1 /*
2 * Copyright (c) 2000-2002 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /*
20 File: cssmapple.h
21
22 Contains: CSSM features specific to Apple's Implementation
23 */
24
25 #ifndef _CSSMAPPLE_H_
26 #define _CSSMAPPLE_H_ 1
27
28 #include <Security/cssmerr.h>
29 #include <Security/cssmtype.h>
30 #include <Security/x509defs.h> /* for CSSM_APPLE_ROOT_CERT_REQUEST fields */
31 #include <Security/certextensions.h> /* ditto */
32 #include <sys/types.h> /* for the BSD *_t types */
33
34 #ifdef __cplusplus
35 extern "C" {
36 #endif
37
/* Guids for standard Apple addin modules.
 *
 * Declared here, defined elsewhere in the library. The brace-delimited value in
 * the comment above each declaration is the GUID that object carries; the six
 * differ only in the last digit of the first group. Each identifies one
 * Apple-supplied CDSA module. */

/* {87191ca0-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidCssm;          /* the CSSM framework itself */

/* {87191ca1-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleFileDL;   /* AppleFileDL: file-based data library (DL) */

/* {87191ca2-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleCSP;      /* AppleCSP: cryptographic service provider */

/* {87191ca3-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleCSPDL;    /* AppleCSPDL: combined CSP/DL serviced via the SecurityServer */

/* {87191ca4-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleX509CL;   /* AppleX509CL: X.509 certificate library */

/* {87191ca5-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleX509TP;   /* AppleX509TP: X.509 trust policy */
57
58
/* Apple defined WORDID values.
 * Allocated from the vendor range starting at CSSM_WORDID_VENDOR_START. Only the
 * first value is explicit; the rest increment implicitly, so the ORDER of these
 * enumerators is part of the ABI: never insert or reorder, only append before
 * CSSM_WORDID__FIRST_UNUSED. (Identifiers containing a double underscore are
 * reserved by the C standard; these are kept for source compatibility.) */
enum
{
    CSSM_WORDID_KEYCHAIN_PROMPT = CSSM_WORDID_VENDOR_START,
    CSSM_WORDID_KEYCHAIN_LOCK,
    CSSM_WORDID_KEYCHAIN_CHANGE_LOCK,
    CSSM_WORDID_PROCESS,
    CSSM_WORDID__RESERVED_1,   // was used in 10.2 test seeds; no longer in use -- kept so later values don't shift
    CSSM_WORDID__FIRST_UNUSED  // sentinel marking the next free WORDID (by its name, not a real WORDID)
};
69
/* Apple defined ACL subject and credential types.
 * An ACL subject type is simply a WORDID: the first two reuse the Apple WORDIDs
 * defined above, the last two reuse standard CDSA WORDIDs from the included
 * CDSA headers. */
enum
{
    CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT,  /* see CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR below */
    CSSM_ACL_SUBJECT_TYPE_PROCESS = CSSM_WORDID_PROCESS,                  /* see CSSM_ACL_PROCESS_SUBJECT_SELECTOR below */
    CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE = CSSM_WORDID_SIGNATURE,         /* see CSSM_ACL_CODE_SIGNATURE_xxx below */
    CSSM_ACL_SUBJECT_TYPE_COMMENT = CSSM_WORDID_COMMENT
};
78
/* Apple defined sample types (the type tag of a credential sample). Each aliases
 * a WORDID so that a sample type and the subject type it satisfies compare
 * equal; RETRY_ID reuses the standard CSSM_WORDID_PROPAGATE rather than an
 * Apple value. */
enum
{
    CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT,
    CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK = CSSM_WORDID_KEYCHAIN_LOCK,              /* carries the current (old) password; see DB_CHANGE_PASSWORD */
    CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK = CSSM_WORDID_KEYCHAIN_CHANGE_LOCK, /* carries the new password; see DB_CHANGE_PASSWORD */
    CSSM_SAMPLE_TYPE_PROCESS = CSSM_WORDID_PROCESS,
    CSSM_SAMPLE_TYPE_COMMENT = CSSM_WORDID_COMMENT,
    CSSM_SAMPLE_TYPE_RETRY_ID = CSSM_WORDID_PROPAGATE
};
88
89
/* Apple-defined ACL authorization tags.
 * Allocated from the vendor range; CHANGE_OWNER takes the next value implicitly,
 * so keep the order. As their names indicate, these authorize changing the ACL
 * itself and changing the owner -- i.e. administering the protection, not
 * using the protected object. */
enum {
    CSSM_ACL_AUTHORIZATION_CHANGE_ACL = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START,
    CSSM_ACL_AUTHORIZATION_CHANGE_OWNER
};
95
96
97 /* Parameters and structures for Apple-defined ACL subjects and samples */
98
enum {  /* types of code signatures - item 1 of CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE subjects */
    CSSM_ACL_CODE_SIGNATURE_INVALID = 0,  /* invalid / unspecified signature type */
    CSSM_ACL_CODE_SIGNATURE_OSX = 1       /* standard OS X code signature */
};
103
/* ACL subjects of type PROCESS */

enum {  /* PROCESS_SUBJECT mask fields (OR'd into CSSM_ACL_PROCESS_SUBJECT_SELECTOR.mask) */
    CSSM_ACL_MATCH_UID = 0x01,          /* match userid against uid field */
    CSSM_ACL_MATCH_GID = 0x02,          /* match groupid against gid field */
    CSSM_ACL_MATCH_HONOR_ROOT = 0x100,  /* let root (uid 0) match any userid -- this widens the ACL to every
                                           root process; set it deliberately. Not part of MATCH_BITS. */
    CSSM_ACL_MATCH_BITS = CSSM_ACL_MATCH_UID | CSSM_ACL_MATCH_GID  /* the field-selecting bits only */
};
112
enum {  /* PROCESS_SUBJECT structure version field */
    CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION = 0x101  /* value expected in CSSM_ACL_PROCESS_SUBJECT_SELECTOR.version */
};
116
typedef struct cssm_acl_process_subject_selector {  /* PROCESS_SUBJECT selector */
    uint16 version;  /* version of this selector; CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION */
    uint16 mask;     /* active fields mask: OR of CSSM_ACL_MATCH_xxx; a field whose bit is clear is not compared */
    uint32 uid;      /* effective user id match (compared when CSSM_ACL_MATCH_UID is set) */
    uint32 gid;      /* effective group id match (compared when CSSM_ACL_MATCH_GID is set) */
} CSSM_ACL_PROCESS_SUBJECT_SELECTOR;
123
/* ACL subjects of type KEYCHAIN_PROMPT */

enum {  /* KEYCHAIN_PROMPT structure version field */
    CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION = 0x101  /* value expected in CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR.version */
};
129
enum {  /* KEYCHAIN_PROMPT operational flags (bit mask for CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR.flags) */
    CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE = 0x0001  /* require re-entering of passphrase */
};
133
typedef struct cssm_acl_keychain_prompt_selector {  /* KEYCHAIN_PROMPT selector */
    uint16 version;  /* version of this selector; CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION */
    uint16 flags;    /* flag bits: OR of CSSM_ACL_KEYCHAIN_PROMPT_xxx (0 = plain prompt) */
} CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR;
138
139
/* Apple defined algorithm IDs.
 * Allocated from CSSM_ALGID_VENDOR_DEFINED upward; every entry after the first
 * takes the next value implicitly, so the order is part of the ABI -- append
 * new IDs only immediately before CSSM_ALGID__FIRST_UNUSED. */
enum
{
    CSSM_ALGID_APPLE_YARROW = CSSM_ALGID_VENDOR_DEFINED,  /* Yarrow pseudo-random number generator */
    CSSM_ALGID_AES,              /* RijnDael (AES) */
    CSSM_ALGID_FEE,              /* FEE Key Generation */
    CSSM_ALGID_FEE_MD5,          /* FEE/ElGamal signature w/ MD5 hash (MD5 is no longer collision resistant) */
    CSSM_ALGID_FEE_SHA1,         /* FEE/ElGamal signature w/ SHA1 hash */
    CSSM_ALGID_FEED,             /* 1:1 FEE asymmetric encryption */
    CSSM_ALGID_FEEDEXP,          /* 2:1 FEE asymmetric encryption */
    CSSM_ALGID_ASC,              /* Apple Secure Compression */
    CSSM_ALGID_SHA1HMAC_LEGACY,  /* HMAC/SHA1, legacy compatible */
    CSSM_ALGID__FIRST_UNUSED     /* sentinel: next free value, not an algorithm */
};
154
155
/* Apple adds some "common" error codes. CDSA does not define an official start value for this.
 * These are module-independent offsets; the CSSMERR_xx_* enum that follows adds
 * each module's CSSM_xx_BASE_ERROR to them. */
enum
{
    CSSM_CUSTOM_COMMON_ERROR_EXTENT = 0x00e0,  /* start of the Apple common-error range (equals the first code) */

    CSSM_ERRCODE_NO_USER_INTERACTION = 0x00e0,
    CSSM_ERRCODE_USER_CANCELED = 0x00e1,
    CSSM_ERRCODE_SERVICE_NOT_AVAILABLE = 0x00e2
};
165
/* Per-module forms of the Apple common error codes: each module type's base
 * error value plus the common offset, for the CSSM core, AC, CSP, CL, DL and TP. */
enum {
    /* NO_USER_INTERACTION, per module */
    CSSMERR_CSSM_NO_USER_INTERACTION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_AC_NO_USER_INTERACTION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_CSP_NO_USER_INTERACTION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_CL_NO_USER_INTERACTION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_DL_NO_USER_INTERACTION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_TP_NO_USER_INTERACTION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,

    /* USER_CANCELED, per module */
    CSSMERR_CSSM_USER_CANCELED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_AC_USER_CANCELED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_CSP_USER_CANCELED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_CL_USER_CANCELED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_DL_USER_CANCELED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_TP_USER_CANCELED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,

    /* SERVICE_NOT_AVAILABLE, per module */
    CSSMERR_CSSM_SERVICE_NOT_AVAILABLE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_AC_SERVICE_NOT_AVAILABLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_CSP_SERVICE_NOT_AVAILABLE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_CL_SERVICE_NOT_AVAILABLE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_DL_SERVICE_NOT_AVAILABLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_TP_SERVICE_NOT_AVAILABLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE
};
188
/* AppleCSPDL private error codes (offsets from the CSP private error range). */
enum {
    CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT = CSSM_CSP_PRIVATE_ERROR + 0
};
193
194
/* AppleFileDL record types.
 * All are offsets from CSSM_DB_RECORDTYPE_APP_DEFINED_START, in three ranges:
 * password items at +0..+2, certificate-related records from +0x1000 (USER_TRUST
 * implicitly follows X509_CERTIFICATE, i.e. +0x1001), and METADATA at +0x8000. */
enum
{
    CSSM_DL_DB_RECORD_GENERIC_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0,
    CSSM_DL_DB_RECORD_INTERNET_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 1,
    CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 2,

    CSSM_DL_DB_RECORD_X509_CERTIFICATE = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0x1000,
    CSSM_DL_DB_RECORD_USER_TRUST,  /* implicit: X509_CERTIFICATE + 1 */

    CSSM_DL_DB_RECORD_METADATA = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0x8000
};
207
/* AppleFileDL extensions: passthrough ids (the PassThroughId argument of
   CSSM_DL_PassThrough). Values are implicit: TOGGLE_AUTOCOMMIT = 0, COMMIT = 1,
   ROLLBACK = 2. Autocommit defaults to on; see CSSM_APPLEDL_OPEN_PARAMETERS. */
enum {
    // Toggle whether or not to autocommit after modifying the database.
    // The input parameter is a CSSM_BOOL, where TRUE turns autocommit on
    // and FALSE turns it off.
    CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT,

    // Commit any pending changes to the database.
    CSSM_APPLEFILEDL_COMMIT,

    // Rollback and discard any pending changes to the database.
    CSSM_APPLEFILEDL_ROLLBACK
};
221
/* Apple DL private error codes (offsets from the DL private error range). */
enum
{
    /* The OpenParameters argument passed to CSSM_DL_DbCreate or CSSM_DL_DbOpen
       was neither NULL nor a pointer to a valid CSSM_APPLEDL_OPEN_PARAMETERS
       structure (see that struct's length and version fields). */
    CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS = CSSM_DL_PRIVATE_ERROR + 0,

    /* an operation failed because the disk was full */
    CSSMERR_APPLEDL_DISK_FULL = CSSM_DL_PRIVATE_ERROR + 1,

    /* an operation failed because a disk quota was exceeded */
    CSSMERR_APPLEDL_QUOTA_EXCEEDED = CSSM_DL_PRIVATE_ERROR + 2,

    /* an operation failed because a file was too large */
    CSSMERR_APPLEDL_FILE_TOO_BIG = CSSM_DL_PRIVATE_ERROR + 3,

    /* a keychain database's internal information ("blob") is invalid;
       INVALID_KEY_BLOB is the same condition for a key blob */
    CSSMERR_APPLEDL_INVALID_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 4,
    CSSMERR_APPLEDL_INVALID_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 5,

    /* the internal data format version for a database's internal information ("blob") is invalid,
       as distinct from the blob itself being corrupt (INVALID_*_BLOB above);
       INCOMPATIBLE_KEY_BLOB is the same condition for a key blob */
    CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 6,
    CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 7,  /* trailing comma is C99+ */
};
247
/* Apple X509TP private error codes (offsets from the TP private error range).
 * Chain-verification failures specific to the Apple TP; they presumably surface
 * per cert in CSSM_TP_APPLE_EVIDENCE_INFO.StatusCodes -- confirm. */
enum
{
    /* mismatch between Cert's common name and app-specified host name
       (the ServerName in CSSM_APPLE_TP_SSL_OPTIONS) */
    CSSMERR_APPLETP_HOSTNAME_MISMATCH = CSSM_TP_PRIVATE_ERROR + 0,
    /* Non-understood extension with Critical flag true (X.509 requires rejection) */
    CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN = CSSM_TP_PRIVATE_ERROR + 1,
    /* Basic Constraints extension required per policy, but not present */
    CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 2,
    /* Invalid BasicConstraints.CA (e.g. an issuing cert not marked as a CA) */
    CSSMERR_APPLETP_INVALID_CA = CSSM_TP_PRIVATE_ERROR + 3,
    /* Invalid Authority Key ID */
    CSSMERR_APPLETP_INVALID_AUTHORITY_ID = CSSM_TP_PRIVATE_ERROR + 4,
    /* Invalid Subject Key ID */
    CSSMERR_APPLETP_INVALID_SUBJECT_ID = CSSM_TP_PRIVATE_ERROR + 5,
    /* Invalid Key Usage for policy */
    CSSMERR_APPLETP_INVALID_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 6,
    /* Invalid Extended Key Usage for policy */
    CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 7,
    /* Invalid Subject/Authority Key ID Linkage (issuer's SKID does not match subject's AKID) */
    CSSMERR_APPLETP_INVALID_ID_LINKAGE = CSSM_TP_PRIVATE_ERROR + 8,
    /* PathLengthConstraint exceeded */
    CSSMERR_APPLETP_PATH_LEN_CONSTRAINT = CSSM_TP_PRIVATE_ERROR + 9,  /* trailing comma is C99+ */
};
272
enum
{
    CSSM_APPLEDL_OPEN_PARAMETERS_VERSION = 0  /* current value for CSSM_APPLEDL_OPEN_PARAMETERS.version */
};
277
/* Pass a CSSM_APPLEDL_OPEN_PARAMETERS_PTR as the OpenParameters argument to
   CSSM_DL_DbCreate or CSSM_DL_DbOpen. NULL selects the defaults described below;
   a pointer to anything that does not validate as this structure is rejected with
   CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS. */
typedef struct cssm_appledl_open_parameters
{
    uint32 length;   /* Should be sizeof(CSSM_APPLEDL_OPEN_PARAMETERS); lets the DL validate the struct. */
    uint32 version;  /* Should be CSSM_APPLEDL_OPEN_PARAMETERS_VERSION. */

    /* If no OpenParameters are specified autoCommit is on (!CSSM_FALSE) by default.
       When autoCommit is on (!CSSM_FALSE) changes made to the Db are written to disk
       before returning from each function.
       When autoCommit is off (CSSM_FALSE) changes made to the database are not guaranteed
       to be written to disk until the Db is closed. This is useful for bulk writes.
       Beware that if autoCommit is off changes made in previous calls to the DL might
       get rolled back if a new modification operation fails, and that uncommitted changes
       may be lost if the process terminates before the Db is closed. The setting can be
       changed later with the CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT passthrough. */
    CSSM_BOOL autoCommit;
} CSSM_APPLEDL_OPEN_PARAMETERS, *CSSM_APPLEDL_OPEN_PARAMETERS_PTR;
294
295
/* AppleCSPDL passthrough ids (the PassThroughId argument of CSSM_DL_PassThrough,
   except CSSM_APPLECSP_KEYDIGEST, which is a CSP passthrough).
   Ids 0-5 act on the database named by the DLDBHandle argument and are serviced by
   the SecurityServer; several may put up UI through the SecurityAgent, so avoid
   them where a user prompt is unacceptable. */
enum
{
    /* Tell the SecurityServer to lock the database specified by the DLDBHandle argument.
       The InputParams and OutputParams arguments are ignored. */
    CSSM_APPLECSPDL_DB_LOCK = 0,

    /* Tell the SecurityServer to unlock the database specified by the DLDBHandle argument.
       The InputParameters argument is a CSSM_DATA_PTR containing the password. Or NULL if
       the SecurityServer should prompt for the password.
       The OutputParams argument is ignored.
       The SecurityServer will put up UI (through the SecurityAgent) when this function is called
       iff InputParameters is NULL.
       NOTE(review): the password sits in cleartext in the caller's CSSM_DATA buffer; this header
       does not say whether the DL clears it, so assume the caller must zeroize it afterwards. */
    CSSM_APPLECSPDL_DB_UNLOCK = 1,

    /* Ask the SecurityServer to get the db settings specified for the database
       specified by the DLDBHandle argument. The settings are returned in the OutputParameters argument.
       The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR.
       Upon successful completion the AppleCSPDL will have allocated a
       CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS structure using the application specified
       allocators for the DL attachment specified by the DLDBHandle argument. The structure will contain
       the current database settings for the specified database. The client should free the
       CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR after it has finished using it.
       The InputParameters argument is ignored.
       The SecurityServer might put up UI (through the SecurityAgent) when this function is called. */
    CSSM_APPLECSPDL_DB_GET_SETTINGS = 2,

