2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * SecCertificateServer.h - SecCertificate and SecCertificatePath types
26 * with additional validation context (usage constraints, anchoring, score, revocation and EV/CT state).
30 #ifndef _SECURITY_SECCERTIFICATESERVER_H_
31 #define _SECURITY_SECCERTIFICATESERVER_H_
33 #include <CoreFoundation/CoreFoundation.h>
35 #include <Security/SecCertificate.h>
36 #include <Security/SecCertificatePath.h>
38 #include <securityd/policytree.h>
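/* A single certificate together with the validation context (its usage
   constraints) under which it was added to a path. */
typedef struct SecCertificateVC *SecCertificateVCRef;

/* Create a SecCertificateVC pairing certificate with usageConstraints.
   The parameter is named usageConstraints to match the spelling used by
   SecCertificatePathVCCreate and SecCertificatePathVCSetUsageConstraintsAtIndex
   (the listing had "usageContraints").  Per the CF Create rule the caller
   presumably owns the returned reference and must CFRelease it -- confirm
   against the implementation. */
SecCertificateVCRef SecCertificateVCCreate(SecCertificateRef certificate, CFArrayRef usageConstraints);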
/* A certificate path, ordered from the leaf (index 0) up toward the root,
   carrying the additional validation context this header exposes through
   accessors: per-certificate usage constraints, self-issued/anchored state,
   next-source bookkeeping, score, revocation (RVC) state and the EV/CT/
   allowlist results. */
typedef struct SecCertificatePathVC *SecCertificatePathVCRef;
/* Create a new certificate path from an old one, adding certificate together
   with its usageConstraints (presumably above path's current top; the
   original comment only says the new path is derived from the old one).
   Per the CF Create rule the caller presumably owns the result and must
   CFRelease it -- confirm against the implementation. */
SecCertificatePathVCRef SecCertificatePathVCCreate(SecCertificatePathVCRef path,
                                                    SecCertificateRef certificate,
                                                    CFArrayRef usageConstraints);
/* Copy path with leaf added at the leaf end, so the existing certificates
   become leaf's issuer chain.  NOTE(review): the placement is inferred from
   the name and from SecCertificatePathVCCopyFromParent dropping certificates
   from the front; confirm in the implementation.  Caller-owned result per the
   CF Copy rule (presumably). */
SecCertificatePathVCRef SecCertificatePathVCCopyAddingLeaf(SecCertificatePathVCRef path,
                                                            SecCertificateRef leaf);
/* Return a new certificate path without the first skipCount certificates,
   i.e. the path as seen from the skipCount-th certificate upward.
   NOTE(review): no bound on skipCount is documented here; callers should
   keep it within [0, SecCertificatePathVCGetCount(path)].  Caller-owned
   result per the CF Copy rule (presumably). */
SecCertificatePathVCRef SecCertificatePathVCCopyFromParent(SecCertificatePathVCRef path, CFIndex skipCount);
/* Create an array of SecCertificateRefs from a certificate path.  The array
   carries none of the validation context (constraints, score, revocation,
   EV/CT state); callers that need those must keep the SecCertificatePathVC. */
CFArrayRef SecCertificatePathVCCopyCertificates(SecCertificatePathVCRef path);

/* Copy path as a plain SecCertificatePath (the base type from
   Security/SecCertificatePath.h), again without the additional validation
   context.  Both results are presumably caller-owned per the CF Copy rule. */
SecCertificatePathRef SecCertificatePathVCCopyCertificatePath(SecCertificatePathVCRef path);
/* Record the fact that we found our own root cert as our parent
   certificate, i.e. the certificate at the top of the path is self-issued.
   This is bookkeeping only; it does not make the path anchored/trusted
   (see SecCertificatePathVCSetIsAnchored). */
void SecCertificatePathVCSetSelfIssued(SecCertificatePathVCRef certificatePath);

/* True if the certificate at index ix of path is recorded as self-issued.
   ix should be in [0, SecCertificatePathVCGetCount(path)); out-of-range
   behaviour is not documented here. */
bool SecCertificatePathVCIsCertificateAtIndexSelfIssued(SecCertificatePathVCRef path, CFIndex ix);

/* Mark the path as ending in a trusted anchor (presumably; the name is the
   only indication).  Self-issued and anchored are distinct states: a
   self-signed top certificate is not trusted merely by being self-signed. */
void SecCertificatePathVCSetIsAnchored(SecCertificatePathVCRef certificatePath);
/* Return the index of the first non anchor certificate in the chain that is
   self signed counting from the leaf up. Return -1 if there is none. */
CFIndex SecCertificatePathVCSelfSignedIndex(SecCertificatePathVCRef certificatePath);

/* True once the path has been marked anchored via
   SecCertificatePathVCSetIsAnchored.  This -- not SecCertificatePathVCGetRoot
   and not self-signed-ness -- is the signal that the top of the path is a
   trusted anchor.  Note it returns CF Boolean while the neighbouring
   predicates return bool: treat any nonzero value as true, never compare
   against 1. */
Boolean SecCertificatePathVCIsAnchored(SecCertificatePathVCRef certificatePath);
/* Path-building bookkeeping: the index of the next certificate source to
   consult when trying to extend this path.  NOTE(review): semantics inferred
   from the name; the sources themselves are not declared in this header. */
void SecCertificatePathVCSetNextSourceIndex(SecCertificatePathVCRef certificatePath, CFIndex sourceIndex);

/* Read back the value stored by SecCertificatePathVCSetNextSourceIndex. */
CFIndex SecCertificatePathVCGetNextSourceIndex(SecCertificatePathVCRef certificatePath);
/* Number of certificates currently in certificatePath. */
CFIndex SecCertificatePathVCGetCount(SecCertificatePathVCRef certificatePath);

/* Certificate at index ix, index 0 being the leaf end.  Per the CF Get rule
   this is presumably a borrowed reference (do not CFRelease).  ix must be
   below SecCertificatePathVCGetCount(); out-of-range behaviour is not
   documented here. */
SecCertificateRef SecCertificatePathVCGetCertificateAtIndex(SecCertificatePathVCRef certificatePath, CFIndex ix);

/* Invoke operation on each certificate of path (presumably leaf first);
   the block may set *stop to true to end the iteration early. */
void SecCertificatePathVCForEachCertificate(SecCertificatePathVCRef path,
                                            void (^operation)(SecCertificateRef certificate, bool *stop));
/* Return the index of certificate in path or kCFNotFound if certificate is
   not in path.  Check for kCFNotFound before feeding the result to any of
   the ...AtIndex accessors in this header. */
CFIndex SecCertificatePathVCGetIndexOfCertificate(SecCertificatePathVCRef path,
                                                  SecCertificateRef certificate);
/* Return the root certificate for certificatePath. Note that root is just
   the top of the path as far as it is constructed. It may or may not be
   trusted or self signed.  Security note: never treat the returned
   certificate as a trust anchor on its own -- consult
   SecCertificatePathVCIsAnchored (and the verify/policy results) first.
   Presumably a borrowed reference per the CF Get rule. */
SecCertificateRef SecCertificatePathVCGetRoot(SecCertificatePathVCRef certificatePath);
/* Usage constraints recorded for the certificate at index ix (the array
   supplied when it was added, see SecCertificatePathVCCreate).  Presumably a
   borrowed reference per the CF Get rule. */
CFArrayRef SecCertificatePathVCGetUsageConstraintsAtIndex(SecCertificatePathVCRef certificatePath, CFIndex ix);

/* Replace the usage constraints of the certificate at index ix.
   NOTE the argument order: ix comes LAST, after newConstraints, unlike every
   other ...AtIndex function in this header where ix directly follows the
   path.  A transposed call is easy to write and not reliably diagnosed by
   the compiler, so double-check call sites. */
void SecCertificatePathVCSetUsageConstraintsAtIndex(SecCertificatePathVCRef certificatePath,
                                                    CFArrayRef newConstraints, CFIndex ix);

/* Public key of the certificate at index ix.  Presumably caller-owned per
   the CF Copy rule (release with CFRelease). */
SecKeyRef SecCertificatePathVCCopyPublicKeyAtIndex(SecCertificatePathVCRef certificatePath, CFIndex ix);
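/* Result of SecCertificatePathVCVerify.  The enum braces dropped from the
   listing are restored here so the three enumerators are valid C.
   Only kSecPathVerifySuccess (0) means the path verified.
   kSecPathVerifiesUnknown (-1) means no answer has been produced yet and
   must not be treated as success: test `status == kSecPathVerifySuccess`,
   never `status != kSecPathVerifyFailed`. */
typedef CFIndex SecPathVerifyStatus;
enum {
    kSecPathVerifiesUnknown = -1,
    kSecPathVerifySuccess = 0,
    kSecPathVerifyFailed = 1
};

/* Verify certificatePath (presumably each certificate's signature against
   its issuer in the path -- confirm in the implementation) and return one of
   the SecPathVerifyStatus values above. */
SecPathVerifyStatus SecCertificatePathVCVerify(SecCertificatePathVCRef certificatePath);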
/* True if the path is valid at verifyTime (presumably every certificate's
   validity period contains verifyTime -- confirm).  Pass the intended
   verification time explicitly rather than re-reading the clock at each
   call so results are reproducible across the validation steps. */
bool SecCertificatePathVCIsValid(SecCertificatePathVCRef certificatePath, CFAbsoluteTime verifyTime);

/* True if the path contains a certificate signed with a hash algorithm the
   implementation considers weak.  Which algorithms count is decided in the
   implementation, not here. */
bool SecCertificatePathVCHasWeakHash(SecCertificatePathVCRef certificatePath);

/* True if the path contains a certificate whose key is below the
   implementation's minimum size.  Like HasWeakHash this is a path-wide flag:
   a true result does not identify the offending certificate. */
bool SecCertificatePathVCHasWeakKeySize(SecCertificatePathVCRef certificatePath);
/* Compute a ranking score for certificatePath at verifyTime, used to choose
   among candidate paths.  NOTE(review): the scoring criteria are not visible
   here; a high score is a preference, not a trust decision. */
CFIndex SecCertificatePathVCScore(SecCertificatePathVCRef certificatePath,
                                  CFAbsoluteTime verifyTime);

/* Currently stored score. */
CFIndex SecCertificatePathVCGetScore(SecCertificatePathVCRef certificatePath);

/* Store score, but only if it is higher than the stored score (monotone
   non-decreasing; use SecCertificatePathVCResetScore to lower it). */
void SecCertificatePathVCSetScore(SecCertificatePathVCRef certificatePath, CFIndex score); // only sets score if new score is higher

/* Reset the stored score to 0. */
void SecCertificatePathVCResetScore(SecCertificatePathVCRef certificatePath); // reset score to 0
/* True once revocation checking for this path has completed (see also
   SecCertificatePathVCIsPathValidated). */
bool SecCertificatePathVCIsRevocationDone(SecCertificatePathVCRef certificatePath);

/* Allocate certCount per-certificate revocation-verification contexts (RVCs)
   for the path.  NOTE(review): presumably certCount must equal
   SecCertificatePathVCGetCount(); the relation is not stated here. */
void SecCertificatePathVCAllocateRVCs(SecCertificatePathVCRef certificatePath, CFIndex certCount);

/* Earliest "next update" time across the path's revocation state, i.e. the
   point after which the cached revocation result should be treated as stale
   (inferred from the name; confirm). */
CFAbsoluteTime SecCertificatePathVCGetEarliestNextUpdate(SecCertificatePathVCRef path);

/* RVC for the certificate at index ix.  The return is an untyped void * that
   the caller must cast to SecRVCRef (not declared in this header); nothing
   checks the cast, and the value is only meaningful after
   SecCertificatePathVCAllocateRVCs with a large enough certCount. */
void *SecCertificatePathVCGetRVCAtIndex(SecCertificatePathVCRef certificatePath, CFIndex ix); // Returns a SecRVCRef
129 bool SecCertificatePathVCIsRevocationRequiredForCertificateAtIndex(SecCertificatePathVCRef certificatePath
,
131 void SecCertificatePathVCSetRevocationRequiredForCertificateAtIndex(SecCertificatePathVCRef certificatePath
,
/* Did we already validate this path (setting EV, CT, RVC, etc.)?  The
   IsEV/IsCT/IsAllowlisted predicates below appear to report stored flags
   only, so consult this first when a false from them must mean "checked
   and failed" rather than "not yet checked". */
bool SecCertificatePathVCIsPathValidated(SecCertificatePathVCRef certificatePath);

/* Mark the path as validated. */
void SecCertificatePathVCSetPathValidated(SecCertificatePathVCRef certificatePath);
/* Extended Validation result for the path: IsEV reports the flag stored by
   SetIsEV.  IsOptionallyEV presumably asks whether the path could qualify
   for EV treatment rather than whether it has been granted it -- inferred
   from the name, confirm in the implementation. */
bool SecCertificatePathVCIsEV(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetIsEV(SecCertificatePathVCRef certificatePath, bool isEV);
bool SecCertificatePathVCIsOptionallyEV(SecCertificatePathVCRef certificatePath);

/* Certificate Transparency result for the path, as stored by SetIsCT. */
bool SecCertificatePathVCIsCT(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetIsCT(SecCertificatePathVCRef certificatePath, bool isCT);

/* Whether the path was accepted via an allowlist, as stored by
   SetIsAllowlisted.  Treat a true here as a policy exception that should be
   visible in diagnostics, not as a stronger form of trust; what the
   allowlist exempts is decided in the implementation, not here. */
bool SecCertificatePathVCIsAllowlisted(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetIsAllowlisted(SecCertificatePathVCRef certificatePath, bool isAllowlisted);
/* Run the certificate-policy tree check (securityd/policytree.h) over path.
   anchor_trusted tells it whether the top of the path is a trusted anchor
   (presumably so anchor constraints are applied correctly -- confirm).
   Returns true when the policy check passes; pass the same anchor judgement
   here as SecCertificatePathVCIsAnchored reports, not a hard-coded true. */
bool SecCertificatePathVCVerifyPolicyTree(SecCertificatePathVCRef path, bool anchor_trusted);
154 #endif /* _SECURITY_SECCERTIFICATESERVER_H_ */