Abhishek Banthia
9 years ago
137 changed files with 36538 additions and 0 deletions
Binary file not shown.
@ -0,0 +1 @@
|
||||
Versions/Current/Crashlytics |
@ -0,0 +1 @@
|
||||
Versions/Current/Resources |
Binary file not shown.
@ -0,0 +1,31 @@
|
||||
//
|
||||
// ANSCompatibility.h
|
||||
// AnswersKit
|
||||
//
|
||||
// Copyright (c) 2015 Crashlytics, Inc. All rights reserved.
|
||||
//
|
||||
|
||||
#pragma once |
||||
|
||||
#if !__has_feature(nullability) |
||||
#define nonnull |
||||
#define nullable |
||||
#define _Nullable |
||||
#define _Nonnull |
||||
#endif |
||||
|
||||
#ifndef NS_ASSUME_NONNULL_BEGIN |
||||
#define NS_ASSUME_NONNULL_BEGIN |
||||
#endif |
||||
|
||||
#ifndef NS_ASSUME_NONNULL_END |
||||
#define NS_ASSUME_NONNULL_END |
||||
#endif |
||||
|
||||
#if __has_feature(objc_generics) |
||||
#define ANS_GENERIC_NSARRAY(type) NSArray<type> |
||||
#define ANS_GENERIC_NSDICTIONARY(key_type,object_key) NSDictionary<key_type, object_key> |
||||
#else |
||||
#define ANS_GENERIC_NSARRAY(type) NSArray |
||||
#define ANS_GENERIC_NSDICTIONARY(key_type,object_key) NSDictionary |
||||
#endif |
@ -0,0 +1,210 @@
|
||||
//
|
||||
// Answers.h
|
||||
// Crashlytics
|
||||
//
|
||||
// Copyright (c) 2015 Crashlytics, Inc. All rights reserved.
|
||||
//
|
||||
|
||||
#import <Foundation/Foundation.h> |
||||
#import "ANSCompatibility.h" |
||||
|
||||
NS_ASSUME_NONNULL_BEGIN |
||||
|
||||
/**
|
||||
* This class exposes the Answers Events API, allowing you to track key
|
||||
* user user actions and metrics in your app. |
||||
*/ |
||||
@interface Answers : NSObject |
||||
|
||||
/**
|
||||
* Log a Sign Up event to see users signing up for your app in real-time, understand how |
||||
* many users are signing up with different methods and their success rate signing up. |
||||
* |
||||
* @param signUpMethodOrNil The method by which a user logged in, e.g. Twitter or Digits. |
||||
* @param signUpSucceededOrNil The ultimate success or failure of the login |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this purchase. |
||||
*/ |
||||
+ (void)logSignUpWithMethod:(nullable NSString *)signUpMethodOrNil |
||||
success:(nullable NSNumber *)signUpSucceededOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log an Log In event to see users logging into your app in real-time, understand how many |
||||
* users are logging in with different methods and their success rate logging into your app. |
||||
* |
||||
* @param loginMethodOrNil The method by which a user logged in, e.g. email, Twitter or Digits. |
||||
* @param loginSucceededOrNil The ultimate success or failure of the login |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this purchase. |
||||
*/ |
||||
+ (void)logLoginWithMethod:(nullable NSString *)loginMethodOrNil |
||||
success:(nullable NSNumber *)loginSucceededOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log a Share event to see users sharing from your app in real-time, letting you |
||||
* understand what content they're sharing from the type or genre down to the specific id. |
||||
* |
||||
* @param shareMethodOrNil The method by which a user shared, e.g. email, Twitter, SMS. |
||||
* @param contentNameOrNil The human readable name for this piece of content. |
||||
* @param contentTypeOrNil The type of content shared. |
||||
* @param contentIdOrNil The unique identifier for this piece of content. Useful for finding the top shared item. |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this event. |
||||
*/ |
||||
+ (void)logShareWithMethod:(nullable NSString *)shareMethodOrNil |
||||
contentName:(nullable NSString *)contentNameOrNil |
||||
contentType:(nullable NSString *)contentTypeOrNil |
||||
contentId:(nullable NSString *)contentIdOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log an Invite Event to track how users are inviting other users into |
||||
* your application. |
||||
* |
||||
* @param inviteMethodOrNil The method of invitation, e.g. GameCenter, Twitter, email. |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this purchase. |
||||
*/ |
||||
+ (void)logInviteWithMethod:(nullable NSString *)inviteMethodOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log a Purchase event to see your revenue in real-time, understand how many users are making purchases, see which |
||||
* items are most popular, and track plenty of other important purchase-related metrics. |
||||
* |
||||
* @param itemPriceOrNil The purchased item's price. |
||||
* @param currencyOrNil The ISO4217 currency code. Example: USD |
||||
* @param purchaseSucceededOrNil Was the purchase succesful or unsuccesful |
||||
* @param itemNameOrNil The human-readable form of the item's name. Example: |
||||
* @param itemIdOrNil The machine-readable, unique item identifier Example: SKU |
||||
* @param itemTypeOrNil The type, or genre of the item. Example: Song |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this purchase. |
||||
*/ |
||||
+ (void)logPurchaseWithPrice:(nullable NSDecimalNumber *)itemPriceOrNil |
||||
currency:(nullable NSString *)currencyOrNil |
||||
success:(nullable NSNumber *)purchaseSucceededOrNil |
||||
itemName:(nullable NSString *)itemNameOrNil |
||||
itemType:(nullable NSString *)itemTypeOrNil |
||||
itemId:(nullable NSString *)itemIdOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log a Level Start Event to track where users are in your game. |
||||
* |
||||
* @param levelNameOrNil The level name |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this level start event. |
||||
*/ |
||||
+ (void)logLevelStart:(nullable NSString *)levelNameOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log a Level End event to track how users are completing levels in your game. |
||||
* |
||||
* @param levelNameOrNil The name of the level completed, E.G. "1" or "Training" |
||||
* @param scoreOrNil The score the user completed the level with. |
||||
* @param levelCompletedSuccesfullyOrNil A boolean representing whether or not the level was completed succesfully. |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this purchase. |
||||
*/ |
||||
+ (void)logLevelEnd:(nullable NSString *)levelNameOrNil |
||||
score:(nullable NSNumber *)scoreOrNil |
||||
success:(nullable NSNumber *)levelCompletedSuccesfullyOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log an Add to Cart event to see users adding items to a shopping cart in real-time, understand how |
||||
* many users start the purchase flow, see which items are most popular, and track plenty of other important |
||||
* purchase-related metrics. |
||||
* |
||||
* @param itemPriceOrNil The purchased item's price. |
||||
* @param currencyOrNil The ISO4217 currency code. Example: USD |
||||
* @param itemNameOrNil The human-readable form of the item's name. Example: |
||||
* @param itemTypeOrNil The type, or genre of the item. Example: Song |
||||
* @param itemIdOrNil The machine-readable, unique item identifier Example: SKU |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this purchase. |
||||
*/ |
||||
+ (void)logAddToCartWithPrice:(nullable NSDecimalNumber *)itemPriceOrNil |
||||
currency:(nullable NSString *)currencyOrNil |
||||
itemName:(nullable NSString *)itemNameOrNil |
||||
itemType:(nullable NSString *)itemTypeOrNil |
||||
itemId:(nullable NSString *)itemIdOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log a Start Checkout event to see users moving through the purchase funnel in real-time, understand how many |
||||
* users are doing this and how much they're spending per checkout, and see how it related to other important |
||||
* purchase-related metrics. |
||||
* |
||||
* @param totalPriceOrNil The total price of the cart. |
||||
* @param currencyOrNil The ISO4217 currency code. Example: USD |
||||
* @param itemCountOrNil The number of items in the cart. |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this purchase. |
||||
*/ |
||||
+ (void)logStartCheckoutWithPrice:(nullable NSDecimalNumber *)totalPriceOrNil |
||||
currency:(nullable NSString *)currencyOrNil |
||||
itemCount:(nullable NSNumber *)itemCountOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log a Rating event to see users rating content within your app in real-time and understand what |
||||
* content is most engaging, from the type or genre down to the specific id. |
||||
* |
||||
* @param ratingOrNil The integer rating given by the user. |
||||
* @param contentNameOrNil The human readable name for this piece of content. |
||||
* @param contentTypeOrNil The type of content shared. |
||||
* @param contentIdOrNil The unique identifier for this piece of content. Useful for finding the top shared item. |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this event. |
||||
*/ |
||||
+ (void)logRating:(nullable NSNumber *)ratingOrNil |
||||
contentName:(nullable NSString *)contentNameOrNil |
||||
contentType:(nullable NSString *)contentTypeOrNil |
||||
contentId:(nullable NSString *)contentIdOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log a Content View event to see users viewing content within your app in real-time and |
||||
* understand what content is most engaging, from the type or genre down to the specific id. |
||||
* |
||||
* @param contentNameOrNil The human readable name for this piece of content. |
||||
* @param contentTypeOrNil The type of content shared. |
||||
* @param contentIdOrNil The unique identifier for this piece of content. Useful for finding the top shared item. |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this event. |
||||
*/ |
||||
+ (void)logContentViewWithName:(nullable NSString *)contentNameOrNil |
||||
contentType:(nullable NSString *)contentTypeOrNil |
||||
contentId:(nullable NSString *)contentIdOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log a Search event allows you to see users searching within your app in real-time and understand |
||||
* exactly what they're searching for. |
||||
* |
||||
* @param queryOrNil The user's query. |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this event. |
||||
*/ |
||||
+ (void)logSearchWithQuery:(nullable NSString *)queryOrNil |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
/**
|
||||
* Log a Custom Event to see user actions that are uniquely important for your app in real-time, to see how often |
||||
* they're performing these actions with breakdowns by different categories you add. Use a human-readable name for |
||||
* the name of the event, since this is how the event will appear in Answers. |
||||
* |
||||
* @param eventName The human-readable name for the event. |
||||
* @param customAttributesOrNil A dictionary of custom attributes to associate with this purchase. Attribute keys |
||||
* must be <code>NSString</code> and and values must be <code>NSNumber</code> or <code>NSString</code>. |
||||
* @discussion How we treat <code>NSNumbers</code>: |
||||
* We will provide information about the distribution of values over time. |
||||
* |
||||
* How we treat <code>NSStrings</code>: |
||||
* NSStrings are used as categorical data, allowing comparison across different category values. |
||||
* Strings are limited to a maximum length of 100 characters, attributes over this length will be |
||||
* truncated. |
||||
* |
||||
* When tracking the Tweet views to better understand user engagement, sending the tweet's length |
||||
* and the type of media present in the tweet allows you to track how tweet length and the type of media influence |
||||
* engagement. |
||||
*/ |
||||
+ (void)logCustomEventWithName:(NSString *)eventName |
||||
customAttributes:(nullable ANS_GENERIC_NSDICTIONARY(NSString *, id) *)customAttributesOrNil; |
||||
|
||||
@end |
||||
|
||||
NS_ASSUME_NONNULL_END |
@ -0,0 +1,33 @@
|
||||
//
|
||||
// CLSAttributes.h
|
||||
// Crashlytics
|
||||
//
|
||||
// Copyright (c) 2015 Crashlytics, Inc. All rights reserved.
|
||||
//
|
||||
|
||||
#pragma once |
||||
|
||||
#define CLS_DEPRECATED(x) __attribute__ ((deprecated(x))) |
||||
|
||||
#if !__has_feature(nullability) |
||||
#define nonnull |
||||
#define nullable |
||||
#define _Nullable |
||||
#define _Nonnull |
||||
#endif |
||||
|
||||
#ifndef NS_ASSUME_NONNULL_BEGIN |
||||
#define NS_ASSUME_NONNULL_BEGIN |
||||
#endif |
||||
|
||||
#ifndef NS_ASSUME_NONNULL_END |
||||
#define NS_ASSUME_NONNULL_END |
||||
#endif |
||||
|
||||
#if __has_feature(objc_generics) |
||||
#define CLS_GENERIC_NSARRAY(type) NSArray<type> |
||||
#define CLS_GENERIC_NSDICTIONARY(key_type,object_key) NSDictionary<key_type, object_key> |
||||
#else |
||||
#define CLS_GENERIC_NSARRAY(type) NSArray |
||||
#define CLS_GENERIC_NSDICTIONARY(key_type,object_key) NSDictionary |
||||
#endif |
@ -0,0 +1,64 @@
|
||||
//
|
||||
// CLSLogging.h
|
||||
// Crashlytics
|
||||
//
|
||||
// Copyright (c) 2015 Crashlytics, Inc. All rights reserved.
|
||||
//
|
||||
#ifdef __OBJC__ |
||||
#import "CLSAttributes.h" |
||||
#import <Foundation/Foundation.h> |
||||
|
||||
NS_ASSUME_NONNULL_BEGIN |
||||
#endif |
||||
|
||||
|
||||
|
||||
/**
|
||||
* |
||||
* The CLS_LOG macro provides as easy way to gather more information in your log messages that are |
||||
* sent with your crash data. CLS_LOG prepends your custom log message with the function name and |
||||
* line number where the macro was used. If your app was built with the DEBUG preprocessor macro |
||||
* defined CLS_LOG uses the CLSNSLog function which forwards your log message to NSLog and CLSLog. |
||||
* If the DEBUG preprocessor macro is not defined CLS_LOG uses CLSLog only. |
||||
* |
||||
* Example output: |
||||
* -[AppDelegate login:] line 134 $ login start |
||||
* |
||||
* If you would like to change this macro, create a new header file, unset our define and then define |
||||
* your own version. Make sure this new header file is imported after the Crashlytics header file. |
||||
* |
||||
* #undef CLS_LOG |
||||
* #define CLS_LOG(__FORMAT__, ...) CLSNSLog... |
||||
* |
||||
**/ |
||||
#ifdef __OBJC__ |
||||
#ifdef DEBUG |
||||
#define CLS_LOG(__FORMAT__, ...) CLSNSLog((@"%s line %d $ " __FORMAT__), __PRETTY_FUNCTION__, __LINE__, ##__VA_ARGS__) |
||||
#else |
||||
#define CLS_LOG(__FORMAT__, ...) CLSLog((@"%s line %d $ " __FORMAT__), __PRETTY_FUNCTION__, __LINE__, ##__VA_ARGS__) |
||||
#endif |
||||
#endif |
||||
|
||||
/**
|
||||
* |
||||
* Add logging that will be sent with your crash data. This logging will not show up in the system.log |
||||
* and will only be visible in your Crashlytics dashboard. |
||||
* |
||||
**/ |
||||
|
||||
#ifdef __OBJC__ |
||||
OBJC_EXTERN void CLSLog(NSString *format, ...) NS_FORMAT_FUNCTION(1,2); |
||||
OBJC_EXTERN void CLSLogv(NSString *format, va_list ap) NS_FORMAT_FUNCTION(1,0); |
||||
|
||||
/**
|
||||
* |
||||
* Add logging that will be sent with your crash data. This logging will show up in the system.log |
||||
* and your Crashlytics dashboard. It is not recommended for Release builds. |
||||
* |
||||
**/ |
||||
OBJC_EXTERN void CLSNSLog(NSString *format, ...) NS_FORMAT_FUNCTION(1,2); |
||||
OBJC_EXTERN void CLSNSLogv(NSString *format, va_list ap) NS_FORMAT_FUNCTION(1,0); |
||||
|
||||
|
||||
NS_ASSUME_NONNULL_END |
||||
#endif |
@ -0,0 +1,103 @@
|
||||
//
|
||||
// CLSReport.h
|
||||
// Crashlytics
|
||||
//
|
||||
// Copyright (c) 2015 Crashlytics, Inc. All rights reserved.
|
||||
//
|
||||
|
||||
#import <Foundation/Foundation.h> |
||||
#import "CLSAttributes.h" |
||||
|
||||
NS_ASSUME_NONNULL_BEGIN |
||||
|
||||
/**
|
||||
* The CLSCrashReport protocol is deprecated. See the CLSReport class and the CrashyticsDelegate changes for details. |
||||
**/ |
||||
@protocol CLSCrashReport <NSObject> |
||||
|
||||
@property (nonatomic, copy, readonly) NSString *identifier; |
||||
@property (nonatomic, copy, readonly) NSDictionary *customKeys; |
||||
@property (nonatomic, copy, readonly) NSString *bundleVersion; |
||||
@property (nonatomic, copy, readonly) NSString *bundleShortVersionString; |
||||
@property (nonatomic, copy, readonly) NSDate *crashedOnDate; |
||||
@property (nonatomic, copy, readonly) NSString *OSVersion; |
||||
@property (nonatomic, copy, readonly) NSString *OSBuildVersion; |
||||
|
||||
@end |
||||
|
||||
/**
|
||||
* The CLSReport exposes an interface to the phsyical report that Crashlytics has created. You can |
||||
* use this class to get information about the event, and can also set some values after the |
||||
* event has occured. |
||||
**/ |
||||
@interface CLSReport : NSObject <CLSCrashReport> |
||||
|
||||
- (instancetype)init NS_UNAVAILABLE; |
||||
+ (instancetype)new NS_UNAVAILABLE; |
||||
|
||||
/**
|
||||
* Returns the session identifier for the report. |
||||
**/ |
||||
@property (nonatomic, copy, readonly) NSString *identifier; |
||||
|
||||
/**
|
||||
* Returns the custom key value data for the report. |
||||
**/ |
||||
@property (nonatomic, copy, readonly) NSDictionary *customKeys; |
||||
|
||||
/**
|
||||
* Returns the CFBundleVersion of the application that generated the report. |
||||
**/ |
||||
@property (nonatomic, copy, readonly) NSString *bundleVersion; |
||||
|
||||
/**
|
||||
* Returns the CFBundleShortVersionString of the application that generated the report. |
||||
**/ |
||||
@property (nonatomic, copy, readonly) NSString *bundleShortVersionString; |
||||
|
||||
/**
|
||||
* Returns the date that the report was created. |
||||
**/ |
||||
@property (nonatomic, copy, readonly) NSDate *dateCreated; |
||||
|
||||
/**
|
||||
* Returns the os version that the application crashed on. |
||||
**/ |
||||
@property (nonatomic, copy, readonly) NSString *OSVersion; |
||||
|
||||
/**
|
||||
* Returns the os build version that the application crashed on. |
||||
**/ |
||||
@property (nonatomic, copy, readonly) NSString *OSBuildVersion; |
||||
|
||||
/**
|
||||
* Returns YES if the report contains any crash information, otherwise returns NO. |
||||
**/ |
||||
@property (nonatomic, assign, readonly) BOOL isCrash; |
||||
|
||||
/**
|
||||
* You can use this method to set, after the event, additional custom keys. The rules |
||||
* and semantics for this method are the same as those documented in Crashlytics.h. Be aware |
||||
* that the maximum size and count of custom keys is still enforced, and you can overwrite keys |
||||
* and/or cause excess keys to be deleted by using this method. |
||||
**/ |
||||
- (void)setObjectValue:(nullable id)value forKey:(NSString *)key; |
||||
|
||||
/**
|
||||
* Record an application-specific user identifier. See Crashlytics.h for details. |
||||
**/ |
||||
@property (nonatomic, copy, nullable) NSString * userIdentifier; |
||||
|
||||
/**
|
||||
* Record a user name. See Crashlytics.h for details. |
||||
**/ |
||||
@property (nonatomic, copy, nullable) NSString * userName; |
||||
|
||||
/**
|
||||
* Record a user email. See Crashlytics.h for details. |
||||
**/ |
||||
@property (nonatomic, copy, nullable) NSString * userEmail; |
||||
|
||||
@end |
||||
|
||||
NS_ASSUME_NONNULL_END |
@ -0,0 +1,37 @@
|
||||
//
|
||||
// CLSStackFrame.h
|
||||
// Crashlytics
|
||||
//
|
||||
// Copyright 2015 Crashlytics, Inc. All rights reserved.
|
||||
//
|
||||
|
||||
#import <Foundation/Foundation.h> |
||||
#import "CLSAttributes.h" |
||||
|
||||
NS_ASSUME_NONNULL_BEGIN |
||||
|
||||
/**
|
||||
* |
||||
* This class is used in conjunction with -[Crashlytics recordCustomExceptionName:reason:frameArray:] to |
||||
* record information about non-ObjC/C++ exceptions. All information included here will be displayed
|
||||
* in the Crashlytics UI, and can influence crash grouping. Be particularly careful with the use of the
|
||||
* address property. If set, Crashlytics will attempt symbolication and could overwrite other properities
|
||||
* in the process. |
||||
* |
||||
**/ |
||||
@interface CLSStackFrame : NSObject |
||||
|
||||
+ (instancetype)stackFrame; |
||||
+ (instancetype)stackFrameWithAddress:(NSUInteger)address; |
||||
+ (instancetype)stackFrameWithSymbol:(NSString *)symbol; |
||||
|
||||
@property (nonatomic, copy, nullable) NSString *symbol; |
||||
@property (nonatomic, copy, nullable) NSString *library; |
||||
@property (nonatomic, copy, nullable) NSString *fileName; |
||||
@property (nonatomic, assign) uint32_t lineNumber; |
||||
@property (nonatomic, assign) uint64_t offset; |
||||
@property (nonatomic, assign) uint64_t address; |
||||
|
||||
@end |
||||
|
||||
NS_ASSUME_NONNULL_END |
@ -0,0 +1,248 @@
|
||||
//
|
||||
// Crashlytics.h
|
||||
// Crashlytics
|
||||
//
|
||||
// Copyright (c) 2015 Crashlytics, Inc. All rights reserved.
|
||||
//
|
||||
|
||||
#import <Foundation/Foundation.h> |
||||
|
||||
#import "CLSAttributes.h" |
||||
#import "CLSLogging.h" |
||||
#import "CLSReport.h" |
||||
#import "CLSStackFrame.h" |
||||
#import "Answers.h" |
||||
|
||||
NS_ASSUME_NONNULL_BEGIN |
||||
|
||||
@protocol CrashlyticsDelegate; |
||||
|
||||
/**
|
||||
* Crashlytics. Handles configuration and initialization of Crashlytics. |
||||
*/ |
||||
@interface Crashlytics : NSObject |
||||
|
||||
@property (nonatomic, readonly, copy) NSString *APIKey; |
||||
@property (nonatomic, readonly, copy) NSString *version; |
||||
@property (nonatomic, assign) BOOL debugMode; |
||||
|
||||
/**
|
||||
* |
||||
* The delegate can be used to influence decisions on reporting and behavior, as well as reacting |
||||
* to previous crashes. |
||||
* |
||||
* Make certain that the delegate is setup before starting Crashlytics with startWithAPIKey:... or |
||||
* via +[Fabric with:...]. Failure to do will result in missing any delegate callbacks that occur |
||||
* synchronously during start. |
||||
* |
||||
**/ |
||||
@property (nonatomic, assign, nullable) id <CrashlyticsDelegate> delegate; |
||||
|
||||
/**
|
||||
* The recommended way to install Crashlytics into your application is to place a call to +startWithAPIKey:
|
||||
* in your -application:didFinishLaunchingWithOptions: or -applicationDidFinishLaunching: |
||||
* method. |
||||
* |
||||
* Note: Starting with 3.0, the submission process has been significantly improved. The delay parameter |
||||
* is no longer required to throttle submissions on launch, performance will be great without it. |
||||
* |
||||
* @param apiKey The Crashlytics API Key for this app |
||||
* |
||||
* @return The singleton Crashlytics instance |
||||
*/ |
||||
+ (Crashlytics *)startWithAPIKey:(NSString *)apiKey; |
||||
+ (Crashlytics *)startWithAPIKey:(NSString *)apiKey afterDelay:(NSTimeInterval)delay CLS_DEPRECATED("Crashlytics no longer needs or uses the delay parameter. Please use +startWithAPIKey: instead."); |
||||
|
||||
/**
|
||||
* If you need the functionality provided by the CrashlyticsDelegate protocol, you can use |
||||
* these convenience methods to activate the framework and set the delegate in one call. |
||||
*
|
||||
* @param apiKey The Crashlytics API Key for this app |
||||
* @param delegate A delegate object which conforms to CrashlyticsDelegate. |
||||
* |
||||
* @return The singleton Crashlytics instance |
||||
*/ |
||||
+ (Crashlytics *)startWithAPIKey:(NSString *)apiKey delegate:(nullable id<CrashlyticsDelegate>)delegate; |
||||
+ (Crashlytics *)startWithAPIKey:(NSString *)apiKey delegate:(nullable id<CrashlyticsDelegate>)delegate afterDelay:(NSTimeInterval)delay CLS_DEPRECATED("Crashlytics no longer needs or uses the delay parameter. Please use +startWithAPIKey:delegate: instead."); |
||||
|
||||
/**
|
||||
* Access the singleton Crashlytics instance. |
||||
* |
||||
* @return The singleton Crashlytics instance |
||||
*/ |
||||
+ (Crashlytics *)sharedInstance; |
||||
|
||||
/**
|
||||
* The easiest way to cause a crash - great for testing! |
||||
*/ |
||||
- (void)crash; |
||||
|
||||
/**
|
||||
* The easiest way to cause a crash with an exception - great for testing. |
||||
*/ |
||||
- (void)throwException; |
||||
|
||||
/**
|
||||
* Specify a user identifier which will be visible in the Crashlytics UI. |
||||
* |
||||
* Many of our customers have requested the ability to tie crashes to specific end-users of their |
||||
* application in order to facilitate responses to support requests or permit the ability to reach |
||||
* out for more information. We allow you to specify up to three separate values for display within |
||||
* the Crashlytics UI - but please be mindful of your end-user's privacy. |
||||
* |
||||
* We recommend specifying a user identifier - an arbitrary string that ties an end-user to a record |
||||
* in your system. This could be a database id, hash, or other value that is meaningless to a |
||||
* third-party observer but can be indexed and queried by you. |
||||
* |
||||
* Optionally, you may also specify the end-user's name or username, as well as email address if you |
||||
* do not have a system that works well with obscured identifiers. |
||||
* |
||||
* Pursuant to our EULA, this data is transferred securely throughout our system and we will not |
||||
* disseminate end-user data unless required to by law. That said, if you choose to provide end-user |
||||
* contact information, we strongly recommend that you disclose this in your application's privacy |
||||
* policy. Data privacy is of our utmost concern. |
||||
* |
||||
* @param identifier An arbitrary user identifier string which ties an end-user to a record in your system. |
||||
*/ |
||||
- (void)setUserIdentifier:(nullable NSString *)identifier; |
||||
|
||||
/**
|
||||
* Specify a user name which will be visible in the Crashlytics UI. |
||||
* Please be mindful of your end-user's privacy and see if setUserIdentifier: can fulfil your needs. |
||||
* @see setUserIdentifier: |
||||
* |
||||
* @param name An end user's name. |
||||
*/ |
||||
- (void)setUserName:(nullable NSString *)name; |
||||
|
||||
/**
|
||||
* Specify a user email which will be visible in the Crashlytics UI. |
||||
* Please be mindful of your end-user's privacy and see if setUserIdentifier: can fulfil your needs. |
||||
*
|
||||
* @see setUserIdentifier: |
||||
* |
||||
* @param email An end user's email address. |
||||
*/ |
||||
- (void)setUserEmail:(nullable NSString *)email; |
||||
|
||||
+ (void)setUserIdentifier:(nullable NSString *)identifier CLS_DEPRECATED("Please access this method via +sharedInstance"); |
||||
+ (void)setUserName:(nullable NSString *)name CLS_DEPRECATED("Please access this method via +sharedInstance"); |
||||
+ (void)setUserEmail:(nullable NSString *)email CLS_DEPRECATED("Please access this method via +sharedInstance"); |
||||
|
||||
/**
|
||||
* Set a value for a for a key to be associated with your crash data which will be visible in the Crashlytics UI. |
||||
* When setting an object value, the object is converted to a string. This is typically done by calling
|
||||
* -[NSObject description]. |
||||
* |
||||
* @param value The object to be associated with the key |
||||
* @param key The key with which to associate the value |
||||
*/ |
||||
- (void)setObjectValue:(nullable id)value forKey:(NSString *)key; |
||||
|
||||
/**
|
||||
* Set an int value for a key to be associated with your crash data which will be visible in the Crashlytics UI. |
||||
* |
||||
* @param value The integer value to be set |
||||
* @param key The key with which to associate the value |
||||
*/ |
||||
- (void)setIntValue:(int)value forKey:(NSString *)key; |
||||
|
||||
/**
|
||||
* Set an BOOL value for a key to be associated with your crash data which will be visible in the Crashlytics UI. |
||||
* |
||||
* @param value The BOOL value to be set |
||||
* @param key The key with which to associate the value |
||||
*/ |
||||
- (void)setBoolValue:(BOOL)value forKey:(NSString *)key; |
||||
|
||||
/**
|
||||
* Set an float value for a key to be associated with your crash data which will be visible in the Crashlytics UI. |
||||
* |
||||
* @param value The float value to be set |
||||
* @param key The key with which to associate the value |
||||
*/ |
||||
- (void)setFloatValue:(float)value forKey:(NSString *)key; |
||||
|
||||
+ (void)setObjectValue:(nullable id)value forKey:(NSString *)key CLS_DEPRECATED("Please access this method via +sharedInstance"); |
||||
+ (void)setIntValue:(int)value forKey:(NSString *)key CLS_DEPRECATED("Please access this method via +sharedInstance"); |
||||
+ (void)setBoolValue:(BOOL)value forKey:(NSString *)key CLS_DEPRECATED("Please access this method via +sharedInstance"); |
||||
+ (void)setFloatValue:(float)value forKey:(NSString *)key CLS_DEPRECATED("Please access this method via +sharedInstance"); |
||||
|
||||
/**
|
||||
* This method can be used to record a single exception structure in a report. This is particularly useful |
||||
* when your code interacts with non-native languages like Lua, C#, or Javascript. This call can be |
||||
* expensive and should only be used shortly before process termination. This API is not intended be to used |
||||
* to log NSException objects. All safely-reportable NSExceptions are automatically captured by |
||||
* Crashlytics. |
||||
* |
||||
* @param name The name of the custom exception |
||||
* @param reason The reason this exception occured |
||||
* @param frameArray An array of CLSStackFrame objects |
||||
*/ |
||||
- (void)recordCustomExceptionName:(NSString *)name reason:(nullable NSString *)reason frameArray:(CLS_GENERIC_NSARRAY(CLSStackFrame *) *)frameArray; |
||||
|
||||
- (void)logEvent:(NSString *)eventName CLS_DEPRECATED("Please refer to Answers +logCustomEventWithName:"); |
||||
- (void)logEvent:(NSString *)eventName attributes:(nullable NSDictionary *) attributes CLS_DEPRECATED("Please refer to Answers +logCustomEventWithName:"); |
||||
+ (void)logEvent:(NSString *)eventName CLS_DEPRECATED("Please refer to Answers +logCustomEventWithName:"); |
||||
+ (void)logEvent:(NSString *)eventName attributes:(nullable NSDictionary *) attributes CLS_DEPRECATED("Please refer to Answers +logCustomEventWithName:"); |
||||
|
||||
@end |
||||
|
||||
/**
|
||||
* |
||||
* The CrashlyticsDelegate protocol provides a mechanism for your application to take |
||||
* action on events that occur in the Crashlytics crash reporting system. You can make |
||||
* use of these calls by assigning an object to the Crashlytics' delegate property directly, |
||||
* or through the convenience +startWithAPIKey:delegate: method. |
||||
* |
||||
*/ |
||||
@protocol CrashlyticsDelegate <NSObject> |
||||
@optional |
||||
|
||||
|
||||
- (void)crashlyticsDidDetectCrashDuringPreviousExecution:(Crashlytics *)crashlytics CLS_DEPRECATED("Please refer to -crashlyticsDidDetectReportForLastExecution:"); |
||||
- (void)crashlytics:(Crashlytics *)crashlytics didDetectCrashDuringPreviousExecution:(id <CLSCrashReport>)crash CLS_DEPRECATED("Please refer to -crashlyticsDidDetectReportForLastExecution:"); |
||||
|
||||
/**
|
||||
* |
||||
* Called when a Crashlytics instance has determined that the last execution of the |
||||
* application ended in a crash. This is called synchronously on Crashlytics |
||||
* initialization. Your delegate must invoke the completionHandler, but does not need to do so |
||||
* synchronously, or even on the main thread. Invoking completionHandler with NO will cause the |
||||
* detected report to be deleted and not submitted to Crashlytics. This is useful for |
||||
* implementing permission prompts, or other more-complex forms of logic around submitting crashes. |
||||
* |
||||
* @warning Failure to invoke the completionHandler will prevent submissions from being reported. Watch out. |
||||
* |
||||
* @warning Just implementing this delegate method will disable all forms of synchronous report submission. This can |
||||
* impact the reliability of reporting crashes very early in application launch. |
||||
* |
||||
* @param report The CLSReport object representing the last detected crash |
||||
* @param completionHandler The completion handler to call when your logic has completed. |
||||
* |
||||
*/ |
||||
- (void)crashlyticsDidDetectReportForLastExecution:(CLSReport *)report completionHandler:(void (^)(BOOL submit))completionHandler; |
||||
|
||||
/**
|
||||
* If your app is running on an OS that supports it (OS X 10.9+, iOS 7.0+), Crashlytics will submit |
||||
* most reports using out-of-process background networking operations. This results in a significant |
||||
* improvement in reliability of reporting, as well as power and performance wins for your users. |
||||
* If you don't want this functionality, you can disable by returning NO from this method. |
||||
* |
||||
* @warning Background submission is not supported for extensions on iOS or OS X. |
||||
* |
||||
* @param crashlytics The Crashlytics singleton instance |
||||
* |
||||
* @return Return NO if you don't want out-of-process background network operations. |
||||
* |
||||
*/ |
||||
- (BOOL)crashlyticsCanUseBackgroundSessions:(Crashlytics *)crashlytics; |
||||
|
||||
@end |
||||
|
||||
/**
|
||||
* `CrashlyticsKit` can be used as a parameter to `[Fabric with:@[CrashlyticsKit]];` in Objective-C. In Swift, use Crashlytics.sharedInstance() |
||||
*/ |
||||
#define CrashlyticsKit [Crashlytics sharedInstance] |
||||
|
||||
NS_ASSUME_NONNULL_END |
@ -0,0 +1,14 @@
|
||||
framework module Crashlytics { |
||||
header "Crashlytics.h" |
||||
header "Answers.h" |
||||
header "ANSCompatibility.h" |
||||
header "CLSLogging.h" |
||||
header "CLSReport.h" |
||||
header "CLSStackFrame.h" |
||||
header "CLSAttributes.h" |
||||
|
||||
export * |
||||
|
||||
link "z" |
||||
link "c++" |
||||
} |
@ -0,0 +1,51 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?> |
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
||||
<plist version="1.0"> |
||||
<dict> |
||||
<key>BuildMachineOSBuild</key> |
||||
<string>14F1021</string> |
||||
<key>CFBundleDevelopmentRegion</key> |
||||
<string>English</string> |
||||
<key>CFBundleExecutable</key> |
||||
<string>Crashlytics</string> |
||||
<key>CFBundleIdentifier</key> |
||||
<string>com.twitter.crashlytics.mac</string> |
||||
<key>CFBundleInfoDictionaryVersion</key> |
||||
<string>6.0</string> |
||||
<key>CFBundleName</key> |
||||
<string>Crashlytics</string> |
||||
<key>CFBundlePackageType</key> |
||||
<string>FMWK</string> |
||||
<key>CFBundleShortVersionString</key> |
||||
<string>3.4.0</string> |
||||
<key>CFBundleSignature</key> |
||||
<string>????</string> |
||||
<key>CFBundleSupportedPlatforms</key> |
||||
<array> |
||||
<string>MacOSX</string> |
||||
</array> |
||||
<key>CFBundleVersion</key> |
||||
<string>92</string> |
||||
<key>DTCompiler</key> |
||||
<string>com.apple.compilers.llvm.clang.1_0</string> |
||||
<key>DTPlatformBuild</key> |
||||
<string>7B91b</string> |
||||
<key>DTPlatformVersion</key> |
||||
<string>GM</string> |
||||
<key>DTSDKBuild</key> |
||||
<string>15A278</string> |
||||
<key>DTSDKName</key> |
||||
<string>macosx10.11</string> |
||||
<key>DTXcode</key> |
||||
<string>0710</string> |
||||
<key>DTXcodeBuild</key> |
||||
<string>7B91b</string> |
||||
<key>NSHumanReadableCopyright</key> |
||||
<string>Copyright © 2015 Crashlytics, Inc. All rights reserved.</string> |
||||
<key>UIDeviceFamily</key> |
||||
<array> |
||||
<integer>1</integer> |
||||
<integer>2</integer> |
||||
</array> |
||||
</dict> |
||||
</plist> |
@ -0,0 +1,28 @@
|
||||
#!/bin/sh |
||||
|
||||
# run |
||||
# |
||||
# Copyright (c) 2015 Crashlytics. All rights reserved. |
||||
|
||||
# Figure out where we're being called from |
||||
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) |
||||
|
||||
# Quote path in case of spaces or special chars |
||||
DIR="\"${DIR}" |
||||
|
||||
PATH_SEP="/" |
||||
VALIDATE_COMMAND="uploadDSYM\" $@ validate" |
||||
UPLOAD_COMMAND="uploadDSYM\" $@" |
||||
|
||||
# Ensure params are as expected, run in sync mode to validate |
||||
eval $DIR$PATH_SEP$VALIDATE_COMMAND |
||||
return_code=$? |
||||
|
||||
if [[ $return_code != 0 ]]; then |
||||
exit $return_code |
||||
fi |
||||
|
||||
# Verification passed, upload dSYM in background to prevent Xcode from waiting |
||||
# Note: Validation is performed again before upload. |
||||
# Output can still be found in Console.app |
||||
eval $DIR$PATH_SEP$UPLOAD_COMMAND > /dev/null 2>&1 & |
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -0,0 +1,48 @@
|
||||
//
|
||||
// FABAttributes.h
|
||||
// Fabric
|
||||
//
|
||||
// Copyright (c) 2015 Twitter. All rights reserved.
|
||||
//
|
||||
|
||||
#pragma once |
||||
|
||||
#define FAB_UNAVAILABLE(x) __attribute__((unavailable(x))) |
||||
|
||||
#if __has_feature(nullability) |
||||
#define fab_nullable nullable |
||||
#define fab_nonnull nonnull |
||||
#define fab_null_unspecified null_unspecified |
||||
#define fab_null_resettable null_resettable |
||||
#define __fab_nullable __nullable |
||||
#define __fab_nonnull __nonnull |
||||
#define __fab_null_unspecified __null_unspecified |
||||
#else |
||||
#define fab_nullable |
||||
#define fab_nonnull |
||||
#define fab_null_unspecified |
||||
#define fab_null_resettable |
||||
#define __fab_nullable |
||||
#define __fab_nonnull |
||||
#define __fab_null_unspecified |
||||
#endif |
||||
|
||||
#ifndef NS_ASSUME_NONNULL_BEGIN |
||||
#define NS_ASSUME_NONNULL_BEGIN |
||||
#endif |
||||
|
||||
#ifndef NS_ASSUME_NONNULL_END |
||||
#define NS_ASSUME_NONNULL_END |
||||
#endif |
||||
|
||||
|
||||
/**
|
||||
* The following macros are defined here to provide |
||||
* backwards compatability. If you are still using |
||||
* them you should migrate to the new versions that |
||||
* are defined above. |
||||
*/ |
||||
#define FAB_NONNULL __fab_nonnull |
||||
#define FAB_NULLABLE __fab_nullable |
||||
#define FAB_START_NONNULL NS_ASSUME_NONNULL_BEGIN |
||||
#define FAB_END_NONNULL NS_ASSUME_NONNULL_END |
@ -0,0 +1,64 @@
|
||||
//
|
||||
// Fabric.h
|
||||
//
|
||||
// Copyright (c) 2015 Twitter. All rights reserved.
|
||||
//
|
||||
|
||||
#import <Foundation/Foundation.h> |
||||
#import "FABAttributes.h" |
||||
|
||||
NS_ASSUME_NONNULL_BEGIN |
||||
|
||||
#if TARGET_OS_IPHONE |
||||
#if __IPHONE_OS_VERSION_MIN_REQUIRED < 60000 |
||||
#error "Fabric's minimum iOS version is 6.0" |
||||
#endif |
||||
#else |
||||
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 1070 |
||||
#error "Fabric's minimum OS X version is 10.7" |
||||
#endif |
||||
#endif |
||||
|
||||
/**
|
||||
* Fabric Base. Coordinates configuration and starts all provided kits. |
||||
*/ |
||||
@interface Fabric : NSObject |
||||
|
||||
/**
|
||||
* Initialize Fabric and all provided kits. Call this method within your App Delegate's `application:didFinishLaunchingWithOptions:` and provide the kits you wish to use. |
||||
* |
||||
* For example, in Objective-C: |
||||
* |
||||
* `[Fabric with:@[[Crashlytics class], [Twitter class], [Digits class], [MoPub class]]];` |
||||
* |
||||
* Swift: |
||||
* |
||||
* `Fabric.with([Crashlytics.self(), Twitter.self(), Digits.self(), MoPub.self()])` |
||||
* |
||||
* Only the first call to this method is honored. Subsequent calls are no-ops. |
||||
* |
||||
* @param kitClasses An array of kit Class objects |
||||
* |
||||
* @return Returns the shared Fabric instance. In most cases this can be ignored. |
||||
*/ |
||||
+ (instancetype)with:(NSArray *)kitClasses; |
||||
|
||||
/**
|
||||
* Returns the Fabric singleton object. |
||||
*/ |
||||
+ (instancetype)sharedSDK; |
||||
|
||||
/**
|
||||
* This BOOL enables or disables debug logging, such as kit version information. The default value is NO. |
||||
*/ |
||||
@property (nonatomic, assign) BOOL debug; |
||||
|
||||
/**
|
||||
* Unavailable. Use `+sharedSDK` to retrieve the shared Fabric instance. |
||||
*/ |
||||
- (id)init FAB_UNAVAILABLE("Use +sharedSDK to retrieve the shared Fabric instance."); |
||||
|
||||
@end |
||||
|
||||
NS_ASSUME_NONNULL_END |
||||
|
@ -0,0 +1,6 @@
|
||||
framework module Fabric { |
||||
umbrella header "Fabric.h" |
||||
|
||||
export * |
||||
module * { export * } |
||||
} |
@ -0,0 +1,51 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?> |
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
||||
<plist version="1.0"> |
||||
<dict> |
||||
<key>BuildMachineOSBuild</key> |
||||
<string>14F1021</string> |
||||
<key>CFBundleDevelopmentRegion</key> |
||||
<string>en</string> |
||||
<key>CFBundleExecutable</key> |
||||
<string>Fabric</string> |
||||
<key>CFBundleIdentifier</key> |
||||
<string>io.fabric.sdk.mac</string> |
||||
<key>CFBundleInfoDictionaryVersion</key> |
||||
<string>6.0</string> |
||||
<key>CFBundleName</key> |
||||
<string>Fabric</string> |
||||
<key>CFBundlePackageType</key> |
||||
<string>FMWK</string> |
||||
<key>CFBundleShortVersionString</key> |
||||
<string>1.6.0</string> |
||||
<key>CFBundleSignature</key> |
||||
<string>????</string> |
||||
<key>CFBundleSupportedPlatforms</key> |
||||
<array> |
||||
<string>MacOSX</string> |
||||
</array> |
||||
<key>CFBundleVersion</key> |
||||
<string>37</string> |
||||
<key>DTCompiler</key> |
||||
<string>com.apple.compilers.llvm.clang.1_0</string> |
||||
<key>DTPlatformBuild</key> |
||||
<string>7B91b</string> |
||||
<key>DTPlatformVersion</key> |
||||
<string>GM</string> |
||||
<key>DTSDKBuild</key> |
||||
<string>15A278</string> |
||||
<key>DTSDKName</key> |
||||
<string>macosx10.11</string> |
||||
<key>DTXcode</key> |
||||
<string>0710</string> |
||||
<key>DTXcodeBuild</key> |
||||
<string>7B91b</string> |
||||
<key>NSHumanReadableCopyright</key> |
||||
<string>Copyright © 2015 Twitter. All rights reserved.</string> |
||||
<key>UIDeviceFamily</key> |
||||
<array> |
||||
<integer>1</integer> |
||||
<integer>2</integer> |
||||
</array> |
||||
</dict> |
||||
</plist> |
@ -0,0 +1,28 @@
|
||||
#!/bin/sh |
||||
|
||||
# run |
||||
# |
||||
# Copyright (c) 2015 Crashlytics. All rights reserved. |
||||
|
||||
# Figure out where we're being called from |
||||
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) |
||||
|
||||
# Quote path in case of spaces or special chars |
||||
DIR="\"${DIR}" |
||||
|
||||
PATH_SEP="/" |
||||
VALIDATE_COMMAND="uploadDSYM\" $@ validate" |
||||
UPLOAD_COMMAND="uploadDSYM\" $@" |
||||
|
||||
# Ensure params are as expected, run in sync mode to validate |
||||
eval $DIR$PATH_SEP$VALIDATE_COMMAND |
||||
return_code=$? |
||||
|
||||
if [[ $return_code != 0 ]]; then |
||||
exit $return_code |
||||
fi |
||||
|
||||
# Verification passed, upload dSYM in background to prevent Xcode from waiting |
||||
# Note: Validation is performed again before upload. |
||||
# Output can still be found in Console.app |
||||
eval $DIR$PATH_SEP$UPLOAD_COMMAND > /dev/null 2>&1 & |
Binary file not shown.
@ -0,0 +1,192 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2003,2011,2013-2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
|
||||
/*
|
||||
* AuthSession.h |
||||
* AuthSession - APIs for managing login, authorization, and security Sessions. |
||||
*/ |
||||
#if !defined(__AuthSession__) |
||||
#define __AuthSession__ 1 |
||||
|
||||
#include <Security/Authorization.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@header AuthSession |
||||
|
||||
The Session API provides specialized applications access to Session management and inquiry |
||||
functions. This is a specialized API that should not be of interest to most people. |
||||
|
||||
The Security subsystem separates all processes into Security "sessions". Each process is in |
||||
exactly one session, and session membership inherits across fork/exec. Sessions form boundaries |
||||
for security-related state such as authorizations, keychain lock status, and the like. |
||||
Typically, each successful login (whether graphical or through ssh & friends) creates |
||||
a separate session. System daemons (started at system startup) belong to the "root session" |
||||
which has no user nor graphics access. |
||||
|
||||
Sessions are identified with SecuritySessionIds. A session has a set of attributes |
||||
that are set on creation and can be retrieved with SessionGetInfo(). |
||||
|
||||
There are similar session concepts in the system, related but not necessarily |
||||
completely congruous. In particular, graphics sessions track security sessions |
||||
(but only for graphic logins). |
||||
*/ |
||||
|
||||
|
||||
/*!
|
||||
@typedef SecuritySessionId |
||||
These are externally visible identifiers for authorization sessions. |
||||
Different sessions have different identifiers; beyond that, you can't |
||||
tell anything from these values. |
||||
SessionIds can be compared for equality as you'd expect, but you should be careful |
||||
to use attribute bits wherever appropriate. |
||||
*/ |
||||
typedef UInt32 SecuritySessionId; |
||||
|
||||
|
||||
/*!
|
||||
@enum SecuritySessionId |
||||
Here are some special values for SecuritySessionId. You may specify those |
||||
on input to SessionAPI functions. They will never be returned from such |
||||
functions. |
||||
|
||||
Note: -2 is reserved (see 4487137).
|
||||
*/ |
||||
CF_ENUM(SecuritySessionId) { |
||||
noSecuritySession = 0, /* definitely not a valid SecuritySessionId */ |
||||
callerSecuritySession = ((SecuritySessionId)-1) /* the Session I (the caller) am in */ |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@enum SessionAttributeBits |
||||
Each Session has a set of attribute bits. You can get those from the |
||||
SessionGetInfo API function. |
||||
*/ |
||||
typedef CF_OPTIONS(UInt32, SessionAttributeBits) { |
||||
sessionIsRoot = 0x0001, /* is the root session (startup/system programs) */ |
||||
sessionHasGraphicAccess = 0x0010, /* graphic subsystem (CoreGraphics et al) available */ |
||||
sessionHasTTY = 0x0020, /* /dev/tty is available */ |
||||
sessionIsRemote = 0x1000, /* session was established over the network */ |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@enum SessionCreationFlags |
||||
These flags control how a new session is created by SessionCreate. |
||||
They have no permanent meaning beyond that. |
||||
*/ |
||||
typedef CF_OPTIONS(UInt32, SessionCreationFlags) { |
||||
sessionKeepCurrentBootstrap = 0x8000 /* caller has allocated sub-bootstrap (expert use only) */ |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@enum SessionStatus |
||||
Error codes returned by AuthSession API. |
||||
Note that the AuthSession APIs can also return Authorization API error codes. |
||||
*/ |
||||
CF_ENUM(OSStatus) { |
||||
errSessionSuccess = 0, /* all is well */ |
||||
errSessionInvalidId = -60500, /* invalid session id specified */ |
||||
errSessionInvalidAttributes = -60501, /* invalid set of requested attribute bits */ |
||||
errSessionAuthorizationDenied = -60502, /* you are not allowed to do this */ |
||||
errSessionValueNotSet = -60503, /* the session attribute you requested has not been set */ |
||||
|
||||
errSessionInternal = errAuthorizationInternal, /* internal error */ |
||||
errSessionInvalidFlags = errAuthorizationInvalidFlags /* invalid flags/options */ |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@function SessionGetInfo |
||||
Obtain information about a session. You can ask about any session whose |
||||
identifier you know. Use the callerSecuritySession constant to ask about |
||||
your own session (the one your process is in). |
||||
|
||||
@param session (input) The Session you are asking about. Can be one of the |
||||
special constants defined above. |
||||
|
||||
@param sessionId (output/optional) The actual SecuritySessionId for the session you asked about. |
||||
Will never be one of those constants. |
||||
|
||||
@param attributes (output/optional) Receives the attribute bits for the session. |
||||
|
||||
@result An OSStatus indicating success (errSecSuccess) or an error cause. |
||||
|
||||
errSessionInvalidId -60500 Invalid session id specified |
||||
|
||||
*/ |
||||
OSStatus SessionGetInfo(SecuritySessionId session, |
||||
SecuritySessionId * __nullable sessionId, |
||||
SessionAttributeBits * __nullable attributes); |
||||
|
||||
|
||||
/*!
|
||||
@function SessionCreate |
||||
This (very specialized) function creates a security session. |
||||
Upon completion, the new session contains the calling process (and none other). |
||||
You cannot create a session for someone else, and cannot avoid being placed |
||||
into the new session. This is (currently) the only call that changes a process's |
||||
session membership. |
||||
By default, a new bootstrap subset port is created for the calling process. The process |
||||
acquires this new port as its bootstrap port, which all its children will inherit. |
||||
If you happen to have created the subset port on your own, you can pass the |
||||
sessionKeepCurrentBootstrap flag, and SessionCreate will use it. Note however that |
||||
you cannot supersede a prior SessionCreate call that way; only a single SessionCreate |
||||
call is allowed for each Session (however made). |
||||
This call will discard any security information established for the calling process. |
||||
In particular, any authorization handles acquired will become invalid, and so will any |
||||
keychain related information. We recommend that you call SessionCreate before |
||||
making any other security-related calls that establish rights of any kind, to the |
||||
extent this is practical. Also, we strongly recommend that you do not perform |
||||
security-related calls in any other threads while calling SessionCreate. |
||||
|
||||
@param flags Flags controlling how the session is created. |
||||
|
||||
@param attributes The set of attribute bits to set for the new session. |
||||
Not all bits can be set this way. |
||||
|
||||
@result An OSStatus indicating success (errSecSuccess) or an error cause. |
||||
|
||||
errSessionInvalidAttributes -60501 Attempt to set invalid attribute bits
|
||||
errSessionAuthorizationDenied -60502 Attempt to re-initialize a session |
||||
errSessionInvalidFlags -60011 Attempt to specify unsupported flag bits |
||||
|
||||
*/ |
||||
OSStatus SessionCreate(SessionCreationFlags flags, |
||||
SessionAttributeBits attributes); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* ! __AuthSession__ */ |
@ -0,0 +1,460 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2004,2007,2011-2012 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
|
||||
/*
|
||||
* Authorization.h -- APIs for implementing access control in applications |
||||
* and daemons. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_AUTHORIZATION_H_ |
||||
#define _SECURITY_AUTHORIZATION_H_ |
||||
|
||||
#include <TargetConditionals.h> |
||||
#include <MacTypes.h> |
||||
#include <Availability.h> |
||||
#include <CoreFoundation/CFAvailability.h> |
||||
#include <CoreFoundation/CFBase.h> |
||||
|
||||
#include <stdio.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@header Authorization |
||||
Version 1.0 10/16/2000 |
||||
|
||||
The Authorization API contains all the APIs that a application or tool that need pre-authorization or need an authorization desision made. |
||||
|
||||
A typical use cases are a preference panel that would start off calling AuthorizationCreate() (without UI) to get an authorization object. Then call AuthorizationCopyRights() to figure out what is currently allowed. |
||||
|
||||
If any of the operations that the preference panel wishes to perform are currently not allowed the lock icon in the window would show up in the locked state. Otherwise it would show up unlocked. |
||||
|
||||
When the user locks the lock AuthorizationFree() is called with the kAuthorizationFlagDestroyRights to destroy any authorization rights that have been aquired. |
||||
|
||||
When the user unlocks the lock AuthorizationCreate() is called with the kAuthorizationFlagInteractionAllowed and kAuthorizationFlagExtendRights flags to obtain all required rights. The old authorization object can be freed by calling AuthorizationFree() with no flags. |
||||
|
||||
*/ |
||||
|
||||
|
||||
|
||||
/*!
|
||||
@defined kAuthorizationEmptyEnvironment |
||||
Parameter to specify to AuthorizationCreate when no environment is being provided. |
||||
*/ |
||||
#define kAuthorizationEmptyEnvironment NULL |
||||
|
||||
|
||||
/*!
|
||||
@enum AuthorizationStatus |
||||
Error codes returned by Authorization API. |
||||
*/ |
||||
|
||||
/*
|
||||
Note: the comments that appear after these errors are used to create SecErrorMessages.strings. |
||||
The comments must not be multi-line, and should be in a form meaningful to an end user. If |
||||
a different or additional comment is needed, it can be put in the header doc format, or on a |
||||
line that does not start with errZZZ. |
||||
|
||||
errAuthorizationSuccess can't include a string as it's also errSecSuccess in libsecurity_keychain/lib/SecBase.h |
||||
*/ |
||||
|
||||
CF_ENUM(OSStatus) { |
||||
errAuthorizationSuccess = 0, |
||||
errAuthorizationInvalidSet = -60001, /* The authorization rights are invalid. */ |
||||
errAuthorizationInvalidRef = -60002, /* The authorization reference is invalid. */ |
||||
errAuthorizationInvalidTag = -60003, /* The authorization tag is invalid. */ |
||||
errAuthorizationInvalidPointer = -60004, /* The returned authorization is invalid. */ |
||||
errAuthorizationDenied = -60005, /* The authorization was denied. */ |
||||
errAuthorizationCanceled = -60006, /* The authorization was cancelled by the user. */ |
||||
errAuthorizationInteractionNotAllowed = -60007, /* The authorization was denied since no user interaction was possible. */ |
||||
errAuthorizationInternal = -60008, /* Unable to obtain authorization for this operation. */ |
||||
errAuthorizationExternalizeNotAllowed = -60009, /* The authorization is not allowed to be converted to an external format. */ |
||||
errAuthorizationInternalizeNotAllowed = -60010, /* The authorization is not allowed to be created from an external format. */ |
||||
errAuthorizationInvalidFlags = -60011, /* The provided option flag(s) are invalid for this authorization operation. */ |
||||
errAuthorizationToolExecuteFailure = -60031, /* The specified program could not be executed. */ |
||||
errAuthorizationToolEnvironmentError = -60032, /* An invalid status was returned during execution of a privileged tool. */ |
||||
errAuthorizationBadAddress = -60033, /* The requested socket address is invalid (must be 0-1023 inclusive). */ |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@typedef AuthorizationFlags |
||||
Optional flags passed in to several Authorization APIs. |
||||
See the description of AuthorizationCreate, AuthorizationCopyRights and AuthorizationFree for a description of how they affect those calls. |
||||
*/ |
||||
typedef CF_OPTIONS(UInt32, AuthorizationFlags) { |
||||
kAuthorizationFlagDefaults = 0, |
||||
kAuthorizationFlagInteractionAllowed = (1 << 0), |
||||
kAuthorizationFlagExtendRights = (1 << 1), |
||||
kAuthorizationFlagPartialRights = (1 << 2), |
||||
kAuthorizationFlagDestroyRights = (1 << 3), |
||||
kAuthorizationFlagPreAuthorize = (1 << 4), |
||||
|
||||
// private bits (do not use)
|
||||
kAuthorizationFlagNoData = (1 << 20) |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@enum AuthorizationRightFlags |
||||
Flags returned in the flags field of ItemSet Items when calling AuthorizationCopyRights(). |
||||
*/ |
||||
enum { |
||||
kAuthorizationFlagCanNotPreAuthorize = (1 << 0) |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@typedef AuthorizationRef |
||||
Opaque reference to an authorization object. |
||||
*/ |
||||
typedef const struct AuthorizationOpaqueRef *AuthorizationRef; |
||||
|
||||
|
||||
/*!
|
||||
@typedef AuthorizationString |
||||
A zero terminated string in UTF-8 encoding. |
||||
*/ |
||||
typedef const char *AuthorizationString; |
||||
|
||||
|
||||
/*!
|
||||
@struct AuthorizationItem |
||||
Each AuthorizationItem describes a single string-named item with optional |
||||
parameter value. The value must be contiguous memory of valueLength bytes; |
||||
internal structure is defined separately for each name. |
||||
|
||||
@field name name of the item, as an AuthorizationString. Mandatory. |
||||
@field valueLength Number of bytes in parameter value. Must be 0 if no parameter value. |
||||
@field value Pointer to the optional parameter value associated with name. |
||||
Must be NULL if no parameter value. |
||||
@field flags Reserved field. Must be set to 0 on creation. Do not modify after that. |
||||
*/ |
||||
typedef struct { |
||||
AuthorizationString name; |
||||
size_t valueLength; |
||||
void *value; |
||||
UInt32 flags; |
||||
} AuthorizationItem; |
||||
|
||||
|
||||
/*!
|
||||
@struct AuthorizationItemSet |
||||
An AuthorizationItemSet structure represents a set of zero or more AuthorizationItems. Since it is a set it should not contain any identical AuthorizationItems. |
||||
|
||||
@field count Number of items identified by items. |
||||
@field items Pointer to an array of items. |
||||
*/ |
||||
typedef struct { |
||||
UInt32 count; |
||||
AuthorizationItem *items; |
||||
} AuthorizationItemSet; |
||||
|
||||
|
||||
|
||||
/*!
|
||||
@struct AuthorizationExternalForm |
||||
An AuthorizationExternalForm structure can hold the externalized form of |
||||
an AuthorizationRef. As such, it can be transmitted across IPC channels |
||||
to other processes, which can re-internalize it to recover a valid AuthorizationRef |
||||
handle. |
||||
The data contained in an AuthorizationExternalForm should be considered opaque. |
||||
|
||||
SECURITY NOTE: Applications should take care to not disclose the AuthorizationExternalForm to |
||||
potential attackers since it would authorize rights to them. |
||||
*/ |
||||
enum { |
||||
kAuthorizationExternalFormLength = 32 |
||||
}; |
||||
|
||||
typedef struct { |
||||
char bytes[kAuthorizationExternalFormLength]; |
||||
} AuthorizationExternalForm; |
||||
|
||||
|
||||
|
||||
/*!
|
||||
@typedef AuthorizationRights |
||||
An AuthorizationItemSet representing a set of rights each with an associated argument (value). |
||||
Each argument value is as defined for the specific right they belong to. Argument values may not contain pointers as the should be copyable to different address spaces. |
||||
*/ |
||||
typedef AuthorizationItemSet AuthorizationRights; |
||||
|
||||
|
||||
/*!
