1 /*
2 * Copyright (c) 2000-2004,2011,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * CertExtensions.h -- X.509 Cert Extensions as C structs
24 */
25
#ifndef _CERT_EXTENSIONS_H_
#define _CERT_EXTENSIONS_H_

#include <Security/cssmtype.h>

/*
 * Almost every type in this header is tagged
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, yet the declarations refer to
 * one another (e.g. CE_GeneralNames embeds CE_GeneralName). The push/ignore
 * here, balanced by the pop at the end of the file, keeps those internal
 * references from emitting deprecation warnings while the header is parsed;
 * uses in including files are outside the push/pop and are still warned.
 * (Intent inferred from the layout of this file - confirm.)
 */
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
33
34 /***
35 *** Structs for declaring extension-specific data.
36 ***/
37
38 /*
39 * GeneralName, used in AuthorityKeyID, SubjectAltName, and
40 * IssuerAltName.
41 *
42 * For now, we just provide explicit support for the types which are
43 * represented as IA5Strings, OIDs, and octet strings. Constructed types
44 * such as EDIPartyName and x400Address are not explicitly handled
45 * right now and must be encoded and decoded by the caller. (See exception
46 * for Name and OtherName, below). In those cases the CE_GeneralName.name.Data field
47 * represents the BER contents octets; CE_GeneralName.name.Length is the
48 * length of the contents; the tag of the field is not needed - the BER
49 * encoding uses context-specific implicit tagging. The berEncoded field
50 * is set to CSSM_TRUE in these cases. Simple types have berEncoded = CSSM_FALSE.
51 *
52 * In the case of a GeneralName in the form of a Name, we parse the Name
53 * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
54 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
55 * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
56 *
57 * In the case of a GeneralName in the form of a OtherName, we parse the fields
58 * into a CE_OtherName and place a pointer to the CE_OtherName in the
59 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
60 * sizeof(CE_OtherName). In this case berEncoded is false.
61 *
62 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
63 *
64 * GeneralName ::= CHOICE {
65 * otherName [0] OtherName
66 * rfc822Name [1] IA5String,
67 * dNSName [2] IA5String,
68 * x400Address [3] ORAddress,
69 * directoryName [4] Name,
70 * ediPartyName [5] EDIPartyName,
71 * uniformResourceIdentifier [6] IA5String,
72 * iPAddress [7] OCTET STRING,
73 * registeredID [8] OBJECT IDENTIFIER}
74 *
75 * OtherName ::= SEQUENCE {
76 * type-id OBJECT IDENTIFIER,
77 * value [0] EXPLICIT ANY DEFINED BY type-id }
78 *
79 * EDIPartyName ::= SEQUENCE {
80 * nameAssigner [0] DirectoryString OPTIONAL,
81 * partyName [1] DirectoryString }
82 */
/*
 * Discriminator stored in CE_GeneralName.nameType. The enumerators follow the
 * order of the GeneralName CHOICE alternatives above and GNT_OtherName is
 * pinned to 0, so each value equals the context-specific tag number
 * ([0]..[8]) of its alternative. The trailing comment on each enumerator
 * says how CE_GeneralName.name is filled for that type (see the block
 * comment above for the full rules).
 */
typedef enum __CE_GeneralNameType {
	GNT_OtherName = 0,		// [0] OtherName: name.Data -> CE_OtherName
	GNT_RFC822Name,			// [1] IA5String contents
	GNT_DNSName,			// [2] IA5String contents
	GNT_X400Address,		// [3] ORAddress: left BER-encoded, berEncoded = CSSM_TRUE
	GNT_DirectoryName,		// [4] Name: name.Data -> CSSM_X509_NAME
	GNT_EdiPartyName,		// [5] EDIPartyName: left BER-encoded, berEncoded = CSSM_TRUE
	GNT_URI,				// [6] IA5String contents
	GNT_IPAddress,			// [7] OCTET STRING contents
	GNT_RegisteredID		// [8] OBJECT IDENTIFIER contents
} CE_GeneralNameType;
94
/*
 * The OtherName alternative ([0]) of a GeneralName. typeId is the type-id
 * OID; value carries the "[0] EXPLICIT ANY DEFINED BY type-id" element as
 * received. This library does not parse value - its interpretation is
 * determined by typeId and is left to the caller.
