OSX/sec/securityd/SecPolicyServer.h

   1 /*
   2  * Copyright (c) 2008-2010,2012-2015 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*!
  25     @header SecPolicyServer
  26     The functions provided in SecPolicyServer.h provide an interface to
  27     trust policies dealing with certificate revocation.
  28 */
  29
  30 #ifndef _SECURITY_SECPOLICYSERVER_H_
  31 #define _SECURITY_SECPOLICYSERVER_H_
  32
  33 #include <Security/SecPolicyInternal.h>
  34 #include <Security/SecTrustSettings.h>
  35
  36 #include <securityd/policytree.h>
  37 #include <securityd/SecTrustServer.h>
  38
  39 __BEGIN_DECLS
  40
  41 typedef struct OpaqueSecPVC *SecPVCRef;
  42
  43 struct OpaqueSecPVC {
  44     SecPathBuilderRef builder;
  45
  46     /* @@@ Duplicated from builder, remove. */
  47         CFArrayRef policies;
  48         CFAbsoluteTime verifyTime;
  49
  50     SecCertificatePathRef path;
  51     CFArrayRef details;
  52     CFMutableDictionaryRef info;
  53     policy_tree_t valid_policy_tree;
  54     CFDictionaryRef callbacks;
  55     CFIndex policyIX;
  56
  57     void *rvcs;
  58     unsigned int asyncJobCount;
  59
  60     CFStringRef check_revocation;
  61     bool response_required;
  62     bool online_revocation;
  63     bool optionally_ev;
  64     bool is_ev;
  65     bool is_ct;
  66     bool is_ct_whitelisted;
  67     bool is_allowlisted;
  68     bool result;
  69 };
  70
  71 void SecPVCInit(SecPVCRef pvc, SecPathBuilderRef builder, CFArrayRef policies,
  72     CFAbsoluteTime verifyTime);
  73 void SecPVCDelete(SecPVCRef pvc);
  74 void SecPVCSetPath(SecPVCRef pvc, SecCertificatePathRef path,
  75     CF_CONSUMED CFArrayRef details);
  76 SecPolicyRef SecPVCGetPolicy(SecPVCRef pv);
  77 CFAbsoluteTime SecPVCGetVerifyTime(SecPVCRef pv);
  78 CFIndex SecPVCGetCertificateCount(SecPVCRef pv);
  79 SecCertificateRef SecPVCGetCertificateAtIndex(SecPVCRef pv, CFIndex ix);
  80 bool SecPVCIsCertificateAtIndexSelfIssued(SecPVCRef pvc, CFIndex ix);
  81 bool SecPVCIsAnchored(SecPVCRef pvc);
  82
  83 /* Set the string result as the reason for the sub policy check key
  84    failing.  The policy check function should continue processing if
  85    this function returns true. */
  86 bool SecPVCSetResult(SecPVCRef pv, CFStringRef key, CFIndex ix,
  87         CFTypeRef result);
  88 bool SecPVCSetResultForced(SecPVCRef pvc,
  89         CFStringRef key, CFIndex ix, CFTypeRef result, bool force);
  90
  91 /* Enable revocation checking if the rest of the policy checks succeed. */
  92 void SecPVCSetCheckRevocation(SecPVCRef pvc, CFStringRef method);
  93
  94 /* Require a revocation response for the leaf certificate. */
  95 void SecPVCSetCheckRevocationResponseRequired(SecPVCRef pvc);
  96
  97 /* Require a online revocation response for the chain. */
  98 void SecPVCSetCheckRevocationOnline(SecPVCRef pvc);
  99
 100 /* Run static leaf checks on the path in pvc. */
 101 bool SecPVCLeafChecks(SecPVCRef pvc);
 102
 103 /* Run static parent checks on the path in pvc. */
 104 bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix);
 105
 106 /* Check whether an intermediate certificates key has been blacklisted. */
 107 bool SecPVCBlackListedKeyChecks(SecPVCRef pvc, CFIndex ix);
 108
 109 /* Check whether an intermediate certificates key has been gray listed. */
 110 bool SecPVCGrayListedKeyChecks(SecPVCRef pvc, CFIndex ix);
 111
 112 /* Run dynamic checks on the complete path in pvc.  Return true if the
 113    operation is complete, returns false if an async backgroup request was
 114    scheduled.  Upon completion of the async background job
 115    SecPathBuilderStep() should be called. */
 116 bool SecPVCPathChecks(SecPVCRef pvc);
 117
 118 /* Return 0 if any certs revocation checking failed, the earliest date on
 119    which one of the used revocation validation tokens (ocsp response or
 120    crl) expires.  */
 121 CFAbsoluteTime SecPVCGetEarliestNextUpdate(SecPVCRef pvc);
 122
 123 typedef void (*SecPolicyCheckFunction)(SecPVCRef pv, CFStringRef key);
 124
 125 /*
 126     Used by SecTrust to verify if a particular certificate chain matches
 127         this policy.  Returns true if the policy accepts the certificate chain.
 128 */
 129 bool SecPolicyValidate(SecPolicyRef policy, SecPVCRef pvc, CFStringRef key);
 130
 131 void SecPolicyServerInitalize(void);
 132
 133 /* True iff certificate could be an extended validation (EV) certificate. */
 134 bool SecPolicySubscriberCertificateCouldBeEV(SecCertificateRef certificate);
 135
 136 void SecEVPolicyToAnchorDigestsInit(void);
 137
 138 SecTrustSettingsResult SecPVCGetTrustSettingsResult(SecPVCRef pvc, SecCertificateRef certificate, CFArrayRef constraints);
 139
 140 bool SecPVCCheckUsageConstraints(SecPVCRef pvc);
 141
 142 bool SecPVCCheckIssuerDateConstraints(SecPVCRef pvc);
 143
 144 __END_DECLS
 145
 146 #endif /* !_SECURITY_SECPOLICYSERVER_H_ */