1 /*
2 * Copyright (c) 2007-2019 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 SecCertificateInternal
26 */
27
28 #ifndef _SECURITY_SECCERTIFICATEINTERNAL_H_
29 #define _SECURITY_SECCERTIFICATEINTERNAL_H_
30
31 #include <TargetConditionals.h>
32 #include <libDER/DER_Keys.h>
33
34 #include <Security/SecBase.h>
35 #include <Security/SecCertificatePriv.h>
36
37 #include <Security/certextensions.h>
38
39 // This file can only be included under the ios view of the headers.
40 // If you're not under that view, we'll forward declare the things you need here.
41 #if SECURITY_PROJECT_TAPI_HACKS && SEC_OS_OSX
/* Parsed BasicConstraints extension.
   This definition only exists for the TAPI/OSX header view (see the guard
   above); it presumably mirrors the one in certextensions.h and the two
   must stay field-for-field identical — confirm when changing either. */
typedef struct {
    bool present;                   // extension was found in the certificate
    bool critical;                  // extension's critical flag
    bool isCA;                      // presumably the cA field (RFC 5280 BasicConstraints)
    bool pathLenConstraintPresent;  // pathLenConstraint is only meaningful when true
    uint32_t pathLenConstraint;
} SecCEBasicConstraints;
49
/* Parsed PolicyConstraints extension (TAPI/OSX view only; presumably must
   match certextensions.h field-for-field).
   Each optional field has a *Present flag; the value is only meaningful
   when its flag is true. */
typedef struct {
    bool present;
    bool critical;
    bool requireExplicitPolicyPresent;
    uint32_t requireExplicitPolicy;
    bool inhibitPolicyMappingPresent;
    uint32_t inhibitPolicyMapping;
} SecCEPolicyConstraints;
58
/* One PolicyInformation entry of the CertificatePolicies extension
   (TAPI/OSX view only; presumably must match certextensions.h).
   Both members are DERItems, i.e. views into DER-encoded data whose
   lifetime is not visible here — presumably that of the certificate. */
typedef struct {
    DERItem policyIdentifier;   // the policy OID, still DER-encoded
    DERItem policyQualifiers;   // raw encoding of the optional qualifiers
} SecCEPolicyInformation;
63
/* Parsed CertificatePolicies extension (TAPI/OSX view only; presumably
   must match certextensions.h). */
typedef struct {
    bool present;
    bool critical;
    size_t numPolicies;                 // number of entries in policies
    SecCEPolicyInformation *policies;   // array of numPolicies entries
} SecCECertificatePolicies;
70
/* One issuerDomainPolicy/subjectDomainPolicy pair of the PolicyMappings
   extension (TAPI/OSX view only; presumably must match certextensions.h).
   Both OIDs are kept DER-encoded. */
typedef struct {
    DERItem issuerDomainPolicy;
    DERItem subjectDomainPolicy;
} SecCEPolicyMapping;
75
/* Parsed PolicyMappings extension (TAPI/OSX view only; presumably must
   match certextensions.h). */
typedef struct {
    bool present;
    bool critical;
    size_t numMappings;             // number of entries in mappings
    SecCEPolicyMapping *mappings;   // array of numMappings entries
} SecCEPolicyMappings;
82
/* Parsed InhibitAnyPolicy extension (TAPI/OSX view only; presumably must
   match certextensions.h). skipCerts is only meaningful when present. */
typedef struct {
    bool present;
    bool critical;
    uint32_t skipCerts;
} SecCEInhibitAnyPolicy;
88
89 #endif
90
91 __BEGIN_DECLS
92
/* Return the AuthorityKeyIdentifier / SubjectKeyIdentifier extension values.
   "Get" per CF naming: presumably a reference owned by the certificate that
   the caller must not release — confirm against the implementation. Whether
   NULL is returned when the extension is absent is not visible here. */
CFDataRef SecCertificateGetAuthorityKeyID(SecCertificateRef certificate);
CFDataRef SecCertificateGetSubjectKeyID(SecCertificateRef certificate);
95
/* Return an array of CFURLRefs, each of which is a CRL distribution point
   for this certificate. "Get": presumably owned by the certificate, not
   retained for the caller — confirm before releasing. */
CFArrayRef SecCertificateGetCRLDistributionPoints(SecCertificateRef certificate);
99
/* Return an array of CFURLRefs, each of which is a caIssuers access location
   (AuthorityInfoAccess) for this certificate. These URLs come straight from
   the certificate, i.e. from untrusted input; callers that fetch them should
   apply their own scheme/host policy. */
CFArrayRef SecCertificateGetCAIssuers(SecCertificateRef certificate);
103
/* Dump certificate for debugging. The output destination is not visible
   here; treat this as debug-only since it presumably prints certificate
   contents in the clear. */
void SecCertificateShow(SecCertificateRef certificate);
106
/* Return the normalized name, or NULL if it fails to parse.