|
||||
@typedef AuthorizationEnvironment |
||||
An AuthorizationItemSet representing environmental information of potential use |
||||
to authorization decisions. |
||||
*/ |
||||
typedef AuthorizationItemSet AuthorizationEnvironment; |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationCreate |
||||
Create a new autorization object which can be used in other authorization calls. When the authorization is no longer needed AuthorizationFree should be called. |
||||
|
||||
When the kAuthorizationFlagInteractionAllowed flag is set, user interaction will happen when required. Failing to set this flag will result in this call failing with a errAuthorizationInteractionNotAllowed status when interaction is required. |
||||
|
||||
Setting the kAuthorizationFlagExtendRights flag will extend the currently available rights. If this flag is set the returned AuthorizationRef will grant all the rights requested when errAuthorizationSuccess is returned. If this flag is not set the operation will almost certainly succeed, but no attempt will be made to make the requested rights availible. |
||||
Call AuthorizationCopyRights to figure out which of the requested rights are granted by the returned AuthorizationRef. |
||||
|
||||
Setting the kAuthorizationFlagPartialRights flag will cause this call to succeed if only some of the requested rights are being granted by the returned AuthorizationRef. Unless this flag is set this API will fail if not all the requested rights could be obtained. |
||||
|
||||
Setting the kAuthorizationFlagDestroyRights flag will prevent any rights obtained during this call from being preserved after returning from this API (This is most useful when the authorization parameter is NULL and the caller doesn't want to affect the session state in any way). |
||||
|
||||
Setting the kAuthorizationFlagPreAuthorize flag will pre authorize the requested rights so that at a later time -- by calling AuthorizationMakeExternalForm() follow by AuthorizationCreateFromExternalForm() -- the obtained rights can be used in a different process. Rights that can't be preauthorized will be treated as if they were authorized for the sake of returning an error (in other words if all rights are either authorized or could not be preauthorized this call will still succeed). |
||||
The rights which could not be preauthorized are not currently authorized and may fail to authorize when a later call to AuthorizationCopyRights() is made, unless the kAuthorizationFlagExtendRights and kAuthorizationFlagInteractionAllowed flags are set. Even then they might still fail if the user does not supply the correct credentials. |
||||
The reason for passing in this flag is to provide correct audit trail information and to avoid unnecessary user interaction. |
||||
|
||||
@param rights (input/optional) An AuthorizationItemSet containing rights for which authorization is being requested. If none are specified the resulting AuthorizationRef will authorize nothing at all. |
||||
@param environment (input/optional) An AuthorizationItemSet containing environment state used when making the autorization decision. See the AuthorizationEnvironment type for details. |
||||
@param flags (input) options specified by the AuthorizationFlags enum. set all unused bits to zero to allow for future expansion. |
||||
@param authorization (output optional) A pointer to an AuthorizationRef to be returned. When the returned AuthorizationRef is no longer needed AuthorizationFree should be called to prevent anyone from using the aquired rights. If NULL is specified no new rights are returned, but the system will attempt to authorize all the requested rights and return the appropriate status. |
||||
|
||||
@result errAuthorizationSuccess 0 authorization or all requested rights succeeded. |
||||
|
||||
errAuthorizationDenied -60005 The authorization for one or more of the requested rights was denied. |
||||
|
||||
errAuthorizationCanceled -60006 The authorization was cancelled by the user. |
||||
|
||||
errAuthorizationInteractionNotAllowed -60007 The authorization was denied since no interaction with the user was allowed. |
||||
*/ |
||||
OSStatus AuthorizationCreate(const AuthorizationRights * __nullable rights, |
||||
const AuthorizationEnvironment * __nullable environment, |
||||
AuthorizationFlags flags, |
||||
AuthorizationRef __nullable * __nullable authorization); |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationFree |
||||
Destroy an AutorizationRef object. If the kAuthorizationFlagDestroyRights flag is passed, |
||||
any rights associated with the authorization are lost. Otherwise, only local resources |
||||
are released, and the rights may still be available to other clients. |
||||
|
||||
Setting the kAuthorizationFlagDestroyRights flag will prevent any rights that were obtained by the specified authorization object to be preserved after returning from this API. This effectivaly locks down all potentially shared authorizations. |
||||
|
||||
@param authorization (input) The authorization object on which this operation is performed. |
||||
|
||||
@param flags (input) Bit mask of option flags to this call. |
||||
|
||||
@result errAuthorizationSuccess 0 No error. |
||||
|
||||
errAuthorizationInvalidRef -60002 The authorization parameter is invalid. |
||||
*/ |
||||
OSStatus AuthorizationFree(AuthorizationRef authorization, AuthorizationFlags flags); |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationCopyRights |
||||
Given a set of rights, return the subset that is currently authorized |
||||
by the AuthorizationRef given. |
||||
|
||||
When the kAuthorizationFlagInteractionAllowed flag is set, user interaction will happen when required. Failing to set this flag will result in this call failing with a errAuthorizationInteractionNotAllowed status when interaction is required. |
||||
|
||||
Setting the kAuthorizationFlagExtendRights flag will extend the currently available rights. |
||||
|
||||
Setting the kAuthorizationFlagPartialRights flag will cause this call to succeed if only some of the requested rights are being granted by the returned AuthorizationRef. Unless this flag is set this API will fail if not all the requested rights could be obtained. |
||||
|
||||
Setting the kAuthorizationFlagDestroyRights flag will prevent any additional rights obtained during this call from being preserved after returning from this API. |
||||
|
||||
Setting the kAuthorizationFlagPreAuthorize flag will pre authorize the requested rights so that at a later time -- by calling AuthorizationMakeExternalForm() follow by AuthorizationCreateFromExternalForm() -- the obtained rights can be used in a different process. Rights that can't be preauthorized will be treated as if they were authorized for the sake of returning an error (in other words if all rights are either authorized or could not be preauthorized this call will still succeed), and they will be returned in authorizedRights with their kAuthorizationFlagCanNotPreAuthorize bit in the flags field set to 1. |
||||
The rights which could not be preauthorized are not currently authorized and may fail to authorize when a later call to AuthorizationCopyRights() is made, unless the kAuthorizationFlagExtendRights and kAuthorizationFlagInteractionAllowed flags are set. Even then they might still fail if the user does not supply the correct credentials. |
||||
The reason for passing in this flag is to provide correct audit trail information and to avoid unnecessary user interaction. |
||||
|
||||
Setting the kAuthorizationFlagPreAuthorize flag will pre authorize the requested rights so that at a later time -- by calling AuthorizationMakeExternalForm() follow by AuthorizationCreateFromExternalForm() -- the obtained rights can be used in a different process. When this flags is specified rights that can't be preauthorized will be returned as if they were authorized with their kAuthorizationFlagCanNotPreAuthorize bit in the flags field set to 1. These rights are not currently authorized and may fail to authorize later unless kAuthorizationFlagExtendRights and kAuthorizationFlagInteractionAllowed flags are set when the actual authorization is done. And even then they might still fail if the user does not supply the correct credentials. |
||||
|
||||
@param authorization (input) The authorization object on which this operation is performed. |
||||
@param rights (input) A rights set (see AuthorizationCreate). |
||||
@param environment (input/optional) An AuthorizationItemSet containing environment state used when making the autorization decision. See the AuthorizationEnvironment type for details. |
||||
@param flags (input) options specified by the AuthorizationFlags enum. set all unused bits to zero to allow for future expansion. |
||||
@param authorizedRights (output/optional) A pointer to a newly allocated AuthorizationInfoSet in which the authorized subset of rights are returned (authorizedRights should be deallocated by calling AuthorizationFreeItemSet() when it is no longer needed). If NULL the only information returned is the status. Note that if the kAuthorizationFlagPreAuthorize flag was specified rights that could not be preauthorized are returned in authorizedRights, but their flags contains the kAuthorizationFlagCanNotPreAuthorize bit. |
||||
|
||||
@result errAuthorizationSuccess 0 No error. |
||||
|
||||
errAuthorizationInvalidRef -60002 The authorization parameter is invalid. |
||||
|
||||
errAuthorizationInvalidSet -60001 The rights parameter is invalid. |
||||
|
||||
errAuthorizationInvalidPointer -60004 The authorizedRights parameter is invalid. |
||||
*/ |
||||
OSStatus AuthorizationCopyRights(AuthorizationRef authorization,
|
||||
const AuthorizationRights *rights, |
||||
const AuthorizationEnvironment * __nullable environment, |
||||
AuthorizationFlags flags, |
||||
AuthorizationRights * __nullable * __nullable authorizedRights); |
||||
|
||||
|
||||
#ifdef __BLOCKS__ |
||||
|
||||
/*!
|
||||
@typedef AuthorizationAsyncCallback |
||||
Callback block passed to AuthorizationCopyRightsAsync. |
||||
|
||||
@param err (output) The result of the AuthorizationCopyRights call. |
||||
@param blockAuthorizedRights (output) The authorizedRights from the AuthorizationCopyRights call to be deallocated by calling AuthorizationFreeItemSet() when it is no longer needed. |
||||
*/ |
||||
typedef void (^AuthorizationAsyncCallback)(OSStatus err, AuthorizationRights * __nullable blockAuthorizedRights); |
||||
|
||||
/*!
|
||||
@function AuthorizationCopyRightsAsync |
||||
An asynchronous version of AuthorizationCopyRights. |
||||
|
||||
@param callbackBlock (input) The callback block to be called upon completion. |
||||
*/ |
||||
void AuthorizationCopyRightsAsync(AuthorizationRef authorization, |
||||
const AuthorizationRights *rights, |
||||
const AuthorizationEnvironment * __nullable environment, |
||||
AuthorizationFlags flags, |
||||
AuthorizationAsyncCallback callbackBlock); |
||||
|
||||
|
||||
#endif /* __BLOCKS__ */ |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationCopyInfo |
||||
Returns sideband information (e.g. access credentials) obtained from a call to AuthorizationCreate. The format of this data depends of the tag specified. |
||||
|
||||
@param authorization (input) The authorization object on which this operation is performed. |
||||
@param tag (input/optional) An optional string tag specifing which sideband information should be returned. When NULL is specified all available information is returned. |
||||
@param flags (input) options specified by the AuthorizationFlags enum. set all unused bits to zero to allow for future expansion. |
||||
@param info (output) A pointer to a newly allocated AuthorizationInfoSet in which the requested sideband infomation is returned (info should be deallocated by calling AuthorizationFreeItemSet() when it is no longer needed). |
||||
|
||||
@result errAuthorizationSuccess 0 No error. |
||||
|
||||
errAuthorizationInvalidRef -60002 The authorization parameter is invalid. |
||||
|
||||
errAuthorizationInvalidTag -60003 The tag parameter is invalid. |
||||
|
||||
errAuthorizationInvalidPointer -60004 The info parameter is invalid. |
||||
*/ |
||||
OSStatus AuthorizationCopyInfo(AuthorizationRef authorization,
|
||||
AuthorizationString __nullable tag, |
||||
AuthorizationItemSet * __nullable * __nonnull info); |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationMakeExternalForm |
||||
Turn an Authorization into an external "byte blob" form so it can be |
||||
transmitted to another process. |
||||
Note that *storing* the external form somewhere will probably not do what |
||||
you want, since authorizations are bounded by sessions, processes, and possibly |
||||
time limits. This is for online transmission of authorizations. |
||||
|
||||
@param authorization The (valid) authorization reference to externalize |
||||
@param extForm Pointer to an AuthorizationExternalForm variable to fill. |
||||
|
||||
@result errAuthorizationSuccess 0 No error. |
||||
|
||||
errAuthorizationExternalizeNotAllowed -60009 Externalizing this authorization is not allowed. |
||||
|
||||
errAuthorizationInvalidRef -60002 The authorization parameter is invalid. |
||||
|
||||
|
||||
*/ |
||||
OSStatus AuthorizationMakeExternalForm(AuthorizationRef authorization, |
||||
AuthorizationExternalForm * __nonnull extForm); |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationCreateFromExternalForm |
||||
Internalize the external "byte blob" form of an authorization reference. |
||||
|
||||
@param extForm Pointer to an AuthorizationExternalForm value. |
||||
@param authorization Will be filled with a valid AuthorizationRef on success. |
||||
|
||||
@result errAuthorizationInternalizeNotAllowed -60010 Internalizing this authorization is not allowed. |
||||
*/ |
||||
OSStatus AuthorizationCreateFromExternalForm(const AuthorizationExternalForm *extForm, |
||||
AuthorizationRef __nullable * __nonnull authorization); |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationFreeItemSet |
||||
Release the memory allocated for an AuthorizationItemSet that was allocated |
||||
by an API call. |
||||
|
||||
@param set The AuthorizationItemSet to deallocate. |
||||
|
||||
@result errAuthorizationSuccess 0 No error. |
||||
|
||||
errAuthorizationInvalidSet -60001 The set parameter is invalid. |
||||
*/ |
||||
OSStatus AuthorizationFreeItemSet(AuthorizationItemSet *set); |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationExecuteWithPrivileges |
||||
Run an executable tool with enhanced privileges after passing |
||||
suitable authorization procedures. |
||||
|
||||
@param authorization An authorization reference that is used to authorize |
||||
access to the enhanced privileges. It is also passed to the tool for |
||||
further access control. |
||||
@param pathToTool Full pathname to the tool that should be executed |
||||
with enhanced privileges. |
||||
@param options Option bits (reserved). Must be zero. |
||||
@param arguments An argv-style vector of strings to be passed to the tool. |
||||
@param communicationsPipe Assigned a UNIX stdio FILE pointer for |
||||
a bidirectional pipe to communicate with the tool. The tool will have |
||||
this pipe as its standard I/O channels (stdin/stdout). If NULL, do not |
||||
establish a communications pipe. |
||||
|
||||
@discussion This function has been deprecated and should no longer be used. |
||||
Use a launchd-launched helper tool and/or the Service Mangement framework |
||||
for this functionality. |
||||
*/ |
||||
OSStatus AuthorizationExecuteWithPrivileges(AuthorizationRef authorization, |
||||
const char *pathToTool, |
||||
AuthorizationFlags options, |
||||
char * __nonnull const * __nonnull arguments, |
||||
FILE * __nullable * __nullable communicationsPipe) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_1,__MAC_10_7,__IPHONE_NA,__IPHONE_NA); |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationCopyPrivilegedReference |
||||
From within a tool launched via the AuthorizationExecuteWithPrivileges function |
||||
ONLY, retrieve the AuthorizationRef originally passed to that function. |
||||
While AuthorizationExecuteWithPrivileges already verified the authorization to |
||||
launch your tool, the tool may want to avail itself of any additional pre-authorizations |
||||
the caller may have obtained through that reference. |
||||
|
||||
@discussion This function has been deprecated and should no longer be used. |
||||
Use a launchd-launched helper tool and/or the Service Mangement framework |
||||
for this functionality. |
||||
*/ |
||||
OSStatus AuthorizationCopyPrivilegedReference(AuthorizationRef __nullable * __nonnull authorization, |
||||
AuthorizationFlags flags) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_1,__MAC_10_7,__IPHONE_NA,__IPHONE_NA); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_AUTHORIZATION_H_ */ |
@ -0,0 +1,163 @@
|
||||
/*
|
||||
* Copyright (c) 2003,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*
|
||||
* AuthorizationDB.h -- APIs for managing the authorization policy database |
||||
* and daemons. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_AUTHORIZATIONDB_H_ |
||||
#define _SECURITY_AUTHORIZATIONDB_H_ |
||||
|
||||
#include <Security/Authorization.h> |
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@header AuthorizationDB |
||||
Version 1.0 |
||||
|
||||
This API allows for any programs to get, modify, delete and add new right definitions to the policy database. Meta-rights specify whether and what authorization is required to make these modifications. |
||||
|
||||
AuthorizationRightSet(authRef, "com.ifoo.ifax.send", CFSTR(kRuleIsAdmin), CFSTR("You must authenticate to send a fax."), NULL, NULL) |
||||
|
||||
add a rule for letting admins send faxes using a canned rule, delegating to a pre-specified rule that authorizes everyone who is an admin. |
||||
|
||||
AuthorizationRightSet(authRef, "com.ifoo.ifax.send", [[CFSTR(kRightRule), CFSTR(kRuleIsAdmin)], [CFSTR(kRightComment), CFSTR("authorizes sending of 1 fax message")]], CFSTR("Authorize sending of a fax"), NULL, NULL) |
||||
|
||||
add identical rule, but specify additional attributes this time. |
||||
|
||||
Keep in mind while specifying a comment to be specific about what you need to authorize for (1 fax), in terms of a general message for user. The means of proof required for kRuleIsAdmin (enter username/password for example) should not be included here, since it could be configured differently. Also note that the "authRef" variable used in each of the above examples must be a vaild AuthorizationRef obtained from AuthorizationCreate(). |
||||
|
||||
*/ |
||||
|
||||
/*! @define kRightRule
|
||||
rule delegation key. Instead of specifying exact behavior some canned rules |
||||
are shipped that may be switched by configurable security. |
||||
*/ |
||||
#define kAuthorizationRightRule "rule" |
||||
|
||||
/*! @defined kRuleIsAdmin
|
||||
canned rule values for use with rule delegation definitions: require user to be an admin. |
||||
*/ |
||||
#define kAuthorizationRuleIsAdmin "is-admin" |
||||
|
||||
/*! @defined kRuleAuthenticateAsSessionUser
|
||||
canned rule value for use with rule delegation definitions: require user to authenticate as the session owner (logged-in user). |
||||
*/ |
||||
#define kAuthorizationRuleAuthenticateAsSessionUser "authenticate-session-owner" |
||||
|
||||
/*! @defined kRuleAuthenticateAsAdmin
|
||||
Canned rule value for use with rule delegation definitions: require user to authenticate as admin. |
||||
*/ |
||||
#define kAuthorizationRuleAuthenticateAsAdmin "authenticate-admin" |
||||
|
||||
/*! @defined kAuthorizationRuleClassAllow
|
||||
Class that allows anything. |
||||
*/ |
||||
#define kAuthorizationRuleClassAllow "allow" |
||||
|
||||
/*! @defined kAuthorizationRuleClassDeny
|
||||
Class that denies anything.
|
||||
*/ |
||||
#define kAuthorizationRuleClassDeny "deny" |
||||
|
||||
/*! @defined kAuthorizationComment
|
||||
comments for the administrator on what is being customized here; |
||||
as opposed to (localized) descriptions presented to the user. |
||||
*/ |
||||
#define kAuthorizationComment "comment" |
||||
|
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationRightGet
|
||||
|
||||
Retrieves a right definition as a dictionary. There are no restrictions to keep anyone from retrieving these definitions.
|
||||
|
||||
@param rightName (input) the rightname (ASCII). Wildcard rightname definitions are okay. |
||||
@param rightDefinition (output/optional) the dictionary with all keys defining the right. See documented keys. Passing in NULL will just check if there is a definition. The caller is responsible for releasing the returned dictionary. |
||||
|
||||
@result errAuthorizationSuccess 0 No error. |
||||
|
||||
errAuthorizationDenied -60005 No definition found. |
||||
|
||||
*/ |
||||
OSStatus AuthorizationRightGet(const char *rightName, |
||||
CFDictionaryRef * __nullable CF_RETURNS_RETAINED rightDefinition); |
||||
|
||||
/*!
|
||||
@function AuthorizationRightSet |
||||
|
||||
Create or update a right entry. Only normal rights can be registered (wildcard rights are denied); wildcard rights are considered to be put in by an administrator putting together a site configuration. |
||||
|
||||
@param authRef (input) authRef to authorize modifications. |
||||
@param rightName (input) the rightname (ASCII). Wildcard rightnames are not okay. |
||||
@param rightDefinition (input) a CFString of the name of a rule to use (delegate) or CFDictionary containing keys defining one. |
||||
@param descriptionKey (input/optional) a CFString to use as a key for looking up localized descriptions. If no localization is found this will be the description itself. |
||||
@param bundle (input/optional) a bundle to get localizations from if not the main bundle. |
||||
@param localeTableName (input/optional) stringtable name to get localizations from. |
||||
|
||||
@result errAuthorizationSuccess 0 added right definition successfully. |
||||
|
||||
errAuthorizationDenied -60005 Unable to create or update right definition. |
||||
|
||||
errAuthorizationCanceled -60006 Authorization was canceled by user. |
||||
|
||||
errAuthorizationInteractionNotAllowed -60007 Interaction was required but not possible. |
||||
|
||||
*/ |
||||
OSStatus AuthorizationRightSet(AuthorizationRef authRef, |
||||
const char *rightName, |
||||
CFTypeRef rightDefinition, |
||||
CFStringRef __nullable descriptionKey, |
||||
CFBundleRef __nullable bundle, |
||||
CFStringRef __nullable localeTableName); |
||||
|
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationRightRemove |
||||
|
||||
Request to remove a right from the policy database. |
||||
|
||||
@param authRef (input) authRef, to be used to authorize this action. |
||||
@param rightName (input) the rightname (ASCII). Wildcard rightnames are not okay. |
||||
|
||||
*/ |
||||
OSStatus AuthorizationRightRemove(AuthorizationRef authRef, |
||||
const char *rightName); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_AUTHORIZATIONDB_H_ */ |
||||
|
@ -0,0 +1,310 @@
|
||||
/*
|
||||
* Copyright (c) 2001-2002,2004,2011-2012,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
|
||||
/*
|
||||
* AuthorizationPlugin.h |
||||
* AuthorizationPlugin -- APIs for implementing authorization plugins. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_AUTHORIZATIONPLUGIN_H_ |
||||
#define _SECURITY_AUTHORIZATIONPLUGIN_H_ |
||||
|
||||
#include <Security/Authorization.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@header AuthorizationPlugin |
||||
|
||||
The AuthorizationPlugin API allows the creation of plugins that can participate |
||||
in authorization decisions. Using the AuthorizationDB API the system can be configured |
||||
to use these plugins. Plugins are loaded into a separate process, the pluginhost, to
|
||||
isolate the process of authorization from the client. There are two types of pluginhosts. |
||||
One runs as an anonymous user and can be used to communicate with the user, for example |
||||
to ask for a password. Another one runs with root privileges to perform privileged |
||||
operations that may be required. |
||||
|
||||
A typical use is to implement additional policies that cannot be expressed in the |
||||
authorization configuration. |
||||
|
||||
Plugins implement a handshake function called AuthorizationPluginCreate with which |
||||
their interface (AuthorizationPluginInterface) and the engine's interface |
||||
(AuthorizationCallbacks) are exchanged. Plugins are asked to create
|
||||
Mechanisms, which are the basic element as authorizations are performed.
|
||||
|
||||
Mechanisms are invoked when it is time for them to make a decision. A decision is
|
||||
made by setting a single result (AuthorizationResult). Mechanisms in the
|
||||
authorization can communicate auxiliary information by setting and/or getting hints
|
||||
and setting and/or getting context data. Hints are advisory and don't need to be |
||||
looked at, nor are they preserved as part of the authorization result. Context data |
||||
becomes part of the result of the authorization. |
||||
|
||||
Context data is tagged with a flag that describes whether the information is returned |
||||
to the authorization client upon request (AuthorizationCopyInfo() in Authorization.h) |
||||
or whether it's private to the mechanisms making a decision. |
||||
|
||||
*/ |
||||
|
||||
|
||||
/*!
|
||||
@typedef AuthorizationValue |
||||
Auxiliary data is passed between the engine and the mechanism as AuthorizationValues |
||||
*/ |
||||
typedef struct AuthorizationValue |
||||
{ |
||||
size_t length; |
||||
void *data; |
||||
} AuthorizationValue; |
||||
|
||||
/*!
|
||||
@typedef AuthorizationValueVector |
||||
A vector of AuthorizationValues. Used to communicate arguments passed from the
|
||||
configuration file <code>authorization(5)</code>. |
||||
*/ |
||||
typedef struct AuthorizationValueVector |
||||
{ |
||||
UInt32 count; |
||||
AuthorizationValue *values; |
||||
} AuthorizationValueVector; |
||||
|
||||
/*!
|
||||
@typedef |
||||
Data produced as context during the authorization evaluation is tagged.
|
||||
If data is set to be extractable (kAuthorizationContextFlagExtractable), it will be possible for the client of authorization to obtain the value of this attribute using AuthorizationCopyInfo(). |
||||
If data is marked as volatile (kAuthorizationContextFlagVolatile), this value will not be remembered in the AuthorizationRef. |
||||
Sticky data (kAuthorizationContextFlagSticky) persists through a failed or interrupted evaluation. It can be used to propagate an error condition from a downstream plugin to an upstream one. It is not remembered in the AuthorizationRef. |
||||
*/ |
||||
typedef CF_OPTIONS(UInt32, AuthorizationContextFlags) |
||||
{ |
||||
kAuthorizationContextFlagExtractable = (1 << 0), |
||||
kAuthorizationContextFlagVolatile = (1 << 1), |
||||
kAuthorizationContextFlagSticky = (1 << 2) |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@typedef AuthorizationMechanismId |
||||
The mechanism id specified in the configuration is passed to the plugin to create the appropriate mechanism. |
||||
*/ |
||||
typedef const AuthorizationString AuthorizationMechanismId; |
||||
|
||||
/*!
|
||||
@typedef AuthorizationPluginId |
||||
Not used by plugin writers. Loaded plugins are identified by their name. |
||||
*/ |
||||
typedef const AuthorizationString AuthorizationPluginId; |
||||
|
||||
/*!
|
||||
@typedef AuthorizationPluginRef |
||||
Handle passed back by the plugin writer when creating a plugin. Any pluginhost will only instantiate one instance. The handle is used when creating mechanisms. |
||||
*/ |
||||
typedef void *AuthorizationPluginRef; |
||||
|
||||
/*!
|
||||
@typedef AuthorizationMechanismRef |
||||
Handle passed back by the plugin writer when creating an an instance of a mechanism in a plugin. One instance will be created for any authorization. |
||||
*/ |
||||
typedef void *AuthorizationMechanismRef; |
||||
|
||||
/*!
|
||||
@typedef AuthorizationEngineRef |
||||
Handle passed from the engine to an instance of a mechanism in a plugin (corresponds to a particular AuthorizationMechanismRef). |
||||
*/ |
||||
typedef struct __OpaqueAuthorizationEngine *AuthorizationEngineRef; |
||||
|
||||
/*!
|
||||
@typedef AuthorizationSessionId |
||||
A unique value for an AuthorizationSession being evaluated, provided by the authorization engine. |
||||
A session is represented by a top level call to an Authorization API. |
||||
*/ |
||||
typedef void *AuthorizationSessionId; |
||||
|
||||
/*!
|
||||
@enum AuthorizationResult |
||||
Possible values for SetResult() in AuthorizationCallbacks. |
||||
|
||||
@constant kAuthorizationResultAllow the operation succeeded and authorization should be granted as far as this mechanism is concerned. |
||||
@constant kAuthorizationResultDeny the operation succeeded but authorization should be denied as far as this mechanism is concerned. |
||||
@constant kAuthorizationResultUndefined the operation failed for some reason and should not be retried for this session. |
||||
@constant kAuthorizationResultUserCanceled the user has requested that the evaluation be terminated. |
||||
*/ |
||||
typedef CF_ENUM(UInt32, AuthorizationResult) { |
||||
kAuthorizationResultAllow, |
||||
kAuthorizationResultDeny, |
||||
kAuthorizationResultUndefined, |
||||
kAuthorizationResultUserCanceled, |
||||
}; |
||||
|
||||
/*!
|
||||
@enum |
||||
Version of the interface (AuthorizationPluginInterface) implemented by the plugin. |
||||
The value is matched to the definition in this file. |
||||
*/ |
||||
enum { |
||||
kAuthorizationPluginInterfaceVersion = 0 |
||||
}; |
||||
|
||||
/*!
|
||||
@enum |
||||
Version of the callback structure (AuthorizationCallbacks) passed to the plugin. |
||||
The value is matched to the definition in this file. The engine may provide a newer |
||||
interface. |
||||
*/ |
||||
enum { |
||||
kAuthorizationCallbacksVersion = 1 |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@struct |
||||
Callback API provided by the AuthorizationEngine.
|
||||
|
||||
@field version Engine callback version. |
||||
@field SetResult Set a result after a call to AuthorizationSessionInvoke. |
||||
@field RequestInterrupt Request authorization engine to interrupt all mechamisms invoked after this mechamism has called SessionSetResult and then call AuthorizationSessionInvoke again. |
||||
@field DidDeactivate Respond to the Deactivate request. |
||||
@field GetContextValue Read value from context. AuthorizationValue does not own data. |
||||
@field SetContextValue Write value to context. AuthorizationValue and data are copied. |
||||
@field GetHintValue Read value from hints. AuthorizationValue does not own data. |
||||
@field SetHintValue Write value to hints. AuthorizationValue and data are copied. |
||||
@field GetArguments Read arguments passed. AuthorizationValueVector does not own data. |
||||
@field GetSessionId Read SessionId. |
||||
*/ |
||||
typedef struct AuthorizationCallbacks { |
||||
|
||||
/* Engine callback version. */ |
||||
UInt32 version; |
||||
|
||||
/* Set a result after a call to AuthorizationSessionInvoke. */ |
||||
OSStatus (*SetResult)(AuthorizationEngineRef inEngine, AuthorizationResult inResult); |
||||
|
||||
/* Request authorization engine to interrupt all mechamisms invoked after
|
||||
this mechamism has called SessionSetResult and then call
|
||||
AuthorizationSessionInvoke again. */ |
||||
OSStatus (*RequestInterrupt)(AuthorizationEngineRef inEngine); |
||||
|
||||
/* Respond to the Deactivate request. */ |
||||
OSStatus (*DidDeactivate)(AuthorizationEngineRef inEngine); |
||||
|
||||
/* Read value from context. AuthorizationValue does not own data. */ |
||||
OSStatus (*GetContextValue)(AuthorizationEngineRef inEngine, |
||||
AuthorizationString inKey, |
||||
AuthorizationContextFlags *outContextFlags, |
||||
const AuthorizationValue * __nullable * __nonnull outValue); |
||||
|
||||
/* Write value to context. AuthorizationValue and data are copied. */ |
||||
OSStatus (*SetContextValue)(AuthorizationEngineRef inEngine, |
||||
AuthorizationString inKey, |
||||
AuthorizationContextFlags inContextFlags, |
||||
const AuthorizationValue *inValue); |
||||
|
||||
/* Read value from hints. AuthorizationValue does not own data. */ |
||||
OSStatus (*GetHintValue)(AuthorizationEngineRef inEngine, |
||||
AuthorizationString inKey, |
||||
const AuthorizationValue * __nullable * __nonnull outValue); |
||||
|
||||
/* Write value to hints. AuthorizationValue and data are copied. */ |
||||
OSStatus (*SetHintValue)(AuthorizationEngineRef inEngine, |
||||
AuthorizationString inKey, |
||||
const AuthorizationValue *inValue); |
||||
|
||||
/* Read arguments passed. AuthorizationValueVector does not own data. */ |
||||
OSStatus (*GetArguments)(AuthorizationEngineRef inEngine, |
||||
const AuthorizationValueVector * __nullable * __nonnull outArguments); |
||||
|
||||
/* Read SessionId. */ |
||||
OSStatus (*GetSessionId)(AuthorizationEngineRef inEngine, |
||||
AuthorizationSessionId __nullable * __nonnull outSessionId); |
||||
|
||||
/* Read value from hints. AuthorizationValue does not own data. */ |
||||
OSStatus (*GetImmutableHintValue)(AuthorizationEngineRef inEngine, |
||||
AuthorizationString inKey, |
||||
const AuthorizationValue * __nullable * __nonnull outValue); |
||||
|
||||
} AuthorizationCallbacks; |
||||
|
||||
|
||||
/*!
|
||||
@struct |
||||
Interface that must be implemented by each plugin.
|
||||
|
||||
@field version Must be set to kAuthorizationPluginInterfaceVersion |
||||
@field PluginDestroy Plugin should clean up and release any resources it is holding. |
||||
@field MechanismCreate The plugin should create a mechanism named mechanismId. The mechanism needs to use the AuthorizationEngineRef for the callbacks and pass back a AuthorizationMechanismRef for itself. MechanismDestroy will be called when it is no longer needed. |
||||
@field MechanismInvoke Invoke an instance of a mechanism. It should call SetResult during or after returning from this function. |
||||
@field MechanismDeactivate Mechanism should respond with a DidDeactivate as soon as possible |
||||
@field MechanismDestroy Mechanism should clean up and release any resources it is holding |
||||
*/ |
||||
typedef struct AuthorizationPluginInterface |
||||
{ |
||||
/* Must be set to kAuthorizationPluginInterfaceVersion. */ |
||||
UInt32 version; |
||||
|
||||
/* Notify a plugin that it is about to be unloaded so it get a chance to clean up and release any resources it is holding. */ |
||||
OSStatus (*PluginDestroy)(AuthorizationPluginRef inPlugin); |
||||
|
||||
/* The plugin should create a mechanism named mechanismId. The mechanism needs to use the
|
||||
AuthorizationEngineRef for the callbacks and pass back an AuthorizationMechanismRef for |
||||
itself. MechanismDestroy will be called when it is no longer needed. */ |
||||
OSStatus (*MechanismCreate)(AuthorizationPluginRef inPlugin, |
||||
AuthorizationEngineRef inEngine, |
||||
AuthorizationMechanismId mechanismId, |
||||
AuthorizationMechanismRef __nullable * __nonnull outMechanism); |
||||
|
||||
/* Invoke an instance of a mechanism. It should call SetResult during or after returning from this function. */ |
||||
OSStatus (*MechanismInvoke)(AuthorizationMechanismRef inMechanism); |
||||
|
||||
/* Mechanism should respond with a DidDeactivate as soon as possible. */ |
||||
OSStatus (*MechanismDeactivate)(AuthorizationMechanismRef inMechanism); |
||||
|
||||
/* Mechanism should clean up and release any resources it is holding. */ |
||||
OSStatus (*MechanismDestroy)(AuthorizationMechanismRef inMechanism); |
||||
|
||||
} AuthorizationPluginInterface; |
||||
|
||||
|
||||
/*!
|
||||
@function AuthorizationPluginCreate |
||||
|
||||
Initialize a plugin after it gets loaded. This is the main entry point to a plugin. This function will only be called once.
|
||||
After all Mechanism instances have been destroyed outPluginInterface->PluginDestroy will be called. |
||||
|
||||
@param callbacks (input) A pointer to an AuthorizationCallbacks which contains the callbacks implemented by the AuthorizationEngine. |
||||
@param outPlugin (output) On successful completion should contain a valid AuthorizationPluginRef. This will be passed in to any subsequent calls the engine makes to outPluginInterface->MechanismCreate and outPluginInterface->PluginDestroy. |
||||
@param outPluginInterface (output) On successful completion should contain a pointer to a AuthorizationPluginInterface that will stay valid until outPluginInterface->PluginDestroy is called. */ |
||||
OSStatus AuthorizationPluginCreate(const AuthorizationCallbacks *callbacks, |
||||
AuthorizationPluginRef __nullable * __nonnull outPlugin, |
||||
const AuthorizationPluginInterface * __nullable * __nonnull outPluginInterface); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _SECURITY_AUTHORIZATIONPLUGIN_H_ */ |
@ -0,0 +1,80 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
|
||||
/*
|
||||
* AuthorizationTags.h -- Right tags for implementing access control in |
||||
* applications and daemons |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_AUTHORIZATIONTAGS_H_ |
||||
#define _SECURITY_AUTHORIZATIONTAGS_H_ |
||||
|
||||
|
||||
/*!
|
||||
@header AuthorizationTags |
||||
|
||||
This header defines some of the supported rights tags to be used in the Authorization API. |
||||
*/ |
||||
|
||||
|
||||
/*!
|
||||
@define kAuthorizationEnvironmentUsername |
||||
The name of the AuthorizationItem that should be passed into the environment when specifying a username. The value and valueLength should contain the username itself. |
||||
*/ |
||||
#define kAuthorizationEnvironmentUsername "username" |
||||
|
||||
/*!
|
||||
@define kAuthorizationEnvironmentPassword |
||||
The name of the AuthorizationItem that should be passed into the environment when specifying a password for a given username. The value and valueLength should contain the actual password data. |
||||
*/ |
||||
#define kAuthorizationEnvironmentPassword "password" |
||||
|
||||
/*!
|
||||
@define kAuthorizationEnvironmentShared |
||||
The name of the AuthorizationItem that should be passed into the environment when specifying a username and password. Adding this entry to the environment will cause the username/password to be added to the shared credential pool of the calling applications session. This means that further calls by other applications in this session will automatically have this credential availible to them. The value is ignored. |
||||
*/ |
||||
#define kAuthorizationEnvironmentShared "shared" |
||||
|
||||
/*!
|
||||
@define kAuthorizationRightExecute |
||||
The name of the AuthorizationItem that should be passed into the rights when preauthorizing for a call to AuthorizationExecuteWithPrivileges(). |
||||
|
||||
You need to aquire this right to be able to perform a AuthorizationExecuteWithPrivileges() operation. In addtion to this right you should obtain whatever rights the tool you are executing with privileges need to perform it's operation on your behalf. Currently no options are supported but you should pass in the full path of the tool you wish to execute in the value and valueLength fields. In the future we will limit the right to only execute the requested path, and we will display this information to the user. |
||||
*/ |
||||
#define kAuthorizationRightExecute "system.privilege.admin" |
||||
|
||||
/*!
|
||||
@define kAuthorizationEnvironmentPrompt |
||||
The name of the AuthorizationItem that should be passed into the environment when specifying a invocation specific additional text. The value should be a localized UTF8 string. |
||||
*/ |
||||
#define kAuthorizationEnvironmentPrompt "prompt" |
||||
|
||||
/*!
|
||||
@define kAuthorizationEnvironmentIcon |
||||
The name of the AuthorizationItem that should be passed into the environment when specifying an alternate icon to be used. The value should be a full path to and image NSImage can deal with. |
||||
*/ |
||||
#define kAuthorizationEnvironmentIcon "icon" |
||||
|
||||
|
||||
#endif /* !_SECURITY_AUTHORIZATIONTAGS_H_ */ |
@ -0,0 +1,382 @@
|
||||
/*
|
||||
* Copyright (c) 2006-2013 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*
|
||||
* CMSDecoder.h - decode, decrypt, and/or verify signatures of messages in the
|
||||
* Cryptographic Message Syntax (CMS), per RFC 3852. |
||||
* |
||||
* See CMSEncoder.h for general information about CMS messages.
|
||||
*/ |
||||
|
||||
#ifndef _CMS_DECODER_H_ |
||||
#define _CMS_DECODER_H_ |
||||
|
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
#include <Security/SecCertificate.h> |
||||
#include <Security/SecTrust.h> |
||||
#include <stdint.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*
|
||||
* Opaque reference to a CMS decoder object.
|
||||
* This is a CF object, with standard CF semantics; dispose of it |
||||
* with CFRelease(). |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) _CMSDecoder *CMSDecoderRef; |
||||
|
||||
CFTypeID CMSDecoderGetTypeID(void); |
||||
|
||||
/*
|
||||
* Status of signature and signer information in a signed message. |
||||
*/ |
||||
typedef CF_ENUM(uint32_t, CMSSignerStatus) { |
||||
kCMSSignerUnsigned = 0, /* message was not signed */ |
||||
kCMSSignerValid, /* message was signed and signature verify OK */ |
||||
kCMSSignerNeedsDetachedContent, /* message was signed but needs detached content
|
||||
* to verify */ |
||||
kCMSSignerInvalidSignature, /* message was signed but had a signature error */ |
||||
kCMSSignerInvalidCert, /* message was signed but an error occurred in verifying
|
||||
* the signer's certificate */ |
||||
kCMSSignerInvalidIndex /* specified signer index out of range */ |
||||
}; |
||||
|
||||
/*
|
||||
* Create a CMSDecoder. Result must eventually be freed via CFRelease(). |
||||
*/ |
||||
OSStatus CMSDecoderCreate( |
||||
CMSDecoderRef * __nonnull CF_RETURNS_RETAINED cmsDecoderOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Feed raw bytes of the message to be decoded into the decoder. Can be called |
||||
* multiple times.
|
||||
* Returns errSecUnknownFormat upon detection of improperly formatted CMS |
||||
* message.
|
||||
*/ |
||||
OSStatus CMSDecoderUpdateMessage( |
||||
CMSDecoderRef cmsDecoder, |
||||
const void *msgBytes, |
||||
size_t msgBytesLen) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Indicate that no more CMSDecoderUpdateMessage() calls are forthcoming; |
||||
* finish decoding the message.
|
||||
* Returns errSecUnknownFormat upon detection of improperly formatted CMS |
||||
* message.
|
||||
*/ |
||||
OSStatus CMSDecoderFinalizeMessage( |
||||
CMSDecoderRef cmsDecoder) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* A signed CMS message optionally includes the data which was signed. If the |
||||
* message does not include the signed data, caller specifies the signed data |
||||
* (the "detached content") here.
|
||||
* |
||||
* This can be called either before or after the actual decoding of the message |
||||
* (via CMSDecoderUpdateMessage() and CMSDecoderFinalizeMessage()); the only |
||||
* restriction is that, if detached content is required, this function must
|
||||
* be called befoere successfully ascertaining the signature status via
|
||||
* CMSDecoderCopySignerStatus(). |
||||
*/ |
||||
OSStatus CMSDecoderSetDetachedContent( |
||||
CMSDecoderRef cmsDecoder, |
||||
CFDataRef detachedContent) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the detached content specified in CMSDecoderSetDetachedContent(). |
||||
* Returns a NULL detachedContent if no detached content has been specified.
|
||||
* Caller must CFRelease() the result. |
||||
*/ |
||||
OSStatus CMSDecoderCopyDetachedContent( |
||||
CMSDecoderRef cmsDecoder, |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED detachedContentOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Optionally specify a SecKeychainRef, or an array of them, containing |
||||
* intermediate certs to be used in verifying a signed message's signer |
||||
* certs. By default, the default keychain search list is used for this.
|
||||
* Specify an empty CFArrayRef to search *no* keychains for intermediate |
||||
* certs.
|
||||
* If this is called, it must be called before CMSDecoderCopySignerStatus(). |
||||
*/ |
||||
OSStatus CMSDecoderSetSearchKeychain( |
||||
CMSDecoderRef cmsDecoder, |
||||
CFTypeRef keychainOrArray) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the number of signers of a message. A result of zero indicates that |
||||
* the message was not signed.
|
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
*/ |
||||
OSStatus CMSDecoderGetNumSigners( |
||||
CMSDecoderRef cmsDecoder, |
||||
size_t *numSignersOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the status of a CMS message's signature. A CMS message can
|
||||
* be signed my multiple signers; this function returns the status |
||||
* associated with signer 'n' as indicated by the signerIndex parameter.
|
||||
* |
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
* |
||||
* Note that signature and certificate verification of a decoded message |
||||
* does *not* occur until this routine is called.
|
||||
* |
||||
* All returned values are optional - pass NULL if you don't need a |
||||
* particular parameter.
|
||||
* |
||||
* Note that errors like "bad signature" and "bad cert" do NOT cause this
|
||||
* routine to return a nonzero error status itself; such errors are reported |
||||
* in the various out parameters, listed below.
|
||||
* |
||||
* Inputs: |
||||
* ------- |
||||
* cmsDecoder : a CMSDecoder which has successfully performed a
|
||||
* CMSDecoderFinalizeMessage(). |
||||
* signerIndex : indicates which of 'n' signers is being examined. |
||||
* Range is 0...(numSigners-1). |
||||
* policyOrArray : Either a SecPolicyRef or a CFArray of them. |
||||
* These policies are used to verify the signer's certificate.
|
||||
* evaluateSecTrust : When TRUE, causes the SecTrust oebject created for the
|
||||
* evaluation of the signer cert to actually be evaluated |
||||
* via SecTrustEvaluate(). When FALSE, the caller performs
|
||||
* the SecTrustEvaluate() operation on the SecTrust object
|
||||
* returned via the secTrust out parameter.
|
||||
* NOTE: it is hazardous and not recommended to pass in FALSE |
||||
* for the evaluateSecTrust parameter as well as NULL for the |
||||
* secTrust out parameter, since no evaluation of the signer |
||||
* cert can occur in that situation. |
||||
* |
||||
* Outputs: |
||||
* -------- |
||||
* signerStatusOut -- An enum indicating the overall status. |
||||
* kCMSSignerUnsigned : message was not signed. |
||||
* kCMSSignerValid : both signature and signer certificate verified OK. |
||||
* kCMSSignerNeedsDetachedContent : a call to CMSDecoderSetDetachedContent() |
||||
* is required to ascertain the signature status. |
||||
* kCMSSignerInvalidSignature : bad signature. |
||||
* kCMSSignerInvalidCert : an error occurred verifying the signer's certificate. |
||||
* Further information available via the secTrust and
|
||||
* certVerifyResultCode parameters. This will never be
|
||||
* returned if evaluateSecTrust is FALSE.
|
||||
* kCMSSignerInvalidIndex : specified signerIndex is larger than the number of
|
||||
* signers (minus 1). |
||||
* |
||||
* secTrustOut -- The SecTrust object used to verify the signer's
|
||||
* certificate. Caller must CFRelease this.
|
||||
* certVerifyResultCodeOut -- The result of the certificate verification. If
|
||||
* the evaluateSecTrust argument is set to FALSE on
|
||||
* input, this out parameter is undefined on return. |
||||
* |
||||
* The certVerifyResultCode value can indicate a large number of errors; some of
|
||||
* the most common and interesting errors are: |
||||
* |
||||
* CSSMERR_TP_INVALID_ANCHOR_CERT : The cert was verified back to a
|
||||
* self-signed (root) cert which was present in the message, but
|
||||
* that root cert is not a known, trusted root cert.
|
||||
* CSSMERR_TP_NOT_TRUSTED: The cert could not be verified back to
|
||||
* a root cert. |
||||
* CSSMERR_TP_VERIFICATION_FAILURE: A root cert was found which does |
||||
* not self-verify.
|
||||
* CSSMERR_TP_VERIFY_ACTION_FAILED: Indicates a failure of the requested
|
||||
* policy action.
|
||||
* CSSMERR_TP_INVALID_CERTIFICATE: Indicates a bad leaf cert.
|
||||
* CSSMERR_TP_CERT_EXPIRED: A cert in the chain was expired at the time of |
||||
* verification. |
||||
* CSSMERR_TP_CERT_NOT_VALID_YET: A cert in the chain was not yet valie at
|
||||
* the time of verification. |
||||
*/ |
||||
OSStatus CMSDecoderCopySignerStatus( |
||||
CMSDecoderRef cmsDecoder, |
||||
size_t signerIndex, |
||||
CFTypeRef policyOrArray, |
||||
Boolean evaluateSecTrust, |
||||
CMSSignerStatus * __nullable signerStatusOut, /* optional; RETURNED */ |
||||
SecTrustRef * __nullable CF_RETURNS_RETAINED secTrustOut, /* optional; RETURNED */ |
||||
OSStatus * __nullable certVerifyResultCodeOut) /* optional; RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the email address of signer 'signerIndex' of a CMS message, if |
||||
* present.
|
||||
* |
||||
* Returns errSecParam if the CMS message was not signed or if signerIndex |
||||
* is greater than the number of signers of the message minus one.
|
||||
* |
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
*/ |
||||
OSStatus CMSDecoderCopySignerEmailAddress( |
||||
CMSDecoderRef cmsDecoder, |
||||
size_t signerIndex, |
||||
CFStringRef * __nonnull CF_RETURNS_RETAINED signerEmailAddressOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the certificate of signer 'signerIndex' of a CMS message, if |
||||
* present.
|
||||
* |
||||
* Returns errSecParam if the CMS message was not signed or if signerIndex |
||||
* is greater than the number of signers of the message minus one.
|
||||
* |
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
*/ |
||||
OSStatus CMSDecoderCopySignerCert( |
||||
CMSDecoderRef cmsDecoder, |
||||
size_t signerIndex, |
||||
SecCertificateRef * __nonnull CF_RETURNS_RETAINED signerCertOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Determine whether a CMS message was encrypted. Returns TRUE if so, FALSE if not. |
||||
* Note that if the message was encrypted, and the decoding succeeded, (i.e., |
||||
* CMSDecoderFinalizeMessage() returned errSecSuccess), then the message was successfully |
||||
* decrypted.
|
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
*/ |
||||
OSStatus CMSDecoderIsContentEncrypted( |
||||
CMSDecoderRef cmsDecoder, |
||||
Boolean *isEncryptedOut) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the eContentType OID for a SignedData's EncapsulatedContentType, if
|
||||
* present. If the message was not signed this will return NULL. |
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
* The returned OID's data is in the same format as a CSSM_OID; i.e., it's |
||||
* the encoded content of the OID, not including the tag and length bytes.
|
||||
*/ |
||||
OSStatus CMSDecoderCopyEncapsulatedContentType( |
||||
CMSDecoderRef cmsDecoder, |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED eContentTypeOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain an array of all of the certificates in a message. Elements of the
|
||||
* returned array are SecCertificateRefs. The caller must CFRelease the returned
|
||||
* array. If a message does not contain any certificates (which is the case for |
||||
* a message which is encrypted but not signed), the returned *certs value
|
||||
* is NULL. The function will return errSecSuccess in this case. |
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
*/ |
||||
OSStatus CMSDecoderCopyAllCerts( |
||||
CMSDecoderRef cmsDecoder, |
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED certsOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the actual message content (payload), if any. If the message was |
||||
* signed with detached content this will return NULL. |
||||
* Caller must CFRelease the result.
|
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
*/ |
||||
OSStatus CMSDecoderCopyContent( |
||||
CMSDecoderRef cmsDecoder, |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED contentOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the signing time of signer 'signerIndex' of a CMS message, if |
||||
* present. This is an unauthenticate time, although it is part of the |
||||
* signed attributes of the message. |
||||
* |
||||
* Returns errSecParam if the CMS message was not signed or if signerIndex |
||||
* is greater than the number of signers of the message minus one.
|
||||
* |
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
*/ |
||||
OSStatus CMSDecoderCopySignerSigningTime( |
||||
CMSDecoderRef cmsDecoder, |
||||
size_t signerIndex, |
||||
CFAbsoluteTime *signingTime) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the timestamp of signer 'signerIndex' of a CMS message, if |
||||
* present. This timestamp is an authenticated timestamp provided by |
||||
* a timestamping authority. |
||||
* |
||||
* Returns errSecParam if the CMS message was not signed or if signerIndex |
||||
* is greater than the number of signers of the message minus one.
|
||||
* |
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
*/ |
||||
OSStatus CMSDecoderCopySignerTimestamp( |
||||
CMSDecoderRef cmsDecoder, |
||||
size_t signerIndex, |
||||
CFAbsoluteTime *timestamp) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the timestamp of signer 'signerIndex' of a CMS message, if |
||||
* present. This timestamp is an authenticated timestamp provided by |
||||
* a timestamping authority. Use the policy provided as a parameter |
||||
* |
||||
* Returns errSecParam if the CMS message was not signed or if signerIndex |
||||
* is greater than the number of signers of the message minus one. |
||||
* |
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called. |
||||
*/ |
||||
OSStatus CMSDecoderCopySignerTimestampWithPolicy( |
||||
CMSDecoderRef cmsDecoder, |
||||
CFTypeRef __nullable timeStampPolicy, |
||||
size_t signerIndex, /* usually 0 */ |
||||
CFAbsoluteTime *timestamp) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain an array of the certificates in a timestamp response. Elements of the
|
||||
* returned array are SecCertificateRefs. The caller must CFRelease the returned |
||||
* array. This timestamp is an authenticated timestamp provided by |
||||
* a timestamping authority. |
||||
* |
||||
* Returns errSecParam if the CMS message was not signed or if signerIndex |
||||
* is greater than the number of signers of the message minus one. It returns |
||||
* errSecItemNotFound if no certificates were found. |
||||
* |
||||
* This cannot be called until after CMSDecoderFinalizeMessage() is called.
|
||||
*/ |
||||
OSStatus CMSDecoderCopySignerTimestampCertificates( |
||||
CMSDecoderRef cmsDecoder, |
||||
size_t signerIndex, /* usually 0 */ |
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED certificateRefs) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_NA); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CMS_DECODER_H_ */ |
||||
|
@ -0,0 +1,420 @@
|
||||
/*
|
||||
* Copyright (c) 2006-2012 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*
|
||||
* CMSEncoder.h - encode, sign, and/or encrypt messages in the Cryptographic |
||||
* Message Syntax (CMS), per RFC 3852. |
||||
* |
||||
* A CMS message can be signed, encrypted, or both. A message can be signed by |
||||
* an arbitrary number of signers; in this module, signers are expressed as |
||||
* SecIdentityRefs. A message can be encrypted for an arbitrary number of |
||||
* recipients; recipients are expressed here as SecCertificateRefs.
|
||||
*
|
||||
* In CMS terminology, this module performs encryption using the EnvelopedData
|
||||
* ContentType and signing using the SignedData ContentType. |
||||
* |
||||
* If the message is both signed and encrypted, it uses "nested ContentInfos"
|
||||
* in CMS terminology; in this implementation, signed & encrypted messages
|
||||
* are implemented as an EnvelopedData containing a SignedData.
|
||||
*/ |
||||
|
||||
#ifndef _CMS_ENCODER_H_ |
||||
#define _CMS_ENCODER_H_ |
||||
|
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
#include <Security/cssmtype.h> |
||||
#include <stdint.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*
|
||||
* Opaque reference to a CMS encoder object.
|
||||
* This is a CF object, with standard CF semantics; dispose of it |
||||
* with CFRelease(). |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) _CMSEncoder *CMSEncoderRef; |
||||
|
||||
CFTypeID CMSEncoderGetTypeID(void) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Create a CMSEncoder. Result must eventually be freed via CFRelease(). |
||||
*/ |
||||
OSStatus CMSEncoderCreate( |
||||
CMSEncoderRef * __nonnull CF_RETURNS_RETAINED cmsEncoderOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
extern const CFStringRef kCMSEncoderDigestAlgorithmSHA1; |
||||
extern const CFStringRef kCMSEncoderDigestAlgorithmSHA256; |
||||
|
||||
OSStatus CMSEncoderSetSignerAlgorithm( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFStringRef digestAlgorithm) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Specify signers of the CMS message; implies that the message will be signed.
|
||||
* |
||||
* -- Caller can pass in one signer, as a SecIdentityRef, or an array of
|
||||
* signers, as a CFArray of SecIdentityRefs.
|
||||
* -- Can be called multiple times.
|
||||
* -- If the message is not to be signed, don't call this.
|
||||
* -- If this is called, it must be called before the first call to
|
||||
* CMSEncoderUpdateContent(). |
||||
*/ |
||||
OSStatus CMSEncoderAddSigners( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFTypeRef signerOrArray) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain an array of signers as specified in CMSEncoderSetSigners().
|
||||
* Returns a NULL signers array if CMSEncoderSetSigners() has not been called.
|
||||
* Caller must CFRelease the result.
|
||||
*/ |
||||
OSStatus CMSEncoderCopySigners( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED signersOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Specify recipients of the message. Implies that the message will
|
||||
* be encrypted.
|
||||
* |
||||
* -- Caller can pass in one recipient, as a SecCertificateRef, or an
|
||||
* array of recipients, as a CFArray of SecCertificateRefs.
|
||||
* -- Can be called multiple times.
|
||||
* -- If the message is not to be encrypted, don't call this.
|
||||
* -- If this is called, it must be called before the first call to
|
||||
* CMSEncoderUpdateContent(). |
||||
*/ |
||||
OSStatus CMSEncoderAddRecipients( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFTypeRef recipientOrArray) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain an array of recipients as specified in CMSEncoderSetRecipients().
|
||||
* Returns a NULL recipients array if CMSEncoderSetRecipients() has not been
|
||||
* called.
|
||||
* Caller must CFRelease the result.
|
||||
*/ |
||||
OSStatus CMSEncoderCopyRecipients( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED recipientsOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* A signed message optionally includes the data to be signed. If the message |
||||
* is *not* to include the data to be signed, call this function with a value |
||||
* of TRUE for detachedContent. The default, if this function is not called, |
||||
* is detachedContent=FALSE, i.e., the message contains the data to be signed. |
||||
*
|
||||
* -- Encrypted messages can not use detached content. (This restriction
|
||||
* also applies to messages that are both signed and encrypted.) |
||||
* -- If this is called, it must be called before the first call to
|
||||
* CMSEncoderUpdateContent(). |
||||
*/
|
||||
OSStatus CMSEncoderSetHasDetachedContent( |
||||
CMSEncoderRef cmsEncoder, |
||||
Boolean detachedContent) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain a Boolean indicating whether the current message will have detached
|
||||
* content. |
||||
* Returns the value specified in CMSEncoderHasDetachedContent() if that |
||||
* function has been called; else returns the default FALSE. |
||||
*/ |
||||
OSStatus CMSEncoderGetHasDetachedContent( |
||||
CMSEncoderRef cmsEncoder, |
||||
Boolean *detachedContentOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Optionally specify an eContentType OID for the inner EncapsulatedData for |
||||
* a signed message. The default eContentType, used if this function is not |
||||
* called, is id-data (which is the normal eContentType for applications such |
||||
* as SMIME). |
||||
* |
||||
* If this is called, it must be called before the first call to
|
||||
* CMSEncoderUpdateContent(). |
||||
* |
||||
* NOTE: This function is deprecated in Mac OS X 10.7 and later; |
||||
* please use CMSEncoderSetEncapsulatedContentTypeOID() instead. |
||||
*/ |
||||
OSStatus CMSEncoderSetEncapsulatedContentType( |
||||
CMSEncoderRef cmsEncoder, |
||||
const CSSM_OID *eContentType) |
||||
/* DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Optionally specify an eContentType OID for the inner EncapsulatedData for |
||||
* a signed message. The default eContentTypeOID, used if this function is not |
||||
* called, is id-data (which is the normal eContentType for applications such |
||||
* as SMIME). |
||||
* |
||||
* The eContentTypeOID parameter may be specified as a CF string, e.g.: |
||||
* CFSTR("1.2.840.113549.1.7.1") |
||||
* |
||||
* If this is called, it must be called before the first call to
|
||||
* CMSEncoderUpdateContent(). |
||||
*/ |
||||
OSStatus CMSEncoderSetEncapsulatedContentTypeOID( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFTypeRef eContentTypeOID) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the eContentType OID specified in CMSEncoderSetEncapsulatedContentType(). |
||||
* If CMSEncoderSetEncapsulatedContentType() has not been called this returns a
|
||||
* NULL pointer. |
||||
* The returned OID's data is in the same format as the data provided to
|
||||
* CMSEncoderSetEncapsulatedContentType;, i.e., it's the encoded content of
|
||||
* the OID, not including the tag and length bytes.
|
||||
*/ |
||||
OSStatus CMSEncoderCopyEncapsulatedContentType( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED eContentTypeOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Signed CMS messages can contain arbitrary sets of certificates beyond those |
||||
* indicating the identity of the signer(s). This function provides a means of
|
||||
* adding these other certs. For normal signed messages it is not necessary to
|
||||
* call this; the signer cert(s) and the intermediate certs needed to verify the |
||||
* signer(s) will be included in the message implicitly.
|
||||
* |
||||
* -- Caller can pass in one cert, as a SecCertificateRef, or an array of certs, |
||||
* as a CFArray of SecCertificateRefs.
|
||||
* -- If this is called, it must be called before the first call to
|
||||
* CMSEncoderUpdateContent(). |
||||
* -- There is a "special case" use of CMS messages which involves neither |
||||
* signing nor encryption, but does include certificates. This is commonly |
||||
* used to transport "bags" of certificates. When constructing such a
|
||||
* message, all an application needs to do is to create a CMSEncoderRef, |
||||
* call CMSEncoderAddSupportingCerts() one or more times, and then call
|
||||
* CMSEncoderCopyEncodedContent() to get the resulting cert bag. No 'content' |
||||
* need be specified. (This is in fact the primary intended use for |
||||
* this function.) |
||||
*/ |
||||
OSStatus CMSEncoderAddSupportingCerts( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFTypeRef certOrArray) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain the SecCertificates provided in CMSEncoderAddSupportingCerts().
|
||||
* If CMSEncoderAddSupportingCerts() has not been called this will return a |
||||
* NULL value for *certs. |
||||
* Caller must CFRelease the result. |
||||
*/ |
||||
OSStatus CMSEncoderCopySupportingCerts( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED certsOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Standard signed attributes, optionally specified in
|
||||
* CMSEncoderAddSignedAttributes(). |
||||
*/ |
||||
typedef CF_ENUM(uint32_t, CMSSignedAttributes) { |
||||
kCMSAttrNone = 0x0000, |
||||
/*
|
||||
* S/MIME Capabilities - identifies supported signature, encryption, and |
||||
* digest algorithms. |
||||
*/ |
||||
kCMSAttrSmimeCapabilities = 0x0001, |
||||
/*
|
||||
* Indicates that a cert is the preferred cert for S/MIME encryption. |
||||
*/ |
||||
kCMSAttrSmimeEncryptionKeyPrefs = 0x0002, |
||||
/*
|
||||
* Same as kCMSSmimeEncryptionKeyPrefs, using an attribute OID preferred |
||||
* by Microsoft. |
||||
*/ |
||||
kCMSAttrSmimeMSEncryptionKeyPrefs = 0x0004, |
||||
/*
|
||||
* Include the signing time. |
||||
*/ |
||||
kCMSAttrSigningTime = 0x0008 |
||||
}; |
||||
|
||||
/*
|
||||
* Optionally specify signed attributes. Only meaningful when creating a
|
||||
* signed message. If this is called, it must be called before |
||||
* CMSEncoderUpdateContent(). |
||||
*/ |
||||
OSStatus CMSEncoderAddSignedAttributes( |
||||
CMSEncoderRef cmsEncoder, |
||||
CMSSignedAttributes signedAttributes) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Specification of what certificates to include in a signed message. |
||||
*/ |
||||
typedef CF_ENUM(uint32_t, CMSCertificateChainMode) { |
||||
kCMSCertificateNone = 0, /* don't include any certificates */ |
||||
kCMSCertificateSignerOnly, /* only include signer certificate(s) */ |
||||
kCMSCertificateChain, /* signer certificate chain up to but not
|
||||
* including root certiticate */
|
||||
kCMSCertificateChainWithRoot /* signer certificate chain including root */ |
||||
}; |
||||
|
||||
/*
|
||||
* Optionally specify which certificates, if any, to include in a
|
||||
* signed CMS message. The default, if this is not called, is |
||||
* kCMSCertificateChain, in which case the signer cert plus all CA |
||||
* certs needed to verify the signer cert, except for the root
|
||||
* cert, are included. |
||||
* If this is called, it must be called before |
||||
* CMSEncoderUpdateContent(). |
||||
*/ |
||||
OSStatus CMSEncoderSetCertificateChainMode( |
||||
CMSEncoderRef cmsEncoder, |
||||
CMSCertificateChainMode chainMode) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Obtain indication of which signer certs are to be included |
||||
* in a signed CMS message.
|
||||
*/ |
||||
OSStatus CMSEncoderGetCertificateChainMode( |
||||
CMSEncoderRef cmsEncoder, |
||||
CMSCertificateChainMode *chainModeOut) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Feed content bytes into the encoder.
|
||||
* Can be called multiple times.
|
||||
* No 'setter' routines can be called after this function has been called.
|
||||
*/
|
||||
OSStatus CMSEncoderUpdateContent( |
||||
CMSEncoderRef cmsEncoder, |
||||
const void *content, |
||||
size_t contentLen) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Finish encoding the message and obtain the encoded result. |
||||
* Caller must CFRelease the result.
|
||||
*/ |
||||
OSStatus CMSEncoderCopyEncodedContent( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED encodedContentOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* High-level, one-shot encoder function. |
||||
* |
||||
* Inputs (all except for content optional, though at least one
|
||||
* of {signers, recipients} must be non-NULL) |
||||
* ------------------------------------------------------------ |
||||
* signers : signer identities. Either a SecIdentityRef, or a
|
||||
* CFArray of them. |
||||
* recipients : recipient certificates. Either a SecCertificateRef,
|
||||
* or a CFArray of them. |
||||
* eContentType : contentType for inner EncapsulatedData. |
||||
* detachedContent : when true, do not include the signed data in the message. |
||||
* signedAttributes : Specifies which standard signed attributes are to be
|
||||
* included in the message.
|
||||
* content : raw content to be signed and/or encrypted. |
||||
* |
||||
* Output |
||||
* ------ |
||||
* encodedContent : the result of the encoding. |
||||
* |
||||
* NOTE: This function is deprecated in Mac OS X 10.7 and later; |
||||
* please use CMSEncodeContent() instead. |
||||
*/ |
||||
OSStatus CMSEncode( |
||||
CFTypeRef __nullable signers, |
||||
CFTypeRef __nullable recipients, |
||||
const CSSM_OID * __nullable eContentType, |
||||
Boolean detachedContent, |
||||
CMSSignedAttributes signedAttributes, |
||||
const void * content, |
||||
size_t contentLen, |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED encodedContentOut) /* RETURNED */ |
||||
/* DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
|
||||
/*
|
||||
* High-level, one-shot encoder function. |
||||
* |
||||
* Inputs (all except for content optional, though at least one
|
||||
* of {signers, recipients} must be non-NULL) |
||||
* ------------------------------------------------------------ |
||||
* signers : signer identities. Either a SecIdentityRef, or a
|
||||
* CFArray of them. |
||||
* recipients : recipient certificates. Either a SecCertificateRef,
|
||||
* or a CFArray of them. |
||||
* eContentTypeOID : contentType OID for inner EncapsulatedData, e.g.: |
||||
* CFSTR("1.2.840.113549.1.7.1") |
||||
* detachedContent : when true, do not include the signed data in the message. |
||||
* signedAttributes : Specifies which standard signed attributes are to be
|
||||
* included in the message.
|
||||
* content : raw content to be signed and/or encrypted. |
||||
* |
||||
* Output |
||||
* ------ |
||||
* encodedContent : the result of the encoding. |
||||
*/ |
||||
OSStatus CMSEncodeContent( |
||||
CFTypeRef __nullable signers, |
||||
CFTypeRef __nullable recipients, |
||||
CFTypeRef __nullable eContentTypeOID, |
||||
Boolean detachedContent, |
||||
CMSSignedAttributes signedAttributes, |
||||
const void *content, |
||||
size_t contentLen, |
||||
CFDataRef * __nullable CF_RETURNS_RETAINED encodedContentOut) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
OSStatus CMSEncoderCopySignerTimestamp( |
||||
CMSEncoderRef cmsEncoder, |
||||
size_t signerIndex, /* usually 0 */ |
||||
CFAbsoluteTime *timestamp) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_NA); |
||||
|
||||
OSStatus CMSEncoderCopySignerTimestampWithPolicy( |
||||
CMSEncoderRef cmsEncoder, |
||||
CFTypeRef __nullable timeStampPolicy, |
||||
size_t signerIndex, /* usually 0 */ |
||||
CFAbsoluteTime *timestamp) /* RETURNED */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_NA); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CMS_ENCODER_H_ */ |
||||
|
@ -0,0 +1,318 @@
|
||||
/*
|
||||
* Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header CSCommon |
||||
CSCommon is the common header of all Code Signing API headers. |
||||
It defines types, constants, and error codes. |
||||
*/ |
||||
#ifndef _H_CSCOMMON |
||||
#define _H_CSCOMMON |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
#include <stdint.h> |
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*
|
||||
Code Signing specific OSStatus codes. |
||||
[Assigned range 0xFFFE_FAxx]. |
||||
*/ |
||||
CF_ENUM(OSStatus) { |
||||
errSecCSUnimplemented = -67072, /* unimplemented code signing feature */ |
||||
errSecCSInvalidObjectRef = -67071, /* invalid API object reference */ |
||||
errSecCSInvalidFlags = -67070, /* invalid or inappropriate API flag(s) specified */ |
||||
errSecCSObjectRequired = -67069, /* a required pointer argument was NULL */ |
||||
errSecCSStaticCodeNotFound = -67068, /* cannot find code object on disk */ |
||||
errSecCSUnsupportedGuestAttributes = -67067, /* cannot locate guests using this attribute set */ |
||||
errSecCSInvalidAttributeValues = -67066, /* given attribute values are invalid */ |
||||
errSecCSNoSuchCode = -67065, /* host has no guest with the requested attributes */ |
||||
errSecCSMultipleGuests = -67064, /* ambiguous guest specification (host has multiple guests with these attribute values) */ |
||||
errSecCSGuestInvalid = -67063, /* code identity has been invalidated */ |
||||
errSecCSUnsigned = -67062, /* code object is not signed at all */ |
||||
errSecCSSignatureFailed = -67061, /* invalid signature (code or signature have been modified) */ |
||||
errSecCSSignatureNotVerifiable = -67060, /* the code cannot be read by the verifier (file system permissions etc.) */ |
||||
errSecCSSignatureUnsupported = -67059, /* unsupported type or version of signature */ |
||||
errSecCSBadDictionaryFormat = -67058, /* a required plist file or resource is malformed */ |
||||
errSecCSResourcesNotSealed = -67057, /* resources are present but not sealed by signature */ |
||||
errSecCSResourcesNotFound = -67056, /* code has no resources but signature indicates they must be present */ |
||||
errSecCSResourcesInvalid = -67055, /* the sealed resource directory is invalid */ |
||||
errSecCSBadResource = -67054, /* a sealed resource is missing or invalid */ |
||||
errSecCSResourceRulesInvalid = -67053, /* invalid resource specification rule(s) */ |
||||
errSecCSReqInvalid = -67052, /* invalid or corrupted code requirement(s) */ |
||||
errSecCSReqUnsupported = -67051, /* unsupported type or version of code requirement(s) */ |
||||
errSecCSReqFailed = -67050, /* code failed to satisfy specified code requirement(s) */ |
||||
errSecCSBadObjectFormat = -67049, /* object file format unrecognized, invalid, or unsuitable */ |
||||
errSecCSInternalError = -67048, /* internal error in Code Signing subsystem */ |
||||
errSecCSHostReject = -67047, /* code rejected its host */ |
||||
errSecCSNotAHost = -67046, /* attempt to specify guest of code that is not a host */ |
||||
errSecCSSignatureInvalid = -67045, /* invalid or unsupported format for signature */ |
||||
errSecCSHostProtocolRelativePath = -67044, /* host protocol violation - absolute guest path required */ |
||||
errSecCSHostProtocolContradiction = -67043, /* host protocol violation - contradictory hosting modes */ |
||||
errSecCSHostProtocolDedicationError = -67042, /* host protocol violation - operation not allowed with/for a dedicated guest */ |
||||
errSecCSHostProtocolNotProxy = -67041, /* host protocol violation - proxy hosting not engaged */ |
||||
errSecCSHostProtocolStateError = -67040, /* host protocol violation - invalid guest state change request */ |
||||
errSecCSHostProtocolUnrelated = -67039, /* host protocol violation - the given guest is not a guest of the given host */ |
||||
/* -67038 obsolete (no longer issued) */ |
||||
errSecCSNotSupported = -67037, /* operation inapplicable or not supported for this type of code */ |
||||
errSecCSCMSTooLarge = -67036, /* signature too large to embed (size limitation of on-disk representation) */ |
||||
errSecCSHostProtocolInvalidHash = -67035, /* host protocol violation - invalid guest hash */ |
||||
errSecCSStaticCodeChanged = -67034, /* the code on disk does not match what is running */ |
||||
errSecCSDBDenied = -67033, /* permission to use a database denied */ |
||||
errSecCSDBAccess = -67032, /* cannot access a database */ |
||||
errSecCSSigDBDenied = errSecCSDBDenied, |
||||
errSecCSSigDBAccess = errSecCSDBAccess, |
||||
errSecCSHostProtocolInvalidAttribute = -67031, /* host returned invalid or inconsistent guest attributes */ |
||||
errSecCSInfoPlistFailed = -67030, /* invalid Info.plist (plist or signature have been modified) */ |
||||
errSecCSNoMainExecutable = -67029, /* the code has no main executable file */ |
||||
errSecCSBadBundleFormat = -67028, /* bundle format unrecognized, invalid, or unsuitable */ |
||||
errSecCSNoMatches = -67027, /* no matches for search or update operation */ |
||||
errSecCSFileHardQuarantined = -67026, /* File created by an AppSandbox, exec/open not allowed */ |
||||
errSecCSOutdated = -67025, /* presented data is out of date */ |
||||
errSecCSDbCorrupt = -67024, /* a system database or file is corrupt */ |
||||
errSecCSResourceDirectoryFailed = -67023, /* invalid resource directory (directory or signature have been modified) */ |
||||
errSecCSUnsignedNestedCode = -67022, /* nested code is unsigned */ |
||||
errSecCSBadNestedCode = -67021, /* nested code is modified or invalid */ |
||||
errSecCSBadCallbackValue = -67020, /* monitor callback returned invalid value */ |
||||
errSecCSHelperFailed = -67019, /* the codesign_allocate helper tool cannot be found or used */ |
||||
errSecCSVetoed = -67018, |
||||
errSecCSBadLVArch = -67017, /* library validation flag cannot be used with an i386 binary */ |
||||
errSecCSResourceNotSupported = -67016, /* unsupported resource found (something not a directory, file or symlink) */ |
||||
errSecCSRegularFile = -67015, /* the main executable or Info.plist must be a regular file (no symlinks, etc.) */ |
||||
errSecCSUnsealedAppRoot = -67014, /* unsealed contents present in the bundle root */ |
||||
errSecCSWeakResourceRules = -67013, /* resource envelope is obsolete (custom omit rules) */ |
||||
errSecCSDSStoreSymlink = -67012, /* .DS_Store files cannot be a symlink */
|
||||
errSecCSAmbiguousBundleFormat = -67011, /* bundle format is ambiguous (could be app or framework) */ |
||||
errSecCSBadMainExecutable = -67010, /* main executable failed strict validation */ |
||||
errSecCSBadFrameworkVersion = -67009, /* embedded framework contains modified or invalid version */ |
||||
errSecCSUnsealedFrameworkRoot = -67008, /* unsealed contents present in the root directory of an embedded framework */ |
||||
errSecCSWeakResourceEnvelope = -67007, /* resource envelope is obsolete (version 1 signature) */ |
||||
errSecCSCancelled = -67006, /* operation was terminated by explicit cancellation */ |
||||
errSecCSInvalidPlatform = -67005, /* invalid platform identifier or platform mismatch */ |
||||
errSecCSTooBig = -67004, /* code is too big for current signing format */ |
||||
errSecCSInvalidSymlink = -67003, /* invalid destination for symbolic link in bundle */ |
||||
}; |
||||
|
||||
/*
|
||||
* Code Signing specific CFError "user info" keys. |
||||
* In calls that can return CFErrorRef indications, if a CFErrorRef is actually |
||||
* returned, its "user info" dictionary may contain some of the following keys |
||||
* to more closely describe the circumstances of the failure. |
||||
* Do not rely on the presence of any particular key to categorize a problem; |
||||
* always use the primary OSStatus return for that. The data contained under |
||||
* these keys is always supplemental and optional. |
||||
*/ |
||||
extern const CFStringRef kSecCFErrorArchitecture; /* CFStringRef: name of architecture causing the problem */ |
||||
extern const CFStringRef kSecCFErrorPattern; /* CFStringRef: invalid resource selection pattern encountered */ |
||||
extern const CFStringRef kSecCFErrorResourceSeal; /* CFTypeRef: invalid component in resource seal (CodeResources) */ |
||||
extern const CFStringRef kSecCFErrorResourceAdded; /* CFURLRef: unsealed resource found */ |
||||
extern const CFStringRef kSecCFErrorResourceAltered; /* CFURLRef: modified resource found */ |
||||
extern const CFStringRef kSecCFErrorResourceMissing; /* CFURLRef: sealed (non-optional) resource missing */ |
||||
extern const CFStringRef kSecCFErrorInfoPlist; /* CFTypeRef: Info.plist dictionary or component thereof found invalid */ |
||||
extern const CFStringRef kSecCFErrorGuestAttributes; /* CFTypeRef: Guest attribute set of element not accepted */ |
||||
extern const CFStringRef kSecCFErrorRequirementSyntax; /* CFStringRef: compilation error for Requirement source */ |
||||
extern const CFStringRef kSecCFErrorPath; /* CFURLRef: subcomponent containing the error */ |
||||
|
||||
/*!
|
||||
@typedef SecCodeRef |
||||
This is the type of a reference to running code. |
||||
|
||||
In many (but not all) calls, this can be passed to a SecStaticCodeRef |
||||
argument, which performs an implicit SecCodeCopyStaticCode call and |
||||
operates on the result. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) __SecCode *SecCodeRef; /* running code */ |
||||
|
||||
/*!
|
||||
@typedef SecStaticCodeRef |
||||
This is the type of a reference to static code on disk. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) __SecCode const *SecStaticCodeRef; /* code on disk */ |
||||
|
||||
/*!
|
||||
@typedef SecRequirementRef |
||||
This is the type of a reference to a code requirement. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) __SecRequirement *SecRequirementRef; /* code requirement */ |
||||
|
||||
|
||||
/*!
|
||||
@typedef SecGuestRef |
||||
An abstract handle to identify a particular Guest in the context of its Host. |
||||
|
||||
Guest handles are assigned by the host at will, with kSecNoGuest (zero) being |
||||
reserved as the null value. They can be reused for new children if desired. |
||||
*/ |
||||
typedef u_int32_t SecGuestRef; |
||||
|
||||
CF_ENUM(SecGuestRef) { |
||||
kSecNoGuest = 0, /* not a valid SecGuestRef */ |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@typedef SecCSFlags |
||||
This is the type of flags arguments to Code Signing API calls. |
||||
It provides a bit mask of request and option flags. All of the bits in these |
||||
masks are reserved to Apple; if you set any bits not defined in these headers, |
||||
the behavior is generally undefined. |
||||
|
||||
This list describes the flags that are shared among several Code Signing API calls. |
||||
Flags that only apply to one call are defined and documented with that call. |
||||
Global flags are assigned from high order down (31 -> 0); call-specific flags |
||||
are assigned from the bottom up (0 -> 31). |
||||
|
||||
@constant kSecCSDefaultFlags |
||||
When passed to a flags argument throughout, indicates that default behavior |
||||
is desired. Do not mix with other flags values. |
||||
@constant kSecCSConsiderExpiration |
||||
When passed to a call that performs code validation, requests that code signatures |
||||
made by expired certificates be rejected. By default, expiration of participating |
||||
certificates is not automatic grounds for rejection. |
||||
*/ |
||||
typedef CF_OPTIONS(uint32_t, SecCSFlags) { |
||||
kSecCSDefaultFlags = 0, /* no particular flags (default behavior) */ |
||||
|
||||
kSecCSConsiderExpiration = 1 << 31, /* consider expired certificates invalid */ |
||||
kSecCSEnforceRevocationChecks = 1 << 30, /* force revocation checks regardless of preference settings */ |
||||
kSecCSNoNetworkAccess = 1 << 29, /* do not use the network, cancels "kSecCSEnforceRevocationChecks" */ |
||||
kSecCSReportProgress = 1 << 28, /* make progress report call-backs when configured */ |
||||
kSecCSCheckTrustedAnchors = 1 << 27, /* build certificate chain to system trust anchors, not to any self-signed certificate */ |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@typedef SecCodeSignatureFlags |
||||
This is the type of option flags that can be embedded in a code signature |
||||
during signing, and that govern the use of the signature thereafter. |
||||
Some of these flags can be set through the codesign(1) command's --options |
||||
argument; some are set implicitly based on signing circumstances; and all |
||||
can be set with the kSecCodeSignerFlags item of a signing information dictionary. |
||||
|
||||
@constant kSecCodeSignatureHost |
||||
Indicates that the code may act as a host that controls and supervises guest |
||||
code. If this flag is not set in a code signature, the code is never considered |
||||
eligible to be a host, and any attempt to act like one will be ignored or rejected. |
||||
@constant kSecCodeSignatureAdhoc |
||||
The code has been sealed without a signing identity. No identity may be retrieved |
||||
from it, and any code requirement placing restrictions on the signing identity |
||||
will fail. This flag is set by the code signing API and cannot be set explicitly. |
||||
@constant kSecCodeSignatureForceHard |
||||
Implicitly set the "hard" status bit for the code when it starts running. |
||||
This bit indicates that the code prefers to be denied access to a resource |
||||
if gaining such access would cause its invalidation. Since the hard bit is |
||||
sticky, setting this option bit guarantees that the code will always have |
||||
it set. |
||||
@constant kSecCodeSignatureForceKill |
||||
Implicitly set the "kill" status bit for the code when it starts running. |
||||
This bit indicates that the code wishes to be terminated with prejudice if |
||||
it is ever invalidated. Since the kill bit is sticky, setting this option bit |
||||
guarantees that the code will always be dynamically valid, since it will die |
||||
immediately if it becomes invalid. |
||||
@constant kSecCodeSignatureForceExpiration |
||||
Forces the kSecCSConsiderExpiration flag on all validations of the code. |
||||
*/ |
||||
typedef CF_OPTIONS(uint32_t, SecCodeSignatureFlags) { |
||||
kSecCodeSignatureHost = 0x0001, /* may host guest code */ |
||||
kSecCodeSignatureAdhoc = 0x0002, /* must be used without signer */ |
||||
kSecCodeSignatureForceHard = 0x0100, /* always set HARD mode on launch */ |
||||
kSecCodeSignatureForceKill = 0x0200, /* always set KILL mode on launch */ |
||||
kSecCodeSignatureForceExpiration = 0x0400, /* force certificate expiration checks */ |
||||
kSecCodeSignatureRestrict = 0x0800, /* restrict dyld loading */ |
||||
kSecCodeSignatureEnforcement = 0x1000, /* enforce code signing */ |
||||
kSecCodeSignatureLibraryValidation = 0x2000, /* library validation required */ |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@typedef SecCodeStatus |
||||
The code signing system attaches a set of status flags to each running code. |
||||
These flags are maintained by the code's host, and can be read by anyone. |
||||
A code may change its own flags, a host may change its guests' flags, |
||||
and root may change anyone's flags. However, these flags are sticky in that |
||||
each can change in only one direction (and never back, for the lifetime of the code). |
||||
Not even root can violate this restriction. |
||||
|
||||
There are other flags in SecCodeStatus that are not publicly documented. |
||||
Do not rely on them, and do not ever attempt to explicitly set them. |
||||
|
||||
@constant kSecCodeStatusValid |
||||
Indicates that the code is dynamically valid, i.e. it started correctly |
||||
and has not been invalidated since then. The valid bit can only be cleared. |
||||
|
||||
Warning: This bit is not your one-stop shortcut to determining the validity of code. |
||||
It represents the dynamic component of the full validity function; if this |
||||
bit is unset, the code is definitely invalid, but the converse is not always true. |
||||
In fact, code hosts may represent the outcome of some delayed static validation work in this bit, |
||||
and thus it strictly represents a blend of (all of) dynamic and (some of) static validity, |
||||
depending on the implementation of the particular host managing the code. You can (only) |
||||
rely that (1) dynamic invalidation will clear this bit; and (2) the combination |
||||
of static validation and dynamic validity (as performed by the SecCodeCheckValidity* APIs) |
||||
will give a correct answer. |
||||
|
||||
@constant kSecCodeStatusHard |
||||
Indicates that the code prefers to be denied access to resources if gaining access |
||||
would invalidate it. This bit can only be set. |
||||
It is undefined whether code that is marked hard and is already invalid will still |
||||
be denied access to a resource that would invalidate it if it were still valid. That is, |
||||
the code may or may not get access to such a resource while being invalid, and that choice |
||||
may appear random. |
||||
|
||||
@constant kSecCodeStatusKill |
||||
Indicates that the code wants to be killed (terminated) if it ever loses its validity. |
||||
This bit can only be set. Code that has the kill flag set will never be dynamically invalid |
||||
(and live). Note however that a change in static validity does not necessarily trigger instant |
||||
death. |
||||
*/ |
||||
typedef CF_OPTIONS(uint32_t, SecCodeStatus) { |
||||
kSecCodeStatusValid = 0x0001, |
||||
kSecCodeStatusHard = 0x0100, |
||||
kSecCodeStatusKill = 0x0200, |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@typedef SecRequirementType |
||||
An enumeration indicating different types of internal requirements for code. |
||||
*/ |
||||
typedef CF_ENUM(uint32_t, SecRequirementType) { |
||||
kSecHostRequirementType = 1, /* what hosts may run us */ |
||||
kSecGuestRequirementType = 2, /* what guests we may run */ |
||||
kSecDesignatedRequirementType = 3, /* designated requirement */ |
||||
kSecLibraryRequirementType = 4, /* what libraries we may link against */ |
||||
kSecPluginRequirementType = 5, /* what plug-ins we may load */ |
||||
kSecInvalidRequirementType, /* invalid type of Requirement (must be last) */ |
||||
kSecRequirementTypeCount = kSecInvalidRequirementType /* number of valid requirement types */ |
||||
}; |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif //_H_CSCOMMON
|
@ -0,0 +1,261 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2002,2005-2007,2010-2014 Apple Inc. All Rights Reserved. |
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*
|
||||
* CipherSuite.h - SSL Cipher Suite definitions. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_CIPHERSUITE_H_ |
||||
#define _SECURITY_CIPHERSUITE_H_ |
||||
|
||||
#include <TargetConditionals.h> |
||||
#include <stdint.h> |
||||
|
||||
/*
|
||||
* Defined as enum for debugging, but in the protocol |
||||
* it is actually exactly two bytes |
||||
*/ |
||||
#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) |
||||
/* 32-bit value on OS X */ |
||||
typedef uint32_t SSLCipherSuite; |
||||
#else |
||||
/* 16-bit value on iOS */ |
||||
typedef uint16_t SSLCipherSuite; |
||||
#endif |
||||
|
||||
CF_ENUM(SSLCipherSuite) |
||||
{ SSL_NULL_WITH_NULL_NULL = 0x0000, |
||||
SSL_RSA_WITH_NULL_MD5 = 0x0001, |
||||
SSL_RSA_WITH_NULL_SHA = 0x0002, |
||||
SSL_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003, |
||||
SSL_RSA_WITH_RC4_128_MD5 = 0x0004, |
||||
SSL_RSA_WITH_RC4_128_SHA = 0x0005, |
||||
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006, |
||||
SSL_RSA_WITH_IDEA_CBC_SHA = 0x0007, |
||||
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008, |
||||
SSL_RSA_WITH_DES_CBC_SHA = 0x0009, |
||||
SSL_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, |
||||
SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B, |
||||
SSL_DH_DSS_WITH_DES_CBC_SHA = 0x000C, |
||||
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, |
||||
SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E, |
||||
SSL_DH_RSA_WITH_DES_CBC_SHA = 0x000F, |
||||
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, |
||||
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011, |
||||
SSL_DHE_DSS_WITH_DES_CBC_SHA = 0x0012, |
||||
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, |
||||
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014, |
||||
SSL_DHE_RSA_WITH_DES_CBC_SHA = 0x0015, |
||||
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, |
||||
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017, |
||||
SSL_DH_anon_WITH_RC4_128_MD5 = 0x0018, |
||||
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019, |
||||
SSL_DH_anon_WITH_DES_CBC_SHA = 0x001A, |
||||
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B, |
||||
SSL_FORTEZZA_DMS_WITH_NULL_SHA = 0x001C, |
||||
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = 0x001D, |
||||
|
||||
/* TLS addenda using AES, per RFC 3268 */ |
||||
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F, |
||||
TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030, |
||||
TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031, |
||||
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032, |
||||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033, |
||||
TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034, |
||||
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, |
||||
TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036, |
||||
TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037, |
||||
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038, |
||||
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039, |
||||
TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A, |
||||
|
||||
/* ECDSA addenda, RFC 4492 */ |
||||
TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001, |
||||
TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002, |
||||
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003, |
||||
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004, |
||||
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005, |
||||
TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006, |
||||
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007, |
||||
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008, |
||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009, |
||||
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A, |
||||
TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B, |
||||
TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C, |
||||
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D, |
||||
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E, |
||||
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F, |
||||
TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010, |
||||
TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011, |
||||
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012, |
||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013, |
||||
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014, |
||||
TLS_ECDH_anon_WITH_NULL_SHA = 0xC015, |
||||
TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016, |
||||
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017, |
||||
TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018, |
||||
TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019, |
||||
|
||||
/* TLS 1.2 addenda, RFC 5246 */ |
||||
|
||||
/* Initial state. */ |
||||
TLS_NULL_WITH_NULL_NULL = 0x0000, |
||||
|
||||
/* Server provided RSA certificate for key exchange. */ |
||||
TLS_RSA_WITH_NULL_MD5 = 0x0001, |
||||
TLS_RSA_WITH_NULL_SHA = 0x0002, |
||||
TLS_RSA_WITH_RC4_128_MD5 = 0x0004, |
||||
TLS_RSA_WITH_RC4_128_SHA = 0x0005, |
||||
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, |
||||
//TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
|
||||
//TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
|
||||
TLS_RSA_WITH_NULL_SHA256 = 0x003B, |
||||
TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C, |
||||
TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D, |
||||
|
||||
/* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */ |
||||
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, |
||||
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, |
||||
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, |
||||
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, |
||||
//TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
|
||||
//TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
|
||||
//TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
|
||||
//TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
|
||||
//TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
|
||||
//TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
|
||||
//TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
|
||||
//TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
|
||||
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E, |
||||
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F, |
||||
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040, |
||||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067, |
||||
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068, |
||||
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069, |
||||
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A, |
||||
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B, |
||||
|
||||
/* Completely anonymous Diffie-Hellman */ |
||||
TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018, |
||||
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B, |
||||
//TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034,
|
||||
//TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A,
|
||||
TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C, |
||||
TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D, |
||||
|
||||
/* Addendum from RFC 4279, TLS PSK */ |
||||
|
||||
TLS_PSK_WITH_RC4_128_SHA = 0x008A, |
||||
TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B, |
||||
TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C, |
||||
TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D, |
||||
TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E, |
||||
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F, |
||||
TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090, |
||||
TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091, |
||||
TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092, |
||||
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093, |
||||
TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094, |
||||
TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095, |
||||
|
||||
/* RFC 4785 - Pre-Shared Key (PSK) Ciphersuites with NULL Encryption */ |
||||
|
||||
TLS_PSK_WITH_NULL_SHA = 0x002C, |
||||
TLS_DHE_PSK_WITH_NULL_SHA = 0x002D, |
||||
TLS_RSA_PSK_WITH_NULL_SHA = 0x002E, |
||||
|
||||
/* Addenda from rfc 5288 AES Galois Counter Mode (GCM) Cipher Suites
|
||||
for TLS. */ |
||||
TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C, |
||||
TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D, |
||||
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E, |
||||
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F, |
||||
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0, |
||||
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1, |
||||
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2, |
||||
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3, |
||||
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4, |
||||
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5, |
||||
TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6, |
||||
TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7, |
||||
|
||||
/* RFC 5487 - PSK with SHA-256/384 and AES GCM */ |
||||
TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8, |
||||
TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9, |
||||
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA, |
||||
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB, |
||||
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC, |
||||
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD, |
||||
|
||||
TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE, |
||||
TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF, |
||||
TLS_PSK_WITH_NULL_SHA256 = 0x00B0, |
||||
TLS_PSK_WITH_NULL_SHA384 = 0x00B1, |
||||
|
||||
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2, |
||||
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3, |
||||
TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4, |
||||
TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5, |
||||
|
||||
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6, |
||||
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7, |
||||
TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8, |
||||
TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9, |
||||
|
||||
|
||||
/* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
|
||||
HMAC SHA-256/384. */ |
||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023, |
||||
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024, |
||||
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025, |
||||
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026, |
||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027, |
||||
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028, |
||||
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029, |
||||
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A, |
||||
|
||||
/* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
|
||||
SHA-256/384 and AES Galois Counter Mode (GCM) */ |
||||
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B, |
||||
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C, |
||||
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D, |
||||
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E, |
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F, |
||||
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030, |
||||
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031, |
||||
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032, |
||||
|
||||
/* RFC 5746 - Secure Renegotiation */ |
||||
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF, |
||||
/*
|
||||
* Tags for SSL 2 cipher kinds which are not specified |
||||
* for SSL 3. |
||||
*/ |
||||
SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80, |
||||
SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81, |
||||
SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82, |
||||
SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83, |
||||
SSL_NO_SUCH_CIPHERSUITE = 0xFFFF |
||||
}; |
||||
|
||||
#endif /* !_SECURITY_CIPHERSUITE_H_ */ |
@ -0,0 +1,37 @@
|
||||
/*
|
||||
* Copyright (c) 2006,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
#ifndef _H_CODESIGNING |
||||
#define _H_CODESIGNING |
||||
|
||||
|
||||
/*!
|
||||
@header CodeSigning |
||||
This header file includes all the headers that are needed to use |
||||
the client interface to Code Signing. |
||||
It does not include headers for the other Code Signing related interfaces. |
||||
*/ |
||||
#include <Security/SecStaticCode.h> |
||||
#include <Security/SecCode.h> |
||||
#include <Security/SecRequirement.h> |
||||
|
||||
#endif //_H_CODESIGNING
|
@ -0,0 +1,228 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecACL |
||||
The functions provided in SecACL are for managing entries in the access control list.
|
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECACL_H_ |
||||
#define _SECURITY_SECACL_H_ |
||||
|
||||
#include <Security/SecBase.h> |
||||
#include <Security/cssmtype.h> |
||||
#include <Security/cssmapple.h> |
||||
#include <Security/SecAccess.h> |
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
|
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
typedef CF_OPTIONS(uint16, SecKeychainPromptSelector) |
||||
{ |
||||
kSecKeychainPromptRequirePassphase = 0x0001, /* require re-entering of passphrase */ |
||||
/* the following bits are ignored by 10.4 and earlier */ |
||||
kSecKeychainPromptUnsigned = 0x0010, /* prompt for unsigned clients */ |
||||
kSecKeychainPromptUnsignedAct = 0x0020, /* UNSIGNED bit overrides system default */ |
||||
kSecKeychainPromptInvalid = 0x0040, /* prompt for invalid signed clients */ |
||||
kSecKeychainPromptInvalidAct = 0x0080, |
||||
}; |
||||
|
||||
|
||||
/*!
|
||||
@function SecACLGetTypeID |
||||
@abstract Returns the type identifier of SecACL instances. |
||||
@result The CFTypeID of SecACL instances. |
||||
*/ |
||||
CFTypeID SecACLGetTypeID(void) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecACLCreateFromSimpleContents |
||||
@abstract Creates a new access control list entry from the application list, description, and prompt selector provided and adds it to an item's access. |
||||
@param access An access reference. |
||||
@param applicationList An array of SecTrustedApplication instances that will be allowed access without prompting.
|
||||
@param description The human readable name that will be used to refer to this item when the user is prompted. |
||||
@param promptSelector A pointer to a CSSM prompt selector. |
||||
@param newAcl A pointer to an access control list entry. On return, this points to the reference of the new access control list entry. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in 10.7 and later; |
||||
use SecACLCreateWithSimpleContents instead. |
||||
*/ |
||||
OSStatus SecACLCreateFromSimpleContents(SecAccessRef access, |
||||
CFArrayRef __nullable applicationList, |
||||
CFStringRef description, |
||||
const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector, |
||||
SecACLRef * __nonnull CF_RETURNS_RETAINED newAcl) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecACLCreateWithSimpleContents |
||||
@abstract Creates a new access control list entry from the application list, description, and prompt selector provided and adds it to an item's access. |
||||
@param access An access reference. |
||||
@param applicationList An array of SecTrustedApplication instances that will be allowed access without prompting.
|
||||
@param description The human readable name that will be used to refer to this item when the user is prompted. |
||||
@param promptSelector A SecKeychainPromptSelector selector. |
||||
@param newAcl A pointer to an access control list entry. On return, this points to the reference of the new access control list entry. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecACLCreateWithSimpleContents(SecAccessRef access, |
||||
CFArrayRef __nullable applicationList, |
||||
CFStringRef description,
|
||||
SecKeychainPromptSelector promptSelector, |
||||
SecACLRef * __nonnull CF_RETURNS_RETAINED newAcl) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecACLRemove |
||||
@abstract Removes the access control list entry specified. |
||||
@param aclRef The reference to the access control list entry to remove. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecACLRemove(SecACLRef aclRef) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecACLCopySimpleContents |
||||
@abstract Returns the application list, description, and CSSM prompt selector for a given access control list entry. |
||||
@param acl An access control list entry reference. |
||||
@param applicationList On return, An array of SecTrustedApplication instances that will be allowed access without prompting, for the given access control list entry. The caller needs to call CFRelease on this array when it's no longer needed. |
||||
@param description On return, the human readable name that will be used to refer to this item when the user is prompted, for the given access control list entry. The caller needs to call CFRelease on this string when it's no longer needed. |
||||
@param promptSelector A pointer to a CSSM prompt selector. On return, this points to the CSSM prompt selector for the given access control list entry. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in 10.7 and later; |
||||
use SecACLCopyContents instead. |
||||
*/ |
||||
OSStatus SecACLCopySimpleContents(SecACLRef acl, |
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED applicationList, |
||||
CFStringRef * __nonnull CF_RETURNS_RETAINED description, |
||||
CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecACLCopyContents |
||||
@abstract Returns the application list, description, and prompt selector for a given access control list entry. |
||||
@param acl An access control list entry reference. |
||||
@param applicationList On return, An array of SecTrustedApplication instances that will be allowed access without prompting, for the given access control list entry. The caller needs to call CFRelease on this array when it's no longer needed. |
||||
@param description On return, the human readable name that will be used to refer to this item when the user is prompted, for the given access control list entry. The caller needs to call CFRelease on this string when it's no longer needed. |
||||
@param promptSelector A pointer to a SecKeychainPromptSelector. On return, this points to the SecKeychainPromptSelector for the given access control list entry. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/
|
||||
OSStatus SecACLCopyContents(SecACLRef acl, |
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED applicationList, |
||||
CFStringRef * __nonnull CF_RETURNS_RETAINED description, |
||||
SecKeychainPromptSelector *promptSelector) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
/*!
|
||||
@function SecACLSetSimpleContents |
||||
@abstract Sets the application list, description, and CSSM prompt selector for a given access control list entry. |
||||
@param acl A reference to the access control list entry to edit. |
||||
@param applicationList An application list reference.
|
||||
@param description The human readable name that will be used to refer to this item when the user is prompted. |
||||
@param promptSelector A pointer to a CSSM prompt selector. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in 10.7 and later; |
||||
use SecACLSetContents instead. |
||||
*/ |
||||
OSStatus SecACLSetSimpleContents(SecACLRef acl, |
||||
CFArrayRef __nullable applicationList, |
||||
CFStringRef description, |
||||
const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecACLSetContents |
||||
@abstract Sets the application list, description, and prompt selector for a given access control list entry. |
||||
@param acl A reference to the access control list entry to edit. |
||||
@param applicationList An application list reference.
|
||||
@param description The human readable name that will be used to refer to this item when the user is prompted. |
||||
@param promptSelector A SecKeychainPromptSelector selector. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecACLSetContents(SecACLRef acl, |
||||
CFArrayRef __nullable applicationList, |
||||
CFStringRef description,
|
||||
SecKeychainPromptSelector promptSelector) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecACLGetAuthorizations |
||||
@abstract Retrieve the CSSM authorization tags of a given access control list entry. |
||||
@param acl An access control list entry reference. |
||||
@param tags On return, this points to the first item in an array of CSSM authorization tags. |
||||
@param tagCount On return, this points to the number of tags in the CSSM authorization tag array. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in 10.7 and later; |
||||
use SecACLCopyAuthorizations instead. |
||||
*/ |
||||
OSStatus SecACLGetAuthorizations(SecACLRef acl, |
||||
CSSM_ACL_AUTHORIZATION_TAG *tags, uint32 *tagCount) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecACLCopyAuthorizations |
||||
@abstract Retrieve the authorization tags of a given access control list entry. |
||||
@param acl An access control list entry reference. |
||||
@result On return, a CFArrayRef of the authorizations for this ACL. |
||||
*/ |
||||
CFArrayRef SecACLCopyAuthorizations(SecACLRef acl) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecACLSetAuthorizations |
||||
@abstract Sets the CSSM authorization tags of a given access control list entry. |
||||
@param acl An access control list entry reference. |
||||
@param tags A pointer to the first item in an array of CSSM authorization tags. |
||||
@param tagCount The number of tags in the CSSM authorization tag array. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in 10.7 and later; |
||||
use SecACLUpdateAuthorizations instead. |
||||
*/ |
||||
OSStatus SecACLSetAuthorizations(SecACLRef acl, |
||||
CSSM_ACL_AUTHORIZATION_TAG *tags, uint32 tagCount) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
|
||||
/*!
|
||||
@function SecACLUpdateAuthorizations |
||||
@abstract Sets the authorization tags of a given access control list entry. |
||||
@param acl An access control list entry reference. |
||||
@param authorizations A pointer to an array of authorization tags. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecACLUpdateAuthorizations(SecACLRef acl, CFArrayRef authorizations) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECACL_H_ */ |
@ -0,0 +1,221 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecAccess |
||||
SecAccess implements a way to set and manipulate access control rules and |
||||
restrictions on SecKeychainItems. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECACCESS_H_ |
||||
#define _SECURITY_SECACCESS_H_ |
||||
|
||||
#include <Security/SecBase.h> |
||||
#include <Security/cssmtype.h> |
||||
#include <CoreFoundation/CFArray.h> |
||||
#include <CoreFoundation/CFError.h> |
||||
#include <sys/types.h> |
||||
#include <unistd.h> |
||||
|
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
typedef UInt32 SecAccessOwnerType; |
||||
enum |
||||
{ |
||||
kSecUseOnlyUID = 1, |
||||
kSecUseOnlyGID = 2, |
||||
kSecHonorRoot = 0x100, |
||||
kSecMatchBits = (kSecUseOnlyUID | kSecUseOnlyGID) |
||||
}; |
||||
|
||||
/* No restrictions. Permission to perform all operations on
|
||||
the resource or available to an ACL owner. */ |
||||
extern const CFStringRef kSecACLAuthorizationAny |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
extern const CFStringRef kSecACLAuthorizationLogin |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationGenKey |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationDelete |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationExportWrapped |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationExportClear |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationImportWrapped |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationImportClear |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationSign |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationEncrypt |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationDecrypt |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationMAC |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationDerive |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/* Defined authorization tag values for Keychain */ |
||||
extern const CFStringRef kSecACLAuthorizationKeychainCreate |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationKeychainDelete |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationKeychainItemRead |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationKeychainItemInsert |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationKeychainItemModify |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationKeychainItemDelete |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
extern const CFStringRef kSecACLAuthorizationChangeACL
|
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecACLAuthorizationChangeOwner |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecAccessGetTypeID |
||||
@abstract Returns the type identifier of SecAccess instances. |
||||
@result The CFTypeID of SecAccess instances. |
||||
*/ |
||||
CFTypeID SecAccessGetTypeID(void); |
||||
|
||||
/*!
|
||||
@function SecAccessCreate |
||||
@abstract Creates a new SecAccessRef that is set to the currently designated system default |
||||
configuration of a (newly created) security object. Note that the precise nature of |
||||
this default may change between releases. |
||||
@param descriptor The name of the item as it should appear in security dialogs |
||||
@param trustedlist A CFArray of TrustedApplicationRefs, specifying which applications |
||||
should be allowed to access an item without triggering confirmation dialogs. |
||||
If NULL, defaults to (just) the application creating the item. To set no applications, |
||||
pass a CFArray with no elements. |
||||
@param accessRef On return, a pointer to the new access reference. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef __nullable trustedlist, SecAccessRef * __nonnull CF_RETURNS_RETAINED accessRef); |
||||
|
||||
/*!
|
||||
@function SecAccessCreateFromOwnerAndACL |
||||
@abstract Creates a new SecAccessRef using the owner and access control list you provide. |
||||
@param owner A pointer to a CSSM access control list owner. |
||||
@param aclCount An unsigned 32-bit integer representing the number of items in the access control list. |
||||
@param acls A pointer to the access control list. |
||||
@param On return, a pointer to the new access reference. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion For 10.7 and later please use the SecAccessCreateWithOwnerAndACL API |
||||
*/ |
||||
OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner, uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls, SecAccessRef * __nonnull CF_RETURNS_RETAINED accessRef) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecAccessCreateWithOwnerAndACL |
||||
@abstract Creates a new SecAccessRef using either for a user or a group with a list of ACLs |
||||
@param userId An user id that specifies the user to associate with this SecAccessRef. |
||||
@param groupId A group id that specifies the group to associate with this SecAccessRef. |
||||
@param ownerType Specifies the how the ownership of the new SecAccessRef is defined. |
||||
@param acls A CFArrayRef of the ACLs to associate with this SecAccessRef |
||||
@param error Optionally a pointer to a CFErrorRef to return any errors with may have occured |
||||
@result A pointer to the new access reference. |
||||
*/ |
||||
__nullable |
||||
SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef __nullable acls, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecAccessGetOwnerAndACL |
||||
@abstract Retrieves the owner and the access control list of a given access. |
||||
@param accessRef A reference to the access from which to retrieve the information. |
||||
@param owner On return, a pointer to the access control list owner. |
||||
@param aclCount On return, a pointer to an unsigned 32-bit integer representing the number of items in the access control list. |
||||
@param acls On return, a pointer to the access control list. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion For 10.7 and later please use the SecAccessCopyOwnerAndACL API |
||||
*/ |
||||
OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef, CSSM_ACL_OWNER_PROTOTYPE_PTR __nullable * __nonnull owner, uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR __nullable * __nonnull acls) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecAccessCopyOwnerAndACL |
||||
@abstract Retrieves the owner and the access control list of a given access. |
||||
@param accessRef A reference to the access from which to retrieve the information. |
||||
@param userId On return, the user id of the owner |
||||
@param groupId On return, the group id of the owner |
||||
@param ownerType On return, the type of owner for this AccessRef |
||||
@param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/
|
||||
OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t * __nullable userId, gid_t * __nullable groupId, SecAccessOwnerType * __nullable ownerType, CFArrayRef * __nullable CF_RETURNS_RETAINED aclList) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecAccessCopyACLList |
||||
@abstract Copies all the access control lists of a given access. |
||||
@param accessRef A reference to the access from which to retrieve the information. |
||||
@param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecAccessCopyACLList(SecAccessRef accessRef, CFArrayRef * __nonnull CF_RETURNS_RETAINED aclList); |
||||
|
||||
/*!
|
||||
@function SecAccessCopySelectedACLList |
||||
@abstract Copies selected access control lists from a given access. |
||||
@param accessRef A reference to the access from which to retrieve the information. |
||||
@param action An authorization tag specifying what action with which to select the action control lists. |
||||
@param aclList On return, a pointer to the selected access control lists. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion For 10.7 and later please use the SecAccessCopyMatchingACLList API |
||||
*/ |
||||
OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef, CSSM_ACL_AUTHORIZATION_TAG action, CFArrayRef * __nonnull CF_RETURNS_RETAINED aclList) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
|
||||
/*!
|
||||
@function SecAccessCopyMatchingACLList |
||||
@abstract Copies selected access control lists from a given access. |
||||
@param accessRef A reference to the access from which to retrieve the information. |
||||
@param authorizationTag An authorization tag specifying what action with which to select the action control lists. |
||||
@result A pointer to the selected access control lists. |
||||
*/ |
||||
__nullable |
||||
CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECACCESS_H_ */ |
@ -0,0 +1,85 @@
|
||||
/*
|
||||
* Copyright (c) 2014 Apple Inc. All Rights Reserved. |
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecAccessControl |
||||
SecAccessControl defines access rights for items. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECACCESSCONTROL_H_ |
||||
#define _SECURITY_SECACCESSCONTROL_H_ |
||||
|
||||
#include <Security/SecBase.h> |
||||
#include <CoreFoundation/CFError.h> |
||||
#include <sys/cdefs.h> |
||||
|
||||
__BEGIN_DECLS |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@function SecAccessControlGetTypeID |
||||
@abstract Returns the type identifier of SecAccessControl instances. |
||||
@result The CFTypeID of SecAccessControl instances. |
||||
*/ |
||||
CFTypeID SecAccessControlGetTypeID(void) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); |
||||
|
||||
typedef CF_OPTIONS(CFIndex, SecAccessControlCreateFlags) { |
||||
kSecAccessControlUserPresence = 1 << 0, // User presence policy using Touch ID or Passcode. Touch ID does not have to be available or enrolled. Item is still accessible by Touch ID even if fingers are added or removed.
|
||||
kSecAccessControlTouchIDAny CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 1, // Constraint: Touch ID (any finger). Touch ID must be available and at least one finger must be enrolled. Item is still accessible by Touch ID even if fingers are added or removed.
|
||||
kSecAccessControlTouchIDCurrentSet CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 3, // Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated.
|
||||
kSecAccessControlDevicePasscode CF_ENUM_AVAILABLE(10_11, 9_0) = 1 << 4, // Constraint: Device passcode
|
||||
kSecAccessControlOr CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 14, // Constraint logic operation: when using more than one constraint, at least one of them must be satisfied.
|
||||
kSecAccessControlAnd CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 15, // Constraint logic operation: when using more than one constraint, all must be satisfied.
|
||||
kSecAccessControlPrivateKeyUsage CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 30, // Create access control for private key operations (i.e. sign operation)
|
||||
kSecAccessControlApplicationPassword CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 31, // Security: Application provided password for data encryption key generation. This is not a constraint but additional item encryption mechanism.
|
||||
} __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); |
||||
|
||||
/*!
|
||||
@function SecAccessControlCreateWithFlags |
||||
@abstract Creates new access control object based on protection type and additional flags. |
||||
@discussion Created access control object should be used as a value for kSecAttrAccessControl attribute in SecItemAdd, |
||||
SecItemUpdate or SecKeyGeneratePair functions. Accessing keychain items or performing operations on keys which are |
||||
protected by access control objects can block the execution because of UI which can appear to satisfy the access control |
||||
conditions, therefore it is recommended to either move those potentially blocking operations out of the main |
||||
application thread or use combination of kSecUseAuthenticationContext and kSecUseAuthenticationUI attributes to control |
||||
where the UI interaction can appear. |
||||
@param allocator Allocator to be used by this instance. |
||||
@param protection Protection class to be used for the item. One of kSecAttrAccessible constants. |
||||
@param flags If no flags are set then all operations are allowed. |
||||
@param error Additional error information filled in case of failure. |
||||
@result Newly created access control object. |
||||
*/ |
||||
__nullable |
||||
SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef __nullable allocator, CFTypeRef protection, |
||||
SecAccessControlCreateFlags flags, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
__END_DECLS |
||||
|
||||
#endif // _SECURITY_SECACCESSCONTROL_H_
|
@ -0,0 +1,153 @@
|
||||
/*
|
||||
* Copyright (c) 2003-2006,2008-2013 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* SecAsn1Coder.h: ANS1 encode/decode object. |
||||
* |
||||
* A SecAsn1Coder is capable of encoding and decoding both DER and BER data |
||||
* streams, based on caller-supplied templates which in turn are based |
||||
* upon ASN.1 specifications. A SecAsn1Coder allocates memory during encode |
||||
* and decode using a memory pool which is owned and managed by the SecAsn1Coder |
||||
* object, and which is freed when the SecAsn1Coder object os released.
|
||||
*/ |
||||
|
||||
#ifndef _SEC_ASN1_CODER_H_ |
||||
#define _SEC_ASN1_CODER_H_ |
||||
|
||||
#include <sys/types.h> |
||||
#include <Security/SecAsn1Types.h> |
||||
#include <TargetConditionals.h> |
||||
#include <Security/SecBase.h> /* error codes */ |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*
|
||||
* Opaque reference to a SecAsn1Coder object. |
||||
*/ |
||||
typedef struct SecAsn1Coder *SecAsn1CoderRef; |
||||
|
||||
/*
|
||||
* Create/destroy SecAsn1Coder object.
|
||||
*/ |
||||
OSStatus SecAsn1CoderCreate( |
||||
SecAsn1CoderRef __nullable * __nonnull coder); |
||||
|
||||
OSStatus SecAsn1CoderRelease( |
||||
SecAsn1CoderRef coder); |
||||
|
||||
/*
|
||||
* DER decode an untyped item per the specified template array.
|
||||
* The result is allocated in this SecAsn1Coder's memory pool and
|
||||
* is freed when this object is released. |
||||
* |
||||
* The templates argument points to a an array of SecAsn1Templates
|
||||
* defining the object to be decoded; the end of the array is
|
||||
* indicated by a SecAsn1Template with file kind equalling 0.
|
||||
* |
||||
* The dest pointer is a template-specific struct allocated by the caller
|
||||
* and must be zeroed by the caller.
|
||||
* |
||||
* Returns errSecUnknownFormat on decode-specific error. |
||||
*/ |
||||
OSStatus SecAsn1Decode( |
||||
SecAsn1CoderRef coder, |
||||
const void *src, // DER-encoded source
|
||||
size_t len, |
||||
const SecAsn1Template *templates,
|
||||
void *dest); |
||||
|
||||
/*
|
||||
* Convenience routine, decode from a SecAsn1Item. |
||||
*/ |
||||
OSStatus SecAsn1DecodeData( |
||||
SecAsn1CoderRef coder, |
||||
const SecAsn1Item *src, |
||||
const SecAsn1Template *templ,
|
||||
void *dest); |
||||
|
||||
/*
|
||||
* DER encode. The encoded data (in dest.Data) is allocated in this
|
||||
* SecAsn1Coder's memory pool and is freed when this object is released. |
||||
* |
||||
* The src pointer is a template-specific struct. |
||||
* |
||||
* The templates argument points to a an array of SecAsn1Templates
|
||||
* defining the object to be decoded; the end of the array is
|
||||
* indicated by a SecAsn1Template with file kind equalling 0.
|
||||
*/ |
||||
OSStatus SecAsn1EncodeItem( |
||||
SecAsn1CoderRef coder, |
||||
const void *src, |
||||
const SecAsn1Template *templates,
|
||||
SecAsn1Item *dest); |
||||
|
||||
/*
|
||||
* Some alloc-related methods which come in handy when using |
||||
* this object. All memory is allocated using this object's
|
||||
* memory pool. Caller never has to free it. Used for |
||||
* temp allocs of memory which only needs a scope which is the |
||||
* same as this object.
|
||||
* |
||||
* All except SecAsn1Malloc return a errSecAllocate in the highly
|
||||
* unlikely event of a malloc failure. |
||||
* |
||||
* SecAsn1Malloc() returns a pointer to allocated memory, like
|
||||
* malloc(). |
||||
*/ |
||||
void *SecAsn1Malloc( |
||||
SecAsn1CoderRef coder, |
||||
size_t len);
|
||||
|
||||
/* Allocate item.Data, set item.Length */ |
||||
OSStatus SecAsn1AllocItem( |
||||
SecAsn1CoderRef coder, |
||||
SecAsn1Item *item, |
||||
size_t len); |
||||
|
||||
/* Allocate and copy, various forms */ |
||||
OSStatus SecAsn1AllocCopy( |
||||
SecAsn1CoderRef coder, |
||||
const void *src, /* memory copied from here */ |
||||
size_t len, /* length to allocate & copy */ |
||||
SecAsn1Item *dest); /* dest->Data allocated and copied to;
|
||||
* dest->Length := len */ |
||||
|
||||
OSStatus SecAsn1AllocCopyItem( |
||||
SecAsn1CoderRef coder, |
||||
const SecAsn1Item *src, /* src->Length bytes allocated and copied from
|
||||
* src->Data */ |
||||
SecAsn1Item *dest); /* dest->Data allocated and copied to;
|
||||
* dest->Length := src->Length */ |
||||
|
||||
/* Compare two decoded OIDs. Returns true iff they are equivalent. */ |
||||
bool SecAsn1OidCompare(const SecAsn1Oid *oid1, const SecAsn1Oid *oid2); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _SEC_ASN1_CODER_H_ */ |
@ -0,0 +1,135 @@
|
||||
/*
|
||||
* Copyright (c) 2003-2006,2008,2010-2012 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* SecAsn1Templates.h - Common ASN1 primitive templates for use with SecAsn1Coder. |
||||
*/ |
||||
|
||||
#ifndef _SEC_ASN1_TEMPLATES_H_ |
||||
#define _SEC_ASN1_TEMPLATES_H_ |
||||
|
||||
#include <Security/SecAsn1Types.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/************************************************************************/ |
||||
|
||||
/*
|
||||
* Generic Templates |
||||
* One for each of the simple types, plus a special one for ANY, plus: |
||||
* - a pointer to each one of those |
||||
* - a set of each one of those |
||||
* - a sequence of each one of those |
||||
*/ |
||||
|
||||
extern const SecAsn1Template kSecAsn1AnyTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1BitStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1BMPStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1BooleanTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1EnumeratedTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1GeneralizedTimeTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1IA5StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1IntegerTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1UnsignedIntegerTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1NullTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1ObjectIDTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1OctetStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PrintableStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1T61StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1UniversalStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1UTCTimeTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1UTF8StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1VisibleStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1TeletexStringTemplate[]; |
||||
|
||||
extern const SecAsn1Template kSecAsn1PointerToAnyTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToBitStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToBMPStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToBooleanTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToEnumeratedTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToGeneralizedTimeTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToIA5StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToIntegerTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToNullTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToObjectIDTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToOctetStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToPrintableStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToT61StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToUniversalStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToUTCTimeTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToUTF8StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToVisibleStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1PointerToTeletexStringTemplate[]; |
||||
|
||||
extern const SecAsn1Template kSecAsn1SequenceOfAnyTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfBitStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfBMPStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfBooleanTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfEnumeratedTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfGeneralizedTimeTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfIA5StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfIntegerTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfNullTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfObjectIDTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfOctetStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfPrintableStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfT61StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfUniversalStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfUTCTimeTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfUTF8StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfVisibleStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SequenceOfTeletexStringTemplate[]; |
||||
|
||||
extern const SecAsn1Template kSecAsn1SetOfAnyTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfBitStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfBMPStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfBooleanTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfEnumeratedTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfGeneralizedTimeTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfIA5StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfIntegerTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfNullTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfObjectIDTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfOctetStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfPrintableStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfT61StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfUniversalStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfUTCTimeTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfUTF8StringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfVisibleStringTemplate[]; |
||||
extern const SecAsn1Template kSecAsn1SetOfTeletexStringTemplate[]; |
||||
|
||||
/*
|
||||
* Template for skipping a subitem; only used when decoding. |
||||
*/ |
||||
extern const SecAsn1Template kSecAsn1SkipTemplate[]; |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _SEC_ASN1_TEMPLATES_H_ */ |
@ -0,0 +1,244 @@
|
||||
/*
|
||||
* The contents of this file are subject to the Mozilla Public |
||||
* License Version 1.1 (the "License"); you may not use this file |
||||
* except in compliance with the License. You may obtain a copy of |
||||
* the License at http://www.mozilla.org/MPL/
|
||||
*
|
||||
* Software distributed under the License is distributed on an "AS |
||||
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or |
||||
* implied. See the License for the specific language governing |
||||
* rights and limitations under the License. |
||||
*
|
||||
* The Original Code is the Netscape security libraries. |
||||
*
|
||||
* The Initial Developer of the Original Code is Netscape |
||||
* Communications Corporation. Portions created by Netscape are
|
||||
* Copyright (C) 1994-2000 Netscape Communications Corporation. All |
||||
* Rights Reserved. |
||||
*
|
||||
* Contributor(s): |
||||
*
|
||||
* Alternatively, the contents of this file may be used under the |
||||
* terms of the GNU General Public License Version 2 or later (the |
||||
* "GPL"), in which case the provisions of the GPL are applicable
|
||||
* instead of those above. If you wish to allow use of your
|
||||
* version of this file only under the terms of the GPL and not to |
||||
* allow others to use your version of this file under the MPL, |
||||
* indicate your decision by deleting the provisions above and |
||||
* replace them with the notice and other provisions required by |
||||
* the GPL. If you do not delete the provisions above, a recipient |
||||
* may use your version of this file under either the MPL or the |
||||
* GPL. |
||||
*/ |
||||
|
||||
/*
|
||||
* Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished |
||||
* Encoding Rules). |
||||
*/ |
||||
|
||||
#ifndef _SEC_ASN1_TYPES_H_ |
||||
#define _SEC_ASN1_TYPES_H_ |
||||
|
||||
#include <CoreFoundation/CFBase.h> /* Boolean */ |
||||
#include <sys/types.h> |
||||
#include <stdint.h> |
||||
|
||||
#include <TargetConditionals.h> |
||||
#if TARGET_OS_EMBEDDED || TARGET_IPHONE_SIMULATOR |
||||
/* @@@ We need something that tells us which platform we are building
|
||||
for that let's us distinguish if we are doing an emulator build. */ |
||||
|
||||
typedef struct { |
||||
size_t Length; |
||||
uint8_t * __nullable Data; |
||||
} SecAsn1Item, SecAsn1Oid; |
||||
|
||||
typedef struct { |
||||
SecAsn1Oid algorithm; |
||||
SecAsn1Item parameters; |
||||
} SecAsn1AlgId; |
||||
|
||||
typedef struct { |
||||
SecAsn1AlgId algorithm; |
||||
SecAsn1Item subjectPublicKey; |
||||
} SecAsn1PubKeyInfo; |
||||
|
||||
#else |
||||
#include <Security/cssmtype.h> |
||||
#include <Security/x509defs.h> |
||||
|
||||
typedef CSSM_DATA SecAsn1Item; |
||||
typedef CSSM_OID SecAsn1Oid; |
||||
typedef CSSM_X509_ALGORITHM_IDENTIFIER SecAsn1AlgId; |
||||
typedef CSSM_X509_SUBJECT_PUBLIC_KEY_INFO SecAsn1PubKeyInfo; |
||||
|
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*
|
||||
* An array of these structures defines a BER/DER encoding for an object. |
||||
* |
||||
* The array usually starts with a dummy entry whose kind is SEC_ASN1_SEQUENCE; |
||||
* such an array is terminated with an entry where kind == 0. (An array |
||||
* which consists of a single component does not require a second dummy |
||||
* entry -- the array is only searched as long as previous component(s) |
||||
* instruct it.) |
||||
*/ |
||||
typedef struct SecAsn1Template_struct { |
||||
/*
|
||||
* Kind of item being decoded/encoded, including tags and modifiers. |
||||
*/ |
||||
uint32_t kind; |
||||
|
||||
/*
|
||||
* This value is the offset from the base of the structure (i.e., the
|
||||
* (void *) passed as 'src' to SecAsn1EncodeItem, or the 'dst' argument |
||||
* passed to SecAsn1CoderRef()) to the field that holds the value being
|
||||
* decoded/encoded. |
||||
*/ |
||||
uint32_t offset; |
||||
|
||||
/*
|
||||
* When kind suggests it (e.g., SEC_ASN1_POINTER, SEC_ASN1_GROUP,
|
||||
* SEC_ASN1_INLINE, or a component that is *not* a SEC_ASN1_UNIVERSAL),
|
||||
* this points to a sub-template for nested encoding/decoding. |
||||
* OR, iff SEC_ASN1_DYNAMIC is set, then this is a pointer to a pointer |
||||
* to a function which will return the appropriate template when called |
||||
* at runtime. NOTE! that explicit level of indirection, which is |
||||
* necessary because ANSI does not allow you to store a function |
||||
* pointer directly as a "void *" so we must store it separately and |
||||
* dereference it to get at the function pointer itself. |
||||
*/ |
||||
const void *sub; |
||||
|
||||
/*
|
||||
* In the first element of a template array, the value is the size |
||||
* of the structure to allocate when this template is being referenced |
||||
* by another template via SEC_ASN1_POINTER or SEC_ASN1_GROUP. |
||||
* In all other cases, the value is ignored. |
||||
*/ |
||||
uint32_t size; |
||||
} SecAsn1Template; |
||||
|
||||
|
||||
/*
|
||||
* BER/DER values for ASN.1 identifier octets. |
||||
*/ |
||||
#define SEC_ASN1_TAG_MASK 0xff |
||||
|
||||
/*
|
||||
* BER/DER universal type tag numbers. |
||||
*/ |
||||
#define SEC_ASN1_TAGNUM_MASK 0x1f |
||||
#define SEC_ASN1_BOOLEAN 0x01 |
||||
#define SEC_ASN1_INTEGER 0x02 |
||||
#define SEC_ASN1_BIT_STRING 0x03 |
||||
#define SEC_ASN1_OCTET_STRING 0x04 |
||||
#define SEC_ASN1_NULL 0x05 |
||||
#define SEC_ASN1_OBJECT_ID 0x06 |
||||
#define SEC_ASN1_OBJECT_DESCRIPTOR 0x07 |
||||
/* External type and instance-of type 0x08 */ |
||||
#define SEC_ASN1_REAL 0x09 |
||||
#define SEC_ASN1_ENUMERATED 0x0a |
||||
#define SEC_ASN1_EMBEDDED_PDV 0x0b |
||||
#define SEC_ASN1_UTF8_STRING 0x0c |
||||
/* not used 0x0d */ |
||||
/* not used 0x0e */ |
||||
/* not used 0x0f */ |
||||
#define SEC_ASN1_SEQUENCE 0x10 |
||||
#define SEC_ASN1_SET 0x11 |
||||
#define SEC_ASN1_NUMERIC_STRING 0x12 |
||||
#define SEC_ASN1_PRINTABLE_STRING 0x13 |
||||
#define SEC_ASN1_T61_STRING 0x14 |
||||
#define SEC_ASN1_VIDEOTEX_STRING 0x15 |
||||
#define SEC_ASN1_IA5_STRING 0x16 |
||||
#define SEC_ASN1_UTC_TIME 0x17 |
||||
#define SEC_ASN1_GENERALIZED_TIME 0x18 |
||||
#define SEC_ASN1_GRAPHIC_STRING 0x19 |
||||
#define SEC_ASN1_VISIBLE_STRING 0x1a |
||||
#define SEC_ASN1_GENERAL_STRING 0x1b |
||||
#define SEC_ASN1_UNIVERSAL_STRING 0x1c |
||||
/* not used 0x1d */ |
||||
#define SEC_ASN1_BMP_STRING 0x1e |
||||
#define SEC_ASN1_HIGH_TAG_NUMBER 0x1f |
||||
#define SEC_ASN1_TELETEX_STRING SEC_ASN1_T61_STRING |
||||
|
||||
/*
|
||||
* Modifiers to type tags. These are also specified by a/the |
||||
* standard, and must not be changed. |
||||
*/ |
||||
#define SEC_ASN1_METHOD_MASK 0x20 |
||||
#define SEC_ASN1_PRIMITIVE 0x00 |
||||
#define SEC_ASN1_CONSTRUCTED 0x20 |
||||
|
||||
#define SEC_ASN1_CLASS_MASK 0xc0 |
||||
#define SEC_ASN1_UNIVERSAL 0x00 |
||||
#define SEC_ASN1_APPLICATION 0x40 |
||||
#define SEC_ASN1_CONTEXT_SPECIFIC 0x80 |
||||
#define SEC_ASN1_PRIVATE 0xc0 |
||||
|
||||
/*
|
||||
* Our additions, used for templates. |
||||
* These are not defined by any standard; the values are used internally only. |
||||
* Just be careful to keep them out of the low 8 bits. |
||||
*/ |
||||
#define SEC_ASN1_OPTIONAL 0x00100 |
||||
#define SEC_ASN1_EXPLICIT 0x00200 |
||||
#define SEC_ASN1_ANY 0x00400 |
||||
#define SEC_ASN1_INLINE 0x00800 |
||||
#define SEC_ASN1_POINTER 0x01000 |
||||
#define SEC_ASN1_GROUP 0x02000 /* with SET or SEQUENCE means |
||||
* SET OF or SEQUENCE OF */ |
||||
#define SEC_ASN1_DYNAMIC 0x04000 /* subtemplate is found by calling |
||||
* a function at runtime */ |
||||
#define SEC_ASN1_SKIP 0x08000 /* skip a field; only for decoding */ |
||||
#define SEC_ASN1_INNER 0x10000 /* with ANY means capture the |
||||
* contents only (not the id, len, |
||||
* or eoc); only for decoding */ |
||||
#define SEC_ASN1_SAVE 0x20000 /* stash away the encoded bytes first; |
||||
* only for decoding */ |
||||
#define SEC_ASN1_SKIP_REST 0x80000 /* skip all following fields; |
||||
* only for decoding */ |
||||
#define SEC_ASN1_CHOICE 0x100000 /* pick one from a template */ |
||||
|
||||
/*
|
||||
* Indicate that a type SEC_ASN1_INTEGER is actually signed. |
||||
* The default is unsigned, which causes a leading zero to be
|
||||
* encoded if the MS bit of the source data is 1. |
||||
*/ |
||||
#define SEC_ASN1_SIGNED_INT 0X800000 |
||||
|
||||
/* Shorthand/Aliases */ |
||||
#define SEC_ASN1_SEQUENCE_OF (SEC_ASN1_GROUP | SEC_ASN1_SEQUENCE) |
||||
#define SEC_ASN1_SET_OF (SEC_ASN1_GROUP | SEC_ASN1_SET) |
||||
#define SEC_ASN1_ANY_CONTENTS (SEC_ASN1_ANY | SEC_ASN1_INNER) |
||||
|
||||
/*
|
||||
* Function used for SEC_ASN1_DYNAMIC. |
||||
* "arg" is a pointer to the top-level structure being encoded or |
||||
* decoded. |
||||
* |
||||
* "enc" when true, means that we are encoding (false means decoding) |
||||
* |
||||
* "buf" For decode only; points to the start of the decoded data for
|
||||
* the current template. Callee can use the tag at this location
|
||||
* to infer the returned template. Not used on encode.
