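/*
 * Copyright (c) 2003-2006,2008,2010-2012 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 * certExtensionTemplates.h - libnssasn1 structs and templates for cert and
 * CRL extensions
 *
 * Usage / security notes for callers of these templates:
 *
 *  - Everything decoded through these templates originates in a certificate
 *    or CRL, i.e. attacker-controlled input. Treat every SecAsn1Item as
 *    untrusted bytes with an explicit length; never assume a field is
 *    present, non-empty, or of a particular size.
 *
 *  - Fields commented "ASN_ANY" are NOT interpreted by the decoder; the
 *    SecAsn1Item holds the raw DER of that element. The caller must select
 *    the proper template (e.g. by inspecting the tag) and decode it
 *    separately, bounded by the item's Length.
 *
 *  - INTEGER items (pathLenConstraint, serialNumber, minimum/maximum,
 *    requireExplicitPolicy, inhibitPolicyMapping, ...) are variable-length
 *    big-endian encodings. Check the Length before converting to a
 *    fixed-width integer so an oversized value cannot overflow or be
 *    silently truncated.
 *
 *  - BIT STRING items (key usage, netscape-cert-type, reasons,
 *    onlySomeReasons) report their Length in bits, not bytes. Check the bit
 *    length before indexing into the data.
 */

#ifndef _CERT_EXTENSION_TEMPLATES_H_
#define _CERT_EXTENSION_TEMPLATES_H_

#include <Security/X509Templates.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Basic Constraints
 * NSS struct : NSS_BasicConstraints
 * CDSA struct : CE_BasicConstraints
 */
typedef struct {
    SecAsn1Item cA;                 // BOOL
    SecAsn1Item pathLenConstraint;  // INTEGER optional (Length == 0 when absent)
} NSS_BasicConstraints;

extern const SecAsn1Template kSecAsn1BasicConstraintsTemplate[];

/*
 * Key Usage
 * NSS struct : SecAsn1Item, BIT STRING - length in bits
 * CDSA struct : CE_KeyUsage
 */
#define kSecAsn1KeyUsageTemplate kSecAsn1BitStringTemplate

/*
 * Extended Key Usage
 * NSS struct : NSS_ExtKeyUsage
 * CDSA struct : CE_ExtendedKeyUsage
 */
typedef struct {
    SecAsn1Oid **purposes;          // NULL-terminated array, SEQUENCE OF OID
} NSS_ExtKeyUsage;
#define kSecAsn1ExtKeyUsageTemplate kSecAsn1SequenceOfObjectIDTemplate

/*
 * Subject Key Identifier
 * NSS struct : SecAsn1Item
 * CDSA struct : CE_SubjectKeyID, typedef'd to a SecAsn1Item
 */
#define kSecAsn1SubjectKeyIdTemplate kSecAsn1OctetStringTemplate

/*
 * Authority Key Identifier
 * NSS struct : NSS_AuthorityKeyId
 * CDSA struct : CE_AuthorityKeyID
 *
 * All fields are optional.
 * NOTE: due to an anomaly in the encoding module, if the first field
 * of a sequence is optional, it has to be a POINTER type. keyIdentifier
 * is therefore NULL when the element is absent; the other two fields are
 * inline and must be checked via their contents/Length.
 */
typedef struct {
    SecAsn1Item *keyIdentifier;     // octet string, NULL if absent
    NSS_GeneralNames genNames;      // authorityCertIssuer, optional
    SecAsn1Item serialNumber;       // authorityCertSerialNumber, INTEGER, optional
} NSS_AuthorityKeyId;

extern const SecAsn1Template kSecAsn1AuthorityKeyIdTemplate[];

/*
 * Certificate policies.
 * NSS struct : NSS_CertPolicies
 * CDSA struct : CE_CertPolicies
 */
typedef struct {
    SecAsn1Oid policyQualifierId;   // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
    SecAsn1Item qualifier;          // ASN_ANY, not interpreted here; raw DER
} NSS_PolicyQualifierInfo;

extern const SecAsn1Template kSecAsn1PolicyQualifierTemplate[];

typedef struct {
    SecAsn1Oid certPolicyId;
    NSS_PolicyQualifierInfo **policyQualifiers;  // SEQUENCE OF, NULL-terminated, may be NULL
} NSS_PolicyInformation;

extern const SecAsn1Template kSecAsn1PolicyInformationTemplate[];

typedef struct {
    NSS_PolicyInformation **policies;  // SEQUENCE OF, NULL-terminated
} NSS_CertPolicies;

extern const SecAsn1Template kSecAsn1CertPoliciesTemplate[];

/*
 * netscape-cert-type
 * NSS struct : SecAsn1Item, BIT STRING - length in bits
 * CDSA struct : CE_NetscapeCertType (a uint16)
 */
#define kSecAsn1NetscapeCertTypeTemplate kSecAsn1BitStringTemplate

/*
 * CRL Distribution Points.
 * NSS struct : NSS_DistributionPoint, NSS_DistributionPoints
 * CDSA struct : CE_CRLDistributionPoint, CE_CRLDistributionPointSyntax
 */

typedef struct {
    SecAsn1Item *distPointName;     // ASN_ANY, optional (NULL if absent); raw DER
    SecAsn1Item reasons;            // BIT_STRING, optional, length in bits
    NSS_GeneralNames crlIssuer;     // optional
} NSS_DistributionPoint;

typedef struct {
    NSS_DistributionPoint **distPoints;  // SEQUENCE OF, NULL-terminated
} NSS_CRLDistributionPoints;

extern const SecAsn1Template kSecAsn1DistributionPointTemplate[];
extern const SecAsn1Template kSecAsn1CRLDistributionPointsTemplate[];

/*
 * Resolving the NSS_DistributionPoint.distPointName option (a
 * DistributionPointName CHOICE) involves inspecting the context-specific
 * tag of the ASN_ANY and decoding with one of these templates. On the
 * CDSA side the corresponding struct is a CE_DistributionPointName.
 * Any tag other than the two below is not a valid choice and should be
 * rejected by the caller rather than guessed at.
 *
 * This one resolves to an NSS_GeneralNames:
 */
#define NSS_DIST_POINT_FULL_NAME_TAG 0
extern const SecAsn1Template kSecAsn1DistPointFullNameTemplate[];

/*
 * This one resolves to an NSS_RDN.
 */
#define NSS_DIST_POINT_RDN_TAG 1
extern const SecAsn1Template kSecAsn1DistPointRDNTemplate[];

/*
 * Issuing distribution point.
 *
 * NSS Struct : NSS_IssuingDistributionPoint
 * CDSA struct : CE_IssuingDistributionPoint
 *
 * All fields optional; default for ASN_BOOLs is false. Every field is a
 * pointer, NULL when the element is absent.
 */
typedef struct {
    /* manually decode to a CE_DistributionPointName (see tags above) */
    SecAsn1Item *distPointName;     // ASN_ANY, optional; raw DER

    SecAsn1Item *onlyUserCerts;     // ASN_BOOL
    SecAsn1Item *onlyCACerts;       // ASN_BOOL
    SecAsn1Item *onlySomeReasons;   // BIT STRING, length in bits
    SecAsn1Item *indirectCRL;       // ASN_BOOL
} NSS_IssuingDistributionPoint;

extern const SecAsn1Template kSecAsn1IssuingDistributionPointTemplate[];

/*
 * Authority Information Access, Subject Information Access.
 *
 * NSS Struct : NSS_AuthorityInfoAccess
 * CDSA struct : CE_AuthorityInfoAccess
 */
typedef struct {
    SecAsn1Item accessMethod;       // OID

    /* NSS encoder just can't handle direct inline of an NSS_GeneralName here.
     * After decode and prior to encode this is an encoded GeneralName, i.e.
     * raw DER that the caller decodes separately.
     */
    SecAsn1Item encodedAccessLocation;
} NSS_AccessDescription;

typedef struct {
    NSS_AccessDescription **accessDescriptions;  // SEQUENCE OF, NULL-terminated
} NSS_AuthorityInfoAccess;

extern const SecAsn1Template kSecAsn1AccessDescriptionTemplate[];
extern const SecAsn1Template kSecAsn1AuthorityInfoAccessTemplate[];

/*
 * Qualified Certificate Statements support
 */
typedef struct {
    SecAsn1Oid *semanticsIdentifier;                  /* optional, NULL if absent */
    NSS_GeneralNames *nameRegistrationAuthorities;    /* optional, NULL if absent */
} NSS_SemanticsInformation;

typedef struct {
    SecAsn1Oid statementId;
    SecAsn1Item info;               /* optional, ANY: raw DER, not interpreted here */
} NSS_QC_Statement;

typedef struct {
    NSS_QC_Statement **qcStatements;  // SEQUENCE OF, NULL-terminated
} NSS_QC_Statements;

extern const SecAsn1Template kSecAsn1SemanticsInformationTemplate[];
extern const SecAsn1Template kSecAsn1QC_StatementTemplate[];
extern const SecAsn1Template kSecAsn1QC_StatementsTemplate[];

/*
 * NameConstraints support
 *
 * NOTE(review): the template for `base` is declared elsewhere; confirm it
 * encodes a single GeneralName per subtree as the extension's ASN.1 requires,
 * rather than a full GeneralNames sequence as the struct field type suggests.
 */
typedef struct {
    NSS_GeneralNames base;
    SecAsn1Item minimum;            // INTEGER default=0
    SecAsn1Item maximum;            // INTEGER optional
} NSS_GeneralSubtree;

typedef struct {
    NSS_GeneralSubtree **subtrees;  // SEQUENCE OF, NULL-terminated
} NSS_GeneralSubtrees;

typedef struct {
    NSS_GeneralSubtrees *permittedSubtrees;  // optional, NULL if absent
    NSS_GeneralSubtrees *excludedSubtrees;   // optional, NULL if absent
} NSS_NameConstraints;

extern const SecAsn1Template kSecAsn1NameConstraintsTemplate[];

/*
 * PolicyMappings support
 */
typedef struct {
    SecAsn1Oid issuerDomainPolicy;
    SecAsn1Oid subjectDomainPolicy;
} NSS_PolicyMapping;

typedef struct {
    NSS_PolicyMapping **policyMappings;  // SEQUENCE OF, NULL-terminated
} NSS_PolicyMappings;

extern const SecAsn1Template kSecAsn1PolicyMappingsTemplate[];

/*
 * PolicyConstraints support
 */
typedef struct {
    SecAsn1Item requireExplicitPolicy;  // INTEGER optional
    SecAsn1Item inhibitPolicyMapping;   // INTEGER optional
} NSS_PolicyConstraints;

extern const SecAsn1Template kSecAsn1PolicyConstraintsTemplate[];

/*
 * InhibitAnyPolicy support
 *
 * The macro must expand to a bare expression: a trailing ';' here would be
 * pasted into every use site (e.g. as a function argument) and break it.
 */
#define kSecAsn1InhibitAnyPolicyTemplate kSecAsn1IntegerTemplate

#ifdef __cplusplus
}
#endif

#endif /* _CERT_EXTENSION_TEMPLATES_H_ */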