 */
typedef struct __CE_OtherName {
	CSSM_OID	typeId;
	CSSM_DATA	value;		// unparsed, BER-encoded
} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
99
/*
 * One GeneralName. What `name` holds depends on nameType (and berEncoded):
 *
 *   GNT_DirectoryName  name.Data points to a CSSM_X509_NAME and
 *                      name.Length == sizeof(CSSM_X509_NAME); berEncoded is
 *                      CSSM_FALSE.
 *   GNT_OtherName      name.Data points to a CE_OtherName and
 *                      name.Length == sizeof(CE_OtherName); berEncoded is
 *                      CSSM_FALSE.
 *   GNT_X400Address,   name holds the BER contents octets (tag stripped);
 *   GNT_EdiPartyName   berEncoded is CSSM_TRUE.
 *   all other types    name holds the raw contents (IA5String bytes, OCTET
 *                      STRING bytes, or OID bytes); berEncoded is CSSM_FALSE.
 *
 * Always dispatch on nameType before touching name.Data. In the two pointer
 * cases name.Length is a struct size, not a byte count of string data, so it
 * must not be used as the length of a text or octet-string value.
 */
typedef struct __CE_GeneralName {
	CE_GeneralNameType	nameType;	// GNT_RFC822Name, etc.
	CSSM_BOOL			berEncoded;
	CSSM_DATA			name;
} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
105
/*
 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName.
 * generalName points to an array of numNames elements; numNames is the only
 * bound on that array, so consumers must index strictly below it. The ASN.1
 * requires at least one element, but nothing here enforces that on a
 * caller-constructed value.
 */
typedef struct __CE_GeneralNames {
	uint32			numNames;
	CE_GeneralName	*generalName;
} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
110
111 /*
112 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
113 *
114 * AuthorityKeyIdentifier ::= SEQUENCE {
115 * keyIdentifier [0] KeyIdentifier OPTIONAL,
116 * authorityCertIssuer [1] GeneralNames OPTIONAL,
117 * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
118 *
119 * KeyIdentifier ::= OCTET STRING
120 *
121 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
122 */
/*
 * AuthorityKeyIdentifier. All three components are OPTIONAL in the ASN.1,
 * so each value field is paired with a *Present flag; a value field is only
 * meaningful when its flag is CSSM_TRUE. generalNames is a pointer (NULL is
 * expected when generalNamesPresent is CSSM_FALSE - confirm against the
 * decoder).
 *
 * These fields only identify the issuer's key to help locate a chain; they
 * are not authenticated on their own, and signature verification still
 * decides whether a candidate issuer is the real one.
 */
typedef struct __CE_AuthorityKeyID {
	CSSM_BOOL			keyIdentifierPresent;
	CSSM_DATA			keyIdentifier;		// KeyIdentifier OCTET STRING contents
	CSSM_BOOL			generalNamesPresent;
	CE_GeneralNames		*generalNames;		// authorityCertIssuer
	CSSM_BOOL			serialNumberPresent;
	CSSM_DATA			serialNumber;		// authorityCertSerialNumber
} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
131
132 /*
133 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
134 * SubjectKeyIdentifier ::= KeyIdentifier
135 *
136 * CSSM OID = CSSMOID_SubjectKeyIdentifier
137 */
138 typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
139
140 /*
141 * id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
142 *
143 * KeyUsage ::= BIT STRING {
144 * digitalSignature (0),
145 * nonRepudiation (1),
146 * keyEncipherment (2),
147 * dataEncipherment (3),
148 * keyAgreement (4),
149 * keyCertSign (5),
150 * cRLSign (6),
151 * encipherOnly (7),
152 * decipherOnly (8) }
153 *
154 * CSSM OID = CSSMOID_KeyUsage
155 *
156 */
/*
 * KeyUsage as a 16-bit mask. BIT STRING bit n maps to the n-th most
 * significant bit of the value (digitalSignature (0) -> 0x8000 ...
 * decipherOnly (8) -> 0x0080), preserving the ASN.1 bit order above;
 * bits 9..15 are unused. Test individual usages with a bitwise AND,
 * e.g. (ku & CE_KU_KeyCertSign).
