]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/SecTrustSettings.h
Security-57740.31.2.tar.gz
[apple/security.git] / OSX / sec / Security / SecTrustSettings.h
1 /*
2 * Copyright (c) 2007,2012 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecTrustSettings
26 The functions and data types in SecTrustSettings implement a way to
27 set and retrive trustability of certificates.
28 */
29
30 #ifndef _SECURITY_SECTRUSTSETTINGS_H_
31 #define _SECURITY_SECTRUSTSETTINGS_H_
32
33 #include <CoreFoundation/CFArray.h>
34 #include <Security/SecCertificate.h>
35
36 #ifdef __cplusplus
37 extern "C" {
38 #endif
39
40 /*
41 * Any certificate (cert) which resides in a keychain can have associated with
42 * it a set of Trust Settings. Trust Settings specify conditions in which a
43 * given cert can be trusted or explicitly distrusted. A "trusted" cert is
44 * either a root (self-signed) cert that, when a cert chain verifies back to that
45 * root, the entire cert chain is trusted; or a non-root cert that does not need
46 * to verify to a trusted root cert (which is normally the case when verifying a
47 * cert chain). An "explicitly distrusted" cert is one which will, when encountered
48 * during the evaluation of a cert chain, cause immediate and unconditional failure
49 * of the verify operation.
50 *
51 * Trust Settings are configurable by the user; they can apply on three levels
52 * (called domains):
53 *
54 * -- Per-user.
55 * -- Locally administered, system-wide. Administrator privileges are required
56 * to make changes to this domain.
57 * -- System. These Trust Settings are immutable and comprise the set of trusted
58 * root certificates supplied in Mac OS X.
59 *
60 * Per-user Trust Settings override locally administered Trust Settings, which
61 * in turn override the System Trust Settings.
62 *
63 * Each cert's Trust Settings are expressed as a CFArray which includes any
64 * number (including zero) of CFDictionaries, each of which comprises one set of
65 * Usage Constraints. Each Usage Constraints dictionary contains zero or one of
66 * each the following components:
67 *
68 * key = kSecTrustSettingsPolicy value = policy OID as CFString
69 * key = kSecTrustSettingsPolicyName value = policy name as CFString
70 * key = kSecTrustSettingsApplication value = SecTrustedApplicationRef
71 * key = kSecTrustSettingsPolicyString value = CFString, policy-specific
72 * key = kSecTrustSettingsKeyUsage value = CFNumber, an SInt32 key usage
73 *
74 * A given Usage Constraints dictionary applies to a given cert if *all* of the
75 * usage constraint components specified in the dictionary match the usage of
76 * the cert being evaluated; when this occurs, the value of the
77 * kSecTrustSettingsResult entry in the dictionary, shown below, is the effective
78 * trust setting for the cert.
79 *
80 * key = kSecTrustSettingsResult value = CFNumber, an SInt32 SecTrustSettingsResult
81 *
82 * The overall Trust Settings of a given cert are the sum of all such Usage
83 * Constraints CFDictionaries: Trust Settings for a given usage apply if *any*
84 * of the CFDictionaries in the cert's Trust Settings array satisfies
85 * the specified usage. Thus, when a cert has multiple Usage Constraints
86 * dictionaries in its Trust Settings array, the overall Trust Settings
87 * for the cert are
88 *
89 * (Usage Constraint 0 component 0 AND Usage Constraint 0 component 1 ...)
90 * -- OR --
91 * (Usage Constraint 1 component 0 AND Usage Constraint 1 component 1 ...)
92 * -- OR --
93 * ...
94 *
95 * Notes on the various Usage Constraints components:
96 *
97 * kSecTrustSettingsPolicy Specifies a cert verification policy, e.g., SSL,
98 * SMIME, etc, using Policy Constants
99 * kSecTrustSettingsPolicyName Specifies a cert verification policy, e.g.,
100 * sslServer, eapClient, etc, using policy names.
101 * This entry can be used to restrict the policy where
102 * the same Policy Constant is used for multiple policyNames.
103 * kSecTrustSettingsApplication Specifies the application performing the cert
104 * verification.
105 * kSecTrustSettingsPolicyString Policy-specific. For the SMIME policy, this is
106 * an email address.
107 * For the SSL policy, this is a host name.
108 * kSecTrustSettingsKeyUsage A bitfield indicating key operations (sign,
109 * encrypt, etc.) for which this Usage Constraint
110 * apply. Values are defined below as the
111 * SecTrustSettingsKeyUsage enum.
112 * kSecTrustSettingsResult The resulting trust value. If not present this has a
113 * default of kSecTrustSettingsResultTrustRoot, meaning
114 * "trust this root cert". Other legal values are:
115 * kSecTrustSettingsResultTrustAsRoot : trust non-root
116 * cert as if it were a trusted root.
117 * kSecTrustSettingsResultDeny : explicitly distrust this
118 * cert.
119 * kSecTrustSettingsResultUnspecified : neither trust nor
120 * distrust; can be used to specify an "Allowed error"
121 * (see below) without assigning trust to a specific
122 * cert.
123 *
124 * Another optional component in a Usage Constraints dictionary is a CSSM_RETURN
125 * which, if encountered during certificate verification, is ignored for that
126 * cert. These "allowed error" values are constrained by Usage Constraints as
127 * described above; a Usage Constraint dictionary with no constraints but with
128 * an Allowed Error value causes that error to always be allowed when the cert
129 * is being evaluated.
130 *
131 * The "allowed error" entry in a Usage Constraints dictionary is formatted
132 * as follows:
133 *
134 * key = kSecTrustSettingsAllowedError value = CFNumber, an SInt32 CSSM_RETURN
135 *
136 * Note that if kSecTrustSettingsResult value of kSecTrustSettingsResultUnspecified
137 * is *not* present for a Usage Constraints dictionary with no Usage
138 * Constraints, the default of kSecTrustSettingsResultTrustRoot is assumed. To
139 * specify a kSecTrustSettingsAllowedError without explicitly trusting (or
140 * distrusting) the associated cert, specify kSecTrustSettingsResultUnspecified
141 * for the kSecTrustSettingsResult component.
142 *
143 * Note that an empty Trust Settings array means "always trust this cert,
144 * with a resulting kSecTrustSettingsResult of kSecTrustSettingsResultTrustRoot".
145 * An empty Trust Settings array is definitely not the same as *no* Trust
146 * Settings, which means "this cert must be verified to a known trusted cert".
147 *
148 * Note the distinction between kSecTrustSettingsResultTrustRoot and
149 * kSecTrustSettingsResultTrustAsRoot; the former can only be applied to
150 * root (self-signed) certs; the latter can only be applied to non-root
151 * certs. This also means that an empty TrustSettings array for a non-root
152 * cert is invalid, since the default value for kSecTrustSettingsResult is
153 * kSecTrustSettingsResultTrustRoot, which is invalid for a non-root cert.
154 *
155 * Authentication
156 * --------------
157 *
158 * When making changes to the per-user Trust Settings, the user will be
159 * prompted with an alert panel asking for authentication via user name a
160 * password (or other credentials normally used for login). This means
161 * that it is not possible to modify per-user Trust Settings when not
162 * running in a GUI environment (i.e. the user is not logged in via
163 * Loginwindow).
164 *
165 * When making changes to the system-wide Trust Settings, the user will be
166 * prompted with an alert panel asking for an administrator's name and
167 * password, unless the calling process is running as root in which case
168 * no futher authentication is needed.
169 */
170
171 /*
172 * The keys in one Usage Constraints dictionary.
