1 /*
2 * Copyright (c) 2000-2009,2011,2012,2014,2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * CertExtensions.h -- X.509 Cert Extensions as C structs
24 */
25
26 #ifndef _CERT_EXTENSIONS_H_
27 #define _CERT_EXTENSIONS_H_
28
29 #include <Security/SecBase.h>
30
31 #if SEC_OS_OSX
32
33 #include <Security/cssmtype.h>
34 #pragma clang diagnostic push
35 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
36
37 #else /* SEC_OS_IPHONE */
38
39 #include <stdbool.h>
40 #include <libDER/libDER.h>
41
42 #endif /* SEC_OS_IPHONE */
43
44 /***
45 *** Structs for declaring extension-specific data.
46 ***/
47
48 /*
49 * GeneralName, used in AuthorityKeyID, SubjectAltName, and
50 * IssuerAltName.
51 *
52 * For now, we just provide explicit support for the types which are
53 * represented as IA5Strings, OIDs, and octet strings. Constructed types
54 * such as EDIPartyName and x400Address are not explicitly handled
55 * right now and must be encoded and decoded by the caller. (See exception
 * for Name and OtherName, below). In those cases the SecCEGeneralName.name.Data / CE_GeneralName.name.Data field
 * represents the BER contents octets; SecCEGeneralName.name.Length / CE_GeneralName.name.Length is the
 * length of the contents; the tag of the field is not needed - the BER
 * encoding uses context-specific implicit tagging. The berEncoded field
 * is set to true / CSSM_TRUE in these cases. Simple types have berEncoded = false / CSSM_FALSE.
 * NOTE(review): in every case name is a length-delimited buffer (name.Length),
 * not a NUL-terminated C string; a NUL byte inside an rfc822Name, dNSName or
 * URI is part of the name and must not be treated as a terminator.
61 *
62 * In the case of a GeneralName in the form of a Name, we parse the Name
63 * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
64 * CE_GeneralName.name.Data field. SecCEGeneralName.name.Length / CE_GeneralName.name.Length is set to
65 * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
66 *
67 * In the case of a GeneralName in the form of a OtherName, we parse the fields
68 * into a CE_OtherName and place a pointer to the SecCEOtherName / CE_OtherName in the
69 * SecCEGeneralName.name.Data / CE_GeneralName.name.Data field. SecCEGeneralName.name.Length / CE_GeneralName.name.Length is set to
70 * sizeof(SecCEOtherName) / sizeof(CE_OtherName). In this case berEncoded is false.
71 *
72 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
73 *
74 * GeneralName ::= CHOICE {
75 * otherName [0] OtherName
76 * rfc822Name [1] IA5String,
77 * dNSName [2] IA5String,
78 * x400Address [3] ORAddress,
79 * directoryName [4] Name,
80 * ediPartyName [5] EDIPartyName,
81 * uniformResourceIdentifier [6] IA5String,
82 * iPAddress [7] OCTET STRING,
83 * registeredID [8] OBJECT IDENTIFIER}
84 *
85 * OtherName ::= SEQUENCE {
86 * type-id OBJECT IDENTIFIER,
87 * value [0] EXPLICIT ANY DEFINED BY type-id }
88 *
89 * EDIPartyName ::= SEQUENCE {
90 * nameAssigner [0] DirectoryString OPTIONAL,
91 * partyName [1] DirectoryString }
92 */
#if SEC_OS_OSX
/*
 * Which alternative of the GeneralName CHOICE (above) a CE_GeneralName
 * holds. The enumerators follow the context-specific tag numbers [0]..[8]
 * of the CHOICE, so GNT_OtherName == 0 corresponds to tag [0].
 * NOTE(review): nameType decides how CE_GeneralName.name must be read
 * (raw contents octets, a pointer to CSSM_X509_NAME for GNT_DirectoryName,
 * or a pointer to CE_OtherName for GNT_OtherName - see the comment above);
 * always test it before dereferencing name.Data.
 */
typedef enum __CE_GeneralNameType {
    GNT_OtherName = 0,
    GNT_RFC822Name,
    GNT_DNSName,
    GNT_X400Address,
    GNT_DirectoryName,
    GNT_EdiPartyName,
    GNT_URI,
    GNT_IPAddress,
    GNT_RegisteredID
} CE_GeneralNameType;

#elif SEC_OS_IPHONE

/* iOS counterpart of CE_GeneralNameType; same enumerators, same values. */
typedef enum {
    GNT_OtherName = 0,
    GNT_RFC822Name,
    GNT_DNSName,
    GNT_X400Address,
    GNT_DirectoryName,
    GNT_EdiPartyName,
    GNT_URI,
    GNT_IPAddress,
    GNT_RegisteredID
} SecCEGeneralNameType;

