1 /*
2 * Copyright (c) 2007-2019 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 SecCertificateInternal
26 */
27
28 #ifndef _SECURITY_SECCERTIFICATEINTERNAL_H_
29 #define _SECURITY_SECCERTIFICATEINTERNAL_H_
30
31 #include <TargetConditionals.h>
32 #include <libDER/DER_Keys.h>
33
34 #include <Security/SecBase.h>
35 #include <Security/SecCertificatePriv.h>
36
37 #include <Security/certextensions.h>
38
// This file can only be included under the ios view of the headers.
// If you're not under that view, the extension structs it needs are defined
// again below (they are not forward declarations); they must be kept in sync
// with the ios-view definitions in certextensions.h.
41 #if SECURITY_PROJECT_TAPI_HACKS && SEC_OS_OSX
/* Parsed BasicConstraints extension (RFC 5280 §4.2.1.9).
   Field names follow the ASN.1 definition; presumably `present`/`critical`
   report whether the extension exists and is marked critical, and
   `pathLenConstraint` is only valid when `pathLenConstraintPresent` is true
   (an absent pathLenConstraint means "unlimited", not 0) — confirm against
   the parser. */
typedef struct {
    bool present;
    bool critical;
    bool isCA;
    bool pathLenConstraintPresent;
    uint32_t pathLenConstraint;
} SecCEBasicConstraints;
49
/* Parsed PolicyConstraints extension (RFC 5280 §4.2.1.11).
   Each SkipCerts value carries its own *Present flag; presumably the uint32_t
   fields must only be read when the matching flag is true — confirm against
   the parser. */
typedef struct {
    bool present;
    bool critical;
    bool requireExplicitPolicyPresent;
    uint32_t requireExplicitPolicy;
    bool inhibitPolicyMappingPresent;
    uint32_t inhibitPolicyMapping;
} SecCEPolicyConstraints;
58
/* One PolicyInformation entry of the CertificatePolicies extension
   (RFC 5280 §4.2.1.4). NOTE(review): the DERItems presumably reference bytes
   inside the certificate's own DER rather than owned copies, so they are only
   valid while the SecCertificateRef is alive — confirm against the parser. */
typedef struct {
    DERItem policyIdentifier;
    DERItem policyQualifiers;
} SecCEPolicyInformation;
63
/* Parsed CertificatePolicies extension (RFC 5280 §4.2.1.4).
   `policies` points at an array of `numPolicies` entries; always bound
   iteration by numPolicies. */
typedef struct {
    bool present;
    bool critical;
    size_t numPolicies; // number of entries in *policies
    SecCEPolicyInformation *policies;
} SecCECertificatePolicies;
70
/* One issuerDomainPolicy -> subjectDomainPolicy pair of the PolicyMappings
   extension (RFC 5280 §4.2.1.5). The DERItems presumably alias the
   certificate's DER (not owned) — confirm against the parser. */
typedef struct {
    DERItem issuerDomainPolicy;
    DERItem subjectDomainPolicy;
} SecCEPolicyMapping;
75
/* Parsed PolicyMappings extension (RFC 5280 §4.2.1.5).
   `mappings` points at an array of `numMappings` entries; always bound
   iteration by numMappings. */
typedef struct {
    bool present;
    bool critical;
    size_t numMappings; // number of entries in *mappings
    SecCEPolicyMapping *mappings;
} SecCEPolicyMappings;
82
/* Parsed InhibitAnyPolicy extension (RFC 5280 §4.2.1.14). `skipCerts` is the
   extension's SkipCerts value; presumably only meaningful when `present` is
   true — confirm against the parser. */
typedef struct {
    bool present;
    bool critical;
    uint32_t skipCerts;
} SecCEInhibitAnyPolicy;
88
89 #endif
90
91 __BEGIN_DECLS
92
/* Map a signature algorithm OID to the hash algorithm it uses. */
SecSignatureHashAlgorithm SecSignatureHashAlgorithmForAlgorithmOid(const DERItem *algOid);

/* Authority / Subject Key Identifier extension values. CF "Get" naming:
   presumably the returned objects are not retained for the caller — confirm. */
CFDataRef SecCertificateGetAuthorityKeyID(SecCertificateRef certificate);
CFDataRef SecCertificateGetSubjectKeyID(SecCertificateRef certificate);

/* Return an array of CFURLRefs, each a CRL distribution point for this
   certificate. */
CFArrayRef SecCertificateGetCRLDistributionPoints(SecCertificateRef certificate);

/* Return an array of CFURLRefs, each a caIssuers location for this
   certificate. */
CFArrayRef SecCertificateGetCAIssuers(SecCertificateRef certificate);

/* Dump certificate for debugging. */
void SecCertificateShow(SecCertificateRef certificate);

/* Return the normalized form of the given distinguished name, or NULL if it
   fails to parse. Callers must handle NULL. */
CFDataRef SecDistinguishedNameCopyNormalizedContent(CFDataRef distinguished_name);

