Security-57336.10.29.tar.gz
1 /*
2 * Copyright (c) 2003-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecPolicyPriv
26 Private part of SecPolicy.h
27 */
28
29 #ifndef _SECURITY_SECPOLICYPRIV_H_
30 #define _SECURITY_SECPOLICYPRIV_H_
31
32 #include <Security/SecPolicy.h>
33 #include <CoreFoundation/CFArray.h>
34
35
36 #if defined(__cplusplus)
37 extern "C" {
38 #endif
39
40 /*!
41 @enum Policy Constants (Private)
42 @discussion Predefined constants used to specify a policy.
   Each constant is declared below as an extern CFStringRef with its own
   availability annotation; five of them exist only when TARGET_OS_IPHONE is set.
   NOTE(review): the Test and QA variants are presumably counterparts for
   non-production certificate hierarchies. Confirm that callers never accept
   them where the production policy is required.
43 @constant kSecPolicyAppleMobileStore
44 @constant kSecPolicyAppleTestMobileStore
45 @constant kSecPolicyAppleEscrowService
46 @constant kSecPolicyAppleProfileSigner
47 @constant kSecPolicyAppleQAProfileSigner
48 @constant kSecPolicyAppleServerAuthentication
49 @constant kSecPolicyAppleOTAPKISigner (TARGET_OS_IPHONE only)
50 @constant kSecPolicyAppleTestOTAPKISigner (TARGET_OS_IPHONE only)
51 @constant kSecPolicyAppleIDValidationRecordSigningPolicy (TARGET_OS_IPHONE only)
52 @constant kSecPolicyAppleSMPEncryption (TARGET_OS_IPHONE only)
53 @constant kSecPolicyAppleTestSMPEncryption (TARGET_OS_IPHONE only)
54 @constant kSecPolicyApplePCSEscrowService
55 @constant kSecPolicyApplePPQSigning
56 @constant kSecPolicyAppleTestPPQSigning
57 @constant kSecPolicyAppleSWUpdateSigning
58 @constant kSecPolicyAppleATVAppSigning
59 @constant kSecPolicyAppleTestATVAppSigning
60 @constant kSecPolicyAppleOSXProvisioningProfileSigning
61
62 */
63 extern const CFStringRef kSecPolicyAppleMobileStore
64 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
65 extern const CFStringRef kSecPolicyAppleTestMobileStore
66 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
67 extern const CFStringRef kSecPolicyAppleEscrowService
68 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
69 extern const CFStringRef kSecPolicyAppleProfileSigner
70 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
71 extern const CFStringRef kSecPolicyAppleQAProfileSigner
72 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
73 extern const CFStringRef kSecPolicyAppleServerAuthentication
74 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
75 #if TARGET_OS_IPHONE
76 extern const CFStringRef kSecPolicyAppleOTAPKISigner
77 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
78 extern const CFStringRef kSecPolicyAppleTestOTAPKISigner
79 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
80 extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy
81 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
82 extern const CFStringRef kSecPolicyAppleSMPEncryption
83 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
84 extern const CFStringRef kSecPolicyAppleTestSMPEncryption
85 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
86 #endif
87 extern const CFStringRef kSecPolicyApplePCSEscrowService
88 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
89 extern const CFStringRef kSecPolicyApplePPQSigning
90 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
91 extern const CFStringRef kSecPolicyAppleTestPPQSigning
92 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
93 extern const CFStringRef kSecPolicyAppleSWUpdateSigning
94 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
95 extern const CFStringRef kSecPolicyAppleATVAppSigning
96 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
97 extern const CFStringRef kSecPolicyAppleTestATVAppSigning
98 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
99 extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning
100 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
101
102 /*!
103 @function SecPolicyCopy
104 @abstract Returns a copy of a policy reference based on certificate type and OID.
105 @param certificateType A certificate type.
106 @param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs.
107 @param policy The returned policy reference. This is a required parameter.
    NOTE(review): by the CoreFoundation "Copy" naming convention the caller presumably
    owns the returned reference and must release it; confirm against the implementation.
108 @result A result code. See "Security Error Codes" (SecBase.h).
    Check the result before using the returned reference; what is stored in policy
    on failure is not specified in this header.
109 @discussion This function is deprecated in Mac OS X 10.7 and later;
110 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h.
    The availability annotation marks it as unavailable on iOS (__IPHONE_NA).
111 */
112 OSStatus SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef* policy)
113 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
114
115 /*!
116 @function SecPolicyCopyAll
117 @abstract Returns an array of all known policies based on certificate type.
118 @param certificateType A certificate type. This is an optional parameter. Pass CSSM_CERT_UNKNOWN if the certificate type is unknown.
119 @param policies The returned array of policies. This is a required parameter.
    NOTE(review): by the CoreFoundation "Copy" naming convention the caller presumably
    owns the returned array and must release it; confirm against the implementation.
120 @result A result code. See "Security Error Codes" (SecBase.h).
    Check the result before using the returned array; what is stored in policies
    on failure is not specified in this header.
121 @discussion This function is deprecated in Mac OS X 10.7 and later;
122 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally
123 no reason to iterate over multiple disjointed policies, except to provide a way to edit trust settings for each
124 policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID
125 for each desired policy from the list of supported OID constants in SecPolicy.h.)
    The availability annotation marks it as unavailable on iOS (__IPHONE_NA).
126 */
127 OSStatus SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef* policies)
128 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
129
130 /* Given a unified SecPolicyRef, return a copy with a legacy
131 C++ ItemImpl-based Policy instance. Only for internal use;
132 legacy references cannot be used by SecPolicy API functions.
    Keep the returned reference separate from unified ones so it is never
    handed to those functions by mistake.
    NOTE(review): ownership of the result and its value on failure are not
    stated here; the "Create" name suggests the caller releases it - confirm. */
133 SecPolicyRef SecPolicyCreateItemImplInstance(SecPolicyRef policy);
134
135 /* Given a CSSM_OID pointer, return a string which can be passed
136 to SecPolicyCreateWithProperties. The return value can be NULL
137 if no supported policy was found for the OID argument.
    Callers must test for NULL before passing the result on; an unsupported
    OID must not silently turn into a different or missing policy.
    NOTE(review): oid is taken as a non-const pointer here, while SecPolicyCopy
    takes a const CSSM_OID pointer; whether the OID is modified is not visible
    in this header. The "Get" name suggests the caller does not own the
    returned string - confirm. */
138 CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid);
139
140 /*!
141 @function SecPolicyCreateAppleIDSService
142 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
    @param hostname Host name the policy is created for. NOTE(review): presumably the
    name the server certificate must match; whether NULL is accepted is not stated here.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
143 */
144 SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname);
145
146 /*!
147 @function SecPolicyCreateAppleIDSServiceContext
148 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
    @param hostname Host name the policy is created for. NOTE(review): presumably the
    name the server certificate must match; whether NULL is accepted is not stated here.
    @param context A CFDictionaryRef. Its keys, and whether it may be NULL, are not
    described in this header. NOTE(review): if any key can relax the pinning, the
    dictionary must not be built from untrusted input - confirm in the implementation.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
149 */
150 SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef context);
151
152 /*!
153 @function SecPolicyCreateApplePushService
154 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
    @param hostname Host name the policy is created for. NOTE(review): presumably the
    name the server certificate must match; whether NULL is accepted is not stated here.
    @param context A CFDictionaryRef. Its keys, and whether it may be NULL, are not
    described in this header. NOTE(review): if any key can relax the pinning, the
    dictionary must not be built from untrusted input - confirm in the implementation.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
155 */
156 SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef context);
157
158 /*!
159 @function SecPolicyCreateApplePushServiceLegacy
160 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
    @param hostname Host name the policy is created for. NOTE(review): presumably the
    name the server certificate must match; whether NULL is accepted is not stated here.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
    @discussion NOTE(review): how the "Legacy" checks differ from
    SecPolicyCreateApplePushService is not described here; confirm which
    restrictions this variant enforces before relying on it for new code.
161 */
162 SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname);
163
164 /*!
165 @function SecPolicyCreateAppleMMCSService
166 @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)
    @param hostname Host name the policy is created for. NOTE(review): presumably the
    name the server certificate must match; whether NULL is accepted is not stated here.
    @param context A CFDictionaryRef. Its keys, and whether it may be NULL, are not
    described in this header. NOTE(review): if any key can relax the pinning, the
    dictionary must not be built from untrusted input - confirm in the implementation.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
167 */
168 SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef context);
169
170 /*!
171 @function SecPolicyCreateAppleGSService
172 @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions)
    @param hostname Host name the policy is created for. NOTE(review): presumably the
    name the server certificate must match; whether NULL is accepted is not stated here.
    @param context A CFDictionaryRef. Its keys, and whether it may be NULL, are not
    described in this header. NOTE(review): if any key can relax the pinning, the
    dictionary must not be built from untrusted input - confirm in the implementation.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
    @discussion Annotated as available starting with OS X 10.11 and iOS 9.0.
173 */
174 SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef context)
175 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
176
177 /*!
178 @function SecPolicyCreateApplePPQService
179 @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions)
    @param hostname Host name the policy is created for. NOTE(review): presumably the
    name the server certificate must match; whether NULL is accepted is not stated here.
    @param context A CFDictionaryRef. Its keys, and whether it may be NULL, are not
    described in this header. NOTE(review): if any key can relax the pinning, the
    dictionary must not be built from untrusted input - confirm in the implementation.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
    @discussion NOTE(review): this declaration carries no availability annotation,
    unlike SecPolicyCreateAppleGSService and the kSecPolicyApplePPQSigning constant;
    confirm that this is intended.
180 */
181 SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef context);
182
183 /*!
184 @function SecPolicyCreateAppleSSLService
185 @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
    @param hostname Host name the policy is created for. NOTE(review): presumably the
    name the server certificate must match; whether NULL is accepted is not stated here.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
186 */
187 SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname);
188
189 /*!
190 @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies
191 @abstract Create timeStamping policy array from a given set of policies by applying identical revocation behavior
192 @param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef
    The parameter is an untyped CFTypeRef, so the compiler cannot reject other
    object types. NOTE(review): behavior for any other type, for NULL, or for an
    array holding non-policy elements is not stated here; confirm the
    implementation checks the type before use.
    @result A CFArrayRef of policies. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
193 */
194 CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray);
195
196 /*!
197 @function SecPolicyCreateAppleATVAppSigning
198 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
199 and Apple anchor.
200 Leaf cert must have Digital Signature usage.
201 Leaf cert must have Apple ATV App Signing marker OID (1.2.840.113635.100.6.1.24).
202 Leaf cert must have 'Apple TVOS Application Signing' common name.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
    @discussion Annotated as available starting with OS X 10.11 and iOS 9.0.
    NOTE(review): as described, the intermediate and the leaf are identified by
    name; a name alone does not authenticate a certificate, so the assurance
    rests on the chain also ending at the Apple anchor. Confirm the
    implementation enforces all of the listed checks together.
203 */
204 SecPolicyRef SecPolicyCreateAppleATVAppSigning(void)
205 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
206
207 /*!
208 @function SecPolicyCreateTestAppleATVAppSigning
209 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
210 and Apple anchor.
211 Leaf cert must have Digital Signature usage.
212 Leaf cert must have Apple ATV App Signing Test marker OID (1.2.840.113635.100.6.1.24.1).
213 Leaf cert must have 'TEST Apple TVOS Application Signing TEST' common name.
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
    @discussion Annotated as available starting with OS X 10.11 and iOS 9.0.
    This policy accepts the Test marker OID and the TEST common name, which
    differ from those listed for SecPolicyCreateAppleATVAppSigning.
    NOTE(review): presumably meant for test-signed content only; confirm it is
    never used where production signing must be verified.
214 */
215 SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void)
216 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
217
218 /*!
219 @function SecPolicyCreateApplePayIssuerEncryption
220 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations CA - G2' by name,
221 and Apple anchor.
222 Leaf cert must have Key Encipherment and Key Agreement usage.
223 Leaf cert must have Apple Pay Issuer Encryption marker OID (1.2.840.113635.100.6.39).
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
    @discussion Annotated as available starting with OS X 10.11 and iOS 9.0.
    NOTE(review): as described, the intermediate is identified by name; a name
    alone does not authenticate a certificate, so the assurance rests on the
    chain also ending at the Apple anchor. Confirm the implementation enforces
    all of the listed checks together.
224 */
225 SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
226 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
227
228 /*!
229 @function SecPolicyCreateOSXProvisioningProfileSigning
230 @abstract Check for leaf marker OID 1.2.840.113635.100.4.11,
231 intermediate marker OID 1.2.840.113635.100.6.2.1,
232 chains to Apple Root CA
    @result A policy reference. NOTE(review): ownership and the failure value
    (presumably NULL) are not stated in this header; confirm before use.
    @discussion Annotated as available starting with OS X 10.11 and iOS 9.0.
    NOTE(review): no key-usage or common-name requirement is listed for this
    policy, unlike the ATV app signing policies in this header; confirm whether
    the implementation applies any.
233 */
234 SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void)
235 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
236
237 #if defined(__cplusplus)
238 }
239 #endif
240
241 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */