]> git.saurik.com Git - apple/security.git/blob - cssm/cssmapple.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-58286.1.32.tar.gz
[apple/security.git] / cssm / cssmapple.h
1 /*
2 * Copyright (c) 2000-2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * cssmapple.h -- CSSM features specific to Apple's Implementation
24 */
25
26 #ifndef _CSSMAPPLE_H_
27 #define _CSSMAPPLE_H_ 1
28
29 #include <Security/SecBase.h>
30
31 #if SEC_OS_OSX_INCLUDES
32 #include <Security/cssmerr.h>
33 #include <Security/cssmtype.h>
34 #include <Security/x509defs.h> /* for CSSM_APPLE_TP_CERT_REQUEST fields */
35 #include <Security/certextensions.h> /* ditto */
36 #include <sys/types.h> /* for the BSD *_t types */
37 #include <stdbool.h>
38 #endif /* SEC_OS_OSX */
39
40 #ifdef __cplusplus
41 extern "C" {
42 #endif
43
44 #pragma clang diagnostic push
45 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
46
47 #if SEC_OS_OSX
48 /* Guids for standard Apple addin modules. */
49
50 /* CSSM itself: {87191ca0-0fc9-11d4-849a-000502b52122} */
51 extern const CSSM_GUID gGuidCssm;
52
53 /* File based DL (aka "Keychain DL"): {87191ca1-0fc9-11d4-849a-000502b52122} */
54 extern const CSSM_GUID gGuidAppleFileDL;
55
56 /* Core CSP (local space): {87191ca2-0fc9-11d4-849a-000502b52122} */
57 extern const CSSM_GUID gGuidAppleCSP;
58
59 /* Secure CSP/DL (aka "Keychain CSPDL): {87191ca3-0fc9-11d4-849a-000502b52122} */
60 extern const CSSM_GUID gGuidAppleCSPDL;
61
62 /* X509 Certificate CL: {87191ca4-0fc9-11d4-849a-000502b52122} */
63 extern const CSSM_GUID gGuidAppleX509CL;
64
65 /* X509 Certificate TP: {87191ca5-0fc9-11d4-849a-000502b52122} */
66 extern const CSSM_GUID gGuidAppleX509TP;
67
68 /* DLAP/OpenDirectory access DL: {87191ca6-0fc9-11d4-849a-000502b52122} */
69 extern const CSSM_GUID gGuidAppleLDAPDL;
70
71 /* TP for ".mac" related policies: {87191ca7-0fc9-11d4-849a-000502b52122} */
72 extern const CSSM_GUID gGuidAppleDotMacTP;
73
74 /* Smartcard CSP/DL: {87191ca8-0fc9-11d4-849a-000502b52122} */
75 extern const CSSM_GUID gGuidAppleSdCSPDL;
76
77 /* DL for ".mac" certificate access: {87191ca9-0fc9-11d4-849a-000502b52122} */
78 extern const CSSM_GUID gGuidAppleDotMacDL;
79
80
81 /* Apple defined WORDID values */
82 enum
83 {
84 CSSM_WORDID_KEYCHAIN_PROMPT = CSSM_WORDID_VENDOR_START,
85 CSSM_WORDID_KEYCHAIN_LOCK,
86 CSSM_WORDID_KEYCHAIN_CHANGE_LOCK,
87 CSSM_WORDID_PROCESS,
88 CSSM_WORDID__RESERVED_1, /* was used in 10.2 test seeds; no longer in use */
89 CSSM_WORDID_SYMMETRIC_KEY,
90 CSSM_WORDID_SYSTEM,
91 CSSM_WORDID_KEY,
92 CSSM_WORDID_PIN,
93 CSSM_WORDID_PREAUTH,
94 CSSM_WORDID_PREAUTH_SOURCE,
95 CSSM_WORDID_ASYMMETRIC_KEY,
96 CSSM_WORDID_PARTITION,
97 CSSM_WORDID_KEYBAG_KEY,
98 CSSM_WORDID__FIRST_UNUSED
99 };
100
101 /* Apple defined ACL subject and credential types */
102 enum
103 {
104 CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT,
105 CSSM_ACL_SUBJECT_TYPE_PROCESS = CSSM_WORDID_PROCESS,
106 CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE = CSSM_WORDID_SIGNATURE,
107 CSSM_ACL_SUBJECT_TYPE_COMMENT = CSSM_WORDID_COMMENT,
108 CSSM_ACL_SUBJECT_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY,
109 CSSM_ACL_SUBJECT_TYPE_PREAUTH = CSSM_WORDID_PREAUTH,
110 CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE = CSSM_WORDID_PREAUTH_SOURCE,
111 CSSM_ACL_SUBJECT_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY,
112 CSSM_ACL_SUBJECT_TYPE_PARTITION = CSSM_WORDID_PARTITION,
113 };
114
115 enum
116 {
117 CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT,
118 CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK = CSSM_WORDID_KEYCHAIN_LOCK,
119 CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK = CSSM_WORDID_KEYCHAIN_CHANGE_LOCK,
120 CSSM_SAMPLE_TYPE_PROCESS = CSSM_WORDID_PROCESS,
121 CSSM_SAMPLE_TYPE_COMMENT = CSSM_WORDID_COMMENT,
122 CSSM_SAMPLE_TYPE_RETRY_ID = CSSM_WORDID_PROPAGATE,
123 CSSM_SAMPLE_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY,
124 CSSM_SAMPLE_TYPE_PREAUTH = CSSM_WORDID_PREAUTH,
125 CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY,
126 CSSM_SAMPLE_TYPE_KEYBAG_KEY = CSSM_WORDID_KEYBAG_KEY,
127 // there is no CSSM_SAMPLE_TYPE_PREAUTH_SOURCE
128 };
129
130
131 /* Apple-defined ACL authorization tags */
132 enum {
133 CSSM_ACL_AUTHORIZATION_CHANGE_ACL = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START,
134 CSSM_ACL_AUTHORIZATION_CHANGE_OWNER,
135 CSSM_ACL_AUTHORIZATION_PARTITION_ID,
136 CSSM_ACL_AUTHORIZATION_INTEGRITY,
137
138 // the "pre-auth" tags form a contiguous range of (up to) 64K pre-authorizations
139 CSSM_ACL_AUTHORIZATION_PREAUTH_BASE =
140 CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START + 0x1000000,
141 CSSM_ACL_AUTHORIZATION_PREAUTH_END = CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + 0x10000
142 };
143
144 /* pre-authorization conversions (auth-tag to slot and back) */
145 #define CSSM_ACL_AUTHORIZATION_PREAUTH(slot) \
146 (CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + (slot))
147 #define CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth) \
148 ((auth) - CSSM_ACL_AUTHORIZATION_PREAUTH_BASE)
149 #define CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth) \
150 ((auth) >= CSSM_ACL_AUTHORIZATION_PREAUTH_BASE && \
151 (auth) < CSSM_ACL_AUTHORIZATION_PREAUTH_END)
152
153
154 /* Parameters and structures for Apple-defined ACL subjects and samples */
155
156 enum { /* types of code signatures - item 1 of CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE subjects */
157 CSSM_ACL_CODE_SIGNATURE_INVALID = 0, /* standard OS X code signature */
158 CSSM_ACL_CODE_SIGNATURE_OSX = 1 /* standard OS X code signature */
159 };
160
161 /* ACL subjects of type PROCESS */
162
163 enum { /* PROCESS_SUBJECT mask fields */
164 CSSM_ACL_MATCH_UID = 0x01, /* match userid against uid field */
165 CSSM_ACL_MATCH_GID = 0x02, /* match groupid against gid field */
166 CSSM_ACL_MATCH_HONOR_ROOT = 0x100, /* let root (uid 0) match any userid */
167 CSSM_ACL_MATCH_BITS = CSSM_ACL_MATCH_UID | CSSM_ACL_MATCH_GID
168 };
169
170 enum { /* PROCESS_SUBJECT structure version field */
171 CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION = 0x101
172 };
173
174 typedef struct cssm_acl_process_subject_selector { /* PROCESS_SUBJECT selector */
175 uint16 version; /* version of this selector */
176 uint16 mask; /* active fields mask */
177 uint32 uid; /* effective user id match */
178 uint32 gid; /* effective group id match */
179 } CSSM_ACL_PROCESS_SUBJECT_SELECTOR;
180
181 /* ACL subjects of type KEYCHAIN_PROMPT */
182
183 enum { /* KEYCHAIN_PROMPT structure version field */
184 CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION = 0x101
185 };
186
187 enum { /* KEYCHAIN_PROMPT operational flags */
188 CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE = 0x0001, /* require re-entering of passphrase */
189 /* the following bits are ignored by 10.4 and earlier */
190 CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED = 0x0010, /* prompt for unsigned clients */
191 CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED_ACT = 0x0020, /* UNSIGNED bit overrides system default */
192 CSSM_ACL_KEYCHAIN_PROMPT_INVALID = 0x0040, /* prompt for invalid signed clients */
193 CSSM_ACL_KEYCHAIN_PROMPT_INVALID_ACT = 0x0080, /* INVALID bit overrides system default */
194 };
195
196 typedef struct cssm_acl_keychain_prompt_selector { /* KEYCHAIN_PROMPT selector */
197 uint16 version; /* version of this selector */
198 uint16 flags; /* flag bits */
199 } CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR;
200
201 /* ACL subjects of type CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE */
202 typedef uint32 CSSM_ACL_PREAUTH_TRACKING_STATE;
203 enum { /* preauth tracking state */
204 CSSM_ACL_PREAUTH_TRACKING_COUNT_MASK = 0xff, /* mask for count status */
205 CSSM_ACL_PREAUTH_TRACKING_BLOCKED = 0, /* retries exhausted; the slot is blocked */
206 /* 0 .. 255 is a count of (re)tries remaining */
207
208 /* bits or'ed into any count given */
209 CSSM_ACL_PREAUTH_TRACKING_UNKNOWN = 0x40000000, /* status of slot is unknown (ignore count) */
210 CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED = 0x80000000 /* the slot is currently authorized (or'ed in) */
211 };
212
213
214 /* Apple defined values of a CSSM_DB_ACCESS_TYPE */
215 enum {
216 CSSM_DB_ACCESS_RESET = 0x10000 /* clear pre-authentications (or'ed bit) */
217 };
218
219
220 /* Apple defined algorithm IDs */
221 enum
222 {
223 CSSM_ALGID_APPLE_YARROW = CSSM_ALGID_VENDOR_DEFINED,
224 CSSM_ALGID_AES, /* RijnDael */
225 CSSM_ALGID_FEE, /* FEE Key Generation */
226 CSSM_ALGID_FEE_MD5, /* FEE/ElGamal signature w/ MD5 hash */
227 CSSM_ALGID_FEE_SHA1, /* FEE/ElGamal signature w/ SHA1 hash */
228 CSSM_ALGID_FEED, /* 1:1 FEE asymmetric encryption */
229 CSSM_ALGID_FEEDEXP, /* 2:1 FEE asymmetric encryption */
230 CSSM_ALGID_ASC, /* Apple Secure Compression */
231 CSSM_ALGID_SHA1HMAC_LEGACY, /* HMAC/SHA1, legacy compatible */
232 CSSM_ALGID_KEYCHAIN_KEY, /* derive or manipulate keychain master keys */
233 CSSM_ALGID_PKCS12_PBE_ENCR, /* PKCS12, encrypt/decrypt key */
234 CSSM_ALGID_PKCS12_PBE_MAC, /* PKCS12, MAC key */
235 CSSM_ALGID_SECURE_PASSPHRASE, /* passphrase acquired by SecurityServer */
236 CSSM_ALGID_PBE_OPENSSL_MD5, /* traditional openssl key derivation */
237 CSSM_ALGID_SHA256, /* 256-bit SHA2 */
238 CSSM_ALGID_SHA384, /* 384-bit SHA2 */
239 CSSM_ALGID_SHA512, /* 512-bit SHA2 */
240 CSSM_ALGID_ENTROPY_DEFAULT, /* default entropy source of (CSP) device, if any */
241 CSSM_ALGID_SHA224, /* SHA2, 224 bit */
242 CSSM_ALGID_SHA224WithRSA, /* RSA signature on SHA224 digest */
243 CSSM_ALGID_SHA256WithRSA, /* RSA signature on SHA256 digest */
244 CSSM_ALGID_SHA384WithRSA, /* RSA signature on SHA384 digest */
245 CSSM_ALGID_SHA512WithRSA, /* RSA signature on SHA512 digest */
246 CSSM_ALGID_OPENSSH1, /* OpenSSH v1 RSA key wrapping */
247 CSSM_ALGID_SHA224WithECDSA, /* ECDSA signature on SHA224 digest */
248 CSSM_ALGID_SHA256WithECDSA, /* ECDSA signature on SHA256 digest */
249 CSSM_ALGID_SHA384WithECDSA, /* ECDSA signature on SHA384 digest */
250 CSSM_ALGID_SHA512WithECDSA, /* ECDSA signature on SHA512 digest */
251 CSSM_ALGID_ECDSA_SPECIFIED, /* ECDSA with separate digest algorithm specifier */
252 CSSM_ALGID_ECDH_X963_KDF, /* ECDH with X9.63 key derivation */
253 CSSM_ALGID__FIRST_UNUSED
254 };
255
256 /* Apple defined padding */
257 enum
258 {
259 /* RFC 2246 section E.2 for SSLv2 rollback detection */
260 CSSM_PADDING_APPLE_SSLv2 = CSSM_PADDING_VENDOR_DEFINED
261 };
262
263
264 /* Apple defined keyblob formats */
265 enum {
266 CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED = 0x80000000
267 };
268 enum {
269 /* X509 SubjectPublicKeyInfo */
270 CSSM_KEYBLOB_RAW_FORMAT_X509 = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED,
271 /* OpenSSH v1 */
272 CSSM_KEYBLOB_RAW_FORMAT_OPENSSH,
273 /* openssl-style DSA private key */
274 CSSM_KEYBLOB_RAW_FORMAT_OPENSSL,
275 /* OpenSSH v2 */
276 CSSM_KEYBLOB_RAW_FORMAT_OPENSSH2
277 };
278
279 /* Apple adds some "common" error codes. CDSA does not define an official start value for this. */
280 enum
281 {
282 CSSM_CUSTOM_COMMON_ERROR_EXTENT = 0x00e0,
283
284 CSSM_ERRCODE_NO_USER_INTERACTION = 0x00e0,
285 CSSM_ERRCODE_USER_CANCELED = 0x00e1,
286 CSSM_ERRCODE_SERVICE_NOT_AVAILABLE = 0x00e2,
287 CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION = 0x00e3,
288 CSSM_ERRCODE_DEVICE_RESET = 0x00e4,
289 CSSM_ERRCODE_DEVICE_FAILED = 0x00e5,
290 CSSM_ERRCODE_IN_DARK_WAKE = 0x00e6
291 };
292
293 enum {
294 CSSMERR_CSSM_NO_USER_INTERACTION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
295 CSSMERR_AC_NO_USER_INTERACTION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
296 CSSMERR_CSP_NO_USER_INTERACTION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
297 CSSMERR_CL_NO_USER_INTERACTION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
298 CSSMERR_DL_NO_USER_INTERACTION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
299 CSSMERR_TP_NO_USER_INTERACTION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
300
301 CSSMERR_CSSM_USER_CANCELED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
302 CSSMERR_AC_USER_CANCELED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
303 CSSMERR_CSP_USER_CANCELED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
304 CSSMERR_CL_USER_CANCELED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
305 CSSMERR_DL_USER_CANCELED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
306 CSSMERR_TP_USER_CANCELED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
307
308 CSSMERR_CSSM_SERVICE_NOT_AVAILABLE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
309 CSSMERR_AC_SERVICE_NOT_AVAILABLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
310 CSSMERR_CSP_SERVICE_NOT_AVAILABLE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
311 CSSMERR_CL_SERVICE_NOT_AVAILABLE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
312 CSSMERR_DL_SERVICE_NOT_AVAILABLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
313 CSSMERR_TP_SERVICE_NOT_AVAILABLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
314
315 CSSMERR_CSSM_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
316 CSSMERR_AC_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
317 CSSMERR_CSP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
318 CSSMERR_CL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
319 CSSMERR_DL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
320 CSSMERR_TP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
321
322 CSSMERR_CSSM_DEVICE_RESET = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
323 CSSMERR_AC_DEVICE_RESET = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
324 CSSMERR_CSP_DEVICE_RESET = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
325 CSSMERR_CL_DEVICE_RESET = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
326 CSSMERR_DL_DEVICE_RESET = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
327 CSSMERR_TP_DEVICE_RESET = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
328
329 CSSMERR_CSSM_DEVICE_FAILED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
330 CSSMERR_AC_DEVICE_FAILED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
331 CSSMERR_CSP_DEVICE_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
332 CSSMERR_CL_DEVICE_FAILED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
333 CSSMERR_DL_DEVICE_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
334 CSSMERR_TP_DEVICE_FAILED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
335
336 CSSMERR_CSSM_IN_DARK_WAKE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
337 CSSMERR_AC_IN_DARK_WAKE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
338 CSSMERR_CSP_IN_DARK_WAKE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
339 CSSMERR_CL_IN_DARK_WAKE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
340 CSSMERR_DL_IN_DARK_WAKE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
341 CSSMERR_TP_IN_DARK_WAKE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE
342 };
343
344 /* AppleCSPDL, AppleCSP private error codes. */
345 enum {
346 CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT = CSSM_CSP_PRIVATE_ERROR + 0,
347 /*
348 * An attempt was made to use a public key which is incomplete due to
349 * the lack of algorithm-specific parameters.
350 */
351 CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE = CSSM_CSP_PRIVATE_ERROR + 1,
352
353 /* a code signature match failed */
354 CSSMERR_CSP_APPLE_SIGNATURE_MISMATCH = CSSM_CSP_PRIVATE_ERROR + 2,
355
356 /* Key StartDate/EndDate invalid */
357 CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE = CSSM_CSP_PRIVATE_ERROR + 3,
358 CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE = CSSM_CSP_PRIVATE_ERROR + 4,
359
360 /* Keychain Syncing error codes */
361 CSSMERR_CSPDL_APPLE_DL_CONVERSION_ERROR = CSSM_CSP_PRIVATE_ERROR + 5,
362
363 /* SSLv2 padding check: rollback attack detected */
364 CSSMERR_CSP_APPLE_SSLv2_ROLLBACK = CSSM_CSP_PRIVATE_ERROR + 6
365 };
366
367
368 /* AppleFileDL record types. */
369 enum
370 {
371 CSSM_DL_DB_RECORD_GENERIC_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0,
372 CSSM_DL_DB_RECORD_INTERNET_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 1,
373 CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 2,
374
375 CSSM_DL_DB_RECORD_X509_CERTIFICATE = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0x1000,
376 CSSM_DL_DB_RECORD_USER_TRUST,
377 CSSM_DL_DB_RECORD_X509_CRL,
378 CSSM_DL_DB_RECORD_UNLOCK_REFERRAL,
379 CSSM_DL_DB_RECORD_EXTENDED_ATTRIBUTE,
380 CSSM_DL_DB_RECORD_METADATA = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0x8000
381 };
382
383 /* AppleFileDL extentions: passthrough ids */
384 enum {
385 // Toggle whether or not to autocommit after modifying the database.
386 // The input parameter is a CSSM_BOOL, where TRUE turns autocommit on
387 // and FALSE turns it off.
388 CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT,
389
390 // Commit any pending changes to the database.
391 CSSM_APPLEFILEDL_COMMIT,
392
393 // Rollback and discard any pending changes to the database.
394 CSSM_APPLEFILEDL_ROLLBACK,
395
396 // Try to take the file lock on the underlying database
397 // Calling commit or rollback will release the lock
398 CSSM_APPLEFILEDL_TAKE_FILE_LOCK,
399
400 // Make a backup of this database in a new file
401 CSSM_APPLEFILEDL_MAKE_BACKUP,
402
403 // Make a copy of this database
404 CSSM_APPLEFILEDL_MAKE_COPY,
405
406 // Delete this database
407 CSSM_APPLEFILEDL_DELETE_FILE,
408 };
409
410 /* UNLOCK_REFERRAL "type" attribute values */
411 enum {
412 CSSM_APPLE_UNLOCK_TYPE_KEY_DIRECT = 1, // master secret key stored directly
413 CSSM_APPLE_UNLOCK_TYPE_WRAPPED_PRIVATE = 2, // master key wrapped by public key
414 CSSM_APPLE_UNLOCK_TYPE_KEYBAG = 3 // master key wrapped via keybag
415 };
416
417 /* Apple DL private error codes. */
418 enum
419 {
420 /* The OpenParameters argument passed to CSSM_DL_DbCreate or CSSM_DL_DbOpen
421 was neither NULL nor a pointer to a valid CSSM_APPLEDL_OPEN_PARAMETERS
422 structure. */
423 CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS = CSSM_DL_PRIVATE_ERROR + 0,
424
425 /* an operation failed because the disk was full */
426 CSSMERR_APPLEDL_DISK_FULL = CSSM_DL_PRIVATE_ERROR + 1,
427
428 /* an operation failed because a disk quota was exceeded */
429 CSSMERR_APPLEDL_QUOTA_EXCEEDED = CSSM_DL_PRIVATE_ERROR + 2,
430
431 /* an operation failed because a file was too large */
432 CSSMERR_APPLEDL_FILE_TOO_BIG = CSSM_DL_PRIVATE_ERROR + 3,
433
434 /* a keychain database's internal information ("blob") is invalid */
435 CSSMERR_APPLEDL_INVALID_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 4,
436 CSSMERR_APPLEDL_INVALID_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 5,
437
438 /* the internal data format version for a database's internal information ("blob") is invalid */
439 CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 6,
440 CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 7,
441 };
442
443 /* Apple X509TP private error codes. */
444 enum
445 {
446 /* Host name mismatch */
447 CSSMERR_APPLETP_HOSTNAME_MISMATCH = CSSM_TP_PRIVATE_ERROR + 0,
448 /* Non-understood extension with Critical flag true */
449 CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN = CSSM_TP_PRIVATE_ERROR + 1,
450 /* Basic Constraints extension required per policy, but not present */
451 CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 2,
452 /* Invalid BasicConstraints.CA */
453 CSSMERR_APPLETP_INVALID_CA = CSSM_TP_PRIVATE_ERROR + 3,
454 /* Invalid Authority Key ID */
455 CSSMERR_APPLETP_INVALID_AUTHORITY_ID = CSSM_TP_PRIVATE_ERROR + 4,
456 /* Invalid Subject Key ID */
457 CSSMERR_APPLETP_INVALID_SUBJECT_ID = CSSM_TP_PRIVATE_ERROR + 5,
458 /* Invalid Key Usage for policy */
459 CSSMERR_APPLETP_INVALID_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 6,
460 /* Invalid Extended Key Usage for policy */
461 CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 7,
462 /* Invalid Subject/Authority Key ID Linkage */
463 CSSMERR_APPLETP_INVALID_ID_LINKAGE = CSSM_TP_PRIVATE_ERROR + 8,
464 /* PathLengthConstraint exceeded */
465 CSSMERR_APPLETP_PATH_LEN_CONSTRAINT = CSSM_TP_PRIVATE_ERROR + 9,
466 /* Cert group terminated at a root cert which did not self-verify */
467 CSSMERR_APPLETP_INVALID_ROOT = CSSM_TP_PRIVATE_ERROR + 10,
468 /* CRL expired/not valid yet */
469 CSSMERR_APPLETP_CRL_EXPIRED = CSSM_TP_PRIVATE_ERROR + 11,
470 CSSMERR_APPLETP_CRL_NOT_VALID_YET = CSSM_TP_PRIVATE_ERROR + 12,
471 /* Cannot find appropriate CRL */
472 CSSMERR_APPLETP_CRL_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 13,
473 /* specified CRL server down */
474 CSSMERR_APPLETP_CRL_SERVER_DOWN = CSSM_TP_PRIVATE_ERROR + 14,
475 /* illegible CRL distribution point URL */
476 CSSMERR_APPLETP_CRL_BAD_URI = CSSM_TP_PRIVATE_ERROR + 15,
477 /* Unknown critical cert/CRL extension */
478 CSSMERR_APPLETP_UNKNOWN_CERT_EXTEN = CSSM_TP_PRIVATE_ERROR + 16,
479 CSSMERR_APPLETP_UNKNOWN_CRL_EXTEN = CSSM_TP_PRIVATE_ERROR + 17,
480 /* CRL not verifiable to anchor or root */
481 CSSMERR_APPLETP_CRL_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 18,
482 /* CRL verified to untrusted root */
483 CSSMERR_APPLETP_CRL_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 19,
484 /* CRL failed policy verification */
485 CSSMERR_APPLETP_CRL_POLICY_FAIL = CSSM_TP_PRIVATE_ERROR + 20,
486 /* IssuingDistributionPoint extension violation */
487 CSSMERR_APPLETP_IDP_FAIL = CSSM_TP_PRIVATE_ERROR + 21,
488 /* Cert not found at specified issuerAltName */
489 CSSMERR_APPLETP_CERT_NOT_FOUND_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 22,
490 /* Bad cert obtained from specified issuerAltName */
491 CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 23,
492 /* S/MIME Email address mismatch */
493 CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 24,
494 /* Appropriate S/MIME ExtendedKeyUsage not found */
495 CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 25,
496 /* S/MIME KeyUsage incompatibility */
497 CSSMERR_APPLETP_SMIME_BAD_KEY_USE = CSSM_TP_PRIVATE_ERROR + 26,
498 /* S/MIME, cert with KeyUsage flagged !critical */
499 CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 27,
500 /* S/MIME, leaf with empty subject name and no email addrs
501 * in SubjectAltName */
502 CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS = CSSM_TP_PRIVATE_ERROR + 28,
503 /* S/MIME, leaf with empty subject name, SubjectAltName
504 * not critical */
505 CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT = CSSM_TP_PRIVATE_ERROR + 29,
506 /* Appropriate SSL ExtendedKeyUsage not found */
507 CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 30,
508 /* unparseable OCSP response */
509 CSSMERR_APPLETP_OCSP_BAD_RESPONSE = CSSM_TP_PRIVATE_ERROR + 31,
510 /* unparseable OCSP request */
511 CSSMERR_APPLETP_OCSP_BAD_REQUEST = CSSM_TP_PRIVATE_ERROR + 32,
512 /* OCSP service unavailable */
513 CSSMERR_APPLETP_OCSP_UNAVAILABLE = CSSM_TP_PRIVATE_ERROR + 33,
514 /* OCSP status: cert unrecognized */
515 CSSMERR_APPLETP_OCSP_STATUS_UNRECOGNIZED = CSSM_TP_PRIVATE_ERROR + 34,
516 /* revocation check not successful for each cert */
517 CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK = CSSM_TP_PRIVATE_ERROR + 35,
518 /* general network error */
519 CSSMERR_APPLETP_NETWORK_FAILURE = CSSM_TP_PRIVATE_ERROR + 36,
520 /* OCSP response not verifiable to anchor or root */
521 CSSMERR_APPLETP_OCSP_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 37,
522 /* OCSP response verified to untrusted root */
523 CSSMERR_APPLETP_OCSP_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 38,
524 /* OCSP response signature error */
525 CSSMERR_APPLETP_OCSP_SIG_ERROR = CSSM_TP_PRIVATE_ERROR + 39,
526 /* No signer for OCSP response found */
527 CSSMERR_APPLETP_OCSP_NO_SIGNER = CSSM_TP_PRIVATE_ERROR + 40,
528 /* OCSP responder status: malformed request */
529 CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ = CSSM_TP_PRIVATE_ERROR + 41,
530 /* OCSP responder status: internal error */
531 CSSMERR_APPLETP_OCSP_RESP_INTERNAL_ERR = CSSM_TP_PRIVATE_ERROR + 42,
532 /* OCSP responder status: try later */
533 CSSMERR_APPLETP_OCSP_RESP_TRY_LATER = CSSM_TP_PRIVATE_ERROR + 43,
534 /* OCSP responder status: signature required */
535 CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED = CSSM_TP_PRIVATE_ERROR + 44,
536 /* OCSP responder status: unauthorized */
537 CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED = CSSM_TP_PRIVATE_ERROR + 45,
538 /* OCSP response nonce did not match request */
539 CSSMERR_APPLETP_OCSP_NONCE_MISMATCH = CSSM_TP_PRIVATE_ERROR + 46,
540 /* Illegal cert chain length for Code Signing */
541 CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 47,
542 /* Missing Basic Constraints for Code Signing */
543 CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 48,
544 /* Bad PathLengthConstraint for Code Signing */
545 CSSMERR_APPLETP_CS_BAD_PATH_LENGTH = CSSM_TP_PRIVATE_ERROR + 49,
546 /* Missing ExtendedKeyUsage for Code Signing */
547 CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 50,
548 /* Development style Code Signing Cert Detected */
549 CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT = CSSM_TP_PRIVATE_ERROR + 51,
550 /* Illegal cert chain length for Resource Signing */
551 CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 52,
552 /* Bad extended key usage for Resource Signing */
553 CSSMERR_APPLETP_RS_BAD_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 53,
554 /* Trust Setting: deny */
555 CSSMERR_APPLETP_TRUST_SETTING_DENY = CSSM_TP_PRIVATE_ERROR + 54,
556 /* Invalid empty SubjectName */
557 CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT = CSSM_TP_PRIVATE_ERROR + 55,
558 /* Unknown critical Qualified Cert Statement ID */
559 CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT = CSSM_TP_PRIVATE_ERROR + 56,
560 /* Missing required extension */
561 CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION = CSSM_TP_PRIVATE_ERROR + 57,
562 /* Extended key usage not marked critical */
563 CSSMERR_APPLETP_EXT_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 58,
564 /* Required name or identifier not present */
565 CSSMERR_APPLETP_IDENTIFIER_MISSING = CSSM_TP_PRIVATE_ERROR + 59,
566 /* Certificate authority pinning mismatch */
567 CSSMERR_APPLETP_CA_PIN_MISMATCH = CSSM_TP_PRIVATE_ERROR + 60
568 };
569
570 /* Apple .mac TP private error codes. */
571 enum
572 {
573 /* cert request queued */
574 CSSMERR_APPLE_DOTMAC_REQ_QUEUED = CSSM_TP_PRIVATE_ERROR + 100,
575 /* cert request redirected */
576 CSSMERR_APPLE_DOTMAC_REQ_REDIRECT = CSSM_TP_PRIVATE_ERROR + 101,
577 /* general server-reported error */
578 CSSMERR_APPLE_DOTMAC_REQ_SERVER_ERR = CSSM_TP_PRIVATE_ERROR + 102,
579 /* server-reported parameter error */
580 CSSMERR_APPLE_DOTMAC_REQ_SERVER_PARAM = CSSM_TP_PRIVATE_ERROR + 103,
581 /* server-reported authorization error */
582 CSSMERR_APPLE_DOTMAC_REQ_SERVER_AUTH = CSSM_TP_PRIVATE_ERROR + 104,
583 /* server-reported unimplemented */
584 CSSMERR_APPLE_DOTMAC_REQ_SERVER_UNIMPL = CSSM_TP_PRIVATE_ERROR + 105,
585 /* server-reported not available */
586 CSSMERR_APPLE_DOTMAC_REQ_SERVER_NOT_AVAIL = CSSM_TP_PRIVATE_ERROR + 106,
587 /* server-reported already exists */
588 CSSMERR_APPLE_DOTMAC_REQ_SERVER_ALREADY_EXIST = CSSM_TP_PRIVATE_ERROR + 107,
589 /* server-reported service error */
590 CSSMERR_APPLE_DOTMAC_REQ_SERVER_SERVICE_ERROR = CSSM_TP_PRIVATE_ERROR + 108,
591 /* request already pending for specified user */
592 CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING = CSSM_TP_PRIVATE_ERROR + 109,
593 /* no request pending for specified user */
594 CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING = CSSM_TP_PRIVATE_ERROR + 110,
595 /* CSR failed to verify */
596 CSSMERR_APPLE_DOTMAC_CSR_VERIFY_FAIL = CSSM_TP_PRIVATE_ERROR + 111,
597 /* server reported failed consistency check */
598 CSSMERR_APPLE_DOTMAC_FAILED_CONSISTENCY_CHECK = CSSM_TP_PRIVATE_ERROR + 112
599 };
600
601 enum
602 {
603 CSSM_APPLEDL_OPEN_PARAMETERS_VERSION = 1
604 };
605
606 enum cssm_appledl_open_parameters_mask
607 {
608 kCSSM_APPLEDL_MASK_MODE = (1 << 0)
609 };
610
611 /* Pass a CSSM_APPLEDL_OPEN_PARAMETERS_PTR as the OpenParameters argument to
612 CSSM_DL_DbCreate or CSSM_DL_DbOpen. When using this struct, you must zero
613 out the entire struct before setting any additional parameters to ensure
614 forward compatibility. */
615 typedef struct cssm_appledl_open_parameters
616 {
617 uint32 length; /* Should be sizeof(CSSM_APPLEDL_OPEN_PARAMETERS). */
618 uint32 version; /* Should be CSSM_APPLEDL_OPEN_PARAMETERS_VERSION. */
619
620 /* If no OpenParameters are specified, autoCommit is on (!CSSM_FALSE) by default.
621 When autoCommit is on (!CSSM_FALSE), changes made to the Db are written to disk
622 before returning from each function.
623 When autoCommit is off (CSSM_FALSE), changes made to the database are not guaranteed
624 to be written to disk until the Db is closed. This is useful for bulk writes.
625 Be aware that if autoCommit is off, changes made in previous calls to the DL might
626 get rolled back if a new modification operation fails. */
627 CSSM_BOOL autoCommit;
628
629 /* Mask marking which of the following fields are to be used. */
630 uint32 mask;
631
632 /* When calling DbCreate, the initial mode to create the database file with; ignored on DbOpen. You must set the kCSSM_APPLEDL_MASK_MODE bit in mask or mode is ignored. */
633 mode_t mode;
634 } CSSM_APPLEDL_OPEN_PARAMETERS, *CSSM_APPLEDL_OPEN_PARAMETERS_PTR;
635
636
637 /* AppleCSPDL passthough ids */
638 enum
639 {
640 /* Tell the SecurityServer to lock the database specified by the DLDBHandle argument.
641 The InputParams and OutputParams arguments are ignored. */
642 CSSM_APPLECSPDL_DB_LOCK = 0,
643
644 /* Tell the SecurityServer to unlock the database specified by the DLDBHandle argument.
645 The InputParameters argument is a CSSM_DATA_PTR containing the password, or NULL if
646 the SecurityServer should prompt for the password.
647 The OutputParams argument is ignored.
648 The SecurityServer will put up UI (though the SecurityAgent) when this function is called
649 iff InputParameters is NULL. */
650 CSSM_APPLECSPDL_DB_UNLOCK = 1,
651
652 /* Ask the SecurityServer to get the db settings specified for the database
653 specified by the DLDBHandle argument. The settings are returned in the OutputParameters argument.
654 The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR.
655 Upon successful completion, the AppleCSPDL will have allocated a
656 CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS structure using the application-specified
657 allocators for the DL attachment specified by the DLDBHandle argument. The structure will contain
658 the current database settings for the specified database. The client should free the
659 CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR after it has finished using it.
660 The InputParameters argument is ignored.
661 The SecurityServer might put up UI (though the SecurityAgent) when this function is called. */
662 CSSM_APPLECSPDL_DB_GET_SETTINGS = 2,
663
664 /* Tell the SecurityServer to set the db settings specified in InputParameters on the database
665 specified by the DLDBHandle argument.
666 The InputParameters argument is a const CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS * containing
667 the new settings for the specified database.
668 The OutputParams argument is ignored.
669 The SecurityServer might put up UI (though the SecurityAgent) when this function is called. */
670 CSSM_APPLECSPDL_DB_SET_SETTINGS = 3,
671
672 /* Ask the SecurityServer whether the database specified by the DLDBHandle argument is locked.
673 The InputParameters argument is ignored.
674 The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR.
675 Upon successful completion, the AppleCSPDL will have allocated a
676 CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS structure using the application-specified
677 allocators for the DL attachment specified by the DLDBHandle argument. The structure will contain
678 the current lock status for the specified database. The client should free the
679 CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR after it has finished using it.
680 The SecurityServer will put up UI (though the SecurityAgent) when this function is called. */
681 CSSM_APPLECSPDL_DB_IS_LOCKED = 4,
682
683 /* Tell the SecurityServer to change the password for the database specified by
684 the DLDBHandle.
685
686 The InputParameters argument is a const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS * containing
687 a CSSM_ACCESS_CREDENTIALS * which determines how the password will be changed. If the
688 accessCredentials are NULL, the SecurityAgent will prompt for the old and the new password for the
689 specified database. If credentials are specified, there should be 2 entries:
690 1. a 3-element list containing:
691 CSSM_WORDID_KEYCHAIN_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the old password.
692 2. a 3-element list containing:
