]> git.saurik.com Git - apple/security.git/blob - trust/headers/SecPolicy.h
Security-59754.41.1.tar.gz
[apple/security.git] / trust / headers / SecPolicy.h
1 /*
2 * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecPolicy
26 The functions provided in SecPolicy.h provide an interface to various
27 X.509 certificate trust policies.
28 */
29
30 #ifndef _SECURITY_SECPOLICY_H_
31 #define _SECURITY_SECPOLICY_H_
32
33 #include <CoreFoundation/CFBase.h>
34 #include <CoreFoundation/CFDictionary.h>
35 #include <Security/SecBase.h>
36
37 __BEGIN_DECLS
38
39 CF_ASSUME_NONNULL_BEGIN
40 CF_IMPLICIT_BRIDGING_ENABLED
41
42 /*!
43 @enum Policy Constants
44 @discussion Predefined constants used to specify a policy.
45 @constant kSecPolicyAppleX509Basic
46 @constant kSecPolicyAppleSSL
47 @constant kSecPolicyAppleSMIME
48 @constant kSecPolicyAppleEAP
49 @constant kSecPolicyAppleiChat
50 @constant kSecPolicyAppleIPsec
51 @constant kSecPolicyApplePKINITClient
52 @constant kSecPolicyApplePKINITServer
53 @constant kSecPolicyAppleCodeSigning
54 @constant kSecPolicyMacAppStoreReceipt
55 @constant kSecPolicyAppleIDValidation
56 @constant kSecPolicyAppleTimeStamping
57 @constant kSecPolicyAppleRevocation
58 @constant kSecPolicyApplePassbookSigning
59 @constant kSecPolicyApplePayIssuerEncryption
60 */
61 extern const CFStringRef kSecPolicyAppleX509Basic
62 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
63 extern const CFStringRef kSecPolicyAppleSSL
64 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
65 extern const CFStringRef kSecPolicyAppleSMIME
66 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
67 extern const CFStringRef kSecPolicyAppleEAP
68 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
69 extern const CFStringRef kSecPolicyAppleIPsec
70 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
71 #if TARGET_OS_OSX
72 extern const CFStringRef kSecPolicyAppleiChat
73 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
74 #endif
75 extern const CFStringRef kSecPolicyApplePKINITClient
76 API_AVAILABLE(macos(10.7)) API_UNAVAILABLE(ios, watchos, tvos, bridgeos, macCatalyst);
77 extern const CFStringRef kSecPolicyApplePKINITServer
78 API_AVAILABLE(macos(10.7)) API_UNAVAILABLE(ios, watchos, tvos, bridgeos, macCatalyst);
79 extern const CFStringRef kSecPolicyAppleCodeSigning
80 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
81 extern const CFStringRef kSecPolicyMacAppStoreReceipt
82 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_9_0);
83 extern const CFStringRef kSecPolicyAppleIDValidation
84 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
85 extern const CFStringRef kSecPolicyAppleTimeStamping
86 __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_7_0);
87 extern const CFStringRef kSecPolicyAppleRevocation
88 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
89 extern const CFStringRef kSecPolicyApplePassbookSigning
90 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
91 extern const CFStringRef kSecPolicyApplePayIssuerEncryption
92 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
93
94 /*!
95 @enum Policy Value Constants
96 @abstract Predefined property key constants used to get or set values in
97 a dictionary for a policy instance.
98 @discussion
99 All policies will have the following read-only value:
100 kSecPolicyOid (the policy object identifier)
101
102 Additional policy values which your code can optionally set:
103 kSecPolicyName (name which must be matched)
104 kSecPolicyClient (evaluate for client, rather than server)
105 kSecPolicyRevocationFlags (only valid for a revocation policy)
106 kSecPolicyTeamIdentifier (only valid for a Passbook signing policy)
107
108 @constant kSecPolicyOid Specifies the policy OID (value is a CFStringRef)
109 @constant kSecPolicyName Specifies a CFStringRef (or CFArrayRef of same)
110 containing a name which must be matched in the certificate to satisfy
111 this policy. For SSL/TLS, EAP, and IPSec policies, this specifies the
112 server name which must match the common name of the certificate.
113 For S/MIME, this specifies the RFC822 email address. For Passbook
114 signing, this specifies the pass signer.
115 @constant kSecPolicyClient Specifies a CFBooleanRef value that indicates
116 this evaluation should be for a client certificate. If not set (or
117 false), the policy evaluates the certificate as a server certificate.
