diff --git a/SecurityTests/clxutils/clAppUtils/certVerify.h b/SecurityTests/clxutils/clAppUtils/certVerify.h
new file mode 100644 (file)
index 0000000..7e047ac
--- /dev/null
@@ -0,0 +1,148 @@
+#ifndef        _CERT_VERIFY_H_
+#define _CERT_VERIFY_H_
+
+#include <clAppUtils/BlobList.h>
+#include <Security/cssmtype.h>
+#include <Security/cssmapple.h>
+
+/* must be C++ since we use BlobList */
+extern "C" {
+
+/* Display verify results */
+void dumpVfyResult(
+       const CSSM_TP_VERIFY_CONTEXT_RESULT *vfyResult);
+
+typedef enum {
+       CVP_Basic = 0,
+       CVP_SSL,
+       CVP_SMIME,
+       CVP_SWUpdateSign,               // was CVP_CodeSigning
+       CVP_ResourceSigning,
+       CVP_iChat,
+       CVP_IPSec,
+       CVP_PKINIT_Server,
+       CVP_PKINIT_Client,
+       CVP_AppleCodeSigning,   // the Leopard version
+       CVP_PackageSigning
+} CertVerifyPolicy;
+
+typedef enum {
+       CRP_None = 0,
+       CRP_CRL,
+       CRP_OCSP,
+       CRP_CRL_OCSP    
+} CertRevokePolicy;
+
+/* 
+ * Since I never stop adding args to certVerify(), most of which have reasonable 
+ * defaults, the inputs are now expressed like so.
+ */
+#define CERT_VFY_ARGS_VERS     5               /* increment every time you change this struct */
+typedef struct {
+       int                                             version;                /* must be CERT_VFY_ARGS_VERS */
+       CSSM_TP_HANDLE                  tpHand;
+       CSSM_CL_HANDLE                  clHand;
+       CSSM_CSP_HANDLE                 cspHand;
+       BlobList                                *certs; 
+       BlobList                                *roots;
+       BlobList                                *crls;
+       char                                    *vfyTime;
+       
+       CSSM_BOOL                               certNetFetchEnable;
+       CSSM_BOOL                               useSystemAnchors;
+       CSSM_BOOL                               useTrustSettings;
+       CSSM_BOOL                               leafCertIsCA;
+       CSSM_BOOL                               allowExpiredRoot;
+       CSSM_BOOL                               implicitAnchors;
+       CSSM_DL_DB_LIST_PTR             dlDbList;               // optional
+       CertVerifyPolicy                vfyPolicy;
+       
+       const char                              *sslHost;               // optional; SSL policy
+       CSSM_BOOL                               sslClient;              // normally server side
+       const char                              *senderEmail;   // optional, SMIME
+       CE_KeyUsage                             intendedKeyUse; // optional, SMIME only
+       
+       /* revocation options */
+       CertRevokePolicy                revokePolicy;
+       CSSM_BOOL                               allowUnverified;        // if false, at least one must succeed
+
+       /* CRL options */
+       CSSM_BOOL                               requireCrlIfPresent;    
+       CSSM_BOOL                               requireCrlForAll;       
+       CSSM_BOOL                               crlNetFetchEnable;
+       CSSM_DL_DB_HANDLE_PTR   crlDlDb;                // obsolete: write CRLs here
+
+       /* OCSP options */
+       const char                              *responderURI;  // optional, OCSP only
+       const unsigned char             *responderCert; // optional, OCSP only
+       unsigned                                responderCertLen;// optional, OCSP only 
+       CSSM_BOOL                               disableCache;   // both r and w for now
+       CSSM_BOOL                               disableOcspNet;
+       CSSM_BOOL                               requireOcspIfPresent;
+       CSSM_BOOL                               requireOcspForAll;
+       CSSM_BOOL                               generateOcspNonce;
+       CSSM_BOOL                               requireOcspRespNonce;
+       
+       const char                              *expectedErrStr;// e.g.,
+                                                                                       // "CSSMERR_APPLETP_CRL_NOT_TRUSTED"
+                               
+       /* 
+        * expected per-cert errors
+        * format is certNum:errorString
+        * e.g., "1:CSSMERR_APPLETP_CRL_NOT_TRUSTED"
+        */
+       unsigned                                numCertErrors;
+       const char                              **certErrors;   // per-cert status
+       
+       /*
+        * Expected per-cert status (CSSM_TP_APPLE_EVIDENCE_INFO.StatusBits)
+        * format is certNum:status_in_hex
+        * e.g., "1:0x18", leading 0x optional
+        */
+       unsigned                                numCertStatus;
+       const char                              **certStatus;
+       CSSM_BOOL                               quiet;
+       CSSM_BOOL                               verbose;
+
+} CertVerifyArgs;
+
+/* perform one cert/crl verification */
+int certVerify(CertVerifyArgs *args);
+
+/*
+ * A slightly simplified version of certVerify: 
+ *             -- no CRLs
+ *             -- no DlDbs
+ *             -- no net fetch
+ *             -- time = now
+ *             -- no trust settings
+ */
+int certVerifySimple(
+       CSSM_TP_HANDLE                  tpHand, 
+       CSSM_CL_HANDLE                  clHand,
+       CSSM_CSP_HANDLE                 cspHand,
+       BlobList                                &certs,
+       BlobList                                &roots,
+       CSSM_BOOL                               useSystemAnchors,
+       CSSM_BOOL                               leafCertIsCA,
+       CSSM_BOOL                               allowExpiredRoot,
+       CertVerifyPolicy                vfyPolicy,
+       const char                              *sslHost,               // optional, SSL policy
+       CSSM_BOOL                               sslClient,              // normally server side
+       const char                              *senderEmail,   // optional, SMIME
+       CE_KeyUsage                             intendedKeyUse, // optional, SMIME only
+       const char                              *expectedErrStr,// e.g.,
+       unsigned                                numCertErrors,
+       const char                              **certErrors,   // per-cert status
+       unsigned                                numCertStatus,
+       const char                              **certStatus,
+       CSSM_BOOL                               useTrustSettings,
+       CSSM_BOOL                               quiet,
+       CSSM_BOOL                               verbose);
+
+/* convert ASCII string in hex to unsigned */
+unsigned hexToBin(const char *hex);
+
+}   /* extern "C" */
+
+#endif /* _DO_VERIFY_H_ */
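Review bot: The closing `#endif` comment on the last line names `_DO_VERIFY_H_`, but the guard opened on the first two lines is `_CERT_VERIFY_H_`; the trailer should read `#endif /* _CERT_VERIFY_H_ */` so a reader matching guard to endif is not misled. Separately, an identifier beginning with an underscore followed by an uppercase letter is reserved for the implementation in both C and C++, so a guard such as `CERT_VERIFY_H_` would avoid a theoretical clash with system headers. In the `CertVerifyArgs` struct, `vfyTime` is declared `char *` while every other string input (`sslHost`, `senderEmail`, `responderURI`, `expectedErrStr`) is `const char *`; if certVerify() only reads it, `const char *vfyTime;` would let callers pass string literals without a cast and document that the verifier does not modify it. The `hexToBin` declaration would also benefit from a comment stating how a non-hex character or an empty string is handled, since its result feeds the per-cert status comparisons described above it and the caller cannot tell from this header whether malformed input is reported or silently truncated.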