#endif /* SEC_OS_IPHONE */
121
#if SEC_OS_OSX

/*
 * OtherName: the type-id OID plus its [0] EXPLICIT value, which is left
 * undecoded. Consumers that recognise typeId must decode value themselves.
 */
typedef struct __CE_OtherName {
    CSSM_OID typeId;
    CSSM_DATA value; // unparsed, BER-encoded
} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One GeneralName. nameType selects the interpretation of name (see the
 * long comment above): for berEncoded == CSSM_TRUE name holds raw BER
 * contents octets; for GNT_DirectoryName / GNT_OtherName name.Data is a
 * pointer to a CSSM_X509_NAME / CE_OtherName; otherwise name is the string
 * or OID contents, delimited by name.Length and never NUL-terminated.
 */
typedef struct __CE_GeneralName {
    CE_GeneralNameType nameType; // GNT_RFC822Name, etc.
    CSSM_BOOL berEncoded;
    CSSM_DATA name;
    } CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* A GeneralNames SEQUENCE: numNames entries in the generalName array. */
typedef struct __CE_GeneralNames {
    uint32 numNames;
    CE_GeneralName *generalName;
} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

/* iOS OtherName: type-id OID plus the undecoded [0] EXPLICIT value. */
typedef struct {
    DERItem typeId;
    DERItem value; // unparsed, BER-encoded
} SecCEOtherName;

/*
 * iOS GeneralName; same contract as CE_GeneralName above, with DERItem in
 * place of CSSM_DATA. name is length-delimited, never NUL-terminated.
 */
typedef struct {
    SecCEGeneralNameType nameType; // GNT_RFC822Name, etc.
    bool berEncoded;
    DERItem name;
} SecCEGeneralName;

/* iOS GeneralNames: numNames entries in generalName. */
typedef struct {
    uint32_t numNames;
    SecCEGeneralName *generalName;
} SecCEGeneralNames;

#endif /* SEC_OS_IPHONE */
159
160 /*
161 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
162 *
163 * AuthorityKeyIdentifier ::= SEQUENCE {
164 * keyIdentifier [0] KeyIdentifier OPTIONAL,
165 * authorityCertIssuer [1] GeneralNames OPTIONAL,
166 * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
167 *
168 * KeyIdentifier ::= OCTET STRING
169 *
170 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
171 */
#if SEC_OS_OSX
/*
 * Decoded AuthorityKeyIdentifier (ASN.1 above). Each OPTIONAL component has
 * a *Present flag; the paired value is meaningful only when its flag is
 * CSSM_TRUE (generalNames is additionally NULL when absent).
 * NOTE(review): the AKID only *locates* a candidate issuer. A matching
 * keyIdentifier or issuer/serial pair is not evidence of issuance; the
 * chain builder must still verify the signature with the issuer's key.
 * serialNumber is kept as raw bytes (presumably the INTEGER contents
 * octets, sign byte included - confirm against the decoder), so compare
 * it bytewise with the candidate issuer's encoded serial.
 */
typedef struct __CE_AuthorityKeyID {
    CSSM_BOOL keyIdentifierPresent;
    CSSM_DATA keyIdentifier;
    CSSM_BOOL generalNamesPresent;
    CE_GeneralNames *generalNames;
    CSSM_BOOL serialNumberPresent;
    CSSM_DATA serialNumber;
} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS counterpart of CE_AuthorityKeyID; same field semantics. */
typedef struct {
    bool keyIdentifierPresent;
    DERItem keyIdentifier;
    bool generalNamesPresent;
    SecCEGeneralNames *generalNames;
    bool serialNumberPresent;
    DERItem serialNumber;
} SecCEAuthorityKeyID;
#endif /* SEC_OS_IPHONE */
191
192 /*
193 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
194 * SubjectKeyIdentifier ::= KeyIdentifier
195 *
196 * CSSM OID = CSSMOID_SubjectKeyIdentifier
197 */
#if SEC_OS_OSX
/*
 * The subject's KeyIdentifier as raw OCTET STRING contents. A child's
 * AuthorityKeyID.keyIdentifier is matched against this value when
 * building chains; like the AKID, the match is a lookup hint, not proof.
 */
typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS counterpart of CE_SubjectKeyID. */
typedef DERItem SecCESubjectKeyID;
#endif /* SEC_OS_IPHONE */
203
204 /*
205 * id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
206 *
207 * KeyUsage ::= BIT STRING {
208 * digitalSignature (0),
209 * nonRepudiation (1),
210 * keyEncipherment (2),
211 * dataEncipherment (3),
212 * keyAgreement (4),
213 * keyCertSign (5),
214 * cRLSign (6),
215 * encipherOnly (7),
216 * decipherOnly (8) }
217 *
218 * CSSM OID = CSSMOID_KeyUsage
219 *
220 */
#if SEC_OS_OSX
/*
 * KeyUsage as a 16-bit mask. ASN.1 bit n of the BIT STRING (listed above)
 * lands in bit (15 - n) here, i.e. the first bit transmitted is the most
 * significant: digitalSignature(0) -> 0x8000 ... decipherOnly(8) -> 0x0080.
 * Only the top nine bits have a defined meaning; the low seven should be
 * left clear by the decoder, and usage checks should mask (value & CE_KU_x)
 * rather than compare the whole value for equality.
 * NOTE(review): RFC 5280 renames nonRepudiation(1) to contentCommitment;
 * the bit position is unchanged.
 */
typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS counterpart of CE_KeyUsage; identical bit layout. */
typedef uint16_t SecCEKeyUsage;
#endif /* SEC_OS_IPHONE */

