2 * Copyright (c) 2007-2016 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 The functions declared in SecPolicyPriv provide an interface to various
27 X.509 certificate trust policies.
30 #ifndef _SECURITY_SECPOLICYPRIV_H_
31 #define _SECURITY_SECPOLICYPRIV_H_
33 #include <Security/SecPolicy.h>
34 #include <Security/SecCertificate.h>
35 #include <CoreFoundation/CFArray.h>
36 #include <CoreFoundation/CFString.h>
37 #include <Availability.h>
41 CF_ASSUME_NONNULL_BEGIN
42 CF_IMPLICIT_BRIDGING_ENABLED
45 @enum Policy Constants (Private)
46 @discussion Predefined constants used to specify a policy.
47 @constant kSecPolicyAppleMobileStore
48 @constant kSecPolicyAppleTestMobileStore
49 @constant kSecPolicyAppleEscrowService
50 @constant kSecPolicyAppleProfileSigner
51 @constant kSecPolicyAppleQAProfileSigner
52 @constant kSecPolicyAppleServerAuthentication
53 @constant kSecPolicyAppleOTAPKISigner
54 @constant kSecPolicyAppleTestOTAPKISigner
55 @constant kSecPolicyAppleIDValidationRecordSigning
56 @constant kSecPolicyAppleSMPEncryption
57 @constant kSecPolicyAppleTestSMPEncryption
58 @constant kSecPolicyApplePCSEscrowService
59 @constant kSecPolicyApplePPQSigning
60 @constant kSecPolicyAppleTestPPQSigning
61 @constant kSecPolicyAppleSWUpdateSigning
62 @constant kSecPolicyApplePackageSigning
63 @constant kSecPolicyAppleOSXProvisioningProfileSigning
64 @constant kSecPolicyAppleATVVPNProfileSigning
65 @constant kSecPolicyAppleAST2DiagnosticsServerAuth
66 @constant kSecPolicyAppleEscrowProxyServerAuth
67 @constant kSecPolicyAppleFMiPServerAuth
68 @constant kSecPolicyAppleMMCService
69 @constant kSecPolicyAppleGSService
70 @constant kSecPolicyApplePPQService
71 @constant kSecPolicyAppleHomeKitServerAuth
72 @constant kSecPolicyAppleiPhoneActivation
73 @constant kSecPolicyAppleiPhoneDeviceCertificate
74 @constant kSecPolicyAppleFactoryDeviceCertificate
75 @constant kSecPolicyAppleiAP
76 @constant kSecPolicyAppleiTunesStoreURLBag
77 @constant kSecPolicyAppleiPhoneApplicationSigning
78 @constant kSecPolicyAppleiPhoneProfileApplicationSigning
79 @constant kSecPolicyAppleiPhoneProvisioningProfileSigning
80 @constant kSecPolicyAppleLockdownPairing
81 @constant kSecPolicyAppleURLBag
82 @constant kSecPolicyAppleOTATasking
83 @constant kSecPolicyAppleMobileAsset
84 @constant kSecPolicyAppleIDAuthority
85 @constant kSecPolicyAppleGenericApplePinned
86 @constant kSecPolicyAppleGenericAppleSSLPinned
87 @constant kSecPolicyAppleSoftwareSigning
88 @constant kSecPolicyAppleExternalDeveloper
89 @constant kSecPolicyAppleOCSPSigner
90 @constant kSecPolicyAppleIDSService
91 @constant kSecPolicyAppleIDSServiceContext
92 @constant kSecPolicyApplePushService
93 @constant kSecPolicyAppleLegacyPushService
94 @constant kSecPolicyAppleTVOSApplicationSigning
95 @constant kSecPolicyAppleUniqueDeviceIdentifierCertificate
96 @constant kSecPolicyAppleEscrowProxyCompatibilityServerAuth
97 @constant kSecPolicyAppleMMCSCompatibilityServerAuth
99 extern const CFStringRef kSecPolicyAppleMobileStore
100 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
101 extern const CFStringRef kSecPolicyAppleTestMobileStore
102 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
103 extern const CFStringRef kSecPolicyAppleEscrowService
104 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
105 extern const CFStringRef kSecPolicyAppleProfileSigner
106 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
107 extern const CFStringRef kSecPolicyAppleQAProfileSigner
108 __OSX_AVAILABLE_STARTING(__MAC_10_9
, __IPHONE_7_0
);
109 extern const CFStringRef kSecPolicyAppleServerAuthentication
110 __OSX_AVAILABLE_STARTING(__MAC_10_10
, __IPHONE_8_0
);
111 extern const CFStringRef kSecPolicyAppleOTAPKISigner
112 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_7_0
);
113 extern const CFStringRef kSecPolicyAppleTestOTAPKISigner
114 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_7_0
);
115 extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy
116 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_NA
, __MAC_NA
, __IPHONE_7_0
, __IPHONE_10_0
);
117 extern const CFStringRef kSecPolicyAppleIDValidationRecordSigning
118 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
119 extern const CFStringRef kSecPolicyAppleSMPEncryption
120 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_8_0
);
121 extern const CFStringRef kSecPolicyAppleTestSMPEncryption
122 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_8_0
);
123 extern const CFStringRef kSecPolicyApplePCSEscrowService
124 __OSX_AVAILABLE_STARTING(__MAC_10_10
, __IPHONE_7_0
);
125 extern const CFStringRef kSecPolicyApplePPQSigning
126 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
127 extern const CFStringRef kSecPolicyAppleTestPPQSigning
128 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
129 extern const CFStringRef kSecPolicyAppleSWUpdateSigning
130 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
131 extern const CFStringRef kSecPolicyApplePackageSigning
132 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
133 extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning
134 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
135 extern const CFStringRef kSecPolicyAppleATVVPNProfileSigning
136 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
137 extern const CFStringRef kSecPolicyAppleAST2DiagnosticsServerAuth
138 __OSX_AVAILABLE_STARTING(__MAC_10_11_4
, __IPHONE_9_3
);
139 extern const CFStringRef kSecPolicyAppleEscrowProxyServerAuth
140 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
141 extern const CFStringRef kSecPolicyAppleFMiPServerAuth
142 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
143 extern const CFStringRef kSecPolicyAppleMMCService
144 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
145 extern const CFStringRef kSecPolicyAppleGSService
146 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
147 extern const CFStringRef kSecPolicyApplePPQService
148 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
149 extern const CFStringRef kSecPolicyAppleHomeKitServerAuth
150 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
151 extern const CFStringRef kSecPolicyAppleiPhoneActivation
152 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
153 extern const CFStringRef kSecPolicyAppleiPhoneDeviceCertificate
154 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
155 extern const CFStringRef kSecPolicyAppleFactoryDeviceCertificate
156 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
157 extern const CFStringRef kSecPolicyAppleiAP
158 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
159 extern const CFStringRef kSecPolicyAppleiTunesStoreURLBag
160 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
161 extern const CFStringRef kSecPolicyAppleiPhoneApplicationSigning
162 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
163 extern const CFStringRef kSecPolicyAppleiPhoneProfileApplicationSigning
164 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
165 extern const CFStringRef kSecPolicyAppleiPhoneProvisioningProfileSigning
166 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
167 extern const CFStringRef kSecPolicyAppleLockdownPairing
168 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
169 extern const CFStringRef kSecPolicyAppleURLBag
170 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
171 extern const CFStringRef kSecPolicyAppleOTATasking
172 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
173 extern const CFStringRef kSecPolicyAppleMobileAsset
174 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
175 extern const CFStringRef kSecPolicyAppleIDAuthority
176 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
177 extern const CFStringRef kSecPolicyAppleGenericApplePinned
178 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
179 extern const CFStringRef kSecPolicyAppleGenericAppleSSLPinned
180 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
181 extern const CFStringRef kSecPolicyAppleSoftwareSigning
182 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
183 extern const CFStringRef kSecPolicyAppleExternalDeveloper
184 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
185 extern const CFStringRef kSecPolicyAppleOCSPSigner
186 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
187 extern const CFStringRef kSecPolicyAppleIDSService
188 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
189 extern const CFStringRef kSecPolicyAppleIDSServiceContext
190 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
191 extern const CFStringRef kSecPolicyApplePushService
192 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
193 extern const CFStringRef kSecPolicyAppleLegacyPushService
194 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
195 extern const CFStringRef kSecPolicyAppleTVOSApplicationSigning
196 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
197 extern const CFStringRef kSecPolicyAppleUniqueDeviceIdentifierCertificate
198 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
199 extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth
200 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
201 extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth
202 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
205 @enum Policy Value Constants
206 @abstract Predefined property key constants used to get or set values in
207 a dictionary for a policy instance.
209 All policies will have the following read-only value:
210 kSecPolicyOid (the policy object identifier)
212 Additional policy values which your code can optionally set:
213 kSecPolicyName (name which must be matched)
214 kSecPolicyClient (evaluate for client, rather than server)
215 kSecPolicyRevocationFlags (only valid for a revocation policy)
217 kSecPolicyTeamIdentifier (only valid for a Passbook signing policy)
218 kSecPolicyContext (valid for policies below that take a context parameter)
219 kSecPolicyPolicyName (only valid for GenericApplePinned or
220 GenericAppleSSLPinned policies)
221 kSecPolicyIntermediateMarkerOid (only valid for GenericApplePinned or
222 GenericAppleSSLPinned policies)
223 kSecPolicyLeafMarkerOid (only valid for GenericApplePinned or
224 GenericAppleSSLPinned policies)
225 kSecPolicyRootDigest (only valid for the UniqueDeviceCertificate policy)
227 @constant kSecPolicyContext Specifies a CFDictionaryRef with keys and values
228 specified by the particular SecPolicyCreate function.
229 @constant kSecPolicyPolicyName Specifies a CFStringRef of the name of the
230 desired policy result.
231 @constant kSecPolicyIntermediateMarkerOid Specifies a CFStringRef of the
232 marker OID (in decimal format) required in the intermediate certificate.
233 @constant kSecPolicyLeafMarkerOid Specifies a CFStringRef of the
234 marker OID (in decimal format) required in the leaf certificate.
235 @constant kSecPolicyRootDigest Specifies a CFDataRef containing the digest that must
236 match the SHA-256 hash of the root certificate.
238 extern const CFStringRef kSecPolicyContext
239 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
240 extern const CFStringRef kSecPolicyPolicyName
241 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
242 extern const CFStringRef kSecPolicyIntermediateMarkerOid
243 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
244 extern const CFStringRef kSecPolicyLeafMarkerOid
245 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
246 extern const CFStringRef kSecPolicyRootDigest
247 __OSX_AVAILABLE_STARTING(__MAC_10_12
, __IPHONE_10_0
);
251 @function SecPolicyCreateApplePinned
252 @abstract Returns a policy object for verifying Apple certificates.
253 @param policyName A string that identifies the policy name.
254 @param intermediateMarkerOID A string containing the decimal representation of the
255 extension OID in the intermediate certificate.
256 @param leafMarkerOID A string containing the decimal representation of the extension OID
257 in the leaf certificate.
258 @discussion The resulting policy uses the Basic X.509 policy with validity check and
260 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
261 the chain to be anchored to Test Apple Root CAs if the value true is set for the key
262 "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the
263 com.apple.security preferences for the user of the calling application.
264 * There are exactly 3 certs in the chain.
265 * The intermediate has a marker extension with OID matching the intermediateMarkerOID
267 * The leaf has a marker extension with OID matching the leafMarkerOID parameter.
268 * Revocation is checked via OCSP or CRL.
269 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
270 @result A policy object, or NULL if the policy could not be created. The caller is
271 responsible for calling CFRelease on this when it is no longer needed.
273 __nullable CF_RETURNS_RETAINED
274 SecPolicyRef
SecPolicyCreateApplePinned(CFStringRef policyName
,
275 CFStringRef intermediateMarkerOID
, CFStringRef leafMarkerOID
)
276 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
279 @function SecPolicyCreateAppleSSLPinned
280 @abstract Returns a policy object for verifying Apple SSL certificates.
281 @param policyName A string that identifies the service/policy name.
282 @param hostname hostname to verify the certificate name against.
283 @param intermediateMarkerOID A string containing the decimal representation of the
284 extension OID in the intermediate certificate. If NULL is passed, the default OID of
285 1.2.840.113635.100.6.2.12 is checked.
286 @param leafMarkerOID A string containing the decimal representation of the extension OID
287 in the leaf certificate.
288 @discussion The resulting policy uses the Basic X.509 policy with validity check and
290 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
291 the chain to be anchored to Test Apple Root CAs if the value true is set for the key
292 "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the
293 com.apple.security preferences for the user of the calling application.
294 * There are exactly 3 certs in the chain.
295 * The intermediate has a marker extension with OID matching the intermediateMarkerOID
296 parameter, or 1.2.840.113635.100.6.2.12 if NULL is passed.
297 * The leaf has a marker extension with OID matching the leafMarkerOID parameter.
298 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
299 extension or Common Name.
300 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
301 * Revocation is checked via OCSP or CRL.
302 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
303 For developers who need to disable pinning, this function is equivalent to SecPolicyCreateSSL
304 on internal releases if the value true is set for the key "AppleServerAuthenticationNoPinning%@"
305 (where %@ is the policyName parameter) in the com.apple.Security preferences for the user
306 of the calling application.
307 @result A policy object, or NULL if the policy could not be created. The caller is
308 responsible for calling CFRelease on this when it is no longer needed.
310 __nullable CF_RETURNS_RETAINED
311 SecPolicyRef
SecPolicyCreateAppleSSLPinned(CFStringRef policyName
, CFStringRef hostname
,
312 CFStringRef __nullable intermediateMarkerOID
, CFStringRef leafMarkerOID
)
313 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
316 @function SecPolicyCreateiPhoneActivation
317 @abstract Returns a policy object for verifying iPhone Activation
319 @discussion This policy uses the Basic X.509 policy with no validity check
321 * The chain is anchored to "Apple Root CA" certificate.
322 * There are exactly 3 certs in chain.
323 * The intermediate has Common Name "Apple iPhone Certification Authority".
324 * The leaf has Common Name "iPhone Activation".
325 @result A policy object. The caller is responsible for calling CFRelease
326 on this when it is no longer needed.
328 __nullable CF_RETURNS_RETAINED
329 SecPolicyRef
SecPolicyCreateiPhoneActivation(void);
332 @function SecPolicyCreateiPhoneDeviceCertificate
333 @abstract Returns a policy object for verifying iPhone Device certificate
335 @discussion This policy uses the Basic X.509 policy with no validity check
337 * There are exactly 4 certs in chain.
338 * The chain is anchored to "Apple Root CA" certificate.
339 * The first intermediate has Common Name "Apple iPhone Device CA".
340 @result A policy object. The caller is responsible for calling CFRelease
341 on this when it is no longer needed.
343 __nullable CF_RETURNS_RETAINED
344 SecPolicyRef
SecPolicyCreateiPhoneDeviceCertificate(void);
347 @function SecPolicyCreateFactoryDeviceCertificate
348 @abstract Returns a policy object for verifying Factory Device certificate
350 @discussion This policy uses the Basic X.509 policy with no validity check
352 * The chain is anchored to the Factory Device CA.
353 @result A policy object. The caller is responsible for calling CFRelease
354 on this when it is no longer needed.
356 __nullable CF_RETURNS_RETAINED
357 SecPolicyRef
SecPolicyCreateFactoryDeviceCertificate(void);
360 @function SecPolicyCreateiAP
361 @abstract Returns a policy object for verifying iAP certificate chains.
362 @discussion This policy uses the Basic X.509 policy with no validity check
364 * The leaf has notBefore date after 5/31/2006 midnight GMT.
365 * The leaf has Common Name beginning with "IPA_".
366 The intended use of this policy is that the caller passes in the
367 intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
368 @result A policy object. The caller is responsible for calling CFRelease
369 on this when it is no longer needed.
371 __nullable CF_RETURNS_RETAINED
372 SecPolicyRef
SecPolicyCreateiAP(void);
375 @function SecPolicyCreateiTunesStoreURLBag
376 @abstract Returns a policy object for verifying iTunes Store URL bag
378 @discussion This policy uses the Basic X.509 policy with no validity check
380 * The chain is anchored to the iTMS CA.
381 * There are exactly 2 certs in the chain.
382 * The leaf has Organization "Apple Inc.".
383 * The leaf has Common Name "iTunes Store URL Bag".
384 @result A policy object. The caller is responsible for calling CFRelease
385 on this when it is no longer needed.
387 __nullable CF_RETURNS_RETAINED
388 SecPolicyRef
SecPolicyCreateiTunesStoreURLBag(void);
391 @function SecPolicyCreateEAP
392 @abstract Returns a policy object for verifying 802.1x/EAP certificates.
393 @param server Passing true for this parameter creates a policy for EAP
395 @param trustedServerNames Optional; if present, the hostname in the leaf
396 certificate must be in the trustedServerNames list. Note that, contrary
397 to all other policies, the trustedServerNames list entries may contain wildcards
398 while the certificate cannot. This matches the existing deployments.
399 @discussion This policy uses the Basic X.509 policy with validity check but
400 disallows network fetching. If the trustedServerNames parameter is non-NULL, the
401 leaf certificate's ExtendedKeyUsage extension, if present, is verified to
402 contain the ServerAuth OID when the server parameter is true, or the
403 ClientAuth OID otherwise.
404 @result A policy object, or NULL if the policy could not be created. The caller is
405 responsible for calling CFRelease on this when it is no longer needed.
407 __nullable CF_RETURNS_RETAINED
408 SecPolicyRef
SecPolicyCreateEAP(Boolean server
, CFArrayRef __nullable trustedServerNames
);
411 @function SecPolicyCreateIPSec
412 @abstract Returns a policy object for evaluating IPSec certificate chains.
413 @param server Passing true for this parameter creates a policy for IPSec
415 @param hostname Optional; if present, the policy will require the specified
416 hostname or ip address to match the hostname in the leaf certificate.
417 @discussion This policy uses the Basic X.509 policy with validity check.
418 @result A policy object, or NULL if the policy could not be created. The caller is
419 responsible for calling CFRelease on this when it is no longer needed.
421 __nullable CF_RETURNS_RETAINED
422 SecPolicyRef
SecPolicyCreateIPSec(Boolean server
, CFStringRef __nullable hostname
);
425 @function SecPolicyCreateAppleSWUpdateSigning
426 @abstract Returns a policy object for evaluating SW update signing certs.
427 @discussion This policy uses the Basic X.509 policy with no validity check
429 * The chain is anchored to "Apple Root CA" certificate.
430 * There are exactly 3 certs in the chain.
431 * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
432 @result A policy object. The caller is responsible for calling CFRelease
433 on this when it is no longer needed.
435 __nullable CF_RETURNS_RETAINED
436 SecPolicyRef
SecPolicyCreateAppleSWUpdateSigning(void);
439 @function SecPolicyCreateApplePackageSigning
440 @abstract Returns a policy object for evaluating installer package signing certs.
441 @discussion This policy uses the Basic X.509 policy with no validity check
443 * The chain is anchored to "Apple Root CA" certificate.
444 * There are exactly 3 certs in the chain.
445 @result A policy object. The caller is responsible for calling CFRelease
446 on this when it is no longer needed.
448 __nullable CF_RETURNS_RETAINED
449 SecPolicyRef
SecPolicyCreateApplePackageSigning(void);
452 @function SecPolicyCreateiPhoneApplicationSigning
453 @abstract Returns a policy object for evaluating signed application
454 signatures. This is for apps signed directly by the app store.
455 @discussion This policy uses the Basic X.509 policy with no validity check
457 * The chain is anchored to "Apple Root CA" certificate.
458 * There are exactly 3 certs in the chain.
459 * The intermediate has Common Name "Apple iPhone Certification Authority".
460 * The leaf has Common Name "Apple iPhone OS Application Signing".
461 * If the device is not a production device and is running an internal
462 release, the leaf may have the Common Name "TEST Apple iPhone OS
463 Application Signing TEST".
464 * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
465 or the CodeSigning OID.
466 @result A policy object. The caller is responsible for calling CFRelease
467 on this when it is no longer needed.
469 __nullable CF_RETURNS_RETAINED
470 SecPolicyRef
SecPolicyCreateiPhoneApplicationSigning(void);
473 @function SecPolicyCreateiPhoneProfileApplicationSigning
474 @abstract Returns a policy object for evaluating signed application
475 signatures. This policy is for certificates inside a UPP or regular
477 @discussion This policy only verifies that the leaf is temporally valid
479 @result A policy object. The caller is responsible for calling CFRelease
480 on this when it is no longer needed.
482 __nullable CF_RETURNS_RETAINED
483 SecPolicyRef
SecPolicyCreateiPhoneProfileApplicationSigning(void);
486 @function SecPolicyCreateiPhoneProvisioningProfileSigning
487 @abstract Returns a policy object for evaluating provisioning profile signatures.
488 @discussion This policy uses the Basic X.509 policy with no validity check
490 * The chain is anchored to "Apple Root CA" certificate.
491 * There are exactly 3 certs in the chain.
492 * The intermediate has Common Name "Apple iPhone Certification Authority".
493 * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
494 * If the device is not a production device and is running an internal
495 release, the leaf may have the Common Name "TEST Apple iPhone OS
496 Provisioning Profile Signing TEST".
497 @result A policy object. The caller is responsible for calling CFRelease
498 on this when it is no longer needed.
500 __nullable CF_RETURNS_RETAINED
501 SecPolicyRef
SecPolicyCreateiPhoneProvisioningProfileSigning(void);
504 @function SecPolicyCreateAppleTVOSApplicationSigning
505 @abstract Returns a policy object for evaluating signed application
506 signatures. This is for apps signed directly by the Apple TV app store,
507 and allows for both the prod and the dev/test certs.
508 @discussion This policy uses the Basic X.509 policy with no validity check
510 * The chain is anchored to any of the production Apple Root CAs.
511 Test roots are never permitted.
512 * There are exactly 3 certs in the chain.
513 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
514 * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
516 * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
517 1.2.840.113635.100.6.1.24.1.
518 @result A policy object. The caller is responsible for calling CFRelease
519 on this when it is no longer needed.
521 __nullable CF_RETURNS_RETAINED
522 SecPolicyRef
SecPolicyCreateAppleTVOSApplicationSigning(void);
525 @function SecPolicyCreateOCSPSigner
526 @abstract Returns a policy object for evaluating OCSP response signers.
527 @discussion This policy uses the Basic X.509 policy with validity check and
528 requires the leaf to have an ExtendedKeyUsage of OCSPSigning.
529 @result A policy object. The caller is responsible for calling CFRelease
530 on this when it is no longer needed.
532 __nullable CF_RETURNS_RETAINED
533 SecPolicyRef
SecPolicyCreateOCSPSigner(void);
537 kSecSignSMIMEUsage
= (1 << 0),
538 kSecKeyEncryptSMIMEUsage
= (1 << 1),
539 kSecDataEncryptSMIMEUsage
= (1 << 2),
540 kSecKeyExchangeDecryptSMIMEUsage
= (1 << 3),
541 kSecKeyExchangeEncryptSMIMEUsage
= (1 << 4),
542 kSecKeyExchangeBothSMIMEUsage
= (1 << 5),
543 kSecAnyEncryptSMIME
= kSecKeyEncryptSMIMEUsage
| kSecDataEncryptSMIMEUsage
|
544 kSecKeyExchangeDecryptSMIMEUsage
| kSecKeyExchangeEncryptSMIMEUsage
548 @function SecPolicyCreateSMIME
549 @abstract Returns a policy object for evaluating S/MIME certificate chains.
550 @param smimeUsage Pass the bitwise OR of one or more kSecXXXSMIMEUsage
551 flags to indicate the intended usage of this certificate.
552 @param email Optional; if present, the policy will require the specified
553 email to match the email in the leaf certificate.
554 @discussion This policy uses the Basic X.509 policy with validity check and
555 requires the leaf to have
556 * a KeyUsage matching the smimeUsage,
557 * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the
558 EmailProtection OID, and
559 * if the email param is specified, the email address in the RFC822Name in the
560 SubjectAlternativeName extension or in the Email Address field of the
562 @result A policy object, or NULL if the policy could not be created. The caller is
563 responsible for calling CFRelease on this when it is no longer needed.
565 __nullable CF_RETURNS_RETAINED
566 SecPolicyRef
SecPolicyCreateSMIME(CFIndex smimeUsage
, CFStringRef __nullable email
);
569 @function SecPolicyCreateCodeSigning
570 @abstract Returns a policy object for evaluating code signing certificate chains.
571 @discussion This policy uses the Basic X.509 policy with validity check and
572 requires the leaf to have
573 * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
574 * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
575 @result A policy object. The caller is responsible for calling CFRelease
576 on this when it is no longer needed.
578 __nullable CF_RETURNS_RETAINED
579 SecPolicyRef
SecPolicyCreateCodeSigning(void);
582 @function SecPolicyCreateLockdownPairing
583 @abstract Basic X.509 policy for checking lockdown pairing certificate chains.
584 @discussion This policy checks some of the Basic X.509 policy options with no
585 validity check. It explicitly allows for empty subjects.
586 @result A policy object. The caller is responsible for calling CFRelease
587 on this when it is no longer needed.
589 __nullable CF_RETURNS_RETAINED
590 SecPolicyRef
SecPolicyCreateLockdownPairing(void);
593 @function SecPolicyCreateURLBag
594 @abstract Returns a policy object for evaluating certificate chains for signing URL bags.
595 @discussion This policy uses the Basic X.509 policy with no validity check and requires
596 that the leaf has ExtendedKeyUsage extension with the CodeSigning OID.
597 @result A policy object. The caller is responsible for calling CFRelease
598 on this when it is no longer needed.
600 __nullable CF_RETURNS_RETAINED
601 SecPolicyRef
SecPolicyCreateURLBag(void);
604 @function SecPolicyCreateOTATasking
605 @abstract Returns a policy object for evaluating certificate chains for signing OTA Tasking.
606 @discussion This policy uses the Basic X.509 policy with validity check and
608 * The chain is anchored to "Apple Root CA" certificate.
609 * There are exactly 3 certs in the chain.
610 * The leaf has Common Name "OTA Task Signing".
611 @result A policy object. The caller is responsible for calling CFRelease
612 on this when it is no longer needed.
614 __nullable CF_RETURNS_RETAINED
615 SecPolicyRef
SecPolicyCreateOTATasking(void);
618 @function SecPolicyCreateMobileAsset
619 @abstract Returns a policy object for evaluating certificate chains for signing Mobile Assets.
620 @discussion This policy uses the Basic X.509 policy with no validity check
622 * The chain is anchored to "Apple Root CA" certificate.
623 * There are exactly 3 certs in the chain.
624 * The leaf has Common Name "Asset Manifest Signing".
625 @result A policy object. The caller is responsible for calling CFRelease
626 on this when it is no longer needed.
628 __nullable CF_RETURNS_RETAINED
629 SecPolicyRef
SecPolicyCreateMobileAsset(void);
632 @function SecPolicyCreateAppleIDAuthorityPolicy
633 @abstract Returns a policy object for evaluating certificate chains for Apple ID Authority.
634 @discussion This policy uses the Basic X.509 policy with validity check
636 * The chain is anchored to "Apple Root CA" certificate.
637 * Each intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3
638 or OID 1.2.840.113635.100.6.2.7.
639 * The leaf has a marker extension with OID 1.2.840.113635.100.4.7.
640 @result A policy object. The caller is responsible for calling CFRelease
641 on this when it is no longer needed.
643 __nullable CF_RETURNS_RETAINED
644 SecPolicyRef
SecPolicyCreateAppleIDAuthorityPolicy(void);
647 @function SecPolicyCreateMacAppStoreReceipt
648 @abstract Returns a policy object for evaluating certificate chains for signing
649 Mac App Store Receipts.
650 @discussion This policy uses the Basic X.509 policy with validity check
652 * The chain is anchored to "Apple Root CA" certificate.
653 @result A policy object. The caller is responsible for calling CFRelease
654 on this when it is no longer needed.
656 __nullable CF_RETURNS_RETAINED
657 SecPolicyRef
SecPolicyCreateMacAppStoreReceipt(void);
660 @function SecPolicyCreatePassbookCardSigner
661 @abstract Returns a policy object for evaluating certificate chains for signing Passbook cards.
662 @param cardIssuer Required; must match the name in the marker extension.
663 @param teamIdentifier Optional; if present, the policy will require the specified
664 team ID to match the organizationalUnit field in the leaf certificate's subject.
665 @discussion This policy uses the Basic X.509 policy with validity check
667 * The chain is anchored to "Apple Root CA" certificate.
668 * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the
670 * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14.
671 * The leaf has a Organizational Unit matching the TeamID.
672 @result A policy object. The caller is responsible for calling CFRelease
673 on this when it is no longer needed.
675 __nullable CF_RETURNS_RETAINED
676 SecPolicyRef
SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer
,
677 CFStringRef __nullable teamIdentifier
);
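/*!
 @function SecPolicyCreateMobileStoreSigner
 @abstract Returns a policy object for evaluating Mobile Store certificate chains.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA" certificate.
 * There are exactly 3 certs in the chain.
 * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
 * The leaf has KeyUsage with the DigitalSignature bit set.
 * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMobileStoreSigner(void);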
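/*!
 @function SecPolicyCreateTestMobileStoreSigner
 @abstract Returns a policy object for evaluating Test Mobile Store certificate chains.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA" certificate.
 * There are exactly 3 certs in the chain.
 * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
 * The leaf has KeyUsage with the DigitalSignature bit set.
 * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.1.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void);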
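/*!
 @function SecPolicyCreateEscrowServiceSigner
 @abstract Returns a policy object for evaluating Escrow Service certificate chains.
 @discussion This policy uses the Basic X.509 policy with no validity check
 and pinning options:
 * The chain is anchored to the current Escrow Roots in the OTAPKI asset.
 * There are exactly 2 certs in the chain.
 * The leaf has KeyUsage with the KeyEncipherment bit set.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateEscrowServiceSigner(void);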
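/*!
 @function SecPolicyCreatePCSEscrowServiceSigner
 @abstract Returns a policy object for evaluating PCS Escrow Service certificate chains.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to the current PCS Escrow Roots in the OTAPKI asset.
 * There are exactly 2 certs in the chain.
 * The leaf has KeyUsage with the KeyEncipherment bit set.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void);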
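/*!
 @function SecPolicyCreateOSXProvisioningProfileSigning
 @abstract Returns a policy object for evaluating certificate chains for signing OS X
 Provisioning Profiles.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA" certificate.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
 * The leaf has KeyUsage with the DigitalSignature bit set.
 * The leaf has a marker extension with OID 1.2.840.113635.100.4.11.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void);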
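/*!
 @function SecPolicyCreateConfigurationProfileSigner
 @abstract Returns a policy object for evaluating certificate chains for signing
 Configuration Profiles.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA" certificate.
 * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);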
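/*!
 @function SecPolicyCreateQAConfigurationProfileSigner
 @abstract Returns a policy object for evaluating certificate chains for signing
 QA Configuration Profiles.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA" certificate.
 * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);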
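/*!
 @function SecPolicyCreateOTAPKISigner
 @abstract Returns a policy object for evaluating OTA PKI certificate chains.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to Apple PKI Settings CA.
 * There are exactly 2 certs in the chain.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateOTAPKISigner(void);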
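/*!
 @function SecPolicyCreateTestOTAPKISigner
 @abstract Returns a policy object for evaluating OTA PKI certificate chains.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to Apple Test PKI Settings CA.
 * There are exactly 2 certs in the chain.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);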
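/*!
 @function SecPolicyCreateAppleIDValidationRecordSigningPolicy
 @abstract Returns a policy object for evaluating certificate chains for signing
 Apple ID Validation Records.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA" certificate.
 * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
 or OID 1.2.840.113635.100.6.2.10.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.25.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);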
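/*!
 @function SecPolicyCreateAppleSMPEncryption
 @abstract Returns a policy object for evaluating SMP certificate chains.
 @discussion This policy uses the Basic X.509 policy with no validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA - ECC" certificate.
 * There are exactly 3 certs in the chain.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13.
 * The leaf has KeyUsage with the KeyEncipherment bit set.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.30.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleSMPEncryption(void);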
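/*!
 @function SecPolicyCreateTestAppleSMPEncryption
 @abstract Returns a policy object for evaluating Test SMP certificate chains.
 @discussion This policy uses the Basic X.509 policy with no validity check
 and pinning options:
 * The chain is anchored to a Test Apple Root with ECC public key certificate.
 * There are exactly 3 certs in the chain.
 * The intermediate has Common Name "Test Apple System Integration CA - ECC".
 * The leaf has KeyUsage with the KeyEncipherment bit set.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void);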
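/*!
 @function SecPolicyCreateApplePPQSigning
 @abstract Returns a policy object for verifying production PPQ Signing certificates.
 @discussion This policy uses the Basic X.509 policy with no validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA" certificate.
 * There are exactly 3 certs in the chain.
 * The intermediate has Common Name "Apple System Integration 2 Certification
 Authority".
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
 * The leaf has KeyUsage with the DigitalSignature bit set.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.2.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePPQSigning(void);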
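/*!
 @function SecPolicyCreateTestApplePPQSigning
 @abstract Returns a policy object for verifying test PPQ Signing certificates.
 @discussion This policy uses the Basic X.509 policy with no validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA" certificate.
 * There are exactly 3 certs in the chain.
 * The intermediate has Common Name "Apple System Integration 2 Certification
 Authority".
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
 * The leaf has KeyUsage with the DigitalSignature bit set.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.1.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateTestApplePPQSigning(void);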
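/*!
 @function SecPolicyCreateAppleIDSService
 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
 @param hostname Optional; hostname to verify the certificate name against.
 @discussion This policy uses the SSL server policy.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname);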
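/*!
 @function SecPolicyCreateAppleIDSServiceContext
 @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
 @param hostname Required; hostname to verify the certificate name against.
 @param context Optional; if present, "AppleServerAuthenticationAllowUATIDS" with value
 Boolean true will allow Test Apple roots on internal releases.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
 are permitted only on internal releases either using the context dictionary or with
 defaults write.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.4.2 or,
 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname,
    CFDictionaryRef __nullable context);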
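/*!
 @function SecPolicyCreateApplePushService
 @abstract Ensure we're appropriately pinned to the Apple Push service (SSL + Apple restrictions)
 @param hostname Required; hostname to verify the certificate name against.
 @param context Optional; if present, "AppleServerAuthenticationAllowUATAPN" with value
 Boolean true will allow Test Apple roots on internal releases.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
 are permitted only on internal releases either using the context dictionary or with
 defaults write.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.5.2 or,
 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname,
    CFDictionaryRef __nullable context);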
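/*!
 @function SecPolicyCreateApplePushServiceLegacy
 @abstract Ensure we're appropriately pinned to the Push service (via Entrust)
 @param hostname Required; hostname to verify the certificate name against.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to an Entrust Intermediate.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname);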
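/*!
 @function SecPolicyCreateAppleMMCSService
 @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)
 @param hostname Required; hostname to verify the certificate name against.
 @param context Optional; if present, "AppleServerAuthenticationAllowUATMMCS" with value
 Boolean true will allow Test Apple roots and test OIDs on internal releases.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or, if
 enabled, OID 1.2.840.113635.100.6.27.11.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via any available method.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname,
    CFDictionaryRef __nullable context);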
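/*!
 @function SecPolicyCreateAppleCompatibilityMMCSService
 @abstract Ensure we're appropriately pinned to the MMCS service using compatibility certs
 @param hostname Required; hostname to verify the certificate name against.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to the GeoTrust Global CA
 * The intermediate has a subject public key info hash matching the public key of
 the Apple IST CA G1 intermediate.
 * The chain length is 3.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or
 OID 1.2.840.113635.100.6.27.11.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname)
    __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);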
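/*!
 @function SecPolicyCreateAppleGSService
 @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions)
 @param hostname Required; hostname to verify the certificate name against.
 @param context Optional; if present, "AppleServerAuthenticationAllowUATGS" with value
 Boolean true will allow Test Apple roots on internal releases.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
 are permitted only on internal releases either using the context dictionary or with
 defaults write.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.2.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname,
    CFDictionaryRef __nullable context)
    __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);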
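/*!
 @function SecPolicyCreateApplePPQService
 @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions)
 @param hostname Required; hostname to verify the certificate name against.
 @param context Optional; if present, "AppleServerAuthenticationAllowUATPPQ" with value
 Boolean true will allow Test Apple roots on internal releases.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
 are permitted only on internal releases either using the context dictionary or with
 defaults write.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.3.2 or,
 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname,
    CFDictionaryRef __nullable context)
    __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);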
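/*!
 @function SecPolicyCreateAppleAST2Service
 @abstract Ensure we're appropriately pinned to the AST2 Diagnostic service (SSL + Apple restrictions)
 @param hostname Required; hostname to verify the certificate name against.
 @param context Optional; if present, "AppleServerAuthenticationAllowUATAST2" with value
 Boolean true will allow Test Apple roots on internal releases.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
 are permitted either using the context dictionary or with defaults write.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.8.2 or,
 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname,
    CFDictionaryRef __nullable context)
    __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);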
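/*!
 @function SecPolicyCreateAppleEscrowProxyService
 @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service (SSL + Apple restrictions)
 @param hostname Required; hostname to verify the certificate name against.
 @param context Optional; if present, "AppleServerAuthenticationAllowUATEscrow" with value
 Boolean true will allow Test Apple roots on internal releases.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs via full certificate
 comparison. Test Apple Root CAs are permitted only on internal releases either
 using the context dictionary or with defaults write.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or,
 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via CRL.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname,
    CFDictionaryRef __nullable context)
    __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);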
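/*!
 @function SecPolicyCreateAppleCompatibilityEscrowProxyService
 @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service using compatibility certs
 @param hostname Required; hostname to verify the certificate name against.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to the GeoTrust Global CA
 * The intermediate has a subject public key info hash matching the public key of
 the Apple IST CA G1 intermediate.
 * The chain length is 3.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or,
 if UAT is enabled with a defaults write (internal devices only),
 OID 1.2.840.113635.100.6.27.7.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleCompatibilityEscrowProxyService(CFStringRef hostname)
    __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);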
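/*!
 @function SecPolicyCreateAppleFMiPService
 @abstract Ensure we're appropriately pinned to the Find My iPhone service (SSL + Apple restrictions)
 @param hostname Required; hostname to verify the certificate name against.
 @param context Optional; if present, "AppleServerAuthenticationAllowUATFMiP" with value
 Boolean true will allow Test Apple roots on internal releases.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs via full certificate
 comparison. Test Apple Root CAs are permitted only on internal releases either
 using the context dictionary or with defaults write.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.6.2 or,
 if Test Roots are allowed, OID 1.2.840.113635.100.6.27.6.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via CRL.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname,
    CFDictionaryRef __nullable context)
    __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);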
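/*!
 @function SecPolicyCreateAppleSSLService
 @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
 @param hostname Optional; hostname to verify the certificate name against.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA" certificate.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef __nullable hostname);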
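/*!
 @function SecPolicyCreateAppleTimeStamping
 @abstract Returns a policy object for evaluating time stamping certificate chains.
 @discussion This policy uses the Basic X.509 policy with validity check
 and requires the leaf has ExtendedKeyUsage with the TimeStamping OID.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleTimeStamping(void);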
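/*!
 @function SecPolicyCreateApplePayIssuerEncryption
 @abstract Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains.
 @discussion This policy uses the Basic X.509 policy with no validity check
 and pinning options:
 * The chain is anchored to "Apple Root CA - ECC" certificate.
 * There are exactly 3 certs in the chain.
 * The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2".
 * The leaf has KeyUsage with the KeyEncipherment bit set.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.39.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
    __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);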
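/*!
 @function SecPolicyCreateAppleATVVPNProfileSigning
 @abstract Returns a policy object for evaluating Apple TV VPN Profile certificate chains.
 @discussion This policy uses the Basic X.509 policy with no validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
 are permitted only on internal releases.
 * There are exactly 3 certs in the chain.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.43.
 * Revocation is checked via OCSP.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
    __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);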
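/*!
 @function SecPolicyCreateAppleHomeKitServerAuth
 @abstract Ensure we're appropriately pinned to the HomeKit service (SSL + Apple restrictions)
 @param hostname Required; hostname to verify the certificate name against.
 @discussion This policy uses the Basic X.509 policy with validity check
 and pinning options:
 * The chain is anchored to any of the production Apple Root CAs via full certificate
 comparison. Test Apple Root CAs are permitted only on internal releases with defaults write.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9.
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
 extension or Common Name.
 * The leaf is checked against the Black and Gray lists.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
 * Revocation is checked via CRL.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
    __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);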
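/*!
 @function SecPolicyCreateAppleExternalDeveloper
 @abstract Returns a policy object for verifying Apple-issued external developer
 certificates.
 @discussion The resulting policy uses the Basic X.509 policy with validity check and
 pinning options:
 * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
 the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
 * There are exactly 3 certs in the chain.
 * The intermediate has a marker extension with OID matching 1.2.840.113635.100.6.2.1
 (WWDR CA) or 1.2.840.113635.100.6.2.6 (Developer ID CA).
 * The leaf has a marker extension with OID matching one of the following:
 * 1.2.840.113635.100.6.1.2 ("iPhone Developer" leaf)
 * 1.2.840.113635.100.6.1.4 ("iPhone Distribution" leaf)
 * 1.2.840.113635.100.6.1.5 ("Safari Developer" leaf)
 * 1.2.840.113635.100.6.1.7 ("3rd Party Mac Developer Application" leaf)
 * 1.2.840.113635.100.6.1.8 ("3rd Party Mac Developer Installer" leaf)
 * 1.2.840.113635.100.6.1.12 ("Mac Developer" leaf)
 * 1.2.840.113635.100.6.1.13 ("Developer ID Application" leaf)
 * 1.2.840.113635.100.6.1.14 ("Developer ID Installer" leaf)
 * The leaf has an ExtendedKeyUsage OID matching one of the following:
 * 1.3.6.1.5.5.7.3.3 (CodeSigning EKU)
 * 1.2.840.113635.100.4.8 ("Safari Developer" EKU)
 * 1.2.840.113635.100.4.9 ("3rd Party Mac Developer Installer" EKU)
 * 1.2.840.113635.100.4.13 ("Developer ID Installer" EKU)
 * Revocation is checked via OCSP or CRL.
 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
 @result A policy object. The caller is responsible for calling CFRelease on this when
 it is no longer needed.
 */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void)
    __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);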
1294 @function SecPolicyCreateAppleSoftwareSigning
1295 @abstract Returns a policy object for verifying the Apple Software Signing certificate.
1296 @discussion The resulting policy uses the Basic X.509 policy with validity check and the following pinning options:
1298 * The chain is anchored to any of the production Apple Root CAs. On internal releases only, the chain may instead
1299 be anchored to the Test Apple Root CAs when the defaults override for this policy is set; do not rely on that path in production.
1300 * There are exactly 3 certs in the chain.
1301 * The intermediate has the Common Name "Apple Code Signing Certification Authority".
1302 * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22.
1303 * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing).
1304 * Revocation is checked via OCSP or CRL.
1305 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
1306 @result A policy object. The caller is responsible for calling CFRelease on this when
1307 it is no longer needed.
1309 __nullable CF_RETURNS_RETAINED
1310 SecPolicyRef
SecPolicyCreateAppleSoftwareSigning(void)
1311 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1314 @function SecPolicyGetName
1315 @abstract Returns a policy's name.
1316 @param policy A policy reference.
1317 @result The policy's name string, or NULL.
1319 __nullable CFStringRef
SecPolicyGetName(SecPolicyRef policy
)
1320 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1323 @function SecPolicyGetOidString
1324 @abstract Returns a policy's OID as a dotted-decimal string.
1325 @param policy A policy reference.
1326 @result The policy's OID string.
1328 CFStringRef
SecPolicyGetOidString(SecPolicyRef policy
)
1329 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1332 @function SecPolicyCreateAppleUniqueDeviceCertificate
1333 @abstract Returns a policy object for verifying Unique Device Identifier Certificates.
1334 @param testRootHash Optional (may be NULL); the SHA-256 fingerprint of a test root certificate to pin to, honored only under the internal-release override described below.
1335 @discussion The resulting policy uses the Basic X.509 policy with no validity (date) check and the following pinning options:
1337 * The chain is anchored to the SEP Root CA. On internal releases only, the chain may instead be
1338 anchored to the root identified by testRootHash when the value true is set for the key
1339 "ApplePinningAllowTestCertsUCRT" in the com.apple.security preferences for the user
1340 of the calling application.
1341 * There are exactly 3 certs in the chain.
1342 * The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and a fixed expected value (the value is not shown in this excerpt).
1344 * The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1.
1345 * RSA keys are disallowed. EC key sizes are P-256 or larger.
1346 @result A policy object. The caller is responsible for calling CFRelease on this when
1347 it is no longer needed.
1349 __nullable CF_RETURNS_RETAINED
1350 SecPolicyRef
SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash
)
1351 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1353 CF_IMPLICIT_BRIDGING_DISABLED
1354 CF_ASSUME_NONNULL_END
1357 * Legacy functions (OS X only)
1359 #if TARGET_OS_MAC && !TARGET_OS_IPHONE
1361 CF_ASSUME_NONNULL_BEGIN
1362 CF_IMPLICIT_BRIDGING_ENABLED
1365 @function SecPolicyCopy
1366 @abstract Returns a copy of a policy reference based on certificate type and OID.
1367 @param certificateType A certificate type.
1368 @param policyOID The OID of the policy to find. This is a required parameter. See oidsalg.h for the list of policy OIDs.
1369 @param policy The returned policy reference. This is a required parameter.
1370 @result A result code. See "Security Error Codes" (SecBase.h).
1371 @discussion This function is deprecated in Mac OS X 10.7 and later;
1372 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h.
1374 OSStatus
SecPolicyCopy(CSSM_CERT_TYPE certificateType
, const CSSM_OID
*policyOID
, SecPolicyRef
* __nonnull CF_RETURNS_RETAINED policy
)
1375 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3
, __MAC_10_7
, __IPHONE_NA
, __IPHONE_NA
);
1378 @function SecPolicyCopyAll
1379 @abstract Returns an array of all known policies based on certificate type.
1380 @param certificateType A certificate type. This is an optional parameter; pass CSSM_CERT_UNKNOWN if the certificate type is unknown.
1381 @param policies The returned array of policies. This is a required parameter.
1382 @result A result code. See "Security Error Codes" (SecBase.h).
1383 @discussion This function is deprecated in Mac OS X 10.7 and later;
1384 to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally
1385 no reason to iterate over multiple disjoint policies, except to provide a way to edit trust settings for each
1386 policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID
1387 for each desired policy from the list of supported OID constants in SecPolicy.h.)
1389 OSStatus
SecPolicyCopyAll(CSSM_CERT_TYPE certificateType
, CFArrayRef
* __nonnull CF_RETURNS_RETAINED policies
)
1390 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3
, __MAC_10_7
, __IPHONE_NA
, __IPHONE_NA
);
1392 /* Given a unified SecPolicyRef, return a retained copy backed by a legacy
1393 C++ ItemImpl-based Policy instance. For internal use only: the returned
1394 legacy reference cannot be passed to the SecPolicy API functions. */
1395 __nullable CF_RETURNS_RETAINED
1396 SecPolicyRef
SecPolicyCreateItemImplInstance(SecPolicyRef policy
);
1398 /* Given a CSSM_OID pointer, return a string which can be passed
1399 to SecPolicyCreateWithProperties. The return value can be NULL
1400 if no supported policy was found for the OID argument. NOTE(review): the
 declaration below carries no __nullable annotation even though it sits in a
 CF_ASSUME_NONNULL region, so the compiler (and Swift import) will treat the
 result as non-null; callers must still check for NULL before use. */
1402 CFStringRef
SecPolicyGetStringForOID(CSSM_OID
* oid
);
1405 @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies
1406 @abstract Creates an array of timestamping policies from the given policy or policies, applying the same revocation behavior to each.
1407 @param policyOrArray Either a single SecPolicyRef or a CFArray of SecPolicyRef.
1408 @discussion This function is soon to be deprecated. Callers should instead build an array of the non-deprecated timestamping
1409 and revocation policies themselves.
 @result A retained CFArrayRef of policies, or NULL. The caller is responsible for calling CFRelease on it when it is no longer needed.
1411 __nullable CF_RETURNS_RETAINED
1412 CFArrayRef
SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray
);
1414 CF_IMPLICIT_BRIDGING_DISABLED
1415 CF_ASSUME_NONNULL_END
1417 #endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */
1421 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */