1 /*
2 * Copyright (c) 2000-2004,2011,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * CertExtensions.h -- X.509 Cert Extensions as C structs
24 */
25
26 #ifndef _CERT_EXTENSIONS_H_
27 #define _CERT_EXTENSIONS_H_
28
29 #include <Security/cssmtype.h>
30
31 /***
32 *** Structs for declaring extension-specific data.
33 ***/
34
/*
 * GeneralName, used in AuthorityKeyID, SubjectAltName, and
 * IssuerAltName.
 *
 * For now, we just provide explicit support for the types which are
 * represented as IA5Strings, OIDs, and octet strings. Constructed types
 * such as EDIPartyName and x400Address are not explicitly handled
 * right now and must be encoded and decoded by the caller. (See exception
 * for Name and OtherName, below). In those cases the CE_GeneralName.name.Data field
 * represents the BER contents octets; CE_GeneralName.name.Length is the
 * length of the contents; the tag of the field is not needed - the BER
 * encoding uses context-specific implicit tagging. The berEncoded field
 * is set to CSSM_TRUE in these cases. Simple types have berEncoded = CSSM_FALSE.
 *
 * In the case of a GeneralName in the form of a Name, we parse the Name
 * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
 * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
 *
 * In the case of a GeneralName in the form of a OtherName, we parse the fields
 * into a CE_OtherName and place a pointer to the CE_OtherName in the
 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
 * sizeof(CE_OtherName). In this case berEncoded is false.
 *
 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 *
 * GeneralName ::= CHOICE {
 *      otherName                       [0]     OtherName
 *      rfc822Name                      [1]     IA5String,
 *      dNSName                         [2]     IA5String,
 *      x400Address                     [3]     ORAddress,
 *      directoryName                   [4]     Name,
 *      ediPartyName                    [5]     EDIPartyName,
 *      uniformResourceIdentifier       [6]     IA5String,
 *      iPAddress                       [7]     OCTET STRING,
 *      registeredID                    [8]     OBJECT IDENTIFIER}
 *
 * OtherName ::= SEQUENCE {
 *      type-id    OBJECT IDENTIFIER,
 *      value      [0] EXPLICIT ANY DEFINED BY type-id }
 *
 * EDIPartyName ::= SEQUENCE {
 *      nameAssigner            [0]     DirectoryString OPTIONAL,
 *      partyName               [1]     DirectoryString }
 */

/*
 * Which alternative of the GeneralName CHOICE a CE_GeneralName holds.
 * The enumerators are in tag order, so their numeric values equal the
 * context-specific tag numbers [0]..[8] of the ASN.1 above. The comment
 * on each enumerator says how CE_GeneralName.name is to be read for it.
 */
typedef enum __CE_GeneralNameType {
    GNT_OtherName = 0,      // [0] OtherName; name.Data points to a CE_OtherName
    GNT_RFC822Name,         // [1] IA5String contents octets
    GNT_DNSName,            // [2] IA5String contents octets
    GNT_X400Address,        // [3] ORAddress; caller-encoded BER, berEncoded = CSSM_TRUE
    GNT_DirectoryName,      // [4] Name; name.Data points to a CSSM_X509_NAME
    GNT_EdiPartyName,       // [5] EDIPartyName; caller-encoded BER, berEncoded = CSSM_TRUE
    GNT_URI,                // [6] IA5String contents octets
    GNT_IPAddress,          // [7] OCTET STRING contents octets
    GNT_RegisteredID        // [8] OBJECT IDENTIFIER contents octets
} CE_GeneralNameType;
91
/*
 * Decoded OtherName. Reached only through a CE_GeneralName whose
 * nameType is GNT_OtherName, where name.Data points to one of these
 * (see the GeneralName discussion above).
 */
typedef struct __CE_OtherName {
    CSSM_OID typeId;        // type-id OBJECT IDENTIFIER
    CSSM_DATA value;        // unparsed, BER-encoded: the [0] EXPLICIT value, decoded by the caller
} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
96
/*
 * One GeneralName. How `name` must be read depends on nameType and
 * berEncoded (details in the GeneralName discussion above):
 *
 *  - IA5String / OCTET STRING / OID alternatives: name.Data holds the
 *    contents octets and name.Length their length; berEncoded is
 *    CSSM_FALSE. Bound every read by name.Length -- nothing in this
 *    header promises a terminating NUL.
