2 * Copyright (c) 2002-2004 Apple Computer, Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 // Trust.h - Trust control wrappers
27 #ifndef _SECURITY_TRUST_H_
28 #define _SECURITY_TRUST_H_
30 #include <CoreFoundation/CoreFoundation.h>
31 #include <security_keychain/StorageManager.h>
32 #include <security_cdsa_client/tpclient.h>
33 #include <security_utilities/cfutilities.h>
34 #include <Security/SecTrust.h>
35 #include <security_keychain/Certificate.h>
36 #include <security_keychain/Policies.h>
37 #include <security_keychain/TrustStore.h>
40 using namespace CssmClient
;
43 namespace KeychainCore
{
47 // The Trust object manages trust-verification workflow.
48 // As such, it represents a somewhat more complex concept than
51 class Trust
: public SecCFObject
55 SECCFFUNCTIONS(Trust
, SecTrustRef
, errSecInvalidItemRef
, gTypes().Trust
)
57 Trust(CFTypeRef certificates
, CFTypeRef policies
);
61 useAnchorsDefault
, // default policy: trust built-in unless passed-in
62 useAnchorsAndBuiltIns
, // SetTrustAnchorCertificatesOnly value = false
63 useAnchorsOnly
// SetTrustAnchorCertificatesOnly value = true
66 // set (or reset) more input parameters
67 void policies(CFTypeRef policies
) { mPolicies
.take(cfArrayize(policies
)); }
68 void action(CSSM_TP_ACTION action
) { mAction
= action
; }
69 void actionData(CFDataRef data
) { mActionData
= data
; }
70 void time(CFDateRef verifyTime
) { mVerifyTime
= verifyTime
; }
71 void anchors(CFArrayRef anchorList
) { mAnchors
.take(cfArrayize(anchorList
)); }
72 void anchorPolicy(AnchorPolicy policy
) { mAnchorPolicy
= policy
; }
74 StorageManager::KeychainList
&searchLibs(bool init
=true);
75 void searchLibs(StorageManager::KeychainList
&libs
);
78 void evaluate(bool disableEV
=false);
80 // get at evaluation results
81 void buildEvidence(CFArrayRef
&certChain
, TPEvidenceInfo
* &statusChain
);
82 CSSM_TP_VERIFY_CONTEXT_RESULT_PTR
cssmResult();
83 void extendedResult(CFDictionaryRef
&extendedResult
);
84 CFArrayRef
properties();
86 SecTrustResultType
result() const { return mResult
; }
87 OSStatus
cssmResultCode() const { return mTpReturn
; }
88 TP
getTPHandle() const { return mTP
; }
89 CFArrayRef
evidence() const { return mEvidenceReturned
; }
90 CFArrayRef
policies() const { return mPolicies
; }
91 CFArrayRef
anchors() const { return mAnchors
; }
92 CFDateRef
time() const { return mVerifyTime
; }
94 // an independent release function for TP evidence results
95 // (yes, we could hand this out to the C layer if desired)
96 static void releaseTPEvidence(TPVerifyResult
&result
, Allocator
&allocator
);
99 SecTrustResultType
diagnoseOutcome();
100 void evaluateUserTrust(const CertGroup
&certs
,
101 const CSSM_TP_APPLE_EVIDENCE_INFO
*info
,
102 CFCopyRef
<CFArrayRef
> anchors
);
105 Keychain
keychainByDLDb(const CSSM_DL_DB_HANDLE
&handle
);
107 /* revocation policy support */
108 CFMutableArrayRef
addSpecifiedRevocationPolicies(uint32
&numAdded
,
110 void freeSpecifiedRevocationPolicies(CFArrayRef policies
,
113 CFMutableArrayRef
addPreferenceRevocationPolicies(uint32
&numAdded
,
115 void freePreferenceRevocationPolicies(CFArrayRef policies
,
118 CFDictionaryRef
defaultRevocationSettings();
120 bool policySpecified(CFArrayRef policies
, const CSSM_OID
&inOid
);
121 bool revocationPolicySpecified(CFArrayRef policies
);
122 void orderRevocationPolicies(CFMutableArrayRef policies
);
123 CFMutableArrayRef
forceRevocationPolicies(uint32
&numAdded
,
125 bool requirePerCert
=false);
130 // input arguments: set up before evaluate()
131 CSSM_TP_ACTION mAction
; // TP action to verify
132 CFRef
<CFDataRef
> mActionData
; // action data
133 CFRef
<CFDateRef
> mVerifyTime
; // verification "now"
134 CFRef
<CFArrayRef
> mCerts
; // certificates to verify (item 1 is subject)
135 CFRef
<CFArrayRef
> mPolicies
; // array of policy objects to control verification
136 CFRef
<CFArrayRef
> mAnchors
; // array of anchor certs
137 StorageManager::KeychainList
*mSearchLibs
; // array of databases to search
138 bool mSearchLibsSet
; // true if mSearchLibs has been initialized
140 // evaluation results: set as a result of evaluate()
141 SecTrustResultType mResult
; // result classification
142 uint32 mResultIndex
; // which result cert made the decision?
143 OSStatus mTpReturn
; // return code from TP Verify
144 TPVerifyResult mTpResult
; // result of latest TP verify
146 vector
< SecPointer
<Certificate
> > mCertChain
; // distilled certificate chain
148 // information returned to caller but owned by us
149 CFRef
<CFArrayRef
> mEvidenceReturned
; // evidence chain returned
150 CFRef
<CFArrayRef
> mAllowedAnchors
; // array of permitted anchor certificates
151 CFRef
<CFArrayRef
> mFilteredCerts
; // array of certificates to verify, post-filtering
152 CFRef
<CFDictionaryRef
> mExtendedResult
; // dictionary of extended results
154 bool mUsingTrustSettings
; // true if built-in anchors will be trusted
155 AnchorPolicy mAnchorPolicy
; // policy for trusting passed-in and/or built-in anchors
158 static ModuleNexus
<TrustStore
> gStore
;
164 } // end namespace KeychainCore
166 } // end namespace Security
168 #endif // !_SECURITY_TRUST_H_
projects / apple / security.git / blob