X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/7948e047ad0cdb129f10661905b2f3eecd5c85a0..df0e469fdcf0e0b3ef74bac6500e5751c40b4ec1:/AppleX509TP/rootCerts.h
diff --git a/AppleX509TP/rootCerts.h b/AppleX509TP/rootCerts.h
index f0a980f2..ec514882 100644
--- a/AppleX509TP/rootCerts.h
+++ b/AppleX509TP/rootCerts.h
@@ -30,21 +30,22 @@
 #ifndef _TP_ROOT_CERTS_H_
 #define _TP_ROOT_CERTS_H_
-#include
-#include
-#include
-
 /*
 * As of 3/18/02, use of the built-in root certs is disabled by default.
- * Their use is enabled at in CSSM_TP_CertGroupVerify by the use of a
- * private bit in CSSM_APPLE_TP_ACTION_DATA.ActionFlags.
- * The presence of the root certs at all (at compile time) is controlled
- * TP_ROOT_CERT_ENABLE.
+ * Their use is enabled at in CSSM_TP_CertGroupVerify by the use of the
+ * CSSM_TP_USE_INTERNAL_ROOT_CERTS bit in
+ * CSSM_APPLE_TP_ACTION_DATA.ActionFlags. The presence of the root certs
+ * at all (at compile time) is controlled TP_ROOT_CERT_ENABLE.
 */
-#define TP_ROOT_CERT_ENABLE 1
+#define TP_ROOT_CERT_ENABLE 0
 #if TP_ROOT_CERT_ENABLE
+#include
+#include
+#include
+#include "TPCertInfo.h"
+
 /*
 * Each one of these represents one known root cert.
 */
@@ -71,6 +72,23 @@ private:
 Mutex mLock;
 };
+
+/*
+ * Compare a root cert to a list of known embedded roots.
+ */
+extern "C" {
+
+CSSM_BOOL tp_isKnownRootCert(
+ TPCertInfo *rootCert, // raw cert to compare
+ CSSM_CL_HANDLE clHand);
+
+CSSM_BOOL tp_verifyWithKnownRoots(
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ TPCertInfo *certToVfy); // last in chain, not root
+
+}
+
 #endif /* TP_ROOT_CERT_ENABLE */
 #endif /* _TP_ROOT_CERTS_H_ */
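Review bot: The rewritten comment above `TP_ROOT_CERT_ENABLE` does not say what a caller gets when it sets `CSSM_TP_USE_INTERNAL_ROOT_CERTS` in a build where the switch is now 0. With everything under `#if TP_ROOT_CERT_ENABLE` compiled out, the bit presumably has no effect, but whether it is silently ignored or rejected in CSSM_TP_CertGroupVerify is not visible in this hunk. Because this switch decides which trust anchors a build carries, I would add a sentence along the lines of `With TP_ROOT_CERT_ENABLE 0 the embedded roots are not compiled in and the CSSM_TP_USE_INTERNAL_ROOT_CERTS bit has no effect.`, adjusted to the actual behavior. The new text also carries over two slips from the old one: "enabled at in" and "is controlled TP_ROOT_CERT_ENABLE" (missing "by").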
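Review bot: The two new prototypes share a single comment that only describes `tp_isKnownRootCert`, so `tp_verifyWithKnownRoots` is declared with no stated contract. Both return values feed a trust decision, so the header should say what `CSSM_TRUE` means in each case: for the first, whether the match is on the full encoded certificate or only on name or key; for the second, whether it only verifies the signature on `certToVfy` with an embedded root's key or also checks validity dates. It should also state whether NULL arguments are allowed, and that both functions exist only when `TP_ROOT_CERT_ENABLE` is nonzero. Separately, `extern "C"` around prototypes taking `TPCertInfo *` gives C linkage to functions only C++ code can call; if that is intentional, a one-line comment saying why would help.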