 *  - GNT_DirectoryName: name.Data points to a CSSM_X509_NAME and
 *    name.Length == sizeof(CSSM_X509_NAME); berEncoded is CSSM_FALSE.
 *  - GNT_OtherName: name.Data points to a CE_OtherName and
 *    name.Length == sizeof(CE_OtherName); berEncoded is CSSM_FALSE.
 *  - Other constructed alternatives (x400Address, ediPartyName):
 *    name.Data holds raw BER contents octets; berEncoded is CSSM_TRUE.
 *
 * Since name.Data may be a pointer to a struct rather than a byte
 * buffer, consumers must switch on nameType before interpreting it.
 */
typedef struct __CE_GeneralName {
    CE_GeneralNameType nameType;    // GNT_RFC822Name, etc.; selects the interpretation of name
    CSSM_BOOL berEncoded;           // CSSM_TRUE: name holds caller-encoded BER contents octets
    CSSM_DATA name;                 // contents octets, or a struct pointer, per nameType
} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
102
/*
 * GeneralNames (SEQUENCE OF GeneralName) as a counted array.
 * numNames is the only bound on the generalName array; iterate by it
 * and never beyond it. The ASN.1 requires SIZE (1..MAX), but nothing in
 * this header prevents a numNames of 0 -- handle that case explicitly.
 */
typedef struct __CE_GeneralNames {
    uint32 numNames;                // number of elements in generalName
    CE_GeneralName *generalName;    // array of numNames entries
} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
107
/*
 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
 *
 *   AuthorityKeyIdentifier ::= SEQUENCE {
 *     keyIdentifier             [0] KeyIdentifier            OPTIONAL,
 *     authorityCertIssuer       [1] GeneralNames             OPTIONAL,
 *     authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL  }
 *
 *   KeyIdentifier ::= OCTET STRING
 *
 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
 *
 * Every element is OPTIONAL, so each value field is paired with a
 * *Present flag. Test the flag before reading the value; the value is
 * not meaningful when its flag is CSSM_FALSE.
 */
typedef struct __CE_AuthorityKeyID {
    CSSM_BOOL keyIdentifierPresent;     // CSSM_TRUE when keyIdentifier [0] is present
    CSSM_DATA keyIdentifier;            // KeyIdentifier OCTET STRING contents; valid only if keyIdentifierPresent
    CSSM_BOOL generalNamesPresent;      // CSSM_TRUE when authorityCertIssuer [1] is present
    CE_GeneralNames *generalNames;      // authorityCertIssuer; valid only if generalNamesPresent
    CSSM_BOOL serialNumberPresent;      // CSSM_TRUE when authorityCertSerialNumber [2] is present
    CSSM_DATA serialNumber;             // authorityCertSerialNumber contents; valid only if serialNumberPresent
} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
128
/*
 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
 *   SubjectKeyIdentifier ::= KeyIdentifier
 *
 * CSSM OID = CSSMOID_SubjectKeyIdentifier
 *
 * Carried directly as the KeyIdentifier OCTET STRING contents
 * (Data/Length), with no surrounding struct.
 */
typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
136
/*
 * id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
 *
 *     KeyUsage ::= BIT STRING {
 *          digitalSignature        (0),
 *          nonRepudiation          (1),
 *          keyEncipherment         (2),
 *          dataEncipherment        (3),
 *          keyAgreement            (4),
 *          keyCertSign             (5),
 *          cRLSign                 (6),
 *          encipherOnly            (7),
 *          decipherOnly            (8) }
 *
 * CSSM OID = CSSMOID_KeyUsage
 *
 * Represented as a 16-bit mask of the CE_KU_* values below. The mask is
 * laid out like the BIT STRING: ASN.1 bit 0 (digitalSignature) is the
 * most significant bit, 0x8000, and bit 8 (decipherOnly) is 0x0080.
 * Bits below 0x0080 are not assigned by this header. Test individual
 * usages with (keyUsage & CE_KU_xxx) != 0.
 */
typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_KU_DigitalSignature      0x8000  // ASN.1 bit 0
#define CE_KU_NonRepudiation        0x4000  // ASN.1 bit 1
#define CE_KU_KeyEncipherment       0x2000  // ASN.1 bit 2
#define CE_KU_DataEncipherment      0x1000  // ASN.1 bit 3
#define CE_KU_KeyAgreement          0x0800  // ASN.1 bit 4
#define CE_KU_KeyCertSign           0x0400  // ASN.1 bit 5
#define CE_KU_CRLSign               0x0200  // ASN.1 bit 6
#define CE_KU_EncipherOnly          0x0100  // ASN.1 bit 7
#define CE_KU_DecipherOnly          0x0080  // ASN.1 bit 8
165
/*
 * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
 *
 *   -- reasonCode ::= { CRLReason }
 *
 *   CRLReason ::= ENUMERATED {
 *      unspecified             (0),
 *      keyCompromise           (1),
 *      cACompromise            (2),
 *      affiliationChanged      (3),
 *      superseded              (4),
 *      cessationOfOperation    (5),
 *      certificateHold         (6),
 *      removeFromCRL           (8) }
 *
 * CSSM OID = CSSMOID_CrlReason
 *
 * A single enumerated value (not a bit mask -- contrast
 * CE_CrlDistReasonFlags below). The CE_CR_* values below mirror the
 * ASN.1 ENUMERATED values; note that 7 is not assigned, and values
 * other than those listed are not defined by this header, so a decoder
 * should not assume the field is one of them without checking.
 */
typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CR_Unspecified           0
#define CE_CR_KeyCompromise         1
#define CE_CR_CACompromise          2
#define CE_CR_AffiliationChanged    3
#define CE_CR_Superseded            4
#define CE_CR_CessationOfOperation  5
#define CE_CR_CertificateHold       6
#define CE_CR_RemoveFromCRL         8   // 7 is intentionally unassigned in the ASN.1
194
195 /*
196 * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
197 *
198 * SubjectAltName ::= GeneralNames
199 *
200 * CSSM OID = CSSMOID_SubjectAltName
201 *
202 * GeneralNames defined above.
203 */
204
/*
 * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
 *
 *   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
 *
 *   KeyPurposeId ::= OBJECT IDENTIFIER
 *
 * CSSM OID = CSSMOID_ExtendedKeyUsage
 *
 * A counted array of KeyPurposeId OIDs. numPurposes is the only bound
 * on the purposes array.
 *
 * NOTE(review): unlike the neighbouring types, this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER attribute; presumably
 * an oversight rather than a deliberate exception -- confirm.
 */
typedef struct __CE_ExtendedKeyUsage {
    uint32 numPurposes;         // number of elements in purposes
    CSSM_OID_PTR purposes;      // in Intel pre-encoded format; array of numPurposes OIDs
} CE_ExtendedKeyUsage;
218
/*
 * id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
 *
 * BasicConstraints ::= SEQUENCE {
 *       cA                      BOOLEAN DEFAULT FALSE,
 *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
 *
 * CSSM OID = CSSMOID_BasicConstraints
 *
 * pathLenConstraint is OPTIONAL in the ASN.1, so it is paired with a
 * *Present flag and is meaningful only when that flag is CSSM_TRUE.
 * Nothing in this struct ties pathLenConstraint to cA; path-validation
 * code decides how a pathLenConstraint on a non-CA certificate is
 * treated.
 */
typedef struct __CE_BasicConstraints {
    CSSM_BOOL cA;                           // cA; ASN.1 DEFAULT FALSE
    CSSM_BOOL pathLenConstraintPresent;     // CSSM_TRUE when pathLenConstraint was encoded
    uint32 pathLenConstraint;               // valid only if pathLenConstraintPresent
} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
233
/*
 * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
 *
 *   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
 *
 *   PolicyInformation ::= SEQUENCE {
 *        policyIdentifier   CertPolicyId,
 *        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
 *                                PolicyQualifierInfo OPTIONAL }
 *
 *   CertPolicyId ::= OBJECT IDENTIFIER
 *
 *   PolicyQualifierInfo ::= SEQUENCE {
 *        policyQualifierId  PolicyQualifierId,
 *        qualifier          ANY DEFINED BY policyQualifierId }
 *
 *   -- policyQualifierIds for Internet policy qualifiers
 *
 *   id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
 *   id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
 *   id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
 *
 *   PolicyQualifierId ::=
 *        OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
 *
 *   Qualifier ::= CHOICE {
 *        cPSuri           CPSuri,
 *        userNotice       UserNotice }
 *
 *   CPSuri ::= IA5String
 *
 *   UserNotice ::= SEQUENCE {
 *        noticeRef        NoticeReference OPTIONAL,
 *        explicitText     DisplayText OPTIONAL}
 *
 *   NoticeReference ::= SEQUENCE {
 *        organization     DisplayText,
 *        noticeNumbers    SEQUENCE OF INTEGER }
 *
 *   DisplayText ::= CHOICE {
 *        visibleString    VisibleString  (SIZE (1..200)),
 *        bmpString        BMPString      (SIZE (1..200)),
 *        utf8String       UTF8String     (SIZE (1..200)) }
 *
 * CSSM OID = CSSMOID_CertificatePolicies
 *
 * We only support down to the level of Qualifier, and then only the CPSuri
 * choice. UserNotice is transmitted to and from this library as a raw
 * CSSM_DATA containing the BER-encoded UserNotice sequence.
 */

/*
 * One PolicyQualifierInfo. The meaning of `qualifier` is selected by
 * policyQualifierId: for CSSMOID_QT_CPS it is the IA5String contents;
 * for CSSMOID_QT_UNOTICE it is the BER-encoded UserNotice sequence
 * contents, which this library does not decode. Any other
 * policyQualifierId is outside what this header describes.
 */
typedef struct __CE_PolicyQualifierInfo {
    CSSM_OID policyQualifierId;     // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
    CSSM_DATA qualifier;            // CSSMOID_QT_CPS: IA5String contents
                                    // CSSMOID_QT_UNOTICE : Sequence contents
} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
290
/*
 * One PolicyInformation entry: a policy OID plus an optional counted
 * array of qualifiers. policyQualifiers is OPTIONAL in the ASN.1, so
 * expect numPolicyQualifiers == 0 and iterate only up to it.
 */
typedef struct __CE_PolicyInformation {
    CSSM_OID certPolicyId;                      // policyIdentifier CertPolicyId
    uint32 numPolicyQualifiers;                 // size of *policyQualifiers;
    CE_PolicyQualifierInfo *policyQualifiers;   // array of numPolicyQualifiers entries
} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
296
/*
 * The certificatePolicies extension: a counted array of
 * CE_PolicyInformation. numPolicies is the only bound on the array.
 */
typedef struct __CE_CertPolicies {
    uint32 numPolicies;                 // size of *policies;
    CE_PolicyInformation *policies;     // array of numPolicies entries
} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
301
/*
 * netscape-cert-type, a bit string.
 *
 * CSSM OID = CSSMOID_NetscapeCertType
 *
 * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
 * Represented as a 16-bit mask of those CE_NCT_* values.
 */
typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
310
/*
 * CRLDistributionPoints.
 *
 * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }
 *
 *   cRLDistributionPoints ::= {
 *        CRLDistPointsSyntax }
 *
 *   CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
 *
 *   NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
 *   is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
 *   because the underlying type also uses an implicit tag to distinguish
 *   between CHOICEs.
 *
 *   DistributionPoint ::= SEQUENCE {
 *        distributionPoint       [0]     DistributionPointName OPTIONAL,
 *        reasons                 [1]     ReasonFlags OPTIONAL,
 *        cRLIssuer               [2]     GeneralNames OPTIONAL }
 *
 *   DistributionPointName ::= CHOICE {
 *        fullName                [0]     GeneralNames,
 *        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
 *
 *   ReasonFlags ::= BIT STRING {
 *        unused                  (0),
 *        keyCompromise           (1),
 *        cACompromise            (2),
 *        affiliationChanged      (3),
 *        superseded              (4),
 *        cessationOfOperation    (5),
 *        certificateHold         (6) }
 *
 * CSSM OID = CSSMOID_CrlDistributionPoints
 */

/*
 * Note that this looks similar to CE_CrlReason, but that's an enum and this
 * is an OR-able bit string.
 *
 * An 8-bit mask laid out like the ReasonFlags BIT STRING: ASN.1 bit 0
 * ("unused") is the most significant bit, 0x80, and bit 6
 * (certificateHold) is 0x02. 0x01 is not assigned by this header.
 * Used by CE_CRLDistributionPoint.reasons and
 * CE_IssuingDistributionPoint.onlySomeReasons.
 */
typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CD_Unspecified           0x80    // ASN.1 bit 0 ("unused")
#define CE_CD_KeyCompromise         0x40    // ASN.1 bit 1
#define CE_CD_CACompromise          0x20    // ASN.1 bit 2
#define CE_CD_AffiliationChanged    0x10    // ASN.1 bit 3
#define CE_CD_Superseded            0x08    // ASN.1 bit 4
#define CE_CD_CessationOfOperation  0x04    // ASN.1 bit 5
#define CE_CD_CertificateHold       0x02    // ASN.1 bit 6
360
/*
 * Discriminator for CE_DistributionPointName.dpn: which alternative of
 * the DistributionPointName CHOICE (see the ASN.1 above) is present.
