/*
 * Copyright (c) 2007-2019 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
    SecCertificateInternal

    Project-internal declarations for SecCertificateRef: accessors for
    parsed X.509 extensions (returned as SecCE* structs or raw DERItems),
    keychain attribute-dictionary conversion, key/hash strength checks,
    and DER/OID utility helpers.  Nothing here is API; callers outside the
    Security project should use SecCertificate.h / SecCertificatePriv.h.
 */

#ifndef _SECURITY_SECCERTIFICATEINTERNAL_H_
#define _SECURITY_SECCERTIFICATEINTERNAL_H_

#include <TargetConditionals.h>
#include <libDER/DER_Keys.h>

#include <Security/SecBase.h>
#include <Security/SecCertificatePriv.h>

#include <Security/certextensions.h>

// This file can only be included under the ios view of the headers.
// If you're not under that view, we'll forward declare the things you need here.
// The structs below mirror the SecCE* types from certextensions.h so that the
// macOS TAPI build can still see the return types of the accessors further down.
#if SECURITY_PROJECT_TAPI_HACKS && SEC_OS_OSX
/* Parsed BasicConstraints extension (RFC 5280 4.2.1.9). */
typedef struct {
    bool present;                    // extension was found in the certificate
    bool critical;                   // extension was marked critical
    bool isCA;                       // cA flag
    bool pathLenConstraintPresent;   // pathLenConstraint is meaningful only when true
    uint32_t pathLenConstraint;
} SecCEBasicConstraints;

/* Parsed PolicyConstraints extension (RFC 5280 4.2.1.11). Each value is
   paired with a *Present flag; the value is meaningful only when its flag is set. */
typedef struct {
    bool present;
    bool critical;
    bool requireExplicitPolicyPresent;
    uint32_t requireExplicitPolicy;
    bool inhibitPolicyMappingPresent;
    uint32_t inhibitPolicyMapping;
} SecCEPolicyConstraints;

/* One PolicyInformation entry; both members are raw DER. */
typedef struct {
    DERItem policyIdentifier;
    DERItem policyQualifiers;
} SecCEPolicyInformation;

/* Parsed CertificatePolicies extension (RFC 5280 4.2.1.4). */
typedef struct {
    bool present;
    bool critical;
    size_t numPolicies; // size of *policies;
    SecCEPolicyInformation *policies;
} SecCECertificatePolicies;

/* One PolicyMapping entry; both members are raw DER OIDs. */
typedef struct {
    DERItem issuerDomainPolicy;
    DERItem subjectDomainPolicy;
} SecCEPolicyMapping;

/* Parsed PolicyMappings extension (RFC 5280 4.2.1.5). */
typedef struct {
    bool present;
    bool critical;
    size_t numMappings; // size of *mappings;
    SecCEPolicyMapping *mappings;
} SecCEPolicyMappings;

/* Parsed InhibitAnyPolicy extension (RFC 5280 4.2.1.14). */
typedef struct {
    bool present;
    bool critical;
    uint32_t skipCerts;
} SecCEInhibitAnyPolicy;

#endif

__BEGIN_DECLS

/* Map a signature algorithm OID (DER-encoded) to the hash algorithm it uses. */
SecSignatureHashAlgorithm SecSignatureHashAlgorithmForAlgorithmOid(const DERItem *algOid);

/* Key identifiers from the AuthorityKeyIdentifier / SubjectKeyIdentifier
   extensions. "Get" accessors in this header return data owned by the
   certificate — presumably not retained for the caller; confirm against
   SecCertificate.c before releasing. */
CFDataRef SecCertificateGetAuthorityKeyID(SecCertificateRef certificate);
CFDataRef SecCertificateGetSubjectKeyID(SecCertificateRef certificate);

/* Return an array of CFURLRefs each of which is a CRL distribution point for
   this certificate. */
CFArrayRef SecCertificateGetCRLDistributionPoints(SecCertificateRef certificate);

/* Return an array of CFURLRefs each of which is a caIssuer (AIA) for this
   certificate. */
CFArrayRef SecCertificateGetCAIssuers(SecCertificateRef certificate);

/* Dump certificate for debugging. */
void SecCertificateShow(SecCertificateRef certificate);

/* Return the normalized name or NULL if it fails to parse */
CFDataRef SecDistinguishedNameCopyNormalizedContent(CFDataRef distinguished_name);

/* Return true iff the certificate has a subject. */
bool SecCertificateHasSubject(SecCertificateRef certificate);
/* Return true iff the certificate has a critical subject alt name. */
bool SecCertificateHasCriticalSubjectAltName(SecCertificateRef certificate);

