1/*
2 * Copyright (c) 2002-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24//
25// CertificateValues.cpp
26//
27#include <security_keychain/Certificate.h>
28#include <Security/oidscert.h>
29#include <Security/oidsattr.h>
30#include <Security/SecCertificate.h>
31#include <Security/SecCertificatePriv.h>
32#include "SecCertificateOIDs.h"
33#include "CertificateValues.h"
34#include "SecCertificateP.h"
35#include "SecCertificatePrivP.h"
36#include <CoreFoundation/CFNumber.h>
37#include "SecCertificateP.h"
38
39/* FIXME including SecCertificateInternalP.h here produces errors; investigate */
// Issuer / subject name sequences of the private (P) certificate representation.
// Declared with C linkage here because the header that normally provides them
// (SecCertificateInternalP.h) cannot be included; see the FIXME above.
extern "C" CFDataRef SecCertificateCopyIssuerSequenceP(SecCertificateRefP certificate);
extern "C" CFDataRef SecCertificateCopySubjectSequenceP(SecCertificateRefP certificate);

// Appends one property entry (type/label/value) to `properties`; used by
// copyFieldValues() to build the per-field entries.
extern "C" void appendProperty(CFMutableArrayRef properties, CFStringRef propertyType, CFStringRef label, CFTypeRef value);

// Keys of a property entry (defined elsewhere).
extern CFStringRef kSecPropertyKeyType;
extern CFStringRef kSecPropertyKeyLabel;
extern CFStringRef kSecPropertyKeyLocalizedLabel;
extern CFStringRef kSecPropertyKeyValue;

// Property type tags passed to appendProperty(); the first four are defined elsewhere,
// the array and number tags are defined here.
extern CFStringRef kSecPropertyTypeData;
extern CFStringRef kSecPropertyTypeString;
extern CFStringRef kSecPropertyTypeURL;
extern CFStringRef kSecPropertyTypeDate;

CFStringRef kSecPropertyTypeArray             = CFSTR("array");
CFStringRef kSecPropertyTypeNumber            = CFSTR("number");
57
58
59#pragma mark ---------- CertificateValues Implementation ----------
60
61using namespace KeychainCore;
62
// Applier callbacks for CFArrayApplyFunction / CFDictionaryApplyFunction (bodies below).
void addFieldValues(const void *key, const void *value, void *context);
void addPropertyToFieldValues(const void *value, void *context);
void filterFieldValues(const void *key, const void *value, void *context);
void validateKeys(const void *value, void *context);

// Label -> OID lookup table, built lazily by remapLabelToKey(). Shared by every
// instance and not released anywhere in this file.
CFDictionaryRef CertificateValues::mOIDRemap = NULL;

// Context handed to filterFieldValues(): the dictionary being filled and the
// array of OID strings that are allowed through.
typedef struct FieldValueFilterContext
{
	CFMutableDictionaryRef filteredValues;
	CFArrayRef filterKeys;
} FieldValueFilterContext;
75
// Wraps a SecCertificateRef, taking our own reference so the certificate outlives the caller's.
// A NULL certificate is tolerated and simply not retained; the DER cache starts empty.
CertificateValues::CertificateValues(SecCertificateRef certificateRef)
	: mCertificateRef(certificateRef), mCertificateData(NULL)
{
	if (mCertificateRef != NULL)
	{
		CFRetain(mCertificateRef);
	}
}
82
// Releases the cached DER copy (if any) and the reference taken in the constructor.
CertificateValues::~CertificateValues() throw()
{
	if (mCertificateData != NULL)
	{
		CFRelease(mCertificateData);
	}
	if (mCertificateRef != NULL)
	{
		CFRelease(mCertificateRef);
	}
}
90
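/*
 * Builds one property entry for `value` and stores it in fieldValues under `key`.
 *
 * appendProperty() only builds entries into an array, so a one-element scratch
 * array is used and its element copied into the dictionary; the dictionary retains
 * the element, so the scratch array is released here.
 * Does nothing if any argument is NULL or appendProperty() added nothing.
 */
static void addSinglePropertyValue(CFMutableDictionaryRef fieldValues, CFTypeRef key,
	CFStringRef propertyType, CFStringRef label, CFTypeRef value)
{
	if (!fieldValues || !key || !value)
		return;

	CFMutableArrayRef scratch = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
	if (!scratch)
		return;

	appendProperty(scratch, propertyType, label, value);
	if (CFArrayGetCount(scratch) > 0)
		CFDictionaryAddValue(fieldValues, key, CFArrayGetValueAtIndex(scratch, 0));
	CFRelease(scratch);
}

/*
 * Builds a dictionary of this certificate's field values, keyed by OID string (plus the
 * literal keys "DNSNAMES" and "IPADDRESSES" for subject alt name data). Each value is a
 * property entry as built by appendProperty(), or a property dictionary copied verbatim
 * from SecCertificateCopyProperties() / SecCertificateCopySummaryProperties().
 *
 * keys  - optional CFArray of CFStringRef OIDs; when non-NULL only those entries are
 *         returned. A non-array, or any element that is not a CFString, fails the call.
 * error - optional; receives a kCFErrorDomainOSStatus error on failure.
 * Returns a dictionary the caller owns (Copy rule), or NULL on failure.
 */
CFDictionaryRef CertificateValues::copyFieldValues(CFArrayRef keys, CFErrorRef *error)
{
	// Validate the filter before doing any work on the certificate.
	if (keys)
	{
		bool failed = (CFGetTypeID(keys) != CFArrayGetTypeID());
		if (!failed)
			CFArrayApplyFunction(keys, CFRangeMake(0, CFArrayGetCount(keys)), validateKeys, &failed);
		if (failed)
		{
			if (error)
				*error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecParam, NULL);
			return NULL;
		}
	}

	// Refreshes mCertificateData and parses it; sets *error itself on failure.
	SecCertificateRefP certificateP = getSecCertificateRefP(error);
	if (!certificateP)
		return NULL;

	CFMutableDictionaryRef fieldValues = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
		&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
	if (!fieldValues)
	{
		CFRelease(certificateP);
		if (error)
			*error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecAllocate, NULL);
		return NULL;
	}

	// Common names from the subject, as an array of CFStringRefs.
	CFArrayRef commonNames = SecCertificateCopyCommonNames(certificateP);
	if (commonNames)
	{
		addSinglePropertyValue(fieldValues, kSecOIDCommonName, kSecPropertyTypeArray, CFSTR("CN"), commonNames);
		CFRelease(commonNames);
	}

	// DNS names, IP addresses and email addresses can exist in the subject alt name or in the subject.
	CFArrayRef dnsNames = SecCertificateCopyDNSNamesP(certificateP);
	if (dnsNames)
	{
		addSinglePropertyValue(fieldValues, CFSTR("DNSNAMES"), kSecPropertyTypeArray, CFSTR("DNS"), dnsNames);
		CFRelease(dnsNames);
	}

	CFArrayRef ipAddresses = SecCertificateCopyIPAddresses(certificateP);
	if (ipAddresses)
	{
		// Previously passed dnsNames here, which had already been released above
		// (use of a dangling reference, and the wrong value stored under IPADDRESSES).
		addSinglePropertyValue(fieldValues, CFSTR("IPADDRESSES"), kSecPropertyTypeArray, CFSTR("IP"), ipAddresses);
		CFRelease(ipAddresses);
	}

	CFArrayRef emailAddrs = SecCertificateCopyRFC822Names(certificateP);
	if (emailAddrs)
	{
		// Previously passed the released dnsNames array instead of emailAddrs.
		// NOTE(review): the "DNS" label looks like a copy-paste leftover for email
		// addresses; kept as-is in case callers match on it — confirm before renaming.
		addSinglePropertyValue(fieldValues, kSecOIDEmailAddress, kSecPropertyTypeArray, CFSTR("DNS"), emailAddrs);
		CFRelease(emailAddrs);
	}

	// Validity bounds, stored as CFAbsoluteTime doubles.
	CFAbsoluteTime notBefore = SecCertificateNotValidBeforeP(certificateP);
	CFNumberRef notBeforeRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberDoubleType, &notBefore);
	if (notBeforeRef)
	{
		addSinglePropertyValue(fieldValues, kSecOIDX509V1ValidityNotBefore, kSecPropertyTypeNumber, CFSTR("Not Valid Before"), notBeforeRef);
		CFRelease(notBeforeRef);
	}

	CFAbsoluteTime notAfter = SecCertificateNotValidAfterP(certificateP);
	CFNumberRef notAfterRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberDoubleType, &notAfter);
	if (notAfterRef)
	{
		addSinglePropertyValue(fieldValues, kSecOIDX509V1ValidityNotAfter, kSecPropertyTypeNumber, CFSTR("Not Valid After"), notAfterRef);
		CFRelease(notAfterRef);
	}

	// Key usage, stored as a 32-bit number.
	SecKeyUsage keyUsage = SecCertificateGetKeyUsage(certificateP);
	CFNumberRef ku = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &keyUsage);
	if (ku)
	{
		addSinglePropertyValue(fieldValues, kSecOIDKeyUsage, kSecPropertyTypeNumber, CFSTR("Key Usage"), ku);
		CFRelease(ku);
	}

	CFArrayRef ekus = SecCertificateCopyExtendedKeyUsage(certificateP);
	if (ekus)
	{
		addSinglePropertyValue(fieldValues, kSecOIDExtendedKeyUsage, kSecPropertyTypeArray, CFSTR("Extended Key Usage"), ekus);
		CFRelease(ekus);
	}

	// Merge the generic property dictionaries; each is keyed by its label remapped to
	// an OID (see addPropertyToFieldValues). Entries already present are not overwritten.
	CFArrayRef properties = SecCertificateCopyProperties(certificateP);
	if (properties)
	{
		CFArrayApplyFunction(properties, CFRangeMake(0, CFArrayGetCount(properties)), addPropertyToFieldValues, fieldValues);
		CFRelease(properties);
	}

	// Summary properties are computed relative to the current time.
	CFAbsoluteTime verifyTime = CFAbsoluteTimeGetCurrent();
	CFMutableArrayRef summaryProperties = SecCertificateCopySummaryProperties(certificateP, verifyTime);
	if (summaryProperties)
	{
		CFArrayApplyFunction(summaryProperties, CFRangeMake(0, CFArrayGetCount(summaryProperties)), addPropertyToFieldValues, fieldValues);
		CFRelease(summaryProperties);
	}

	CFRelease(certificateP);

	// No filter: hand back everything.
	if (keys == NULL)
		return (CFDictionaryRef)fieldValues;

	// Otherwise keep only the entries whose key appears in `keys`.
	CFMutableDictionaryRef filteredFieldValues = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
		&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
	if (!filteredFieldValues)
	{
		CFRelease(fieldValues);
		if (error)
			*error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecAllocate, NULL);
		return NULL;
	}

	FieldValueFilterContext fvcontext;
	fvcontext.filteredValues = filteredFieldValues;
	fvcontext.filterKeys = keys;
	CFDictionaryApplyFunction(fieldValues, filterFieldValues, &fvcontext);

	CFRelease(fieldValues);
	return (CFDictionaryRef)filteredFieldValues;
}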
259
// CFArrayApplyFunction callback used by copyFieldValues() to vet the key filter.
// `context` points at a bool that is raised when an element is not a CFString;
// the flag is never cleared, so one bad element fails the whole array.
void validateKeys(const void *value, void *context)
{
	bool *failedFlag = static_cast<bool *>(context);
	if (failedFlag == NULL)
		return;

	bool isString = (value != NULL) && (CFGetTypeID(value) == CFStringGetTypeID());
	if (!isString)
		*failedFlag = true;
}
266
// CFDictionaryApplyFunction callback: copies (key, value) into context->filteredValues
// when `key` — a CFStringRef holding an OID, e.g. kSecOIDTitle = CFSTR("2.5.4.12") —
// occurs in context->filterKeys. Anything else is silently skipped.
void filterFieldValues(const void *key, const void *value, void *context)
{
	FieldValueFilterContext *filter = static_cast<FieldValueFilterContext *>(context);
	CFStringRef oidKey = static_cast<CFStringRef>(key);

	bool usable = (filter != NULL) && (oidKey != NULL) && (CFGetTypeID(oidKey) == CFStringGetTypeID());
	if (!usable)
		return;

	CFIndex keyCount = CFArrayGetCount(filter->filterKeys);
	CFIndex position = CFArrayGetFirstIndexOfValue(filter->filterKeys, CFRangeMake(0, keyCount), oidKey);
	if (position == kCFNotFound)
		return;

	CFDictionaryAddValue(filter->filteredValues, oidKey, value);
}
283
// CFDictionaryApplyFunction callback that copies every (key, value) pair into the
// mutable dictionary passed as `context`. Keys already present are left untouched
// (CFDictionaryAddValue semantics). Only referenced from commented-out code in this file.
void addFieldValues(const void *key, const void *value, void *context)
{
	CFDictionaryAddValue(static_cast<CFMutableDictionaryRef>(context), key, value);
}
289
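/*
 * CFArrayApplyFunction callback used on the arrays returned by SecCertificateCopyProperties()
 * and SecCertificateCopySummaryProperties(). Each element is expected to be a property
 * dictionary; its kSecPropertyKeyLabel is remapped to an OID key (see remapLabelToKey) and
 * the whole dictionary is stored under that key in `context` (a CFMutableDictionaryRef).
 * Non-dictionary elements and elements without a label are skipped; a key already present
 * is not overwritten (CFDictionaryAddValue semantics).
 */
void addPropertyToFieldValues(const void *value, void *context)
{
	CFMutableDictionaryRef fieldValues = (CFMutableDictionaryRef)context;
	// Guard both inputs before the type query: CFGetTypeID() must not be given NULL.
	if (!fieldValues || !value || CFGetTypeID(value) != CFDictionaryGetTypeID())
		return;

	CFStringRef label = (CFStringRef)CFDictionaryGetValue((CFDictionaryRef)value, kSecPropertyKeyLabel);
	CFStringRef key = CertificateValues::remapLabelToKey(label);	// NULL only when label is NULL
	if (key)
		CFDictionaryAddValue(fieldValues, key, value);
}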
305
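/*
 * Maps a property label (as carried under kSecPropertyKeyLabel) to the OID key that
 * callers of copyFieldValues() use. A label with no mapping is returned unchanged so the
 * caller can still key on it; a NULL label yields NULL.
 *
 * The table is built once into the static mOIDRemap and is never released.
 * NOTE(review): the lazy initialisation is not synchronised; concurrent first calls could
 * each build a table and all but one would leak. Worth a dispatch_once if this can be
 * reached from several threads — confirm with callers.
 */
CFStringRef CertificateValues::remapLabelToKey(CFStringRef label)
{
	if (!label)
		return NULL;

	if (!mOIDRemap)
	{
		// keys[i] maps to values[i]: keep both arrays the same length and in the same order.
		CFTypeRef keys[] =
		{
			CFSTR("Subject Name"),
			CFSTR("Normalized Subject Name"),
			CFSTR("Issuer Name"),
			// Was a second "Normalized Subject Name", a duplicate key that left
			// kSecOIDX509V1IssuerNameStd unreachable and made the subject entry ambiguous.
			// TODO(review): confirm this is the exact label the property producer emits.
			CFSTR("Normalized Issuer Name"),
			CFSTR("Version"),
			CFSTR("Serial Number"),
			CFSTR("Signature Algorithm"),
			CFSTR("Subject Unique ID"),
			CFSTR("Issuer Unique ID"),
			CFSTR("Public Key Algorithm"),
			CFSTR("Public Key Data"),
			CFSTR("Signature"),
			CFSTR("Not Valid Before"),
			CFSTR("Not Valid After"),
			CFSTR("Expires")
		};

		CFTypeRef values[] =
		{
			kSecOIDX509V1SubjectName,
			kSecOIDX509V1SubjectNameStd,
			kSecOIDX509V1IssuerName,
			kSecOIDX509V1IssuerNameStd,
			kSecOIDX509V1Version,
			kSecOIDX509V1SerialNumber,
			kSecOIDX509V1SignatureAlgorithm,	// or CSSMOID_X509V1SignatureAlgorithmTBS?
			kSecOIDX509V1CertificateSubjectUniqueId,
			kSecOIDX509V1CertificateIssuerUniqueId,
			kSecOIDX509V1SubjectPublicKeyAlgorithm,
			kSecOIDX509V1SubjectPublicKey,
			kSecOIDX509V1Signature,
			kSecOIDX509V1ValidityNotBefore,
			kSecOIDX509V1ValidityNotAfter,
			kSecOIDInvalidityDate
		};

		// The count comes from `keys`; `values` must have at least as many entries.
		mOIDRemap = CFDictionaryCreate(NULL, keys, values,
			(sizeof(keys) / sizeof(*keys)), &kCFTypeDictionaryKeyCallBacks,
			&kCFTypeDictionaryValueCallBacks);
	}

	// Unmapped labels fall through unchanged.
	CFTypeRef result = (CFTypeRef)CFDictionaryGetValue(mOIDRemap, label);
	return result ? (CFStringRef)result : label;
}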
360
// Serial number as returned by SecCertificateCopySerialNumberP(); the caller owns the result.
// Returns NULL if the certificate cannot be parsed (getSecCertificateRefP sets *error when given one).
CFDataRef CertificateValues::copySerialNumber(CFErrorRef *error)
{
	SecCertificateRefP parsed = getSecCertificateRefP(error);
	if (parsed == NULL)
		return NULL;

	CFDataRef serial = SecCertificateCopySerialNumberP(parsed);
	CFRelease(parsed);
	return serial;
}
373
// Normalized issuer sequence as returned by SecCertificateCopyNormalizedIssuerSequence();
// the caller owns the result. NULL if the certificate cannot be parsed (see getSecCertificateRefP).
CFDataRef CertificateValues::copyNormalizedIssuerContent(CFErrorRef *error)
{
	SecCertificateRefP parsed = getSecCertificateRefP(error);
	if (parsed == NULL)
		return NULL;

	CFDataRef issuer = SecCertificateCopyNormalizedIssuerSequence(parsed);
	CFRelease(parsed);
	return issuer;
}
385
// Normalized subject sequence as returned by SecCertificateCopyNormalizedSubjectSequence();
// the caller owns the result. NULL if the certificate cannot be parsed (see getSecCertificateRefP).
CFDataRef CertificateValues::copyNormalizedSubjectContent(CFErrorRef *error)
{
	SecCertificateRefP parsed = getSecCertificateRefP(error);
	if (parsed == NULL)
		return NULL;

	CFDataRef subject = SecCertificateCopyNormalizedSubjectSequence(parsed);
	CFRelease(parsed);
	return subject;
}
397
// Issuer sequence as returned by SecCertificateCopyIssuerSequenceP(); the caller owns the result.
// NULL if the certificate cannot be parsed (see getSecCertificateRefP).
CFDataRef CertificateValues::copyIssuerSequence(CFErrorRef *error)
{
	SecCertificateRefP parsed = getSecCertificateRefP(error);
	if (parsed == NULL)
		return NULL;

	CFDataRef issuer = SecCertificateCopyIssuerSequenceP(parsed);
	CFRelease(parsed);
	return issuer;
}
409
// Subject sequence as returned by SecCertificateCopySubjectSequenceP(); the caller owns the result.
// NULL if the certificate cannot be parsed (see getSecCertificateRefP).
CFDataRef CertificateValues::copySubjectSequence(CFErrorRef *error)
{
	SecCertificateRefP parsed = getSecCertificateRefP(error);
	if (parsed == NULL)
		return NULL;

	CFDataRef subject = SecCertificateCopySubjectSequenceP(parsed);
	CFRelease(parsed);
	return subject;
}
421
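// Validity of the certificate at verifyTime as judged by SecCertificateIsValidP().
// A certificate that cannot be parsed is reported as not valid (and *error is set when
// `error` is non-NULL; see getSecCertificateRefP).
bool CertificateValues::isValid(CFAbsoluteTime verifyTime, CFErrorRef *error)
{
	bool result = false;	// was initialised with NULL, a pointer constant, not a bool
	SecCertificateRefP certificateP = getSecCertificateRefP(error);
	if (certificateP)
	{
		result = SecCertificateIsValidP(certificateP, verifyTime);
		CFRelease(certificateP);
	}
	return result;
}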
433
// Start of the validity period as returned by SecCertificateNotValidBeforeP().
// Returns 0 if the certificate cannot be parsed (see getSecCertificateRefP for *error).
CFAbsoluteTime CertificateValues::notValidBefore(CFErrorRef *error)
{
	SecCertificateRefP parsed = getSecCertificateRefP(error);
	if (parsed == NULL)
		return 0;

	CFAbsoluteTime start = SecCertificateNotValidBeforeP(parsed);
	CFRelease(parsed);
	return start;
}
445
// End of the validity period as returned by SecCertificateNotValidAfterP().
// Returns 0 if the certificate cannot be parsed (see getSecCertificateRefP for *error).
CFAbsoluteTime CertificateValues::notValidAfter(CFErrorRef *error)
{
	SecCertificateRefP parsed = getSecCertificateRefP(error);
	if (parsed == NULL)
		return 0;

	CFAbsoluteTime end = SecCertificateNotValidAfterP(parsed);
	CFRelease(parsed);
	return end;
}
457
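/*
 * Re-reads the certificate's DER data into mCertificateData (replacing any cached copy)
 * and parses it into a private SecCertificateRefP that the caller must CFRelease.
 *
 * On failure returns NULL and, when `error` is non-NULL, stores a kCFErrorDomainOSStatus
 * error: errSecInvalidCertificateRef if the data could not be copied,
 * errSecInvalidCertificateGroup if it could not be parsed.
 */
SecCertificateRefP CertificateValues::getSecCertificateRefP(CFErrorRef *error)
{
	// SecCertificateCopyData returns an object created with CFDataCreate, so we
	// own it and must release it; drop the previous copy before taking a new one.
	if (mCertificateData)
	{
		CFRelease(mCertificateData);
		mCertificateData = NULL;
	}

	mCertificateData = SecCertificateCopyData(mCertificateRef);	// OK to call, no big lock
	if (!mCertificateData)
	{
		// Previously this path was only taken when `error` was non-NULL; a caller
		// passing NULL fell through and handed NULL data to SecCertificateCreateWithDataP.
		if (error)
			*error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecInvalidCertificateRef, NULL);
		return NULL;
	}

	SecCertificateRefP certificateP = SecCertificateCreateWithDataP(kCFAllocatorDefault, mCertificateData);
	if (!certificateP)
	{
		if (error)
			*error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecInvalidCertificateGroup, NULL);
		return NULL;
	}

	return certificateP;
}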
485
486#pragma mark ---------- OID Constants ----------
487
// OID string constants used as keys in the dictionaries built by copyFieldValues().
// Each is the dotted-decimal form of the OID held in a CFStringRef (typed CFTypeRef).
CFTypeRef kSecOIDADC_CERT_POLICY = CFSTR("1.2.840.113635.100.5.3");
CFTypeRef kSecOIDAPPLE_CERT_POLICY = CFSTR("1.2.840.113635.100.5.1");
CFTypeRef kSecOIDAPPLE_EKU_CODE_SIGNING = CFSTR("1.2.840.113635.100.4.1");
CFTypeRef kSecOIDAPPLE_EKU_CODE_SIGNING_DEV = CFSTR("1.2.840.113635.100.4.1.1");
CFTypeRef kSecOIDAPPLE_EKU_ICHAT_ENCRYPTION = CFSTR("1.2.840.113635.100.4.3");
CFTypeRef kSecOIDAPPLE_EKU_ICHAT_SIGNING = CFSTR("1.2.840.113635.100.4.2");
CFTypeRef kSecOIDAPPLE_EKU_RESOURCE_SIGNING = CFSTR("1.2.840.113635.100.4.1.4");
CFTypeRef kSecOIDAPPLE_EKU_SYSTEM_IDENTITY = CFSTR("1.2.840.113635.100.4.4");
CFTypeRef kSecOIDAPPLE_EXTENSION = CFSTR("1.2.840.113635.100.6");
CFTypeRef kSecOIDAPPLE_EXTENSION_ADC_APPLE_SIGNING = CFSTR("1.2.840.113635.100.6.1.2.0.0");
CFTypeRef kSecOIDAPPLE_EXTENSION_ADC_DEV_SIGNING = CFSTR("1.2.840.113635.100.6.1.2.0");
CFTypeRef kSecOIDAPPLE_EXTENSION_APPLE_SIGNING = CFSTR("1.2.840.113635.100.6.1.1");
CFTypeRef kSecOIDAPPLE_EXTENSION_CODE_SIGNING = CFSTR("1.2.840.113635.100.6.1");
CFTypeRef kSecOIDAPPLE_EXTENSION_INTERMEDIATE_MARKER = CFSTR("1.2.840.113635.100.6.2");
CFTypeRef kSecOIDAPPLE_EXTENSION_WWDR_INTERMEDIATE = CFSTR("1.2.840.113635.100.6.2.1");
CFTypeRef kSecOIDAPPLE_EXTENSION_ITMS_INTERMEDIATE = CFSTR("1.2.840.113635.100.6.2.2");
CFTypeRef kSecOIDAPPLE_EXTENSION_AAI_INTERMEDIATE = CFSTR("1.2.840.113635.100.6.2.3");
CFTypeRef kSecOIDAPPLE_EXTENSION_APPLEID_INTERMEDIATE = CFSTR("1.2.840.113635.100.6.2.7");
CFTypeRef kSecOIDAuthorityInfoAccess = CFSTR("1.3.6.1.5.5.7.1.1");
CFTypeRef kSecOIDAuthorityKeyIdentifier = CFSTR("2.5.29.35");
CFTypeRef kSecOIDBasicConstraints = CFSTR("2.5.29.19");
CFTypeRef kSecOIDBiometricInfo = CFSTR("1.3.6.1.5.5.7.1.2");
CFTypeRef kSecOIDCSSMKeyStruct = CFSTR("2.16.840.1.113741.2.1.1.1.20");
CFTypeRef kSecOIDCertIssuer = CFSTR("2.5.29.29");
CFTypeRef kSecOIDCertificatePolicies = CFSTR("2.5.29.32");
CFTypeRef kSecOIDClientAuth = CFSTR("1.3.6.1.5.5.7.3.2");
CFTypeRef kSecOIDCollectiveStateProvinceName = CFSTR("2.5.4.8.1");
CFTypeRef kSecOIDCollectiveStreetAddress = CFSTR("2.5.4.9.1");
CFTypeRef kSecOIDCommonName = CFSTR("2.5.4.3");
CFTypeRef kSecOIDCountryName = CFSTR("2.5.4.6");
CFTypeRef kSecOIDCrlDistributionPoints = CFSTR("2.5.29.31");
CFTypeRef kSecOIDCrlNumber = CFSTR("2.5.29.20");
CFTypeRef kSecOIDCrlReason = CFSTR("2.5.29.21");
CFTypeRef kSecOIDDOTMAC_CERT_EMAIL_ENCRYPT = CFSTR("1.2.840.113635.100.3.2.3");
CFTypeRef kSecOIDDOTMAC_CERT_EMAIL_SIGN = CFSTR("1.2.840.113635.100.3.2.2");
CFTypeRef kSecOIDDOTMAC_CERT_EXTENSION = CFSTR("1.2.840.113635.100.3.2");
CFTypeRef kSecOIDDOTMAC_CERT_IDENTITY = CFSTR("1.2.840.113635.100.3.2.1");
CFTypeRef kSecOIDDOTMAC_CERT_POLICY = CFSTR("1.2.840.113635.100.5.2");
CFTypeRef kSecOIDDeltaCrlIndicator = CFSTR("2.5.29.27");
CFTypeRef kSecOIDDescription = CFSTR("2.5.4.13");
CFTypeRef kSecOIDEKU_IPSec = CFSTR("1.3.6.1.5.5.8.2.2");
CFTypeRef kSecOIDEmailAddress = CFSTR("1.2.840.113549.1.9.1");
CFTypeRef kSecOIDEmailProtection = CFSTR("1.3.6.1.5.5.7.3.4");
CFTypeRef kSecOIDExtendedKeyUsage = CFSTR("2.5.29.37");
CFTypeRef kSecOIDExtendedKeyUsageAny = CFSTR("2.5.29.37.0");
CFTypeRef kSecOIDExtendedUseCodeSigning = CFSTR("1.3.6.1.5.5.7.3.3");
CFTypeRef kSecOIDGivenName = CFSTR("2.5.4.42");
CFTypeRef kSecOIDHoldInstructionCode = CFSTR("2.5.29.23");
CFTypeRef kSecOIDInvalidityDate = CFSTR("2.5.29.24");
CFTypeRef kSecOIDIssuerAltName = CFSTR("2.5.29.18");
// Two names for the same OID (2.5.29.28).
CFTypeRef kSecOIDIssuingDistributionPoint = CFSTR("2.5.29.28");
CFTypeRef kSecOIDIssuingDistributionPoints = CFSTR("2.5.29.28");
CFTypeRef kSecOIDKERBv5_PKINIT_KP_CLIENT_AUTH = CFSTR("1.3.6.1.5.2.3.4");
CFTypeRef kSecOIDKERBv5_PKINIT_KP_KDC = CFSTR("1.3.6.1.5.2.3.5");
CFTypeRef kSecOIDKeyUsage = CFSTR("2.5.29.15");
CFTypeRef kSecOIDLocalityName = CFSTR("2.5.4.7");
CFTypeRef kSecOIDMS_NTPrincipalName = CFSTR("1.3.6.1.4.1.311.20.2.3");
CFTypeRef kSecOIDMicrosoftSGC = CFSTR("1.3.6.1.4.1.311.10.3.3");
CFTypeRef kSecOIDNameConstraints = CFSTR("2.5.29.30");
CFTypeRef kSecOIDNetscapeCertSequence = CFSTR("2.16.840.1.113730.2.5");
CFTypeRef kSecOIDNetscapeCertType = CFSTR("2.16.840.1.113730.1.1");
CFTypeRef kSecOIDNetscapeSGC = CFSTR("2.16.840.1.113730.4.1");
CFTypeRef kSecOIDOCSPSigning = CFSTR("1.3.6.1.5.5.7.3.9");
CFTypeRef kSecOIDOrganizationName = CFSTR("2.5.4.10");
CFTypeRef kSecOIDOrganizationalUnitName = CFSTR("2.5.4.11");
CFTypeRef kSecOIDPolicyConstraints = CFSTR("2.5.29.36");
CFTypeRef kSecOIDPolicyMappings = CFSTR("2.5.29.33");
CFTypeRef kSecOIDPrivateKeyUsagePeriod = CFSTR("2.5.29.16");
CFTypeRef kSecOIDQC_Statements = CFSTR("1.3.6.1.5.5.7.1.3");
CFTypeRef kSecOIDSerialNumber = CFSTR("2.5.4.5");
CFTypeRef kSecOIDServerAuth = CFSTR("1.3.6.1.5.5.7.3.1");
CFTypeRef kSecOIDStateProvinceName = CFSTR("2.5.4.8");
CFTypeRef kSecOIDStreetAddress = CFSTR("2.5.4.9");
CFTypeRef kSecOIDSubjectAltName = CFSTR("2.5.29.17");
CFTypeRef kSecOIDSubjectDirectoryAttributes = CFSTR("2.5.29.9");
CFTypeRef kSecOIDSubjectEmailAddress = CFSTR("2.16.840.1.113741.2.1.1.1.50.3");
CFTypeRef kSecOIDSubjectInfoAccess = CFSTR("1.3.6.1.5.5.7.1.11");
CFTypeRef kSecOIDSubjectKeyIdentifier = CFSTR("2.5.29.14");
CFTypeRef kSecOIDSubjectPicture = CFSTR("2.16.840.1.113741.2.1.1.1.50.2");
CFTypeRef kSecOIDSubjectSignatureBitmap = CFSTR("2.16.840.1.113741.2.1.1.1.50.1");
CFTypeRef kSecOIDSurname = CFSTR("2.5.4.4");
CFTypeRef kSecOIDTimeStamping = CFSTR("1.3.6.1.5.5.7.3.8");
CFTypeRef kSecOIDTitle = CFSTR("2.5.4.12");
CFTypeRef kSecOIDUseExemptions = CFSTR("2.16.840.1.113741.2.1.1.1.50.4");
CFTypeRef kSecOIDX509V1CertificateIssuerUniqueId = CFSTR("2.16.840.1.113741.2.1.1.1.11");
CFTypeRef kSecOIDX509V1CertificateSubjectUniqueId = CFSTR("2.16.840.1.113741.2.1.1.1.12");
CFTypeRef kSecOIDX509V1IssuerName = CFSTR("2.16.840.1.113741.2.1.1.1.5");
CFTypeRef kSecOIDX509V1IssuerNameCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.5.1");
CFTypeRef kSecOIDX509V1IssuerNameLDAP = CFSTR("2.16.840.1.113741.2.1.1.1.5.2");
CFTypeRef kSecOIDX509V1IssuerNameStd = CFSTR("2.16.840.1.113741.2.1.1.1.23");
CFTypeRef kSecOIDX509V1SerialNumber = CFSTR("2.16.840.1.113741.2.1.1.1.3");
CFTypeRef kSecOIDX509V1Signature = CFSTR("2.16.840.1.113741.2.1.3.2.2");
CFTypeRef kSecOIDX509V1SignatureAlgorithm = CFSTR("2.16.840.1.113741.2.1.3.2.1");
CFTypeRef kSecOIDX509V1SignatureAlgorithmParameters = CFSTR("2.16.840.1.113741.2.1.3.2.3");
CFTypeRef kSecOIDX509V1SignatureAlgorithmTBS = CFSTR("2.16.840.1.113741.2.1.3.2.10");
CFTypeRef kSecOIDX509V1SignatureCStruct = CFSTR("2.16.840.1.113741.2.1.3.2.0.1");
CFTypeRef kSecOIDX509V1SignatureStruct = CFSTR("2.16.840.1.113741.2.1.3.2.0");
CFTypeRef kSecOIDX509V1SubjectName = CFSTR("2.16.840.1.113741.2.1.1.1.8");
CFTypeRef kSecOIDX509V1SubjectNameCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.8.1");
CFTypeRef kSecOIDX509V1SubjectNameLDAP = CFSTR("2.16.840.1.113741.2.1.1.1.8.2");
CFTypeRef kSecOIDX509V1SubjectNameStd = CFSTR("2.16.840.1.113741.2.1.1.1.22");
CFTypeRef kSecOIDX509V1SubjectPublicKey = CFSTR("2.16.840.1.113741.2.1.1.1.10");
CFTypeRef kSecOIDX509V1SubjectPublicKeyAlgorithm = CFSTR("2.16.840.1.113741.2.1.1.1.9");
CFTypeRef kSecOIDX509V1SubjectPublicKeyAlgorithmParameters = CFSTR("2.16.840.1.113741.2.1.1.1.18");
CFTypeRef kSecOIDX509V1SubjectPublicKeyCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.20.1");
CFTypeRef kSecOIDX509V1ValidityNotAfter = CFSTR("2.16.840.1.113741.2.1.1.1.7");
CFTypeRef kSecOIDX509V1ValidityNotBefore = CFSTR("2.16.840.1.113741.2.1.1.1.6");
CFTypeRef kSecOIDX509V1Version = CFSTR("2.16.840.1.113741.2.1.1.1.2");
CFTypeRef kSecOIDX509V3Certificate = CFSTR("2.16.840.1.113741.2.1.1.1.1");
CFTypeRef kSecOIDX509V3CertificateCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.1.1");
CFTypeRef kSecOIDX509V3CertificateExtensionCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.13.1");
CFTypeRef kSecOIDX509V3CertificateExtensionCritical = CFSTR("2.16.840.1.113741.2.1.1.1.16");
CFTypeRef kSecOIDX509V3CertificateExtensionId = CFSTR("2.16.840.1.113741.2.1.1.1.15");
CFTypeRef kSecOIDX509V3CertificateExtensionStruct = CFSTR("2.16.840.1.113741.2.1.1.1.13");
CFTypeRef kSecOIDX509V3CertificateExtensionType = CFSTR("2.16.840.1.113741.2.1.1.1.19");
CFTypeRef kSecOIDX509V3CertificateExtensionValue = CFSTR("2.16.840.1.113741.2.1.1.1.17");
CFTypeRef kSecOIDX509V3CertificateExtensionsCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.21.1");
CFTypeRef kSecOIDX509V3CertificateExtensionsStruct = CFSTR("2.16.840.1.113741.2.1.1.1.21");
CFTypeRef kSecOIDX509V3CertificateNumberOfExtensions = CFSTR("2.16.840.1.113741.2.1.1.1.14");
CFTypeRef kSecOIDX509V3SignedCertificate = CFSTR("2.16.840.1.113741.2.1.1.1.0");
CFTypeRef kSecOIDX509V3SignedCertificateCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.0.1");
CFTypeRef kSecOIDSRVName = CFSTR("1.3.6.1.5.5.7.8.7");
610
611