]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/SecPolicyPriv.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57336.10.29.tar.gz
[apple/security.git] / OSX / sec / Security / SecPolicyPriv.h
1 /*
2 * Copyright (c) 2007-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecPolicyPriv
26 The functions provided in SecPolicyPriv provide an interface to various
27 X.509 certificate trust policies.
28 */
29
30 #ifndef _SECURITY_SECPOLICYPRIV_H_
31 #define _SECURITY_SECPOLICYPRIV_H_
32
33 #include <Security/SecPolicy.h>
34 #include <Security/SecCertificate.h>
35 #include <CoreFoundation/CFArray.h>
36 #include <CoreFoundation/CFString.h>
37 #include <Availability.h>
38
39 __BEGIN_DECLS
40
41 /*!
42 @enum Policy Constants (Private)
43 @discussion Predefined constants used to specify a policy.
44 @constant kSecPolicyApplePassbookSigning
45 @constant kSecPolicyAppleMobileStore
46 @constant kSecPolicyAppleTestMobileStore
47 @constant kSecPolicyAppleEscrowService
48 @constant kSecPolicyAppleProfileSigner
49 @constant kSecPolicyAppleQAProfileSigner
50 @constant kSecPolicyAppleServerAuthentication
51 @constant kSecPolicyAppleOTAPKISigner
52 @constant kSecPolicyAppleTestOTAPKISigner
53 @constant kSecPolicyAppleIDValidationRecordSigning
54 @constant kSecPolicyAppleSMPEncryption
55 @constant kSecPolicyAppleTestSMPEncryption
56 @constant kSecPolicyApplePCSEscrowService
57 @constant kSecPolicyAppleSWUpdateSigning
58 @constant kSecPolicyApplePackageSigning
59 @constant kSecPolicyAppleATVAppSigning
60 @constant kSecPolicyAppleTestATVAppSigning
61 @constant kSecPolicyAppleOSXProvisioningProfileSigning
62 */
63 extern const CFStringRef kSecPolicyApplePassbookSigning
64 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
65 extern const CFStringRef kSecPolicyAppleMobileStore
66 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
67 extern const CFStringRef kSecPolicyAppleTestMobileStore
68 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
69 extern const CFStringRef kSecPolicyAppleEscrowService
70 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
71 extern const CFStringRef kSecPolicyAppleProfileSigner
72 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
73 extern const CFStringRef kSecPolicyAppleQAProfileSigner
74 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
75 extern const CFStringRef kSecPolicyAppleServerAuthentication
76 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
77 #if TARGET_OS_IPHONE
78 extern const CFStringRef kSecPolicyAppleOTAPKISigner
79 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
80 extern const CFStringRef kSecPolicyAppleTestOTAPKISigner
81 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
82 extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy
83 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0);
84 extern const CFStringRef kSecPolicyAppleSMPEncryption
85 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
86 extern const CFStringRef kSecPolicyAppleTestSMPEncryption
87 __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0);
88 #endif
89 extern const CFStringRef kSecPolicyApplePCSEscrowService
90 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_7_0);
91 extern const CFStringRef kSecPolicyAppleSWUpdateSigning
92 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
93 extern const CFStringRef kSecPolicyApplePackageSigning
94 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
95 extern const CFStringRef kSecPolicyAppleATVAppSigning
96 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
97 extern const CFStringRef kSecPolicyAppleTestATVAppSigning
98 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
99 extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning
100 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
101
102
103 /*!
104 @enum Policy Value Constants
105 @abstract Predefined property key constants used to get or set values in
106 a dictionary for a policy instance.
107 @constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a
108 team identifier which must be matched in the certificate to satisfy
109 this policy. For the Passbook signing policy, this string must match
110 the Organizational Unit field of the certificate subject.
111 */
112 extern const CFStringRef kSecPolicyTeamIdentifier
113 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
114
115 /*!
116 @function SecPolicyCreateiPhoneActivation
117 @abstract Returns a policy object for verifying iPhone Activation
118 certificate chains.
119 @discussion This policy is like the Basic X.509 policy with the additional
120 requirements that the chain must contain exactly three certificates, the
121 anchor is the Apple Inc. CA, and the subject of the first intermediate
122 certificate has "Apple iPhone Certification Authority" as its only
123 Common Name entry.
124 @result A policy object. The caller is responsible for calling CFRelease
125 on this when it is no longer needed.
126 */
127 SecPolicyRef SecPolicyCreateiPhoneActivation(void);
128
129 /*!
130 @function SecPolicyCreateiPhoneDeviceCertificate
131 @abstract Returns a policy object for verifying iPhone Device certificate
132 chains.
133 @discussion This policy is like the Basic X.509 policy with the additional
134 requirements that the chain must contain exactly four certificates, the
135 anchor is the Apple Inc. CA, and the subject of the first intermediate
136 certificate has "Apple iPhone Device CA" as its only Common Name entry.
137 @result A policy object. The caller is responsible for calling CFRelease
138 on this when it is no longer needed.
139 */
140 SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
141
142 /*!
143 @function SecPolicyCreateFactoryDeviceCertificate
144 @abstract Returns a policy object for verifying Factory Device certificate
145 chains.
146 @discussion This policy is like the Basic X.509 policy with the additional
147 requirements that the chain must be anchored to the factory device certificate
148 issuer.
149 @result A policy object. The caller is responsible for calling CFRelease
150 on this when it is no longer needed.
151 */
152 SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
153
154 /*!
155 @function SecPolicyCreateiAP
156 @abstract Returns a policy object for verifying iAP certificate chains.
157 @discussion This policy is like the Basic X.509 policy with these
158 additional requirements:
159 * The leaf's NotValidBefore should be greater than 5/31/06 midnight GMT.
160 * The Common Name of the leaf begins with the characters "IPA_".
161 * No validity checking is performed for any of the certificates.
162 The intended use of this policy is that the caller pass in the
163 intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
164 @result A policy object. The caller is responsible for calling CFRelease
165 on this when it is no longer needed.
166 */
167 SecPolicyRef SecPolicyCreateiAP(void);
168
169 /*!
170 @function SecPolicyCreateiTunesStoreURLBag
171 @abstract Returns a policy object for verifying iTunes Store URL bag
172 certificates.
173 @discussion This policy is like the Basic X.509 policy with these
174 additional requirements:
175 * The leaf's Organization is Apple Inc.
176 * The Common Name of the leaf is "iTunes Store URL Bag".
177 @result A policy object. The caller is responsible for calling CFRelease
178 on this when it is no longer needed.
179 */
180 SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
181
182 /*!
183 @function SecPolicyCreateEAP
184 @abstract Returns a policy object for verifying for 802.1x/EAP certificates.
185 @param server Passing true for this parameter create a policy for EAP
186 server certificates.
187 @param trustedServerNames Optional; if present, the hostname in the leaf
188 certificate must be in the trustedServerNames list. Note that contrary
189 to all other policies the trustedServerNames list entries can have wildcards
190 whilst the certificate cannot. This matches the existing deployments.
191 @result A policy object. The caller is responsible for calling CFRelease
192 on this when it is no longer needed.
193 */
194 SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef trustedServerNames);
195
196 /*!
197 @function SecPolicyCreateIPSec
198 @abstract Returns a policy object for evaluating IPSec certificate chains.
199 @param server Passing true for this parameter create a policy for IPSec
200 server certificates.
201 @param hostname Optional; if present, the policy will require the specified
202 hostname or ip address to match the hostname in the leaf certificate.
203 @result A policy object. The caller is responsible for calling CFRelease
204 on this when it is no longer needed.
205 */
206 SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef hostname);
207
208 /*!
209 @function SecPolicyCreateAppleSWUpdateSigning
210 @abstract Returned a policy object for evaluating SW update signing certs.
211 @result A policy object. The caller is responsible for calling CFRelease
212 on this when it is no longer needed.
213 */
214 SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void);
215
216 /*!
217 @function SecPolicyCreateApplePackageSigning
218 @abstract Returned a policy object for evaluating installer package signing certs.
219 @result A policy object. The caller is responsible for calling CFRelease
220 on this when it is no longer needed.
221 */
222 SecPolicyRef SecPolicyCreateApplePackageSigning(void);
223
224 /*!
225 @function SecPolicyCreateiPhoneApplicationSigning
226 @abstract Returns a policy object for evaluating signed application
227 signatures. This is for apps signed directly by the app store.
