2 * Copyright (c) 2003-2015 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 Private part of SecPolicy.h
29 #ifndef _SECURITY_SECPOLICYPRIV_H_
30 #define _SECURITY_SECPOLICYPRIV_H_
32 #include <Security/SecPolicy.h>
33 #include <CoreFoundation/CFArray.h>
36 #if defined(__cplusplus)
41 @enum Policy Constants (Private)
42 @discussion Predefined constants used to specify a policy.
43 @constant kSecPolicyAppleMobileStore
44 @constant kSecPolicyAppleTestMobileStore
45 @constant kSecPolicyAppleEscrowService
46 @constant kSecPolicyAppleProfileSigner
47 @constant kSecPolicyAppleQAProfileSigner
48 @constant kSecPolicyAppleServerAuthentication
49 @constant kSecPolicyAppleOTAPKISigner
50 @constant kSecPolicyAppleTestOTAPKISigner
52 @constant kSecPolicyAppleIDValidationRecordSigningPolicy
52 @constant kSecPolicyAppleSMPEncryption
53 @constant kSecPolicyAppleTestSMPEncryption
54 @constant kSecPolicyApplePCSEscrowService
55 @constant kSecPolicyApplePPQSigning
56 @constant kSecPolicyAppleTestPPQSigning
57 @constant kSecPolicyAppleSWUpdateSigning
58 @constant kSecPolicyAppleATVAppSigning
59 @constant kSecPolicyAppleTestATVAppSigning
60 @constant kSecPolicyAppleOSXProvisioningProfileSigning
63 extern const CFStringRef kSecPolicyAppleMobileStore
64 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
65 extern const CFStringRef kSecPolicyAppleTestMobileStore
66 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
67 extern const CFStringRef kSecPolicyAppleEscrowService
68 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
69 extern const CFStringRef kSecPolicyAppleProfileSigner
70 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
71 extern const CFStringRef kSecPolicyAppleQAProfileSigner
72 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
73 extern const CFStringRef kSecPolicyAppleServerAuthentication
74 __OSX_AVAILABLE_STARTING(__MAC_10_10
, __IPHONE_8_0
);
76 extern const CFStringRef kSecPolicyAppleOTAPKISigner
77 __OSX_AVAILABLE_STARTING(__MAC_NA
, __IPHONE_7_0
);
78 extern const CFStringRef kSecPolicyAppleTestOTAPKISigner
79 __OSX_AVAILABLE_STARTING(__MAC_NA
, __IPHONE_7_0
);
80 extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy
81 __OSX_AVAILABLE_STARTING(__MAC_NA
, __IPHONE_7_0
);
82 extern const CFStringRef kSecPolicyAppleSMPEncryption
83 __OSX_AVAILABLE_STARTING(__MAC_NA
, __IPHONE_8_0
);
84 extern const CFStringRef kSecPolicyAppleTestSMPEncryption
85 __OSX_AVAILABLE_STARTING(__MAC_NA
, __IPHONE_8_0
);
87 extern const CFStringRef kSecPolicyApplePCSEscrowService
88 __OSX_AVAILABLE_STARTING(__MAC_10_10
, __IPHONE_8_0
);
89 extern const CFStringRef kSecPolicyApplePPQSigning
90 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
91 extern const CFStringRef kSecPolicyAppleTestPPQSigning
92 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
93 extern const CFStringRef kSecPolicyAppleSWUpdateSigning
94 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
95 extern const CFStringRef kSecPolicyAppleATVAppSigning
96 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
97 extern const CFStringRef kSecPolicyAppleTestATVAppSigning
98 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
99 extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning
100 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
103 @function SecPolicyCopy
104 @abstract Returns a copy of a policy reference based on certificate type and OID.
105 @param certificateType A certificate type.
106 @param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs.
107 @param policy The returned policy reference. This is a required parameter.
108 @result A result code. See "Security Error Codes" (SecBase.h).
109 @discussion This function is deprecated in Mac OS X 10.7 and later;
110 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h.
112 OSStatus
SecPolicyCopy(CSSM_CERT_TYPE certificateType
, const CSSM_OID
*policyOID
, SecPolicyRef
* policy
)
113 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3
, __MAC_10_7
, __IPHONE_NA
, __IPHONE_NA
);
116 @function SecPolicyCopyAll
117 @abstract Returns an array of all known policies based on certificate type.
118 @param certificateType A certificate type. This is an optional parameter. Pass CSSM_CERT_UNKNOWN if the certificate type is unknown.
119 @param policies The returned array of policies. This is a required parameter.
120 @result A result code. See "Security Error Codes" (SecBase.h).
121 @discussion This function is deprecated in Mac OS X 10.7 and later;
122 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally
123 no reason to iterate over multiple disjoint policies, except to provide a way to edit trust settings for each
124 policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID
125 for each desired policy from the list of supported OID constants in SecPolicy.h.)
127 OSStatus
SecPolicyCopyAll(CSSM_CERT_TYPE certificateType
, CFArrayRef
* policies
)
128 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3
, __MAC_10_7
, __IPHONE_NA
, __IPHONE_NA
);
130 /* Given a unified SecPolicyRef, return a copy with a legacy
131 C++ ItemImpl-based Policy instance. Only for internal use;
132 legacy references cannot be used by SecPolicy API functions. */
133 SecPolicyRef
SecPolicyCreateItemImplInstance(SecPolicyRef policy
);
135 /* Given a CSSM_OID pointer, return a string which can be passed
136 to SecPolicyCreateWithProperties. The return value can be NULL
137 if no supported policy was found for the OID argument. */
138 CFStringRef
SecPolicyGetStringForOID(CSSM_OID
* oid
);
141 @function SecPolicyCreateAppleIDSService
142 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
144 SecPolicyRef
SecPolicyCreateAppleIDSService(CFStringRef hostname
);
147 @function SecPolicyCreateAppleIDSServiceContext
148 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
150 SecPolicyRef
SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname
, CFDictionaryRef context
);
153 @function SecPolicyCreateApplePushService
154 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
156 SecPolicyRef
SecPolicyCreateApplePushService(CFStringRef hostname
, CFDictionaryRef context
);
159 @function SecPolicyCreateApplePushServiceLegacy
160 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
162 SecPolicyRef
SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname
);
165 @function SecPolicyCreateAppleMMCSService
166 @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)
168 SecPolicyRef
SecPolicyCreateAppleMMCSService(CFStringRef hostname
, CFDictionaryRef context
);
171 @function SecPolicyCreateAppleGSService
172 @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions)
174 SecPolicyRef
SecPolicyCreateAppleGSService(CFStringRef hostname
, CFDictionaryRef context
)
175 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
178 @function SecPolicyCreateApplePPQService
179 @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions)
181 SecPolicyRef
SecPolicyCreateApplePPQService(CFStringRef hostname
, CFDictionaryRef context
);
184 @function SecPolicyCreateAppleSSLService
185 @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
187 SecPolicyRef
SecPolicyCreateAppleSSLService(CFStringRef hostname
);
190 @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies
191 @abstract Create a timestamping policy array from the given policy or policies, applying the same revocation behavior to each
192 @param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef
194 CFArrayRef
SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray
);
197 @function SecPolicyCreateAppleATVAppSigning
198 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
200 Leaf cert must have Digital Signature usage.
201 Leaf cert must have Apple ATV App Signing marker OID (1.2.840.113635.100.6.1.24).
202 Leaf cert must have 'Apple TVOS Application Signing' common name.
204 SecPolicyRef
SecPolicyCreateAppleATVAppSigning(void)
205 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
208 @function SecPolicyCreateTestAppleATVAppSigning
209 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
211 Leaf cert must have Digital Signature usage.
212 Leaf cert must have Apple ATV App Signing Test marker OID (1.2.840.113635.100.6.1.24.1).
213 Leaf cert must have 'TEST Apple TVOS Application Signing TEST' common name.
215 SecPolicyRef
SecPolicyCreateTestAppleATVAppSigning(void)
216 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
219 @function SecPolicyCreateApplePayIssuerEncryption
220 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations CA - G2' by name,
222 Leaf cert must have Key Encipherment and Key Agreement usage.
223 Leaf cert must have Apple Pay Issuer Encryption marker OID (1.2.840.113635.100.6.39).
225 SecPolicyRef
SecPolicyCreateApplePayIssuerEncryption(void)
226 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
229 @function SecPolicyCreateOSXProvisioningProfileSigning
230 @abstract Check for leaf marker OID 1.2.840.113635.100.4.11,
231 intermediate marker OID 1.2.840.113635.100.6.2.1,
232 chains to Apple Root CA
234 SecPolicyRef
SecPolicyCreateOSXProvisioningProfileSigning(void)
235 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
237 #if defined(__cplusplus)
241 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */