#ifndef _SECURITY_SECTRUSTSERVER_H_
#define _SECURITY_SECTRUSTSERVER_H_
#include <CoreFoundation/CFString.h>
#include <Security/SecTrust.h>
#include <Security/SecBasePriv.h>
#include "trust/trustd/SecCertificateServer.h"
#include "trust/trustd/SecCertificateSource.h"
#include <mach/port.h>
__BEGIN_DECLS
/* Opaque handle to one trust-evaluation path builder. The struct is defined
 * in the implementation file, so callers can only go through the
 * SecPathBuilder* functions declared below. */
typedef struct SecPathBuilder *SecPathBuilderRef;
/* Handle to a policy verification context (PVC). Unlike the builder, its
 * layout is exposed in this header (struct OpaqueSecPVC). */
typedef struct OpaqueSecPVC *SecPVCRef;
/* Policy verification context. A builder holds several of these
 * (SecPathBuilderGetPVCCount / SecPathBuilderGetPVCAtIndex), one per policy
 * set being checked — presumably. Only the field types are established by
 * this header; the meaning of each field is noted as an assumption where it
 * is not obvious from the type. */
struct OpaqueSecPVC {
    SecPathBuilderRef builder;         /* the builder this PVC belongs to */
    CFArrayRef policies;               /* policies this PVC evaluates */
    CFDictionaryRef callbacks;         /* NOTE(review): presumably maps policy check keys to check
                                          functions — confirm in the implementation */
    CFIndex policyIX;                  /* presumably the index into `policies` of the policy
                                          currently being checked */
    bool require_revocation_response;  /* NOTE(review): presumably a missing revocation response
                                          is itself a failure when set — confirm */
    CFArrayRef leafDetails;            /* details recorded for the leaf-only pass — presumably */
    SecTrustResultType leafResult;     /* result of the leaf-only pass — presumably */
    CFArrayRef details;                /* details recorded for the full path — presumably */
    SecTrustResultType result;         /* overall result for this PVC */
};
/* Completion callback type for SecPathBuilderCreate. `userData` is the opaque
 * pointer handed to SecPathBuilderCreate; `chain`, `details` and `info` are the
 * evaluation outputs and `result` the final SecTrustResultType. Ownership of
 * the CF arguments across the callback is not specified here — retain before
 * keeping any of them past the call. Note that SecTrustServerEvaluateBlock's
 * block below uses a different argument order. */
typedef void(*SecPathBuilderCompleted)(const void *userData,
    CFArrayRef chain, CFArrayRef details, CFDictionaryRef info,
    SecTrustResultType result);
/* Creates a path builder for one trust evaluation. Ownership follows the CF
 * naming convention throughout this header: *Create/*Copy results are owned
 * by the caller (release them), *Get results are borrowed from the builder.
 *
 * clientAuditToken: NOTE(review): presumably the audit token of the
 *   requesting process, so that decisions can be attributed to and restricted
 *   by the caller — confirm whether NULL is accepted for in-process use.
 * certificates / anchors: the chain to evaluate and the caller's anchors.
 * anchorsOnly: presumably restricts acceptable roots to `anchors`.
 * keychainsAllowed: presumably whether keychain-resident certificates may be
 *   used as a certificate source.
 * policies: policies to evaluate (see SecTrust.h).
 * ocspResponse / signedCertificateTimestamps / trustedLogs: caller-supplied
 *   revocation and CT inputs. NOTE(review): these originate with the client;
 *   the implementation must validate them rather than trust them as given.
 * verifyTime: the caller-controlled "as of" time for the evaluation.
 * accessGroups: see the __unused marking on the evaluate entry points below.
 * exceptions: previously saved trust exceptions to apply.
 * completed / userData: callback fired when the evaluation ends.
 * Release the result with SecPathBuilderDestroy. */
SecPathBuilderRef SecPathBuilderCreate(dispatch_queue_t builderQueue, CFDataRef clientAuditToken,
    CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly,
    bool keychainsAllowed, CFArrayRef policies, CFArrayRef ocspResponse,
    CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs,
    CFAbsoluteTime verifyTime, CFArrayRef accessGroups, CFArrayRef exceptions,
    SecPathBuilderCompleted completed, const void *userData);
/* Frees the builder and everything it owns. */
void SecPathBuilderDestroy(SecPathBuilderRef builder);
/* Presumably reports whether the current path passed validation. */
bool SecPathBuilderDidValidatePath(SecPathBuilderRef builder);
/* Presumably delivers the final result through the completion callback. */
bool SecPathBuilderReportResult(SecPathBuilderRef builder);

/* Network access switch. NOTE(review): presumably gates every outbound fetch
 * the builder can make (the OCSP and CA-issuer fetches counted in
 * TrustAnalyticsBuilder); clearing it should force an offline-only
 * evaluation — confirm at the fetch sites, which are not in this header. */
bool SecPathBuilderCanAccessNetwork(SecPathBuilderRef builder);
void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow);

