trust/SecPolicy.h

   1 /*
   2  * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*!
  25      @header SecPolicy
  26      The functions provided in SecPolicy.h provide an interface to various
  27      X.509 certificate trust policies.
  28  */
  29
  30 #ifndef _SECURITY_SECPOLICY_H_
  31 #define _SECURITY_SECPOLICY_H_
  32
  33 #include <CoreFoundation/CFBase.h>
  34 #include <CoreFoundation/CFDictionary.h>
  35 #include <Security/SecBase.h>
  36
  37 __BEGIN_DECLS
  38
  39 CF_ASSUME_NONNULL_BEGIN
  40 CF_IMPLICIT_BRIDGING_ENABLED
  41
  42 /*!
  43      @enum Policy Constants
  44      @discussion Predefined constants used to specify a policy.
  45      @constant kSecPolicyAppleX509Basic
  46      @constant kSecPolicyAppleSSL
  47      @constant kSecPolicyAppleSMIME
  48      @constant kSecPolicyAppleEAP
  49      @constant kSecPolicyAppleiChat
  50      @constant kSecPolicyAppleIPsec
  51      @constant kSecPolicyApplePKINITClient
  52      @constant kSecPolicyApplePKINITServer
  53      @constant kSecPolicyAppleCodeSigning
  54      @constant kSecPolicyMacAppStoreReceipt
  55      @constant kSecPolicyAppleIDValidation
  56      @constant kSecPolicyAppleTimeStamping
  57      @constant kSecPolicyAppleRevocation
  58      @constant kSecPolicyApplePassbookSigning
  59      @constant kSecPolicyApplePayIssuerEncryption
  60  */
  61 extern const CFStringRef kSecPolicyAppleX509Basic
  62     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
  63 extern const CFStringRef kSecPolicyAppleSSL
  64     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
  65 extern const CFStringRef kSecPolicyAppleSMIME
  66     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
  67 extern const CFStringRef kSecPolicyAppleEAP
  68     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
  69 extern const CFStringRef kSecPolicyAppleIPsec
  70     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
  71 #if TARGET_OS_OSX
  72 extern const CFStringRef kSecPolicyAppleiChat
  73     __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
  74 #endif
  75 extern const CFStringRef kSecPolicyApplePKINITClient
  76     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
  77 extern const CFStringRef kSecPolicyApplePKINITServer
  78     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
  79 extern const CFStringRef kSecPolicyAppleCodeSigning
  80     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
  81 extern const CFStringRef kSecPolicyMacAppStoreReceipt
  82     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_9_0);
  83 extern const CFStringRef kSecPolicyAppleIDValidation
  84     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
  85 extern const CFStringRef kSecPolicyAppleTimeStamping
  86     __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_7_0);
  87 extern const CFStringRef kSecPolicyAppleRevocation
  88     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
  89 extern const CFStringRef kSecPolicyApplePassbookSigning
  90     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
  91 extern const CFStringRef kSecPolicyApplePayIssuerEncryption
  92     __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
  93
  94 /*!
  95     @enum Policy Value Constants
  96     @abstract Predefined property key constants used to get or set values in
  97     a dictionary for a policy instance.
  98     @discussion
  99         All policies will have the following read-only value:
 100             kSecPolicyOid       (the policy object identifier)
 101
 102         Additional policy values which your code can optionally set:
 103             kSecPolicyName      (name which must be matched)
 104             kSecPolicyClient    (evaluate for client, rather than server)
 105             kSecPolicyRevocationFlags   (only valid for a revocation policy)
 106             kSecPolicyTeamIdentifier    (only valid for a Passbook signing policy)
 107
 108     @constant kSecPolicyOid Specifies the policy OID (value is a CFStringRef)
 109     @constant kSecPolicyName Specifies a CFStringRef (or CFArrayRef of same)
 110         containing a name which must be matched in the certificate to satisfy
 111         this policy. For SSL/TLS, EAP, and IPSec policies, this specifies the
 112         server name which must match the common name of the certificate.
 113         For S/MIME, this specifies the RFC822 email address. For Passbook
 114         signing, this specifies the pass signer.
 115     @constant kSecPolicyClient Specifies a CFBooleanRef value that indicates
 116         this evaluation should be for a client certificate. If not set (or
 117         false), the policy evaluates the certificate as a server certificate.
 118     @constant kSecPolicyRevocationFlags Specifies a CFNumberRef that holds a
 119         kCFNumberCFIndexType bitmask value. See "Revocation Policy Constants"
 120         for a description of individual bits in this value.
 121     @constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a
 122         team identifier which must be matched in the certificate to satisfy
 123         this policy. For the Passbook signing policy, this string must match
 124         the Organizational Unit field of the certificate subject.
 125  */
 126 extern const CFStringRef kSecPolicyOid
 127     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
 128 extern const CFStringRef kSecPolicyName
 129     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
 130 extern const CFStringRef kSecPolicyClient
 131     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
 132 extern const CFStringRef kSecPolicyRevocationFlags
 133     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
 134 extern const CFStringRef kSecPolicyTeamIdentifier
 135     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
 136
 137
 138 /*!
 139  @function SecPolicyGetTypeID
 140  @abstract Returns the type identifier of SecPolicy instances.
 141  @result The CFTypeID of SecPolicy instances.
 142  */
 143 CFTypeID SecPolicyGetTypeID(void)
 144     __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);
 145
 146 /*!
 147  @function SecPolicyCopyProperties
 148  @abstract Returns a dictionary of this policy's properties.
 149  @param policyRef A policy reference.
 150  @result A properties dictionary. See "Policy Value Constants" for a list
 151  of currently defined property keys. It is the caller's responsibility to
 152  CFRelease this reference when it is no longer needed.
 153  @result A result code. See "Security Error Codes" (SecBase.h).
 154  @discussion This function returns the properties for a policy, as set by the
 155  policy's construction function or by a prior call to SecPolicySetProperties.
 156  */
 157 __nullable
 158 CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef)
 159     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
 160
 161 /*!
 162  @function SecPolicyCreateBasicX509
 163  @abstract Returns a policy object for the default X.509 policy.
 164  @result A policy object. The caller is responsible for calling CFRelease
 165  on this when it is no longer needed.
 166  */
 167 SecPolicyRef SecPolicyCreateBasicX509(void)
 168     __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
 169
 170 /*!
 171  @function SecPolicyCreateSSL
 172  @abstract Returns a policy object for evaluating SSL certificate chains.
 173  @param server Passing true for this parameter creates a policy for SSL
 174  server certificates.
 175  @param hostname (Optional) If present, the policy will require the specified
 176  hostname to match the hostname in the leaf certificate.
 177  @result A policy object. The caller is responsible for calling CFRelease
 178  on this when it is no longer needed.
 179  */
 180 SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef __nullable hostname)
 181     __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
 182
 183 /*!
 184      @enum Revocation Policy Constants
 185      @abstract Predefined constants which allow you to specify how revocation
 186      checking will be performed for a trust evaluation.
 187      @constant kSecRevocationOCSPMethod If this flag is set, perform revocation
 188      checking using OCSP (Online Certificate Status Protocol).
 189      @constant kSecRevocationCRLMethod If this flag is set, perform revocation
 190      checking using the CRL (Certificate Revocation List) method.
 191      @constant kSecRevocationPreferCRL If this flag is set, then CRL revocation
 192      checking will be preferred over OCSP (by default, OCSP is preferred.)
 193      Note that this flag only matters if both revocation methods are specified.
 194      @constant kSecRevocationRequirePositiveResponse If this flag is set, then
 195      the policy will fail unless a verified positive response is obtained. If
 196      the flag is not set, revocation checking is done on a "best attempt" basis,
 197      where failure to reach the server is not considered fatal.
 198      @constant kSecRevocationNetworkAccessDisabled If this flag is set, then
 199      no network access is performed; only locally cached replies are consulted.
 200      @constant kSecRevocationUseAnyAvailableMethod Specifies that either
 201      OCSP or CRL may be used, depending on the method(s) specified in the
 202      certificate and the value of kSecRevocationPreferCRL.
 203  */
 204 CF_ENUM(CFOptionFlags) {
 205     kSecRevocationOCSPMethod = (1 << 0),
 206     kSecRevocationCRLMethod = (1 << 1),
 207     kSecRevocationPreferCRL = (1 << 2),
 208     kSecRevocationRequirePositiveResponse = (1 << 3),
 209     kSecRevocationNetworkAccessDisabled = (1 << 4),
 210     kSecRevocationUseAnyAvailableMethod = (kSecRevocationOCSPMethod |
 211                                            kSecRevocationCRLMethod)
 212 };
 213
 214 /*!
 215      @function SecPolicyCreateRevocation
 216      @abstract Returns a policy object for checking revocation of certificates.
 217      @result A policy object. The caller is responsible for calling CFRelease
 218      on this when it is no longer needed.
 219      @param revocationFlags Flags to specify revocation checking options.
 220      @discussion Use this function to create a revocation policy with behavior
 221      specified by revocationFlags. See the "Revocation Policy Constants" section
 222      for a description of these flags. Note: it is usually not necessary to
 223      create a revocation policy yourself unless you wish to override default
 224      system behavior (e.g. to force a particular method, or to disable
 225      revocation checking entirely.)
 226  */
 227 __nullable
 228 SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags)
 229     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
 230
 231 /*!
 232      @function SecPolicyCreateWithProperties
 233      @abstract Returns a policy object based on an object identifier for the
 234      policy type. See the "Policy Constants" section for a list of defined
 235      policy object identifiers.
 236      @param policyIdentifier The identifier for the desired policy type.
 237      @param properties (Optional) A properties dictionary. See "Policy Value
 238      Constants" for a list of currently defined property keys.
 239      @result The returned policy reference, or NULL if the policy could not be
 240      created.
 241  */
 242 __nullable
 243 SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
 244                                            CFDictionaryRef __nullable properties)
 245     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
 246
 247 CF_IMPLICIT_BRIDGING_DISABLED
 248 CF_ASSUME_NONNULL_END
 249
 250 /*
 251  *  Legacy functions (OS X only)
 252  */
 253 #if TARGET_OS_MAC && !TARGET_OS_IPHONE
 254 #include <Security/cssmtype.h>
 255
 256 CF_ASSUME_NONNULL_BEGIN
 257 CF_IMPLICIT_BRIDGING_ENABLED
 258
 259 /*!
 260     @enum Policy Value Constants (OS X)
 261     @discussion Predefined property key constants used to get or set values in
 262         a dictionary for a policy instance.
 263
 264         Some policy values may specify CFBooleanRef key usage constraints:
 265             kSecPolicyKU_DigitalSignature
 266             kSecPolicyKU_NonRepudiation
 267             kSecPolicyKU_KeyEncipherment
 268             kSecPolicyKU_DataEncipherment
 269             kSecPolicyKU_KeyAgreement
 270             kSecPolicyKU_KeyCertSign
 271             kSecPolicyKU_CRLSign
 272             kSecPolicyKU_EncipherOnly
 273             kSecPolicyKU_DecipherOnly
 274
 275         kSecPolicyKU policy values define certificate-level key purposes,
 276         in contrast to the key-level definitions in SecItem.h
 277
 278         For example, a key in a certificate might be acceptable to use for
 279         signing a CRL, but not for signing another certificate. In either
 280         case, this key would have the ability to sign (i.e. kSecAttrCanSign
 281         is true), but may only sign for specific purposes allowed by these
 282         policy constants. Similarly, a public key might have the capability
 283         to perform encryption or decryption, but the certificate in which it
 284         resides might have a decipher-only certificate policy.
 285
 286         These constants correspond to values defined in RFC 5280, section
 287         4.2.1.3 (Key Usage) which define the purpose of a key contained in a
 288         certificate, in contrast to section 4.1.2.7 which define the uses that
 289         a key is capable of.
 290
 291         Note: these constants are not available on iOS. Your code should
 292         avoid direct reliance on these values for making policy decisions
 293         and use higher level policies where possible.
 294
 295     @constant kSecPolicyKU_DigitalSignature Specifies that the certificate must
 296         have a key usage that allows it to be used for signing.
 297     @constant kSecPolicyKU_NonRepudiation Specifies that the certificate must
 298         have a key usage that allows it to be used for non-repudiation.
 299     @constant kSecPolicyKU_KeyEncipherment Specifies that the certificate must
 300         have a key usage that allows it to be used for key encipherment.
 301     @constant kSecPolicyKU_DataEncipherment Specifies that the certificate must
 302         have a key usage that allows it to be used for data encipherment.
 303     @constant kSecPolicyKU_KeyAgreement Specifies that the certificate must
 304         have a key usage that allows it to be used for key agreement.
 305     @constant kSecPolicyKU_KeyCertSign Specifies that the certificate must
 306         have a key usage that allows it to be used for signing certificates.
 307     @constant kSecPolicyKU_CRLSign Specifies that the certificate must
 308         have a key usage that allows it to be used for signing CRLs.
 309     @constant kSecPolicyKU_EncipherOnly Specifies that the certificate must
 310         have a key usage that permits it to be used for encryption only.
 311     @constant kSecPolicyKU_DecipherOnly Specifies that the certificate must
 312         have a key usage that permits it to be used for decryption only.