228 @result A policy object. The caller is responsible for calling CFRelease
229 on this when it is no longer needed.
230 */
231 SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
232
233 /*!
234 @function SecPolicyCreateiPhoneProfileApplicationSigning
235 @abstract Returns a policy object for evaluating signed application
236 signatures. This is meant for certificates inside a UPP or regular
237 profile. Currently it only checks for experation of the leaf and
238 revocation status.
239 @result A policy object. The caller is responsible for calling CFRelease
240 on this when it is no longer needed.
241 */
242 SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
243
244 /*!
245 @function SecPolicyCreateiPhoneProvisioningProfileSigning
246 @abstract Returns a policy object for evaluating provisioning profile signatures.
247 @result A policy object. The caller is responsible for calling CFRelease
248 on this when it is no longer needed.
249 */
250 SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
251
252 /*!
253 @function SecPolicyCreateAppleTVOSApplicationSigning
254 @abstract Returns a policy object for evaluating signed application
255 signatures. This is for apps signed directly by the Apple TV app store,
256 and allows for both the prod and the dev/test certs.
257 @result A policy object. The caller is responsible for calling CFRelease
258 on this when it is no longer needed.
259 */
260 SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void);
261
262 /*!
263 @function SecPolicyCreateOCSPSigner
264 @abstract Returns a policy object for evaluating ocsp response signers.
265 @result A policy object. The caller is responsible for calling CFRelease
266 on this when it is no longer needed.
267 */
268 SecPolicyRef SecPolicyCreateOCSPSigner(void);
269
270
271 enum {
272 kSecSignSMIMEUsage = (1 << 0),
273 kSecKeyEncryptSMIMEUsage = (1 << 1),
274 kSecDataEncryptSMIMEUsage = (1 << 2),
275 kSecKeyExchangeDecryptSMIMEUsage = (1 << 3),
276 kSecKeyExchangeEncryptSMIMEUsage = (1 << 4),
277 kSecKeyExchangeBothSMIMEUsage = (1 << 5),
278 kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage | kSecDataEncryptSMIMEUsage |
279 kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage
280 };
281
282 /*!
283 @function SecPolicyCreateSMIME
284 @abstract Returns a policy object for evaluating S/MIME certificate chains.
285 @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
286 flags, to indicated the intended usage of this certificate. A certificate which allows
287 @param email Optional; if present, the policy will require the specified
288 email to match the email in the leaf certificate.
289 @result A policy object. The caller is responsible for calling CFRelease
290 on this when it is no longer needed.
291 */
292 SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef email);
293
294 /*!
295 @function SecPolicyCreateCodeSigning
296 @abstract Returns a policy object for evaluating code signing certificate chains.
297 @result A policy object. The caller is responsible for calling CFRelease
298 on this when it is no longer needed.
299 */
300 SecPolicyRef SecPolicyCreateCodeSigning(void);
301
302 /*!
303 @function SecPolicyCreateLockdownPairing
304 @abstract basic x509 policy for checking lockdown pairing certificate chains.
305 It explicitly allows for empty subjects
306 */
307 SecPolicyRef SecPolicyCreateLockdownPairing(void);
308
309 /*!
310 @function SecPolicyCreateURLBag
311 @abstract check for private CA, eku codesigning and certificate policy that
312 pertains to signing of URL bags.
313 */
314 SecPolicyRef SecPolicyCreateURLBag(void);
315
316 /*!
317 @function SecPolicyCreateOTATasking
318 @abstract check for 3 long chain through Apple Certification Policy with common name
319 "OTA Task Signing".
320 */
321 SecPolicyRef SecPolicyCreateOTATasking(void);
322
323 /*!
324 @function SecPolicyCreateMobileAsset
325 @abstract check for 3 long chain through Apple Certification Policy with common name
326 "Asset Manifest Signing".
327 */
328 SecPolicyRef SecPolicyCreateMobileAsset(void);
329
330 /*!
331 @function SecPolicyCreateAppleIDAuthorityPolicy
332 @abstract check for an Apple ID identity per marker in the leaf and marker in the intermediate, rooted in the Apple CA.
333 */
334 SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);
335
336 /*!