173 */
174 #define kSecTrustSettingsPolicy CFSTR("kSecTrustSettingsPolicy")
175 #define kSecTrustSettingsPolicyName CFSTR("kSecTrustSettingsPolicyName")
176 #define kSecTrustSettingsApplication CFSTR("kSecTrustSettingsApplication")
177 #define kSecTrustSettingsPolicyString CFSTR("kSecTrustSettingsPolicyString")
178 #define kSecTrustSettingsKeyUsage CFSTR("kSecTrustSettingsKeyUsage")
179 #define kSecTrustSettingsAllowedError CFSTR("kSecTrustSettingsAllowedError")
180 #define kSecTrustSettingsResult CFSTR("kSecTrustSettingsResult")
181
182 /*
183 * Key usage bits, the value for Usage Constraints key kSecTrustSettingsKeyUsage.
184 */
185 typedef CF_OPTIONS(uint32_t, SecTrustSettingsKeyUsage) {
186 /* sign/verify data */
187 kSecTrustSettingsKeyUseSignature = 0x00000001,
188 /* bulk encryption */
189 kSecTrustSettingsKeyUseEnDecryptData = 0x00000002,
190 /* key wrap/unwrap */
191 kSecTrustSettingsKeyUseEnDecryptKey = 0x00000004,
192 /* sign/verify cert */
193 kSecTrustSettingsKeyUseSignCert = 0x00000008,
194 /* sign/verify CRL and OCSP */
195 kSecTrustSettingsKeyUseSignRevocation = 0x00000010,
196 /* key exchange, e.g., Diffie-Hellman */
197 kSecTrustSettingsKeyUseKeyExchange = 0x00000020,
198 /* any usage (the default if this value is not specified) */
199 kSecTrustSettingsKeyUseAny = 0xffffffff
200 };
201
202 /*!
203 @enum SecTrustSettingsResult
204 @abstract Result of a trust settings evaluation.
205 */
206 typedef CF_ENUM(uint32_t, SecTrustSettingsResult) {
207 kSecTrustSettingsResultInvalid = 0, /* Never valid in a Trust Settings array or
208 * in an API call. */
209 kSecTrustSettingsResultTrustRoot, /* Root cert is explicitly trusted */
210 kSecTrustSettingsResultTrustAsRoot, /* Non-root cert is explicitly trusted */
211 kSecTrustSettingsResultDeny, /* Cert is explicitly distrusted */
212 kSecTrustSettingsResultUnspecified /* Neither trusted nor distrusted; evaluation
213 * proceeds as usual */
214 };
215
216 /*
217 * Specify user, local administrator, or system domain Trust Properties.
218 * Note that kSecTrustSettingsDomainSystem settings are read-only, even by
219 * root.
220 */
221 typedef CF_ENUM(uint32_t, SecTrustSettingsDomain) {
222 kSecTrustSettingsDomainUser = 0,
223 kSecTrustSettingsDomainAdmin,
224 kSecTrustSettingsDomainSystem
225 };
226
227 /*
228 * SecCertificateRef value indicating the default Root Certificate Trust Settings
229 * for a given domain. When evaluating Trust Settings for a root cert in
230 * a given domain, *and* no matching explicit Trust Settings exists for the
231 * root cert in questions, *and* default Root Cert Trust Settings exist
232 * in that domain which matches the evaluation condition, then the
233 * SecTrustSettingsResult for that default Trust Setting (if not
234 * kSecTrustSettingsResultUnspecified) will apply.
235 *
236 * This can be used e.g. by a system administrator to explicilty distrust all
237 * of the root certs in the (immutable) system domain for a specific policy.
238 *
239 * This const is passed as the 'SecCertificateRef certRef' argument to
240 * SecTrustSettingsCopyTrustSettings(), SecTrustSettingsSetTrustSettings(),
241 * and SecTrustSettingsRemoveTrustSettings(), and
242 * SecTrustSettingsCopyModificationDate().
243 */
244 #define kSecTrustSettingsDefaultRootCertSetting ((SecCertificateRef)-1)
245
246 #ifdef __cplusplus
247 }
248 #endif
249
250 #endif /* _SECURITY_SECTRUSTSETTINGS_H_ */