693 CSSM_WORDID_KEYCHAIN_CHANGE_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the new password.
694
695 The OutputParams argument is ignored.
696 The SecurityServer might put up UI (though the SecurityAgent) when this function is called. */
697 CSSM_APPLECSPDL_DB_CHANGE_PASSWORD =5,
698
699 /* Return the SecurityServer database handle for the database specified by the DLDBHandle */
700 CSSM_APPLECSPDL_DB_GET_HANDLE = 6,
701
702 /* Given a CSSM_KEY for the CSPDL, return the SecurityServer key handle */
703 CSSM_APPLESCPDL_CSP_GET_KEYHANDLE = 7,
704
705 CSSM_APPLE_PRIVATE_CSPDL_CODE_8 = 8,
706 CSSM_APPLE_PRIVATE_CSPDL_CODE_9 = 9,
707 CSSM_APPLE_PRIVATE_CSPDL_CODE_10 = 10,
708 CSSM_APPLE_PRIVATE_CSPDL_CODE_11 = 11,
709 CSSM_APPLE_PRIVATE_CSPDL_CODE_12 = 12,
710 CSSM_APPLE_PRIVATE_CSPDL_CODE_13 = 13,
711 CSSM_APPLE_PRIVATE_CSPDL_CODE_14 = 14,
712 CSSM_APPLE_PRIVATE_CSPDL_CODE_15 = 15,
713 CSSM_APPLE_PRIVATE_CSPDL_CODE_16 = 16,
714 CSSM_APPLE_PRIVATE_CSPDL_CODE_17 = 17,
715 CSSM_APPLE_PRIVATE_CSPDL_CODE_18 = 18,
716 CSSM_APPLE_PRIVATE_CSPDL_CODE_19 = 19,
717 CSSM_APPLE_PRIVATE_CSPDL_CODE_20 = 20,
718 CSSM_APPLE_PRIVATE_CSPDL_CODE_21 = 21,
719 CSSM_APPLE_PRIVATE_CSPDL_CODE_22 = 22,
720 CSSM_APPLE_PRIVATE_CSPDL_CODE_23 = 23,
721 CSSM_APPLE_PRIVATE_CSPDL_CODE_24 = 24,
722 CSSM_APPLE_PRIVATE_CSPDL_CODE_25 = 25,
723 CSSM_APPLE_PRIVATE_CSPDL_CODE_26 = 26,
724 CSSM_APPLE_PRIVATE_CSPDL_CODE_27 = 27,
725
726 /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the
727 * associated key blob.
728 * Key is specified in CSSM_CSP_CreatePassThroughContext.
729 * Hash is allocated bythe CSP, in the App's memory, and returned
730 * in *outData. */
731 CSSM_APPLECSP_KEYDIGEST = 0x100
732 };
733
734
735
736 /* AppleCSPDL passthough parameters */
737 typedef struct cssm_applecspdl_db_settings_parameters
738 {
739 uint32 idleTimeout; // seconds idle timeout lock
740 uint8 lockOnSleep; // lock database when system sleeps
741 } CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS, *CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR;
742
743 /* AppleCSPDL passthough parameters */
744 typedef struct cssm_applecspdl_db_is_locked_parameters
745 {
746 uint8 isLocked; // True iff the database is locked
747 } CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS, *CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR;
748
749 /* AppleCSPDL passthough parameters */
750 typedef struct cssm_applecspdl_db_change_password_parameters
751 {
752 CSSM_ACCESS_CREDENTIALS *accessCredentials;
753 } CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS, *CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS_PTR;
754
755 /* Custom wrapped key formats */
756 enum {
757 CSSM_KEYBLOB_WRAPPED_FORMAT_APPLE_CUSTOM = 100,
758 CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSL, // traditional openssl
759 CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSH1 // OpenSSH v1
760 };
761
762 /*
763 * Custom context attributes for AppleCSP.
764 */
765 enum {
766 CSSM_ATTRIBUTE_VENDOR_DEFINED = 0x800000
767 };
768
769 enum {
770 /*
771 * Public Key attribute for use with CSSM_ALGID_FEED.
772 */
773 CSSM_ATTRIBUTE_PUBLIC_KEY =
774 (CSSM_ATTRIBUTE_DATA_KEY | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 0)),
775
776 /*
777 * FEE key attributes.
778 * See CSSM_FEE_PRIME_TYPE_xxx, CSSM_FEE_CURVE_TYPE_xxx enums, below.
779 */
780 CSSM_ATTRIBUTE_FEE_PRIME_TYPE =
781 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 1)),
782 CSSM_ATTRIBUTE_FEE_CURVE_TYPE =
783 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 2)),
784
785 /*
786 * Apple Secure Compression (ComCryption) optimization.
787 * See CSSM_ASC_OPTIMIZE_xxx, enums, below.
788 */
789 CSSM_ATTRIBUTE_ASC_OPTIMIZATION =
790 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 3)),
791
792 /*
793 * RSA blinding. Value is integer, nonzero (blinding on) or zero.
794 */
795 CSSM_ATTRIBUTE_RSA_BLINDING =
796 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 4)),
797
798 /*
799 * Additional public key from which to obtain algorithm-specific
800 * parameters.
801 */
802 CSSM_ATTRIBUTE_PARAM_KEY =
803 (CSSM_ATTRIBUTE_DATA_KEY | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 5)),
804
805 /*
806 * Prompt string for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
807 * Data is a UTF8-encoded external representation of a CFString.
808 */
809 CSSM_ATTRIBUTE_PROMPT =
810 (CSSM_ATTRIBUTE_DATA_CSSM_DATA | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 6)),
811
812 /*
813 * Alert panel title for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
814 * Data is a UTF8-encoded external representation of a CFString.
815 */
816 CSSM_ATTRIBUTE_ALERT_TITLE =
817 (CSSM_ATTRIBUTE_DATA_CSSM_DATA | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 7)),
818
819 /*
820 * Boolean to specify whether secure passphrase is being used to encrypt or to
821 * recover data. In the former case the user will be prompted to enter the
822 * passphrase twice. Value is integer, nonzero (verify passphrase) or zero.
823 */
824 CSSM_ATTRIBUTE_VERIFY_PASSPHRASE =
825 (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 8))
826
827 };
828
829 /*
830 * FEE key pair prime modulus types.
831 */
832 enum {
833 CSSM_FEE_PRIME_TYPE_DEFAULT = 0, /* default per key size */
834 CSSM_FEE_PRIME_TYPE_MERSENNE, /* (2 ** q) - 1Ê*/
835 CSSM_FEE_PRIME_TYPE_FEE, /* (2 ** q) - k */
836 CSSM_FEE_PRIME_TYPE_GENERAL /* random prime */
837 };
838
839 /*
840 * FEE curve types. Comments refer to equation
841 *
842 * y**2 = x**3 + c(x**2) + ax + b
843 */
844 enum {
845 CSSM_FEE_CURVE_TYPE_DEFAULT = 0, /* default per key size */
846 CSSM_FEE_CURVE_TYPE_MONTGOMERY, /* a==1, b==0 */
847 CSSM_FEE_CURVE_TYPE_WEIERSTRASS, /* c==0. IEEE P1363 compliant. */
848 CSSM_FEE_CURVE_TYPE_ANSI_X9_62 /* ANSI X9.62 compatible */
849 };
850
851 /*
852 * Apple Secure Compression (ComCryption) optimization attributes.
853 */
854 enum {
855 CSSM_ASC_OPTIMIZE_DEFAULT = 0,
856 CSSM_ASC_OPTIMIZE_SIZE, /* max compression (currently the default) */
857 CSSM_ASC_OPTIMIZE_SECURITY, /* currently not implemented */
858 CSSM_ASC_OPTIMIZE_TIME, /* min runtime */
859 CSSM_ASC_OPTIMIZE_TIME_SIZE, /* implies loss of security */
860 CSSM_ASC_OPTIMIZE_ASCII, /* optimized for ASCC text, not implemented */
861 };
862
863 /*
864 * Apple custom CSSM_KEYATTR_FLAGS.
865 */
866 enum {
867 /*
868 * When set, indicates a public key which is incomplete (though
869 * still valid) due to the lack of algorithm-specific parameters.
870 */
871 CSSM_KEYATTR_PARTIAL = 0x00010000,
872
873 /*
874 * When set, public keys are stored encrypted. Default is to store
875 * public keys in the clear. AppleCSPDL only.
876 */
877 CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT = 0x00020000
878 };
879
880 /*
881 * Name/OID pair used in CSSM_APPLE_TP_CERT_REQUEST
882 */
883 typedef struct {
884 const char *string;
885 const CSSM_OID *oid;
886 } CSSM_APPLE_TP_NAME_OID;
887
888 /*
889 * Certificate request passed to CSSM_TP_SubmitCredRequest() in the
890 * CSSM_TP_AUTHORITY_REQUEST_TYPE.Requests field. Used for requesting
891 * both locally-generated certs (CSSMOID_APPLE_TP_LOCAL_CERT_GEN) and
892 * cert signing requests (CSSMOID_APPLE_TP_CSR_GEN).
893 */
894 typedef struct {
895 CSSM_CSP_HANDLE cspHand; // sign with this CSP
896 CSSM_CL_HANDLE clHand; // and this CL
897 uint32 serialNumber;
898 uint32 numSubjectNames;// size subjectNames[]
899 CSSM_APPLE_TP_NAME_OID *subjectNames;
900
901 /*
902 * Issuer name can be expressed in the simplified CSSM_APPLE_TP_NAME_OID
903 * array, as is the subject name, or as an CSSM_X509_NAME, which is
904 * typically obtained from a signing cert.
905 * Exactly one of {issuerNames, issuerNameX509} must be non-NULL.
906 */
907 uint32 numIssuerNames; // size issuerNames[]
908 CSSM_APPLE_TP_NAME_OID *issuerNames; // optional; NULL implies root
909 // (signer == subject)
910 CSSM_X509_NAME_PTR issuerNameX509;
911 const CSSM_KEY *certPublicKey;
912 const CSSM_KEY *issuerPrivateKey;
913
914 /* Unfortunately there is no practical way to map any algorithm
915 * to its appropriate OID, and we need both.... */
916 CSSM_ALGORITHMS signatureAlg; // e.g., CSSM_ALGID_SHA1WithRSA
917 CSSM_OID signatureOid; // e.g., CSSMOID_SHA1WithRSA
918 uint32 notBefore; // relative to "now"
919 uint32 notAfter;
920 uint32 numExtensions;
921 CE_DataAndType *extensions; // optional
922
923 /*
924 * Optional challenge string for CSSMOID_APPLE_TP_CSR_GEN.
925 */
926 const char *challengeString;
927 } CSSM_APPLE_TP_CERT_REQUEST;
928
929 /*
930 * Options for X509TP's CSSM_TP_CertGroupVerify for policy CSSMOID_APPLE_TP_SSL.
931 * A pointer to, and length of, one of these is optionally placed in
932 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
933 */
934 #define CSSM_APPLE_TP_SSL_OPTS_VERSION 1
935
936 /*
937 * Values for CSSM_APPLE_TP_SSL_OPTIONS.flags.
938 *
939 * Set this flag when evaluating a client cert.
940 */
941 #define CSSM_APPLE_TP_SSL_CLIENT 0x00000001
942
943 typedef struct {
944 uint32 Version; // CSSM_APPLE_TP_SSL_OPTS_VERSION
945
946 /*
947 * The domain name of the server (e.g., "store.apple.com".) In the
948 * SSL and TLS protocols, this must match the common name of the
949 * subject cert. Expressed as a C string, optionally NULL terminated
950 * if it is NULL terminated, the length field should include the NULL).
951 */
952 uint32 ServerNameLen;
953 const char *ServerName; // optional
954
955 /* new fields for struct version 1 */
956 uint32 Flags;
957 } CSSM_APPLE_TP_SSL_OPTIONS;
958
959 /*
960 * Options for X509TP's CSSM_TP_CertGroupVerify for policy
961 * CSSMOID_APPLE_TP_REVOCATION_CRL. A pointer to, and length of, one
962 * of these is optionally placed in
963 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
964 */
965 #define CSSM_APPLE_TP_CRL_OPTS_VERSION 0
966
967 typedef uint32 CSSM_APPLE_TP_CRL_OPT_FLAGS;
968 enum {
969 // require CRL verification for each cert; default is "try"
970 CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT = 0x00000001,
971 // enable fetch from network
972 CSSM_TP_ACTION_FETCH_CRL_FROM_NET = 0x00000002,
973 // if set and positive CRL verify for given cert, no further revocation
974 // checking need be done on that cert
975 CSSM_TP_ACTION_CRL_SUFFICIENT = 0x00000004,
976 // require CRL verification for certs which claim a CRL provider
977 CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT = 0x00000008
978 };
979
980 typedef struct {
981 uint32 Version; // CSSM_APPLE_TP_CRL_OPTS_VERSION
982 CSSM_APPLE_TP_CRL_OPT_FLAGS CrlFlags;
983
984 /*
985 * When non-NULL, store CRLs fetched from net here.
986 * This is most likely a pointer to one of the
987 * CSSM_TP_CALLERAUTH_CONTEXT.DBList entries but that
988 * is not a strict requirement.
989 */
990 CSSM_DL_DB_HANDLE_PTR crlStore;
991 } CSSM_APPLE_TP_CRL_OPTIONS;
992
993 /*
994 * Options for X509TP's CSSM_TP_CertGroupVerify for policy
995 * CSSMOID_APPLE_TP_SMIME. A pointer to, and length of, one
996 * of these is optionally placed in
997 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
998 */
999 #define CSSM_APPLE_TP_SMIME_OPTS_VERSION 0
1000 typedef struct {
1001 uint32 Version; // CSSM_APPLE_TP_SMIME_OPTS_VERSION
1002
1003 /*
1004 * Intended usage of the leaf cert. The cert's KeyUsage extension,
1005 * if present, must be a superset of this.
1006 */
1007 CE_KeyUsage IntendedUsage;
1008
1009 /*
1010 * The email address of the sender. If there is an email address
1011 * in the sender's cert, that email address must match this one.
1012 * Both (email address in the cert, and this one) are optional.
1013 * Expressed as a C string, optionally NULL terminated (i.e.,
1014 * SenderEmail[SenderEmailLen - 1] may or may not be NULL).
1015 */
1016 uint32 SenderEmailLen;
1017 const char *SenderEmail; // optional
1018 } CSSM_APPLE_TP_SMIME_OPTIONS;
1019
1020
1021 /*
1022 * Optional ActionData for all X509TP CertGroupVerify policies.
1023 * A pointer to, and length of, one of these is optionally placed in
1024 * CSSM_TP_VERIFY_CONTEXT.ActionData.
1025 */
1026 typedef uint32 CSSM_APPLE_TP_ACTION_FLAGS;
1027 enum {
1028 CSSM_TP_ACTION_ALLOW_EXPIRED = 0x00000001, // allow expired certs
1029 CSSM_TP_ACTION_LEAF_IS_CA = 0x00000002, // first cert is a CA
1030 CSSM_TP_ACTION_FETCH_CERT_FROM_NET = 0x00000004, // enable net fetch of CA cert
1031 CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT = 0x00000008, // allow expired roots
1032 CSSM_TP_ACTION_REQUIRE_REV_PER_CERT = 0x00000010, // require positive revocation
1033 // check per cert
1034 CSSM_TP_ACTION_TRUST_SETTINGS = 0x00000020, // use TrustSettings instead of
1035 // anchors
1036 CSSM_TP_ACTION_IMPLICIT_ANCHORS = 0x00000040 // properly self-signed certs are
1037 // treated as anchors implicitly
1038 };
1039
1040 #define CSSM_APPLE_TP_ACTION_VERSION 0
1041 typedef struct {
1042 uint32 Version; // CSSM_APPLE_TP_ACTION_VERSION
1043 CSSM_APPLE_TP_ACTION_FLAGS ActionFlags; // CSSM_TP_ACTION_ALLOW_EXPIRED, etc.
1044 } CSSM_APPLE_TP_ACTION_DATA;
1045
1046 /*
1047 * Per-cert evidence returned from CSSM_TP_CertGroupVerify.
1048 * An array of these is presented in CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[2].
