2 * Copyright (c) 2008-2015 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 The functions provided in SecPolicyInternal provide the interface to
27 trust policies used by SecTrust.
30 #ifndef _SECURITY_SECPOLICYINTERNAL_H_
31 #define _SECURITY_SECPOLICYINTERNAL_H_
33 #include <Security/SecPolicy.h>
34 #include <Security/SecTrust.h>
35 #include <Security/SecCertificatePath.h>
36 #include <CoreFoundation/CFArray.h>
37 #include <CoreFoundation/CFString.h>
38 #include <CoreFoundation/CFRuntime.h>
42 /********************************************************
43 ****************** SecPolicy struct ********************
44 ********************************************************/
48 CFDictionaryRef _options
;
52 @enum Policy Check Keys
53 @discussion Keys that represent various checks that can be done in a trust
55 @constant kSecPolicyCheckCriticalExtensions Ensure that no certificate in the chain has any critical extensions that we do not understand.
56 @constant kSecPolicyCheckIdLinkage Check that all the certificates in the chain that have a SubjectId, match the AuthorityId of the certificate they sign. This check is optional, in that if either certificate is missing the required extension the check succeeds.
57 @constant kSecPolicyCheckBasicContraints Fails if the basic constraints for the certificate chain are not met, this allows for basic constraints to be non critical and doesn't require every CA certificate to have a basic constraints extension, and allows for leaf certificates to have basic constraints extensions.
58 @constant kSecPolicyCheckExtendedKeyUsage @@@
59 @constant kSecPolicyCheckIdLinkage Fails if the AuthorityKeyID -> SubjectKeyID chaining isn't right.
60 @constant kSecPolicyCheckKeyUsage @@@
61 @constant kSecPolicyCheckWeakIntermediates Fails if any certificates in the chain (other than the leaf and root) have a too small key size.
62 @constant kSecPolicyCheckWeakLeaf Fails if the leaf has a too small key size.
63 @constant kSecPolicyCheckWeakRoot Fails fi the root has a too small key size.
64 @constant kSecPolicyCheckNonEmptySubject Perform the following check: RFC 3280, 4.1.2.6, says that an empty subject name can only appear in a leaf cert, and only if subjectAltName is present and marked critical.
65 @constant kSecPolicyCheckQualifiedCertStatements Perform the following check: RFC 3739: if this cert has a Qualified Cert Statements extension, and it's Critical, make sure we understand all of the extension's statementIds.
66 @constant kSecPolicyCheckValidIntermediates Fails if any certificates in the chain are not valid at the verify time other than the leaf and the root.
67 @constant kSecPolicyCheckValidLeaf Fails if the leaf certificate is not valid at the verify time.
68 @constant kSecPolicyCheckValidRoot Fails if the root certificate is not valid at the verify time.
69 @constant kSecPolicyCheckAnchorTrusted @@@.
70 @constant kSecPolicyCheckAnchorSHA1 @@@.
71 @constant kSecPolicyCheckAnchorApple @@@.
72 @constant kSecPolicyCheckSSLHostname @@@.
73 @constant kSecPolicyCheckEmail @@@.
74 @constant kSecPolicyCheckIssuerCommonName @@@.
75 @constant kSecPolicyCheckSubjectCommonNamePrefix @@@.
76 @constant kSecPolicyCheckChainLength @@@.
77 @constant kSecPolicyCheckNotValidBefore @@@.
78 @constant kSecPolicyCheckEAPTrustedServerNames @@@.
79 @constant kSecPolicyCheckBasicCertificateProcessing @@@.
80 @constant kSecPolicyCheckExtendedValidation @@@.
81 @constant kSecPolicyCheckRevocation @@@.
82 @constant kSecPolicyCheckNoNetworkAccess @@@.
83 @constant kSecPolicyCheckBlackListedLeaf @@@.
