1  // Copyright (c) 2017-2019 Apple Inc. All Rights Reserved.
  2  // This is the list of Policy Checks. To add a new policy check put it in this file with the POLICYCHECKMACRO defined.
  3  // Then define a new SEC_TRUST_ERROR string in SecFrameworkStrings.h
  4  // Arguments for the POLICYCHECKMACRO in arg order are:
  5  // POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS)
  6  // NAME: the name of the check (both its constant name and string value)
  7  // TRUSTRESULT: the trust result this check should produce. R is Recoverable, F is Fatal, D is Deny
  8  // SUBTYPE: the type of failure.
  9  //      N is a name failure, E is expiration, S is key size, H is weak hash, U is usage, P is pinning, V is revocation
 10  //      T is trust, C is compliance, D is denied, B is blocked
 11  // LEAFCHECK: L for checks that happen in the leaf callbacks
 12  // PATHCHECK: A for checks that happen in the path callbacks
 13  // LEAFONLY:  O for checks that are done in leaf-only trust evaluations
 14  // CSSMERR: The CSSM error status code for this error. The constant name of this status code follows in a comment.
 15  // OSSTATUS: the OSStatus to return for this error
 16  
 17  /********************************************************
 18  ************** Unverified Leaf Checks ******************
 19  ********************************************************/
 20  POLICYCHECKMACRO(SSLHostname,                    R, N, L,  , O, 0x80012400, errSecHostNameMismatch) //CSSMERR_APPLETP_HOSTNAME_MISMATCH
 21  POLICYCHECKMACRO(Email,                          R, N, L,  , O, 0x80012418, errSecSMIMEEmailAddressesNotFound) //CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND
 22  POLICYCHECKMACRO(TemporalValidity,               R, E, L, A, O, 0x8001210A, errSecCertificateExpired) //CSSMERR_TP_CERT_EXPIRED
 23  POLICYCHECKMACRO(WeakKeySize,                    F, S, L, A, O, 0x80012115, errSecUnsupportedKeySize) //CSSMERR_TP_INVALID_CERTIFICATE
 24  POLICYCHECKMACRO(WeakSignature,                  F, H, L, A, O, 0x80010955, errSecInvalidDigestAlgorithm) //CSSMERR_CSP_INVALID_DIGEST_ALGORITHM
 25  POLICYCHECKMACRO(KeyUsage,                       R, U, L,  , O, 0x80012406, errSecInvalidKeyUsageForPolicy) //CSSMERR_APPLETP_INVALID_KEY_USAGE
 26  POLICYCHECKMACRO(ExtendedKeyUsage,               R, U, L, A, O, 0x80012407, errSecInvalidExtendedKeyUsage) //CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE
 27  POLICYCHECKMACRO(SubjectCommonName,              R, P, L,  , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
 28  POLICYCHECKMACRO(SubjectCommonNamePrefix,        R, P, L,  , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
 29  POLICYCHECKMACRO(SubjectCommonNameTEST,          R, P, L,  , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
 30  POLICYCHECKMACRO(SubjectOrganization,            R, P, L,  , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
 31  POLICYCHECKMACRO(SubjectOrganizationalUnit,      R, P, L,  , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
 32  POLICYCHECKMACRO(NotValidBefore,                 R, P, L,  , O, 0x8001210B, errSecCertificateNotValidYet) //CSSMERR_TP_CERT_NOT_VALID_YET
 33  POLICYCHECKMACRO(EAPTrustedServerNames,          R, N, L,  , O, 0x80012400, errSecHostNameMismatch) //CSSMERR_APPLETP_HOSTNAME_MISMATCH
 34  POLICYCHECKMACRO(LeafMarkerOid,                  R, P, L,  , O, 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
 35  POLICYCHECKMACRO(LeafMarkerOidWithoutValueCheck, R, P, L,  , O, 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
 36  POLICYCHECKMACRO(LeafMarkersProdAndQA,           R, P, L,  , O, 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
 37  POLICYCHECKMACRO(BlackListedLeaf,                F, B, L,  ,  , 0x8001210C, errSecCertificateRevoked) //CSSMERR_TP_CERT_REVOKED
 38  POLICYCHECKMACRO(GrayListedLeaf,                 R, T, L,  ,  , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
