#ifndef _SECURITY_SECTRUSTSERVER_H_
#define _SECURITY_SECTRUSTSERVER_H_
#include <CoreFoundation/CFString.h>
#include <Security/SecTrust.h>
#include <Security/SecBasePriv.h>
#include <securityd/SecCertificateServer.h>
#include <securityd/SecCertificateSource.h>
#include <mach/port.h>
__BEGIN_DECLS
/* CRL support is compiled in only when TARGET_OS_OSX is set; see the
   #if ENABLE_CRLS block inside TrustAnalyticsBuilder below. */
#define ENABLE_CRLS TARGET_OS_OSX

/* Opaque handle to one in-progress trust evaluation. The struct itself is
   not defined in this header. */
typedef struct SecPathBuilder *SecPathBuilderRef;

/* Policy verification context. Unlike SecPathBuilder, the struct is defined
   below, so code in this module can read its fields directly. */
typedef struct OpaqueSecPVC *SecPVCRef;
/* Per-evaluation policy verification state. Holds the policies being
   applied and the accumulated per-certificate details and results. */
struct OpaqueSecPVC {
    /* Builder this context belongs to (presumably a non-owning back
       reference; confirm against the implementation). */
    SecPathBuilderRef builder;
    /* Policies (SecPolicyRef) applied during this evaluation. */
    CFArrayRef policies;
    /* Policy check callbacks, keyed by policy check name; exact key/value
       types are not visible here. */
    CFDictionaryRef callbacks;
    /* Index of the policy currently being evaluated. */
    CFIndex policyIX;
    /* When set, the evaluation does not succeed without a revocation
       response (NOTE(review): inferred from the name — verify in the .c). */
    bool require_revocation_response;
    /* Details and result recorded for the leaf certificate alone. */
    CFArrayRef leafDetails;
    SecTrustResultType leafResult;
    /* Details and result for the whole path under evaluation. */
    CFArrayRef details;
    SecTrustResultType result;
};
/* Completion callback handed to SecPathBuilderCreate. Receives the caller's
   userData back unchanged, the certificate chain that was built, the
   per-certificate details array, an info dictionary and the overall
   SecTrustResultType. Ownership of the CF arguments is not stated here;
   retain them if they must outlive the callback. */
typedef void(*SecPathBuilderCompleted)(const void *userData,
    CFArrayRef chain, CFArrayRef details, CFDictionaryRef info,
    SecTrustResultType result);
/* Creates a path builder for one trust evaluation.
   clientAuditToken  audit token of the requesting client (presumably used
                     to evaluate on that client's behalf; confirm in the .c).
   certificates      leaf plus any intermediates supplied by the client.
   anchors           caller-supplied trust anchors.
   anchorsOnly       if true, only `anchors` are considered as anchors (by
                     name; not verifiable from this header).
   keychainsAllowed  whether keychain certificate sources may be consulted.
   policies          SecPolicyRef array to evaluate against.
   ocspResponse      stapled OCSP responses supplied by the client.
   signedCertificateTimestamps / trustedLogs
                     SCTs and the CT log list used for CT checks.
   verifyTime        time at which validity is checked.
   accessGroups      client access groups.
   exceptions        trust exceptions previously recorded for this chain.
   completed / userData
                     callback invoked when evaluation finishes.
   Returns a new builder; release semantics are not stated here. */
SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken,
    CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly,
    bool keychainsAllowed, CFArrayRef policies, CFArrayRef ocspResponse,
    CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs,
    CFAbsoluteTime verifyTime, CFArrayRef accessGroups, CFArrayRef exceptions,
    SecPathBuilderCompleted completed, const void *userData);
/* Network policy for this evaluation: whether the builder may perform
   network fetches (issuer / revocation lookups are the likely users;
   confirm in the .c). */
bool SecPathBuilderCanAccessNetwork(SecPathBuilderRef builder);
void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow);

/* Copies of the client-supplied CT and OCSP inputs. "Copy" in the name
   follows the CF convention: the caller owns the returned array. */
CFArrayRef SecPathBuilderCopySignedCertificateTimestamps(SecPathBuilderRef builder);
CFArrayRef SecPathBuilderCopyOCSPResponses(SecPathBuilderRef builder);
CFArrayRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder);