118 @constant kSecPolicyRevocationFlags Specifies a CFNumberRef that holds a
119 kCFNumberCFIndexType bitmask value. See "Revocation Policy Constants"
120 for a description of individual bits in this value.
121 @constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a
122 team identifier which must be matched in the certificate to satisfy
123 this policy. For the Passbook signing policy, this string must match
124 the Organizational Unit field of the certificate subject.
125 */
126 extern const CFStringRef kSecPolicyOid
127 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
128 extern const CFStringRef kSecPolicyName
129 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
130 extern const CFStringRef kSecPolicyClient
131 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
132 extern const CFStringRef kSecPolicyRevocationFlags
133 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
134 extern const CFStringRef kSecPolicyTeamIdentifier
135 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
136
137
138 /*!
139 @function SecPolicyGetTypeID
140 @abstract Returns the type identifier of SecPolicy instances.
141 @result The CFTypeID of SecPolicy instances.
142 */
143 CFTypeID SecPolicyGetTypeID(void)
144 __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);
145
146 /*!
147 @function SecPolicyCopyProperties
148 @abstract Returns a dictionary of this policy's properties.
149 @param policyRef A policy reference.
150 @result A properties dictionary. See "Policy Value Constants" for a list
151 of currently defined property keys. It is the caller's responsibility to
152 CFRelease this reference when it is no longer needed.
153 @result A result code. See "Security Error Codes" (SecBase.h).
154 @discussion This function returns the properties for a policy, as set by the
155 policy's construction function or by a prior call to SecPolicySetProperties.
156 */
157 __nullable
158 CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef)
159 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0);
160
161 /*!
162 @function SecPolicyCreateBasicX509
163 @abstract Returns a policy object for the default X.509 policy.
164 @result A policy object. The caller is responsible for calling CFRelease
165 on this when it is no longer needed.
166 */
167 SecPolicyRef SecPolicyCreateBasicX509(void)
168 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
169
170 /*!
171 @function SecPolicyCreateSSL
172 @abstract Returns a policy object for evaluating SSL certificate chains.
173 @param server Passing true for this parameter creates a policy for SSL
174 server certificates.
175 @param hostname (Optional) If present, the policy will require the specified
176 hostname to match the hostname in the leaf certificate.
177 @result A policy object. The caller is responsible for calling CFRelease
178 on this when it is no longer needed.
179 */
180 SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef __nullable hostname)
181 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
182
183 /*!
184 @enum Revocation Policy Constants
185 @abstract Predefined constants which allow you to specify how revocation
186 checking will be performed for a trust evaluation.
187 @constant kSecRevocationOCSPMethod If this flag is set, perform revocation
188 checking using OCSP (Online Certificate Status Protocol).
189 @constant kSecRevocationCRLMethod If this flag is set, perform revocation
190 checking using the CRL (Certificate Revocation List) method.
191 @constant kSecRevocationPreferCRL If this flag is set, then CRL revocation
192 checking will be preferred over OCSP (by default, OCSP is preferred.)
193 Note that this flag only matters if both revocation methods are specified.
194 @constant kSecRevocationRequirePositiveResponse If this flag is set, then
195 the policy will fail unless a verified positive response is obtained. If
196 the flag is not set, revocation checking is done on a "best attempt" basis,
197 where failure to reach the server is not considered fatal.
198 @constant kSecRevocationNetworkAccessDisabled If this flag is set, then
199 no network access is performed; only locally cached replies are consulted.
200 This constant disallows network access for both revocation checks and
201 intermediate CA issuer fetching.
202 @constant kSecRevocationUseAnyAvailableMethod Specifies that either
203 OCSP or CRL may be used, depending on the method(s) specified in the
204 certificate and the value of kSecRevocationPreferCRL.
205 */
206 CF_ENUM(CFOptionFlags) {
207 kSecRevocationOCSPMethod = (1 << 0),
208 kSecRevocationCRLMethod = (1 << 1),
209 kSecRevocationPreferCRL = (1 << 2),
210 kSecRevocationRequirePositiveResponse = (1 << 3),
211 kSecRevocationNetworkAccessDisabled = (1 << 4),
212 kSecRevocationUseAnyAvailableMethod = (kSecRevocationOCSPMethod |
213 kSecRevocationCRLMethod)
214 };
215
216 /*!