 39  POLICYCHECKMACRO(LeafSPKISHA256,                 R, P, L,  ,  , 0x8001243D, errSSLATSCertificateTrustViolation) //CSSMERR_APPLETP_LEAF_PIN_MISMATCH
 40  POLICYCHECKMACRO(NotCA,                          R, C, L,  , O, 0x80012116, errSecCertificateIsCA) // CSSMERR_TP_INVALID_CERT_AUTHORITY
 41  POLICYCHECKMACRO(KeyUsageReportOnly,             R, U, L,  ,  , 0x80012406, errSecInvalidKeyUsageForPolicy) //CSSMERR_APPLETP_INVALID_KEY_USAGE
 42  
 43  /********************************************************
 44  *********** Unverified Intermediate Checks *************
 45  ********************************************************/
 46  POLICYCHECKMACRO(IssuerCommonName,                       R, P,  , A,  , 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
 47  POLICYCHECKMACRO(BasicConstraints,                       R, C,  , A,  , 0x80012402, errSecNoBasicConstraints) //CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS
 48  POLICYCHECKMACRO(BasicConstraintsCA,                     R, C,  ,  ,  , 0x80012403, errSecNoBasicConstraintsCA) //CSSMERR_APPLETP_INVALID_CA
 49  POLICYCHECKMACRO(BasicConstraintsPathLen,                R, C,  ,  ,  , 0x80012409, errSecPathLengthConstraintExceeded) //CSSMERR_APPLETP_PATH_LEN_CONSTRAINT
 50  POLICYCHECKMACRO(IntermediateSPKISHA256,                 R, P,  , A,  , 0x8001243B, errSecPublicKeyInconsistent) //CSSMERR_APPLETP_IDENTIFIER_MISSING
 51  POLICYCHECKMACRO(IntermediateEKU,                        R, P,  , A,  , 0x80012407, errSecInvalidExtendedKeyUsage) //CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE
 52  POLICYCHECKMACRO(IntermediateMarkerOid,                  R, P,  , A,  , 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
 53  POLICYCHECKMACRO(IntermediateMarkerOidWithoutValueCheck, R, P,  , A,  , 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
 54  POLICYCHECKMACRO(IntermediateOrganization,               R, P,  , A,  , 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
 55  POLICYCHECKMACRO(IntermediateCountry,                    R, P,  , A,  , 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
 56  
 57  /********************************************************
 58  ************** Unverified Anchor Checks ****************
 59  ********************************************************/
 60  POLICYCHECKMACRO(AnchorSHA256,                   R, P,  , A,  , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
 61  POLICYCHECKMACRO(AnchorTrusted,                  R, T,  ,  ,  , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
 62  POLICYCHECKMACRO(MissingIntermediate,            R, T,  ,  ,  , 0x8001212A, errSecCreateChainFailed) //CSSMERR_TP_NOT_TRUSTED
 63  POLICYCHECKMACRO(AnchorApple,                    R, P,  , A,  , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
 64  POLICYCHECKMACRO(CAspkiSHA256,                   R, P,  , A,  , 0x8001243C, errSSLATSCertificateTrustViolation) //CSSMERR_APPLETP_CA_PIN_MISMATCH
 65  
 66  /********************************************************
 67  *********** Unverified Certificate Checks **************
 68  ********************************************************/
 69  POLICYCHECKMACRO(NonEmptySubject,                R, C,  , A, O, 0x80012437, errSecInvalidSubjectName) //CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT
 70  POLICYCHECKMACRO(IdLinkage,                      R, C,  , A,  , 0x80012404, errSecInvalidIDLinkage) //CSSMERR_APPLETP_INVALID_AUTHORITY_ID
 71  POLICYCHECKMACRO(KeySize,                        R, P,  , A, O, 0x80010918, errSecUnsupportedKeySize) //CSSMERR_CSP_UNSUPPORTED_KEY_SIZE
 72  POLICYCHECKMACRO(SignatureHashAlgorithms,        R, H,  , A, O, 0x80010913, errSecInvalidDigestAlgorithm) //CSSMERR_CSP_ALGID_MISMATCH
 73  POLICYCHECKMACRO(CertificatePolicy,              R, P,  , A, O, 0x80012439, errSecInvalidPolicyIdentifiers) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