 */
typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_KU_DigitalSignature	0x8000	// digitalSignature (0)
#define CE_KU_NonRepudiation	0x4000	// nonRepudiation   (1)
#define CE_KU_KeyEncipherment	0x2000	// keyEncipherment  (2)
#define CE_KU_DataEncipherment	0x1000	// dataEncipherment (3)
#define CE_KU_KeyAgreement		0x0800	// keyAgreement     (4)
#define CE_KU_KeyCertSign		0x0400	// keyCertSign      (5)
#define CE_KU_CRLSign			0x0200	// cRLSign          (6)
#define CE_KU_EncipherOnly		0x0100	// encipherOnly     (7)
#define CE_KU_DecipherOnly		0x0080	// decipherOnly     (8)
168
169 /*
170 * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
171 *
172 * -- reasonCode ::= { CRLReason }
173 *
174 * CRLReason ::= ENUMERATED {
175 * unspecified (0),
176 * keyCompromise (1),
177 * cACompromise (2),
178 * affiliationChanged (3),
179 * superseded (4),
180 * cessationOfOperation (5),
181 * certificateHold (6),
182 * removeFromCRL (8) }
183 *
184 * CSSM OID = CSSMOID_CrlReason
185 *
186 */
/*
 * CRLReason as a single integer value, NOT a bit mask: a CE_CrlReason holds
 * exactly one CE_CR_* value. The numbers are the ENUMERATED values from the
 * ASN.1 above, which skips 7, so removeFromCRL is 8. Contrast
 * CE_CrlDistReasonFlags, which is an OR-able bit string.
 */
typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CR_Unspecified			0
#define CE_CR_KeyCompromise			1
#define CE_CR_CACompromise			2
#define CE_CR_AffiliationChanged	3
#define CE_CR_Superseded			4
#define CE_CR_CessationOfOperation	5
#define CE_CR_CertificateHold		6
#define CE_CR_RemoveFromCRL			8	// 7 is unassigned in the ASN.1
197
198 /*
199 * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
200 *
201 * SubjectAltName ::= GeneralNames
202 *
203 * CSSM OID = CSSMOID_SubjectAltName
204 *
205 * GeneralNames defined above.
206 */
207
208 /*
209 * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
210 *
211 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
212 *
213 * KeyPurposeId ::= OBJECT IDENTIFIER
214 *
215 * CSSM OID = CSSMOID_ExtendedKeyUsage
216 */
/*
 * ExtendedKeyUsage: purposes points to an array of numPurposes KeyPurposeId
 * OIDs; numPurposes is the only bound on that array.
 *
 * NOTE(review): unlike the neighbouring types this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER attribute; presumably an
 * omission rather than a deliberate exception - confirm before relying on it.
 */
typedef struct __CE_ExtendedKeyUsage {
	uint32			numPurposes;
	CSSM_OID_PTR	purposes;		// in Intel pre-encoded format
} CE_ExtendedKeyUsage;
221
222 /*
223 * id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
224 *
225 * BasicConstraints ::= SEQUENCE {
226 * cA BOOLEAN DEFAULT FALSE,
227 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
228 *
229 * CSSM OID = CSSMOID_BasicConstraints
230 */
/*
 * BasicConstraints. cA says whether the subject may act as a certificate
 * authority (ASN.1 DEFAULT FALSE, so an absent component should decode to
 * CSSM_FALSE - confirm against the decoder). pathLenConstraint is OPTIONAL:
 * read it only when pathLenConstraintPresent is CSSM_TRUE; when absent the
 * extension imposes no path-length limit. Chain builders must not treat a
 * stale or zero pathLenConstraint as meaningful when the flag is clear.
 */
typedef struct __CE_BasicConstraints {
	CSSM_BOOL			cA;
	CSSM_BOOL			pathLenConstraintPresent;
	uint32				pathLenConstraint;		// valid only if pathLenConstraintPresent
} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
236
237 /*
238 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
239 *
240 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
241 *
242 * PolicyInformation ::= SEQUENCE {
243 * policyIdentifier CertPolicyId,
244 * policyQualifiers SEQUENCE SIZE (1..MAX) OF
245 * PolicyQualifierInfo OPTIONAL }
246 *
247 * CertPolicyId ::= OBJECT IDENTIFIER
248 *
249 * PolicyQualifierInfo ::= SEQUENCE {
250 * policyQualifierId PolicyQualifierId,
251 * qualifier ANY DEFINED BY policyQualifierId }
252 *
253 * -- policyQualifierIds for Internet policy qualifiers
254 *
255 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
256 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
257 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
258 *
259 * PolicyQualifierId ::=
260 * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
261 *
262 * Qualifier ::= CHOICE {
263 * cPSuri CPSuri,
264 * userNotice UserNotice }
265 *
266 * CPSuri ::= IA5String
267 *
268 * UserNotice ::= SEQUENCE {
269 * noticeRef NoticeReference OPTIONAL,
270 * explicitText DisplayText OPTIONAL}
271 *
272 * NoticeReference ::= SEQUENCE {
273 * organization DisplayText,
274 * noticeNumbers SEQUENCE OF INTEGER }
275 *
276 * DisplayText ::= CHOICE {
277 * visibleString VisibleString (SIZE (1..200)),
278 * bmpString BMPString (SIZE (1..200)),
279 * utf8String UTF8String (SIZE (1..200)) }
280 *
281 * CSSM OID = CSSMOID_CertificatePolicies
282 *
283 * We only support down to the level of Qualifier, and then only the CPSuri
284 * choice. UserNotice is transmitted to and from this library as a raw
285 * CSSM_DATA containing the BER-encoded UserNotice sequence.
