/* * Copyright (c) 2002-2004,2011-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_LICENSE_HEADER_END@ */ #ifndef _SECURITY_SECCERTIFICATEPRIV_H_ #define _SECURITY_SECCERTIFICATEPRIV_H_ #include <Security/SecBase.h> #include <Security/cssmtype.h> #include <Security/x509defs.h> #include <CoreFoundation/CFBase.h> #include <CoreFoundation/CFArray.h> #include <CoreFoundation/CFData.h> #include <CoreFoundation/CFDate.h> #include <CoreFoundation/CFDictionary.h> #if defined(__cplusplus) extern "C" { #endif typedef CF_ENUM(uint32_t, SecCertificateEscrowRootType) { kSecCertificateBaselineEscrowRoot = 0, kSecCertificateProductionEscrowRoot = 1, kSecCertificateBaselinePCSEscrowRoot = 2, kSecCertificateProductionPCSEscrowRoot = 3, kSecCertificateBaselineEscrowBackupRoot = 4, // v100 and v101 kSecCertificateProductionEscrowBackupRoot = 5, kSecCertificateBaselineEscrowEnrollmentRoot = 6, // v101 only kSecCertificateProductionEscrowEnrollmentRoot = 7, }; extern const CFStringRef kSecCertificateProductionEscrowKey; extern const CFStringRef kSecCertificateProductionPCSEscrowKey; extern const CFStringRef kSecCertificateEscrowFileName; /* Given a unified SecCertificateRef, return a copy with a legacy C++ ItemImpl-based Certificate instance. Only for internal use; legacy references cannot be used by SecCertificate API functions. */ SecCertificateRef SecCertificateCreateItemImplInstance(SecCertificateRef certificate); /* Inverse of above; convert legacy Certificate instance to new ref. */ SecCertificateRef SecCertificateCreateFromItemImplInstance(SecCertificateRef certificate); /* Convenience function to determine type of certificate instance. */ Boolean SecCertificateIsItemImplInstance(SecCertificateRef certificate); /* Given a legacy C++ ItemImpl-based Certificate instance obtained with SecCertificateCreateItemImplInstance, return its clHandle pointer. Only for internal use. */ OSStatus SecCertificateGetCLHandle_legacy(SecCertificateRef certificate, CSSM_CL_HANDLE *clHandle); /* Return a certificate for the DER representation of this certificate. Return NULL if the passed-in data is not a valid DER-encoded X.509 certificate. */ SecCertificateRef SecCertificateCreateWithBytes(CFAllocatorRef allocator, const UInt8 *bytes, CFIndex length); /* Returns a certificate from a pem blob. Return NULL if the passed-in data is not a valid DER-encoded X.509 certificate. */ SecCertificateRef SecCertificateCreateWithPEM(CFAllocatorRef allocator, CFDataRef pem_certificate); /* Return the length of the DER representation of this certificate. */ CFIndex SecCertificateGetLength(SecCertificateRef certificate); /* Return the bytes of the DER representation of this certificate. */ const UInt8 *SecCertificateGetBytePtr(SecCertificateRef certificate); /* Return the SHA-1 hash of this certificate. */ CFDataRef SecCertificateGetSHA1Digest(SecCertificateRef certificate); /* Return the SHA-256 hash of this certificate. */ CFDataRef SecCertificateCopySHA256Digest(SecCertificateRef certificate); /* Return the SHA-1 hash of the public key in this certificate. */ CFDataRef SecCertificateCopyPublicKeySHA1Digest(SecCertificateRef certificate); /* Return the SHA-1 hash of the SubjectPublicKeyInfo sequence in this certificate. */ CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA1Digest(SecCertificateRef certificate); /* Return the SHA-256 hash of the SubjectPublicKeyInfo sequence in this certificate. */ CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA256Digest(SecCertificateRef certificate); /* Deprecated; use SecCertificateCopyCommonName() instead. */ OSStatus SecCertificateGetCommonName(SecCertificateRef certificate, CFStringRef *commonName); /* Deprecated; use SecCertificateCopyEmailAddresses() instead. */ /* This should have been Copy instead of Get since the returned address is not autoreleased. */ OSStatus SecCertificateGetEmailAddress(SecCertificateRef certificate, CFStringRef *emailAddress); /* Return an array of CFStringRefs representing the dns addresses in the certificate if any. */ CFArrayRef SecCertificateCopyDNSNames(SecCertificateRef certificate); /* Return an array of CFStringRefs representing the NTPrincipalNames in the certificate if any. */ CFArrayRef SecCertificateCopyNTPrincipalNames(SecCertificateRef certificate); /* Create