OSX/sec/securityd/SecTrustServer.h

   1 /*
   2  * Copyright (c) 2008-2009,2012-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  *
  23  * SecTrustServer.h - certificate trust evaluation engine
  24  *
  25  *
  26  */
  27
  28 #ifndef _SECURITY_SECTRUSTSERVER_H_
  29 #define _SECURITY_SECTRUSTSERVER_H_
  30
  31 #include <CoreFoundation/CFString.h>
  32
  33 #include <Security/SecCertificatePath.h>
  34 #include <Security/SecTrust.h>
  35 #include <Security/SecBasePriv.h> /* For errSecWaitForCallback. */
  36 #include <mach/port.h>
  37
  38
  39 __BEGIN_DECLS
  40
  41
  42 /* args_in keys. */
  43 #define kSecTrustCertificatesKey "certificates"
  44 #define kSecTrustAnchorsKey "anchors"
  45 #define kSecTrustAnchorsOnlyKey "anchorsOnly"
  46 #define kSecTrustPoliciesKey "policies"
  47 #define kSecTrustResponsesKey "responses"
  48 #define kSecTrustSCTsKey "scts"
  49 #define kSecTrustTrustedLogsKey "trustedLogs"
  50 #define kSecTrustVerifyDateKey "verifyDate"
  51
  52 /* args_out keys. */
  53 #define kSecTrustDetailsKey "details"
  54 #define kSecTrustChainKey "chain"
  55 #define kSecTrustResultKey "result"
  56 #define kSecTrustInfoKey "info"
  57
  58 typedef struct SecPathBuilder *SecPathBuilderRef;
  59
  60 /* Completion callback.  You should call SecTrustSessionDestroy from this. */
  61 typedef void(*SecPathBuilderCompleted)(const void *userData,
  62     SecCertificatePathRef chain, CFArrayRef details, CFDictionaryRef info,
  63     SecTrustResultType result);
  64
  65 /* Returns a new trust path builder and policy evaluation engine instance. */
  66 SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken,
  67     CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly,
  68     CFArrayRef policies, CFArrayRef ocspResponse,
  69     CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs,
  70     CFAbsoluteTime verifyTime, CFArrayRef accessGroups,
  71     SecPathBuilderCompleted completed, const void *userData);
  72
  73 /* Returns true if it's ok to perform network operations for this builder. */
  74 bool SecPathBuilderCanAccessNetwork(SecPathBuilderRef builder);
  75
  76 /* Disable or enable network access for this builder if allow is false
  77    network access will be disabled. */
  78 void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow);
  79
  80 /* Get the stapled SCTs */
  81 CFArrayRef SecPathBuilderCopySignedCertificateTimestamps(SecPathBuilderRef builder);
  82 CFArrayRef SecPathBuilderCopyOCSPResponses(SecPathBuilderRef builder);
  83 CFArrayRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder);
  84
  85 /* Core of the trust evaluation engine, this will invoke the completed
  86    callback and return false if the evaluation completed, or return true if
  87    the evaluation is still waiting for some external event (usually the
  88    network). */
  89 bool SecPathBuilderStep(SecPathBuilderRef builder);
  90
  91 /* Return the dispatch queue to be used by this builder. */
  92 dispatch_queue_t SecPathBuilderGetQueue(SecPathBuilderRef builder);
  93
  94 /* Return the client audit token associated with this path builder,
  95    which caller must release, or NULL if there is no external client. */
  96 CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder);
  97
  98 /* Evaluate trust and call evaluated when done. */
  99 void SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error));
 100
 101 /* Synchronously invoke SecTrustServerEvaluateBlock. */
 102 SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error);
 103
 104 void InitializeAnchorTable(void);
 105
 106 __END_DECLS
 107
 108 #endif /* !_SECURITY_SECTRUSTSERVER_H_ */