286 */
287
/*
 * One PolicyQualifierInfo. The interpretation of `qualifier` depends on
 * policyQualifierId: for CSSMOID_QT_CPS it is the IA5String (CPSuri)
 * contents; for CSSMOID_QT_UNOTICE it is the raw BER-encoded UserNotice
 * SEQUENCE contents, which this library does not decode (see the block
 * comment above). Check policyQualifierId before interpreting the bytes.
 */
typedef struct __CE_PolicyQualifierInfo {
	CSSM_OID	policyQualifierId;	// CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
	CSSM_DATA	qualifier;			// CSSMOID_QT_CPS: IA5String contents
									// CSSMOID_QT_UNOTICE : Sequence contents
} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
293
/*
 * One PolicyInformation: a CertPolicyId plus its optional qualifiers.
 * policyQualifiers points to an array of numPolicyQualifiers entries;
 * the ASN.1 makes the qualifier sequence OPTIONAL, so numPolicyQualifiers
 * may be 0 (policyQualifiers is then presumably NULL - confirm).
 */
typedef struct __CE_PolicyInformation {
	CSSM_OID				certPolicyId;
	uint32					numPolicyQualifiers;	// size of *policyQualifiers;
	CE_PolicyQualifierInfo	*policyQualifiers;
} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
299
/*
 * The top-level certificatePolicies extension: policies points to an array
 * of numPolicies CE_PolicyInformation entries; numPolicies is the only bound
 * on that array.
 */
typedef struct __CE_CertPolicies {
	uint32					numPolicies;	// size of *policies;
	CE_PolicyInformation	*policies;
} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
304
305 /*
306 * netscape-cert-type, a bit string.
307 *
308 * CSSM OID = CSSMOID_NetscapeCertType
309 *
310 * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
311 */
312 typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
313
314 /*
315 * CRLDistributionPoints.
316 *
317 * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
318 *
319 * cRLDistributionPoints ::= {
320 * CRLDistPointsSyntax }
321 *
322 * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
323 *
324 * NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
325 * is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
326 * because the underlying type also uses an implicit tag to distinguish
327 * between CHOICEs.
328 *
329 * DistributionPoint ::= SEQUENCE {
330 * distributionPoint [0] DistributionPointName OPTIONAL,
331 * reasons [1] ReasonFlags OPTIONAL,
332 * cRLIssuer [2] GeneralNames OPTIONAL }
333 *
334 * DistributionPointName ::= CHOICE {
335 * fullName [0] GeneralNames,
336 * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
337 *
338 * ReasonFlags ::= BIT STRING {
339 * unused (0),
340 * keyCompromise (1),
341 * cACompromise (2),
342 * affiliationChanged (3),
343 * superseded (4),
344 * cessationOfOperation (5),
345 * certificateHold (6) }
346 *
347 * CSSM OID = CSSMOID_CrlDistributionPoints
348 */
349
350 /*
351 * Note that this looks similar to CE_CrlReason, but that one holds a single
352 * enumerated value and this is an OR-able bit string.
353 */
/*
 * ReasonFlags as an 8-bit mask. As with CE_KeyUsage, BIT STRING bit n maps
 * to the n-th most significant bit (unused (0) -> 0x80 ... certificateHold
 * (6) -> 0x02); bit 7 (0x01) has no ASN.1 counterpart here. Multiple flags
 * may be ORed together.
