1 /*
2 * Copyright (c) 2008-2009,2012-2014,2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * SecTrustServer.h - certificate trust evaluation engine
24 *
25 *
26 */
27
28 #ifndef _SECURITY_SECTRUSTSERVER_H_
29 #define _SECURITY_SECTRUSTSERVER_H_
30
31 #include <CoreFoundation/CFString.h>
32
33 #include <Security/SecTrust.h>
34 #include <Security/SecBasePriv.h> /* For errSecWaitForCallback. */
35 #include "trust/trustd/SecCertificateServer.h"
36 #include "trust/trustd/SecCertificateSource.h"
37 #include <mach/port.h>
38
39 __BEGIN_DECLS
40
/* Opaque handle to a trust path builder. The struct is not defined in this
 * header, so callers interact with it only through the SecPathBuilder*
 * functions declared below. */
typedef struct SecPathBuilder *SecPathBuilderRef;

/* Handle to a per-policy verification context (PVC). Unlike SecPathBuilder,
 * the underlying struct is defined in this header (see OpaqueSecPVC) so that
 * trustd's policy code can read and update its fields directly. */
typedef struct OpaqueSecPVC *SecPVCRef;
44
/* Per-policy verification context. Instances are owned by the path builder and
 * handed out via SecPathBuilderGetPVCAtIndex / SecPathBuilderGetResultPVC; the
 * builder is expected to outlive any PVC it returns. Field meanings below are
 * taken from the names and the accessors in this header; the semantics of each
 * are set by the implementation, so treat the hedged notes as review prompts. */
struct OpaqueSecPVC {
    SecPathBuilderRef builder;          /* Back-reference to the owning builder. */
    CFArrayRef policies;                /* Policies this PVC evaluates. */
    CFDictionaryRef callbacks;          /* NOTE(review): keyed callbacks for policy checks, presumably — confirm. */
    CFIndex policyIX;                   /* Presumably the index into `policies` currently being checked. */
    bool require_revocation_response;   /* NOTE(review): likely tied to SecPathBuilderSetCheckRevocationOnline — confirm. */

    CFArrayRef leafDetails;             /* Per-check details recorded for the leaf certificate alone (presumably). */
    SecTrustResultType leafResult;      /* Trust result for the leaf-only evaluation (presumably). */

    CFArrayRef details;                 /* Per-check details for the full path. */
    SecTrustResultType result;          /* Trust result for the full path; the builder reports it to the completion callback. */
};
58
/* Completion callback. Invoked by the builder when evaluation finishes (see
 * SecPathBuilderStep). userData is the pointer given to SecPathBuilderCreate;
 * chain, details, info and result describe the outcome of the evaluation. */
typedef void(*SecPathBuilderCompleted)(const void *userData,
    CFArrayRef chain, CFArrayRef details, CFDictionaryRef info,
    SecTrustResultType result);

/* Returns a new trust path builder and policy evaluation engine instance.
 *   builderQueue                 Queue the builder runs on (see SecPathBuilderGetQueue).
 *   clientAuditToken             Audit token of the requesting client, or NULL when there is
 *                                no external client (see SecPathBuilderCopyClientAuditToken).
 *   certificates                 Certificates to build a path from; indexed later via
 *                                SecPathBuilderGetCertificateAtIndex.
 *   anchors, anchorsOnly,
 *   keychainsAllowed             Anchor and trust-store inputs for this evaluation.
 *   policies                     Policies to evaluate the path against.
 *   ocspResponse,
 *   signedCertificateTimestamps,
 *   trustedLogs                  Revocation / CT inputs; readable back via the Copy* accessors below.
 *   verifyTime                   Time at which validity is evaluated (SecPathBuilderGetVerifyTime).
 *   accessGroups, exceptions     Client access groups and trust exceptions (SecPathBuilderGetExceptions).
 *   completed, userData          Callback and context invoked when evaluation is done.
 * NOTE(review): the name follows the CF "Create" convention, so the caller presumably
 * owns the returned builder; this header declares no matching release function, so
 * confirm ownership and teardown against the implementation. */
SecPathBuilderRef SecPathBuilderCreate(dispatch_queue_t builderQueue, CFDataRef clientAuditToken,
    CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly,
    bool keychainsAllowed, CFArrayRef policies, CFArrayRef ocspResponse,
    CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs,
    CFAbsoluteTime verifyTime, CFArrayRef accessGroups, CFArrayRef exceptions,
    SecPathBuilderCompleted completed, const void *userData);

