#ifndef _SECURITY_TRUST_H_
#define _SECURITY_TRUST_H_
#include <CoreFoundation/CoreFoundation.h>
#include <security_keychain/StorageManager.h>
#include <security_cdsa_client/tpclient.h>
#include <security_utilities/cfutilities.h>
#include <Security/SecTrust.h>
#include <security_keychain/Certificate.h>
#include <security_keychain/Policies.h>
#include <security_keychain/TrustStore.h>
#include <vector>
// NOTE(review): a using-directive at header scope leaks into every translation
// unit that includes this file. The unqualified CssmClient names used below
// (e.g. TP, TPVerifyResult) rely on it, so it cannot simply be dropped without
// qualifying those uses.
using namespace CssmClient;
namespace Security {
namespace KeychainCore {
/// Evaluation state for one SecTrustRef: the leaf/intermediate certificates,
/// the policies they are checked against, optional caller-supplied anchors,
/// and the results produced by evaluate().
///
/// Setters only record their argument; nothing is verified until evaluate()
/// runs. Result accessors reflect the most recent evaluation.
class Trust : public SecCFObject
{
    NOCOPY(Trust)

public:
    SECCFFUNCTIONS(Trust, SecTrustRef, errSecInvalidItemRef, gTypes().Trust)

    // ---- construction -------------------------------------------------

    /// @param certificates A single certificate or a CFArray of them.
    /// @param policies     A single policy or a CFArray of policies.
    Trust(CFTypeRef certificates, CFTypeRef policies);
    virtual ~Trust();

    // ---- evaluation inputs --------------------------------------------

    /// Replaces the policy set. The argument is normalized to a CFArrayRef via
    /// cfArrayize() and the returned reference is adopted rather than retained.
    void policies(CFTypeRef policies)
    {
        mPolicies.take(cfArrayize(policies));
    }

    /// Selects the TP action passed to the verify call.
    void action(CSSM_TP_ACTION action)
    {
        mAction = action;
    }

    /// Stores (and retains) the action-specific data blob for the TP action.
    void actionData(CFDataRef data)
    {
        mActionData = data;
    }

    /// Stores (and retains) the time at which validity is judged; nil means
    /// "now" (presumably resolved in evaluate() — not visible here).
    void time(CFDateRef verifyTime)
    {
        mVerifyTime = verifyTime;
    }

    /// Replaces the anchor set consulted by evaluate(). Supplying anchors is a
    /// trust-policy decision for this evaluation; the argument is normalized
    /// through cfArrayize() and the returned reference is adopted.
    void anchors(CFArrayRef anchorList)
    {
        mAnchors.take(cfArrayize(anchorList));
    }

    /// Mutable access to the keychains searched for intermediates/anchors.
    /// Callers may edit the returned list in place.
    StorageManager::KeychainList &searchLibs()
    {
        return mSearchLibs;
    }

    /// Copies @a libs over the current search list.
    void searchLibs(StorageManager::KeychainList &libs)
    {
        mSearchLibs = libs;
    }

    // ---- evaluation ---------------------------------------------------

    /// Runs the TP verification with the inputs recorded above and fills in
    /// the result members read by the accessors below.
    void evaluate();

    /// Produces the evaluated certificate chain and its per-certificate
    /// evidence records. Ownership of the out-parameters is not documented
    /// here — NOTE(review): confirm in the implementation before relying on it.
    void buildEvidence(CFArrayRef &certChain, TPEvidenceInfo * &statusChain);

    /// Raw TP verify context result from the last evaluation.
    CSSM_TP_VERIFY_CONTEXT_RESULT_PTR cssmResult();

    /// Extended (dictionary-form) result of the last evaluation.
    void extendedResult(CFDictionaryRef &extendedResult);

    // ---- evaluation outputs -------------------------------------------

    /// Outcome of the last evaluate() call.
    SecTrustResultType result() const
    {
        return mResult;
    }

    /// Status returned by the TP for the last evaluate() call.
    OSStatus cssmResultCode() const
    {
        return mTpReturn;
    }

    TP getTPHandle() const
    {
        return mTP;
    }

    CFArrayRef policies() const
    {
        return mPolicies;
    }

    CFArrayRef anchors() const
    {
        return mAnchors;
    }

    CFDateRef time() const
    {
        return mVerifyTime;
    }

    /// Releases the evidence memory held in @a result back to @a allocator
    /// (inferred from the name; body not visible here).
    static void releaseTPEvidence(TPVerifyResult &result, Allocator &allocator);

private:
    // Maps the raw TP outcome onto a SecTrustResultType.
    SecTrustResultType diagnoseOutcome();

    // Applies user/admin trust settings to the verified chain.
    void evaluateUserTrust(const CertGroup &certs,
                           const CSSM_TP_APPLE_EVIDENCE_INFO *info,
                           CFCopyRef<CFArrayRef> anchors);

    // Drops results from a previous evaluation before a new one.
    void clearResults();

    // Resolves a DL/DB handle back to the Keychain it belongs to.
    Keychain keychainByDLDb(const CSSM_DL_DB_HANDLE &handle);

    // Revocation-policy augmentation. Each add* returns a fresh policy array
    // and reports how many entries it appended in @a numAdded; the matching
    // free* releases exactly those entries.
    CFMutableArrayRef addSpecifiedRevocationPolicies(uint32 &numAdded,
                                                     Allocator &alloc);
    void freeSpecifiedRevocationPolicies(CFArrayRef policies,
                                         uint32 numAdded,
                                         Allocator &alloc);
    CFMutableArrayRef addPreferenceRevocationPolicies(uint32 &numAdded,
                                                      Allocator &alloc);
    void freePreferenceRevocationPolicies(CFArrayRef policies,
                                          uint32 numAdded,
                                          Allocator &alloc);
    bool revocationPolicySpecified(CFArrayRef policies);
    CFMutableArrayRef forceOCSPRevocationPolicy(uint32 &numAdded,
                                                Allocator &alloc);

private:
    // Member order is preserved from the original declaration: it fixes the
    // object layout and the constructor initialization order.
    TP mTP;                                  // TP module handle used for verification
    CSSM_TP_ACTION mAction;                  // action selected via action()
    CFRef<CFDataRef> mActionData;            // blob set via actionData()
    CFRef<CFDateRef> mVerifyTime;            // date set via time()
    CFRef<CFArrayRef> mCerts;                // certificates supplied at construction
    CFRef<CFArrayRef> mPolicies;             // policies supplied/replaced via policies()
    CFRef<CFArrayRef> mAnchors;              // caller-supplied anchors, if any
    StorageManager::KeychainList mSearchLibs; // keychains to search
    SecTrustResultType mResult;              // outcome reported by result()
    uint32 mResultIndex;
    OSStatus mTpReturn;                      // TP status reported by cssmResultCode()
    TPVerifyResult mTpResult;                // raw TP result from the last evaluation
    StorageManager::KeychainList mSearchLibsUsed; // keychains actually consulted
    std::vector< SecPointer<Certificate> > mCertChain; // verified chain
    CFRef<CFArrayRef> mEvidenceReturned;
    CFRef<CFArrayRef> mAllowedAnchors;
    CFRef<CFArrayRef> mFilteredCerts;
    CFRef<CFDictionaryRef> mExtendedResult;  // reported by extendedResult()
    bool mUsingTrustSettings;                // presumably: trust-settings path taken — confirm in .cpp

public:
    // Process-wide trust store shared by all Trust objects.
    static ModuleNexus<TrustStore> gStore;

private:
    Mutex mMutex;                            // guards this object's state
};
}
}
#endif // !_SECURITY_TRUST_H_