#if SEC_OS_OSX
/* Masks for CE_KeyUsage; each name is the ASN.1 bit name above. */
#define CE_KU_DigitalSignature 0x8000
#define CE_KU_NonRepudiation 0x4000
#define CE_KU_KeyEncipherment 0x2000
#define CE_KU_DataEncipherment 0x1000
#define CE_KU_KeyAgreement 0x0800
#define CE_KU_KeyCertSign 0x0400
#define CE_KU_CRLSign 0x0200
#define CE_KU_EncipherOnly 0x0100
#define CE_KU_DecipherOnly 0x0080
#else /* SEC_OS_IPHONE */
/* The same masks for SecCEKeyUsage under the SecCE prefix. */
#define SecCEKU_DigitalSignature 0x8000
#define SecCEKU_NonRepudiation 0x4000
#define SecCEKU_KeyEncipherment 0x2000
#define SecCEKU_DataEncipherment 0x1000
#define SecCEKU_KeyAgreement 0x0800
#define SecCEKU_KeyCertSign 0x0400
#define SecCEKU_CRLSign 0x0200
#define SecCEKU_EncipherOnly 0x0100
#define SecCEKU_DecipherOnly 0x0080
#endif /* SEC_OS_IPHONE */
248
249 /*
250 * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
251 *
252 * -- reasonCode ::= { CRLReason }
253 *
254 * CRLReason ::= ENUMERATED {
255 * unspecified (0),
256 * keyCompromise (1),
257 * cACompromise (2),
258 * affiliationChanged (3),
259 * superseded (4),
260 * cessationOfOperation (5),
261 * certificateHold (6),
262 * removeFromCRL (8) }
263 *
264 * CSSM OID = CSSMOID_CrlReason
265 *
266 */
#if SEC_OS_OSX
/*
 * CRLReason as a plain integer. Value 7 is absent from the ENUMERATED
 * above, so no macro exists for it. CE_CR_RemoveFromCRL is only meaningful
 * in delta CRLs (RFC 5280).
 * NOTE(review): RFC 5280 adds privilegeWithdrawn(9) and aACompromise(10),
 * which have no macros here. A decoder should store whatever value it
 * reads unchanged rather than collapse unknown reasons to
 * CE_CR_Unspecified, so the reason is not lost.
 */
typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS counterpart of CE_CrlReason; same values. */
typedef uint32_t SecCECrlReason;
#endif /* SEC_OS_IPHONE */

#if SEC_OS_OSX
/* CRLReason values; names follow the ASN.1 ENUMERATED above. */
#define CE_CR_Unspecified 0
#define CE_CR_KeyCompromise 1
#define CE_CR_CACompromise 2
#define CE_CR_AffiliationChanged 3
#define CE_CR_Superseded 4
#define CE_CR_CessationOfOperation 5
#define CE_CR_CertificateHold 6
#define CE_CR_RemoveFromCRL 8
#elif SEC_OS_IPHONE
/* The same values for SecCECrlReason under the SecCE prefix. */
#define SecCECR_Unspecified 0
#define SecCECR_KeyCompromise 1
#define SecCECR_CACompromise 2
#define SecCECR_AffiliationChanged 3
#define SecCECR_Superseded 4
#define SecCECR_CessationOfOperation 5
#define SecCECR_CertificateHold 6
#define SecCECR_RemoveFromCRL 8
#endif /* SEC_OS_IPHONE */
292
293 /*
294 * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
295 *
296 * SubjectAltName ::= GeneralNames
297 *
298 * CSSM OID = CSSMOID_SubjectAltName
299 *
300 * GeneralNames defined above.
301 */
302
/*
 * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
 *
 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
 *
 * KeyPurposeId ::= OBJECT IDENTIFIER
 *
 * CSSM OID = CSSMOID_ExtendedKeyUsage
 */
#if SEC_OS_OSX
/*
 * Decoded ExtendedKeyUsage: numPurposes OIDs in the purposes array.
 * The "Intel pre-encoded format" remark is inherited from CDSA; presumably
 * it means each OID is held as its DER contents octets without tag and
 * length - confirm against the decoder. Match purposes by exact byte
 * comparison of the encoded OID.
 * NOTE(review): unlike the neighbouring CE_* types this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER attribute.
 * NOTE(review): the ASN.1 requires at least one purpose; a decoder should
 * reject an empty SEQUENCE instead of silently returning numPurposes == 0.
 */
typedef struct __CE_ExtendedKeyUsage {
    uint32 numPurposes;
    CSSM_OID_PTR purposes; // in Intel pre-encoded format
} CE_ExtendedKeyUsage;

