage.
214 Leaf cert must have Apple ATV App Signing marker OID (1.2.840.113635.100.6.1.24).
215 Leaf cert must have 'Apple TVOS Application Signing' common name.
216 */
217 SecPolicyRef SecPolicyCreateAppleATVAppSigning(void)
218 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
219
220 /*!
221 @function SecPolicyCreateTestAppleATVAppSigning
222 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
223 and apple anchor.
224 Leaf cert must have Digital Signature usage.
225 Leaf cert must have Apple ATV App Signing Test marker OID (1.2.840.113635.100.6.1.24.1).
226 Leaf cert must have 'TEST Apple TVOS Application Signing TEST' common name.
227 */
228 SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void)
229 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
230
231 /*!
232 @function SecPolicyCreateApplePayIssuerEncryption
233 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations CA - G2' by name,
234 and apple anchor.
235 Leaf cert must have Key Encipherment and Key Agreement usage.
236 Leaf cert must have Apple Pay Issuer Encryption marker OID (1.2.840.113635.100.6.39).
237 */
238 SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
239 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
240
241 /*!
242 @function SecPolicyCreateOSXProvisioningProfileSigning
243 @abstract Check for leaf marker OID 1.2.840.113635.100.4.11,
244 intermediate marker OID 1.2.840.113635.100.6.2.1,
245 chains to Apple Root CA
246 */
247 SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void)
248 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
249
250
251 /*!
252 @function SecPolicyCreateAppleATVVPNProfileSigning
253 @abstract Check for leaf marker OID 1.2.840.113635.100.6.43,
254 intermediate marker OID 1.2.840.113635.100.6.2.10,
255 chains to Apple Root CA, path length 3
256 */
257 SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
258 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
259
260 /*!
261 @function SecPolicyCreateAppleHomeKitServerAuth
262 @abstract Ensure we're appropriately pinned to the HomeKit service (SSL + Apple restrictions)
263 @param hostname Required; hostname to verify the certificate name against.
264 @discussion This policy uses the Basic X.509 policy with validity check
265 and pinning options:
266 * The chain is anchored to any of the production Apple Root CAs via full certificate
267 comparison. Test Apple Root CAs are permitted only on internal releases with defaults write.
268 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16
269 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9.
270 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
271 extension or Common Name.
272 * The leaf is checked against the Black and Gray lists.
273 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
274 * Revocation is checked via CRL.
275 @result A policy object. The caller is responsible for calling CFRelease
276 on this when it is no longer needed.
277 */
278 SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
279 __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
280
281 #if defined(__cplusplus)
282 }
283 #endif
284
285 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */