1 /*
2 * Copyright (c) 2007-2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
/*
   SecCertificateInternal: project-private declarations for inspecting the
   parsed contents of an X.509 certificate. Not public API.
 */
27
28 #ifndef _SECURITY_SECCERTIFICATEINTERNAL_H_
29 #define _SECURITY_SECCERTIFICATEINTERNAL_H_
30
31 #include <TargetConditionals.h>
32 #include <libDER/DER_Keys.h>
33
34 #include <Security/SecBase.h>
35 #include <Security/SecCertificatePriv.h>
36
37 #include <Security/certextensions.h>
38
// This header is only meant to be included under the iOS view of the Security
// headers. When building the macOS TAPI view instead, the certificate-extension
// types it depends on are not available, so opaque placeholders are declared below.
#if SECURITY_PROJECT_TAPI_HACKS && SEC_OS_OSX
/* Placeholder type definitions for the macOS TAPI view (presumably because
   <Security/certextensions.h> does not define them in that configuration).
   They exist only so the declarations below type-check: NO_ENUM_VALUES stands
   in for the real SecCEGeneralNameType enumerators, and the empty structs
   (a compiler extension -- ISO C requires at least one member) are opaque.
   Nothing that compiles in this configuration may dereference, size or
   construct them. */
typedef enum {
    NO_ENUM_VALUES,
} SecCEGeneralNameType; // The real enum values are already declared.

typedef struct {} SecCEBasicConstraints;
typedef struct {} SecCEPolicyConstraints;
typedef struct {} SecCEPolicyMapping;
typedef struct {} SecCEPolicyMappings;
typedef struct {} SecCECertificatePolicies;
typedef struct {} SecCEInhibitAnyPolicy;
#endif
53
54 __BEGIN_DECLS
55
/* The accessors in this header follow the CoreFoundation naming convention:
   a "Get" function returns a reference owned by the certificate (do not
   CFRelease it, and do not use it after the certificate is released);
   "Copy"/"Create" functions return a +1 reference the caller must CFRelease.
   NOTE(review): the value returned when an extension is absent (presumably
   NULL) is not stated in this header; confirm against the implementation. */

/* Authority key identifier of certificate (presumably the keyIdentifier field
   of the AuthorityKeyIdentifier extension). */
CFDataRef SecCertificateGetAuthorityKeyID(SecCertificateRef certificate);
/* Value of the SubjectKeyIdentifier extension of certificate. */
CFDataRef SecCertificateGetSubjectKeyID(SecCertificateRef certificate);

/* Return an array of CFURLRefs, each of which is a CRL distribution point for
   this certificate. */
CFArrayRef SecCertificateGetCRLDistributionPoints(SecCertificateRef certificate);

/* Return an array of CFURLRefs, each of which is an OCSP responder for this
   certificate. */
CFArrayRef SecCertificateGetOCSPResponders(SecCertificateRef certificate);

/* Return an array of CFURLRefs, each of which is a caIssuers URI for this
   certificate.
   The three URL lists above come straight out of the certificate, i.e. from
   data that has not yet been validated. Treat them as untrusted input when
   fetching: restrict schemes, bound sizes and timeouts, and never let the
   fetch result alone decide trust. */
CFArrayRef SecCertificateGetCAIssuers(SecCertificateRef certificate);
70
/* Dump certificate for debugging. */
void SecCertificateShow(SecCertificateRef certificate);

/* Return the normalized form of distinguished_name (presumably a DER-encoded
   X.501 Name; see createNormalizedX501Name below), or NULL if it fails to
   parse. The result is +1 ("Copy"): the caller must CFRelease it. Always
   check for NULL before using the result as a comparison key. */
CFDataRef SecDistinguishedNameCopyNormalizedContent(CFDataRef distinguished_name);

/* Return true iff the certificate has a subject. */
bool SecCertificateHasSubject(SecCertificateRef certificate);
/* Return true iff the certificate has a subject alt name extension marked
   critical. RFC 5280 §4.1.2.6 requires a certificate with an empty subject
   to carry a critical subjectAltName; this predicate together with
   SecCertificateHasSubject lets a caller enforce that rule. */
bool SecCertificateHasCriticalSubjectAltName(SecCertificateRef certificate);