/* Caller-owned copies of the CT and revocation inputs given at creation. */
CFArrayRef SecPathBuilderCopySignedCertificateTimestamps(SecPathBuilderRef builder);
CFArrayRef SecPathBuilderCopyOCSPResponses(SecPathBuilderRef builder);
CFDictionaryRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder);

/* Candidate paths. "Get" accessors return references owned by the builder;
 * they become invalid once the builder is destroyed. */
CFSetRef SecPathBuilderGetAllPaths(SecPathBuilderRef builder);
SecCertificatePathVCRef SecPathBuilderGetPath(SecPathBuilderRef builder);
SecCertificatePathVCRef SecPathBuilderGetBestPath(SecPathBuilderRef builder);
void SecPathBuilderSetPath(SecPathBuilderRef builder, SecCertificatePathVCRef path);

/* Evaluation inputs as stored in the builder. `ix` presumably follows the
 * SecTrust convention where index 0 is the leaf — confirm. */
CFAbsoluteTime SecPathBuilderGetVerifyTime(SecPathBuilderRef builder);
CFIndex SecPathBuilderGetCertificateCount(SecPathBuilderRef builder);
SecCertificateRef SecPathBuilderGetCertificateAtIndex(SecPathBuilderRef builder, CFIndex ix);
CFArrayRef SecPathBuilderGetExceptions(SecPathBuilderRef builder);
bool SecPathBuilderHasTemporalParentChecks(SecPathBuilderRef builder);

/* Anchoring state: whether the current path ends in an anchor, whether a
 * given source is treated as an anchor source, and the application-supplied
 * anchor source. */
bool SecPathBuilderIsAnchored(SecPathBuilderRef builder);
bool SecPathBuilderIsAnchorSource(SecPathBuilderRef builder, SecCertificateSourceRef source);
SecCertificateSourceRef SecPathBuilderGetAppAnchorSource(SecPathBuilderRef builder);

/* PVC access. SecPathBuilderSetResultInPVCs records `result` under `key` at
 * certificate index `ix` in every PVC; `force` presumably overwrites an
 * existing entry — confirm. */
CFIndex SecPathBuilderGetPVCCount(SecPathBuilderRef builder);
SecPVCRef SecPathBuilderGetPVCAtIndex(SecPathBuilderRef builder, CFIndex ix);
SecPVCRef SecPathBuilderGetResultPVC(SecPathBuilderRef builder);
void SecPathBuilderSetResultInPVCs(SecPathBuilderRef builder, CFStringRef key,
    CFIndex ix, CFTypeRef result, bool force);

/* Outstanding asynchronous work (network fetches, presumably). The decrement
 * presumably returns the remaining count so the caller can detect zero. */
unsigned int SecPathBuilderDecrementAsyncJobCount(SecPathBuilderRef builder);
void SecPathBuilderSetAsyncJobCount(SecPathBuilderRef builder, unsigned int jobCount);
unsigned int SecPathBuilderGetAsyncJobCount(SecPathBuilderRef builder);

/* Mutable info dictionary that ends up as the `info` output; borrowed. */
CFMutableDictionaryRef SecPathBuilderGetInfo(SecPathBuilderRef builder);

/* Revocation configuration. The two Set*CheckRevocation* functions take no
 * value: they are one-way switches, and this header offers no way to clear
 * them once set. */
CFStringRef SecPathBuilderGetRevocationMethod(SecPathBuilderRef builder);
void SecPathBuilderSetRevocationMethod(SecPathBuilderRef builder, CFStringRef method);
bool SecPathBuilderGetCheckRevocationOnline(SecPathBuilderRef builder);
void SecPathBuilderSetCheckRevocationOnline(SecPathBuilderRef builder);
bool SecPathBuilderGetCheckRevocationIfTrusted(SecPathBuilderRef builder);
void SecPathBuilderSetCheckRevocationIfTrusted(SecPathBuilderRef builder);

/* Advances the builder's state machine by one step; the bool presumably
 * indicates whether there is more work to do — confirm. */
bool SecPathBuilderStep(SecPathBuilderRef builder);
/* Queue the builder runs on (borrowed) and a caller-owned copy of the
 * client audit token given at creation. */
dispatch_queue_t SecPathBuilderGetQueue(SecPathBuilderRef builder);
CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder);

