Keychain/Trust.h

   1 /*
   2  * Copyright (c) 2002 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * The contents of this file constitute Original Code as defined in and are
   5  * subject to the Apple Public Source License Version 1.2 (the 'License').
   6  * You may not use this file except in compliance with the License. Please obtain
   7  * a copy of the License at http://www.apple.com/publicsource and read it before
   8  * using this file.
   9  *
  10  * This Original Code and all software distributed under the License are
  11  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
  12  * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
  13  * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
  14  * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
  15  * specific language governing rights and limitations under the License.
  16  */
  17
  18 //
  19 // Trust.h - Trust control wrappers
  20 //
  21 #ifndef _SECURITY_TRUST_H_
  22 #define _SECURITY_TRUST_H_
  23
  24 #include <Security/SecRuntime.h>
  25 #include <CoreFoundation/CoreFoundation.h>
  26 #include <Security/StorageManager.h>
  27 #include <Security/tpclient.h>
  28 #include <Security/cfutilities.h>
  29 #include <Security/SecTrust.h>
  30 #include <Security/Certificate.h>
  31 #include <Security/Policies.h>
  32 #include <Security/TrustStore.h>
  33 #include <vector>
  34
  35 using namespace CssmClient;
  36
  37 namespace Security {
  38 namespace KeychainCore {
  39
  40
  41 //
  42 // The Trust object manages trust-verification workflow.
  43 // As such, it represents a somewhat more complex concept than
  44 // a single "object".
  45 //
  46 class Trust : public SecCFObject
  47 {
  48         NOCOPY(Trust)
  49 public:
  50         SECCFFUNCTIONS(Trust, SecTrustRef, errSecInvalidItemRef)
  51
  52     Trust(CFTypeRef certificates, CFTypeRef policies);
  53     virtual ~Trust() throw();
  54
  55         // set (or reset) more input parameters
  56         void policies(CFTypeRef policies)                       { mPolicies.take(cfArrayize(policies)); }
  57     void action(CSSM_TP_ACTION action)                  { mAction = action; }
  58     void actionData(CFDataRef data)                             { mActionData = data; }
  59     void time(CFDateRef verifyTime)                             { mVerifyTime = verifyTime; }
  60     void anchors(CFArrayRef anchorList)                 { mAnchors.take(cfArrayize(anchorList)); }
  61     StorageManager::KeychainList &searchLibs()  { return mSearchLibs; }
  62
  63         // perform evaluation
  64     void evaluate();
  65
  66         // get at evaluation results
  67     void buildEvidence(CFArrayRef &certChain, TPEvidenceInfo * &statusChain);
  68     CSSM_TP_VERIFY_CONTEXT_RESULT_PTR cssmResult();
  69
  70     SecTrustResultType result() const                   { return mResult; }
  71         OSStatus cssmResultCode() const                         { return mTpReturn; }
  72     TP getTPHandle() const                                              { return mTP; }
  73
  74         // an independent release function for TP evidence results
  75         // (yes, we could hand this out to the C layer if desired)
  76         static void releaseTPEvidence(TPVerifyResult &result, CssmAllocator &allocator);
  77
  78 private:
  79     SecTrustResultType diagnoseOutcome();
  80     void evaluateUserTrust(const CertGroup &certs,
  81         const CSSM_TP_APPLE_EVIDENCE_INFO *info,
  82                 CFCopyRef<CFArrayRef> anchors);
  83         void clearResults();
  84
  85         Keychain keychainByDLDb(const CSSM_DL_DB_HANDLE &handle) const;
  86
  87 private:
  88     TP mTP;                                                     // our TP
  89
  90     // input arguments: set up before evaluate()
  91     CSSM_TP_ACTION mAction;                     // TP action to verify
  92     CFRef<CFDataRef> mActionData;       // action data
  93     CFRef<CFDateRef> mVerifyTime;       // verification "now"
  94     CFRef<CFArrayRef> mCerts;           // certificates to verify (item 1 is subject)
  95     CFRef<CFArrayRef> mPolicies;        // array of policy objects to control verification
  96     CFRef<CFArrayRef> mAnchors;         // array of anchor certs
  97     StorageManager::KeychainList mSearchLibs; // array of databases to search
  98
  99     // evaluation results: set as a result of evaluate()
 100     SecTrustResultType mResult;         // result classification
 101     uint32 mResultIndex;                        // which result cert made the decision?
 102     OSStatus mTpReturn;                         // return code from TP Verify
 103     TPVerifyResult mTpResult;           // result of latest TP verify
 104
 105     vector< SecPointer<Certificate> > mCertChain; // distilled certificate chain
 106
 107     // information returned to caller but owned by us
 108     CFRef<CFArrayRef> mEvidenceReturned; // evidence chain returned
 109
 110 public:
 111     static ModuleNexus<TrustStore> Trust::gStore;
 112 };
 113
 114 } // end namespace KeychainCore
 115
 116 } // end namespace Security
 117
 118 #endif // !_SECURITY_TRUST_H_