217 @function SecPolicyCreateRevocation
218 @abstract Returns a policy object for checking revocation of certificates.
219 @result A policy object. The caller is responsible for calling CFRelease
220 on this when it is no longer needed.
221 @param revocationFlags Flags to specify revocation checking options.
222 @discussion Use this function to create a revocation policy with behavior
223 specified by revocationFlags. See the "Revocation Policy Constants" section
224 for a description of these flags. Note: it is usually not necessary to
225 create a revocation policy yourself unless you wish to override default
226 system behavior (e.g. to force a particular method, or to disable
227 revocation checking entirely.)
228 */
229 __nullable
230 SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags)
231 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
232
233 /*!
234 @function SecPolicyCreateWithProperties
235 @abstract Returns a policy object based on an object identifier for the
236 policy type. See the "Policy Constants" section for a list of defined
237 policy object identifiers.
238 @param policyIdentifier The identifier for the desired policy type.
239 @param properties (Optional) A properties dictionary. See "Policy Value
240 Constants" for a list of currently defined property keys.
241 @result The returned policy reference, or NULL if the policy could not be
242 created.
243 */
244 __nullable
245 SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
246 CFDictionaryRef __nullable properties)
247 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
248
249 CF_IMPLICIT_BRIDGING_DISABLED
250 CF_ASSUME_NONNULL_END
251
252 /*
253 * Legacy functions (OS X only)
254 */
255 #if TARGET_OS_OSX
256 #include <Security/cssmtype.h>
257
258 CF_ASSUME_NONNULL_BEGIN
259 CF_IMPLICIT_BRIDGING_ENABLED
260
261 /*!
262 @enum Policy Value Constants (OS X)
263 @discussion Predefined property key constants used to get or set values in
264 a dictionary for a policy instance.
265
266 Some policy values may specify CFBooleanRef key usage constraints:
267 kSecPolicyKU_DigitalSignature
268 kSecPolicyKU_NonRepudiation
269 kSecPolicyKU_KeyEncipherment
270 kSecPolicyKU_DataEncipherment
271 kSecPolicyKU_KeyAgreement
272 kSecPolicyKU_KeyCertSign
273 kSecPolicyKU_CRLSign
274 kSecPolicyKU_EncipherOnly
275 kSecPolicyKU_DecipherOnly
276
277 kSecPolicyKU policy values define certificate-level key purposes,
278 in contrast to the key-level definitions in SecItem.h
279
280 For example, a key in a certificate might be acceptable to use for
281 signing a CRL, but not for signing another certificate. In either
282 case, this key would have the ability to sign (i.e. kSecAttrCanSign
283 is true), but may only sign for specific purposes allowed by these
284 policy constants. Similarly, a public key might have the capability
285 to perform encryption or decryption, but the certificate in which it
286 resides might have a decipher-only certificate policy.
287
288 These constants correspond to values defined in RFC 5280, section
289 4.2.1.3 (Key Usage) which define the purpose of a key contained in a
290 certificate, in contrast to section 4.1.2.7 which define the uses that
291 a key is capable of.
292
293 Note: these constants are not available on iOS. Your code should
294 avoid direct reliance on these values for making policy decisions
295 and use higher level policies where possible.
296
297 @constant kSecPolicyKU_DigitalSignature Specifies that the certificate must
298 have a key usage that allows it to be used for signing.
299 @constant kSecPolicyKU_NonRepudiation Specifies that the certificate must
300 have a key usage that allows it to be used for non-repudiation.
301 @constant kSecPolicyKU_KeyEncipherment Specifies that the certificate must
302 have a key usage that allows it to be used for key encipherment.
303 @constant kSecPolicyKU_DataEncipherment Specifies that the certificate must
304 have a key usage that allows it to be used for data encipherment.
305 @constant kSecPolicyKU_KeyAgreement Specifies that the certificate must
306 have a key usage that allows it to be used for key agreement.
307 @constant kSecPolicyKU_KeyCertSign Specifies that the certificate must
308 have a key usage that allows it to be used for signing certificates.
309 @constant kSecPolicyKU_CRLSign Specifies that the certificate must
310 have a key usage that allows it to be used for signing CRLs.
311 @constant kSecPolicyKU_EncipherOnly Specifies that the certificate must
312 have a key usage that permits it to be used for encryption only.
313 @constant kSecPolicyKU_DecipherOnly Specifies that the certificate must
314 have a key usage that permits it to be used for decryption only.