/* Asynchronous evaluation entry point. Parameters mirror SecPathBuilderCreate;
 * `accessGroups` is declared __unused, so callers should not expect it to
 * influence the result. The `evaluated` block's argument order (result first,
 * chain after info, plus an error) differs from SecPathBuilderCompleted. */
void SecTrustServerEvaluateBlock(dispatch_queue_t builderQueue, CFDataRef clientAuditToken,
    CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed,
    CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs,
    CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions,
    void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info,
                      CFArrayRef chain, CFErrorRef error));
/* Synchronous evaluation. Returns the SecTrustResultType and fills the out
 * parameters. NOTE(review): whether `*error` is populated on success, and
 * which out-parameters may be NULL, is not specified here — callers should
 * decide on the returned result, not on `*error` being non-NULL. */
SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors,
    bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses,
    CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime,
    __unused CFArrayRef accessGroups, CFArrayRef exceptions,
    CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
/* Bit set recording how Signed Certificate Timestamps were delivered. The
 * three bits presumably correspond to the RFC 6962 delivery mechanisms
 * (certificate extension, OCSP response, TLS extension). Member naming is
 * inconsistent (TA_SCTEmbedded vs TA_SCT_OCSP); left as-is because renaming
 * would be a source-compatibility change. */
typedef CF_OPTIONS(uint8_t, TA_SCTSource) {
    TA_SCTEmbedded = 1 << 0,  /* SCT embedded in the certificate */
    TA_SCT_OCSP = 1 << 1,     /* SCT carried in an OCSP response */
    TA_SCT_TLS = 1 << 2,      /* SCT carried in the TLS handshake */
};
/* Bit set describing the outcome of the local "Valid" revocation lookup —
 * presumably; this header only declares the bits. Being CF_OPTIONS, more
 * than one bit may be set at once, so consumers should not switch on the
 * value as if it were an enum. */
typedef CF_OPTIONS(uint8_t, TAValidStatus) {
    TAValidDefinitelyOK = 1 << 0,
    TAValidProbablyOK = 1 << 1,
    TAValidProbablyRevoked = 1 << 2,
    TAValidDefinitelyRevoked = 1 << 3,
    TAValidDateConstrainedOK = 1 << 4,
    TAValidDateConstrainedRevoked = 1 << 5,
    TAValidPolicyConstrainedOK = 1 << 6,
    TAValidPolicyConstrainedDenied = 1 << 7,
};
/* Per-evaluation counters and flags collected for analytics, returned by
 * SecPathBuilderGetAnalyticsData. Plain C struct with value fields, so it can
 * be copied by value. Units of the *_time fields are not declared here —
 * confirm (ns vs ms) before reporting or comparing them. Field meanings
 * beyond what the names say are assumptions. */
typedef struct {
    uint64_t start_time;                  /* evaluation start timestamp (units not declared) */
    bool suspected_mitm;                  /* NOTE(review): presumably set when the chain looks like
                                             interception; a useful detection signal if surfaced */
    bool ca_fail_eku_check;               /* a CA certificate failed an EKU check — presumably */
    bool tls_invalid_ku;                  /* key usage unsuitable for TLS — presumably */
    /* Certificate Transparency */
    TA_SCTSource sct_sources;             /* where SCTs came from (bit set) */
    uint32_t number_scts;                 /* total SCTs seen */
    uint32_t number_trusted_scts;         /* SCTs from logs in trustedLogs — presumably */
    bool ct_one_current;                  /* at least one SCT from a currently trusted log — presumably */
    /* CA issuer (AIA) fetching */
    bool ca_issuer_cache_hit;
    bool ca_issuer_network;               /* a network fetch was attempted */
    uint32_t ca_issuer_fetches;
    uint64_t ca_issuer_fetch_time;        /* units not declared */
    uint32_t ca_issuer_fetch_failed;
    bool ca_issuer_unsupported_data;      /* fetched data could not be parsed — presumably */
    bool ca_issuer_multiple_certs;
    /* OCSP */
    bool ocsp_no_check;                   /* presumably the id-pkix-ocsp-nocheck case — confirm */
    bool ocsp_cache_hit;
    bool ocsp_network;                    /* a network fetch was attempted */
    uint32_t ocsp_fetches;
    uint64_t ocsp_fetch_time;             /* units not declared */
    uint32_t ocsp_fetch_failed;
    bool ocsp_validation_failed;          /* response obtained but did not verify — presumably */
    bool ocsp_weak_hash;                  /* response signed with a weak hash — presumably */
    /* Local "Valid" revocation database */
    TAValidStatus valid_status;           /* bit set, see TAValidStatus */
    bool valid_trigger_ocsp;
    bool valid_require_ct;
    bool valid_known_intermediates_only;
    bool valid_unknown_intermediate;
} TrustAnalyticsBuilder;
/* Returns a pointer to the builder's analytics record. Per the "Get" naming
 * this is borrowed storage: do not free it, and do not use it after
 * SecPathBuilderDestroy. Mutating through the pointer affects what the
 * builder reports — presumably; confirm in the implementation. */
TrustAnalyticsBuilder *SecPathBuilderGetAnalyticsData(SecPathBuilderRef builder);
__END_DECLS
#endif