--- /dev/null
+/*
+ * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * CertExtensions.h -- X.509 Cert Extensions as C structs
+ */
+
+#ifndef _CERT_EXTENSIONS_H_
+#define _CERT_EXTENSIONS_H_
+
+#include <Security/cssmtype.h>
+
+/***
+ *** Structs for declaring extension-specific data.
+ ***/
+
+/*
+ * GeneralName, used in AuthorityKeyID, SubjectAltName, and
+ * IssuerAltName.
+ *
+ * For now, we just provide explicit support for the types which are
+ * represented as IA5Strings, OIDs, and octet strings. Constructed types
+ * such as EDIPartyName and x400Address are not explicitly handled
+ * right now and must be encoded and decoded by the caller. (See exception
+ * for Name and OtherName, below). In those cases the CE_GeneralName.name.Data field
+ * represents the BER contents octets; CE_GeneralName.name.Length is the
+ * length of the contents; the tag of the field is not needed - the BER
+ * encoding uses context-specific implicit tagging. The berEncoded field
+ * is set to CSSM_TRUE in these case. Simple types have berEncoded = CSSM_FALSE.
+ *
+ * In the case of a GeneralName in the form of a Name, we parse the Name
+ * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
+ * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
+ * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
+ *
+ * In the case of a GeneralName in the form of a OtherName, we parse the fields
+ * into a CE_OtherName and place a pointer to the CE_OtherName in the
+ * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
+ * sizeof(CE_OtherName). In this case berEncoded is false.
+ *
+ * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * GeneralName ::= CHOICE {
+ * otherName [0] OtherName
+ * rfc822Name [1] IA5String,
+ * dNSName [2] IA5String,
+ * x400Address [3] ORAddress,
+ * directoryName [4] Name,
+ * ediPartyName [5] EDIPartyName,
+ * uniformResourceIdentifier [6] IA5String,
+ * iPAddress [7] OCTET STRING,
+ * registeredID [8] OBJECT IDENTIFIER}
+ *
+ * OtherName ::= SEQUENCE {
+ * type-id OBJECT IDENTIFIER,
+ * value [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * EDIPartyName ::= SEQUENCE {
+ * nameAssigner [0] DirectoryString OPTIONAL,
+ * partyName [1] DirectoryString }
+ */
+typedef enum __CE_GeneralNameType {
+ GNT_OtherName = 0,
+ GNT_RFC822Name,
+ GNT_DNSName,
+ GNT_X400Address,
+ GNT_DirectoryName,
+ GNT_EdiPartyName,
+ GNT_URI,
+ GNT_IPAddress,
+ GNT_RegisteredID
+} CE_GeneralNameType;
+
+typedef struct __CE_OtherName {
+ CSSM_OID typeId;
+ CSSM_DATA value; // unparsed, BER-encoded
+} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_GeneralName {
+ CE_GeneralNameType nameType; // GNT_RFC822Name, etc.
+ CSSM_BOOL berEncoded;
+ CSSM_DATA name;
+} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_GeneralNames {
+ uint32 numNames;
+ CE_GeneralName *generalName;
+} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
+ *
+ * AuthorityKeyIdentifier ::= SEQUENCE {
+ * keyIdentifier [0] KeyIdentifier OPTIONAL,
+ * authorityCertIssuer [1] GeneralNames OPTIONAL,
+ * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
+ *
+ * KeyIdentifier ::= OCTET STRING
+ *
+ * CSSM OID = CSSMOID_AuthorityKeyIdentifier
+ */
+typedef struct __CE_AuthorityKeyID {
+ CSSM_BOOL keyIdentifierPresent;
+ CSSM_DATA keyIdentifier;
+ CSSM_BOOL generalNamesPresent;
+ CE_GeneralNames *generalNames;
+ CSSM_BOOL serialNumberPresent;
+ CSSM_DATA serialNumber;
+} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
+ * SubjectKeyIdentifier ::= KeyIdentifier
+ *
+ * CSSM OID = CSSMOID_SubjectKeyIdentifier
+ */
+typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+ *
+ * KeyUsage ::= BIT STRING {
+ * digitalSignature (0),
+ * nonRepudiation (1),
+ * keyEncipherment (2),
+ * dataEncipherment (3),
+ * keyAgreement (4),
+ * keyCertSign (5),
+ * cRLSign (6),
+ * encipherOnly (7),
+ * decipherOnly (8) }
+ *
+ * CSSM OID = CSSMOID_KeyUsage
+ *
+ */
+typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+#define CE_KU_DigitalSignature 0x8000
+#define CE_KU_NonRepudiation 0x4000
+#define CE_KU_KeyEncipherment 0x2000
+#define CE_KU_DataEncipherment 0x1000
+#define CE_KU_KeyAgreement 0x0800
+#define CE_KU_KeyCertSign 0x0400
+#define CE_KU_CRLSign 0x0200
+#define CE_KU_EncipherOnly 0x0100
+#define CE_KU_DecipherOnly 0x0080
+
+/*
+ * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
+ *
+ * -- reasonCode ::= { CRLReason }
+ *
+ * CRLReason ::= ENUMERATED {
+ * unspecified (0),
+ * keyCompromise (1),
+ * cACompromise (2),
+ * affiliationChanged (3),
+ * superseded (4),
+ * cessationOfOperation (5),
+ * certificateHold (6),
+ * removeFromCRL (8) }
+ *
+ * CSSM OID = CSSMOID_CrlReason
+ *
+ */
+typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+#define CE_CR_Unspecified 0
+#define CE_CR_KeyCompromise 1
+#define CE_CR_CACompromise 2
+#define CE_CR_AffiliationChanged 3
+#define CE_CR_Superseded 4
+#define CE_CR_CessationOfOperation 5
+#define CE_CR_CertificateHold 6
+#define CE_CR_RemoveFromCRL 8
+
+/*
+ * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
+ *
+ * SubjectAltName ::= GeneralNames
+ *
+ * CSSM OID = CSSMOID_SubjectAltName
+ *
+ * GeneralNames defined above.
+ */
+
+/*
+ * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
+ *
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId*
+ *
+ * KeyPurposeId ::= OBJECT IDENTIFIER
+ *
+ * CSSM OID = CSSMOID_ExtendedKeyUsage
+ */
+typedef struct __CE_ExtendedKeyUsage {
+ uint32 numPurposes;
+ CSSM_OID_PTR purposes; // in Intel pre-encoded format
+} CE_ExtendedKeyUsage;
+
+/*
+ * id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
+ *
+ * BasicConstraints ::= SEQUENCE {
+ * cA BOOLEAN DEFAULT FALSE,
+ * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+ *
+ * CSSM OID = CSSMOID_BasicConstraints
+ */
+typedef struct __CE_BasicConstraints {
+ CSSM_BOOL cA;
+ CSSM_BOOL pathLenConstraintPresent;
+ uint32 pathLenConstraint;
+} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
+ *
+ * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ * PolicyInformation ::= SEQUENCE {
+ * policyIdentifier CertPolicyId,
+ * policyQualifiers SEQUENCE SIZE (1..MAX) OF
+ * PolicyQualifierInfo OPTIONAL }
+ *
+ * CertPolicyId ::= OBJECT IDENTIFIER
+ *
+ * PolicyQualifierInfo ::= SEQUENCE {
+ * policyQualifierId PolicyQualifierId,
+ * qualifier ANY DEFINED BY policyQualifierId }
+ *
+ * -- policyQualifierIds for Internet policy qualifiers
+ *
+ * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+ * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
+ * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
+ *
+ * PolicyQualifierId ::=
+ * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+ *
+ * Qualifier ::= CHOICE {
+ * cPSuri CPSuri,
+ * userNotice UserNotice }
+ *
+ * CPSuri ::= IA5String
+ *
+ * UserNotice ::= SEQUENCE {
+ * noticeRef NoticeReference OPTIONAL,
+ * explicitText DisplayText OPTIONAL}
+ *
+ * NoticeReference ::= SEQUENCE {
+ * organization DisplayText,
+ * noticeNumbers SEQUENCE OF INTEGER }
+ *
+ * DisplayText ::= CHOICE {
+ * visibleString VisibleString (SIZE (1..200)),
+ * bmpString BMPString (SIZE (1..200)),
+ * utf8String UTF8String (SIZE (1..200)) }
+ *
+ * CSSM OID = CSSMOID_CertificatePolicies
+ *
+ * We only support down to the level of Qualifier, and then only the CPSuri
+ * choice. UserNotice is transmitted to and from this library as a raw
+ * CSSM_DATA containing the BER-encoded UserNotice sequence.
+ */
+
+typedef struct __CE_PolicyQualifierInfo {
+ CSSM_OID policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
+ CSSM_DATA qualifier; // CSSMOID_QT_CPS: IA5String contents
+ // CSSMOID_QT_UNOTICE : Sequence contents
+} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_PolicyInformation {
+ CSSM_OID certPolicyId;
+ uint32 numPolicyQualifiers; // size of *policyQualifiers;
+ CE_PolicyQualifierInfo *policyQualifiers;
+} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_CertPolicies {
+ uint32 numPolicies; // size of *policies;
+ CE_PolicyInformation *policies;
+} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * netscape-cert-type, a bit string.
+ *
+ * CSSM OID = CSSMOID_NetscapeCertType
+ *
+ * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
+ */
+typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * CRLDistributionPoints.
+ *
+ * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
+ *
+ * cRLDistributionPoints ::= {
+ * CRLDistPointsSyntax }
+ *
+ * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ *
+ * NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
+ * is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
+ * because the underlying type also uses an implicit tag for distinguish
+ * between CHOICEs.
+ *
+ * DistributionPoint ::= SEQUENCE {
+ * distributionPoint [0] DistributionPointName OPTIONAL,
+ * reasons [1] ReasonFlags OPTIONAL,
+ * cRLIssuer [2] GeneralNames OPTIONAL }
+ *
+ * DistributionPointName ::= CHOICE {
+ * fullName [0] GeneralNames,
+ * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ *
+ * ReasonFlags ::= BIT STRING {
+ * unused (0),
+ * keyCompromise (1),
+ * cACompromise (2),
+ * affiliationChanged (3),
+ * superseded (4),
+ * cessationOfOperation (5),
+ * certificateHold (6) }
+ *
+ * CSSM OID = CSSMOID_CrlDistributionPoints
+ */
+
+/*
+ * Note that this looks similar to CE_CrlReason, but that's an enum and this
+ * is an OR-able bit string.
+ */
+typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+#define CE_CD_Unspecified 0x80
+#define CE_CD_KeyCompromise 0x40
+#define CE_CD_CACompromise 0x20
+#define CE_CD_AffiliationChanged 0x10
+#define CE_CD_Superseded 0x08
+#define CE_CD_CessationOfOperation 0x04
+#define CE_CD_CertificateHold 0x02
+
+typedef enum __CE_CrlDistributionPointNameType {
+ CE_CDNT_FullName,
+ CE_CDNT_NameRelativeToCrlIssuer
+} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_DistributionPointName {
+ CE_CrlDistributionPointNameType nameType;
+ union {
+ CE_GeneralNames *fullName;
+ CSSM_X509_RDN_PTR rdn;
+ } dpn;
+} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * The top-level CRLDistributionPoint.
+ * All fields are optional; NULL pointers indicate absence.
+ */
+typedef struct __CE_CRLDistributionPoint {
+ CE_DistributionPointName *distPointName;
+ CSSM_BOOL reasonsPresent;
+ CE_CrlDistReasonFlags reasons;
+ CE_GeneralNames *crlIssuer;
+} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_CRLDistPointsSyntax {
+ uint32 numDistPoints;
+ CE_CRLDistributionPoint *distPoints;
+} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * Authority Information Access and Subject Information Access.
+ *
+ * CSSM OID = CSSMOID_AuthorityInfoAccess
+ * CSSM OID = CSSMOID_SubjectInfoAccess
+ *
+ * SubjAuthInfoAccessSyntax ::=
+ * SEQUENCE SIZE (1..MAX) OF AccessDescription
+ *
+ * AccessDescription ::= SEQUENCE {
+ * accessMethod OBJECT IDENTIFIER,
+ * accessLocation GeneralName }
+ */
+typedef struct __CE_AccessDescription {
+ CSSM_OID accessMethod;
+ CE_GeneralName accessLocation;
+} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_AuthorityInfoAccess {
+ uint32 numAccessDescriptions;
+ CE_AccessDescription *accessDescriptions;
+} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * Qualified Certificate Statement support, per RFC 3739.
+ *
+ * First, NameRegistrationAuthorities, a component of
+ * SemanticsInformation; it's the same as a GeneralNames -
+ * a sequence of GeneralName.
+ */
+typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * SemanticsInformation, identified as the qcType field
+ * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
+ * Both fields optional; at least one must be present.
+ */
+typedef struct __CE_SemanticsInformation {
+ CSSM_OID *semanticsIdentifier;
+ CE_NameRegistrationAuthorities *nameRegistrationAuthorities;
+} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * One Qualified Certificate Statement.
+ * The statementId OID is required; zero or one of {semanticsInfo,
+ * otherInfo} can be valid, depending on the value of statementId.
+ * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
+ * the semanticsInfo field may be present; otherwise, DER-encoded
+ * information may be present in otherInfo. Both semanticsInfo and
+ * otherInfo are optional.
+ */
+typedef struct __CE_QC_Statement {
+ CSSM_OID statementId;
+ CE_SemanticsInformation *semanticsInfo;
+ CSSM_DATA *otherInfo;
+} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * The top-level Qualified Certificate Statements extension.
+ */
+typedef struct __CE_QC_Statements {
+ uint32 numQCStatements;
+ CE_QC_Statement *qcStatements;
+} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*** CRL extensions ***/
+
+/*
+ * cRLNumber, an integer.
+ *
+ * CSSM OID = CSSMOID_CrlNumber
+ */
+typedef uint32 CE_CrlNumber;
+
+/*
+ * deltaCRLIndicator, an integer.
+ *
+ * CSSM OID = CSSMOID_DeltaCrlIndicator
+ */
+typedef uint32 CE_DeltaCrl;
+
+/*
+ * IssuingDistributionPoint
+ *
+ * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+ *
+ * issuingDistributionPoint ::= SEQUENCE {
+ * distributionPoint [0] DistributionPointName OPTIONAL,
+ * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
+ * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
+ * onlySomeReasons [3] ReasonFlags OPTIONAL,
+ * indirectCRL [4] BOOLEAN DEFAULT FALSE }
+ *
+ * CSSM OID = CSSMOID_IssuingDistributionPoint
+ */
+typedef struct __CE_IssuingDistributionPoint {
+ CE_DistributionPointName *distPointName; // optional
+ CSSM_BOOL onlyUserCertsPresent;
+ CSSM_BOOL onlyUserCerts;
+ CSSM_BOOL onlyCACertsPresent;
+ CSSM_BOOL onlyCACerts;
+ CSSM_BOOL onlySomeReasonsPresent;
+ CE_CrlDistReasonFlags onlySomeReasons;
+ CSSM_BOOL indirectCrlPresent;
+ CSSM_BOOL indirectCrl;
+} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * NameConstraints
+ *
+ * id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
+ *
+ * NameConstraints ::= SEQUENCE {
+ * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+ *
+ * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+ *
+ * GeneralSubtree ::= SEQUENCE {
+ * base GeneralName,
+ * minimum [0] BaseDistance DEFAULT 0,
+ * maximum [1] BaseDistance OPTIONAL }
+ *
+ * BaseDistance ::= INTEGER (0..MAX)
+ */
+typedef struct __CE_GeneralSubtree {
+ CE_GeneralNames *base;
+ uint32 minimum; // default=0
+ CSSM_BOOL maximumPresent;
+ uint32 maximum; // optional
+} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_GeneralSubtrees {
+ uint32 numSubtrees;
+ CE_GeneralSubtree *subtrees;
+} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_NameConstraints {
+ CE_GeneralSubtrees *permitted; // optional
+ CE_GeneralSubtrees *excluded; // optional
+} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * PolicyMappings
+ *
+ * id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
+ *
+ * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ * issuerDomainPolicy CertPolicyId,
+ * subjectDomainPolicy CertPolicyId }
+ *
+ * Note that both issuer and subject policy OIDs are required,
+ * and are stored by value in this structure.
+ */
+typedef struct __CE_PolicyMapping {
+ CSSM_OID issuerDomainPolicy;
+ CSSM_OID subjectDomainPolicy;
+} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_PolicyMappings {
+ uint32 numPolicyMappings;
+ CE_PolicyMapping *policyMappings;
+} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * PolicyConstraints
+ *
+ * id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
+ *
+ * PolicyConstraints ::= SEQUENCE {
+ * requireExplicitPolicy [0] SkipCerts OPTIONAL,
+ * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
+ *
+ * SkipCerts ::= INTEGER (0..MAX)
+ */
+typedef struct __CE_PolicyConstraints {
+ CSSM_BOOL requireExplicitPolicyPresent;
+ uint32 requireExplicitPolicy; // optional
+ CSSM_BOOL inhibitPolicyMappingPresent;
+ uint32 inhibitPolicyMapping; // optional
+} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * InhibitAnyPolicy, an integer.
+ *
+ * CSSM OID = CSSMOID_InhibitAnyPolicy
+ */
+typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * An enumerated list identifying one of the above per-extension
+ * structs.
+ */
+typedef enum __CE_DataType {
+ DT_AuthorityKeyID, // CE_AuthorityKeyID
+ DT_SubjectKeyID, // CE_SubjectKeyID
+ DT_KeyUsage, // CE_KeyUsage
+ DT_SubjectAltName, // implies CE_GeneralName
+ DT_IssuerAltName, // implies CE_GeneralName
+ DT_ExtendedKeyUsage, // CE_ExtendedKeyUsage
+ DT_BasicConstraints, // CE_BasicConstraints
+ DT_CertPolicies, // CE_CertPolicies
+ DT_NetscapeCertType, // CE_NetscapeCertType
+ DT_CrlNumber, // CE_CrlNumber
+ DT_DeltaCrl, // CE_DeltaCrl
+ DT_CrlReason, // CE_CrlReason
+ DT_CrlDistributionPoints, // CE_CRLDistPointsSyntax
+ DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
+ DT_AuthorityInfoAccess, // CE_AuthorityInfoAccess
+ DT_Other, // unknown, raw data as a CSSM_DATA
+ DT_QC_Statements, // CE_QC_Statements
+ DT_NameConstraints, // CE_NameConstraints
+ DT_PolicyMappings, // CE_PolicyMappings
+ DT_PolicyConstraints, // CE_PolicyConstraints
+ DT_InhibitAnyPolicy // CE_InhibitAnyPolicy
+} CE_DataType;
+
+/*
+ * One unified representation of all the cert and CRL extensions we know about.
+ */
+typedef union {
+ CE_AuthorityKeyID authorityKeyID;
+ CE_SubjectKeyID subjectKeyID;
+ CE_KeyUsage keyUsage;
+ CE_GeneralNames subjectAltName;
+ CE_GeneralNames issuerAltName;
+ CE_ExtendedKeyUsage extendedKeyUsage;
+ CE_BasicConstraints basicConstraints;
+ CE_CertPolicies certPolicies;
+ CE_NetscapeCertType netscapeCertType;
+ CE_CrlNumber crlNumber;
+ CE_DeltaCrl deltaCrl;
+ CE_CrlReason crlReason;
+ CE_CRLDistPointsSyntax crlDistPoints;
+ CE_IssuingDistributionPoint issuingDistPoint;
+ CE_AuthorityInfoAccess authorityInfoAccess;
+ CE_QC_Statements qualifiedCertStatements;
+ CE_NameConstraints nameConstraints;
+ CE_PolicyMappings policyMappings;
+ CE_PolicyConstraints policyConstraints;
+ CE_InhibitAnyPolicy inhibitAnyPolicy;
+ CSSM_DATA rawData; // unknown, not decoded
+} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_DataAndType {
+ CE_DataType type;
+ CE_Data extension;
+ CSSM_BOOL critical;
+} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+#endif /* _CERT_EXTENSIONS_H_ */
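Review bot: The CE_DataType comments for DT_SubjectAltName and DT_IssuerAltName say `// implies CE_GeneralName`, but the CE_Data union members those tags select (subjectAltName, issuerAltName) are declared as CE_GeneralNames, so the comments should read `DT_SubjectAltName, // CE_GeneralNames` and `DT_IssuerAltName, // CE_GeneralNames`; a reader who trusts the comment would interpret a count-plus-pointer pair as a single CE_GeneralName. Separately, CE_ExtendedKeyUsage, CE_CrlNumber and CE_DeltaCrl are the only typedefs in the file that lack DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, which looks like an omission rather than intent — if so, the attribute should be added to those three so the deprecation warning covers the whole API surface. Since every aggregate here pairs a uint32 count with a bare pointer (numNames/generalName, numPurposes/purposes, numPolicies/policies, …) and nothing states the contract, a comment on CE_GeneralNames such as `// generalName points to numNames elements; all access must be bounded by numNames` would make the expected bounds discipline explicit for decoders and consumers.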