certextensions.h
/*
 * Copyright (c) 2000-2009,2011,2012,2014,2016 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 * CertExtensions.h -- X.509 Cert Extensions as C structs
 *
 * Every extension below is declared twice: a CSSM-flavoured CE_* form for
 * macOS (SEC_OS_OSX) and a libDER-flavoured SecCE* form for iOS
 * (SEC_OS_IPHONE). Field order within each struct is part of the ABI.
 */

#ifndef _CERT_EXTENSIONS_H_
#define _CERT_EXTENSIONS_H_

#include <Security/SecBase.h>

#if SEC_OS_OSX

#include <Security/cssmtype.h>
#include <Security/x509defs.h> /* CSSM_X509_RDN_PTR */
/* The CE_* types are deprecated since 10.7; silence the warning while this
 * header still has to mention them. Popped at the end of the file. */
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"

#else /* SEC_OS_IPHONE */

#include <stdbool.h>
#include <libDER/libDER.h>

#endif /* SEC_OS_IPHONE */

/***
 *** Structs for declaring extension-specific data.
 ***/

/*
 * GeneralName, used in AuthorityKeyID, SubjectAltName, and IssuerAltName.
 *
 * Only the CHOICE alternatives that are IA5Strings, OIDs or octet strings
 * get explicit support here. The constructed alternatives (EDIPartyName,
 * x400Address) are neither encoded nor decoded by this library - the caller
 * does that - with two exceptions (Name and OtherName, described below).
 *
 * For the unsupported constructed alternatives, SecCEGeneralName.name.Data /
 * CE_GeneralName.name.Data holds the BER *contents* octets and
 * SecCEGeneralName.name.Length / CE_GeneralName.name.Length their length. No
 * tag is stored: the BER encoding uses context-specific implicit tagging, so
 * the tag is implied by nameType. berEncoded is true / CSSM_TRUE for these;
 * simple types have berEncoded = false / CSSM_FALSE.
 *
 * A GeneralName in the form of a Name is parsed into a CSSM_X509_NAME; a
 * pointer to that CSSM_X509_NAME is stored in CE_GeneralName.name.Data and
 * name.Length is set to sizeof(CSSM_X509_NAME). berEncoded is false.
 *
 * A GeneralName in the form of an OtherName is parsed into a
 * SecCEOtherName / CE_OtherName; a pointer to it is stored in name.Data and
 * name.Length is set to sizeof(SecCEOtherName) / sizeof(CE_OtherName).
 * berEncoded is false.
 *
 * Consequence for readers: name.Data is a pointer to a struct, not a byte
 * buffer, for GNT_DirectoryName and GNT_OtherName. Dispatch on nameType
 * (and berEncoded) before interpreting name.Data.
 *
 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 *
 * GeneralName ::= CHOICE {
 *      otherName                       [0]     OtherName
 *      rfc822Name                      [1]     IA5String,
 *      dNSName                         [2]     IA5String,
 *      x400Address                     [3]     ORAddress,
 *      directoryName                   [4]     Name,
 *      ediPartyName                    [5]     EDIPartyName,
 *      uniformResourceIdentifier       [6]     IA5String,
 *      iPAddress                       [7]     OCTET STRING,
 *      registeredID                    [8]     OBJECT IDENTIFIER}
 *
 * OtherName ::= SEQUENCE {
 *      type-id    OBJECT IDENTIFIER,
 *      value      [0] EXPLICIT ANY DEFINED BY type-id }
 *
 * EDIPartyName ::= SEQUENCE {
 *      nameAssigner            [0]     DirectoryString OPTIONAL,
 *      partyName               [1]     DirectoryString }
 */

/* Each enumerator's value equals the context-specific tag number of the
 * corresponding CHOICE alternative above. */
typedef enum __CE_GeneralNameType {
    GNT_OtherName     = 0,  /* [0] OtherName */
    GNT_RFC822Name    = 1,  /* [1] IA5String */
    GNT_DNSName       = 2,  /* [2] IA5String */
    GNT_X400Address   = 3,  /* [3] ORAddress (caller-encoded) */
    GNT_DirectoryName = 4,  /* [4] Name */
    GNT_EdiPartyName  = 5,  /* [5] EDIPartyName (caller-encoded) */
    GNT_URI           = 6,  /* [6] IA5String */
    GNT_IPAddress     = 7,  /* [7] OCTET STRING */
    GNT_RegisteredID  = 8   /* [8] OBJECT IDENTIFIER */
} CE_GeneralNameType;

