1 /*
2 * Copyright (c) 2000-2009,2011,2012,2014,2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * CertExtensions.h -- X.509 Cert Extensions as C structs
24 */
25
26 #ifndef _CERT_EXTENSIONS_H_
27 #define _CERT_EXTENSIONS_H_
28
29 #include <Security/SecBase.h>
30
31 #if SEC_OS_OSX
32
33 #include <Security/cssmtype.h>
34 #include <Security/x509defs.h> /* CSSM_X509_RDN_PTR */
35 #pragma clang diagnostic push
36 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
37
38 #else /* SEC_OS_IPHONE */
39
40 #include <stdbool.h>
41 #include <libDER/libDER.h>
42
43 #endif /* SEC_OS_IPHONE */
44
45 /***
46 *** Structs for declaring extension-specific data.
47 ***/
48
49 /*
50 * GeneralName, used in AuthorityKeyID, SubjectAltName, and
51 * IssuerAltName.
52 *
53 * For now, we just provide explicit support for the types which are
54 * represented as IA5Strings, OIDs, and octet strings. Constructed types
55 * such as EDIPartyName and x400Address are not explicitly handled
56 * right now and must be encoded and decoded by the caller. (See exception
57 * for Name and OtherName, below). In those cases the SecECGeneralName.name.Data / CE_GeneralName.name.Data field
58 * represents the BER contents octets; SecCEGeneralName.name.Length / CE_GeneralName.name.Length is the
59 * length of the contents; the tag of the field is not needed - the BER
60 * encoding uses context-specific implicit tagging. The berEncoded field
61 * is set to true / CSSM_TRUE in these case. Simple types have berEncoded = false / CSSM_FALSE.
62 *
63 * In the case of a GeneralName in the form of a Name, we parse the Name
64 * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
65 * CE_GeneralName.name.Data field. SecCEGeneralName.name.Length / CE_GeneralName.name.Length is set to
66 * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
67 *
68 * In the case of a GeneralName in the form of a OtherName, we parse the fields
69 * into a CE_OtherName and place a pointer to the SecCEOtherName / CE_OtherName in the
70 * SecCEGeneralName.name.Data / CE_GeneralName.name.Data field. SecCEGeneralName.name.Length / CE_GeneralName.name.Length is set to
71 * sizeof(SecCEOtherName) / sizeof(CE_OtherName). In this case berEncoded is false.
72 *
73 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
74 *
75 * GeneralName ::= CHOICE {
76 * otherName [0] OtherName
77 * rfc822Name [1] IA5String,
78 * dNSName [2] IA5String,
79 * x400Address [3] ORAddress,
80 * directoryName [4] Name,
81 * ediPartyName [5] EDIPartyName,
82 * uniformResourceIdentifier [6] IA5String,
83 * iPAddress [7] OCTET STRING,
84 * registeredID [8] OBJECT IDENTIFIER}
85 *
86 * OtherName ::= SEQUENCE {
87 * type-id OBJECT IDENTIFIER,
88 * value [0] EXPLICIT ANY DEFINED BY type-id }
89 *
90 * EDIPartyName ::= SEQUENCE {
91 * nameAssigner [0] DirectoryString OPTIONAL,
92 * partyName [1] DirectoryString }
93 */
#if SEC_OS_OSX
/*
 * Discriminator for CE_GeneralName.nameType. The enumerators follow the
 * GeneralName CHOICE above in order, so each value equals the
 * context-specific tag number of its alternative ([0] .. [8]).
 * NOTE(review): there is no "unknown" enumerator; a decoder that meets a
 * tag outside [0]..[8] has nothing valid to store here and should fail.
 */
typedef enum __CE_GeneralNameType {
	GNT_OtherName = 0,		// [0] OtherName, parsed into a CE_OtherName
	GNT_RFC822Name,			// [1] IA5String
	GNT_DNSName,			// [2] IA5String
	GNT_X400Address,		// [3] ORAddress, left BER-encoded
	GNT_DirectoryName,		// [4] Name, parsed into a CSSM_X509_NAME
	GNT_EdiPartyName,		// [5] EDIPartyName, left BER-encoded
	GNT_URI,				// [6] IA5String
	GNT_IPAddress,			// [7] OCTET STRING
	GNT_RegisteredID		// [8] OBJECT IDENTIFIER
} CE_GeneralNameType;

#elif SEC_OS_IPHONE

/* iOS counterpart of CE_GeneralNameType; same values, same tag-number mapping. */
typedef enum {
	GNT_OtherName = 0,		// [0]
	GNT_RFC822Name,			// [1]
	GNT_DNSName,			// [2]
	GNT_X400Address,		// [3]
	GNT_DirectoryName,		// [4]
	GNT_EdiPartyName,		// [5]
	GNT_URI,				// [6]
	GNT_IPAddress,			// [7]
	GNT_RegisteredID		// [8]
} SecCEGeneralNameType;

#endif /* SEC_OS_IPHONE */
122
#if SEC_OS_OSX

/*
 * OtherName: the type-id OID plus the still-BER-encoded [0] EXPLICIT value.
 * Interpretation of value is entirely up to whoever understands typeId.
 */
typedef struct __CE_OtherName {
	CSSM_OID typeId;
	CSSM_DATA value;		// unparsed, BER-encoded
} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One GeneralName. How name.Data is to be read depends on nameType and
 * berEncoded (see the block comment above): raw contents octets when
 * berEncoded is CSSM_TRUE, a CSSM_X509_NAME pointer for GNT_DirectoryName,
 * a CE_OtherName pointer for GNT_OtherName, and the bare string/OID/octet
 * contents for the simple types.
 * NOTE(review): for the IA5String types the contents are presumably not
 * NUL-terminated; always honour name.Length rather than calling strlen.
 */
typedef struct __CE_GeneralName {
	CE_GeneralNameType nameType;	// GNT_RFC822Name, etc.
	CSSM_BOOL berEncoded;
	CSSM_DATA name;
} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * A GeneralNames SEQUENCE: numNames entries starting at generalName.
 * numNames is the only bound on the array; nothing here validates it.
 */
typedef struct __CE_GeneralNames {
	uint32 numNames;
	CE_GeneralName *generalName;
} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

/* iOS counterpart of CE_OtherName; value is left BER-encoded. */
typedef struct {
	DERItem typeId;
	DERItem value;			// unparsed, BER-encoded
} SecCEOtherName;

/* iOS counterpart of CE_GeneralName; same name/berEncoded conventions. */
typedef struct {
	SecCEGeneralNameType nameType;	// GNT_RFC822Name, etc.
	bool berEncoded;
	DERItem name;
} SecCEGeneralName;

/* iOS counterpart of CE_GeneralNames; numNames is the only bound. */
typedef struct {
	uint32_t numNames;
	SecCEGeneralName *generalName;
} SecCEGeneralNames;

#endif /* SEC_OS_IPHONE */
160
161 /*
162 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
163 *
164 * AuthorityKeyIdentifier ::= SEQUENCE {
165 * keyIdentifier [0] KeyIdentifier OPTIONAL,
166 * authorityCertIssuer [1] GeneralNames OPTIONAL,
167 * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
168 *
169 * KeyIdentifier ::= OCTET STRING
170 *
171 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
172 */
#if SEC_OS_OSX
/*
 * Decoded AuthorityKeyIdentifier. Each of the three OPTIONAL components has
 * its own *Present flag; the data field beside a flag is meaningful only
 * when that flag is CSSM_TRUE.
 *
 *   keyIdentifier - contents of the [0] KeyIdentifier OCTET STRING
 *   generalNames  - the [1] authorityCertIssuer, decoded as a CE_GeneralNames
 *   serialNumber  - the [2] authorityCertSerialNumber; presumably the raw
 *                   INTEGER bytes, which may be longer than any native int
 *                   (TODO confirm against the decoder)
 */
typedef struct __CE_AuthorityKeyID {
	CSSM_BOOL keyIdentifierPresent;
	CSSM_DATA keyIdentifier;
	CSSM_BOOL generalNamesPresent;
	CE_GeneralNames *generalNames;
	CSSM_BOOL serialNumberPresent;
	CSSM_DATA serialNumber;
} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS counterpart of CE_AuthorityKeyID; same layout over bool/DERItem. */
typedef struct {
	bool keyIdentifierPresent;
	DERItem keyIdentifier;
	bool generalNamesPresent;
	SecCEGeneralNames *generalNames;
	bool serialNumberPresent;
	DERItem serialNumber;
} SecCEAuthorityKeyID;
#endif /* SEC_OS_IPHONE */
192
193 /*
194 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
195 * SubjectKeyIdentifier ::= KeyIdentifier
196 *
197 * CSSM OID = CSSMOID_SubjectKeyIdentifier
198 */
#if SEC_OS_OSX
/* Contents octets of the SubjectKeyIdentifier OCTET STRING; no length limit is implied. */
typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS counterpart of CE_SubjectKeyID. */
typedef DERItem SecCESubjectKeyID;
#endif /* SEC_OS_IPHONE */
204
205 /*
206 * id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
207 *
208 * KeyUsage ::= BIT STRING {
209 * digitalSignature (0),
210 * nonRepudiation (1),
211 * keyEncipherment (2),
212 * dataEncipherment (3),
213 * keyAgreement (4),
214 * keyCertSign (5),
215 * cRLSign (6),
216 * encipherOnly (7),
217 * decipherOnly (8) }
218 *
219 * CSSM OID = CSSMOID_KeyUsage
220 *
221 */
#if SEC_OS_OSX
/*
 * KeyUsage as a 16-bit mask; bit names CE_KU_* below. Only the nine bits
 * named in the BIT STRING above are defined; the remaining low-order bits
 * are unassigned.
 */
typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS counterpart of CE_KeyUsage; bit names SecCEKU_* below. */
typedef uint16_t SecCEKeyUsage;
#endif /* SEC_OS_IPHONE */
227
#if SEC_OS_OSX
/*
 * KeyUsage bit masks. ASN.1 BIT STRING bit 0 is the most significant bit of
 * the first contents octet, so digitalSignature (0) maps to 0x8000 and the
 * bits descend from there; decipherOnly (8) lands in the second octet at
 * 0x0080. Test with (keyUsage & CE_KU_xxx), never with ==, since several
 * bits are routinely set together.
 */
#define CE_KU_DigitalSignature		0x8000
#define CE_KU_NonRepudiation		0x4000
#define CE_KU_KeyEncipherment		0x2000
#define CE_KU_DataEncipherment		0x1000
#define CE_KU_KeyAgreement			0x0800
#define CE_KU_KeyCertSign			0x0400
#define CE_KU_CRLSign				0x0200
#define CE_KU_EncipherOnly			0x0100
#define CE_KU_DecipherOnly			0x0080
#else /* SEC_OS_IPHONE */
/* Same masks for iOS; the bit layout is identical to CE_KU_*. */
#define SecCEKU_DigitalSignature	0x8000
#define SecCEKU_NonRepudiation		0x4000
#define SecCEKU_KeyEncipherment		0x2000
#define SecCEKU_DataEncipherment	0x1000
#define SecCEKU_KeyAgreement		0x0800
#define SecCEKU_KeyCertSign			0x0400
#define SecCEKU_CRLSign				0x0200
#define SecCEKU_EncipherOnly		0x0100
#define SecCEKU_DecipherOnly		0x0080
#endif /* SEC_OS_IPHONE */
249
250 /*
251 * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
252 *
253 * -- reasonCode ::= { CRLReason }
254 *
255 * CRLReason ::= ENUMERATED {
256 * unspecified (0),
257 * keyCompromise (1),
258 * cACompromise (2),
259 * affiliationChanged (3),
260 * superseded (4),
261 * cessationOfOperation (5),
262 * certificateHold (6),
263 * removeFromCRL (8) }
264 *
265 * CSSM OID = CSSMOID_CrlReason
266 *
267 */
#if SEC_OS_OSX
/*
 * CRLReason as its ENUMERATED value; named values CE_CR_* below. This is a
 * plain integer, not a bit mask (compare CE_CrlDistReasonFlags further down).
 */
typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
/* iOS counterpart of CE_CrlReason; named values SecCECR_* below. */
typedef uint32_t SecCECrlReason;
#endif /* SEC_OS_IPHONE */
273
#if SEC_OS_OSX
/*
 * CRLReason values. 7 is deliberately unassigned in the ASN.1 above.
 * NOTE(review): RFC 5280 later added privilegeWithdrawn (9) and
 * aACompromise (10); no macro exists for them here. Code that switches on a
 * CE_CrlReason should treat any value outside this list as a revocation
 * reason it does not understand (fail closed), not ignore the entry.
 */
#define CE_CR_Unspecified			0
#define CE_CR_KeyCompromise			1
#define CE_CR_CACompromise			2
#define CE_CR_AffiliationChanged	3
#define CE_CR_Superseded			4
#define CE_CR_CessationOfOperation	5
#define CE_CR_CertificateHold		6
#define CE_CR_RemoveFromCRL			8
#elif SEC_OS_IPHONE
/* iOS names for the same CRLReason values. */
#define SecCECR_Unspecified			0
#define SecCECR_KeyCompromise		1
#define SecCECR_CACompromise		2
#define SecCECR_AffiliationChanged	3
#define SecCECR_Superseded			4
#define SecCECR_CessationOfOperation	5
#define SecCECR_CertificateHold		6
#define SecCECR_RemoveFromCRL		8
#endif /* SEC_OS_IPHONE */
293
294 /*
295 * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
296 *
297 * SubjectAltName ::= GeneralNames
298 *
299 * CSSM OID = CSSMOID_SubjectAltName
300 *
301 * GeneralNames defined above.
302 */
303
304 /*
305 * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
306 *
 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
308 *
309 * KeyPurposeId ::= OBJECT IDENTIFIER
310 *
311 * CSSM OID = CSSMOID_ExtendedKeyUsage
312 */
#if SEC_OS_OSX
/*
 * The decoded extKeyUsage extension: numPurposes KeyPurposeId OIDs starting
 * at purposes. numPurposes is the only bound on the array.
 * NOTE(review): unlike its neighbours this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER marker; presumably an
 * oversight rather than a deliberately supported type.
 */
typedef struct __CE_ExtendedKeyUsage {
	uint32 numPurposes;
	CSSM_OID_PTR purposes;		// in Intel pre-encoded format
} CE_ExtendedKeyUsage;

#elif SEC_OS_IPHONE

/* iOS counterpart of CE_ExtendedKeyUsage. */
typedef struct {
	uint32_t numPurposes;
	DERItem *purposes;			// in Intel pre-encoded format
} SecCEExtendedKeyUsage;
#endif /* SEC_OS_IPHONE */
326
327 /*
328 * id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
329 *
330 * BasicConstraints ::= SEQUENCE {
331 * cA BOOLEAN DEFAULT FALSE,
332 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
333 *
334 * CSSM OID = CSSMOID_BasicConstraints
335 */
#if SEC_OS_OSX
/*
 * Decoded BasicConstraints. pathLenConstraint is meaningful only when
 * pathLenConstraintPresent is CSSM_TRUE; cA is the DEFAULT FALSE BOOLEAN.
 * NOTE(review): the encoded pathLenConstraint is INTEGER (0..MAX); nothing
 * in this struct stops a negative or wider-than-32-bit value from being
 * stored here, so that check has to live in the decoder.
 */
typedef struct __CE_BasicConstraints {
	CSSM_BOOL cA;
	CSSM_BOOL pathLenConstraintPresent;
	uint32 pathLenConstraint;
} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

/*
 * iOS BasicConstraints. Unlike the CDSA struct it also records whether the
 * extension was present at all and whether it was marked critical.
 */
typedef struct {
	bool present;
	bool critical;
	bool isCA;
	bool pathLenConstraintPresent;
	uint32_t pathLenConstraint;
} SecCEBasicConstraints;

/*
 * iOS PolicyConstraints (id-ce 36); the ASN.1 is given with
 * CE_PolicyConstraints below. Each SkipCerts value is meaningful only when
 * its *Present flag is set.
 */
typedef struct {
	bool present;
	bool critical;
	bool requireExplicitPolicyPresent;
	uint32_t requireExplicitPolicy;
	bool inhibitPolicyMappingPresent;
	uint32_t inhibitPolicyMapping;
} SecCEPolicyConstraints;
#endif /* SEC_OS_IPHONE */
362
363 /*
364 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
365 *
366 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
367 *
368 * PolicyInformation ::= SEQUENCE {
369 * policyIdentifier CertPolicyId,
370 * policyQualifiers SEQUENCE SIZE (1..MAX) OF
371 * PolicyQualifierInfo OPTIONAL }
372 *
373 * CertPolicyId ::= OBJECT IDENTIFIER
374 *
375 * PolicyQualifierInfo ::= SEQUENCE {
376 * policyQualifierId PolicyQualifierId,
377 * qualifier ANY DEFINED BY policyQualifierId }
378 *
379 * -- policyQualifierIds for Internet policy qualifiers
380 *
381 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
382 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
383 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
384 *
385 * PolicyQualifierId ::=
386 * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
387 *
388 * Qualifier ::= CHOICE {
389 * cPSuri CPSuri,
390 * userNotice UserNotice }
391 *
392 * CPSuri ::= IA5String
393 *
394 * UserNotice ::= SEQUENCE {
395 * noticeRef NoticeReference OPTIONAL,
396 * explicitText DisplayText OPTIONAL}
397 *
398 * NoticeReference ::= SEQUENCE {
399 * organization DisplayText,
400 * noticeNumbers SEQUENCE OF INTEGER }
401 *
402 * DisplayText ::= CHOICE {
403 * visibleString VisibleString (SIZE (1..200)),
404 * bmpString BMPString (SIZE (1..200)),
405 * utf8String UTF8String (SIZE (1..200)) }
406 *
407 * CSSM OID = CSSMOID_CertificatePolicies
408 *
409 * We only support down to the level of Qualifier, and then only the CPSuri
410 * choice. UserNotice is transmitted to and from this library as a raw
411 * CSSM_DATA containing the BER-encoded UserNotice sequence.
412 */
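#if SEC_OS_OSX

/*
 * One PolicyQualifierInfo. policyQualifierId selects how qualifier is read:
 *   CSSMOID_QT_CPS     - qualifier holds the IA5String (CPSuri) contents
 *   CSSMOID_QT_UNOTICE - qualifier holds the BER-encoded UserNotice
 *                        SEQUENCE, which is not decoded further (see above)
 * The struct is defined in one piece here; previously its closing brace sat
 * on the far side of the SEC_OS_IPHONE section, interleaving the two
 * platforms' definitions.
 */
typedef struct __CE_PolicyQualifierInfo {
	CSSM_OID policyQualifierId;		// CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
	CSSM_DATA qualifier;			// CSSMOID_QT_CPS: IA5String contents
									// CSSMOID_QT_UNOTICE: Sequence contents
} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

#if 0
/*
 * Disabled: on iOS the qualifier list is kept undecoded in
 * SecCEPolicyInformation.policyQualifiers below.
 */
typedef struct {
	DERItem policyQualifierId;		// CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
	DERItem qualifier;				// CSSMOID_QT_CPS: IA5String contents
} SecCEPolicyQualifierInfo;
#endif

/* One PolicyInformation: the CertPolicyId plus its (undecoded) qualifiers. */
typedef struct {
	DERItem policyIdentifier;
	DERItem policyQualifiers;
} SecCEPolicyInformation;

/* The decoded certificatePolicies extension: numPolicies entries at policies. */
typedef struct {
	bool present;
	bool critical;
	size_t numPolicies;				// size of *policies;
	SecCEPolicyInformation *policies;
} SecCECertificatePolicies;

/*
 * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
 *   issuerDomainPolicy   CertPolicyId,
 *   subjectDomainPolicy  CertPolicyId }
 */
typedef struct {
	DERItem issuerDomainPolicy;
	DERItem subjectDomainPolicy;
} SecCEPolicyMapping;

/* The decoded policyMappings extension: numMappings pairs at mappings. */
typedef struct {
	bool present;
	bool critical;
	size_t numMappings;				// size of *mappings;
	SecCEPolicyMapping *mappings;
} SecCEPolicyMappings;

/*
 * InhibitAnyPolicy ::= SkipCerts
 * SkipCerts ::= INTEGER (0..MAX)
 */
typedef struct {
	bool present;
	bool critical;
	uint32_t skipCerts;
} SecCEInhibitAnyPolicy;

#endif /* SEC_OS_IPHONE */

#if SEC_OS_OSX	/* remaining CDSA-only definitions; closed at the end of the file */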
469
/*
 * One PolicyInformation: the CertPolicyId plus numPolicyQualifiers decoded
 * qualifiers (zero when the OPTIONAL qualifier SEQUENCE is absent).
 */
typedef struct __CE_PolicyInformation {
	CSSM_OID certPolicyId;
	uint32 numPolicyQualifiers;		// size of *policyQualifiers;
	CE_PolicyQualifierInfo *policyQualifiers;
} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* The decoded certificatePolicies extension: numPolicies entries at policies. */
typedef struct __CE_CertPolicies {
	uint32 numPolicies;				// size of *policies;
	CE_PolicyInformation *policies;
} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
480
/*
 * netscape-cert-type, a bit string, carried as a 16-bit mask.
 *
 * CSSM OID = CSSMOID_NetscapeCertType
 *
 * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc. Presumably laid
 * out like CE_KeyUsage (BIT STRING bit 0 in the high-order bit) - confirm
 * against oidsattr.h before hard-coding masks.
 */
typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
489
490 /*
491 * CRLDistributionPoints.
492 *
493 * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
494 *
495 * cRLDistributionPoints ::= {
496 * CRLDistPointsSyntax }
497 *
498 * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
499 *
 * NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
 * is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
 * the underlying type is a CHOICE whose alternatives are already told apart
 * by their own implicit tags, so an outer implicit tag would overwrite that
 * tag and make the alternatives indistinguishable.
504 *
505 * DistributionPoint ::= SEQUENCE {
506 * distributionPoint [0] DistributionPointName OPTIONAL,
507 * reasons [1] ReasonFlags OPTIONAL,
508 * cRLIssuer [2] GeneralNames OPTIONAL }
509 *
510 * DistributionPointName ::= CHOICE {
511 * fullName [0] GeneralNames,
512 * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
513 *
514 * ReasonFlags ::= BIT STRING {
515 * unused (0),
516 * keyCompromise (1),
517 * cACompromise (2),
518 * affiliationChanged (3),
519 * superseded (4),
520 * cessationOfOperation (5),
521 * certificateHold (6) }
522 *
523 * CSSM OID = CSSMOID_CrlDistributionPoints
524 */
525
/*
 * ReasonFlags as an 8-bit mask, BIT STRING bit 0 in the high-order bit (so
 * the ASN.1 "unused (0)" bit is CE_CD_Unspecified, 0x80). Note that this
 * looks similar to CE_CrlReason, but that's an enum and this is an OR-able
 * bit string.
 * NOTE(review): RFC 5280's ReasonFlags also defines privilegeWithdrawn (7)
 * and aACompromise (8). Bit 7 would be 0x01, but bit 8 does not fit in a
 * uint8 at all, so a distribution point scoped to aACompromise cannot be
 * represented here; whether the decoder rejects or silently drops it is not
 * visible from this header.
 */
typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CD_Unspecified			0x80	// BIT STRING bit 0, "unused" in the ASN.1
#define CE_CD_KeyCompromise			0x40
#define CE_CD_CACompromise			0x20
#define CE_CD_AffiliationChanged	0x10
#define CE_CD_Superseded			0x08
#define CE_CD_CessationOfOperation	0x04
#define CE_CD_CertificateHold		0x02
539
/* Selects which member of CE_DistributionPointName.dpn is live. */
typedef enum __CE_CrlDistributionPointNameType {
	CE_CDNT_FullName,					// dpn.fullName
	CE_CDNT_NameRelativeToCrlIssuer		// dpn.rdn
} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
544
/*
 * DistributionPointName. dpn is a plain union; nameType is its only
 * discriminator, and reading the member nameType does not select is
 * undefined behaviour.
 */
typedef struct __CE_DistributionPointName {
	CE_CrlDistributionPointNameType nameType;
	union {
		CE_GeneralNames *fullName;		// CE_CDNT_FullName
		CSSM_X509_RDN_PTR rdn;			// CE_CDNT_NameRelativeToCrlIssuer
	} dpn;
} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
552
/*
 * The top-level CRLDistributionPoint.
 * All fields are optional; NULL pointers indicate absence, and reasons is
 * meaningful only when reasonsPresent is CSSM_TRUE.
 * NOTE(review): per RFC 5280 4.2.1.13 an absent reasons field means the
 * point covers all revocation reasons, whereas a present mask scopes the
 * CRL to the listed reasons only - a verifier must not treat a CRL fetched
 * from a reason-scoped point as complete.
 */
typedef struct __CE_CRLDistributionPoint {
	CE_DistributionPointName *distPointName;
	CSSM_BOOL reasonsPresent;
	CE_CrlDistReasonFlags reasons;
	CE_GeneralNames *crlIssuer;
} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* The decoded cRLDistributionPoints extension: numDistPoints entries at distPoints. */
typedef struct __CE_CRLDistPointsSyntax {
	uint32 numDistPoints;
	CE_CRLDistributionPoint *distPoints;
} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
568
569 /*
570 * Authority Information Access and Subject Information Access.
571 *
572 * CSSM OID = CSSMOID_AuthorityInfoAccess
573 * CSSM OID = CSSMOID_SubjectInfoAccess
574 *
575 * SubjAuthInfoAccessSyntax ::=
576 * SEQUENCE SIZE (1..MAX) OF AccessDescription
577 *
578 * AccessDescription ::= SEQUENCE {
579 * accessMethod OBJECT IDENTIFIER,
580 * accessLocation GeneralName }
581 */
/*
 * One AccessDescription: the accessMethod OID (id-ad-ocsp, id-ad-caIssuers,
 * ...) and its accessLocation as a decoded GeneralName stored by value.
 */
typedef struct __CE_AccessDescription {
	CSSM_OID accessMethod;
	CE_GeneralName accessLocation;
} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The decoded AIA or SIA extension: numAccessDescriptions entries at
 * accessDescriptions. The same struct serves both OIDs.
 */
typedef struct __CE_AuthorityInfoAccess {
	uint32 numAccessDescriptions;
	CE_AccessDescription *accessDescriptions;
} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
591
592 /*
593 * Qualified Certificate Statement support, per RFC 3739.
594 *
595 * First, NameRegistrationAuthorities, a component of
596 * SemanticsInformation; it's the same as a GeneralNames -
597 * a sequence of GeneralName.
598 */
599 typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
600
/*
 * SemanticsInformation, carried in the semanticsInfo field of a
 * CE_QC_Statement whose statementId is id-qcs-pkixQCSyntax-v2.
 * Both fields optional (NULL when absent); at least one must be present.
 */
typedef struct __CE_SemanticsInformation {
	CSSM_OID *semanticsIdentifier;
	CE_NameRegistrationAuthorities *nameRegistrationAuthorities;
} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
610
/*
 * One Qualified Certificate Statement.
 * The statementId OID is required; zero or one of {semanticsInfo,
 * otherInfo} can be valid, depending on the value of statementId.
 * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
 * the semanticsInfo field may be present; otherwise, DER-encoded
 * information may be present in otherInfo. Both semanticsInfo and
 * otherInfo are optional and presumably NULL when absent.
 */
typedef struct __CE_QC_Statement {
	CSSM_OID statementId;
	CE_SemanticsInformation *semanticsInfo;	// only for id-qcs-pkixQCSyntax-v2
	CSSM_DATA *otherInfo;					// raw DER for any other statementId
} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
625
/*
 * The top-level Qualified Certificate Statements extension:
 * numQCStatements entries at qcStatements.
 */
typedef struct __CE_QC_Statements {
	uint32 numQCStatements;
	CE_QC_Statement *qcStatements;
} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
633
634 /*** CRL extensions ***/
635
/*
 * cRLNumber, an integer.
 *
 * CSSM OID = CSSMOID_CrlNumber
 *
 * NOTE(review): the encoded CRLNumber is an INTEGER that RFC 5280 allows to
 * be up to 20 octets wide; a uint32 cannot hold such values, so CRL-number
 * comparisons based on this field are only sound if the decoder rejects
 * (rather than truncates) wider values - not verifiable from this header.
 * This typedef also lacks the deprecation marker its neighbours carry.
 */
typedef uint32 CE_CrlNumber;
642
/*
 * deltaCRLIndicator, an integer (the BaseCRLNumber).
 *
 * CSSM OID = CSSMOID_DeltaCrlIndicator
 *
 * Same 32-bit width caveat as CE_CrlNumber above, and likewise no
 * deprecation marker.
 */
typedef uint32 CE_DeltaCrl;
649
650 /*
651 * IssuingDistributionPoint
652 *
653 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
654 *
655 * issuingDistributionPoint ::= SEQUENCE {
656 * distributionPoint [0] DistributionPointName OPTIONAL,
657 * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
658 * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
659 * onlySomeReasons [3] ReasonFlags OPTIONAL,
660 * indirectCRL [4] BOOLEAN DEFAULT FALSE }
661 *
662 * CSSM OID = CSSMOID_IssuingDistributionPoint
663 */
/*
 * Decoded IssuingDistributionPoint. For each DEFAULT FALSE BOOLEAN the
 * *Present flag records whether the element was actually encoded and the
 * unsuffixed field carries its value (presumably CSSM_FALSE when not
 * present - confirm against the decoder). onlySomeReasons is meaningful
 * only when onlySomeReasonsPresent is CSSM_TRUE and shares the 8-bit
 * ReasonFlags limitation described at CE_CrlDistReasonFlags.
 */
typedef struct __CE_IssuingDistributionPoint {
	CE_DistributionPointName *distPointName;	// optional
	CSSM_BOOL onlyUserCertsPresent;
	CSSM_BOOL onlyUserCerts;
	CSSM_BOOL onlyCACertsPresent;
	CSSM_BOOL onlyCACerts;
	CSSM_BOOL onlySomeReasonsPresent;
	CE_CrlDistReasonFlags onlySomeReasons;
	CSSM_BOOL indirectCrlPresent;
	CSSM_BOOL indirectCrl;
} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
675
676 /*
677 * NameConstraints
678 *
679 * id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
680 *
681 * NameConstraints ::= SEQUENCE {
682 * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
683 * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
684 *
685 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
686 *
687 * GeneralSubtree ::= SEQUENCE {
688 * base GeneralName,
689 * minimum [0] BaseDistance DEFAULT 0,
690 * maximum [1] BaseDistance OPTIONAL }
691 *
692 * BaseDistance ::= INTEGER (0..MAX)
693 */
/*
 * One GeneralSubtree.
 * NOTE(review): base is typed as a CE_GeneralNames pointer although the
 * ASN.1 above has a single GeneralName; presumably a one-entry list -
 * confirm against the decoder before assuming numNames == 1.
 * minimum defaults to 0 when absent; maximum is meaningful only when
 * maximumPresent is CSSM_TRUE.
 */
typedef struct __CE_GeneralSubtree {
	CE_GeneralNames *base;
	uint32 minimum;					// default=0
	CSSM_BOOL maximumPresent;
	uint32 maximum;					// optional
} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* A GeneralSubtrees SEQUENCE: numSubtrees entries at subtrees. */
typedef struct __CE_GeneralSubtrees {
	uint32 numSubtrees;
	CE_GeneralSubtree *subtrees;
} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The decoded nameConstraints extension. Either list may be NULL (absent);
 * RFC 5280 requires at least one of them to be present. A verifier must
 * apply excluded even when permitted is NULL, and vice versa.
 */
typedef struct __CE_NameConstraints {
	CE_GeneralSubtrees *permitted;	// optional
	CE_GeneralSubtrees *excluded;	// optional
} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
710
711 /*
712 * PolicyMappings
713 *
714 * id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
715 *
716 * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
717 * issuerDomainPolicy CertPolicyId,
718 * subjectDomainPolicy CertPolicyId }
719 *
720 * Note that both issuer and subject policy OIDs are required,
721 * and are stored by value in this structure.
722 */
/* One policy mapping pair; both OIDs are required and stored by value. */
typedef struct __CE_PolicyMapping {
	CSSM_OID issuerDomainPolicy;
	CSSM_OID subjectDomainPolicy;
} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* The decoded policyMappings extension: numPolicyMappings pairs at policyMappings. */
typedef struct __CE_PolicyMappings {
	uint32 numPolicyMappings;
	CE_PolicyMapping *policyMappings;
} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
732
733 /*
734 * PolicyConstraints
735 *
736 * id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
737 *
738 * PolicyConstraints ::= SEQUENCE {
739 * requireExplicitPolicy [0] SkipCerts OPTIONAL,
740 * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
741 *
742 * SkipCerts ::= INTEGER (0..MAX)
743 */
/*
 * Decoded PolicyConstraints. Each SkipCerts value is meaningful only when
 * its *Present flag is CSSM_TRUE; see SecCEPolicyConstraints for the iOS form.
 */
typedef struct __CE_PolicyConstraints {
	CSSM_BOOL requireExplicitPolicyPresent;
	uint32 requireExplicitPolicy;		// optional
	CSSM_BOOL inhibitPolicyMappingPresent;
	uint32 inhibitPolicyMapping;		// optional
} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
750
/*
 * InhibitAnyPolicy, an integer (the SkipCerts count).
 *
 * CSSM OID = CSSMOID_InhibitAnyPolicy
 */
typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
757
/*
 * An enumerated list identifying one of the above per-extension structs;
 * the tag for CE_DataAndType.type, naming which CE_Data member is live.
 * The values are ABI (DT_Other sits mid-list, presumably appended when the
 * list was shorter); only ever add new tags at the end.
 */
typedef enum __CE_DataType {
	DT_AuthorityKeyID,			// CE_AuthorityKeyID
	DT_SubjectKeyID,			// CE_SubjectKeyID
	DT_KeyUsage,				// CE_KeyUsage
	DT_SubjectAltName,			// CE_GeneralNames (a whole GeneralNames, not one CE_GeneralName)
	DT_IssuerAltName,			// CE_GeneralNames
	DT_ExtendedKeyUsage,		// CE_ExtendedKeyUsage
	DT_BasicConstraints,		// CE_BasicConstraints
	DT_CertPolicies,			// CE_CertPolicies
	DT_NetscapeCertType,		// CE_NetscapeCertType
	DT_CrlNumber,				// CE_CrlNumber
	DT_DeltaCrl,				// CE_DeltaCrl
	DT_CrlReason,				// CE_CrlReason
	DT_CrlDistributionPoints,	// CE_CRLDistPointsSyntax
	DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
	DT_AuthorityInfoAccess,		// CE_AuthorityInfoAccess
	DT_Other,					// unknown, raw data as a CSSM_DATA (CE_Data.rawData)
	DT_QC_Statements,			// CE_QC_Statements
	DT_NameConstraints,			// CE_NameConstraints
	DT_PolicyMappings,			// CE_PolicyMappings
	DT_PolicyConstraints,		// CE_PolicyConstraints
	DT_InhibitAnyPolicy			// CE_InhibitAnyPolicy
} CE_DataType;
785
/*
 * One unified representation of all the cert and CRL extensions we know about.
 * Only the member selected by the accompanying CE_DataType is valid (see
 * CE_DataAndType); extensions this library does not decode land in rawData.
 */
typedef union {
	CE_AuthorityKeyID			authorityKeyID;			// DT_AuthorityKeyID
	CE_SubjectKeyID				subjectKeyID;			// DT_SubjectKeyID
	CE_KeyUsage					keyUsage;				// DT_KeyUsage
	CE_GeneralNames				subjectAltName;			// DT_SubjectAltName
	CE_GeneralNames				issuerAltName;			// DT_IssuerAltName
	CE_ExtendedKeyUsage			extendedKeyUsage;		// DT_ExtendedKeyUsage
	CE_BasicConstraints			basicConstraints;		// DT_BasicConstraints
	CE_CertPolicies				certPolicies;			// DT_CertPolicies
	CE_NetscapeCertType			netscapeCertType;		// DT_NetscapeCertType
	CE_CrlNumber				crlNumber;				// DT_CrlNumber
	CE_DeltaCrl					deltaCrl;				// DT_DeltaCrl
	CE_CrlReason				crlReason;				// DT_CrlReason
	CE_CRLDistPointsSyntax		crlDistPoints;			// DT_CrlDistributionPoints
	CE_IssuingDistributionPoint	issuingDistPoint;		// DT_IssuingDistributionPoint
	CE_AuthorityInfoAccess		authorityInfoAccess;	// DT_AuthorityInfoAccess
	CE_QC_Statements			qualifiedCertStatements;// DT_QC_Statements
	CE_NameConstraints			nameConstraints;		// DT_NameConstraints
	CE_PolicyMappings			policyMappings;			// DT_PolicyMappings
	CE_PolicyConstraints		policyConstraints;		// DT_PolicyConstraints
	CE_InhibitAnyPolicy			inhibitAnyPolicy;		// DT_InhibitAnyPolicy
	CSSM_DATA					rawData;				// DT_Other: unknown, not decoded
} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
812
/*
 * One decoded extension: which member of extension is live (type), the
 * decoded payload, and the extension's critical flag.
 * NOTE(review): type == DT_Other with critical == CSSM_TRUE is an
 * unrecognised critical extension; RFC 5280 4.2 requires a relying party to
 * reject the certificate in that case. Nothing in this header enforces it,
 * so every consumer of this struct must check it.
 */
typedef struct __CE_DataAndType {
	CE_DataType type;
	CE_Data extension;
	CSSM_BOOL critical;
} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
818
819 #endif /* SEC_OS_OSX */
820
821 #if SEC_OS_OSX
822 #pragma clang diagnostic pop
823 #endif
824
825 #endif /* _CERT_EXTENSIONS_H_ */