   distinguished_name is the DER-encoded name. "Copy" per CF naming: the
   caller presumably owns the result and must release it. */
CFDataRef SecDistinguishedNameCopyNormalizedContent(CFDataRef distinguished_name);
109
/* Return true iff the certificate has a subject. */
bool SecCertificateHasSubject(SecCertificateRef certificate);
/* Return true iff the certificate has a critical subject alt name.
   (RFC 5280 requires SubjectAltName to be critical when the subject is
   empty; pairing this with SecCertificateHasSubject lets a caller check
   that rule.) */
bool SecCertificateHasCriticalSubjectAltName(SecCertificateRef certificate);
114
/* Return the contents of the SubjectAltName extension as a DERItem view.
   The item presumably points into the certificate's own data and is valid
   only while the certificate is — confirm against the implementation.
   Whether NULL is returned when the extension is absent is not visible here. */
const DERItem * SecCertificateGetSubjectAltName(SecCertificateRef certificate);
117
/* Return true if certificate contains one or more critical extensions we
   are unable to parse. RFC 5280 section 4.2 requires a verifier to reject a
   certificate carrying an unrecognized critical extension, so path
   validation callers should treat a true result as a failure, not a
   warning. */
bool SecCertificateHasUnknownCriticalExtension(SecCertificateRef certificate);
121
/* Return an attribute dictionary used to store this item in a keychain.
   "Copy": the caller presumably owns the returned dictionary. The set of
   keys is not visible here; it must round-trip through
   SecCertificateCreateFromAttributeDictionary. */
CFDictionaryRef SecCertificateCopyAttributeDictionary(
    SecCertificateRef certificate);
125
/* Return a certificate from the attribute dictionary that was used to store
   this item in a keychain. "Create": the caller presumably owns the result.
   refAttributes comes from keychain storage; behavior on a missing or
   malformed attribute (presumably NULL) is not visible here — confirm. */
SecCertificateRef SecCertificateCreateFromAttributeDictionary(
    CFDictionaryRef refAttributes);
130
/* Return a SecKeyRef for the public key embedded in the cert.
   OSX-only and deprecated (10.12–10.14) in favor of SecCertificateCopyKey;
   new code should not call it. "Copy": the caller owns the returned key. */
#if TARGET_OS_OSX
SecKeyRef SecCertificateCopyPublicKey_ios(SecCertificateRef certificate)
    __OSX_DEPRECATED(__MAC_10_12, __MAC_10_14, "Use SecCertificateCopyKey instead.");
#endif
136
/* Return the SecCEBasicConstraints extension for this certificate if it
   has one. The pointer presumably refers to storage owned by the
   certificate; the not-present case is presumably signalled by NULL and/or
   by the struct's own `present` flag — confirm which before relying on it. */
const SecCEBasicConstraints *
SecCertificateGetBasicConstraints(SecCertificateRef certificate);
141
/* Returns an array of CFDataRefs containing the generalNames that are
   Permitted Subtree Name Constraints for this certificate, if it has any.
   Each element is presumably still DER-encoded (cf. the GeneralName parsers
   below). "Get": presumably not owned by the caller. */
CFArrayRef SecCertificateGetPermittedSubtrees(SecCertificateRef certificate);
146
/* Returns an array of CFDataRefs containing the generalNames that are
   Excluded Subtree Name Constraints for this certificate, if it has any.
   Each element is presumably still DER-encoded (cf. the GeneralName parsers
   below). "Get": presumably not owned by the caller. */
CFArrayRef SecCertificateGetExcludedSubtrees(SecCertificateRef certificate);
151
/* Return the SecCEPolicyConstraints extension for this certificate if it
   has one. The pointer presumably refers to storage owned by the
   certificate; check the struct's *Present flags before reading the
   optional fields. */
const SecCEPolicyConstraints *
SecCertificateGetPolicyConstraints(SecCertificateRef certificate);
156
/* Return the SecCEPolicyMappings extension for this certificate if it has
   one (numMappings entries of issuer/subject domain policy OID pairs).
   NOTE(review): an older version of this comment described a CFDictionaryRef
   from CFDataRef to CFArrayRef of CFDataRef; that does not match the
   declared return type, which is a pointer to the parsed struct. The pointer
   presumably refers to storage owned by the certificate. */
const SecCEPolicyMappings *
SecCertificateGetPolicyMappings(SecCertificateRef certificate);
161
/* Return the SecCECertificatePolicies extension for this certificate if it
   has one. Iterate `policies` using `numPolicies` only; the pointer
   presumably refers to storage owned by the certificate. */
const SecCECertificatePolicies *
SecCertificateGetCertificatePolicies(SecCertificateRef certificate);
166
/* Return the SecCEInhibitAnyPolicy extension for this certificate if it
   has one; read `skipCerts` from the returned struct.
   NOTE(review): despite the function name, the declared return type is a
   pointer to the parsed struct, not the skipCerts value itself. An older
   version of this comment said UINT32_MAX is returned when the extension is
   absent or invalid; that cannot be true of this signature. The absent case
   is presumably NULL and/or `present == false` — confirm against the
   implementation before relying on either. */
const SecCEInhibitAnyPolicy *
SecCertificateGetInhibitAnyPolicySkipCerts(SecCertificateRef certificate);
172
/* Return the public key algorithm and parameters for certificate, as the
   DER-level AlgorithmIdentifier. The pointer presumably refers to storage
   owned by the certificate. */
const DERAlgorithmId *SecCertificateGetPublicKeyAlgorithm(
    SecCertificateRef certificate);
176
/* Return the raw public key data for certificate as a DERItem view.
   Interpret it together with SecCertificateGetPublicKeyAlgorithm; the
   bytes presumably belong to the certificate and must not be modified. */
const DERItem *SecCertificateGetPublicKeyData(SecCertificateRef certificate);
179
/* Return legacy property values for use by SecCertificateCopyValues.
   "Copy": the caller presumably owns the returned array. */
CFArrayRef SecCertificateCopyLegacyProperties(SecCertificateRef certificate);
182
183 // MARK: -
184 // MARK: Certificate Operations
185
/* Verify the certificate's signature with issuerKey.
   Returns an OSStatus; presumably errSecSuccess when the signature verifies
   and a failure code otherwise — callers must check the status rather than
   treat the call as void. This checks the signature only; validity period,
   name chaining and constraints are separate checks. */
OSStatus SecCertificateIsSignedBy(SecCertificateRef certificate,
    SecKeyRef issuerKey);
188
/* Internal helper for building property arrays (unprefixed name, so it is
   hidden from the TAPI view by the guard). Appends one entry described by
   propertyType/label/localizedLabel/value to properties; what `localized`
   selects is not visible here — presumably whether label is looked up for
   display. */
#ifndef SECURITY_PROJECT_TAPI_HACKS
void appendProperty(CFMutableArrayRef properties, CFStringRef propertyType,
    CFStringRef label, CFStringRef localizedLabel, CFTypeRef value, bool localized);
#endif
193
/* Utility functions. */

/* Return the dotted-decimal string form of a DER-encoded OID.
   "Copy": the caller presumably owns the result. Behavior on a malformed
   OID encoding (presumably NULL) is not visible here. */
CFStringRef SecDERItemCopyOIDDecimalRepresentation(CFAllocatorRef allocator,
    const DERItem *oid);
197
/* Internal helper (unprefixed, hidden from the TAPI view): normalize a
   DER-encoded X.501 name for comparison. Presumably the worker behind
   SecDistinguishedNameCopyNormalizedContent; the caller presumably owns
   the returned data ("create"). */
#ifndef SECURITY_PROJECT_TAPI_HACKS
CFDataRef createNormalizedX501Name(CFAllocatorRef allocator,
    const DERItem *x501name);
#endif
202
/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return
   an absoluteTime if the date was valid and properly decoded. Return
   NULL_TIME otherwise.
   tag selects which encoding the content octets use; bytes/length are the
   raw content octets taken from the DER input, so every read inside the
   decoder must be bounded by length. Callers must compare the result
   against NULL_TIME before using it. */
CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes,
    size_t length);
208
209 bool SecCertificateHasMarkerExtension(SecCertificateRef certificate, CFTypeRef oid);
210
211 bool SecCertificateHasOCSPNoCheckMarkerExtension(SecCertificateRef certificate);
212
/* Callback invoked once per GeneralName by the parsers below.
   context is the caller's opaque pointer, type the tagged choice, value the
   DER-encoded content of that choice. The callback's OSStatus is presumably
   propagated by the parser and a non-success value presumably stops the
   iteration — confirm against the implementation. */
typedef OSStatus (*parseGeneralNameCallback)(void *context,
    SecCEGeneralNameType type, const DERItem *value);
/* Parse a single GeneralName whose tag is already known and hand it to
   callback. generalNameContent is the raw content of that element; the
   parser, not the callback, must validate it against the tag. Returns an
   OSStatus (errSecSuccess on success; failure codes not visible here). */
OSStatus SecCertificateParseGeneralNameContentProperty(DERTag tag,
    const DERItem *generalNameContent,
    void *context, parseGeneralNameCallback callback);
218
/* Parse a DER-encoded GeneralNames sequence, invoking callback for each
   element. generalNames is untrusted certificate data; a malformed element
   presumably yields a failure status rather than a partial callback.
   Returns an OSStatus (errSecSuccess on success). */
OSStatus SecCertificateParseGeneralNames(const DERItem *generalNames, void *context,
    parseGeneralNameCallback callback);
221
222 CFArrayRef SecCertificateCopyOrganizationFromX501NameContent(const DERItem *nameContent);
223
/* Key-strength classification of the certificate's public key.
   The size thresholds behind IsWeakKey/IsStrongKey are not visible here;
   IsAtLeastMinKeySize takes the policy explicitly via keySizes, presumably
   a dictionary of minimum bit lengths keyed by key type — confirm the
   expected keys against the implementation before constructing one. */
bool SecCertificateIsWeakKey(SecCertificateRef certificate);
bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate,
    CFDictionaryRef keySizes);
bool SecCertificateIsStrongKey(SecCertificateRef certificate);
228
/* String identifiers naming the digest used in a certificate's signature
   algorithm. MD2/MD4/MD5/SHA1 are listed so the digest can be reported and
   classified (see SecCertificateIsWeakHash), not as acceptable choices.
   All but Unknown are hidden from the TAPI view by the guard. */
extern const CFStringRef kSecSignatureDigestAlgorithmUnknown;
#ifndef SECURITY_PROJECT_TAPI_HACKS
extern const CFStringRef kSecSignatureDigestAlgorithmMD2;
extern const CFStringRef kSecSignatureDigestAlgorithmMD4;
extern const CFStringRef kSecSignatureDigestAlgorithmMD5;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA1;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA224;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA256;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA384;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA512;
#endif
240
241 bool SecCertificateIsWeakHash(SecCertificateRef certificate);
242
/* OID string helpers.
   SecCertificateCreateOidDataFromString encodes a dotted-decimal OID string
   into its DER content bytes; "Create": the caller presumably owns the
   result, and a string that is not a valid OID presumably yields NULL.
   SecCertificateIsOidString reports whether oid has the dotted-decimal
   form; validate with it before trusting a caller-supplied string. */
CFDataRef SecCertificateCreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string);
bool SecCertificateIsOidString(CFStringRef oid);
245
246 DERItem *SecCertificateGetExtensionValue(SecCertificateRef certificate, CFTypeRef oid);
247
/* Extract name-like attributes from the Subject field only (not the
   SubjectAltName). Values come straight from the certificate and have
   presumably not been validated as hostnames/addresses/mailboxes beyond
   being present in the subject. "Copy": the caller presumably owns each
   returned array. */
CFArrayRef SecCertificateCopyDNSNamesFromSubject(SecCertificateRef certificate);
CFArrayRef SecCertificateCopyIPAddressesFromSubject(SecCertificateRef certificate);
CFArrayRef SecCertificateCopyRFC822NamesFromSubject(SecCertificateRef certificate);
251
252 CFArrayRef SecCertificateCopyDNSNamesFromSAN(SecCertificateRef certificate);
253
254 CFIndex SecCertificateGetUnparseableKnownExtension(SecCertificateRef certificate);
255
256 __END_DECLS
257
258 #endif /* !_SECURITY_SECCERTIFICATEINTERNAL_H_ */