/*
 * Copyright (c) 2003-2012,2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*!
    @header SecTrustPriv
    Private part of SecTrust.h

    Declares the legacy per-user trust record API (SecTrust{Get,Set}UserTrust
    and SecTrustSetUserTrustLegacy), the CSSM anchor accessor, the extended
    (EV) result accessor, the kSecTrustResultDetails key, and the preference
    domain/keys that configure OCSP and CRL revocation checking.

    Everything in this header is private API: most of it is either deprecated
    or scheduled for deprecation (see the per-function notes), and new code
    should use the public SecTrust.h / SecTrustSettings.h entry points.
*/

#ifndef _SECURITY_SECTRUST_PRIV_H_
#define _SECURITY_SECTRUST_PRIV_H_

#include <Security/SecTrust.h>
#include <CoreFoundation/CFString.h>
#include <CoreFoundation/CFDictionary.h>


#if defined(__cplusplus)
extern "C" {
#endif

/*
    unique keychain item attributes for user trust records.

    Four-character attribute tags for the fields of a user trust keychain
    record. The names indicate which field each tag addresses (certificate,
    policy, public key, signature); the record layout itself is not defined
    in this header.
*/
enum {
    kSecTrustCertAttr = 'tcrt',
    kSecTrustPolicyAttr = 'tpol',
    /* Leopard and later */
    kSecTrustPubKeyAttr = 'tpbk',
    kSecTrustSignatureAttr = 'tsig'
};

/*!
    @function SecTrustGetUserTrust
    @abstract Gets the user-specified trust settings of a certificate and policy.
    @param certificate A reference to a certificate.
    @param policy A reference to a policy.
    @param trustSetting On return, a pointer to the user specified trust settings.
    @result A result code. See "Security Error Codes" (SecBase.h).
    @availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5.
    @discussion The deprecation attribute is commented out below, so the
    compiler will not warn callers; treat the availability note above as the
    authoritative status. *trustSetting should only be read when the result
    is errSecSuccess.
*/
OSStatus SecTrustGetUserTrust(SecCertificateRef certificate, SecPolicyRef policy, SecTrustUserSetting *trustSetting)
    /*DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER*/;

/*!
    @function SecTrustSetUserTrust
    @abstract Sets the user-specified trust settings of a certificate and policy.
    @param certificate A reference to a certificate.
    @param policy A reference to a policy.
    @param trustSetting The user-specified trust settings.
    @result A result code. See "Security Error Codes" (SecBase.h).
    @availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5.
    @discussion as of Mac OS version 10.5, this will result in a call to
    SecTrustSettingsSetTrustSettings().

    Because it is routed through Trust Settings, a change made here alters the
    trust outcome for every later evaluation of this certificate under this
    policy, not just the current SecTrustRef. As with SecTrustGetUserTrust,
    the deprecation attribute is commented out and produces no compiler warning.
*/
OSStatus SecTrustSetUserTrust(SecCertificateRef certificate, SecPolicyRef policy, SecTrustUserSetting trustSetting)
    /*DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER*/;

/*!
    @function SecTrustSetUserTrustLegacy
    @abstract Sets the user-specified trust settings of a certificate and policy.
    @param certificate A reference to a certificate.
    @param policy A reference to a policy.
    @param trustSetting The user-specified trust settings.
    @result A result code. See "Security Error Codes" (SecBase.h).

    @discussion This is the private version of what used to be SecTrustSetUserTrust(); it operates
    on UserTrust entries as that function used to. The current SecTrustSetUserTrust()
    function operated on Trust Settings.

    NOTE(review): unlike the two functions above, this declaration carries no
    availability or deprecation annotation even though it writes the legacy
    UserTrust records rather than Trust Settings. Confirm whether it should be
    annotated, and note that entries written here are presumably not visible
    through the SecTrustSettings API — verify against the implementation.
*/
OSStatus SecTrustSetUserTrustLegacy(SecCertificateRef certificate, SecPolicyRef policy, SecTrustUserSetting trustSetting);

/*!
    @function SecTrustGetCSSMAnchorCertificates
    @abstract Retrieves the CSSM anchor certificates.
    @param cssmAnchors A pointer to an array of anchor certificates.
    @param cssmAnchorCount A pointer to the number of certificates in anchors.
    @result A result code. See "Security Error Codes" (SecBase.h).
    @availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5.
    @discussion This is a "Get" function returning a const pointer: ownership
    and lifetime of the returned CSSM_DATA array are not documented here.
    NOTE(review): confirm whether the caller must free it and how long it stays
    valid before relying on it beyond the immediate call site. Both out-params
    should only be read when the result is errSecSuccess.
*/
OSStatus SecTrustGetCSSMAnchorCertificates(const CSSM_DATA **cssmAnchors, uint32 *cssmAnchorCount)
    /*DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER*/;

/*!
    @function SecTrustCopyExtendedResult
    @abstract Gets the extended trust result after an evaluation has been performed.
    @param trust A trust reference.
    @param result On return, result points to a CFDictionaryRef containing extended trust results (if no error occurred).
    The caller is responsible for releasing this dictionary with CFRelease when finished with it.
    @result A result code. See "Security Error Codes" (SecBase.h).
    @discussion This function may only be used after SecTrustEvaluate has been called for the trust reference, otherwise
    errSecTrustNotAvailable is returned. If the certificate is not an extended validation certificate, there is
    no extended result data and errSecDataNotAvailable is returned. Currently, only one dictionary key is defined
    (kSecEVOrganizationName).

    Note: this function will be deprecated in a future release of OS X. Your
    code should use SecTrustCopyResult to obtain the trust results dictionary.

    Callers should branch on the returned OSStatus rather than on whether
    *result is non-NULL; errSecDataNotAvailable is an expected outcome for
    non-EV chains, not a failure of the evaluation itself.
*/
OSStatus SecTrustCopyExtendedResult(SecTrustRef trust, CFDictionaryRef *result)
    __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA);


/*!
    @enum Trust Result Constants
    @discussion Predefined key constants used to obtain values in a
    dictionary of trust evaluation results for a certificate chain,
    as retrieved from a call to SecTrustCopyResult.

    @constant kSecTrustResultDetails
    This key will be present if a trust evaluation has been performed.
    Its value is a CFArrayRef of CFDictionaryRef representing detailed
    status info for each certificate in the completed chain.
    The per-certificate dictionary keys are not defined in this header.
 */
extern CFTypeRef kSecTrustResultDetails
    __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_NA);


/*
 * Preference-related strings for Revocation policies.
 *
 * These select how strictly OCSP and CRL checking is applied during trust
 * evaluation. Per the comments below the default style for each is "None",
 * so revocation checking is only as strict as the preference that has been
 * written, and that preference lives in a user- or machine-level plist.
 * NOTE(review): how the per-user and /Library values are merged, and whether
 * a user-level value can relax a machine-level one, is decided by the reader
 * of this domain, not by this header — verify against that code.
 */

/*
 * Preference domain, i.e., the name of a plist in ~/Library/Preferences or in
 * /Library/Preferences
 *
 * Note this is a plain C string literal, unlike the CFSTR() keys and values
 * below; presumably it is wrapped with CFSTR() by its consumer.
 */
#define kSecRevocationDomain "com.apple.security.revocation"

/* OCSP and CRL style keys, followed by values used for both of them */
#define kSecRevocationOcspStyle CFSTR("OCSPStyle")
#define kSecRevocationCrlStyle CFSTR("CRLStyle")
    #define kSecRevocationOff CFSTR("None") /* default for each one */
    #define kSecRevocationBestAttempt CFSTR("BestAttempt")
    #define kSecRevocationRequireIfPresent CFSTR("RequireIfPresent")
    #define kSecRevocationRequireForAll CFSTR("RequireForAll")

/* Which first if both enabled? */
#define kSecRevocationWhichFirst CFSTR("RevocationFirst")
    #define kSecRevocationOcspFirst CFSTR("OCSP")
    #define kSecRevocationCrlFirst CFSTR("CRL")

/* boolean: A "this policy is sufficient per cert" for each */
#define kSecRevocationOCSPSufficientPerCert CFSTR("OCSPSufficientPerCert")
#define kSecRevocationCRLSufficientPerCert CFSTR("CRLSufficientPerCert")

/* local OCSP responder URI, value arbitrary string value */
#define kSecOCSPLocalResponder CFSTR("OCSPLocalResponder")

/* Extended trust result keys (now in public API)
 *
 * These are compatibility aliases for the public SecTrust.h keys. Note that
 * kSecTrustExpirationDate maps to kSecTrustRevocationValidUntilDate, i.e. the
 * date until which the revocation status is considered valid — not the
 * expiration of the certificate chain. Callers should not treat it as the
 * chain's notAfter date.
 */
#define kSecEVOrganizationName kSecTrustOrganizationName
#define kSecTrustExpirationDate kSecTrustRevocationValidUntilDate

#if defined(__cplusplus)
}
#endif

#endif /* !_SECURITY_SECTRUST_PRIV_H_ */