1/* 2 * Copyright (c) 2005 Apple Computer, Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24/* 25 * TrustSettingsSchema.h - Dictionary keys used in on-disk TrustSettings plist. 26 */ 27 28#ifndef _TRUST_SETTINGS_SCHEMA_H_ 29#define _TRUST_SETTINGS_SCHEMA_H_ 30 31#include <CoreFoundation/CFString.h> 32 33/* 34 * A TrustSettings Record contains the XML encoding of a CFDictionary. This dictionary 35 * currently contains two name/value pairs: 36 * 37 * key = kTrustRecordVersion, value = SInt32 version number 38 * key = kTrustRecordTrustList, value = CFDictionary 39 * 40 * Each key/value pair of the CFDictionary associated with key kTrustRecordTrustList 41 * consists of: 42 * -- key = the ASCII representation (with alpha characters in upper case) of the 43 * cert's SHA1 digest. 44 * -- value = a CFDictionary representing one cert. 45 * 46 * Key/value pairs in the per-cert dictionary are as follows: 47 * 48 * -- key = kTrustRecordIssuer, value = non-normalized issuer as CFData 49 * -- key = kTrustRecordSerialNumber, value = serial number as CFData 50 * -- key = kTrustRecordModDate, value = CFDateRef of the last modification 51 date of the per-cert entry. 52 * -- key = kTrustRecordTrustSettings, value = array of dictionaries. The 53 * dictionaries are as described in the API in SecUserTrust.h 54 * although we store the values differently (see below). 55 * As written to disk, this key/value is always present although 56 * the usageConstraints array may be empty. 57 * 58 * A usageConstraints dictionary is like so (all elements are optional). These key 59 * strings are defined in SecUserTrust.h. 60 * 61 * key = kSecTrustSettingsPolicy value = policy OID as CFData 62 * key = kSecTrustSettingsApplication value = application as CFData 63 * key = kSecTrustSettingsPolicyString value = CFString, policy-specific 64 * key = kSecTrustSettingsAllowedError value = CFNumber, an SInt32 CSSM_RETURN 65 * key = kSecTrustSettingsResult value = CFNumber, an SInt32 SecTrustSettingsResult 66 * key = kSecTrustSettingsKeyUsage value = CFNumber, an SInt32 key usage 67 * key = kSecTrustSettingsModifyDate value = CFDate, last modification 68 */ 69 70/* 71 * Keys in the top-level dictionary 72 */ 73#define kTrustRecordVersion CFSTR("trustVersion") 74#define kTrustRecordTrustList CFSTR("trustList") 75 76#define kSecTrustRecordNumTopDictKeys 2 77 78/* 79 * Keys in the per-cert dictionary in the TrustedRootList record. 80 */ 81/* value = non-normalized issuer as CFData */ 82#define kTrustRecordIssuer CFSTR("issuerName") 83 84/* value = serial number as CFData */ 85#define kTrustRecordSerialNumber CFSTR("serialNumber") 86 87/* value = CFDateRef representation of modification date */ 88#define kTrustRecordModDate CFSTR("modDate") 89 90/* 91 * value = array of CFDictionaries as used in public API 92 * Not present for a cert which has no usage Constraints (i.e. 93 * "wide open" unrestricted, kSecTrustSettingsResultTrustRoot as 94 * the default SecTrustSettingsResult). 95 */ 96#define kTrustRecordTrustSettings CFSTR("trustSettings") 97 98#define kSecTrustRecordNumCertDictKeys 4 99 100/* 101 * Version of the top-level dictionary. 102 */ 103enum { 104 kSecTrustRecordVersionInvalid = 0, /* should never be seen on disk */ 105 kSecTrustRecordVersionCurrent = 1 106}; 107 108/* 109 * Key for the (optional) default entry in a TrustSettings record. This 110 * appears in place of the cert's hash string, and corresponds to 111 * kSecTrustSettingsDefaultRootCertSetting at the public API. 112 * If you change this, make sure it has characters other than those 113 * appearing in a normal cert hash string (0..9 and A..F). 114 */ 115#define kSecTrustRecordDefaultRootCert CFSTR("kSecTrustRecordDefaultRootCert") 116 117/* 118 * The location of the system root keychain and its associated TrustSettings. 119 * These are immutable; this module never modifies either of them. 120 */ 121#define SYSTEM_ROOT_STORE_PATH "/System/Library/Keychains/SystemRootCertificates.keychain" 122#define SYSTEM_TRUST_SETTINGS_PATH "/System/Library/Keychains/SystemTrustSettings.plist" 123 124/* 125 * The local admin cert store. 126 */ 127#define ADMIN_CERT_STORE_PATH "/Library/Keychains/System.keychain" 128 129/* 130 * Per-user and local admin TrustSettings are stored in this directory. 131 * Per-user settings are of the form <uuid>.plist. 132 */ 133#define TRUST_SETTINGS_PATH "/Library/Security/Trust Settings" 134#define ADMIN_TRUST_SETTINGS "Admin.plist" 135 136/* 137 * The location of the system intermediate cert store keychain. 138 */ 139#define SYSTEM_CERT_STORE_PATH "/System/Library/Keychains/SystemCACertificates.keychain" 140 141/* 142 * The domain and key for the system preference to disable User-level domain TrustSettings. 143 * If this pref exists in /Library/Preferences, and has a value of true, then 144 * per-user TrustSettings will be ignored. 145 */ 146#define kSecTrustSettingsPrefsDomain "com.apple.security" 147#define kSecTrustSettingsDisableUserTrustSettings CFSTR("DisableUserTrustSettings") 148 149#endif /* _TRUST_SETTINGS_SCHEMA_H_ */ 150 151