 74  POLICYCHECKMACRO(ValidRoot,                      R, E,  ,  ,  , 0x8001210A, errSecCertificateExpired) //CSSMERR_TP_CERT_EXPIRED
 75  
 76  /********************************************************
 77  **************** Verified Path Checks ******************
 78  ********************************************************/
 79  POLICYCHECKMACRO(CriticalExtensions,             R, C,  , A, O, 0x80012401, errSecUnknownCriticalExtensionFlag) //CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN
 80  POLICYCHECKMACRO(ChainLength,                    R, P,  , A,  , 0x80012409, errSecPathLengthConstraintExceeded) //CSSMERR_APPLETP_PATH_LEN_CONSTRAINT
 81  POLICYCHECKMACRO(BasicCertificateProcessing,     R, C,  , A,  , 0x80012115, errSecInvalidCertificateRef) //CSSMERR_TP_INVALID_CERTIFICATE
 82  POLICYCHECKMACRO(NameConstraints,                R, C,  ,  ,  , 0x80012115, errSecInvalidName) //CSSMERR_TP_INVALID_CERTIFICATE
 83  POLICYCHECKMACRO(PolicyConstraints,              R, C,  ,  ,  , 0x80012115, errSecInvalidPolicyIdentifiers) //CSSMERR_TP_INVALID_CERTIFICATE
 84  POLICYCHECKMACRO(GrayListedKey,                  R, T,  ,  ,  , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
 85  POLICYCHECKMACRO(BlackListedKey,                 F, B,  ,  ,  , 0x8001210C, errSecCertificateRevoked) //CSSMERR_TP_CERT_REVOKED
 86  POLICYCHECKMACRO(UsageConstraints,               D, D,  ,  ,  , 0x80012436, errSecTrustSettingDeny) //CSSMERR_APPLETP_TRUST_SETTING_DENY
 87  POLICYCHECKMACRO(SystemTrustedWeakHash,          R, H,  , A,  , 0x80010955, errSecInvalidDigestAlgorithm) //CSSMERR_CSP_INVALID_DIGEST_ALGORITHM
 88  POLICYCHECKMACRO(SystemTrustedWeakKey,           R, S,  , A,  , 0x80010918, errSecUnsupportedKeySize) //CSSMERR_CSP_UNSUPPORTED_KEY_SIZE
 89  POLICYCHECKMACRO(PinningRequired,                R, P, L,  ,  , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
 90  POLICYCHECKMACRO(Revocation,                     F, V, L,  ,  , 0x8001210C, errSecCertificateRevoked) //CSSMERR_TP_CERT_REVOKED
 91  POLICYCHECKMACRO(RevocationResponseRequired,     R, P, L,  ,  , 0x80012423, errSecIncompleteCertRevocationCheck) //CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK
 92  POLICYCHECKMACRO(CTRequired,                     R, T,  , A,  , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
 93  POLICYCHECKMACRO(SystemTrustedCTRequired,        R, C,  , A,  , 0x80012114, errSecVerifyActionFailed) //CSSMERR_TP_VERIFY_ACTION_FAILED
 94  POLICYCHECKMACRO(IssuerPolicyConstraints,        F, B,  ,  ,  , 0x80012120, errSecCertificatePolicyNotAllowed) //CSSMERR_TP_INVALID_POLICY_IDENTIFIERS
 95  POLICYCHECKMACRO(IssuerNameConstraints,          F, B,  ,  ,  , 0x8001211F, errSecCertificateNameNotAllowed) //CSSMERR_TP_INVALID_NAME
 96  POLICYCHECKMACRO(ValidityPeriodMaximums,         R, C,  , A,  , 0x8001210D, errSecCertificateValidityPeriodTooLong) //CSSMERR_TP_CERT_SUSPENDED
 97  POLICYCHECKMACRO(ServerAuthEKU,                  R, U,  , A,  , 0x80012407, errSecInvalidExtendedKeyUsage) //CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE
 98  POLICYCHECKMACRO(UnparseableExtension,           R, C,  ,  , O, 0x80012410, errSecUnknownCertExtension) //CSSMERR_APPLETP_UNKNOWN_CERT_EXTEN
 99  POLICYCHECKMACRO(NonTlsCTRequired,               R, T,  , A,  , 0x80012114, errSecVerifyActionFailed) //CSSMERR_TP_VERIFY_ACTION_FAILED
100  
101  /********************************************************
102  ******************* Feature Toggles *********************
103  ********************************************************/
104  POLICYCHECKMACRO(NoNetworkAccess,                ,  , L,  ,  ,           , errSecInternal)
105  POLICYCHECKMACRO(ExtendedValidation,             ,  ,  ,  ,  ,           , errSecInternal)
106  POLICYCHECKMACRO(RevocationOnline,               ,  , L,  ,  ,           , errSecInternal)
107  POLICYCHECKMACRO(RevocationIfTrusted,            ,  , L,  ,  ,           , errSecInternal)