    /* Tell the SecurityServer to set the db settings specified in InputParameters on the database
       specified by the DLDBHandle argument.
       The InputParameters argument is a const CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS * containing
       the new settings for the specified database.
       The OutputParams argument is ignored.
       The SecurityServer might put up UI (through the SecurityAgent) when this function is called. */
    CSSM_APPLECSPDL_DB_SET_SETTINGS = 3,

    /* Ask the SecurityServer whether the database specified by the DLDBHandle argument is locked.
       The InputParameters argument is ignored.
       The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR.
       Upon successful completion the AppleCSPDL will have allocated a
       CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS structure using the application specified
       allocators for the DL attachment specified by the DLDBHandle argument. The structure will contain
       the current lock status for the specified database. The client should free the
       CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR after it has finished using it.
       The SecurityServer will put up UI (through the SecurityAgent) when this function is called. */
    CSSM_APPLECSPDL_DB_IS_LOCKED = 4,

    /* Tell the SecurityServer to change the password for the database specified by
       the DLDBHandle.

       The InputParameters argument is a const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS * containing
       a CSSM_ACCESS_CREDENTIALS * which determines how the password will be changed. If the
       accessCredentials are NULL the SecurityAgent will prompt for the old and the new password for the
       specified database. If credentials are specified there should be 2 entries. First a 3 element
       list containing:
       CSSM_WORDID_KEYCHAIN_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the old password.
       Second a 3 element list containing:
       CSSM_WORDID_KEYCHAIN_CHANGE_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the new password.

       The OutputParams argument is ignored.
       The SecurityServer might put up UI (through the SecurityAgent) when this function is called.
       Both passwords are cleartext in caller memory; see the zeroization note on DB_UNLOCK. */
    CSSM_APPLECSPDL_DB_CHANGE_PASSWORD =5,


    /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the
     * associated key blob.
     * Key is specified in CSSM_CSP_CreatePassThroughContext.
     * Hash is allocated by the CSP, in the App's memory, and returned
     * in *outData (so presumably the app frees it -- confirm).
     * The id 0x100 keeps this CSP passthrough clear of the DB ids 0-5 above. */
    CSSM_APPLECSP_KEYDIGEST = 0x100
};
366
/* AppleCSPDL passthrough parameters: database settings. Allocated by the DL and
   returned from CSSM_APPLECSPDL_DB_GET_SETTINGS (caller frees); supplied by the
   caller to CSSM_APPLECSPDL_DB_SET_SETTINGS. */
typedef struct cssm_applecspdl_db_settings_parameters
{
    uint32 idleTimeout;  // seconds idle timeout lock: lock the database after this many idle seconds
                         // (the meaning of 0 is not documented here)
    uint8 lockOnSleep;   // lock database when system sleeps (a boolean; presumably nonzero = lock)
} CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS, *CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR;
373
/* AppleCSPDL passthrough parameters: lock status. Allocated by the DL and returned
   from CSSM_APPLECSPDL_DB_IS_LOCKED; the caller frees it. */
typedef struct cssm_applecspdl_db_is_locked_parameters
{
    uint8 isLocked;  // True iff the database is locked
} CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS, *CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR;
379
/* AppleCSPDL passthrough parameters: input to CSSM_APPLECSPDL_DB_CHANGE_PASSWORD. */
typedef struct cssm_applecspdl_db_change_password_parameters
{
    CSSM_ACCESS_CREDENTIALS *accessCredentials;  /* NULL: the SecurityAgent prompts for the old and new password.
                                                    Otherwise two 3-element samples: (CSSM_WORDID_KEYCHAIN_LOCK,
                                                    CSSM_SAMPLE_TYPE_PASSWORD, old password) and
                                                    (CSSM_WORDID_KEYCHAIN_CHANGE_LOCK, CSSM_SAMPLE_TYPE_PASSWORD,
                                                    new password); see the passthrough id description. */
} CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS, *CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS_PTR;
385
/* Custom wrapped key format: the wrapped-format value identifying keys wrapped
   in Apple's own (non-standard) format. */
enum {
    CSSM_KEYBLOB_WRAPPED_FORMAT_APPLE_CUSTOM = 100
};
390
/*
 * Custom context attributes for AppleCSP.
 * CSSM_ATTRIBUTE_VENDOR_DEFINED is the base of the vendor attribute-id space; the
 * Apple attributes below are formed as (CSSM_ATTRIBUTE_DATA_xxx type bits) |
 * (this base + a small index).
 */
enum {
    CSSM_ATTRIBUTE_VENDOR_DEFINED = 0x800000
};
397
/* Apple context attribute ids. Each combines the CDSA data-type bits for the
 * attribute's value with a vendor index, so the id itself says how the value
 * is passed (DATA_KEY = a key, DATA_UINT32 = an integer). */
enum {
    /*
     * Public Key attribute for use with CSSM_ALGID_FEED.
     * Value: a key (CSSM_ATTRIBUTE_DATA_KEY).
     */
    CSSM_ATTRIBUTE_PUBLIC_KEY =
        (CSSM_ATTRIBUTE_DATA_KEY | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 0)),

    /*
     * FEE key attributes.
     * See CSSM_FEE_PRIME_TYPE_xxx, CSSM_FEE_CURVE_TYPE_xxx enums, below.
     * Value: uint32 (CSSM_ATTRIBUTE_DATA_UINT32).
     */
    CSSM_ATTRIBUTE_FEE_PRIME_TYPE =
        (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 1)),
    CSSM_ATTRIBUTE_FEE_CURVE_TYPE =
        (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 2)),

    /*
     * Apple Secure Compression (ComCryption) optimization.
     * See CSSM_ASC_OPTIMIZE_xxx, enums, below.
     * Value: uint32 (CSSM_ATTRIBUTE_DATA_UINT32).
     */
    CSSM_ATTRIBUTE_ASC_OPTIMIZATION =
        (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 3)),  /* trailing comma is C99+ */
};
421
/*
 * FEE key pair prime modulus types (value of CSSM_ATTRIBUTE_FEE_PRIME_TYPE).
 * Values are implicit 0..3; the order is part of the ABI.
 */
enum {
    CSSM_FEE_PRIME_TYPE_DEFAULT = 0,  /* default per key size */
    CSSM_FEE_PRIME_TYPE_MERSENNE,     /* (2 ** q) - 1 */
    CSSM_FEE_PRIME_TYPE_FEE,          /* (2 ** q) - k */
    CSSM_FEE_PRIME_TYPE_GENERAL       /* random prime */
};
431
/*
 * FEE curve types (value of CSSM_ATTRIBUTE_FEE_CURVE_TYPE). Comments refer to equation
 *
 *   y**2 = x**3 + c(x**2) + ax + b
 *
 * and state which coefficients each curve type fixes. Values are implicit 0..2.
 */
enum {
    CSSM_FEE_CURVE_TYPE_DEFAULT = 0,  /* default per key size */
    CSSM_FEE_CURVE_TYPE_MONTGOMERY,   /* a==1, b==0 */
    CSSM_FEE_CURVE_TYPE_WEIERSTRASS   /* c==0. IEEE P1363 compliant. */
};
442
/*
 * Apple Secure Compression (ComCryption) optimization attributes
 * (value of CSSM_ATTRIBUTE_ASC_OPTIMIZATION). Values are implicit 0..5.
 */
enum {
    CSSM_ASC_OPTIMIZE_DEFAULT = 0,
    CSSM_ASC_OPTIMIZE_SIZE,       /* max compression (currently the default) */
    CSSM_ASC_OPTIMIZE_SECURITY,   /* currently not implemented */
    CSSM_ASC_OPTIMIZE_TIME,       /* min runtime */
    CSSM_ASC_OPTIMIZE_TIME_SIZE,  /* implies loss of security */
    CSSM_ASC_OPTIMIZE_ASCII,      /* optimized for ASCII text, not implemented */  /* trailing comma is C99+ */
};
454
/*
 * Name/OID pair used in CSSM_APPLE_TP_CERT_REQUEST: one attribute of a subject
 * or issuer name (e.g. a common-name string paired with the CN OID).
 * Both members are pointers; by their const pointer types the struct does not
 * own the storage, so the caller keeps `string` and `*oid` alive while the
 * request is in use -- confirm against the TP.
 */
typedef struct {
    const char *string;
    const CSSM_OID *oid;
} CSSM_APPLE_TP_NAME_OID;
462
/*
 * Certificate request passed to CSSM_TP_SubmitCredRequest() in the
 * CSSM_TP_AUTHORITY_REQUEST_TYPE.Requests field. Used for requesting
 * both locally-generated certs (CSSMOID_APPLE_TP_LOCAL_CERT_GEN) and
 * cert signing requests (CSSMOID_APPLE_TP_CSR_GEN).
 * All pointers are borrowed from the caller; nothing here is owned by the struct.
 */
typedef struct {
    CSSM_CSP_HANDLE cspHand;                // sign with this CSP
    CSSM_CL_HANDLE clHand;                  // and this CL
    uint32 serialNumber;                    // caller-chosen; X.509 requires uniqueness per issuer,
                                            // nothing in this struct enforces it
    uint32 numSubjectNames;                 // size subjectNames[]
    CSSM_APPLE_TP_NAME_OID *subjectNames;   // from certextensions.h