 */
typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CD_Unspecified			0x80	// unused (0)
#define CE_CD_KeyCompromise			0x40	// keyCompromise (1)
#define CE_CD_CACompromise			0x20	// cACompromise (2)
#define CE_CD_AffiliationChanged	0x10	// affiliationChanged (3)
#define CE_CD_Superseded			0x08	// superseded (4)
#define CE_CD_CessationOfOperation	0x04	// cessationOfOperation (5)
#define CE_CD_CertificateHold		0x02	// certificateHold (6)
363
/*
 * Selects which member of CE_DistributionPointName.dpn is valid, mirroring
 * the two DistributionPointName CHOICE alternatives above.
 */
typedef enum __CE_CrlDistributionPointNameType {
	CE_CDNT_FullName,					// [0] GeneralNames  -> dpn.fullName
	CE_CDNT_NameRelativeToCrlIssuer		// [1] RelativeDistinguishedName -> dpn.rdn
} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
368
/*
 * DistributionPointName. dpn is a union discriminated by nameType: read
 * dpn.fullName only for CE_CDNT_FullName and dpn.rdn only for
 * CE_CDNT_NameRelativeToCrlIssuer. Reading the other member is a type
 * confusion - both are pointers, so it would not even fault reliably.
 */
typedef struct __CE_DistributionPointName {
	CE_CrlDistributionPointNameType		nameType;
	union {
		CE_GeneralNames			*fullName;		// CE_CDNT_FullName
		CSSM_X509_RDN_PTR		rdn;			// CE_CDNT_NameRelativeToCrlIssuer
	} dpn;
} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
376
377 /*
378 * The top-level CRLDistributionPoint.
379 * All fields are optional; NULL pointers indicate absence.
380 */
/*
 * One DistributionPoint. Every component is OPTIONAL: the two pointer
 * members use NULL for absence, while `reasons` (a by-value mask) is
 * only meaningful when reasonsPresent is CSSM_TRUE.
 */
typedef struct __CE_CRLDistributionPoint {
	CE_DistributionPointName	*distPointName;		// NULL if absent
	CSSM_BOOL					reasonsPresent;
	CE_CrlDistReasonFlags		reasons;			// valid only if reasonsPresent
	CE_GeneralNames				*crlIssuer;			// NULL if absent
} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
387
/*
 * The top-level cRLDistributionPoints extension: distPoints points to an
 * array of numDistPoints CE_CRLDistributionPoint entries; numDistPoints is
 * the only bound on that array.
 */
typedef struct __CE_CRLDistPointsSyntax {
	uint32						numDistPoints;
	CE_CRLDistributionPoint		*distPoints;
} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
392
393 /*
394 * Authority Information Access and Subject Information Access.
395 *
396 * CSSM OID = CSSMOID_AuthorityInfoAccess
397 * CSSM OID = CSSMOID_SubjectInfoAccess
398 *
399 * SubjAuthInfoAccessSyntax ::=
400 * SEQUENCE SIZE (1..MAX) OF AccessDescription
401 *
402 * AccessDescription ::= SEQUENCE {
403 * accessMethod OBJECT IDENTIFIER,
404 * accessLocation GeneralName }
405 */
/*
 * One AccessDescription: the accessMethod OID and the accessLocation
 * GeneralName, embedded by value. accessLocation.nameType must be
 * consulted before using accessLocation.name (see CE_GeneralName); an
 * accessLocation is untrusted data from the certificate, so a URI found
 * here should be validated before it is dereferenced.
 */
typedef struct __CE_AccessDescription {
	CSSM_OID		accessMethod;
	CE_GeneralName	accessLocation;
} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
410
/*
 * Authority Information Access / Subject Information Access (the same C
 * shape serves both OIDs): accessDescriptions points to an array of
 * numAccessDescriptions entries; numAccessDescriptions is the only bound
 * on that array.
 */
typedef struct __CE_AuthorityInfoAccess {
	uint32					numAccessDescriptions;
	CE_AccessDescription	*accessDescriptions;
} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
415
416 /*
417 * Qualified Certificate Statement support, per RFC 3739.
418 *
419 * First, NameRegistrationAuthorities, a component of
420 * SemanticsInformation; it's the same as a GeneralNames -
421 * a sequence of GeneralName.
422 */
423 typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
424
425 /*
426 * SemanticsInformation, identified as the qcType field
427 * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
428 * Both fields optional; at least one must be present.
