1 /*
2 * Copyright (c) 2007-2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 SecCertificateInternal
26 */
27
28 #ifndef _SECURITY_SECCERTIFICATEINTERNAL_H_
29 #define _SECURITY_SECCERTIFICATEINTERNAL_H_
30
31 #include <TargetConditionals.h>
32 #include <libDER/DER_Keys.h>
33
34 #include <Security/SecBase.h>
35 #include <Security/SecCertificatePriv.h>
36
37 #include <Security/certextensions.h>
38
39 // This file can only be included under the iOS view of the headers.
40 // If you are not under that view, the types you need are forward-declared here.
41 #if SECURITY_PROJECT_TAPI_HACKS && SEC_OS_OSX
42 typedef enum {
43 NO_ENUM_VALUES, // placeholder member only; carries no meaning in this stand-in
44 } SecCEGeneralNameType; // The real enum values are already declared.
45
46 typedef struct {} SecCEBasicConstraints; // empty stand-in for the macOS TAPI build (real definition lives under the iOS header view); it has no members, so code built under this guard must never dereference it
47 typedef struct {} SecCEPolicyConstraints; // empty stand-in (as above)
48 typedef struct {} SecCEPolicyMapping; // empty stand-in (as above)
49 typedef struct {} SecCEPolicyMappings; // empty stand-in (as above)
50 typedef struct {} SecCECertificatePolicies; // empty stand-in (as above)
51 typedef struct {} SecCEInhibitAnyPolicy; // empty stand-in (as above); note `struct {}` is a compiler extension, not ISO C
52 #endif
53
54 __BEGIN_DECLS
55
56 CFDataRef SecCertificateGetAuthorityKeyID(SecCertificateRef certificate);
57 CFDataRef SecCertificateGetSubjectKeyID(SecCertificateRef certificate);
58
59 /* Return an array of CFURLRefs, each of which is a CRL distribution point for
60 this certificate. */
61 CFArrayRef SecCertificateGetCRLDistributionPoints(SecCertificateRef certificate);
62
63 /* Return an array of CFURLRefs each of which is an ocspResponder for this
64 certificate. */
65 CFArrayRef SecCertificateGetOCSPResponders(SecCertificateRef certificate);
66
67 /* Return an array of CFURLRefs, each of which is a caIssuer for this
68 certificate. */
69 CFArrayRef SecCertificateGetCAIssuers(SecCertificateRef certificate);
70
71 /* Dump certificate for debugging. */
72 void SecCertificateShow(SecCertificateRef certificate);
73
74 /* Return the normalized name or NULL if it fails to parse */
75 CFDataRef SecDistinguishedNameCopyNormalizedContent(CFDataRef distinguished_name);
76
77 /* Return true iff the certificate has a subject. */
78 bool SecCertificateHasSubject(SecCertificateRef certificate);
79 /* Return true iff the certificate has a critical subject alt name. */
80 bool SecCertificateHasCriticalSubjectAltName(SecCertificateRef certificate);
81
82 /* Return the contents of the SubjectAltName extension. */
83 const DERItem * SecCertificateGetSubjectAltName(SecCertificateRef certificate);
84
85 /* Return true if the certificate contains one or more critical extensions we
86 are unable to parse. */
87 bool SecCertificateHasUnknownCriticalExtension(SecCertificateRef certificate);
88
89 /* Return an attribute dictionary used to store this item in a keychain. */
90 CFDictionaryRef SecCertificateCopyAttributeDictionary(
91 SecCertificateRef certificate);
92
93 /* Return a certificate from the attribute dictionary that was used to store
94 this item in a keychain. */
95 SecCertificateRef SecCertificateCreateFromAttributeDictionary(
96 CFDictionaryRef refAttributes);
97
98 /* Return a SecKeyRef for the public key embedded in the cert. */
99 #if TARGET_OS_OSX
100 SecKeyRef SecCertificateCopyPublicKey_ios(SecCertificateRef certificate)
101 __OSX_DEPRECATED(__MAC_10_12, __MAC_10_14, "Use SecCertificateCopyKey instead.");
102 #endif
103
104 /* Return the SecCEBasicConstraints extension for this certificate if it
105 has one. */
106 const SecCEBasicConstraints *
107 SecCertificateGetBasicConstraints(SecCertificateRef certificate);
108
109 /* Returns an array of CFDataRefs containing the generalNames that are
110 Permitted Subtree Name Constraints for this certificate, if it has
111 any. */
112 CFArrayRef SecCertificateGetPermittedSubtrees(SecCertificateRef certificate);
113
114 /* Returns an array of CFDataRefs containing the generalNames that are
115 Excluded Subtree Name Constraints for this certificate, if it has
116 any. */
117 CFArrayRef SecCertificateGetExcludedSubtrees(SecCertificateRef certificate);
118
119 /* Return the SecCEPolicyConstraints extension for this certificate if it
120 has one. */
121 const SecCEPolicyConstraints *
122 SecCertificateGetPolicyConstraints(SecCertificateRef certificate);
123
124 /* Return a dictionary from CFDataRef to CFArrayRef of CFDataRef
125 representing the policyMapping extension of this certificate. NOTE(review): the declaration below returns a const SecCEPolicyMappings *, not a CFDictionaryRef, so this description looks stale — confirm the actual contract against the implementation. */
126 const SecCEPolicyMappings *
127 SecCertificateGetPolicyMappings(SecCertificateRef certificate);
128
129 /* Return the SecCECertificatePolicies extension for this certificate if it
130 has one. */
131 const SecCECertificatePolicies *
132 SecCertificateGetCertificatePolicies(SecCertificateRef certificate);
133
134 /* Returns UINT32_MAX if the InhibitAnyPolicy extension is not present or invalid,
135 returns the value of the SkipCerts field of the InhibitAnyPolicy extension
136 otherwise. NOTE(review): the declaration below returns a const SecCEInhibitAnyPolicy *, not a uint32_t, so this description no longer matches the signature — confirm the actual contract against the implementation. */
137 const SecCEInhibitAnyPolicy *
138 SecCertificateGetInhibitAnyPolicySkipCerts(SecCertificateRef certificate);
139
140 /* Return the public key algorithm and parameters for certificate. */
141 const DERAlgorithmId *SecCertificateGetPublicKeyAlgorithm(
142 SecCertificateRef certificate);
143
144 /* Return the raw public key data for certificate. */
145 const DERItem *SecCertificateGetPublicKeyData(SecCertificateRef certificate);
146
147 /* Return legacy property values for use by SecCertificateCopyValues. */
148 CFArrayRef SecCertificateCopyLegacyProperties(SecCertificateRef certificate);
149
150 // MARK: -
151 // MARK: Certificate Operations
152
153 OSStatus SecCertificateIsSignedBy(SecCertificateRef certificate,
154 SecKeyRef issuerKey);
155
156 #ifndef SECURITY_PROJECT_TAPI_HACKS
157 void appendProperty(CFMutableArrayRef properties, CFStringRef propertyType,
158 CFStringRef label, CFStringRef localizedLabel, CFTypeRef value, bool localized);
159 #endif
160
161 /* Utility functions. */
162 CFStringRef SecDERItemCopyOIDDecimalRepresentation(CFAllocatorRef allocator,
163 const DERItem *oid);
164
165 #ifndef SECURITY_PROJECT_TAPI_HACKS
166 CFDataRef createNormalizedX501Name(CFAllocatorRef allocator,
167 const DERItem *x501name);
168 #endif
169
170 /* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return
171 an absoluteTime if the date was valid and properly decoded. Return
172 NULL_TIME otherwise. */
173 CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes,
174 size_t length);
175
176 bool SecCertificateHasMarkerExtension(SecCertificateRef certificate, CFTypeRef oid);
177
178 typedef OSStatus (*parseGeneralNameCallback)(void *context,
179 SecCEGeneralNameType type, const DERItem *value);
180 OSStatus SecCertificateParseGeneralNameContentProperty(DERTag tag,
181 const DERItem *generalNameContent,
182 void *context, parseGeneralNameCallback callback);
183
184 OSStatus SecCertificateParseGeneralNames(const DERItem *generalNames, void *context,
185 parseGeneralNameCallback callback);
186
187 CFArrayRef SecCertificateCopyOrganizationFromX501NameContent(const DERItem *nameContent);
188
189 bool SecCertificateIsWeakKey(SecCertificateRef certificate);
190 bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate,
191 CFDictionaryRef keySizes);
192 bool SecCertificateIsStrongKey(SecCertificateRef certificate);
193
194 extern const CFStringRef kSecSignatureDigestAlgorithmUnknown;
195 #ifndef SECURITY_PROJECT_TAPI_HACKS
196 extern const CFStringRef kSecSignatureDigestAlgorithmMD2;
197 extern const CFStringRef kSecSignatureDigestAlgorithmMD4;
198 extern const CFStringRef kSecSignatureDigestAlgorithmMD5;
199 extern const CFStringRef kSecSignatureDigestAlgorithmSHA1;
200 extern const CFStringRef kSecSignatureDigestAlgorithmSHA224;
201 extern const CFStringRef kSecSignatureDigestAlgorithmSHA256;
202 extern const CFStringRef kSecSignatureDigestAlgorithmSHA384;
203 extern const CFStringRef kSecSignatureDigestAlgorithmSHA512;
204 #endif
205
206 bool SecCertificateIsWeakHash(SecCertificateRef certificate);
207
208 CFDataRef SecCertificateCreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string);
209 bool SecCertificateIsOidString(CFStringRef oid);
210
211 DERItem *SecCertificateGetExtensionValue(SecCertificateRef certificate, CFTypeRef oid);
212
213 CFArrayRef SecCertificateCopyDNSNamesFromSubject(SecCertificateRef certificate);
214 CFArrayRef SecCertificateCopyIPAddressesFromSubject(SecCertificateRef certificate);
215 CFArrayRef SecCertificateCopyRFC822NamesFromSubject(SecCertificateRef certificate);
216
217 CFArrayRef SecCertificateCopyDNSNamesFromSAN(SecCertificateRef certificate);
218
219 __END_DECLS
220
221 #endif /* !_SECURITY_SECCERTIFICATEINTERNAL_H_ */