 */
typedef enum __CE_CrlDistributionPointNameType {
    CE_CDNT_FullName,                   // [0] fullName: dpn.fullName is valid
    CE_CDNT_NameRelativeToCrlIssuer     // [1] nameRelativeToCRLIssuer: dpn.rdn is valid
} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
365
/*
 * DistributionPointName as a tagged union. Only the union member named
 * by nameType is valid; read nameType first and never touch the other
 * member, which aliases the same storage.
 */
typedef struct __CE_DistributionPointName {
    CE_CrlDistributionPointNameType nameType;   // selects the dpn member below
    union {
        CE_GeneralNames *fullName;              // CE_CDNT_FullName
        CSSM_X509_RDN_PTR rdn;                  // CE_CDNT_NameRelativeToCrlIssuer
    } dpn;
} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
373
/*
 * The top-level CRLDistributionPoint.
 * All fields are optional; NULL pointers indicate absence.
 * `reasons` is not a pointer, so its presence is signalled by
 * reasonsPresent instead; treat `reasons` as meaningful only when
 * reasonsPresent is CSSM_TRUE.
 */
typedef struct __CE_CRLDistributionPoint {
    CE_DistributionPointName *distPointName;    // distributionPoint [0]; NULL if absent
    CSSM_BOOL reasonsPresent;                   // CSSM_TRUE when reasons [1] was encoded
    CE_CrlDistReasonFlags reasons;              // ReasonFlags mask; valid only if reasonsPresent
    CE_GeneralNames *crlIssuer;                 // cRLIssuer [2]; NULL if absent
} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
384
/*
 * The cRLDistributionPoints extension: a counted array of
 * CE_CRLDistributionPoint. numDistPoints is the only bound on the array.
 */
typedef struct __CE_CRLDistPointsSyntax {
    uint32 numDistPoints;                   // number of elements in distPoints
    CE_CRLDistributionPoint *distPoints;    // array of numDistPoints entries
} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
389
/*
 * Authority Information Access and Subject Information Access.
 *
 * CSSM OID = CSSMOID_AuthorityInfoAccess
 * CSSM OID = CSSMOID_SubjectInfoAccess
 *
 * SubjAuthInfoAccessSyntax  ::=
 *      SEQUENCE SIZE (1..MAX) OF AccessDescription
 *
 * AccessDescription  ::=  SEQUENCE {
 *      accessMethod          OBJECT IDENTIFIER,
 *      accessLocation        GeneralName  }
 *
 * The same C types serve both extensions; which one a value came from
 * is not recorded here.
 */

/*
 * One AccessDescription. accessLocation is an embedded CE_GeneralName,
 * so its name field must be interpreted via nameType as described for
 * CE_GeneralName (it may be a pointer, not bytes).
 */
typedef struct __CE_AccessDescription {
    CSSM_OID accessMethod;              // accessMethod OBJECT IDENTIFIER
    CE_GeneralName accessLocation;      // accessLocation GeneralName, by value
} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
407
/*
 * SubjAuthInfoAccessSyntax as a counted array of CE_AccessDescription.
 * numAccessDescriptions is the only bound on the array.
 */
typedef struct __CE_AuthorityInfoAccess {
    uint32 numAccessDescriptions;               // number of elements in accessDescriptions
    CE_AccessDescription *accessDescriptions;   // array of numAccessDescriptions entries
} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
412
/*
 * Qualified Certificate Statement support, per RFC 3739.
 *
 * First, NameRegistrationAuthorities, a component of
 * SemanticsInformation; it's the same as a GeneralNames -
 * a sequence of GeneralName.
 *
 * This is a plain alias, so everything said about CE_GeneralNames
 * (numNames bounds the array; elements need nameType dispatch) applies.
 */
typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
421
/*
 * SemanticsInformation, identified as the qcType field
 * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
 * Both fields optional; at least one must be present.
 * Absence is signalled by a NULL pointer; the "at least one" rule is a
 * constraint on well-formed input, not something this struct enforces,
 * so a decoder should check it rather than assume it.
 */
typedef struct __CE_SemanticsInformation {
    CSSM_OID *semanticsIdentifier;                              // optional; NULL if absent
    CE_NameRegistrationAuthorities *nameRegistrationAuthorities; // optional; NULL if absent
} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
431
/*
 * One Qualified Certificate Statement.
 * The statementId OID is required; zero or one of {semanticsInfo,
 * otherInfo} can be valid, depending on the value of statementId.
 * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
 * the semanticsInfo field may be present; otherwise, DER-encoded
 * information may be present in otherInfo. Both semanticsInfo and
 * otherInfo are optional.
 *
 * Consumers should therefore compare statementId first and only then
 * choose between semanticsInfo and otherInfo; a NULL pointer means the
 * corresponding information is absent.
 */
typedef struct __CE_QC_Statement {
    CSSM_OID statementId;                   // required; selects which of the two pointers applies
    CE_SemanticsInformation *semanticsInfo; // for CSSMOID_OID_QCS_SYNTAX_V2; NULL if absent
    CSSM_DATA *otherInfo;                   // DER-encoded statement info, not decoded here; NULL if absent
} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
446
/*
 * The top-level Qualified Certificate Statements extension:
 * a counted array of CE_QC_Statement. numQCStatements is the only
 * bound on the array.
 */
typedef struct __CE_QC_Statements {
    uint32 numQCStatements;         // number of elements in qcStatements
    CE_QC_Statement *qcStatements;  // array of numQCStatements entries
} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
454
455 /*** CRL extensions ***/
456
/*
 * cRLNumber, an integer.
 *
 * CSSM OID = CSSMOID_CrlNumber
 *
 * Represented as a 32-bit unsigned value, so an encoded INTEGER that
 * does not fit in 32 bits cannot be carried here; a decoder must
 * detect and reject or flag such values rather than truncate them.
 *
 * NOTE(review): this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER attribute, unlike most
 * of the surrounding types -- confirm whether that is intentional.
 */
typedef uint32 CE_CrlNumber;
463
/*
 * deltaCRLIndicator, an integer.
 *
 * CSSM OID = CSSMOID_DeltaCrlIndicator
 *
 * Represented as a 32-bit unsigned value, so an encoded INTEGER that
 * does not fit in 32 bits cannot be carried here; a decoder must
 * detect and reject or flag such values rather than truncate them.
 *
 * NOTE(review): like CE_CrlNumber, this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER attribute -- confirm.
 */
typedef uint32 CE_DeltaCrl;
470
/*
 * IssuingDistributionPoint
 *
 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
 *
 * issuingDistributionPoint ::= SEQUENCE {
 *      distributionPoint       [0] DistributionPointName OPTIONAL,
 *      onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
 *      onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
 *      onlySomeReasons         [3] ReasonFlags OPTIONAL,
 *      indirectCRL             [4] BOOLEAN DEFAULT FALSE }
 *
 * CSSM OID = CSSMOID_IssuingDistributionPoint
 *
 * Each non-pointer element is paired with a *Present flag recording
 * whether it was encoded; the value field is meaningful only when its
 * flag is CSSM_TRUE. For the three DEFAULT FALSE booleans an absent
 * element means the value is FALSE per the ASN.1.
 */
typedef struct __CE_IssuingDistributionPoint {
    CE_DistributionPointName *distPointName;    // optional; NULL if absent
    CSSM_BOOL onlyUserCertsPresent;             // CSSM_TRUE when onlyContainsUserCerts [1] was encoded
    CSSM_BOOL onlyUserCerts;                    // valid only if onlyUserCertsPresent
    CSSM_BOOL onlyCACertsPresent;               // CSSM_TRUE when onlyContainsCACerts [2] was encoded
    CSSM_BOOL onlyCACerts;                      // valid only if onlyCACertsPresent
    CSSM_BOOL onlySomeReasonsPresent;           // CSSM_TRUE when onlySomeReasons [3] was encoded
    CE_CrlDistReasonFlags onlySomeReasons;      // ReasonFlags mask; valid only if onlySomeReasonsPresent
    CSSM_BOOL indirectCrlPresent;               // CSSM_TRUE when indirectCRL [4] was encoded
    CSSM_BOOL indirectCrl;                      // valid only if indirectCrlPresent
} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
496
/*
 * NameConstraints
 *
 * id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
 *
 * NameConstraints ::= SEQUENCE {
 *      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
 *      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 *
 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 *
 * GeneralSubtree ::= SEQUENCE {
 *      base                    GeneralName,
 *      minimum         [0]     BaseDistance DEFAULT 0,
 *      maximum         [1]     BaseDistance OPTIONAL }
 *
 * BaseDistance ::= INTEGER (0..MAX)
 */

/*
 * One GeneralSubtree.
