/*
 * Copyright (c) 2006-2008,2010 Apple Inc. All Rights Reserved.
 */

/*
 * sslAppUtils.h
 *
 * Shared helpers for the sslViewer command-line test tools: human-readable
 * names for SecureTransport enums and OSStatus codes, keychain / certificate
 * loading, trusted-anchor setup on an SSLContextRef, cipher-suite and protocol
 * restriction, and expected-vs-actual result checks.
 *
 * This header holds declarations only; the implementations live in the
 * matching source files, which are not shown here. Where a comment below
 * says "presumably", the behavior is inferred from the signature and should be
 * confirmed against the implementation.
 */

#ifndef _SSLS_APP_UTILS_H_
#define _SSLS_APP_UTILS_H_ 1

#include <Security/SecBase.h>
#include <Security/SecureTransport.h>
#include <Security/SecureTransportPriv.h>
#include <CoreFoundation/CFArray.h>
#include <stdbool.h>
#include <Security/SecCertificate.h>

#ifdef __cplusplus
extern "C" {
#endif

/* disable some Panther-only features */
#define JAGUAR_BUILD 0

/*
 * Stringifiers for SecureTransport values. Each returns a pointer to a
 * constant C string naming the value. NOTE(review): presumably a static
 * string that the caller must not free -- confirm against the implementation.
 */
const char *sslGetCipherSuiteString(SSLCipherSuite cs);
const char *sslGetProtocolVersionString(SSLProtocol prot);
const char *sslGetSSLErrString(OSStatus err);
/*
 * Print a diagnostic naming the failed operation (op) together with the
 * string for err. Exact output format is defined by the implementation.
 */
void printSslErrStr(const char *op, OSStatus err);
const char *sslGetClientCertStateString(SSLClientCertificateState state);
const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);

/*
 * Load identity certificates from a keychain.
 *   kcName            keychain to open; NULL selects the default keychain.
 *   encryptOnly       presumably restricts the selection to encryption-capable
 *                     identities -- confirm in the implementation.
 *   completeCertChain when true the chain is completed (see
 *                     sslCompleteCertChain below).
 *   anchorFile        optional file holding an additional trusted anchor.
 *   pKcRef            RETURNED: the keychain that was opened.
 * Returns a CFArrayRef of the selected certificates. NOTE(review): ownership
 * of the returned array and of *pKcRef presumably follows the CF Create rule
 * (caller releases) -- confirm.
 */
CFArrayRef getSslCerts(
const char *kcName, // may be NULL, i.e., use default
bool encryptOnly,
bool completeCertChain,
const char *anchorFile, // optional trusted anchor
SecKeychainRef *pKcRef); // RETURNED
/*
 * Build the full certificate chain for identity, optionally treating
 * trustedAnchor as an extra anchor while doing so. When includeRoot is true
 * the root certificate is placed in *outArray as well. *outArray is created
 * by this call and returned to the caller (presumably caller-owned per the CF
 * Create rule -- confirm). Returns an OSStatus; nonzero indicates failure.
 */
OSStatus sslCompleteCertChain(
SecIdentityRef identity,
SecCertificateRef trustedAnchor, // optional additional trusted anchor
bool includeRoot, // include the root in outArray
// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
CFArrayRef *outArray); // created and RETURNED
/*
 * Convert an already-opened keychain into an array of certificates. The
 * encryptOnly / completeCertChain flags presumably have the same meaning as
 * in getSslCerts; trustedAnchorFile is an optional extra anchor used when
 * completing the chain. Ownership of the returned array: see getSslCerts.
 */
CFArrayRef sslKcRefToCertArray(
SecKeychainRef kcRef,
bool encryptOnly,
bool completeCertChain,
// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL policy to complete
const char *trustedAnchorFile);

/*
 * Trust-anchor management on an SSLContextRef.
 *
 * addTrustedSecCert  adds secCert as a trusted anchor on ctx. When
 *                    replaceAnchors is true the context's existing anchors are
 *                    replaced rather than extended (inferred from the name --
 *                    confirm).
 * sslReadAnchor      reads a certificate from anchorFile into *certRef.
 * sslAddTrustedRoot  convenience: read anchorFile and add it via the above.
 * Each returns an OSStatus; check the return value, not just errSecSuccess
 * side effects, before relying on the anchor being installed.
 */
OSStatus addTrustedSecCert(
SSLContextRef ctx,
SecCertificateRef secCert,
bool replaceAnchors);
OSStatus sslReadAnchor(
const char *anchorFile,
SecCertificateRef *certRef);
OSStatus sslAddTrustedRoot(
SSLContextRef ctx,
const char *anchorFile,
bool replaceAnchors);

/*
 * Assume incoming identity contains a root (e.g., created by
 * certtool) and add that cert to ST's trusted anchors. This
 * enables ST's verify of the incoming chain to succeed without
 * a kludgy "AllowAnyRoot" specification.
 *
 * NOTE(review): this trusts whatever root arrived inside identArray rather
 * than an independently configured anchor, so it is only meaningful in a test
 * harness where the identity was generated locally, as described above. It is
 * not a substitute for real anchor configuration.
 */
OSStatus addIdentityAsTrustedRoot(
SSLContextRef ctx,
CFArrayRef identArray);

/*
 * Add every root certificate found in keychain as a trusted anchor on ctx.
 * *foundOne is RETURNED and presumably set to true when at least one root was
 * added -- confirm in the implementation.
 */
OSStatus sslAddTrustedRoots(
SSLContextRef ctx,
SecKeychainRef keychain,
bool *foundOne);

