1 /*
2 * Copyright (c) 2002-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <CoreFoundation/CFString.h>
25 #include <CoreFoundation/CFNumber.h>
26 #include <CoreFoundation/CFArray.h>
27 #include <Security/SecItem.h>
28 #include <Security/SecPolicy.h>
29 #include <Security/SecPolicyPriv.h>
30 #include <Security/SecCertificate.h>
31 #include <Security/SecCertificatePriv.h>
32 #include <security_keychain/Policies.h>
33 #include <security_keychain/PolicyCursor.h>
34 #include "SecBridge.h"
35 #include "utilities/SecCFRelease.h"
36 #include <syslog.h>
37
38
39 // String constant declarations
40
// Each SEC_CONST_DECL expands to a CFStringRef constant holding a policy
// identifier as a dotted-decimal OID string (or, further down, a plain key
// name). These strings are compared for equality against the identifier
// stored in a policy (see SecPolicyGetOID / SecPolicySetValue below), so they
// must match the declarations exported to clients byte for byte.
#define SEC_CONST_DECL(k,v) const CFStringRef k = CFSTR(v);

SEC_CONST_DECL (kSecPolicyAppleX509Basic, "1.2.840.113635.100.1.2");
SEC_CONST_DECL (kSecPolicyAppleSSL, "1.2.840.113635.100.1.3");
SEC_CONST_DECL (kSecPolicyAppleSMIME, "1.2.840.113635.100.1.8");
SEC_CONST_DECL (kSecPolicyAppleEAP, "1.2.840.113635.100.1.9");
SEC_CONST_DECL (kSecPolicyAppleSWUpdateSigning, "1.2.840.113635.100.1.10");
SEC_CONST_DECL (kSecPolicyAppleIPsec, "1.2.840.113635.100.1.11");
SEC_CONST_DECL (kSecPolicyAppleiChat, "1.2.840.113635.100.1.12");
SEC_CONST_DECL (kSecPolicyApplePKINITClient, "1.2.840.113635.100.1.14");
SEC_CONST_DECL (kSecPolicyApplePKINITServer, "1.2.840.113635.100.1.15");
SEC_CONST_DECL (kSecPolicyAppleCodeSigning, "1.2.840.113635.100.1.16");
SEC_CONST_DECL (kSecPolicyApplePackageSigning, "1.2.840.113635.100.1.17");
SEC_CONST_DECL (kSecPolicyAppleIDValidation, "1.2.840.113635.100.1.18");
SEC_CONST_DECL (kSecPolicyMacAppStoreReceipt, "1.2.840.113635.100.1.19");
SEC_CONST_DECL (kSecPolicyAppleTimeStamping, "1.2.840.113635.100.1.20");
SEC_CONST_DECL (kSecPolicyAppleRevocation, "1.2.840.113635.100.1.21");
SEC_CONST_DECL (kSecPolicyApplePassbookSigning, "1.2.840.113635.100.1.22");
SEC_CONST_DECL (kSecPolicyAppleMobileStore, "1.2.840.113635.100.1.23");
SEC_CONST_DECL (kSecPolicyAppleEscrowService, "1.2.840.113635.100.1.24");
SEC_CONST_DECL (kSecPolicyAppleProfileSigner, "1.2.840.113635.100.1.25");
SEC_CONST_DECL (kSecPolicyAppleQAProfileSigner, "1.2.840.113635.100.1.26");
SEC_CONST_DECL (kSecPolicyAppleTestMobileStore, "1.2.840.113635.100.1.27");
// The identifiers in this group are only declared when building for iOS targets.
#if TARGET_OS_IPHONE
SEC_CONST_DECL (kSecPolicyAppleOTAPKISigner, "1.2.840.113635.100.1.28");
SEC_CONST_DECL (kSecPolicyAppleTestOTAPKISigner, "1.2.840.113635.100.1.29");
/* FIXME: this policy name should be deprecated and replaced with "kSecPolicyAppleIDValidationRecordSigning" */
// NOTE(review): this identifier, and several below it (…30–32, …35–40 and …42),
// use the arc 1.2.840.113625 while the other policy OIDs in this file use
// 1.2.840.113635. Whether that is intentional or a long-standing typo has to be
// confirmed against the public header and the unified SecPolicy implementation;
// because the strings are matched by equality, any correction must be applied
// everywhere the identifier is declared, never in one place alone.
SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113625.100.1.30");
SEC_CONST_DECL (kSecPolicyAppleSMPEncryption, "1.2.840.113625.100.1.31");
SEC_CONST_DECL (kSecPolicyAppleTestSMPEncryption, "1.2.840.113625.100.1.32");
#endif
SEC_CONST_DECL (kSecPolicyAppleServerAuthentication, "1.2.840.113635.100.1.33");
SEC_CONST_DECL (kSecPolicyApplePCSEscrowService, "1.2.840.113635.100.1.34");
SEC_CONST_DECL (kSecPolicyApplePPQSigning, "1.2.840.113625.100.1.35");
SEC_CONST_DECL (kSecPolicyAppleTestPPQSigning, "1.2.840.113625.100.1.36");
SEC_CONST_DECL (kSecPolicyAppleATVAppSigning, "1.2.840.113625.100.1.37");
SEC_CONST_DECL (kSecPolicyAppleTestATVAppSigning, "1.2.840.113625.100.1.38");
SEC_CONST_DECL (kSecPolicyApplePayIssuerEncryption, "1.2.840.113625.100.1.39");
SEC_CONST_DECL (kSecPolicyAppleOSXProvisioningProfileSigning, "1.2.840.113625.100.1.40");
SEC_CONST_DECL (kSecPolicyAppleAST2DiagnosticsServerAuth, "1.2.840.113625.100.1.42");

// Keys of the policy property dictionary. kSecPolicyRevocationFlags is the
// one this file writes (SecPolicySetValue, revocation branch).
SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid");
SEC_CONST_DECL (kSecPolicyName, "SecPolicyName");
SEC_CONST_DECL (kSecPolicyClient, "SecPolicyClient");
SEC_CONST_DECL (kSecPolicyRevocationFlags, "SecPolicyRevocationFlags");
SEC_CONST_DECL (kSecPolicyTeamIdentifier, "SecPolicyTeamIdentifier");

// String names for the X.509 KeyUsage bits.
SEC_CONST_DECL (kSecPolicyKU_DigitalSignature, "CE_KU_DigitalSignature");
SEC_CONST_DECL (kSecPolicyKU_NonRepudiation, "CE_KU_NonRepudiation");
SEC_CONST_DECL (kSecPolicyKU_KeyEncipherment, "CE_KU_KeyEncipherment");
SEC_CONST_DECL (kSecPolicyKU_DataEncipherment, "CE_KU_DataEncipherment");
SEC_CONST_DECL (kSecPolicyKU_KeyAgreement, "CE_KU_KeyAgreement");
SEC_CONST_DECL (kSecPolicyKU_KeyCertSign, "CE_KU_KeyCertSign");
SEC_CONST_DECL (kSecPolicyKU_CRLSign, "CE_KU_CRLSign");
SEC_CONST_DECL (kSecPolicyKU_EncipherOnly, "CE_KU_EncipherOnly");
SEC_CONST_DECL (kSecPolicyKU_DecipherOnly, "CE_KU_DecipherOnly");
97
98 // Private functions
99
// C-linkage declarations shared with code outside this translation unit.
// SecPolicyCopyEscrowRootCertificates is defined further down in this file.
// The three SECTRUST_OSX accessors are not defined here; they give the bridge
// functions below read/write access to a policy's OID string and its options
// dictionary (see SecPolicyGetOID, SecPolicyGetValue and SecPolicySetValue).
extern "C" {
CFArrayRef SecPolicyCopyEscrowRootCertificates(void);
#if SECTRUST_OSX
CFStringRef SecPolicyGetOidString(SecPolicyRef policy);
CFDictionaryRef SecPolicyGetOptions(SecPolicyRef policy);
void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef value);
#endif
}
108
109 // String to CSSM_OID mapping
110
// One row of the string <-> CSSM OID table below: the CFString policy
// identifier (stored as CFTypeRef) and a pointer to the matching constant
// OID (the lookups in this file cast oidptr to CSSM_OID*).
struct oidmap_entry_s {
const CFTypeRef oidstr;
const SecAsn1Oid *oidptr;
};
typedef struct oidmap_entry_s oidmap_entry_t;
116
// policies enumerated by SecPolicySearch (PolicyCursor.cpp)
/*
static_cast<const CssmOid *>(&CSSMOID_APPLE_ISIGN), // no longer supported
static_cast<const CssmOid *>(&CSSMOID_APPLE_X509_BASIC),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_SSL),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_SMIME),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_EAP),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_SW_UPDATE_SIGNING),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_IP_SEC),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_ICHAT), // no longer supported
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_RESOURCE_SIGN),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_PKINIT_CLIENT),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_PKINIT_SERVER),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_CODE_SIGNING),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_PACKAGE_SIGNING),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_REVOCATION_CRL),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_REVOCATION_OCSP),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_APPLEID_SHARING),
static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_TIMESTAMPING),
*/
// Maps public kSecPolicy* identifier strings to the CSSM OIDs the legacy
// policy search understands. Forward lookups (SecPolicyGetOID,
// _SecPolicyCreateWithOID) stop at the first matching string; the reverse
// lookup (SecPolicyGetStringForOID) matches any row, which is why the three
// revocation OIDs all resolve back to kSecPolicyAppleRevocation.
// Identifiers declared above but absent here (e.g.
// kSecPolicyAppleServerAuthentication) cannot be resolved through this table
// and need explicit handling where they are accepted.
const oidmap_entry_t oidmap[] = {
{ kSecPolicyAppleX509Basic, &CSSMOID_APPLE_X509_BASIC },
{ kSecPolicyAppleSSL, &CSSMOID_APPLE_TP_SSL },
{ kSecPolicyAppleSMIME, &CSSMOID_APPLE_TP_SMIME },
{ kSecPolicyAppleEAP, &CSSMOID_APPLE_TP_EAP },
{ kSecPolicyAppleSWUpdateSigning, &CSSMOID_APPLE_TP_SW_UPDATE_SIGNING },
{ kSecPolicyAppleIPsec, &CSSMOID_APPLE_TP_IP_SEC },
{ kSecPolicyAppleiChat, &CSSMOID_APPLE_TP_ICHAT },
{ kSecPolicyApplePKINITClient, &CSSMOID_APPLE_TP_PKINIT_CLIENT },
{ kSecPolicyApplePKINITServer, &CSSMOID_APPLE_TP_PKINIT_SERVER },
{ kSecPolicyAppleCodeSigning, &CSSMOID_APPLE_TP_CODE_SIGNING },
{ kSecPolicyApplePackageSigning, &CSSMOID_APPLE_TP_PACKAGE_SIGNING },
{ kSecPolicyAppleIDValidation, &CSSMOID_APPLE_TP_APPLEID_SHARING },
{ kSecPolicyMacAppStoreReceipt, &CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT },
{ kSecPolicyAppleTimeStamping, &CSSMOID_APPLE_TP_TIMESTAMPING },
{ kSecPolicyAppleRevocation, &CSSMOID_APPLE_TP_REVOCATION },       // forward lookups stop here
{ kSecPolicyAppleRevocation, &CSSMOID_APPLE_TP_REVOCATION_OCSP },  // reverse lookup only
{ kSecPolicyAppleRevocation, &CSSMOID_APPLE_TP_REVOCATION_CRL },   // reverse lookup only
{ kSecPolicyApplePassbookSigning, &CSSMOID_APPLE_TP_PASSBOOK_SIGNING },
{ kSecPolicyAppleMobileStore, &CSSMOID_APPLE_TP_MOBILE_STORE },
{ kSecPolicyAppleEscrowService, &CSSMOID_APPLE_TP_ESCROW_SERVICE },
{ kSecPolicyAppleProfileSigner, &CSSMOID_APPLE_TP_PROFILE_SIGNING },
{ kSecPolicyAppleQAProfileSigner, &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING },
{ kSecPolicyAppleTestMobileStore, &CSSMOID_APPLE_TP_TEST_MOBILE_STORE },
{ kSecPolicyApplePCSEscrowService, &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE },
{ kSecPolicyAppleOSXProvisioningProfileSigning, &CSSMOID_APPLE_TP_PROVISIONING_PROFILE_SIGNING },
};
165
166 //
167 // CF boilerplate
168 //
#if !SECTRUST_OSX
// CFTypeID of the legacy Policy object, read from the shared type registry.
// The argument to END_SECAPI1 (_kCFRuntimeNotATypeID) is presumably what the
// macro returns when the lookup throws — confirm against SecBridge.h.
CFTypeID
SecPolicyGetTypeID(void)
{
	BEGIN_SECAPI
	return gTypes().Policy.typeID;
	END_SECAPI1(_kCFRuntimeNotATypeID)
}
#endif
178
179 //
180 // Sec API bridge functions
181 //
/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
// Return the CSSM OID identifying policyRef's policy.
//
// policyRef: policy to inspect. oid: receives Data/Length that alias the
// library's constant OID tables (nothing for the caller to free).
// Returns errSecParam for a NULL policy, a NULL oid, or a policy without an
// OID string; errSecServiceNotAvailable when the string is in neither table.
OSStatus
SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID* oid)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(oid) = Policy::required(policyRef)->oid();
	END_SECAPI
#else
	/* bridge to support old functionality */
	if (!policyRef) {
		return errSecParam;
	}
	CFStringRef oidStr = (CFStringRef) SecPolicyGetOidString(policyRef);
	if (!oidStr || !oid) {
		return errSecParam; // bad policy ref?
	}
	// First table: the public kSecPolicy* identifiers in oidmap above.
	CSSM_OID *oidptr = NULL;
	unsigned int i, oidmaplen = sizeof(oidmap) / sizeof(oidmap_entry_t);
	for (i=0; i<oidmaplen; i++) {
		CFStringRef str = (CFStringRef) oidmap[i].oidstr;
		if (CFStringCompare(str, oidStr, 0) == kCFCompareEqualTo) {
			oidptr = (CSSM_OID*)oidmap[i].oidptr;
			break;
		}
	}
	if (!oidptr) {
		// Check private iOS policy names.
		// oidmap_priv is not declared in this file; presumably a header-provided
		// table with the oidmap_entry_t layout (the sizeof arithmetic relies on it).
		oidmaplen = sizeof(oidmap_priv) / sizeof(oidmap_entry_t);
		for (i=0; i<oidmaplen; i++) {
			CFStringRef str = (CFStringRef) oidmap_priv[i].oidstr;
			if (CFStringCompare(str, oidStr, 0) == kCFCompareEqualTo) {
				oidptr = (CSSM_OID*)oidmap_priv[i].oidptr;
				break;
			}
		}
	}
	if (oidptr) {
		// Shallow copy: the caller's CSSM_OID points into the constant table entry.
		oid->Data = oidptr->Data;
		oid->Length = oidptr->Length;
		return errSecSuccess;
	}
	// NOTE(review): CFShow writes the unmatched OID string to stderr. That is
	// debugging output on a library path, and the syslog line below already
	// records the failure; consider removing it.
	CFShow(oidStr);
	syslog(LOG_ERR, "WARNING: SecPolicyGetOID failed to return an OID. This function was deprecated in 10.7. Please use SecPolicyCopyProperties instead.");
	return errSecServiceNotAvailable;
#endif
}
229
// TODO: use a version of this function from a utility library
// Compare two CSSM OIDs by length and raw content. A NULL operand compares
// unequal; two zero-length OIDs compare equal.
static CSSM_BOOL compareOids(
	const CSSM_OID *oid1,
	const CSSM_OID *oid2)
{
	if (oid1 == NULL || oid2 == NULL) {
		return CSSM_FALSE;
	}
	const bool sameLength = (oid1->Length == oid2->Length);
	const bool sameBytes = sameLength && (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
	return sameBytes ? CSSM_TRUE : CSSM_FALSE;
}
248
/* OS X only: */
// Reverse lookup: the kSecPolicy* identifier string registered in oidmap for
// a CSSM OID. Returns NULL for a NULL or unknown OID. The returned string is
// a constant, not a new reference.
CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid)
{
	if (oid == NULL) {
		return NULL;
	}
	const size_t entryCount = sizeof(oidmap) / sizeof(oidmap_entry_t);
	CFStringRef match = NULL;
	for (size_t idx = 0; idx < entryCount && match == NULL; idx++) {
		const CSSM_OID *candidate = (const CSSM_OID *) oidmap[idx].oidptr;
		if (compareOids(oid, candidate)) {
			match = (CFStringRef) oidmap[idx].oidstr;
		}
	}
	return match;
}
265
#if SECTRUST_OSX
// Expose the UTF-8 bytes of stringRef through the old pointer/length
// CSSM_DATA interface.
//
// The old API contract says the vended pointer stays valid for the life of
// the policy. The new policy values are CF objects, so the bytes are copied
// into a CFData that is parked in the policy's options under "policy_data"
// and released together with the policy.
// NOTE(review): each call replaces the previously stored "policy_data" (and
// releases it), so a pointer vended by an earlier call on the same policy
// would dangle — confirm that callers do not cache it across calls.
//
// Returns false only when the temporary UTF-8 buffer cannot be allocated;
// *value is left untouched in that case. Otherwise *value gets the bytes
// (or NULL/0 if the string could not be converted) and true is returned.
static bool SecPolicyGetCSSMDataValueForString(SecPolicyRef policyRef, CFStringRef stringRef, CSSM_DATA* value)
{
	CFIndex bufferSize = CFStringGetMaximumSizeForEncoding(CFStringGetLength(stringRef), kCFStringEncodingUTF8) + 1;
	char *utf8 = (char *) malloc(bufferSize);
	if (utf8 == NULL) {
		return false;
	}
	CFDataRef bytes = NULL;
	if (CFStringGetCString(stringRef, utf8, bufferSize, kCFStringEncodingUTF8)) {
		bytes = CFDataCreate(NULL, (const UInt8 *) utf8, (CFIndex) strlen(utf8));
	}
	free(utf8);

	if (value != NULL) {
		value->Data = bytes ? (uint8 *) CFDataGetBytePtr(bytes) : NULL;
		value->Length = bytes ? (CSSM_SIZE) CFDataGetLength(bytes) : 0;
	}
	if (bytes != NULL) {
		if (policyRef != NULL) {
			// The options dictionary keeps the CFData alive for the policy's lifetime.
			SecPolicySetOptionsValue(policyRef, CFSTR("policy_data"), bytes);
			CFRelease(bytes);
		} else {
			syslog(LOG_ERR, "WARNING: policy dictionary not found to store returned data; will leak!");
		}
	}
	return true;
}
#endif
303
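/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
// Legacy getter for a policy's primary value: the SSL hostname, the (first)
// EAP trusted server name or the S/MIME email address, as UTF-8 bytes.
//
// policyRef: policy to inspect. value: receives a pointer/length pair owned
// by the policy, or NULL/0 when the policy carries no such value.
// Returns errSecParam when either argument is NULL or the policy has no
// options dictionary, errSecAllocate if the UTF-8 buffer could not be
// allocated, else errSecSuccess.
OSStatus
SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA* value)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(value) = Policy::required(policyRef)->value();
	END_SECAPI
#else
	/* bridge to support old functionality */
#if SECTRUST_DEPRECATION_WARNINGS
	syslog(LOG_ERR, "WARNING: SecPolicyGetValue was deprecated in 10.7. Please use SecPolicyCopyProperties instead.");
#endif
	if (!(policyRef && value)) {
		return errSecParam;
	}
	CFDictionaryRef options = SecPolicyGetOptions(policyRef);
	if (!(options && (CFDictionaryGetTypeID() == CFGetTypeID(options)))) {
		return errSecParam;
	}
	// The first of these option keys present with a non-NULL value wins.
	const CFStringRef valueKeys[] = {
		CFSTR("SSLHostname"),           /*kSecPolicyCheckSSLHostname*/
		CFSTR("EAPTrustedServerNames"), /*kSecPolicyCheckEAPTrustedServerNames*/
		CFSTR("email"),                 /*kSecPolicyCheckEmail*/
	};
	CFTypeRef name = NULL;
	for (size_t idx = 0; idx < sizeof(valueKeys) / sizeof(valueKeys[0]); idx++) {
		if (CFDictionaryGetValueIfPresent(options, valueKeys[idx], (const void **)&name) && name) {
			break;
		}
		name = NULL;
	}
	if (name && CFGetTypeID(name) == CFArrayGetTypeID()) {
		// An array-valued option contributes its first element. An empty array
		// previously indexed past the end here.
		CFArrayRef names = (CFArrayRef)name;
		name = (CFArrayGetCount(names) > 0) ? CFArrayGetValueAtIndex(names, 0) : NULL;
	}
	if (name && CFGetTypeID(name) != CFStringGetTypeID()) {
		// Only a string can be rendered as bytes; anything else was previously
		// cast blindly to CFStringRef. Treat it as "no value".
		name = NULL;
	}
	if (name) {
		// The helper fails only when it cannot allocate its conversion buffer.
		if (!SecPolicyGetCSSMDataValueForString(policyRef, (CFStringRef)name, value)) {
			return errSecAllocate;
		}
	}
	else {
		value->Data = NULL;
		value->Length = 0;
	}
	return errSecSuccess;
#endif
}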
353
#if !SECTRUST_OSX
// Snapshot of the legacy policy's properties as a +1 CFDictionary.
// Returns NULL when Policy::required or properties() throws (e.g. for an
// invalid policyRef); no error code can be reported because the return type
// is not OSStatus.
CFDictionaryRef
SecPolicyCopyProperties(SecPolicyRef policyRef)
{
	/* can't use SECAPI macros, since this function does not return OSStatus */
	try {
		return Policy::required(policyRef)->properties();
	}
	catch (...) {
		return NULL;
	}
}
#endif
372
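/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
#if SECTRUST_OSX
// Turn the (pointer, length) name carried by a legacy CSSM_APPLE_TP_*_OPTIONS
// struct into a CFString.
//
// bytes/length: caller-owned UTF-8 bytes, not NUL-terminated.
// Returns a +1 CFString, or NULL when the range is NULL/empty or the bytes
// are not a valid external UTF-8 representation.
static CFStringRef
_SecPolicyCopyNameFromBytes(const char *bytes, uint32 length)
{
	if (bytes == NULL || length == 0) {
		return NULL;
	}
	CFDataRef data = CFDataCreate(NULL, (const UInt8 *)bytes, (CFIndex)length);
	if (data == NULL) {
		return NULL;
	}
	CFStringRef name = CFStringCreateFromExternalRepresentation(NULL, data, kCFStringEncodingUTF8);
	CFRelease(data);
	return name;
}
#endif

// Legacy setter: interpret *value as the CSSM option struct for policyRef's
// policy type and translate it into the unified policy's options.
//
// policyRef: policy to modify. value: CSSM_DATA whose Data points at a
// CSSM_APPLE_TP_SSL_OPTIONS (SSL/IPsec/AppleID/EAP), a
// CSSM_APPLE_TP_SMIME_OPTIONS (S/MIME/Passbook) or a CSSM_APPLE_TP_CRL_OPTIONS
// (revocation), and whose Length covers that struct.
// Returns errSecParam when an argument is NULL, the buffer is too short for
// the struct, the policy has no OID, the OID is not handled here, or no
// usable name was supplied; otherwise errSecSuccess.
OSStatus
SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(value);
	const CssmData newValue(value->Data, value->Length);
	Policy::required(policyRef)->setValue(newValue);
	END_SECAPI
#else
	/* bridge to support old functionality */
#if SECTRUST_DEPRECATION_WARNINGS
	syslog(LOG_ERR, "WARNING: SecPolicySetValue was deprecated in 10.7. Please use SecPolicySetProperties instead.");
#endif
	if (!(policyRef && value && value->Data)) {
		return errSecParam;
	}
	CFStringRef oid = (CFStringRef) SecPolicyGetOidString(policyRef);
	if (!oid) {
		syslog(LOG_ERR, "SecPolicySetValue: unknown policy OID");
		return errSecParam; // bad policy ref?
	}
	// value->Data is an opaque caller buffer; every reinterpretation below is
	// guarded by value->Length so nothing is read past what the caller supplied.
	const void *bytes = value->Data;
	const CSSM_SIZE length = value->Length;

	OSStatus status = errSecSuccess;
	CFStringRef nameKey = NULL;   // option key that receives an extracted name
	bool smimeOptions = false;    // bytes hold CSSM_APPLE_TP_SMIME_OPTIONS rather than *_SSL_OPTIONS

	if (CFEqual(oid, CFSTR("sslServer") /*kSecPolicyOIDSSLServer*/) ||
		CFEqual(oid, CFSTR("sslClient") /*kSecPolicyOIDSSLClient*/) ||
		CFEqual(oid, CFSTR("ipsecServer") /*kSecPolicyOIDIPSecServer*/) ||
		CFEqual(oid, CFSTR("ipsecClient") /*kSecPolicyOIDIPSecClient*/) ||
		CFEqual(oid, kSecPolicyAppleSSL) ||
		CFEqual(oid, kSecPolicyAppleIPsec) ||
		CFEqual(oid, kSecPolicyAppleIDValidation)
		) {
		nameKey = CFSTR("SSLHostname") /*kSecPolicyCheckSSLHostname*/;
	}
	else if (CFEqual(oid, CFSTR("eapServer") /*kSecPolicyOIDEAPServer*/) ||
		CFEqual(oid, CFSTR("eapClient") /*kSecPolicyOIDEAPClient*/) ||
		CFEqual(oid, kSecPolicyAppleEAP)
		) {
		nameKey = CFSTR("EAPTrustedServerNames") /*kSecPolicyCheckEAPTrustedServerNames*/;
	}
	else if (CFEqual(oid, CFSTR("SMIME") /*kSecPolicyOIDSMIME*/) ||
		CFEqual(oid, CFSTR("AppleShoebox") /*kSecPolicyOIDAppleShoebox*/) ||
		CFEqual(oid, CFSTR("ApplePassbook") /*kSecPolicyOIDApplePassbook*/) ||
		CFEqual(oid, kSecPolicyAppleSMIME) ||
		CFEqual(oid, kSecPolicyApplePassbookSigning)
		) {
		nameKey = CFSTR("email") /*kSecPolicyCheckEmail*/;
		smimeOptions = true;
	}
	else if (CFEqual(oid, CFSTR("revocation") /* kSecPolicyOIDRevocation */) ||
		CFEqual(oid, kSecPolicyAppleRevocation)
		) {
		const CSSM_APPLE_TP_CRL_OPTIONS *opts = (const CSSM_APPLE_TP_CRL_OPTIONS *)bytes;
		// As before, an unrecognized struct version is ignored rather than rejected.
		if (length >= sizeof(*opts) && opts->Version == CSSM_APPLE_TP_CRL_OPTS_VERSION) {
			CSSM_APPLE_TP_CRL_OPT_FLAGS crlFlags = opts->CrlFlags;
			CFOptionFlags revocationFlags = 0;
			if ((crlFlags & CSSM_TP_ACTION_FETCH_CRL_FROM_NET) == 0) {
				/* disable network access */
				revocationFlags |= kSecRevocationNetworkAccessDisabled;
			}
			if ((crlFlags & CSSM_TP_ACTION_CRL_SUFFICIENT) == 0) {
				/* if OCSP method is not sufficient, must use CRL */
				revocationFlags |= (kSecRevocationCRLMethod | kSecRevocationPreferCRL);
			} else {
				/* either method is sufficient */
				revocationFlags |= kSecRevocationUseAnyAvailableMethod;
			}
			if ((crlFlags & CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT) != 0) {
				/* require a response */
				revocationFlags |= kSecRevocationRequirePositiveResponse;
			}
			CFNumberRef cnum = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &revocationFlags);
			if (cnum) {
				SecPolicySetOptionsValue(policyRef, kSecPolicyRevocationFlags, cnum);
				CFRelease(cnum);
			}
		}
	}
	else {
		syslog(LOG_ERR, "SecPolicySetValue: unrecognized policy OID");
		status = errSecParam;
	}

	if (nameKey) {
		CFStringRef name = NULL;
		if (smimeOptions) {
			const CSSM_APPLE_TP_SMIME_OPTIONS *opts = (const CSSM_APPLE_TP_SMIME_OPTIONS *)bytes;
			if (length >= sizeof(*opts) && opts->Version == CSSM_APPLE_TP_SMIME_OPTS_VERSION) {
				name = _SecPolicyCopyNameFromBytes(opts->SenderEmail, opts->SenderEmailLen);
			}
		} else {
			const CSSM_APPLE_TP_SSL_OPTIONS *opts = (const CSSM_APPLE_TP_SSL_OPTIONS *)bytes;
			if (length >= sizeof(*opts) && opts->Version == CSSM_APPLE_TP_SSL_OPTS_VERSION) {
				name = _SecPolicyCopyNameFromBytes(opts->ServerName, opts->ServerNameLen);
			}
		}
		if (name) {
			SecPolicySetOptionsValue(policyRef, nameKey, name);
			CFRelease(name);
		} else {
			// No decodable name: refuse the value rather than leave the policy
			// without a peer identity to check (same outcome as before).
			status = errSecParam;
		}
	}
	return status;
#endif
}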
498
#if !SECTRUST_OSX
// Replace the legacy policy's property dictionary with `properties`.
// A NULL or invalid policyRef makes Policy::required throw; the SECAPI macros
// turn that into the returned OSStatus.
OSStatus
SecPolicySetProperties(SecPolicyRef policyRef, CFDictionaryRef properties)
{
	BEGIN_SECAPI
	Policy::required(policyRef)->setProperties(properties);
	END_SECAPI
}
#endif
508
/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
// Legacy accessor for the CSSM trust-policy module handle behind a policy.
// Only the legacy build has such a handle; the unified build never touches
// *tpHandle and always returns errSecServiceNotAvailable.
OSStatus
SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE* tpHandle)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(tpHandle) = Policy::required(policyRef)->tp()->handle();
	END_SECAPI
#else
	/* this function is unsupported in unified SecTrust */
#if SECTRUST_DEPRECATION_WARNINGS
	syslog(LOG_ERR, "WARNING: SecPolicyGetTPHandle was deprecated in 10.7, and does nothing in 10.11. Please stop using it.");
#endif
	return errSecServiceNotAvailable;
#endif
}
525
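/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
// Return every policy the legacy API can instantiate.
//
// certificateType: legacy CSSM certificate type (not consulted on the unified
// build). policies: receives a +1 immutable CFArray of SecPolicyRef.
// Returns errSecParam if policies is NULL, errSecAllocate if an array could
// not be created, else errSecSuccess (legacy build: whatever the SECAPI
// macros map a failure to).
OSStatus
SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef* policies)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(policies);
	CFMutableArrayRef currPolicies = NULL;
	currPolicies = CFArrayCreateMutable(NULL, 0, NULL);
	if ( currPolicies )
	{
		SecPointer<PolicyCursor> cursor(new PolicyCursor(NULL, NULL));
		SecPointer<Policy> policy;
		while ( cursor->next(policy) ) /* copies the next policy */
		{
			CFArrayAppendValue(currPolicies, policy->handle()); /* 'SecPolicyRef' appended */
			CFRelease(policy->handle()); /* refcount bumped up when appended to array */
		}
		*policies = CFArrayCreateCopy(NULL, currPolicies);
		CFRelease(currPolicies);
		CFRelease(cursor->handle());
	}
	END_SECAPI
#else
	/* bridge to support old functionality */
#if SECTRUST_DEPRECATION_WARNINGS
	syslog(LOG_ERR, "WARNING: SecPolicyCopyAll was deprecated in 10.7. Please use SecPolicy creation functions instead.");
#endif
	if (!policies) {
		return errSecParam;
	}
	// The array must retain its elements: each policy is released right after
	// it is appended, and the copy handed to the caller inherits these
	// callbacks. With NULL callbacks both arrays held dangling pointers.
	CFMutableArrayRef curPolicies = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
	if (!curPolicies) {
		return errSecAllocate;
	}
	/* build the subset of policies which were supported on OS X,
	   and which are also implemented on iOS */
	CFStringRef supportedPolicies[] = {
		kSecPolicyAppleX509Basic, /* CSSMOID_APPLE_X509_BASIC */
		kSecPolicyAppleSSL, /* CSSMOID_APPLE_TP_SSL */
		kSecPolicyAppleSMIME, /* CSSMOID_APPLE_TP_SMIME */
		kSecPolicyAppleEAP, /*CSSMOID_APPLE_TP_EAP */
		kSecPolicyAppleSWUpdateSigning, /* CSSMOID_APPLE_TP_SW_UPDATE_SIGNING */
		kSecPolicyAppleIPsec, /* CSSMOID_APPLE_TP_IP_SEC */
		kSecPolicyAppleCodeSigning, /* CSSMOID_APPLE_TP_CODE_SIGNING */
		kSecPolicyMacAppStoreReceipt, /* CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT */
		kSecPolicyAppleIDValidation, /* CSSMOID_APPLE_TP_APPLEID_SHARING */
		kSecPolicyAppleTimeStamping, /* CSSMOID_APPLE_TP_TIMESTAMPING */
		kSecPolicyAppleRevocation, /* CSSMOID_APPLE_TP_REVOCATION_{CRL,OCSP} */
		NULL
	};
	for (CFIndex ix = 0; supportedPolicies[ix] != NULL; ix++) {
		// Identifiers that cannot be instantiated are skipped silently.
		SecPolicyRef curPolicy = SecPolicyCreateWithProperties(supportedPolicies[ix], NULL);
		if (curPolicy) {
			CFArrayAppendValue(curPolicies, curPolicy);
			CFRelease(curPolicy);
		}
	}
	*policies = CFArrayCreateCopy(NULL, curPolicies);
	CFRelease(curPolicies);
	return (*policies) ? errSecSuccess : errSecAllocate;
#endif
}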
594
/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
// Hand the caller the policy registered for policyOID, found through a
// one-shot SecPolicySearch.
//
// certificateType/policyOID: passed straight to SecPolicySearchCreate.
// policy: receives the +1 policy on success.
// Returns errSecParam (unified build) when policyOID or policy is NULL — the
// legacy build enforces the same precondition through Required() — otherwise
// the status of the search.
OSStatus
SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef* policy)
{
#if !SECTRUST_OSX
	Required(policy);
	Required(policyOID);
#else
	if (!policyOID || !policy) {
		return errSecParam;
	}
#endif
	SecPolicySearchRef search = NULL;
	OSStatus status = SecPolicySearchCreate(certificateType, policyOID, NULL, &search);
	if (status == errSecSuccess) {
		status = SecPolicySearchCopyNext(search, policy);
		CFRelease(search);
	}
	return status;
}
618
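/* OS X only: convert a new-world SecPolicyRef to an old-world ItemImpl instance */
// policy: unified SecPolicyRef. Returns a +1 legacy policy carrying the same
// OID and properties, or NULL when the OID is unknown or construction fails.
// On the legacy build the input is simply retained and returned.
SecPolicyRef
SecPolicyCreateItemImplInstance(SecPolicyRef policy)
{
#if !SECTRUST_OSX
	return (SecPolicyRef)(policy ? CFRetain(policy) : NULL);
#else
	if (!policy) {
		return NULL;
	}
	CSSM_OID oid;
	OSStatus status = SecPolicyGetOID(policy, &oid);
	if (status) {
		return NULL;
	}
	SecPolicyRef policyRef = NULL;
	CFDictionaryRef properties = SecPolicyCopyProperties(policy);
	try {
		SecPointer<Policy> policyObj;
		PolicyCursor::policy(&oid, policyObj);
		policyRef = policyObj->handle();
		Policy::required(policyRef)->setProperties(properties);
	}
	catch (...) {
		// handle() hands out a retained reference (the creation paths in this
		// file return it to callers as-is). If setProperties threw after it was
		// taken, drop it instead of leaking the half-built item.
		if (policyRef) {
			CFRelease(policyRef);
			policyRef = NULL;
		}
	}
	if (properties) {
		CFRelease(properties);
	}
	return policyRef;
#endif
}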
651
#if !SECTRUST_OSX
/* new in 10.6 */
// Instantiate the X.509 Basic policy through the legacy policy search.
// Returns a +1 SecPolicyRef, or NULL when the search could not be created;
// if the copy step fails the policy is returned as the search left it.
SecPolicyRef
SecPolicyCreateBasicX509(void)
{
	SecPolicyRef basicPolicy = NULL;
	SecPolicySearchRef search = NULL;
	OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_X509_BASIC, NULL, &search);
	if (status == errSecSuccess) {
		// Status of the copy is not reported to the caller.
		(void) SecPolicySearchCopyNext(search, &basicPolicy);
	}
	if (search != NULL) {
		CFRelease(search);
	}
	return basicPolicy;
}
#endif
670
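#if !SECTRUST_OSX
/* new in 10.6 */
// Create the legacy SSL policy for a client- or server-side evaluation.
//
// server:   true for server-certificate evaluation; false adds CSSM_APPLE_TP_SSL_CLIENT.
// hostname: expected peer name, or NULL to request no hostname check.
// Returns a +1 SecPolicyRef, or NULL if the policy search failed or a non-NULL
// hostname could not be converted (a policy with the check silently dropped
// is never returned).
SecPolicyRef
SecPolicyCreateSSL(Boolean server, CFStringRef hostname)
{
	SecPolicyRef policy = nil;
	SecPolicySearchRef policySearch = nil;
	OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_SSL, NULL, &policySearch);
	if (!status) {
		status = SecPolicySearchCopyNext(policySearch, &policy);
	}
	if (!status && policy) {
		// The hostname reaches the policy as a NUL-terminated UTF-8 C string.
		// Use CF's internal buffer when it is already in that form, otherwise
		// convert into a heap buffer that lives until SecPolicySetValue returns
		// (which is therefore expected to copy what it needs).
		char *strbuf = NULL;
		const char *hostnamestr = NULL;
		if (hostname) {
			hostnamestr = CFStringGetCStringPtr(hostname, kCFStringEncodingUTF8);
			if (hostnamestr == NULL) {
				CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(hostname), kCFStringEncodingUTF8) + 1;
				strbuf = (char *)malloc(maxLen);
				// malloc can fail; the NULL buffer used to go straight into CFStringGetCString.
				if (strbuf && CFStringGetCString(hostname, strbuf, maxLen, kCFStringEncodingUTF8)) {
					hostnamestr = strbuf;
				}
			}
		}
		if (hostname && !hostnamestr) {
			// A hostname was requested but could not be represented: fail closed
			// instead of handing back a policy that checks no hostname at all.
			CFRelease(policy);
			policy = nil;
		}
		else {
			uint32 hostnamelen = (hostnamestr) ? (uint32)strlen(hostnamestr) : 0;
			uint32 flags = (!server) ? CSSM_APPLE_TP_SSL_CLIENT : 0;
			CSSM_APPLE_TP_SSL_OPTIONS opts = {CSSM_APPLE_TP_SSL_OPTS_VERSION, hostnamelen, hostnamestr, flags};
			CSSM_DATA data = {sizeof(opts), (uint8*)&opts};
			SecPolicySetValue(policy, &data);
		}
		if (strbuf) {
			free(strbuf);
		}
	}
	if (policySearch) {
		CFRelease(policySearch);
	}
	return policy;
}
#endif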
713
#if !SECTRUST_OSX
/* not exported */
// Build a legacy Policy object directly for a raw OID, bypassing the policy
// search. Returns its +1 SecPolicyRef handle, or NULL if constructing the
// Policy or taking its handle throws.
static SecPolicyRef
SecPolicyCreateWithSecAsn1Oid(SecAsn1Oid *oidPtr)
{
	try {
		SecPointer<Policy> policyObj;
		PolicyCursor::policy(oidPtr, policyObj);
		return policyObj->handle();
	}
	catch (...) {
		return NULL;
	}
}
#endif
730
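// Shared implementation behind SecPolicyCreateWithOID and
// SecPolicyCreateWithProperties.
//
// policyOID: one of the kSecPolicy* CFString constants declared above. A NULL
// or non-string value yields NULL (it used to be passed to CFStringCompare
// unchecked).
// Returns a +1 SecPolicyRef, or NULL when the identifier is unknown or no
// policy could be instantiated for it.
static SecPolicyRef
_SecPolicyCreateWithOID(CFTypeRef policyOID)
{
	// for now, we only accept the policy constants that are defined in SecPolicy.h
	if (!policyOID || CFGetTypeID(policyOID) != CFStringGetTypeID()) {
		return NULL;
	}
	CFStringRef oidStr = (CFStringRef)policyOID;
	// kSecPolicyAppleServerAuthentication has no oidmap entry; it is served by
	// the Apple-pinned SSL policy instead.
	if (CFEqual(oidStr, kSecPolicyAppleServerAuthentication)) {
		return SecPolicyCreateAppleSSLService(NULL);
	}
	CSSM_OID *oidPtr = NULL;
	const size_t oidmaplen = sizeof(oidmap) / sizeof(oidmap_entry_t);
	for (size_t i = 0; i < oidmaplen; i++) {
		CFStringRef str = (CFStringRef) oidmap[i].oidstr;
		if (CFStringCompare(str, oidStr, 0) == kCFCompareEqualTo) {
			oidPtr = (CSSM_OID*)oidmap[i].oidptr;
			break;
		}
	}
	if (!oidPtr) {
		return NULL;
	}
	SecPolicyRef policy = NULL;
	SecPolicySearchRef policySearch = NULL;
	OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, oidPtr, NULL, &policySearch);
	if (!status && policySearch) {
		status = SecPolicySearchCopyNext(policySearch, &policy);
		if (status != errSecSuccess) {
			policy = NULL;
		}
		CFRelease(policySearch);
	}
	// If the search produced nothing for the revocation identifier, build the
	// unified revocation policy directly.
	if (!policy && CFEqual(oidStr, kSecPolicyAppleRevocation)) {
		policy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod);
	}
#if !SECTRUST_OSX
	// Last resort on the legacy build: instantiate the Policy object directly.
	if (!policy) {
		policy = SecPolicyCreateWithSecAsn1Oid((SecAsn1Oid*)oidPtr);
	}
#endif
	return policy;
}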
773
/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA) */
// Public wrapper around _SecPolicyCreateWithOID that logs when no policy
// could be produced for policyOID. Returns the +1 policy, or NULL.
SecPolicyRef
SecPolicyCreateWithOID(CFTypeRef policyOID)
{
	SecPolicyRef created = _SecPolicyCreateWithOID(policyOID);
	if (created == NULL) {
		syslog(LOG_ERR, "WARNING: SecPolicyCreateWithOID was unable to return the requested policy. This function was deprecated in 10.9. Please use supported SecPolicy creation functions instead.");
	}
	return created;
}
784
#if !SECTRUST_OSX
/* new in 10.9 */
// Create the policy named by policyIdentifier and apply `properties` to it.
// The status of SecPolicySetProperties is not surfaced; an unknown identifier
// yields NULL, which is returned as-is.
SecPolicyRef
SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, CFDictionaryRef properties)
{
	SecPolicyRef created = _SecPolicyCreateWithOID(policyIdentifier);
	(void) SecPolicySetProperties(created, properties);
	return created;
}
#endif
796
#if !SECTRUST_OSX
/* new in 10.9 */
// Unified revocation policy. revocationFlags (kSecRevocation* bits) are handed
// to the legacy Policy as its raw value. Returns a +1 SecPolicyRef, or NULL
// when the Policy object could not be built.
SecPolicyRef
SecPolicyCreateRevocation(CFOptionFlags revocationFlags)
{
	SecPolicyRef revocationPolicy = SecPolicyCreateWithSecAsn1Oid((SecAsn1Oid*)&CSSMOID_APPLE_TP_REVOCATION);
	if (revocationPolicy == NULL) {
		return NULL;
	}
	CSSM_DATA flagsData;
	flagsData.Length = (CSSM_SIZE)sizeof(CFOptionFlags);
	flagsData.Data = (uint8*)&revocationFlags;
	SecPolicySetValue(revocationPolicy, &flagsData);
	return revocationPolicy;
}
#endif
812
/* OS X only: deprecated SPI entry point */
/* new in 10.9 ***FIXME*** TO BE REMOVED */
// The production escrow root certificates, as returned (+1) by
// SecCertificateCopyEscrowRoots.
CFArrayRef SecPolicyCopyEscrowRootCertificates(void)
{
	CFArrayRef escrowRoots = SecCertificateCopyEscrowRoots(kSecCertificateProductionEscrowRoot);
	return escrowRoots;
}
819
820 SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname)
821 {
822 return SecPolicyCreateSSL(true, hostname);
823 }
824
// IDS service policy with a context dictionary. `context` is ignored on this
// path: the result is the plain SSL server policy for `hostname`, without
// Apple-specific pinning.
SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef __unused context)
{
	SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, hostname);
	return sslPolicy;
}
829
// Push service policy. `context` is ignored on this path; the result is the
// plain SSL server policy for `hostname`, without Apple-specific pinning.
SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef __unused context)
{
	SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, hostname);
	return sslPolicy;
}
834
// Legacy push service policy: the plain SSL server policy for `hostname`,
// without Apple-specific pinning on this path.
SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname)
{
	SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, hostname);
	return sslPolicy;
}
839
// MMCS service policy. `context` is ignored on this path; the result is the
// plain SSL server policy for `hostname`, without Apple-specific pinning.
SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef __unused context)
{
	SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, hostname);
	return sslPolicy;
}
844
// GS service policy. `context` is ignored on this path; the result is the
// plain SSL server policy for `hostname`, without Apple-specific pinning.
SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef __unused context)
{
	SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, hostname);
	return sslPolicy;
}
849
// PPQ service policy. `context` is ignored on this path; the result is the
// plain SSL server policy for `hostname`, without Apple-specific pinning.
SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef __unused context)
{
	SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, hostname);
	return sslPolicy;
}
854
// AST2 service policy. `context` is ignored on this path; the result is the
// plain SSL server policy for `hostname`, without Apple-specific pinning.
SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef __unused context)
{
	SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, hostname);
	return sslPolicy;
}
860 #if !SECTRUST_OSX
861 /* new in 10.11 */
SecPolicyRef SecPolicyCreateAppleATVAppSigning(void)
{
    // Apple TV app-signing policy. In this build it is simply the basic X.509
    // policy; no ATV-specific constraints are attached here. Caller owns the
    // returned policy, which may be NULL.
    CFStringRef policyOID = kSecPolicyAppleX509Basic;
    return _SecPolicyCreateWithOID(policyOID);
}
866 #endif
868 #if !SECTRUST_OSX
869 /* new in 10.11 */
SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void)
{
    // Test variant of the Apple TV app-signing policy. In this build it is the
    // basic X.509 policy, the same as the production variant. Caller owns the
    // returned policy, which may be NULL.
    SecPolicyRef basicPolicy = _SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
    return basicPolicy;
}
874 #endif
876 #if !SECTRUST_OSX
877 /* new in 10.11 */
SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
{
    // Apple Pay issuer-encryption policy. In this build it is the basic X.509
    // policy; no issuer-specific constraints are attached here. Caller owns
    // the returned policy, which may be NULL.
    CFStringRef policyOID = kSecPolicyAppleX509Basic;
    return _SecPolicyCreateWithOID(policyOID);
}
882 #endif
884 #if !SECTRUST_OSX
885 /* new in 10.11 */
SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void)
{
    // OS X provisioning-profile signing policy, created from its dedicated
    // policy OID. Caller owns the returned policy, which may be NULL.
    SecPolicyRef profilePolicy = _SecPolicyCreateWithOID(kSecPolicyAppleOSXProvisioningProfileSigning);
    return profilePolicy;
}
890 #endif
893 #if !SECTRUST_OSX
894 /* new in 10.11 */
SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
{
    // Apple TV VPN profile-signing policy. In this build it is the basic X.509
    // policy; no VPN-profile-specific constraints are attached here. Caller
    // owns the returned policy, which may be NULL.
    CFStringRef policyOID = kSecPolicyAppleX509Basic;
    return _SecPolicyCreateWithOID(policyOID);
}
899 #endif
901 #if !SECTRUST_OSX
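SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname)
{
    // SSL server policy pinned to an Apple intermediate: the plain SSL policy
    // for `hostname`, with the TP options re-set to request the Apple pin.
    // Returns a new SecPolicyRef the caller owns, or NULL if the base SSL
    // policy could not be created.
    SecPolicyRef policy = SecPolicyCreateSSL(true, hostname);
    if (!policy) {
        return NULL;
    }

    // Obtain a UTF-8 C string for the hostname. CFStringGetCStringPtr may return
    // NULL for a valid string, so fall back to copying into a heap buffer.
    char *strbuf = NULL;
    const char *hostnamestr = NULL;
    if (hostname) {
        hostnamestr = CFStringGetCStringPtr(hostname, kCFStringEncodingUTF8);
        if (hostnamestr == NULL) {
            CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(hostname), kCFStringEncodingUTF8) + 1;
            strbuf = (char *)malloc(maxLen);
            // If allocation or conversion fails, hostnamestr stays NULL and the
            // options carry an empty server name (same as the hostname == NULL case).
            if (strbuf && CFStringGetCString(hostname, strbuf, maxLen, kCFStringEncodingUTF8)) {
                hostnamestr = strbuf;
            }
        }
    }
    // Length excludes the terminating NUL. NOTE(review): confirm this matches
    // what the TP expects for ServerNameLen.
    uint32 hostnamelen = (hostnamestr) ? (uint32)strlen(hostnamestr) : 0;
    uint32 flags = 0x00000002; // 2nd-lowest bit set to require Apple intermediate pin
    CSSM_APPLE_TP_SSL_OPTIONS opts = {CSSM_APPLE_TP_SSL_OPTS_VERSION, hostnamelen, hostnamestr, flags};
    CSSM_DATA data = {sizeof(opts), (uint8*)&opts};
    SecPolicySetValue(policy, &data);
    // Release the heap copy of the hostname (it was previously leaked).
    // NOTE(review): this assumes SecPolicySetValue copies the server name out of
    // opts rather than retaining the pointer — confirm in Policy::setValue.
    free(strbuf);
    return policy;
}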
928 #endif
930 /* OS X only: TBD */
931 #include <security_utilities/cfutilities.h>
932 /* New in 10.10 */
// Takes the "context" policies, extracts the revocation-related ones, and adds them to the time-stamping policy set.
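CFArrayRef
SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray)
{
    // Build the policy set used for time-stamp verification: the Apple
    // time-stamping policy first, followed by any revocation-related policies
    // found in policyOrArray (a single SecPolicyRef or a CFArray of them).
    // Returns a new CFArray the caller owns, or NULL on failure.
#if !SECTRUST_OSX
    /* can't use SECAPI macros, since this function does not return OSStatus */
    CFArrayRef resultPolicyArray = NULL;
    try {
        // Set default policy
        CFRef<CFArrayRef> policyArray = cfArrayize(policyOrArray);
        CFRef<SecPolicyRef> defaultPolicy = _SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping);
        CFRef<CFMutableArrayRef> appleTimeStampingPolicies = makeCFMutableArray(1, defaultPolicy.get());

        // Walk the caller's policies and keep only the revocation-related ones
        // (unified, CRL, OCSP); every other policy is dropped.
        CFIndex numPolicies = CFArrayGetCount(policyArray);
        for (CFIndex dex = 0; dex < numPolicies; dex++) {
            SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policyArray, dex);
            // Policy::required throws on an invalid element; that lands in the
            // catch below and the function returns NULL.
            SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
            const CssmOid &oid = pol->oid();
            if ((oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION))
                || (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL))
                || (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP)))
            {
                CFArrayAppendValue(appleTimeStampingPolicies, secPol);
            }
        }
        // Transfer of ownership
        resultPolicyArray = appleTimeStampingPolicies.yield();
    }
    catch (...) {
        CFReleaseNull(resultPolicyArray);
    }
#else
    /* implement with unified SecPolicyRef instances */
    /* %%% FIXME revisit this since SecPolicyCreateWithOID is OSX-only; */
    /* should use SecPolicyCreateWithProperties instead */
    // NOTE(review): this branch does not look at policyOrArray at all and always
    // emits {time-stamping, revocation}; confirm that is the intended behavior.
    CFMutableArrayRef resultPolicyArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
    if (resultPolicyArray == NULL) {
        // Allocation failed; appending to a NULL array would crash.
        return NULL;
    }
    SecPolicyRef policy = SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping);
    if (policy) {
        CFArrayAppendValue(resultPolicyArray, policy);
        CFReleaseNull(policy);
    }
    policy = SecPolicyCreateWithOID(kSecPolicyAppleRevocation);
    if (policy) {
        CFArrayAppendValue(resultPolicyArray, policy);
        CFReleaseNull(policy);
    }
#endif
    return resultPolicyArray;
}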