1 /*
2 * Copyright (c) 2000-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * cssmapple.h -- CSSM features specific to Apple's Implementation
24 */
25
26 #ifndef _CSSMAPPLE_H_
27 #define _CSSMAPPLE_H_ 1
28
29 #include <Security/cssmerr.h>
30 #include <Security/cssmtype.h>
31 #include <Security/x509defs.h> /* for CSSM_APPLE_TP_CERT_REQUEST fields */
32 #include <Security/certextensions.h> /* ditto */
33 #include <sys/types.h> /* for the BSD *_t types */
34 #include <stdbool.h>
35
36 #ifdef __cplusplus
37 extern "C" {
38 #endif
39
/* Guids for standard Apple addin modules.
 *
 * Each declaration below names one CDSA add-in module; the braced value in
 * its comment is that module's GUID. The ten GUIDs are consecutive
 * (...ca0 through ...ca9) and differ only in the last nibble of the first
 * group. These are declarations only -- the objects are defined in the
 * library, so this header adds no storage. */

/* CSSM itself: {87191ca0-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidCssm;

/* File based DL (aka "Keychain DL"): {87191ca1-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleFileDL;

/* Core CSP (local space): {87191ca2-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleCSP;

/* Secure CSP/DL (aka "Keychain CSPDL"): {87191ca3-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleCSPDL;

/* X509 Certificate CL: {87191ca4-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleX509CL;

/* X509 Certificate TP: {87191ca5-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleX509TP;

/* LDAP/OpenDirectory access DL: {87191ca6-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleLDAPDL;

/* TP for ".mac" related policies: {87191ca7-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleDotMacTP;

/* Smartcard CSP/DL: {87191ca8-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleSdCSPDL;

/* DL for ".mac" certificate access: {87191ca9-0fc9-11d4-849a-000502b52122} */
extern const CSSM_GUID gGuidAppleDotMacDL;
71
72
/* Apple defined WORDID values
 *
 * All values after the first are implicit (each is the previous + 1), so the
 * ORDER of this list is the ABI: never reorder or delete an entry, and add
 * new ones immediately before CSSM_WORDID__FIRST_UNUSED. The retired
 * _RESERVED_1 slot is kept for exactly that reason -- removing it would shift
 * every later value. */
enum
{
    CSSM_WORDID_KEYCHAIN_PROMPT = CSSM_WORDID_VENDOR_START,
    CSSM_WORDID_KEYCHAIN_LOCK,
    CSSM_WORDID_KEYCHAIN_CHANGE_LOCK,
    CSSM_WORDID_PROCESS,
    CSSM_WORDID__RESERVED_1, /* was used in 10.2 test seeds; no longer in use -- placeholder only, keeps later values stable */
    CSSM_WORDID_SYMMETRIC_KEY,
    CSSM_WORDID_SYSTEM,
    CSSM_WORDID_KEY,
    CSSM_WORDID_PIN,
    CSSM_WORDID_PREAUTH,
    CSSM_WORDID_PREAUTH_SOURCE,
    CSSM_WORDID_ASYMMETRIC_KEY,
    CSSM_WORDID_PARTITION,
    CSSM_WORDID__FIRST_UNUSED /* next free value; not a real WORDID */
};
91
/* Apple defined ACL subject and credential types
 *
 * ACL subject types are simply aliases of WORDIDs. Most map onto the Apple
 * WORDIDs declared above; CODE_SIGNATURE and COMMENT reuse the CDSA-standard
 * CSSM_WORDID_SIGNATURE / CSSM_WORDID_COMMENT, which are not defined in this
 * file. Note there is a PREAUTH_SOURCE subject type but (see the sample-type
 * enum below) no matching sample type. */
enum
{
    CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT,
    CSSM_ACL_SUBJECT_TYPE_PROCESS = CSSM_WORDID_PROCESS,
    CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE = CSSM_WORDID_SIGNATURE,
    CSSM_ACL_SUBJECT_TYPE_COMMENT = CSSM_WORDID_COMMENT,
    CSSM_ACL_SUBJECT_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY,
    CSSM_ACL_SUBJECT_TYPE_PREAUTH = CSSM_WORDID_PREAUTH,
    CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE = CSSM_WORDID_PREAUTH_SOURCE,
    CSSM_ACL_SUBJECT_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY,
    CSSM_ACL_SUBJECT_TYPE_PARTITION = CSSM_WORDID_PARTITION,
};
105
/* Apple defined credential sample types.
 *
 * Sample types are the credential-side counterparts of the ACL subject types:
 * a sample of type X is what a caller presents to satisfy a subject of type X.
 * RETRY_ID is the one entry that is not a plain alias -- it reuses the
 * CDSA-standard CSSM_WORDID_PROPAGATE. */
enum
{
    CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT,
    CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK = CSSM_WORDID_KEYCHAIN_LOCK,
    CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK = CSSM_WORDID_KEYCHAIN_CHANGE_LOCK,
    CSSM_SAMPLE_TYPE_PROCESS = CSSM_WORDID_PROCESS,
    CSSM_SAMPLE_TYPE_COMMENT = CSSM_WORDID_COMMENT,
    CSSM_SAMPLE_TYPE_RETRY_ID = CSSM_WORDID_PROPAGATE,
    CSSM_SAMPLE_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY,
    CSSM_SAMPLE_TYPE_PREAUTH = CSSM_WORDID_PREAUTH,
    CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY
    // there is no CSSM_SAMPLE_TYPE_PREAUTH_SOURCE
};
119
120
/* Apple-defined ACL authorization tags
 *
 * The first four are consecutive, implicit values starting at the CDSA
 * vendor-defined base (append new ones after INTEGRITY; do not reorder).
 * The pre-auth tags live in a separate window far above them:
 * [PREAUTH_BASE, PREAUTH_END), i.e. 0x10000 slots, with PREAUTH_END being
 * the first value *outside* the window (exclusive bound -- see the
 * CSSM_ACL_AUTHORIZATION_IS_PREAUTH macro below). */
enum {
    CSSM_ACL_AUTHORIZATION_CHANGE_ACL = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START,
    CSSM_ACL_AUTHORIZATION_CHANGE_OWNER,
    CSSM_ACL_AUTHORIZATION_PARTITION_ID,
    CSSM_ACL_AUTHORIZATION_INTEGRITY,

    // the "pre-auth" tags form a contiguous range of (up to) 64K pre-authorizations
    CSSM_ACL_AUTHORIZATION_PREAUTH_BASE =
        CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START + 0x1000000,
    CSSM_ACL_AUTHORIZATION_PREAUTH_END = CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + 0x10000 /* exclusive */
};
133
/* pre-authorization conversions (auth-tag to slot and back)
 *
 *   CSSM_ACL_AUTHORIZATION_PREAUTH(slot)       slot (0 .. 0xffff) -> auth tag
 *   CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth)  auth tag -> slot
 *   CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth)    nonzero iff auth lies in
 *                                              [PREAUTH_BASE, PREAUTH_END)
 *
 * Neither conversion macro validates its argument: PREAUTH() with a slot
 * >= 0x10000 yields a tag outside the pre-auth window, and PREAUTH_SLOT()
 * applied to a tag that is not a pre-auth tag yields a meaningless (possibly
 * negative) number. When the tag comes from outside the caller's control,
 * test IS_PREAUTH() first and only then convert. IS_PREAUTH evaluates its
 * argument twice, so do not pass expressions with side effects. */
#define CSSM_ACL_AUTHORIZATION_PREAUTH(slot) \
    (CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + (slot))
#define CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth) \
    ((auth) - CSSM_ACL_AUTHORIZATION_PREAUTH_BASE)
#define CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth) \
    ((auth) >= CSSM_ACL_AUTHORIZATION_PREAUTH_BASE && \
     (auth) < CSSM_ACL_AUTHORIZATION_PREAUTH_END)
142
143
144 /* Parameters and structures for Apple-defined ACL subjects and samples */
145
enum { /* types of code signatures - item 1 of CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE subjects */
    CSSM_ACL_CODE_SIGNATURE_INVALID = 0, /* no / unrecognized signature type; never a valid subject */
    CSSM_ACL_CODE_SIGNATURE_OSX = 1 /* standard OS X code signature */
};
150
151 /* ACL subjects of type PROCESS */
152
enum { /* PROCESS_SUBJECT mask fields */
    CSSM_ACL_MATCH_UID = 0x01, /* match userid against uid field */
    CSSM_ACL_MATCH_GID = 0x02, /* match groupid against gid field */
    CSSM_ACL_MATCH_HONOR_ROOT = 0x100, /* let root (uid 0) match any userid -- a deliberate
                                          widening: with this bit a uid-0 process satisfies
                                          the UID test whatever the uid field holds, so leave
                                          it clear when the ACL must bind one specific user */
    CSSM_ACL_MATCH_BITS = CSSM_ACL_MATCH_UID | CSSM_ACL_MATCH_GID /* the field-selecting bits only;
                                                                    HONOR_ROOT is a modifier and is
                                                                    intentionally NOT part of this mask */
};
159
enum { /* PROCESS_SUBJECT structure version field; goes in CSSM_ACL_PROCESS_SUBJECT_SELECTOR.version */
    CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION = 0x101
};
163
/* Selector for a CSSM_ACL_SUBJECT_TYPE_PROCESS subject: which process
 * attributes must match for the subject to be satisfied. Four fields,
 * 12 bytes, no padding on common ABIs. */
typedef struct cssm_acl_process_subject_selector { /* PROCESS_SUBJECT selector */
    uint16 version; /* version of this selector; set to CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION */
    uint16 mask;    /* active fields mask: CSSM_ACL_MATCH_* bits; selects which of uid/gid below are compared */
    uint32 uid;     /* effective user id match; compared only when CSSM_ACL_MATCH_UID is set in mask */
    uint32 gid;     /* effective group id match; compared only when CSSM_ACL_MATCH_GID is set in mask */
} CSSM_ACL_PROCESS_SUBJECT_SELECTOR;
170
171 /* ACL subjects of type KEYCHAIN_PROMPT */
172
enum { /* KEYCHAIN_PROMPT structure version field; goes in CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR.version */
    CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION = 0x101
};
176
/* Flag bits for CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR.flags.
 *
 * The UNSIGNED and INVALID bits each come with an "_ACT" companion: per the
 * comments below, the system default governs unless the _ACT bit is set, in
 * which case the value of the paired bit is used instead. So to force a
 * prompt for unsigned clients set both UNSIGNED and UNSIGNED_ACT; to force
 * *no* prompt set UNSIGNED_ACT alone. On 10.4 and earlier all four bits are
 * ignored, i.e. the system default always applies there. */
enum { /* KEYCHAIN_PROMPT operational flags */
    CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE = 0x0001, /* require re-entering of passphrase */
    /* the following bits are ignored by 10.4 and earlier */
    CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED = 0x0010, /* prompt for unsigned clients */
    CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED_ACT = 0x0020, /* UNSIGNED bit overrides system default */
    CSSM_ACL_KEYCHAIN_PROMPT_INVALID = 0x0040, /* prompt for invalid signed clients */
    CSSM_ACL_KEYCHAIN_PROMPT_INVALID_ACT = 0x0080, /* INVALID bit overrides system default */
};
185
/* Selector for a CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT subject: how the
 * user-facing prompt behaves when this subject is evaluated. */
typedef struct cssm_acl_keychain_prompt_selector { /* KEYCHAIN_PROMPT selector */
    uint16 version; /* version of this selector; set to CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION */
    uint16 flags;   /* flag bits: CSSM_ACL_KEYCHAIN_PROMPT_* values OR'ed together */
} CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR;
190
/* ACL subjects of type CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE
 *
 * Layout of a tracking state word: the low byte is a retry counter, the two
 * top bits are status flags OR'ed in on top of it. Extract the counter with
 * (state & CSSM_ACL_PREAUTH_TRACKING_COUNT_MASK); a result of 0 (BLOCKED)
 * means the retries are used up. When UNKNOWN is set the counter carries no
 * information and must be ignored.
 *
 * NOTE: 0x80000000 is larger than INT_MAX, so as a C enumeration constant it
 * relies on the compiler accepting out-of-int-range values (C++ is fine).
 * Always handle these as the uint32 typedef, never as a plain int, or the
 * AUTHORIZED bit will look like a negative number. */
typedef uint32 CSSM_ACL_PREAUTH_TRACKING_STATE;
enum { /* preauth tracking state */
    CSSM_ACL_PREAUTH_TRACKING_COUNT_MASK = 0xff, /* mask for count status */
    CSSM_ACL_PREAUTH_TRACKING_BLOCKED = 0, /* retries exhausted; the slot is blocked */
    /* 0 .. 255 is a count of (re)tries remaining */

    /* bits or'ed into any count given */
    CSSM_ACL_PREAUTH_TRACKING_UNKNOWN = 0x40000000, /* status of slot is unknown (ignore count) */
    CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED = 0x80000000 /* the slot is currently authorized (or'ed in) */
};
202
203
/* Apple defined values of a CSSM_DB_ACCESS_TYPE
 * A single flag bit, OR'ed into the access type alongside the standard
 * CDSA access bits; it sits at 0x10000 so it cannot collide with them. */
enum {
    CSSM_DB_ACCESS_RESET = 0x10000 /* clear pre-authentications (or'ed bit) */
};
208
209
/* Apple defined algorithm IDs
 *
 * Values are implicit from CSSM_ALGID_VENDOR_DEFINED onward, so the order is
 * the ABI: append new IDs immediately before CSSM_ALGID__FIRST_UNUSED and
 * never reorder or remove one.
 *
 * NOTE(review): several entries are MD5- or SHA-1-based (FEE_MD5, FEE_SHA1,
 * SHA1HMAC_LEGACY, PBE_OPENSSL_MD5). They exist for compatibility with
 * existing data; the SHA-2 family below is the choice for anything new. */
enum
{
    CSSM_ALGID_APPLE_YARROW = CSSM_ALGID_VENDOR_DEFINED, /* Yarrow PRNG */
    CSSM_ALGID_AES, /* RijnDael */
    CSSM_ALGID_FEE, /* FEE Key Generation */
    CSSM_ALGID_FEE_MD5, /* FEE/ElGamal signature w/ MD5 hash (legacy digest) */
    CSSM_ALGID_FEE_SHA1, /* FEE/ElGamal signature w/ SHA1 hash (legacy digest) */
    CSSM_ALGID_FEED, /* 1:1 FEE asymmetric encryption */
    CSSM_ALGID_FEEDEXP, /* 2:1 FEE asymmetric encryption */
    CSSM_ALGID_ASC, /* Apple Secure Compression */
    CSSM_ALGID_SHA1HMAC_LEGACY, /* HMAC/SHA1, legacy compatible */
    CSSM_ALGID_KEYCHAIN_KEY, /* derive or manipulate keychain master keys */
    CSSM_ALGID_PKCS12_PBE_ENCR, /* PKCS12, encrypt/decrypt key */
    CSSM_ALGID_PKCS12_PBE_MAC, /* PKCS12, MAC key */
    CSSM_ALGID_SECURE_PASSPHRASE, /* passphrase acquired by SecurityServer */
    CSSM_ALGID_PBE_OPENSSL_MD5, /* traditional openssl key derivation (MD5-based, legacy) */
    CSSM_ALGID_SHA256, /* 256-bit SHA2 */
    CSSM_ALGID_SHA384, /* 384-bit SHA2 */
    CSSM_ALGID_SHA512, /* 512-bit SHA2 */
    CSSM_ALGID_ENTROPY_DEFAULT, /* default entropy source of (CSP) device, if any */
    CSSM_ALGID_SHA224, /* SHA2, 224 bit */
    CSSM_ALGID_SHA224WithRSA, /* RSA signature on SHA224 digest */
    CSSM_ALGID_SHA256WithRSA, /* RSA signature on SHA256 digest */
    CSSM_ALGID_SHA384WithRSA, /* RSA signature on SHA384 digest */
    CSSM_ALGID_SHA512WithRSA, /* RSA signature on SHA512 digest */
    CSSM_ALGID_OPENSSH1, /* OpenSSH v1 RSA key wrapping */
    CSSM_ALGID_SHA224WithECDSA, /* ECDSA signature on SHA224 digest */
    CSSM_ALGID_SHA256WithECDSA, /* ECDSA signature on SHA256 digest */
    CSSM_ALGID_SHA384WithECDSA, /* ECDSA signature on SHA384 digest */
    CSSM_ALGID_SHA512WithECDSA, /* ECDSA signature on SHA512 digest */
    CSSM_ALGID_ECDSA_SPECIFIED, /* ECDSA with separate digest algorithm specifier */
    CSSM_ALGID_ECDH_X963_KDF, /* ECDH with X9.63 key derivation */
    CSSM_ALGID__FIRST_UNUSED /* next free value; not an algorithm */
};
245
/* Apple defined padding
 * The SSLv2 rollback-detection padding pairs with the
 * CSSMERR_CSP_APPLE_SSLv2_ROLLBACK error declared further down: a padding
 * check that detects the rollback pattern is reported through that code. */
enum
{
    /* RFC 2246 section E.2 for SSLv2 rollback detection */
    CSSM_PADDING_APPLE_SSLv2 = CSSM_PADDING_VENDOR_DEFINED
};
252
253
/* Apple defined keyblob formats
 *
 * The vendor base is 0x80000000, which is above INT_MAX: as C enumerators
 * these rely on the compiler accepting out-of-int-range values (fine in
 * C++). Compare them against the CSSM_KEYBLOB_FORMAT field as an unsigned
 * quantity. The four formats are consecutive implicit values from the base;
 * append only. */
enum {
    CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED = 0x80000000
};
enum {
    /* X509 SubjectPublicKeyInfo */
    CSSM_KEYBLOB_RAW_FORMAT_X509 = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED,
    /* OpenSSH v1 */
    CSSM_KEYBLOB_RAW_FORMAT_OPENSSH,
    /* openssl-style DSA private key */
    CSSM_KEYBLOB_RAW_FORMAT_OPENSSL,
    /* OpenSSH v2 */
    CSSM_KEYBLOB_RAW_FORMAT_OPENSSH2
};
268
/* Apple adds some "common" error codes. CDSA does not define an official start value for this.
 *
 * These are *offsets*, not complete error values: each one is added to every
 * service's base error (CSSM, AC, CSP, CL, DL, TP) in the enum that follows.
 * CSSM_CUSTOM_COMMON_ERROR_EXTENT marks where the Apple-chosen range begins
 * (it equals the first code, 0x00e0); keep it and the codes in sync with
 * cssmerr.h so they never overlap the CDSA-defined common codes. */
enum
{
    CSSM_CUSTOM_COMMON_ERROR_EXTENT = 0x00e0,

    CSSM_ERRCODE_NO_USER_INTERACTION = 0x00e0,
    CSSM_ERRCODE_USER_CANCELED = 0x00e1,
    CSSM_ERRCODE_SERVICE_NOT_AVAILABLE = 0x00e2,
    CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION = 0x00e3,
    CSSM_ERRCODE_DEVICE_RESET = 0x00e4,
    CSSM_ERRCODE_DEVICE_FAILED = 0x00e5,
    CSSM_ERRCODE_IN_DARK_WAKE = 0x00e6 /* operation refused while the system is in dark wake */
};
282
/* Per-service instances of the Apple common error codes above.
 *
 * Every CSSM_ERRCODE_* offset is replicated into each of the six service
 * error spaces by adding that service's base (CSSM_<SVC>_BASE_ERROR, from
 * cssmerr.h). A caller that wants "any service's USER_CANCELED" therefore
 * has to test all six CSSMERR_*_USER_CANCELED values, or subtract the base
 * and compare the remainder with CSSM_ERRCODE_USER_CANCELED. When adding a
 * new common code, add its six instances here as a group. */
enum {
    CSSMERR_CSSM_NO_USER_INTERACTION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_AC_NO_USER_INTERACTION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_CSP_NO_USER_INTERACTION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_CL_NO_USER_INTERACTION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_DL_NO_USER_INTERACTION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,
    CSSMERR_TP_NO_USER_INTERACTION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION,

    CSSMERR_CSSM_USER_CANCELED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_AC_USER_CANCELED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_CSP_USER_CANCELED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_CL_USER_CANCELED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_DL_USER_CANCELED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,
    CSSMERR_TP_USER_CANCELED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED,

    CSSMERR_CSSM_SERVICE_NOT_AVAILABLE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_AC_SERVICE_NOT_AVAILABLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_CSP_SERVICE_NOT_AVAILABLE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_CL_SERVICE_NOT_AVAILABLE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_DL_SERVICE_NOT_AVAILABLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,
    CSSMERR_TP_SERVICE_NOT_AVAILABLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE,

    CSSMERR_CSSM_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
    CSSMERR_AC_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
    CSSMERR_CSP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
    CSSMERR_CL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
    CSSMERR_DL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,
    CSSMERR_TP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION,

    CSSMERR_CSSM_DEVICE_RESET = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
    CSSMERR_AC_DEVICE_RESET = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
    CSSMERR_CSP_DEVICE_RESET = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
    CSSMERR_CL_DEVICE_RESET = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
    CSSMERR_DL_DEVICE_RESET = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,
    CSSMERR_TP_DEVICE_RESET = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET,

    CSSMERR_CSSM_DEVICE_FAILED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
    CSSMERR_AC_DEVICE_FAILED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
    CSSMERR_CSP_DEVICE_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
    CSSMERR_CL_DEVICE_FAILED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
    CSSMERR_DL_DEVICE_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,
    CSSMERR_TP_DEVICE_FAILED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED,

    CSSMERR_CSSM_IN_DARK_WAKE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
    CSSMERR_AC_IN_DARK_WAKE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
    CSSMERR_CSP_IN_DARK_WAKE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
    CSSMERR_CL_IN_DARK_WAKE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
    CSSMERR_DL_IN_DARK_WAKE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE,
    CSSMERR_TP_IN_DARK_WAKE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE
};
333
/* AppleCSPDL, AppleCSP private error codes.
 * All are offsets 0..6 from CSSM_CSP_PRIVATE_ERROR; the CSPDL and the CSP
 * share this one range, so a new code for either must take the next free
 * offset (7). Note the one CSPDL-specific code keeps a CSSMERR_CSPDL_ prefix
 * while the rest use CSSMERR_CSP_; both are in the CSP error space. */
enum {
    CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT = CSSM_CSP_PRIVATE_ERROR + 0,
    /*
     * An attempt was made to use a public key which is incomplete due to
     * the lack of algorithm-specific parameters.
     */
    CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE = CSSM_CSP_PRIVATE_ERROR + 1,

    /* a code signature match failed -- the CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE
       subject of an ACL was not satisfied by the calling client */
    CSSMERR_CSP_APPLE_SIGNATURE_MISMATCH = CSSM_CSP_PRIVATE_ERROR + 2,

    /* Key StartDate/EndDate invalid */
    CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE = CSSM_CSP_PRIVATE_ERROR + 3,
    CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE = CSSM_CSP_PRIVATE_ERROR + 4,

    /* Keychain Syncing error codes */
    CSSMERR_CSPDL_APPLE_DL_CONVERSION_ERROR = CSSM_CSP_PRIVATE_ERROR + 5,

    /* SSLv2 padding check: rollback attack detected
       (raised when decrypting with CSSM_PADDING_APPLE_SSLv2, declared above) */
    CSSMERR_CSP_APPLE_SSLv2_ROLLBACK = CSSM_CSP_PRIVATE_ERROR + 6
};
356
357
/* AppleFileDL record types.
 *
 * Three blocks inside the CDSA app-defined range:
 *   +0 .. +2        password records (secret-bearing items)
 *   +0x1000 ..      certificate-related records; values after
 *                   X509_CERTIFICATE are implicit (+0x1001 USER_TRUST,
 *                   +0x1002 X509_CRL, +0x1003 UNLOCK_REFERRAL,
 *                   +0x1004 EXTENDED_ATTRIBUTE), so append only
 *   +0x8000         METADATA, deliberately far from the others */
enum
{
    CSSM_DL_DB_RECORD_GENERIC_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0,
    CSSM_DL_DB_RECORD_INTERNET_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 1,
    CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 2,

    CSSM_DL_DB_RECORD_X509_CERTIFICATE = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0x1000,
    CSSM_DL_DB_RECORD_USER_TRUST,
    CSSM_DL_DB_RECORD_X509_CRL,
    CSSM_DL_DB_RECORD_UNLOCK_REFERRAL, /* see CSSM_APPLE_UNLOCK_TYPE_* below for its "type" attribute */
    CSSM_DL_DB_RECORD_EXTENDED_ATTRIBUTE,
    CSSM_DL_DB_RECORD_METADATA = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0x8000
};
372
/* AppleFileDL extensions: passthrough ids
 *
 * Passed as the PassThroughId of a DL passthrough call. Values are implicit
 * and start at 0 (TOGGLE_AUTOCOMMIT = 0, COMMIT = 1, ROLLBACK = 2,
 * TAKE_FILE_LOCK = 3, MAKE_BACKUP = 4); append new ids at the end only. */
enum {
    // Toggle whether or not to autocommit after modifying the database.
    // The input parameter is a CSSM_BOOL, where TRUE turns autocommit on
    // and FALSE turns it off. This is the same setting that
    // CSSM_APPLEDL_OPEN_PARAMETERS.autoCommit selects at open time; with
    // autocommit off, uncommitted changes can be lost or rolled back
    // (see the notes on that field), so pair it with COMMIT.
    CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT,

    // Commit any pending changes to the database.
    CSSM_APPLEFILEDL_COMMIT,

    // Rollback and discard any pending changes to the database.
    CSSM_APPLEFILEDL_ROLLBACK,

    // Try to take the file lock on the underlying database
    // Calling commit or rollback will release the lock
    CSSM_APPLEFILEDL_TAKE_FILE_LOCK,

    // Make a backup of this database in a new file
    CSSM_APPLEFILEDL_MAKE_BACKUP,
};
393
/* UNLOCK_REFERRAL "type" attribute values
 * Describes how a CSSM_DL_DB_RECORD_UNLOCK_REFERRAL record carries the
 * master secret that unlocks another database. Per the comments, KEY_DIRECT
 * means the referral holds the master key itself rather than a wrapped
 * form, so the referral record needs the same protection as that key;
 * WRAPPED_PRIVATE keeps it wrapped to a public key, usable only by the
 * holder of the matching private key. Numbering starts at 1, leaving 0 as
 * "no/unknown type". */
enum {
    CSSM_APPLE_UNLOCK_TYPE_KEY_DIRECT = 1, // master secret key stored directly
    CSSM_APPLE_UNLOCK_TYPE_WRAPPED_PRIVATE = 2 // master key wrapped by public key
};
399
/* Apple DL private error codes.
 * Offsets 0..7 from CSSM_DL_PRIVATE_ERROR. The two "blob" pairs are
 * distinct: INVALID_* means the stored blob failed to parse or validate,
 * INCOMPATIBLE_* means it parsed but carries a format version this code
 * does not handle. */
enum
{
    /* The OpenParameters argument passed to CSSM_DL_DbCreate or CSSM_DL_DbOpen
       was neither NULL nor a pointer to a valid CSSM_APPLEDL_OPEN_PARAMETERS
       structure. */
    CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS = CSSM_DL_PRIVATE_ERROR + 0,

    /* an operation failed because the disk was full */
    CSSMERR_APPLEDL_DISK_FULL = CSSM_DL_PRIVATE_ERROR + 1,

    /* an operation failed because a disk quota was exceeded */
    CSSMERR_APPLEDL_QUOTA_EXCEEDED = CSSM_DL_PRIVATE_ERROR + 2,

    /* an operation failed because a file was too large */
    CSSMERR_APPLEDL_FILE_TOO_BIG = CSSM_DL_PRIVATE_ERROR + 3,

    /* a keychain database's internal information ("blob") is invalid */
    CSSMERR_APPLEDL_INVALID_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 4,
    CSSMERR_APPLEDL_INVALID_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 5,

    /* the internal data format version for a database's internal information ("blob") is invalid */
    CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 6,
    CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 7,
};
425
/* Apple X509TP private error codes.
 *
 * Offsets 0..60 from CSSM_TP_PRIVATE_ERROR. The ".mac" TP codes that follow
 * share the same base and start at offset 100, so any new X509TP code must
 * take the next free offset (61) and stay below 100. Every value is explicit;
 * do not renumber. */
enum
{
    /* Host name mismatch */
    CSSMERR_APPLETP_HOSTNAME_MISMATCH = CSSM_TP_PRIVATE_ERROR + 0,
    /* Non-understood extension with Critical flag true */
    CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN = CSSM_TP_PRIVATE_ERROR + 1,
    /* Basic Constraints extension required per policy, but not present */
    CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 2,
    /* Invalid BasicConstraints.CA */
    CSSMERR_APPLETP_INVALID_CA = CSSM_TP_PRIVATE_ERROR + 3,
    /* Invalid Authority Key ID */
    CSSMERR_APPLETP_INVALID_AUTHORITY_ID = CSSM_TP_PRIVATE_ERROR + 4,
    /* Invalid Subject Key ID */
    CSSMERR_APPLETP_INVALID_SUBJECT_ID = CSSM_TP_PRIVATE_ERROR + 5,
    /* Invalid Key Usage for policy */
    CSSMERR_APPLETP_INVALID_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 6,
    /* Invalid Extended Key Usage for policy */
    CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 7,
    /* Invalid Subject/Authority Key ID Linkage */
    CSSMERR_APPLETP_INVALID_ID_LINKAGE = CSSM_TP_PRIVATE_ERROR + 8,
    /* PathLengthConstraint exceeded */
    CSSMERR_APPLETP_PATH_LEN_CONSTRAINT = CSSM_TP_PRIVATE_ERROR + 9,
    /* Cert group terminated at a root cert which did not self-verify */
    CSSMERR_APPLETP_INVALID_ROOT = CSSM_TP_PRIVATE_ERROR + 10,
    /* CRL expired/not valid yet */
    CSSMERR_APPLETP_CRL_EXPIRED = CSSM_TP_PRIVATE_ERROR + 11,
    CSSMERR_APPLETP_CRL_NOT_VALID_YET = CSSM_TP_PRIVATE_ERROR + 12,
    /* Cannot find appropriate CRL */
    CSSMERR_APPLETP_CRL_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 13,
    /* specified CRL server down */
    CSSMERR_APPLETP_CRL_SERVER_DOWN = CSSM_TP_PRIVATE_ERROR + 14,
    /* illegible CRL distribution point URL */
    CSSMERR_APPLETP_CRL_BAD_URI = CSSM_TP_PRIVATE_ERROR + 15,
    /* Unknown critical cert/CRL extension */
    CSSMERR_APPLETP_UNKNOWN_CERT_EXTEN = CSSM_TP_PRIVATE_ERROR + 16,
    CSSMERR_APPLETP_UNKNOWN_CRL_EXTEN = CSSM_TP_PRIVATE_ERROR + 17,
    /* CRL not verifiable to anchor or root */
    CSSMERR_APPLETP_CRL_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 18,
    /* CRL verified to untrusted root */
    CSSMERR_APPLETP_CRL_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 19,
    /* CRL failed policy verification */
    CSSMERR_APPLETP_CRL_POLICY_FAIL = CSSM_TP_PRIVATE_ERROR + 20,
    /* IssuingDistributionPoint extension violation */
    CSSMERR_APPLETP_IDP_FAIL = CSSM_TP_PRIVATE_ERROR + 21,
    /* Cert not found at specified issuerAltName */
    CSSMERR_APPLETP_CERT_NOT_FOUND_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 22,
    /* Bad cert obtained from specified issuerAltName */
    CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 23,
    /* S/MIME Email address mismatch */
    CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 24,
    /* Appropriate S/MIME ExtendedKeyUsage not found */
    CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 25,
    /* S/MIME KeyUsage incompatibility */
    CSSMERR_APPLETP_SMIME_BAD_KEY_USE = CSSM_TP_PRIVATE_ERROR + 26,
    /* S/MIME, cert with KeyUsage flagged !critical */
    CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 27,
    /* S/MIME, leaf with empty subject name and no email addrs
     * in SubjectAltName */
    CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS = CSSM_TP_PRIVATE_ERROR + 28,
    /* S/MIME, leaf with empty subject name, SubjectAltName
     * not critical */
    CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT = CSSM_TP_PRIVATE_ERROR + 29,
    /* Appropriate SSL ExtendedKeyUsage not found */
    CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 30,
    /* unparseable OCSP response */
    CSSMERR_APPLETP_OCSP_BAD_RESPONSE = CSSM_TP_PRIVATE_ERROR + 31,
    /* unparseable OCSP request */
    CSSMERR_APPLETP_OCSP_BAD_REQUEST = CSSM_TP_PRIVATE_ERROR + 32,
    /* OCSP service unavailable */
    CSSMERR_APPLETP_OCSP_UNAVAILABLE = CSSM_TP_PRIVATE_ERROR + 33,
    /* OCSP status: cert unrecognized */
    CSSMERR_APPLETP_OCSP_STATUS_UNRECOGNIZED = CSSM_TP_PRIVATE_ERROR + 34,
    /* revocation check not successful for each cert -- at least one cert in
     * the chain could not be checked, as opposed to being found revoked */
    CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK = CSSM_TP_PRIVATE_ERROR + 35,
    /* general network error */
    CSSMERR_APPLETP_NETWORK_FAILURE = CSSM_TP_PRIVATE_ERROR + 36,
    /* OCSP response not verifiable to anchor or root */
    CSSMERR_APPLETP_OCSP_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 37,
    /* OCSP response verified to untrusted root */
    CSSMERR_APPLETP_OCSP_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 38,
    /* OCSP response signature error */
    CSSMERR_APPLETP_OCSP_SIG_ERROR = CSSM_TP_PRIVATE_ERROR + 39,
    /* No signer for OCSP response found */
    CSSMERR_APPLETP_OCSP_NO_SIGNER = CSSM_TP_PRIVATE_ERROR + 40,
    /* OCSP responder status: malformed request */
    CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ = CSSM_TP_PRIVATE_ERROR + 41,
    /* OCSP responder status: internal error */
    CSSMERR_APPLETP_OCSP_RESP_INTERNAL_ERR = CSSM_TP_PRIVATE_ERROR + 42,
    /* OCSP responder status: try later */
    CSSMERR_APPLETP_OCSP_RESP_TRY_LATER = CSSM_TP_PRIVATE_ERROR + 43,
    /* OCSP responder status: signature required */
    CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED = CSSM_TP_PRIVATE_ERROR + 44,
    /* OCSP responder status: unauthorized */
    CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED = CSSM_TP_PRIVATE_ERROR + 45,
    /* OCSP response nonce did not match request -- a replayed or
     * mis-routed response; treat the response as unusable */
    CSSMERR_APPLETP_OCSP_NONCE_MISMATCH = CSSM_TP_PRIVATE_ERROR + 46,
    /* Illegal cert chain length for Code Signing */
    CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 47,
    /* Missing Basic Constraints for Code Signing */
    CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 48,
    /* Bad PathLengthConstraint for Code Signing */
    CSSMERR_APPLETP_CS_BAD_PATH_LENGTH = CSSM_TP_PRIVATE_ERROR + 49,
    /* Missing ExtendedKeyUsage for Code Signing */
    CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 50,
    /* Development style Code Signing Cert Detected */
    CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT = CSSM_TP_PRIVATE_ERROR + 51,
    /* Illegal cert chain length for Resource Signing */
    CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 52,
    /* Bad extended key usage for Resource Signing */
    CSSMERR_APPLETP_RS_BAD_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 53,
    /* Trust Setting: deny */
    CSSMERR_APPLETP_TRUST_SETTING_DENY = CSSM_TP_PRIVATE_ERROR + 54,
    /* Invalid empty SubjectName */
    CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT = CSSM_TP_PRIVATE_ERROR + 55,
    /* Unknown critical Qualified Cert Statement ID */
    CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT = CSSM_TP_PRIVATE_ERROR + 56,
    /* Missing required extension */
    CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION = CSSM_TP_PRIVATE_ERROR + 57,
    /* Extended key usage not marked critical */
    CSSMERR_APPLETP_EXT_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 58,
    /* Required name or identifier not present */
    CSSMERR_APPLETP_IDENTIFIER_MISSING = CSSM_TP_PRIVATE_ERROR + 59,
    /* Certificate authority pinning mismatch */
    CSSMERR_APPLETP_CA_PIN_MISMATCH = CSSM_TP_PRIVATE_ERROR + 60
};
552
/* Apple .mac TP private error codes.
 *
 * Offsets 100..112 from CSSM_TP_PRIVATE_ERROR, sharing the base with the
 * X509TP codes above (which end at offset 60); the gap is the reserved
 * growth room for X509TP. Note that the first two entries describe a
 * request outcome (queued / redirected) rather than a failure, so callers
 * that treat every non-zero return as fatal should special-case them. */
enum
{
    /* cert request queued */
    CSSMERR_APPLE_DOTMAC_REQ_QUEUED = CSSM_TP_PRIVATE_ERROR + 100,
    /* cert request redirected */
    CSSMERR_APPLE_DOTMAC_REQ_REDIRECT = CSSM_TP_PRIVATE_ERROR + 101,
    /* general server-reported error */
    CSSMERR_APPLE_DOTMAC_REQ_SERVER_ERR = CSSM_TP_PRIVATE_ERROR + 102,
    /* server-reported parameter error */
    CSSMERR_APPLE_DOTMAC_REQ_SERVER_PARAM = CSSM_TP_PRIVATE_ERROR + 103,
    /* server-reported authorization error */
    CSSMERR_APPLE_DOTMAC_REQ_SERVER_AUTH = CSSM_TP_PRIVATE_ERROR + 104,
    /* server-reported unimplemented */
    CSSMERR_APPLE_DOTMAC_REQ_SERVER_UNIMPL = CSSM_TP_PRIVATE_ERROR + 105,
    /* server-reported not available */
    CSSMERR_APPLE_DOTMAC_REQ_SERVER_NOT_AVAIL = CSSM_TP_PRIVATE_ERROR + 106,
    /* server-reported already exists */
    CSSMERR_APPLE_DOTMAC_REQ_SERVER_ALREADY_EXIST = CSSM_TP_PRIVATE_ERROR + 107,
    /* server-reported service error */
    CSSMERR_APPLE_DOTMAC_REQ_SERVER_SERVICE_ERROR = CSSM_TP_PRIVATE_ERROR + 108,
    /* request already pending for specified user */
    CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING = CSSM_TP_PRIVATE_ERROR + 109,
    /* no request pending for specified user */
    CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING = CSSM_TP_PRIVATE_ERROR + 110,
    /* CSR failed to verify */
    CSSMERR_APPLE_DOTMAC_CSR_VERIFY_FAIL = CSSM_TP_PRIVATE_ERROR + 111,
    /* server reported failed consistency check */
    CSSMERR_APPLE_DOTMAC_FAILED_CONSISTENCY_CHECK = CSSM_TP_PRIVATE_ERROR + 112
};
583
/* Current layout version of CSSM_APPLEDL_OPEN_PARAMETERS; goes in its
 * "version" field so the DL can tell which fields the caller filled in. */
enum
{
    CSSM_APPLEDL_OPEN_PARAMETERS_VERSION = 1
};
588
/* Bits for CSSM_APPLEDL_OPEN_PARAMETERS.mask: each bit declares that the
 * corresponding optional field has been filled in. Only one is defined. */
enum cssm_appledl_open_parameters_mask
{
    kCSSM_APPLEDL_MASK_MODE = (1 << 0) /* the "mode" field is valid */
};
593
/* Pass a CSSM_APPLEDL_OPEN_PARAMETERS_PTR as the OpenParameters argument to
   CSSM_DL_DbCreate or CSSM_DL_DbOpen. When using this struct, you must zero
   out the entire struct before setting any additional parameters to ensure
   forward compatibility.

   A non-NULL OpenParameters that the DL does not recognise as a valid
   structure is rejected with CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS
   (declared above); presumably the length and version fields are what it
   checks, so fill both in exactly as described. Optional fields are only
   honored when their bit is set in "mask" -- zeroing the struct therefore
   also means "use defaults for everything". */
typedef struct cssm_appledl_open_parameters
{
    uint32 length; /* Should be sizeof(CSSM_APPLEDL_OPEN_PARAMETERS). */
    uint32 version; /* Should be CSSM_APPLEDL_OPEN_PARAMETERS_VERSION. */

    /* If no OpenParameters are specified, autoCommit is on (!CSSM_FALSE) by default.
       When autoCommit is on (!CSSM_FALSE), changes made to the Db are written to disk
       before returning from each function.
       When autoCommit is off (CSSM_FALSE), changes made to the database are not guaranteed
       to be written to disk until the Db is closed. This is useful for bulk writes.
       Be aware that if autoCommit is off, changes made in previous calls to the DL might
       get rolled back if a new modification operation fails.
       Note this field has no mask bit: it is always read, so a zeroed struct
       means autoCommit OFF, not the default of ON -- set it explicitly. */
    CSSM_BOOL autoCommit;

    /* Mask marking which of the following fields are to be used. */
    uint32 mask;

    /* When calling DbCreate, the initial mode to create the database file with; ignored on DbOpen.
       You must set the kCSSM_APPLEDL_MASK_MODE bit in mask or mode is ignored.
       Security note: this is the permission set the keychain file is created with, so a
       caller that wants a restrictive mode (e.g. owner-only) must both fill in "mode" AND
       set the mask bit; forgetting the bit silently yields whatever the DL would otherwise use. */
    mode_t mode;
} CSSM_APPLEDL_OPEN_PARAMETERS, *CSSM_APPLEDL_OPEN_PARAMETERS_PTR;
618
619
/* AppleCSPDL passthrough ids */
621 enum
622 {
623 /* Tell the SecurityServer to lock the database specified by the DLDBHandle argument.
624 The InputParams and OutputParams arguments are ignored. */
625 CSSM_APPLECSPDL_DB_LOCK = 0,
626
627 /* Tell the SecurityServer to unlock the database specified by the DLDBHandle argument.
628 The InputParameters argument is a CSSM_DATA_PTR containing the password, or NULL if
629 the SecurityServer should prompt for the password.
630 The OutputParams argument is ignored.
The SecurityServer will put up UI (through the SecurityAgent) when this function is called
632 iff InputParameters is NULL. */
633 CSSM_APPLECSPDL_DB_UNLOCK = 1,
634
635 /* Ask the SecurityServer to get the db settings specified for the database
636 specified by the DLDBHandle argument. The settings are returned in the OutputParameters argument.
637 The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR.
638 Upon successful completion, the AppleCSPDL will have allocated a
639 CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS structure using the application-specified
640 allocators for the DL attachment specified by the DLDBHandle argument. The structure will contain
641 the current database settings for the specified database. The client should free the
642 CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR after it has finished using it.
643 The InputParameters argument is ignored.
The SecurityServer might put up UI (through the SecurityAgent) when this function is called. */
645 CSSM_APPLECSPDL_DB_GET_SETTINGS = 2,
646
647 /* Tell the SecurityServer to set the db settings specified in InputParameters on the database
648 specified by the DLDBHandle argument.
649 The InputParameters argument is a const CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS * containing
650 the new settings for the specified database.
651 The OutputParams argument is ignored.
The SecurityServer might put up UI (through the SecurityAgent) when this function is called. */
653 CSSM_APPLECSPDL_DB_SET_SETTINGS = 3,
654
655 /* Ask the SecurityServer whether the database specified by the DLDBHandle argument is locked.
656 The InputParameters argument is ignored.
657 The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR.
658 Upon successful completion, the AppleCSPDL will have allocated a
659 CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS structure using the application-specified
660 allocators for the DL attachment specified by the DLDBHandle argument. The structure will contain
661 the current lock status for the specified database. The client should free the
662 CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR after it has finished using it.
663 The SecurityServer will put up UI (though the SecurityAgent) when this function is called. */
664 CSSM_APPLECSPDL_DB_IS_LOCKED = 4,
665
666 /* Tell the SecurityServer to change the password for the database specified by
667 the DLDBHandle.
668
669 The InputParameters argument is a const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS * containing
670 a CSSM_ACCESS_CREDENTIALS * which determines how the password will be changed. If the
671 accessCredentials are NULL, the SecurityAgent will prompt for the old and the new password for the
672 specified database. If credentials are specified, there should be 2 entries:
673 1. a 3-element list containing:
674 CSSM_WORDID_KEYCHAIN_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the old password.
675 2. a 3-element list containing:
676 CSSM_WORDID_KEYCHAIN_CHANGE_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the new password.
677
678 The OutputParams argument is ignored.
679 The SecurityServer might put up UI (though the SecurityAgent) when this function is called. */
680 CSSM_APPLECSPDL_DB_CHANGE_PASSWORD =5,
681
682 /* Return the SecurityServer database handle for the database specified by the DLDBHandle */
683 CSSM_APPLECSPDL_DB_GET_HANDLE = 6,
684
685 /* Given a CSSM_KEY for the CSPDL, return the SecurityServer key handle */
686 CSSM_APPLESCPDL_CSP_GET_KEYHANDLE = 7,
687
688 CSSM_APPLE_PRIVATE_CSPDL_CODE_8 = 8,
689 CSSM_APPLE_PRIVATE_CSPDL_CODE_9 = 9,
690 CSSM_APPLE_PRIVATE_CSPDL_CODE_10 = 10,
691 CSSM_APPLE_PRIVATE_CSPDL_CODE_11 = 11,
692 CSSM_APPLE_PRIVATE_CSPDL_CODE_12 = 12,
693 CSSM_APPLE_PRIVATE_CSPDL_CODE_13 = 13,
694 CSSM_APPLE_PRIVATE_CSPDL_CODE_14 = 14,
695 CSSM_APPLE_PRIVATE_CSPDL_CODE_15 = 15,
696 CSSM_APPLE_PRIVATE_CSPDL_CODE_16 = 16,
697 CSSM_APPLE_PRIVATE_CSPDL_CODE_17 = 17,
698 CSSM_APPLE_PRIVATE_CSPDL_CODE_18 = 18,
699 CSSM_APPLE_PRIVATE_CSPDL_CODE_19 = 19,
700 CSSM_APPLE_PRIVATE_CSPDL_CODE_20 = 20,
701 CSSM_APPLE_PRIVATE_CSPDL_CODE_21 = 21,
702 CSSM_APPLE_PRIVATE_CSPDL_CODE_22 = 22,
703 CSSM_APPLE_PRIVATE_CSPDL_CODE_23 = 23,
704
705 /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the
706 * associated key blob.
707 * Key is specified in CSSM_CSP_CreatePassThroughContext.
708 * Hash is allocated bythe CSP, in the App's memory, and returned
709 * in *outData. */
710 CSSM_APPLECSP_KEYDIGEST = 0x100
711 };
712
713
714
/*
 * AppleCSPDL passthrough parameters: database settings.
 * Output of CSSM_APPLECSPDL_DB_GET_SETTINGS (allocated by the CSPDL with the
 * application's allocators; the caller frees it) and input of
 * CSSM_APPLECSPDL_DB_SET_SETTINGS (passed as a const pointer).
 */
typedef struct cssm_applecspdl_db_settings_parameters
{
    uint32 idleTimeout;     // idle time, in seconds, after which the database is locked
    uint8 lockOnSleep;      // lock the database when the system sleeps
} CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS, *CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR;
721
/*
 * AppleCSPDL passthrough parameters: lock status.
 * Output of CSSM_APPLECSPDL_DB_IS_LOCKED, allocated by the CSPDL with the
 * application's allocators; the caller frees it.
 */
typedef struct cssm_applecspdl_db_is_locked_parameters
{
    uint8 isLocked;         // True iff the database is locked
} CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS, *CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR;
727
/*
 * AppleCSPDL passthrough parameters: password change.
 * Input of CSSM_APPLECSPDL_DB_CHANGE_PASSWORD. When accessCredentials is
 * NULL the SecurityAgent prompts for the old and the new password; otherwise
 * the credentials carry the two password samples (KEYCHAIN_LOCK with the old
 * password, KEYCHAIN_CHANGE_LOCK with the new one) described at that
 * enumerator.
 * NOTE(review): ownership of accessCredentials is not stated here;
 * presumably the caller retains it — confirm against the CSPDL.
 */
typedef struct cssm_applecspdl_db_change_password_parameters
{
    CSSM_ACCESS_CREDENTIALS *accessCredentials;
} CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS, *CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS_PTR;
733
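/*
 * Custom wrapped key formats (Apple values for the wrapped key blob format).
 * Every value is spelled out explicitly: these identifiers are exchanged
 * between components, so inserting or reordering an enumerator must never
 * silently renumber an existing one.
 */
enum {
    CSSM_KEYBLOB_WRAPPED_FORMAT_APPLE_CUSTOM = 100,
    CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSL = 101,      // traditional openssl
    CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSH1 = 102      // OpenSSH v1
};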
740
/*
 * Custom context attributes for AppleCSP.
 * Base of the vendor-defined attribute ordinal space. The Apple-specific
 * CSSM_ATTRIBUTE_* values below are formed as
 * (CSSM_ATTRIBUTE_DATA_xxx | (CSSM_ATTRIBUTE_VENDOR_DEFINED + n)).
 */
enum {
    CSSM_ATTRIBUTE_VENDOR_DEFINED = 0x800000
};
747
/*
 * Apple vendor-defined context attributes for AppleCSP.
 * Each value ORs the attribute's data-type tag (CSSM_ATTRIBUTE_DATA_xxx),
 * which determines how the attribute payload is read, with a vendor-defined
 * ordinal (CSSM_ATTRIBUTE_VENDOR_DEFINED + n).
 */
enum {
    /*
     * Public Key attribute for use with CSSM_ALGID_FEED.
     */
    CSSM_ATTRIBUTE_PUBLIC_KEY =
        (CSSM_ATTRIBUTE_DATA_KEY | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 0)),

    /*
     * FEE key attributes.
     * See the CSSM_FEE_PRIME_TYPE_xxx and CSSM_FEE_CURVE_TYPE_xxx enums, below.
     */
    CSSM_ATTRIBUTE_FEE_PRIME_TYPE =
        (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 1)),
    CSSM_ATTRIBUTE_FEE_CURVE_TYPE =
        (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 2)),

    /*
     * Apple Secure Compression (ComCryption) optimization.
     * See the CSSM_ASC_OPTIMIZE_xxx enum, below.
     */
    CSSM_ATTRIBUTE_ASC_OPTIMIZATION =
        (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 3)),

    /*
     * RSA blinding. Value is integer, nonzero (blinding on) or zero.
     * Blinding is the standard countermeasure against timing side channels
     * on RSA private-key operations; turning it off should be a deliberate,
     * documented choice.
     */
    CSSM_ATTRIBUTE_RSA_BLINDING =
        (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 4)),

    /*
     * Additional public key from which to obtain algorithm-specific
     * parameters (see CSSM_KEYATTR_PARTIAL, below).
     */
    CSSM_ATTRIBUTE_PARAM_KEY =
        (CSSM_ATTRIBUTE_DATA_KEY | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 5)),

    /*
     * Prompt string for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
     * Data is a UTF8-encoded external representation of a CFString.
     */
    CSSM_ATTRIBUTE_PROMPT =
        (CSSM_ATTRIBUTE_DATA_CSSM_DATA | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 6)),

    /*
     * Alert panel title for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
     * Data is a UTF8-encoded external representation of a CFString.
     */
    CSSM_ATTRIBUTE_ALERT_TITLE =
        (CSSM_ATTRIBUTE_DATA_CSSM_DATA | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 7)),

    /*
     * Boolean to specify whether the secure passphrase is being used to
     * encrypt or to recover data. In the former case the user is prompted
     * to enter the passphrase twice. Value is integer, nonzero (verify
     * passphrase) or zero.
     */
    CSSM_ATTRIBUTE_VERIFY_PASSPHRASE =
        (CSSM_ATTRIBUTE_DATA_UINT32 | (CSSM_ATTRIBUTE_VENDOR_DEFINED + 8))

};
807
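/*
 * FEE key pair prime modulus types (value of CSSM_ATTRIBUTE_FEE_PRIME_TYPE).
 * Values are explicit so that the attribute encoding cannot change if an
 * enumerator is inserted or reordered.
 */
enum {
    CSSM_FEE_PRIME_TYPE_DEFAULT = 0,    /* default per key size */
    CSSM_FEE_PRIME_TYPE_MERSENNE = 1,   /* (2 ** q) - 1 */
    CSSM_FEE_PRIME_TYPE_FEE = 2,        /* (2 ** q) - k */
    CSSM_FEE_PRIME_TYPE_GENERAL = 3     /* random prime */
};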
817
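/*
 * FEE curve types (value of CSSM_ATTRIBUTE_FEE_CURVE_TYPE).
 * Comments refer to the curve equation
 *
 *     y**2 = x**3 + c(x**2) + ax + b
 *
 * Values are explicit so that the attribute encoding cannot change if an
 * enumerator is inserted or reordered.
 */
enum {
    CSSM_FEE_CURVE_TYPE_DEFAULT = 0,        /* default per key size */
    CSSM_FEE_CURVE_TYPE_MONTGOMERY = 1,     /* a==1, b==0 */
    CSSM_FEE_CURVE_TYPE_WEIERSTRASS = 2,    /* c==0. IEEE P1363 compliant. */
    CSSM_FEE_CURVE_TYPE_ANSI_X9_62 = 3      /* ANSI X9.62 compatible */
};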
829
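/*
 * Apple Secure Compression (ComCryption) optimization attributes
 * (value of CSSM_ATTRIBUTE_ASC_OPTIMIZATION).
 * Values are explicit so that the attribute encoding cannot change if an
 * enumerator is inserted or reordered; the trailing comma after the last
 * enumerator is dropped so the header is also clean under C89/C++98.
 */
enum {
    CSSM_ASC_OPTIMIZE_DEFAULT = 0,
    CSSM_ASC_OPTIMIZE_SIZE = 1,         /* max compression (currently the default) */
    CSSM_ASC_OPTIMIZE_SECURITY = 2,     /* currently not implemented */
    CSSM_ASC_OPTIMIZE_TIME = 3,         /* min runtime */
    CSSM_ASC_OPTIMIZE_TIME_SIZE = 4,    /* implies loss of security */
    CSSM_ASC_OPTIMIZE_ASCII = 5         /* optimized for ASCII text, not implemented */
};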
841
/*
 * Apple custom CSSM_KEYATTR_FLAGS.
 */
enum {
    /*
     * When set, indicates a public key which is incomplete (though
     * still valid) due to the lack of algorithm-specific parameters.
     * The missing parameters can be supplied via CSSM_ATTRIBUTE_PARAM_KEY.
     */
    CSSM_KEYATTR_PARTIAL = 0x00010000,

    /*
     * When set, public keys are stored encrypted. Default is to store
     * public keys in the clear. AppleCSPDL only.
     */
    CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT = 0x00020000
};
858
/*
 * Name/OID pair used in CSSM_APPLE_TP_CERT_REQUEST (subjectNames and
 * issuerNames): `string` is the attribute value as a C string and `oid`
 * identifies the attribute type.
 * NOTE(review): the expected encoding of `string` (ASCII vs. UTF-8) and
 * pointer ownership are not stated here — confirm against the TP.
 */
typedef struct {
    const char *string;
    const CSSM_OID *oid;
} CSSM_APPLE_TP_NAME_OID;
866
/*
 * Certificate request passed to CSSM_TP_SubmitCredRequest() in the
 * CSSM_TP_AUTHORITY_REQUEST_TYPE.Requests field. Used for requesting
 * both locally-generated certs (CSSMOID_APPLE_TP_LOCAL_CERT_GEN) and
 * cert signing requests (CSSMOID_APPLE_TP_CSR_GEN).
 */
typedef struct {
    CSSM_CSP_HANDLE cspHand;            // sign with this CSP
    CSSM_CL_HANDLE clHand;              // and this CL
    uint32 serialNumber;
    uint32 numSubjectNames;             // size of subjectNames[]
    CSSM_APPLE_TP_NAME_OID *subjectNames;

    /*
     * Issuer name can be expressed in the simplified CSSM_APPLE_TP_NAME_OID
     * array, as is the subject name, or as a CSSM_X509_NAME, which is
     * typically obtained from a signing cert.
     * Exactly one of {issuerNames, issuerNameX509} must be non-NULL.
     * NOTE(review): this conflicts with the "NULL implies root" comment on
     * issuerNames below, which suggests both may be NULL for a self-signed
     * cert — confirm which rule the TP actually enforces.
     */
    uint32 numIssuerNames;              // size of issuerNames[]
    CSSM_APPLE_TP_NAME_OID *issuerNames; // optional; NULL implies root
                                         // (signer == subject)
    CSSM_X509_NAME_PTR issuerNameX509;
    const CSSM_KEY *certPublicKey;
    const CSSM_KEY *issuerPrivateKey;

    /* Unfortunately there is no practical way to map any algorithm
     * to its appropriate OID, and we need both....
     * NOTE(review): cssmOidToAlg()/cssmAlgToOid(), declared at the end of
     * this header, do provide such a mapping; the caller still supplies
     * both fields here. */
    CSSM_ALGORITHMS signatureAlg;       // e.g., CSSM_ALGID_SHA1WithRSA
    CSSM_OID signatureOid;              // e.g., CSSMOID_SHA1WithRSA
    uint32 notBefore;                   // relative to "now"; units not stated here
                                        // (presumably seconds) — TODO confirm
    uint32 notAfter;                    // relative to "now", same units as notBefore
    uint32 numExtensions;               // size of extensions[]
    CE_DataAndType *extensions;         // optional

    /*
     * Optional challenge string for CSSMOID_APPLE_TP_CSR_GEN.
     */
    const char *challengeString;
} CSSM_APPLE_TP_CERT_REQUEST;
907
/*
 * Options for X509TP's CSSM_TP_CertGroupVerify for policy CSSMOID_APPLE_TP_SSL.
 * A pointer to, and length of, a CSSM_APPLE_TP_SSL_OPTIONS is optionally
 * placed in CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
 * This is the current layout version, stored in that struct's Version field.
 */
#define CSSM_APPLE_TP_SSL_OPTS_VERSION 1

/*
 * Values for CSSM_APPLE_TP_SSL_OPTIONS.Flags.
 *
 * Set this flag when evaluating a client cert.
 */
#define CSSM_APPLE_TP_SSL_CLIENT 0x00000001
921
/*
 * Per-policy options for CSSMOID_APPLE_TP_SSL; see
 * CSSM_APPLE_TP_SSL_OPTS_VERSION above for where this is passed.
 */
typedef struct {
    uint32 Version;                     // CSSM_APPLE_TP_SSL_OPTS_VERSION

    /*
     * The domain name of the server (e.g., "store.apple.com".) In the
     * SSL and TLS protocols, this must match the common name of the
     * subject cert. Expressed as a C string, optionally NUL terminated
     * (if it is NUL terminated, the length field should include the NUL).
     * ServerNameLen is the authoritative length: consumers must bound all
     * reads by it and must not assume a terminator is present.
     */
    uint32 ServerNameLen;
    const char *ServerName;             // optional

    /* new fields for struct version 1 */
    uint32 Flags;                       // CSSM_APPLE_TP_SSL_CLIENT, etc.
} CSSM_APPLE_TP_SSL_OPTIONS;
937
/*
 * Options for X509TP's CSSM_TP_CertGroupVerify for policy
 * CSSMOID_APPLE_TP_REVOCATION_CRL. A pointer to, and length of, a
 * CSSM_APPLE_TP_CRL_OPTIONS is optionally placed in
 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
 * This is the current layout version, stored in that struct's Version field.
 */
#define CSSM_APPLE_TP_CRL_OPTS_VERSION 0
945
/* Bit flags for CSSM_APPLE_TP_CRL_OPTIONS.CrlFlags. */
typedef uint32 CSSM_APPLE_TP_CRL_OPT_FLAGS;
enum {
    // require CRL verification for each cert; default is "try"
    CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT = 0x00000001,
    // enable fetch from network
    CSSM_TP_ACTION_FETCH_CRL_FROM_NET = 0x00000002,
    // if set and positive OCSP verify for given cert, no further revocation
    // checking need be done on that cert
    // NOTE(review): this is a CRL flag, so "positive OCSP verify" reads like
    // a copy-paste from the OCSP options; presumably a positive CRL check is
    // meant — confirm against the TP implementation.
    CSSM_TP_ACTION_CRL_SUFFICIENT = 0x00000004,
    // require CRL verification for certs which claim a CRL provider
    CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT = 0x00000008
};
958
/*
 * Per-policy options for CSSMOID_APPLE_TP_REVOCATION_CRL; see
 * CSSM_APPLE_TP_CRL_OPTS_VERSION above for where this is passed.
 */
typedef struct {
    uint32 Version;                     // CSSM_APPLE_TP_CRL_OPTS_VERSION
    CSSM_APPLE_TP_CRL_OPT_FLAGS CrlFlags;

    /*
     * When non-NULL, store CRLs fetched from net here.
     * This is most likely a pointer to one of the
     * CSSM_TP_CALLERAUTH_CONTEXT.DBList entries but that
     * is not a strict requirement.
     */
    CSSM_DL_DB_HANDLE_PTR crlStore;
} CSSM_APPLE_TP_CRL_OPTIONS;
971
/*
 * Options for X509TP's CSSM_TP_CertGroupVerify for policy
 * CSSMOID_APPLE_TP_SMIME. A pointer to, and length of, a
 * CSSM_APPLE_TP_SMIME_OPTIONS is optionally placed in
 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
 * This is the current layout version, stored in that struct's Version field.
 */
#define CSSM_APPLE_TP_SMIME_OPTS_VERSION 0
/*
 * Per-policy options for CSSMOID_APPLE_TP_SMIME; see
 * CSSM_APPLE_TP_SMIME_OPTS_VERSION above for where this is passed.
 */
typedef struct {
    uint32 Version;                     // CSSM_APPLE_TP_SMIME_OPTS_VERSION

    /*
     * Intended usage of the leaf cert. The cert's KeyUsage extension,
     * if present, must be a superset of this.
     */
    CE_KeyUsage IntendedUsage;

    /*
     * The email address of the sender. If there is an email address
     * in the sender's cert, that email address must match this one.
     * Both (email address in the cert, and this one) are optional.
     * Expressed as a C string, optionally NUL terminated (i.e.,
     * SenderEmail[SenderEmailLen - 1] may or may not be NUL).
     * SenderEmailLen is the authoritative length: consumers must bound all
     * reads by it and must not assume a terminator is present.
     */
    uint32 SenderEmailLen;
    const char *SenderEmail;            // optional
} CSSM_APPLE_TP_SMIME_OPTIONS;
998
999
/*
 * Optional ActionData for all X509TP CertGroupVerify policies.
 * A pointer to, and length of, a CSSM_APPLE_TP_ACTION_DATA is optionally
 * placed in CSSM_TP_VERIFY_CONTEXT.ActionData.
 * Bit flags for CSSM_APPLE_TP_ACTION_DATA.ActionFlags follow.
 */
typedef uint32 CSSM_APPLE_TP_ACTION_FLAGS;
/*
 * CSSM_APPLE_TP_ACTION_FLAGS values. Most of these relax verification
 * (expired certs, expired roots, implicit anchors), so each should be set
 * deliberately by the caller rather than by default.
 */
enum {
    CSSM_TP_ACTION_ALLOW_EXPIRED = 0x00000001,          // allow expired certs
    CSSM_TP_ACTION_LEAF_IS_CA = 0x00000002,             // first cert is a CA
    CSSM_TP_ACTION_FETCH_CERT_FROM_NET = 0x00000004,    // enable net fetch of CA cert
    CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT = 0x00000008,     // allow expired roots
    CSSM_TP_ACTION_REQUIRE_REV_PER_CERT = 0x00000010,   // require positive revocation
                                                        // check per cert
    CSSM_TP_ACTION_TRUST_SETTINGS = 0x00000020,         // use TrustSettings instead of
                                                        // anchors
    CSSM_TP_ACTION_IMPLICIT_ANCHORS = 0x00000040        // properly self-signed certs are
                                                        // treated as anchors implicitly,
                                                        // i.e. without being in the
                                                        // caller's anchor set
};
1018
/* Current layout version of CSSM_APPLE_TP_ACTION_DATA (its Version field). */
#define CSSM_APPLE_TP_ACTION_VERSION 0
/*
 * ActionData for X509TP CertGroupVerify; see CSSM_APPLE_TP_ACTION_FLAGS
 * above for where this is passed.
 */
typedef struct {
    uint32 Version;                         // CSSM_APPLE_TP_ACTION_VERSION
    CSSM_APPLE_TP_ACTION_FLAGS ActionFlags; // CSSM_TP_ACTION_ALLOW_EXPIRED, etc.
} CSSM_APPLE_TP_ACTION_DATA;
1024
/*
 * Per-cert evidence returned from CSSM_TP_CertGroupVerify.
 * An array of these is presented in CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[2].
 * Same number of these as in the cert group in Evidence[1].
 */

/* First, an array of bits indicating various status of the cert
 * (values in the CSSM_CERT_STATUS_* enum below). */
typedef uint32 CSSM_TP_APPLE_CERT_STATUS;
/*
 * CSSM_TP_APPLE_CERT_STATUS bits, reported per cert in
 * CSSM_TP_APPLE_EVIDENCE_INFO.StatusBits.
 */
enum
{
    CSSM_CERT_STATUS_EXPIRED = 0x00000001,
    CSSM_CERT_STATUS_NOT_VALID_YET = 0x00000002,
    CSSM_CERT_STATUS_IS_IN_INPUT_CERTS = 0x00000004,
    CSSM_CERT_STATUS_IS_IN_ANCHORS = 0x00000008,
    CSSM_CERT_STATUS_IS_ROOT = 0x00000010,
    CSSM_CERT_STATUS_IS_FROM_NET = 0x00000020,
    /* settings found in per-user Trust Settings */
    CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_USER = 0x00000040,
    /* settings found in Admin Trust Settings */
    CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_ADMIN = 0x00000080,
    /* settings found in System Trust Settings */
    CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_SYSTEM = 0x00000100,
    /* Trust Settings result = Trust */
    CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST = 0x00000200,
    /* Trust Settings result = Deny */
    CSSM_CERT_STATUS_TRUST_SETTINGS_DENY = 0x00000400,
    /* Per-cert error ignored due to Trust Settings; worth surfacing in
     * diagnostics since the overall verify may succeed despite the error */
    CSSM_CERT_STATUS_TRUST_SETTINGS_IGNORED_ERROR = 0x00000800
};
1054
/*
 * Per-cert evidence record; Evidence[2] holds one of these per cert of the
 * cert group in Evidence[1].
 */
typedef struct {
    CSSM_TP_APPLE_CERT_STATUS StatusBits;   // CSSM_CERT_STATUS_* bits
    uint32 NumStatusCodes;                  // size of StatusCodes[]
    CSSM_RETURN *StatusCodes;               // per-cert error codes

    /* index into raw cert group or AnchorCerts depending on IS_IN_ANCHORS */
    uint32 Index;

    /* nonzero if cert came from a DLDB */
    CSSM_DL_DB_HANDLE DlDbHandle;
    CSSM_DB_UNIQUE_RECORD_PTR UniqueRecord;

} CSSM_TP_APPLE_EVIDENCE_INFO;
1068
/*
 * CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[0] basically defines which
 * version/flavor the remaining evidence is. This is the current version
 * value carried in CSSM_TP_APPLE_EVIDENCE_HEADER.Version.
 */
#define CSSM_TP_APPLE_EVIDENCE_VERSION 0
/* Contents of Evidence[0]; see CSSM_TP_APPLE_EVIDENCE_VERSION above. */
typedef struct
{
    uint32 Version;                     // CSSM_TP_APPLE_EVIDENCE_VERSION
} CSSM_TP_APPLE_EVIDENCE_HEADER;
1078
1079
/*
 * Apple-specific CSSM_EVIDENCE_FORM values
 *
 * The form of the evidence returned from CSSM_TP_CertGroupVerify is:
 *
 *   EvidenceForm                        contents of *Evidence
 *   ------------                        ---------------------
 *   CSSM_EVIDENCE_FORM_APPLE_HEADER     CSSM_TP_APPLE_EVIDENCE_HEADER
 *   CSSM_EVIDENCE_FORM_APPLE_CERTGROUP  CSSM_CERTGROUP
 *   CSSM_EVIDENCE_FORM_APPLE_CERT_INFO  array of CSSM_TP_APPLE_EVIDENCE_INFO, size
 *                                       CSSM_CERTGROUP.NumCerts
 *
 * Base of the Apple evidence-form range; the enum below derives its
 * values from it.
 */

#define CSSM_EVIDENCE_FORM_APPLE_CUSTOM 0x80000000
/*
 * Apple evidence forms, offsets from CSSM_EVIDENCE_FORM_APPLE_CUSTOM.
 * NOTE(review): 0x80000000 is not representable as int, so these
 * enumerator values exceed what C11 6.7.2.2 permits; clang/gcc accept
 * them as an extension. Portability concern only; no change made.
 */
enum
{
    CSSM_EVIDENCE_FORM_APPLE_HEADER = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 0,
    CSSM_EVIDENCE_FORM_APPLE_CERTGROUP = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 1,
    CSSM_EVIDENCE_FORM_APPLE_CERT_INFO = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 2
};
1100
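/*
 * AppleX509CL extensions: passthrough ids.
 * Values are explicit so the passthrough id of an existing operation cannot
 * change if an enumerator is inserted or reordered.
 */
enum {
    /*
     * Obtain a signed Certificate Signing Request.
     * Input = CSSM_APPLE_CL_CSR_REQUEST
     * Output = allocated CSSM_DATA which points to a DER-encoded CSR.
     */
    CSSM_APPLEX509CL_OBTAIN_CSR = 0,

    /*
     * Perform signature verify of a CSR.
     * Input: CSSM_DATA referring to a DER-encoded CSR.
     * Output: Nothing; returns CSSMERR_CL_VERIFICATION_FAILURE on failure.
     */
    CSSM_APPLEX509CL_VERIFY_CSR = 1
};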
1118
/*
 * Used in the CL's CSSM_APPLEX509CL_OBTAIN_CSR passthrough. This is the
 * input; the output is a CSSM_DATA * containing the signed and
 * DER-encoded CSR.
 */
typedef struct {
    CSSM_X509_NAME_PTR subjectNameX509;

    /* Unfortunately there is no practical way to map any algorithm
     * to its appropriate OID, and we need both....
     * NOTE(review): cssmOidToAlg()/cssmAlgToOid(), declared at the end of
     * this header, do provide such a mapping; the caller still supplies
     * both fields here. */
    CSSM_ALGORITHMS signatureAlg;       // e.g., CSSM_ALGID_SHA1WithRSA
    CSSM_OID signatureOid;              // e.g., CSSMOID_SHA1WithRSA

    CSSM_CSP_HANDLE cspHand;            // sign with this CSP
    const CSSM_KEY *subjectPublicKey;
    const CSSM_KEY *subjectPrivateKey;  // signs the CSR (proof of possession)

    /*
     * Optional challenge string.
     */
    const char *challengeString;
} CSSM_APPLE_CL_CSR_REQUEST;
1141
/*
 * When a CRL with no NextUpdate field is encountered, we use this time
 * as the NextUpdate attribute when storing in a DB. It represents the
 * virtual end of time in CSSM_TIMESTRING form (YYYYMMDDhhmmss).
 */
#define CSSM_APPLE_CRL_END_OF_TIME "99991231235959"
1148
/*
 * Default filesystem names and locations for SecurityServer features
 * (included here for lack of a better place).
 * NOTE(review): kSystemUnlockFile names the file the SecurityServer uses
 * to unlock the system keychain; its ownership and mode are therefore
 * security-critical — confirm the expected permissions in SecurityServer.
 */
#define kKeychainSuffix ".keychain"
#define kSystemKeychainName "System.keychain"
#define kSystemKeychainDir "/Library/Keychains/"
#define kSystemUnlockFile "/var/db/SystemKey"
1157
1158
/*
 * CSSM ACL tags used to store partition/integrity data in ACLs.
 * The triple-underscore form keeps them distinct from caller-chosen tags.
 */
#define CSSM_APPLE_ACL_TAG_PARTITION_ID "___PARTITION___"
#define CSSM_APPLE_ACL_TAG_INTEGRITY "___INTEGRITY___"
1164
1165
/*
 * Report a CSSM_RETURN in the manner of perror(): `how` is the
 * caller-supplied prefix, `error` the code to describe.
 * NOTE(review): the output destination is not specified here; presumably
 * stderr, like perror() — confirm.
 */
void cssmPerror(const char *how, CSSM_RETURN error);

/*
 * Convert between CSSM_OID and CSSM_ALGORITHMS.
 * cssmOidToAlg stores the algorithm for `oid` in *alg and returns true;
 * cssmAlgToOid returns the OID for `algId`.
 * NOTE(review): behavior for an unrecognized OID/algorithm (presumably
 * false / NULL) is not stated here — callers should check anyway.
 */
bool cssmOidToAlg(const CSSM_OID *oid, CSSM_ALGORITHMS *alg);
const CSSM_OID *cssmAlgToOid(CSSM_ALGORITHMS algId);
1171
/*
 * The MacOS OSStatus space has an embedding for UNIX errno values, similar to
 * the way we embed CSSM_RETURN values in OSStatus. These are the base and limit
 * values for this embedding (inclusive; 256 values).
 * NOTE(review): presumably errno e maps to errSecErrnoBase + e — confirm
 * against the conversion code before relying on it.
 */
#define errSecErrnoBase 100000
#define errSecErrnoLimit 100255
1179
1180 #ifdef __cplusplus
1181 }
1182 #endif // __cplusplus
1183
1184 #endif /* _CSSMAPPLE_H_ */