 313  */
 314 extern const CFStringRef kSecPolicyKU_DigitalSignature
 315     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
 316 extern const CFStringRef kSecPolicyKU_NonRepudiation
 317     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
 318 extern const CFStringRef kSecPolicyKU_KeyEncipherment
 319     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
 320 extern const CFStringRef kSecPolicyKU_DataEncipherment
 321     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
 322 extern const CFStringRef kSecPolicyKU_KeyAgreement
 323     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
 324 extern const CFStringRef kSecPolicyKU_KeyCertSign
 325     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
 326 extern const CFStringRef kSecPolicyKU_CRLSign
 327     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
 328 extern const CFStringRef kSecPolicyKU_EncipherOnly
 329     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
 330 extern const CFStringRef kSecPolicyKU_DecipherOnly
 331     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
 332
 333 /*!
 334      @function SecPolicyCreateWithOID
 335      @abstract Returns a policy object based on an object identifier for the
 336      policy type. See the "Policy Constants" section for a list of defined
 337      policy object identifiers.
 338      @param policyOID The OID of the desired policy.
 339      @result The returned policy reference, or NULL if the policy could not be
 340      created.
 341      @discussion This function is deprecated in Mac OS X 10.9 and later;
 342      use SecPolicyCreateWithProperties (or a more specific policy creation
 343      function) instead.
 344  */
 345 __nullable
 346 SecPolicyRef SecPolicyCreateWithOID(CFTypeRef policyOID)
 347     __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
 348
 349 /*!
 350      @function SecPolicyGetOID
 351      @abstract Returns a policy's object identifier.
 352      @param policyRef A policy reference.
 353      @param oid On return, a pointer to the policy's object identifier.
 354      @result A result code. See "Security Error Codes" (SecBase.h).
 355      @discussion This function is deprecated in Mac OS X 10.7 and later;
 356      use SecPolicyCopyProperties instead.
 357  */
 358 OSStatus SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID *oid)
 359     __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
 360
 361 /*!
 362      @function SecPolicyGetValue
 363      @abstract Returns a policy's value.
 364      @param policyRef A policy reference.
 365      @param value On return, a pointer to the policy's value.
 366      @result A result code. See "Security Error Codes" (SecBase.h).
 367      @discussion This function is deprecated in Mac OS X 10.7 and later;
 368      use SecPolicyCopyProperties instead.
 369  */
 370 OSStatus SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA *value)
 371     __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
 372
 373 /*!
 374      @function SecPolicySetValue
 375      @abstract Sets a policy's value.
 376      @param policyRef A policy reference.
 377      @param value The value to be set into the policy object, replacing any
 378      previous value.
 379      @result A result code. See "Security Error Codes" (SecBase.h).
 380      @discussion This function is deprecated in Mac OS X 10.7 and later. Policy
 381      instances should be considered read-only; in cases where your code would
 382      consider changing properties of a policy, it should instead create a new
 383      policy instance with the desired properties.
 384  */
 385 OSStatus SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value)
 386     __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
 387
 388 /*!
 389      @function SecPolicySetProperties
 390      @abstract Sets a policy's properties.
 391      @param policyRef A policy reference.
 392      @param properties A properties dictionary. See "Policy Value Constants"
 393      for a list of currently defined property keys. This dictionary replaces the
 394      policy's existing properties, if any. Note that the policy OID (specified
 395      by kSecPolicyOid) is a read-only property of the policy and cannot be set.
 396      @result A result code. See "Security Error Codes" (SecBase.h).
 397      @discussion This function is deprecated in Mac OS X 10.9 and later. Policy
 398      instances should be considered read-only; in cases where your code would
 399      consider changing properties of a policy, it should instead create a new
 400      policy instance with the desired properties.
 401  */
 402 OSStatus SecPolicySetProperties(SecPolicyRef policyRef,
 403                                 CFDictionaryRef properties)
 404     __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
 405
 406 /*!
 407      @function SecPolicyGetTPHandle
 408      @abstract Returns the CSSM trust policy handle for the given policy.
 409      @param policyRef A policy reference.
 410      @param tpHandle On return, a pointer to a value of type CSSM_TP_HANDLE.
 411      @result A result code. See "Security Error Codes" (SecBase.h).
 412      @discussion This function is deprecated in Mac OS X 10.7 and later.
 413  */
 414 OSStatus SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE *tpHandle)
 415     __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
 416
 417 CF_IMPLICIT_BRIDGING_DISABLED
 418 CF_ASSUME_NONNULL_END
 419
 420 #endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */
 421
 422 __END_DECLS
 423
 424 #endif /* !_SECURITY_SECPOLICY_H_ */