/*
 * Copyright (c) 2003-2004,2006-2010,2013-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 * OTATrustUtilities.h
 */

#ifndef _OTATRUSTUTILITIES_H_
#define _OTATRUSTUTILITIES_H_ 1

#include <CoreFoundation/CoreFoundation.h>
#include <sys/types.h>
#include <stdio.h>

__BEGIN_DECLS

/*
 * Conventions used throughout this header:
 *
 *  - Functions with "Copy" in the name hand the caller an owned object;
 *    the caller is responsible for releasing it.
 *  - Functions with "Get" in the name that return `const char*` hand back
 *    a borrowed pointer. The caller must NOT free it and should hold a
 *    reference to the SecOTAPKIRef until finished with the pointer.
 *
 * NOTE(review): apart from the two snapshot-path getters, this header does
 * not say whether an accessor can return NULL (for example when passed a
 * NULL otapkiRef). Callers should check results before use; confirm the
 * actual behaviour against the implementation.
 */

/**
 * Opaque handle holding the data for one specific version of the
 * OTA PKI assets.
 */
typedef struct _OpaqueSecOTAPKI *SecOTAPKIRef;

/**
 * Obtains a reference to the current OTA PKI asset data.
 *
 * @return An owned SecOTAPKIRef; the caller must release it.
 */
CF_EXPORT
SecOTAPKIRef SecOTAPKICopyCurrentOTAPKIRef(void);

/**
 * Returns a copy of the current set of blacklisted keys.
 * The element type of the set is not specified in this header.
 *
 * @param otapkiRef Asset data to read from.
 * @return An owned CFSetRef; the caller must release it.
 */
CF_EXPORT
CFSetRef SecOTAPKICopyBlackListSet(SecOTAPKIRef otapkiRef);

/**
 * Returns a copy of the current set of graylisted keys.
 * The element type of the set is not specified in this header.
 *
 * @param otapkiRef Asset data to read from.
 * @return An owned CFSetRef; the caller must release it.
 */
CF_EXPORT
CFSetRef SecOTAPKICopyGrayList(SecOTAPKIRef otapkiRef);

/**
 * Returns a copy of the current allow list dictionary.
 *
 * @param otapkiRef Asset data to read from.
 * @return An owned CFDictionaryRef; the caller must release it.
 */
CF_EXPORT
CFDictionaryRef SecOTAPKICopyAllowList(SecOTAPKIRef otapkiRef);

/**
 * Returns a copy of the allow list for one specific authority key ID.
 *
 * @param otapkiRef Asset data to read from.
 * @param authKeyID Authority key ID whose allow list is wanted.
 *                  NOTE(review): the expected string encoding of the ID
 *                  is not stated here; confirm against callers.
 * @return An owned CFArrayRef; the caller must release it.
 */
CF_EXPORT
CFArrayRef SecOTAPKICopyAllowListForAuthKeyID(SecOTAPKIRef otapkiRef, CFStringRef authKeyID);

/**
 * Returns a copy of the currently trusted certificate transparency logs.
 *
 * @param otapkiRef Asset data to read from.
 * @return An owned CFArrayRef; the caller must release it.
 */
CF_EXPORT
CFArrayRef SecOTAPKICopyTrustedCTLogs(SecOTAPKIRef otapkiRef);

/**
 * Returns a copy of the current pinning list.
 *
 * @param otapkiRef Asset data to read from.
 * @return An owned CFArrayRef; the caller must release it.
 */
CF_EXPORT
CFArrayRef SecOTAPKICopyPinningList(SecOTAPKIRef otapkiRef);

/**
 * Returns the array of Escrow certificates.
 * Note the argument order: the root type comes BEFORE the asset reference,
 * unlike the other accessors in this header.
 *
 * @param escrowRootType Selects which escrow roots to return; the valid
 *                       values are defined outside this header.
 * @param otapkiRef      Asset data to read from.
 * @return An owned CFArrayRef; the caller must release it.
 */
CF_EXPORT
CFArrayRef SecOTAPKICopyEscrowCertificates(uint32_t escrowRootType, SecOTAPKIRef otapkiRef);

/**
 * Returns the dictionary mapping EV Policy OIDs to Anchor digest.
 *
 * @param otapkiRef Asset data to read from.
 * @return An owned CFDictionaryRef; the caller must release it.
 */
CF_EXPORT
CFDictionaryRef SecOTAPKICopyEVPolicyToAnchorMapping(SecOTAPKIRef otapkiRef);

/**
 * Returns the dictionary mapping anchor digest to file offset.
 *
 * @param otapkiRef Asset data to read from.
 * @return An owned CFDictionaryRef; the caller must release it.
 */
CF_EXPORT
CFDictionaryRef SecOTAPKICopyAnchorLookupTable(SecOTAPKIRef otapkiRef);

/**
 * Returns the pointer to the top of the anchor certs file.
 *
 * The pointer is borrowed: do NOT free it, and hold a reference to
 * otapkiRef until finished with it.
 *
 * NOTE(review): no length accompanies this pointer in this header, so a
 * caller indexing it with offsets from the anchor lookup table has no
 * bound available from this API alone. Confirm where the size of the
 * table is obtained and that offsets are validated against it.
 *
 * @param otapkiRef Asset data to read from.
 * @return Borrowed pointer to the start of the anchor table.
 */
CF_EXPORT
const char* SecOTAPKIGetAnchorTable(SecOTAPKIRef otapkiRef);

/**
 * Returns the full path to the valid update snapshot resource.
 *
 * The pointer is borrowed: do NOT free it, and hold a reference to
 * otapkiRef until finished with it.
 *
 * @param otapkiRef Asset data to read from.
 * @return Borrowed path string, or NULL if the resource does not exist.
 */
CF_EXPORT
const char* SecOTAPKIGetValidUpdateSnapshot(SecOTAPKIRef otapkiRef);

/**
 * Returns the full path to the valid database snapshot resource.
 *
 * The pointer is borrowed: do NOT free it, and hold a reference to
 * otapkiRef until finished with it.
 *
 * @param otapkiRef Asset data to read from.
 * @return Borrowed path string, or NULL if the resource does not exist.
 */
CF_EXPORT
const char* SecOTAPKIGetValidDatabaseSnapshot(SecOTAPKIRef otapkiRef);

/**
 * Returns the current valid snapshot version.
 *
 * @param otapkiRef Asset data to read from.
 */
CF_EXPORT
CFIndex SecOTAPKIGetValidSnapshotVersion(SecOTAPKIRef otapkiRef);

/**
 * Returns the current valid snapshot format.
 *
 * @param otapkiRef Asset data to read from.
 */
CF_EXPORT
CFIndex SecOTAPKIGetValidSnapshotFormat(SecOTAPKIRef otapkiRef);

/**
 * Returns the current OTA PKI asset version number.
 *
 * @param otapkiRef Asset data to read from.
 */
CF_EXPORT
int SecOTAPKIGetAssetVersion(SecOTAPKIRef otapkiRef);

/**
 * Signals that a new OTA PKI asset version is available. After this call
 * the current SecOTAPKIRef references the latest asset data.
 *
 * NOTE(review): a SecOTAPKIRef copied before this call presumably keeps
 * describing the older asset version it was created for; confirm, since
 * long-lived holders would then evaluate trust against stale data.
 */
CF_EXPORT
void SecOTAPKIRefreshData(void);

/**
 * SPI returning the array of currently trusted Escrow certificates.
 *
 * @param escrowRootType Selects which escrow roots to return; the valid
 *                       values are defined outside this header.
 * @param error          Out-parameter for failure details.
 *                       NOTE(review): ownership of *error and whether
 *                       NULL may be passed are not stated here; confirm.
 * @return A CFArrayRef of certificates.
 *         NOTE(review): the name lacks the "caller must release" remark
 *         the other Copy functions carry, but follows the Copy naming;
 *         presumably the caller owns the result. Confirm.
 */
CF_EXPORT
CFArrayRef SecOTAPKICopyCurrentEscrowCertificates(uint32_t escrowRootType, CFErrorRef* error);

/**
 * SPI returning the current OTA PKI asset version.
 *
 * @param error Out-parameter for failure details.
 *              NOTE(review): ownership of *error is not stated; confirm.
 * @return The asset version.
 *         NOTE(review): the value returned on failure is not documented
 *         here; callers comparing versions should confirm it.
 */
CF_EXPORT
int SecOTAPKIGetCurrentAssetVersion(CFErrorRef* error);

/**
 * SPI that signals securityd to get a new set of trust data.
 *
 * @param error Out-parameter for failure details.
 *              NOTE(review): ownership of *error is not stated; confirm.
 * @return An int whose meaning is not documented in this header.
 */
CF_EXPORT
int SecOTAPKISignalNewAsset(CFErrorRef* error);

__END_DECLS

#endif /* _OTATRUSTUTILITIES_H_ */