337 @function SecPolicyCreateMacAppStoreReceipt
338 @abstract check for valid Mac App Store receipt signing certificate chain
339 */
340 SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void);
341
342 /*!
343 @function SecPolicyCreatePassbookCardSigner
344 @abstract check rooted in the Apple CA, eku passbook, marker passbook and name matching
345 @param cardIssuer Required; must match name in marker extension.
346 @param teamIdentifier Optional; if present, the policy will require the specified
347 team ID to match the organizationalUnit field in the leaf certificate's subject.
348 @result A policy object. The caller is responsible for calling CFRelease
349 on this when it is no longer needed.
350 */
351 SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
352 CFStringRef teamIdentifier);
353
354 /*!
355 @function SecPolicyCreateMobileStoreSigner
356 @abstract Check for key usage of digital signature,
357 check for 3 long chain through Apple System Integration 2 Certification Authority
358 with a certificate policy OID of 1.2.840.113635.100.5.12 that roots to the
359 Apple root
360 */
361 SecPolicyRef SecPolicyCreateMobileStoreSigner(void);
362
363 /*!
364 @function SecPolicyCreateTestMobileStoreSigner
365 @abstract Check for key usage of digital signature,
366 check for 3 long chain through Apple System Integration 2 Certification Authority
367 with a certificate policy OID of 1.2.840.113635.100.5.12.1 that roots to the
368 Apple root
369 */
370 SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void);
371
372 /*!
373 @function SecPolicyCreateEscrowServiceSigner
374 @abstract Check for key usage of digital signature, has a leaf marker OID of
375 1.2.840.113635.100.6.23.1 and roots to the production Escrow Root
376 */
377 SecPolicyRef SecPolicyCreateEscrowServiceSigner(void);
378
379 /*!
380 @function SecPolicyCreatePCSEscrowServiceSigner
381 @abstract Check for key usage of digital signature, has a leaf marker OID of
382 1.2.840.113635.100.6.23.1 and roots to the production PCS Escrow Root
383 */
384 SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void);
385
386 /*!
387 @function SecPolicyCopyEscrowRootCertificate
388 @abstract Return back the Root certificate for the Escrow service
389 */
390 SecCertificateRef SecPolicyCopyEscrowRootCertificate(void);
391
392 /*!
393 @function SecPolicyCreateOSXProvisioningProfileSigning
394 @abstract Check for leaf marker OID 1.2.840.113635.100.4.11,
395 intermediate marker OID 1.2.840.113635.100.6.2.1,
396 chains to Apple Root CA
397 */
398 SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void);
399
400 /*!
401 @function SecPolicyCreateConfigurationProfileSigner
402 @abstract Check for key usage of digital signature, has a EKU OID of
403 1.2.840.113635.100.4.16 and
404 roots to Apple Application Integration 2 Certification Authority
405 */
406 SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);
407
408 /*!
409 @function SecPolicyCreateQAConfigurationProfileSigner
410 @abstract Check for key usage of digital signature, has a EKU OID of
411 1.2.840.113635.100.4.17 and
412 roots to Apple Application Integration 2 Certification Authority
413 */
414 SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);
415
416 /*!
417 @function SecPolicyCreateOTAPKISigner
418 @abstract Check for key usage of digital signature, and
419 roots to Apple PKI Settings Root Certification Authority
420 */
421 SecPolicyRef SecPolicyCreateOTAPKISigner(void);
422
423 /*!
424 @function SecPolicyCreateTestOTAPKISigner
425 @abstract Check for key usage of digital signature, and
426 roots to Apple PKI Settings Root - TESTING
427 */
428 SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);
429
430 /*!
431 @function SecPolicyCreateAppleIDValidationRecordSigningPolicy
432 @abstract Check for leaf certificate contains the
433 appleIDValidationRecordSigning (1 2 840 113635 100 6 25), and
434 intermediate certificate contains
435 appleCertificateExtensionApplicationIntegrationIntermediate
436 (1 2 840 113635 100 6 2 3) and
437 appleCertificateExtensionSystemIntegration2Intermediate
438 (1 2 840 113635 100 6 2 10) and roots to the Apple root
439 */
440 SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);
441
442 /*!
443 @function SecPolicyCreateAppleSMPEncryption
444 @abstract Check for intermediate certificate 'Apple System Integration CA - ECC' by name,
445 and root certificate 'Apple Root CA - ECC' by hash.
