X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/b04fe171f0375ecd5d8a24747ca1dff85720a0ca..6b200bc335dc93c5516ccb52f14bd896d8c7fad7:/OSX/libsecurity_keychain/lib/SecPolicyPriv.h diff --git a/OSX/libsecurity_keychain/lib/SecPolicyPriv.h b/OSX/libsecurity_keychain/lib/SecPolicyPriv.h deleted file mode 100644 index ee635e69..00000000 --- a/OSX/libsecurity_keychain/lib/SecPolicyPriv.h +++ /dev/null @@ -1,1497 +0,0 @@ -/* - * Copyright (c) 2003-2016 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/*! - @header SecPolicyPriv - The functions provided in SecPolicyPriv provide an interface to various - X.509 certificate trust policies. -*/ - -#ifndef _SECURITY_SECPOLICYPRIV_H_ -#define _SECURITY_SECPOLICYPRIV_H_ - -#include -#include -#include -#include -#include - -__BEGIN_DECLS - -CF_ASSUME_NONNULL_BEGIN -CF_IMPLICIT_BRIDGING_ENABLED - -/*! - @enum Policy Constants (Private) - @discussion Predefined constants used to specify a policy. - @constant kSecPolicyAppleMobileStore - @constant kSecPolicyAppleTestMobileStore - @constant kSecPolicyAppleEscrowService - @constant kSecPolicyAppleProfileSigner - @constant kSecPolicyAppleQAProfileSigner - @constant kSecPolicyAppleServerAuthentication - @constant kSecPolicyAppleOTAPKISigner - @constant kSecPolicyAppleTestOTAPKISigner - @constant kSecPolicyAppleIDValidationRecordSigning - @constant kSecPolicyAppleSMPEncryption - @constant kSecPolicyAppleTestSMPEncryption - @constant kSecPolicyApplePCSEscrowService - @constant kSecPolicyApplePPQSigning - @constant kSecPolicyAppleTestPPQSigning - @constant kSecPolicyAppleSWUpdateSigning - @constant kSecPolicyApplePackageSigning - @constant kSecPolicyAppleOSXProvisioningProfileSigning - @constant kSecPolicyAppleATVVPNProfileSigning - @constant kSecPolicyAppleAST2DiagnosticsServerAuth - @constant kSecPolicyAppleEscrowProxyServerAuth - @constant kSecPolicyAppleFMiPServerAuth - @constant kSecPolicyAppleMMCService - @constant kSecPolicyAppleGSService - @constant kSecPolicyApplePPQService - @constant kSecPolicyAppleHomeKitServerAuth - @constant kSecPolicyAppleiPhoneActivation - @constant kSecPolicyAppleiPhoneDeviceCertificate - @constant kSecPolicyAppleFactoryDeviceCertificate - @constant kSecPolicyAppleiAP - @constant kSecPolicyAppleiTunesStoreURLBag - @constant kSecPolicyAppleiPhoneApplicationSigning - @constant kSecPolicyAppleiPhoneProfileApplicationSigning - @constant kSecPolicyAppleiPhoneProvisioningProfileSigning - @constant kSecPolicyAppleLockdownPairing - @constant kSecPolicyAppleURLBag - @constant kSecPolicyAppleOTATasking - @constant kSecPolicyAppleMobileAsset - @constant kSecPolicyAppleIDAuthority - @constant kSecPolicyAppleGenericApplePinned - @constant kSecPolicyAppleGenericAppleSSLPinned - @constant kSecPolicyAppleSoftwareSigning - @constant kSecPolicyAppleExternalDeveloper - @constant kSecPolicyAppleOCSPSigner - @constant kSecPolicyAppleIDSService - @constant kSecPolicyAppleIDSServiceContext - @constant kSecPolicyApplePushService - @constant kSecPolicyAppleLegacyPushService - @constant kSecPolicyAppleTVOSApplicationSigning - @constant kSecPolicyAppleUniqueDeviceIdentifierCertificate - @constant kSecPolicyAppleEscrowProxyCompatibilityServerAuth - @constant kSecPolicyAppleMMCSCompatibilityServerAuth - @constant kSecPolicyAppleSecureIOStaticAsset - @constant kSecPolicyAppleWarsaw - */ -extern const CFStringRef kSecPolicyAppleMobileStore - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); -extern const CFStringRef kSecPolicyAppleTestMobileStore - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); -extern const CFStringRef kSecPolicyAppleEscrowService - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); -extern const CFStringRef kSecPolicyAppleProfileSigner - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); -extern const CFStringRef kSecPolicyAppleQAProfileSigner - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); -extern const CFStringRef kSecPolicyAppleServerAuthentication - __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); -extern const CFStringRef kSecPolicyAppleOTAPKISigner - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_7_0); -extern const CFStringRef kSecPolicyAppleTestOTAPKISigner - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_7_0); -extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy - __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_NA, __MAC_NA, __IPHONE_7_0, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleIDValidationRecordSigning - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleSMPEncryption - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0); -extern const CFStringRef kSecPolicyAppleTestSMPEncryption - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0); -extern const CFStringRef kSecPolicyApplePCSEscrowService - __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_7_0); -extern const CFStringRef kSecPolicyApplePPQSigning - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyAppleTestPPQSigning - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyAppleSWUpdateSigning - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyApplePackageSigning - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyAppleATVVPNProfileSigning - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyAppleAST2DiagnosticsServerAuth - __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3); -extern const CFStringRef kSecPolicyAppleEscrowProxyServerAuth - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleFMiPServerAuth - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleMMCService - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleGSService - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyApplePPQService - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleHomeKitServerAuth - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleiPhoneActivation - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleiPhoneDeviceCertificate - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleFactoryDeviceCertificate - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleiAP - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleiTunesStoreURLBag - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleiPhoneApplicationSigning - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleiPhoneProfileApplicationSigning - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleiPhoneProvisioningProfileSigning - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleLockdownPairing - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleURLBag - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleOTATasking - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleMobileAsset - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleIDAuthority - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleGenericApplePinned - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleGenericAppleSSLPinned - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleSoftwareSigning - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleExternalDeveloper - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleOCSPSigner - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleIDSService - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleIDSServiceContext - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyApplePushService - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleLegacyPushService - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleTVOSApplicationSigning - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleUniqueDeviceIdentifierCertificate - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyAppleSecureIOStaticAsset - __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); -extern const CFStringRef kSecPolicyAppleWarsaw - __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); - - -/*! - @enum Policy Value Constants - @abstract Predefined property key constants used to get or set values in - a dictionary for a policy instance. - @discussion - All policies will have the following read-only value: - kSecPolicyOid (the policy object identifier) - - Additional policy values which your code can optionally set: - kSecPolicyName (name which must be matched) - kSecPolicyClient (evaluate for client, rather than server) - kSecPolicyRevocationFlags (only valid for a revocation policy) - kSecPolicyRevocationFlags (only valid for a revocation policy) - kSecPolicyTeamIdentifier (only valid for a Passbook signing policy) - kSecPolicyContext (valid for policies below that take a context parameter) - kSecPolicyPolicyName (only valid for GenericApplePinned or - GenericAppleSSLPinned policies) - kSecPolicyIntermediateMarkerOid (only valid for GenericApplePinned or - GenericAppleSSLPinned policies) - kSecPolicyLeafMarkerOid (only valid for GenericApplePinned or - GenericAppleSSLPinned policies) - kSecPolicyRootDigest (only valid for the UniqueDeviceCertificate policy) - - @constant kSecPolicyContext Specifies a CFDictionaryRef with keys and values - specified by the particular SecPolicyCreate function. - @constant kSecPolicyPolicyName Specifies a CFStringRef of the name of the - desired policy result. - @constant kSecPolicyIntermediateMarkerOid Specifies a CFStringRef of the - marker OID (in decimal format) required in the intermediate certificate. - @constant kSecPolicyLeafMarkerOid Specifies a CFStringRef of the - marker OID (in decimal format) required in the leaf certificate. - @constant kSecPolicyRootDigest Specifies a CFDataRef of digest required to - match the SHA-256 of the root certificate. - */ -extern const CFStringRef kSecPolicyContext - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyPolicyName - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyIntermediateMarkerOid - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyLeafMarkerOid - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); -extern const CFStringRef kSecPolicyRootDigest - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); - - -/*! - @function SecPolicyCreateApplePinned - @abstract Returns a policy object for verifying Apple certificates. - @param policyName A string that identifies the policy name. - @param intermediateMarkerOID A string containing the decimal representation of the - extension OID in the intermediate certificate. - @param leafMarkerOID A string containing the decimal representation of the extension OID - in the leaf certificate. - @discussion The resulting policy uses the Basic X.509 policy with validity check and - pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if the value true is set for the key - "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the - com.apple.security preferences for the user of the calling application. - * There are exactly 3 certs in the chain. - * The intermediate has a marker extension with OID matching the intermediateMarkerOID - parameter. - * The leaf has a marker extension with OID matching the leafMarkerOID parameter. - * Revocation is checked via any available method. - * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. - @result A policy object. The caller is responsible for calling CFRelease on this when - it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName, - CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID) - __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); - -/*! - @function SecPolicyCreateAppleSSLPinned - @abstract Returns a policy object for verifying Apple SSL certificates. - @param policyName A string that identifies the service/policy name. - @param hostname hostname to verify the certificate name against. - @param intermediateMarkerOID A string containing the decimal representation of the - extension OID in the intermediate certificate. If NULL is passed, the default OID of - 1.2.840.113635.100.6.2.12 is checked. - @param leafMarkerOID A string containing the decimal representation of the extension OID - in the leaf certificate. - @discussion The resulting policy uses the Basic X.509 policy with validity check and - pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if the value true is set for the key - "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the - com.apple.security preferences for the user of the calling application. - * There are exactly 3 certs in the chain. - * The intermediate has a marker extension with OID matching the intermediateMarkerOID - parameter, or 1.2.840.113635.100.6.2.12 if NULL is passed. - * The leaf has a marker extension with OID matching the leafMarkerOID parameter. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. - @result A policy object. The caller is responsible for calling CFRelease on this when - it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname, - CFStringRef __nullable intermediateMarkerOID, CFStringRef leafMarkerOID) - __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); - -/*! - @function SecPolicyCreateiPhoneActivation - @abstract Returns a policy object for verifying iPhone Activation - certificate chains. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in chain. - * The intermediate has Common Name "Apple iPhone Certification Authority". - * The leaf has Common Name "iPhone Activation". - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateiPhoneActivation(void); - -/*! - @function SecPolicyCreateiPhoneDeviceCertificate - @abstract Returns a policy object for verifying iPhone Device certificate - chains. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 4 certs in chain. - * The first intermediate has Common Name "Apple iPhone Device CA". - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void); - -/*! - @function SecPolicyCreateFactoryDeviceCertificate - @abstract Returns a policy object for verifying Factory Device certificate - chains. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to the Factory Device CA. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void); - -/*! - @function SecPolicyCreateiAP - @abstract Returns a policy object for verifying iAP certificate chains. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The leaf has notBefore date after 5/31/2006 midnight GMT. - * The leaf has Common Name beginning with "IPA_". - The intended use of this policy is that the caller pass in the - intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates(). - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateiAP(void); - -/*! - @function SecPolicyCreateiTunesStoreURLBag - @abstract Returns a policy object for verifying iTunes Store URL bag - certificates. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to the iTMS CA. - * There are exactly 2 certs in the chain. - * The leaf has Organization "Apple Inc.". - * The leaf has Common Name "iTunes Store URL Bag". - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void); - -/*! - @function SecPolicyCreateEAP - @abstract Returns a policy object for verifying for 802.1x/EAP certificates. - @param server Passing true for this parameter create a policy for EAP - server certificates. - @param trustedServerNames Optional; if present, the hostname in the leaf - certificate must be in the trustedServerNames list. Note that contrary - to all other policies the trustedServerNames list entries can have wildcards - whilst the certificate cannot. This matches the existing deployments. - @discussion This policy uses the Basic X.509 policy with validity check but - disallowing network fetching. If trustedServerNames param is non-null, the - ExtendedKeyUsage extension, if present, of the leaf certificate is verified - to contain either the ServerAuth OID, if the server param is true or - ClientAuth OID, otherwise. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedServerNames); - -/*! - @function SecPolicyCreateIPSec - @abstract Returns a policy object for evaluating IPSec certificate chains. - @param server Passing true for this parameter create a policy for IPSec - server certificates. - @param hostname Optional; if present, the policy will require the specified - hostname or ip address to match the hostname in the leaf certificate. - @discussion This policy uses the Basic X.509 policy with validity check. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable hostname); - -/*! - @function SecPolicyCreateAppleSWUpdateSigning - @abstract Returns a policy object for evaluating SW update signing certs. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate ExtendedKeyUsage Extension contains 1.2.840.113635.100.4.1. - * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void); - -/*! - @function SecPolicyCreateApplePackageSigning - @abstract Returns a policy object for evaluating installer package signing certs. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The leaf KeyUsage extension has the digital signature bit set. - * The leaf ExtendedKeyUsage extension has the CodeSigning OID. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateApplePackageSigning(void); - -/*! - @function SecPolicyCreateiPhoneApplicationSigning - @abstract Returns a policy object for evaluating signed application - signatures. This is for apps signed directly by the app store. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple iPhone Certification Authority". - * The leaf has Common Name "Apple iPhone OS Application Signing". - * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.3 or OID - 1.2.840.113635.100.6.1.6. - * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID - or the CodeSigning OID. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void); - -/*! - @function SecPolicyCreateiPhoneProfileApplicationSigning - @abstract Returns a policy object for evaluating signed application - signatures. This policy is for certificates inside a UPP or regular - profile. - @discussion This policy only verifies that the leaf is temporally valid - and not revoked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void); - -/*! - @function SecPolicyCreateiPhoneProvisioningProfileSigning - @abstract Returns a policy object for evaluating provisioning profile signatures. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple iPhone Certification Authority". - * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing". - * If the device is not a production device and is running an internal - release, the leaf may have the Common Name "TEST Apple iPhone OS - Provisioning Profile Signing TEST". - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void); - -/*! - @function SecPolicyCreateAppleTVOSApplicationSigning - @abstract Returns a policy object for evaluating signed application - signatures. This is for apps signed directly by the Apple TV app store, - and allows for both the prod and the dev/test certs. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. - Test roots are never permitted. - * There are exactly 3 certs in the chain. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1. - * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or - the CodeSigning OID. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID - 1.2.840.113635.100.6.1.24.1. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void); - -/*! - @function SecPolicyCreateOCSPSigner - @abstract Returns a policy object for evaluating ocsp response signers. - @discussion This policy uses the Basic X.509 policy with validity check and - requires the leaf to have an ExtendedKeyUsage of OCSPSigning. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateOCSPSigner(void); - - -enum { - kSecSignSMIMEUsage = (1 << 0), - kSecKeyEncryptSMIMEUsage = (1 << 1), - kSecDataEncryptSMIMEUsage = (1 << 2), - kSecKeyExchangeDecryptSMIMEUsage = (1 << 3), - kSecKeyExchangeEncryptSMIMEUsage = (1 << 4), - kSecKeyExchangeBothSMIMEUsage = (1 << 5), - kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage | kSecDataEncryptSMIMEUsage | - kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage -}; - -/*! - @function SecPolicyCreateSMIME - @abstract Returns a policy object for evaluating S/MIME certificate chains. - @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage - flags, to indicate the intended usage of this certificate. - @param email Optional; if present, the policy will require the specified - email to match the email in the leaf certificate. - @discussion This policy uses the Basic X.509 policy with validity check and - requires the leaf to have - * a KeyUsage matching the smimeUsage, - * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the - EmailProtection OID, and - * if the email param is specified, the email address in the RFC822Name in the - SubjectAlternativeName extension or in the Email Address field of the - Subject Name. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable email); - -/*! - @function SecPolicyCreateCodeSigning - @abstract Returns a policy object for evaluating code signing certificate chains. - @discussion This policy uses the Basic X.509 policy with validity check and - requires the leaf to have - * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and - * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateCodeSigning(void); - -/*! - @function SecPolicyCreateLockdownPairing - @abstract basic x509 policy for checking lockdown pairing certificate chains. - @disucssion This policy checks some of the Basic X.509 policy options with no - validity check. It explicitly allows for empty subjects. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateLockdownPairing(void); - -/*! - @function SecPolicyCreateURLBag - @abstract Returns a policy object for evaluating certificate chains for signing URL bags. - @discussion This policy uses the Basic X.509 policy with no validity check and requires - that the leaf has ExtendedKeyUsage extension with the CodeSigning OID. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateURLBag(void); - -/*! - @function SecPolicyCreateOTATasking - @abstract Returns a policy object for evaluating certificate chains for signing OTA Tasking. - @discussion This policy uses the Basic X.509 policy with validity check and - pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple iPhone Certification Authority". - * The leaf has Common Name "OTA Task Signing". - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateOTATasking(void); - -/*! - @function SecPolicyCreateMobileAsset - @abstract Returns a policy object for evaluating certificate chains for signing Mobile Assets. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple iPhone Certification Authority". - * The leaf has Common Name "Asset Manifest Signing". - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateMobileAsset(void); - -/*! - @function SecPolicyCreateAppleIDAuthorityPolicy - @abstract Returns a policy object for evaluating certificate chains for Apple ID Authority. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3 - or OID 1.2.840.113635.100.6.2.7. - * The leaf has a marker extension with OID 1.2.840.113635.100.4.7. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void); - -/*! - @function SecPolicyCreateMacAppStoreReceipt - @abstract Returns a policy object for evaluating certificate chains for signing - Mac App Store Receipts. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1. - * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.6.1. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.11.1. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void); - -/*! - @function SecPolicyCreatePassbookCardSigner - @abstract Returns a policy object for evaluating certificate chains for signing Passbook cards. - @param cardIssuer Required; must match name in marker extension. - @param teamIdentifier Optional; if present, the policy will require the specified - team ID to match the organizationalUnit field in the leaf certificate's subject. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the - cardIssuer. - * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14. - * The leaf has a Organizational Unit matching the TeamID. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer, - CFStringRef __nullable teamIdentifier); - -/*! - @function SecPolicyCreateMobileStoreSigner - @abstract Returns a policy object for evaluating Mobile Store certificate chains. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple System Integration 2 Certification Authority". - * The leaf has KeyUsage with the DigitalSignature bit set. - * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateMobileStoreSigner(void); - -/*! - @function SecPolicyCreateTestMobileStoreSigner - @abstract Returns a policy object for evaluating Test Mobile Store certificate chains. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple System Integration 2 Certification Authority". - * The leaf has KeyUsage with the DigitalSignature bit set. - * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.1. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void); - -/*! - @function SecPolicyCreateEscrowServiceSigner - @abstract Returns a policy object for evaluating Escrow Service certificate chains. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to the current Escrow Roots in the OTAPKI asset. - * There are exactly 2 certs in the chain. - * The leaf has KeyUsage with the KeyEncipherment bit set. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateEscrowServiceSigner(void); - -/*! - @function SecPolicyCreatePCSEscrowServiceSigner - @abstract Returns a policy object for evaluating PCS Escrow Service certificate chains. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to the current PCS Escrow Roots in the OTAPKI asset. - * There are exactly 2 certs in the chain. - * The leaf has KeyUsage with the KeyEncipherment bit set. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void); - -/*! - @function SecPolicyCreateOSXProvisioningProfileSigning - @abstract Returns a policy object for evaluating certificate chains for signing OS X - Provisioning Profiles. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1. - * The leaf has KeyUsage with the DigitalSignature bit set. - * The leaf has a marker extension with OID 1.2.840.113635.100.4.11. - * Revocation is checked via OCSP. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void); - -/*! - @function SecPolicyCreateConfigurationProfileSigner - @abstract Returns a policy object for evaluating certificate chains for signing - Configuration Profiles. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3. - * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void); - -/*! - @function SecPolicyCreateQAConfigurationProfileSigner - @abstract Returns a policy object for evaluating certificate chains for signing - QA Configuration Profiles. On customer builds, this function returns the same - policy as SecPolicyCreateConfigurationProfileSigner. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3. - * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void); - -/*! - @function SecPolicyCreateOTAPKISigner - @abstract Returns a policy object for evaluating OTA PKI certificate chains. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to Apple PKI Settings CA. - * There are exactly 2 certs in the chain. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateOTAPKISigner(void); - -/*! - @function SecPolicyCreateTestOTAPKISigner - @abstract Returns a policy object for evaluating OTA PKI certificate chains. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to Apple Test PKI Settings CA. - * There are exactly 2 certs in the chain. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateTestOTAPKISigner(void); - -/*! - @function SecPolicyCreateAppleIDValidationRecordSigningPolicy - @abstract Returns a policy object for evaluating certificate chains for signing - Apple ID Validation Records. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3 - or OID 1.2.840.113635.100.6.2.10. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.25. - * Revocation is checked via OCSP. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void); - -/*! - @function SecPolicyCreateAppleSMPEncryption - @abstract Returns a policy object for evaluating SMP certificate chains. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13. - * The leaf has KeyUsage with the KeyEncipherment bit set. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.30. - * Revocation is checked via OCSP. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleSMPEncryption(void); - -/*! - @function SecPolicyCreateTestAppleSMPEncryption - @abstract Returns a policy object for evaluating Test SMP certificate chains. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to a Test Apple Root with ECC public key certificate. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Test Apple System Integration CA - ECC". - * The leaf has KeyUsage with the KeyEncipherment bit set. - * Revocation is checked via OCSP. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void); - -/*! - @function SecPolicyCreateApplePPQSigning - @abstract Returns a policy object for verifying production PPQ Signing certificates. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple System Integration 2 Certification - Authority". - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10. - * The leaf has KeyUsage with the DigitalSignature bit set. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.2. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateApplePPQSigning(void); - -/*! - @function SecPolicyCreateTestApplePPQSigning - @abstract Returns a policy object for verifying test PPQ Signing certificates. On - customer builds, this function returns the same policy as SecPolicyCreateApplePPQSigning. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple System Integration 2 Certification - Authority". - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10. - * The leaf has KeyUsage with the DigitalSignature bit set. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.1. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateTestApplePPQSigning(void); - -/*! - @function SecPolicyCreateAppleIDSService - @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions) - @discussion This policy uses the SSL server policy. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname); - -/*! - @function SecPolicyCreateAppleIDSServiceContext - @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions) - @param hostname Required; hostname to verify the certificate name against. - @param context Optional; if present, "AppleServerAuthenticationAllowUATIDS" with value - Boolean true will allow Test Apple roots on internal releases. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases either using the context dictionary or with - defaults write. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.4.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef __nullable context); - -/*! - @function SecPolicyCreateApplePushService - @abstract Ensure we're appropriately pinned to the Apple Push service (SSL + Apple restrictions) - @param hostname Required; hostname to verify the certificate name against. - @param context Optional; if present, "AppleServerAuthenticationAllowUATAPN" with value - Boolean true will allow Test Apple roots on internal releases. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases either using the context dictionary or with - defaults write. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.5.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef __nullable context); - -/*! - @function SecPolicyCreateApplePushServiceLegacy - @abstract Ensure we're appropriately pinned to the Push service (via Entrust) - @param hostname Required; hostname to verify the certificate name against. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to an Entrust Intermediate. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname); - -/*! - @function SecPolicyCreateAppleMMCSService - @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions) - @param hostname Required; hostname to verify the certificate name against. - @param context Optional; if present, "AppleServerAuthenticationAllowUATMMCS" with value - Boolean true will allow Test Apple roots and test OIDs on internal releases. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or, if - enabled, OID 1.2.840.113635.100.6.27.11.1. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef __nullable context); - -/*! - @function SecPolicyCreateAppleCompatibilityMMCSService - @abstract Ensure we're appropriately pinned to the MMCS service using compatibility certs - @param hostname Required; hostname to verify the certificate name against. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to the GeoTrust Global CA - * The intermediate has a subject public key info hash matching the public key of - the Apple IST CA G1 intermediate. - * The chain length is 3. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or - OID 1.2.840.113635.100.6.27.11.1. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname) - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); - -/*! - @function SecPolicyCreateAppleGSService - @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions) - @param hostname Required; hostname to verify the certificate name against. - @param context Optional; if present, "AppleServerAuthenticationAllowUATGS" with value - Boolean true will allow Test Apple roots on internal releases. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases either using the context dictionary or with - defaults write. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.2. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef __nullable context) - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); - -/*! - @function SecPolicyCreateApplePPQService - @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions) - @param hostname Required; hostname to verify the certificate name against. - @param context Optional; if present, "AppleServerAuthenticationAllowUATPPQ" with value - Boolean true will allow Test Apple roots on internal releases. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases either using the context dictionary or with - defaults write. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.3.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef __nullable context) - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); - -/*! - @function SecPolicyCreateAppleAST2Service - @abstract Ensure we're appropriately pinned to the AST2 Diagnostic service (SSL + Apple restrictions) - @param hostname Required; hostname to verify the certificate name against. - @param context Optional; if present, "AppleServerAuthenticationAllowUATAST2" with value - Boolean true will allow Test Apple roots on internal releases. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted either using the context dictionary or with defaults write. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.8.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef __nullable context) - __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3); - -/*! - @function SecPolicyCreateAppleEscrowProxyService - @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service (SSL + Apple restrictions) - @param hostname Required; hostname to verify the certificate name against. - @param context Optional; if present, "AppleServerAuthenticationAllowUATEscrow" with value -Boolean true will allow Test Apple roots on internal releases. - @discussion This policy uses the Basic X.509 policy with validity check -and pinning options: - * The chain is anchored to any of the production Apple Root CAs via full certificate - comparison. Test Apple Root CAs are permitted only on internal releases either - using the context dictionary or with defaults write. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease -on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef __nullable context) - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); - -/*! - @function SecPolicyCreateAppleCompatibilityEscrowProxyService - @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service using compatibility certs - @param hostname Required; hostname to verify the certificate name against. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to the GeoTrust Global CA - * The intermediate has a subject public key info hash matching the public key of - the Apple IST CA G1 intermediate. - * The chain length is 3. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or, - if UAT is enabled with a defaults write (internal devices only), - OID 1.2.840.113635.100.6.27.7.1. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleCompatibilityEscrowProxyService(CFStringRef hostname) -__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); - -/*! - @function SecPolicyCreateAppleFMiPService - @abstract Ensure we're appropriately pinned to the Find My iPhone service (SSL + Apple restrictions) - @param hostname Required; hostname to verify the certificate name against. - @param context Optional; if present, "AppleServerAuthenticationAllowUATFMiP" with value - Boolean true will allow Test Apple roots on internal releases. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs via full certificate - comparison. Test Apple Root CAs are permitted only on internal releases either - using the context dictionary or with defaults write. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.6.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.6.1. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryRef __nullable context) - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); - -/*! - @function SecPolicyCreateAppleSSLService - @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions) - @param hostname Optional; hostname to verify the certificate name against. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1 - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef __nullable hostname); - -/*! - @function SecPolicyCreateAppleTimeStamping - @abstract Returns a policy object for evaluating time stamping certificate chains. - @discussion This policy uses the Basic X.509 policy with validity check - and requires the leaf has ExtendedKeyUsage with the TimeStamping OID. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleTimeStamping(void); - -/*! - @function SecPolicyCreateApplePayIssuerEncryption - @abstract Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2". - * The leaf has KeyUsage with the KeyEncipherment bit set. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.39. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void) - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); - -/*! - @function SecPolicyCreateAppleATVVPNProfileSigning - @abstract Returns a policy object for evaluating Apple TV VPN Profile certificate chains. - @discussion This policy uses the Basic X.509 policy with no validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases. - * There are exactly 3 certs in the chain. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.43. - * Revocation is checked via OCSP. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void) - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); - -/*! - @function SecPolicyCreateAppleHomeKitServerAuth - @abstract Ensure we're appropriately pinned to the HomeKit service (SSL + Apple restrictions) - @param hostname Required; hostname to verify the certificate name against. - @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: - * The chain is anchored to any of the production Apple Root CAs via full certificate - comparison. Test Apple Root CAs are permitted only on internal releases with defaults write. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16 - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via any available method. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) - __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3); - -/*! - @function SecPolicyCreateAppleExternalDeveloper - @abstract Returns a policy object for verifying Apple-issued external developer - certificates. - @discussion The resulting policy uses the Basic X.509 policy with validity check and - pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has a marker extension with OID matching 1.2.840.113635.100.6.2.1 - (WWDR CA) or 1.2.840.113635.100.6.2.6 (Developer ID CA). - * The leaf has a marker extension with OID matching one of the following: - * 1.2.840.113635.100.6.1.2 ("iPhone Developer" leaf) - * 1.2.840.113635.100.6.1.4 ("iPhone Distribution" leaf) - * 1.2.840.113635.100.6.1.5 ("Safari Developer" leaf) - * 1.2.840.113635.100.6.1.7 ("3rd Party Mac Developer Application" leaf) - * 1.2.840.113635.100.6.1.8 ("3rd Party Mac Developer Installer" leaf) - * 1.2.840.113635.100.6.1.12 ("Mac Developer" leaf) - * 1.2.840.113635.100.6.1.13 ("Developer ID Application" leaf) - * 1.2.840.113635.100.6.1.14 ("Developer ID Installer" leaf) - * The leaf has an ExtendedKeyUsage OID matching one of the following: - * 1.3.6.1.5.5.7.3.3 (CodeSigning EKU) - * 1.2.840.113635.100.4.8 ("Safari Developer" EKU) - * 1.2.840.113635.100.4.9 ("3rd Party Mac Developer Installer" EKU) - * 1.2.840.113635.100.4.13 ("Developer ID Installer" EKU) - * Revocation is checked via any available method. - * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. - @result A policy object. The caller is responsible for calling CFRelease on this when - it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void) - __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); - -/*! - @function SecPolicyCreateAppleSoftwareSigning - @abstract Returns a policy object for verifying the Apple Software Signing certificate. - @discussion The resulting policy uses the Basic X.509 policy with validity check and - pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has the Common Name "Apple Code Signing Certification Authority". - * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22. - * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing). - * Revocation is checked via any available method. - * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. - @result A policy object. The caller is responsible for calling CFRelease on this when - it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleSoftwareSigning(void) - __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); - -/*! - @function SecPolicyGetName - @abstract Returns a policy's name. - @param policy A policy reference. - @result A policy name. - */ -__nullable CFStringRef SecPolicyGetName(SecPolicyRef policy) - __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); - -/*! - @function SecPolicyGetOidString - @abstract Returns a policy's oid in string decimal format. - @param policy A policy reference. - @result A policy oid. - */ -CFStringRef SecPolicyGetOidString(SecPolicyRef policy) - __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); - -/*! - @function SecPolicyCreateAppleUniqueDeviceCertificate - @abstract Returns a policy object for verifying Unique Device Identifier Certificates. - @param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning. - @discussion The resulting policy uses the Basic X.509 policy with no validity check and - pinning options: - * The chain is anchored to the SEP Root CA. Internal releases allow the chain to be - anchored to the testRootHash input if the value true is set for the key - "ApplePinningAllowTestCertsUCRT" in the com.apple.security preferences for the user - of the calling application. - * There are exactly 3 certs in the chain. - * The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and value - of "ucrt". - * The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1. - * RSA key sizes are disallowed. EC key sizes are P-256 or larger. -@result A policy object. The caller is responsible for calling CFRelease on this when - it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash) - __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); - -/*! - @function SecPolicyCreateAppleWarsaw - @abstract Returns a policy object for verifying signed Warsaw assets. - @discussion The resulting policy uses the Basic X.509 policy with validity check and - pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.14. - * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.29. - * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. - @result A policy object. The caller is responsible for calling CFRelease on this when - it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleWarsaw(void) - __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); - -/*! - @function SecPolicyCreateAppleSecureIOStaticAsset - @abstract Returns a policy object for verifying signed static assets for Secure IO. - @discussion The resulting policy uses the Basic X.509 policy with no validity check and - pinning options: - * The chain is anchored to any of the production Apple Root CAs. Internal releases allow - the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. - * There are exactly 3 certs in the chain. - * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.10. - * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.50. - * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. - @result A policy object. The caller is responsible for calling CFRelease on this when - it is no longer needed. - */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void) - __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); - - -CF_IMPLICIT_BRIDGING_DISABLED -CF_ASSUME_NONNULL_END - -/* - * Legacy functions (OS X only) - */ -#if TARGET_OS_MAC && !TARGET_OS_IPHONE - -CF_ASSUME_NONNULL_BEGIN -CF_IMPLICIT_BRIDGING_ENABLED - -/*! - @function SecPolicyCopy - @abstract Returns a copy of a policy reference based on certificate type and OID. - @param certificateType A certificate type. - @param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs. - @param policy The returned policy reference. This is a required parameter. - @result A result code. See "Security Error Codes" (SecBase.h). - @discussion This function is deprecated in Mac OS X 10.7 and later; - to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. - */ -OSStatus SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef * __nonnull CF_RETURNS_RETAINED policy) - __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); - -/*! - @function SecPolicyCopyAll - @abstract Returns an array of all known policies based on certificate type. - @param certificateType A certificate type. This is a optional parameter. Pass CSSM_CERT_UNKNOWN if the certificate type is unknown. - @param policies The returned array of policies. This is a required parameter. - @result A result code. See "Security Error Codes" (SecBase.h). - @discussion This function is deprecated in Mac OS X 10.7 and later; - to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally - no reason to iterate over multiple disjointed policies, except to provide a way to edit trust settings for each - policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID - for each desired policy from the list of supported OID constants in SecPolicy.h.) - */ -OSStatus SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef * __nonnull CF_RETURNS_RETAINED policies) - __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); - -/* Given a unified SecPolicyRef, return a copy with a legacy - C++ ItemImpl-based Policy instance. Only for internal use; - legacy references cannot be used by SecPolicy API functions. */ -__nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateItemImplInstance(SecPolicyRef policy); - -/* Given a CSSM_OID pointer, return a string which can be passed - to SecPolicyCreateWithProperties. The return value can be NULL - if no supported policy was found for the OID argument. */ -__nullable -CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid); - -/*! - @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies - @abstract Create timeStamping policy array from a given set of policies by applying identical revocation behavior - @param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef - @discussion This function is soon to be deprecated. Callers should create an array of the non-deprecated timestamping - and revocation policies. - */ -__nullable CF_RETURNS_RETAINED -CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray); - -CF_IMPLICIT_BRIDGING_DISABLED -CF_ASSUME_NONNULL_END - -#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ - -__END_DECLS - -#endif /* !_SECURITY_SECPOLICYPRIV_H_ */