OSX/libsecurity_keychain/lib/SecTrustSettingsPriv.h

   1 /*
   2  * Copyright (c) 2006,2011,2014-2015 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*
  25  * SecTrustSettingsPriv.h - TrustSettings SPI functions.
  26  */
  27
  28 #ifndef _SEC_TRUST_SETTINGS_PRIV_H_
  29 #define _SEC_TRUST_SETTINGS_PRIV_H_
  30
  31 #include <CoreFoundation/CoreFoundation.h>
  32 #include <Security/cssmtype.h>
  33 #include <Security/SecPolicy.h>
  34 #include <Security/SecCertificate.h>
  35 #include <Security/SecTrustSettings.h>
  36
  37 #ifdef __cplusplus
  38 extern "C" {
  39 #endif
  40
  41 /*
  42  * A private key in the Usage Contraints dictionary.
  43  */
  44 #define kSecTrustSettingsPolicyName                     CFSTR("kSecTrustSettingsPolicyName")
  45
  46 /*
  47  * Fundamental routine used by TP to ascertain status of one cert.
  48  *
  49  * Returns true in *foundMatchingEntry if a trust setting matching
  50  * specific constraints was found for the cert. Returns true in
  51  * *foundAnyEntry if any entry was found for the cert, even if it
  52  * did not match the specified constraints. The TP uses this to
  53  * optimize for the case where a cert is being evaluated for
  54  * one type of usage, and then later for another type. If
  55  * foundAnyEntry is false, the second evaluation need not occur.
  56  *
  57  * Returns the domain in which a setting was found in *foundDomain.
  58  *
  59  * Allowed errors applying to the specified cert evaluation
  60  * are returned in a mallocd array in *allowedErrors and must
  61  * be freed by caller.
  62  */
  63 OSStatus SecTrustSettingsEvaluateCert(
  64         CFStringRef                                     certHashStr,
  65         /* parameters describing the current cert evalaution */
  66         const CSSM_OID                          *policyOID,
  67         const char                                      *policyString,          /* optional */
  68         uint32                                          policyStringLen,
  69         SecTrustSettingsKeyUsage        keyUsage,                       /* optional */
  70         bool                                            isRootCert,                     /* for checking default setting */
  71         /* RETURNED values */
  72         SecTrustSettingsDomain          *foundDomain,
  73         CSSM_RETURN                                     **allowedErrors,        /* mallocd and RETURNED */
  74         uint32                                          *numAllowedErrors,      /* RETURNED */
  75         SecTrustSettingsResult          *resultType,            /* RETURNED */
  76         bool                                            *foundMatchingEntry,/* RETURNED */
  77         bool                                            *foundAnyEntry);        /* RETURNED */
  78
  79 /*
  80  * Obtain trusted certs which match specified usage.
  81  * Only certs with a SecTrustSettingsResult of
  82  * kSecTrustSettingsResultTrustRoot or
  83  * or kSecTrustSettingsResultTrustAsRoot will be returned.
  84  *
  85  * To be used by SecureTransport for its (hopefully soon-to-be-
  86  * deprecated) SSLSetTrustedRoots() call; I hope nothing else has
  87  * to use this...
  88  *
  89  * Caller must CFRelease the returned CFArrayRef.
  90  */
  91 OSStatus SecTrustSettingsCopyQualifiedCerts(
  92         const CSSM_OID                          *policyOID,
  93         const char                                      *policyString,          /* optional */
  94         uint32                                          policyStringLen,
  95         SecTrustSettingsKeyUsage        keyUsage,                       /* optional */
  96         CFArrayRef                                      *certArray);            /* RETURNED */
  97
  98 /*
  99  * Obtain unrestricted root certificates from the specified domain(s).
 100  * Only returns root certificates with no usage constraints.
 101  * Caller must CFRelease the returned CFArrayRef.
 102  */
 103 OSStatus SecTrustSettingsCopyUnrestrictedRoots(
 104         Boolean                                 userDomain,
 105         Boolean                                 adminDomain,
 106         Boolean                                 systemDomain,
 107         CFArrayRef                              *certArray);            /* RETURNED */
 108
 109 /*
 110  * Obtain a string representing a cert's SHA1 digest. This string is
 111  * the key used to look up per-cert trust settings in a TrustSettings record.
 112  */
 113 CFStringRef SecTrustSettingsCertHashStrFromCert(
 114         SecCertificateRef certRef);
 115
 116 CFStringRef SecTrustSettingsCertHashStrFromData(
 117         const void *cert,
 118         size_t certLen);
 119
 120 /*
 121  * Add a cert's TrustSettings to a non-persistent TrustSettings record.
 122  * Primarily intended for use in creating a system TrustSettings record
 123  * (which is itself immutable via this module).
 124  *
 125  * The settingsIn argument is an external representation of a TrustSettings
 126  * record, obtained from this function or from
 127  * SecTrustSettingsCreateExternalRepresentation().
 128  * If settingsIn is NULL, a new (empty) TrustSettings will be created.
 129  *
 130  * The certRef and trustSettingsDictOrArray arguments are as in
 131  * SecTrustSettingsSetTrustSettings(). May be NULL, when e.g. creating
 132  * a new and empty TrustSettings record.
 133  *
 134  * The external representation is written to the settingOut argument,
 135  * which must eventually be CFReleased by the caller.
 136  */
 137 OSStatus SecTrustSettingsSetTrustSettingsExternal(
 138         CFDataRef                       settingsIn,                                     /* optional */
 139         SecCertificateRef       certRef,                                        /* optional */
 140         CFTypeRef                       trustSettingsDictOrArray,       /* optional */
 141         CFDataRef                       *settingsOut);                          /* RETURNED */
 142
 143 /*
 144  * Purge the cache of User and Admin Certs
 145  */
 146 void SecTrustSettingsPurgeUserAdminCertsCache(void);
 147
 148 /*
 149  * A wrapper around SecTrustSettingsCopyCertificates that combines user and admin
 150  * domain outputs.
 151  */
 152 OSStatus SecTrustSettingsCopyCertificatesForUserAdminDomains(
 153     CFArrayRef CF_RETURNS_RETAINED *certArray);
 154
 155 #ifdef __cplusplus
 156 }
 157 #endif
 158
 159 #endif  /* _SEC_TRUST_SETTINGS_PRIV_H_ */
 160