|
||||
* |
||||
* "Dest" points to the template-specific item being decoded to
|
||||
* or encoded from. (This is as opposed to arg, which
|
||||
* points to the start of the struct associated with the
|
||||
* current array of templates).
|
||||
*/ |
||||
|
||||
typedef const SecAsn1Template * SecAsn1TemplateChooser( |
||||
void *arg,
|
||||
Boolean enc, |
||||
const char *buf, |
||||
void *dest); |
||||
|
||||
typedef SecAsn1TemplateChooser * SecAsn1TemplateChooserPtr; |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#endif /* _SEC_ASN1_TYPES_H_ */ |
@ -0,0 +1,655 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2014 Apple Inc. All Rights Reserved. |
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecBase |
||||
SecBase contains common declarations for the Security functions. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECBASE_H_ |
||||
#define _SECURITY_SECBASE_H_ |
||||
|
||||
#include <CoreFoundation/CFBase.h> |
||||
#include <AvailabilityMacros.h> |
||||
|
||||
#if defined(__clang__) |
||||
#define SEC_DEPRECATED_ATTRIBUTE DEPRECATED_ATTRIBUTE |
||||
#else |
||||
#define SEC_DEPRECATED_ATTRIBUTE |
||||
#endif |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
#ifndef __SEC_TYPES__ |
||||
#define __SEC_TYPES__ |
||||
|
||||
/*!
|
||||
@typedef SecKeychainRef |
||||
@abstract Contains information about a keychain. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecKeychainRef *SecKeychainRef; |
||||
|
||||
/*!
|
||||
@typedef SecKeychainItemRef |
||||
@abstract Contains information about a keychain item. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecKeychainItemRef *SecKeychainItemRef; |
||||
|
||||
/*!
|
||||
@typedef SecKeychainSearchRef |
||||
@abstract Contains information about a keychain search. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecKeychainSearchRef *SecKeychainSearchRef; |
||||
|
||||
/*!
|
||||
@typedef SecKeychainAttrType |
||||
@abstract Represents a keychain attribute type. |
||||
*/ |
||||
typedef OSType SecKeychainAttrType; |
||||
|
||||
/*!
|
||||
@struct SecKeychainAttribute |
||||
@abstract Contains keychain attributes. |
||||
@field tag A 4-byte attribute tag. |
||||
@field length The length of the buffer pointed to by data. |
||||
@field data A pointer to the attribute data. |
||||
*/ |
||||
struct SecKeychainAttribute |
||||
{ |
||||
SecKeychainAttrType tag; |
||||
UInt32 length; |
||||
void *data; |
||||
}; |
||||
typedef struct SecKeychainAttribute SecKeychainAttribute; |
||||
|
||||
/*!
|
||||
@typedef SecKeychainAttributePtr |
||||
@abstract Represents a pointer to a keychain attribute structure. |
||||
*/ |
||||
typedef SecKeychainAttribute *SecKeychainAttributePtr; |
||||
|
||||
/*!
|
||||
@typedef SecKeychainAttributeList |
||||
@abstract Represents a list of keychain attributes. |
||||
@field count An unsigned 32-bit integer that represents the number of keychain attributes in the array. |
||||
@field attr A pointer to the first keychain attribute in the array. |
||||
*/ |
||||
struct SecKeychainAttributeList |
||||
{ |
||||
UInt32 count; |
||||
SecKeychainAttribute *attr; |
||||
}; |
||||
typedef struct SecKeychainAttributeList SecKeychainAttributeList; |
||||
|
||||
/*!
|
||||
@typedef SecKeychainStatus |
||||
@abstract Represents the status of a keychain. |
||||
*/ |
||||
typedef UInt32 SecKeychainStatus; |
||||
#endif |
||||
|
||||
/*!
|
||||
@typedef SecTrustedApplicationRef |
||||
@abstract Contains information about a trusted application. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecTrustedApplicationRef *SecTrustedApplicationRef; |
||||
|
||||
/*!
|
||||
@typedef SecPolicyRef |
||||
@abstract Contains information about a policy. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecPolicyRef *SecPolicyRef; |
||||
|
||||
/*!
|
||||
@typedef SecCertificateRef |
||||
@abstract Contains information about a certificate. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecCertificateRef *SecCertificateRef; |
||||
|
||||
/*!
|
||||
@typedef SecAccessRef |
||||
@abstract Contains information about an access. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecAccessRef *SecAccessRef; |
||||
|
||||
/*!
|
||||
@typedef SecIdentityRef |
||||
@abstract Contains information about an identity. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecIdentityRef *SecIdentityRef; |
||||
|
||||
/*!
|
||||
@typedef SecKeyRef |
||||
@abstract Contains information about a key. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecKeyRef *SecKeyRef; |
||||
|
||||
/*!
|
||||
@typedef SecACLRef |
||||
@abstract Contains information about an access control list (ACL) entry. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecTrustRef *SecACLRef; |
||||
|
||||
/*!
|
||||
@typedef SecAccessControlRef |
||||
@abstract CFType representing access control for an item. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecAccessControl *SecAccessControlRef; |
||||
|
||||
/*!
|
||||
@typedef SecPasswordRef |
||||
@abstract Contains information about a password. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecPasswordRef *SecPasswordRef; |
||||
|
||||
/*!
|
||||
@typedef SecKeychainAttributeInfo |
||||
@abstract Represents an attribute. |
||||
@field count The number of tag-format pairs in the respective arrays. |
||||
@field tag A pointer to the first attribute tag in the array. |
||||
@field format A pointer to the first CSSM_DB_ATTRIBUTE_FORMAT in the array. |
||||
@discussion Each tag and format item form a pair. |
||||
*/ |
||||
struct SecKeychainAttributeInfo |
||||
{ |
||||
UInt32 count; |
||||
UInt32 *tag; |
||||
UInt32 *format; |
||||
}; |
||||
typedef struct SecKeychainAttributeInfo SecKeychainAttributeInfo; |
||||
|
||||
/*!
|
||||
@function SecCopyErrorMessageString |
||||
@abstract Returns a string describing the specified error result code. |
||||
@param status An error result code of type OSStatus or CSSM_RETURN, as returned by a Security or CSSM function. |
||||
@reserved Reserved for future use. Your code should pass NULL in this parameter. |
||||
@result A reference to an error string, or NULL if no error string is available for the specified result code. Your code must release this reference by calling the CFRelease function. |
||||
*/ |
||||
__nullable |
||||
CFStringRef SecCopyErrorMessageString(OSStatus status, void * __nullable reserved) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); |
||||
/*!
|
||||
@enum Security Error Codes |
||||
@abstract Result codes returned from Security framework functions. |
||||
@constant errSecSuccess No error. |
||||
@constant errSecUnimplemented Function or operation not implemented. |
||||
@constant errSecDskFull Disk Full error. |
||||
@constant errSecIO I/O error. |
||||
@constant errSecParam One or more parameters passed to a function were not valid. |
||||
@constant errSecWrPerm Write permissions error. |
||||
@constant errSecAllocate Failed to allocate memory. |
||||
@constant errSecUserCanceled User canceled the operation. |
||||
@constant errSecBadReq Bad parameter or invalid state for operation. |
||||
@constant errSecInternalComponent |
||||
@constant errSecCoreFoundationUnknown |
||||
@constant errSecNotAvailable No keychain is available. |
||||
@constant errSecReadOnly Read only error. |
||||
@constant errSecAuthFailed Authorization/Authentication failed. |
||||
@constant errSecNoSuchKeychain The keychain does not exist. |
||||
@constant errSecInvalidKeychain The keychain is not valid. |
||||
@constant errSecDuplicateKeychain A keychain with the same name already exists. |
||||
@constant errSecDuplicateCallback The specified callback is already installed. |
||||
@constant errSecInvalidCallback The specified callback is not valid. |
||||
@constant errSecDuplicateItem The item already exists. |
||||
@constant errSecItemNotFound The item cannot be found. |
||||
@constant errSecBufferTooSmall The buffer is too small. |
||||
@constant errSecDataTooLarge The data is too large. |
||||
@constant errSecNoSuchAttr The attribute does not exist. |
||||
@constant errSecInvalidItemRef The item reference is invalid. |
||||
@constant errSecInvalidSearchRef The search reference is invalid. |
||||
@constant errSecNoSuchClass The keychain item class does not exist. |
||||
@constant errSecNoDefaultKeychain A default keychain does not exist. |
||||
@constant errSecInteractionNotAllowed User interaction is not allowed. |
||||
@constant errSecReadOnlyAttr The attribute is read only. |
||||
@constant errSecWrongSecVersion The version is incorrect. |
||||
@constant errSecKeySizeNotAllowed The key size is not allowed. |
||||
@constant errSecNoStorageModule There is no storage module available. |
||||
@constant errSecNoCertificateModule There is no certificate module available. |
||||
@constant errSecNoPolicyModule There is no policy module available. |
||||
@constant errSecInteractionRequired User interaction is required. |
||||
@constant errSecDataNotAvailable The data is not available. |
||||
@constant errSecDataNotModifiable The data is not modifiable. |
||||
@constant errSecCreateChainFailed The attempt to create a certificate chain failed. |
||||
@constant errSecACLNotSimple The access control list is not in standard simple form. |
||||
@constant errSecPolicyNotFound The policy specified cannot be found. |
||||
@constant errSecInvalidTrustSetting The specified trust setting is invalid. |
||||
@constant errSecNoAccessForItem The specified item has no access control. |
||||
@constant errSecInvalidOwnerEdit Invalid attempt to change the owner of this item. |
||||
@constant errSecTrustNotAvailable No trust results are available. |
||||
@constant errSecUnsupportedFormat Import/Export format unsupported. |
||||
@constant errSecUnknownFormat Unknown format in import. |
||||
@constant errSecKeyIsSensitive Key material must be wrapped for export. |
||||
@constant errSecMultiplePrivKeys An attempt was made to import multiple private keys. |
||||
@constant errSecPassphraseRequired Passphrase is required for import/export. |
||||
@constant errSecInvalidPasswordRef The password reference was invalid. |
||||
@constant errSecInvalidTrustSettings The Trust Settings Record was corrupted. |
||||
@constant errSecNoTrustSettings No Trust Settings were found. |
||||
@constant errSecPkcs12VerifyFailure MAC verification failed during PKCS12 Import. |
||||
@constant errSecDecode Unable to decode the provided data. |
||||
|
||||
@discussion The assigned error space is discontinuous: e.g. -25240..-25279, -25290..-25329, -68608..-67585, and so on. |
||||
*/ |
||||
|
||||
/*
|
||||
Note: the comments that appear after these errors are used to create SecErrorMessages.strings. |
||||
The comments must not be multi-line, and should be in a form meaningful to an end user. If |
||||
a different or additional comment is needed, it can be put in the header doc format, or on a |
||||
line that does not start with errZZZ. |
||||
*/ |
||||
|
||||
CF_ENUM(OSStatus) |
||||
{ |
||||
errSecSuccess = 0, /* No error. */ |
||||
errSecUnimplemented = -4, /* Function or operation not implemented. */ |
||||
errSecDskFull = -34, |
||||
errSecIO = -36, /*I/O error (bummers)*/ |
||||
|
||||
errSecParam = -50, /* One or more parameters passed to a function were not valid. */ |
||||
errSecWrPerm = -61, /* write permissions error*/ |
||||
errSecAllocate = -108, /* Failed to allocate memory. */ |
||||
errSecUserCanceled = -128, /* User canceled the operation. */ |
||||
errSecBadReq = -909, /* Bad parameter or invalid state for operation. */ |
||||
|
||||
errSecInternalComponent = -2070, |
||||
errSecCoreFoundationUnknown = -4960, |
||||
|
||||
errSecNotAvailable = -25291, /* No keychain is available. You may need to restart your computer. */ |
||||
errSecReadOnly = -25292, /* This keychain cannot be modified. */ |
||||
errSecAuthFailed = -25293, /* The user name or passphrase you entered is not correct. */ |
||||
errSecNoSuchKeychain = -25294, /* The specified keychain could not be found. */ |
||||
errSecInvalidKeychain = -25295, /* The specified keychain is not a valid keychain file. */ |
||||
errSecDuplicateKeychain = -25296, /* A keychain with the same name already exists. */ |
||||
errSecDuplicateCallback = -25297, /* The specified callback function is already installed. */ |
||||
errSecInvalidCallback = -25298, /* The specified callback function is not valid. */ |
||||
errSecDuplicateItem = -25299, /* The specified item already exists in the keychain. */ |
||||
errSecItemNotFound = -25300, /* The specified item could not be found in the keychain. */ |
||||
errSecBufferTooSmall = -25301, /* There is not enough memory available to use the specified item. */ |
||||
errSecDataTooLarge = -25302, /* This item contains information which is too large or in a format that cannot be displayed. */ |
||||
errSecNoSuchAttr = -25303, /* The specified attribute does not exist. */ |
||||
errSecInvalidItemRef = -25304, /* The specified item is no longer valid. It may have been deleted from the keychain. */ |
||||
errSecInvalidSearchRef = -25305, /* Unable to search the current keychain. */ |
||||
errSecNoSuchClass = -25306, /* The specified item does not appear to be a valid keychain item. */ |
||||
errSecNoDefaultKeychain = -25307, /* A default keychain could not be found. */ |
||||
errSecInteractionNotAllowed = -25308, /* User interaction is not allowed. */ |
||||
errSecReadOnlyAttr = -25309, /* The specified attribute could not be modified. */ |
||||
errSecWrongSecVersion = -25310, /* This keychain was created by a different version of the system software and cannot be opened. */ |
||||
errSecKeySizeNotAllowed = -25311, /* This item specifies a key size which is too large. */ |
||||
errSecNoStorageModule = -25312, /* A required component (data storage module) could not be loaded. You may need to restart your computer. */ |
||||
errSecNoCertificateModule = -25313, /* A required component (certificate module) could not be loaded. You may need to restart your computer. */ |
||||
errSecNoPolicyModule = -25314, /* A required component (policy module) could not be loaded. You may need to restart your computer. */ |
||||
errSecInteractionRequired = -25315, /* User interaction is required, but is currently not allowed. */ |
||||
errSecDataNotAvailable = -25316, /* The contents of this item cannot be retrieved. */ |
||||
errSecDataNotModifiable = -25317, /* The contents of this item cannot be modified. */ |
||||
errSecCreateChainFailed = -25318, /* One or more certificates required to validate this certificate cannot be found. */ |
||||
errSecInvalidPrefsDomain = -25319, /* The specified preferences domain is not valid. */ |
||||
errSecInDarkWake = -25320, /* In dark wake, no UI possible */ |
||||
|
||||
errSecACLNotSimple = -25240, /* The specified access control list is not in standard (simple) form. */ |
||||
errSecPolicyNotFound = -25241, /* The specified policy cannot be found. */ |
||||
errSecInvalidTrustSetting = -25242, /* The specified trust setting is invalid. */ |
||||
errSecNoAccessForItem = -25243, /* The specified item has no access control. */ |
||||
errSecInvalidOwnerEdit = -25244, /* Invalid attempt to change the owner of this item. */ |
||||
errSecTrustNotAvailable = -25245, /* No trust results are available. */ |
||||
errSecUnsupportedFormat = -25256, /* Import/Export format unsupported. */ |
||||
errSecUnknownFormat = -25257, /* Unknown format in import. */ |
||||
errSecKeyIsSensitive = -25258, /* Key material must be wrapped for export. */ |
||||
errSecMultiplePrivKeys = -25259, /* An attempt was made to import multiple private keys. */ |
||||
errSecPassphraseRequired = -25260, /* Passphrase is required for import/export. */ |
||||
errSecInvalidPasswordRef = -25261, /* The password reference was invalid. */ |
||||
errSecInvalidTrustSettings = -25262, /* The Trust Settings Record was corrupted. */ |
||||
errSecNoTrustSettings = -25263, /* No Trust Settings were found. */ |
||||
errSecPkcs12VerifyFailure = -25264, /* MAC verification failed during PKCS12 import (wrong password?) */ |
||||
errSecNotSigner = -26267, /* A certificate was not signed by its proposed parent. */ |
||||
|
||||
errSecDecode = -26275, /* Unable to decode the provided data. */ |
||||
|
||||
errSecServiceNotAvailable = -67585, /* The required service is not available. */ |
||||
errSecInsufficientClientID = -67586, /* The client ID is not correct. */ |
||||
errSecDeviceReset = -67587, /* A device reset has occurred. */ |
||||
errSecDeviceFailed = -67588, /* A device failure has occurred. */ |
||||
errSecAppleAddAppACLSubject = -67589, /* Adding an application ACL subject failed. */ |
||||
errSecApplePublicKeyIncomplete = -67590, /* The public key is incomplete. */ |
||||
errSecAppleSignatureMismatch = -67591, /* A signature mismatch has occurred. */ |
||||
errSecAppleInvalidKeyStartDate = -67592, /* The specified key has an invalid start date. */ |
||||
errSecAppleInvalidKeyEndDate = -67593, /* The specified key has an invalid end date. */ |
||||
errSecConversionError = -67594, /* A conversion error has occurred. */ |
||||
errSecAppleSSLv2Rollback = -67595, /* A SSLv2 rollback error has occurred. */ |
||||
errSecDiskFull = -34, /* The disk is full. */ |
||||
errSecQuotaExceeded = -67596, /* The quota was exceeded. */ |
||||
errSecFileTooBig = -67597, /* The file is too big. */ |
||||
errSecInvalidDatabaseBlob = -67598, /* The specified database has an invalid blob. */ |
||||
errSecInvalidKeyBlob = -67599, /* The specified database has an invalid key blob. */ |
||||
errSecIncompatibleDatabaseBlob = -67600, /* The specified database has an incompatible blob. */ |
||||
errSecIncompatibleKeyBlob = -67601, /* The specified database has an incompatible key blob. */ |
||||
errSecHostNameMismatch = -67602, /* A host name mismatch has occurred. */ |
||||
errSecUnknownCriticalExtensionFlag = -67603, /* There is an unknown critical extension flag. */ |
||||
errSecNoBasicConstraints = -67604, /* No basic constraints were found. */ |
||||
errSecNoBasicConstraintsCA = -67605, /* No basic CA constraints were found. */ |
||||
errSecInvalidAuthorityKeyID = -67606, /* The authority key ID is not valid. */ |
||||
errSecInvalidSubjectKeyID = -67607, /* The subject key ID is not valid. */ |
||||
errSecInvalidKeyUsageForPolicy = -67608, /* The key usage is not valid for the specified policy. */ |
||||
errSecInvalidExtendedKeyUsage = -67609, /* The extended key usage is not valid. */ |
||||
errSecInvalidIDLinkage = -67610, /* The ID linkage is not valid. */ |
||||
errSecPathLengthConstraintExceeded = -67611, /* The path length constraint was exceeded. */ |
||||
errSecInvalidRoot = -67612, /* The root or anchor certificate is not valid. */ |
||||
errSecCRLExpired = -67613, /* The CRL has expired. */ |
||||
errSecCRLNotValidYet = -67614, /* The CRL is not yet valid. */ |
||||
errSecCRLNotFound = -67615, /* The CRL was not found. */ |
||||
errSecCRLServerDown = -67616, /* The CRL server is down. */ |
||||
errSecCRLBadURI = -67617, /* The CRL has a bad Uniform Resource Identifier. */ |
||||
errSecUnknownCertExtension = -67618, /* An unknown certificate extension was encountered. */ |
||||
errSecUnknownCRLExtension = -67619, /* An unknown CRL extension was encountered. */ |
||||
errSecCRLNotTrusted = -67620, /* The CRL is not trusted. */ |
||||
errSecCRLPolicyFailed = -67621, /* The CRL policy failed. */ |
||||
errSecIDPFailure = -67622, /* The issuing distribution point was not valid. */ |
||||
errSecSMIMEEmailAddressesNotFound = -67623, /* An email address mismatch was encountered. */ |
||||
errSecSMIMEBadExtendedKeyUsage = -67624, /* The appropriate extended key usage for SMIME was not found. */ |
||||
errSecSMIMEBadKeyUsage = -67625, /* The key usage is not compatible with SMIME. */ |
||||
errSecSMIMEKeyUsageNotCritical = -67626, /* The key usage extension is not marked as critical. */ |
||||
errSecSMIMENoEmailAddress = -67627, /* No email address was found in the certificate. */ |
||||
errSecSMIMESubjAltNameNotCritical = -67628, /* The subject alternative name extension is not marked as critical. */ |
||||
errSecSSLBadExtendedKeyUsage = -67629, /* The appropriate extended key usage for SSL was not found. */ |
||||
errSecOCSPBadResponse = -67630, /* The OCSP response was incorrect or could not be parsed. */ |
||||
errSecOCSPBadRequest = -67631, /* The OCSP request was incorrect or could not be parsed. */ |
||||
errSecOCSPUnavailable = -67632, /* OCSP service is unavailable. */ |
||||
errSecOCSPStatusUnrecognized = -67633, /* The OCSP server did not recognize this certificate. */ |
||||
errSecEndOfData = -67634, /* An end-of-data was detected. */ |
||||
errSecIncompleteCertRevocationCheck = -67635, /* An incomplete certificate revocation check occurred. */ |
||||
errSecNetworkFailure = -67636, /* A network failure occurred. */ |
||||
errSecOCSPNotTrustedToAnchor = -67637, /* The OCSP response was not trusted to a root or anchor certificate. */ |
||||
errSecRecordModified = -67638, /* The record was modified. */ |
||||
errSecOCSPSignatureError = -67639, /* The OCSP response had an invalid signature. */ |
||||
errSecOCSPNoSigner = -67640, /* The OCSP response had no signer. */ |
||||
errSecOCSPResponderMalformedReq = -67641, /* The OCSP responder was given a malformed request. */ |
||||
errSecOCSPResponderInternalError = -67642, /* The OCSP responder encountered an internal error. */ |
||||
errSecOCSPResponderTryLater = -67643, /* The OCSP responder is busy, try again later. */ |
||||
errSecOCSPResponderSignatureRequired = -67644, /* The OCSP responder requires a signature. */ |
||||
errSecOCSPResponderUnauthorized = -67645, /* The OCSP responder rejected this request as unauthorized. */ |
||||
errSecOCSPResponseNonceMismatch = -67646, /* The OCSP response nonce did not match the request. */ |
||||
errSecCodeSigningBadCertChainLength = -67647, /* Code signing encountered an incorrect certificate chain length. */ |
||||
errSecCodeSigningNoBasicConstraints = -67648, /* Code signing found no basic constraints. */ |
||||
errSecCodeSigningBadPathLengthConstraint= -67649, /* Code signing encountered an incorrect path length constraint. */ |
||||
errSecCodeSigningNoExtendedKeyUsage = -67650, /* Code signing found no extended key usage. */ |
||||
errSecCodeSigningDevelopment = -67651, /* Code signing indicated use of a development-only certificate. */ |
||||
errSecResourceSignBadCertChainLength = -67652, /* Resource signing has encountered an incorrect certificate chain length. */ |
||||
errSecResourceSignBadExtKeyUsage = -67653, /* Resource signing has encountered an error in the extended key usage. */ |
||||
errSecTrustSettingDeny = -67654, /* The trust setting for this policy was set to Deny. */ |
||||
errSecInvalidSubjectName = -67655, /* An invalid certificate subject name was encountered. */ |
||||
errSecUnknownQualifiedCertStatement = -67656, /* An unknown qualified certificate statement was encountered. */ |
||||
errSecMobileMeRequestQueued = -67657, /* The MobileMe request will be sent during the next connection. */ |
||||
errSecMobileMeRequestRedirected = -67658, /* The MobileMe request was redirected. */ |
||||
errSecMobileMeServerError = -67659, /* A MobileMe server error occurred. */ |
||||
errSecMobileMeServerNotAvailable = -67660, /* The MobileMe server is not available. */ |
||||
errSecMobileMeServerAlreadyExists = -67661, /* The MobileMe server reported that the item already exists. */ |
||||
errSecMobileMeServerServiceErr = -67662, /* A MobileMe service error has occurred. */ |
||||
errSecMobileMeRequestAlreadyPending = -67663, /* A MobileMe request is already pending. */ |
||||
errSecMobileMeNoRequestPending = -67664, /* MobileMe has no request pending. */ |
||||
errSecMobileMeCSRVerifyFailure = -67665, /* A MobileMe CSR verification failure has occurred. */ |
||||
errSecMobileMeFailedConsistencyCheck = -67666, /* MobileMe has found a failed consistency check. */ |
||||
errSecNotInitialized = -67667, /* A function was called without initializing CSSM. */ |
||||
errSecInvalidHandleUsage = -67668, /* The CSSM handle does not match with the service type. */ |
||||
errSecPVCReferentNotFound = -67669, /* A reference to the calling module was not found in the list of authorized callers. */ |
||||
errSecFunctionIntegrityFail = -67670, /* A function address was not within the verified module. */ |
||||
errSecInternalError = -67671, /* An internal error has occurred. */ |
||||
errSecMemoryError = -67672, /* A memory error has occurred. */ |
||||
errSecInvalidData = -67673, /* Invalid data was encountered. */ |
||||
errSecMDSError = -67674, /* A Module Directory Service error has occurred. */ |
||||
errSecInvalidPointer = -67675, /* An invalid pointer was encountered. */ |
||||
errSecSelfCheckFailed = -67676, /* Self-check has failed. */ |
||||
errSecFunctionFailed = -67677, /* A function has failed. */ |
||||
errSecModuleManifestVerifyFailed = -67678, /* A module manifest verification failure has occurred. */ |
||||
errSecInvalidGUID = -67679, /* An invalid GUID was encountered. */ |
||||
errSecInvalidHandle = -67680, /* An invalid handle was encountered. */ |
||||
errSecInvalidDBList = -67681, /* An invalid DB list was encountered. */ |
||||
errSecInvalidPassthroughID = -67682, /* An invalid passthrough ID was encountered. */ |
||||
errSecInvalidNetworkAddress = -67683, /* An invalid network address was encountered. */ |
||||
errSecCRLAlreadySigned = -67684, /* The certificate revocation list is already signed. */ |
||||
errSecInvalidNumberOfFields = -67685, /* An invalid number of fields were encountered. */ |
||||
errSecVerificationFailure = -67686, /* A verification failure occurred. */ |
||||
errSecUnknownTag = -67687, /* An unknown tag was encountered. */ |
||||
errSecInvalidSignature = -67688, /* An invalid signature was encountered. */ |
||||
errSecInvalidName = -67689, /* An invalid name was encountered. */ |
||||
errSecInvalidCertificateRef = -67690, /* An invalid certificate reference was encountered. */ |
||||
errSecInvalidCertificateGroup = -67691, /* An invalid certificate group was encountered. */ |
||||
errSecTagNotFound = -67692, /* The specified tag was not found. */ |
||||
errSecInvalidQuery = -67693, /* The specified query was not valid. */ |
||||
errSecInvalidValue = -67694, /* An invalid value was detected. */ |
||||
errSecCallbackFailed = -67695, /* A callback has failed. */ |
||||
errSecACLDeleteFailed = -67696, /* An ACL delete operation has failed. */ |
||||
errSecACLReplaceFailed = -67697, /* An ACL replace operation has failed. */ |
||||
errSecACLAddFailed = -67698, /* An ACL add operation has failed. */ |
||||
errSecACLChangeFailed = -67699, /* An ACL change operation has failed. */ |
||||
errSecInvalidAccessCredentials = -67700, /* Invalid access credentials were encountered. */ |
||||
errSecInvalidRecord = -67701, /* An invalid record was encountered. */ |
||||
errSecInvalidACL = -67702, /* An invalid ACL was encountered. */ |
||||
errSecInvalidSampleValue = -67703, /* An invalid sample value was encountered. */ |
||||
errSecIncompatibleVersion = -67704, /* An incompatible version was encountered. */ |
||||
errSecPrivilegeNotGranted = -67705, /* The privilege was not granted. */ |
||||
errSecInvalidScope = -67706, /* An invalid scope was encountered. */ |
||||
errSecPVCAlreadyConfigured = -67707, /* The PVC is already configured. */ |
||||
errSecInvalidPVC = -67708, /* An invalid PVC was encountered. */ |
||||
errSecEMMLoadFailed = -67709, /* The EMM load has failed. */ |
||||
errSecEMMUnloadFailed = -67710, /* The EMM unload has failed. */ |
||||
errSecAddinLoadFailed = -67711, /* The add-in load operation has failed. */ |
||||
errSecInvalidKeyRef = -67712, /* An invalid key was encountered. */ |
||||
errSecInvalidKeyHierarchy = -67713, /* An invalid key hierarchy was encountered. */ |
||||
errSecAddinUnloadFailed = -67714, /* The add-in unload operation has failed. */ |
||||
errSecLibraryReferenceNotFound = -67715, /* A library reference was not found. */ |
||||
errSecInvalidAddinFunctionTable = -67716, /* An invalid add-in function table was encountered. */ |
||||
errSecInvalidServiceMask = -67717, /* An invalid service mask was encountered. */ |
||||
errSecModuleNotLoaded = -67718, /* A module was not loaded. */ |
||||
errSecInvalidSubServiceID = -67719, /* An invalid subservice ID was encountered. */ |
||||
errSecAttributeNotInContext = -67720, /* An attribute was not in the context. */ |
||||
errSecModuleManagerInitializeFailed = -67721, /* A module failed to initialize. */ |
||||
errSecModuleManagerNotFound = -67722, /* A module was not found. */ |
||||
errSecEventNotificationCallbackNotFound = -67723, /* An event notification callback was not found. */ |
||||
errSecInputLengthError = -67724, /* An input length error was encountered. */ |
||||
errSecOutputLengthError = -67725, /* An output length error was encountered. */ |
||||
errSecPrivilegeNotSupported = -67726, /* The privilege is not supported. */ |
||||
errSecDeviceError = -67727, /* A device error was encountered. */ |
||||
errSecAttachHandleBusy = -67728, /* The CSP handle was busy. */ |
||||
errSecNotLoggedIn = -67729, /* You are not logged in. */ |
||||
errSecAlgorithmMismatch = -67730, /* An algorithm mismatch was encountered. */ |
||||
errSecKeyUsageIncorrect = -67731, /* The key usage is incorrect. */ |
||||
errSecKeyBlobTypeIncorrect = -67732, /* The key blob type is incorrect. */ |
||||
errSecKeyHeaderInconsistent = -67733, /* The key header is inconsistent. */ |
||||
errSecUnsupportedKeyFormat = -67734, /* The key header format is not supported. */ |
||||
errSecUnsupportedKeySize = -67735, /* The key size is not supported. */ |
||||
errSecInvalidKeyUsageMask = -67736, /* The key usage mask is not valid. */ |
||||
errSecUnsupportedKeyUsageMask = -67737, /* The key usage mask is not supported. */ |
||||
errSecInvalidKeyAttributeMask = -67738, /* The key attribute mask is not valid. */ |
||||
errSecUnsupportedKeyAttributeMask = -67739, /* The key attribute mask is not supported. */ |
||||
errSecInvalidKeyLabel = -67740, /* The key label is not valid. */ |
||||
errSecUnsupportedKeyLabel = -67741, /* The key label is not supported. */ |
||||
errSecInvalidKeyFormat = -67742, /* The key format is not valid. */ |
||||
errSecUnsupportedVectorOfBuffers = -67743, /* The vector of buffers is not supported. */ |
||||
errSecInvalidInputVector = -67744, /* The input vector is not valid. */ |
||||
errSecInvalidOutputVector = -67745, /* The output vector is not valid. */ |
||||
errSecInvalidContext = -67746, /* An invalid context was encountered. */ |
||||
errSecInvalidAlgorithm = -67747, /* An invalid algorithm was encountered. */ |
||||
errSecInvalidAttributeKey = -67748, /* A key attribute was not valid. */ |
||||
errSecMissingAttributeKey = -67749, /* A key attribute was missing. */ |
||||
errSecInvalidAttributeInitVector = -67750, /* An init vector attribute was not valid. */ |
||||
errSecMissingAttributeInitVector = -67751, /* An init vector attribute was missing. */ |
||||
errSecInvalidAttributeSalt = -67752, /* A salt attribute was not valid. */ |
||||
errSecMissingAttributeSalt = -67753, /* A salt attribute was missing. */ |
||||
errSecInvalidAttributePadding = -67754, /* A padding attribute was not valid. */ |
||||
errSecMissingAttributePadding = -67755, /* A padding attribute was missing. */ |
||||
errSecInvalidAttributeRandom = -67756, /* A random number attribute was not valid. */ |
||||
errSecMissingAttributeRandom = -67757, /* A random number attribute was missing. */ |
||||
errSecInvalidAttributeSeed = -67758, /* A seed attribute was not valid. */ |
||||
errSecMissingAttributeSeed = -67759, /* A seed attribute was missing. */ |
||||
errSecInvalidAttributePassphrase = -67760, /* A passphrase attribute was not valid. */ |
||||
errSecMissingAttributePassphrase = -67761, /* A passphrase attribute was missing. */ |
||||
errSecInvalidAttributeKeyLength = -67762, /* A key length attribute was not valid. */ |
||||
errSecMissingAttributeKeyLength = -67763, /* A key length attribute was missing. */ |
||||
errSecInvalidAttributeBlockSize = -67764, /* A block size attribute was not valid. */ |
||||
errSecMissingAttributeBlockSize = -67765, /* A block size attribute was missing. */ |
||||
errSecInvalidAttributeOutputSize = -67766, /* An output size attribute was not valid. */ |
||||
errSecMissingAttributeOutputSize = -67767, /* An output size attribute was missing. */ |
||||
errSecInvalidAttributeRounds = -67768, /* The number of rounds attribute was not valid. */ |
||||
errSecMissingAttributeRounds = -67769, /* The number of rounds attribute was missing. */ |
||||
errSecInvalidAlgorithmParms = -67770, /* An algorithm parameters attribute was not valid. */ |
||||
errSecMissingAlgorithmParms = -67771, /* An algorithm parameters attribute was missing. */ |
||||
errSecInvalidAttributeLabel = -67772, /* A label attribute was not valid. */ |
||||
errSecMissingAttributeLabel = -67773, /* A label attribute was missing. */ |
||||
errSecInvalidAttributeKeyType = -67774, /* A key type attribute was not valid. */ |
||||
errSecMissingAttributeKeyType = -67775, /* A key type attribute was missing. */ |
||||
errSecInvalidAttributeMode = -67776, /* A mode attribute was not valid. */ |
||||
errSecMissingAttributeMode = -67777, /* A mode attribute was missing. */ |
||||
errSecInvalidAttributeEffectiveBits = -67778, /* An effective bits attribute was not valid. */ |
||||
errSecMissingAttributeEffectiveBits = -67779, /* An effective bits attribute was missing. */ |
||||
errSecInvalidAttributeStartDate = -67780, /* A start date attribute was not valid. */ |
||||
errSecMissingAttributeStartDate = -67781, /* A start date attribute was missing. */ |
||||
errSecInvalidAttributeEndDate = -67782, /* An end date attribute was not valid. */ |
||||
errSecMissingAttributeEndDate = -67783, /* An end date attribute was missing. */ |
||||
errSecInvalidAttributeVersion = -67784, /* A version attribute was not valid. */ |
||||
errSecMissingAttributeVersion = -67785, /* A version attribute was missing. */ |
||||
errSecInvalidAttributePrime = -67786, /* A prime attribute was not valid. */ |
||||
errSecMissingAttributePrime = -67787, /* A prime attribute was missing. */ |
||||
errSecInvalidAttributeBase = -67788, /* A base attribute was not valid. */ |
||||
errSecMissingAttributeBase = -67789, /* A base attribute was missing. */ |
||||
errSecInvalidAttributeSubprime = -67790, /* A subprime attribute was not valid. */ |
||||
errSecMissingAttributeSubprime = -67791, /* A subprime attribute was missing. */ |
||||
errSecInvalidAttributeIterationCount = -67792, /* An iteration count attribute was not valid. */ |
||||
errSecMissingAttributeIterationCount = -67793, /* An iteration count attribute was missing. */ |
||||
errSecInvalidAttributeDLDBHandle = -67794, /* A database handle attribute was not valid. */ |
||||
errSecMissingAttributeDLDBHandle = -67795, /* A database handle attribute was missing. */ |
||||
errSecInvalidAttributeAccessCredentials = -67796, /* An access credentials attribute was not valid. */ |
||||
errSecMissingAttributeAccessCredentials = -67797, /* An access credentials attribute was missing. */ |
||||
errSecInvalidAttributePublicKeyFormat = -67798, /* A public key format attribute was not valid. */ |
||||
errSecMissingAttributePublicKeyFormat = -67799, /* A public key format attribute was missing. */ |
||||
errSecInvalidAttributePrivateKeyFormat = -67800, /* A private key format attribute was not valid. */ |
||||
errSecMissingAttributePrivateKeyFormat = -67801, /* A private key format attribute was missing. */ |
||||
errSecInvalidAttributeSymmetricKeyFormat = -67802, /* A symmetric key format attribute was not valid. */ |
||||
errSecMissingAttributeSymmetricKeyFormat = -67803, /* A symmetric key format attribute was missing. */ |
||||
errSecInvalidAttributeWrappedKeyFormat = -67804, /* A wrapped key format attribute was not valid. */ |
||||
errSecMissingAttributeWrappedKeyFormat = -67805, /* A wrapped key format attribute was missing. */ |
||||
errSecStagedOperationInProgress = -67806, /* A staged operation is in progress. */ |
||||
errSecStagedOperationNotStarted = -67807, /* A staged operation was not started. */ |
||||
errSecVerifyFailed = -67808, /* A cryptographic verification failure has occurred. */ |
||||
errSecQuerySizeUnknown = -67809, /* The query size is unknown. */ |
||||
errSecBlockSizeMismatch = -67810, /* A block size mismatch occurred. */ |
||||
errSecPublicKeyInconsistent = -67811, /* The public key was inconsistent. */ |
||||
errSecDeviceVerifyFailed = -67812, /* A device verification failure has occurred. */ |
||||
errSecInvalidLoginName = -67813, /* An invalid login name was detected. */ |
||||
errSecAlreadyLoggedIn = -67814, /* The user is already logged in. */ |
||||
errSecInvalidDigestAlgorithm = -67815, /* An invalid digest algorithm was detected. */ |
||||
errSecInvalidCRLGroup = -67816, /* An invalid CRL group was detected. */ |
||||
errSecCertificateCannotOperate = -67817, /* The certificate cannot operate. */ |
||||
errSecCertificateExpired = -67818, /* An expired certificate was detected. */ |
||||
errSecCertificateNotValidYet = -67819, /* The certificate is not yet valid. */ |
||||
errSecCertificateRevoked = -67820, /* The certificate was revoked. */ |
||||
errSecCertificateSuspended = -67821, /* The certificate was suspended. */ |
||||
errSecInsufficientCredentials = -67822, /* Insufficient credentials were detected. */ |
||||
errSecInvalidAction = -67823, /* The action was not valid. */ |
||||
errSecInvalidAuthority = -67824, /* The authority was not valid. */ |
||||
errSecVerifyActionFailed = -67825, /* A verify action has failed. */ |
||||
errSecInvalidCertAuthority = -67826, /* The certificate authority was not valid. */ |
||||
errSecInvaldCRLAuthority = -67827, /* The CRL authority was not valid. */ |
||||
errSecInvalidCRLEncoding = -67828, /* The CRL encoding was not valid. */ |
||||
errSecInvalidCRLType = -67829, /* The CRL type was not valid. */ |
||||
errSecInvalidCRL = -67830, /* The CRL was not valid. */ |
||||
errSecInvalidFormType = -67831, /* The form type was not valid. */ |
||||
errSecInvalidID = -67832, /* The ID was not valid. */ |
||||
errSecInvalidIdentifier = -67833, /* The identifier was not valid. */ |
||||
errSecInvalidIndex = -67834, /* The index was not valid. */ |
||||
errSecInvalidPolicyIdentifiers = -67835, /* The policy identifiers are not valid. */ |
||||
errSecInvalidTimeString = -67836, /* The time specified was not valid. */ |
||||
errSecInvalidReason = -67837, /* The trust policy reason was not valid. */ |
||||
errSecInvalidRequestInputs = -67838, /* The request inputs are not valid. */ |
||||
errSecInvalidResponseVector = -67839, /* The response vector was not valid. */ |
||||
errSecInvalidStopOnPolicy = -67840, /* The stop-on policy was not valid. */ |
||||
errSecInvalidTuple = -67841, /* The tuple was not valid. */ |
||||
errSecMultipleValuesUnsupported = -67842, /* Multiple values are not supported. */ |
||||
errSecNotTrusted = -67843, /* The trust policy was not trusted. */ |
||||
errSecNoDefaultAuthority = -67844, /* No default authority was detected. */ |
||||
errSecRejectedForm = -67845, /* The trust policy had a rejected form. */ |
||||
errSecRequestLost = -67846, /* The request was lost. */ |
||||
errSecRequestRejected = -67847, /* The request was rejected. */ |
||||
errSecUnsupportedAddressType = -67848, /* The address type is not supported. */ |
||||
errSecUnsupportedService = -67849, /* The service is not supported. */ |
||||
errSecInvalidTupleGroup = -67850, /* The tuple group was not valid. */ |
||||
errSecInvalidBaseACLs = -67851, /* The base ACLs are not valid. */ |
||||
errSecInvalidTupleCredendtials = -67852, /* The tuple credentials are not valid. */ |
||||
errSecInvalidEncoding = -67853, /* The encoding was not valid. */ |
||||
errSecInvalidValidityPeriod = -67854, /* The validity period was not valid. */ |
||||
errSecInvalidRequestor = -67855, /* The requestor was not valid. */ |
||||
errSecRequestDescriptor = -67856, /* The request descriptor was not valid. */ |
||||
errSecInvalidBundleInfo = -67857, /* The bundle information was not valid. */ |
||||
errSecInvalidCRLIndex = -67858, /* The CRL index was not valid. */ |
||||
errSecNoFieldValues = -67859, /* No field values were detected. */ |
||||
errSecUnsupportedFieldFormat = -67860, /* The field format is not supported. */ |
||||
errSecUnsupportedIndexInfo = -67861, /* The index information is not supported. */ |
||||
errSecUnsupportedLocality = -67862, /* The locality is not supported. */ |
||||
errSecUnsupportedNumAttributes = -67863, /* The number of attributes is not supported. */ |
||||
errSecUnsupportedNumIndexes = -67864, /* The number of indexes is not supported. */ |
||||
errSecUnsupportedNumRecordTypes = -67865, /* The number of record types is not supported. */ |
||||
errSecFieldSpecifiedMultiple = -67866, /* Too many fields were specified. */ |
||||
errSecIncompatibleFieldFormat = -67867, /* The field format was incompatible. */ |
||||
errSecInvalidParsingModule = -67868, /* The parsing module was not valid. */ |
||||
errSecDatabaseLocked = -67869, /* The database is locked. */ |
||||
errSecDatastoreIsOpen = -67870, /* The data store is open. */ |
||||
errSecMissingValue = -67871, /* A missing value was detected. */ |
||||
errSecUnsupportedQueryLimits = -67872, /* The query limits are not supported. */ |
||||
errSecUnsupportedNumSelectionPreds = -67873, /* The number of selection predicates is not supported. */ |
||||
errSecUnsupportedOperator = -67874, /* The operator is not supported. */ |
||||
errSecInvalidDBLocation = -67875, /* The database location is not valid. */ |
||||
errSecInvalidAccessRequest = -67876, /* The access request is not valid. */ |
||||
errSecInvalidIndexInfo = -67877, /* The index information is not valid. */ |
||||
errSecInvalidNewOwner = -67878, /* The new owner is not valid. */ |
||||
errSecInvalidModifyMode = -67879, /* The modify mode is not valid. */ |
||||
errSecMissingRequiredExtension = -67880, /* A required certificate extension is missing. */ |
||||
errSecExtendedKeyUsageNotCritical = -67881, /* The extended key usage extension was not marked critical. */ |
||||
errSecTimestampMissing = -67882, /* A timestamp was expected but was not found. */ |
||||
errSecTimestampInvalid = -67883, /* The timestamp was not valid. */ |
||||
errSecTimestampNotTrusted = -67884, /* The timestamp was not trusted. */ |
||||
errSecTimestampServiceNotAvailable = -67885, /* The timestamp service is not available. */ |
||||
errSecTimestampBadAlg = -67886, /* An unrecognized or unsupported Algorithm Identifier in timestamp. */ |
||||
errSecTimestampBadRequest = -67887, /* The timestamp transaction is not permitted or supported. */ |
||||
errSecTimestampBadDataFormat = -67888, /* The timestamp data submitted has the wrong format. */ |
||||
errSecTimestampTimeNotAvailable = -67889, /* The time source for the Timestamp Authority is not available. */ |
||||
errSecTimestampUnacceptedPolicy = -67890, /* The requested policy is not supported by the Timestamp Authority. */ |
||||
errSecTimestampUnacceptedExtension = -67891, /* The requested extension is not supported by the Timestamp Authority. */ |
||||
errSecTimestampAddInfoNotAvailable = -67892, /* The additional information requested is not available. */ |
||||
errSecTimestampSystemFailure = -67893, /* The timestamp request cannot be handled due to system failure. */ |
||||
errSecSigningTimeMissing = -67894, /* A signing time was expected but was not found. */ |
||||
errSecTimestampRejection = -67895, /* A timestamp transaction was rejected. */ |
||||
errSecTimestampWaiting = -67896, /* A timestamp transaction is waiting. */ |
||||
errSecTimestampRevocationWarning = -67897, /* A timestamp authority revocation warning was issued. */ |
||||
errSecTimestampRevocationNotification = -67898, /* A timestamp authority revocation notification was issued. */ |
||||
}; |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECBASE_H_ */ |
@ -0,0 +1,480 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2011,2013 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecCertificate |
||||
The functions provided in SecCertificate implement and manage a particular type of keychain item that represents a certificate. You can store a certificate in a keychain, but a certificate can also be a transient object. |
||||
|
||||
You can use a certificate as a keychain item in most functions. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECCERTIFICATE_H_ |
||||
#define _SECURITY_SECCERTIFICATE_H_ |
||||
|
||||
#include <CoreFoundation/CFBase.h> |
||||
#include <CoreFoundation/CFArray.h> |
||||
#include <CoreFoundation/CFData.h> |
||||
#include <CoreFoundation/CFDate.h> |
||||
#include <CoreFoundation/CFError.h> |
||||
#include <Security/SecBase.h> |
||||
#include <Security/cssmtype.h> |
||||
#include <Security/x509defs.h> |
||||
#include <Availability.h> |
||||
#include <AvailabilityMacros.h> |
||||
/*
|
||||
#include <Security/SecTransform.h> |
||||
#include <Security/SecIdentity.h> |
||||
*/ |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@enum CertificateItemAttributes |
||||
@abstract Indicates the type of a certificate item attribute. |
||||
@constant kSecSubjectItemAttr Indicates a DER-encoded subject distinguished name. |
||||
@constant kSecIssuerItemAttr Indicates a DER-encoded issuer distinguished name. |
||||
@constant kSecSerialNumberItemAttr Indicates a DER-encoded certificate serial number (without the tag and length). |
||||
@constant kSecPublicKeyHashItemAttr Indicates a public key hash. |
||||
@constant kSecSubjectKeyIdentifierItemAttr Indicates a subject key identifier. |
||||
@constant kSecCertTypeItemAttr Indicates a certificate type. |
||||
@constant kSecCertEncodingItemAttr Indicates a certificate encoding. |
||||
*/ |
||||
enum |
||||
{ |
||||
kSecSubjectItemAttr = 'subj', |
||||
kSecIssuerItemAttr = 'issu', |
||||
kSecSerialNumberItemAttr = 'snbr', |
||||
kSecPublicKeyHashItemAttr = 'hpky', |
||||
kSecSubjectKeyIdentifierItemAttr = 'skid', |
||||
kSecCertTypeItemAttr = 'ctyp', |
||||
kSecCertEncodingItemAttr = 'cenc' |
||||
} /*DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER*/; |
||||
|
||||
/*!
|
||||
@function SecCertificateGetTypeID |
||||
@abstract Returns the type identifier of SecCertificate instances. |
||||
@result The CFTypeID of SecCertificate instances. |
||||
*/ |
||||
CFTypeID SecCertificateGetTypeID(void) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
#pragma mark ---- Certificate Operations ---- |
||||
|
||||
/*!
|
||||
@function SecCertificateCreateFromData |
||||
@abstract Creates a certificate based on the input data, type, and encoding.
|
||||
@param data A pointer to the certificate data. |
||||
@param type The certificate type as defined in cssmtype.h. |
||||
@param encoding The certificate encoding as defined in cssmtype.h. |
||||
@param certificate On return, a reference to the newly created certificate. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated in 10.7 Please use the SecCertificateCreateWithData API instead. |
||||
*/ |
||||
OSStatus SecCertificateCreateFromData(const CSSM_DATA *data, CSSM_CERT_TYPE type, CSSM_CERT_ENCODING encoding, SecCertificateRef * __nonnull CF_RETURNS_RETAINED certificate) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecCertificateCreateWithData |
||||
@abstract Create a certificate reference given its DER representation as a CFData. |
||||
@param allocator CFAllocator to allocate the certificate data. Pass NULL to use the default allocator. |
||||
@param certificate DER encoded X.509 certificate. |
||||
@result On return, a reference to the certificate. Returns NULL if the passed-in data is not a valid DER-encoded X.509 certificate. |
||||
*/ |
||||
__nullable |
||||
SecCertificateRef SecCertificateCreateWithData(CFAllocatorRef __nullable allocator, CFDataRef data) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecCertificateAddToKeychain |
||||
@abstract Adds a certificate to the specified keychain. |
||||
@param certificate A reference to a certificate. |
||||
@param keychain A reference to the keychain in which to add the certificate. Pass NULL to add the certificate to the default keychain. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is successful only if the certificate was created using the SecCertificateCreateFromData or |
||||
SecCertificateCreateWithData functions, and the certificate has not yet been added to the specified keychain. |
||||
*/ |
||||
OSStatus SecCertificateAddToKeychain(SecCertificateRef certificate, SecKeychainRef __nullable keychain) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateGetData |
||||
@abstract Retrieves the data for a given certificate. |
||||
@param certificate A reference to the certificate from which to retrieve the data. |
||||
@param data On return, the CSSM_DATA structure pointed to by data is filled in. You must allocate the space for a CSSM_DATA structure before calling this function. This data pointer is only guaranteed to remain valid as long as the certificate remains unchanged and valid. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated in 10.7. Please use the SecCertificateCopyData API instead. |
||||
*/ |
||||
OSStatus SecCertificateGetData(SecCertificateRef certificate, CSSM_DATA_PTR data) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyData |
||||
@abstract Returns the DER representation of an X.509 certificate. |
||||
@param certificate A reference to a certificate. |
||||
@result On return, a data reference containing the DER encoded representation of the X.509 certificate. |
||||
*/ |
||||
CFDataRef SecCertificateCopyData(SecCertificateRef certificate) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecCertificateGetType |
||||
@abstract Retrieves the type for a given certificate. |
||||
@param certificate A reference to the certificate from which to obtain the type. |
||||
@param certificateType On return, the certificate type of the certificate. Certificate types are defined in cssmtype.h. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead.
|
||||
*/ |
||||
OSStatus SecCertificateGetType(SecCertificateRef certificate, CSSM_CERT_TYPE *certificateType) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecCertificateGetSubject |
||||
@abstract Retrieves the subject name for a given certificate. |
||||
@param certificate A reference to the certificate from which to obtain the subject name. |
||||
@param subject On return, a pointer to a CSSM_X509_NAME struct which contains the subject's X.509 name (x509defs.h). This pointer remains valid until the certificate reference is released. The caller should not attempt to free this pointer. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion Prior to Mac OS X 10.5, this function did not return any output in the subject parameter. Your code should check the returned pointer value (in addition to the function result) before attempting to use it. |
||||
For example: |
||||
const CSSM_X509_NAME *subject = NULL; |
||||
OSStatus status = SecCertificateGetSubject(certificate, &subject); |
||||
if ( (status == errSecSuccess) && (subject != NULL) ) { |
||||
// subject is valid
|
||||
} |
||||
This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead.
|
||||
*/ |
||||
OSStatus SecCertificateGetSubject(SecCertificateRef certificate, const CSSM_X509_NAME * __nullable * __nonnull subject) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecCertificateGetIssuer |
||||
@abstract Retrieves the issuer name for a given certificate. |
||||
@param certificate A reference to the certificate from which to obtain the issuer name. |
||||
@param issuer On return, a pointer to a CSSM_X509_NAME struct which contains the issuer's X.509 name (x509defs.h). This pointer remains valid until the certificate reference is released. The caller should not attempt to free this pointer. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion Prior to Mac OS X 10.5, this function did not return any output in the issuer parameter. Your code should check the returned pointer value (in addition to the function result) before attempting to use it. |
||||
For example: |
||||
const CSSM_X509_NAME *issuer = NULL; |
||||
OSStatus status = SecCertificateGetIssuer(certificate, &issuer); |
||||
if ( (status == errSecSuccess) && (issuer != NULL) ) { |
||||
// issuer is valid
|
||||
} |
||||
This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead.
|
||||
*/ |
||||
OSStatus SecCertificateGetIssuer(SecCertificateRef certificate, const CSSM_X509_NAME * __nullable * __nonnull issuer) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecCertificateGetCLHandle |
||||
@abstract Retrieves the certificate library handle for a given certificate. |
||||
@param certificate A reference to the certificate from which to obtain the certificate library handle. |
||||
@param clHandle On return, the certificate library handle of the given certificate. This handle remains valid at least as long as the certificate does. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead. |
||||
*/ |
||||
OSStatus SecCertificateGetCLHandle(SecCertificateRef certificate, CSSM_CL_HANDLE *clHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecCertificateGetAlgorithmID |
||||
@abstract Retrieves the algorithm identifier for a given certificate. |
||||
@param certificate A reference to the certificate from which to retrieve the algorithm identifier. |
||||
@param algid On return, a pointer to a CSSM_X509_ALGORITHM_IDENTIFIER struct which identifies the algorithm for this certificate (x509defs.h). This pointer remains valid until the certificate reference is released. The caller should not attempt to free this pointer. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
discussion This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead. |
||||
*/ |
||||
OSStatus SecCertificateGetAlgorithmID(SecCertificateRef certificate, const CSSM_X509_ALGORITHM_IDENTIFIER * __nullable * __nonnull algid) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyPublicKey |
||||
@abstract Retrieves the public key for a given certificate. |
||||
@param certificate A reference to the certificate from which to retrieve the public key. |
||||
@param key On return, a reference to the public key for the specified certificate. Your code must release this reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecCertificateCopyPublicKey(SecCertificateRef certificate, SecKeyRef * __nonnull CF_RETURNS_RETAINED key) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyCommonName |
||||
@abstract Retrieves the common name of the subject of a given certificate. |
||||
@param certificate A reference to the certificate from which to retrieve the common name. |
||||
@param commonName On return, a reference to the common name. Your code must release this reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion All the data in this string comes from the certificate itself, and thus it's in whatever language the certificate itself is in. |
||||
Note that the certificate's common name field may not be present, or may be inadequate to describe the certificate; for display purposes, |
||||
you should consider using SecCertificateCopySubjectSummary instead of this function. |
||||
*/ |
||||
OSStatus SecCertificateCopyCommonName(SecCertificateRef certificate, CFStringRef * __nonnull CF_RETURNS_RETAINED commonName) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopySubjectSummary |
||||
@abstract Returns a simple string which hopefully represents a human understandable summary. |
||||
@param certificate A reference to the certificate from which to derive the subject summary string. |
||||
@result On return, a reference to the subject summary string. Your code must release this reference by calling the CFRelease function. |
||||
@discussion All the data in this string comes from the certificate itself, and thus it's in whatever language the certificate itself is in. |
||||
*/ |
||||
CFStringRef SecCertificateCopySubjectSummary(SecCertificateRef certificate) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyEmailAddresses |
||||
@abstract Returns an array of zero or more email addresses for the subject of a given certificate. |
||||
@param certificate A reference to the certificate from which to retrieve the email addresses. |
||||
@param emailAddresses On return, an array of zero or more CFStringRef elements corresponding to each email address found. |
||||
Your code must release this array reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecCertificateCopyEmailAddresses(SecCertificateRef certificate, CFArrayRef * __nonnull CF_RETURNS_RETAINED emailAddresses) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyPreference |
||||
@abstract Returns the preferred certificate for the specified name and key usage. If a preferred certificate does not exist for the specified name and key usage, NULL is returned. |
||||
@param name A string containing an email address (RFC822) or other name for which a preferred certificate is requested. |
||||
@param keyUsage A CSSM_KEYUSE key usage value, as defined in cssmtype.h. Pass 0 to ignore this parameter. |
||||
@param certificate On return, a reference to the preferred certificate, or NULL if none was found. You are responsible for releasing this reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function will typically be used to obtain the preferred encryption certificate for an email recipient. |
||||
This API is deprecated in 10.7. Please use the SecCertificateCopyPreferred API instead. |
||||
*/ |
||||
OSStatus SecCertificateCopyPreference(CFStringRef name, uint32 keyUsage, SecCertificateRef * __nonnull CF_RETURNS_RETAINED certificate) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyPreferred |
||||
@abstract Returns the preferred certificate for the specified name and key usage. If a preferred certificate does not exist for the specified name and key usage, NULL is returned. |
||||
@param name A string containing an email address (RFC822) or other name for which a preferred certificate is requested. |
||||
@param keyUsage A CFArrayRef value, containing items defined in SecItem.h Pass NULL to ignore this parameter. (kSecAttrCanEncrypt, kSecAttrCanDecrypt, kSecAttrCanDerive, kSecAttrCanSign, kSecAttrCanVerify, kSecAttrCanWrap, kSecAttrCanUnwrap) |
||||
@result On return, a reference to the preferred certificate, or NULL if none was found. You are responsible for releasing this reference by calling the CFRelease function. |
||||
@discussion This function will typically be used to obtain the preferred encryption certificate for an email recipient. If a preferred certificate has not been set |
||||
for the supplied name, the returned reference will be NULL. Your code should then perform a search for possible certificates, using the SecItemCopyMatching API. |
||||
*/ |
||||
__nullable |
||||
SecCertificateRef SecCertificateCopyPreferred(CFStringRef name, CFArrayRef __nullable keyUsage) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateSetPreference |
||||
@abstract Sets the preferred certificate for a specified name, key usage, and date. |
||||
@param certificate A reference to the certificate which will be preferred. |
||||
@param name A string containing an email address (RFC822) or other name for which a preferred certificate will be associated. |
||||
@param keyUsage A CSSM_KEYUSE key usage value, as defined in cssmtype.h. Pass 0 to avoid specifying a particular key usage. |
||||
@param date (optional) A date reference. If supplied, the preferred certificate will be changed only if this date is later than the currently saved setting. Pass NULL if this preference should not be restricted by date. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function will typically be used to set the preferred encryption certificate for an email recipient, either manually (when encrypting email to a recipient) or automatically upon receipt of encrypted email. |
||||
This API is deprecated in 10.7. Plese use the SecCertificateSetPreferred API instead. |
||||
*/ |
||||
OSStatus SecCertificateSetPreference(SecCertificateRef certificate, CFStringRef name, uint32 keyUsage, CFDateRef __nullable date) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateSetPreferred |
||||
@abstract Sets the preferred certificate for a specified name and optional key usage. |
||||
@param certificate A reference to the preferred certificate. If NULL is passed, any existing preference for the specified name is cleared instead. |
||||
@param name A string containing an email address (RFC822) or other name for which a preferred certificate will be associated. |
||||
@param keyUsage A CFArrayRef value, containing items defined in SecItem.h Pass NULL to ignore this parameter. (kSecAttrCanEncrypt, kSecAttrCanDecrypt, kSecAttrCanDerive, kSecAttrCanSign, kSecAttrCanVerify, kSecAttrCanWrap, kSecAttrCanUnwrap) |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function will typically be used to set the preferred encryption certificate for an email recipient, either manually (when encrypting email to a recipient) |
||||
or automatically upon receipt of encrypted email. |
||||
*/ |
||||
OSStatus SecCertificateSetPreferred(SecCertificateRef __nullable certificate, CFStringRef name, CFArrayRef __nullable keyUsage) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@enum kSecPropertyKey |
||||
@abstract Constants used to access dictionary entries returned by SecCertificateCopyValues |
||||
@constant kSecPropertyKeyType The type of the entry |
||||
@constant kSecPropertyKeyLabel The label of the entry |
||||
@constant kSecPropertyKeyLocalizedLabel The localized label of the entry |
||||
@constant kSecPropertyKeyValue The value of the entry |
||||
*/ |
||||
|
||||
extern const CFStringRef kSecPropertyKeyType __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPropertyKeyLabel __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPropertyKeyLocalizedLabel __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPropertyKeyValue __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@enum kSecPropertyType |
||||
@abstract Public Constants for property list values returned by SecCertificateCopyValues |
||||
@discussion Note that kSecPropertyTypeTitle and kSecPropertyTypeError are defined in SecTrust.h |
||||
*/ |
||||
extern const CFStringRef kSecPropertyTypeWarning __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPropertyTypeSuccess __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPropertyTypeSection __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPropertyTypeData __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPropertyTypeString __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPropertyTypeURL __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPropertyTypeDate __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyValues |
||||
@abstract Creates a dictionary that represents a certificate's contents. |
||||
@param certificate The certificate from which to get values |
||||
@param keys An array of string OID values, or NULL. If present, this is
|
||||
the subset of values from the certificate to return. If NULL, |
||||
all values will be returned. Only OIDs that are top level keys |
||||
in the returned dictionary can be specified. Unknown OIDs are |
||||
ignored. |
||||
@param error An optional pointer to a CFErrorRef. This value is
|
||||
set if an error occurred. If not NULL the caller is
|
||||
responsible for releasing the CFErrorRef. |
||||
@discussion The keys array will contain all of the keys used in the |
||||
returned dictionary. The top level keys in the returned |
||||
dictionary are OIDs, many of which are found in SecCertificateOIDs.h. |
||||
Each entry that is returned is itself a dictionary with four |
||||
entries, whose keys are kSecPropertyKeyType, kSecPropertyKeyLabel,
|
||||
kSecPropertyKeyLocalizedLabel, kSecPropertyKeyValue. The label |
||||
entries may contain a descriptive (localized) string, or an |
||||
OID string. The kSecPropertyKeyType describes the type in the |
||||
value entry. The value entry may be any CFType, although it
|
||||
is usually a CFStringRef, CFArrayRef or a CFDictionaryRef.
|
||||
*/ |
||||
__nullable |
||||
CFDictionaryRef SecCertificateCopyValues(SecCertificateRef certificate, CFArrayRef __nullable keys, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@enum Transform Key Value Constants |
||||
@discussion Predefined values for the kSecTransformAttrCertificateUsage attribute. |
||||
|
||||
|
||||
kSecCertificateUsageSigning |
||||
kSecCertificateUsageSigningAndEncrypting |
||||
kSecCertificateUsageDeriveAndSign |
||||
|
||||
*/ |
||||
|
||||
extern const CFStringRef kSecCertificateUsageSigning __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecCertificateUsageSigningAndEncrypting __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecCertificateUsageDeriveAndSign __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyLongDescription |
||||
@abstract Return the long description of a certificate |
||||
@param alloc The CFAllocator which should be used to allocate |
||||
memory for the dictionary and its storage for values. This |
||||
parameter may be NULL in which case the current default |
||||
CFAllocator is used. If this reference is not a valid |
||||
CFAllocator, the behavior is undefined. |
||||
@param certificate The certificate from which to retrieve the long description |
||||
@param error An optional pointer to a CFErrorRef. This value is
|
||||
set if an error occurred. If not NULL the caller is
|
||||
responsible for releasing the CFErrorRef. |
||||
@result A CFStringRef of the long description or NULL. If NULL and the error |
||||
parameter is supplied the error will be returned in the error parameter |
||||
@discussion Note that the format of this string may change in the future |
||||
*/ |
||||
|
||||
__nullable |
||||
CFStringRef SecCertificateCopyLongDescription(CFAllocatorRef __nullable alloc, SecCertificateRef certificate, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyShortDescription |
||||
@abstract Return the short description of a certificate |
||||
@param alloc The CFAllocator which should be used to allocate |
||||
memory for the dictionary and its storage for values. This |
||||
parameter may be NULL in which case the current default |
||||
CFAllocator is used. If this reference is not a valid |
||||
CFAllocator, the behavior is undefined. |
||||
@param certificate The certificate from which to retrieve the short description |
||||
@param error An optional pointer to a CFErrorRef. This value is
|
||||
set if an error occurred. If not NULL the caller is
|
||||
responsible for releasing the CFErrorRef. |
||||
@result A CFStringRef of the short description or NULL. If NULL and the error |
||||
parameter is supplied the error will be returned in the error parameter |
||||
@discussion Note that the format of this string may change in the future |
||||
*/ |
||||
|
||||
__nullable |
||||
CFStringRef SecCertificateCopyShortDescription(CFAllocatorRef __nullable alloc, SecCertificateRef certificate, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopySerialNumber |
||||
@abstract Return the certificate's serial number. |
||||
@param certificate The certificate from which to get values |
||||
@param error An optional pointer to a CFErrorRef. This value is
|
||||
set if an error occurred. If not NULL the caller is
|
||||
responsible for releasing the CFErrorRef. |
||||
@discussion Return the content of a DER-encoded integer (without the |
||||
tag and length fields) for this certificate's serial
|
||||
number. The caller must CFRelease the value returned. |
||||
*/ |
||||
|
||||
__nullable |
||||
CFDataRef SecCertificateCopySerialNumber(SecCertificateRef certificate, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyNormalizedIssuerContent |
||||
@abstract Return the certificate's normalized issuer |
||||
@param certificate The certificate from which to get values |
||||
@param error An optional pointer to a CFErrorRef. This value is
|
||||
set if an error occurred. If not NULL the caller is
|
||||
responsible for releasing the CFErrorRef. |
||||
@discussion The issuer is a sequence in the format used by |
||||
SecItemCopyMatching. The content returned is a DER-encoded |
||||
X.509 distinguished name. For a display version of the issuer, |
||||
call SecCertificateCopyValues. The caller must CFRelease |
||||
the value returned. |
||||
*/ |
||||
|
||||
__nullable |
||||
CFDataRef SecCertificateCopyNormalizedIssuerContent(SecCertificateRef certificate, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecCertificateCopyNormalizedSubjectContent |
||||
@abstract Return the certificate's normalized subject |
||||
@param certificate The certificate from which to get values |
||||
@param error An optional pointer to a CFErrorRef. This value is
|
||||
set if an error occurred. If not NULL the caller is
|
||||
responsible for releasing the CFErrorRef. |
||||
@discussion The subject is a sequence in the format used by |
||||
SecItemCopyMatching. The content returned is a DER-encoded |
||||
X.509 distinguished name. For a display version of the subject, |
||||
call SecCertificateCopyValues. The caller must CFRelease |
||||
the value returned. |
||||
*/ |
||||
|
||||
__nullable |
||||
CFDataRef SecCertificateCopyNormalizedSubjectContent(SecCertificateRef certificate, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECCERTIFICATE_H_ */ |
@ -0,0 +1,172 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2012 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecCertificateOIDs |
||||
These constants are used to access entries in the dictionary returned by |
||||
SecCertificateCopyValues, which are the parsed field from a certificate.
|
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECCERTIFICATEOIDS_H_ |
||||
#define _SECURITY_SECCERTIFICATEOIDS_H_ |
||||
|
||||
#include <CoreFoundation/CFBase.h> |
||||
#include <Availability.h> |
||||
#include <AvailabilityMacros.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
extern const CFStringRef kSecOIDADC_CERT_POLICY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_CERT_POLICY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EKU_CODE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EKU_CODE_SIGNING_DEV __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EKU_ICHAT_ENCRYPTION __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EKU_ICHAT_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EKU_RESOURCE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EKU_SYSTEM_IDENTITY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION_ADC_APPLE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION_ADC_DEV_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION_APPLE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION_CODE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION_INTERMEDIATE_MARKER __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION_WWDR_INTERMEDIATE __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION_ITMS_INTERMEDIATE __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION_AAI_INTERMEDIATE __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAPPLE_EXTENSION_APPLEID_INTERMEDIATE __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAuthorityInfoAccess __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDAuthorityKeyIdentifier __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDBasicConstraints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDBiometricInfo __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCSSMKeyStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCertIssuer __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCertificatePolicies __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDClientAuth __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCollectiveStateProvinceName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCollectiveStreetAddress __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCommonName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCountryName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCrlDistributionPoints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCrlNumber __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDCrlReason __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDDOTMAC_CERT_EMAIL_ENCRYPT __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDDOTMAC_CERT_EMAIL_SIGN __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDDOTMAC_CERT_EXTENSION __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDDOTMAC_CERT_IDENTITY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDDOTMAC_CERT_POLICY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDDeltaCrlIndicator __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDDescription __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDEKU_IPSec __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDEmailAddress __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDEmailProtection __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDExtendedKeyUsage __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDExtendedKeyUsageAny __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDExtendedUseCodeSigning __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDGivenName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDHoldInstructionCode __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDInvalidityDate __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDIssuerAltName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDIssuingDistributionPoint __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDIssuingDistributionPoints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDKERBv5_PKINIT_KP_CLIENT_AUTH __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDKERBv5_PKINIT_KP_KDC __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDKeyUsage __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDLocalityName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDMS_NTPrincipalName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDMicrosoftSGC __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDNameConstraints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDNetscapeCertSequence __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDNetscapeCertType __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDNetscapeSGC __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDOCSPSigning __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDOrganizationName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDOrganizationalUnitName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDPolicyConstraints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDPolicyMappings __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDPrivateKeyUsagePeriod __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDQC_Statements __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSerialNumber __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDServerAuth __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDStateProvinceName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDStreetAddress __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSubjectAltName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSubjectDirectoryAttributes __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSubjectEmailAddress __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSubjectInfoAccess __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSubjectKeyIdentifier __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSubjectPicture __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSubjectSignatureBitmap __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSurname __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDTimeStamping __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDTitle __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDUseExemptions __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1CertificateIssuerUniqueId __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1CertificateSubjectUniqueId __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1IssuerName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1IssuerNameCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1IssuerNameLDAP __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1IssuerNameStd __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SerialNumber __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1Signature __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SignatureAlgorithm __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SignatureAlgorithmParameters __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SignatureAlgorithmTBS __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SignatureCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SignatureStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SubjectName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SubjectNameCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SubjectNameLDAP __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SubjectNameStd __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SubjectPublicKey __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SubjectPublicKeyAlgorithm __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SubjectPublicKeyAlgorithmParameters __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1SubjectPublicKeyCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1ValidityNotAfter __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1ValidityNotBefore __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V1Version __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3Certificate __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateExtensionCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateExtensionCritical __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateExtensionId __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateExtensionStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateExtensionType __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateExtensionValue __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateExtensionsCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateExtensionsStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3CertificateNumberOfExtensions __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3SignedCertificate __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDX509V3SignedCertificateCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecOIDSRVName __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_NA); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECCERTIFICATEOIDS_H_ */ |
@ -0,0 +1,447 @@
|
||||
/*
|
||||
* Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecCode |
||||
SecCode represents separately indentified running code in the system. |
||||
In addition to UNIX processes, this can also include (with suitable support) |
||||
scripts, applets, widgets, etc. |
||||
*/ |
||||
#ifndef _H_SECCODE |
||||
#define _H_SECCODE |
||||
|
||||
#include <Security/CSCommon.h> |
||||
#include <CoreFoundation/CFBase.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@function SecCodeGetTypeID |
||||
Returns the type identifier of all SecCode instances. |
||||
*/ |
||||
CFTypeID SecCodeGetTypeID(void); |
||||
|
||||
|
||||
/*!
|
||||
@function SecCodeCopySelf |
||||
Obtains a SecCode object for the code making the call. |
||||
The calling code is determined in a way that is subject to modification over |
||||
time, but obeys the following rules. If it is a UNIX process, its process id (pid) |
||||
is always used. If it is an active code host that has a dedicated guest, such a guest |
||||
is always preferred. If it is a host that has called SecHostSelectGuest, such selection |
||||
is considered until revoked. |
||||
|
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param self Upon successful return, contains a SecCodeRef representing the caller. |
||||
|
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecCodeCopySelf(SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED self); |
||||
|
||||
|
||||
/*!
|
||||
@function SecCodeCopyStaticCode |
||||
Given a SecCode object, locate its origin in the file system and return |
||||
a SecStaticCode object representing it. |
||||
|
||||
The link established by this call is generally reliable but is NOT guaranteed |
||||
to be secure. |
||||
|
||||
Many API functions taking SecStaticCodeRef arguments will also directly |
||||
accept a SecCodeRef and apply this translation implicitly, operating on |
||||
its result or returning its error code if any. Each of these functions |
||||
calls out that behavior in its documentation. |
||||
|
||||
If the code was obtained from a universal (aka "fat") program file, |
||||
the resulting SecStaticCodeRef will refer only to the architecture actually |
||||
being used. This means that multiple running codes started from the same file |
||||
may conceivably result in different static code references if they ended up |
||||
using different execution architectures. (This is unusual but possible.) |
||||
|
||||
@param code A valid SecCode object reference representing code running |
||||
on the system. |
||||
|
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@constant kSecCSUseAllArchitectures |
||||
If code refers to a single architecture of a universal binary, return a SecStaticCodeRef |
||||
that refers to the entire universal code with all its architectures. By default, the |
||||
returned static reference identifies only the actual architecture of the running program. |
||||
|
||||
@param staticCode On successful return, a SecStaticCode object reference representing |
||||
the file system origin of the given SecCode. On error, unchanged. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
CF_ENUM(uint32_t) { |
||||
kSecCSUseAllArchitectures = 1 << 0, |
||||
}; |
||||
|
||||
OSStatus SecCodeCopyStaticCode(SecCodeRef code, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode); |
||||
|
||||
|
||||
/*!
|
||||
@function SecCodeCopyHost |
||||
Given a SecCode object, identify the (different) SecCode object that acts |
||||
as its host. A SecCode's host acts as a supervisor and controller, |
||||
and is the ultimate authority on the its dynamic validity and status. |
||||
The host relationship is securely established (absent reported errors). |
||||
|
||||
@param code A valid SecCode object reference representing code running |
||||
on the system. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param host On successful return, a SecCode object reference identifying |
||||
the code's host. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecCodeCopyHost(SecCodeRef guest, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED host); |
||||
|
||||
/*!
|
||||
@function SecCodeCopyGuestWithAttributes |
||||
This is the omnibus API function for obtaining dynamic code references. |
||||
In general, it asks a particular code acting as a code host to locate |
||||
and return a guest with given attributes. Different hosts support |
||||
different combinations of attributes and values for guest selection.
|
||||
|
||||
Asking the NULL host invokes system default procedures for obtaining |
||||
any running code in the system with the attributes given. The returned |
||||
code may be anywhere in the system. |
||||
|
||||
The methods a host uses to identify, separate, and control its guests |
||||
are specific to each type of host. This call provides a generic abstraction layer |
||||
that allows uniform interrogation of all hosts. A SecCode that does not |
||||
act as a host will always return errSecCSNoSuchCode. A SecCode that does |
||||
support hosting may return itself to signify that the attribute refers to |
||||
itself rather than one of its hosts. |
||||
|
||||
@param host A valid SecCode object reference representing code running |
||||
on the system that acts as a Code Signing host. As a special case, passing |
||||
NULL indicates that the Code Signing root of trust should be used as a starting |
||||
point. Currently, that is the system kernel. |
||||
@param attributes A CFDictionary containing zero or more attribute selector |
||||
values. Each selector has a CFString key and associated CFTypeRef value. |
||||
The key name identifies the attribute being specified; the associated value, |
||||
whose type depends on the the key name, selects a particular value or other |
||||
constraint on that attribute. Each host only supports particular combinations |
||||
of keys and values, and errors will be returned if any unsupported set is requested. |
||||
As a special case, NULL is taken to mean an empty attribute set. |
||||
Note that some hosts that support hosting chains (guests being hosts) |
||||
may return sub-guests in this call. In other words, do not assume that |
||||
a SecCodeRef returned by this call is a direct guest of the queried host |
||||
(though it will be a proximate guest, i.e. a guest's guest some way down). |
||||
Asking the NULL host for NULL attributes returns a code reference for the system root |
||||
of trust (at present, the running Darwin kernel). |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param guest On successful return, a SecCode object reference identifying |
||||
the particular guest of the host that owns the attribute value(s) specified. |
||||
This argument will not be changed if the call fails (does not return errSecSuccess). |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. In particular: |
||||
@error errSecCSUnsupportedGuestAttributes The host does not support the attribute |
||||
type given by attributeType. |
||||
@error errSecCSInvalidAttributeValues The type of value given for a guest |
||||
attribute is not supported by the host. |
||||
@error errSecCSNoSuchCode The host has no guest with the attribute value given |
||||
by attributeValue, even though the value is of a supported type. This may also |
||||
be returned if the host code does not currently act as a Code Signing host. |
||||
@error errSecCSNotAHost The specified host cannot, in fact, act as a code |
||||
host. (It is missing the kSecCodeSignatureHost option flag in its code |
||||
signature.) |
||||
@error errSecCSMultipleGuests The attributes specified do not uniquely identify |
||||
a guest (the specification is ambiguous). |
||||
*/ |
||||
extern const CFStringRef kSecGuestAttributeCanonical; |
||||
extern const CFStringRef kSecGuestAttributeHash; |
||||
extern const CFStringRef kSecGuestAttributeMachPort; |
||||
extern const CFStringRef kSecGuestAttributePid; |
||||
extern const CFStringRef kSecGuestAttributeDynamicCode; |
||||
extern const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist; |
||||
extern const CFStringRef kSecGuestAttributeArchitecture; |
||||
extern const CFStringRef kSecGuestAttributeSubarchitecture; |
||||
|
||||
OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef __nullable host, |
||||
CFDictionaryRef __nullable attributes, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED guest); |
||||
|
||||
|
||||
/*!
|
||||
@function SecCodeCheckValidity |
||||
Performs dynamic validation of the given SecCode object. The call obtains and |
||||
verifies the signature on the code object. It checks the validity of only those |
||||
sealed components required to establish identity. It checks the SecCode's |
||||
dynamic validity status as reported by its host. It ensures that the SecCode's |
||||
host is in turn valid. Finally, it validates the code against a SecRequirement |
||||
if one is given. The call succeeds if all these conditions are satisfactory. |
||||
It fails otherwise. |
||||
|
||||
This call is secure against attempts to modify the file system source of the |
||||
SecCode. |
||||
|
||||
@param code The code object to be validated. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param requirement An optional code requirement specifying additional conditions |
||||
the code object must satisfy to be considered valid. If NULL, no additional |
||||
requirements are imposed. |
||||
@param errors An optional pointer to a CFErrorRef variable. If the call fails |
||||
(and something other than errSecSuccess is returned), and this argument is non-NULL, |
||||
a CFErrorRef is stored there further describing the nature and circumstances |
||||
of the failure. The caller must CFRelease() this error object when done with it. |
||||
@result If validation passes, errSecSuccess. If validation fails, an OSStatus value |
||||
documented in CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecCodeCheckValidity(SecCodeRef code, SecCSFlags flags, |
||||
SecRequirementRef __nullable requirement); |
||||
|
||||
OSStatus SecCodeCheckValidityWithErrors(SecCodeRef code, SecCSFlags flags, |
||||
SecRequirementRef __nullable requirement, CFErrorRef *errors); |
||||
|
||||
|
||||
/*!
|
||||
@function SecCodeCopyPath |
||||
For a given Code or StaticCode object, returns a URL to a location on disk where the |
||||
code object can be found. For single files, the URL points to that file. |
||||
For bundles, it points to the directory containing the entire bundle. |
||||
|
||||
This returns the same URL as the kSecCodeInfoMainExecutable key returned |
||||
by SecCodeCopySigningInformation. |
||||
|
||||
@param code The Code or StaticCode object to be located. For a Code |
||||
argument, its StaticCode is processed as per SecCodeCopyStaticCode. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param path On successful return, contains a CFURL identifying the location |
||||
on disk of the staticCode object. |
||||
@result On success, errSecSuccess. On error, an OSStatus value |
||||
documented in CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecCodeCopyPath(SecStaticCodeRef staticCode, SecCSFlags flags, |
||||
CFURLRef * __nonnull CF_RETURNS_RETAINED path); |
||||
|
||||
|
||||
/*!
|
||||
@function SecCodeCopyDesignatedRequirement |
||||
For a given Code or StaticCode object, determines its Designated Code Requirement. |
||||
The Designated Requirement is the SecRequirement that the code believes |
||||
should be used to properly identify it in the future. |
||||
|
||||
If the SecCode contains an explicit Designated Requirement, a copy of that |
||||
is returned. If it does not, a SecRequirement is implicitly constructed from |
||||
its signing authority and its embedded unique identifier. No Designated |
||||
Requirement can be obtained from code that is unsigned. Code that is modified |
||||
after signature, improperly signed, or has become invalid, may or may not yield |
||||
a Designated Requirement. This call does not validate the SecStaticCode argument. |
||||
|
||||
@param code The Code or StaticCode object to be interrogated. For a Code |
||||
argument, its StaticCode is processed as per SecCodeCopyStaticCode. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param requirement On successful return, contains a copy of a SecRequirement |
||||
object representing the code's Designated Requirement. On error, unchanged. |
||||
@result On success, errSecSuccess. On error, an OSStatus value |
||||
documented in CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecCodeCopyDesignatedRequirement(SecStaticCodeRef code, SecCSFlags flags, |
||||
SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement); |
||||
|
||||
|
||||
/*
|
||||
@function SecCodeCopySigningInformation |
||||
For a given Code or StaticCode object, extract various pieces of information |
||||
from its code signature and return them in the form of a CFDictionary. The amount |
||||
and detail level of the data is controlled by the flags passed to the call. |
||||
|
||||
If the code exists but is not signed at all, this call will succeed and return |
||||
a dictionary that does NOT contain the kSecCodeInfoIdentifier key. This is the |
||||
recommended way to check quickly whether a code is signed. |
||||
|
||||
If the signing data for the code is corrupt or invalid, this call may fail or it |
||||
may return partial data. To ensure that only valid data is returned (and errors |
||||
are raised for invalid data), you must successfully call one of the CheckValidity |
||||
functions on the code before calling CopySigningInformation. |
||||
|
||||
@param code The Code or StaticCode object to be interrogated. For a Code |
||||
argument, its StaticCode is processed as per SecCodeCopyStaticCode. |
||||
Note that dynamic information (kSecCSDynamicInformation) cannot be obtained |
||||
for a StaticCode argument. |
||||
@param flags Optional flags. Use any or all of the kSecCS*Information flags |
||||
to select what information to return. A generic set of entries is returned |
||||
regardless; you may specify kSecCSDefaultFlags for just those. |
||||
@param information A CFDictionary containing information about the code is stored |
||||
here on successful completion. The contents of the dictionary depend on |
||||
the flags passed. Regardless of flags, the kSecCodeInfoIdentifier key is |
||||
always present if the code is signed, and always absent if the code is |
||||
unsigned. |
||||
Note that some of the objects returned are (retained) "live" API objects |
||||
used by the code signing infrastructure. Making changes to these objects |
||||
is unsupported and may cause subsequent code signing operations on the |
||||
affected code to behave in undefined ways. |
||||
@result On success, errSecSuccess. On error, an OSStatus value |
||||
documented in CSCommon.h or certain other Security framework headers. |
||||
|
||||
Flags: |
||||
|
||||
@constant kSecCSSigningInformation Return cryptographic signing information, |
||||
including the certificate chain and CMS data (if any). For ad-hoc signed |
||||
code, there are no certificates and the CMS data is empty. |
||||
@constant kSecCSRequirementInformation Return information about internal code |
||||
requirements embedded in the code. This includes the Designated Requirement. |
||||
@constant kSecCSInternalInformation Return internal code signing information. |
||||
This information is for use by Apple, and is subject to change without notice. |
||||
It will not be further documented here. |
||||
@constant kSecCSDynamicInformation Return dynamic validity information about |
||||
the Code. The subject code must be a SecCodeRef (not a SecStaticCodeRef). |
||||
@constant kSecCSContentInformation Return more information about the file system |
||||
contents making up the signed code on disk. It is not generally advisable to |
||||
make use of this information, but some utilities (such as software-update |
||||
tools) may find it useful. |
||||
|
||||
Dictionary keys: |
||||
|
||||
@constant kSecCodeInfoCertificates A CFArray of SecCertificates identifying the |
||||
certificate chain of the signing certificate as seen by the system. Absent |
||||
for ad-hoc signed code. May be partial or absent in error cases. |
||||
@constant kSecCodeInfoChangedFiles A CFArray of CFURLs identifying all files in |
||||
the code that may have been modified by the process of signing it. (In other |
||||
words, files not in this list will not have been touched by the signing operation.) |
||||
@constant kSecCodeInfoCMS A CFData containing the CMS cryptographic object that |
||||
secures the code signature. Empty for ad-hoc signed code. |
||||
@constant kSecCodeInfoDesignatedRequirement A SecRequirement describing the |
||||
actual Designated Requirement of the code. |
||||
@constant kSecCodeInfoEntitlements A CFData containing the embedded entitlement |
||||
blob of the code, if any. |
||||
@constant kSecCodeInfoEntitlementsDict A CFDictionary containing the embedded entitlements |
||||
of the code if it has entitlements and they are in standard dictionary form. |
||||
Absent if the code has no entitlements, or they are in a different format (in which |
||||
case, see kSecCodeInfoEntitlements). |
||||
@constant kSecCodeInfoFlags A CFNumber with the static (on-disk) state of the object. |
||||
Contants are defined by the type SecCodeSignatureFlags. |
||||
@constant kSecCodeInfoFormat A CFString characterizing the type and format of |
||||
the code. Suitable for display to a (knowledeable) user. |
||||
@constant kSecCodeInfoDigestAlgorithm A CFNumber indicating the kind of cryptographic |
||||
hash function used within the signature to seal its pieces together. |
||||
@constant kSecCodeInfoPlatformIdentifier If this code was signed as part of an operating |
||||
system release, this value identifies that release. |
||||
@constant kSecCodeInfoIdentifier A CFString with the actual signing identifier |
||||
sealed into the signature. Absent for unsigned code. |
||||
@constant kSecCodeInfoImplicitDesignatedRequirement A SecRequirement describing |
||||
the designated requirement that the system did generate, or would have generated, |
||||
for the code. If the Designated Requirement was implicitly generated, this is |
||||
the same object as kSecCodeInfoDesignatedRequirement; this can be used to test |
||||
for an explicit Designated Requirement. |
||||
@constant kSecCodeInfoMainExecutable A CFURL identifying the main executable file |
||||
of the code. For single files, that is the file itself. For bundles, it is the |
||||
main executable as identified by its Info.plist. |
||||
@constant kSecCodeInfoPList A retained CFDictionary referring to the secured Info.plist |
||||
as seen by code signing. Absent if no Info.plist is known to the code signing |
||||
subsystem. Note that this is not the same dictionary as the one CFBundle would |
||||
give you (CFBundle is free to add entries to the on-disk plist). |
||||
@constant kSecCodeInfoRequirements A CFString describing the internal requirements |
||||
of the code in canonical syntax. |
||||
@constant kSecCodeInfoRequirementsData A CFData containing the internal requirements |
||||
of the code as a binary blob. |
||||
@constant kSecCodeInfoSource A CFString describing the source of the code signature |
||||
used for the code object. The values are meant to be shown in informational |
||||
displays; do not rely on the precise value returned. |
||||
@constant kSecCodeInfoStatus A CFNumber containing the dynamic status word of the |
||||
(running) code. This is a snapshot at the time the API is executed and may be |
||||
out of date by the time you examine it. Do note however that most of the bits |
||||
are sticky and thus some values are permanently reliable. Be careful. |
||||
@constant kSecCodeInfoTime A CFDate describing the signing date (securely) embedded |
||||
in the code signature. Note that a signer is able to omit this date or pre-date |
||||
it. Nobody certifies that this was really the date the code was signed; however, |
||||
you do know that this is the date the signer wanted you to see. |
||||
Ad-hoc signatures have no CMS and thus never have secured signing dates. |
||||
@constant kSecCodeInfoTimestamp A CFDate describing the signing date as (securely) |
||||
certified by a timestamp authority service. This time cannot be falsified by the |
||||
signer; you trust the timestamp authority's word on this. |
||||
Ad-hoc signatures have no CMS and thus never have secured signing dates. |
||||
@constant kSecCodeInfoTrust The (retained) SecTrust object the system uses to |
||||
evaluate the validity of the code's signature. You may use the SecTrust API |
||||
to extract detailed information, particularly for reasons why certificate |
||||
validation may have failed. This object may continue to be used for further |
||||
evaluations of this code; if you make any changes to it, behavior is undefined. |
||||
@constant kSecCodeInfoUnique A CFData binary identifier that uniquely identifies |
||||
the static code in question. It can be used to recognize this particular code |
||||
(and none other) now or in the future. Compare to kSecCodeInfoIdentifier, which |
||||
remains stable across (developer-approved) updates. |
||||
The algorithm used may change from time to time. However, for any existing signature, |
||||
the value is stable. |
||||
*/ |
||||
CF_ENUM(uint32_t) { |
||||
kSecCSInternalInformation = 1 << 0, |
||||
kSecCSSigningInformation = 1 << 1, |
||||
kSecCSRequirementInformation = 1 << 2, |
||||
kSecCSDynamicInformation = 1 << 3, |
||||
kSecCSContentInformation = 1 << 4 |
||||
}; |
||||
/* flag required to get this value */ |
||||
extern const CFStringRef kSecCodeInfoCertificates; /* Signing */ |
||||
extern const CFStringRef kSecCodeInfoChangedFiles; /* Content */ |
||||
extern const CFStringRef kSecCodeInfoCMS; /* Signing */ |
||||
extern const CFStringRef kSecCodeInfoDesignatedRequirement; /* Requirement */ |
||||
extern const CFStringRef kSecCodeInfoEntitlements; /* Requirement */ |
||||
extern const CFStringRef kSecCodeInfoEntitlementsDict; /* Requirement */ |
||||
extern const CFStringRef kSecCodeInfoFlags; /* generic */ |
||||
extern const CFStringRef kSecCodeInfoFormat; /* generic */ |
||||
extern const CFStringRef kSecCodeInfoDigestAlgorithm; /* generic */ |
||||
extern const CFStringRef kSecCodeInfoPlatformIdentifier; /* generic */ |
||||
extern const CFStringRef kSecCodeInfoIdentifier; /* generic */ |
||||
extern const CFStringRef kSecCodeInfoImplicitDesignatedRequirement; /* Requirement */ |
||||
extern const CFStringRef kSecCodeInfoMainExecutable; /* generic */ |
||||
extern const CFStringRef kSecCodeInfoPList; /* generic */ |
||||
extern const CFStringRef kSecCodeInfoRequirements; /* Requirement */ |
||||
extern const CFStringRef kSecCodeInfoRequirementData; /* Requirement */ |
||||
extern const CFStringRef kSecCodeInfoSource; /* generic */ |
||||
extern const CFStringRef kSecCodeInfoStatus; /* Dynamic */ |
||||
extern const CFStringRef kSecCodeInfoTeamIdentifier; /* Signing */ |
||||
extern const CFStringRef kSecCodeInfoTime; /* Signing */ |
||||
extern const CFStringRef kSecCodeInfoTimestamp; /* Signing */ |
||||
extern const CFStringRef kSecCodeInfoTrust; /* Signing */ |
||||
extern const CFStringRef kSecCodeInfoUnique; /* generic */ |
||||
|
||||
OSStatus SecCodeCopySigningInformation(SecStaticCodeRef code, SecCSFlags flags, |
||||
CFDictionaryRef * __nonnull CF_RETURNS_RETAINED information); |
||||
|
||||
|
||||
/*
|
||||
@function SecCodeMapMemory |
||||
For a given Code or StaticCode object, ask the kernel to accept the signing information |
||||
currently attached to it in the caller and use it to validate memory page-ins against it, |
||||
updating dynamic validity state accordingly. This change affects all processes that have |
||||
the main executable of this code mapped. |
||||
|
||||
@param code A Code or StaticCode object representing the signed code whose main executable |
||||
should be subject to page-in validation. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
*/ |
||||
OSStatus SecCodeMapMemory(SecStaticCodeRef code, SecCSFlags flags); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif //_H_SECCODE
|
@ -0,0 +1,244 @@
|
||||
/*
|
||||
* Copyright (c) 2006-2007,2011,2013 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecCodeHost |
||||
This header provides the hosting API for Code Signing. These are calls |
||||
that are (only) made by code that is hosting guests. |
||||
In the context of Code Signing, a Host is code that creates and manages other |
||||
codes from which it defends its own integrity. As part of that duty, it maintains |
||||
state for each of its children, and answers questions about them. |
||||
|
||||
A Host is externally represented by a SecCodeRef (it is a SecCode object). |
||||
So is a Guest. There is no specific API object to represent Hosts or Guests. |
||||
Within the Hosting API, guests are identified by simple numeric handles that |
||||
are unique and valid only in the context of their specific host. |
||||
|
||||
The functions in this API always apply to the Host making the API calls. |
||||
They cannot be used to (directly) interrogate another host. |
||||
*/ |
||||
#ifndef _H_SECCODEHOST |
||||
#define _H_SECCODEHOST |
||||
|
||||
#include <Security/CSCommon.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@header SecCodeHost |
||||
This header describes the Code Signing Hosting API. These are calls made |
||||
by code that wishes to become a Host in the Code Signing Host/Guest infrastructure. |
||||
Hosting allows the caller to establish separate, independent code identities |
||||
(SecCodeRefs) for parts of itself, usually because it is loading and managing |
||||
code in the form of scripts, plugins, etc. |
||||
|
||||
The Hosting API does not directly connect to the Code Signing Client APIs. |
||||
Certain calls in the client API will cause internal queries to hosts about their |
||||
guests. The Host side of these queries is managed through this API. The results |
||||
will eventually be delivered to client API callers in appropriate form. |
||||
|
||||
If code never calls any of the Hosting API functions, it is deemed to not have |
||||
guests and not act as a Host. This is the default and requires no action. |
||||
|
||||
Hosting operates in one of two modes, dynamic or proxy. Whichever mode is first |
||||
engaged prevails for the lifetime of the caller. There is no way to switch between |
||||
the two, and calling an API belonging to the opposite mode will fail. |
||||
|
||||
In dynamic hosting mode, the caller provides a Mach port that receives direct |
||||
queries about its guests. Dynamic mode is engaged by calling SecHostSetHostingPort. |
||||
|
||||
In proxy hosting mode, the caller provides information about its guests as |
||||
guests are created, removed, or change status. The system caches this information |
||||
and answers queries about guests from this pool of information. The caller is not |
||||
directly involved in answering such queries, and has no way to intervene. |
||||
*/ |
||||
|
||||
|
||||
/*!
|
||||
@function SecHostCreateGuest |
||||
Create a new Guest and describe its initial properties. |
||||
|
||||
This call activates Hosting Proxy Mode. From here on, the system will record |
||||
guest information provided through SecHostCreateGuest, SecHostSetGuestStatus, and |
||||
SecHostRemoveGuest, and report hosting status to callers directly. This mode |
||||
is incompatible with dynamic host mode as established by a call to SecHostSetHostingPort. |
||||
|
||||
@param host Pass kSecNoGuest to create a guest of the process itself. |
||||
To create a guest of another guest (extending the hosting chain), pass the SecGuestRef |
||||
of the guest to act as the new guest's host. If host has a dedicated guest, |
||||
it will be deemed to be be the actual host, recursively. |
||||
@param status The Code Signing status word for the new guest. These are combinations |
||||
of the kSecCodeStatus* flags in <Security/CSCommon.h>. Note that the proxy will enforce |
||||
the rules for the stickiness of these bits. In particular, if you don't pass the |
||||
kSecCodeStatusValid bit during creation, your new guest will be born invalid and will |
||||
never have a valid identity. |
||||
@param path The canonical path to the guest's code on disk. This is the path you would |
||||
pass to SecStaticCodeCreateWithPath to make a static code object reference. You must |
||||
use an absolute path. |
||||
@param attributes An optional CFDictionaryRef containing attributes that can be used |
||||
to locate this particular guest among all of the caller's guests. The "canonical" |
||||
attribute is automatically added for the value of guestRef. If you pass NULL, |
||||
no other attributes are established for the guest. |
||||
While any key can be used in the attributes dictionary, the kSecGuestAttribute* constants |
||||
(in SecCode.h) are conventionally used here. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior, or |
||||
a combination of the flags defined below for special features. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
@param newGuest Upon successful creation of the new guest, the new SecGuestRef |
||||
that should be used to identify the new guest from here on. |
||||
|
||||
@constant kSecCSDedicatedHost Declares dedicated hosting for the given host. |
||||
In dedicated hosting, the host has exactly one guest (the one this call is |
||||
introducing), and the host will spend all of its time from here on running |
||||
that guest (or on its behalf). This declaration is irreversable for the lifetime |
||||
of the host. Note that this is a declaration about the given host, and is not |
||||
binding upon other hosts on either side of the hosting chain, though they in turn |
||||
may declare dedicated hosting if desired. |
||||
It is invalid to declare dedicated hosting if other guests have already been |
||||
introduced for this host, and it is invalid to introduce additional guests |
||||
for this host after this call. |
||||
@constant kSecCSGenerateGuestHash Ask the proxy to generate the binary identifier |
||||
(hash of CodeDirectory) from the copy on disk at the path given. This is not optimal |
||||
since an attacker with write access may be able to substitute a different copy just |
||||
in time, but it is convenient. For optimal security, the host should calculate the |
||||
hash from the loaded in-memory signature of its guest and pass the result as an |
||||
attribute with key kSecGuestAttributeHash. |
||||
*/ |
||||
CF_ENUM(uint32_t) { |
||||
kSecCSDedicatedHost = 1 << 0, |
||||
kSecCSGenerateGuestHash = 1 << 1, |
||||
}; |
||||
|
||||
OSStatus SecHostCreateGuest(SecGuestRef host, |
||||
uint32_t status, CFURLRef path, CFDictionaryRef __nullable attributes, |
||||
SecCSFlags flags, SecGuestRef * __nonnull newGuest); |
||||
|
||||
|
||||
/*!
|
||||
@function SecHostRemoveGuest |
||||
Announce that the guest with the given guestRef has permanently disappeared. |
||||
It removes all memory of the guest from the hosting system. You cannot remove |
||||
a dedicated guest. |
||||
|
||||
@param host The SecGuestRef that was used to create guest. You cannot specify |
||||
a proximate host (host of a host) here. However, the substitution for dedicated |
||||
guests described for SecHostCreateGuest also takes place here. |
||||
@param guest The handle for a Guest previously created with SecHostCreateGuest |
||||
that has not previously been destroyed. This guest is to be destroyed now. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecHostRemoveGuest(SecGuestRef host, SecGuestRef guest, SecCSFlags flags); |
||||
|
||||
|
||||
/*!
|
||||
@function SecHostSelectGuest |
||||
Tell the Code Signing host subsystem that the calling thread will now act |
||||
on behalf of the given Guest. This must be a valid Guest previously created |
||||
with SecHostCreateGuest. |
||||
|
||||
@param guestRef The handle for a Guest previously created with SecHostCreateGuest |
||||
on whose behalf this thread will act from now on. This setting will be remembered |
||||
until it is changed (or the thread terminates). |
||||
To indicate that the thread will act on behalf of the Host itself (rather than |
||||
any Guest), pass kSecNoGuest. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecHostSelectGuest(SecGuestRef guestRef, SecCSFlags flags); |
||||
|
||||
|
||||
/*!
|
||||
@function SecHostSelectedGuest |
||||
Retrieve the handle for the Guest currently selected for the calling thread. |
||||
|
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param guestRef Will be assigned the SecGuestRef currently in effect for |
||||
the calling thread. If no Guest is active on this thread (i.e. the thread |
||||
is acting for the Host), the return value is kSecNoGuest. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecHostSelectedGuest(SecCSFlags flags, SecGuestRef * __nonnull guestRef); |
||||
|
||||
|
||||
/*!
|
||||
@function SecHostSetGuestStatus |
||||
Updates the status of a particular guest. |
||||
|
||||
@param guestRef The handle for a Guest previously created with SecHostCreateGuest |
||||
on whose behalf this thread will act from now on. This setting will be remembered |
||||
until it is changed (or the thread terminates). |
||||
@param status The new Code Signing status word for the guest. The proxy enforces |
||||
the restrictions on changes to guest status; in particular, the kSecCodeStatusValid bit can only |
||||
be cleared, and the kSecCodeStatusHard and kSecCodeStatusKill flags can only be set. Pass the previous |
||||
guest status to indicate that no change is desired. |
||||
@param attributes An optional dictionary containing attributes to be used to distinguish |
||||
this guest from all guests of the caller. If given, it completely replaces the attributes |
||||
specified earlier. If NULL, previously established attributes are retained. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecHostSetGuestStatus(SecGuestRef guestRef, |
||||
uint32_t status, CFDictionaryRef __nullable attributes, |
||||
SecCSFlags flags); |
||||
|
||||
|
||||
/*!
|
||||
@function SecHostSetHostingPort |
||||
Tells the Code Signing Hosting subsystem that the calling code will directly respond |
||||
to hosting inquiries over the given port. |
||||
|
||||
This API should be the first hosting API call made. With it, the calling code takes |
||||
direct responsibility for answering questions about its guests using the hosting IPC |
||||
services. The SecHostCreateGuest, SecHostDestroyGuest and SecHostSetGuestStatus calls |
||||
are not valid after this. The SecHostSelectGuest and SecHostSelectedGuest calls will |
||||
still work, and will use whatever SecGuestRefs the caller has assigned in its internal |
||||
data structures. |
||||
|
||||
This call cannot be undone; once it is made, record-and-forward facilities are |
||||
disabled for the lifetime of the calling code. |
||||
|
||||
@param hostingPort A Mach message port with send rights. This port will be recorded |
||||
and handed to parties interested in querying the host about its children. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecHostSetHostingPort(mach_port_t hostingPort, SecCSFlags flags); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif //_H_SECCODEHOST
|
@ -0,0 +1,948 @@
|
||||
/*
|
||||
* Copyright (c) 2010-2011,2014 Apple Inc. All Rights Reserved. |
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
#ifndef _SEC_CUSTOM_TRANSFORM_H__ |
||||
#define _SEC_CUSTOM_TRANSFORM_H__ |
||||
|
||||
#include <Security/SecTransform.h> |
||||
|
||||
// Blocks are required for custom transforms
|
||||
#ifdef __BLOCKS__ |
||||
|
||||
CF_EXTERN_C_BEGIN |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@header |
||||
|
||||
Custom transforms are an API that provides the ability to easily create new |
||||
transforms. The essential functions of a transform are created in a |
||||
collection of blocks. These blocks override the standard behavior of the |
||||
base transform; a custom transform with no overrides is a null transform |
||||
that merely passes through a data flow. |
||||
|
||||
A new transform type is created when calling the SecTransformRegister |
||||
function which registers the name of the new transform and sets up its |
||||
overrides. The SecTransformCreate function creates a new instance of a |
||||
registered custom transform. |
||||
|
||||
A sample custom transform is provided here, along with a basic test program. |
||||
This transform creates a Caesar cipher transform, one that simply adds a |
||||
value to every byte of the plaintext. |
||||
|
||||
-----cut here----- |
||||
<pre> |
||||
@textblock |
||||
//
|
||||
// CaesarXform.c
|
||||
//
|
||||
// Copyright (c) 2010-2011,2014 Apple Inc. All Rights Reserved.
|
||||
//
|
||||
//
|
||||
|
||||
#include <Security/SecCustomTransform.h> |
||||
#include <Security/SecTransform.h> |
||||
|
||||
// This is the unique name for the custom transform type.
|
||||
const CFStringRef kCaesarCipher = CFSTR("com.apple.caesarcipher"); |
||||
|
||||
// Name of the "key" attribute.
|
||||
const CFStringRef kKeyAttributeName = CFSTR("key"); |
||||
|
||||
// Shortcut to return a CFError.
|
||||
CFErrorRef invalid_input_error(void) |
||||
{ |
||||
return CFErrorCreate(kCFAllocatorDefault, kSecTransformErrorDomain, |
||||
kSecTransformErrorInvalidInput, NULL); |
||||
} |
||||
|
||||
// =========================================================================
|
||||
// Implementation of the Transform instance
|
||||
// =========================================================================
|
||||
static SecTransformInstanceBlock CaesarImplementation(CFStringRef name, |
||||
SecTransformRef newTransform, |
||||
SecTransformImplementationRef ref) |
||||
{ |
||||
|
||||
SecTransformInstanceBlock instanceBlock = |
||||
^{ |
||||
CFErrorRef result = NULL; |
||||
|
||||
// Every time a new instance of this custom transform class is
|
||||
// created, this block is called. This behavior means that any
|
||||
// block variables created in this block act like instance
|
||||
// variables for the new custom transform instance.
|
||||
__block int _key = 0; |
||||
|
||||
result = SecTransformSetAttributeAction(ref, |
||||
kSecTransformActionAttributeNotification, |
||||
kKeyAttributeName, |
||||
^(SecTransformAttributeRef name, CFTypeRef d) |
||||
{ |
||||
CFNumberGetValue((CFNumberRef)d, kCFNumberIntType, &_key); |
||||
return d; |
||||
}); |
||||
|
||||
if (result) |
||||
return result; |
||||
|
||||
// Create an override that will be called to process the input
|
||||
// data into the output data
|
||||
result = SecTransformSetDataAction(ref, |
||||
kSecTransformActionProcessData, |
||||
^(CFTypeRef d) |
||||
{ |
||||
if (NULL == d) // End of stream?
|
||||
return (CFTypeRef) NULL; // Just return a null.
|
||||
|
||||
char *dataPtr = (char *)CFDataGetBytePtr((CFDataRef)d); |
||||
|
||||
CFIndex dataLength = CFDataGetLength((CFDataRef)d); |
||||
|
||||
// Do the processing in memory. There are better ways to do
|
||||
// this but for showing how custom transforms work this is fine.
|
||||
char *buffer = (char *)malloc(dataLength); |
||||
if (NULL == buffer) |
||||
return (CFTypeRef) invalid_input_error(); // Return a CFErrorRef
|
||||
|
||||
// Do the work of the caesar cipher (Rot(n))
|
||||
|
||||
CFIndex i; |
||||
for (i = 0; i < dataLength; i++) |
||||
buffer[i] = dataPtr[i] + _key; |
||||
|
||||
return (CFTypeRef)CFDataCreateWithBytesNoCopy(NULL, (UInt8 *)buffer, |
||||
dataLength, kCFAllocatorMalloc); |
||||
}); |
||||
return result; |
||||
}; |
||||
|
||||
return Block_copy(instanceBlock); |
||||
} |
||||
|
||||
SecTransformRef CaesarTransformCreate(CFIndex k, CFErrorRef* error) |
||||
{ |
||||
SecTransformRef caesarCipher; |
||||
__block Boolean result = 1; |
||||
static dispatch_once_t registeredOK = 0; |
||||
|
||||
dispatch_once(®isteredOK, |
||||
^{ |
||||
result = SecTransformRegister(kCaesarCipher, &CaesarImplementation, error); |
||||
}); |
||||
|
||||
if (!result) |
||||
return NULL; |
||||
|
||||
caesarCipher = SecTransformCreate(kCaesarCipher, error); |
||||
if (NULL != caesarCipher) |
||||
{ |
||||
CFNumberRef keyNumber = CFNumberCreate(kCFAllocatorDefault, |
||||
kCFNumberIntType, &k); |
||||
SecTransformSetAttribute(caesarCipher, kKeyAttributeName, |
||||
keyNumber, error); |
||||
CFRelease(keyNumber); |
||||
} |
||||
|
||||
return caesarCipher; |
||||
} |
||||
|
||||
|
||||
// The second function shows how to use custom transform defined in the
|
||||
// previous function
|
||||
|
||||
// =========================================================================
|
||||
// Use a custom ROT-N (caesar cipher) transform
|
||||
// =========================================================================
|
||||
CFDataRef TestCaesar(CFDataRef theData, int rotNumber) |
||||
{ |
||||
CFDataRef result = NULL; |
||||
CFErrorRef error = NULL; |
||||
|
||||
if (NULL == theData) |
||||
return result; |
||||
|
||||
// Create an instance of the custom transform
|
||||
SecTransformRef caesarCipher = CaesarTransformCreate(rotNumber, &error); |
||||
if (NULL == caesarCipher || NULL != error) |
||||
return result; |
||||
|
||||
// Set the data to be transformed as the input to the custom transform
|
||||
SecTransformSetAttribute(caesarCipher, |
||||
kSecTransformInputAttributeName, theData, &error); |
||||
|
||||
if (NULL != error) |
||||
{ |
||||
CFRelease(caesarCipher); |
||||
return result; |
||||
} |
||||
|
||||
// Execute the transform synchronously
|
||||
result = (CFDataRef)SecTransformExecute(caesarCipher, &error); |
||||
CFRelease(caesarCipher); |
||||
|
||||
return result; |
||||
} |
||||
|
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
|
||||
int main (int argc, const char *argv[]) |
||||
{ |
||||
CFDataRef testData, testResult; |
||||
UInt8 bytes[26]; |
||||
int i; |
||||
|
||||
// Create some test data, a string from A-Z
|
||||
|
||||
for (i = 0; i < sizeof(bytes); i++) |
||||
bytes[i] = 'A' + i; |
||||
|
||||
testData = CFDataCreate(kCFAllocatorDefault, bytes, sizeof(bytes)); |
||||
CFRetain(testData); |
||||
CFShow(testData); |
||||
|
||||
// Encrypt the test data
|
||||
testResult = TestCaesar(testData, 3); |
||||
|
||||
CFShow(testResult); |
||||
CFRelease(testData); |
||||
CFRelease(testResult); |
||||
return 0; |
||||
} |
||||
@/textblock |
||||
</pre> |
||||
|
||||
*/ |
||||
|
||||
/**************** Custom Transform attribute metadata ****************/ |
||||
|
||||
/*!
|
||||
@enum Custom Transform Attribute Metadata |
||||
@discussion |
||||
Within a transform, each of its attributes is a collection of |
||||
"metadata attributes", of which name and current value are two. The |
||||
value is directly visible from outside; the other metadata |
||||
attributes direct the behavior of the transform and |
||||
its function within its group. Each attribute may be tailored by setting its metadata. |
||||
|
||||
@const kSecTransformMetaAttributeValue |
||||
The actual value of the attribute. The attribute value has a default |
||||
value of NULL. |
||||
|
||||
@const kSecTransformMetaAttributeName |
||||
The name of the attribute. Attribute name is read only and may |
||||
not be used with the SecTransformSetAttributeBlock block. |
||||
|
||||
@const kSecTransformMetaAttributeRef |
||||
A direct reference to an attribute's value. This reference allows |
||||
for direct access to an attribute without having to look up the |
||||
attribute by name. If a transform commonly uses an attribute, using |
||||
a reference speeds up the use of that attribute. Attribute |
||||
references are not visible or valid from outside of the particular |
||||
transform instance. |
||||
|
||||
@const kSecTransformMetaAttributeRequired |
||||
Specifies if an attribute must have a non NULL value set or have an |
||||
incoming connection before the transform starts to execute. This |
||||
metadata has a default value of true for the input attribute, but |
||||
false for all other attributes. |
||||
|
||||
@const kSecTransformMetaAttributeRequiresOutboundConnection |
||||
Specifies if an attribute must have an outbound connection. This |
||||
metadata has a default value of true for the output attribute but is |
||||
false for all other attributes. |
||||
|
||||
@const kSecTransformMetaAttributeDeferred |
||||
Determines if the AttributeSetNotification notification or the |
||||
ProcessData blocks are deferred until SecExecuteTransform is called. |
||||
This metadata value has a default value of true for the input |
||||
attribute but is false for all other attributes. |
||||
|
||||
@const kSecTransformMetaAttributeStream |
||||
Specifies if the attribute should expect a series of values ending |
||||
with a NULL to specify the end of the data stream. This metadata has |
||||
a default value of true for the input and output attributes, but is |
||||
false for all other attributes. |
||||
|
||||
@const kSecTransformMetaAttributeCanCycle |
||||
A Transform group is a directed graph which is typically acyclic. |
||||
Some transforms need to work with cycles. For example, a transform |
||||
that emits a header and trailer around the data of another transform |
||||
must create a cycle. If this metadata set to true, no error is |
||||
returned if a cycle is detected for this attribute. |
||||
|
||||
@const kSecTransformMetaAttributeExternalize |
||||
Specifies if this attribute should be written out when creating the |
||||
external representation of this transform. This metadata has a |
||||
default value of true. |
||||
|
||||
@const kSecTransformMetaAttributeHasOutboundConnections |
||||
This metadata value is true if the attribute has an outbound |
||||
connection. This metadata is read only. |
||||
|
||||
@const kSecTransformMetaAttributeHasInboundConnection |
||||
This metadata value is true if the attribute has an inbound |
||||
connection. This metadata is read only. |
||||
*/ |
||||
|
||||
typedef CF_ENUM(CFIndex, SecTransformMetaAttributeType) |
||||
{ |
||||
kSecTransformMetaAttributeValue, |
||||
kSecTransformMetaAttributeName, |
||||
kSecTransformMetaAttributeRef, |
||||
kSecTransformMetaAttributeRequired, |
||||
kSecTransformMetaAttributeRequiresOutboundConnection, |
||||
kSecTransformMetaAttributeDeferred, |
||||
kSecTransformMetaAttributeStream, |
||||
kSecTransformMetaAttributeCanCycle, |
||||
kSecTransformMetaAttributeExternalize, |
||||
kSecTransformMetaAttributeHasOutboundConnections, |
||||
kSecTransformMetaAttributeHasInboundConnection |
||||
}; |
||||
|
||||
/*!
|
||||
@typedef SecTransformAttributeRef |
||||
|
||||
@abstract A direct reference to an attribute. Using an attribute |
||||
reference speeds up using an attribute's value by removing |
||||
the need to look |
||||
it up by name. |
||||
*/ |
||||
typedef CFTypeRef SecTransformAttributeRef; |
||||
|
||||
|
||||
/*!
|
||||
@typedef SecTransformStringOrAttributeRef |
||||
|
||||
@abstract This type signifies that either a CFStringRef or |
||||
a SecTransformAttributeRef may be used. |
||||
*/ |
||||
typedef CFTypeRef SecTransformStringOrAttributeRef; |
||||
|
||||
|
||||
/*!
|
||||
@typedef SecTransformActionBlock |
||||
|
||||
@abstract A block that overrides the default behavior of a |
||||
custom transform. |
||||
|
||||
@result If this block is used to overide the |
||||
kSecTransformActionExternalizeExtraData action then the |
||||
block should return a CFDictinaryRef of the custom |
||||
items to be exported. For all of other actions the |
||||
block should return NULL. If an error occurs for |
||||
any action, the block should return a CFErrorRef. |
||||
|
||||
@discussion A SecTransformTransformActionBlock block is used to |
||||
override |
||||
the default behavior of a custom transform. This block is |
||||
associated with the SecTransformOverrideTransformAction |
||||
block. |
||||
|
||||
The behaviors that can be overridden are: |
||||
|
||||
kSecTransformActionCanExecute |
||||
Determine if the transform has all of the data |
||||
needed to run. |
||||
|
||||
kSecTransformActionStartingExecution |
||||
Called just before running ProcessData. |
||||
|
||||
kSecTransformActionFinalize |
||||
Called just before deleting the custom transform. |
||||
|
||||
kSecTransformActionExternalizeExtraData |
||||
Called to allow for writing out custom data |
||||
to be exported. |
||||
|
||||
Example: |
||||
<pre> |
||||
@textblock |
||||
SecTransformImplementationRef ref; |
||||
CFErrorRef error = NULL; |
||||
|
||||
error = SecTransformSetTransformAction(ref, kSecTransformActionStartingExecution, |
||||
^{ |
||||
// This is where the work to initialize any data needed
|
||||
// before running
|
||||
CFErrorRef result = DoMyInitialization(); |
||||
return result; |
||||
}); |
||||
|
||||
SecTransformTransformActionBlock actionBlock = |
||||
^{ |
||||
// This is where the work to clean up any existing data
|
||||
// before running
|
||||
CFErrorRef result = DoMyFinalization(); |
||||
return result; |
||||
}; |
||||
|
||||
error = SecTransformSetTransformAction(ref, kSecTransformActionFinalize, |
||||
actionBlock); |
||||
@/textblock |
||||
</pre> |
||||
*/ |
||||
typedef CFTypeRef __nullable (^SecTransformActionBlock)(void); |
||||
|
||||
/*!
|
||||
@typedef SecTransformAttributeActionBlock |
||||
|
||||
@abstract A block used to override the default attribute handling |
||||
for when an attribute is set. |
||||
|
||||
@param attribute The attribute whose default is being overridden or NULL |
||||
if this is a generic notification override |
||||
|
||||
@param value Proposed new value for the attribute. |
||||
|
||||
@result The new value of the attribute if successful. If an |
||||
error occurred then a CFErrorRef is returned. If a transform |
||||
needs to have a CFErrorRef as the value of an attribute, |
||||
then the CFErrorRef needs to be placed into a container such |
||||
as a CFArrayRef, CFDictionaryRef etc. |
||||
|
||||
@discussion See the example program in this header for more details. |
||||
|
||||
*/ |
||||
typedef CFTypeRef __nullable (^SecTransformAttributeActionBlock)( |
||||
SecTransformAttributeRef attribute, |
||||
CFTypeRef value); |
||||
|
||||
/*!
|
||||
@typedef SecTransformDataBlock |
||||
|
||||
@abstract A block used to override the default data handling
|
||||
for a transform. |
||||
|
||||
@param data The data to be processed. When this block is used |
||||
to to implement the kSecTransformActionProcessData action, |
||||
the data is the input data that is to be processed into the |
||||
output data. When this block is used to implement the |
||||
kSecTransformActionInternalizeExtraData action, the data is |
||||
a CFDictionaryRef that contains the data that needs to be |
||||
imported. |
||||
|
||||
@result When this block is used to implment the
|
||||
kSecTransformActionProcessData action, the value returned |
||||
is to be the data that will be passed to the output |
||||
attribute. If an error occured while processing the input |
||||
data then the block should return a CFErrorRef. |
||||
|
||||
When this block is used to implement the |
||||
kSecTransformActionInternalizeExtraData action then this block |
||||
should return NULL or a CFErrorRef if an error occurred. |
||||
|
||||
@discussion See the example program for more details. |
||||
*/ |
||||
typedef CFTypeRef __nullable (^SecTransformDataBlock)(CFTypeRef data); |
||||
|
||||
/*!
|
||||
@typedef SecTransformInstanceBlock |
||||
|
||||
@abstract This is the block that is returned from an
|
||||
implementation of a CreateTransform function. |
||||
|
||||
@result A CFErrorRef if an error occurred or NULL. |
||||
|
||||
@discussion The instance block that is returned from the |
||||
developers CreateTransform function, defines
|
||||
the behavior of a custom attribute. Please |
||||
see the example at the head of this file. |
||||
|
||||
*/ |
||||
typedef CFErrorRef __nullable (^SecTransformInstanceBlock)(void); |
||||
|
||||
/*!
|
||||
@typedef SecTransformImplementationRef |
||||
|
||||
@abstract The SecTransformImplementationRef is a pointer to a block
|
||||
that implements an instance of a transform. |
||||
|
||||
*/ |
||||
typedef const struct OpaqueSecTransformImplementation* SecTransformImplementationRef; |
||||
|
||||
/*!
|
||||
@function SecTransformSetAttributeAction |
||||
|
||||
@abstract Be notified when a attribute is set. The supplied block is |
||||
called when the attribute is set. This can be done for a |
||||
specific named attribute or all attributes. |
||||
|
||||
@param ref A SecTransformImplementationRef that is bound to an instance |
||||
of a custom transform. |
||||
|
||||
@param action The behavior to be set. This can be one of the following |
||||
actions:
|
||||
|
||||
kSecTransformActionAttributeNotification - add a block that |
||||
is called when an attribute is set. If the name is NULL, |
||||
then the supplied block is called for all set attributes |
||||
except for ones that have a specific block as a handler. |
||||
|
||||
For example, if there is a handler for the attribute "foo" |
||||
and for all attributes, the "foo" handler is called when the |
||||
"foo" attribute is set, but all other attribute sets will |
||||
call the NULL handler. |
||||
|
||||
The kSecTransformActionProcessData action is a special case |
||||
of a SecTransformSetAttributeAction action. If this is |
||||
called on the input attribute then it will overwrite any |
||||
kSecTransformActionProcessData that was set. |
||||
|
||||
kSecTransformActionAttributeValidation Add a block that is |
||||
called to validate the input to an attribute. |
||||
|
||||
@param attribute |
||||
The name of the attribute that will be handled. An attribute |
||||
reference may also be given here. A NULL name indicates that |
||||
the supplied action is for all attributes. |
||||
|
||||
@param newAction |
||||
A SecTransformAttributeActionBlock which implements the |
||||
behavior. |
||||
|
||||
@result A CFErrorRef if an error occured NULL otherwise. |
||||
|
||||
@discussion This function may be called multiple times for either a |
||||
named attribute or for all attributes when the attribute |
||||
parameter is NULL. Each time the API is called it overwrites |
||||
what was there previously. |
||||
|
||||
*/ |
||||
CF_EXPORT __nullable |
||||
CFErrorRef SecTransformSetAttributeAction(SecTransformImplementationRef ref, |
||||
CFStringRef action, |
||||
SecTransformStringOrAttributeRef __nullable attribute, |
||||
SecTransformAttributeActionBlock newAction); |
||||
/*!
|
||||
@function SecTransformSetDataAction |
||||
|
||||
@abstract Change the way a custom transform will do data processing. |
||||
When the action parameter is kSecTransformActionProcessData |
||||
The newAction block will change the way that input data is |
||||
processed to become the output data. When the action |
||||
parameter is kSecTransformActionInternalizeExtraData it will |
||||
change the way a custom transform reads in data to be |
||||
imported into the transform. |
||||
|
||||
@param ref A SecTransformImplementationRef that is bound to an instance |
||||
of a custom transform. |
||||
|
||||
@param action The action being overridden. This value should be one of the |
||||
following: |
||||
kSecTransformActionProcessData |
||||
Change the way that input data is processed into the |
||||
output data. The default behavior is to simply copy |
||||
the input data to the output attribute. |
||||
|
||||
The kSecTransformActionProcessData action is really |
||||
a special case of a SecTransformSetAttributeAction |
||||
action. If you call this method with |
||||
kSecTransformActionProcessData it would overwrite |
||||
any kSecTransformActionAttributeNotification action |
||||
that was set proviously |
||||
|
||||
kSecTransformActionInternalizeExtraData |
||||
Change the way that custom externalized data is |
||||
imported into the transform. The default behavior |
||||
is to do nothing. |
||||
|
||||
@param newAction |
||||
A SecTransformDataBlock which implements the behavior. |
||||
|
||||
If the action parameter is kSecTransformActionProcessData then |
||||
this block will be called to process the input data into the |
||||
output data. |
||||
|
||||
if the action parameter is kSecTransformActionInternalizeExtraData then |
||||
this block will called to input custom data into the transform. |
||||
|
||||
@result A CFErrorRef is an error occured NULL otherwise. |
||||
|
||||
@discussion This API may be called multiple times. Each time the API is called
|
||||
it overwrites what was there previously. |
||||
|
||||
*/ |
||||
CF_EXPORT __nullable |
||||
CFErrorRef SecTransformSetDataAction(SecTransformImplementationRef ref, |
||||
CFStringRef action, |
||||
SecTransformDataBlock newAction); |
||||
|
||||
/*
|
||||
@function SecTransformSetTransformAction |
||||
|
||||
@abstract Change the way that transform deals with transform lifecycle |
||||
behaviors. |
||||
|
||||
@param ref A SecTransformImplementationRef that is bound to an instance |
||||
of a custom transform. It provides the neccessary context |
||||
for making the call to modify a custom transform. |
||||
|
||||
@param action Defines what behavior will be changed. The possible values |
||||
are: |
||||
|
||||
kSecTransformActionCanExecute |
||||
A CanExecute block is called before the transform |
||||
starts to execute. Returning NULL indicates that the |
||||
transform has all necessary parameters set up to be |
||||
able to execute. If there is a condition that |
||||
prevents this transform from executing, return a |
||||
CFError. The default behavior is to return NULL. |
||||
|
||||
kSecTransformActionStartingExecution |
||||
A StartingExecution block is called as a transform |
||||
starts execution but before any input is delivered. |
||||
Transform-specific initialization can be performed |
||||
in this block. |
||||
|
||||
kSecTransformActionFinalize |
||||
A Finalize block is called before a transform is |
||||
released. Any final cleanup can be performed in this |
||||
block. |
||||
|
||||
kSecTransformActionExternalizeExtraData |
||||
An ExternalizeExtraData block is called before a |
||||
transform is externalized. If there is any extra |
||||
work that the transform needs to do (e.g. copy data |
||||
from local variables to attributes) it can be |
||||
performed in this block. |
||||
|
||||
@param newAction |
||||
A SecTransformTransformActionBlock which implements the behavior. |
||||
|
||||
@result A CFErrorRef if an error occured NULL otherwise. |
||||
|
||||
*/ |
||||
CF_EXPORT __nullable |
||||
CFErrorRef SecTransformSetTransformAction(SecTransformImplementationRef ref, |
||||
CFStringRef action,
|
||||
SecTransformActionBlock newAction); |
||||
|
||||
/*!
|
||||
@function SecTranformCustomGetAttribute |
||||
|
||||
@abstract Allow a custom transform to get an attribute value |
||||
|
||||
@param ref A SecTransformImplementationRef that is bound to an instance |
||||
of a custom transform. |
||||
|
||||
@param attribute |
||||
The name or the attribute handle of the attribute whose |
||||
value is to be retrieved. |
||||
|
||||
@param type The type of data to be retrieved for the attribute. See the
|
||||
discussion on SecTransformMetaAttributeType for details. |
||||
|
||||
@result The value of the attribute. |
||||
|
||||
*/ |
||||
CF_EXPORT __nullable |
||||
CFTypeRef SecTranformCustomGetAttribute(SecTransformImplementationRef ref,
|
||||
SecTransformStringOrAttributeRef attribute, |
||||
SecTransformMetaAttributeType type) AVAILABLE_MAC_OS_X_VERSION_10_7_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_8; |
||||
|
||||
/*!
|
||||
@function SecTransformCustomGetAttribute |
||||
|
||||
@abstract Allow a custom transform to get an attribute value |
||||
|
||||
@param ref A SecTransformImplementationRef that is bound to an instance |
||||
of a custom transform. |
||||
|
||||
@param attribute |
||||
The name or the attribute handle of the attribute whose |
||||
value is to be retrieved. |
||||
|
||||
@param type The type of data to be retrieved for the attribute. See the
|
||||
discussion on SecTransformMetaAttributeType for details. |
||||
|
||||
@result The value of the attribute. |
||||
|
||||
*/ |
||||
CF_EXPORT __nullable |
||||
CFTypeRef SecTransformCustomGetAttribute(SecTransformImplementationRef ref,
|
||||
SecTransformStringOrAttributeRef attribute, |
||||
SecTransformMetaAttributeType type) __asm__("_SecTranformCustomGetAttribute"); |
||||
|
||||
/*!
|
||||
@function SecTransformCustomSetAttribute |
||||
|
||||
@abstract Allow a custom transform to set an attribute value |
||||
|
||||
@param ref A SecTransformImplementationRef that is bound to an instance |
||||
of a custom transform. |
||||
|
||||
@param attribute |
||||
The name or the attribute handle of the attribute whose |
||||
value is to be set. |
||||
|
||||
@param type The type of data to be retrieved for the attribute. See the |
||||
discussion on SecTransformMetaAttributeType for details. |
||||
|
||||
@param value The new value for the attribute |
||||
|
||||
@result A CFErrorRef if an error occured , NULL otherwise. |
||||
|
||||
@discussion Unlike the SecTransformSetAttribute API this API can set
|
||||
attribute values while a transform is executing. These |
||||
values are limited to the custom transform instance that |
||||
is bound to the ref parameter. |
||||
|
||||
*/ |
||||
CF_EXPORT __nullable |
||||
CFTypeRef SecTransformCustomSetAttribute(SecTransformImplementationRef ref, |
||||
SecTransformStringOrAttributeRef attribute, |
||||
SecTransformMetaAttributeType type, |
||||
CFTypeRef __nullable value); |
||||
/*!
|
||||
@function SecTransformPushbackAttribute |
||||
|
||||
@abstract Allows for putting a single value back for a specific |
||||
attribute. This will stop the flow of data into the |
||||
specified attribute until any attribute is changed for the |
||||
transform instance bound to the ref parameter. |
||||
|
||||
@param ref A SecTransformImplementationRef that is bound to an instance |
||||
of a custom transform. |
||||
|
||||
@param attribute |
||||
The name or the attribute handle of the attribute whose |
||||
value is to be pushed back. |
||||
|
||||
@param value The value being pushed back. |
||||
|
||||
@result A CFErrorRef if an error occured , NULL otherwise. |
||||
|
||||
*/ |
||||
CF_EXPORT __nullable |
||||
CFTypeRef SecTransformPushbackAttribute(SecTransformImplementationRef ref, |
||||
SecTransformStringOrAttributeRef attribute, |
||||
CFTypeRef value); |
||||
|
||||
/*!
|
||||
@typedef SecTransformCreateFP |
||||
|
||||
@abstract A function pointer to a function that will create a |
||||
new instance of a custom transform. |
||||
|
||||
@param name The name of the new custom transform. This name MUST be |
||||
unique. |
||||
|
||||
@param newTransform |
||||
The newly created transform Ref. |
||||
|
||||
@param ref A reference that is bound to an instance of a custom |
||||
transform. |
||||
|
||||
@result A SecTransformInstanceBlock that is used to create a new |
||||
instance of a custom transform. |
||||
|
||||
@discussion The CreateTransform function creates a new transform. The |
||||
SecTransformInstanceBlock that is returned from this |
||||
function provides the implementation of all of the overrides |
||||
necessary to create the custom transform. This returned |
||||
SecTransformInstanceBlock is also where the "instance" |
||||
variables for the custom transform may be defined. See the |
||||
example in the header section of this file for more detail. |
||||
*/ |
||||
|
||||
typedef SecTransformInstanceBlock __nonnull (*SecTransformCreateFP)(CFStringRef name, |
||||
SecTransformRef newTransform,
|
||||
SecTransformImplementationRef ref); |
||||
|
||||
/************** custom Transform transform override actions **************/ |
||||
|
||||
/*!
|
||||
@constant kSecTransformActionCanExecute |
||||
Overrides the standard behavior that checks to see if all of the |
||||
required attributes either have been set or are connected to |
||||
another transform. When overriding the default behavior the |
||||
developer can decided what the necessary data is to have for a |
||||
transform to be considered 'ready to run'. Returning NULL means |
||||
that the transform is ready to be run. If the transform is NOT |
||||
ready to run then the override should return a CFErrorRef |
||||
stipulating the error. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformActionCanExecute; |
||||
/*!
|
||||
@constant kSecTransformActionStartingExecution |
||||
Overrides the standard behavior that occurs just before starting |
||||
execution of a custom transform. This is typically overridden |
||||
to allow for initialization. This is used with the |
||||
SecTransformOverrideTransformAction block. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformActionStartingExecution; |
||||
|
||||
/*!
|
||||
@constant kSecTransformActionFinalize |
||||
Overrides the standard behavior that occurs just before deleting |
||||
a custom transform. This is typically overridden to allow for |
||||
memory clean up of a custom transform. This is used with the |
||||
SecTransformOverrideTransformAction block. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformActionFinalize; |
||||
|
||||
/*!
|
||||
|
||||
@constant kSecTransformActionExternalizeExtraData |
||||
Allows for adding to the data that is stored using an override |
||||
to the kSecTransformActionExternalizeExtraData block. The output |
||||
of this override is a dictionary that contains the custom |
||||
externalized data. A common use of this override is to write out |
||||
a version number of a custom transform. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformActionExternalizeExtraData; |
||||
|
||||
/*!
|
||||
@constant kSecTransformActionProcessData |
||||
Overrides the standard data processing for an attribute. This is |
||||
almost exclusively used for processing the input attribute as |
||||
the return value of their block sets the output attribute. This |
||||
is used with the SecTransformOverrideAttributeAction block. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformActionProcessData; |
||||
|
||||
/*!
|
||||
@constant kSecTransformActionInternalizeExtraData |
||||
Overrides the standard processing that occurs when externalized |
||||
data is used to create a transform. This is closely tied to the |
||||
kSecTransformActionExternalizeExtraData override. The 'normal' |
||||
attributes are read into the new transform and then this is |
||||
called to read in the items that were written out using |
||||
kSecTransformActionExternalizeExtraData override. A common use |
||||
of this override would be to read in the version number of the |
||||
externalized custom transform. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformActionInternalizeExtraData; |
||||
|
||||
/*!
|
||||
@constant SecTransformActionAttributeNotification |
||||
Allows a block to be called when an attribute is set. This |
||||
allows for caching the value as a block variable in the instance |
||||
block or transmogrifying the data to be set. This action is |
||||
where a custom transform would be able to do processing outside |
||||
of processing input to output as process data does. One the |
||||
data has been processed the action block can call |
||||
SecTransformCustomSetAttribute to update and other attribute. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformActionAttributeNotification; |
||||
|
||||
/*!
|
||||
@constant kSecTransformActionAttributeValidation |
||||
Allows a block to be called to validate the new value for an |
||||
attribute. The default is no validation and any CFTypeRef can |
||||
be used as the new value. The block should return NULL if the |
||||
value is ok to set on the attribute or a CFErrorRef otherwise. |
||||
|
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformActionAttributeValidation; |
||||
|
||||
/*!
|
||||
@function SecTransformRegister |
||||
|
||||
@abstract Register a new custom transform so that it may be used to
|
||||
process data |
||||
|
||||
@param uniqueName
|
||||
A unique name for this custom transform. It is recommended |
||||
that a reverse DNS name be used for the name of your custom |
||||
transform |
||||
|
||||
@param createTransformFunction
|
||||
A SecTransformCreateFP function pointer. The function must |
||||
return a SecTransformInstanceBlock block that block_copy has |
||||
been called on before returning the block. Failure to call |
||||
block_copy will cause undefined behavior. |
||||
|
||||
@param error This pointer is set if an error occurred. This value
|
||||
may be NULL if you do not want an error returned. |
||||
|
||||
@result True if the custom transform was registered false otherwise |
||||
|
||||
*/ |
||||
CF_EXPORT |
||||
Boolean SecTransformRegister(CFStringRef uniqueName,
|
||||
SecTransformCreateFP createTransformFunction, |
||||
CFErrorRef* error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTransformCreate |
||||
|
||||
@abstract Creates a transform computation object. |
||||
|
||||
@param name The type of transform to create, must have been registered |
||||
by SecTransformRegister, or be a system pre-defined |
||||
transform type. |
||||
|
||||
@param error A pointer to a CFErrorRef. This pointer is set if an error |
||||
occurred. This value may be NULL if you do not want an |
||||
error returned. |
||||
|
||||
@result A pointer to a SecTransformRef object. This object must be |
||||
released with CFRelease when you are done with it. This |
||||
function returns NULL if an error occurred. |
||||
*/ |
||||
CF_EXPORT __nullable |
||||
SecTransformRef SecTransformCreate(CFStringRef name, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@Function SecTransformNoData |
||||
|
||||
@abstract Returns back A CFTypeRef from inside a processData |
||||
override that says that while no data is being returned |
||||
the transform is still active and awaiting data. |
||||
|
||||
@result A 'special' value that allows that specifies that the |
||||
transform is still active and awaiting data. |
||||
|
||||
@discussion The standard behavior for the ProcessData override is that |
||||
it will receive a CFDataRef and it processes that data and |
||||
returns a CFDataRef that contains the processed data. When |
||||
there is no more data to process the ProcessData override |
||||
block is called one last time with a NULL CFDataRef. The |
||||
ProcessData block should/must return the NULL CFDataRef to |
||||
complete the processing. This model does not work well for |
||||
some transforms. For example a digest transform needs to see |
||||
ALL of the data that is being digested before it can send |
||||
out the digest value. |
||||
|
||||
If a ProcessData block has no data to return, it can return |
||||
SecTransformNoData(), which informs the transform system |
||||
that there is no data to pass on to the next transform. |
||||
|
||||
|
||||
*/ |
||||
CF_EXPORT |
||||
CFTypeRef SecTransformNoData(void); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
CF_EXTERN_C_END |
||||
|
||||
#endif // __BLOCKS__
|
||||
#endif // _SEC_CUSTOM_TRANSFORM_H__
|
@ -0,0 +1,76 @@
|
||||
#ifndef __SECDECODETRANSFORM_H__ |
||||
#define __SECDECODETRANSFORM_H__ |
||||
|
||||
/*
|
||||
* Copyright (c) 2010-2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
#include "SecEncodeTransform.h" |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@constant kSecDecodeTypeAttribute |
||||
Used with SecTransformGetAttribute to query the attribute type. |
||||
Returns one of the strings defined in the previous section. |
||||
*/ |
||||
|
||||
extern const CFStringRef kSecDecodeTypeAttribute; |
||||
|
||||
/*!
|
||||
@function SecDecodeTransformCreate |
||||
@abstract Creates an decode computation object. |
||||
@param DecodeType The type of digest to decode. You may pass NULL |
||||
for this parameter, in which case an appropriate |
||||
algorithm will be chosen for you. |
||||
@param error A pointer to a CFErrorRef. This pointer will be set |
||||
if an error occurred. This value may be NULL if you |
||||
do not want an error returned. |
||||
@result A pointer to a SecTransformRef object. This object must |
||||
be released with CFRelease when you are done with |
||||
it. This function will return NULL if an error |
||||
occurred. |
||||
@discussion This function creates a transform which computes a |
||||
decode. |
||||
*/ |
||||
|
||||
// See SecEncodeTransformCreate for encoding...
|
||||
__nullable |
||||
SecTransformRef SecDecodeTransformCreate(CFTypeRef DecodeType, |
||||
CFErrorRef* error |
||||
) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
|
||||
#endif |
@ -0,0 +1,154 @@
|
||||
#ifndef __TRANSFORM_DIGEST__ |
||||
#define __TRANSFORM_DIGEST__ |
||||
|
||||
|
||||
/*
|
||||
* Copyright (c) 2010-2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
#include "SecTransform.h" |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies an MD2 digest |
||||
*/ |
||||
extern const CFStringRef kSecDigestMD2; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies an MD4 digest |
||||
*/ |
||||
extern const CFStringRef kSecDigestMD4; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies an MD5 digest |
||||
*/ |
||||
extern const CFStringRef kSecDigestMD5; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies a SHA1 digest |
||||
*/ |
||||
extern const CFStringRef kSecDigestSHA1; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies a SHA2 digest. |
||||
*/ |
||||
extern const CFStringRef kSecDigestSHA2; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies an HMAC using the MD5 digest algorithm. |
||||
*/ |
||||
extern const CFStringRef kSecDigestHMACMD5; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies an HMAC using the SHA1 digest algorithm. |
||||
*/ |
||||
extern const CFStringRef kSecDigestHMACSHA1; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies an HMAC using one of the SHA2 digest algorithms. |
||||
*/ |
||||
extern const CFStringRef kSecDigestHMACSHA2; |
||||
|
||||
|
||||
/*!
|
||||
@constant kSecDigestTypeAttribute |
||||
Used with SecTransformGetAttribute to query the attribute type. |
||||
Returns one of the strings defined in the previous section. |
||||
*/ |
||||
extern const CFStringRef kSecDigestTypeAttribute; |
||||
|
||||
/*!
|
||||
@constant kSecDigestLengthAttribute |
||||
Used with SecTransformGetAttribute to query the length attribute. |
||||
Returns a CFNumberRef that contains the length. |
||||
*/ |
||||
extern const CFStringRef kSecDigestLengthAttribute; |
||||
|
||||
/*!
|
||||
@constant kSecDigestHMACKeyAttribute |
||||
When set and used with one of the HMAC digest types, sets the key |
||||
for the HMAC operation. The data type for this attribute must be |
||||
a CFDataRef. If this value is not set, the transform will assume |
||||
a zero length key. |
||||
*/ |
||||
extern const CFStringRef kSecDigestHMACKeyAttribute; |
||||
|
||||
/*!
|
||||
@function SecDigestTransformCreate |
||||
@abstract Creates a digest computation object. |
||||
@param digestType The type of digest to compute. You may pass NULL |
||||
for this parameter, in which case an appropriate |
||||
algorithm will be chosen for you. |
||||
@param digestLength The desired digest length. Note that certain |
||||
algorithms may only support certain sizes. You may |
||||
pass 0 for this parameter, in which case an |
||||
appropriate length will be chosen for you. |
||||
@param error A pointer to a CFErrorRef. This pointer will be set |
||||
if an error occurred. This value may be NULL if you |
||||
do not want an error returned. |
||||
@result A pointer to a SecTransformRef object. This object must |
||||
be released with CFRelease when you are done with |
||||
it. This function will return NULL if an error |
||||
occurred. |
||||
@discussion This function creates a transform which computes a |
||||
cryptographic digest. |
||||
*/ |
||||
|
||||
SecTransformRef SecDigestTransformCreate(CFTypeRef __nullable digestType, |
||||
CFIndex digestLength, |
||||
CFErrorRef* error |
||||
) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
|
||||
/*!
|
||||
@function SecDigestTransformGetTypeID |
||||
@abstract Return the CFTypeID of a SecDigestTransform |
||||
@result The CFTypeID |
||||
*/ |
||||
|
||||
CFTypeID SecDigestTransformGetTypeID() |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
}; |
||||
#endif |
||||
|
||||
|
||||
#endif |
@ -0,0 +1,115 @@
|
||||
#ifndef __SECENCODETRANSFORM_H__ |
||||
#define __SECENCODETRANSFORM_H__ |
||||
|
||||
/*
|
||||
* Copyright (c) 2010-2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
#include "SecTransform.h" |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@abstract Specifies a base 64 encoding |
||||
*/ |
||||
extern const CFStringRef kSecBase64Encoding; |
||||
|
||||
/*!
|
||||
@abstract Specifies a base 32 encoding |
||||
*/ |
||||
extern const CFStringRef kSecBase32Encoding; |
||||
|
||||
/*!
|
||||
@abstract Specifies a compressed encoding. |
||||
*/ |
||||
extern const CFStringRef kSecZLibEncoding; |
||||
|
||||
/*!
|
||||
@constant kSecEncodeTypeAttribute |
||||
Used with SecTransformGetAttribute to query the attribute type. |
||||
Returns one of the strings defined in the previous section. |
||||
*/ |
||||
|
||||
extern const CFStringRef kSecEncodeTypeAttribute; |
||||
|
||||
|
||||
extern const CFStringRef kSecLineLength64; |
||||
extern const CFStringRef kSecLineLength76; |
||||
|
||||
/*!
|
||||
@constant kSecEncodeLineLengthAttribute |
||||
Used with SecTransformSetAttribute to set the length |
||||
of encoded Base32 or Base64 lines. Some systems will |
||||
not decode or otherwise deal with excessively long lines, |
||||
or may be defined to limit lines to specific lengths |
||||
(for example RFC1421 - 64, and RFC2045 - 76). |
||||
|
||||
The LineLengthAttribute may be set to any positive |
||||
value (via a CFNumberRef) to limit to a specific |
||||
length (values smaller then X for Base32 or Y for Base64 |
||||
are assume to be X or Y), or to zero for no specific |
||||
limit. Either of the string constants kSecLineLength64 |
||||
(RFC1421), or kSecLineLength76 (RFC2045) may be used to |
||||
set line lengths of 64 or 76 bytes. |
||||
*/ |
||||
extern const CFStringRef kSecEncodeLineLengthAttribute; |
||||
|
||||
extern const CFStringRef kSecCompressionRatio; |
||||
|
||||
/*!
|
||||
@function SecEncodeTransformCreate |
||||
@abstract Creates an encode computation object. |
||||
@param encodeType The type of digest to compute. You may pass NULL |
||||
for this parameter, in which case an appropriate |
||||
algorithm will be chosen for you. |
||||
@param error A pointer to a CFErrorRef. This pointer will be set |
||||
if an error occurred. This value may be NULL if you |
||||
do not want an error returned. |
||||
@result A pointer to a SecTransformRef object. This object must |
||||
be released with CFRelease when you are done with |
||||
it. This function will return NULL if an error |
||||
occurred. |
||||
@discussion This function creates a transform which computes an |
||||
encode. |
||||
*/ |
||||
|
||||
// See SecDecodeTransformCreate for decoding...
|
||||
__nullable |
||||
SecTransformRef SecEncodeTransformCreate(CFTypeRef encodeType, |
||||
CFErrorRef* error |
||||
) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
|
||||
#endif |
@ -0,0 +1,194 @@
|
||||
/*
|
||||
* Copyright (c) 2010-2011,2013 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecEncryptTransform |
||||
|
||||
This file defines a SecTransform that will do both asynchronous and synchronous |
||||
encryption. |
||||
|
||||
The key that is supplied to the SecTransform determines the type of encryption |
||||
to be used. |
||||
|
||||
*/ |
||||
#if !defined(__SEC_ENCRYPT_TRANSFORM__) |
||||
#define __SEC_ENCRYPT_TRANSFORM__ 1 |
||||
|
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
#include <Security/SecKey.h> |
||||
#include "SecTransform.h" |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*! @abstract Indicates that no padding will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecPaddingNoneKey; |
||||
/*! Indicates that PKCS1 padding will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecPaddingPKCS1Key; |
||||
/*! Indicates that PKCS5 padding will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecPaddingPKCS5Key; |
||||
/*! Indicates that PKCS7 padding will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecPaddingPKCS7Key; |
||||
/*! Indicates that PKCS7 padding will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecPaddingOAEPKey |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8,__IPHONE_NA); |
||||
/*! Indicates that no mode will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecModeNoneKey; |
||||
/*! Indicates that ECB mode will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecModeECBKey; |
||||
/*! Indicates that CBC mode will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecModeCBCKey; |
||||
/*! Indicates that CFB mode will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecModeCFBKey; |
||||
/*! Indicates that OFB mode will be used when encrypting or decrypting. */ |
||||
extern const CFStringRef kSecModeOFBKey; |
||||
|
||||
/*!
|
||||
@abstract |
||||
This attribute holds the encryption key for the transform. (ReadOnly) |
||||
*/ |
||||
extern const CFStringRef kSecEncryptKey; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Key for setting padding. |
||||
@discussion |
||||
This key is optional. If you do not supply a value for this key, |
||||
an appropriate value will be supplied for you. |
||||
*/ |
||||
extern const CFStringRef kSecPaddingKey; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Key for setting an initialization vector. |
||||
@discussion |
||||
This key is optional. If you do not supply a |
||||
value for this key, an appropriate value will be supplied for you. |
||||
*/ |
||||
extern const CFStringRef kSecIVKey; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies the encryption mode. |
||||
@discussion |
||||
This key is optional. If you do not supply this key, |
||||
an appropriate value will be supplied for you. |
||||
*/ |
||||
extern const CFStringRef kSecEncryptionMode; |
||||
|
||||
/*!
|
||||
@abstract |
||||
Specifies the OAEP message length. |
||||
@discussion |
||||
This should be set to a CFNumberRef when the padding is set to OAEP, |
||||
and a specific messages size is desired. If unset the minimum padding |
||||
will be added. It is ignored when the padding mode is not OAEP. |
||||
*/ |
||||
extern const CFStringRef kSecOAEPMessageLengthAttributeName |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8,__IPHONE_NA); |
||||
/*!
|
||||
@abstract |
||||
Specifies the OAEP encoding paramaters |
||||
@discussion |
||||
This should be set to a CFDataRef when the padding is set to OAEP. |
||||
If unset a zero length CFDataRef is used. It is ignored by non |
||||
OAEP padding modes. |
||||
*/ |
||||
extern const CFStringRef kSecOAEPEncodingParametersAttributeName |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8,__IPHONE_NA); |
||||
/*!
|
||||
@abstract |
||||
Specifies the OAEP MGF1 digest algorithm. |
||||
@discussion |
||||
This should be set to a digest algorithm when the padding is set to OAEP. |
||||
If unset SHA1 is used. It is ifnored by non OAEP padding modes. |
||||
*/ |
||||
extern const CFStringRef kSecOAEPMGF1DigestAlgorithmAttributeName |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecEncryptTransformCreate |
||||
@abstract Creates an encryption SecTransform object. |
||||
@param keyRef The key for the encryption operation |
||||
@param error A pointer to a CFErrorRef. This pointer will be set |
||||
if an error occurred. This value may be NULL if you |
||||
do not want an error returned. |
||||
@result A pointer to a SecTransformRef object. This object must |
||||
be released with CFRelease when you are done with |
||||
it. This function will return NULL if an error |
||||
occurred. |
||||
@discussion This function creates a transform which encrypts data. |
||||
*/ |
||||
|
||||
SecTransformRef SecEncryptTransformCreate(SecKeyRef keyRef, |
||||
CFErrorRef* error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecDecryptTransformCreate |
||||
@abstract Creates an encryption SecTransform object. |
||||
@param keyRef The key for the operation |
||||
@param error A pointer to a CFErrorRef. This pointer will be set |
||||
if an error occurred. This value may be NULL if you |
||||
do not want an error returned. |
||||
@result A pointer to a SecTransformRef object. This object must |
||||
be released with CFRelease when you are done with |
||||
it. This function will return NULL if an error |
||||
occurred. |
||||
@discussion This function creates a transform which encrypts data. |
||||
*/ |
||||
|
||||
SecTransformRef SecDecryptTransformCreate(SecKeyRef keyRef, |
||||
CFErrorRef* error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecDecryptTransformGetTypeID |
||||
@abstract Returns the CFTypeID for a decrypt transform. |
||||
@return the CFTypeID |
||||
*/ |
||||
|
||||
CFTypeID SecDecryptTransformGetTypeID() |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecEncryptTransformGetTypeID |
||||
@abstract Returns the CFTypeID for a decrypt transform. |
||||
@return the CFTypeID |
||||
*/ |
||||
|
||||
CFTypeID SecEncryptTransformGetTypeID() |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
}; |
||||
#endif |
||||
|
||||
#endif /* ! __SEC_ENCRYPT_TRANSFORM__ */ |
@ -0,0 +1,204 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecIdentity |
||||
The functions provided in SecIdentity implement a convenient way to match private keys with certificates. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECIDENTITY_H_ |
||||
#define _SECURITY_SECIDENTITY_H_ |
||||
|
||||
#include <CoreFoundation/CFBase.h> |
||||
#include <CoreFoundation/CFArray.h> |
||||
#include <Security/SecBase.h> |
||||
#include <Security/cssmtype.h> |
||||
#include <AvailabilityMacros.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@function SecIdentityGetTypeID |
||||
@abstract Returns the type identifier of SecIdentity instances. |
||||
@result The CFTypeID of SecIdentity instances. |
||||
*/ |
||||
CFTypeID SecIdentityGetTypeID(void) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecIdentityCreateWithCertificate |
||||
@abstract Creates a new identity reference for the given certificate, assuming the associated private key is in one of the specified keychains. |
||||
@param keychainOrArray A reference to an array of keychains to search, a single keychain, or NULL to search the user's default keychain search list. |
||||
@param certificateRef A certificate reference. |
||||
@param identityRef On return, an identity reference. You are responsible for releasing this reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecIdentityCreateWithCertificate( |
||||
CFTypeRef __nullable keychainOrArray, |
||||
SecCertificateRef certificateRef, |
||||
SecIdentityRef * __nonnull CF_RETURNS_RETAINED identityRef) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecIdentityCopyCertificate |
||||
@abstract Returns a reference to a certificate for the given identity reference. |
||||
@param identityRef An identity reference. |
||||
@param certificateRef On return, a reference to the found certificate. You are responsible for releasing this reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecIdentityCopyCertificate( |
||||
SecIdentityRef identityRef,
|
||||
SecCertificateRef * __nonnull CF_RETURNS_RETAINED certificateRef) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecIdentityCopyPrivateKey |
||||
@abstract Returns the private key associated with an identity. |
||||
@param identityRef An identity reference. |
||||
@param privateKeyRef On return, a reference to the private key for the given identity. You are responsible for releasing this reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecIdentityCopyPrivateKey( |
||||
SecIdentityRef identityRef,
|
||||
SecKeyRef * __nonnull CF_RETURNS_RETAINED privateKeyRef) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecIdentityCopyPreference |
||||
@abstract Returns the preferred identity for the specified name and key usage, optionally limiting the result to an identity issued by a certificate whose subject is one of the distinguished names in validIssuers. If a preferred identity does not exist, NULL is returned. |
||||
@param name A string containing a URI, RFC822 email address, DNS hostname, or other name which uniquely identifies the service requiring an identity. |
||||
@param keyUsage A CSSM_KEYUSE key usage value, as defined in cssmtype.h. Pass 0 to ignore this parameter. |
||||
@param validIssuers (optional) An array of CFDataRef instances whose contents are the subject names of allowable issuers, as returned by a call to SSLCopyDistinguishedNames (SecureTransport.h). Pass NULL if any issuer is allowed. |
||||
@param identity On return, a reference to the preferred identity, or NULL if none was found. You are responsible for releasing this reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated in 10.7. Please use the SecIdentityCopyPreferred API instead. |
||||
*/ |
||||
OSStatus SecIdentityCopyPreference(CFStringRef name, CSSM_KEYUSE keyUsage, CFArrayRef __nullable validIssuers, SecIdentityRef * __nonnull CF_RETURNS_RETAINED identity) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecIdentityCopyPreferred |
||||
@abstract Returns the preferred identity for the specified name and key usage, optionally limiting the result to an identity issued by a certificate whose subject is one of the distinguished names in validIssuers. If a preferred identity does not exist, NULL is returned. |
||||
@param name A string containing a URI, RFC822 email address, DNS hostname, or other name which uniquely identifies the service requiring an identity. |
||||
@param keyUsage A CFArrayRef value, containing items defined in SecItem.h Pass NULL to ignore this parameter. (kSecAttrCanEncrypt, kSecAttrCanDecrypt, kSecAttrCanDerive, kSecAttrCanSign, kSecAttrCanVerify, kSecAttrCanWrap, kSecAttrCanUnwrap) |
||||
@param validIssuers (optional) An array of CFDataRef instances whose contents are the subject names of allowable issuers, as returned by a call to SSLCopyDistinguishedNames (SecureTransport.h). Pass NULL if any issuer is allowed. |
||||
@param identity On return, a reference to the preferred identity, or NULL if none was found. You are responsible for releasing this reference by calling the CFRelease function. |
||||
@result An identity or NULL. if the preferred identity has not been set. Your code should then typically perform a search for possible identities using the SecItem APIs. |
||||
@discussion If a preferred identity has not been set for the supplied name, the returned identity reference will be NULL. Your code should then perform a search for possible identities, using the SecItemCopyMatching API. |
||||
*/ |
||||
__nullable |
||||
SecIdentityRef SecIdentityCopyPreferred(CFStringRef name, CFArrayRef __nullable keyUsage, CFArrayRef __nullable validIssuers) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecIdentitySetPreference |
||||
@abstract Sets the preferred identity for the specified name and key usage. |
||||
@param identity A reference to the identity which will be preferred. |
||||
@param name A string containing a URI, RFC822 email address, DNS hostname, or other name which uniquely identifies a service requiring this identity. |
||||
@param keyUsage A CSSM_KEYUSE key usage value, as defined in cssmtype.h. Pass 0 to specify any key usage. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated in 10.7. Please use the SecIdentitySetPreferred API instead. |
||||
*/ |
||||
OSStatus SecIdentitySetPreference(SecIdentityRef identity, CFStringRef name, CSSM_KEYUSE keyUsage) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecIdentitySetPreferred |
||||
@abstract Sets the preferred identity for the specified name and key usage. |
||||
@param identity A reference to the identity which will be preferred. If NULL is passed, any existing preference for the specified name is cleared instead. |
||||
@param name A string containing a URI, RFC822 email address, DNS hostname, or other name which uniquely identifies a service requiring this identity. |
||||
@param keyUsage A CFArrayRef value, containing items defined in SecItem.h Pass NULL to specify any key usage. (kSecAttrCanEncrypt, kSecAttrCanDecrypt, kSecAttrCanDerive, kSecAttrCanSign, kSecAttrCanVerify, kSecAttrCanWrap, kSecAttrCanUnwrap) |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/
|
||||
OSStatus SecIdentitySetPreferred(SecIdentityRef __nullable identity, CFStringRef name, CFArrayRef __nullable keyUsage) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecIdentityCopySystemIdentity |
||||
@abstract Obtain the system-wide SecIdentityRef associated with
|
||||
a specified domain. |
||||
@param domain Identifies the SecIdentityRef to be obtained, typically |
||||
in the form "com.apple.subdomain...".
|
||||
@param idRef On return, the system SecIdentityRef assicated with
|
||||
the specified domain. Caller must CFRelease this when
|
||||
finished with it.
|
||||
@param actualDomain (optional) The actual domain name of the
|
||||
the returned identity is returned here. This |
||||
may be different from the requested domain.
|
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion If no system SecIdentityRef exists for the specified |
||||
domain, a domain-specific alternate may be returned |
||||
instead, typically (but not exclusively) the
|
||||
kSecIdentityDomainDefault SecIdentityRef.
|
||||
*/ |
||||
OSStatus SecIdentityCopySystemIdentity( |
||||
CFStringRef domain,
|
||||
SecIdentityRef * __nonnull CF_RETURNS_RETAINED idRef, |
||||
CFStringRef * __nullable CF_RETURNS_RETAINED actualDomain) /* optional */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecIdentitySetSystemIdentity |
||||
@abstract Assign the supplied SecIdentityRef to the specified |
||||
domain. |
||||
@param domain Identifies the domain to which the specified
|
||||
SecIdentityRef will be assigned. |
||||
@param idRef (optional) The identity to be assigned to the specified
|
||||
domain. Pass NULL to delete a possible entry for the specified |
||||
domain; in this case, it is not an error if no identity |
||||
exists for the specified domain.
|
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion The caller must be running as root. |
||||
*/ |
||||
OSStatus SecIdentitySetSystemIdentity( |
||||
CFStringRef domain,
|
||||
SecIdentityRef __nullable idRef) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*
|
||||
* Defined system identity domains. |
||||
*/ |
||||
|
||||
/*!
|
||||
@const kSecIdentityDomainDefault The system-wide default identity. |
||||
*/ |
||||
extern const CFStringRef kSecIdentityDomainDefault __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@const kSecIdentityDomainKerberosKDC Kerberos KDC identity. |
||||
*/ |
||||
extern const CFStringRef kSecIdentityDomainKerberosKDC __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECIDENTITY_H_ */ |
@ -0,0 +1,91 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecIdentitySearch |
||||
The functions provided in SecIdentitySearch implement a query for SecIdentity objects. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECIDENTITYSEARCH_H_ |
||||
#define _SECURITY_SECIDENTITYSEARCH_H_ |
||||
|
||||
#include <Security/SecBase.h> |
||||
#include <Security/cssmtype.h> |
||||
#include <CoreFoundation/CFArray.h> |
||||
#include <CoreFoundation/CFDictionary.h> |
||||
#include <CoreFoundation/CFString.h> |
||||
#include <AvailabilityMacros.h> |
||||
|
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@typedef SecIdentitySearchRef |
||||
@abstract Contains information about an identity search. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaqueSecIdentitySearchRef *SecIdentitySearchRef; |
||||
|
||||
/*!
|
||||
@function SecIdentitySearchGetTypeID |
||||
@abstract Returns the type identifier of SecIdentitySearch instances. |
||||
@result The CFTypeID of SecIdentitySearch instances. |
||||
@discussion This API is deprecated in 10.7. The SecIdentitySearchRef type is no longer used. |
||||
*/ |
||||
CFTypeID SecIdentitySearchGetTypeID(void) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecIdentitySearchCreate |
||||
@abstract Creates a search reference for finding identities. |
||||
@param keychainOrArray An reference to an array of keychains to search, a single keychain, or NULL to search the user's default keychain search list. |
||||
@param keyUsage A CSSM_KEYUSE value, as defined in cssmtype.h. This value narrows the search to return only those identities which match the specified key usage. Pass a value of 0 to ignore key usage and return all available identities. Note that passing CSSM_KEYUSE_ANY limits the results to only those identities that can be used for every operation. |
||||
@param searchRef On return, an identity search reference. You must release the identity search reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion You can set values for key usage, and one or more keychains, to control the search for identities. You can use the returned search reference to obtain the remaining identities in subsequent calls to the SecIentitySearchCopyNext function. You must release the identity search reference by calling the CFRelease function. |
||||
This function is deprecated in Mac OS X 10.7 and later; to find identities which match a given key usage or other attributes, please use the SecItemCopyMatching API (see SecItem.h). |
||||
*/ |
||||
OSStatus SecIdentitySearchCreate(CFTypeRef __nullable keychainOrArray, CSSM_KEYUSE keyUsage, SecIdentitySearchRef * __nullable CF_RETURNS_RETAINED searchRef) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecIdentitySearchCopyNext |
||||
@abstract Finds the next identity matching the given search criteria, as previously specified by a call to SecIdentitySearchCreate or SecIdentitySearchCreateWithAttributes. |
||||
@param searchRef A reference to the current identity search. You create the identity search reference by calling either SecIdentitySearchCreate or SecIdentitySearchCreateWithAttributes. |
||||
@param identity On return, an identity reference for the next found identity, if any. You must call the CFRelease function when finished with the identity reference. |
||||
@result A result code. When there are no more identities found that match the search criteria, errSecItemNotFound is returned. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in Mac OS X 10.7 and later; to find identities which match specified attributes, please use the SecItemCopyMatching API (see SecItem.h). |
||||
*/ |
||||
OSStatus SecIdentitySearchCopyNext(SecIdentitySearchRef searchRef, SecIdentityRef * __nullable CF_RETURNS_RETAINED identity) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECIDENTITYSEARCH_H_ */ |
@ -0,0 +1,683 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2011,2013-2014 Apple Inc. All Rights Reserved. |
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecImportExport |
||||
contains import/export functionality for keys and certificates. |
||||
*/ |
||||
#ifndef _SECURITY_SEC_IMPORT_EXPORT_H_ |
||||
#define _SECURITY_SEC_IMPORT_EXPORT_H_ |
||||
|
||||
#include <Security/cssmtype.h> |
||||
#include <Security/SecAccess.h> |
||||
#include <Security/SecKeychain.h> |
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
#include <stdint.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*
|
||||
* Supported import/export Formats |
||||
*/ |
||||
typedef CF_ENUM(uint32_t, SecExternalFormat) |
||||
{ |
||||
/*
|
||||
* When importing: unknown format |
||||
* When exporting: default format for item |
||||
*/ |
||||
kSecFormatUnknown = 0, |
||||
|
||||
/*
|
||||
* Public and Private Key formats. |
||||
* Default for export is kSecFormatOpenSSL. |
||||
*/ |
||||
kSecFormatOpenSSL, /* a.k.a. X509 for public keys */ |
||||
kSecFormatSSH, /* OpenSSH v.1 */ |
||||
kSecFormatBSAFE, |
||||
|
||||
/* Symmetric Key Formats */ |
||||
kSecFormatRawKey, /* raw unformatted key bits; default */ |
||||
|
||||
/* Formats for wrapped symmetric and private keys */ |
||||
kSecFormatWrappedPKCS8, |
||||
kSecFormatWrappedOpenSSL, /* traditional openssl */ |
||||
kSecFormatWrappedSSH, /* OpenSSH v.1 */ |
||||
kSecFormatWrappedLSH, |
||||
|
||||
/* Formats for certificates */ |
||||
kSecFormatX509Cert, /* DER encoded; default */ |
||||
|
||||
/* Aggregate Types */ |
||||
kSecFormatPEMSequence, /* sequence of certs and/or keys, implies PEM
|
||||
* armour. Default format for multiple items */ |
||||
kSecFormatPKCS7, /* sequence of certs */ |
||||
kSecFormatPKCS12, /* set of certs and private keys */ |
||||
kSecFormatNetscapeCertSequence, /* sequence of certs, form netscape-cert-sequence */ |
||||
|
||||
/* Added in Mac OS X 10.5 */ |
||||
kSecFormatSSHv2 /* OpenSSH v.2. Note that OpenSSH v2 private keys
|
||||
* are in format kSecFormatOpenSSL or |
||||
* kSecFormatWrappedOpenSSL. */ |
||||
}; |
||||
|
||||
/*
|
||||
* Indication of basic item type when importing. |
||||
*/ |
||||
typedef CF_ENUM(uint32_t, SecExternalItemType) { |
||||
kSecItemTypeUnknown, /* caller doesn't know what this is */ |
||||
kSecItemTypePrivateKey, |
||||
kSecItemTypePublicKey, |
||||
kSecItemTypeSessionKey, |
||||
kSecItemTypeCertificate, |
||||
kSecItemTypeAggregate /* PKCS7, PKCS12, kSecFormatPEMSequence, etc. */ |
||||
}; |
||||
|
||||
/*
|
||||
* Flags passed to SecKeychainItemExport() and SecKeychainItemImport(). |
||||
*/ |
||||
typedef CF_OPTIONS(uint32_t, SecItemImportExportFlags) |
||||
{ |
||||
kSecItemPemArmour = 0x00000001, /* exported blob is PEM formatted */ |
||||
}; |
||||
|
||||
/*
|
||||
* SecKeyRef-specific flags, specified in SecKeyImportExportParameters.flags |
||||
*/ |
||||
typedef CF_OPTIONS(uint32_t, SecKeyImportExportFlags) |
||||
{ |
||||
/*
|
||||
* When true, prevents the importing of more than one private key |
||||
* in a given SecKeychainItemImport(). |
||||
*/ |
||||
kSecKeyImportOnlyOne = 0x00000001, |
||||
|
||||
/*
|
||||
* When true, passphrase for import/export is obtained by user prompt |
||||
* instead of by caller-supplied data (SecKeyImportExportParameters.passphrase). |
||||
* This is the preferred method for obtaining a user-supplied passphrase |
||||
* as it avoids having the cleartext passphrase appear in the app's |
||||
* address space at any time. |
||||
*/ |
||||
kSecKeySecurePassphrase = 0x00000002, |
||||
|
||||
/*
|
||||
* When true, imported private keys will have no Access Control List |
||||
* (ACL) attached to them. In the absence of both this bit and the accessRef |
||||
* field in SecKeyImportExportParameters (see below), imported private |
||||
* keys are given a default ACL. |
||||
*/ |
||||
kSecKeyNoAccessControl = 0x00000004 |
||||
}; |
||||
|
||||
/*
|
||||
* Version of a SecKeyImportExportParameters. |
||||
*/ |
||||
#define SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION 0 |
||||
|
||||
/*
|
||||
* Parameters specific to SecKeyRefs. |
||||
*/ |
||||
typedef struct |
||||
{ |
||||
/* for import and export */ |
||||
uint32_t version; /* SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION */ |
||||
SecKeyImportExportFlags flags; /* SecKeyImportExportFlags bits */ |
||||
CFTypeRef passphrase; /* kSecFormatPKCS12, kSecFormatWrapped*
|
||||
* formats only. Legal types are |
||||
* CFStringRef and CFDataRef. */ |
||||
CFStringRef alertTitle; /* title of secure passphrase alert panel */ |
||||
CFStringRef alertPrompt; /* prompt in secure passphrase alert panel */ |
||||
|
||||
/* for import only */ |
||||
SecAccessRef __nullable accessRef; /* specifies the initial ACL of imported
|
||||
* key(s) */ |
||||
CSSM_KEYUSE keyUsage; /* CSSM_KEYUSE_DECRYPT, CSSM_KEYUSE_SIGN,
|
||||
* etc. */ |
||||
CSSM_KEYATTR_FLAGS keyAttributes; /* CSSM_KEYATTR_PERMANENT, etc. */ |
||||
} SecKeyImportExportParameters; |
||||
|
||||
|
||||
typedef struct |
||||
{ |
||||
/* for import and export */ |
||||
uint32_t version; /* SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION */ |
||||
SecKeyImportExportFlags flags; /* SecKeyImportExportFlags bits */ |
||||
CFTypeRef passphrase; /* kSecFormatPKCS12, kSecFormatWrapped*
|
||||
* formats only. Legal types are |
||||
* CFStringRef and CFDataRef. */ |
||||
CFStringRef alertTitle; /* title of secure passphrase alert panel */ |
||||
CFStringRef alertPrompt; /* prompt in secure passphrase alert panel */ |
||||
|
||||
/* for import only */ |
||||
SecAccessRef __nullable accessRef; /* specifies the initial ACL of imported
|
||||
* key(s) */ |
||||
CFArrayRef __nullable keyUsage; /* An Array containing usage attributes from SecItem.h, e.g.
|
||||
kSecAttrCanEncrypt;, kSecAttrCanDecrypt, kSecAttrCanDerive, etc. |
||||
*/ |
||||
|
||||
CFArrayRef __nullable keyAttributes; /* An array containing zero or more key attributes
|
||||
for an imported key. Possible values (from SecItem.h): |
||||
kSecAttrIsPermanent, kSecAttrIsSensitive, kSecAttrIsExtractable |
||||
Pass NULL in this field to use default attributes: |
||||
- kSecAttrIsPermanent if a keychain is specified |
||||
- kSecAttrIsSensitive for private keys |
||||
- kSecAttrIsExtractable by default |
||||
*/ |
||||
} SecItemImportExportKeyParameters; |
||||
|
||||
/*
|
||||
* SecKeychainItemExport() |
||||
* |
||||
* This function takes one or more SecKeychainItemRefs and creates an |
||||
* external representation of the item(s) in the form of a CFDataRef. |
||||
* Caller specifies the format of the external representation via a |
||||
* SecExternalFormat enum. Caller may specify kSecFormatUnknown for |
||||
* the format, in which case a the default format for the item |
||||
* being exported is used (as described in the SecExternalFormat enums). |
||||
* PEM armouring is optional and is specified by the kSecItemPemArmour |
||||
* flag in importFlags. |
||||
* |
||||
* If exactly one item is to be exported, the keychainItemOrArray argument |
||||
* can be a SecKeychainItem. Otherwise this argument is a CFArrayRef |
||||
* containing a number of SecKeychainItems. |
||||
* |
||||
* The exported item(s) is (are) returned to the caller via the |
||||
* CFDataRef *exportedData argument. Caller must CFRelease the result. |
||||
* |
||||
* The following SecKeychainItems may be exported: |
||||
* |
||||
* SecCertificateRef |
||||
* SecKeyRef |
||||
* SecIdentityRef |
||||
* |
||||
* |
||||
* Key-related SecKeyImportExportParameters fields |
||||
* ----------------------------------------------- |
||||
* |
||||
* When exporting SecKeyRefs in one of the wrapped formats |
||||
* (kSecFormatWrappedOpenSSL, kSecFormatWrappedSSH, |
||||
* kSecFormatWrappedPKCS8), or in PKCS12 format, caller must |
||||
* either explicitly specify the passphrase field or set |
||||
* the kSecKeySecurePassphrase bit in SecKeyImportExportFlags. |
||||
* |
||||
* If kSecKeySecurePassphrase is selected, caller can optionally |
||||
* specify strings for the passphrase panel's title bar and for |
||||
* the prompt which appears in the panel via the alertTitle and |
||||
* alertPrompt fields in SecKeyImportExportParameters. |
||||
* |
||||
* If an explicit passphrase is specified, note that PKCS12 |
||||
* explicitly requires that passphrases are in Unicode format; |
||||
* passing in a CFStringRef as the passphrase is the safest way |
||||
* to ensure that this requirement is met (and that the result |
||||
* will be compatible with other implementations). If a CFDataRef |
||||
* is supplied as the passphrase for a PKCS12 export operation, |
||||
* the referent data is assumed to be in UTF8 form and will be |
||||
* converted as appropriate. |
||||
* |
||||
* If no key items are being exported, the keyParams argument may be NULL. |
||||
* @discussion This API has been deprecated. Please us the SecItemExport API instead. |
||||
*/ |
||||
OSStatus SecKeychainItemExport( |
||||
CFTypeRef keychainItemOrArray, |
||||
SecExternalFormat outputFormat, |
||||
SecItemImportExportFlags flags, /* kSecItemPemArmor, etc. */ |
||||
const SecKeyImportExportParameters * __nullable keyParams, /* optional */ |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED exportedData) /* external representation returned here */ |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* SecItemExport() |
||||
* |
||||
* This function takes one or more SecItemRefs and creates an |
||||
* external representation of the item(s) in the form of a CFDataRef. |
||||
* Caller specifies the format of the external representation via a |
||||
* SecExternalFormat enum. Caller may specify kSecFormatUnknown for |
||||
* the format, in which case a the default format for the item |
||||
* being exported is used (as described in the SecExternalFormat enums). |
||||
* PEM armouring is optional and is specified by the kSecItemPemArmour |
||||
* flag in importFlags. |
||||
* |
||||
* If exactly one item is to be exported, the keychainItemOrArray argument |
||||
* can be a SecKeychainItem. Otherwise this argument is a CFArrayRef |
||||
* containing a number of SecKeychainItems. |
||||
* |
||||
* The exported item(s) is (are) returned to the caller via the |
||||
* CFDataRef *exportedData argument. Caller must CFRelease the result. |
||||
* |
||||
* The following SecKeychainItems may be exported: |
||||
* |
||||
* SecCertificateRef |
||||
* SecKeyRef |
||||
* SecIdentityRef |
||||
* |
||||
* |
||||
* Key-related SecItemExport fields |
||||
* ----------------------------------------------- |
||||
* |
||||
* When exporting SecKeyRefs in one of the wrapped formats |
||||
* (kSecFormatWrappedOpenSSL, kSecFormatWrappedSSH, |
||||
* kSecFormatWrappedPKCS8), or in PKCS12 format, caller must |
||||
* either explicitly specify the passphrase field or set |
||||
* the kSecKeySecurePassphrase bit in SecKeyImportExportFlags. |
||||
* |
||||
* If kSecKeySecurePassphrase is selected, caller can optionally |
||||
* specify strings for the passphrase panel's title bar and for |
||||
* the prompt which appears in the panel via the alertTitle and |
||||
* alertPrompt fields in SecItemImportExportKeyParameters. |
||||
* |
||||
* If an explicit passphrase is specified, note that PKCS12 |
||||
* explicitly requires that passphrases are in Unicode format; |
||||
* passing in a CFStringRef as the passphrase is the safest way |
||||
* to ensure that this requirement is met (and that the result |
||||
* will be compatible with other implementations). If a CFDataRef |
||||
* is supplied as the passphrase for a PKCS12 export operation, |
||||
* the referent data is assumed to be in UTF8 form and will be |
||||
* converted as appropriate. |
||||
* |
||||
* If no key items are being exported, the keyParams argument may be NULL. |
||||
* |
||||
*/ |
||||
OSStatus SecItemExport( |
||||
CFTypeRef secItemOrArray, |
||||
SecExternalFormat outputFormat, |
||||
SecItemImportExportFlags flags, /* kSecItemPemArmor, etc. */ |
||||
const SecItemImportExportKeyParameters * __nullable keyParams, /* optional */ |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED exportedData) /* external representation returned here */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
/*
|
||||
* SecKeychainItemImport() |
||||
* |
||||
* This function takes a CFDataRef containing the external representation |
||||
* of one or more objects and creates SecKeychainItems corresponding to |
||||
* those objects and optionally imports those SecKeychainItems into a |
||||
* specified keychain. The format of the incoming representation is |
||||
* specified by one or more of the following: |
||||
* |
||||
* -- A SecExternalFormat. This optional in/out argument is used when |
||||
* the caller knows exactly what format the external representation |
||||
* is in. It's also used to return to the caller the format which the |
||||
* function actually determines the external representation to be in. |
||||
* A value of kSecFormatUnknown is specified on entry when the caller |
||||
* wishes to know the inferred format on return. |
||||
* |
||||
* -- A SecExternalItemType - optional, in/out. Used to specify what kind |
||||
* of item is in the incoming representation, if known by the caller. |
||||
* It's also used to return to the caller the item type which the |
||||
* function actually determines the external representation to contain. |
||||
* A value of kSecItemTypeUnknown is specified on entry when the caller |
||||
* wishes to know the inferred item type on return. |
||||
* |
||||
* -- fileNameOrExtension, a CFStringRef. This optional argument contains |
||||
* the name of the file from which the external representation was |
||||
* obtained; it can also be simply an extension like CFSTR(".p7r"). |
||||
* This is a convenience for apps like KeychainAccess which can import a |
||||
* number of different formats. |
||||
* |
||||
* The SecKeychainItemImport() call does its best to figure out what is |
||||
* in an incoming external item given the info provided by the above three |
||||
* arguments. In most cases, SecKeychainItemImport() can even figure out |
||||
* what's in an external item if none of these are specified, but it would |
||||
* be unwise for an application to count on that ability. |
||||
* |
||||
* PEM formatting is determined internally via inspection of the incoming |
||||
* data, so the kSecItemPemArmuor in the flags field is ignored. |
||||
* |
||||
* Zero, one, or both of the following occurs upon successful completion |
||||
* of this function: |
||||
* |
||||
* -- The imported item(s) is (are) imported to the specified importKeychain. |
||||
* If importKeychain is NULL, this step does not occur. |
||||
* |
||||
* -- The imported item(s) is (are) returned to the caller via the |
||||
* CFArrayRef *outItems argument. If outItems is NULL, this step |
||||
* does not occur. If outItems is NON-NULL, then *outItems will be |
||||
* a CFArrayRef containing a number of SecKeychainItems upon return. |
||||
* Caller must CFRelease the result. |
||||
* |
||||
* The possible types of returned SecKeychainItems are: |
||||
* |
||||
* SecCertificateRef |
||||
* SecKeyRef |
||||
* SecIdentityRef |
||||
* |
||||
* Note that when importing a PKCS12 blob, typically one SecIdentityRef |
||||
* and zero or more additional SecCertificateRefs are returned in |
||||
* outItems. No SecKeyRefs will appear there unless a key |
||||
* is found in the incoming blob with does not have a matching |
||||
* certificate. |
||||
* |
||||
* A typical case in which an app specifies the outItems |
||||
* argument and a NULL for importKeychain is when the app wishes to |
||||
* perform some user interaction, perhaps on a per-item basis, before |
||||
* committing to actually import the item(s). In this case, if the app |
||||
* does wish to proceed with the import, the standard import calls |
||||
* (SecCertificateAddToKeychain(), SecKeyAddToKeychain (implementation |
||||
* TBD)) would be used. |
||||
* |
||||
* Passing in NULL for both outItems and importKeychain |
||||
* is a perfectly acceptable way of using this function to determine, |
||||
* in a non-intrusive way, what is inside a given data blob. No effect |
||||
* other than returning inputFormat and/or itemType occurs in this |
||||
* case. |
||||
|
||||
* |
||||
* Key-related SecKeyImportExportParameters fields |
||||
* ----------------------------------------------- |
||||
* |
||||
* If importKeychain is NULL, the kSecKeyImportOnlyOne bit in the flags |
||||
* argument is ignored. Otherwise, if the kSecKeyImportOnlyOne bit is set, and |
||||
* there is more than one key in the incoming external representation, no |
||||
* items will be imported to the specified keychain and errSecMultipleKeys will |
||||
* be returned. |
||||
* |
||||
* The accessRef field allows the caller to specify the initial SecAccessRef |
||||
* for imported private keys. If more than one private key is being imported, |
||||
* all private keys get the same initial SecAccessRef. If this field is NULL |
||||
* when private keys are being imported, then the ACL attached to imported |
||||
* private keys depends on the kSecKeyNoAccessControl bit in the specified |
||||
* keyParams->flags. If this bit is 0, or keyParams is NULL, the default ACL |
||||
* will be used. If this bit is 1, no ACL will be attached to imported |
||||
* private keys. |
||||
* |
||||
* keyUsage and keyAttributes specify the low-level usage and attribute flags |
||||
* of imported keys. Each is a word of bits. The default value for keyUsage |
||||
* (used when keyParams is NULL or if keyParams->keyUsage is zero) is |
||||
* CSSM_KEYUSE_ANY. The default value for keyAttributes defaults is |
||||
* CSSM_KEYATTR_SENSITIVE | CSSM_KEYATTR_EXTRACTABLE; the CSSM_KEYATTR_PERMANENT |
||||
* bit is also added to the default if a non-NULL importKeychain is provided. |
||||
* |
||||
* The following are valid bits in keyAttributes: |
||||
* |
||||
* CSSM_KEYATTR_PERMANENT |
||||
* CSSM_KEYATTR_SENSITIVE |
||||
* CSSM_KEYATTR_EXTRACTABLE |
||||
* |
||||
* If the CSSM_KEYATTR_PERMANENT is set then the importKeychain argument must |
||||
* be valid or errSecInvalidKeychain will be returned if in fact any keys are found |
||||
* in the external representation. |
||||
* |
||||
* Note that if the caller does not set the CSSM_KEYATTR_EXTRACTABLE, this key |
||||
* will never be able to be extracted from the keychain in any form, not even |
||||
* in wrapped form. The CSSM_KEYATTR_SENSITIVE indicates that the key can only |
||||
* be extracted in wrapped form. |
||||
* |
||||
* The CSSM_KEYATTR_RETURN_xxx bits are always forced to |
||||
* CSSM_KEYATTR_RETURN_REF regardless of the specified keyAttributes |
||||
* field. |
||||
* |
||||
* When importing SecKeyRefs in one of the wrapped formats |
||||
* (kSecFormatWrappedOpenSSL, kSecFormatWrappedSSH, |
||||
* kSecFormatWrappedPKCS8), or in PKCS12 format, caller must |
||||
* either explicitly specify the passphrase field or set |
||||
* the kSecKeySecurePassphrase bit in SecKeyImportExportFlags. |
||||
* |
||||
* If kSecKeySecurePassphrase is selected, caller can optionally |
||||
* specify strings for the passphrase panel's title bar and for |
||||
* the prompt which appears in the panel via the alertTitle and |
||||
* alertPrompt fields in SecKeyImportExportParameters. |
||||
* |
||||
* If an explicit passphrase is specified, note that PKCS12 |
||||
* explicitly requires that passphrases are in Unicode format; |
||||
* passing in a CFStringRef as the passphrase is the safest way |
||||
* to ensure that this requirement is met (and that the result |
||||
* will be compatible with other implementations). If a CFDataRef |
||||
* is supplied as the passphrase for a PKCS12 export operation, |
||||
* the referent data is assumed to be in UTF8 form and will be |
||||
* converted as appropriate. |
||||
|
||||
* If no key items are being imported, the keyParams argument may be NULL. |
||||
* |
||||
* The SecItemImportExportFlags argument is currently unused; caller should pass |
||||
* in 0. |
||||
* |
||||
* @discussion This API has been deprecated. Please use the SecItemImport API instead. |
||||
*/ |
||||
OSStatus SecKeychainItemImport( |
||||
CFDataRef importedData, |
||||
CFStringRef __nullable fileNameOrExtension, /* optional */ |
||||
SecExternalFormat * __nullable inputFormat, /* optional, IN/OUT */ |
||||
SecExternalItemType * __nullable itemType, /* optional, IN/OUT */ |
||||
SecItemImportExportFlags flags, |
||||
const SecKeyImportExportParameters * __nullable keyParams, /* optional */ |
||||
SecKeychainRef __nullable importKeychain, /* optional */ |
||||
CFArrayRef * __nullable CF_RETURNS_RETAINED outItems) /* optional */ |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* SecItemImport() |
||||
* |
||||
* This function takes a CFDataRef containing the external representation |
||||
* of one or more objects and creates SecKeychainItems corresponding to |
||||
* those objects and optionally imports those SecKeychainItems into a |
||||
* specified keychain. The format of the incoming representation is |
||||
* specified by one or more of the following: |
||||
* |
||||
* -- A SecExternalFormat. This optional in/out argument is used when |
||||
* the caller knows exactly what format the external representation |
||||
* is in. It's also used to return to the caller the format which the |
||||
* function actually determines the external representation to be in. |
||||
* A value of kSecFormatUnknown is specified on entry when the caller |
||||
* wishes to know the inferred format on return. |
||||
* |
||||
* -- A SecExternalItemType - optional, in/out. Used to specify what kind |
||||
* of item is in the incoming representation, if known by the caller. |
||||
* It's also used to return to the caller the item type which the |
||||
* function actually determines the external representation to contain. |
||||
* A value of kSecItemTypeUnknown is specified on entry when the caller |
||||
* wishes to know the inferred item type on return. |
||||
* |
||||
* -- fileNameOrExtension, a CFStringRef. This optional argument contains |
||||
* the name of the file from which the external representation was |
||||
* obtained; it can also be simply an extension like CFSTR(".p7r"). |
||||
* This is a convenience for apps like KeychainAccess which can import a |
||||
* number of different formats. |
||||
* |
||||
* The SecItemImport() call does its best to figure out what is |
||||
* in an incoming external item given the info provided by the above three |
||||
* arguments. In most cases, SecItemImport() can even figure out |
||||
* what's in an external item if none of these are specified, but it would |
||||
* be unwise for an application to count on that ability. |
||||
* |
||||
* PEM formatting is determined internally via inspection of the incoming |
||||
* data, so the kSecItemPemArmuor in the flags field is ignored. |
||||
* |
||||
* Zero, one, or both of the following occurs upon successful completion |
||||
* of this function: |
||||
* |
||||
* -- The imported item(s) is (are) imported to the specified importKeychain. |
||||
* If importKeychain is NULL, this step does not occur. |
||||
* |
||||
* -- The imported item(s) is (are) returned to the caller via the |
||||
* CFArrayRef *outItems argument. If outItems is NULL, this step |
||||
* does not occur. If outItems is NON-NULL, then *outItems will be |
||||
* a CFArrayRef containing a number of SecKeychainItems upon return. |
||||
* Caller must CFRelease the result. |
||||
* |
||||
* The possible types of returned SecKeychainItems are: |
||||
* |
||||
* SecCertificateRef |
||||
* SecKeyRef |
||||
* SecIdentityRef |
||||
* |
||||
* Note that when importing a PKCS12 blob, typically one SecIdentityRef |
||||
* and zero or more additional SecCertificateRefs are returned in |
||||
* outItems. No SecKeyRefs will appear there unless a key |
||||
* is found in the incoming blob with does not have a matching |
||||
* certificate. |
||||
* |
||||
* A typical case in which an app specifies the outItems |
||||
* argument and a NULL for importKeychain is when the app wishes to |
||||
* perform some user interaction, perhaps on a per-item basis, before |
||||
* committing to actually import the item(s). In this case, if the app |
||||
* does wish to proceed with the import, the standard import calls |
||||
* (SecCertificateAddToKeychain(), SecKeyAddToKeychain (implementation |
||||
* TBD)) would be used. |
||||
* |
||||
* Passing in NULL for both outItems and importKeychain |
||||
* is a perfectly acceptable way of using this function to determine, |
||||
* in a non-intrusive way, what is inside a given data blob. No effect |
||||
* other than returning inputFormat and/or itemType occurs in this |
||||
* case. |
||||
|
||||
* |
||||
* Key-related SecItemImportExportKeyParameters fields |
||||
* ----------------------------------------------- |
||||
* |
||||
* If importKeychain is NULL, the kSecKeyImportOnlyOne bit in the flags |
||||
* argument is ignored. Otherwise, if the kSecKeyImportOnlyOne bit is set, and |
||||
* there is more than one key in the incoming external representation, no |
||||
* items will be imported to the specified keychain and errSecMultipleKeys will |
||||
* be returned. |
||||
* |
||||
* The accessRef field allows the caller to specify the initial SecAccessRef |
||||
* for imported private keys. If more than one private key is being imported, |
||||
* all private keys get the same initial SecAccessRef. If this field is NULL |
||||
* when private keys are being imported, then the ACL attached to imported |
||||
* private keys depends on the kSecKeyNoAccessControl bit in the specified |
||||
* keyParams->flags. If this bit is 0, or keyParams is NULL, the default ACL |
||||
* will be used. If this bit is 1, no ACL will be attached to imported |
||||
* private keys. |
||||
* |
||||
* keyUsage and keyAttributes specify the low-level usage and attribute flags |
||||
* of imported keys. These fields contain a CFArray whose values are constants |
||||
* from SecItem.h. |
||||
* |
||||
* Possible values in the keyUsage array: |
||||
* |
||||
* kSecAttrCanEncrypt |
||||
* kSecAttrCanDecrypt |
||||
* kSecAttrCanDerive |
||||
* kSecAttrCanSign |
||||
* kSecAttrCanVerify |
||||
* kSecAttrCanWrap |
||||
* kSecAttrCanUnwrap |
||||
* |
||||
* If keyUsage is set to NULL, then any key usage is permitted. |
||||
* |
||||
* Possible values in the keyAttributes array: |
||||
* |
||||
* kSecAttrIsPermanent |
||||
* kSecAttrIsSensitive |
||||
* kSecAttrIsExtractable |
||||
* |
||||
* If keyAttributes is set to NULL, then default values are used: |
||||
* kSecAttrIsPermanent if an import keychain is specified |
||||
* kSecAttrIsSensitive for non-public keys |
||||
* kSecAttrIsExtractable |
||||
* |
||||
* If the kSecAttrIsPermanent attribute is set, then the |
||||
* importKeychain argument must be valid or errSecInvalidKeychain |
||||
* will be returned even if keys were able to be imported. |
||||
* |
||||
* Note that if the caller provides a keyAttributes array but |
||||
* does not set kSecAttrIsExtractable, this key will never be |
||||
* able to be extracted from the keychain in any form, not even |
||||
* in wrapped form. kSecAttrIsSensitive indicates that the key |
||||
* can only be extracted in wrapped form. |
||||
* |
||||
* When importing SecKeyRefs in one of the wrapped formats |
||||
* (kSecFormatWrappedOpenSSL, kSecFormatWrappedSSH, |
||||
* kSecFormatWrappedPKCS8), or in PKCS12 format, caller must |
||||
* either explicitly specify the passphrase field or set |
||||
* the kSecKeySecurePassphrase bit in SecKeyImportExportFlags. |
||||
* |
||||
* If kSecKeySecurePassphrase is selected, caller can optionally |
||||
* specify strings for the passphrase panel's title bar and for |
||||
* the prompt which appears in the panel via the alertTitle and |
||||
* alertPrompt fields in SecItemImportExportKeyParameters. |
||||
* |
||||
* If an explicit passphrase is specified, note that PKCS12 |
||||
* explicitly requires that passphrases are in Unicode format; |
||||
* passing in a CFStringRef as the passphrase is the safest way |
||||
* to ensure that this requirement is met (and that the result |
||||
* will be compatible with other implementations). If a CFDataRef |
||||
* is supplied as the passphrase for a PKCS12 export operation, |
||||
* the referent data is assumed to be in UTF8 form and will be |
||||
* converted as appropriate. |
||||
|
||||
* If no key items are being imported, the keyParams argument may be NULL. |
||||
* |
||||
* The SecItemImportExportFlags argument is currently unused; caller should pass |
||||
* in 0. |
||||
*/ |
||||
|
||||
OSStatus SecItemImport( |
||||
CFDataRef importedData, |
||||
CFStringRef __nullable fileNameOrExtension, /* optional */ |
||||
SecExternalFormat * __nullable inputFormat, /* optional, IN/OUT */ |
||||
SecExternalItemType * __nullable itemType, /* optional, IN/OUT */ |
||||
SecItemImportExportFlags flags, |
||||
const SecItemImportExportKeyParameters * __nullable keyParams, /* optional */ |
||||
SecKeychainRef __nullable importKeychain, /* optional */ |
||||
CFArrayRef * __nullable CF_RETURNS_RETAINED outItems) /* optional */ |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
/*!
|
||||
@enum Import/Export options |
||||
@discussion Predefined key constants used when passing dictionary-based arguments to import/export functions. |
||||
@constant kSecImportExportPassphrase Specifies a passphrase represented by a CFStringRef to be used when exporting to (or importing from) PKCS#12 format. |
||||
@constant kSecImportExportKeychain Specifies a keychain represented by a SecKeychainRef to be used as the target when importing from PKCS#12 format. |
||||
@constant kSecImportExportAccess Specifies an access represented by a SecAccessRef for the initial access (ACL) of a key imported from PKCS#12 format. |
||||
*/ |
||||
extern const CFStringRef kSecImportExportPassphrase; |
||||
extern const CFStringRef kSecImportExportKeychain; |
||||
extern const CFStringRef kSecImportExportAccess; |
||||
|
||||
/*!
|
||||
@enum Import/Export item description |
||||
@discussion Predefined key constants used by functions which return a CFArray with a CFDictionary per item. |
||||
@constant kSecImportItemLabel A CFStringRef representing the item label. This implementation specific identifier cannot be expected to have any format. |
||||
@constant kSecImportItemKeyID A CFDataRef representing the key id. Typically this is the SHA-1 digest of the public key. |
||||
@constant kSecImportItemIdentity A SecIdentityRef representing the identity. |
||||
@constant kSecImportItemTrust A SecTrustRef set up with all relevant certificates. Not guaranteed to succesfully evaluate. |
||||
@constant kSecImportItemCertChain A CFArrayRef holding all relevant certificates for this item's identity. |
||||
*/ |
||||
extern const CFStringRef kSecImportItemLabel; |
||||
extern const CFStringRef kSecImportItemKeyID; |
||||
extern const CFStringRef kSecImportItemTrust; |
||||
extern const CFStringRef kSecImportItemCertChain; |
||||
extern const CFStringRef kSecImportItemIdentity; |
||||
|
||||
/*!
|
||||
@function SecPKCS12Import |
||||
@abstract Imports the contents of a PKCS12 formatted blob. |
||||
@param pkcs12_data The PKCS12 data to be imported. |
||||
@param options A dictionary containing import options. A kSecImportExportPassphrase entry is required at minimum. Only password-based PKCS12 blobs are currently supported. |
||||
@param items On return, an array containing a dictionary for every item extracted. Use kSecImportItem constants to access specific elements of these dictionaries. Your code must CFRelease the array when it is no longer needed. |
||||
@result errSecSuccess in case of success. errSecDecode means either the blob can't be read or it is malformed. |
||||
errSecAuthFailed means an incorrect password was supplied, or data in the container is damaged. |
||||
*/ |
||||
OSStatus SecPKCS12Import(CFDataRef pkcs12_data, CFDictionaryRef options, CFArrayRef * __nonnull CF_RETURNS_RETAINED items); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _SECURITY_SEC_IMPORT_EXPORT_H_ */ |
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,612 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2014 Apple Inc. All Rights Reserved. |
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecKey |
||||
The functions provided in SecKey.h implement and manage a particular |
||||
type of keychain item that represents a key. A key can be stored in a |
||||
keychain, but a key can also be a transient object. |
||||
|
||||
You can use a key as a keychain item in most functions. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECKEY_H_ |
||||
#define _SECURITY_SECKEY_H_ |
||||
|
||||
#include <dispatch/dispatch.h> |
||||
#include <Security/SecBase.h> |
||||
#include <Security/SecAccess.h> |
||||
#include <Security/cssmtype.h> |
||||
#include <CoreFoundation/CFBase.h> |
||||
#include <CoreFoundation/CFDictionary.h> |
||||
#include <sys/types.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@enum KeyItemAttributeConstants |
||||
@abstract Specifies keychain item attributes for keys. |
||||
@constant kSecKeyKeyClass type uint32 (CSSM_KEYCLASS), value |
||||
is one of CSSM_KEYCLASS_PUBLIC_KEY, CSSM_KEYCLASS_PRIVATE_KEY |
||||
or CSSM_KEYCLASS_SESSION_KEY. |
||||
@constant kSecKeyPrintName type blob, human readable name of |
||||
the key. Same as kSecLabelItemAttr for normal keychain items. |
||||
@constant kSecKeyAlias type blob, currently unused. |
||||
@constant kSecKeyPermanent type uint32, value is nonzero iff |
||||
this key is permanent (stored in some keychain). This is always |
||||
1. |
||||
@constant kSecKeyPrivate type uint32, value is nonzero iff this |
||||
key is protected by a user login or a password, or both. |
||||
@constant kSecKeyModifiable type uint32, value is nonzero iff |
||||
attributes of this key can be modified. |
||||
@constant kSecKeyLabel type blob, for private and public keys |
||||
this contains the hash of the public key. This is used to |
||||
associate certificates and keys. Its value matches the value |
||||
of the kSecPublicKeyHashItemAttr of a certificate and it's used |
||||
to construct an identity from a certificate and a key. |
||||
For symmetric keys this is whatever the creator of the key |
||||
passed in during the generate key call. |
||||
@constant kSecKeyApplicationTag type blob, currently unused. |
||||
@constant kSecKeyKeyCreator type data, the data points to a |
||||
CSSM_GUID structure representing the moduleid of the csp owning |
||||
this key. |
||||
@constant kSecKeyKeyType type uint32, value is a CSSM_ALGORITHMS |
||||
representing the algorithm associated with this key. |
||||
@constant kSecKeyKeySizeInBits type uint32, value is the number |
||||
of bits in this key. |
||||
@constant kSecKeyEffectiveKeySize type uint32, value is the |
||||
effective number of bits in this key. For example a des key |
||||
has a kSecKeyKeySizeInBits of 64 but a kSecKeyEffectiveKeySize |
||||
of 56. |
||||
@constant kSecKeyStartDate type CSSM_DATE. Earliest date from |
||||
which this key may be used. If the value is all zeros or not |
||||
present, no restriction applies. |
||||
@constant kSecKeyEndDate type CSSM_DATE. Latest date at |
||||
which this key may be used. If the value is all zeros or not |
||||
present, no restriction applies. |
||||
@constant kSecKeySensitive type uint32, iff value is nonzero |
||||
this key cannot be wrapped with CSSM_ALGID_NONE. |
||||
@constant kSecKeyAlwaysSensitive type uint32, value is nonzero |
||||
iff this key has always been marked sensitive. |
||||
@constant kSecKeyExtractable type uint32, value is nonzero iff |
||||
this key can be wrapped. |
||||
@constant kSecKeyNeverExtractable type uint32, value is nonzero |
||||
iff this key was never marked extractable. |
||||
@constant kSecKeyEncrypt type uint32, value is nonzero iff this |
||||
key can be used in an encrypt operation. |
||||
@constant kSecKeyDecrypt type uint32, value is nonzero iff this |
||||
key can be used in a decrypt operation. |
||||
@constant kSecKeyDerive type uint32, value is nonzero iff this |
||||
key can be used in a deriveKey operation. |
||||
@constant kSecKeySign type uint32, value is nonzero iff this |
||||
key can be used in a sign operation. |
||||
@constant kSecKeyVerify type uint32, value is nonzero iff this |
||||
key can be used in a verify operation. |
||||
@constant kSecKeySignRecover type uint32. |
||||
@constant kSecKeyVerifyRecover type uint32. |
||||
key can unwrap other keys. |
||||
@constant kSecKeyWrap type uint32, value is nonzero iff this |
||||
key can wrap other keys. |
||||
@constant kSecKeyUnwrap type uint32, value is nonzero iff this |
||||
key can unwrap other keys. |
||||
@discussion |
||||
The use of these enumerations has been deprecated. Please |
||||
use the equivalent items defined in SecItem.h |
||||
@@@. |
||||
*/ |
||||
CF_ENUM(int) |
||||
{ |
||||
kSecKeyKeyClass = 0, |
||||
kSecKeyPrintName = 1, |
||||
kSecKeyAlias = 2, |
||||
kSecKeyPermanent = 3, |
||||
kSecKeyPrivate = 4, |
||||
kSecKeyModifiable = 5, |
||||
kSecKeyLabel = 6, |
||||
kSecKeyApplicationTag = 7, |
||||
kSecKeyKeyCreator = 8, |
||||
kSecKeyKeyType = 9, |
||||
kSecKeyKeySizeInBits = 10, |
||||
kSecKeyEffectiveKeySize = 11, |
||||
kSecKeyStartDate = 12, |
||||
kSecKeyEndDate = 13, |
||||
kSecKeySensitive = 14, |
||||
kSecKeyAlwaysSensitive = 15, |
||||
kSecKeyExtractable = 16, |
||||
kSecKeyNeverExtractable = 17, |
||||
kSecKeyEncrypt = 18, |
||||
kSecKeyDecrypt = 19, |
||||
kSecKeyDerive = 20, |
||||
kSecKeySign = 21, |
||||
kSecKeyVerify = 22, |
||||
kSecKeySignRecover = 23, |
||||
kSecKeyVerifyRecover = 24, |
||||
kSecKeyWrap = 25, |
||||
kSecKeyUnwrap = 26 |
||||
}; |
||||
|
||||
/*!
|
||||
@enum SecCredentialType |
||||
@abstract Determines the type of credential returned by SecKeyGetCredentials. |
||||
@constant kSecCredentialTypeWithUI Operations with this key are allowed to present UI if required. |
||||
@constant kSecCredentialTypeNoUI Operations with this key are not allowed to present UI, and will fail if UI is required. |
||||
@constant kSecCredentialTypeDefault The default setting for determining whether to present UI is used. This setting can be changed with a call to SecKeychainSetUserInteractionAllowed. |
||||
*/ |
||||
typedef CF_ENUM(uint32, SecCredentialType) |
||||
{ |
||||
kSecCredentialTypeDefault = 0, |
||||
kSecCredentialTypeWithUI, |
||||
kSecCredentialTypeNoUI |
||||
}; |
||||
|
||||
/*!
|
||||
@typedef SecPadding |
||||
@abstract Supported padding types. |
||||
*/ |
||||
typedef CF_ENUM(uint32_t, SecPadding) |
||||
{ |
||||
kSecPaddingNone = 0, |
||||
kSecPaddingPKCS1 = 1, |
||||
|
||||
/* For SecKeyRawSign/SecKeyRawVerify only,
|
||||
ECDSA signature is raw byte format {r,s}, big endian. |
||||
First half is r, second half is s */ |
||||
kSecPaddingSigRaw = 0x4000, |
||||
|
||||
/* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD2
|
||||
hash; standard ASN.1 padding will be done, as well as PKCS1 padding |
||||
of the underlying RSA operation. */ |
||||
kSecPaddingPKCS1MD2 = 0x8000, |
||||
|
||||
/* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD5
|
||||
hash; standard ASN.1 padding will be done, as well as PKCS1 padding |
||||
of the underlying RSA operation. */ |
||||
kSecPaddingPKCS1MD5 = 0x8001, |
||||
|
||||
/* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA1
|
||||
hash; standard ASN.1 padding will be done, as well as PKCS1 padding |
||||
of the underlying RSA operation. */ |
||||
kSecPaddingPKCS1SHA1 = 0x8002, |
||||
}; |
||||
|
||||
/*!
|
||||
@typedef SecKeySizes |
||||
@abstract Supported key lengths. |
||||
*/ |
||||
typedef CF_ENUM(uint32_t, SecKeySizes) |
||||
{ |
||||
kSecDefaultKeySize = 0, |
||||
|
||||
// Symmetric Keysizes - default is currently kSecAES128 for AES.
|
||||
kSec3DES192 = 192, |
||||
kSecAES128 = 128, |
||||
kSecAES192 = 192, |
||||
kSecAES256 = 256, |
||||
|
||||
// Supported ECC Keys for Suite-B from RFC 4492 section 5.1.1.
|
||||
// default is currently kSecp256r1
|
||||
kSecp192r1 = 192, |
||||
kSecp256r1 = 256, |
||||
kSecp384r1 = 384, |
||||
kSecp521r1 = 521, // Yes, 521
|
||||
|
||||
// Boundaries for RSA KeySizes - default is currently 2048
|
||||
// RSA keysizes must be multiples of 8
|
||||
kSecRSAMin = 1024, |
||||
kSecRSAMax = 4096 |
||||
}; |
||||
|
||||
/*!
|
||||
@enum Key Parameter Constants |
||||
@discussion Predefined key constants used to get or set values in a dictionary. |
||||
These are used to provide explicit parameters to key generation functions |
||||
when non-default values are desired. See the description of the |
||||
SecKeyGeneratePair API for usage information. |
||||
@constant kSecPrivateKeyAttrs The value for this key is a CFDictionaryRef |
||||
containing attributes specific for the private key to be generated. |
||||
@constant kSecPublicKeyAttrs The value for this key is a CFDictionaryRef |
||||
containing attributes specific for the public key to be generated. |
||||
*/ |
||||
extern const CFStringRef kSecPrivateKeyAttrs |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_2_0); |
||||
extern const CFStringRef kSecPublicKeyAttrs |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_2_0); |
||||
|
||||
|
||||
/*!
|
||||
@function SecKeyGetTypeID |
||||
@abstract Returns the type identifier of SecKey instances. |
||||
@result The CFTypeID of SecKey instances. |
||||
*/ |
||||
CFTypeID SecKeyGetTypeID(void) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecKeyCreatePair |
||||
@abstract Creates an asymmetric key pair and stores it in a specified keychain. |
||||
@param keychainRef A reference to the keychain in which to store the private and public key items. Specify NULL for the default keychain. |
||||
@param algorithm An algorithm for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied. |
||||
@param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied. |
||||
@param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function. |
||||
@param publicKeyUsage A bit mask indicating all permitted uses for the new public key. CSSM_KEYUSE bit mask values are defined in cssmtype.h. |
||||
@param publicKeyAttr A bit mask defining attribute values for the new public key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h. |
||||
@param privateKeyUsage A bit mask indicating all permitted uses for the new private key. CSSM_KEYUSE bit mask values are defined in cssmtype.h. |
||||
@param privateKeyAttr A bit mask defining attribute values for the new private key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h. |
||||
@param initialAccess (optional) A SecAccess object that determines the initial access rights to the private key. The public key is given "any/any" access rights by default. |
||||
@param publicKey (optional) On return, the keychain item reference of the generated public key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required. |
||||
@param privateKey (optional) On return, the keychain item reference of the generated private key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated for 10.7. Please use the SecKeyGeneratePair API instead. |
||||
*/ |
||||
OSStatus SecKeyCreatePair( |
||||
SecKeychainRef __nullable keychainRef, |
||||
CSSM_ALGORITHMS algorithm, |
||||
uint32 keySizeInBits, |
||||
CSSM_CC_HANDLE contextHandle, |
||||
CSSM_KEYUSE publicKeyUsage, |
||||
uint32 publicKeyAttr, |
||||
CSSM_KEYUSE privateKeyUsage, |
||||
uint32 privateKeyAttr, |
||||
SecAccessRef __nullable initialAccess, |
||||
SecKeyRef* __nullable CF_RETURNS_RETAINED publicKey, |
||||
SecKeyRef* __nullable CF_RETURNS_RETAINED privateKey) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecKeyGenerate |
||||
@abstract Creates a symmetric key and optionally stores it in a specified keychain. |
||||
@param keychainRef (optional) A reference to the keychain in which to store the generated key. Specify NULL to generate a transient key. |
||||
@param algorithm An algorithm for the symmetric key. This parameter is ignored if a valid (non-zero) contextHandle is supplied. |
||||
@param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied. |
||||
@param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function. |
||||
@param keyUsage A bit mask indicating all permitted uses for the new key. CSSM_KEYUSE bit mask values are defined in cssmtype.h. |
||||
@param keyAttr A bit mask defining attribute values for the new key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h. |
||||
@param initialAccess (optional) A SecAccess object that determines the initial access rights for the key. This parameter is ignored if the keychainRef is NULL. |
||||
@param keyRef On return, a reference to the generated key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated for 10.7. Please use the SecKeyGenerateSymmetric API instead. |
||||
*/ |
||||
OSStatus SecKeyGenerate( |
||||
SecKeychainRef __nullable keychainRef, |
||||
CSSM_ALGORITHMS algorithm, |
||||
uint32 keySizeInBits, |
||||
CSSM_CC_HANDLE contextHandle, |
||||
CSSM_KEYUSE keyUsage, |
||||
uint32 keyAttr, |
||||
SecAccessRef __nullable initialAccess, |
||||
SecKeyRef* __nullable CF_RETURNS_RETAINED keyRef) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecKeyGetCSSMKey |
||||
@abstract Returns a pointer to the CSSM_KEY for the given key item reference. |
||||
@param key A keychain key item reference. The key item must be of class type kSecPublicKeyItemClass, kSecPrivateKeyItemClass, or kSecSymmetricKeyItemClass. |
||||
@param cssmKey On return, a pointer to a CSSM_KEY structure for the given key. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion The CSSM_KEY is valid until the key item reference is released. This API is deprecated in 10.7. Its use should no longer be needed. |
||||
*/ |
||||
OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY * __nullable * __nonnull cssmKey) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;; |
||||
|
||||
/*!
|
||||
@function SecKeyGetCSPHandle |
||||
@abstract Returns the CSSM_CSP_HANDLE for the given key reference. The handle is valid until the key reference is released. |
||||
@param keyRef A key reference. |
||||
@param cspHandle On return, the CSSM_CSP_HANDLE for the given keychain. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated in 10.7. Its use should no longer be needed. |
||||
*/ |
||||
OSStatus SecKeyGetCSPHandle(SecKeyRef keyRef, CSSM_CSP_HANDLE *cspHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecKeyGetCredentials |
||||
@abstract For a given key, return a pointer to a CSSM_ACCESS_CREDENTIALS structure which will allow the key to be used. |
||||
@param keyRef The key for which a credential is requested. |
||||
@param operation The type of operation to be performed with this key. See "Authorization tag type" for defined operations (cssmtype.h). |
||||
@param credentialType The type of credential requested. |
||||
@param outCredentials On return, a pointer to a CSSM_ACCESS_CREDENTIALS structure. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeyGetCredentials( |
||||
SecKeyRef keyRef, |
||||
CSSM_ACL_AUTHORIZATION_TAG operation, |
||||
SecCredentialType credentialType, |
||||
const CSSM_ACCESS_CREDENTIALS * __nullable * __nonnull outCredentials) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecKeyGetBlockSize |
||||
@abstract Decrypt a block of ciphertext. |
||||
@param key The key for which the block length is requested. |
||||
@result The block length of the key in bytes. |
||||
@discussion If for example key is an RSA key the value returned by |
||||
this function is the size of the modulus. |
||||
*/ |
||||
size_t SecKeyGetBlockSize(SecKeyRef key) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecKeyGenerateSymmetric |
||||
@abstract Generates a random symmetric key with the specified length |
||||
and algorithm type. |
||||
|
||||
@param parameters A dictionary containing one or more key-value pairs. |
||||
See the discussion sections below for a complete overview of options. |
||||
@param error An optional pointer to a CFErrorRef. This value is set |
||||
if an error occurred. If not NULL, the caller is responsible for |
||||
releasing the CFErrorRef. |
||||
@result On return, a SecKeyRef reference to the symmetric key, or |
||||
NULL if the key could not be created. |
||||
|
||||
@discussion In order to generate a symmetric key, the parameters dictionary |
||||
must at least contain the following keys: |
||||
|
||||
* kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other |
||||
kSecAttrKeyType defined in SecItem.h |
||||
* kSecAttrKeySizeInBits with a value being a CFNumberRef containing |
||||
the requested key size in bits. Example sizes for AES keys are: |
||||
128, 192, 256, 512. |
||||
|
||||
To store the generated symmetric key in a keychain, set these keys: |
||||
* kSecUseKeychain (value is a SecKeychainRef) |
||||
* kSecAttrLabel (a user-visible label whose value is a CFStringRef, |
||||
e.g. "My App's Encryption Key") |
||||
* kSecAttrApplicationLabel (a label defined by your application, whose |
||||
value is a CFStringRef and which can be used to find this key in a |
||||
subsequent call to SecItemCopyMatching, e.g. "ID-1234567890-9876-0151") |
||||
|
||||
To specify the generated key's access control settings, set this key: |
||||
* kSecAttrAccess (value is a SecAccessRef) |
||||
|
||||
The keys below may be optionally set in the parameters dictionary |
||||
(with a CFBooleanRef value) to override the default usage values: |
||||
|
||||
* kSecAttrCanEncrypt (defaults to true if not explicitly specified) |
||||
* kSecAttrCanDecrypt (defaults to true if not explicitly specified) |
||||
* kSecAttrCanWrap (defaults to true if not explicitly specified) |
||||
* kSecAttrCanUnwrap (defaults to true if not explicitly specified) |
||||
|
||||
*/ |
||||
__nullable |
||||
SecKeyRef SecKeyGenerateSymmetric(CFDictionaryRef parameters, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
|
||||
/*!
|
||||
@function SecKeyCreateFromData |
||||
@abstract Creates a symmetric key with the given data and sets the |
||||
algorithm type specified. |
||||
|
||||
@param parameters A dictionary containing one or more key-value pairs. |
||||
See the discussion sections below for a complete overview of options. |
||||
@result On return, a SecKeyRef reference to the symmetric key. |
||||
|
||||
@discussion In order to generate a symmetric key the parameters dictionary must |
||||
at least contain the following keys: |
||||
|
||||
* kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other |
||||
kSecAttrKeyType defined in SecItem.h |
||||
|
||||
The keys below may be optionally set in the parameters dictionary |
||||
(with a CFBooleanRef value) to override the default usage values: |
||||
|
||||
* kSecAttrCanEncrypt (defaults to true if not explicitly specified) |
||||
* kSecAttrCanDecrypt (defaults to true if not explicitly specified) |
||||
* kSecAttrCanWrap (defaults to true if not explicitly specified) |
||||
* kSecAttrCanUnwrap (defaults to true if not explicitly specified) |
||||
|
||||
*/ |
||||
__nullable |
||||
SecKeyRef SecKeyCreateFromData(CFDictionaryRef parameters, |
||||
CFDataRef keyData, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
|
||||
/*!
|
||||
@function SecKeyGeneratePair |
||||
@abstract Generate a private/public keypair. |
||||
@param parameters A dictionary containing one or more key-value pairs. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). On success, |
||||
the result code will be errSecSuccess, and the output parameters will |
||||
contain the public SecKeyRef and private SecKeyRef. It is the caller's |
||||
responsibility to CFRelease these key references when finished with them. |
||||
|
||||
@discussion In order to generate a keypair the parameters dictionary must |
||||
at least contain the following keys: |
||||
|
||||
* kSecAttrKeyType with a value of kSecAttrKeyTypeRSA or any other |
||||
kSecAttrKeyType defined in SecItem.h |
||||
* kSecAttrKeySizeInBits with a value being a CFNumberRef containing |
||||
the requested key size in bits. Example sizes for RSA keys are: |
||||
512, 768, 1024, 2048. |
||||
|
||||
The values below may be set either in the top-level dictionary or in a |
||||
dictionary that is the value of the kSecPrivateKeyAttrs or |
||||
kSecPublicKeyAttrs key in the top-level dictionary. Setting these |
||||
attributes explicitly will override the defaults below. See SecItem.h |
||||
for detailed information on these attributes including the types of |
||||
the values. |
||||
|
||||
* kSecAttrLabel default NULL |
||||
* kSecUseKeychain default NULL, which specifies the default keychain |
||||
* kSecAttrApplicationTag default NULL |
||||
* kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits |
||||
* kSecAttrCanEncrypt default false for private keys, true for public keys |
||||
* kSecAttrCanDecrypt default true for private keys, false for public keys |
||||
* kSecAttrCanDerive default true |
||||
* kSecAttrCanSign default true for private keys, false for public keys |
||||
* kSecAttrCanVerify default false for private keys, true for public keys |
||||
* kSecAttrCanWrap default false for private keys, true for public keys |
||||
* kSecAttrCanUnwrap default true for private keys, false for public keys |
||||
|
||||
*/ |
||||
OSStatus SecKeyGeneratePair(CFDictionaryRef parameters, |
||||
SecKeyRef * __nullable CF_RETURNS_RETAINED publicKey, SecKeyRef * __nullable CF_RETURNS_RETAINED privateKey) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@typedef SecKeyGeneratePairBlock |
||||
@abstract Delivers the result from an asynchronous key pair generation. |
||||
@param publicKey - the public key generated. You must retain publicKey if you wish to use it after your block returns. |
||||
@param privateKey - the private key generated. You must retain publicKey if you wish to use it after your block returns. |
||||
@param error - Any errors returned. You must retain error if you wish to use it after your block returns. |
||||
*/ |
||||
|
||||
#ifdef __BLOCKS__ |
||||
typedef void (^SecKeyGeneratePairBlock)(SecKeyRef publicKey, SecKeyRef privateKey, CFErrorRef error); |
||||
|
||||
|
||||
/*!
|
||||
@function SecKeyGeneratePairAsync |
||||
@abstract Generate a private/public keypair returning the values in a callback. |
||||
@param parameters A dictionary containing one or more key-value pairs. |
||||
@param deliveryQueue A dispatch queue to be used to deliver the results. |
||||
@param result A callback function to result when the operation has completed. |
||||
@result On success the function returns NULL. |
||||
|
||||
@discussion In order to generate a keypair the parameters dictionary must |
||||
at least contain the following keys: |
||||
|
||||
* kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other |
||||
kSecAttrKeyType defined in SecItem.h |
||||
* kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef |
||||
containing the requested key size in bits. Example sizes for RSA |
||||
keys are: 512, 768, 1024, 2048. |
||||
|
||||
Setting the following attributes explicitly will override the defaults below. |
||||
See SecItem.h for detailed information on these attributes including the types |
||||
of the values. |
||||
|
||||
* kSecAttrLabel default NULL |
||||
* kSecAttrIsPermanent if this key is present and has a Boolean |
||||
value of true, the key or key pair will be added to the default |
||||
keychain. |
||||
* kSecAttrApplicationTag default NULL |
||||
* kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits |
||||
* kSecAttrCanEncrypt default false for private keys, true for public keys |
||||
* kSecAttrCanDecrypt default true for private keys, false for public keys |
||||
* kSecAttrCanDerive default true |
||||
* kSecAttrCanSign default true for private keys, false for public keys |
||||
* kSecAttrCanVerify default false for private keys, true for public keys |
||||
* kSecAttrCanWrap default false for private keys, true for public keys |
||||
* kSecAttrCanUnwrap default true for private keys, false for public keys |
||||
|
||||
*/ |
||||
void SecKeyGeneratePairAsync(CFDictionaryRef parameters, |
||||
dispatch_queue_t deliveryQueue, SecKeyGeneratePairBlock result) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
#endif /* __BLOCKS__ */ |
||||
|
||||
// Derive, Wrap, and Unwrap
|
||||
|
||||
/*!
|
||||
@function SecKeyDeriveFromPassword |
||||
@abstract Derives a symmetric key from a password. |
||||
|
||||
@param password The password from which the keyis to be derived. |
||||
@param parameters A dictionary containing one or more key-value pairs. |
||||
@param error If the call fails this will contain the error code. |
||||
|
||||
@discussion In order to derive a key the parameters dictionary must contain at least contain the following keys: |
||||
* kSecAttrSalt - a CFData for the salt value for mixing in the pseudo-random rounds. |
||||
* kSecAttrPRF - the algorithm to use for the pseudo-random-function. |
||||
If 0, this defaults to kSecAttrPRFHmacAlgSHA1. Possible values are: |
||||
|
||||
* kSecAttrPRFHmacAlgSHA1 |
||||
* kSecAttrPRFHmacAlgSHA224 |
||||
* kSecAttrPRFHmacAlgSHA256 |
||||
* kSecAttrPRFHmacAlgSHA384 |
||||
* kSecAttrPRFHmacAlgSHA512 |
||||
|
||||
* kSecAttrRounds - the number of rounds to call the pseudo random function. |
||||
If 0, a count will be computed to average 1/10 of a second. |
||||
* kSecAttrKeySizeInBits with a value being a CFNumberRef |
||||
containing the requested key size in bits. Example sizes for RSA keys are: |
||||
512, 768, 1024, 2048. |
||||
|
||||
@result On success a SecKeyRef is returned. On failure this result is NULL and the |
||||
error parameter contains the reason. |
||||
|
||||
*/ |
||||
__nullable |
||||
SecKeyRef SecKeyDeriveFromPassword(CFStringRef password, |
||||
CFDictionaryRef parameters, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecKeyWrapSymmetric |
||||
@abstract Wraps a symmetric key with a symmetric key. |
||||
|
||||
@param keyToWrap The key which is to be wrapped. |
||||
@param wrappingKey The key wrapping key. |
||||
@param parameters The parameter list to use for wrapping the key. |
||||
@param error If the call fails this will contain the error code. |
||||
|
||||
@result On success a CFDataRef is returned. On failure this result is NULL and the |
||||
error parameter contains the reason. |
||||
|
||||
@discussion In order to wrap a key the parameters dictionary may contain the following key: |
||||
* kSecSalt - a CFData for the salt value for the encrypt. |
||||
|
||||
*/ |
||||
__nullable |
||||
CFDataRef SecKeyWrapSymmetric(SecKeyRef keyToWrap, |
||||
SecKeyRef wrappingKey, CFDictionaryRef parameters, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecKeyUnwrapSymmetric |
||||
@abstract Unwrap a wrapped symmetric key. |
||||
|
||||
@param keyToUnwrap The wrapped key to unwrap. |
||||
@param unwrappingKey The key unwrapping key. |
||||
@param parameters The parameter list to use for unwrapping the key. |
||||
@param error If the call fails this will contain the error code. |
||||
|
||||
@result On success a SecKeyRef is returned. On failure this result is NULL and the |
||||
error parameter contains the reason. |
||||
|
||||
@discussion In order to unwrap a key the parameters dictionary may contain the following key: |
||||
* kSecSalt - a CFData for the salt value for the decrypt. |
||||
|
||||
*/ |
||||
__nullable |
||||
SecKeyRef SecKeyUnwrapSymmetric(CFDataRef __nullable * __nonnull keyToUnwrap, |
||||
SecKeyRef unwrappingKey, CFDictionaryRef parameters, CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECKEY_H_ */ |
@ -0,0 +1,626 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2004,2011,2013-2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecKeychain |
||||
SecKeychain implements a repository for securely storing items with publicly visible attributes by which to find the items. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECKEYCHAIN_H_ |
||||
#define _SECURITY_SECKEYCHAIN_H_ |
||||
|
||||
#include <Security/SecBase.h> |
||||
#include <Security/cssmapple.h> |
||||
#include <CoreFoundation/CFArray.h> |
||||
#include <libkern/OSByteOrder.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@enum KeychainStatus |
||||
@abstract Defines the current status of a keychain. |
||||
@constant kSecUnlockStateStatus Indicates the keychain is unlocked. |
||||
@constant kSecReadPermStatus Indicates the keychain is readable. |
||||
@constant kSecWritePermStatus Indicates the keychain is writable. |
||||
*/ |
||||
CF_ENUM(UInt32) |
||||
{ |
||||
kSecUnlockStateStatus = 1, |
||||
kSecReadPermStatus = 2, |
||||
kSecWritePermStatus = 4 |
||||
}; |
||||
|
||||
#define SEC_KEYCHAIN_SETTINGS_VERS1 1 |
||||
|
||||
|
||||
/*!
|
||||
@typedef SecKeychainSettings |
||||
@abstract Contains keychain settings. |
||||
@field version An unsigned 32-bit integer representing the keychain version. |
||||
@field lockOnSleep A boolean value indicating whether the keychain locks when the system sleeps. |
||||
@field useLockInterval A boolean value indicating whether the keychain automatically locks after a certain period of time. |
||||
@field lockInterval An unsigned 32-bit integer representing the number of seconds before the keychain locks. |
||||
*/ |
||||
struct SecKeychainSettings |
||||
{
|
||||
UInt32 version;
|
||||
Boolean lockOnSleep; |
||||
Boolean useLockInterval; |
||||
UInt32 lockInterval; |
||||
}; |
||||
typedef struct SecKeychainSettings SecKeychainSettings; |
||||
|
||||
/*!
|
||||
@enum AuthenticationConstants |
||||
@abstract Defines constants you can use to identify the type of authentication to use for an Internet password. |
||||
@constant kSecAuthenticationTypeNTLM Specifies Windows NT LAN Manager authentication. |
||||
@constant kSecAuthenticationTypeMSN Specifies Microsoft Network default authentication. |
||||
@constant kSecAuthenticationTypeDPA Specifies Distributed Password authentication. |
||||
@constant kSecAuthenticationTypeRPA Specifies Remote Password authentication.
|
||||
@constant kSecAuthenticationTypeHTTPBasic Specifies HTTP Basic authentication. |
||||
@constant kSecAuthenticationTypeHTTPDigest Specifies HTTP Digest Access authentication. |
||||
@constant kSecAuthenticationTypeHTMLForm Specifies HTML form based authentication. |
||||
@constant kSecAuthenticationTypeDefault Specifies the default authentication type. |
||||
@constant kSecAuthenticationTypeAny Specifies that any authentication type is acceptable. When performing a search, use this constant to avoid constraining your search results to a particular authentication type. |
||||
*/ |
||||
#ifdef __LITTLE_ENDIAN__ |
||||
#define AUTH_TYPE_FIX_(x) OSSwapConstInt32(x) |
||||
#else |
||||
#define AUTH_TYPE_FIX_(x) (x) |
||||
#endif |
||||
|
||||
typedef CF_ENUM(FourCharCode, SecAuthenticationType) |
||||
{ |
||||
kSecAuthenticationTypeNTLM = AUTH_TYPE_FIX_ ('ntlm'), |
||||
kSecAuthenticationTypeMSN = AUTH_TYPE_FIX_ ('msna'), |
||||
kSecAuthenticationTypeDPA = AUTH_TYPE_FIX_ ('dpaa'), |
||||
kSecAuthenticationTypeRPA = AUTH_TYPE_FIX_ ('rpaa'), |
||||
kSecAuthenticationTypeHTTPBasic = AUTH_TYPE_FIX_ ('http'), |
||||
kSecAuthenticationTypeHTTPDigest = AUTH_TYPE_FIX_ ('httd'), |
||||
kSecAuthenticationTypeHTMLForm = AUTH_TYPE_FIX_ ('form'), |
||||
kSecAuthenticationTypeDefault = AUTH_TYPE_FIX_ ('dflt'), |
||||
kSecAuthenticationTypeAny = AUTH_TYPE_FIX_ ( 0 ) |
||||
}; |
||||
|
||||
/*!
|
||||
@enum ProtocolTypeConstants |
||||
@abstract Defines the protocol type associated with an AppleShare or Internet password. |
||||
@constant kSecProtocolTypeFTP Indicates FTP. |
||||
@constant kSecProtocolTypeFTPAccount Indicates FTP Account (client side), usage deprecated. |
||||
@constant kSecProtocolTypeHTTP Indicates HTTP.
|
||||
@constant kSecProtocolTypeIRC Indicates IRC. |
||||
@constant kSecProtocolTypeNNTP Indicates NNTP. |
||||
@constant kSecProtocolTypePOP3 Indicates POP3. |
||||
@constant kSecProtocolTypeSMTP Indicates SMTP. |
||||
@constant kSecProtocolTypeSOCKS Indicates SOCKS. |
||||
@constant kSecProtocolTypeIMAP Indicates IMAP. |
||||
@constant kSecProtocolTypeLDAP Indicates LDAP. |
||||
@constant kSecProtocolTypeAppleTalk Indicates AFP over AppleTalk. |
||||
@constant kSecProtocolTypeAFP Indicates AFP over TCP. |
||||
@constant kSecProtocolTypeTelnet Indicates Telnet. |
||||
@constant kSecProtocolTypeSSH Indicates SSH. |
||||
@constant kSecProtocolTypeFTPS Indicates FTPS (FTP over TLS/SSL). |
||||
@constant kSecProtocolTypeHTTPS Indicates HTTPS (HTTP over TLS/SSL). |
||||
@constant kSecProtocolTypeHTTPProxy Indicates HTTP proxy. |
||||
@constant kSecProtocolTypeHTTPSProxy Indicates HTTPS proxy. |
||||
@constant kSecProtocolTypeFTPProxy Indicates FTP proxy. |
||||
@constant kSecProtocolTypeSMB Indicates SMB. |
||||
@constant kSecProtocolTypeRTSP Indicates RTSP. |
||||
@constant kSecProtocolTypeRTSPProxy Indicates RTSP proxy. |
||||
@constant kSecProtocolTypeDAAP Indicates DAAP. |
||||
@constant kSecProtocolTypeEPPC Indicates EPPC (Remote Apple Events). |
||||
@constant kSecProtocolTypeIPP Indicates IPP. |
||||
@constant kSecProtocolTypeNNTPS Indicates NNTPS (NNTP over TLS/SSL). |
||||
@constant kSecProtocolTypeLDAPS Indicates LDAPS (LDAP over TLS/SSL). |
||||
@constant kSecProtocolTypeTelnetS Indicates Telnet over TLS/SSL. |
||||
@constant kSecProtocolTypeIMAPS Indicates IMAPS (IMAP4 over TLS/SSL). |
||||
@constant kSecProtocolTypeIRCS Indicates IRCS (IRC over TLS/SSL). |
||||
@constant kSecProtocolTypePOP3S Indicates POP3S (POP3 over TLS/SSL). |
||||
@constant kSecProtocolTypeCVSpserver Indicates CVS pserver. |
||||
@constant kSecProtocolTypeSVN Indicates Subversion. |
||||
@constant kSecProtocolTypeAny Indicates that any protocol is acceptable. When performing a search, use this constant to avoid constraining your search results to a particular protocol. |
||||
*/ |
||||
typedef CF_ENUM(FourCharCode, SecProtocolType) |
||||
{ |
||||
kSecProtocolTypeFTP = 'ftp ', |
||||
kSecProtocolTypeFTPAccount = 'ftpa', |
||||
kSecProtocolTypeHTTP = 'http', |
||||
kSecProtocolTypeIRC = 'irc ', |
||||
kSecProtocolTypeNNTP = 'nntp', |
||||
kSecProtocolTypePOP3 = 'pop3', |
||||
kSecProtocolTypeSMTP = 'smtp', |
||||
kSecProtocolTypeSOCKS = 'sox ', |
||||
kSecProtocolTypeIMAP = 'imap', |
||||
kSecProtocolTypeLDAP = 'ldap', |
||||
kSecProtocolTypeAppleTalk = 'atlk', |
||||
kSecProtocolTypeAFP = 'afp ', |
||||
kSecProtocolTypeTelnet = 'teln', |
||||
kSecProtocolTypeSSH = 'ssh ', |
||||
kSecProtocolTypeFTPS = 'ftps', |
||||
kSecProtocolTypeHTTPS = 'htps', |
||||
kSecProtocolTypeHTTPProxy = 'htpx', |
||||
kSecProtocolTypeHTTPSProxy = 'htsx', |
||||
kSecProtocolTypeFTPProxy = 'ftpx', |
||||
kSecProtocolTypeCIFS = 'cifs', |
||||
kSecProtocolTypeSMB = 'smb ', |
||||
kSecProtocolTypeRTSP = 'rtsp', |
||||
kSecProtocolTypeRTSPProxy = 'rtsx', |
||||
kSecProtocolTypeDAAP = 'daap', |
||||
kSecProtocolTypeEPPC = 'eppc', |
||||
kSecProtocolTypeIPP = 'ipp ', |
||||
kSecProtocolTypeNNTPS = 'ntps', |
||||
kSecProtocolTypeLDAPS = 'ldps', |
||||
kSecProtocolTypeTelnetS = 'tels', |
||||
kSecProtocolTypeIMAPS = 'imps', |
||||
kSecProtocolTypeIRCS = 'ircs', |
||||
kSecProtocolTypePOP3S = 'pops', |
||||
kSecProtocolTypeCVSpserver = 'cvsp', |
||||
kSecProtocolTypeSVN = 'svn ', |
||||
kSecProtocolTypeAny = 0 |
||||
}; |
||||
|
||||
/*!
|
||||
@enum KeychainEventConstants |
||||
@abstract Defines the keychain-related event. |
||||
@constant kSecLockEvent Indicates a keychain was locked. |
||||
@constant kSecUnlockEvent Indicates a keychain was unlocked. |
||||
@constant kSecAddEvent Indicates an item was added to a keychain. |
||||
@constant kSecDeleteEvent Indicates an item was deleted from a keychain. |
||||
@constant kSecUpdateEvent Indicates a keychain item was updated. |
||||
@constant kSecPasswordChangedEvent Indicates the keychain password was changed. |
||||
@constant kSecDefaultChangedEvent Indicates that a different keychain was specified as the default. |
||||
@constant kSecDataAccessEvent Indicates a process has accessed a keychain item's data. |
||||
@constant kSecKeychainListChangedEvent Indicates the list of keychains has changed. |
||||
@constant kSecTrustSettingsChangedEvent Indicates Trust Settings changed. |
||||
*/ |
||||
typedef CF_ENUM(UInt32, SecKeychainEvent) |
||||
{ |
||||
kSecLockEvent = 1, |
||||
kSecUnlockEvent = 2, |
||||
kSecAddEvent = 3, |
||||
kSecDeleteEvent = 4, |
||||
kSecUpdateEvent = 5, |
||||
kSecPasswordChangedEvent = 6, |
||||
kSecDefaultChangedEvent = 9, |
||||
kSecDataAccessEvent = 10, |
||||
kSecKeychainListChangedEvent = 11, |
||||
kSecTrustSettingsChangedEvent = 12 |
||||
}; |
||||
|
||||
/*!
|
||||
@enum KeychainEventConstants |
||||
@abstract Defines keychain event constants |
||||
@constant kSecLockEventMask If the bit specified by this mask is set, your callback function will be invoked when a keychain is locked. |
||||
@constant kSecUnlockEventMask If the bit specified by this mask is set, your callback function will be invoked when a keychain is unlocked. |
||||
@constant kSecAddEventMask If the bit specified by this mask is set, your callback function will be invoked when an item is added to a keychain. |
||||
@constant kSecDeleteEventMask If the bit specified by this mask is set, your callback function will be invoked when an item is deleted from a keychain. |
||||
@constant kSecUpdateEventMask If the bit specified by this mask is set, your callback function will be invoked when a keychain item is updated. |
||||
@constant kSecPasswordChangedEventMask If the bit specified by this mask is set, your callback function will be invoked when the keychain password is changed. |
||||
@constant kSecDefaultChangedEventMask If the bit specified by this mask is set, your callback function will be invoked when a different keychain is specified as the default. |
||||
@constant kSecDataAccessEventMask If the bit specified by this mask is set, your callback function will be invoked when a process accesses a keychain item's data. |
||||
@constant kSecTrustSettingsChangedEvent If the bit specified by this mask is set, your callback function will be invoked when there is a change in certificate Trust Settings.
|
||||
@constant kSecEveryEventMask If all the bits are set, your callback function will be invoked whenever any event occurs. |
||||
*/ |
||||
typedef CF_OPTIONS(UInt32, SecKeychainEventMask) |
||||
{ |
||||
kSecLockEventMask = 1 << kSecLockEvent, |
||||
kSecUnlockEventMask = 1 << kSecUnlockEvent, |
||||
kSecAddEventMask = 1 << kSecAddEvent, |
||||
kSecDeleteEventMask = 1 << kSecDeleteEvent, |
||||
kSecUpdateEventMask = 1 << kSecUpdateEvent, |
||||
kSecPasswordChangedEventMask = 1 << kSecPasswordChangedEvent, |
||||
kSecDefaultChangedEventMask = 1 << kSecDefaultChangedEvent, |
||||
kSecDataAccessEventMask = 1 << kSecDataAccessEvent, |
||||
kSecKeychainListChangedMask = 1 << kSecKeychainListChangedEvent, |
||||
kSecTrustSettingsChangedEventMask = 1 << kSecTrustSettingsChangedEvent, |
||||
kSecEveryEventMask = 0xffffffff |
||||
}; |
||||
|
||||
/*!
|
||||
@typedef SecKeychainCallbackInfo |
||||
@abstract Contains information about a keychain event.
|
||||
@field version The version of this structure. |
||||
@field item A reference to the keychain item associated with this event, if any. Note that some events do not involve a particular keychain item. |
||||
@field keychain A reference to the keychain in which the event occurred. |
||||
@field pid The id of the process that generated this event. |
||||
@discussion The SecKeychainCallbackInfo type represents a structure that contains information about the keychain event for which your application is being notified. For information on how to write a keychain event callback function, see SecKeychainCallback.
|
||||
*/ |
||||
struct SecKeychainCallbackInfo
|
||||
{ |
||||
UInt32 version; |
||||
SecKeychainItemRef __nonnull item; |
||||
SecKeychainRef __nonnull keychain; |
||||
pid_t pid; |
||||
}; |
||||
typedef struct SecKeychainCallbackInfo SecKeychainCallbackInfo; |
||||
|
||||
/*!
|
||||
@function SecKeychainGetTypeID |
||||
@abstract Returns the type identifier of SecKeychain instances. |
||||
@result The CFTypeID of SecKeychain instances. |
||||
*/ |
||||
CFTypeID SecKeychainGetTypeID(void); |
||||
|
||||
/*!
