2 * Copyright (c) 2006-2008,2010 Apple Inc. All Rights Reserved.
5 #ifndef _SSLS_APP_UTILS_H_
6 #define _SSLS_APP_UTILS_H_ 1
8 #include <Security/SecBase.h>
9 #include <Security/SecureTransport.h>
10 #include <Security/SecureTransportPriv.h>
11 #include <CoreFoundation/CFArray.h>
13 #include <Security/SecCertificate.h>
19 #if ! SEC_OS_OSX_INCLUDES
20 typedef struct OpaqueSecKeychainRef
*SecKeychainRef
;
23 /* disable some Panther-only features */
24 #define JAGUAR_BUILD 0
26 const char *sslGetCipherSuiteString(SSLCipherSuite cs
);
27 const char *sslGetProtocolVersionString(SSLProtocol prot
);
28 const char *sslGetSSLErrString(OSStatus err
);
29 void printSslErrStr(const char *op
, OSStatus err
);
30 const char *sslGetClientCertStateString(SSLClientCertificateState state
);
31 const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType
);
33 CFArrayRef
getSslCerts(
34 const char *kcName
, // may be NULL, i.e., use default
36 bool completeCertChain
,
37 const char *anchorFile
, // optional trusted anchor
38 SecKeychainRef
*pKcRef
); // RETURNED
39 OSStatus
sslCompleteCertChain(
40 SecIdentityRef identity
,
41 SecCertificateRef trustedAnchor
, // optional additional trusted anchor
42 bool includeRoot
, // include the root in outArray
43 // const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
44 CFArrayRef
*outArray
); // created and RETURNED
45 CFArrayRef
sslKcRefToCertArray(
48 bool completeCertChain
,
49 // const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL policy to complete
50 const char *trustedAnchorFile
);
52 OSStatus
addTrustedSecCert(
54 SecCertificateRef secCert
,
56 OSStatus
sslReadAnchor(
57 const char *anchorFile
,
58 SecCertificateRef
*certRef
);
59 OSStatus
sslAddTrustedRoot(
61 const char *anchorFile
,
65 * Assume incoming identity contains a root (e.g., created by
66 * certtool) and add that cert to ST's trusted anchors. This
67 * enables ST's verify of the incoming chain to succeed without
68 * a kludgy "AllowAnyRoot" specification.
70 OSStatus
addIdentityAsTrustedRoot(
72 CFArrayRef identArray
);
74 OSStatus
sslAddTrustedRoots(
76 SecKeychainRef keychain
,
82 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
84 extern const SSLCipherSuite suites40
[];
85 extern const SSLCipherSuite suitesDES
[];
86 extern const SSLCipherSuite suitesDES40
[];
87 extern const SSLCipherSuite suites3DES
[];
88 extern const SSLCipherSuite suitesRC4
[];
89 extern const SSLCipherSuite suitesRC4_40
[];
90 extern const SSLCipherSuite suitesRC2
[];
91 extern const SSLCipherSuite suitesAES128
[];
92 extern const SSLCipherSuite suitesAES256
[];
93 extern const SSLCipherSuite suitesDH
[];
94 extern const SSLCipherSuite suitesDHAnon
[];
95 extern const SSLCipherSuite suitesDH_RSA
[];
96 extern const SSLCipherSuite suitesDH_DSS
[];
97 extern const SSLCipherSuite suites_SHA1
[];
98 extern const SSLCipherSuite suites_MD5
[];
99 extern const SSLCipherSuite suites_ECDHE
[];
100 extern const SSLCipherSuite suites_ECDH
[];
103 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
104 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
105 * supports and do a SSLSetEnabledCiphers() specifying those.
107 OSStatus
sslSetEnabledCiphers(
109 const SSLCipherSuite
*ciphers
);
112 * Specify restricted sets of cipherspecs and protocols.
114 OSStatus
sslSetCipherRestrictions(
116 char cipherRestrict
);
119 OSStatus
sslSetProtocols(
121 const char *acceptedProts
,
122 SSLProtocol tryVersion
); // only used if acceptedProts NULL
126 const char *whichSide
, // "client" or "server"
129 int sslVerifyProtVers(
130 const char *whichSide
, // "client" or "server"
131 SSLProtocol expectProt
,
132 SSLProtocol gotProt
);
133 int sslVerifyClientCertState(
134 const char *whichSide
, // "client" or "server"
135 SSLClientCertificateState expectState
,
136 SSLClientCertificateState gotState
);
138 const char *whichSide
, // "client" or "server"
139 SSLCipherSuite expectCipher
,
140 SSLCipherSuite gotCipher
);
144 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
146 OSStatus
sslIdentityPicker(
147 SecKeychainRef kcRef
, // NULL means use default list
148 const char *trustedAnchor
, // optional additional trusted anchor
149 bool includeRoot
, // true --> root is appended to outArray
150 // false --> root not included
151 // const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
152 CFArrayRef
*outArray
); // created and RETURNED
154 void sslKeychainPath(
156 char *kcPath
); // allocd by caller, MAXPATHLEN
158 /* Verify presence of required file. Returns nonzero if not found. */
159 int sslCheckFile(const char *path
);
161 /* Stringify a SSL_ECDSA_NamedCurve */
162 extern const char *sslCurveString(
163 SSL_ECDSA_NamedCurve namedCurve
);
165 SecKeyRef
create_private_key_from_der(bool ecdsa
, const unsigned char *pkey_der
, size_t pkey_der_len
);
166 CFArrayRef
chain_from_der(bool ecdsa
, const unsigned char *pkey_der
, size_t pkey_der_len
, const unsigned char *cert_der
, size_t cert_der_len
);
172 #endif /* _SSLS_APP_UTILS_H_ */