SEC_CONST_DECL (kSecPolicyAppleTestPPQSigning, "1.2.840.113625.100.1.36");
SEC_CONST_DECL (kSecPolicyAppleATVAppSigning, "1.2.840.113625.100.1.37");
SEC_CONST_DECL (kSecPolicyAppleTestATVAppSigning, "1.2.840.113625.100.1.38");
+SEC_CONST_DECL (kSecPolicyApplePayIssuerEncryption, "1.2.840.113625.100.1.39");
+SEC_CONST_DECL (kSecPolicyAppleOSXProvisioningProfileSigning, "1.2.840.113625.100.1.40");
+SEC_CONST_DECL (kSecPolicyAppleAST2DiagnosticsServerAuth, "1.2.840.113625.100.1.42");
SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid");
SEC_CONST_DECL (kSecPolicyName, "SecPolicyName");
{ kSecPolicyAppleQAProfileSigner, &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING },
{ kSecPolicyAppleTestMobileStore, &CSSMOID_APPLE_TP_TEST_MOBILE_STORE },
{ kSecPolicyApplePCSEscrowService, &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE },
-};
-
-// TBD: have only one set of policy identifiers in SecPolicy.c so we can get rid of this
-const oidmap_entry_t oidmap_priv[] = {
- { CFSTR("basicX509"), &CSSMOID_APPLE_X509_BASIC },
- { CFSTR("sslServer"), &CSSMOID_APPLE_TP_SSL },
- { CFSTR("sslClient"), &CSSMOID_APPLE_TP_SSL },
- { CFSTR("SMIME"), &CSSMOID_APPLE_TP_SMIME },
- { CFSTR("eapServer"), &CSSMOID_APPLE_TP_EAP },
- { CFSTR("eapClient"), &CSSMOID_APPLE_TP_EAP },
- { CFSTR("AppleSWUpdateSigning"), &CSSMOID_APPLE_TP_SW_UPDATE_SIGNING },
- { CFSTR("ipsecServer"), &CSSMOID_APPLE_TP_IP_SEC },
- { CFSTR("ipsecClient"), &CSSMOID_APPLE_TP_IP_SEC },
- { CFSTR("CodeSigning"), &CSSMOID_APPLE_TP_CODE_SIGNING },
- { CFSTR("PackageSigning"), &CSSMOID_APPLE_TP_PACKAGE_SIGNING },
- { CFSTR("AppleIDAuthority"), &CSSMOID_APPLE_TP_APPLEID_SHARING },
- { CFSTR("MacAppStoreReceipt"), &CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT },
- { CFSTR("AppleTimeStamping"), &CSSMOID_APPLE_TP_TIMESTAMPING },
- { CFSTR("revocation"), &CSSMOID_APPLE_TP_REVOCATION },
- { CFSTR("ApplePassbook"), &CSSMOID_APPLE_TP_PASSBOOK_SIGNING },
- { CFSTR("AppleMobileStore"), &CSSMOID_APPLE_TP_MOBILE_STORE },
- { CFSTR("AppleEscrowService"), &CSSMOID_APPLE_TP_ESCROW_SERVICE },
- { CFSTR("AppleProfileSigner"), &CSSMOID_APPLE_TP_PROFILE_SIGNING },
- { CFSTR("AppleQAProfileSigner"), &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING },
- { CFSTR("AppleTestMobileStore"), &CSSMOID_APPLE_TP_TEST_MOBILE_STORE },
- { CFSTR("ApplePCSEscrowService"), &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE },
+ { kSecPolicyAppleOSXProvisioningProfileSigning, &CSSMOID_APPLE_TP_PROVISIONING_PROFILE_SIGNING },
};
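Review bot: The table gains an entry only for `kSecPolicyAppleOSXProvisioningProfileSigning`, while the other two constants this commit declares, `kSecPolicyApplePayIssuerEncryption` and `kSecPolicyAppleAST2DiagnosticsServerAuth`, get no mapping here. If this is the table that the OID lookup in `_SecPolicyCreateWithOID` consults (the lookup itself is outside this hunk), those two identifiers will not resolve to a CSSM policy OID and callers passing them will get NULL back. Either add their CSSMOID entries or record the omission next to the new line, e.g. `/* kSecPolicyApplePayIssuerEncryption and kSecPolicyAppleAST2DiagnosticsServerAuth have no CSSM OID mapping yet */`. The table's start is outside the hunk.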
//
}
#endif
-/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA) */
-SecPolicyRef
-SecPolicyCreateWithOID(CFTypeRef policyOID)
+static SecPolicyRef
+_SecPolicyCreateWithOID(CFTypeRef policyOID)
{
// for now, we only accept the policy constants that are defined in SecPolicy.h
CFStringRef oidStr = (CFStringRef)policyOID;
OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, oidPtr, NULL, &policySearch);
if (!status && policySearch) {
status = SecPolicySearchCopyNext(policySearch, &policy);
+ if (status != errSecSuccess) {
+ policy = NULL;
+ }
CFRelease(policySearch);
}
if (!policy && CFEqual(policyOID, kSecPolicyAppleRevocation)) {
}
#endif
}
+ return policy;
+}
+
+/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA) */
+SecPolicyRef
+SecPolicyCreateWithOID(CFTypeRef policyOID)
+{
+ SecPolicyRef policy = _SecPolicyCreateWithOID(policyOID);
if (!policy) {
syslog(LOG_ERR, "WARNING: SecPolicyCreateWithOID was unable to return the requested policy. This function was deprecated in 10.9. Please use supported SecPolicy creation functions instead.");
}
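Review bot: The new static `_SecPolicyCreateWithOID` carries no comment saying why it exists next to the public `SecPolicyCreateWithOID`, whose body is now just the syslog plus a call to it. The one behavioural difference visible in the hunk is that the helper returns NULL silently for an identifier it cannot resolve (the added `policy = NULL` on `SecPolicySearchCopyNext` failure), so internal callers of supported APIs are not logged as using a deprecated function. Suggest a header comment on the static function: `/* Lookup without the deprecation syslog; returns NULL when the identifier does not resolve. Caller owns the returned reference. */`. If `SecPolicySearchCopyNext` can hand back a non-NULL object together with a failure status (not visible here), the added assignment would drop that reference without releasing it; worth confirming. The helper's body is only partly inside the hunk.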
SecPolicyRef
SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, CFDictionaryRef properties)
{
- SecPolicyRef policy = SecPolicyCreateWithOID(policyIdentifier);
+ SecPolicyRef policy = _SecPolicyCreateWithOID(policyIdentifier);
SecPolicySetProperties(policy, properties);
return policy;
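Review bot: `SecPolicySetProperties(policy, properties)` on the line after the changed call is still reached when `_SecPolicyCreateWithOID` returns NULL, which the helper now does explicitly for an unresolvable identifier; unless `SecPolicySetProperties` tolerates a NULL policy (not visible here), that is a NULL dereference on a public entry point fed by caller-supplied identifiers. Add `if (!policy) { return NULL; }` before the `SecPolicySetProperties` call. Note also that switching to the internal helper means an unknown identifier passed to this supported API no longer produces the syslog line the deprecated wrapper emits, which looks intended but may be worth a one-line comment.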
return SecPolicyCreateSSL(true, hostname);
}
+SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef __unused context)
+{
+ return SecPolicyCreateSSL(true, hostname);
+}
+
+SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
+{
+ return SecPolicyCreateSSL(true, hostname);
+}
+
+#if !SECTRUST_OSX
+/* new in 10.11 */
SecPolicyRef SecPolicyCreateAppleATVAppSigning(void)
{
- return SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
+ return _SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
}
+#endif
+#if !SECTRUST_OSX
+/* new in 10.11 */
SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void)
{
- return SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
+ return _SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
}
+#endif
+#if !SECTRUST_OSX
+/* new in 10.11 */
SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
{
- return SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
+ return _SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
}
+#endif
+
+#if !SECTRUST_OSX
+/* new in 10.11 */
+SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void)
+{
+ return _SecPolicyCreateWithOID(kSecPolicyAppleOSXProvisioningProfileSigning);
+}
+#endif
+
+
+#if !SECTRUST_OSX
+/* new in 10.11 */
+SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
+{
+ return _SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
+}
+#endif
#if !SECTRUST_OSX
SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname)
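Review bot: The new constructors do not use the policy identifiers they are named for: `SecPolicyCreateAppleAST2Service` ignores `context` and returns the generic SSL server policy (as does `SecPolicyCreateAppleHomeKitServerAuth`), and of the `!SECTRUST_OSX` stubs only `SecPolicyCreateOSXProvisioningProfileSigning` passes its own OID, while the ATV app-signing, Apple Pay issuer-encryption and ATV VPN profile-signing ones all resolve `kSecPolicyAppleX509Basic`. A caller choosing one of these by name therefore gets only basic chain validation (or plain TLS server authentication) rather than any Apple-specific leaf or intermediate constraint, and `kSecPolicyAppleAST2DiagnosticsServerAuth`, declared earlier in this commit, is never referenced. If that is the intended interim state, say so at each stub, e.g. `/* placeholder: basic X.509 evaluation only; no policy-specific constraints enforced yet */`, and for the AST2 one note that `context` is unused. The five functions are each wrapped in their own `#if !SECTRUST_OSX` / `#endif`; a single guarded block would read more easily and avoid the repeated `/* new in 10.11 */` comment.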
try {
// Set default policy
CFRef<CFArrayRef> policyArray = cfArrayize(policyOrArray);
- CFRef<SecPolicyRef> defaultPolicy = SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping);
+ CFRef<SecPolicyRef> defaultPolicy = _SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping);
CFRef<CFMutableArrayRef> appleTimeStampingPolicies = makeCFMutableArray(1,defaultPolicy.get());
// Parse the policy and add revocation related ones
};
#else
/* implement with unified SecPolicyRef instances */
+ /* %%% FIXME revisit this since SecPolicyCreateWithOID is OSX-only; */
+ /* should use SecPolicyCreateWithProperties instead */
SecPolicyRef policy = NULL;
CFMutableArrayRef resultPolicyArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
policy = SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping);