1/*
2 * Copyright (c) 2005 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24/*
25 * TrustSettingsSchema.h - Dictionary keys used in on-disk TrustSettings plist.
26 */
27
28#ifndef	_TRUST_SETTINGS_SCHEMA_H_
29#define _TRUST_SETTINGS_SCHEMA_H_
30
31#include <CoreFoundation/CFString.h>
32
33/*
34 * A TrustSettings Record contains the XML encoding of a CFDictionary. This dictionary
35 * currently contains two name/value pairs:
36 *
37 * key = kTrustRecordVersion,   value = SInt32 version number
38 * key = kTrustRecordTrustList, value = CFDictionary
39 *
40 * Each key/value pair of the CFDictionary associated with key kTrustRecordTrustList
41 * consists of:
42 * -- key   = the ASCII representation (with alpha characters in upper case) of the
43 *            cert's SHA1 digest.
44 * -- value = a CFDictionary representing one cert.
45 *
46 * Key/value pairs in the per-cert dictionary are as follows:
47 *
48 * -- key = kTrustRecordIssuer, value = non-normalized issuer as CFData
49 * -- key = kTrustRecordSerialNumber, value = serial number as CFData
50 * -- key = kTrustRecordModDate, value = CFDateRef of the last modification
51			date of the per-cert entry.
52 * -- key = kTrustRecordTrustSettings, value = array of dictionaries. The
53 *          dictionaries are as described in the API in SecUserTrust.h
54 *			although we store the values differently (see below).
55 *			As written to disk, this key/value is always present although
56 *			the usageConstraints array may be empty.
57 *
58 * A usageConstraints dictionary is like so (all elements are optional). These key
59 * strings are defined in SecUserTrust.h.
60 *
61 * key = kSecTrustSettingsPolicy		value = policy OID as CFData
62 * key = kSecTrustSettingsApplication	value = application as CFData
63 * key = kSecTrustSettingsPolicyString	value = CFString, policy-specific
64 * key = kSecTrustSettingsAllowedError	value = CFNumber, an SInt32 CSSM_RETURN
65 * key = kSecTrustSettingsResult		value = CFNumber, an SInt32 SecTrustSettingsResult
66 * key = kSecTrustSettingsKeyUsage		value = CFNumber, an SInt32 key usage
67 * key = kSecTrustSettingsModifyDate	value = CFDate, last modification
68 */
69
70/*
71 * Keys in the top-level dictionary
72 */
73#define kTrustRecordVersion				CFSTR("trustVersion")
74#define kTrustRecordTrustList			CFSTR("trustList")
75
76#define kSecTrustRecordNumTopDictKeys		2
77
78/*
79 * Keys in the per-cert dictionary in the TrustedRootList record.
80 */
81/* value = non-normalized issuer as CFData */
82#define kTrustRecordIssuer				CFSTR("issuerName")
83
84/* value = serial number as CFData */
85#define kTrustRecordSerialNumber		CFSTR("serialNumber")
86
87/* value = CFDateRef representation of modification date */
88#define kTrustRecordModDate				CFSTR("modDate")
89
90/*
91 * value = array of CFDictionaries as used in public API
92 * Not present for a cert which has no usage Constraints (i.e.
93 * "wide open" unrestricted, kSecTrustSettingsResultTrustRoot as
94 * the default SecTrustSettingsResult).
95 */
96#define kTrustRecordTrustSettings		CFSTR("trustSettings")
97
98#define kSecTrustRecordNumCertDictKeys	4
99
100/*
101 * Version of the top-level dictionary.
102 */
103enum {
104	kSecTrustRecordVersionInvalid	= 0,	/* should never be seen on disk */
105	kSecTrustRecordVersionCurrent	= 1
106};
107
108/*
109 * Key for the (optional) default entry in a TrustSettings record. This
110 * appears in place of the cert's hash string, and corresponds to
111 * kSecTrustSettingsDefaultRootCertSetting at the public API.
112 * If you change this, make sure it has characters other than those
113 * appearing in a normal cert hash string (0..9 and A..F).
114 */
115#define kSecTrustRecordDefaultRootCert		CFSTR("kSecTrustRecordDefaultRootCert")
116
117/*
118 * The location of the system root keychain and its associated TrustSettings.
119 * These are immutable; this module never modifies either of them.
120 */
121#define SYSTEM_ROOT_STORE_PATH			"/System/Library/Keychains/SystemRootCertificates.keychain"
122#define SYSTEM_TRUST_SETTINGS_PATH		"/System/Library/Keychains/SystemTrustSettings.plist"
123
124/*
125 * The local admin cert store.
126 */
127#define ADMIN_CERT_STORE_PATH			"/Library/Keychains/System.keychain"
128
129/*
130 * Per-user and local admin TrustSettings are stored in this directory.
131 * Per-user settings are of the form <uuid>.plist.
132 */
133#define TRUST_SETTINGS_PATH				"/Library/Security/Trust Settings"
134#define ADMIN_TRUST_SETTINGS			"Admin.plist"
135
136/*
137 * The location of the system intermediate cert store keychain.
138 */
139#define SYSTEM_CERT_STORE_PATH			"/System/Library/Keychains/SystemCACertificates.keychain"
140
141/*
142 * The domain and key for the system preference to disable User-level domain TrustSettings.
143 * If this pref exists in /Library/Preferences, and has a value of true, then
144 * per-user TrustSettings will be ignored.
145 */
146#define kSecTrustSettingsPrefsDomain				"com.apple.security"
147#define kSecTrustSettingsDisableUserTrustSettings	CFSTR("DisableUserTrustSettings")
148
149#endif	/* _TRUST_SETTINGS_SCHEMA_H_ */
150
151