#elif SEC_OS_IPHONE

/* iOS counterpart of CE_ExtendedKeyUsage; purposes holds numPurposes DERItems. */
typedef struct {
    uint32_t numPurposes;
    DERItem *purposes; // in Intel pre-encoded format
} SecCEExtendedKeyUsage;
#endif /* SEC_OS_IPHONE */
325
326 /*
327 * id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
328 *
329 * BasicConstraints ::= SEQUENCE {
330 * cA BOOLEAN DEFAULT FALSE,
331 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
332 *
333 * CSSM OID = CSSMOID_BasicConstraints
334 */
#if SEC_OS_OSX
/*
 * Decoded BasicConstraints. cA mirrors the DEFAULT FALSE boolean above;
 * pathLenConstraint is valid only when pathLenConstraintPresent is
 * CSSM_TRUE. On this platform the extension's critical flag is carried in
 * CE_DataAndType, not here.
 * NOTE(review): pathLenConstraint is INTEGER (0..MAX) narrowed to uint32;
 * a decoder must reject negative or oversized values rather than truncate
 * them, since truncation could loosen a CA's path limit. Per RFC 5280 the
 * limit is only meaningful when cA is TRUE.
 */
typedef struct __CE_BasicConstraints {
    CSSM_BOOL cA;
    CSSM_BOOL pathLenConstraintPresent;
    uint32 pathLenConstraint;
} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

/*
 * iOS form of BasicConstraints. present/critical record whether the
 * extension appeared and whether it was marked critical; the CA flag is
 * named isCA here (cA on OS X). pathLenConstraint is valid only when
 * pathLenConstraintPresent is true; the same uint32 narrowing caveat as
 * CE_BasicConstraints applies.
 */
typedef struct {
    bool present;
    bool critical;
    bool isCA;
    bool pathLenConstraintPresent;
    uint32_t pathLenConstraint;
} SecCEBasicConstraints;

/*
 * iOS form of PolicyConstraints (id-ce 36; the ASN.1 is given with the
 * OS X CE_PolicyConstraints further down). Each SkipCerts value is valid
 * only when its *Present flag is true.
 */
typedef struct {
    bool present;
    bool critical;
    bool requireExplicitPolicyPresent;
    uint32_t requireExplicitPolicy;
    bool inhibitPolicyMappingPresent;
    uint32_t inhibitPolicyMapping;
} SecCEPolicyConstraints;
#endif /* SEC_OS_IPHONE */
361
362 /*
363 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
364 *
365 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
366 *
367 * PolicyInformation ::= SEQUENCE {
368 * policyIdentifier CertPolicyId,
369 * policyQualifiers SEQUENCE SIZE (1..MAX) OF
370 * PolicyQualifierInfo OPTIONAL }
371 *
372 * CertPolicyId ::= OBJECT IDENTIFIER
373 *
374 * PolicyQualifierInfo ::= SEQUENCE {
375 * policyQualifierId PolicyQualifierId,
376 * qualifier ANY DEFINED BY policyQualifierId }
377 *
378 * -- policyQualifierIds for Internet policy qualifiers
379 *
380 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
381 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
382 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
383 *
384 * PolicyQualifierId ::=
385 * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
386 *
387 * Qualifier ::= CHOICE {
388 * cPSuri CPSuri,
389 * userNotice UserNotice }
390 *
391 * CPSuri ::= IA5String
392 *
393 * UserNotice ::= SEQUENCE {
394 * noticeRef NoticeReference OPTIONAL,
395 * explicitText DisplayText OPTIONAL}
396 *
397 * NoticeReference ::= SEQUENCE {
398 * organization DisplayText,
399 * noticeNumbers SEQUENCE OF INTEGER }
400 *
401 * DisplayText ::= CHOICE {
402 * visibleString VisibleString (SIZE (1..200)),
403 * bmpString BMPString (SIZE (1..200)),
404 * utf8String UTF8String (SIZE (1..200)) }
405 *
406 * CSSM OID = CSSMOID_CertificatePolicies
407 *
408 * We only support down to the level of Qualifier, and then only the CPSuri
409 * choice. UserNotice is transmitted to and from this library as a raw
410 * CSSM_DATA containing the BER-encoded UserNotice sequence.
411 */
#if SEC_OS_OSX

/*
 * One PolicyQualifierInfo (ASN.1 above). For CSSMOID_QT_CPS qualifier is
 * the IA5String contents; for CSSMOID_QT_UNOTICE it is the undecoded
 * UserNotice SEQUENCE contents.
 * NOTE(review): this struct's definition is split across the platform
 * conditionals: the opening brace and fields are here, and the closing
 * "} CE_PolicyQualifierInfo ...;" sits after the SEC_OS_IPHONE section
 * under a second "#if SEC_OS_OSX". Keep both halves in step when editing.
 */
typedef struct __CE_PolicyQualifierInfo {
    CSSM_OID policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
    CSSM_DATA qualifier; // CSSMOID_QT_CPS: IA5String contents

#elif SEC_OS_IPHONE
#if 0
/* Disabled: iOS leaves the qualifier list undecoded (see policyQualifiers below). */
typedef struct {
    DERItem policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
    DERItem qualifier; // CSSMOID_QT_CPS: IA5String contents
} SecCEPolicyQualifierInfo;
#endif

