#ifndef _SECURITY_TRUST_H_
#define _SECURITY_TRUST_H_
#include <CoreFoundation/CoreFoundation.h>
#include <security_keychain/StorageManager.h>
#include <security_cdsa_client/tpclient.h>
#include <security_utilities/cfutilities.h>
#include <Security/SecTrust.h>
#include <security_keychain/Certificate.h>
#include <security_keychain/Policies.h>
#include <security_keychain/TrustStore.h>
#include <vector>
using namespace CssmClient;
namespace Security {
namespace KeychainCore {
//
// Trust - the native object behind a SecTrustRef: a certificate chain
// evaluation against a set of policies.
//
// Usage pattern visible from this header: construct with certificates and
// policies, adjust the configuration through the setters, call evaluate(),
// then read the outcome through result()/cssmResultCode()/evidence() and the
// other result accessors. The bodies of the non-inline methods live in the
// corresponding .cpp; claims marked "confirm" below are inferred from names
// and signatures only.
//
// Security note: anchors(), anchorPolicy(), exceptions(), responses() and
// networkPolicy() all feed the trust decision. Anything that lets untrusted
// input reach these setters widens the set of chains that evaluate() accepts.
//
class Trust : public SecCFObject
{
    NOCOPY(Trust)   // project macro: non-copyable
public:
    // Project macro providing the SecTrustRef <-> Trust bridging functions.
    SECCFFUNCTIONS(Trust, SecTrustRef, errSecInvalidItemRef, gTypes().Trust)

    // certificates / policies: either a single object or a CFArray of them
    // (inferred from the cfArrayize() normalisation used by the setters
    // below — confirm against the constructor body).
    Trust(CFTypeRef certificates, CFTypeRef policies);
    virtual ~Trust();

    // How caller-supplied anchors relate to the system's built-in anchors.
    // From the names: default behaviour, supplied anchors plus built-ins,
    // supplied anchors only — exact semantics are defined in evaluate().
    enum AnchorPolicy {
        useAnchorsDefault, useAnchorsAndBuiltIns, useAnchorsOnly };

    // Whether evaluation may go to the network (e.g. for revocation
    // checking — confirm); default/disabled/enabled.
    enum NetworkPolicy {
        useNetworkDefault, useNetworkDisabled, useNetworkEnabled };

    // --- configuration setters -------------------------------------------
    // These only store the value for the next evaluate(); nothing is
    // validated here. The CFTypeRef/CFArrayRef variants normalise the
    // argument into an array via cfArrayize() and take ownership of it.
    void policies(CFTypeRef policies) { mPolicies.take(cfArrayize(policies)); }
    // CSSM TP action code and its accompanying action-specific data.
    void action(CSSM_TP_ACTION action) { mAction = action; }
    void actionData(CFDataRef data) { mActionData = data; }
    // Point in time at which validity is checked (NULL presumably means
    // "now" — confirm in evaluate()).
    void time(CFDateRef verifyTime) { mVerifyTime = verifyTime; }
    // Anchor certificates the caller trusts; interpreted per anchorPolicy().
    void anchors(CFArrayRef anchorList) { mAnchors.take(cfArrayize(anchorList)); }
    void anchorPolicy(AnchorPolicy policy) { mAnchorPolicy = policy; }
    void networkPolicy(NetworkPolicy policy) { mNetworkPolicy = policy; }
    // Trust exceptions (cf. SecTrustSetExceptions in <Security/SecTrust.h>):
    // presumably failures the caller has chosen to tolerate — a
    // trust-relaxing input, confirm handling in evaluate().
    void exceptions(CFArrayRef exceptions) { mExceptions.take(cfArrayize(exceptions)); }
    // Caller-supplied response data (OCSP responses, presumably — confirm
    // the expected format in the .cpp).
    void responses(CFTypeRef responseData) { mResponses.take(cfArrayize(responseData)); }

    // Keychains searched for intermediate certificates. The accessor form
    // appears to lazily build a default list when init is true and none was
    // set (inferred from the mSearchLibs/mSearchLibsSet pair — confirm).
    StorageManager::KeychainList &searchLibs(bool init=true);
    void searchLibs(StorageManager::KeychainList &libs);

    // Run the evaluation with the current configuration. disableEV
    // presumably skips Extended Validation processing — confirm.
    void evaluate(bool disableEV=false);

    // Overwrites the stored result without re-running evaluate(); any caller
    // of this bypasses the actual chain check.
    void setResult(SecTrustResultType result) { mResult = result; }

    // --- result access -----------------------------------------------------
    // buildEvidence fills both out-parameters from the last evaluation;
    // ownership of the returned objects is defined in the .cpp.
    void buildEvidence(CFArrayRef &certChain, TPEvidenceInfo * &statusChain);
    CSSM_TP_VERIFY_CONTEXT_RESULT_PTR cssmResult();
    void extendedResult(CFDictionaryRef &extendedResult);
    CFArrayRef properties();
    CFDictionaryRef results();

    // Inline getters. The CF-typed ones hand back the stored reference via
    // CFRef's conversion; no ownership transfer to the caller is implied
    // (confirm against CFRef in cfutilities.h).
    SecTrustResultType result() const { return mResult; }
    OSStatus cssmResultCode() const { return mTpReturn; }   // raw TP status from the last evaluate()
    TP getTPHandle() const { return mTP; }
    CFArrayRef evidence() const { return mEvidenceReturned; }
    CFArrayRef policies() const { return mPolicies; }
    CFArrayRef anchors() const { return mAnchors; }
    CFDateRef time() const { return mVerifyTime; }
    AnchorPolicy anchorPolicy() const { return mAnchorPolicy; }
    NetworkPolicy networkPolicy() const { return mNetworkPolicy; }
    CFArrayRef exceptions() const { return mExceptions; }

    // Release the evidence memory held inside a TPVerifyResult back to the
    // allocator it was obtained from.
    static void releaseTPEvidence(TPVerifyResult &result, Allocator &allocator);

private:
    // Derive the SecTrustResultType from the TP outcome (presumably from
    // mTpReturn/mTpResult — confirm).
    SecTrustResultType diagnoseOutcome();
    // Apply user trust settings to an evaluated chain and its evidence.
    void evaluateUserTrust(const CertGroup &certs,
                           const CSSM_TP_APPLE_EVIDENCE_INFO *info,
                           CFCopyRef<CFArrayRef> anchors);
    // Reset per-evaluation state before a new evaluate().
    void clearResults();
    // Look up the Keychain that corresponds to a CSSM DL/DB handle.
    Keychain keychainByDLDb(const CSSM_DL_DB_HANDLE &handle);
    // Revocation-policy plumbing. The add/force/convert helpers return a new
    // policy array and report in numAdded how many entries they appended so
    // that freeAddedRevocationPolicyData() can release exactly those.
    CFMutableArrayRef addPreferenceRevocationPolicies(uint32 &numAdded,
                                                      Allocator &alloc);
    void freeAddedRevocationPolicyData(CFArrayRef policies,
                                       uint32 numAdded,
                                       Allocator &alloc);
    CFDictionaryRef defaultRevocationSettings();

public:
    // Policy-array helpers, public so other keychain code can share them.
    // policySpecified presumably reports whether policies holds a policy
    // with OID inOid; revocationPolicySpecified likewise for the revocation
    // OIDs — confirm in the .cpp.
    bool policySpecified(CFArrayRef policies, const CSSM_OID &inOid);
    bool revocationPolicySpecified(CFArrayRef policies);
    void orderRevocationPolicies(CFMutableArrayRef policies);
    CFMutableArrayRef convertRevocationPolicy(uint32 &numAdded, Allocator &alloc);
    CFMutableArrayRef forceRevocationPolicies(uint32 &numAdded,
                                              Allocator &alloc,
                                              bool requirePerCert=false);

private:
    // --- configuration state (set before evaluate()) ---
    TP mTP;                                  // trust policy module handle
    CSSM_TP_ACTION mAction;
    CFRef<CFDataRef> mActionData;
    CFRef<CFArrayRef> mExceptions;
    CFRef<CFArrayRef> mResponses;
    CFRef<CFDateRef> mVerifyTime;
    CFRef<CFArrayRef> mCerts;                // certificates given at construction
    CFRef<CFArrayRef> mPolicies;
    CFRef<CFArrayRef> mAnchors;
    StorageManager::KeychainList *mSearchLibs;
    bool mSearchLibsSet;                     // whether searchLibs() was explicitly set

    // --- evaluation results (filled by evaluate(), cleared by clearResults()) ---
    SecTrustResultType mResult;
    uint32 mResultIndex;
    OSStatus mTpReturn;                      // raw status from the TP
    TPVerifyResult mTpResult;
    vector< SecPointer<Certificate> > mCertChain;
    CFRef<CFArrayRef> mEvidenceReturned;
    CFRef<CFArrayRef> mAllowedAnchors;
    CFRef<CFArrayRef> mFilteredCerts;
    CFRef<CFDictionaryRef> mExtendedResult;
    bool mUsingTrustSettings;                // whether user trust settings took part — confirm
    AnchorPolicy mAnchorPolicy;
    NetworkPolicy mNetworkPolicy;

public:
    // Shared TrustStore instance (ModuleNexus; constructed on first use —
    // confirm against security_utilities).
    static ModuleNexus<TrustStore> gStore;

private:
    // Guards this object's state; which operations take it is defined in
    // the .cpp.
    Mutex mMutex;
};
}
}
#endif // !_SECURITY_TRUST_H_