]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/SecTrustSettings.h
Security-57337.40.85.tar.gz
[apple/security.git] / OSX / sec / Security / SecTrustSettings.h
1 /*
2 * Copyright (c) 2007,2012 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecTrustSettings
26 The functions and data types in SecTrustSettings implement a way to
27 set and retrive trustability of certificates.
28 */
29
30 #ifndef _SECURITY_SECTRUSTSETTINGS_H_
31 #define _SECURITY_SECTRUSTSETTINGS_H_
32
33 #include <CoreFoundation/CFArray.h>
34 #include <Security/SecCertificate.h>
35
36 #ifdef __cplusplus
37 extern "C" {
38 #endif
39
40 /*
41 * Any certificate (cert) which resides in a keychain can have associated with
42 * it a set of Trust Settings. Trust Settings specify conditions in which a
43 * given cert can be trusted or explicitly distrusted. A "trusted" cert is
44 * either a root (self-signed) cert that, when a cert chain verifies back to that
45 * root, the entire cert chain is trusted; or a non-root cert that does not need
46 * to verify to a trusted root cert (which is normally the case when verifying a
47 * cert chain). An "explicitly distrusted" cert is one which will, when encountered
48 * during the evaluation of a cert chain, cause immediate and unconditional failure
49 * of the verify operation.
50 *
51 * Trust Settings are configurable by the user; they can apply on three levels
52 * (called domains):
53 *
54 * -- Per-user.
55 * -- Locally administered, system-wide. Administrator privileges are required
56 * to make changes to this domain.
57 * -- System. These Trust Settings are immutable and comprise the set of trusted
58 * root certificates supplied in Mac OS X.
59 *
60 * Per-user Trust Settings override locally administered Trust Settings, which
61 * in turn override the System Trust Settings.
62 *
63 * Each cert's Trust Settings are expressed as a CFArray which includes any
64 * number (including zero) of CFDictionaries, each of which comprises one set of
65 * Usage Constraints. Each Usage Constraints dictionary contains zero or one of
66 * each the following components:
67 *
68 * key = kSecTrustSettingsPolicy value = SecPolicyRef
69 * key = kSecTrustSettingsApplication value = SecTrustedApplicationRef
70 * key = kSecTrustSettingsPolicyString value = CFString, policy-specific
71 * key = kSecTrustSettingsKeyUsage value = CFNumber, an SInt32 key usage
72 *
73 * A given Usage Constraints dictionary applies to a given cert if *all* of the
74 * usage constraint components specified in the dictionary match the usage of
75 * the cert being evaluated; when this occurs, the value of the
76 * kSecTrustSettingsResult entry in the dictionary, shown below, is the effective
77 * trust setting for the cert.
78 *
79 * key = kSecTrustSettingsResult value = CFNumber, an SInt32 SecTrustSettingsResult
80 *
81 * The overall Trust Settings of a given cert are the sum of all such Usage
82 * Constraints CFDictionaries: Trust Settings for a given usage apply if *any*
83 * of the CFDictionaries in the cert's Trust Settings array satisfies
84 * the specified usage. Thus, when a cert has multiple Usage Constraints
85 * dictionaries in its Trust Settings array, the overall Trust Settings
86 * for the cert are
87 *
88 * (Usage Constraint 0 component 0 AND Usage Constraint 0 component 1 ...)
89 * -- OR --
90 * (Usage Constraint 1 component 0 AND Usage Constraint 1 component 1 ...)
91 * -- OR --
92 * ...
93 *
94 * Notes on the various Usage Constraints components:
95 *
96 * kSecTrustSettingsPolicy Specifies a cert verification policy, e.g., SSL,
97 * SMIME, etc.
98 * kSecTrustSettingsApplication Specifies the application performing the cert
99 * verification.
100 * kSecTrustSettingsPolicyString Policy-specific. For the SMIME policy, this is
101 * an email address.
102 * For the SSL policy, this is a host name.
103 * kSecTrustSettingsKeyUsage A bitfield indicating key operations (sign,
104 * encrypt, etc.) for which this Usage Constraint
105 * apply. Values are defined below as the
106 * SecTrustSettingsKeyUsage enum.
107 * kSecTrustSettingsResult The resulting trust value. If not present this has a
108 * default of kSecTrustSettingsResultTrustRoot, meaning
109 * "trust this root cert". Other legal values are:
110 * kSecTrustSettingsResultTrustAsRoot : trust non-root
111 * cert as if it were a trusted root.
112 * kSecTrustSettingsResultDeny : explicitly distrust this
113 * cert.
114 * kSecTrustSettingsResultUnspecified : neither trust nor
115 * distrust; can be used to specify an "Allowed error"
116 * (see below) without assigning trust to a specific
117 * cert.
118 *
119 * Another optional component in a Usage Constraints dictionary is a CSSM_RETURN
120 * which, if encountered during certificate verification, is ignored for that
121 * cert. These "allowed error" values are constrained by Usage Constraints as
122 * described above; a Usage Constraint dictionary with no constraints but with
123 * an Allowed Error value causes that error to always be allowed when the cert
124 * is being evaluated.
125 *
126 * The "allowed error" entry in a Usage Constraints dictionary is formatted
127 * as follows:
128 *
129 * key = kSecTrustSettingsAllowedError value = CFNumber, an SInt32 CSSM_RETURN
130 *
131 * Note that if kSecTrustSettingsResult value of kSecTrustSettingsResultUnspecified
132 * is *not* present for a Usage Constraints dictionary with no Usage
133 * Constraints, the default of kSecTrustSettingsResultTrustRoot is assumed. To
134 * specify a kSecTrustSettingsAllowedError without explicitly trusting (or
135 * distrusting) the associated cert, specify kSecTrustSettingsResultUnspecified
136 * for the kSecTrustSettingsResult component.
