]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/SecTrustSettingsPriv.h
Security-57337.50.23.tar.gz
[apple/security.git] / OSX / sec / Security / SecTrustSettingsPriv.h
1 /*
2 * Copyright (c) 2007-2008,2010,2012-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * SecTrustSettingsPriv.h - TrustSettings SPI functions.
26 */
27
28 #ifndef _SECURITY_SECTRUSTSETTINGSPRIV_H_
29 #define _SECURITY_SECTRUSTSETTINGSPRIV_H_
30
31 #include <CoreFoundation/CoreFoundation.h>
32 #include <Security/SecPolicy.h>
33 #include <Security/SecCertificate.h>
34 #include <Security/SecTrustSettings.h>
35
36 #ifdef __cplusplus
37 extern "C" {
38 #endif
39
40 /*
41 * A TrustSettings Record contains the XML encoding of a CFDictionary. This dictionary
42 * currently contains two name/value pairs:
43 *
44 * key = kTrustRecordVersion, value = SInt32 version number
45 * key = kTrustRecordTrustList, value = CFDictionary
46 *
47 * Each key/value pair of the CFDictionary associated with key kTrustRecordTrustList
48 * consists of:
49 * -- key = the ASCII representation (with alpha characters in upper case) of the
50 * cert's SHA1 digest.
51 * -- value = a CFDictionary representing one cert.
52 *
53 * Key/value pairs in the per-cert dictionary are as follows:
54 *
55 * -- key = kTrustRecordIssuer, value = non-normalized issuer as CFData
56 * -- key = kTrustRecordSerialNumber, value = serial number as CFData
57 * -- key = kTrustRecordModDate, value = CFDateRef of the last modification
58 date of the per-cert entry.
59 * -- key = kTrustRecordTrustSettings, value = array of dictionaries. The
60 * dictionaries are as described in the API in SecUserTrust.h
61 * although we store the values differently (see below).
62 * As written to disk, this key/value is always present although
63 * the usageConstraints array may be empty.
64 *
65 * A usageConstraints dictionary is like so (all elements are optional). These key
66 * strings are defined in SecUserTrust.h.
67 *
68 * key = kSecTrustSettingsPolicy value = policy OID as CFData
69 * key = kSecTrustSettingsApplication value = application path as CFString
70 * key = kSecTrustSettingsPolicyString value = CFString, policy-specific
71 * key = kSecTrustSettingsAllowedError value = CFNumber, an SInt32 CSSM_RETURN
72 * key = kSecTrustSettingsResult value = CFNumber, an SInt32 SecTrustSettingsResult
73 * key = kSecTrustSettingsKeyUsage value = CFNumber, an SInt32 key usage
74 * key = kSecTrustSettingsModifyDate value = CFDate, last modification
75 */
76
77 /*
78 * Keys in the top-level dictionary
79 */
80 #define kTrustRecordVersion CFSTR("trustVersion")
81 #define kTrustRecordTrustList CFSTR("trustList")
82
83 /*
84 * Keys in the per-cert dictionary in the TrustedRootList record.
85 */
86 /* value = non-normalized issuer as CFData */
87 #define kTrustRecordIssuer CFSTR("issuerName")
88
89 /* value = serial number as CFData */
90 #define kTrustRecordSerialNumber CFSTR("serialNumber")
91
92 /* value = CFDateRef representation of modification date */
93 #define kTrustRecordModDate CFSTR("modDate")
94
95 /*
96 * value = array of CFDictionaries as used in public API
97 * Not present for a cert which has no usage Constraints (i.e.
98 * "wide open" unrestricted, kSecTrustSettingsResultTrustRoot as
99 * the default SecTrustSettingsResult).
100 */
101 #define kTrustRecordTrustSettings CFSTR("trustSettings")
102
103 /*
104 * Version of the top-level dictionary.
105 */
106 enum {
107 kSecTrustRecordVersionInvalid = 0, /* should never be seen on disk */
108 kSecTrustRecordVersionCurrent = 1
109 };
110
111 /*
112 * Key for the (optional) default entry in a TrustSettings record. This
113 * appears in place of the cert's hash string, and corresponds to
114 * kSecTrustSettingsDefaultRootCertSetting at the public API.
115 * If you change this, make sure it has characters other than those
116 * appearing in a normal cert hash string (0..9 and A..F).
117 */
118 #define kSecTrustRecordDefaultRootCert CFSTR("kSecTrustRecordDefaultRootCert")
119
120 /*
121 * The location of the system root keychain and its associated TrustSettings.
122 * These are immutable; this module never modifies either of them.
123 */
124 #define SYSTEM_ROOT_STORE_PATH "/System/Library/Keychains/SystemRootCertificates.keychain"
125 #define SYSTEM_TRUST_SETTINGS_PATH "/System/Library/Keychains/SystemTrustSettings.plist"
126
127 /*
128 * The local admin cert store.
129 */
130 #define ADMIN_CERT_STORE_PATH "/Library/Keychains/System.keychain"
131
132 /*
133 * Per-user and local admin TrustSettings are stored in this directory.
134 * Per-user settings are of the form <uuid>.plist.
135 */
136 #define TRUST_SETTINGS_PATH "/Library/Trust Settings"
137 #define ADMIN_TRUST_SETTINGS "Admin.plist"
138
139 /*
140 * Additional values for the SecTrustSettingsDomain enum.
141 */
142 enum {
143 /*
144 * This indicates a TrustSettings that exists only in memory; it
145 * can't be written to disk.
146 */
147 kSecTrustSettingsDomainMemory = 100
148 };
149
150 typedef struct __SecTrustSettings *SecTrustSettingsRef;
151
152 CFTypeID SecTrustSettingsGetTypeID(void);
153 OSStatus SecTrustSettingsCreateFromExternal(SecTrustSettingsDomain domain,
154 CFDataRef external, SecTrustSettingsRef *ts);
155 SecTrustSettingsRef SecTrustSettingsCreate(SecTrustSettingsDomain domain,
156 bool create, bool trim);
157 CFDataRef SecTrustSettingsCopyExternal(SecTrustSettingsRef ts);
158 void SecTrustSettingsSet(SecCertificateRef certRef,
159 CFTypeRef trustSettingsDictOrArray);
160
161 /*
162 * Fundamental routine used to ascertain status of one cert.
163 *
164 * Returns true in *foundMatchingEntry if a trust setting matching
165 * specific constraints was found for the cert. Returns true in
166 * *foundAnyEntry if any entry was found for the cert, even if it
167 * did not match the specified constraints. The TP uses this to
168 * optimize for the case where a cert is being evaluated for
169 * one type of usage, and then later for another type. If
170 * foundAnyEntry is false, the second evaluation need not occur.
171 *
172 * Returns the domain in which a setting was found in *foundDomain.
173 *
174 * Allowed errors applying to the specified cert evaluation
175 * are returned in a mallocd array in *allowedErrors and must
176 * be freed by caller.
177 */
178 OSStatus SecTrustSettingsEvaluateCertificate(
179 SecCertificateRef certificate,
180 SecPolicyRef policy,
181 SecTrustSettingsKeyUsage keyUsage, /* optional */
182 bool isSelfSignedCert, /* for checking default setting */
183 /* RETURNED values */
184 SecTrustSettingsDomain *foundDomain,
185 CFArrayRef *allowedErrors, /* RETURNED */
186 SecTrustSettingsResult *resultType, /* RETURNED */
187 bool *foundMatchingEntry,/* RETURNED */
188 bool *foundAnyEntry); /* RETURNED */
189
190 /*
191 * Add a cert's TrustSettings to a non-persistent TrustSettings record.
192 * Primarily intended for use in creating a system TrustSettings record
193 * (which is itself immutable via this module).
194 *
195 * The settingsIn argument is an external representation of a TrustSettings
196 * record, obtianed from this function or from
197 * SecTrustSettingsCreateExternalRepresentation().
198 * If settingsIn is NULL, a new (empty) TrustSettings will be created.
199 *
200 * The certRef and trustSettingsDictOrArray arguments are as in
201 * SecTrustSettingsSetTrustSettings(). May be NULL, when e.g. creating
202 * a new and empty TrustSettings record.
203 *
204 * The external representation is written to the settingOut argument,
205 * which must eventually be CFReleased by the caller.
206 */
207 #if SECTRUST_OSX
208 OSStatus SecTrustSettingsSetTrustSettingsExternal_ios(
209 #else
210 OSStatus SecTrustSettingsSetTrustSettingsExternal(
211 #endif
212 CFDataRef settingsIn, /* optional */
213 SecCertificateRef certRef, /* optional */
214 CFTypeRef trustSettingsDictOrArray, /* optional */
215 CFDataRef *settingsOut); /* RETURNED */
216
217 #ifdef __cplusplus
218 }
219 #endif
220
221 #endif /* _SECURITY_SECTRUSTSETTINGSPRIV_H_ */
222