1 // Copyright (c) 2017-2019 Apple Inc. All Rights Reserved.
2 // This is the list of Policy Checks. To add a new policy check put it in this file with the POLICYCHECKMACRO defined.
3 // Then define a new SEC_TRUST_ERROR string in SecFrameworkStrings.h
4 // Arguments for the POLICYCHECKMACRO in arg order are:
5 // POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS)
6 // NAME: the name of the check (both its constant name and string value)
7 // TRUSTRESULT: the trust result this check should produce. R is Recoverable, F is Fatal, D is Deny
8 // SUBTYPE: the type of failure.
9 // N is a name failure, E is expiration, S is key size, H is weak hash, U is usage, P is pinning, V is revocation
10 // T is trust, C is compliance, D is denied, B is blocked
11 // LEAFCHECK: L for checks that happen in the leaf callbacks
12 // PATHCHECK: A for checks that happen in the path callbacks
13 // LEAFONLY: O for checks that are done in leaf-only trust evaluations
14 // CSSMERR: The CSSM error status code for this error. The constant name of this status code follows in a comment.
15 // OSSTATUS: the OSStatus to return for this error
17 /********************************************************
18 ************** Unverified Leaf Checks ******************
19 ********************************************************/
20 POLICYCHECKMACRO(SSLHostname, R, N, L, , O, 0x80012400, errSecHostNameMismatch) //CSSMERR_APPLETP_HOSTNAME_MISMATCH
21 POLICYCHECKMACRO(Email, R, N, L, , O, 0x80012418, errSecSMIMEEmailAddressesNotFound) //CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND
22 POLICYCHECKMACRO(TemporalValidity, R, E, L, A, O, 0x8001210A, errSecCertificateExpired) //CSSMERR_TP_CERT_EXPIRED
23 POLICYCHECKMACRO(WeakKeySize, F, S, L, A, O, 0x80012115, errSecUnsupportedKeySize) //CSSMERR_TP_INVALID_CERTIFICATE
24 POLICYCHECKMACRO(WeakSignature, F, H, L, A, O, 0x80010955, errSecInvalidDigestAlgorithm) //CSSMERR_CSP_INVALID_DIGEST_ALGORITHM
25 POLICYCHECKMACRO(KeyUsage, R, U, L, , O, 0x80012406, errSecInvalidKeyUsageForPolicy) //CSSMERR_APPLETP_INVALID_KEY_USAGE
26 POLICYCHECKMACRO(ExtendedKeyUsage, R, U, L, , O, 0x80012407, errSecInvalidExtendedKeyUsage) //CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE
27 POLICYCHECKMACRO(SubjectCommonName, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
28 POLICYCHECKMACRO(SubjectCommonNamePrefix, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
29 POLICYCHECKMACRO(SubjectCommonNameTEST, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
30 POLICYCHECKMACRO(SubjectOrganization, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
31 POLICYCHECKMACRO(SubjectOrganizationalUnit, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
32 POLICYCHECKMACRO(NotValidBefore, R, P, L, , O, 0x8001210B, errSecCertificateNotValidYet) //CSSMERR_TP_CERT_NOT_VALID_YET
33 POLICYCHECKMACRO(EAPTrustedServerNames, R, N, L, , O, 0x80012400, errSecHostNameMismatch) //CSSMERR_APPLETP_HOSTNAME_MISMATCH
34 POLICYCHECKMACRO(LeafMarkerOid, R, P, L, , O, 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
35 POLICYCHECKMACRO(LeafMarkerOidWithoutValueCheck, R, P, L, , O, 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
36 POLICYCHECKMACRO(LeafMarkersProdAndQA, R, P, L, , O, 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
37 POLICYCHECKMACRO(BlackListedLeaf, F, B, L, , , 0x8001210C, errSecCertificateRevoked) //CSSMERR_TP_CERT_REVOKED
38 POLICYCHECKMACRO(GrayListedLeaf, R, T, L, , , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
40 /********************************************************
41 *********** Unverified Intermediate Checks *************
42 ********************************************************/
43 POLICYCHECKMACRO(IssuerCommonName, R, P, , A, , 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
44 POLICYCHECKMACRO(BasicConstraints, R, C, , A, , 0x80012402, errSecNoBasicConstraints) //CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS
45 POLICYCHECKMACRO(BasicConstraintsCA, R, C, , , , 0x80012403, errSecNoBasicConstraintsCA) //CSSMERR_APPLETP_INVALID_CA
46 POLICYCHECKMACRO(BasicConstraintsPathLen, R, C, , , , 0x80012409, errSecPathLengthConstraintExceeded) //CSSMERR_APPLETP_PATH_LEN_CONSTRAINT
47 POLICYCHECKMACRO(IntermediateSPKISHA256, R, P, , A, , 0x8001243B, errSecPublicKeyInconsistent) //CSSMERR_APPLETP_IDENTIFIER_MISSING
48 POLICYCHECKMACRO(IntermediateEKU, R, P, , A, , 0x80012407, errSecInvalidExtendedKeyUsage) //CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE
49 POLICYCHECKMACRO(IntermediateMarkerOid, R, P, , A, , 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
50 POLICYCHECKMACRO(IntermediateMarkerOidWithoutValueCheck, R, P, , A, , 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
51 POLICYCHECKMACRO(IntermediateOrganization, R, P, , A, , 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
52 POLICYCHECKMACRO(IntermediateCountry, R, P, , A, , 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
54 /********************************************************
55 ************** Unverified Anchor Checks ****************
56 ********************************************************/
57 POLICYCHECKMACRO(AnchorSHA1, R, P, , A, , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
58 POLICYCHECKMACRO(AnchorSHA256, R, P, , A, , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
59 POLICYCHECKMACRO(AnchorTrusted, R, T, , , , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
60 POLICYCHECKMACRO(MissingIntermediate, R, T, , , , 0x8001212A, errSecCreateChainFailed) //CSSMERR_TP_NOT_TRUSTED
61 POLICYCHECKMACRO(AnchorApple, R, P, , A, , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
63 /********************************************************
64 *********** Unverified Certificate Checks **************
65 ********************************************************/
66 POLICYCHECKMACRO(NonEmptySubject, R, C, , A, O, 0x80012437, errSecInvalidSubjectName) //CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT
67 POLICYCHECKMACRO(IdLinkage, R, C, , A, , 0x80012404, errSecInvalidIDLinkage) //CSSMERR_APPLETP_INVALID_AUTHORITY_ID
68 POLICYCHECKMACRO(KeySize, R, P, , A, O, 0x80010918, errSecUnsupportedKeySize) //CSSMERR_CSP_UNSUPPORTED_KEY_SIZE
69 POLICYCHECKMACRO(SignatureHashAlgorithms, R, P, , A, O, 0x80010913, errSecInvalidDigestAlgorithm) //CSSMERR_CSP_ALGID_MISMATCH
70 POLICYCHECKMACRO(CertificatePolicy, R, P, , A, O, 0x80012439, errSecInvalidPolicyIdentifiers) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
71 POLICYCHECKMACRO(ValidRoot, R, E, , , , 0x8001210A, errSecCertificateExpired) //CSSMERR_TP_CERT_EXPIRED
73 /********************************************************
74 **************** Verified Path Checks ******************
75 ********************************************************/
76 POLICYCHECKMACRO(CriticalExtensions, R, C, , A, O, 0x80012401, errSecUnknownCriticalExtensionFlag) //CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN
77 POLICYCHECKMACRO(ChainLength, R, P, , A, , 0x80012409, errSecPathLengthConstraintExceeded) //CSSMERR_APPLETP_PATH_LEN_CONSTRAINT
78 POLICYCHECKMACRO(BasicCertificateProcessing, R, C, , A, , 0x80012115, errSecInvalidCertificateRef) //CSSMERR_TP_INVALID_CERTIFICATE
79 POLICYCHECKMACRO(NameConstraints, R, C, , , , 0x80012115, errSecInvalidName) //CSSMERR_TP_INVALID_CERTIFICATE
80 POLICYCHECKMACRO(PolicyConstraints, R, C, , , , 0x80012115, errSecInvalidPolicyIdentifiers) //CSSMERR_TP_INVALID_CERTIFICATE
81 POLICYCHECKMACRO(GrayListedKey, R, T, , , , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
82 POLICYCHECKMACRO(BlackListedKey, F, B, , , , 0x8001210C, errSecCertificateRevoked) //CSSMERR_TP_CERT_REVOKED
83 POLICYCHECKMACRO(UsageConstraints, D, D, , , , 0x80012436, errSecTrustSettingDeny) //CSSMERR_APPLETP_TRUST_SETTING_DENY
84 POLICYCHECKMACRO(SystemTrustedWeakHash, R, C, , A, , 0x80010955, errSecInvalidDigestAlgorithm) //CSSMERR_CSP_INVALID_DIGEST_ALGORITHM
85 POLICYCHECKMACRO(SystemTrustedWeakKey, R, C, , A, , 0x80010918, errSecUnsupportedKeySize) //CSSMERR_CSP_UNSUPPORTED_KEY_SIZE
86 POLICYCHECKMACRO(PinningRequired, R, P, L, , , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
87 POLICYCHECKMACRO(Revocation, F, V, L, , , 0x8001210C, errSecCertificateRevoked) //CSSMERR_TP_CERT_REVOKED
88 POLICYCHECKMACRO(RevocationResponseRequired, R, P, L, , , 0x80012423, errSecIncompleteCertRevocationCheck) //CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK
89 POLICYCHECKMACRO(CTRequired, R, T, , , , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
90 POLICYCHECKMACRO(SystemTrustedCTRequired, R, C, , A, , 0x80012114, errSecVerifyActionFailed) //CSSMERR_TP_VERIFY_ACTION_FAILED
91 POLICYCHECKMACRO(IssuerPolicyConstraints, F, B, , , , 0x80012120, errSecCertificatePolicyNotAllowed) //CSSMERR_TP_INVALID_POLICY_IDENTIFIERS
92 POLICYCHECKMACRO(IssuerNameConstraints, F, B, , , , 0x8001211F, errSecCertificateNameNotAllowed) //CSSMERR_TP_INVALID_NAME
93 POLICYCHECKMACRO(ValidityPeriodMaximums, R, C, , A, , 0x8001210D, errSecCertificateValidityPeriodTooLong) //CSSMERR_TP_CERT_SUSPENDED
94 POLICYCHECKMACRO(ServerAuthEKU, R, U, , A, , 0x80012407, errSecInvalidExtendedKeyUsage) //CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE
95 POLICYCHECKMACRO(UnparseableExtension, R, C, , , O, 0x80012410, errSecUnknownCertExtension) //CSSMERR_APPLETP_UNKNOWN_CERT_EXTEN
97 /********************************************************
98 ******************* Feature Toggles *********************
99 ********************************************************/
100 POLICYCHECKMACRO(NoNetworkAccess, , , L, , , , errSecInternal)
101 POLICYCHECKMACRO(ExtendedValidation, , , , , , , errSecInternal)
102 POLICYCHECKMACRO(RevocationOnline, , , L, , , , errSecInternal)
103 POLICYCHECKMACRO(RevocationIfTrusted, , , L, , , , errSecInternal)
projects / apple / security.git / blob