315 */
316 extern const CFStringRef kSecPolicyKU_DigitalSignature
317 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
318 extern const CFStringRef kSecPolicyKU_NonRepudiation
319 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
320 extern const CFStringRef kSecPolicyKU_KeyEncipherment
321 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
322 extern const CFStringRef kSecPolicyKU_DataEncipherment
323 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
324 extern const CFStringRef kSecPolicyKU_KeyAgreement
325 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
326 extern const CFStringRef kSecPolicyKU_KeyCertSign
327 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
328 extern const CFStringRef kSecPolicyKU_CRLSign
329 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
330 extern const CFStringRef kSecPolicyKU_EncipherOnly
331 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
332 extern const CFStringRef kSecPolicyKU_DecipherOnly
333 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
334
335 /*!
336 @function SecPolicyCreateWithOID
337 @abstract Returns a policy object based on an object identifier for the
338 policy type. See the "Policy Constants" section for a list of defined
339 policy object identifiers.
340 @param policyOID The OID of the desired policy.
341 @result The returned policy reference, or NULL if the policy could not be
342 created.
343 @discussion This function is deprecated in Mac OS X 10.9 and later;
344 use SecPolicyCreateWithProperties (or a more specific policy creation
345 function) instead.
346 */
347 __nullable
348 SecPolicyRef SecPolicyCreateWithOID(CFTypeRef policyOID)
349 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
350
351 /*!
352 @function SecPolicyGetOID
353 @abstract Returns a policy's object identifier.
354 @param policyRef A policy reference.
355 @param oid On return, a pointer to the policy's object identifier.
356 @result A result code. See "Security Error Codes" (SecBase.h).
357 @discussion This function is deprecated in Mac OS X 10.7 and later;
358 use SecPolicyCopyProperties instead.
359 */
360 OSStatus SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID *oid)
361 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
362
363 /*!
364 @function SecPolicyGetValue
365 @abstract Returns a policy's value.
366 @param policyRef A policy reference.
367 @param value On return, a pointer to the policy's value.
368 @result A result code. See "Security Error Codes" (SecBase.h).
369 @discussion This function is deprecated in Mac OS X 10.7 and later;
370 use SecPolicyCopyProperties instead.
371 */
372 OSStatus SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA *value)
373 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
374
375 /*!
376 @function SecPolicySetValue
377 @abstract Sets a policy's value.
378 @param policyRef A policy reference.
379 @param value The value to be set into the policy object, replacing any
380 previous value.
381 @result A result code. See "Security Error Codes" (SecBase.h).
382 @discussion This function is deprecated in Mac OS X 10.7 and later. Policy
383 instances should be considered read-only; in cases where your code would
384 consider changing properties of a policy, it should instead create a new
385 policy instance with the desired properties.
386 */
387 OSStatus SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value)
388 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
389
390 /*!
391 @function SecPolicySetProperties
392 @abstract Sets a policy's properties.
393 @param policyRef A policy reference.
394 @param properties A properties dictionary. See "Policy Value Constants"
395 for a list of currently defined property keys. This dictionary replaces the
396 policy's existing properties, if any. Note that the policy OID (specified
397 by kSecPolicyOid) is a read-only property of the policy and cannot be set.
398 @result A result code. See "Security Error Codes" (SecBase.h).
399 @discussion This function is deprecated in Mac OS X 10.9 and later. Policy
400 instances should be considered read-only; in cases where your code would
401 consider changing properties of a policy, it should instead create a new
402 policy instance with the desired properties.
403 */
404 OSStatus SecPolicySetProperties(SecPolicyRef policyRef,
405 CFDictionaryRef properties)
406 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA);
407
408 /*!
409 @function SecPolicyGetTPHandle
410 @abstract Returns the CSSM trust policy handle for the given policy.
411 @param policyRef A policy reference.
412 @param tpHandle On return, a pointer to a value of type CSSM_TP_HANDLE.
413 @result A result code. See "Security Error Codes" (SecBase.h).
414 @discussion This function is deprecated in Mac OS X 10.7 and later.
415 */
416 OSStatus SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE *tpHandle)
417 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
418
419 CF_IMPLICIT_BRIDGING_DISABLED
420 CF_ASSUME_NONNULL_END
421
422 #endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */
423
424 __END_DECLS
425
426 #endif /* !_SECURITY_SECPOLICY_H_ */