a unified SecCertificateRef from a legacy keychain item and its data. */ SecCertificateRef SecCertificateCreateWithKeychainItem(CFAllocatorRef allocator, CFDataRef der_certificate, CFTypeRef keychainItem); /* Set a legacy item instance for a unified SecCertificateRef. */ OSStatus SecCertificateSetKeychainItem(SecCertificateRef certificate, CFTypeRef keychain_item); /* Return a keychain item reference, given a unified SecCertificateRef. Note: for this function to succeed, the provided certificate must have been created by SecCertificateCreateWithKeychainItem, otherwise NULL is returned. */ CFTypeRef SecCertificateCopyKeychainItem(SecCertificateRef certificate); /*! @function SecCertificateCopyIssuerSummary @abstract Return a simple string which hopefully represents a human understandable issuer. @param certificate SecCertificate object created with SecCertificateCreateWithData(). @discussion All the data in this string comes from the certificate itself and thus it's in whatever language the certificate itself is in. @result A CFStringRef which the caller should CFRelease() once it's no longer needed. */ CFStringRef SecCertificateCopyIssuerSummary(SecCertificateRef certificate); /* Return a string formatted according to RFC 2253 representing the complete subject of certificate. */ CFStringRef SecCertificateCopySubjectString(SecCertificateRef certificate); CFMutableArrayRef SecCertificateCopySummaryProperties( SecCertificateRef certificate, CFAbsoluteTime verifyTime); /* * Private API to infer a display name for a SecCertificateRef which * may or may not be in a keychain. */ OSStatus SecCertificateInferLabel(SecCertificateRef certificate, CFStringRef *label); /* * Subset of the above, useful for both certs and CRLs. * Infer printable label for a given an CSSM_X509_NAME. Returns NULL * if no appropriate printable name found. */ const CSSM_DATA *SecInferLabelFromX509Name( const CSSM_X509_NAME *x509Name); /* Accessors for fields in the cached certificate */ /*! @function SecCertificateCopyFieldValues @abstract Retrieves the values for a particular field in a given certificate. @param certificate A valid SecCertificateRef to the certificate. @param field Pointer to the OID whose values should be returned. @param fieldValues On return, a zero terminated list of CSSM_DATA_PTR's. @result A result code. See "Security Error Codes" (SecBase.h). @discussion Return a zero terminated list of CSSM_DATA_PTR's with the values of the field specified by field. Caller must call SecCertificateReleaseFieldValues to free the storage allocated by this call. */ OSStatus SecCertificateCopyFieldValues(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR **fieldValues); /*! @function SecCertificateReleaseFieldValues @abstract Release the storage associated with the values returned by SecCertificateCopyFieldValues. @param certificate A valid SecCertificateRef to the certificate. @param field Pointer to the OID whose values were returned by SecCertificateCopyFieldValues. @param fieldValues Pointer to a zero terminated list of CSSM_DATA_PTR's. @result A result code. See "Security Error Codes" (SecBase.h). @discussion Release the storage associated with the values returned by SecCertificateCopyFieldValues. */ OSStatus SecCertificateReleaseFieldValues(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR *fieldValues); /*! @function SecCertificateCopyFirstFieldValue @abstract Return a CSSM_DATA_PTR with the value of the first field specified by field. @param certificate A valid SecCertificateRef to the certificate. @param field Pointer to the OID whose value should be returned. @param fieldValue On return, a CSSM_DATA_PTR to the field data. @result A result code. See "Security Error Codes" (SecBase.h). @discussion Return a CSSM_DATA_PTR with the value of the first field specified by field. Caller must call SecCertificateReleaseFieldValue to free the storage allocated by this call. */ OSStatus SecCertificateCopyFirstFieldValue(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR *fieldValue); /*! @function SecCertificateReleaseFirstFieldValue @abstract Release the storage associated with the values returned by SecCertificateCopyFirstFieldValue. @param certificate A valid SecCertificateRef to the certificate. @param field Pointer to the OID whose values were returned by SecCertificateCopyFieldValue. @param fieldValue The field data to release. @result A result code. See "Security Error Codes" (SecBase.h). @discussion Release the storage associated with the values returned by SecCertificateCopyFieldValue. */ OSStatus SecCertificateReleaseFirstFieldValue(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR fieldValue); /*! @function SecCertificateCopySubjectComponent @abstract Retrieves a component of the subject distinguished name of a given certificate. @param certificate A reference to the certificate from which to retrieve the common name. @param component A component oid naming the component desired. See <Security/oidsattr.h>. @param result On return, a reference to the string form of the component, if present in the subject. Your code must release this reference by calling the CFRelease function. @result A result code. See "Security Error Codes" (SecBase.h). */ OSStatus SecCertificateCopySubjectComponent(SecCertificateRef certificate, const CSSM_OID *component, CFStringRef *result); /* Return the DER encoded issuer sequence for the certificate's issuer. */ CFDataRef SecCertificateCopyIssuerSequence(SecCertificateRef certificate); /* Return the DER encoded subject sequence for the certificate's subject. */ CFDataRef SecCertificateCopySubjectSequence(SecCertificateRef certificate); #if (SECTRUST_OSX && TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR)) CFDataRef SecCertificateGetNormalizedIssuerContent(SecCertificateRef certificate); CFDataRef SecCertificateGetNormalizedSubjectContent(SecCertificateRef certificate); CFDataRef SecCertificateCopyNormalizedIssuerSequence(SecCertificateRef certificate); CFDataRef SecCertificateCopyNormalizedSubjectSequence(SecCertificateRef certificate); #endif /* Convenience functions for searching. */ OSStatus SecCertificateFindByIssuerAndSN(CFTypeRef keychainOrArray, const CSSM_DATA *issuer, const CSSM_DATA *serialNumber, SecCertificateRef *certificate); OSStatus SecCertificateFindBySubjectKeyID(CFTypeRef keychainOrArray, const CSSM_DATA *subjectKeyID, SecCertificateRef *certificate); OSStatus SecCertificateFindByEmail(CFTypeRef keychainOrArray, const char *emailAddress, SecCertificateRef *certificate); /* These should go to SecKeychainSearchPriv.h. */ OSStatus SecKeychainSearchCreateForCertificateByIssuerAndSN(CFTypeRef keychainOrArray, const CSSM_DATA *issuer, const CSSM_DATA *serialNumber, SecKeychainSearchRef *searchRef); OSStatus SecKeychainSearchCreateForCertificateByIssuerAndSN_CF(CFTypeRef keychainOrArray, CFDataRef issuer, CFDataRef serialNumber, SecKeychainSearchRef *searchRef); OSStatus SecKeychainSearchCreateForCertificateBySubjectKeyID(CFTypeRef keychainOrArray, const CSSM_DATA *subjectKeyID, SecKeychainSearchRef *searchRef); OSStatus SecKeychainSearchCreateForCertificateByEmail(CFTypeRef keychainOrArray, const char *emailAddress, SecKeychainSearchRef *searchRef); /* Convenience function for generating digests; should be moved elsewhere. */ CSSM_RETURN SecDigestGetData(CSSM_ALGORITHMS alg, CSSM_DATA* digest, const CSSM_DATA* data); /* Return true iff certificate is valid as of verifyTime. */ /* DEPRECATED: Use SecCertificateIsValid instead. */ bool SecCertificateIsValidX(SecCertificateRef certificate, CFAbsoluteTime verifyTime) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); /*! @function SecCertificateIsValid @abstract Check certificate validity on a given date. @param certificate A certificate reference. @result Returns true if the specified date falls within the certificate's validity period, false otherwise. */ bool SecCertificateIsValid(SecCertificateRef certificate, CFAbsoluteTime verifyTime) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_2_0); /*! @function SecCertificateNotValidBefore @abstract Obtain the starting date of the given certificate. @param certificate A certificate reference. @result Returns the absolute time at which the given certificate becomes valid, or 0 if this value could not be obtained. */ CFAbsoluteTime SecCertificateNotValidBefore(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_2_0); /*! @function SecCertificateNotValidAfter @abstract Obtain the expiration date of the given certificate. @param certificate A certificate reference. @result