1 /*
2 * Copyright (c) 2017-2020 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * SecCertificateServer.h - SecCertificate and SecCertificatePath types
26 * with additional validation context.
27 */
28
29
30 #ifndef _SECURITY_SECCERTIFICATESERVER_H_
31 #define _SECURITY_SECCERTIFICATESERVER_H_
32
33 #include <CoreFoundation/CoreFoundation.h>
34
35 #include <Security/SecCertificate.h>
36
37 #include "trust/trustd/policytree.h"
38
39
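/* Opaque "validation context" for a single certificate: the certificate plus
   the usage constraints trustd associates with it. Defined in the .c file. */
typedef struct SecCertificateVC *SecCertificateVCRef;

/* Create a validation context for certificate, recording usageConstraints
   alongside it.
   By the CF "Create" naming convention the caller owns the returned object.
   (Parameter renamed from the misspelled `usageContraints` so it matches
   SecCertificatePathVCCreate below; prototype parameter names are not part
   of the ABI.) */
SecCertificateVCRef SecCertificateVCCreate(SecCertificateRef certificate, CFArrayRef usageConstraints);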
43
/* Opaque validation context for a whole certificate path (leaf first).
   Defined in the .c file. */
typedef struct SecCertificatePathVC *SecCertificatePathVCRef;

/* Create a new certificate path from an old one.
   The new path is built from `path` plus `certificate` and the
   `usageConstraints` that apply to it (presumably appended as the next
   issuer — confirm against the implementation). "Create": caller owns the
   result. */
SecCertificatePathVCRef SecCertificatePathVCCreate(SecCertificatePathVCRef path,
                                                   SecCertificateRef certificate,
                                                   CFArrayRef usageConstraints);

/* Return a copy of `path` with `leaf` added as its leaf certificate.
   "Copy": caller owns the result. */
SecCertificatePathVCRef SecCertificatePathVCCopyAddingLeaf(SecCertificatePathVCRef path,
                                                           SecCertificateRef leaf);

/* Return a new certificate path without the first skipCount certificates,
   i.e. the path as seen from the skipCount-th parent. Caller owns the result. */
SecCertificatePathVCRef SecCertificatePathVCCopyFromParent(SecCertificatePathVCRef path,
                                                           CFIndex skipCount);

/* Create an array of SecCertificateRefs from a certificate path.
   Caller owns the returned array. */
CFArrayRef SecCertificatePathVCCopyCertificates(SecCertificatePathVCRef path);

/* Create an array of CFDataRefs (the DER encoding of each certificate — TODO
   confirm) from a certificate path. Caller owns the returned array. */
CFArrayRef SecCertificatePathVCCreateSerialized(SecCertificatePathVCRef path);
61
/* Record the fact that we found our own root cert as our parent
   certificate. */
void SecCertificatePathVCSetSelfIssued(SecCertificatePathVCRef certificatePath);

/* Return whether the certificate at index ix of path is self-issued. */
bool SecCertificatePathVCIsCertificateAtIndexSelfIssued(SecCertificatePathVCRef path,
                                                        CFIndex ix);

/* Mark certificatePath as terminating in a trusted anchor. */
void SecCertificatePathVCSetIsAnchored(SecCertificatePathVCRef certificatePath);

/* Return the index of the first non anchor certificate in the chain that is
   self signed counting from the leaf up. Return -1 if there is none. */
CFIndex SecCertificatePathVCSelfSignedIndex(SecCertificatePathVCRef certificatePath);

/* Return whether certificatePath has been marked as anchored.
   NOTE(review): returns CF `Boolean`, unlike the other predicates in this
   header which return C `bool`; kept as-is for ABI compatibility. */
Boolean SecCertificatePathVCIsAnchored(SecCertificatePathVCRef certificatePath);

/* Remember / retrieve the index of the next certificate source to consult
   when the path builder extends this path (bookkeeping for the builder;
   semantics live in the implementation). */
void SecCertificatePathVCSetNextSourceIndex(SecCertificatePathVCRef certificatePath,
                                            CFIndex sourceIndex);
CFIndex SecCertificatePathVCGetNextSourceIndex(SecCertificatePathVCRef certificatePath);

/* Number of certificates in certificatePath. */
CFIndex SecCertificatePathVCGetCount(SecCertificatePathVCRef certificatePath);

/* Certificate at index ix (0 is the leaf, per the index conventions used
   throughout this header). Returned reference is not owned by the caller ("Get"). */
SecCertificateRef SecCertificatePathVCGetCertificateAtIndex(SecCertificatePathVCRef certificatePath,
                                                            CFIndex ix);
82
/* Invoke operation on each certificate of path in order. Setting *stop to
   true from inside the block ends the iteration early. */
void SecCertificatePathVCForEachCertificate(SecCertificatePathVCRef path,
                                            void(^operation)(SecCertificateRef certificate, bool *stop));

/* Return the index of certificate in path or kCFNotFound if certificate is
   not in path. */
CFIndex SecCertificatePathVCGetIndexOfCertificate(SecCertificatePathVCRef path,
                                                  SecCertificateRef certificate);

/* Return the root certificate for certificatePath. Note that root is just
   the top of the path as far as it is constructed. It may or may not be
   trusted or self signed. Callers must not treat it as a trust anchor
   without checking SecCertificatePathVCIsAnchored. */
SecCertificateRef SecCertificatePathVCGetRoot(SecCertificatePathVCRef certificatePath);

/* Usage constraints recorded for the certificate at index ix (not owned by
   the caller). */
CFArrayRef SecCertificatePathVCGetUsageConstraintsAtIndex(SecCertificatePathVCRef certificatePath,
                                                          CFIndex ix);

/* Replace the usage constraints for the certificate at index ix. Note the
   argument order: the constraints come before the index. */
void SecCertificatePathVCSetUsageConstraintsAtIndex(SecCertificatePathVCRef certificatePath,
                                                    CFArrayRef newConstraints,
                                                    CFIndex ix);

/* Public key of the certificate at index ix. "Copy": caller owns the
   returned key and must release it. */
SecKeyRef SecCertificatePathVCCopyPublicKeyAtIndex(SecCertificatePathVCRef certificatePath,
                                                   CFIndex ix);
101
/* Result of SecCertificatePathVCVerify. kSecPathVerifiesUnknown is the
   "not yet verified" state; any value other than kSecPathVerifySuccess must
   be treated as not verified by callers. */
enum {
    kSecPathVerifiesUnknown = -1,
    kSecPathVerifySuccess   = 0,
    kSecPathVerifyFailed    = 1,
};
typedef CFIndex SecPathVerifyStatus;

/* Verify certificatePath (presumably the issuer signature on each
   certificate — confirm in the implementation) and return the status above. */
SecPathVerifyStatus SecCertificatePathVCVerify(SecCertificatePathVCRef certificatePath);
110
/* True if path loops back on itself (a certificate appearing more than once
   in the chain, by the name); such paths must not be extended further. */
bool SecCertificatePathVCIsCycleInGraph(SecCertificatePathVCRef path);

/* True if the path is valid at verifyTime (presumably every certificate's
   notBefore/notAfter window contains verifyTime — confirm in the
   implementation). */
bool SecCertificatePathVCIsValid(SecCertificatePathVCRef certificatePath,
                                 CFAbsoluteTime verifyTime);

/* True if any certificate in the path was signed with a hash algorithm trustd
   considers weak. */
bool SecCertificatePathVCHasWeakHash(SecCertificatePathVCRef certificatePath);

/* True if any certificate in the path carries a key below the size trustd
   considers acceptable. */
bool SecCertificatePathVCHasWeakKeySize(SecCertificatePathVCRef certificatePath);
118
/* Score */

/* Compute a ranking score for certificatePath at verifyTime; the path builder
   uses scores to prefer one candidate chain over another. */
CFIndex SecCertificatePathVCScore(SecCertificatePathVCRef certificatePath,
                                  CFAbsoluteTime verifyTime);

/* Return the score currently stored on certificatePath. */
CFIndex SecCertificatePathVCGetScore(SecCertificatePathVCRef certificatePath);

/* Store score on certificatePath — only sets score if new score is higher
   than the stored one. */
void SecCertificatePathVCSetScore(SecCertificatePathVCRef certificatePath, CFIndex score);

/* Reset the stored score to 0. */
void SecCertificatePathVCResetScore(SecCertificatePathVCRef certificatePath);
125
/* Revocation */

/* Free the per-certificate revocation verification contexts (RVCs) held by
   path. */
void SecCertificatePathVCDeleteRVCs(SecCertificatePathVCRef path);

/* True once revocation checking for the whole path has completed. */
bool SecCertificatePathVCIsRevocationDone(SecCertificatePathVCRef certificatePath);

/* Allocate certCount RVCs for certificatePath (one per certificate). */
void SecCertificatePathVCAllocateRVCs(SecCertificatePathVCRef certificatePath,
                                      CFIndex certCount);

/* Earliest "next update" time across the path's revocation responses, i.e.
   when cached revocation information should be refreshed. */
CFAbsoluteTime SecCertificatePathVCGetEarliestNextUpdate(SecCertificatePathVCRef path);

/* Returns a SecRVCRef (declared elsewhere; typed void * here to avoid the
   dependency) for the certificate at index ix. Not owned by the caller. */
void *SecCertificatePathVCGetRVCAtIndex(SecCertificatePathVCRef certificatePath, CFIndex ix);

/* True if revocation status was checked for every certificate in path. */
bool SecCertificatePathVCRevocationCheckedAllCerts(SecCertificatePathVCRef path);

/* Whether a successful revocation check is mandatory (rather than
   best-effort) for the certificate at index ix, and the setter that makes
   it so. */
bool SecCertificatePathVCIsRevocationRequiredForCertificateAtIndex(SecCertificatePathVCRef certificatePath,
                                                                   CFIndex ix);
void SecCertificatePathVCSetRevocationRequiredForCertificateAtIndex(SecCertificatePathVCRef certificatePath,
                                                                    CFIndex ix);

/* Record revocationReason for the certificate at index ix. */
void SecCertificatePathVCSetRevocationReasonForCertificateAtIndex(SecCertificatePathVCRef certificatePath,
                                                                  CFIndex ix,
                                                                  CFNumberRef revocationReason);

/* Returns the first revocation reason found along the path, or NULL if none
   was recorded — TODO confirm the NULL case in the implementation. */
CFNumberRef SecCertificatePathVCGetRevocationReason(SecCertificatePathVCRef certificatePath);

/* Whether the path builder has already checked the issuers of this path,
   and the setter for that flag. */
bool SecCertificatePathVCCheckedIssuers(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetCheckedIssuers(SecCertificatePathVCRef certificatePath, bool checked);

/* Index of the first CA in the path that is not known to trustd, and its
   setter. */
CFIndex SecCertificatePathVCUnknownCAIndex(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetUnknownCAIndex(SecCertificatePathVCRef certificatePath, CFIndex index);
145
/* Did we already validate this path (setting EV, CT, RVC, etc.)?
   The setter marks the path as validated; there is no way to clear it here. */
bool SecCertificatePathVCIsPathValidated(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetPathValidated(SecCertificatePathVCRef certificatePath);

/* EV */

/* Whether the path was determined to qualify for Extended Validation, and
   the setter used by the validation step. */
bool SecCertificatePathVCIsEV(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetIsEV(SecCertificatePathVCRef certificatePath, bool isEV);

/* Whether the path could be EV (policy allows it) as opposed to having been
   confirmed EV — presumably a pre-check before the full EV evaluation;
   confirm in the implementation. */
bool SecCertificatePathVCIsOptionallyEV(SecCertificatePathVCRef certificatePath);
154
/* CT */

/* How strictly Certificate Transparency is required for a path.
   kSecPathCTRequiredOverridable sits between "not required" and "required":
   CT is expected but the requirement can be overridden (by what, is decided
   in the implementation). */
enum {
    kSecPathCTNotRequired         = 0,
    kSecPathCTRequiredOverridable = 1,
    kSecPathCTRequired            = 2,
};
typedef CFIndex SecPathCTPolicy;

/* Whether the path satisfied CT, and the setter used by the validation step. */
bool SecCertificatePathVCIsCT(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetIsCT(SecCertificatePathVCRef certificatePath, bool isCT);

/* The CT policy that applies to this path, and its setter. */
SecPathCTPolicy SecCertificatePathVCRequiresCT(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetRequiresCT(SecCertificatePathVCRef certificatePath,
                                       SecPathCTPolicy requiresCT);

/* Issuance time recorded for the path (used by CT evaluation, given its
   placement in this section — confirm), and its setter. */
CFAbsoluteTime SecCertificatePathVCIssuanceTime(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetIssuanceTime(SecCertificatePathVCRef certificatePath,
                                         CFAbsoluteTime issuanceTime);
168
/* CA Revocation Additions */

/* Returns the index of the highest issuing CA which has matching key-based
 * revocation additions in the given path, or kCFNotFound if none is found.
 */
CFIndex SecCertificatePathVCIndexOfCAWithRevocationAdditions(SecCertificatePathVCRef certificatePath);

/* Allowlist */

/* Whether the path was found on an allowlist, and the setter. An allowlisted
   path bypasses some checks by design, so the setter should only be reached
   from the allowlist lookup itself. */
bool SecCertificatePathVCIsAllowlisted(SecCertificatePathVCRef certificatePath);
void SecCertificatePathVCSetIsAllowlisted(SecCertificatePathVCRef certificatePath,
                                          bool isAllowlisted);

/* Policy Tree */

/* Run the certificate-policy tree processing (see policytree.h) over path.
   anchor_trusted tells the check whether the path's anchor is trusted, which
   presumably affects whether the anchor's policy constraints are applied. */
bool SecCertificatePathVCVerifyPolicyTree(SecCertificatePathVCRef path, bool anchor_trusted);
181
182 #endif /* _SECURITY_SECCERTIFICATESERVER_H_ */