1 /*
2 * Copyright (c) 2007-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecPolicyPriv
26 The functions provided in SecPolicyPriv provide an interface to various
27 X.509 certificate trust policies.
28 */
29
30 #ifndef _SECURITY_SECPOLICYPRIV_H_
31 #define _SECURITY_SECPOLICYPRIV_H_
32
33 #include <Security/SecPolicy.h>
34 #include <Security/SecCertificate.h>
35 #include <CoreFoundation/CFArray.h>
36 #include <CoreFoundation/CFString.h>
37
38 __BEGIN_DECLS
39
40 /*!
41 @enum Policy Constants (Private)
42 @discussion Predefined constants used to specify a policy.
43 @constant kSecPolicyApplePassbookSigning
44 @constant kSecPolicyAppleMobileStore
45 @constant kSecPolicyAppleTestMobileStore
46 @constant kSecPolicyAppleEscrowService
47 @constant kSecPolicyAppleProfileSigner
48 @constant kSecPolicyAppleQAProfileSigner
49 @constant kSecPolicyAppleServerAuthentication
50 @constant kSecPolicyAppleOTAPKISigner
51 @constant kSecPolicyAppleTestOTAPKISigner
52 @constant kSecPolicyAppleIDValidationRecordSigningPolicy
53 @constant kSecPolicyAppleSMPEncryption
54 @constant kSecPolicyAppleTestSMPEncryption
55 @constant kSecPolicyApplePCSEscrowService
56
57 */
58 extern CFTypeRef kSecPolicyApplePassbookSigning
59 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
60 extern CFTypeRef kSecPolicyAppleMobileStore
61 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
62 extern CFTypeRef kSecPolicyAppleTestMobileStore
63 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
64 extern CFTypeRef kSecPolicyAppleEscrowService
65 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
66 extern CFTypeRef kSecPolicyAppleProfileSigner
67 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
68 extern CFTypeRef kSecPolicyAppleQAProfileSigner
69 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
70 extern CFTypeRef kSecPolicyAppleServerAuthentication
71 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
72 #if TARGET_OS_IPHONE
73 extern CFTypeRef kSecPolicyAppleOTAPKISigner
74 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
75 extern CFTypeRef kSecPolicyAppleTestOTAPKISigner
76 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
77 extern CFTypeRef kSecPolicyAppleIDValidationRecordSigningPolicy
78 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
79 extern CFTypeRef kSecPolicyAppleSMPEncryption
80 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
81 extern CFTypeRef kSecPolicyAppleTestSMPEncryption
82 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
83 #endif
84 extern CFTypeRef kSecPolicyApplePCSEscrowService
85 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_7_0);
86
87
88 /*!
89 @enum Policy Value Constants
90 @abstract Predefined property key constants used to get or set values in
91 a dictionary for a policy instance.
92 @constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a
93 team identifier which must be matched in the certificate to satisfy
94 this policy. For the Passbook signing policy, this string must match
95 the Organizational Unit field of the certificate subject.
96 */
97 extern CFTypeRef kSecPolicyTeamIdentifier
98 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
99
100 /*!
101 @function SecPolicyCreateiPhoneActivation
102 @abstract Returns a policy object for verifying iPhone Activation
103 certificate chains.
104 @discussion This policy is like the Basic X.509 policy with the additional
105 requirements that the chain must contain exactly three certificates, the
106 anchor is the Apple Inc. CA, and the subject of the first intermediate
107 certificate has "Apple iPhone Certification Authority" as its only
108 Common Name entry.
109 @result A policy object. The caller is responsible for calling CFRelease
110 on this when it is no longer needed.
111 */
112 SecPolicyRef SecPolicyCreateiPhoneActivation(void);
113
114 /*!
115 @function SecPolicyCreateiPhoneDeviceCertificate
116 @abstract Returns a policy object for verifying iPhone Device certificate
117 chains.
118 @discussion This policy is like the Basic X.509 policy with the additional
119 requirements that the chain must contain exactly four certificates, the
120 anchor is the Apple Inc. CA, and the subject of the first intermediate
121 certificate has "Apple iPhone Device CA" as its only Common Name entry.
122 @result A policy object. The caller is responsible for calling CFRelease
123 on this when it is no longer needed.
