OSX/libsecurity_keychain/lib/TrustSettingsSchema.h

   1 /*
   2  * Copyright (c) 2005,2011,2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*
  25  * TrustSettingsSchema.h - Dictionary keys used in on-disk TrustSettings plist.
  26  */
  27
  28 #ifndef _TRUST_SETTINGS_SCHEMA_H_
  29 #define _TRUST_SETTINGS_SCHEMA_H_
  30
  31 #include <CoreFoundation/CFString.h>
  32
  33 /*
  34  * A TrustSettings Record contains the XML encoding of a CFDictionary. This dictionary
  35  * currently contains two name/value pairs:
  36  *
  37  * key = kTrustRecordVersion,   value = SInt32 version number
  38  * key = kTrustRecordTrustList, value = CFDictionary
  39  *
  40  * Each key/value pair of the CFDictionary associated with key kTrustRecordTrustList
  41  * consists of:
  42  * -- key   = the ASCII representation (with alpha characters in upper case) of the
  43  *            cert's SHA1 digest.
  44  * -- value = a CFDictionary representing one cert.
  45  *
  46  * Key/value pairs in the per-cert dictionary are as follows:
  47  *
  48  * -- key = kTrustRecordIssuer, value = non-normalized issuer as CFData
  49  * -- key = kTrustRecordSerialNumber, value = serial number as CFData
  50  * -- key = kTrustRecordModDate, value = CFDateRef of the last modification
  51                         date of the per-cert entry.
  52  * -- key = kTrustRecordTrustSettings, value = array of dictionaries. The
  53  *          dictionaries are as described in the API in SecUserTrust.h
  54  *                      although we store the values differently (see below).
  55  *                      As written to disk, this key/value is always present although
  56  *                      the usageConstraints array may be empty.
  57  *
  58  * A usageConstraints dictionary is like so (all elements are optional). These key
  59  * strings are defined in SecUserTrust.h.
  60  *
  61  * key = kSecTrustSettingsPolicy                value = policy OID as CFData or CFString
  62  * key = kSecTrustSettingsPolicyName    value = policy name as CFString
  63  * key = kSecTrustSettingsApplication   value = application as CFData
  64  * key = kSecTrustSettingsPolicyString  value = CFString, policy-specific
  65  * key = kSecTrustSettingsAllowedError  value = CFNumber, an SInt32 CSSM_RETURN
  66  * key = kSecTrustSettingsResult                value = CFNumber, an SInt32 SecTrustSettingsResult
  67  * key = kSecTrustSettingsKeyUsage              value = CFNumber, an SInt32 key usage
  68  * key = kSecTrustSettingsModifyDate    value = CFDate, last modification
  69  */
  70
  71 /*
  72  * Keys in the top-level dictionary
  73  */
  74 #define kTrustRecordVersion                             CFSTR("trustVersion")
  75 #define kTrustRecordTrustList                   CFSTR("trustList")
  76
  77 #define kSecTrustRecordNumTopDictKeys           2
  78
  79 /*
  80  * Keys in the per-cert dictionary in the TrustedRootList record.
  81  */
  82 /* value = non-normalized issuer as CFData */
  83 #define kTrustRecordIssuer                              CFSTR("issuerName")
  84
  85 /* value = serial number as CFData */
  86 #define kTrustRecordSerialNumber                CFSTR("serialNumber")
  87
  88 /* value = CFDateRef representation of modification date */
  89 #define kTrustRecordModDate                             CFSTR("modDate")
  90
  91 /*
  92  * value = array of CFDictionaries as used in public API
  93  * Not present for a cert which has no usage Constraints (i.e.
  94  * "wide open" unrestricted, kSecTrustSettingsResultTrustRoot as
  95  * the default SecTrustSettingsResult).
  96  */
  97 #define kTrustRecordTrustSettings               CFSTR("trustSettings")
  98
  99 #define kSecTrustRecordNumCertDictKeys  4
 100
 101 /*
 102  * Version of the top-level dictionary.
 103  */
 104 enum {
 105         kSecTrustRecordVersionInvalid   = 0,    /* should never be seen on disk */
 106         kSecTrustRecordVersionCurrent   = 1
 107 };
 108
 109 /*
 110  * Key for the (optional) default entry in a TrustSettings record. This
 111  * appears in place of the cert's hash string, and corresponds to
 112  * kSecTrustSettingsDefaultRootCertSetting at the public API.
 113  * If you change this, make sure it has characters other than those
 114  * appearing in a normal cert hash string (0..9 and A..F).
 115  */
 116 #define kSecTrustRecordDefaultRootCert          CFSTR("kSecTrustRecordDefaultRootCert")
 117
 118 /*
 119  * The location of the system root keychain and its associated TrustSettings.
 120  * These are immutable; this module never modifies either of them.
 121  */
 122 #define SYSTEM_ROOT_STORE_PATH                  "/System/Library/Keychains/SystemRootCertificates.keychain"
 123 #define SYSTEM_TRUST_SETTINGS_PATH              "/System/Library/Keychains/SystemTrustSettings.plist"
 124
 125 /*
 126  * The local admin cert store.
 127  */
 128 #define ADMIN_CERT_STORE_PATH                   "/Library/Keychains/System.keychain"
 129
 130 /*
 131  * Per-user and local admin TrustSettings are stored in this directory.
 132  * Per-user settings are of the form <uuid>.plist.
 133  */
 134 #define TRUST_SETTINGS_PATH                             "/Library/Security/Trust Settings"
 135 #define ADMIN_TRUST_SETTINGS                    "Admin.plist"
 136
 137 /*
 138  * The location of the system intermediate cert store keychain.
 139  */
 140 #define SYSTEM_CERT_STORE_PATH                  "/System/Library/Keychains/SystemCACertificates.keychain"
 141
 142 /*
 143  * The domain and key for the system preference to disable User-level domain TrustSettings.
 144  * If this pref exists in /Library/Preferences, and has a value of true, then
 145  * per-user TrustSettings will be ignored.
 146  */
 147 #define kSecTrustSettingsPrefsDomain                            "com.apple.security"
 148 #define kSecTrustSettingsDisableUserTrustSettings       CFSTR("DisableUserTrustSettings")
 149
 150 #endif  /* _TRUST_SETTINGS_SCHEMA_H_ */
 151