/*
 * Progress indicator used by the tools; presumably writes a single '.' --
 * confirm.
 */
void sslOutputDot(void);

/*
 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
 *
 * Each list is presumably terminated by SSL_NO_SUCH_CIPHERSUITE, matching the
 * contract of sslSetEnabledCiphers below -- confirm in the implementation.
 *
 * NOTE(review): suites40, suitesDES, suitesDES40, suitesRC4, suitesRC4_40,
 * suitesRC2, suites_MD5 and suitesDHAnon name export-grade, broken or
 * unauthenticated cipher suites. They exist so the test tool can exercise
 * restricted negotiations and interoperability cases; nothing in this header
 * makes them defaults, and they should not be enabled outside such testing.
 */
extern const SSLCipherSuite suites40[];
extern const SSLCipherSuite suitesDES[];
extern const SSLCipherSuite suitesDES40[];
extern const SSLCipherSuite suites3DES[];
extern const SSLCipherSuite suitesRC4[];
extern const SSLCipherSuite suitesRC4_40[];
extern const SSLCipherSuite suitesRC2[];
extern const SSLCipherSuite suitesAES128[];
extern const SSLCipherSuite suitesAES256[];
extern const SSLCipherSuite suitesDH[];
extern const SSLCipherSuite suitesDHAnon[];
extern const SSLCipherSuite suitesDH_RSA[];
extern const SSLCipherSuite suitesDH_DSS[];
extern const SSLCipherSuite suites_SHA1[];
extern const SSLCipherSuite suites_MD5[];
extern const SSLCipherSuite suites_ECDHE[];
extern const SSLCipherSuite suites_ECDH[];

/*
 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
 * supports and do a SSLSetEnabledCiphers() specifying those.
 *
 * Because unsupported entries are silently dropped, a caller that passes only
 * unsupported suites may end up with an empty enabled set; check the returned
 * OSStatus and, if the exact set matters, query SSLGetEnabledCiphers afterward.
 */
OSStatus sslSetEnabledCiphers(
SSLContextRef ctx,
const SSLCipherSuite *ciphers);

/*
 * Specify restricted sets of cipherspecs and protocols.
 *
 * cipherRestrict is a single selector character; the mapping from character
 * to one of the suite lists above is defined in the implementation.
 */
OSStatus sslSetCipherRestrictions(
SSLContextRef ctx,
char cipherRestrict);

#ifndef SPHINX
/*
 * Configure the protocol versions ctx may negotiate. The syntax of the
 * acceptedProts string is defined by the implementation; tryVersion is
 * consulted only when acceptedProts is NULL.
 */
OSStatus sslSetProtocols(
SSLContextRef ctx,
const char *acceptedProts,
SSLProtocol tryVersion); // only used if acceptedProts NULL
#endif

/*
 * Expected-vs-actual checks used by the test drivers. whichSide labels the
 * report ("client" or "server"). NOTE(review): by analogy with sslCheckFile
 * below, a nonzero return presumably signals a mismatch -- confirm against
 * the implementation before using the value in pass/fail accounting.
 */
int sslVerifyRtn(
const char *whichSide, // "client" or "server"
OSStatus expectRtn,
OSStatus gotRtn);
int sslVerifyProtVers(
const char *whichSide, // "client" or "server"
SSLProtocol expectProt,
SSLProtocol gotProt);
int sslVerifyClientCertState(
const char *whichSide, // "client" or "server"
SSLClientCertificateState expectState,
SSLClientCertificateState gotState);
int sslVerifyCipher(
const char *whichSide, // "client" or "server"
SSLCipherSuite expectCipher,
SSLCipherSuite gotCipher);


/*
 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
 *
 * kcRef NULL means the default keychain list is searched. *outArray is
 * created here and returned to the caller (presumably caller-owned per the CF
 * Create rule -- confirm).
 */
OSStatus sslIdentityPicker(
SecKeychainRef kcRef, // NULL means use default list
const char *trustedAnchor, // optional additional trusted anchor
bool includeRoot, // true --> root is appended to outArray
// false --> root not included
// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
CFArrayRef *outArray); // created and RETURNED

/*
 * Resolve a keychain name to a filesystem path. kcPath must be a
 * caller-allocated buffer of at least MAXPATHLEN bytes: no length parameter
 * is taken, so a smaller buffer cannot be detected by the callee.
 */
void sslKeychainPath(
const char *kcName,
char *kcPath); // allocd by caller, MAXPATHLEN

/* Verify presence of required file. Returns nonzero if not found. */
int sslCheckFile(const char *path);

/* Stringify a SSL_ECDSA_NamedCurve */
extern const char *sslCurveString(
SSL_ECDSA_NamedCurve namedCurve);

/*
 * Build a SecKeyRef from a DER-encoded private key, and a certificate chain
 * array from a DER private key plus a DER certificate. The ecdsa flag
 * presumably selects EC vs. RSA key handling -- confirm. Both take explicit
 * (pointer, length) pairs; the caller is responsible for passing the true
 * buffer lengths, since the callee has no other bound on the DER input.
 */
SecKeyRef create_private_key_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len);
CFArrayRef chain_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len, const unsigned char *cert_der, size_t cert_der_len);

#ifdef __cplusplus
}
#endif

#endif /* _SSLS_APP_UTILS_H_ */