    /*
     * Issuer name can be expressed in the simplified CSSM_APPLE_TP_NAME_OID
     * array, as is the subject name, or as an CSSM_X509_NAME, which is
     * typically obtained from a signing cert.
     * Exactly one of {issuerNames, issuerNameX509} must be non-NULL.
     * NOTE(review): the per-field comment on issuerNames ("NULL implies root")
     * sits uneasily with "exactly one must be non-NULL"; confirm against the TP
     * which reading applies when both are NULL.
     */
    uint32 numIssuerNames;                  // size issuerNames[]
    CSSM_APPLE_TP_NAME_OID *issuerNames;    // optional; NULL implies root
                                            // (signer == subject)
    CSSM_X509_NAME_PTR issuerNameX509;
    const CSSM_KEY *certPublicKey;          // the key to be certified
    const CSSM_KEY *issuerPrivateKey;       // signs the cert; for a root (signer == subject) presumably
                                            // the subject's own private key

    /* Unfortunately there is no practical way to map any algorithm
     * to its appropriate OID, and we need both.... The two must agree. */
    CSSM_ALGORITHMS signatureAlg;           // e.g., CSSM_ALGID_SHA1WithRSA
    CSSM_OID signatureOid;                  // e.g., CSSMOID_SHA1WithRSA
    uint32 notBefore;                       // relative to "now"; units not stated here (presumably seconds -- confirm)
    uint32 notAfter;                        // relative to "now", same units as notBefore
    uint32 numExtensions;                   // size extensions[]
    CE_DataAndType *extensions;             // optional

    /*
     * Optional challenge string for CSSMOID_APPLE_TP_CSR_GEN.
     */
    const char *challengeString;
} CSSM_APPLE_TP_CERT_REQUEST;
503
/*
 * Options for X509TP's CSSM_TP_CertGroupVerify for policy CSSMOID_APPLE_TP_SSL.
 * A pointer to, and length of, one of these is optionally placed in
 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
 */
#define CSSM_APPLE_TP_SSL_OPTS_VERSION 0
typedef struct {
    uint32 Version;  // CSSM_APPLE_TP_SSL_OPTS_VERSION

    /*
     * The domain name of the server (e.g., "store.apple.com".) In the
     * SSL and TLS protocols, this must match the common name of the
     * subject cert; a mismatch is reported as CSSMERR_APPLETP_HOSTNAME_MISMATCH.
     * Expressed as a C string, optionally NULL terminated; if it is NULL
     * terminated, the length field should include the NULL.
     * ServerName is optional, but without it the TP cannot perform the
     * hostname check at all, so the verification is weaker -- supply it
     * whenever the expected server name is known.
     */
    uint32 ServerNameLen;
    const char *ServerName;  // optional
} CSSM_APPLE_TP_SSL_OPTIONS;
522
/*
 * Optional ActionData for all X509TP CertGroupVerify policies.
 * A pointer to, and length of, one of these is optionally placed in
 * CSSM_TP_VERIFY_CONTEXT.ActionData.
 */
typedef uint32 CSSM_APPLE_TP_ACTION_FLAGS;  /* bit mask of CSSM_TP_ACTION_xxx */
enum {
    CSSM_TP_ACTION_ALLOW_EXPIRED = 0x00000001,  // allow expired certs: suppresses the validity-period
                                                // failure, weakening the verification; set deliberately
    /* other flags TBD */  /* trailing comma is C99+ */
};
533
#define CSSM_APPLE_TP_ACTION_VERSION 0
typedef struct {
    uint32 Version;                          // CSSM_APPLE_TP_ACTION_VERSION
    CSSM_APPLE_TP_ACTION_FLAGS ActionFlags;  // CSSM_TP_ACTION_ALLOW_EXPIRED, etc. (0 = default strict behaviour)
} CSSM_APPLE_TP_ACTION_DATA;
539
/*
 * Per-cert evidence returned from CSSM_TP_CertGroupVerify.
 * An array of these is presented in CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[2].
 * Same number of these as in the cert group in Evidence[1].
 */

/* First, an array of bits indicating various status of the cert
 * (bit mask held in CSSM_TP_APPLE_EVIDENCE_INFO.StatusBits). */
typedef uint32 CSSM_TP_APPLE_CERT_STATUS;
enum
{
    CSSM_CERT_STATUS_EXPIRED = 0x00000001,            /* notAfter has passed */
    CSSM_CERT_STATUS_NOT_VALID_YET = 0x00000002,      /* notBefore not yet reached */
    CSSM_CERT_STATUS_IS_IN_INPUT_CERTS = 0x00000004,  /* cert came from the caller's cert group */
    CSSM_CERT_STATUS_IS_IN_ANCHORS = 0x00000008,      /* cert came from AnchorCerts; affects the meaning of Index */
    CSSM_CERT_STATUS_IS_ROOT = 0x00000010             /* cert is self-signed / chain root */
};
556
/* One element of the Evidence[2] array: verification outcome for a single cert. */
typedef struct {
    CSSM_TP_APPLE_CERT_STATUS StatusBits;  /* OR of CSSM_CERT_STATUS_xxx */
    uint32 NumStatusCodes;                 /* number of entries in StatusCodes[] */
    CSSM_RETURN *StatusCodes;              /* per-cert error codes, e.g. the CSSMERR_APPLETP_xxx values */