/* Return true iff the certificate has a subject. */
bool SecCertificateHasSubject(SecCertificateRef certificate);
/* Return true iff the certificate has a critical subject alt name.
   RFC 5280 §4.2.1.6 only permits an empty subject when the SAN is marked
   critical, so these two are normally checked together. */
bool SecCertificateHasCriticalSubjectAltName(SecCertificateRef certificate);

/* Return the contents of the SubjectAltName extension. */
const DERItem * SecCertificateGetSubjectAltName(SecCertificateRef certificate);

/* Return true if the certificate contains one or more critical extensions we
   are unable to parse. RFC 5280 §4.2 requires such a certificate to be
   rejected, so validation code must treat true as fatal, not as a warning. */
bool SecCertificateHasUnknownCriticalExtension(SecCertificateRef certificate);
123
/* Return an attribute dictionary used to store this item in a keychain.
   CF "Copy" naming: the caller owns the result. */
CFDictionaryRef SecCertificateCopyAttributeDictionary(
    SecCertificateRef certificate);

/* Return a certificate from the attribute dictionary that was used to store
   this item in a keychain. CF "Create" naming: the caller owns the result.
   NOTE(review): the dictionary comes from keychain storage; presumably the
   certificate bytes are re-parsed rather than trusted as-is — confirm. */
SecCertificateRef SecCertificateCreateFromAttributeDictionary(
    CFDictionaryRef refAttributes);
132
/* Return a SecKeyRef for the public key embedded in the cert.
   macOS-only compatibility shim (see the TARGET_OS_OSX guard), deprecated in
   favor of SecCertificateCopyKey; the caller owns the result. */
#if TARGET_OS_OSX
SecKeyRef SecCertificateCopyPublicKey_ios(SecCertificateRef certificate)
    __OSX_DEPRECATED(__MAC_10_12, __MAC_10_14, "Use SecCertificateCopyKey instead.");
#endif
138
/* Return the SecCEBasicConstraints extension for this certificate if it
   has one. The pointer presumably references storage owned by the
   certificate — do not free it or retain it beyond the certificate. */
const SecCEBasicConstraints *
SecCertificateGetBasicConstraints(SecCertificateRef certificate);

/* Return an array of CFDataRefs containing the GeneralNames that are
   Permitted Subtree Name Constraints for this certificate if it has
   any. */
CFArrayRef SecCertificateGetPermittedSubtrees(SecCertificateRef certificate);

/* Return an array of CFDataRefs containing the GeneralNames that are
   Excluded Subtree Name Constraints for this certificate if it has
   any. */
CFArrayRef SecCertificateGetExcludedSubtrees(SecCertificateRef certificate);

/* Return the SecCEPolicyConstraints extension for this certificate if it
   has one. */
const SecCEPolicyConstraints *
SecCertificateGetPolicyConstraints(SecCertificateRef certificate);

/* Return the parsed SecCEPolicyMappings extension for this certificate if it
   has one (the declared return type is the struct, not a CFDictionary). */
const SecCEPolicyMappings *
SecCertificateGetPolicyMappings(SecCertificateRef certificate);

/* Return the SecCECertificatePolicies extension for this certificate if it
   has one. */
const SecCECertificatePolicies *
SecCertificateGetCertificatePolicies(SecCertificateRef certificate);

/* Return the parsed SecCEInhibitAnyPolicy extension for this certificate if
   it has one; its skipCerts field carries the extension's SkipCerts value.
   (Despite the function name, the declared return type is a pointer to the
   struct, not a uint32_t.) */
const SecCEInhibitAnyPolicy *
SecCertificateGetInhibitAnyPolicySkipCerts(SecCertificateRef certificate);

/* Return the public key algorithm and parameters for certificate. */
const DERAlgorithmId *SecCertificateGetPublicKeyAlgorithm(
    SecCertificateRef certificate);

/* Return the raw public key data for certificate. */
const DERItem *SecCertificateGetPublicKeyData(SecCertificateRef certificate);

/* Return legacy property values for use by SecCertificateCopyValues.
   CF "Copy" naming: the caller owns the result. */
CFArrayRef SecCertificateCopyLegacyProperties(SecCertificateRef certificate);
184
// MARK: -
// MARK: Certificate Operations

/* Verify the certificate's signature against issuerKey and report the result
   as an OSStatus. A successful result only proves the signature verifies
   under issuerKey; it does not by itself establish issuer identity, validity
   period, name constraints or policy — those are separate path-validation
   checks. */
OSStatus SecCertificateIsSignedBy(SecCertificateRef certificate,
    SecKeyRef issuerKey);

/* Internal helper for building property lists (hidden from TAPI).
   Presumably appends one entry described by type/label/value to
   `properties` — confirm against the implementation. */
#ifndef SECURITY_PROJECT_TAPI_HACKS
void appendProperty(CFMutableArrayRef properties, CFStringRef propertyType,
    CFStringRef label, CFStringRef localizedLabel, CFTypeRef value, bool localized);
#endif
195
/* Utility functions. */

/* Render a DER-encoded OID as its dotted-decimal string ("1.2.840...").
   CF "Copy" naming: the caller owns the result. */
CFStringRef SecDERItemCopyOIDDecimalRepresentation(CFAllocatorRef allocator,
    const DERItem *oid);

/* Build the normalized (comparison) form of an X.501 name from its DER
   content (hidden from TAPI). "create" naming: presumably the caller owns the
   result — confirm. */
#ifndef SECURITY_PROJECT_TAPI_HACKS
CFDataRef createNormalizedX501Name(CFAllocatorRef allocator,
    const DERItem *x501name);
#endif

/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return
   an absoluteTime if the date was valid and properly decoded. Return
   NULL_TIME otherwise. `length` bounds the bytes that may be read; callers
   must check for NULL_TIME before using the result in validity-period
   comparisons. */
CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes,
    size_t length);
210
/* Return true if the certificate carries the marker extension identified by
   `oid`. `oid` is a CFTypeRef; presumably either a CFStringRef dotted OID or
   CFDataRef DER OID is accepted (see SecCertificateIsOidString /
   SecCertificateCreateOidDataFromString below) — confirm. */
bool SecCertificateHasMarkerExtension(SecCertificateRef certificate, CFTypeRef oid);

/* Return true if the certificate carries the OCSP no-check marker
   (RFC 6960 §4.2.2.2.1, id-pkix-ocsp-nocheck). */
bool SecCertificateHasOCSPNoCheckMarkerExtension(SecCertificateRef certificate);

/* Callback invoked for each GeneralName with its type and DER value.
   Presumably a non-zero OSStatus aborts the parse and is propagated to the
   caller — confirm against the implementation. */
typedef OSStatus (*parseGeneralNameCallback)(void *context,
    SecCEGeneralNameType type, const DERItem *value);
/* Parse the content of a single GeneralName (already split from its tag). */
OSStatus SecCertificateParseGeneralNameContentProperty(DERTag tag,
    const DERItem *generalNameContent,
    void *context, parseGeneralNameCallback callback);

/* Parse a GeneralNames sequence, invoking callback once per element. */
OSStatus SecCertificateParseGeneralNames(const DERItem *generalNames, void *context,
    parseGeneralNameCallback callback);

/* Return the organization attribute values found in an X.501 name content.
   CF "Copy" naming: the caller owns the result. */
CFArrayRef SecCertificateCopyOrganizationFromX501NameContent(const DERItem *nameContent);

/* Public-key strength checks. `keySizes` presumably maps key type to a
   minimum bit length — verify against callers. Weak keys must be rejected
   on the validation path rather than merely logged. */
bool SecCertificateIsWeakKey(SecCertificateRef certificate);
bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate,
    CFDictionaryRef keySizes);
bool SecCertificateIsStrongKey(SecCertificateRef certificate);
230
/* Signature digest algorithm identifiers. MD2, MD4, MD5 and SHA-1 are no
   longer acceptable signature digests (collision attacks are practical);
   see SecCertificateIsWeakHash. */
extern const CFStringRef kSecSignatureDigestAlgorithmUnknown;
#ifndef SECURITY_PROJECT_TAPI_HACKS
extern const CFStringRef kSecSignatureDigestAlgorithmMD2;
extern const CFStringRef kSecSignatureDigestAlgorithmMD4;
extern const CFStringRef kSecSignatureDigestAlgorithmMD5;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA1;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA224;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA256;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA384;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA512;
#endif
242
/* Return true if the certificate is signed with a weak digest. Presumably
   true for the MD2/MD4/MD5/SHA-1 identifiers declared above — confirm
   against the implementation. */
bool SecCertificateIsWeakHash(SecCertificateRef certificate);

/* Convert a dotted-decimal OID string to its DER encoding (caller owns the
   result), and check whether a string is a well-formed dotted OID. */
CFDataRef SecCertificateCreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string);
bool SecCertificateIsOidString(CFStringRef oid);

/* Return the value of the extension identified by `oid`.
   NOTE(review): unlike every other Get accessor in this header this returns a
   non-const DERItem *, yet it presumably points into certificate-owned data;
   callers must treat it as read-only. Consider const-qualifying the return. */
DERItem *SecCertificateGetExtensionValue(SecCertificateRef certificate, CFTypeRef oid);

/* Name extraction helpers; CF "Copy" naming: the caller owns each result.
   NOTE(review): RFC822 names come from the Subject here, DNS names from the
   SAN — hostname matching must not fall back to the Subject CN for
   certificates that carry a SAN (RFC 6125 §6.4.4). */
CFArrayRef SecCertificateCopyRFC822NamesFromSubject(SecCertificateRef certificate);
CFArrayRef SecCertificateCopyDNSNamesFromSAN(SecCertificateRef certificate);
CFArrayRef SecCertificateCopyIPAddressDatas(SecCertificateRef certificate);

/* Presumably identifies (by index) a known extension that failed to parse —
   confirm the return-value convention against the implementation. */
CFIndex SecCertificateGetUnparseableKnownExtension(SecCertificateRef certificate);
255
256 __END_DECLS
257
258 #endif /* !_SECURITY_SECCERTIFICATEINTERNAL_H_ */