Returns the absolute time at which the given certificate expires, or 0 if this value could not be obtained. */ CFAbsoluteTime SecCertificateNotValidAfter(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_2_0); /*! @function SecCertificateIsSelfSigned @abstract Determine if the given certificate is self-signed. @param certRef A certificate reference. @param isSelfSigned Will be set to true on return if the certificate is self-signed, false otherwise. @result A result code. Returns errSecSuccess if the certificate's status can be determined. */ OSStatus SecCertificateIsSelfSigned(SecCertificateRef certRef, Boolean *isSelfSigned) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_9_0); /*! @function SecCertificateIsSelfSignedCA @abstract Determine if the given certificate is self-signed and has a basic constraints extension indicating it is a certificate authority. @param certificate A certificate reference. @result Returns true if the certificate is self-signed and has a basic constraints extension indicating it is a certificate authority, otherwise false. */ bool SecCertificateIsSelfSignedCA(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); /*! @function SecCertificateIsCA @abstract Determine if the given certificate has a basic constraints extension indicating it is a certificate authority. @param certificate A certificate reference. @result Returns true if the certificate has a basic constraints extension indicating it is a certificate authority, otherwise false. */ bool SecCertificateIsCA(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); /*! @function SecCertificateCopyEscrowRoots @abstract Retrieve the array of valid escrow certificates for a given root type. @param escrowRootType An enumerated type indicating which root type to return. @result An array of zero or more escrow certificates matching the provided type. */ CFArrayRef SecCertificateCopyEscrowRoots(SecCertificateEscrowRootType escrowRootType) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); /* Return an attribute dictionary used to store this item in a keychain. */ CFDictionaryRef SecCertificateCopyAttributeDictionary(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /* * Enumerated constants for signature hash algorithms. */ typedef uint32_t SecSignatureHashAlgorithm; enum { kSecSignatureHashAlgorithmUnknown = 0, kSecSignatureHashAlgorithmMD2 = 1, kSecSignatureHashAlgorithmMD4 = 2, kSecSignatureHashAlgorithmMD5 = 3, kSecSignatureHashAlgorithmSHA1 = 4, kSecSignatureHashAlgorithmSHA224 = 5, kSecSignatureHashAlgorithmSHA256 = 6, kSecSignatureHashAlgorithmSHA384 = 7, kSecSignatureHashAlgorithmSHA512 = 8 }; /*! @function SecCertificateGetSignatureHashAlgorithm @abstract Determine the hash algorithm used in a certificate's signature. @param certificate A certificate reference. @result Returns an enumerated value indicating the signature hash algorithm used in a certificate. If the hash algorithm is unsupported or cannot be obtained (e.g. because the supplied certificate reference is invalid), a value of 0 (kSecSignatureHashAlgorithmUnknown) is returned. */ SecSignatureHashAlgorithm SecCertificateGetSignatureHashAlgorithm(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); /*! @function SecCertificateCopyProperties @abstract Return a property array for this trust certificate. @param certificate A reference to the certificate to evaluate. @result A property array. It is the caller's responsability to CFRelease the returned array when it is no longer needed. See SecTrustCopySummaryPropertiesAtIndex on how to intepret this array. Unlike that function call this function returns a detailed description of the certificate in question. */ CFArrayRef SecCertificateCopyProperties(SecCertificateRef certificate); CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA256Digest(SecCertificateRef certificate); /* Returns an array of CFDataRefs for all embedded SCTs */ CFArrayRef SecCertificateCopySignedCertificateTimestamps(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); /* Return the precert TBSCertificate DER data - used for Certificate Transparency */ CFDataRef SecCertificateCopyPrecertTBS(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); #if defined(__cplusplus) } #endif #endif /* !_SECURITY_SECCERTIFICATEPRIV_H_ */