/* The iOS structs reuse the same enumeration under the SecCE prefix. */
#define SecCEGeneralNameType CE_GeneralNameType

#if SEC_OS_OSX

typedef struct __CE_OtherName {
    CSSM_OID  typeId;
    CSSM_DATA value;        /* unparsed, BER-encoded */
} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

typedef struct __CE_GeneralName {
    CE_GeneralNameType nameType;    /* GNT_RFC822Name, etc. - selects how name is read */
    CSSM_BOOL          berEncoded;  /* true: name holds raw BER contents octets */
    CSSM_DATA          name;        /* see the GeneralName discussion above */
} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

typedef struct __CE_GeneralNames {
    uint32          numNames;       /* element count of generalName[] */
    CE_GeneralName *generalName;
} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

typedef struct {
    DERItem typeId;
    DERItem value;          /* unparsed, BER-encoded */
} SecCEOtherName;

typedef struct {
    SecCEGeneralNameType nameType;      /* GNT_RFC822Name, etc. - selects how name is read */
    bool                 berEncoded;    /* true: name holds raw BER contents octets */
    DERItem              name;          /* see the GeneralName discussion above */
} SecCEGeneralName;

typedef struct {
    uint32_t          numNames;         /* element count of generalName[] */
    SecCEGeneralName *generalName;
} SecCEGeneralNames;

#endif /* SEC_OS_IPHONE */

/*
 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
 *
 * AuthorityKeyIdentifier ::= SEQUENCE {
 *    keyIdentifier             [0] KeyIdentifier            OPTIONAL,
 *    authorityCertIssuer       [1] GeneralNames             OPTIONAL,
 *    authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL  }
 *
 * KeyIdentifier ::= OCTET STRING
 *
 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
 *
 * Each OPTIONAL component has a *Present flag; the value field is only
 * meaningful when its flag is set.
 */
#if SEC_OS_OSX
typedef struct __CE_AuthorityKeyID {
    CSSM_BOOL        keyIdentifierPresent;
    CSSM_DATA        keyIdentifier;
    CSSM_BOOL        generalNamesPresent;
    CE_GeneralNames *generalNames;
    CSSM_BOOL        serialNumberPresent;
    CSSM_DATA        serialNumber;
} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
typedef struct {
    bool               keyIdentifierPresent;
    DERItem            keyIdentifier;
    bool               generalNamesPresent;
    SecCEGeneralNames *generalNames;
    bool               serialNumberPresent;
    DERItem            serialNumber;
} SecCEAuthorityKeyID;
#endif /* SEC_OS_IPHONE */

/*
 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
 *   SubjectKeyIdentifier ::= KeyIdentifier
 *
 * CSSM OID = CSSMOID_SubjectKeyIdentifier
 */
#if SEC_OS_OSX
typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
typedef DERItem SecCESubjectKeyID;
#endif /* SEC_OS_IPHONE */

/*
 * id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
 *
 * KeyUsage ::= BIT STRING {
 *      digitalSignature        (0),
 *      nonRepudiation          (1),
 *      keyEncipherment         (2),
 *      dataEncipherment        (3),
 *      keyAgreement            (4),
 *      keyCertSign             (5),
 *      cRLSign                 (6),
 *      encipherOnly            (7),
 *      decipherOnly            (8) }
 *
 * CSSM OID = CSSMOID_KeyUsage
 *
 * The 16-bit value keeps ASN.1 BIT STRING bit numbering: bit n of the
 * string is mask (0x8000 >> n), so digitalSignature (0) is 0x8000 and
 * decipherOnly (8) is 0x0080.
 */
#if SEC_OS_OSX
typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
typedef uint16_t SecCEKeyUsage;
#endif /* SEC_OS_IPHONE */

#if SEC_OS_OSX
#define CE_KU_DigitalSignature      0x8000
#define CE_KU_NonRepudiation        0x4000
#define CE_KU_KeyEncipherment       0x2000
#define CE_KU_DataEncipherment      0x1000
#define CE_KU_KeyAgreement          0x0800
#define CE_KU_KeyCertSign           0x0400
#define CE_KU_CRLSign               0x0200
#define CE_KU_EncipherOnly          0x0100
#define CE_KU_DecipherOnly          0x0080
#else /* SEC_OS_IPHONE */
#define SecCEKU_DigitalSignature    0x8000
#define SecCEKU_NonRepudiation      0x4000
#define SecCEKU_KeyEncipherment     0x2000
#define SecCEKU_DataEncipherment    0x1000
#define SecCEKU_KeyAgreement        0x0800
#define SecCEKU_KeyCertSign         0x0400
#define SecCEKU_CRLSign             0x0200
#define SecCEKU_EncipherOnly        0x0100
#define SecCEKU_DecipherOnly        0x0080
#endif /* SEC_OS_IPHONE */

/*
 * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
 *
 *   -- reasonCode ::= { CRLReason }
 *
 * CRLReason ::= ENUMERATED {
 *      unspecified             (0),
 *      keyCompromise           (1),
 *      cACompromise            (2),
 *      affiliationChanged      (3),
 *      superseded              (4),
 *      cessationOfOperation    (5),
 *      certificateHold         (6),
 *      removeFromCRL           (8) }
 *
 * CSSM OID = CSSMOID_CrlReason
 *
 * Note the gap: 7 is not assigned by the ENUMERATED above, so the constants
 * jump from 6 to 8. This is a plain enumeration, not a bit mask; compare
 * CE_CrlDistReasonFlags below, which is OR-able.
 */
#if SEC_OS_OSX
typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
#elif SEC_OS_IPHONE
typedef uint32_t SecCECrlReason;
#endif /* SEC_OS_IPHONE */

#if SEC_OS_OSX
#define CE_CR_Unspecified           0
#define CE_CR_KeyCompromise         1
#define CE_CR_CACompromise          2
#define CE_CR_AffiliationChanged    3
#define CE_CR_Superseded            4
#define CE_CR_CessationOfOperation  5
#define CE_CR_CertificateHold       6
#define CE_CR_RemoveFromCRL         8
#elif SEC_OS_IPHONE
#define SecCECR_Unspecified             0
#define SecCECR_KeyCompromise           1
#define SecCECR_CACompromise            2
#define SecCECR_AffiliationChanged      3
#define SecCECR_Superseded              4
#define SecCECR_CessationOfOperation    5
#define SecCECR_CertificateHold         6
#define SecCECR_RemoveFromCRL           8
#endif /* SEC_OS_IPHONE */

/*
 * id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
 *
 * SubjectAltName ::= GeneralNames
 *
 * CSSM OID = CSSMOID_SubjectAltName
 *
 * GeneralNames defined above; there is no separate struct for this extension.
 */

/*
 * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
 *
 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
 *
 * KeyPurposeId ::= OBJECT IDENTIFIER
 *
 * CSSM OID = CSSMOID_ExtendedKeyUsage
 */
#if SEC_OS_OSX
/* NOTE(review): unlike its neighbours this CE_ typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER attribute - presumably
 * intentional; confirm before relying on deprecation warnings for it. */
typedef struct __CE_ExtendedKeyUsage {
    uint32       numPurposes;   /* element count of purposes[] */
    CSSM_OID_PTR purposes;      /* in Intel pre-encoded format */
} CE_ExtendedKeyUsage;

#elif SEC_OS_IPHONE

typedef struct {
    uint32_t numPurposes;       /* element count of purposes[] */
    DERItem *purposes;          /* in Intel pre-encoded format */
} SecCEExtendedKeyUsage;
#endif /* SEC_OS_IPHONE */

/*
 * id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
 *
 * BasicConstraints ::= SEQUENCE {
 *       cA                      BOOLEAN DEFAULT FALSE,
 *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
 *
 * CSSM OID = CSSMOID_BasicConstraints
 *
 * pathLenConstraint is only meaningful when pathLenConstraintPresent is set.
 */
#if SEC_OS_OSX
typedef struct __CE_BasicConstraints {
    CSSM_BOOL cA;
    CSSM_BOOL pathLenConstraintPresent;
    uint32    pathLenConstraint;
} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

/* The iOS form also records whether the extension was present in the
 * certificate at all, and whether it was marked critical. */
typedef struct {
    bool     present;
    bool     critical;
    bool     isCA;
    bool     pathLenConstraintPresent;
    uint32_t pathLenConstraint;
} SecCEBasicConstraints;

/* iOS PolicyConstraints; the macOS CE_PolicyConstraints is declared further
 * down next to its ASN.1. */
typedef struct {
    bool     present;
    bool     critical;
    bool     requireExplicitPolicyPresent;
    uint32_t requireExplicitPolicy;
    bool     inhibitPolicyMappingPresent;
    uint32_t inhibitPolicyMapping;
} SecCEPolicyConstraints;
#endif /* SEC_OS_IPHONE */

/*
 * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
 *
 *   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
 *
 *   PolicyInformation ::= SEQUENCE {
 *        policyIdentifier   CertPolicyId,
 *        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
 *                                PolicyQualifierInfo OPTIONAL }
 *
 *   CertPolicyId ::= OBJECT IDENTIFIER
 *
 *   PolicyQualifierInfo ::= SEQUENCE {
 *        policyQualifierId  PolicyQualifierId,
 *        qualifier          ANY DEFINED BY policyQualifierId }
 *
 *   -- policyQualifierIds for Internet policy qualifiers
 *
 *   id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
 *   id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
 *   id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
 *
 *   PolicyQualifierId ::=
 *        OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
 *
 *   Qualifier ::= CHOICE {
 *        cPSuri           CPSuri,
 *        userNotice       UserNotice }
 *
 *   CPSuri ::= IA5String
 *
 *   UserNotice ::= SEQUENCE {
 *        noticeRef        NoticeReference OPTIONAL,
 *        explicitText     DisplayText OPTIONAL}
 *
 *   NoticeReference ::= SEQUENCE {
 *        organization     DisplayText,
 *        noticeNumbers    SEQUENCE OF INTEGER }
 *
 *   DisplayText ::= CHOICE {
 *        visibleString    VisibleString  (SIZE (1..200)),
 *        bmpString        BMPString      (SIZE (1..200)),
 *        utf8String       UTF8String     (SIZE (1..200)) }
 *
 * CSSM OID = CSSMOID_CertificatePolicies
 *
 * Support stops at the level of Qualifier, and then only the CPSuri choice
 * is decoded. A UserNotice travels to and from this library as a raw
 * CSSM_DATA holding the BER-encoded UserNotice sequence.
 */
#if SEC_OS_OSX

typedef struct __CE_PolicyQualifierInfo {
    CSSM_OID  policyQualifierId;    /* CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE */
    CSSM_DATA qualifier;            /* CSSMOID_QT_CPS: IA5String contents
                                     * CSSMOID_QT_UNOTICE: Sequence contents */
} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

typedef struct __CE_PolicyInformation {
    CSSM_OID                certPolicyId;
    uint32                  numPolicyQualifiers;    /* size of *policyQualifiers */
    CE_PolicyQualifierInfo *policyQualifiers;
} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

typedef struct __CE_CertPolicies {
    uint32                numPolicies;  /* size of *policies */
    CE_PolicyInformation *policies;
} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#elif SEC_OS_IPHONE

#if 0
typedef struct {
    DERItem policyQualifierId;  /* CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE */
    DERItem qualifier;          /* CSSMOID_QT_CPS: IA5String contents */
} SecCEPolicyQualifierInfo;
#endif

/* On iOS the qualifiers are kept as one undecoded DER item rather than
 * being split into per-qualifier structs. */
typedef struct {
    DERItem policyIdentifier;
    DERItem policyQualifiers;
} SecCEPolicyInformation;

typedef struct {
    bool                    present;
    bool                    critical;
    size_t                  numPolicies;    /* size of *policies */
    SecCEPolicyInformation *policies;
} SecCECertificatePolicies;

typedef struct {
    DERItem issuerDomainPolicy;
    DERItem subjectDomainPolicy;
} SecCEPolicyMapping;

/*
   PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
        issuerDomainPolicy      CertPolicyId,
        subjectDomainPolicy     CertPolicyId }
*/
typedef struct {
    bool                present;
    bool                critical;
    size_t              numMappings;    /* size of *mappings */
    SecCEPolicyMapping *mappings;
} SecCEPolicyMappings;

/*
   InhibitAnyPolicy ::= SkipCerts
   SkipCerts ::= INTEGER (0..MAX)
*/
typedef struct {
    bool     present;
    bool     critical;
    uint32_t skipCerts;
} SecCEInhibitAnyPolicy;

#endif /* SEC_OS_IPHONE */

/* Everything from here to the matching #endif exists only in the macOS
 * (CSSM) flavour of the header. */
#if SEC_OS_OSX

/*
 * netscape-cert-type, a bit string.
 *
 * CSSM OID = CSSMOID_NetscapeCertType
 *
 * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
 */
typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * CRLDistributionPoints.
 *
 * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }
 *
 * cRLDistributionPoints ::= {
 *      CRLDistPointsSyntax }
 *
 * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
 *
 * NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
 * is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
 * because the underlying type also uses an implicit tag to distinguish
 * between CHOICEs.
 *
 * DistributionPoint ::= SEQUENCE {
 *      distributionPoint       [0]     DistributionPointName OPTIONAL,
 *      reasons                 [1]     ReasonFlags OPTIONAL,
 *      cRLIssuer               [2]     GeneralNames OPTIONAL }
 *
 * DistributionPointName ::= CHOICE {
 *      fullName                [0]     GeneralNames,
 *      nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
 *
 * ReasonFlags ::= BIT STRING {
 *      unused                  (0),
 *      keyCompromise           (1),
 *      cACompromise            (2),
 *      affiliationChanged      (3),
 *      superseded              (4),
 *      cessationOfOperation    (5),
 *      certificateHold         (6) }
 *
 * CSSM OID = CSSMOID_CrlDistributionPoints
 */

/*
 * Looks similar to CE_CrlReason, but that is an enum and this is an OR-able
 * bit string. As with CE_KeyUsage, BIT STRING bit n is mask (0x80 >> n).
 */
typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CD_Unspecified           0x80
#define CE_CD_KeyCompromise         0x40
#define CE_CD_CACompromise          0x20
#define CE_CD_AffiliationChanged    0x10
#define CE_CD_Superseded            0x08
#define CE_CD_CessationOfOperation  0x04
#define CE_CD_CertificateHold       0x02

typedef enum __CE_CrlDistributionPointNameType {
    CE_CDNT_FullName,               /* [0] GeneralNames   -> dpn.fullName */
    CE_CDNT_NameRelativeToCrlIssuer /* [1] RDN            -> dpn.rdn */
} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* nameType selects which union member of dpn is valid. */
typedef struct __CE_DistributionPointName {
    CE_CrlDistributionPointNameType nameType;
    union {
        CE_GeneralNames   *fullName;
        CSSM_X509_RDN_PTR  rdn;
    } dpn;
} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The top-level CRLDistributionPoint.
 * All fields are optional; NULL pointers indicate absence (reasons uses a
 * *Present flag instead, since it is stored by value).
 */
typedef struct __CE_CRLDistributionPoint {
    CE_DistributionPointName *distPointName;
    CSSM_BOOL                 reasonsPresent;
    CE_CrlDistReasonFlags     reasons;
    CE_GeneralNames          *crlIssuer;
} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

typedef struct __CE_CRLDistPointsSyntax {
    uint32                   numDistPoints;  /* element count of distPoints[] */
    CE_CRLDistributionPoint *distPoints;
} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * Authority Information Access and Subject Information Access.
 *
 * CSSM OID = CSSMOID_AuthorityInfoAccess
 * CSSM OID = CSSMOID_SubjectInfoAccess
 *
 * SubjAuthInfoAccessSyntax  ::=
 *      SEQUENCE SIZE (1..MAX) OF AccessDescription
 *
 * AccessDescription  ::=  SEQUENCE {
 *      accessMethod          OBJECT IDENTIFIER,
 *      accessLocation        GeneralName  }
 *
 * One struct serves both extensions; the OID of the enclosing extension
 * tells them apart.
 */
typedef struct __CE_AccessDescription {
    CSSM_OID       accessMethod;
    CE_GeneralName accessLocation;
} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