429 */
/*
 * SemanticsInformation. Both members are optional and are NULL when absent;
 * the comment above says at least one must be present, but nothing in this
 * struct enforces that, so consumers should check both pointers.
 */
typedef struct __CE_SemanticsInformation {
	CSSM_OID						*semanticsIdentifier;			// NULL if absent
	CE_NameRegistrationAuthorities	*nameRegistrationAuthorities;	// NULL if absent
} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
434
435 /*
436 * One Qualified Certificate Statement.
437 * The statementId OID is required; zero or one of {semanticsInfo,
438 * otherInfo} can be valid, depending on the value of statementId.
439 * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
440 * the semanticsInfo field may be present; otherwise, DER-encoded
441 * information may be present in otherInfo. Both semanticsInfo and
442 * otherInfo are optional.
443 */
/*
 * One Qualified Certificate Statement. statementId is required. Which of the
 * two optional pointers may be non-NULL is decided by statementId:
 * semanticsInfo applies to id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2);
 * for any other statementId the statement's DER-encoded payload, if any, is
 * left undecoded in otherInfo. Check statementId, then the corresponding
 * pointer for NULL, before use.
 */
typedef struct __CE_QC_Statement {
	CSSM_OID					statementId;
	CE_SemanticsInformation		*semanticsInfo;		// NULL unless present for this statementId
	CSSM_DATA					*otherInfo;			// NULL if absent; DER, not decoded here
} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
449
450 /*
451 * The top-level Qualified Certificate Statements extension.
452 */
/*
 * The top-level Qualified Certificate Statements extension: qcStatements
 * points to an array of numQCStatements entries; numQCStatements is the
 * only bound on that array.
 */
typedef struct __CE_QC_Statements {
	uint32				numQCStatements;
	CE_QC_Statement		*qcStatements;
} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
457
458 /*** CRL extensions ***/
459
460 /*
461 * cRLNumber, an integer.
462 *
463 * CSSM OID = CSSMOID_CrlNumber
464 */
465 typedef uint32 CE_CrlNumber;
466
467 /*
468 * deltaCRLIndicator, an integer.
469 *
470 * CSSM OID = CSSMOID_DeltaCrlIndicator
471 */
472 typedef uint32 CE_DeltaCrl;
473
474 /*
475 * IssuingDistributionPoint
476 *
477 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
478 *
479 * issuingDistributionPoint ::= SEQUENCE {
480 * distributionPoint [0] DistributionPointName OPTIONAL,
481 * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
482 * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
483 * onlySomeReasons [3] ReasonFlags OPTIONAL,
484 * indirectCRL [4] BOOLEAN DEFAULT FALSE }
485 *
486 * CSSM OID = CSSMOID_IssuingDistributionPoint
487 */
/*
 * issuingDistributionPoint. distPointName is NULL when absent. The four
 * remaining ASN.1 components are either OPTIONAL or DEFAULT FALSE, and each
 * is carried as a (xxxPresent, xxx) pair: the value member is only
 * meaningful when its Present flag is CSSM_TRUE. For the DEFAULT FALSE
 * BOOLEANs, "not present" means the ASN.1 default (FALSE) applies.
 */
typedef struct __CE_IssuingDistributionPoint {
	CE_DistributionPointName	*distPointName;			// optional
	CSSM_BOOL					onlyUserCertsPresent;
	CSSM_BOOL					onlyUserCerts;			// onlyContainsUserCerts, DEFAULT FALSE
	CSSM_BOOL					onlyCACertsPresent;
	CSSM_BOOL					onlyCACerts;			// onlyContainsCACerts, DEFAULT FALSE
	CSSM_BOOL					onlySomeReasonsPresent;
	CE_CrlDistReasonFlags		onlySomeReasons;		// OPTIONAL ReasonFlags
	CSSM_BOOL					indirectCrlPresent;
	CSSM_BOOL					indirectCrl;			// indirectCRL, DEFAULT FALSE
} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
499
500 /*
501 * NameConstraints
502 *
503 * id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
504 *
505 * NameConstraints ::= SEQUENCE {
506 * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
507 * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
508 *
509 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
510 *
511 * GeneralSubtree ::= SEQUENCE {
512 * base GeneralName,
513 * minimum [0] BaseDistance DEFAULT 0,
514 * maximum [1] BaseDistance OPTIONAL }
515 *
516 * BaseDistance ::= INTEGER (0..MAX)
517 */
/*
 * One GeneralSubtree of a NameConstraints extension. minimum defaults to 0;
 * maximum is OPTIONAL and valid only when maximumPresent is CSSM_TRUE.