/* Returns true if it's ok to perform network operations for this builder. */
bool SecPathBuilderCanAccessNetwork(SecPathBuilderRef builder);

/* Enable or disable network access for this builder: if allow is false,
 * network access is disabled. */
void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow);

/* Copy accessors for the revocation / CT inputs given to SecPathBuilderCreate.
 * NOTE(review): "Copy" per the CF naming convention implies the caller owns the
 * returned reference — confirm against the implementation before relying on it.
 * Note that trustedLogs is passed into SecPathBuilderCreate as a CFArrayRef but
 * comes back out of SecPathBuilderCopyTrustedLogs as a CFDictionaryRef. */
/* Get the stapled SCTs */
CFArrayRef SecPathBuilderCopySignedCertificateTimestamps(SecPathBuilderRef builder);
CFArrayRef SecPathBuilderCopyOCSPResponses(SecPathBuilderRef builder);
CFDictionaryRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder);

/* Get accessors: the builder retains ownership of anything returned here (the
 * "Get" convention), so callers must not release these values. This header does
 * not spell out how the "current" path (GetPath) differs from the "best" path
 * (GetBestPath); see the implementation. */
CFSetRef SecPathBuilderGetAllPaths(SecPathBuilderRef builder);
SecCertificatePathVCRef SecPathBuilderGetPath(SecPathBuilderRef builder);
SecCertificatePathVCRef SecPathBuilderGetBestPath(SecPathBuilderRef builder);
CFAbsoluteTime SecPathBuilderGetVerifyTime(SecPathBuilderRef builder);
CFIndex SecPathBuilderGetCertificateCount(SecPathBuilderRef builder);
SecCertificateRef SecPathBuilderGetCertificateAtIndex(SecPathBuilderRef builder, CFIndex ix);
CFArrayRef SecPathBuilderGetExceptions(SecPathBuilderRef builder);
bool SecPathBuilderHasTemporalParentChecks(SecPathBuilderRef builder);

/* Returns the isAnchored status of the path. The path builder sets isAnchored
 * based solely on whether the terminating cert has some sort of trust setting
 * on it. This check does NOT reflect whether that anchor is actually trusted,
 * as trust in an anchor is contextual to the policy being validated. */
bool SecPathBuilderIsAnchored(SecPathBuilderRef builder);
/* Whether `source` is one of this builder's anchor sources, and the source
 * holding the application-supplied anchors (presumably the `anchors` argument
 * to SecPathBuilderCreate — confirm). */
bool SecPathBuilderIsAnchorSource(SecPathBuilderRef builder, SecCertificateSourceRef source);
SecCertificateSourceRef SecPathBuilderGetAppAnchorSource(SecPathBuilderRef builder);

/* Enumerate the per-policy verification contexts owned by this builder. */
CFIndex SecPathBuilderGetPVCCount(SecPathBuilderRef builder);
SecPVCRef SecPathBuilderGetPVCAtIndex(SecPathBuilderRef builder, CFIndex ix);

/* Returns the first PVC that passed. What is returned when no PVC passed is
 * not specified here — callers should check for NULL. */
SecPVCRef SecPathBuilderGetResultPVC(SecPathBuilderRef builder);