/* Candidate paths. "Get" accessors return references owned by the builder;
   do not release them. */
CFSetRef SecPathBuilderGetAllPaths(SecPathBuilderRef builder);
SecCertificatePathVCRef SecPathBuilderGetPath(SecPathBuilderRef builder);
SecCertificatePathVCRef SecPathBuilderGetBestPath(SecPathBuilderRef builder);

/* Evaluation inputs as given to SecPathBuilderCreate. */
CFAbsoluteTime SecPathBuilderGetVerifyTime(SecPathBuilderRef builder);
CFIndex SecPathBuilderGetCertificateCount(SecPathBuilderRef builder);
SecCertificateRef SecPathBuilderGetCertificateAtIndex(SecPathBuilderRef builder, CFIndex ix);
CFArrayRef SecPathBuilderGetExceptions(SecPathBuilderRef builder);

/* Path state queries. Exact semantics of "temporal parent checks" are not
   visible from this header. */
bool SecPathBuilderHasTemporalParentChecks(SecPathBuilderRef builder);
bool SecPathBuilderIsAnchored(SecPathBuilderRef builder);
/* True when `source` is one of the builder's anchor sources. */
bool SecPathBuilderIsAnchorSource(SecPathBuilderRef builder, SecCertificateSourceRef source);
SecCertificateSourceRef SecPathBuilderGetAppAnchorSource(SecPathBuilderRef builder);

/* Policy verification contexts, one per policy set under evaluation. */
CFIndex SecPathBuilderGetPVCCount(SecPathBuilderRef builder);
SecPVCRef SecPathBuilderGetPVCAtIndex(SecPathBuilderRef builder, CFIndex ix);
SecPVCRef SecPathBuilderGetResultPVC(SecPathBuilderRef builder);
/* Records `result` under `key` for certificate `ix` in every PVC; `force`
   presumably overrides an existing entry — verify against the .c. */
void SecPathBuilderSetResultInPVCs(SecPathBuilderRef builder, CFStringRef key,
    CFIndex ix, CFTypeRef result, bool force);

/* Outstanding asynchronous work (e.g. fetches). Decrement returns the new
   count, by its unsigned return type; confirm whether it is pre- or
   post-decrement in the implementation. */
unsigned int SecPathBuilderDecrementAsyncJobCount(SecPathBuilderRef builder);
void SecPathBuilderSetAsyncJobCount(SecPathBuilderRef builder, unsigned int jobCount);
unsigned int SecPathBuilderGetAsyncJobCount(SecPathBuilderRef builder);

/* Mutable info dictionary reported to the client on completion. */
CFMutableDictionaryRef SecPathBuilderGetInfo(SecPathBuilderRef builder);

/* Revocation settings. Note the two Set…Online / Set…IfTrusted setters take
   no value: once set, these flags cannot be cleared through this API. */
CFStringRef SecPathBuilderGetRevocationMethod(SecPathBuilderRef builder);
void SecPathBuilderSetRevocationMethod(SecPathBuilderRef builder, CFStringRef method);
bool SecPathBuilderGetCheckRevocationOnline(SecPathBuilderRef builder);
void SecPathBuilderSetCheckRevocationOnline(SecPathBuilderRef builder);
bool SecPathBuilderGetCheckRevocationIfTrusted(SecPathBuilderRef builder);
void SecPathBuilderSetCheckRevocationIfTrusted(SecPathBuilderRef builder);

/* Advances the evaluation state machine by one step; the bool return
   presumably indicates whether more steps remain (not stated here). */
bool SecPathBuilderStep(SecPathBuilderRef builder);
/* Queue on which the builder's work runs. */
dispatch_queue_t SecPathBuilderGetQueue(SecPathBuilderRef builder);
/* Caller-owned copy of the client audit token given at creation. */
CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder);
/* Asynchronous entry point: runs a full evaluation and invokes `evaluated`
   with the result, details, info, chain and any error. `accessGroups` is
   declared __unused, so callers should not expect it to affect the
   outcome. Parameters otherwise mirror SecPathBuilderCreate. */
void SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates,
    CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies,
    CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs,
    CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions,
    void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info,
                      CFArrayRef chain, CFErrorRef error));

/* Synchronous variant without a client audit token. Results come back
   through the trailing out-parameters (details, info, chain, error); each
   may presumably be NULL if the caller does not want it — confirm in the
   .c. Callers should branch on the returned SecTrustResultType rather than
   on whether *error was set. */
SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors,
    bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses,
    CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime,
    __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details,
    CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
/* Bitmask of where signed certificate timestamps were obtained from
   (embedded in the certificate, an OCSP response, or the TLS handshake). */
typedef CF_OPTIONS(uint8_t, TA_SCTSource) {
    TA_SCTEmbedded = 1 << 0,
    TA_SCT_OCSP = 1 << 1,
    TA_SCT_TLS = 1 << 2,
};
/* Why a Certificate Transparency check did not pass, recorded for
   analytics. Values are stable numbers (stored in TrustAnalyticsBuilder),
   so new reasons should be appended rather than renumbered. */
typedef CF_ENUM(uint8_t, TA_CTFailureReason) {
    TA_CTNoFailure = 0,
    TA_CTNoSCTs = 1,
    TA_CTMissingLogs = 2,
    TA_CTNoCurrentSCTsUnknownLog = 3,
    TA_CTNoCurrentSCTsDisqualifiedLog = 4,
    TA_CTPresentedNotEnoughUnknown = 5,
    TA_CTPresentedNotEnoughDisqualified = 6,
    TA_CTPresentedNotEnough = 7,
    TA_CTEmbeddedNotEnoughUnknown = 8,
    TA_CTEmbeddedNotEnoughDisqualified = 9,
    TA_CTEmbeddedNotEnough = 10,
};
/* Bitmask of outcomes from the Valid (revocation database) check. The
   misspelled TAValidDateContrainedRevoked is part of the existing API
   surface; keep it for source compatibility. */
typedef CF_OPTIONS(uint8_t, TAValidStatus) {
    TAValidDefinitelyOK = 1 << 0,
    TAValidProbablyOK = 1 << 1,
    TAValidProbablyRevoked = 1 << 2,
    TAValidDefinitelyRevoked = 1 << 3,
    TAValidDateConstrainedOK = 1 << 4,
    TAValidDateContrainedRevoked = 1 << 5,
};
/* Per-evaluation analytics counters filled in by the builder. Time fields
   are uint64_t; their unit and clock are not stated in this header. */
typedef struct {
    uint64_t start_time;
    /* Certificate Transparency */
    TA_SCTSource sct_sources;
    uint32_t number_scts;
    uint32_t number_trusted_scts;
    TA_CTFailureReason ct_failure_reason;
    bool ct_one_current;
    /* CA issuer (AIA) fetching */
    bool ca_issuer_cache_hit;
    bool ca_issuer_network;
    uint32_t ca_issuer_fetches;
    uint64_t ca_issuer_fetch_time;
    uint32_t ca_issuer_fetch_failed;
    bool ca_issuer_unsupported_data;
    bool ca_issuer_multiple_certs;
    /* OCSP */
    bool ocsp_no_check;
    bool ocsp_cache_hit;
    bool ocsp_network;
    uint32_t ocsp_fetches;
    uint64_t ocsp_fetch_time;
    uint32_t ocsp_fetch_failed;
    bool ocsp_validation_failed;
    /* CRL fields exist only on macOS builds (ENABLE_CRLS), so the struct
       layout differs between platforms; do not share it across the wire. */
#if ENABLE_CRLS
    bool crl_client;
    bool crl_cert;
    uint32_t crl_fetches;
    uint64_t crl_fetch_time;
    uint32_t crl_fetch_failed;
#endif
    /* Valid database */
    TAValidStatus valid_status;
    bool valid_trigger_ocsp;
    bool valid_require_ct;
    bool valid_known_intermediates_only;
    bool valid_unknown_intermediate;
} TrustAnalyticsBuilder;
/* Returns the builder's analytics record for in-place updates. Per the
   "Get" naming, the pointer is owned by the builder: do not free it and do
   not use it after the builder is gone. */
TrustAnalyticsBuilder *SecPathBuilderGetAnalyticsData(SecPathBuilderRef builder);
__END_DECLS
#endif