 *
 * NOTE(review): the ASN.1 above declares `base` as a single GeneralName,
 * but this struct holds a CE_GeneralNames * (a sequence). Presumably the
 * decoder fills it with numNames == 1 - confirm, and do not assume the
 * pointer is non-NULL without checking.
 */
typedef struct __CE_GeneralSubtree {
	CE_GeneralNames		*base;
	uint32				minimum;			// default=0
	CSSM_BOOL			maximumPresent;
	uint32				maximum;			// optional; valid only if maximumPresent
} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
524
/*
 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree.
 * subtrees points to an array of numSubtrees entries; numSubtrees is the
 * only bound on that array.
 */
typedef struct __CE_GeneralSubtrees {
	uint32				numSubtrees;
	CE_GeneralSubtree	*subtrees;
} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
529
/*
 * NameConstraints. Both subtree lists are OPTIONAL and NULL when absent.
 * A NULL `permitted` means no permitted-subtree restriction, not "nothing
 * permitted"; a NULL `excluded` means nothing is excluded. Path validators
 * that enforce this extension must handle both pointers being NULL.
 */
typedef struct __CE_NameConstraints {
	CE_GeneralSubtrees		*permitted;		// optional
	CE_GeneralSubtrees		*excluded;		// optional
} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
534
535 /*
536 * PolicyMappings
537 *
538 * id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
539 *
540 * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
541 * issuerDomainPolicy CertPolicyId,
542 * subjectDomainPolicy CertPolicyId }
543 *
544 * Note that both issuer and subject policy OIDs are required,
545 * and are stored by value in this structure.
546 */
/*
 * One PolicyMappings entry. Both OIDs are required by the ASN.1 and are
 * stored by value (no Present flag, no NULL case).
 */
typedef struct __CE_PolicyMapping {
	CSSM_OID		issuerDomainPolicy;
	CSSM_OID		subjectDomainPolicy;
} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
551
/*
 * The top-level policyMappings extension: policyMappings points to an array
 * of numPolicyMappings CE_PolicyMapping entries; numPolicyMappings is the
 * only bound on that array.
 */
typedef struct __CE_PolicyMappings {
	uint32				numPolicyMappings;
	CE_PolicyMapping	*policyMappings;
} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
556
557 /*
558 * PolicyConstraints
559 *
560 * id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
561 *
562 * PolicyConstraints ::= SEQUENCE {
563 * requireExplicitPolicy [0] SkipCerts OPTIONAL,
564 * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
565 *
566 * SkipCerts ::= INTEGER (0..MAX)
567 */
/*
 * PolicyConstraints. Both SkipCerts values are OPTIONAL and are carried as
 * (xxxPresent, xxx) pairs; read a value only when its Present flag is
 * CSSM_TRUE. A present value of 0 is meaningful (the constraint applies
 * immediately), so the flag - not the value - decides presence.
 */
typedef struct __CE_PolicyConstraints {
	CSSM_BOOL		requireExplicitPolicyPresent;
	uint32			requireExplicitPolicy;		// optional; valid only if requireExplicitPolicyPresent
	CSSM_BOOL		inhibitPolicyMappingPresent;
	uint32			inhibitPolicyMapping;		// optional; valid only if inhibitPolicyMappingPresent
} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
574
575 /*
576 * InhibitAnyPolicy, an integer.
577 *
578 * CSSM OID = CSSMOID_InhibitAnyPolicy
579 */
580 typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
581
582 /*
583 * An enumerated list identifying one of the above per-extension
584 * structs.
585 */
/*
 * Tag stored in CE_DataAndType.type that says which CE_Data member holds
 * the decoded extension; the trailing comment on each enumerator names that
 * member's type. No values are pinned explicitly. The entries from
 * DT_QC_Statements onward were appended after DT_Other rather than placed
 * in ASN.1 order, presumably so existing numeric values stayed stable when
 * they were added - do not reorder this enum.