446 Leaf cert must have Key Encipherment usage. Other checks TBD.
447 */
448 SecPolicyRef SecPolicyCreateAppleSMPEncryption(void);
449
450 /*!
451 @function SecPolicyCreateTestAppleSMPEncryption
452 @abstract Check for intermediate certificate 'Test Apple System Integration CA - ECC' by name,
453 and root certificate 'Test Apple Root CA - ECC' by hash.
454 Leaf cert must have Key Encipherment usage. Other checks TBD.
455 */
456 SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void);
457
458 /*!
459 @function SecPolicyCreateApplePPQSigning
460 @abstract Check for intermediate certificate 'Apple System Integration 2 Certification Authority' by name,
461 and apple anchor.
462 Leaf cert must have Digital Signature usage.
463 Leaf cert must have Apple PPQ Signing marker OID (1.2.840.113635.100.6.38.2).
464 Intermediate must have marker OID (1.2.840.113635.100.6.2.10).
465 */
466 SecPolicyRef SecPolicyCreateApplePPQSigning(void);
467
468 /*!
469 @function SecPolicyCreateTestApplePPQSigning
470 @abstract Check for intermediate certificate 'Apple System Integration 2 Certification Authority' by name,
471 and apple anchor.
472 Leaf cert must have Digital Signature usage.
473 Leaf cert must have Apple PPQ Signing Test marker OID (1.2.840.113635.100.6.38.1).
474 Intermediate must have marker OID (1.2.840.113635.100.6.2.10).
475 */
476 SecPolicyRef SecPolicyCreateTestApplePPQSigning(void);
477
478 /*!
479 @function SecPolicyCreateAppleIDSService
480 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
481 */
482 SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname);
483
484 /*!
485 @function SecPolicyCreateAppleIDSServiceContext
486 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
487 */
488 SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef context);
489
490 /*!
491 @function SecPolicyCreateApplePushService
492 @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
493 */
494 SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef context);
495
496 /*!
497 @function SecPolicyCreateApplePushServiceLegacy
498 @abstract Ensure we're appropriately pinned to the Push service (via Entrust)
499 */
500 SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname);
501
502 /*!
503 @function SecPolicyCreateAppleMMCSService
504 @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)
505 */
506 SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef context);
507
508 /*!
509 @function SecPolicyCreateAppleGSService
510 @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions)
511 */
512 SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef context)
513 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
514
515 /*!
516 @function SecPolicyCreateApplePPQService
517 @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions)
518 */
519 SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef context)
520 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
521
522 /*!
523 @function SecPolicyCreateAppleSSLService
524 @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
525 */
526 SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname);
527
528 /*!
529 @function SecPolicyCreateAppleTimeStamping
530 @abstract Check for RFC3161 timestamping EKU.
531 */
532 SecPolicyRef SecPolicyCreateAppleTimeStamping(void);
533
534 /*!
535 @function SecPolicyCreateAppleATVAppSigning
536 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
537 and apple anchor.
538 Leaf cert must have Digital Signature usage.
539 Leaf cert must have Apple ATV App Signing marker OID (1.2.840.113635.100.6.1.24).
540 Leaf cert must have 'Apple TVOS Application Signing' common name.
541 */
542 SecPolicyRef SecPolicyCreateAppleATVAppSigning(void)
543 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
544
545 /*!
546 @function SecPolicyCreateTestAppleATVAppSigning
547 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
548 and apple anchor.
549 Leaf cert must have Digital Signature usage.
550 Leaf cert must have Apple ATV App Signing Test marker OID (1.2.840.113635.100.6.1.24.1).
551 Leaf cert must have 'TEST Apple TVOS Application Signing TEST' common name.
552 */
553 SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void)
554 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
555
556
557 /*!
558 @function SecPolicyCreateApplePayIssuerEncryption
559 @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations CA - G2' by name,
560 and apple anchor.
561 Leaf cert must have Key Encipherment and Key Agreement usage.
562 Leaf cert must have Apple Pay Issuer Encryption marker OID (1.2.840.113635.100.6.39).
563 */
564 SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
565 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
566
567 __END_DECLS
568
569 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */
mirror of Security