 *
 * NOTE(review): the ASN.1 above declares `base` as a single GeneralName,
 * but the struct holds a CE_GeneralNames pointer (a counted array).
 * Presumably decoders populate it with numNames == 1; confirm against
 * the encoder/decoder before relying on either reading.
 */
typedef struct __CE_GeneralSubtree {
    CE_GeneralNames *base;          // base GeneralName (see note above)
    uint32 minimum;                 // default=0
    CSSM_BOOL maximumPresent;       // CSSM_TRUE when maximum [1] was encoded
    uint32 maximum;                 // optional; valid only if maximumPresent
} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
521
/*
 * GeneralSubtrees as a counted array of CE_GeneralSubtree.
 * numSubtrees is the only bound on the array.
 */
typedef struct __CE_GeneralSubtrees {
    uint32 numSubtrees;             // number of elements in subtrees
    CE_GeneralSubtree *subtrees;    // array of numSubtrees entries
} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
526
/*
 * The nameConstraints extension. Both subtree lists are OPTIONAL in the
 * ASN.1; a NULL pointer means that list is absent.
 */
typedef struct __CE_NameConstraints {
    CE_GeneralSubtrees *permitted;  // optional; permittedSubtrees [0], NULL if absent
    CE_GeneralSubtrees *excluded;   // optional; excludedSubtrees [1], NULL if absent
} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
531
/*
 * PolicyMappings
 *
 * id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
 *
 * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
 *      issuerDomainPolicy      CertPolicyId,
 *      subjectDomainPolicy     CertPolicyId }
 *
 * Note that both issuer and subject policy OIDs are required,
 * and are stored by value in this structure.
 */

/*
 * One issuerDomainPolicy -> subjectDomainPolicy mapping. Both OIDs are
 * CSSM_OID values held by value, not pointers.
 */
typedef struct __CE_PolicyMapping {
    CSSM_OID issuerDomainPolicy;    // required
    CSSM_OID subjectDomainPolicy;   // required
} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
548
/*
 * The policyMappings extension as a counted array of CE_PolicyMapping.
 * numPolicyMappings is the only bound on the array.
 */
typedef struct __CE_PolicyMappings {
    uint32 numPolicyMappings;           // number of elements in policyMappings
    CE_PolicyMapping *policyMappings;   // array of numPolicyMappings entries
} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
553
/*
 * PolicyConstraints
 *
 * id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
 *
 * PolicyConstraints ::= SEQUENCE {
 *      requireExplicitPolicy   [0]     SkipCerts OPTIONAL,
 *      inhibitPolicyMapping    [1]     SkipCerts OPTIONAL }
 *
 * SkipCerts ::= INTEGER (0..MAX)
 *
 * Both elements are OPTIONAL, so each value is paired with a *Present
 * flag and is meaningful only when that flag is CSSM_TRUE.
 */
typedef struct __CE_PolicyConstraints {
    CSSM_BOOL requireExplicitPolicyPresent;     // CSSM_TRUE when requireExplicitPolicy [0] was encoded
    uint32 requireExplicitPolicy;               // optional; valid only if requireExplicitPolicyPresent
    CSSM_BOOL inhibitPolicyMappingPresent;      // CSSM_TRUE when inhibitPolicyMapping [1] was encoded
    uint32 inhibitPolicyMapping;                // optional; valid only if inhibitPolicyMappingPresent
} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
571
/*
 * InhibitAnyPolicy, an integer.
 *
 * CSSM OID = CSSMOID_InhibitAnyPolicy
 *
 * Represented as a 32-bit unsigned value; an encoded INTEGER that does
 * not fit cannot be carried here and must be rejected or flagged by
 * the decoder rather than truncated.
 */
typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
578
/*
 * An enumerated list identifying one of the above per-extension
 * structs.
 *
 * This is the discriminator for the CE_Data union (see CE_DataAndType):
 * the comment on each enumerator names the union member that is valid
 * for it. The enumerators carry no explicit values, so their numeric
 * values are positional; note that DT_Other sits in the middle of the
 * list rather than at the end.
 */
typedef enum __CE_DataType {
    DT_AuthorityKeyID,          // CE_AuthorityKeyID (authorityKeyID)
    DT_SubjectKeyID,            // CE_SubjectKeyID (subjectKeyID)
    DT_KeyUsage,                // CE_KeyUsage (keyUsage)
    DT_SubjectAltName,          // CE_GeneralNames (subjectAltName)
    DT_IssuerAltName,           // CE_GeneralNames (issuerAltName)
    DT_ExtendedKeyUsage,        // CE_ExtendedKeyUsage (extendedKeyUsage)
    DT_BasicConstraints,        // CE_BasicConstraints (basicConstraints)
    DT_CertPolicies,            // CE_CertPolicies (certPolicies)
    DT_NetscapeCertType,        // CE_NetscapeCertType (netscapeCertType)
    DT_CrlNumber,               // CE_CrlNumber (crlNumber)
    DT_DeltaCrl,                // CE_DeltaCrl (deltaCrl)
    DT_CrlReason,               // CE_CrlReason (crlReason)
    DT_CrlDistributionPoints,   // CE_CRLDistPointsSyntax (crlDistPoints)
    DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint (issuingDistPoint)
    DT_AuthorityInfoAccess,     // CE_AuthorityInfoAccess (authorityInfoAccess)
    DT_Other,                   // unknown, raw data as a CSSM_DATA (rawData); not decoded
    DT_QC_Statements,           // CE_QC_Statements (qualifiedCertStatements)
    DT_NameConstraints,         // CE_NameConstraints (nameConstraints)
    DT_PolicyMappings,          // CE_PolicyMappings (policyMappings)
    DT_PolicyConstraints,       // CE_PolicyConstraints (policyConstraints)
    DT_InhibitAnyPolicy         // CE_InhibitAnyPolicy (inhibitAnyPolicy)
} CE_DataType;
606
/*
 * One unified representation of all the cert and CRL extensions we know about.
 *
 * An untagged union; the discriminator lives alongside it in
 * CE_DataAndType.type (a CE_DataType). Only the member matching that
 * type is valid -- all members alias the same storage. Extensions this
 * library does not decode arrive as rawData under DT_Other.
 * Several members contain pointers to further allocations; who owns
 * and frees those is not specified in this header.
 */
typedef union {
    CE_AuthorityKeyID authorityKeyID;               // DT_AuthorityKeyID
    CE_SubjectKeyID subjectKeyID;                   // DT_SubjectKeyID
    CE_KeyUsage keyUsage;                           // DT_KeyUsage
    CE_GeneralNames subjectAltName;                 // DT_SubjectAltName
    CE_GeneralNames issuerAltName;                  // DT_IssuerAltName
    CE_ExtendedKeyUsage extendedKeyUsage;           // DT_ExtendedKeyUsage
    CE_BasicConstraints basicConstraints;           // DT_BasicConstraints
    CE_CertPolicies certPolicies;                   // DT_CertPolicies
    CE_NetscapeCertType netscapeCertType;           // DT_NetscapeCertType
    CE_CrlNumber crlNumber;                         // DT_CrlNumber
    CE_DeltaCrl deltaCrl;                           // DT_DeltaCrl
    CE_CrlReason crlReason;                         // DT_CrlReason
    CE_CRLDistPointsSyntax crlDistPoints;           // DT_CrlDistributionPoints
    CE_IssuingDistributionPoint issuingDistPoint;   // DT_IssuingDistributionPoint
    CE_AuthorityInfoAccess authorityInfoAccess;     // DT_AuthorityInfoAccess
    CE_QC_Statements qualifiedCertStatements;       // DT_QC_Statements
    CE_NameConstraints nameConstraints;             // DT_NameConstraints
    CE_PolicyMappings policyMappings;               // DT_PolicyMappings
    CE_PolicyConstraints policyConstraints;         // DT_PolicyConstraints
    CE_InhibitAnyPolicy inhibitAnyPolicy;           // DT_InhibitAnyPolicy
    CSSM_DATA rawData;                              // unknown, not decoded (DT_Other)
} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
633
/*
 * One decoded extension: the discriminator, the decoded payload, and
 * the extension's critical flag.
 *
 * `extension` is a union discriminated by `type`; read only the member
 * that CE_DataType says is valid for `type`. A DT_Other entry with
 * `critical` set is an extension this library could not interpret that
 * the issuer marked critical; X.509 processing rules treat such a
 * certificate as unacceptable, and nothing in this header enforces
 * that, so the caller's validation logic must.
 */
typedef struct __CE_DataAndType {
    CE_DataType type;       // selects the valid member of extension
    CE_Data extension;      // decoded payload, or rawData for DT_Other
    CSSM_BOOL critical;     // the extension's critical flag as encoded
} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
639
640 #endif /* _CERT_EXTENSIONS_H_ */