/*
 * iOS PolicyInformation: the policy OID plus the OPTIONAL qualifier
 * SEQUENCE, presumably kept as undecoded DER (the decoded form above is
 * compiled out) - confirm against the decoder.
 */
typedef struct {
    DERItem policyIdentifier;
    DERItem policyQualifiers;
} SecCEPolicyInformation;

/* iOS certificatePolicies: numPolicies entries plus present/critical. */
typedef struct {
    bool present;
    bool critical;
    size_t numPolicies; // size of *policies;
    SecCEPolicyInformation *policies;
} SecCECertificatePolicies;

/* One iOS policy mapping; both OIDs are DERItems. */
typedef struct {
    DERItem issuerDomainPolicy;
    DERItem subjectDomainPolicy;
} SecCEPolicyMapping;

/*
PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
issuerDomainPolicy CertPolicyId,
subjectDomainPolicy CertPolicyId }
*/
/* iOS policyMappings: numMappings entries plus present/critical. */
typedef struct {
    bool present;
    bool critical;
    size_t numMappings; // size of *mappings;
    SecCEPolicyMapping *mappings;
} SecCEPolicyMappings;

/*
InhibitAnyPolicy ::= SkipCerts
SkipCerts ::= INTEGER (0..MAX)
*/
/* iOS inhibitAnyPolicy; skipCerts is INTEGER (0..MAX) narrowed to uint32_t. */
typedef struct {
    bool present;
    bool critical;
    uint32_t skipCerts;
} SecCEInhibitAnyPolicy;
#endif /* SEC_OS_IPHONE */
// CSSMOID_QT_UNOTICE : Sequence contents (documents the qualifier field of
// CE_PolicyQualifierInfo, whose definition resumes on the next line)
#if SEC_OS_OSX
} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
468
/*
 * One PolicyInformation: the policy OID plus numPolicyQualifiers decoded
 * qualifiers (presumably NULL/0 when the OPTIONAL list is absent - confirm
 * against the decoder). Only the CPS-URI qualifier is decoded; UserNotice
 * stays as raw BER, per the comment above.
 */
typedef struct __CE_PolicyInformation {
    CSSM_OID certPolicyId;
    uint32 numPolicyQualifiers; // size of *policyQualifiers;
    CE_PolicyQualifierInfo *policyQualifiers;
} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The certificatePolicies extension: numPolicies PolicyInformation entries
 * (the ASN.1 requires at least one). Policy matching must compare the
 * encoded bytes of certPolicyId exactly.
 */
typedef struct __CE_CertPolicies {
    uint32 numPolicies; // size of *policies;
    CE_PolicyInformation *policies;
} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
479
/*
 * netscape-cert-type, a bit string.
 *
 * CSSM OID = CSSMOID_NetscapeCertType
 *
 * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc. (presumably
 * laid out like CE_KeyUsage, first transmitted bit at 0x8000 - confirm
 * there).
 * NOTE(review): this is a legacy pre-X.509v3 Netscape extension. Standard
 * validation derives usage from keyUsage, extendedKeyUsage and
 * basicConstraints; this value should not widen what those grant.
 */
typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
488
/*
 * CRLDistributionPoints.
 *
 * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
 *
 * cRLDistributionPoints ::= {
 * CRLDistPointsSyntax }
 *
 * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
 *
 * NOTE: the PKIX module (RFC 2459 / RFC 5280) uses IMPLICIT TAGS by
 * default, so the [0] on distributionPoint reads as implicit, but on the
 * wire it is EXPLICIT. It has to be: DistributionPointName is a CHOICE
 * whose alternatives are themselves distinguished by the context tags
 * [0]/[1], and ASN.1 (X.680) makes any tag applied to a CHOICE type
 * explicit so that the inner, distinguishing tag is not overwritten.
 *
 * DistributionPoint ::= SEQUENCE {
 * distributionPoint [0] DistributionPointName OPTIONAL,
 * reasons [1] ReasonFlags OPTIONAL,
 * cRLIssuer [2] GeneralNames OPTIONAL }
 *
 * DistributionPointName ::= CHOICE {
 * fullName [0] GeneralNames,
 * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
 *
 * ReasonFlags ::= BIT STRING {
 * unused (0),
 * keyCompromise (1),
 * cACompromise (2),
 * affiliationChanged (3),
 * superseded (4),
 * cessationOfOperation (5),
 * certificateHold (6) }
 *
 * CSSM OID = CSSMOID_CrlDistributionPoints
 */

/*
 * ReasonFlags as an 8-bit mask: ASN.1 bit n lands in bit (7 - n), so the
 * first bit transmitted is 0x80. Note that this looks similar to
 * CE_CrlReason, but that's an enum and this is an OR-able bit string.
 * NOTE(review): CE_CD_Unspecified is the mask for ASN.1 bit 0, which the
 * module names "unused"; it is unrelated to CE_CR_Unspecified (value 0).
 * RFC 5280 also defines privilegeWithdrawn(7) (which would be 0x01) and
 * aACompromise(8), which cannot be represented in eight bits at all; a
 * decoder that meets bit 8 has no way to report it through this type.
 */
typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CD_Unspecified 0x80
#define CE_CD_KeyCompromise 0x40
#define CE_CD_CACompromise 0x20
#define CE_CD_AffiliationChanged 0x10
#define CE_CD_Superseded 0x08
#define CE_CD_CessationOfOperation 0x04
#define CE_CD_CertificateHold 0x02

/* Selector for the dpn union in CE_DistributionPointName. */
typedef enum __CE_CrlDistributionPointNameType {
    CE_CDNT_FullName,
    CE_CDNT_NameRelativeToCrlIssuer
} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * DistributionPointName. nameType says which union member is live:
 * CE_CDNT_FullName -> dpn.fullName, CE_CDNT_NameRelativeToCrlIssuer ->
 * dpn.rdn. Always test nameType before reading dpn.
 */
typedef struct __CE_DistributionPointName {
    CE_CrlDistributionPointNameType nameType;
    union {
        CE_GeneralNames *fullName;
        CSSM_X509_RDN_PTR rdn;
    } dpn;
} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The top-level CRLDistributionPoint.
 * All fields are optional; NULL pointers indicate absence, and reasons
 * (not a pointer) is valid only when reasonsPresent is CSSM_TRUE.
 * NOTE(review): distPointName carries locations taken from the certificate
 * under review. A CRL fetched from one is authoritative only once its
 * signature has been verified against the certificate issuer (or against
 * crlIssuer for an indirect CRL) - never on the strength of the URI alone.
 */
typedef struct __CE_CRLDistributionPoint {
    CE_DistributionPointName *distPointName;
    CSSM_BOOL reasonsPresent;
    CE_CrlDistReasonFlags reasons;
    CE_GeneralNames *crlIssuer;
} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* The whole extension: numDistPoints DistributionPoint entries. */
typedef struct __CE_CRLDistPointsSyntax {
    uint32 numDistPoints;
    CE_CRLDistributionPoint *distPoints;
} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
567
/*
 * Authority Information Access and Subject Information Access.
 *
 * CSSM OID = CSSMOID_AuthorityInfoAccess
 * CSSM OID = CSSMOID_SubjectInfoAccess
 *
 * SubjAuthInfoAccessSyntax ::=
 * SEQUENCE SIZE (1..MAX) OF AccessDescription
 *
 * AccessDescription ::= SEQUENCE {
 * accessMethod OBJECT IDENTIFIER,
 * accessLocation GeneralName }
 */
/*
 * One AccessDescription. accessMethod is the access-method OID (typically
 * OCSP or caIssuers for AIA); accessLocation is embedded by value rather
 * than through a pointer, unlike most GeneralName uses in this header.
 * NOTE(review): accessLocation is data from the certificate being
 * validated, not something already trusted. Code that fetches from it must
 * treat the URI as untrusted input, and whatever is retrieved (an OCSP
 * response, an issuer certificate) is meaningful only after its own
 * signature check.
 */
typedef struct __CE_AccessDescription {
    CSSM_OID accessMethod;
    CE_GeneralName accessLocation;
} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* The whole AIA/SIA extension: numAccessDescriptions entries. */
typedef struct __CE_AuthorityInfoAccess {
    uint32 numAccessDescriptions;
    CE_AccessDescription *accessDescriptions;
} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
590
/*
 * Qualified Certificate Statement support, per RFC 3739.
 *
 * First, NameRegistrationAuthorities, a component of
 * SemanticsInformation; it's the same as a GeneralNames -
 * a sequence of GeneralName.
 */
typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * SemanticsInformation, carried in the semanticsInfo field of a
 * CE_QC_Statement whose statementId is id-qcs-pkixQCSyntax-v2.
 * Both fields optional (NULL when absent); at least one must be present.
 */
typedef struct __CE_SemanticsInformation {
    CSSM_OID *semanticsIdentifier;
    CE_NameRegistrationAuthorities *nameRegistrationAuthorities;
} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One Qualified Certificate Statement.
 * The statementId OID is required; zero or one of {semanticsInfo,
 * otherInfo} can be valid, depending on the value of statementId.
 * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
 * the semanticsInfo field may be present; otherwise, DER-encoded
 * information may be present in otherInfo. Both semanticsInfo and
 * otherInfo are optional (NULL when absent).
 * NOTE(review): otherInfo is opaque here. A consumer that acts on a
 * statement it recognises must decode and validate otherInfo itself;
 * nothing in this layer checks it.
 */
typedef struct __CE_QC_Statement {
    CSSM_OID statementId;
    CE_SemanticsInformation *semanticsInfo;
    CSSM_DATA *otherInfo;
} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The top-level Qualified Certificate Statements extension:
 * numQCStatements entries in qcStatements.
 */
typedef struct __CE_QC_Statements {
    uint32 numQCStatements;
    CE_QC_Statement *qcStatements;
} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
632
633 /*** CRL extensions ***/
634
/*
 * cRLNumber, an integer.
 *
 * CSSM OID = CSSMOID_CrlNumber
 *
 * NOTE(review): on the wire this is an ASN.1 INTEGER that RFC 5280 allows
 * to be up to 20 octets long; it is narrowed to uint32 here. A decoder
 * must fail on values that do not fit rather than truncate them, since a
 * truncated number can make a stale CRL compare as newer than the current
 * one. Unlike most CE_* types in this header, this typedef is not marked
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER.
 */
typedef uint32 CE_CrlNumber;