/* Return the contents of the SubjectAltName extension, borrowed from the
   certificate's parsed data (do not free; valid only while certificate is).
   NOTE(review): presumably the extension's extnValue (the DER GeneralNames),
   not the whole Extension structure -- confirm against the implementation. */
const DERItem * SecCertificateGetSubjectAltName(SecCertificateRef certificate);

/* Return true if certificate contains one or more critical extensions we
   are unable to parse. RFC 5280 §4.2 requires a relying party to reject a
   certificate with an unrecognized critical extension, so trust evaluation
   must treat true as a hard failure, not a warning. */
bool SecCertificateHasUnknownCriticalExtension(SecCertificateRef certificate);
88
/* Return an attribute dictionary used to store this item in a keychain.
   The result is +1 ("Copy"): the caller must CFRelease it. */
CFDictionaryRef SecCertificateCopyAttributeDictionary(
    SecCertificateRef certificate);

/* Return a certificate from the attribute dictionary that was used to store
   this item in a keychain. The result is +1 ("Create"): the caller must
   CFRelease it. NOTE(review): the failure value (presumably NULL when
   refAttributes holds no parseable certificate) is not documented here --
   check for NULL regardless. Being present in a keychain says nothing about
   whether the certificate is trusted. */
SecCertificateRef SecCertificateCreateFromAttributeDictionary(
    CFDictionaryRef refAttributes);
97
/* The extension accessors below return pointers into the certificate's parsed
   representation (borrowed: do not free, valid only while certificate is) and,
   presumably, NULL when the extension is absent -- confirm the absent-extension
   value against the implementation before relying on it. The struct layouts
   come from <Security/certextensions.h>. */

/* Return the SecCEBasicConstraints extension for this certificate if it
   has one. */
const SecCEBasicConstraints *
SecCertificateGetBasicConstraints(SecCertificateRef certificate);

/* Returns array of CFDataRefs containing the generalNames that are
   Permitted Subtree Name Constraints for this certificate if it has
   any. */
CFArrayRef SecCertificateGetPermittedSubtrees(SecCertificateRef certificate);

/* Returns array of CFDataRefs containing the generalNames that are
   Excluded Subtree Name Constraints for this certificate if it has
   any. In RFC 5280 §4.2.1.10 processing a name matching any excluded
   subtree is rejected regardless of the permitted subtrees. */
CFArrayRef SecCertificateGetExcludedSubtrees(SecCertificateRef certificate);

/* Return the SecCEPolicyConstraints extension for this certificate if it
   has one. */
const SecCEPolicyConstraints *
SecCertificateGetPolicyConstraints(SecCertificateRef certificate);

/* Return the SecCEPolicyMappings extension for this certificate if it has
   one. (The earlier comment describing a CFDictionaryRef from CFDataRef to
   CFArrayRef of CFDataRef was stale: the declared return type is a pointer
   to the parsed extension struct.) */
const SecCEPolicyMappings *
SecCertificateGetPolicyMappings(SecCertificateRef certificate);

/* Return the SecCECertificatePolicies extension for this certificate if it
   has one. */
const SecCECertificatePolicies *
SecCertificateGetCertificatePolicies(SecCertificateRef certificate);

/* Return the SecCEInhibitAnyPolicy extension for this certificate if it has
   one. NOTE(review): the earlier comment described a uint32_t result
   (UINT32_MAX when the extension is absent or invalid, else the SkipCerts
   value); the declared return type is a pointer to the parsed extension, so
   that comment was stale. The skipCerts count is presumably a field of
   SecCEInhibitAnyPolicy -- see certextensions.h. */
const SecCEInhibitAnyPolicy *
SecCertificateGetInhibitAnyPolicySkipCerts(SecCertificateRef certificate);
133
/* Return the public key algorithm identifier (OID and, when present, its
   parameters) for certificate. Borrowed pointer: valid only while
   certificate is. */
const DERAlgorithmId *SecCertificateGetPublicKeyAlgorithm(
    SecCertificateRef certificate);

/* Return the raw public key data for certificate (presumably the contents of
   the subjectPublicKey BIT STRING, not a SecKeyRef -- confirm against the
   implementation). Borrowed pointer: valid only while certificate is. */
const DERItem *SecCertificateGetPublicKeyData(SecCertificateRef certificate);

/* Return legacy property values for use by SecCertificateCopyValues.
   The result is +1 ("Copy"): the caller must CFRelease it. */
CFArrayRef SecCertificateCopyLegacyProperties(SecCertificateRef certificate);
143
144 // MARK: -
145 // MARK: Certificate Operations
146
/* Verify the certificate's signature with issuerKey. Returns an OSStatus:
   0 (errSecSuccess) on success, nonzero on failure -- compare against
   errSecSuccess rather than testing the value as a boolean, since the sense
   is the opposite of the bool predicates elsewhere in this header. Only the
   signature is checked against the supplied key; this establishes nothing
   about whether issuerKey is trusted, nor anything else a full chain
   evaluation does (validity period, name constraints, revocation). */
OSStatus SecCertificateIsSignedBy(SecCertificateRef certificate,
    SecKeyRef issuerKey);

#ifndef SECURITY_PROJECT_TAPI_HACKS
/* Internal helper (no Sec prefix, hidden from the TAPI view): append one
   property entry of type propertyType with the given label/localizedLabel
   and value to properties. The exact role of the localized flag is not
   stated here; presumably it selects which label is displayed -- confirm
   against the implementation. */
void appendProperty(CFMutableArrayRef properties, CFStringRef propertyType,
    CFStringRef label, CFStringRef localizedLabel, CFTypeRef value, bool localized);
#endif
154
/* Utility functions. */

/* Return the dotted-decimal text form of the DER OID contents in oid,
   allocated with allocator. +1 ("Copy"): the caller must CFRelease it. */
CFStringRef SecDERItemCopyOIDDecimalRepresentation(CFAllocatorRef allocator,
    const DERItem *oid);

#ifndef SECURITY_PROJECT_TAPI_HACKS
/* Internal helper (no Sec prefix, hidden from the TAPI view): build the
   normalized form of the DER-encoded X.501 name x501name, allocated with
   allocator. +1 ("create"): the caller must CFRelease it. */
CFDataRef createNormalizedX501Name(CFAllocatorRef allocator,
    const DERItem *x501name);
#endif

/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. tag is
   the DER tag that selects between the two encodings; bytes/length is the
   tag's content (DER content is not NUL-terminated: length is authoritative).
   Return an absoluteTime if the date was valid and properly decoded. Return
   NULL_TIME otherwise. NULL_TIME is not declared in this header; callers
   must compare against it explicitly, because a sentinel silently used as
   a real date would defeat validity-period checks. */
CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes,
    size_t length);
169
/* Return true if certificate carries an extension identified by oid.
   oid is a CFTypeRef: presumably either a dotted-decimal CFStringRef or the
   DER-encoded CFDataRef that SecCertificateCreateOidDataFromString produces
   -- confirm which forms are accepted. As the name suggests, presumably only
   presence is tested; the extension value is not inspected. */
bool SecCertificateHasMarkerExtension(SecCertificateRef certificate, CFTypeRef oid);

/* Callback invoked once per GeneralName by the two parsers below. type is
   the GeneralName choice, value its DER content (borrowed from the input
   buffer: do not retain it beyond the call), context the caller's opaque
   pointer. The OSStatus it returns is presumably propagated and stops the
   parse when nonzero -- confirm against the implementation. */
typedef OSStatus (*parseGeneralNameCallback)(void *context,
    SecCEGeneralNameType type, const DERItem *value);
/* Parse a single GeneralName whose tag is tag and whose content is
   generalNameContent, invoking callback with context. */
OSStatus SecCertificateParseGeneralNameContentProperty(DERTag tag,
    const DERItem *generalNameContent,
    void *context, parseGeneralNameCallback callback);

/* Parse a DER-encoded GeneralNames sequence, invoking callback once per
   element. Both parsers consume untrusted certificate bytes: treat a
   nonzero return as a parse failure and discard any names delivered
   before it. */
OSStatus SecCertificateParseGeneralNames(const DERItem *generalNames, void *context,
    parseGeneralNameCallback callback);
180
/* Key-strength predicates. The "weak" and "strong" thresholds are defined by
   the implementation, not here, and these are separate predicates: do not
   assume !SecCertificateIsWeakKey implies SecCertificateIsStrongKey. */
bool SecCertificateIsWeakKey(SecCertificateRef certificate);
/* Return true if the certificate's public key meets the minimum size given
   by keySizes (presumably a dictionary keyed by key type whose values are
   minimum sizes in bits -- confirm against the implementation). */
bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate,
    CFDictionaryRef keySizes);
bool SecCertificateIsStrongKey(SecCertificateRef certificate);
185
/* Identifiers for the digest algorithm of a certificate's signature, defined
   in the implementation; only the Unknown value is visible to the TAPI view.
   MD2, MD4, MD5 and SHA-1 are broken or deprecated for signatures -- see
   SecCertificateIsWeakHash below. */
extern const CFStringRef kSecSignatureDigestAlgorithmUnknown;
#ifndef SECURITY_PROJECT_TAPI_HACKS
extern const CFStringRef kSecSignatureDigestAlgorithmMD2;
extern const CFStringRef kSecSignatureDigestAlgorithmMD4;
extern const CFStringRef kSecSignatureDigestAlgorithmMD5;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA1;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA224;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA256;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA384;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA512;
#endif

/* Return true if the certificate is signed with a digest algorithm the
   implementation considers weak. Which identifiers above count as weak is
   decided by the implementation; NOTE(review): confirm how an Unknown digest
   is classified -- an unrecognized algorithm should not be treated as strong
   by default. */
bool SecCertificateIsWeakHash(SecCertificateRef certificate);

/* Return the DER-encoded OID contents for a dotted-decimal string, allocated
   with allocator. +1 ("Create"): the caller must CFRelease it. Presumably
   returns NULL when string is not a valid OID -- check for NULL. */
CFDataRef SecCertificateCreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string);
/* Return true if oid is syntactically a dotted-decimal OID string. */
bool SecCertificateIsOidString(CFStringRef oid);

/* Return the value of the extension identified by oid (presumably the same
   oid forms as SecCertificateHasMarkerExtension), or NULL when absent.
   NOTE(review): unlike the other Get accessors this returns a non-const
   DERItem *, but it still points at certificate-owned storage: callers must
   not write through it or keep it past the certificate's lifetime. */
DERItem *SecCertificateGetExtensionValue(SecCertificateRef certificate, CFTypeRef oid);
204
/* Name extraction helpers. Each returns a +1 CFArrayRef ("Copy") that the
   caller must CFRelease; presumably NULL or an empty array when nothing
   matches -- handle both. Element types (CFStringRef vs CFDataRef,
   especially for IP addresses) are not stated here; confirm against the
   implementation. */

/* DNS names taken from the subject name (commonName-style fallback). */
CFArrayRef SecCertificateCopyDNSNamesFromSubject(SecCertificateRef certificate);
/* IP addresses taken from the subject name. */
CFArrayRef SecCertificateCopyIPAddressesFromSubject(SecCertificateRef certificate);
/* RFC 822 (email) addresses taken from the subject name. */
CFArrayRef SecCertificateCopyRFC822NamesFromSubject(SecCertificateRef certificate);

/* DNS names taken from the subjectAltName extension. For host-name matching
   RFC 6125 §6.4.4 treats the SAN as authoritative and the subject CN only as
   a legacy fallback: prefer this function and consult the Subject variant
   only when the certificate presents no SAN DNS names. */
CFArrayRef SecCertificateCopyDNSNamesFromSAN(SecCertificateRef certificate);
210
211 __END_DECLS
212
213 #endif /* !_SECURITY_SECCERTIFICATEINTERNAL_H_ */