124 */
125 SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
126
127 /*!
128 @function SecPolicyCreateFactoryDeviceCertificate
129 @abstract Returns a policy object for verifying Factory Device certificate
130 chains.
131 @discussion This policy is like the Basic X.509 policy with the additional
132 requirements that the chain must be anchored to the factory device certificate
133 issuer.
134 @result A policy object. The caller is responsible for calling CFRelease
135 on this when it is no longer needed.
136 */
137 SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
138
139 /*!
140 @function SecPolicyCreateiAP
141 @abstract Returns a policy object for verifying iAP certificate chains.
142 @discussion This policy is like the Basic X.509 policy with these
143 additional requirements:
144 * The leaf's NotValidBefore should be greater than 5/31/06 midnight GMT.
145 * The Common Name of the leaf begins with the characters "IPA_".
146 * No validity checking is performed for any of the certificates.
147 The intended use of this policy is that the caller pass in the
148 intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
149 @result A policy object. The caller is responsible for calling CFRelease
150 on this when it is no longer needed.
151 */
152 SecPolicyRef SecPolicyCreateiAP(void);
153
154 /*!
155 @function SecPolicyCreateiTunesStoreURLBag
156 @abstract Returns a policy object for verifying iTunes Store URL bag
157 certificates.
158 @discussion This policy is like the Basic X.509 policy with these
159 additional requirements:
160 * The leaf's Organization is Apple Inc.
161 * The Common Name of the leaf is "iTunes Store URL Bag".
162 @result A policy object. The caller is responsible for calling CFRelease
163 on this when it is no longer needed.
164 */
165 SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
166
167 /*!
168 @function SecPolicyCreateEAP
169 @abstract Returns a policy object for verifying 802.1x/EAP certificates.
170 @param server Passing true for this parameter creates a policy for EAP
171 server certificates.
172 @param trustedServerNames Optional; if present, the hostname in the leaf
173 certificate must be in the trustedServerNames list. Note that, contrary
174 to all other policies, the trustedServerNames list entries can have wildcards
175 whilst the certificate cannot. This matches the existing deployments. When the list is absent, no server-name restriction is described here.
176 @result A policy object. The caller is responsible for calling CFRelease
177 on this when it is no longer needed.
178 */
179 SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef trustedServerNames);
180
181 /*!
182 @function SecPolicyCreateIPSec
183 @abstract Returns a policy object for evaluating IPSec certificate chains.
184 @param server Passing true for this parameter creates a policy for IPSec
185 server certificates.
186 @param hostname Optional; if present, the policy will require the specified
187 hostname or ip address to match the hostname in the leaf certificate.
188 @result A policy object. The caller is responsible for calling CFRelease
189 on this when it is no longer needed.
190 */
191 SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef hostname);
192
193 /*!
194 @function SecPolicyCreateiPhoneApplicationSigning
195 @abstract Returns a policy object for evaluating signed application
196 signatures. This is for apps signed directly by the app store.
197 @result A policy object. The caller is responsible for calling CFRelease
198 on this when it is no longer needed.
199 */
200 SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
201
202 /*!
203 @function SecPolicyCreateiPhoneProfileApplicationSigning
204 @abstract Returns a policy object for evaluating signed application
205 signatures. This is meant for certificates inside a UPP or regular
206 profile. Currently it only checks for expiration of the leaf and
207 revocation status.
208 @result A policy object. The caller is responsible for calling CFRelease
209 on this when it is no longer needed.
210 */
211 SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
212
213 /*!
214 @function SecPolicyCreateiPhoneProvisioningProfileSigning
215 @abstract Returns a policy object for evaluating provisioning profile signatures.
216 @result A policy object. The caller is responsible for calling CFRelease
217 on this when it is no longer needed.
218 */
219 SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
220
221 /*!
222 @function SecPolicyCreateOCSPSigner
223 @abstract Returns a policy object for evaluating OCSP response signers.
224 @result A policy object. The caller is responsible for calling CFRelease
225 on this when it is no longer needed.