typedef struct __CE_AuthorityInfoAccess {
    uint32                numAccessDescriptions;    /* element count of accessDescriptions[] */
    CE_AccessDescription *accessDescriptions;
} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * Qualified Certificate Statement support, per RFC 3739.
 *
 * First, NameRegistrationAuthorities, a component of SemanticsInformation;
 * it is the same as a GeneralNames - a sequence of GeneralName.
 */
typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * SemanticsInformation, identified as the qcType field of a CE_QC_Statement
 * for statementId value id-qcs-pkixQCSyntax-v2.
 * Both fields optional (NULL when absent); at least one must be present.
 */
typedef struct __CE_SemanticsInformation {
    CSSM_OID                       *semanticsIdentifier;
    CE_NameRegistrationAuthorities *nameRegistrationAuthorities;
} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One Qualified Certificate Statement.
 * The statementId OID is required; zero or one of {semanticsInfo, otherInfo}
 * can be valid, depending on the value of statementId. For statementId
 * id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2) the semanticsInfo field
 * may be present; otherwise DER-encoded information may be present in
 * otherInfo. Both semanticsInfo and otherInfo are optional (NULL when absent).
 */
typedef struct __CE_QC_Statement {
    CSSM_OID                 statementId;
    CE_SemanticsInformation *semanticsInfo;
    CSSM_DATA               *otherInfo;
} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The top-level Qualified Certificate Statements extension.
 */
typedef struct __CE_QC_Statements {
    uint32           numQCStatements;   /* element count of qcStatements[] */
    CE_QC_Statement *qcStatements;
} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*** CRL extensions ***/

/*
 * cRLNumber, an integer.
 *
 * CSSM OID = CSSMOID_CrlNumber
 */
typedef uint32 CE_CrlNumber;

/*
 * deltaCRLIndicator, an integer.
 *
 * CSSM OID = CSSMOID_DeltaCrlIndicator
 */
typedef uint32 CE_DeltaCrl;

/*
 * IssuingDistributionPoint
 *
 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
 *
 * issuingDistributionPoint ::= SEQUENCE {
 *      distributionPoint       [0] DistributionPointName OPTIONAL,
 *      onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
 *      onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
 *      onlySomeReasons         [3] ReasonFlags OPTIONAL,
 *      indirectCRL             [4] BOOLEAN DEFAULT FALSE }
 *
 * CSSM OID = CSSMOID_IssuingDistributionPoint
 *
 * The DEFAULT FALSE booleans each carry a *Present flag so that an
 * explicitly encoded value can be told apart from an omitted one.
 */
typedef struct __CE_IssuingDistributionPoint {
    CE_DistributionPointName *distPointName;    /* optional, NULL when absent */
    CSSM_BOOL                 onlyUserCertsPresent;
    CSSM_BOOL                 onlyUserCerts;
    CSSM_BOOL                 onlyCACertsPresent;
    CSSM_BOOL                 onlyCACerts;
    CSSM_BOOL                 onlySomeReasonsPresent;
    CE_CrlDistReasonFlags     onlySomeReasons;
    CSSM_BOOL                 indirectCrlPresent;
    CSSM_BOOL                 indirectCrl;
} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * NameConstraints
 *
 * id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }
 *
 * NameConstraints ::= SEQUENCE {
 *      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
 *      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 *
 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 *
 * GeneralSubtree ::= SEQUENCE {
 *      base                    GeneralName,
 *      minimum         [0]     BaseDistance DEFAULT 0,
 *      maximum         [1]     BaseDistance OPTIONAL }
 *
 * BaseDistance ::= INTEGER (0..MAX)
 */
typedef struct __CE_GeneralSubtree {
    CE_GeneralNames *base;
    uint32           minimum;           /* default=0 */
    CSSM_BOOL        maximumPresent;
    uint32           maximum;           /* optional; valid only if maximumPresent */
} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

typedef struct __CE_GeneralSubtrees {
    uint32             numSubtrees;     /* element count of subtrees[] */
    CE_GeneralSubtree *subtrees;
} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

typedef struct __CE_NameConstraints {
    CE_GeneralSubtrees *permitted;      /* optional, NULL when absent */
    CE_GeneralSubtrees *excluded;       /* optional, NULL when absent */
} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * PolicyMappings
 *
 * id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }
 *
 * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
 *      issuerDomainPolicy      CertPolicyId,
 *      subjectDomainPolicy     CertPolicyId }
 *
 * Both issuer and subject policy OIDs are required and are stored by value
 * in this structure.
 */
typedef struct __CE_PolicyMapping {
    CSSM_OID issuerDomainPolicy;
    CSSM_OID subjectDomainPolicy;
} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