/*
 * deltaCRLIndicator, an integer: per RFC 5280 the cRLNumber of the base
 * CRL that the delta applies to. Same uint32 narrowing caveat (and same
 * missing deprecation attribute) as CE_CrlNumber.
 *
 * CSSM OID = CSSMOID_DeltaCrlIndicator
 */
typedef uint32 CE_DeltaCrl;
648
/*
 * IssuingDistributionPoint
 *
 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
 *
 * issuingDistributionPoint ::= SEQUENCE {
 * distributionPoint [0] DistributionPointName OPTIONAL,
 * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
 * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
 * onlySomeReasons [3] ReasonFlags OPTIONAL,
 * indirectCRL [4] BOOLEAN DEFAULT FALSE }
 *
 * CSSM OID = CSSMOID_IssuingDistributionPoint
 */
/*
 * Decoded IssuingDistributionPoint (a CRL extension). Each *Present flag
 * presumably records whether the OPTIONAL/DEFAULT field was actually
 * encoded (confirm against the decoder); when a DEFAULT FALSE boolean is
 * absent, read its value as CSSM_FALSE. distPointName is NULL when absent.
 * NOTE(review): these fields define the *scope* of the CRL. A revocation
 * checker must confirm the certificate falls inside that scope
 * (onlyUserCerts/onlyCACerts, onlySomeReasons, and for indirectCrl that
 * the CRL issuer is the one named) before treating the CRL as evidence
 * that the certificate is not revoked; a CRL that does not cover the
 * certificate says nothing about it. DER also forbids encoding a DEFAULT
 * value explicitly, so a *Present flag paired with FALSE indicates a
 * non-DER encoding worth rejecting.
 */
typedef struct __CE_IssuingDistributionPoint {
    CE_DistributionPointName *distPointName; // optional
    CSSM_BOOL onlyUserCertsPresent;
    CSSM_BOOL onlyUserCerts;
    CSSM_BOOL onlyCACertsPresent;
    CSSM_BOOL onlyCACerts;
    CSSM_BOOL onlySomeReasonsPresent;
    CE_CrlDistReasonFlags onlySomeReasons;
    CSSM_BOOL indirectCrlPresent;
    CSSM_BOOL indirectCrl;
} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
674
/*
 * NameConstraints
 *
 * id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
 *
 * NameConstraints ::= SEQUENCE {
 * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
 * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
 *
 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 *
 * GeneralSubtree ::= SEQUENCE {
 * base GeneralName,
 * minimum [0] BaseDistance DEFAULT 0,
 * maximum [1] BaseDistance OPTIONAL }
 *
 * BaseDistance ::= INTEGER (0..MAX)
 */
/*
 * One GeneralSubtree. minimum is 0 when absent; maximum is valid only when
 * maximumPresent is CSSM_TRUE.
 * NOTE(review): the ASN.1 gives base as a single GeneralName, but this
 * struct points at a CE_GeneralNames list; confirm how the decoder fills
 * numNames before assuming exactly one entry. RFC 5280 requires minimum
 * to be 0 and maximum to be absent; other values should be rejected, not
 * applied.
 */
typedef struct __CE_GeneralSubtree {
    CE_GeneralNames *base;
    uint32 minimum; // default=0
    CSSM_BOOL maximumPresent;
    uint32 maximum; // optional
} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* A GeneralSubtrees list: numSubtrees entries (the ASN.1 requires >= 1). */
typedef struct __CE_GeneralSubtrees {
    uint32 numSubtrees;
    CE_GeneralSubtree *subtrees;
} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * Decoded NameConstraints; either list is NULL when absent.
 * NOTE(review): this header only holds the data. Per RFC 5280 the verifier
 * must apply the constraints to subject alternative names *and* to the
 * subject DN (including e-mail addresses carried in the DN), and an
 * excluded subtree overrides a permitted one.
 */
typedef struct __CE_NameConstraints {
    CE_GeneralSubtrees *permitted; // optional
    CE_GeneralSubtrees *excluded; // optional
} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
709
/*
 * PolicyMappings
 *
 * id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
 *
 * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
 * issuerDomainPolicy CertPolicyId,
 * subjectDomainPolicy CertPolicyId }
 *
 * Note that both issuer and subject policy OIDs are required,
 * and are stored by value in this structure.
 */
/*
 * One issuerDomainPolicy -> subjectDomainPolicy mapping.
 * NOTE(review): RFC 5280 forbids anyPolicy on either side of a mapping;
 * a verifier should reject such an entry rather than honour it.
 */
typedef struct __CE_PolicyMapping {
    CSSM_OID issuerDomainPolicy;
    CSSM_OID subjectDomainPolicy;
} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* The whole extension: numPolicyMappings entries in policyMappings. */
