index 755c6ae7dc3bfd2917ac8935534d998efbde17af..344f81f4a355edecc9eb0d3c586fe65b74a35be4 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2002-2010,2012 Apple Inc. All Rights Reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
  *
@@ -63,6 +63,12 @@ public:
                useAnchorsOnly                  // SetTrustAnchorCertificatesOnly value = true
        };
 
+       enum NetworkPolicy {
+               useNetworkDefault,              // default policy: network fetch enabled only for SSL
+               useNetworkDisabled,             // explicitly disable network use for any policy
+               useNetworkEnabled               // explicitly enable network use for any policy
+       };
+
        // set (or reset) more input parameters
        void policies(CFTypeRef policies)                       { mPolicies.take(cfArrayize(policies)); }
        void action(CSSM_TP_ACTION action)                      { mAction = action; }
@@ -70,92 +76,102 @@ public:
        void time(CFDateRef verifyTime)                         { mVerifyTime = verifyTime; }
        void anchors(CFArrayRef anchorList)                     { mAnchors.take(cfArrayize(anchorList)); }
        void anchorPolicy(AnchorPolicy policy)          { mAnchorPolicy = policy; }
+       void networkPolicy(NetworkPolicy policy)        { mNetworkPolicy = policy; }
+       void exceptions(CFArrayRef exceptions)          { mExceptions.take(cfArrayize(exceptions)); }
+       void responses(CFTypeRef responseData)          { mResponses.take(cfArrayize(responseData)); }
 
        StorageManager::KeychainList &searchLibs(bool init=true);
        void searchLibs(StorageManager::KeychainList &libs);
 
        // perform evaluation
-    void evaluate(bool disableEV=false);
+       void evaluate(bool disableEV=false);
+
+       // update evaluation results
+       void setResult(SecTrustResultType result)       { mResult = result; }
 
        // get at evaluation results
-    void buildEvidence(CFArrayRef &certChain, TPEvidenceInfo * &statusChain);
-    CSSM_TP_VERIFY_CONTEXT_RESULT_PTR cssmResult();
+       void buildEvidence(CFArrayRef &certChain, TPEvidenceInfo * &statusChain);
+       CSSM_TP_VERIFY_CONTEXT_RESULT_PTR cssmResult();
        void extendedResult(CFDictionaryRef &extendedResult);
        CFArrayRef properties();
+       CFDictionaryRef results();
 
-    SecTrustResultType result() const                  { return mResult; }
+       SecTrustResultType result() const                       { return mResult; }
        OSStatus cssmResultCode() const                         { return mTpReturn; }
-    TP getTPHandle() const                                             { return mTP; }
+       TP getTPHandle() const                                          { return mTP; }
        CFArrayRef evidence() const                                     { return mEvidenceReturned; }
-    CFArrayRef policies() const                                        { return mPolicies; }
-    CFArrayRef anchors() const                                 { return mAnchors; }
+       CFArrayRef policies() const                                     { return mPolicies; }
+       CFArrayRef anchors() const                                      { return mAnchors; }
        CFDateRef time() const                                          { return mVerifyTime; }
+       AnchorPolicy anchorPolicy() const                       { return mAnchorPolicy; }
+       NetworkPolicy networkPolicy() const                     { return mNetworkPolicy; }
+       CFArrayRef exceptions() const                           { return mExceptions; }
 
        // an independent release function for TP evidence results
        // (yes, we could hand this out to the C layer if desired)
        static void releaseTPEvidence(TPVerifyResult &result, Allocator &allocator);
 
 private:
-    SecTrustResultType diagnoseOutcome();
-    void evaluateUserTrust(const CertGroup &certs,
-        const CSSM_TP_APPLE_EVIDENCE_INFO *info,
+       SecTrustResultType diagnoseOutcome();
+       void evaluateUserTrust(const CertGroup &certs,
+                       const CSSM_TP_APPLE_EVIDENCE_INFO *info,
                CFCopyRef<CFArrayRef> anchors);
        void clearResults();
 
        Keychain keychainByDLDb(const CSSM_DL_DB_HANDLE &handle);
 
        /* revocation policy support */
-       CFMutableArrayRef       addSpecifiedRevocationPolicies(uint32 &numAdded,
-                                                       Allocator &alloc);
-       void                            freeSpecifiedRevocationPolicies(CFArrayRef policies,
-                                                       uint32 numAdded,
-                                                       Allocator &alloc);
        CFMutableArrayRef       addPreferenceRevocationPolicies(uint32 &numAdded,
                                                        Allocator &alloc);
-       void                            freePreferenceRevocationPolicies(CFArrayRef policies,
+       void                            freeAddedRevocationPolicyData(CFArrayRef policies,
                                                        uint32 numAdded,
                                                        Allocator &alloc);
-    CFDictionaryRef     defaultRevocationSettings();
+       CFDictionaryRef     defaultRevocationSettings();
 
+public:
        bool                            policySpecified(CFArrayRef policies, const CSSM_OID &inOid);
        bool                            revocationPolicySpecified(CFArrayRef policies);
        void                            orderRevocationPolicies(CFMutableArrayRef policies);
+       CFMutableArrayRef       convertRevocationPolicy(uint32 &numAdded, Allocator &alloc);
        CFMutableArrayRef       forceRevocationPolicies(uint32 &numAdded,
                                                        Allocator &alloc,
                                                        bool requirePerCert=false);
 
 private:
-    TP mTP;                                                    // our TP
-
-    // input arguments: set up before evaluate()
-    CSSM_TP_ACTION mAction;                    // TP action to verify
-    CFRef<CFDataRef> mActionData;      // action data
-    CFRef<CFDateRef> mVerifyTime;      // verification "now"
-    CFRef<CFArrayRef> mCerts;          // certificates to verify (item 1 is subject)
-    CFRef<CFArrayRef> mPolicies;       // array of policy objects to control verification
-    CFRef<CFArrayRef> mAnchors;                // array of anchor certs
-    StorageManager::KeychainList *mSearchLibs; // array of databases to search
-    bool mSearchLibsSet;                       // true if mSearchLibs has been initialized
-
-    // evaluation results: set as a result of evaluate()
-    SecTrustResultType mResult;                // result classification
-    uint32 mResultIndex;                       // which result cert made the decision?
-    OSStatus mTpReturn;                                // return code from TP Verify
-    TPVerifyResult mTpResult;          // result of latest TP verify
-
-    vector< SecPointer<Certificate> > mCertChain; // distilled certificate chain
-
-    // information returned to caller but owned by us
-    CFRef<CFArrayRef> mEvidenceReturned;       // evidence chain returned
+       TP mTP;                                                 // our TP
+
+       // input arguments: set up before evaluate()
+       CSSM_TP_ACTION mAction;                 // TP action to verify
+       CFRef<CFDataRef> mActionData;   // action data
+       CFRef<CFArrayRef> mExceptions;  // trust exceptions
+       CFRef<CFArrayRef> mResponses;   // array of OCSP response data (optional)
+       CFRef<CFDateRef> mVerifyTime;   // verification "now"
+       CFRef<CFArrayRef> mCerts;               // certificates to verify (item 1 is subject)
+       CFRef<CFArrayRef> mPolicies;    // array of policy objects to control verification
+       CFRef<CFArrayRef> mAnchors;             // array of anchor certs
+       StorageManager::KeychainList *mSearchLibs; // array of databases to search
+       bool mSearchLibsSet;                    // true if mSearchLibs has been initialized
+
+       // evaluation results: set as a result of evaluate()
+       SecTrustResultType mResult;             // result classification
+       uint32 mResultIndex;                    // which result cert made the decision?
+       OSStatus mTpReturn;                             // return code from TP Verify
+       TPVerifyResult mTpResult;               // result of latest TP verify
+
+       vector< SecPointer<Certificate> > mCertChain; // distilled certificate chain
+
+       // information returned to caller but owned by us
+       CFRef<CFArrayRef> mEvidenceReturned;    // evidence chain returned
        CFRef<CFArrayRef> mAllowedAnchors;              // array of permitted anchor certificates
        CFRef<CFArrayRef> mFilteredCerts;               // array of certificates to verify, post-filtering
-    CFRef<CFDictionaryRef> mExtendedResult;    // dictionary of extended results
+       CFRef<CFDictionaryRef> mExtendedResult; // dictionary of extended results
 
        bool mUsingTrustSettings;       // true if built-in anchors will be trusted
        AnchorPolicy mAnchorPolicy;     // policy for trusting passed-in and/or built-in anchors
+       NetworkPolicy mNetworkPolicy;   // policy for allowing network use during evaluation
 
 public:
-    static ModuleNexus<TrustStore> gStore;
+       static ModuleNexus<TrustStore> gStore;
 
 private:
        Mutex mMutex;
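Review bot: `setResult()` near the top of the hunk gives any holder of a Trust object a public way to overwrite the verdict that evaluate() stored, while `result()` a few lines below is what callers read as the evaluation outcome, so the header should state who is meant to call it and that it does not re-run evaluation, e.g. `// overwrite the stored result (e.g. after applying trust exceptions); does not re-evaluate` — the exceptions path presumably uses it, but that is not visible here. Relatedly, the new `public:` section exposes convertRevocationPolicy() and forceRevocationPolicies(), which hand back an array plus a `numAdded` count, while freeAddedRevocationPolicyData(), which releases those added entries, stays private, so an external caller has no sanctioned way to free what it receives; either expose the free function alongside them or document that these are for internal use only. mResponses gains a setter but, unlike mExceptions, no getter, and the initial value of mNetworkPolicy is set in the constructor outside this hunk. The class body continues past the end of the hunk.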