1 #ifndef _CERT_VERIFY_H_
2 #define _CERT_VERIFY_H_
3
4 #include <clAppUtils/BlobList.h>
5 #include <Security/cssmtype.h>
6 #include <Security/cssmapple.h>
7
8 /* must be C++ since we use BlobList */
9 extern "C" {
10
/*
 * Display verify results.
 *
 * vfyResult: result structure from a CSSM TP verify call. Which call fills
 *            it is not visible in this header — presumably the one made
 *            inside certVerify(); confirm against the definition.
 * Output goes to the console (inferred from the name; this header does not
 * say where).
 */
void dumpVfyResult(
	const CSSM_TP_VERIFY_CONTEXT_RESULT *vfyResult);
14
/*
 * Which Apple TP policy to verify against.
 *
 * Values are positional (CVP_Basic is 0, the rest follow in declaration
 * order). This header does not map them to policy OIDs, so do not rely on
 * the numeric values outside certVerify()'s own dispatch; check its
 * definition if you need the mapping.
 */
typedef enum {
	CVP_Basic = 0,
	CVP_SSL,
	CVP_SMIME,
	CVP_SWUpdateSign,		// was CVP_CodeSigning
	CVP_ResourceSigning,
	CVP_iChat,
	CVP_IPSec,
	CVP_PKINIT_Server,
	CVP_PKINIT_Client,
	CVP_AppleCodeSigning,	// the Leopard version
	CVP_PackageSigning
} CertVerifyPolicy;
28
/*
 * Which revocation mechanisms certVerify() should request.
 *
 * CRP_CRL_OCSP asks for both. Whether one success is enough or both are
 * required is not decided here — see allowUnverified and the require*
 * flags in CertVerifyArgs.
 */
typedef enum {
	CRP_None = 0,
	CRP_CRL,
	CRP_OCSP,
	CRP_CRL_OCSP
} CertRevokePolicy;
35
36 /*
37 * Since I never stop adding args to certVerify(), most of which have reasonable
38 * defaults, the inputs are now expressed like so.
39 */
#define CERT_VFY_ARGS_VERS	5		/* increment every time you change this struct */

/*
 * All inputs to certVerify(), passed by pointer. 'version' lets the callee
 * detect a caller compiled against a different layout of this struct.
 *
 * Pointer fields: nothing in this header transfers ownership, so treat them
 * as borrowed for the duration of the call (confirm in certVerify()).
 * Comments below marked "presumably" are inferred from the field name, not
 * from anything visible in this header.
 */
typedef struct {
	int					version;			/* must be CERT_VFY_ARGS_VERS */
	CSSM_TP_HANDLE		tpHand;
	CSSM_CL_HANDLE		clHand;
	CSSM_CSP_HANDLE		cspHand;
	BlobList			*certs;				/* certs to verify */
	BlobList			*roots;				/* caller-supplied anchors */
	BlobList			*crls;				/* CRLs available for revocation checks */
	char				*vfyTime;			/* verification time; presumably NULL = now,
											 * as certVerifySimple()'s "time = now" suggests.
											 * Declared non-const — confirm the callee does
											 * not write through it. */

	CSSM_BOOL			certNetFetchEnable;	/* presumably: allow network fetch of missing certs */
	CSSM_BOOL			useSystemAnchors;	/* presumably: also trust the system anchor set */
	CSSM_BOOL			useTrustSettings;	/* presumably: consult Trust Settings */
	CSSM_BOOL			leafCertIsCA;		/* presumably: accept a CA cert as the leaf */
	CSSM_BOOL			allowExpiredRoot;	/* presumably: tolerate an expired anchor.
											 * This and leafCertIsCA relax the check; they
											 * are test-harness knobs (this lives under
											 * SecurityTests), not production defaults. */
	CSSM_BOOL			implicitAnchors;
	CSSM_DL_DB_LIST_PTR	dlDbList;			// optional
	CertVerifyPolicy	vfyPolicy;

	const char			*sslHost;			// optional; SSL policy
	CSSM_BOOL			sslClient;			// normally server side
	const char			*senderEmail;		// optional, SMIME
	CE_KeyUsage			intendedKeyUse;		// optional, SMIME only

	/* revocation options */
	CertRevokePolicy	revokePolicy;
	CSSM_BOOL			allowUnverified;	// if false, at least one must succeed