226 */
227 SecPolicyRef SecPolicyCreateOCSPSigner(void);
228
229
230 enum { /* S/MIME usage flags, one bit each; OR them together for the smimeUsage argument of SecPolicyCreateSMIME. */
231 kSecSignSMIMEUsage = (1 << 0),
232 kSecKeyEncryptSMIMEUsage = (1 << 1),
233 kSecDataEncryptSMIMEUsage = (1 << 2),
234 kSecKeyExchangeDecryptSMIMEUsage = (1 << 3),
235 kSecKeyExchangeEncryptSMIMEUsage = (1 << 4),
236 kSecKeyExchangeBothSMIMEUsage = (1 << 5),
237 kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage | kSecDataEncryptSMIMEUsage | /* mask: OR of the four flags listed here */
238 kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage /* NOTE(review): kSecSignSMIMEUsage and kSecKeyExchangeBothSMIMEUsage are not in this mask; confirm the latter omission is intended */
239 };
240
241 /*!
242 @function SecPolicyCreateSMIME
243 @abstract Returns a policy object for evaluating S/MIME certificate chains.
244 @param smimeUsage Pass the bitwise OR of one or more kSecXXXSMIMEUsage
245 flags to indicate the intended usage of this certificate. [The sentence beginning "A certificate which allows" is truncated in the source.]
246 @param email Optional; if present, the policy will require the specified
247 email to match the email in the leaf certificate.
248 @result A policy object. The caller is responsible for calling CFRelease
249 on this when it is no longer needed.
250 */
251 SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef email);
252
253 /*!
254 @function SecPolicyCreateCodeSigning
255 @abstract Returns a policy object for evaluating code signing certificate chains.
256 @result A policy object. The caller is responsible for calling CFRelease
257 on this when it is no longer needed.
258 */
259 SecPolicyRef SecPolicyCreateCodeSigning(void);
260
261 /*!
262 @function SecPolicyCreateLockdownPairing
263 @abstract Basic X.509 policy for checking lockdown pairing certificate chains.
264 It explicitly allows empty subjects.
265 */
266 SecPolicyRef SecPolicyCreateLockdownPairing(void);
267
268 /*!
269 @function SecPolicyCreateURLBag
270 @abstract check for private CA, eku codesigning and certificate policy that
271 pertains to signing of URL bags.
272 */
273 SecPolicyRef SecPolicyCreateURLBag(void);
274
275 /*!
276 @function SecPolicyCreateOTATasking
277 @abstract Check for a chain of length 3 through Apple Certification Policy with common name
278 "OTA Task Signing".
279 */
280 SecPolicyRef SecPolicyCreateOTATasking(void);
281
282 /*!
283 @function SecPolicyCreateMobileAsset
284 @abstract Check for a chain of length 3 through Apple Certification Policy with common name
285 "Asset Manifest Signing".
286 */
287 SecPolicyRef SecPolicyCreateMobileAsset(void);
288
289 /*!
290 @function SecPolicyCreateAppleIDAuthorityPolicy
291 @abstract check for an Apple ID identity per marker in the leaf and marker in the intermediate, rooted in the Apple CA.
292 */
293 SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);
294
295 /*!
296 @function SecPolicyCreatePassbookCardSigner
297 @abstract check rooted in the Apple CA, eku shoebox, marker shoebox and name matching
298 @param cardIssuer Required; must match name in marker extension.
299 @param teamIdentifier Optional; if present, the policy will require the specified
300 team ID to match the organizationalUnit field in the leaf certificate's subject.
301 @result A policy object. The caller is responsible for calling CFRelease
302 on this when it is no longer needed.
303 */
304 SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
305 CFStringRef teamIdentifier);
306
307 /*!
308 @function SecPolicyCreateShoeboxCardSigner
309 @abstract Deprecated; use SecPolicyCreatePassbookCardSigner instead
310 */
311 SecPolicyRef SecPolicyCreateShoeboxCardSigner(CFStringRef cardIssuer);
312
313 /*!
314 @function SecPolicyCreateMobileStoreSigner
315 @abstract Check for key usage of digital signature,
316 check for a chain of length 3 through Apple System Integration 2 Certification Authority
317 with a certificate policy OID of 1.2.840.113635.100.5.12 that roots to the
318 Apple root
319 */
320 SecPolicyRef SecPolicyCreateMobileStoreSigner(void);
321
322 /*!
323 @function SecPolicyCreateTestMobileStoreSigner
324 @abstract Check for key usage of digital signature,
325 check for a chain of length 3 through Apple System Integration 2 Certification Authority
326 with a certificate policy OID of 1.2.840.113635.100.5.12.1 that roots to the
327 Apple root
328 */
329 SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void);
330
331 /*!
332 @function SecPolicyCreateEscrowServiceSigner
333 @abstract Check for key usage of digital signature, has a leaf marker OID of
334 1.2.840.113635.100.6.23.1 and roots to the production Escrow Root
335 */
336 SecPolicyRef SecPolicyCreateEscrowServiceSigner(void);
337
338 /*!
339 @function SecPolicyCreatePCSEscrowServiceSigner
340 @abstract Check for key usage of digital signature, has a leaf marker OID of
341 1.2.840.113635.100.6.23.1 and roots to the production PCS Escrow Root
342 */
343 SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void);
344
345 /*!
346 @function SecPolicyCopyEscrowRootCertificate
347 @abstract Returns the root certificate for the Escrow service. Following the Core Foundation Copy rule, the caller is expected to CFRelease the result.
348 */
349 SecCertificateRef SecPolicyCopyEscrowRootCertificate(void);
350
351 /*!
352 @function SecPolicyCreateConfigurationProfileSigner
353 @abstract Check for key usage of digital signature, has an EKU OID of
354 1.2.840.113635.100.4.16 and
355 roots to Apple Application Integration 2 Certification Authority
356 */
357 SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);
358
359 /*!
360 @function SecPolicyCreateQAConfigurationProfileSigner
361 @abstract Check for key usage of digital signature, has an EKU OID of
362 1.2.840.113635.100.4.17 and
363 roots to Apple Application Integration 2 Certification Authority
364 */
365 SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);
366
367 #if TARGET_OS_IPHONE
368 /*!
369 @function SecPolicyCreateOTAPKISigner
370 @abstract Check for key usage of digital signature, and
371 roots to Apple PKI Settings Root Certification Authority
372 */
373 SecPolicyRef SecPolicyCreateOTAPKISigner(void);
374
375 /*!
376 @function SecPolicyCreateTestOTAPKISigner
377 @abstract Check for key usage of digital signature, and
378 roots to Apple PKI Settings Root - TESTING
379 */
380 SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);
381
382 /*!
383 @function SecPolicyCreateAppleIDValidationRecordSigningPolicy
384 @abstract Check that the leaf certificate contains
385 appleIDValidationRecordSigning (1 2 840 113635 100 6 25), that the
386 intermediate certificate contains
387 appleCertificateExtensionApplicationIntegrationIntermediate
388 (1 2 840 113635 100 6 2 3) and
389 appleCertificateExtensionSystemIntegration2Intermediate
390 (1 2 840 113635 100 6 2 10), and that the chain roots to the Apple root
391 */
392 SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);
393
394 /*!
395 @function SecPolicyCreateAppleSMPEncryption
396 @abstract Check for intermediate certificate 'Apple System Integration CA - ECC' by name,
397 and root certificate 'Apple Root CA - ECC' by hash.
398 Leaf cert must have Key Encipherment usage. Other checks TBD.
399 */
400 SecPolicyRef SecPolicyCreateAppleSMPEncryption(void);
401
402 /*!
403 @function SecPolicyCreateTestAppleSMPEncryption
404 @abstract Check for intermediate certificate 'Test Apple System Integration CA - ECC' by name,
405 and root certificate 'Test Apple Root CA - ECC' by hash.
406 Leaf cert must have Key Encipherment usage. Other checks TBD.
407 */
408 SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void);
409
410
411 #endif
412
413 /*!
414 @function SecPolicyCreateAppleIDSService
415 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
416 */
417 SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname);
418
419 /*!
420 @function SecPolicyCreateApplePushService
421 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
422 */
423 SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname);
424
425 /*!
426 @function SecPolicyCreateAppleMMCSService
427 @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)
428 */
429 SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname);
430
431 /*!
432 @function SecPolicyCreateAppleSSLService
433 @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
434 */
435 SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname);
436
437 __END_DECLS
438
439 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */