1/*
2 * Copyright (c) 2008-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24/*!
    @header SecPolicyInternal
    The functions declared in SecPolicyInternal form the private interface to
    the trust policies used by SecTrust.
28*/
29
30#ifndef _SECURITY_SECPOLICYINTERNAL_H_
31#define _SECURITY_SECPOLICYINTERNAL_H_
32
#include <Security/SecPolicy.h>
#include <Security/SecTrust.h>
#include <Security/SecCertificatePath.h>
#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFString.h>
#include <CoreFoundation/CFRuntime.h>
#include <xpc/xpc.h>
39
40__BEGIN_DECLS
41
42/********************************************************
43 ****************** SecPolicy struct ********************
44 ********************************************************/
/* Backing storage for a SecPolicyRef. Layout is part of the private ABI
 * shared with the implementation; do not reorder or insert fields. */
struct __SecPolicy {
    CFRuntimeBase   _base;    /* CF object header; must remain the first member. */
    CFStringRef     _oid;     /* Policy identifier (presumably the oid passed to SecPolicyCreate). */
    CFDictionaryRef _options; /* Check options; presumably keyed by the kSecPolicyCheck* strings below. */
};
50
51/*!
52    @enum Policy Check Keys
53    @discussion Keys that represent various checks that can be done in a trust
54	policy.
55    @constant kSecPolicyCheckCriticalExtensions Ensure that no certificate in the chain has any critical extensions that we do not understand.
    @constant kSecPolicyCheckIdLinkage Check that every certificate in the chain that carries a SubjectKeyId matches the AuthorityKeyId of the certificate it signs. This check is optional: if either certificate lacks the relevant extension, the check succeeds.
	@constant kSecPolicyCheckBasicContraints Fails if the basic constraints for the certificate chain are not met. Basic constraints may be non-critical, not every CA certificate is required to carry a basic constraints extension, and leaf certificates are allowed to carry one.
58	@constant kSecPolicyCheckExtendedKeyUsage @@@
	@constant kSecPolicyCheckIdLinkage (second entry for the same key) Fails if the AuthorityKeyID -> SubjectKeyID chaining is not consistent; see the first kSecPolicyCheckIdLinkage entry above for the rule applied when an extension is absent.
60	@constant kSecPolicyCheckKeyUsage @@@
	@constant kSecPolicyCheckNonEmptySubject Fails if a certificate has an empty subject name except where RFC 3280, 4.1.2.6 permits it: only in a leaf certificate, and only when a subjectAltName extension is present and marked critical.
62	@constant kSecPolicyCheckQualifiedCertStatements Perform the following check: RFC 3739: if this cert has a Qualified Cert Statements extension, and it's Critical, make sure we understand all of the extension's statementIds.
63	@constant kSecPolicyCheckValidIntermediates Fails if any certificates in the chain are not valid at the verify time other than the leaf and the root.
64	@constant kSecPolicyCheckValidLeaf Fails if the leaf certificate is not valid at the verify time.
65	@constant kSecPolicyCheckValidRoot Fails if the root certificate is not valid at the verify time.
66	@constant kSecPolicyCheckAnchorTrusted @@@.
67	@constant kSecPolicyCheckAnchorSHA1 @@@.
68	@constant kSecPolicyCheckSSLHostname @@@.
69	@constant kSecPolicyCheckEmail @@@.
70	@constant kSecPolicyCheckIssuerCommonName @@@.
71	@constant kSecPolicyCheckSubjectCommonNamePrefix @@@.
72	@constant kSecPolicyCheckChainLength @@@.
73	@constant kSecPolicyCheckNotValidBefore @@@.
74	@constant kSecPolicyCheckEAPTrustedServerNames @@@.
75	@constant kSecPolicyCheckBasicCertificateProcessing @@@.
76	@constant kSecPolicyCheckExtendedValidation @@@.
77	@constant kSecPolicyCheckRevocation @@@.
78	@constant kSecPolicyCheckNoNetworkAccess @@@.
79    @constant kSecPolicyCheckBlackListedLeaf @@@.
80*/
/* Option-dictionary keys naming the individual checks a policy can request.
 * Grouped here by key name only; the semantics that are known are described
 * in the comment block above. Several keys (e.g. SubjectCommonName*,
 * SubjectOrganization*, CertificatePolicy, *MarkerOid, *ListedKey) have no
 * description yet — TODO document them from the implementation. */

/* Certificate content and chain-structure checks. */
extern CFStringRef kSecPolicyCheckBasicContraints;
extern CFStringRef kSecPolicyCheckCriticalExtensions;
extern CFStringRef kSecPolicyCheckExtendedKeyUsage;
extern CFStringRef kSecPolicyCheckIdLinkage;
extern CFStringRef kSecPolicyCheckKeyUsage;
extern CFStringRef kSecPolicyCheckNonEmptySubject;
extern CFStringRef kSecPolicyCheckQualifiedCertStatements;
extern CFStringRef kSecPolicyCheckChainLength;
extern CFStringRef kSecPolicyCheckBasicCertificateProcessing;
extern CFStringRef kSecPolicyCheckCertificatePolicy;
extern CFStringRef kSecPolicyCheckExtendedValidation;

/* Validity-period checks. */
extern CFStringRef kSecPolicyCheckValidIntermediates;
extern CFStringRef kSecPolicyCheckValidLeaf;
extern CFStringRef kSecPolicyCheckValidRoot;
extern CFStringRef kSecPolicyCheckNotValidBefore;

/* Anchor checks. */
extern CFStringRef kSecPolicyCheckAnchorTrusted;
extern CFStringRef kSecPolicyCheckAnchorSHA1;

/* Name-matching checks. */
extern CFStringRef kSecPolicyCheckSSLHostname;
extern CFStringRef kSecPolicyCheckEmail;
extern CFStringRef kSecPolicyCheckEAPTrustedServerNames;
extern CFStringRef kSecPolicyCheckIssuerCommonName;
extern CFStringRef kSecPolicyCheckSubjectCommonName;
extern CFStringRef kSecPolicyCheckSubjectCommonNameTEST;
extern CFStringRef kSecPolicyCheckSubjectCommonNamePrefix;
extern CFStringRef kSecPolicyCheckSubjectOrganization;
extern CFStringRef kSecPolicyCheckSubjectOrganizationalUnit;

/* Marker-OID checks. */
extern CFStringRef kSecPolicyCheckLeafMarkerOid;
extern CFStringRef kSecPolicyCheckIntermediateMarkerOid;

/* Revocation and network-access checks. */
extern CFStringRef kSecPolicyCheckRevocation;
extern CFStringRef kSecPolicyCheckNoNetworkAccess;

/* Black-list and gray-list checks. */
extern CFStringRef kSecPolicyCheckBlackListedLeaf;
extern CFStringRef kSecPolicyCheckBlackListedKey;
extern CFStringRef kSecPolicyCheckGrayListedLeaf;
extern CFStringRef kSecPolicyCheckGrayListedKey;
115
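/*!
    @function SecPolicyCreate
    @abstract Creates a new policy object from a policy OID and an options
        dictionary.
    @param oid Policy identifier string.
    @param options Dictionary of check options; presumably keyed by the
        kSecPolicyCheck* strings declared above — confirm against the
        implementation.
    @result A SecPolicyRef. The name follows the CF "Create" rule, so the
        caller is expected to release the result; NULL on failure is assumed,
        not visible here.
*/
SecPolicyRef SecPolicyCreate(CFStringRef oid, CFDictionaryRef options);

/*!
    @function SecPolicyArrayCopyXPCArray
    @abstract Produces an XPC representation of an array of policies.
    @param policies CFArray of policy objects.
    @param error Optional out-parameter; may be set on failure.
    @result An xpc_object_t; the "Copy" naming implies the caller owns it.
        Check the return value for NULL rather than the error pointer.
*/
xpc_object_t SecPolicyArrayCopyXPCArray(CFArrayRef policies, CFErrorRef *error);

/*!
    @function SecPolicyXPCArrayCopyArray
    @abstract Inverse of SecPolicyArrayCopyXPCArray: rebuilds a CFArray of
        policies from an XPC object.
    @param xpc_policies XPC object received from another process. Because it
        crosses a process boundary it is untrusted input; the implementation is
        expected to validate each element's type and contents before
        constructing policies (not visible in this header — confirm).
    @param error Optional out-parameter; may be set on failure.
    @result A CFArray the caller owns per the "Copy" rule, or NULL on failure.
*/
CFArrayRef SecPolicyXPCArrayCopyArray(xpc_object_t xpc_policies, CFErrorRef *error);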
120
121__END_DECLS
122
123#endif /* !_SECURITY_SECPOLICYINTERNAL_H_ */
124