	/* CRL options */
	CSSM_BOOL			requireCrlIfPresent;
	CSSM_BOOL			requireCrlForAll;
	CSSM_BOOL			crlNetFetchEnable;
	CSSM_DL_DB_HANDLE_PTR crlDlDb;			// obsolete: write CRLs here

	/* OCSP options */
	const char			*responderURI;		// optional, OCSP only
	const unsigned char	*responderCert;		// optional, OCSP only; presumably
											// responderCertLen bytes of DER
	unsigned			responderCertLen;	// optional, OCSP only
	CSSM_BOOL			disableCache;		// both r and w for now
	CSSM_BOOL			disableOcspNet;
	CSSM_BOOL			requireOcspIfPresent;
	CSSM_BOOL			requireOcspForAll;
	CSSM_BOOL			generateOcspNonce;
	CSSM_BOOL			requireOcspRespNonce;

	const char			*expectedErrStr;	// e.g., "CSSMERR_APPLETP_CRL_NOT_TRUSTED"

	/*
	 * expected per-cert errors
	 * format is certNum:errorString
	 * e.g., "1:CSSMERR_APPLETP_CRL_NOT_TRUSTED"
	 */
	unsigned			numCertErrors;
	const char			**certErrors;		// per-cert status; presumably numCertErrors entries

	/*
	 * Expected per-cert status (CSSM_TP_APPLE_EVIDENCE_INFO.StatusBits)
	 * format is certNum:status_in_hex
	 * e.g., "1:0x18", leading 0x optional
	 */
	unsigned			numCertStatus;
	const char			**certStatus;		// presumably numCertStatus entries
	CSSM_BOOL			quiet;
	CSSM_BOOL			verbose;

} CertVerifyArgs;
108
/*
 * Perform one cert/crl verification as described by 'args'.
 *
 * args: caller-owned; args->version must equal CERT_VFY_ARGS_VERS.
 * Returns an int status. The value set is not defined in this header —
 * presumably 0 when the outcome matches the expected* fields and nonzero
 * otherwise; confirm against the definition before branching on it.
 */
int certVerify(CertVerifyArgs *args);
111
/*
 * A slightly simplified version of certVerify():
 *   -- no CRLs
 *   -- no DlDbs
 *   -- no net fetch
 *   -- time = now
 *   -- no trust settings
 *
 * NOTE(review): the last bullet conflicts with the useTrustSettings
 * parameter below; whether that flag is honored or ignored is not visible
 * in this header — confirm in the definition before relying on either.
 *
 * The run of adjacent CSSM_BOOL parameters is positional: a transposed
 * pair (e.g. leafCertIsCA / allowExpiredRoot) compiles silently and
 * changes what the check accepts. New callers are better served by
 * certVerify() with a named-field CertVerifyArgs.
 *
 * Returns the same int status as certVerify() (presumably).
 */
int certVerifySimple(
	CSSM_TP_HANDLE		tpHand,
	CSSM_CL_HANDLE		clHand,
	CSSM_CSP_HANDLE		cspHand,
	BlobList			&certs,
	BlobList			&roots,
	CSSM_BOOL			useSystemAnchors,
	CSSM_BOOL			leafCertIsCA,
	CSSM_BOOL			allowExpiredRoot,
	CertVerifyPolicy	vfyPolicy,
	const char			*sslHost,			// optional, SSL policy
	CSSM_BOOL			sslClient,			// normally server side
	const char			*senderEmail,		// optional, SMIME
	CE_KeyUsage			intendedKeyUse,		// optional, SMIME only
	const char			*expectedErrStr,	// e.g., "CSSMERR_APPLETP_CRL_NOT_TRUSTED"
	unsigned			numCertErrors,
	const char			**certErrors,		// per-cert status; see CertVerifyArgs
	unsigned			numCertStatus,
	const char			**certStatus,		// see CertVerifyArgs
	CSSM_BOOL			useTrustSettings,
	CSSM_BOOL			quiet,
	CSSM_BOOL			verbose);
142
/*
 * Convert an ASCII string in hex to unsigned.
 *
 * hex: hex digits; whether a leading "0x" is accepted is not stated here.
 *      The certStatus comment in CertVerifyArgs says "leading 0x optional"
 *      for its values, which presumably pass through this function — confirm.
 * NOTE(review): behaviour on non-hex characters, an empty string, or a
 * value wider than unsigned is not specified by this declaration; validate
 * input before calling rather than relying on the return value alone.
 */
unsigned hexToBin(const char *hex);
145
146 } /* extern "C" */
147
#endif /* _CERT_VERIFY_H_ */