typedef struct __CE_PolicyMappings {
    uint32            numPolicyMappings;    /* element count of policyMappings[] */
    CE_PolicyMapping *policyMappings;
} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * PolicyConstraints
 *
 * id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }
 *
 * PolicyConstraints ::= SEQUENCE {
 *      requireExplicitPolicy   [0]     SkipCerts OPTIONAL,
 *      inhibitPolicyMapping    [1]     SkipCerts OPTIONAL }
 *
 * SkipCerts ::= INTEGER (0..MAX)
 */
typedef struct __CE_PolicyConstraints {
    CSSM_BOOL requireExplicitPolicyPresent;
    uint32    requireExplicitPolicy;    /* optional; valid only if *Present */
    CSSM_BOOL inhibitPolicyMappingPresent;
    uint32    inhibitPolicyMapping;     /* optional; valid only if *Present */
} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * InhibitAnyPolicy, an integer.
 *
 * CSSM OID = CSSMOID_InhibitAnyPolicy
 */
typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * An enumerated list identifying one of the above per-extension structs.
 * Each comment names the CE_Data union member the tag selects. The order
 * is load-bearing (values are implicit), so append rather than insert.
 */
typedef enum __CE_DataType {
    DT_AuthorityKeyID,              /* CE_AuthorityKeyID */
    DT_SubjectKeyID,                /* CE_SubjectKeyID */
    DT_KeyUsage,                    /* CE_KeyUsage */
    DT_SubjectAltName,              /* CE_GeneralNames */
    DT_IssuerAltName,               /* CE_GeneralNames */
    DT_ExtendedKeyUsage,            /* CE_ExtendedKeyUsage */
    DT_BasicConstraints,            /* CE_BasicConstraints */
    DT_CertPolicies,                /* CE_CertPolicies */
    DT_NetscapeCertType,            /* CE_NetscapeCertType */
    DT_CrlNumber,                   /* CE_CrlNumber */
    DT_DeltaCrl,                    /* CE_DeltaCrl */
    DT_CrlReason,                   /* CE_CrlReason */
    DT_CrlDistributionPoints,       /* CE_CRLDistPointsSyntax */
    DT_IssuingDistributionPoint,    /* CE_IssuingDistributionPoint */
    DT_AuthorityInfoAccess,         /* CE_AuthorityInfoAccess */
    DT_Other,                       /* unknown, raw data as a CSSM_DATA */
    DT_QC_Statements,               /* CE_QC_Statements */
    DT_NameConstraints,             /* CE_NameConstraints */
    DT_PolicyMappings,              /* CE_PolicyMappings */
    DT_PolicyConstraints,           /* CE_PolicyConstraints */
    DT_InhibitAnyPolicy             /* CE_InhibitAnyPolicy */
} CE_DataType;

/*
 * One unified representation of all the cert and CRL extensions we know
 * about. Only the member named by the accompanying CE_DataType is valid;
 * read any other member and you are reinterpreting unrelated bytes.
 */
typedef union {
    CE_AuthorityKeyID           authorityKeyID;
    CE_SubjectKeyID             subjectKeyID;
    CE_KeyUsage                 keyUsage;
    CE_GeneralNames             subjectAltName;
    CE_GeneralNames             issuerAltName;
    CE_ExtendedKeyUsage         extendedKeyUsage;
    CE_BasicConstraints         basicConstraints;
    CE_CertPolicies             certPolicies;
    CE_NetscapeCertType         netscapeCertType;
    CE_CrlNumber                crlNumber;
    CE_DeltaCrl                 deltaCrl;
    CE_CrlReason                crlReason;
    CE_CRLDistPointsSyntax      crlDistPoints;
    CE_IssuingDistributionPoint issuingDistPoint;
    CE_AuthorityInfoAccess      authorityInfoAccess;
    CE_QC_Statements            qualifiedCertStatements;
    CE_NameConstraints          nameConstraints;
    CE_PolicyMappings           policyMappings;
    CE_PolicyConstraints        policyConstraints;
    CE_InhibitAnyPolicy         inhibitAnyPolicy;
    CSSM_DATA                   rawData;    /* unknown, not decoded */
} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/* A decoded extension: the discriminator, the payload it selects, and the
 * extension's critical bit (an unrecognised critical extension must be
 * rejected by the consumer; the type here is DT_Other in that case). */
typedef struct __CE_DataAndType {
    CE_DataType type;
    CE_Data     extension;
    CSSM_BOOL   critical;
} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#endif /* SEC_OS_OSX */

#if SEC_OS_OSX
#pragma clang diagnostic pop
#endif

#endif /* _CERT_EXTENSIONS_H_ */