/* Return the contents of the SubjectAltName extension. */
const DERItem * SecCertificateGetSubjectAltName(SecCertificateRef certificate);

/* Return true if certificate contains one or more critical extensions we
   are unable to parse. RFC 5280 4.2 requires a certificate carrying an
   unrecognized critical extension to be rejected, so validation paths
   should treat true as a hard failure rather than a warning. */
bool SecCertificateHasUnknownCriticalExtension(SecCertificateRef certificate);

/* Return an attribute dictionary used to store this item in a keychain. */
CFDictionaryRef SecCertificateCopyAttributeDictionary(
    SecCertificateRef certificate);

/* Return a certificate from the attribute dictionary that was used to store
   this item in a keychain. */
SecCertificateRef SecCertificateCreateFromAttributeDictionary(
    CFDictionaryRef refAttributes);

/* Return a SecKeyRef for the public key embedded in the cert. */
#if TARGET_OS_OSX
SecKeyRef SecCertificateCopyPublicKey_ios(SecCertificateRef certificate)
    __OSX_DEPRECATED(__MAC_10_12, __MAC_10_14, "Use SecCertificateCopyKey instead.");
#endif

/* Return the SecCEBasicConstraints extension for this certificate if it
   has one. */
const SecCEBasicConstraints *
SecCertificateGetBasicConstraints(SecCertificateRef certificate);

/* Returns array of CFDataRefs containing the generalNames that are
   Permitted Subtree Name Constraints for this certificate if it has
   any. */
CFArrayRef SecCertificateGetPermittedSubtrees(SecCertificateRef certificate);

/* Returns array of CFDataRefs containing the generalNames that are
   Excluded Subtree Name Constraints for this certificate if it has
   any. */
CFArrayRef SecCertificateGetExcludedSubtrees(SecCertificateRef certificate);

/* Return the SecCEPolicyConstraints extension for this certificate if it
   has one. */
const SecCEPolicyConstraints *
SecCertificateGetPolicyConstraints(SecCertificateRef certificate);

/* Return the SecCEPolicyMappings extension for this certificate if it
   has one.
   NOTE(review): this was previously documented as returning a dictionary
   from CFDataRef to CFArrayRef of CFDataRef; the declared return type is
   const SecCEPolicyMappings *, so the struct (numMappings/mappings) is what
   callers actually receive. */
const SecCEPolicyMappings *
SecCertificateGetPolicyMappings(SecCertificateRef certificate);

/* Return the SecCECertificatePolicies extension for this certificate if it
   has one. */
const SecCECertificatePolicies *
SecCertificateGetCertificatePolicies(SecCertificateRef certificate);

/* Return the SecCEInhibitAnyPolicy extension for this certificate; the
   SkipCerts value is in the skipCerts field of the returned struct.
   NOTE(review): this was previously documented as returning UINT32_MAX when
   the extension is absent or invalid; the declared return type is a pointer,
   so callers presumably get NULL in that case and must not compare the
   result against UINT32_MAX — confirm against the implementation. */
const SecCEInhibitAnyPolicy *
SecCertificateGetInhibitAnyPolicySkipCerts(SecCertificateRef certificate);

/* Return the public key algorithm and parameters for certificate. */
const DERAlgorithmId *SecCertificateGetPublicKeyAlgorithm(
    SecCertificateRef certificate);

/* Return the raw public key data for certificate. */
const DERItem *SecCertificateGetPublicKeyData(SecCertificateRef certificate);

/* Return legacy property values for use by SecCertificateCopyValues. */
CFArrayRef SecCertificateCopyLegacyProperties(SecCertificateRef certificate);

// MARK: -
// MARK: Certificate Operations

/* Signature check of certificate against issuerKey; the OSStatus result
   is the only error reporting. Presumably errSecSuccess on a valid
   signature — confirm the exact codes in the implementation. */
OSStatus SecCertificateIsSignedBy(SecCertificateRef certificate,
    SecKeyRef issuerKey);

/* Helper for building the property arrays returned by the Copy*Properties
   functions. Not visible in the TAPI build (no Sec prefix, not exported). */
#ifndef SECURITY_PROJECT_TAPI_HACKS
void appendProperty(CFMutableArrayRef properties, CFStringRef propertyType,
    CFStringRef label, CFStringRef localizedLabel, CFTypeRef value, bool localized);
#endif

/* Utility functions. */
/* Dotted-decimal string ("1.2.840...") for a DER-encoded OID. */
CFStringRef SecDERItemCopyOIDDecimalRepresentation(CFAllocatorRef allocator,
    const DERItem *oid);

/* Normalized form of a DER X.501 Name, used for issuer/subject matching.
   Not visible in the TAPI build. */
#ifndef SECURITY_PROJECT_TAPI_HACKS
CFDataRef createNormalizedX501Name(CFAllocatorRef allocator,
    const DERItem *x501name);
#endif

/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return
   an absoluteTime if the date was valid and properly decoded. Return
   NULL_TIME otherwise. `bytes`/`length` are the raw content octets of the
   time value, `tag` selects which encoding to parse. */
CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes,
    size_t length);

/* True iff the certificate carries an extension whose OID matches `oid`
   (a CFTypeRef, so presumably either a CFDataRef OID or a CFStringRef
   dotted-decimal OID — see SecCertificateIsOidString below). */
bool SecCertificateHasMarkerExtension(SecCertificateRef certificate, CFTypeRef oid);

/* True iff the certificate carries the OCSP id-pkix-ocsp-nocheck extension. */
bool SecCertificateHasOCSPNoCheckMarkerExtension(SecCertificateRef certificate);

/* Callback invoked once per GeneralName by the two parsers below.
   `type` identifies the GeneralName choice and `value` is its DER content.
   A non-zero OSStatus from the callback presumably aborts parsing — confirm. */
typedef OSStatus (*parseGeneralNameCallback)(void *context,
    SecCEGeneralNameType type, const DERItem *value);
/* Parse a single GeneralName whose tag has already been read. */
OSStatus SecCertificateParseGeneralNameContentProperty(DERTag tag,
    const DERItem *generalNameContent,
    void *context, parseGeneralNameCallback callback);

/* Parse a DER GeneralNames SEQUENCE, invoking callback for each entry. */
OSStatus SecCertificateParseGeneralNames(const DERItem *generalNames, void *context,
    parseGeneralNameCallback callback);

/* Organization attribute values from a DER X.501 Name's content. */
CFArrayRef SecCertificateCopyOrganizationFromX501NameContent(const DERItem *nameContent);

/* Key-strength checks. `keySizes` for SecCertificateIsAtLeastMinKeySize is a
   CFDictionaryRef, presumably keyed by key type with minimum bit sizes as
   values — confirm the expected keys against callers. */
bool SecCertificateIsWeakKey(SecCertificateRef certificate);
bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate,
    CFDictionaryRef keySizes);
bool SecCertificateIsStrongKey(SecCertificateRef certificate);

/* Digest algorithm identifiers for a certificate's signature algorithm.
   Only the Unknown constant is visible in the TAPI build. */
extern const CFStringRef kSecSignatureDigestAlgorithmUnknown;
#ifndef SECURITY_PROJECT_TAPI_HACKS
extern const CFStringRef kSecSignatureDigestAlgorithmMD2;
extern const CFStringRef kSecSignatureDigestAlgorithmMD4;
extern const CFStringRef kSecSignatureDigestAlgorithmMD5;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA1;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA224;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA256;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA384;
extern const CFStringRef kSecSignatureDigestAlgorithmSHA512;
#endif

/* True iff the certificate is signed with a digest considered weak
   (which algorithms qualify is decided in the implementation). */
bool SecCertificateIsWeakHash(SecCertificateRef certificate);

/* Conversions between dotted-decimal OID strings and DER-encoded OID data. */
CFDataRef SecCertificateCreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string);
bool SecCertificateIsOidString(CFStringRef oid);

/* Raw DER value of the extension identified by `oid`.
   NOTE(review): unlike the other Get accessors in this header this returns a
   non-const DERItem *; callers should treat the result as read-only since it
   presumably points into the certificate's own parsed data. */
DERItem *SecCertificateGetExtensionValue(SecCertificateRef certificate, CFTypeRef oid);

/* Name extraction helpers; each returns a newly created array. */
CFArrayRef SecCertificateCopyRFC822NamesFromSubject(SecCertificateRef certificate);
CFArrayRef SecCertificateCopyDNSNamesFromSAN(SecCertificateRef certificate);
CFArrayRef SecCertificateCopyIPAddressDatas(SecCertificateRef certificate);

/* Index of a known extension that failed to parse (contrast with
   SecCertificateHasUnknownCriticalExtension, which covers unrecognized
   OIDs). The meaning of the returned CFIndex when nothing failed is not
   stated here — confirm the sentinel in the implementation. */
CFIndex SecCertificateGetUnparseableKnownExtension(SecCertificateRef certificate);

__END_DECLS

#endif /* !_SECURITY_SECCERTIFICATEINTERNAL_H_ */