]> git.saurik.com Git - apple/security.git/blob - OSX/sec/securityd/SecCertificateServer.h
Security-58286.1.32.tar.gz
[apple/security.git] / OSX / sec / securityd / SecCertificateServer.h
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * SecCertificateServer.h - SecCertificate and SecCertificatePath types
26 * with additonal validation context.
27 */
28
29
30 #ifndef _SECURITY_SECCERTIFICATESERVER_H_
31 #define _SECURITY_SECCERTIFICATESERVER_H_
32
33 #include <CoreFoundation/CoreFoundation.h>
34
35 #include <Security/SecCertificate.h>
36 #include <Security/SecCertificatePath.h>
37
38 #include <securityd/policytree.h>
39
40
41 typedef struct SecCertificateVC *SecCertificateVCRef;
42
43 SecCertificateVCRef SecCertificateVCCreate(SecCertificateRef certificate, CFArrayRef usageContraints);
44
45 typedef struct SecCertificatePathVC *SecCertificatePathVCRef;
46
47 /* Create a new certificate path from an old one. */
48 SecCertificatePathVCRef SecCertificatePathVCCreate(SecCertificatePathVCRef path,
49 SecCertificateRef certificate, CFArrayRef usageConstraints);
50
51 SecCertificatePathVCRef SecCertificatePathVCCopyAddingLeaf(SecCertificatePathVCRef path,
52 SecCertificateRef leaf);
53
54 /* Return a new certificate path without the first skipCount certificates. */
55 SecCertificatePathVCRef SecCertificatePathVCCopyFromParent(SecCertificatePathVCRef path, CFIndex skipCount);
56
57 /* Create an array of SecCertificateRefs from a certificate path. */
58 CFArrayRef SecCertificatePathVCCopyCertificates(SecCertificatePathVCRef path);
59
60 SecCertificatePathRef SecCertificatePathVCCopyCertificatePath(SecCertificatePathVCRef path);
61
62 /* Record the fact that we found our own root cert as our parent
63 certificate. */
64 void SecCertificatePathVCSetSelfIssued(SecCertificatePathVCRef certificatePath);
65 bool SecCertificatePathVCIsCertificateAtIndexSelfIssued(SecCertificatePathVCRef path, CFIndex ix);
66
67 void SecCertificatePathVCSetIsAnchored(SecCertificatePathVCRef certificatePath);
68
69 /* Return the index of the first non anchor certificate in the chain that is
70 self signed counting from the leaf up. Return -1 if there is none. */
71 CFIndex SecCertificatePathVCSelfSignedIndex(SecCertificatePathVCRef certificatePath);
72
73 Boolean SecCertificatePathVCIsAnchored(SecCertificatePathVCRef certificatePath);
74
75 void SecCertificatePathVCSetNextSourceIndex(SecCertificatePathVCRef certificatePath, CFIndex sourceIndex);
76
77 CFIndex SecCertificatePathVCGetNextSourceIndex(SecCertificatePathVCRef certificatePath);
78
79 CFIndex SecCertificatePathVCGetCount(SecCertificatePathVCRef certificatePath);
80
81 SecCertificateRef SecCertificatePathVCGetCertificateAtIndex(SecCertificatePathVCRef certificatePath, CFIndex ix);
82
83 void SecCertificatePathVCForEachCertificate(SecCertificatePathVCRef path, void(^operation)(SecCertificateRef certificate, bool *stop));
84
85 /* Return the index of certificate in path or kCFNotFound if certificate is
86 not in path. */
87 CFIndex SecCertificatePathVCGetIndexOfCertificate(SecCertificatePathVCRef path,
88 SecCertificateRef certificate);
89
90 /* Return the root certificate for certificatePath. Note that root is just
91 the top of the path as far as it is constructed. It may or may not be