85 extern const CFStringRef kSecPolicyCheckBasicContraints
;
86 extern const CFStringRef kSecPolicyCheckCriticalExtensions
;
87 extern const CFStringRef kSecPolicyCheckExtendedKeyUsage
;
88 extern const CFStringRef kSecPolicyCheckIdLinkage
;
89 extern const CFStringRef kSecPolicyCheckWeakIntermediates
;
90 extern const CFStringRef kSecPolicyCheckWeakLeaf
;
91 extern const CFStringRef kSecPolicyCheckWeakRoot
;
92 extern const CFStringRef kSecPolicyCheckKeyUsage
;
93 extern const CFStringRef kSecPolicyCheckNonEmptySubject
;
94 extern const CFStringRef kSecPolicyCheckQualifiedCertStatements
;
95 extern const CFStringRef kSecPolicyCheckValidIntermediates
;
96 extern const CFStringRef kSecPolicyCheckValidLeaf
;
97 extern const CFStringRef kSecPolicyCheckValidRoot
;
98 extern const CFStringRef kSecPolicyCheckAnchorTrusted
;
99 extern const CFStringRef kSecPolicyCheckAnchorSHA1
;
100 extern const CFStringRef kSecPolicyCheckAnchorApple
;
101 extern const CFStringRef kSecPolicyCheckSSLHostname
;
102 extern const CFStringRef kSecPolicyCheckEmail
;
103 extern const CFStringRef kSecPolicyCheckIssuerCommonName
;
104 extern const CFStringRef kSecPolicyCheckSubjectCommonName
;
105 extern const CFStringRef kSecPolicyCheckSubjectCommonNameTEST
;
106 extern const CFStringRef kSecPolicyCheckSubjectOrganization
;
107 extern const CFStringRef kSecPolicyCheckSubjectOrganizationalUnit
;
108 extern const CFStringRef kSecPolicyCheckSubjectCommonNamePrefix
;
109 extern const CFStringRef kSecPolicyCheckChainLength
;
110 extern const CFStringRef kSecPolicyCheckNotValidBefore
;
111 extern const CFStringRef kSecPolicyCheckEAPTrustedServerNames
;
112 extern const CFStringRef kSecPolicyCheckCertificatePolicy
;
113 extern const CFStringRef kSecPolicyCheckBasicCertificateProcessing
;
114 extern const CFStringRef kSecPolicyCheckExtendedValidation
;
115 extern const CFStringRef kSecPolicyCheckRevocation
;
116 extern const CFStringRef kSecPolicyCheckRevocationResponseRequired
;
117 extern const CFStringRef kSecPolicyCheckNoNetworkAccess
;
118 extern const CFStringRef kSecPolicyCheckBlackListedLeaf
;
119 extern const CFStringRef kSecPolicyCheckBlackListedKey
;
120 extern const CFStringRef kSecPolicyCheckGrayListedLeaf
;
121 extern const CFStringRef kSecPolicyCheckLeafMarkerOid
;
122 extern const CFStringRef kSecPolicyCheckIntermediateMarkerOid
;
123 extern const CFStringRef kSecPolicyCheckIntermediateSPKISHA256
;
124 extern const CFStringRef kSecPolicyCheckGrayListedKey
;
125 extern const CFStringRef kSecPolicyCheckCertificateTransparency
;
127 /* Special options for checking Apple Anchors */
128 extern const CFStringRef kSecPolicyAppleAnchorIncludeTestRoots
;
129 extern const CFStringRef kSecPolicyAppleAnchorAllowTestRootsOnProduction
;
131 SecPolicyRef
SecPolicyCreate(CFStringRef oid
, CFDictionaryRef options
);
133 CFStringRef
SecPolicyGetOidString(SecPolicyRef policy
);
134 CFDictionaryRef
SecPolicyGetOptions(SecPolicyRef policy
);
135 void SecPolicySetOptionsValue(SecPolicyRef policy
, CFStringRef key
, CFTypeRef value
);
137 xpc_object_t
SecPolicyArrayCopyXPCArray(CFArrayRef policies
, CFErrorRef
*error
);
138 CFArrayRef
SecPolicyXPCArrayCopyArray(xpc_object_t xpc_policies
, CFErrorRef
*error
);
142 #endif /* !_SECURITY_SECPOLICYINTERNAL_H_ */
projects / apple / security.git / blob