1/*
2 * Copyright (c) 2008-2009 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24/*!
25	@header SecCertificateRequest
26*/
27
28#ifndef _SECURITY_SECCERTIFICATEREQUEST_H_
29#define _SECURITY_SECCERTIFICATEREQUEST_H_
30
31#include <Security/SecCertificatePriv.h>
32#include <Security/SecKey.h>
33
34__BEGIN_DECLS
35
36extern const void * kSecOidCommonName;
37extern const void * kSecOidCountryName;
38extern const void * kSecOidStateProvinceName;
39extern const void * kSecOidLocalityName;
40extern const void * kSecOidOrganization;
41extern const void * kSecOidOrganizationalUnit;
42
43extern const unsigned char SecASN1PrintableString;
44extern const unsigned char SecASN1UTF8String;
45
46/*
47        Parameter keys for certificate request generation:
48        @param kSecCSRChallengePassword CFStringRef
49            conversion to PrintableString or UTF8String needs to be possible.
50        @param kSecCertificateKeyUsage  CFNumberRef
51            with key usage mask using kSecKeyUsage constants.
52        @param kSecSubjectAltName       CFArrayRef of CFStringRef or CFDataRef
53            either dnsName or emailAddress (if contains @) or
54            ipAddress, ipv4 (4) or ipv6 (16) bytes
55        @param kSecCSRBasicContraintsPathLen    CFNumberRef
56            if set will include basic constraints and mark it as
57            a CA cert.  If 0 <= number < 256, specifies path length, otherwise
58            path length will be omitted.  Basic contraints will always be
59            marked critical.
60        @param kSecCertificateExtensions     CFDictionaryRef
61            if set all keys (strings with oids in dotted notation) will be added
62            as extensions with accompanying value in binary (CFDataRef) or
63            appropriate string (CFStringRef) type (based on used character set).
64*/
65extern const void * kSecCSRChallengePassword;
66extern const void * kSecSubjectAltName;
67extern const void * kSecCertificateKeyUsage;
68extern const void * kSecCSRBasicContraintsPathLen;
69extern const void * kSecCertificateExtensions;
70
71typedef struct {
72    const void *oid;          /* kSecOid constant or CFDataRef with oid */
73    unsigned char type; /* currently only SecASN1PrintableString */
74    CFTypeRef value;    /* CFStringRef -> ASCII, UTF8, CFDataRef -> binary */
75} SecATV;
76
77typedef SecATV *SecRDN;
78
79/*
80	@function SecGenerateCertificateRequest
81	@abstract Return a newly generated CSR for subject and keypair.
82	@param subject  RDNs in the subject
83    @param num      Number of RDNs
84    @param publicKey    Public key
85    @param privateKey   Private key
86	@discussion only handles RSA keypairs and uses a SHA-1 PKCS1 signature
87    @result On success, a newly allocated CSR, otherwise NULL
88
89Example for subject:
90    SecATV cn[]   = { { kSecOidCommonName, SecASN1PrintableString, CFSTR("test") }, {} };
91    SecATV c[]    = { { kSecOidCountryName, SecASN1PrintableString, CFSTR("US") }, {} };
92    SecATV o[]    = { { kSecOidOrganization, SecASN1PrintableString, CFSTR("Apple Inc.") }, {} };
93    SecRDN atvs[] = { cn, c, o, NULL };
94*/
95CFDataRef SecGenerateCertificateRequestWithParameters(SecRDN *subject,
96    CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey) CF_RETURNS_RETAINED;
97
98CFDataRef SecGenerateCertificateRequest(CFArrayRef subject,
99    CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey) CF_RETURNS_RETAINED;
100
101/*
102	@function SecVerifyCertificateRequest
103	@abstract validate a CSR and return contained information to certify
104	@param publicKey (optional/out) SecKeyRef public key to certify
105    @param challenge (optional/out) CFStringRef enclosed challenge
106    @param subject (optional/out) encoded subject RDNs
107    @param extensions (optional/out) encoded extensions
108*/
109bool SecVerifyCertificateRequest(CFDataRef csr, SecKeyRef *publicKey,
110    CFStringRef *challenge, CFDataRef *subject, CFDataRef *extensions);
111
112SecCertificateRef
113SecGenerateSelfSignedCertificate(CFArrayRef subject, CFDictionaryRef parameters,
114    SecKeyRef publicKey, SecKeyRef privateKey);
115
116SecCertificateRef
117SecIdentitySignCertificate(SecIdentityRef issuer, CFDataRef serialno,
118    SecKeyRef publicKey, CFTypeRef subject, CFTypeRef extensions);
119
120
121/* PRIVATE */
122
123CFDataRef
124SecGenerateCertificateRequestSubject(SecCertificateRef ca_certificate, CFArrayRef subject);
125
126__END_DECLS
127
128#endif /* _SECURITY_SECCERTIFICATEREQUEST_H_ */
129