sslAppUtils.h
/*
 * Copyright (c) 2006-2008,2010 Apple Inc. All Rights Reserved.
 */

/*
 * sslAppUtils.h
 *
 * Helper declarations shared by SecureTransport client/server programs
 * (the sslVerify* helpers take a "client"/"server" side and an
 * expected-vs-got pair, which suggests a test-harness role; confirm
 * against the callers). Covers: stringification of cipher suites,
 * protocol versions and errors; keychain/identity lookup; installation
 * of trusted anchors; and restriction of enabled ciphers/protocols.
 *
 * NOTE(review): several helpers here deliberately widen trust for test
 * purposes (e.g., addIdentityAsTrustedRoot, the 40-bit/DES/RC4/MD5/
 * anonymous-DH suite lists). They document how a test is configured;
 * they are not a template for production TLS setup.
 */

#ifndef _SSLS_APP_UTILS_H_
#define _SSLS_APP_UTILS_H_ 1

#include <Security/SecBase.h>
#include <Security/SecureTransport.h>
#include <Security/SecureTransportPriv.h>
#include <CoreFoundation/CFArray.h>
#include <stdbool.h>
#include <Security/SecCertificate.h>

#ifdef __cplusplus
extern "C" {
#endif

/* disable some Panther-only features */
#define JAGUAR_BUILD 0

/*
 * Human-readable names for SecureTransport enums and status codes.
 * Whether an unknown value yields a placeholder string or NULL is
 * decided by the implementation; callers printing with %s should
 * confirm before relying on a non-NULL result.
 */
const char *sslGetCipherSuiteString(SSLCipherSuite cs);
const char *sslGetProtocolVersionString(SSLProtocol prot);
const char *sslGetSSLErrString(OSStatus err);
/* Report err, labelled with the operation name op. */
void printSslErrStr(const char *op, OSStatus err);
const char *sslGetClientCertStateString(SSLClientCertificateState state);
const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);

/*
 * Obtain the certificate array (identity first) from a keychain.
 * kcName may be NULL to use the default keychain. When
 * completeCertChain is true the chain is filled in, optionally using
 * anchorFile as an additional trusted anchor. The keychain that was
 * opened is handed back via pKcRef.
 * Ownership of the returned array and *pKcRef is presumably the
 * caller's (CF "create" semantics) — confirm against the implementation.
 */
CFArrayRef getSslCerts(
	const char *kcName,					// may be NULL, i.e., use default
	bool encryptOnly,
	bool completeCertChain,
	const char *anchorFile,				// optional trusted anchor
	SecKeychainRef *pKcRef);			// RETURNED
/*
 * Build the full chain for identity into *outArray. trustedAnchor, if
 * non-NULL, is accepted as an additional root during chain building;
 * includeRoot controls whether the root itself is appended.
 */
OSStatus sslCompleteCertChain(
	SecIdentityRef identity,
	SecCertificateRef trustedAnchor,	// optional additional trusted anchor
	bool includeRoot,					// include the root in outArray
	// const CSSM_OID *vfyPolicy,		// optional - if NULL, use SSL
	CFArrayRef *outArray);				// created and RETURNED
/*
 * Same as getSslCerts but for an already-open keychain; trustedAnchorFile
 * is an optional path to an anchor used when completing the chain.
 */
CFArrayRef sslKcRefToCertArray(
	SecKeychainRef kcRef,
	bool encryptOnly,
	bool completeCertChain,
	// const CSSM_OID *vfyPolicy,		// optional - if NULL, use SSL policy to complete
	const char *trustedAnchorFile);

/*
 * Trusted-anchor installation on an SSLContextRef.
 * replaceAnchors == true replaces the context's existing trusted
 * anchors with the given one(s) rather than adding to them.
 */
OSStatus addTrustedSecCert(
	SSLContextRef ctx,
	SecCertificateRef secCert,
	bool replaceAnchors);
/* Read a certificate from anchorFile into *certRef (caller releases). */
OSStatus sslReadAnchor(
	const char *anchorFile,
	SecCertificateRef *certRef);
/* sslReadAnchor + addTrustedSecCert in one call. */
OSStatus sslAddTrustedRoot(
	SSLContextRef ctx,
	const char *anchorFile,
	bool replaceAnchors);

/*
 * Assume incoming identity contains a root (e.g., created by
 * certtool) and add that cert to ST's trusted anchors. This
 * enables ST's verify of the incoming chain to succeed without
 * a kludgy "AllowAnyRoot" specification.
 *
 * NOTE(review): this trusts whatever root the peer-supplied identity
 * carries, so verification becomes self-referential. Appropriate for a
 * test that generated both ends; not a substitute for a real trust store.
 */
OSStatus addIdentityAsTrustedRoot(
	SSLContextRef ctx,
	CFArrayRef identArray);

/*
 * Add every root found in keychain as a trusted anchor on ctx.
 * *foundOne reports whether at least one was added.
 */
OSStatus sslAddTrustedRoots(
	SSLContextRef ctx,
	SecKeychainRef keychain,
	bool *foundOne);

/* Progress indicator (emits a single dot). */
void sslOutputDot(void);

/*
 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
 *
 * Each list is terminated by SSL_NO_SUCH_CIPHERSUITE (see
 * sslSetEnabledCiphers below). The 40-bit (suites40, suitesDES40,
 * suitesRC4_40), DES, RC2, RC4, MD5 and anonymous-DH (suitesDHAnon)
 * lists describe legacy/export-grade or unauthenticated suites and
 * exist so tests can exercise them; enabling them is a deliberate
 * downgrade, not a default.
 */
extern const SSLCipherSuite suites40[];
extern const SSLCipherSuite suitesDES[];
extern const SSLCipherSuite suitesDES40[];
extern const SSLCipherSuite suites3DES[];
extern const SSLCipherSuite suitesRC4[];
extern const SSLCipherSuite suitesRC4_40[];
extern const SSLCipherSuite suitesRC2[];
extern const SSLCipherSuite suitesAES128[];
extern const SSLCipherSuite suitesAES256[];
extern const SSLCipherSuite suitesDH[];
extern const SSLCipherSuite suitesDHAnon[];
extern const SSLCipherSuite suitesDH_RSA[];
extern const SSLCipherSuite suitesDH_DSS[];
extern const SSLCipherSuite suites_SHA1[];
extern const SSLCipherSuite suites_MD5[];
extern const SSLCipherSuite suites_ECDHE[];
extern const SSLCipherSuite suites_ECDH[];

/*
 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
 * supports and do a SSLSetEnabledCiphers() specifying those.
 * Suites the library does not support are silently dropped, so the
 * resulting enabled set may be smaller than the list passed in.
 */
OSStatus sslSetEnabledCiphers(
	SSLContextRef ctx,
	const SSLCipherSuite *ciphers);

/*
 * Specify restricted sets of cipherspecs and protocols.
 * cipherRestrict is a one-character code selecting one of the suite
 * lists declared above; the code-to-list mapping lives in the
 * implementation.
 */
OSStatus sslSetCipherRestrictions(
	SSLContextRef ctx,
	char cipherRestrict);

#ifndef SPHINX
/*
 * Restrict the protocol versions ctx will negotiate. acceptedProts is a
 * string describing the accepted versions; when it is NULL, tryVersion
 * alone is used.
 */
OSStatus sslSetProtocols(
	SSLContextRef ctx,
	const char *acceptedProts,
	SSLProtocol tryVersion);		// only used if acceptedProts NULL
#endif

/*
 * Expected-vs-actual checks for one side of a handshake; whichSide is
 * used to label any mismatch that is reported. The int return is an
 * error indicator — confirm its sense (zero on match) against the
 * implementation before treating it like sslCheckFile's.
 */
int sslVerifyRtn(
	const char *whichSide,		// "client" or "server"
	OSStatus expectRtn,
	OSStatus gotRtn);
int sslVerifyProtVers(
	const char *whichSide,		// "client" or "server"
	SSLProtocol expectProt,
	SSLProtocol gotProt);
int sslVerifyClientCertState(
	const char *whichSide,		// "client" or "server"
	SSLClientCertificateState expectState,
	SSLClientCertificateState gotState);
int sslVerifyCipher(
	const char *whichSide,		// "client" or "server"
	SSLCipherSuite expectCipher,
	SSLCipherSuite gotCipher);


/*
 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
 */
OSStatus sslIdentityPicker(
	SecKeychainRef kcRef,			// NULL means use default list
	const char *trustedAnchor,		// optional additional trusted anchor
	bool includeRoot,				// true --> root is appended to outArray
									// false --> root not included
	// const CSSM_OID *vfyPolicy,	// optional - if NULL, use SSL
	CFArrayRef *outArray);			// created and RETURNED

/*
 * Resolve a keychain name to a filesystem path. kcPath must point to at
 * least MAXPATHLEN bytes: no length is passed in, so a smaller buffer
 * cannot be detected and would be overrun.
 */
void sslKeychainPath(
	const char *kcName,
	char *kcPath);					// allocd by caller, MAXPATHLEN

/* Verify presence of required file. Returns nonzero if not found. */
int sslCheckFile(const char *path);

/* Stringify a SSL_ECDSA_NamedCurve */
extern const char *sslCurveString(
	SSL_ECDSA_NamedCurve namedCurve);

/*
 * Build key material from raw in-memory DER. ecdsa selects the key type
 * (true = EC; the non-EC case is presumably RSA — confirm). Lengths are
 * explicit, so callers must pass the exact size of each buffer.
 * chain_from_der returns an identity/certificate array suitable for
 * SSLSetCertificate-style use; the caller owns the returned objects.
 */
SecKeyRef create_private_key_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len);
CFArrayRef chain_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len, const unsigned char *cert_der, size_t cert_der_len);

#ifdef __cplusplus
}
#endif

#endif	/* _SSLS_APP_UTILS_H_ */