1/*
2 * Copyright (c) 2008-2010 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24/*!
25    @header SecPolicyServer
    The functions declared in SecPolicyServer.h are securityd's server-side
    interface for evaluating trust policies against a candidate certificate
    path: static leaf/parent checks, key black/gray-list checks, EV
    handling, and the (possibly asynchronous) revocation checks.
28*/
29
30#ifndef _SECURITY_SECPOLICYSERVER_H_
31#define _SECURITY_SECPOLICYSERVER_H_
32
33#include <Security/SecPolicyInternal.h>
34
35#include <securityd/policytree.h>
36#include <securityd/SecTrustServer.h>
37
38__BEGIN_DECLS
39
/* Handle to a policy verification context ("PVC").  The pointee is defined
   immediately below, so it is not actually opaque to includers of this
   header: other securityd translation units access the fields directly. */
typedef struct OpaqueSecPVC *SecPVCRef;
41
/* Per-path policy verification context.  Set up by SecPVCInit() for a
   SecPathBuilderRef, pointed at a candidate certificate path with
   SecPVCSetPath(), run through the *Checks functions below, and torn down
   with SecPVCDelete().  Because the struct is visible here, its layout and
   field names are part of the interface between securityd's translation
   units; reorder or rename with care. */
struct OpaqueSecPVC {
    /* Path builder this context was created for (handed to SecPVCInit). */
    SecPathBuilderRef builder;

    /* @@@ Duplicated from builder, remove. */
	CFArrayRef policies;       /* policies to evaluate (from SecPVCInit) */
	CFAbsoluteTime verifyTime; /* instant the path is evaluated at (from SecPVCInit) */

	SecCertificatePathRef path; /* candidate path under evaluation (from SecPVCSetPath) */
	CFArrayRef details;         /* result details; presumably one entry per certificate,
	                               cf. the ix argument of SecPVCSetResult — confirm */
    CFMutableDictionaryRef info;     /* NOTE(review): contents not visible in this header —
                                        confirm in SecPolicyServer.c */
    policy_tree_t valid_policy_tree; /* policy-tree state; type from securityd/policytree.h */
    CFDictionaryRef callbacks;       /* presumably check key -> SecPolicyCheckFunction;
                                        verify against SecPolicyValidate */
    CFIndex policyIX;                /* policy currently being evaluated; presumably an
                                        index into `policies` (see SecPVCGetPolicy) */

    void *rvcs;                 /* untyped here; the name suggests per-certificate
                                   revocation-check contexts — the real type lives in the .c */
    unsigned int asyncJobCount; /* outstanding async background jobs (see SecPVCPathChecks) */

    bool check_revocation;      /* revocation checking requested; see SecPVCSetCheckRevocation */
    bool optionally_ev;         /* EV evaluation wanted but not required (name-based reading — confirm) */
    bool is_ev;                 /* path qualifies as EV so far (name-based reading — confirm) */
	bool result;                /* running verdict for the path; presumably cleared by a
	                               recorded failure (see SecPVCSetResult) — confirm */
};
64
/* Lifecycle.  SecPVCInit() binds pvc to its builder and stores the policies
   and verifyTime it is handed (duplicating what the builder already holds,
   per the note in the struct).  SecPVCSetPath() installs the candidate path
   and the details array results are recorded into; it must precede the
   *Checks functions below.  SecPVCDelete() releases what the pvc holds;
   whether it also frees the struct itself is not stated in this header —
   confirm in SecPolicyServer.c before adding a free() at the call site. */
void SecPVCInit(SecPVCRef pvc, SecPathBuilderRef builder, CFArrayRef policies,
    CFAbsoluteTime verifyTime);
void SecPVCDelete(SecPVCRef pvc);
void SecPVCSetPath(SecPVCRef pvc, SecCertificatePathRef path,
    CFArrayRef details);
/* Accessors over the current state.  SecPVCGetPolicy presumably returns the
   policy selected by policyIX; SecPVCGetCertificateAtIndex indexes the
   installed path.  No bounds contract is stated for ix: callers should keep
   it below SecPVCGetCertificateCount(). */
SecPolicyRef SecPVCGetPolicy(SecPVCRef pv);
CFAbsoluteTime SecPVCGetVerifyTime(SecPVCRef pv);
CFIndex SecPVCGetCertificateCount(SecPVCRef pv);
SecCertificateRef SecPVCGetCertificateAtIndex(SecPVCRef pv, CFIndex ix);
/* Structural predicates.  A self-signed certificate is not thereby trusted;
   trust comes from the path being anchored and from the policy checks.
   What counts as an anchor is decided by the path builder / trust store,
   not by this header. */
bool SecPVCIsCertificateAtIndexSelfSigned(SecPVCRef pvc, CFIndex ix);
bool SecPVCIsAnchored(SecPVCRef pvc);
76
/* Record `result` as the reason the sub-policy check identified by `key`
   failed for the certificate at index ix.  Returns true if the calling
   policy check function should continue processing its remaining checks,
   false if it should stop.
   Two caveats for implementers: `result` is typed CFTypeRef although the
   original comment called it a string, so consumers must not assume a
   CFStringRef without checking; and the `force` parameter on the second
   variant suggests the plain variant can decline to record a failure for
   some keys — a check whose failure must always be recorded should use
   SecPVCSetResultForced(..., true).  Confirm the exact suppression rule in
   SecPolicyServer.c before relying on either behaviour. */
bool SecPVCSetResult(SecPVCRef pv, CFStringRef key, CFIndex ix,
	CFTypeRef result);
bool SecPVCSetResultForced(SecPVCRef pvc,
	CFStringRef key, CFIndex ix, CFTypeRef result, bool force);
84
/* Request revocation checking for the path in pvc.  Revocation is only
   consulted if the rest of the policy checks succeed: a path that already
   fails a static check is reported failed without any revocation lookup,
   and a path that passes them presumably has its revocation outcome pending
   until SecPVCPathChecks() completes (possibly asynchronously).  Once this
   has been called, callers should not read an intermediate `result` as the
   final verdict. */
void SecPVCSetCheckRevocation(SecPVCRef pvc);
87
/* Static checks — evaluated from the path contents alone, as opposed to the
   dynamic checks in SecPVCPathChecks().  The meaning of the bool return
   (check passed vs. keep processing) is not stated in this header; confirm
   it against SecPVCSetResult's contract before treating true as "accepted". */