    /* index into raw cert group or AnchorCerts depending on IS_IN_ANCHORS */
    uint32 Index;

    /* nonzero if cert came from a DLDB */
    CSSM_DL_DB_HANDLE DlDbHandle;
    CSSM_DB_UNIQUE_RECORD_PTR UniqueRecord;  /* the record within that DLDB (meaningful only when DlDbHandle is nonzero) */
} CSSM_TP_APPLE_EVIDENCE_INFO;
569
/*
 * CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[0]. It identifies which version/flavor
 * of the remaining evidence entries follows.
 */
#define CSSM_TP_APPLE_EVIDENCE_VERSION 0
typedef struct
{
    uint32 Version;  /* CSSM_TP_APPLE_EVIDENCE_VERSION */
} CSSM_TP_APPLE_EVIDENCE_HEADER;
579
580
/*
 * Apple-specific CSSM_EVIDENCE_FORM values
 *
 * The form of the evidence returns from CSSM_TP_CertGroupVerify is:
 *
 *   EvidenceForm                         contents of *Evidence
 *   ------------                         ---------------------
 *   CSSM_EVIDENCE_FORM_APPLE_HEADER      CSSM_TP_APPLE_EVIDENCE_HEADER
 *   CSSM_EVIDENCE_FORM_APPLE_CERTGROUP   CSSM_CERTGROUP
 *   CSSM_EVIDENCE_FORM_APPLE_CERT_INFO   array of CSSM_TP_APPLE_EVIDENCE_INFO, size
 *                                        CSSM_CERTGROUP.NumCerts
 *
 * Note: 0x80000000 is not representable as an int, so strictly conforming C does
 * not allow these enumerator values; GCC and Clang accept them as an extension.
 * Compare them as unsigned values.
 */

#define CSSM_EVIDENCE_FORM_APPLE_CUSTOM 0x80000000
enum
{
    CSSM_EVIDENCE_FORM_APPLE_HEADER = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 0,
    CSSM_EVIDENCE_FORM_APPLE_CERTGROUP = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 1,
    CSSM_EVIDENCE_FORM_APPLE_CERT_INFO = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 2
};
601
/* AppleX509CL extensions: passthrough ids. Values are implicit: OBTAIN_CSR = 0, VERIFY_CSR = 1. */
enum {
    /*
     * Obtain a signed Certificate Signing Request.
     * Input = CSSM_APPLE_CL_CSR_REQUEST
     * Output = allocated CSSM_DATA which points to a DER-encoded CSR.
     */
    CSSM_APPLEX509CL_OBTAIN_CSR,

    /*
     * Perform signature verify of a CSR.
     * Input: CSSM_DATA referring to a DER-encoded CSR.
     * Output: Nothing, returns CSSMERR_CL_VERIFICATION_FAILURE on failure.
     * A CSR's self-signature only proves possession of the private key; it
     * says nothing about the identity claimed in the request.
     */
    CSSM_APPLEX509CL_VERIFY_CSR
};
619
/*
 * Used in CL's CSSM_APPLEX509CL_OBTAIN_CSR Passthrough. This is the
 * input; the output is a CSSM_DATA * containing the signed and
 * PEM-encoded CSR.
 * NOTE(review): the passthrough id list above describes the output as
 * DER-encoded; confirm which encoding the CL actually produces.
 * All pointers are borrowed from the caller.
 */
typedef struct {
    CSSM_X509_NAME_PTR subjectNameX509;   // subject name to place in the request

    /* Unfortunately there is no practical way to map any algorithm
     * to its appropriate OID, and we need both.... The two must agree. */
    CSSM_ALGORITHMS signatureAlg;         // e.g., CSSM_ALGID_SHA1WithRSA
    CSSM_OID signatureOid;                // e.g., CSSMOID_SHA1WithRSA

    CSSM_CSP_HANDLE cspHand;              // sign with this CSP
    const CSSM_KEY *subjectPublicKey;     // key to be certified; embedded in the CSR
    const CSSM_KEY *subjectPrivateKey;    // signs the CSR (proof of possession)

    /*
     * Optional challenge string.
     */
    const char *challengeString;
} CSSM_APPLE_CL_CSR_REQUEST;
642
643
/* Report a CSSM error in human-readable form.
 * how:   caller-supplied string emitted together with the error -- by analogy
 *        with perror() presumably a prefix naming the failed operation; confirm
 *        the exact output format in the implementation.
 * error: the CSSM_RETURN code to describe. */
void cssmPerror(const char *how, CSSM_RETURN error);
645
646 #ifdef __cplusplus
647 }
648 #endif // __cplusplus
649
650 #endif /* _CSSMAPPLE_H_ */