1049 * Same number of these as in the cert group in Evidence[1].
1050 */
1051
1052 #endif /* SEC_OS_OSX */
1053
1054 /* First, an array of bits indicating various status of the cert. */
1055 typedef uint32 CSSM_TP_APPLE_CERT_STATUS;
1056 enum
1057 {
1058 CSSM_CERT_STATUS_EXPIRED = 0x00000001,
1059 CSSM_CERT_STATUS_NOT_VALID_YET = 0x00000002,
1060 CSSM_CERT_STATUS_IS_IN_INPUT_CERTS = 0x00000004,
1061 CSSM_CERT_STATUS_IS_IN_ANCHORS = 0x00000008,
1062 CSSM_CERT_STATUS_IS_ROOT = 0x00000010,
1063 CSSM_CERT_STATUS_IS_FROM_NET = 0x00000020,
1064 /* settings found in per-user Trust Settings */
1065 CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_USER = 0x00000040,
1066 /* settings found in Admin Trust Settings */
1067 CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_ADMIN = 0x00000080,
1068 /* settings found in System Trust Settings */
1069 CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_SYSTEM = 0x00000100,
1070 /* Trust Settings result = Trust */
1071 CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST = 0x00000200,
1072 /* Trust Settings result = Deny */
1073 CSSM_CERT_STATUS_TRUST_SETTINGS_DENY = 0x00000400,
1074 /* Per-cert error ignored due to Trust Settings */
1075 CSSM_CERT_STATUS_TRUST_SETTINGS_IGNORED_ERROR = 0x00000800
1076 };
1077
1078 typedef struct {
1079 CSSM_TP_APPLE_CERT_STATUS StatusBits;
1080 uint32 NumStatusCodes;
1081 CSSM_RETURN *StatusCodes;
1082
1083 /* index into raw cert group or AnchorCerts depending on IS_IN_ANCHORS */
1084 uint32 Index;
1085
1086 /* nonzero if cert came from a DLDB */
1087 CSSM_DL_DB_HANDLE DlDbHandle;
1088 CSSM_DB_UNIQUE_RECORD_PTR UniqueRecord;
1089
1090 #if SEC_OS_IPHONE
1091 /* CRLReason code if cert is revoked */
1092 sint32 CrlReason;
1093 #endif /* SEC_OS_IPHONE */
1094 } CSSM_TP_APPLE_EVIDENCE_INFO;
1095
1096 #if SEC_OS_OSX
1097
1098 /*
1099 * CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[0], basically defines which version/flavor
1100 * of remaining evidence is.
1101 */
1102 #define CSSM_TP_APPLE_EVIDENCE_VERSION 0
1103 typedef struct
1104 {
1105 uint32 Version;
1106 } CSSM_TP_APPLE_EVIDENCE_HEADER;
1107
1108
1109 /*
1110 * Apple-specific CSSM_EVIDENCE_FORM values
1111 *
1112 * The form of the evidence returns from CSSM_TP_CertGroupVerify is:
1113 *
1114 * EvidenceForm contents of *Evidence
1115 * ------------ ---------------------
1116 * CSSM_EVIDENCE_FORM_APPLE_HEADER CSSM_TP_APPLE_EVIDENCE_HEADER
1117 * CSSM_EVIDENCE_FORM_APPLE_CERTGROUP CSSM_CERTGROUP
1118 * CSSM_EVIDENCE_FORM_APPLE_CERT_INFO array of CSSM_TP_APPLE_EVIDENCE_INFO, size
1119 * CSSM_CERTGROUP.NumCerts
1120 */
1121
1122 #define CSSM_EVIDENCE_FORM_APPLE_CUSTOM 0x80000000
1123 enum
1124 {
1125 CSSM_EVIDENCE_FORM_APPLE_HEADER = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 0,
1126 CSSM_EVIDENCE_FORM_APPLE_CERTGROUP = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 1,
1127 CSSM_EVIDENCE_FORM_APPLE_CERT_INFO = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 2
1128 };
1129
1130 /* AppleX509CL extensions: passthrough ids */
1131 enum {
1132 /*
1133 * Obtain a signed Certificate Signing Request.
1134 * Input = CSSM_APPLE_CL_CSR_REQUEST
1135 * Output = allocated CSSM_DATA which points to a DER-encoded CSR.
1136 */
1137 CSSM_APPLEX509CL_OBTAIN_CSR,
1138
1139 /*
1140 * Perform signature verify of a CSR.
1141 * Input: CSSM_DATA referring to a DER-encoded CSR.
1142 * Output: Nothing, returns CSSMERR_CL_VERIFICATION_FAILURE on
1143 * on failure.
1144 */
1145 CSSM_APPLEX509CL_VERIFY_CSR
1146 };
1147
1148 /*
1149 * Used in CL's CSSM_APPLEX509_OBTAIN_CSR Passthrough. This is the
1150 * input; the output is a CSSM_DATA * containing the signed and
1151 * DER-encoded CSR.
1152 */
1153 typedef struct {
1154 CSSM_X509_NAME_PTR subjectNameX509;
1155
1156 /* Unfortunately there is no practical way to map any algorithm
1157 * to its appropriate OID, and we need both.... */
1158 CSSM_ALGORITHMS signatureAlg; // e.g., CSSM_ALGID_SHA1WithRSA
1159 CSSM_OID signatureOid; // e.g., CSSMOID_SHA1WithRSA
1160
1161 CSSM_CSP_HANDLE cspHand; // sign with this CSP
1162 const CSSM_KEY *subjectPublicKey;
1163 const CSSM_KEY *subjectPrivateKey;
1164
1165 /*
1166 * Optional challenge string.
1167 */
1168 const char *challengeString;
1169 } CSSM_APPLE_CL_CSR_REQUEST;
1170
1171 /*
1172 * When a CRL with no NextUpdate field is encountered, we use this time
1173 * as the NextUpdate attribute when storing in a DB. It represents the
1174 * virtual end of time in CSSM_TIMESTRING form.
1175 */
1176 #define CSSM_APPLE_CRL_END_OF_TIME "99991231235959"
1177
1178 /*
1179 * Default filesystem names and locations for SecurityServer features
1180 * (included here for lack of a better place)
1181 */
1182 #define kKeychainSuffix ".keychain"
1183 #define kKeychainDbSuffix ".keychain-db"
1184 #define kSystemKeychainName "System.keychain"
1185 #define kSystemKeychainDir "/Library/Keychains/"
1186 #define kSystemUnlockFile "/var/db/SystemKey"
1187
1188 /*
1189 * CSSM ACL tags used to store partition/integrity data in ACLs
1190 */
1191 #define CSSM_APPLE_ACL_TAG_PARTITION_ID "___PARTITION___"
1192 #define CSSM_APPLE_ACL_TAG_INTEGRITY "___INTEGRITY___"
1193
1194
1195 void cssmPerror(const char *how, CSSM_RETURN error);
1196
1197 /* Convert between CSSM_OID and CSSM_ALGORITHMS */
1198 bool cssmOidToAlg(const CSSM_OID *oid, CSSM_ALGORITHMS *alg);
1199 const CSSM_OID *cssmAlgToOid(CSSM_ALGORITHMS algId);
1200
1201 /*
1202 * The MacOS OSStatus space has an embedding for UNIX errno values, similar to
1203 * the way we embed CSSM_RETURN values in OSStatus. These are the base and limit
1204 * values for this embedding.
1205 */
1206 #define errSecErrnoBase 100000
1207 #define errSecErrnoLimit 100255
1208
1209 #endif /* SEC_OS_OSX */
1210
1211 #pragma clang diagnostic pop
1212
1213 #ifdef __cplusplus
1214 }
1215 #endif // __cplusplus
1216
1217 #endif /* _CSSMAPPLE_H_ */
mirror of Security