92 trusted or self signed. */
93 SecCertificateRef SecCertificatePathVCGetRoot(SecCertificatePathVCRef certificatePath);
94
95 CFArrayRef SecCertificatePathVCGetUsageConstraintsAtIndex(SecCertificatePathVCRef certificatePath, CFIndex ix);
96
97 void SecCertificatePathVCSetUsageConstraintsAtIndex(SecCertificatePathVCRef certificatePath,
98 CFArrayRef newConstraints, CFIndex ix);
99
100 SecKeyRef SecCertificatePathVCCopyPublicKeyAtIndex(SecCertificatePathVCRef certificatePath, CFIndex ix);
101
102 typedef CFIndex SecPathVerifyStatus;
103 enum {
104 kSecPathVerifiesUnknown = -1,
105 kSecPathVerifySuccess = 0,
106 kSecPathVerifyFailed = 1
107 };
108
109 SecPathVerifyStatus SecCertificatePathVCVerify(SecCertificatePathVCRef certificatePath);
110
111 bool SecCertificatePathVCIsValid(SecCertificatePathVCRef certificatePath, CFAbsoluteTime verifyTime);
112
113 bool SecCertificatePathVCHasWeakHash(SecCertificatePathVCRef certificatePath);
114
115 bool SecCertificatePathVCHasWeakKeySize(SecCertificatePathVCRef certificatePath);
116
117 /* Score */
118 CFIndex SecCertificatePathVCScore(SecCertificatePathVCRef certificatePath,
119 CFAbsoluteTime verifyTime);
120 CFIndex SecCertificatePathVCGetScore(SecCertificatePathVCRef certificatePath);
121 void SecCertificatePathVCSetScore(SecCertificatePathVCRef certificatePath, CFIndex score); // only sets score if new score is higher
122 void SecCertificatePathVCResetScore(SecCertificatePathVCRef certificatePath); // reset score to 0
123
124 /* Revocation */
125 bool SecCertificatePathVCIsRevocationDone(SecCertificatePathVCRef certificatePath);
126 void SecCertificatePathVCAllocateRVCs(SecCertificatePathVCRef certificatePath, CFIndex certCount);
127 CFAbsoluteTime SecCertificatePathVCGetEarliestNextUpdate(SecCertificatePathVCRef path);
128 void *SecCertificatePathVCGetRVCAtIndex(SecCertificatePathVCRef certificatePath, CFIndex ix); // Returns a SecRVCRef
129 bool SecCertificatePathVCIsRevocationRequiredForCertificateAtIndex(SecCertificatePathVCRef certificatePath,
130 CFIndex ix);
131 void SecCertificatePathVCSetRevocationRequiredForCertificateAtIndex(SecCertificatePathVCRef certificatePath,
132 CFIndex ix);
133
134 /* Did we already validate this path (setting EV, CT, RVC, etc.) */
135 bool SecCertificatePathVCIsPathValidated(SecCertificatePathVCRef certificatePath);
136 void SecCertificatePathVCSetPathValidated(SecCertificatePathVCRef certificatePath);
137
138 /* EV */
139 bool SecCertificatePathVCIsEV(SecCertificatePathVCRef certificatePath);
140 void SecCertificatePathVCSetIsEV(SecCertificatePathVCRef certificatePath, bool isEV);
141 bool SecCertificatePathVCIsOptionallyEV(SecCertificatePathVCRef certificatePath);
142
143 /* CT */
144 bool SecCertificatePathVCIsCT(SecCertificatePathVCRef certificatePath);
145 void SecCertificatePathVCSetIsCT(SecCertificatePathVCRef certificatePath, bool isCT);
146
147 /* Allowlist */
148 bool SecCertificatePathVCIsAllowlisted(SecCertificatePathVCRef certificatePath);
149 void SecCertificatePathVCSetIsAllowlisted(SecCertificatePathVCRef certificatePath, bool isAllowlisted);
150
151 /* Policy Tree */
152 bool SecCertificatePathVCVerifyPolicyTree(SecCertificatePathVCRef path, bool anchor_trusted);
153
154 #endif /* _SECURITY_SECCERTIFICATESERVER_H_ */