X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5dd5f9ec28f304ca377c42fd7f711d6cf12b90e1..5c19dc3ae3bd8e40a9c028b0deddd50ff337692c:/OSX/libsecurity_cssm/lib/certextensions.h
diff --git a/OSX/libsecurity_cssm/lib/certextensions.h b/OSX/libsecurity_cssm/lib/certextensions.h
new file mode 100644
index 00000000..39dc1a0c
--- /dev/null
+++ b/OSX/libsecurity_cssm/lib/certextensions.h
@@ -0,0 +1,640 @@
+/*
+ * Copyright (c) 2000-2004,2011,2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * CertExtensions.h -- X.509 Cert Extensions as C structs
+ */
+
+#ifndef _CERT_EXTENSIONS_H_
+#define _CERT_EXTENSIONS_H_
+
+#include
+
+/***
+ *** Structs for declaring extension-specific data.
+ ***/
+
+/*
+ * GeneralName, used in AuthorityKeyID, SubjectAltName, and
+ * IssuerAltName.
+ *
+ * For now, we just provide explicit support for the types which are
+ * represented as IA5Strings, OIDs, and octet strings. Constructed types
+ * such as EDIPartyName and x400Address are not explicitly handled
+ * right now and must be encoded and decoded by the caller. (See exception
+ * for Name and OtherName, below). In those cases the CE_GeneralName.name.Data field
+ * represents the BER contents octets; CE_GeneralName.name.Length is the
+ * length of the contents; the tag of the field is not needed - the BER
+ * encoding uses context-specific implicit tagging. The berEncoded field
+ * is set to CSSM_TRUE in these case. Simple types have berEncoded = CSSM_FALSE.
+ *
+ * In the case of a GeneralName in the form of a Name, we parse the Name
+ * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
+ * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
+ * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
+ *
+ * In the case of a GeneralName in the form of a OtherName, we parse the fields
+ * into a CE_OtherName and place a pointer to the CE_OtherName in the
+ * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
+ * sizeof(CE_OtherName). In this case berEncoded is false.
+ *
+ * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * GeneralName ::= CHOICE {
+ * otherName [0] OtherName
+ * rfc822Name [1] IA5String,
+ * dNSName [2] IA5String,
+ * x400Address [3] ORAddress,
+ * directoryName [4] Name,
+ * ediPartyName [5] EDIPartyName,
+ * uniformResourceIdentifier [6] IA5String,
+ * iPAddress [7] OCTET STRING,
+ * registeredID [8] OBJECT IDENTIFIER}
+ *
+ * OtherName ::= SEQUENCE {
+ * type-id OBJECT IDENTIFIER,
+ * value [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * EDIPartyName ::= SEQUENCE {
+ * nameAssigner [0] DirectoryString OPTIONAL,
+ * partyName [1] DirectoryString }
+ */
+typedef enum __CE_GeneralNameType {
+ GNT_OtherName = 0,
+ GNT_RFC822Name,
+ GNT_DNSName,
+ GNT_X400Address,
+ GNT_DirectoryName,
+ GNT_EdiPartyName,
+ GNT_URI,
+ GNT_IPAddress,
+ GNT_RegisteredID
+} CE_GeneralNameType;
+
+typedef struct __CE_OtherName {
+ CSSM_OID typeId;
+ CSSM_DATA value; // unparsed, BER-encoded
+} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_GeneralName {
+ CE_GeneralNameType nameType; // GNT_RFC822Name, etc.
+ CSSM_BOOL berEncoded;
+ CSSM_DATA name;
+} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_GeneralNames {
+ uint32 numNames;
+ CE_GeneralName *generalName;
+} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
+ *
+ * AuthorityKeyIdentifier ::= SEQUENCE {
+ * keyIdentifier [0] KeyIdentifier OPTIONAL,
+ * authorityCertIssuer [1] GeneralNames OPTIONAL,
+ * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
+ *
+ * KeyIdentifier ::= OCTET STRING
+ *
+ * CSSM OID = CSSMOID_AuthorityKeyIdentifier
+ */
+typedef struct __CE_AuthorityKeyID {
+ CSSM_BOOL keyIdentifierPresent;
+ CSSM_DATA keyIdentifier;
+ CSSM_BOOL generalNamesPresent;
+ CE_GeneralNames *generalNames;
+ CSSM_BOOL serialNumberPresent;
+ CSSM_DATA serialNumber;
+} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
+ * SubjectKeyIdentifier ::= KeyIdentifier
+ *
+ * CSSM OID = CSSMOID_SubjectKeyIdentifier
+ */
+typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+ *
+ * KeyUsage ::= BIT STRING {
+ * digitalSignature (0),
+ * nonRepudiation (1),
+ * keyEncipherment (2),
+ * dataEncipherment (3),
+ * keyAgreement (4),
+ * keyCertSign (5),
+ * cRLSign (6),
+ * encipherOnly (7),
+ * decipherOnly (8) }
+ *
+ * CSSM OID = CSSMOID_KeyUsage
+ *
+ */
+typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+#define CE_KU_DigitalSignature 0x8000
+#define CE_KU_NonRepudiation 0x4000
+#define CE_KU_KeyEncipherment 0x2000
+#define CE_KU_DataEncipherment 0x1000
+#define CE_KU_KeyAgreement 0x0800
+#define CE_KU_KeyCertSign 0x0400
+#define CE_KU_CRLSign 0x0200
+#define CE_KU_EncipherOnly 0x0100
+#define CE_KU_DecipherOnly 0x0080
+
+/*
+ * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
+ *
+ * -- 
reasonCode ::= { CRLReason }
+ *
+ * CRLReason ::= ENUMERATED {
+ * unspecified (0),
+ * keyCompromise (1),
+ * cACompromise (2),
+ * affiliationChanged (3),
+ * superseded (4),
+ * cessationOfOperation (5),
+ * certificateHold (6),
+ * removeFromCRL (8) }
+ *
+ * CSSM OID = CSSMOID_CrlReason
+ *
+ */
+typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+#define CE_CR_Unspecified 0
+#define CE_CR_KeyCompromise 1
+#define CE_CR_CACompromise 2
+#define CE_CR_AffiliationChanged 3
+#define CE_CR_Superseded 4
+#define CE_CR_CessationOfOperation 5
+#define CE_CR_CertificateHold 6
+#define CE_CR_RemoveFromCRL 8
+
+/*
+ * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
+ *
+ * SubjectAltName ::= GeneralNames
+ *
+ * CSSM OID = CSSMOID_SubjectAltName
+ *
+ * GeneralNames defined above.
+ */
+
+/*
+ * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
+ *
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId*
+ *
+ * KeyPurposeId ::= OBJECT IDENTIFIER
+ *
+ * CSSM OID = CSSMOID_ExtendedKeyUsage
+ */
+typedef struct __CE_ExtendedKeyUsage {
+ uint32 numPurposes;
+ CSSM_OID_PTR purposes; // in Intel pre-encoded format
+} CE_ExtendedKeyUsage;
+
+/*
+ * id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
+ *
+ * BasicConstraints ::= SEQUENCE {
+ * cA BOOLEAN DEFAULT FALSE,
+ * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+ *
+ * CSSM OID = CSSMOID_BasicConstraints
+ */
+typedef struct __CE_BasicConstraints {
+ CSSM_BOOL cA;
+ CSSM_BOOL pathLenConstraintPresent;
+ uint32 pathLenConstraint;
+} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
+ *
+ * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ * PolicyInformation ::= SEQUENCE {
+ * policyIdentifier CertPolicyId,
+ * policyQualifiers SEQUENCE SIZE (1..MAX) OF
+ * PolicyQualifierInfo OPTIONAL }
+ *
+ * CertPolicyId ::= OBJECT IDENTIFIER
+ *
+ * PolicyQualifierInfo ::= 
SEQUENCE {
+ * policyQualifierId PolicyQualifierId,
+ * qualifier ANY DEFINED BY policyQualifierId }
+ *
+ * -- policyQualifierIds for Internet policy qualifiers
+ *
+ * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+ * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
+ * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
+ *
+ * PolicyQualifierId ::=
+ * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+ *
+ * Qualifier ::= CHOICE {
+ * cPSuri CPSuri,
+ * userNotice UserNotice }
+ *
+ * CPSuri ::= IA5String
+ *
+ * UserNotice ::= SEQUENCE {
+ * noticeRef NoticeReference OPTIONAL,
+ * explicitText DisplayText OPTIONAL}
+ *
+ * NoticeReference ::= SEQUENCE {
+ * organization DisplayText,
+ * noticeNumbers SEQUENCE OF INTEGER }
+ *
+ * DisplayText ::= CHOICE {
+ * visibleString VisibleString (SIZE (1..200)),
+ * bmpString BMPString (SIZE (1..200)),
+ * utf8String UTF8String (SIZE (1..200)) }
+ *
+ * CSSM OID = CSSMOID_CertificatePolicies
+ *
+ * We only support down to the level of Qualifier, and then only the CPSuri
+ * choice. UserNotice is transmitted to and from this library as a raw
+ * CSSM_DATA containing the BER-encoded UserNotice sequence.
+ */
+
+typedef struct __CE_PolicyQualifierInfo {
+ CSSM_OID policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
+ CSSM_DATA qualifier; // CSSMOID_QT_CPS: IA5String contents
+ // CSSMOID_QT_UNOTICE : Sequence contents
+} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_PolicyInformation {
+ CSSM_OID certPolicyId;
+ uint32 numPolicyQualifiers; // size of *policyQualifiers;
+ CE_PolicyQualifierInfo *policyQualifiers;
+} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_CertPolicies {
+ uint32 numPolicies; // size of *policies;
+ CE_PolicyInformation *policies;
+} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * netscape-cert-type, a bit string.
+ *
+ * CSSM OID = CSSMOID_NetscapeCertType
+ *
+ * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
+ */
+typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * CRLDistributionPoints.
+ *
+ * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
+ *
+ * cRLDistributionPoints ::= {
+ * CRLDistPointsSyntax }
+ *
+ * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ *
+ * NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
+ * is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
+ * because the underlying type also uses an implicit tag for distinguish
+ * between CHOICEs.
+ *
+ * DistributionPoint ::= SEQUENCE {
+ * distributionPoint [0] DistributionPointName OPTIONAL,
+ * reasons [1] ReasonFlags OPTIONAL,
+ * cRLIssuer [2] GeneralNames OPTIONAL }
+ *
+ * DistributionPointName ::= CHOICE {
+ * fullName [0] GeneralNames,
+ * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ *
+ * ReasonFlags ::= BIT STRING {
+ * unused (0),
+ * keyCompromise (1),
+ * cACompromise (2),
+ * affiliationChanged (3),
+ * superseded (4),
+ * cessationOfOperation (5),
+ * certificateHold (6) }
+ *
+ * CSSM OID = CSSMOID_CrlDistributionPoints
+ */
+
+/*
+ * Note that this looks similar to CE_CrlReason, but that's an enum and this
+ * is an OR-able bit string.
+ */
+typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+#define CE_CD_Unspecified 0x80
+#define CE_CD_KeyCompromise 0x40
+#define CE_CD_CACompromise 0x20
+#define CE_CD_AffiliationChanged 0x10
+#define CE_CD_Superseded 0x08
+#define CE_CD_CessationOfOperation 0x04
+#define CE_CD_CertificateHold 0x02
+
+typedef enum __CE_CrlDistributionPointNameType {
+ CE_CDNT_FullName,
+ CE_CDNT_NameRelativeToCrlIssuer
+} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_DistributionPointName {
+ CE_CrlDistributionPointNameType nameType;
+ union {
+ CE_GeneralNames *fullName;
+ CSSM_X509_RDN_PTR rdn;
+ } dpn;
+} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * The top-level CRLDistributionPoint.
+ * All fields are optional; NULL pointers indicate absence.
+ */
+typedef struct __CE_CRLDistributionPoint {
+ CE_DistributionPointName *distPointName;
+ CSSM_BOOL reasonsPresent;
+ CE_CrlDistReasonFlags reasons;
+ CE_GeneralNames *crlIssuer;
+} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_CRLDistPointsSyntax {
+ uint32 numDistPoints;
+ CE_CRLDistributionPoint *distPoints;
+} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * Authority Information Access and Subject Information Access.
+ *
+ * CSSM OID = CSSMOID_AuthorityInfoAccess
+ * CSSM OID = CSSMOID_SubjectInfoAccess
+ *
+ * SubjAuthInfoAccessSyntax ::=
+ * SEQUENCE SIZE (1..MAX) OF AccessDescription
+ *
+ * AccessDescription ::= SEQUENCE {
+ * accessMethod OBJECT IDENTIFIER,
+ * accessLocation GeneralName }
+ */
+typedef struct __CE_AccessDescription {
+ CSSM_OID accessMethod;
+ CE_GeneralName accessLocation;
+} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_AuthorityInfoAccess {
+ uint32 numAccessDescriptions;
+ CE_AccessDescription *accessDescriptions;
+} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * Qualified Certificate Statement support, per RFC 3739.
+ *
+ * First, NameRegistrationAuthorities, a component of
+ * SemanticsInformation; it's the same as a GeneralNames -
+ * a sequence of GeneralName.
+ */
+typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * SemanticsInformation, identified as the qcType field
+ * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
+ * Both fields optional; at least one must be present.
+ */
+typedef struct __CE_SemanticsInformation {
+ CSSM_OID *semanticsIdentifier;
+ CE_NameRegistrationAuthorities *nameRegistrationAuthorities;
+} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * One Qualified Certificate Statement.
+ * The statementId OID is required; zero or one of {semanticsInfo,
+ * otherInfo} can be valid, depending on the value of statementId.
+ * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
+ * the semanticsInfo field may be present; otherwise, DER-encoded
+ * information may be present in otherInfo. Both semanticsInfo and
+ * otherInfo are optional.
+ */
+typedef struct __CE_QC_Statement {
+ CSSM_OID statementId;
+ CE_SemanticsInformation *semanticsInfo;
+ CSSM_DATA *otherInfo;
+} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * The top-level Qualified Certificate Statements extension.
+ */
+typedef struct __CE_QC_Statements {
+ uint32 numQCStatements;
+ CE_QC_Statement *qcStatements;
+} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*** CRL extensions ***/
+
+/*
+ * cRLNumber, an integer.
+ *
+ * CSSM OID = CSSMOID_CrlNumber
+ */
+typedef uint32 CE_CrlNumber;
+
+/*
+ * deltaCRLIndicator, an integer.
+ *
+ * CSSM OID = CSSMOID_DeltaCrlIndicator
+ */
+typedef uint32 CE_DeltaCrl;
+
+/*
+ * IssuingDistributionPoint
+ *
+ * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+ *
+ * issuingDistributionPoint ::= SEQUENCE {
+ * distributionPoint [0] DistributionPointName OPTIONAL,
+ * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
+ * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
+ * onlySomeReasons [3] ReasonFlags OPTIONAL,
+ * indirectCRL [4] BOOLEAN DEFAULT FALSE }
+ *
+ * CSSM OID = CSSMOID_IssuingDistributionPoint
+ */
+typedef struct __CE_IssuingDistributionPoint {
+ CE_DistributionPointName *distPointName; // optional
+ CSSM_BOOL onlyUserCertsPresent;
+ CSSM_BOOL onlyUserCerts;
+ CSSM_BOOL onlyCACertsPresent;
+ CSSM_BOOL onlyCACerts;
+ CSSM_BOOL onlySomeReasonsPresent;
+ CE_CrlDistReasonFlags onlySomeReasons;
+ CSSM_BOOL indirectCrlPresent;
+ CSSM_BOOL indirectCrl;
+} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * NameConstraints
+ *
+ * id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
+ *
+ * NameConstraints ::= SEQUENCE {
+ * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+ *
+ * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+ *
+ * GeneralSubtree ::= SEQUENCE {
+ * base GeneralName,
+ * minimum [0] BaseDistance DEFAULT 0,
+ * maximum 
[1] BaseDistance OPTIONAL }
+ *
+ * BaseDistance ::= INTEGER (0..MAX)
+ */
+typedef struct __CE_GeneralSubtree {
+ CE_GeneralNames *base;
+ uint32 minimum; // default=0
+ CSSM_BOOL maximumPresent;
+ uint32 maximum; // optional
+} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_GeneralSubtrees {
+ uint32 numSubtrees;
+ CE_GeneralSubtree *subtrees;
+} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_NameConstraints {
+ CE_GeneralSubtrees *permitted; // optional
+ CE_GeneralSubtrees *excluded; // optional
+} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * PolicyMappings
+ *
+ * id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
+ *
+ * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ * issuerDomainPolicy CertPolicyId,
+ * subjectDomainPolicy CertPolicyId }
+ *
+ * Note that both issuer and subject policy OIDs are required,
+ * and are stored by value in this structure.
+ */
+typedef struct __CE_PolicyMapping {
+ CSSM_OID issuerDomainPolicy;
+ CSSM_OID subjectDomainPolicy;
+} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_PolicyMappings {
+ uint32 numPolicyMappings;
+ CE_PolicyMapping *policyMappings;
+} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * PolicyConstraints
+ *
+ * id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
+ *
+ * PolicyConstraints ::= SEQUENCE {
+ * requireExplicitPolicy [0] SkipCerts OPTIONAL,
+ * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
+ *
+ * SkipCerts ::= INTEGER (0..MAX)
+ */
+typedef struct __CE_PolicyConstraints {
+ CSSM_BOOL requireExplicitPolicyPresent;
+ uint32 requireExplicitPolicy; // optional
+ CSSM_BOOL inhibitPolicyMappingPresent;
+ uint32 inhibitPolicyMapping; // optional
+} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * InhibitAnyPolicy, an integer.
+ *
+ * CSSM OID = CSSMOID_InhibitAnyPolicy
+ */
+typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*
+ * An enumerated list identifying one of the above per-extension
+ * structs.
+ */
+typedef enum __CE_DataType {
+ DT_AuthorityKeyID, // CE_AuthorityKeyID
+ DT_SubjectKeyID, // CE_SubjectKeyID
+ DT_KeyUsage, // CE_KeyUsage
+ DT_SubjectAltName, // implies CE_GeneralName
+ DT_IssuerAltName, // implies CE_GeneralName
+ DT_ExtendedKeyUsage, // CE_ExtendedKeyUsage
+ DT_BasicConstraints, // CE_BasicConstraints
+ DT_CertPolicies, // CE_CertPolicies
+ DT_NetscapeCertType, // CE_NetscapeCertType
+ DT_CrlNumber, // CE_CrlNumber
+ DT_DeltaCrl, // CE_DeltaCrl
+ DT_CrlReason, // CE_CrlReason
+ DT_CrlDistributionPoints, // CE_CRLDistPointsSyntax
+ DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
+ DT_AuthorityInfoAccess, // CE_AuthorityInfoAccess
+ DT_Other, // unknown, raw data as a CSSM_DATA
+ DT_QC_Statements, // CE_QC_Statements
+ DT_NameConstraints, // CE_NameConstraints
+ DT_PolicyMappings, // CE_PolicyMappings
+ DT_PolicyConstraints, // CE_PolicyConstraints
+ DT_InhibitAnyPolicy // CE_InhibitAnyPolicy
+} CE_DataType;
+
+/*
+ * One unified representation of all the cert and CRL extensions we know about.
+ */
+typedef union {
+ CE_AuthorityKeyID authorityKeyID;
+ CE_SubjectKeyID subjectKeyID;
+ CE_KeyUsage keyUsage;
+ CE_GeneralNames subjectAltName;
+ CE_GeneralNames issuerAltName;
+ CE_ExtendedKeyUsage extendedKeyUsage;
+ CE_BasicConstraints basicConstraints;
+ CE_CertPolicies certPolicies;
+ CE_NetscapeCertType netscapeCertType;
+ CE_CrlNumber crlNumber;
+ CE_DeltaCrl deltaCrl;
+ CE_CrlReason crlReason;
+ CE_CRLDistPointsSyntax crlDistPoints;
+ CE_IssuingDistributionPoint issuingDistPoint;
+ CE_AuthorityInfoAccess authorityInfoAccess;
+ CE_QC_Statements qualifiedCertStatements;
+ CE_NameConstraints nameConstraints;
+ CE_PolicyMappings policyMappings;
+ CE_PolicyConstraints policyConstraints;
+ CE_InhibitAnyPolicy inhibitAnyPolicy;
+ CSSM_DATA rawData; // unknown, not decoded
+} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+typedef struct __CE_DataAndType {
+ CE_DataType type;
+ CE_Data extension;
+ CSSM_BOOL critical;
+} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+#endif /* _CERT_EXTENSIONS_H_ */
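Review bot: The `CE_DataType` comments `DT_SubjectAltName, // implies CE_GeneralName` and `DT_IssuerAltName, // implies CE_GeneralName` disagree with the `CE_Data` members declared right below them, `CE_GeneralNames subjectAltName;` and `CE_GeneralNames issuerAltName;`, so a caller dispatching on `type` is pointed at the wrong (single-name) type; both comments should read `// CE_GeneralNames`. Similarly `CE_GeneralSubtree` declares `CE_GeneralNames *base;` while the ASN.1 quoted immediately above it gives `base GeneralName` (one name); if the decoder deliberately stores a sequence there, a field comment such as `// decoded as a GeneralNames sequence, not a single GeneralName` would keep callers from reading it as one `CE_GeneralName`. `CE_GeneralNameType`, `CE_ExtendedKeyUsage`, `CE_CrlNumber`, `CE_DeltaCrl` and `CE_DataType` are the only typedefs in the file without `DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER`, which looks like an oversight given that every other type, including the `CE_Data` union that embeds them, carries it. The `#include` directive near the top of the file shows no header name on this page, presumably because its angle brackets were lost in rendering; worth confirming the committed line is intact.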