 */
typedef enum __CE_DataType {
	DT_AuthorityKeyID,			// CE_AuthorityKeyID
	DT_SubjectKeyID,			// CE_SubjectKeyID
	DT_KeyUsage,				// CE_KeyUsage
	DT_SubjectAltName,			// CE_GeneralNames (CE_Data.subjectAltName)
	DT_IssuerAltName,			// CE_GeneralNames (CE_Data.issuerAltName)
	DT_ExtendedKeyUsage,		// CE_ExtendedKeyUsage
	DT_BasicConstraints,		// CE_BasicConstraints
	DT_CertPolicies,			// CE_CertPolicies
	DT_NetscapeCertType,		// CE_NetscapeCertType
	DT_CrlNumber,				// CE_CrlNumber
	DT_DeltaCrl,				// CE_DeltaCrl
	DT_CrlReason,				// CE_CrlReason
	DT_CrlDistributionPoints,	// CE_CRLDistPointsSyntax
	DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
	DT_AuthorityInfoAccess,		// CE_AuthorityInfoAccess
	DT_Other,					// unknown, raw data as a CSSM_DATA (CE_Data.rawData)
	DT_QC_Statements,			// CE_QC_Statements
	DT_NameConstraints,			// CE_NameConstraints
	DT_PolicyMappings,			// CE_PolicyMappings
	DT_PolicyConstraints,		// CE_PolicyConstraints
	DT_InhibitAnyPolicy			// CE_InhibitAnyPolicy
} CE_DataType;
609
610 /*
611 * One unified representation of all the cert and CRL extensions we know about.
612 */
/*
 * One unified representation of all the cert and CRL extensions we know
 * about. This is a plain (untagged) union; the tag lives in the enclosing
 * CE_DataAndType.type. Read only the member that corresponds to that tag -
 * reading any other member reinterprets the bytes of a different struct and
 * is a type-confusion bug, not merely a wrong answer. Extensions this
 * library does not decode arrive as rawData with type == DT_Other.
 */
typedef union {
	CE_AuthorityKeyID			authorityKeyID;			// DT_AuthorityKeyID
	CE_SubjectKeyID				subjectKeyID;			// DT_SubjectKeyID
	CE_KeyUsage					keyUsage;				// DT_KeyUsage
	CE_GeneralNames				subjectAltName;			// DT_SubjectAltName
	CE_GeneralNames				issuerAltName;			// DT_IssuerAltName
	CE_ExtendedKeyUsage			extendedKeyUsage;		// DT_ExtendedKeyUsage
	CE_BasicConstraints			basicConstraints;		// DT_BasicConstraints
	CE_CertPolicies				certPolicies;			// DT_CertPolicies
	CE_NetscapeCertType			netscapeCertType;		// DT_NetscapeCertType
	CE_CrlNumber				crlNumber;				// DT_CrlNumber
	CE_DeltaCrl					deltaCrl;				// DT_DeltaCrl
	CE_CrlReason				crlReason;				// DT_CrlReason
	CE_CRLDistPointsSyntax		crlDistPoints;			// DT_CrlDistributionPoints
	CE_IssuingDistributionPoint	issuingDistPoint;		// DT_IssuingDistributionPoint
	CE_AuthorityInfoAccess		authorityInfoAccess;	// DT_AuthorityInfoAccess
	CE_QC_Statements			qualifiedCertStatements;// DT_QC_Statements
	CE_NameConstraints			nameConstraints;		// DT_NameConstraints
	CE_PolicyMappings			policyMappings;			// DT_PolicyMappings
	CE_PolicyConstraints		policyConstraints;		// DT_PolicyConstraints
	CE_InhibitAnyPolicy			inhibitAnyPolicy;		// DT_InhibitAnyPolicy
	CSSM_DATA					rawData;				// DT_Other: unknown, not decoded
} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
636
/*
 * One decoded extension: `type` selects the valid member of `extension`
 * (see CE_Data), and `critical` presumably carries the extension's X.509
 * critical BOOLEAN - confirm against the decoder. Under X.509 a verifier
 * that cannot interpret a critical extension must reject the certificate;
 * in these terms that is type == DT_Other with critical == CSSM_TRUE. This
 * header only transports the flag - enforcing that rule is the consumer's
 * job.
 */
typedef struct __CE_DataAndType {
	CE_DataType			type;
	CE_Data				extension;		// member selected by `type`
	CSSM_BOOL			critical;
} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
642
// Restores -Wdeprecated-declarations, balancing the push at the top of the file.
#pragma clang diagnostic pop

#endif /* _CERT_EXTENSIONS_H_ */