137 *
138 * Note that an empty Trust Settings array means "always trust this cert,
139 * with a resulting kSecTrustSettingsResult of kSecTrustSettingsResultTrustRoot".
140 * An empty Trust Settings array is definitely not the same as *no* Trust
141 * Settings, which means "this cert must be verified to a known trusted cert".
142 *
143 * Note the distinction between kSecTrustSettingsResultTrustRoot and
144 * kSecTrustSettingsResultTrustAsRoot; the former can only be applied to
145 * root (self-signed) certs; the latter can only be applied to non-root
146 * certs. This also means that an empty TrustSettings array for a non-root
147 * cert is invalid, since the default value for kSecTrustSettingsResult is
148 * kSecTrustSettingsResultTrustRoot, which is invalid for a non-root cert.
149 *
150 * Authentication
151 * --------------
152 *
153 * When making changes to the per-user Trust Settings, the user will be
154 * prompted with an alert panel asking for authentication via user name a
155 * password (or other credentials normally used for login). This means
156 * that it is not possible to modify per-user Trust Settings when not
157 * running in a GUI environment (i.e. the user is not logged in via
158 * Loginwindow).
159 *
160 * When making changes to the system-wide Trust Settings, the user will be
161 * prompted with an alert panel asking for an administrator's name and
162 * password, unless the calling process is running as root in which case
163 * no futher authentication is needed.
164 */
165
166 /*
167 * The keys in one Usage Constraints dictionary.
168 */
169 #define kSecTrustSettingsPolicy CFSTR("kSecTrustSettingsPolicy")
170 #define kSecTrustSettingsApplication CFSTR("kSecTrustSettingsApplication")
171 #define kSecTrustSettingsPolicyString CFSTR("kSecTrustSettingsPolicyString")
172 #define kSecTrustSettingsKeyUsage CFSTR("kSecTrustSettingsKeyUsage")
173 #define kSecTrustSettingsAllowedError CFSTR("kSecTrustSettingsAllowedError")
174 #define kSecTrustSettingsResult CFSTR("kSecTrustSettingsResult")
175
176 /*
177 * Key usage bits, the value for Usage Constraints key kSecTrustSettingsKeyUsage.
178 */
179 enum {
180 /* sign/verify data */
181 kSecTrustSettingsKeyUseSignature = 0x00000001,
182 /* bulk encryption */
183 kSecTrustSettingsKeyUseEnDecryptData = 0x00000002,
184 /* key wrap/unwrap */
185 kSecTrustSettingsKeyUseEnDecryptKey = 0x00000004,
186 /* sign/verify cert */
187 kSecTrustSettingsKeyUseSignCert = 0x00000008,
188 /* sign/verify CRL and OCSP */
189 kSecTrustSettingsKeyUseSignRevocation = 0x00000010,
190 /* key exchange, e.g., Diffie-Hellman */
191 kSecTrustSettingsKeyUseKeyExchange = 0x00000020,
192 /* any usage (the default if this value is not specified) */
193 kSecTrustSettingsKeyUseAny = 0xffffffff
194 };
195 typedef uint32_t SecTrustSettingsKeyUsage;
196
197 /*!
198 @enum SecTrustSettingsResult
199 @abstract Result of a trust settings evaluation.
200 */
201 enum {
202 kSecTrustSettingsResultInvalid = 0, /* Never valid in a Trust Settings array or
203 * in an API call. */
204 kSecTrustSettingsResultTrustRoot, /* Root cert is explicitly trusted */
205 kSecTrustSettingsResultTrustAsRoot, /* Non-root cert is explicitly trusted */
206 kSecTrustSettingsResultDeny, /* Cert is explicitly distrusted */
207 kSecTrustSettingsResultUnspecified /* Neither trusted nor distrusted; evaluation
208 * proceeds as usual */
209 };
210 typedef uint32_t SecTrustSettingsResult;
211
212 /*
213 * Specify user, local administrator, or system domain Trust Properties.
214 * Note that kSecTrustSettingsDomainSystem settings are read-only, even by
215 * root.
216 */
217 enum {
218 kSecTrustSettingsDomainUser = 0,
219 kSecTrustSettingsDomainAdmin,
220 kSecTrustSettingsDomainSystem
221 };
222 typedef uint32_t SecTrustSettingsDomain;
223
224 /*
225 * SecCertificateRef value indicating the default Root Certificate Trust Settings
226 * for a given domain. When evaluating Trust Settings for a root cert in
227 * a given domain, *and* no matching explicit Trust Settings exists for the
228 * root cert in questions, *and* default Root Cert Trust Settings exist
229 * in that domain which matches the evaluation condition, then the
230 * SecTrustSettingsResult for that default Trust Setting (if not
231 * kSecTrustSettingsResultUnspecified) will apply.
232 *
233 * This can be used e.g. by a system administrator to explicilty distrust all
234 * of the root certs in the (immutable) system domain for a specific policy.
235 *
236 * This const is passed as the 'SecCertificateRef certRef' argument to
237 * SecTrustSettingsCopyTrustSettings(), SecTrustSettingsSetTrustSettings(),
238 * and SecTrustSettingsRemoveTrustSettings(), and
239 * SecTrustSettingsCopyModificationDate().
240 */
241 #define kSecTrustSettingsDefaultRootCertSetting ((SecCertificateRef)-1)
242
243 #ifdef __cplusplus
244 }
245 #endif
246
247 #endif /* _SECURITY_SECTRUSTSETTINGS_H_ */