#ifndef _CERT_VERIFY_H_
#define _CERT_VERIFY_H_

#include <clAppUtils/BlobList.h>
#include <Security/cssmtype.h>
#include <Security/cssmapple.h>

/*
 * This header must be compiled as C++ since we use BlobList (certVerifySimple()
 * takes BlobList by reference); the extern "C" block only gives the functions
 * C linkage, it does not make the header usable from a C translation unit.
 */
extern "C" {

/* Display verify results (the CSSM_TP_VERIFY_CONTEXT_RESULT returned by a TP verify call) */
void dumpVfyResult(
    const CSSM_TP_VERIFY_CONTEXT_RESULT *vfyResult);

/*
 * Trust policy under which the chain is evaluated. Which policy OID each
 * value maps to is decided in the implementation, not here.
 */
typedef enum {
    CVP_Basic = 0,
    CVP_SSL,
    CVP_SMIME,
    CVP_SWUpdateSign,       // was CVP_CodeSigning
    CVP_ResourceSigning,
    CVP_iChat,
    CVP_IPSec,
    CVP_PKINIT_Server,
    CVP_PKINIT_Client,
    CVP_AppleCodeSigning,   // the Leopard version
    CVP_PackageSigning
} CertVerifyPolicy;

/*
 * Revocation checking to request. CRP_None presumably performs no revocation
 * check at all; CRP_CRL_OCSP requests both mechanisms (how the two results are
 * combined is governed by CertVerifyArgs.allowUnverified).
 */
typedef enum {
    CRP_None = 0,
    CRP_CRL,
    CRP_OCSP,
    CRP_CRL_OCSP
} CertRevokePolicy;

/*
 * Since I never stop adding args to certVerify(), most of which have reasonable
 * defaults, the inputs are now expressed like so.
 *
 * Callers are expected to zero the struct, set version, and fill in only the
 * fields they need; pointer fields marked optional may be left NULL.
 */
#define CERT_VFY_ARGS_VERS 5    /* increment every time you change this struct */
typedef struct {
    int version;                    /* must be CERT_VFY_ARGS_VERS; presumably certVerify()
                                       rejects a mismatch — confirm in the implementation */
    CSSM_TP_HANDLE tpHand;
    CSSM_CL_HANDLE clHand;
    CSSM_CSP_HANDLE cspHand;
    BlobList *certs;                /* leaf plus intermediates to be verified */
    BlobList *roots;                /* caller-supplied anchors */
    BlobList *crls;                 /* caller-supplied CRLs (none in certVerifySimple()) */
    char *vfyTime;                  /* verification time as a string; NULL presumably means "now"
                                       (certVerifySimple() documents time = now) — format is
                                       not specified here */

    CSSM_BOOL certNetFetchEnable;   /* presumably allows missing chain certs to be fetched over
                                       the network — verify against the implementation */
    CSSM_BOOL useSystemAnchors;     /* also trust the system anchor set, not only `roots` */
    CSSM_BOOL useTrustSettings;
    CSSM_BOOL leafCertIsCA;
    CSSM_BOOL allowExpiredRoot;     /* NOTE(review): relaxes expiry checking on the anchor;
                                       intended for tests, keep false for real verification */
    CSSM_BOOL implicitAnchors;
    CSSM_DL_DB_LIST_PTR dlDbList;   // optional
    CertVerifyPolicy vfyPolicy;

    const char *sslHost;            // optional; SSL policy
    CSSM_BOOL sslClient;            // normally server side
    const char *senderEmail;        // optional, SMIME
    CE_KeyUsage intendedKeyUse;     // optional, SMIME only

    /* revocation options */
    CertRevokePolicy revokePolicy;
    CSSM_BOOL allowUnverified;      // if false, at least one must succeed

    /* CRL options */
    CSSM_BOOL requireCrlIfPresent;  /* fail if a cert names a CRL distribution point but
                                       no CRL could be checked — inferred from the name */
    CSSM_BOOL requireCrlForAll;     /* every cert must be checked against a CRL — inferred */
    CSSM_BOOL crlNetFetchEnable;
    CSSM_DL_DB_HANDLE_PTR crlDlDb;  // obsolete: write CRLs here

    /* OCSP options */
    const char *responderURI;       // optional, OCSP only
    const unsigned char *responderCert; // optional, OCSP only
    unsigned responderCertLen;      // optional, OCSP only; length of responderCert
                                    // (presumably in bytes — confirm); must describe
                                    // exactly the buffer responderCert points to
    CSSM_BOOL disableCache;         // both r and w for now
    CSSM_BOOL disableOcspNet;
    CSSM_BOOL requireOcspIfPresent;
    CSSM_BOOL requireOcspForAll;
    CSSM_BOOL generateOcspNonce;    /* send a nonce in the OCSP request */
    CSSM_BOOL requireOcspRespNonce; /* fail if the response does not echo the nonce;
                                       only meaningful with generateOcspNonce */

    /*
     * Expected overall error, by CSSM error name.
     * e.g., "CSSMERR_APPLETP_CRL_NOT_TRUSTED"
     */
    const char *expectedErrStr;

    /*
     * expected per-cert errors
     * format is certNum:errorString
     * e.g., "1:CSSMERR_APPLETP_CRL_NOT_TRUSTED"
     */
    unsigned numCertErrors;         /* number of entries in certErrors */
    const char **certErrors;        // per-cert status

    /*
     * Expected per-cert status (CSSM_TP_APPLE_EVIDENCE_INFO.StatusBits)
     * format is certNum:status_in_hex
     * e.g., "1:0x18", leading 0x optional
     */
    unsigned numCertStatus;         /* number of entries in certStatus */
    const char **certStatus;
    CSSM_BOOL quiet;                /* suppress normal output */
    CSSM_BOOL verbose;              /* extra diagnostic output */

} CertVerifyArgs;

/*
 * perform one cert/crl verification
 *
 * Returns an int; the convention (0 on success / expectation met, nonzero
 * otherwise) is presumed from the test-tool usage of the expected* fields —
 * confirm in the implementation.
 */
int certVerify(CertVerifyArgs *args);

/*
 * A slightly simplified version of certVerify:
 * -- no CRLs
 * -- no DlDbs
 * -- no net fetch
 * -- time = now
 * -- no trust settings
 *
 * NOTE(review): the list above says "no trust settings" but the prototype
 * takes useTrustSettings — confirm which reflects the current behaviour.
 * Remaining parameters have the same meaning as the CertVerifyArgs fields
 * of the same name.
 */
int certVerifySimple(
    CSSM_TP_HANDLE tpHand,
    CSSM_CL_HANDLE clHand,
    CSSM_CSP_HANDLE cspHand,
    BlobList &certs,
    BlobList &roots,
    CSSM_BOOL useSystemAnchors,
    CSSM_BOOL leafCertIsCA,
    CSSM_BOOL allowExpiredRoot,
    CertVerifyPolicy vfyPolicy,
    const char *sslHost,            // optional, SSL policy
    CSSM_BOOL sslClient,            // normally server side
    const char *senderEmail,        // optional, SMIME
    CE_KeyUsage intendedKeyUse,     // optional, SMIME only
    const char *expectedErrStr,     // e.g., "CSSMERR_APPLETP_CRL_NOT_TRUSTED"
    unsigned numCertErrors,
    const char **certErrors,        // per-cert status
    unsigned numCertStatus,
    const char **certStatus,
    CSSM_BOOL useTrustSettings,
    CSSM_BOOL quiet,
    CSSM_BOOL verbose);

/*
 * convert ASCII string in hex to unsigned
 *
 * NOTE(review): the signature gives the caller no way to detect invalid
 * (non-hex) characters or a value wider than unsigned; callers feeding it
 * anything other than trusted test input should validate first — behaviour
 * on bad input is defined by the implementation, not here.
 */
unsigned hexToBin(const char *hex);

} /* extern "C" */

#endif /* _CERT_VERIFY_H_ */