typedef struct __CE_PolicyMappings {
    uint32 numPolicyMappings;
    CE_PolicyMapping *policyMappings;
} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
731
/*
 * PolicyConstraints
 *
 * id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
 *
 * PolicyConstraints ::= SEQUENCE {
 * requireExplicitPolicy [0] SkipCerts OPTIONAL,
 * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
 *
 * SkipCerts ::= INTEGER (0..MAX)
 */
/*
 * Decoded PolicyConstraints; each SkipCerts value is valid only when its
 * *Present flag is CSSM_TRUE. (The iOS SecCEPolicyConstraints, defined
 * earlier, adds present/critical.) INTEGER (0..MAX) is narrowed to uint32;
 * a decoder should reject values that do not fit instead of truncating.
 */
typedef struct __CE_PolicyConstraints {
    CSSM_BOOL requireExplicitPolicyPresent;
    uint32 requireExplicitPolicy; // optional
    CSSM_BOOL inhibitPolicyMappingPresent;
    uint32 inhibitPolicyMapping; // optional
} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
749
/*
 * InhibitAnyPolicy, an integer (SkipCerts ::= INTEGER (0..MAX)), narrowed
 * to uint32; reject values that do not fit rather than truncate them.
 *
 * CSSM OID = CSSMOID_InhibitAnyPolicy
 */
typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
756
/*
 * An enumerated list identifying one of the above per-extension
 * structs; it selects the live member of CE_Data.
 * Enumerator values are positional. DT_Other sits mid-list and the types
 * after it were presumably appended later to keep existing values stable,
 * so any new type should likewise be added at the end.
 */
typedef enum __CE_DataType {
    DT_AuthorityKeyID, // CE_AuthorityKeyID
    DT_SubjectKeyID, // CE_SubjectKeyID
    DT_KeyUsage, // CE_KeyUsage
    DT_SubjectAltName, // CE_GeneralNames (CE_Data.subjectAltName)
    DT_IssuerAltName, // CE_GeneralNames (CE_Data.issuerAltName)
    DT_ExtendedKeyUsage, // CE_ExtendedKeyUsage
    DT_BasicConstraints, // CE_BasicConstraints
    DT_CertPolicies, // CE_CertPolicies
    DT_NetscapeCertType, // CE_NetscapeCertType
    DT_CrlNumber, // CE_CrlNumber
    DT_DeltaCrl, // CE_DeltaCrl
    DT_CrlReason, // CE_CrlReason
    DT_CrlDistributionPoints, // CE_CRLDistPointsSyntax
    DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
    DT_AuthorityInfoAccess, // CE_AuthorityInfoAccess
    DT_Other, // unknown, raw data as a CSSM_DATA (CE_Data.rawData)
    DT_QC_Statements, // CE_QC_Statements
    DT_NameConstraints, // CE_NameConstraints
    DT_PolicyMappings, // CE_PolicyMappings
    DT_PolicyConstraints, // CE_PolicyConstraints
    DT_InhibitAnyPolicy // CE_InhibitAnyPolicy
} CE_DataType;
784
/*
 * One unified representation of all the cert and CRL extensions we know about.
 * The live member is chosen by the CE_DataType stored beside it in
 * CE_DataAndType.type; reading any other member is undefined. Extensions
 * this code does not decode (DT_Other) keep their undecoded value in rawData.
 */
typedef union {
    CE_AuthorityKeyID authorityKeyID;
    CE_SubjectKeyID subjectKeyID;
    CE_KeyUsage keyUsage;
    CE_GeneralNames subjectAltName;
    CE_GeneralNames issuerAltName;
    CE_ExtendedKeyUsage extendedKeyUsage;
    CE_BasicConstraints basicConstraints;
    CE_CertPolicies certPolicies;
    CE_NetscapeCertType netscapeCertType;
    CE_CrlNumber crlNumber;
    CE_DeltaCrl deltaCrl;
    CE_CrlReason crlReason;
    CE_CRLDistPointsSyntax crlDistPoints;
    CE_IssuingDistributionPoint issuingDistPoint;
    CE_AuthorityInfoAccess authorityInfoAccess;
    CE_QC_Statements qualifiedCertStatements;
    CE_NameConstraints nameConstraints;
    CE_PolicyMappings policyMappings;
    CE_PolicyConstraints policyConstraints;
    CE_InhibitAnyPolicy inhibitAnyPolicy;
    CSSM_DATA rawData; // unknown, not decoded
} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One extension together with its type tag and its critical flag.
 * NOTE(review): when type == DT_Other and critical is CSSM_TRUE, the
 * issuer has marked as mandatory an extension this code cannot interpret;
 * RFC 5280 (section 4.2) requires such a certificate or CRL to be
 * rejected. Consumers must check that combination explicitly instead of
 * skipping DT_Other entries.
 */
typedef struct __CE_DataAndType {
    CE_DataType type;
    CE_Data extension;
    CSSM_BOOL critical;
} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
817
818 #endif /* SEC_OS_OSX */
819
820 #if SEC_OS_OSX
821 #pragma clang diagnostic pop
822 #endif
823
824 #endif /* _CERT_EXTENSIONS_H_ */