/* Records `result` under `key` for certificate index `ix` in the builder's PVCs.
 * NOTE(review): the meaning of `force` (presumably overwrite an existing entry)
 * is not documented here — confirm against the implementation. */
void SecPathBuilderSetResultInPVCs(SecPathBuilderRef builder, CFStringRef key,
    CFIndex ix, CFTypeRef result, bool force);

/* This is an atomic pre-decrement operation: it returns the count after the
 * decrement. The count is unsigned, so decrementing at zero wraps around;
 * every decrement must be balanced by a prior SetAsyncJobCount/increment. */
unsigned int SecPathBuilderDecrementAsyncJobCount(SecPathBuilderRef builder);
void SecPathBuilderSetAsyncJobCount(SecPathBuilderRef builder, unsigned int jobCount);
unsigned int SecPathBuilderGetAsyncJobCount(SecPathBuilderRef builder);

/* Mutable info dictionary owned by the builder (Get convention; do not release).
 * NOTE(review): presumably this is the `info` delivered to the completion
 * callback — confirm. */
CFMutableDictionaryRef SecPathBuilderGetInfo(SecPathBuilderRef builder);

/* Enable revocation checking if the rest of the policy checks succeed. */
CFStringRef SecPathBuilderGetRevocationMethod(SecPathBuilderRef builder);
void SecPathBuilderSetRevocationMethod(SecPathBuilderRef builder, CFStringRef method);

/* Require an online revocation response for the chain. Note that the setter
 * takes no flag: through this interface the requirement can only be turned on. */
bool SecPathBuilderGetCheckRevocationOnline(SecPathBuilderRef builder);
void SecPathBuilderSetCheckRevocationOnline(SecPathBuilderRef builder);

/* Only do networking for revocation if the chain is trusted. As above, the
 * setter has no flag and can only enable this behavior. */
bool SecPathBuilderGetCheckRevocationIfTrusted(SecPathBuilderRef builder);
void SecPathBuilderSetCheckRevocationIfTrusted(SecPathBuilderRef builder);

/* Core of the trust evaluation engine, this will invoke the completed
 * callback and return false if the evaluation completed, or return true if
 * the evaluation is still waiting for some external event (usually the
 * network). */
bool SecPathBuilderStep(SecPathBuilderRef builder);

/* Return the dispatch queue to be used by this builder. */
dispatch_queue_t SecPathBuilderGetQueue(SecPathBuilderRef builder);

/* Return the client audit token associated with this path builder,
 * which caller must release, or NULL if there is no external client. */
CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder);

/* Evaluate trust and call evaluated when done. The parameters mirror
 * SecPathBuilderCreate; note that accessGroups is marked __unused here. */
void SecTrustServerEvaluateBlock(dispatch_queue_t builderQueue, CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, CFArrayRef chain, CFErrorRef error));

/* Synchronously invoke SecTrustServerEvaluateBlock. The trust result is the
 * return value; details, info, chain and error are out-parameters filled from
 * the evaluated block's arguments. accessGroups is __unused here as well.
 * NOTE(review): ownership of the out-parameter references is not stated in this
 * header — confirm whether the caller must release them. */
SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
147
/* TrustAnalytics builder types */

/* Bitmask (CF_OPTIONS) of where the evaluated SCTs came from; several sources
 * may be set at once. Stored in TrustAnalyticsBuilder.sct_sources. */
typedef CF_OPTIONS(uint8_t, TA_SCTSource) {
    TA_SCTEmbedded = 1 << 0,    /* SCTs embedded in the certificate. */
    TA_SCT_OCSP = 1 << 1,       /* SCTs delivered in an OCSP response. */
    TA_SCT_TLS = 1 << 2,        /* SCTs delivered via the TLS handshake. */
};
154
/* Why the Certificate Transparency check did not pass (TA_CTNoFailure when it
 * did). Stored in TrustAnalyticsBuilder.ct_failure_reason. The values are
 * explicit because they are presumably reported in analytics; avoid renumbering
 * existing entries and append new ones at the end. */
typedef CF_ENUM(uint8_t, TA_CTFailureReason) {
    TA_CTNoFailure = 0,
    TA_CTNoSCTs = 1,
    TA_CTMissingLogs = 2,
    TA_CTNoCurrentSCTsUnknownLog = 3,
    TA_CTNoCurrentSCTsDisqualifiedLog = 4,
    /* "Presented" cases cover SCTs from any source; "Embedded" cases cover
     * only SCTs embedded in the certificate (presumably — confirm). */
    TA_CTPresentedNotEnoughUnknown = 5,
    TA_CTPresentedNotEnoughDisqualified = 6,
    TA_CTPresentedNotEnough = 7,
    TA_CTEmbeddedNotEnoughUnknown = 8,
    TA_CTEmbeddedNotEnoughDisqualified = 9,
    TA_CTEmbeddedNotEnough = 10,
};
168
/* Bitmask (CF_OPTIONS) describing what the Valid database said about the chain;
 * stored in TrustAnalyticsBuilder.valid_status. All eight bits of the uint8_t
 * are in use, so adding a flag requires widening the underlying type. */
typedef CF_OPTIONS(uint8_t, TAValidStatus) {
    TAValidDefinitelyOK = 1 << 0,
    TAValidProbablyOK = 1 << 1,
    TAValidProbablyRevoked = 1 << 2,
    TAValidDefinitelyRevoked = 1 << 3,
    TAValidDateConstrainedOK = 1 << 4,
    TAValidDateConstrainedRevoked = 1 << 5,
    TAValidPolicyConstrainedOK = 1 << 6,
    TAValidPolicyConstrainedDenied = 1 << 7,
};
179
/* Per-evaluation metrics the builder collects for TrustAnalytics; retrieved via
 * SecPathBuilderGetAnalyticsData. Time fields are uint64_t; their unit is not
 * stated in this header (NOTE(review): confirm whether these are nanoseconds,
 * mach absolute time, or something else before interpreting them). */
typedef struct {
    uint64_t start_time;                    /* When the evaluation began (unit: see note above). */
    // Certificate Transparency
    TA_SCTSource sct_sources;               /* Where the SCTs came from (bitmask). */
    uint32_t number_scts;                   /* SCTs seen. */
    uint32_t number_trusted_scts;           /* SCTs from trusted logs. */
    TA_CTFailureReason ct_failure_reason;   /* TA_CTNoFailure when CT passed. */
    bool ct_one_current;
    // CAIssuer
    bool ca_issuer_cache_hit;
    bool ca_issuer_network;                 /* A CAIssuer fetch went to the network. */
    uint32_t ca_issuer_fetches;
    uint64_t ca_issuer_fetch_time;          /* Total fetch time (unit: see note above). */
    uint32_t ca_issuer_fetch_failed;
    bool ca_issuer_unsupported_data;
    bool ca_issuer_multiple_certs;
    // OCSP
    bool ocsp_no_check;
    bool ocsp_cache_hit;
    bool ocsp_network;                      /* An OCSP fetch went to the network. */
    uint32_t ocsp_fetches;
    uint64_t ocsp_fetch_time;               /* Total fetch time (unit: see note above). */
    uint32_t ocsp_fetch_failed;
    bool ocsp_validation_failed;            /* A response was obtained but failed validation. */
    // Valid
    TAValidStatus valid_status;             /* Bitmask of Valid results. */
    bool valid_trigger_ocsp;
    bool valid_require_ct;
    bool valid_known_intermediates_only;
    bool valid_unknown_intermediate;
} TrustAnalyticsBuilder;
211
212 TrustAnalyticsBuilder *SecPathBuilderGetAnalyticsData(SecPathBuilderRef builder);
213
214 __END_DECLS
215
216 #endif /* !_SECURITY_SECTRUSTSERVER_H_ */