/* Run static leaf checks on the path in pvc. */
bool SecPVCLeafChecks(SecPVCRef pvc);

/* Run static parent checks on the certificate at index ix of the path. */
bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix);

/* Check whether an intermediate certificate's key has been blacklisted.
   The check is on the public key, not the certificate, so (assuming the
   implementation compares the key as the name says) a re-issued certificate
   carrying the same compromised key is caught as well. */
bool SecPVCBlackListedKeyChecks(SecPVCRef pvc, CFIndex ix);

/* Check whether an intermediate certificate's key has been gray listed.
   Presumably a weaker state than blacklisting; how the two are treated
   differently is decided by the implementation, not here. */
bool SecPVCGrayListedKeyChecks(SecPVCRef pvc, CFIndex ix);
99
/* Run dynamic checks on the complete path in pvc.  Returns true if the
   operation is complete, false if an async background request was
   scheduled.  Upon completion of the async background job
   SecPathBuilderStep() should be called.  While a job is outstanding
   (see asyncJobCount) the pvc's result is not final and must not be
   reported to the caller as a trust decision. */
bool SecPVCPathChecks(SecPVCRef pvc);
105
/* Return the earliest date on which one of the revocation validation
   tokens used for this path (an OCSP response or a CRL) expires, or 0 if
   revocation checking failed for any certificate.  A 0 return therefore
   means "no valid revocation information", not a date: callers that cache
   trust results must special-case it rather than use it as an expiry. */
CFAbsoluteTime SecPVCGetEarliestNextUpdate(SecPVCRef pvc);
110
/* Signature of a per-key policy check.  An implementation examines pvc for
   the check named by `key` and reports failures through SecPVCSetResult /
   SecPVCSetResultForced, whose return value tells it whether to keep going.
   Presumably looked up by key in pvc->callbacks — confirm in
   SecPolicyServer.c. */
typedef void (*SecPolicyCheckFunction)(SecPVCRef pv, CFStringRef key);
112
113/*
114    Used by SecTrust to verify if a particular certificate chain matches
115	this policy.  Returns true if the policy accepts the certificate chain.
116*/
117bool SecPolicyValidate(SecPolicyRef policy, SecPVCRef pvc, CFStringRef key);
118
/* Rebuild an array of SecPolicyRefs from their serialized form.  The
   serialized array presumably crosses the client/daemon boundary, so it
   should be treated as untrusted input: confirm in the implementation that
   element types and counts are validated before use. */
CFArrayRef SecPolicyArrayDeserialize(CFArrayRef serializedPolicies);

/* One-time initialization of the policy server.  (The spelling "Initalize"
   is part of the exported name and must be kept as-is.) */
void SecPolicyServerInitalize(void);

/* True iff certificate could be an extended validation (EV) certificate.
   This is a necessary-condition filter on the subscriber certificate, not
   an EV determination: a true result only means EV evaluation is worth
   attempting (cf. the optionally_ev / is_ev fields). */
bool SecPolicySubscriberCertificateCouldBeEV(SecCertificateRef certificate);

/* Initialize the mapping from EV policy identifiers to the anchor digests
   accepted for them (name-based reading — confirm in SecPolicyServer.c). */
void SecEVPolicyToAnchorDigestsInit(void);
127
128__END_DECLS
129
130#endif /* !_SECURITY_SECPOLICYSERVER_H_ */
131