|
||||
@function SecKeychainGetVersion |
||||
@abstract Determines the version of the Keychain Manager installed on the userÕs system. |
||||
@param returnVers On return, a pointer to the version number of the Keychain Manager installed on the current system. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainGetVersion(UInt32 * __nonnull returnVers); |
||||
|
||||
#pragma mark ---- Keychain Management ---- |
||||
/*!
|
||||
@function SecKeychainOpen |
||||
@abstract Create a SecKeychainRef for a keychain at pathName. This keychain might |
||||
not currently exist, use SecKeychainGetStatus if you want to confirm the existence |
||||
of this keychain. |
||||
@param pathName The POSIX path to a keychain. |
||||
@param keychain On return, a pointer to the keychain reference. The memory that keychain occupies must be released by calling CFRelease when finished with it. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if the keychain parameter is invalid (NULL). |
||||
*/ |
||||
OSStatus SecKeychainOpen(const char *pathName, SecKeychainRef * __nonnull CF_RETURNS_RETAINED keychain); |
||||
|
||||
/*!
|
||||
@function SecKeychainCreate |
||||
@abstract Creates a new keychain. |
||||
@param pathName The POSIX path to a keychain file. |
||||
@param passwordLength An unsigned 32-bit integer representing the length of the password buffer. |
||||
@param password A pointer to the buffer containing the password. The password must be in canonical UTF8 encoding. |
||||
@param promptUser A boolean representing whether to display a password dialog to the user. |
||||
@param initialAccess An access reference. |
||||
@param keychain On return, a pointer to a keychain reference. The memory that keychain occupies must be released by calling CFRelease when finished with it. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if the keychain parameter is invalid (NULL). |
||||
*/ |
||||
OSStatus SecKeychainCreate(const char *pathName, UInt32 passwordLength, const void * __nullable password, Boolean promptUser, SecAccessRef __nullable initialAccess, SecKeychainRef * __nonnull CF_RETURNS_RETAINED keychain); |
||||
|
||||
/*!
|
||||
@function SecKeychainDelete |
||||
@abstract Removes one or more keychains from the current keychain searchlist, and deletes the keychain storage (if the keychains are file-based). |
||||
@param keychainOrArray A single keychain reference or a reference to an array of keychains to delete. IMPORTANT: SecKeychainDelete does not dispose the memory occupied by keychain references; use the CFRelease function when you are completely finished with a keychain. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecInvalidKeychain (-25295) may be returned if the keychain parameter is invalid (NULL). |
||||
*/ |
||||
OSStatus SecKeychainDelete(SecKeychainRef __nullable keychainOrArray); |
||||
|
||||
/*!
|
||||
@function SecKeychainSetSettings |
||||
@abstract Changes the settings of a keychain. |
||||
@param keychain A reference to a keychain. |
||||
@param newSettings A pointer to the new keychain settings. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainSetSettings(SecKeychainRef __nullable keychain, const SecKeychainSettings *newSettings); |
||||
|
||||
/*!
|
||||
@function SecKeychainCopySettings |
||||
@abstract Copy the keychain settings. |
||||
@param keychain A reference to the keychain from which to copy its settings. |
||||
@param outSettings A pointer to a keychain settings structure. Since this structure is versioned, you must preallocate it and fill in the version of the structure. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainCopySettings(SecKeychainRef __nullable keychain, SecKeychainSettings *outSettings); |
||||
|
||||
/*!
|
||||
@function SecKeychainUnlock |
||||
@abstract Unlocks the specified keychain. |
||||
@param keychain A reference to the keychain to unlock. Pass NULL to specify the default keychain. If you pass NULL and the default keychain is currently locked, the keychain will appear as the default choice. If you pass a locked keychain, SecKeychainUnlock will use the password provided to unlock it. If the default keychain is currently unlocked, SecKeychainUnlock returns errSecSuccess.
|
||||
@param passwordLength An unsigned 32-bit integer representing the length of the password buffer. |
||||
@param password A buffer containing the password for the keychain. Pass NULL if the user password is unknown. In this case, SecKeychainUnlock displays the Unlock Keychain dialog box, and the authentication user interface associated with the keychain about to be unlocked. |
||||
@param usePassword A boolean indicating whether the password parameter is used. You should pass TRUE if it is used or FALSE if it is ignored. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion In most cases, your application does not need to call the SecKeychainUnlock function directly, since most Keychain Manager functions that require an unlocked keychain call SecKeychainUnlock automatically. If your application needs to verify that a keychain is unlocked, call the function SecKeychainGetStatus.
|
||||
*/ |
||||
OSStatus SecKeychainUnlock(SecKeychainRef __nullable keychain, UInt32 passwordLength, const void * __nullable password, Boolean usePassword); |
||||
|
||||
/*!
|
||||
@function SecKeychainLock |
||||
@abstract Locks the specified keychain.
|
||||
@param keychain A reference to the keychain to lock. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainLock(SecKeychainRef __nullable keychain); |
||||
|
||||
/*!
|
||||
@function SecKeychainLockAll |
||||
@abstract Locks all keychains belonging to the current user. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainLockAll(void); |
||||
|
||||
/*!
|
||||
@function SecKeychainCopyDefault |
||||
@abstract Retrieves a reference to the default keychain. |
||||
@param keychain On return, a pointer to the default keychain reference. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainCopyDefault(SecKeychainRef * __nonnull CF_RETURNS_RETAINED keychain); |
||||
|
||||
/*!
|
||||
@function SecKeychainSetDefault |
||||
@abstract Sets the default keychain.
|
||||
@param keychain A reference to the keychain to set as default. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if the keychain parameter is invalid (NULL). |
||||
*/ |
||||
OSStatus SecKeychainSetDefault(SecKeychainRef __nullable keychain); |
||||
|
||||
/*!
|
||||
@function SecKeychainCopySearchList |
||||
@abstract Retrieves a keychain search list. |
||||
@param searchList The returned list of keychains to search. When finished with the array, you must call CFRelease() to release the memory. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if the keychain list is not specified (NULL). |
||||
*/ |
||||
OSStatus SecKeychainCopySearchList(CFArrayRef * __nonnull CF_RETURNS_RETAINED searchList); |
||||
|
||||
/*!
|
||||
@function SecKeychainSetSearchList |
||||
@abstract Specifies the list of keychains to use in a keychain search list. |
||||
@param searchList The list of keychains to use in a search list when the SecKeychainCopySearchList function is called. An empty array clears the search list. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if the keychain list is not specified (NULL). |
||||
*/ |
||||
OSStatus SecKeychainSetSearchList(CFArrayRef searchList); |
||||
|
||||
|
||||
/*
|
||||
* New versions of {Copy,Get}{SearchList,Default} that address multiple preference domains. |
||||
* These calls subsume the old forms with domain == kPreferenceDomainUser. |
||||
*/ |
||||
typedef CF_ENUM(int, SecPreferencesDomain) { |
||||
kSecPreferencesDomainUser, /* user domain */ |
||||
kSecPreferencesDomainSystem, /* system (daemon) domain */ |
||||
kSecPreferencesDomainCommon, /* preferences to be merged to everyone */ |
||||
kSecPreferencesDomainDynamic /* dynamic searchlist (typically removable keychains like smartcards) */ |
||||
}; |
||||
|
||||
OSStatus SecKeychainCopyDomainDefault(SecPreferencesDomain domain, SecKeychainRef * __nonnull CF_RETURNS_RETAINED keychain); |
||||
OSStatus SecKeychainSetDomainDefault(SecPreferencesDomain domain, SecKeychainRef __nullable keychain); |
||||
OSStatus SecKeychainCopyDomainSearchList(SecPreferencesDomain domain, CFArrayRef * __nonnull CF_RETURNS_RETAINED searchList); |
||||
OSStatus SecKeychainSetDomainSearchList(SecPreferencesDomain domain, CFArrayRef searchList); |
||||
OSStatus SecKeychainSetPreferenceDomain(SecPreferencesDomain domain); |
||||
OSStatus SecKeychainGetPreferenceDomain(SecPreferencesDomain *domain); |
||||
|
||||
|
||||
/*!
|
||||
@function SecKeychainGetStatus |
||||
@abstract Retrieves status information for the specified keychain. |
||||
@param keychain A keychain reference. Pass NULL to specify the default keychain. |
||||
@param keychainStatus On return, a pointer to the status of the specified keychain. See KeychainStatus for valid status constants. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainGetStatus(SecKeychainRef __nullable keychain, SecKeychainStatus *keychainStatus); |
||||
|
||||
/*!
|
||||
@function SecKeychainGetPath |
||||
@abstract Get the path of the specified keychain. |
||||
@param keychain A reference to a keychain. |
||||
@param ioPathLength On input, a pointer to the size or the buffer pointed to by pathName. On return, the size of the buffer without the zero termination. |
||||
@param pathName On return, the POSIX path to the keychain. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainGetPath(SecKeychainRef __nullable keychain, UInt32 *ioPathLength, char *pathName); |
||||
|
||||
#pragma mark ---- Keychain Item Attribute Information ---- |
||||
/*!
|
||||
@function SecKeychainAttributeInfoForItemID |
||||
@abstract Obtains tags for all possible attributes for a given item class. |
||||
@param keychain A keychain reference. |
||||
@param itemID The relation identifier of the item tags (an itemID is a CSSM_DB_RECORDTYPE defined in cssmapple.h). |
||||
@param info On return, a pointer to the keychain attribute information. User should call the SecKeychainFreeAttributeInfo function to release the structure when done with it.
|
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if not enough valid parameters were supplied (NULL). |
||||
@discussion Warning, this call returns more attributes than are support by the old style Keychain API and passing them into older calls will yield an invalid attribute error. The recommended call to retrieve the attribute values is the SecKeychainItemCopyAttributesAndData function. |
||||
*/ |
||||
OSStatus SecKeychainAttributeInfoForItemID(SecKeychainRef __nullable keychain, UInt32 itemID, SecKeychainAttributeInfo * __nullable * __nonnull info); |
||||
|
||||
/*!
|
||||
@function SecKeychainFreeAttributeInfo |
||||
@abstract Releases the memory acquired by calling the SecKeychainAttributeInfoForItemID function. |
||||
@param info A pointer to the keychain attribute information to release. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if not enough valid parameters were supplied (NULL). |
||||
*/ |
||||
OSStatus SecKeychainFreeAttributeInfo(SecKeychainAttributeInfo *info); |
||||
|
||||
#pragma mark ---- Keychain Manager Callbacks ---- |
||||
|
||||
/*!
|
||||
@typedef SecKeychainCallback |
||||
@abstract Defines a pointer to a customized callback function. You supply the customized callback function to do a callback tailored to your application's needs. |
||||
@param keychainEvent The keychain event that your application wishes to be notified of. See SecKeychainEvent for a description of possible values. The type of event that can trigger your callback depends on the bit mask you passed in the eventMask parameter of the function SecKeychainAddCallback. For more information, see the discussion.
|
||||
@param info A pointer to a structure of type SecKeychainCallbackInfo. On return, the structure contains information about the keychain event that occurred. The Keychain Manager passes this information to your callback function via the info parameter.
|
||||
@param context A pointer to application-defined storage that your application previously passed to the function SecKeychainAddCallback. You can use this value to perform operations like track which instance of a function is operating. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion If you name your function MyKeychainEventCallback, you would declare it like this: |
||||
OSStatus MyKeychainEventCallback ( |
||||
SecKeychainEvent keychainEvent,
|
||||
SecKeychainCallbackInfo *info,
|
||||
void *context); |
||||
|
||||
To add your callback function, use the SecKeychainAddCallback function. To remove your callback function, use the SecKeychainRemoveCallback function. |
||||
*/ |
||||
typedef OSStatus (*SecKeychainCallback)(SecKeychainEvent keychainEvent, SecKeychainCallbackInfo *info, void * __nullable context); |
||||
|
||||
/*!
|
||||
@function SecKeychainAddCallback |
||||
@abstract Registers your keychain event callback function |
||||
@param callbackFunction A pointer to your keychain event callback function, described in SecKeychainCallback. You indicate the type of keychain events you want to receive by passing a bit mask of the desired events in the eventMask parameter. |
||||
@param eventMask A bit mask indicating the keychain events that your application wishes to be notified of. See SecKeychainEventMask for a description of this bit mask. The Keychain Manager tests this mask to determine the keychain events that you wish to receive, and passes these events in the keychainEvent parameter of your callback function. See SecKeychainEvent for a description of these events. |
||||
@param userContext A pointer to application-defined storage that will be passed to your callback function. Your application can use this to associate any particular call of SecKeychainAddCallback with any particular call of your keychain event callback function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainAddCallback(SecKeychainCallback callbackFunction, SecKeychainEventMask eventMask, void * __nullable userContext); |
||||
|
||||
/*!
|
||||
@function SecKeychainRemoveCallback |
||||
@abstract Unregisters your keychain event callback function. Once removed, keychain events won't be sent to the owner of the callback. |
||||
@param callbackFunction The callback function pointer to remove
|
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainRemoveCallback(SecKeychainCallback callbackFunction); |
||||
|
||||
#pragma mark ---- High Level Keychain Manager Calls ---- |
||||
/*!
|
||||
@function SecKeychainAddInternetPassword |
||||
@abstract Adds an Internet password to the specified keychain. |
||||
@param keychain A reference to a keychain in which to store an Internet password. Pass NULL to specify the user's default keychain. |
||||
@param serverNameLength The length of the buffer pointed to by serverName. |
||||
@param serverName A pointer to a string containing the server name associated with this password. |
||||
@param securityDomainLength The length of the buffer pointed to by securityDomain. |
||||
@param securityDomain A pointer to a string containing the security domain associated with this password, or NULL if there is no relevant security domain. |
||||
@param accountNameLength The length of the buffer pointed to by accountName. |
||||
@param accountName A pointer to a string containing the account name associated with this password. |
||||
@param pathLength The length of the buffer pointed to by path. |
||||
@param path A pointer to a string containing the path associated with this password, or NULL if there is no relevant path string. |
||||
@param port The TCP/IP port number. If no specific port number is associated with this item, pass 0. |
||||
@param protocol The protocol associated with this password. See SecProtocolType for a description of possible values. |
||||
@param authenticationType The authentication scheme used. See SecAuthenticationType for a description of possible values. Pass the constant kSecAuthenticationTypeDefault to specify the default authentication scheme.
|
||||
@param passwordLength The length of the buffer pointed to by passwordData. |
||||
@param passwordData A pointer to a buffer containing the password data to be stored in the keychain. |
||||
@param itemRef On return, a reference to the new keychain item. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion The SecKeychainAddInternetPassword function adds a new Internet server password to the specified keychain. Required parameters to identify the password are serverName and accountName (you cannot pass NULL for both parameters). In addition, some protocols may require an optional securityDomain when authentication is requested. SecKeychainAddInternetPassword optionally returns a reference to the newly added item.
|
||||
*/ |
||||
OSStatus SecKeychainAddInternetPassword(SecKeychainRef __nullable keychain, UInt32 serverNameLength, const char * __nullable serverName, UInt32 securityDomainLength, const char * __nullable securityDomain, UInt32 accountNameLength, const char * __nullable accountName, UInt32 pathLength, const char * __nullable path, UInt16 port, SecProtocolType protocol, SecAuthenticationType authenticationType, UInt32 passwordLength, const void *passwordData, SecKeychainItemRef * __nullable CF_RETURNS_RETAINED itemRef); |
||||
|
||||
/*!
|
||||
@function SecKeychainFindInternetPassword |
||||
@abstract Finds an Internet password based on the attributes passed. |
||||
@param keychainOrArray A reference to an array of keychains to search, a single keychain, or NULL to search the user's default keychain search list. |
||||
@param serverNameLength The length of the buffer pointed to by serverName. |
||||
@param serverName A pointer to a string containing the server name. |
||||
@param securityDomainLength The length of the buffer pointed to by securityDomain. |
||||
@param securityDomain A pointer to a string containing the security domain. This parameter is optional, as not all protocols will require it. |
||||
@param accountNameLength The length of the buffer pointed to by accountName. |
||||
@param accountName A pointer to a string containing the account name. |
||||
@param pathLength The length of the buffer pointed to by path. |
||||
@param path A pointer to a string containing the path. |
||||
@param port The TCP/IP port number. Pass 0 to ignore the port number. |
||||
@param protocol The protocol associated with this password. See SecProtocolType for a description of possible values. |
||||
@param authenticationType The authentication scheme used. See SecAuthenticationType for a description of possible values. Pass the constant kSecAuthenticationTypeDefault to specify the default authentication scheme.
|
||||
@param passwordLength On return, the length of the buffer pointed to by passwordData. |
||||
@param passwordData On return, a pointer to a data buffer containing the password. Your application must call SecKeychainItemFreeContent(NULL, passwordData) to release this data buffer when it is no longer needed. Pass NULL if you are not interested in retrieving the password data at this time, but simply want to find the item reference. |
||||
@param itemRef On return, a reference to the keychain item which was found. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion The SecKeychainFindInternetPassword function finds the first Internet password item which matches the attributes you provide. Most attributes are optional; you should pass only as many as you need to narrow the search sufficiently for your application's intended use. SecKeychainFindInternetPassword optionally returns a reference to the found item. |
||||
*/ |
||||
OSStatus SecKeychainFindInternetPassword(CFTypeRef __nullable keychainOrArray, UInt32 serverNameLength, const char * __nullable serverName, UInt32 securityDomainLength, const char * __nullable securityDomain, UInt32 accountNameLength, const char * __nullable accountName, UInt32 pathLength, const char * __nullable path, UInt16 port, SecProtocolType protocol, SecAuthenticationType authenticationType, UInt32 * __nullable passwordLength, void * __nullable * __nullable passwordData, SecKeychainItemRef * __nullable CF_RETURNS_RETAINED itemRef); |
||||
|
||||
/*!
|
||||
@function SecKeychainAddGenericPassword |
||||
@abstract Adds a generic password to the specified keychain. |
||||
@param keychain A reference to the keychain in which to store a generic password. Pass NULL to specify the user's default keychain. |
||||
@param serviceNameLength The length of the buffer pointed to by serviceName. |
||||
@param serviceName A pointer to a string containing the service name associated with this password. |
||||
@param accountNameLength The length of the buffer pointed to by accountName. |
||||
@param accountName A pointer to a string containing the account name associated with this password. |
||||
@param passwordLength The length of the buffer pointed to by passwordData. |
||||
@param passwordData A pointer to a buffer containing the password data to be stored in the keychain. |
||||
@param itemRef On return, a reference to the new keychain item. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion The SecKeychainAddGenericPassword function adds a new generic password to the default keychain. Required parameters to identify the password are serviceName and accountName, which are application-defined strings. SecKeychainAddGenericPassword optionally returns a reference to the newly added item.
|
||||
*/ |
||||
OSStatus SecKeychainAddGenericPassword(SecKeychainRef __nullable keychain, UInt32 serviceNameLength, const char * __nullable serviceName, UInt32 accountNameLength, const char * __nullable accountName, UInt32 passwordLength, const void *passwordData, SecKeychainItemRef * __nullable CF_RETURNS_RETAINED itemRef); |
||||
|
||||
/*!
|
||||
@function SecKeychainFindGenericPassword |
||||
@abstract Find a generic password based on the attributes passed. |
||||
@param keychainOrArray A reference to an array of keychains to search, a single keychain, or NULL to search the user's default keychain search list. |
||||
@param serviceNameLength The length of the buffer pointed to by serviceName. |
||||
@param serviceName A pointer to a string containing the service name. |
||||
@param accountNameLength The length of the buffer pointed to by accountName. |
||||
@param accountName A pointer to a string containing the account name. |
||||
@param passwordLength On return, the length of the buffer pointed to by passwordData. |
||||
@param passwordData On return, a pointer to a data buffer containing the password. Your application must call SecKeychainItemFreeContent(NULL, passwordData) to release this data buffer when it is no longer needed. Pass NULL if you are not interested in retrieving the password data at this time, but simply want to find the item reference. |
||||
@param itemRef On return, a reference to the keychain item which was found. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion The SecKeychainFindGenericPassword function finds the first generic password item which matches the attributes you provide. Most attributes are optional; you should pass only as many as you need to narrow the search sufficiently for your application's intended use. SecKeychainFindGenericPassword optionally returns a reference to the found item.
|
||||
*/ |
||||
OSStatus SecKeychainFindGenericPassword(CFTypeRef __nullable keychainOrArray, UInt32 serviceNameLength, const char * __nullable serviceName, UInt32 accountNameLength, const char * __nullable accountName, UInt32 * __nullable passwordLength, void * __nullable * __nullable passwordData, SecKeychainItemRef * __nullable CF_RETURNS_RETAINED itemRef); |
||||
|
||||
#pragma mark ---- Managing User Interaction ---- |
||||
/*!
|
||||
@function SecKeychainSetUserInteractionAllowed |
||||
@abstract Turns on or off any optional user interaction |
||||
@param state A boolean representing the state of user interaction. You should pass TRUE to allow user interaction, and FALSE to disallow user interaction |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainSetUserInteractionAllowed(Boolean state); |
||||
|
||||
/*!
|
||||
@function SecKeychainGetUserInteractionAllowed |
||||
@abstract Retrieves the current state of user interaction. |
||||
@param state On return, a pointer to the current state of user interaction. If this is TRUE then user interaction is allowed, if it is FALSE, then user interaction is not allowed. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainGetUserInteractionAllowed(Boolean *state); |
||||
|
||||
#pragma mark ---- CSSM Bridge Functions ---- |
||||
/*!
|
||||
@function SecKeychainGetCSPHandle |
||||
@abstract Returns the CSSM_CSP_HANDLE attachment for the given keychain reference. The handle is valid until the keychain reference is released. |
||||
@param keychain A keychain reference. |
||||
@param cspHandle On return, a pointer to the CSSM_CSP_HANDLE for the given keychain. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated for 10.7. It should nho longer be needed. |
||||
*/ |
||||
OSStatus SecKeychainGetCSPHandle(SecKeychainRef __nullable keychain, CSSM_CSP_HANDLE *cspHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecKeychainGetDLDBHandle |
||||
@abstract Returns the CSSM_DL_DB_HANDLE for a given keychain reference. The handle is valid until the keychain reference is released. |
||||
@param keychain A keychain reference. |
||||
@param dldbHandle On return, a pointer to the CSSM_DL_DB_HANDLE for the given keychain. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated for 10.7. It should nho longer be needed. |
||||
*/ |
||||
OSStatus SecKeychainGetDLDBHandle(SecKeychainRef __nullable keychain, CSSM_DL_DB_HANDLE *dldbHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#pragma mark ---- Keychain Access Management ---- |
||||
/*!
|
||||
@function SecKeychainCopyAccess |
||||
@abstract Retrieves the access for a keychain.
|
||||
@param keychain A reference to the keychain from which to copy the access. |
||||
@param accessRef On return, a pointer to the access reference. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainCopyAccess(SecKeychainRef __nullable keychain, SecAccessRef * __nonnull CF_RETURNS_RETAINED access); |
||||
|
||||
/*!
|
||||
@function SecKeychainSetAccess |
||||
@abstract Sets the access for a keychain. |
||||
@param keychain A reference to the keychain for which to set the access. |
||||
@param accessRef An access reference. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainSetAccess(SecKeychainRef __nullable keychain, SecAccessRef access); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECKEYCHAIN_H_ */ |
@ -0,0 +1,332 @@
|
||||
/* * Copyright (c) 2000-2008,2011-2014 Apple Inc. All Rights Reserved.
|
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecKeychainItem |
||||
SecKeychainItem implements an item which may be stored in a SecKeychain, with publicly |
||||
visible attributes and encrypted data. Access to the data of an item is protected |
||||
using strong cryptographic algorithms. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECKEYCHAINITEM_H_ |
||||
#define _SECURITY_SECKEYCHAINITEM_H_ |
||||
|
||||
#include <AvailabilityMacros.h> |
||||
#include <CoreFoundation/CFData.h> |
||||
#include <Security/SecBase.h> |
||||
#include <Security/cssmapple.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@enum ItemClassConstants |
||||
@abstract Specifies a keychain item's class code. |
||||
@constant kSecInternetPasswordItemClass Indicates that the item is an Internet password. |
||||
@constant kSecGenericPasswordItemClass Indicates that the item is a generic password. |
||||
@constant kSecAppleSharePasswordItemClass Indicates that the item is an AppleShare password. |
||||
Note: AppleShare passwords are no longer used by OS X, starting in Leopard (10.5). Use of this item class is deprecated in OS X 10.9 and later; kSecInternetPasswordItemClass should be used instead when storing or looking up passwords for an Apple Filing Protocol (AFP) server. |
||||
@constant kSecCertificateItemClass Indicates that the item is a digital certificate. |
||||
@constant kSecPublicKeyItemClass Indicates that the item is a public key. |
||||
@constant kSecPrivateKeyItemClass Indicates that the item is a private key. |
||||
@constant kSecSymmetricKeyItemClass Indicates that the item is a symmetric key. |
||||
@discussion The SecItemClass enumeration defines constants your application can use to specify the type of the keychain item you wish to create, dispose, add, delete, update, copy, or locate. You can also use these constants with the tag constant SecItemAttr. |
||||
*/ |
||||
typedef CF_ENUM(FourCharCode, SecItemClass) |
||||
{ |
||||
kSecInternetPasswordItemClass = 'inet', |
||||
kSecGenericPasswordItemClass = 'genp', |
||||
kSecAppleSharePasswordItemClass CF_ENUM_DEPRECATED(10_0, 10_9, NA, NA) = 'ashp', |
||||
kSecCertificateItemClass = 0x80001000, |
||||
kSecPublicKeyItemClass = 0x0000000F, |
||||
kSecPrivateKeyItemClass = 0x00000010, |
||||
kSecSymmetricKeyItemClass = 0x00000011 |
||||
}; |
||||
|
||||
/*!
|
||||
@enum ItemAttributeConstants |
||||
@abstract Specifies keychain item attributes. |
||||
@constant kSecCreationDateItemAttr (read-only) Identifies the creation date attribute. You use this tag to get a value of type string that represents the date the item was created, expressed in Zulu Time format ("YYYYMMDDhhmmSSZ"). This format is identical to CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE (cssmtype.h). When specifying the creation date as input to a function (e.g. SecKeychainSearchCreateFromAttributes), you may alternatively provide a numeric value of type UInt32 or SInt64, expressed as seconds since 1/1/1904 (DateTimeUtils.h). |
||||
@constant kSecModDateItemAttr (read-only) Identifies the modification date attribute. You use this tag to get a value of type string that represents the last time the item was updated, expressed in Zulu Time format ("YYYYMMDDhhmmSSZ"). This format is identical to CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE (cssmtype.h). When specifying the modification date as input to a function (e.g. SecKeychainSearchCreateFromAttributes), you may alternatively provide a numeric value of type UInt32 or SInt64, expressed as seconds since 1/1/1904 (DateTimeUtils.h). |
||||
@constant kSecDescriptionItemAttr Identifies the description attribute. You use this tag to set or get a value of type string that represents a user-visible string describing this particular kind of item (e.g. "disk image password"). |
||||
@constant kSecCommentItemAttr Identifies the comment attribute. You use this tag to set or get a value of type string that represents a user-editable string containing comments for this item. |
||||
@constant kSecCreatorItemAttr Identifies the creator attribute. You use this tag to set or get a value of type FourCharCode that represents the item's creator. |
||||
@constant kSecTypeItemAttr Identifies the type attribute. You use this tag to set or get a value of type FourCharCode that represents the item's type. |
||||
@constant kSecScriptCodeItemAttr Identifies the script code attribute. You use this tag to set or get a value of type ScriptCode that represents the script code for all strings. (Note: use of this attribute is deprecated; string attributes should always be stored in UTF-8 encoding.) |
||||
@constant kSecLabelItemAttr Identifies the label attribute. You use this tag to set or get a value of type string that represents a user-editable string containing the label for this item. |
||||
@constant kSecInvisibleItemAttr Identifies the invisible attribute. You use this tag to set or get a value of type Boolean that indicates whether the item is invisible (i.e. should not be displayed). |
||||
@constant kSecNegativeItemAttr Identifies the negative attribute. You use this tag to set or get a value of type Boolean that indicates whether there is a valid password associated with this keychain item. This is useful if your application doesn't want a password for some particular service to be stored in the keychain, but prefers that it always be entered by the user. The item (typically invisible and with zero-length data) acts as a placeholder to say "don't use me." |
||||
@constant kSecCustomIconItemAttr Identifies the custom icon attribute. You use this tag to set or get a value of type Boolean that indicates whether the item has an application-specific icon. To do this, you must also set the attribute value identified by the tag kSecTypeItemAttr to a file type for which there is a corresponding icon in the desktop database, and set the attribute value identified by the tag kSecCreatorItemAttr to an appropriate application creator type. If a custom icon corresponding to the item's type and creator can be found in the desktop database, it will be displayed by Keychain Access. Otherwise, default icons are used. (Note: use of this attribute is deprecated; custom icons for keychain items are not supported in Mac OS X.) |
||||
@constant kSecAccountItemAttr Identifies the account attribute. You use this tag to set or get a string that represents the user account. This attribute applies to generic, Internet, and AppleShare password items. |
||||
@constant kSecServiceItemAttr Identifies the service attribute. You use this tag to set or get a string that represents the service associated with this item. This attribute is unique to generic password items. |
||||
@constant kSecGenericItemAttr Identifies the generic attribute. You use this tag to set or get a value of untyped bytes that represents a user-defined attribute. This attribute is unique to generic password items. |
||||
@constant kSecSecurityDomainItemAttr Identifies the security domain attribute. You use this tag to set or get a value that represents the Internet security domain. This attribute is unique to Internet password items. |
||||
@constant kSecServerItemAttr Identifies the server attribute. You use this tag to set or get a value of type string that represents the Internet server's domain name or IP address. This attribute is unique to Internet password items. |
||||
@constant kSecAuthenticationTypeItemAttr Identifies the authentication type attribute. You use this tag to set or get a value of type SecAuthenticationType that represents the Internet authentication scheme. This attribute is unique to Internet password items. |
||||
@constant kSecPortItemAttr Identifies the port attribute. You use this tag to set or get a value of type UInt32 that represents the Internet port number. This attribute is unique to Internet password items. |
||||
@constant kSecPathItemAttr Identifies the path attribute. You use this tag to set or get a string value that represents the path. This attribute is unique to Internet password items. |
||||
@constant kSecVolumeItemAttr Identifies the volume attribute. You use this tag to set or get a string value that represents the AppleShare volume. This attribute is unique to AppleShare password items. Note: AppleShare passwords are no longer used by OS X as of Leopard (10.5); Internet password items are used instead. |
||||
@constant kSecAddressItemAttr Identifies the address attribute. You use this tag to set or get a string value that represents the AppleTalk zone name, or the IP or domain name that represents the server address. This attribute is unique to AppleShare password items. Note: AppleShare passwords are no longer used by OS X as of Leopard (10.5); Internet password items are used instead. |
||||
@constant kSecSignatureItemAttr Identifies the server signature attribute. You use this tag to set or get a value of type SecAFPServerSignature that represents the server signature block. This attribute is unique to AppleShare password items. Note: AppleShare passwords are no longer used by OS X as of Leopard (10.5); Internet password items are used instead. |
||||
@constant kSecProtocolItemAttr Identifies the protocol attribute. You use this tag to set or get a value of type SecProtocolType that represents the Internet protocol. This attribute applies to AppleShare and Internet password items. |
||||
@constant kSecCertificateType Indicates a CSSM_CERT_TYPE type. |
||||
@constant kSecCertificateEncoding Indicates a CSSM_CERT_ENCODING type. |
||||
@constant kSecCrlType Indicates a CSSM_CRL_TYPE type. |
||||
@constant kSecCrlEncoding Indicates a CSSM_CRL_ENCODING type. |
||||
@constant kSecAlias Indicates an alias. |
||||
@discussion To obtain information about a certificate, use the CDSA Certificate Library (CL) API. To obtain information about a key, use the SecKeyGetCSSMKey function and the CDSA Cryptographic Service Provider (CSP) API. |
||||
*/ |
||||
typedef CF_ENUM(FourCharCode, SecItemAttr) |
||||
{ |
||||
kSecCreationDateItemAttr = 'cdat', |
||||
kSecModDateItemAttr = 'mdat', |
||||
kSecDescriptionItemAttr = 'desc', |
||||
kSecCommentItemAttr = 'icmt', |
||||
kSecCreatorItemAttr = 'crtr', |
||||
kSecTypeItemAttr = 'type', |
||||
kSecScriptCodeItemAttr = 'scrp', |
||||
kSecLabelItemAttr = 'labl', |
||||
kSecInvisibleItemAttr = 'invi', |
||||
kSecNegativeItemAttr = 'nega', |
||||
kSecCustomIconItemAttr = 'cusi', |
||||
kSecAccountItemAttr = 'acct', |
||||
kSecServiceItemAttr = 'svce', |
||||
kSecGenericItemAttr = 'gena', |
||||
kSecSecurityDomainItemAttr = 'sdmn', |
||||
kSecServerItemAttr = 'srvr', |
||||
kSecAuthenticationTypeItemAttr = 'atyp', |
||||
kSecPortItemAttr = 'port', |
||||
kSecPathItemAttr = 'path', |
||||
kSecVolumeItemAttr = 'vlme', |
||||
kSecAddressItemAttr = 'addr', |
||||
kSecSignatureItemAttr = 'ssig', |
||||
kSecProtocolItemAttr = 'ptcl', |
||||
kSecCertificateType = 'ctyp', |
||||
kSecCertificateEncoding = 'cenc', |
||||
kSecCrlType = 'crtp', |
||||
kSecCrlEncoding = 'crnc', |
||||
kSecAlias = 'alis' |
||||
}; |
||||
|
||||
/*!
|
||||
@typedef SecAFPServerSignature |
||||
@abstract Represents a 16-byte Apple File Protocol server signature block. |
||||
*/ |
||||
typedef UInt8 SecAFPServerSignature[16]; |
||||
|
||||
/*!
|
||||
@typedef SecPublicKeyHash |
||||
@abstract Represents a 20-byte public key hash. |
||||
*/ |
||||
typedef UInt8 SecPublicKeyHash[20]; |
||||
|
||||
#pragma mark ---- Keychain Item Management ---- |
||||
/*!
|
||||
@function SecKeychainItemGetTypeID |
||||
@abstract Returns the type identifier of SecKeychainItem instances. |
||||
@result The CFTypeID of SecKeychainItem instances. |
||||
*/ |
||||
CFTypeID SecKeychainItemGetTypeID(void); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemModifyAttributesAndData |
||||
@abstract Updates an existing keychain item after changing its attributes or data. |
||||
@param itemRef A reference to the keychain item to modify. |
||||
@param attrList The list of attributes to modify, along with their new values. Pass NULL if you don't need to modify any attributes. |
||||
@param length The length of the buffer pointed to by data. |
||||
@param data Pointer to a buffer containing the data to store. Pass NULL if you don't need to modify the data. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion The keychain item is written to the keychain's permanent data store. If the keychain item has not previously been added to a keychain, a call to the SecKeychainItemModifyContent function does nothing and returns errSecSuccess. |
||||
*/ |
||||
OSStatus SecKeychainItemModifyAttributesAndData(SecKeychainItemRef itemRef, const SecKeychainAttributeList * __nullable attrList, UInt32 length, const void * __nullable data); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemCreateFromContent |
||||
@abstract Creates a new keychain item from the supplied parameters. |
||||
@param itemClass A constant identifying the class of item to create. |
||||
@param attrList The list of attributes of the item to create. |
||||
@param length The length of the buffer pointed to by data. |
||||
@param data A pointer to a buffer containing the data to store. |
||||
@param initialAccess A reference to the access for this keychain item. |
||||
@param keychainRef A reference to the keychain in which to add the item. |
||||
@param itemRef On return, a pointer to a reference to the newly created keychain item (optional). When the item reference is no longer required, call CFRelease to deallocate memory occupied by the item. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if not enough valid parameters are supplied, or errSecAllocate (-108) if there is not enough memory in the current heap zone to create the object. |
||||
*/ |
||||
OSStatus SecKeychainItemCreateFromContent(SecItemClass itemClass, SecKeychainAttributeList *attrList, |
||||
UInt32 length, const void * __nullable data, SecKeychainRef __nullable keychainRef, |
||||
SecAccessRef __nullable initialAccess, SecKeychainItemRef * __nullable CF_RETURNS_RETAINED itemRef); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemModifyContent |
||||
@abstract Updates an existing keychain item after changing its attributes or data. This call should only be used in conjunction with SecKeychainItemCopyContent(). |
||||
@param itemRef A reference to the keychain item to modify. |
||||
@param attrList The list of attributes to modify, along with their new values. Pass NULL if you don't need to modify any attributes. |
||||
@param length The length of the buffer pointed to by data. |
||||
@param data A pointer to a buffer containing the data to store. Pass NULL if you don't need to modify the data. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainItemModifyContent(SecKeychainItemRef itemRef, const SecKeychainAttributeList * __nullable attrList, UInt32 length, const void * __nullable data); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemCopyContent |
||||
@abstract Copies the data and/or attributes stored in the given keychain item. It is recommended that you use SecKeychainItemCopyAttributesAndData(). You must call SecKeychainItemFreeContent when you no longer need the attributes and data. If you want to modify the attributes returned here, use SecKeychainModifyContent(). |
||||
@param itemRef A reference to the keychain item to modify. |
||||
@param itemClass On return, the item's class. Pass NULL if you don't require this information. |
||||
@param attrList On input, the list of attributes to retrieve. On output, the attributes are filled in. Pass NULL if you don't need to retrieve any attributes. You must call SecKeychainItemFreeContent when you no longer need the attributes. |
||||
@param length On return, the length of the buffer pointed to by outData. |
||||
@param outData On return, a pointer to a buffer containing the data in this item. Pass NULL if you don't need to retrieve the data. You must call SecKeychainItemFreeContent when you no longer need the data. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if not enough valid parameters are supplied. |
||||
*/ |
||||
OSStatus SecKeychainItemCopyContent(SecKeychainItemRef itemRef, SecItemClass * __nullable itemClass, SecKeychainAttributeList * __nullable attrList, UInt32 * __nullable length, void * __nullable * __nullable outData); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemFreeContent |
||||
@abstract Releases the memory used by the keychain attribute list and the keychain data retrieved in a previous call to SecKeychainItemCopyContent. |
||||
@param attrList A pointer to the attribute list to release. Pass NULL to ignore this parameter. |
||||
@param data A pointer to the data buffer to release. Pass NULL to ignore this parameter. |
||||
*/ |
||||
OSStatus SecKeychainItemFreeContent(SecKeychainAttributeList * __nullable attrList, void * __nullable data); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemCopyAttributesAndData |
||||
@abstract Copies the data and/or attributes stored in the given keychain item. You must call SecKeychainItemFreeAttributesAndData when you no longer need the attributes and data. If you want to modify the attributes returned here, use SecKeychainModifyAttributesAndData. |
||||
@param itemRef A reference to the keychain item to copy. |
||||
@param info A list of tags and formats of the attributes you wish to retrieve. Pass NULL if you don't need to retrieve any attributes. You can call SecKeychainAttributeInfoForItemID to obtain a list with all possible attribute tags and formats for the item's class. |
||||
@param itemClass On return, the item's class. Pass NULL if you don't require this information. |
||||
@param attrList On return, a pointer to the list of retrieved attributes. Pass NULL if you don't need to retrieve any attributes. You must call SecKeychainItemFreeAttributesAndData when you no longer need this list. |
||||
@param length On return, the length of the buffer pointed to by outData. |
||||
@param outData On return, a pointer to a buffer containing the data in this item. Pass NULL if you don't need to retrieve the data. You must call SecKeychainItemFreeAttributesAndData when you no longer need the data. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). In addition, errSecParam (-50) may be returned if not enough valid parameters are supplied. |
||||
*/ |
||||
OSStatus SecKeychainItemCopyAttributesAndData(SecKeychainItemRef itemRef, SecKeychainAttributeInfo * __nullable info, SecItemClass * __nullable itemClass, SecKeychainAttributeList * __nullable * __nullable attrList, UInt32 * __nullable length, void * __nullable * __nullable outData); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemFreeAttributesAndData |
||||
@abstract Releases the memory used by the keychain attribute list and the keychain data retrieved in a previous call to SecKeychainItemCopyAttributesAndData. |
||||
@param attrList A pointer to the attribute list to release. Pass NULL to ignore this parameter. |
||||
@param data A pointer to the data buffer to release. Pass NULL to ignore this parameter. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainItemFreeAttributesAndData(SecKeychainAttributeList * __nullable attrList, void * __nullable data); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemDelete |
||||
@abstract Deletes a keychain item from the default keychain's permanent data store. |
||||
@param itemRef A keychain item reference of the item to delete. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion If itemRef has not previously been added to the keychain, SecKeychainItemDelete does nothing and returns errSecSuccess. IMPORTANT: SecKeychainItemDelete does not dispose the memory occupied by the item reference itself; use the CFRelease function when you are completely finished with an item. |
||||
*/ |
||||
OSStatus SecKeychainItemDelete(SecKeychainItemRef itemRef); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemCopyKeychain |
||||
@abstract Copies an existing keychain reference from a keychain item. |
||||
@param itemRef A keychain item reference. |
||||
@param keychainRef On return, the keychain reference for the specified item. Release this reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainItemCopyKeychain(SecKeychainItemRef itemRef, SecKeychainRef * __nonnull CF_RETURNS_RETAINED keychainRef); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemCreateCopy |
||||
@abstract Copies a keychain item. |
||||
@param itemRef A reference to the keychain item to copy. |
||||
@param destKeychainRef A reference to the keychain in which to insert the copied keychain item. |
||||
@param initialAccess The initial access for the copied keychain item. |
||||
@param itemCopy On return, a reference to the copied keychain item. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainItemCreateCopy(SecKeychainItemRef itemRef, SecKeychainRef __nullable destKeychainRef, |
||||
SecAccessRef initialAccess, SecKeychainItemRef * __nonnull CF_RETURNS_RETAINED itemCopy); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemCreatePersistentReference |
||||
@abstract Returns a CFDataRef which can be used as a persistent reference to the given keychain item. The data obtained can be turned back into a SecKeychainItemRef later by calling SecKeychainItemCopyFromPersistentReference(). |
||||
@param itemRef A reference to a keychain item. |
||||
@param persistentItemRef On return, a CFDataRef containing a persistent reference. You must release this data reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainItemCreatePersistentReference(SecKeychainItemRef itemRef, CFDataRef * __nonnull CF_RETURNS_RETAINED persistentItemRef); |
||||
|
||||
|
||||
/*!
|
||||
@function SecKeychainItemCopyFromPersistentReference |
||||
@abstract Returns a SecKeychainItemRef, given a persistent reference previously obtained by calling SecKeychainItemCreatePersistentReference(). |
||||
@param persistentItemRef A CFDataRef containing a persistent reference to a keychain item. |
||||
@param itemRef On return, a SecKeychainItemRef for the keychain item described by the persistent reference. You must release this item reference by calling the CFRelease function. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainItemCopyFromPersistentReference(CFDataRef persistentItemRef, SecKeychainItemRef * __nonnull CF_RETURNS_RETAINED itemRef); |
||||
|
||||
|
||||
#pragma mark ---- CSSM Bridge Functions ---- |
||||
/*!
|
||||
@function SecKeychainItemGetDLDBHandle |
||||
@abstract Returns the CSSM_DL_DB_HANDLE for a given keychain item reference. |
||||
@param keyItemRef A keychain item reference. |
||||
@param dldbHandle On return, a CSSM_DL_DB_HANDLE for the keychain database containing the given item. The handle is valid until the keychain reference is released. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated for 10.7. It should no longer be needed. |
||||
*/ |
||||
OSStatus SecKeychainItemGetDLDBHandle(SecKeychainItemRef keyItemRef, CSSM_DL_DB_HANDLE * __nonnull dldbHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecKeychainItemGetUniqueRecordID |
||||
@abstract Returns a CSSM_DB_UNIQUE_RECORD for the given keychain item reference. |
||||
@param itemRef A keychain item reference. |
||||
@param uniqueRecordID On return, a pointer to a CSSM_DB_UNIQUE_RECORD structure for the given item. The unique record is valid until the item reference is released. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This API is deprecated for 10.7. It should no longer be needed. |
||||
*/ |
||||
OSStatus SecKeychainItemGetUniqueRecordID(SecKeychainItemRef itemRef, const CSSM_DB_UNIQUE_RECORD * __nullable * __nonnull uniqueRecordID) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#pragma mark ---- Keychain Item Access Management ---- |
||||
/*!
|
||||
@function SecKeychainItemCopyAccess |
||||
@abstract Copies the access of a given keychain item. |
||||
@param itemRef A reference to a keychain item. |
||||
@param access On return, a reference to the keychain item's access. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainItemCopyAccess(SecKeychainItemRef itemRef, SecAccessRef * __nonnull CF_RETURNS_RETAINED access); |
||||
|
||||
/*!
|
||||
@function SecKeychainItemSetAccess |
||||
@abstract Sets the access of a given keychain item. |
||||
@param itemRef A reference to a keychain item. |
||||
@param access A reference to an access to replace the keychain item's current access. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecKeychainItemSetAccess(SecKeychainItemRef itemRef, SecAccessRef access); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECKEYCHAINITEM_H_ */ |
@ -0,0 +1,80 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecKeychainSearch |
||||
The functions provided in SecKeychainSearch implement a query of one or more keychains to search for a particular SecKeychainItem. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECKEYCHAINSEARCH_H_ |
||||
#define _SECURITY_SECKEYCHAINSEARCH_H_ |
||||
|
||||
#include <Security/SecKeychainItem.h> |
||||
|
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@function SecKeychainSearchGetTypeID |
||||
@abstract Returns the type identifier of SecKeychainSearch instances. |
||||
@result The CFTypeID of SecKeychainSearch instances. |
||||
@discussion This API is deprecated in 10.7. The SecKeychainSearchRef type is no longer used. |
||||
*/ |
||||
CFTypeID SecKeychainSearchGetTypeID(void) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecKeychainSearchCreateFromAttributes |
||||
@abstract Creates a search reference matching a list of zero or more specified attributes in the specified keychain. |
||||
@param keychainOrArray An reference to an array of keychains to search, a single keychain or NULL to search the user's default keychain search list. |
||||
@param itemClass The keychain item class. |
||||
@param attrList A pointer to a list of zero or more keychain attribute records to match. Pass NULL to match any keychain attribute. |
||||
@param searchRef On return, a pointer to the current search reference. You are responsible for calling the CFRelease function to release this reference when finished with it. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in Mac OS X 10.7 and later; to find keychain items which match specified attributes, please use the SecItemCopyMatching API (see SecItem.h). |
||||
*/ |
||||
OSStatus SecKeychainSearchCreateFromAttributes(CFTypeRef __nullable keychainOrArray, SecItemClass itemClass, const SecKeychainAttributeList * __nullable attrList, SecKeychainSearchRef * __nonnull CF_RETURNS_RETAINED searchRef) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecKeychainSearchCopyNext |
||||
@abstract Finds the next keychain item matching the given search criteria. |
||||
@param searchRef A reference to the current search criteria. The search reference is created in the SecKeychainSearchCreateFromAttributes function and must be released by calling the CFRelease function when you are done with it. |
||||
@param itemRef On return, a pointer to a keychain item reference of the next matching keychain item, if any.
|
||||
@result A result code. When there are no more items that match the parameters specified to SecPolicySearchCreate, errSecItemNotFound is returned. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in Mac OS X 10.7 and later; to find keychain items which match specified attributes, please use the SecItemCopyMatching API (see SecItem.h). |
||||
*/ |
||||
OSStatus SecKeychainSearchCopyNext(SecKeychainSearchRef searchRef, SecKeychainItemRef * __nonnull CF_RETURNS_RETAINED itemRef) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECKEYCHAINSEARCH_H_ */ |
@ -0,0 +1,424 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2014 Apple Inc. All Rights Reserved. |
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecPolicy |
||||
The functions provided in SecPolicy.h provide an interface to various |
||||
X.509 certificate trust policies. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECPOLICY_H_ |
||||
#define _SECURITY_SECPOLICY_H_ |
||||
|
||||
#include <CoreFoundation/CFBase.h> |
||||
#include <CoreFoundation/CFDictionary.h> |
||||
#include <Security/SecBase.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@enum Policy Constants |
||||
@discussion Predefined constants used to specify a policy. |
||||
@constant kSecPolicyAppleX509Basic |
||||
@constant kSecPolicyAppleSSL |
||||
@constant kSecPolicyAppleSMIME |
||||
@constant kSecPolicyAppleEAP |
||||
@constant kSecPolicyAppleIPsec |
||||
@constant kSecPolicyAppleiChat |
||||
@constant kSecPolicyApplePKINITClient |
||||
@constant kSecPolicyApplePKINITServer |
||||
@constant kSecPolicyAppleCodeSigning |
||||
@constant kSecPolicyMacAppStoreReceipt |
||||
@constant kSecPolicyAppleIDValidation |
||||
@constant kSecPolicyAppleTimeStamping |
||||
@constant kSecPolicyAppleRevocation |
||||
@constant kSecPolicyApplePassbookSigning |
||||
@constant kSecPolicyApplePayIssuerEncryption |
||||
*/ |
||||
extern const CFStringRef kSecPolicyAppleX509Basic |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyAppleSSL |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyAppleSMIME |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyAppleEAP |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyAppleIPsec |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyAppleiChat |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyApplePKINITClient |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyApplePKINITServer |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyAppleCodeSigning |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyMacAppStoreReceipt |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_9_0); |
||||
extern const CFStringRef kSecPolicyAppleIDValidation |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyAppleTimeStamping |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyAppleRevocation |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyApplePassbookSigning |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyApplePayIssuerEncryption |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); |
||||
|
||||
|
||||
/*!
|
||||
@enum Policy Value Constants |
||||
@abstract Predefined property key constants used to get or set values in |
||||
a dictionary for a policy instance. |
||||
@discussion |
||||
All policies will have the following read-only value: |
||||
kSecPolicyOid (the policy object identifier) |
||||
|
||||
Additional policy values which your code can optionally set: |
||||
kSecPolicyName (name which must be matched) |
||||
kSecPolicyClient (evaluate for client, rather than server) |
||||
kSecPolicyRevocationFlags (only valid for a revocation policy) |
||||
|
||||
@constant kSecPolicyOid Specifies the policy OID (value is a CFStringRef) |
||||
@constant kSecPolicyName Specifies a CFStringRef (or CFArrayRef of same) |
||||
containing a name which must be matched in the certificate to satisfy |
||||
this policy. For SSL/TLS, EAP, and IPSec policies, this specifies the |
||||
server name which must match the common name of the certificate. |
||||
For S/MIME, this specifies the RFC822 email address. |
||||
For Passbook signing, this specifies the pass signer. |
||||
@constant kSecPolicyClient Specifies a CFBooleanRef value that indicates |
||||
this evaluation should be for a client certificate. If not set (or |
||||
false), the policy evaluates the certificate as a server certificate. |
||||
@constant kSecPolicyRevocationFlags Specifies a CFNumberRef that holds a |
||||
kCFNumberCFIndexType bitmask value. See "Revocation Policy Constants" |
||||
for a description of individual bits in this value. |
||||
@constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a |
||||
team identifier which must be matched in the certificate to satisfy |
||||
this policy. For the Passbook signing policy, this string must match |
||||
the Organizational Unit field of the certificate subject. |
||||
*/ |
||||
extern const CFStringRef kSecPolicyOid |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyName |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyClient |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyRevocationFlags |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPolicyTeamIdentifier |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
|
||||
|
||||
/*!
|
||||
@function SecPolicyGetTypeID |
||||
@abstract Returns the type identifier of SecPolicy instances. |
||||
@result The CFTypeID of SecPolicy instances. |
||||
*/ |
||||
CFTypeID SecPolicyGetTypeID(void) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecPolicyCopyProperties |
||||
@abstract Returns a dictionary of this policy's properties. |
||||
@param policyRef A policy reference. |
||||
@result A properties dictionary. See "Policy Value Constants" for a list |
||||
of currently defined property keys. It is the caller's responsibility to |
||||
CFRelease this reference when it is no longer needed. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function returns the properties for a policy, as set by the |
||||
policy's construction function or by a prior call to SecPolicySetProperties. |
||||
*/ |
||||
CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
|
||||
/*!
|
||||
@function SecPolicyCreateBasicX509 |
||||
@abstract Returns a policy object for the default X.509 policy. |
||||
@result A policy object. The caller is responsible for calling CFRelease |
||||
on this when it is no longer needed. |
||||
*/ |
||||
SecPolicyRef SecPolicyCreateBasicX509(void) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecPolicyCreateSSL |
||||
@abstract Returns a policy object for evaluating SSL certificate chains. |
||||
@param server Passing true for this parameter creates a policy for SSL |
||||
server certificates. |
||||
@param hostname (Optional) If present, the policy will require the specified |
||||
hostname to match the hostname in the leaf certificate. |
||||
@result A policy object. The caller is responsible for calling CFRelease |
||||
on this when it is no longer needed. |
||||
*/ |
||||
SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef __nullable hostname) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@enum Revocation Policy Constants |
||||
@abstract Predefined constants which allow you to specify how revocation |
||||
checking will be performed for a trust evaluation. |
||||
@constant kSecRevocationOCSPMethod If this flag is set, perform revocation |
||||
checking using OCSP (Online Certificate Status Protocol). |
||||
@constant kSecRevocationCRLMethod If this flag is set, perform revocation |
||||
checking using the CRL (Certificate Revocation List) method. |
||||
@constant kSecRevocationPreferCRL If this flag is set, then CRL revocation |
||||
checking will be preferred over OCSP (by default, OCSP is preferred.) |
||||
Note that this flag only matters if both revocation methods are specified. |
||||
@constant kSecRevocationRequirePositiveResponse If this flag is set, then |
||||
the policy will fail unless a verified positive response is obtained. If |
||||
the flag is not set, revocation checking is done on a "best attempt" basis, |
||||
where failure to reach the server is not considered fatal. |
||||
@constant kSecRevocationNetworkAccessDisabled If this flag is set, then |
||||
no network access is performed; only locally cached replies are consulted. |
||||
@constant kSecRevocationUseAnyAvailableMethod Specifies that either |
||||
OCSP or CRL may be used, depending on the method(s) specified in the |
||||
certificate and the value of kSecRevocationPreferCRL. |
||||
*/ |
||||
enum { |
||||
kSecRevocationOCSPMethod = (1 << 0), |
||||
kSecRevocationCRLMethod = (1 << 1), |
||||
kSecRevocationPreferCRL = (1 << 2), |
||||
kSecRevocationRequirePositiveResponse = (1 << 3), |
||||
kSecRevocationNetworkAccessDisabled = (1 << 4), |
||||
kSecRevocationUseAnyAvailableMethod = (kSecRevocationOCSPMethod | |
||||
kSecRevocationCRLMethod) |
||||
}; |
||||
|
||||
/*!
|
||||
@function SecPolicyCreateRevocation |
||||
@abstract Returns a policy object for checking revocation of certificates. |
||||
@result A policy object. The caller is responsible for calling CFRelease |
||||
on this when it is no longer needed. |
||||
@param revocationFlags Flags to specify revocation checking options. |
||||
@discussion Use this function to create a revocation policy with behavior |
||||
specified by revocationFlags. See the "Revocation Policy Constants" section |
||||
for a description of these flags. Note: it is usually not necessary to |
||||
create a revocation policy yourself unless you wish to override default |
||||
system behavior (e.g. to force a particular method, or to disable |
||||
revocation checking entirely.) |
||||
*/ |
||||
SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
|
||||
/*!
|
||||
@function SecPolicyCreateWithProperties |
||||
@abstract Returns a policy object based on an object identifier for the |
||||
policy type. See the "Policy Constants" section for a list of defined |
||||
policy object identifiers. |
||||
@param policyIdentifier The identifier for the desired policy type. |
||||
@param properties (Optional) A properties dictionary. See "Policy Value |
||||
Constants" for a list of currently defined property keys. |
||||
@result The returned policy reference, or NULL if the policy could not be |
||||
created. |
||||
*/ |
||||
__nullable |
||||
SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, |
||||
CFDictionaryRef __nullable properties) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
/*
|
||||
* Legacy functions (OS X only) |
||||
*/ |
||||
#if TARGET_OS_MAC && !TARGET_OS_IPHONE |
||||
#include <Security/cssmtype.h> |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@enum Policy Value Constants (OS X) |
||||
@discussion Predefined property key constants used to get or set values in |
||||
a dictionary for a policy instance. |
||||
|
||||
Some policy values may specify CFBooleanRef key usage constraints: |
||||
kSecPolicyKU_DigitalSignature |
||||
kSecPolicyKU_NonRepudiation |
||||
kSecPolicyKU_KeyEncipherment |
||||
kSecPolicyKU_DataEncipherment |
||||
kSecPolicyKU_KeyAgreement |
||||
kSecPolicyKU_KeyCertSign |
||||
kSecPolicyKU_CRLSign |
||||
kSecPolicyKU_EncipherOnly |
||||
kSecPolicyKU_DecipherOnly |
||||
|
||||
kSecPolicyKU policy values define certificate-level key purposes, |
||||
in contrast to the key-level definitions in SecItem.h |
||||
|
||||
For example, a key in a certificate might be acceptable to use for |
||||
signing a CRL, but not for signing another certificate. In either |
||||
case, this key would have the ability to sign (i.e. kSecAttrCanSign |
||||
is true), but may only sign for specific purposes allowed by these |
||||
policy constants. Similarly, a public key might have the capability |
||||
to perform encryption or decryption, but the certificate in which it |
||||
resides might have a decipher-only certificate policy. |
||||
|
||||
These constants correspond to values defined in RFC 5280, section |
||||
4.2.1.3 (Key Usage) which define the purpose of a key contained in a |
||||
certificate, in contrast to section 4.1.2.7 which define the uses that |
||||
a key is capable of. |
||||
|
||||
Note: these constants are not available on iOS. Your code should |
||||
avoid direct reliance on these values for making policy decisions |
||||
and use higher level policies where possible. |
||||
|
||||
@constant kSecPolicyKU_DigitalSignature Specifies that the certificate must |
||||
have a key usage that allows it to be used for signing. |
||||
@constant kSecPolicyKU_NonRepudiation Specifies that the certificate must |
||||
have a key usage that allows it to be used for non-repudiation. |
||||
@constant kSecPolicyKU_KeyEncipherment Specifies that the certificate must |
||||
have a key usage that allows it to be used for key encipherment. |
||||
@constant kSecPolicyKU_DataEncipherment Specifies that the certificate must |
||||
have a key usage that allows it to be used for data encipherment. |
||||
@constant kSecPolicyKU_KeyAgreement Specifies that the certificate must |
||||
have a key usage that allows it to be used for key agreement. |
||||
@constant kSecPolicyKU_KeyCertSign Specifies that the certificate must |
||||
have a key usage that allows it to be used for signing certificates. |
||||
@constant kSecPolicyKU_CRLSign Specifies that the certificate must |
||||
have a key usage that allows it to be used for signing CRLs. |
||||
@constant kSecPolicyKU_EncipherOnly Specifies that the certificate must |
||||
have a key usage that permits it to be used for encryption only. |
||||
@constant kSecPolicyKU_DecipherOnly Specifies that the certificate must |
||||
have a key usage that permits it to be used for decryption only. |
||||
*/ |
||||
extern const CFStringRef kSecPolicyKU_DigitalSignature |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyKU_NonRepudiation |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyKU_KeyEncipherment |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyKU_DataEncipherment |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyKU_KeyAgreement |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyKU_KeyCertSign |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyKU_CRLSign |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyKU_EncipherOnly |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
extern const CFStringRef kSecPolicyKU_DecipherOnly |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecPolicyCreateWithOID |
||||
@abstract Returns a policy object based on an object identifier for the |
||||
policy type. See the "Policy Constants" section for a list of defined |
||||
policy object identifiers. |
||||
@param policyOID The OID of the desired policy. |
||||
@result The returned policy reference, or NULL if the policy could not be |
||||
created. |
||||
@discussion This function is deprecated in Mac OS X 10.9 and later; |
||||
use SecPolicyCreateWithProperties (or a more specific policy creation |
||||
function) instead. |
||||
*/ |
||||
__nullable |
||||
SecPolicyRef SecPolicyCreateWithOID(CFTypeRef policyOID) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecPolicyGetOID |
||||
@abstract Returns a policy's object identifier. |
||||
@param policyRef A policy reference. |
||||
@param oid On return, a pointer to the policy's object identifier. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in Mac OS X 10.7 and later; |
||||
use SecPolicyCopyProperties instead. |
||||
*/ |
||||
OSStatus SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID *oid) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecPolicyGetValue |
||||
@abstract Returns a policy's value. |
||||
@param policyRef A policy reference. |
||||
@param value On return, a pointer to the policy's value. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in Mac OS X 10.7 and later; |
||||
use SecPolicyCopyProperties instead. |
||||
*/ |
||||
OSStatus SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA *value) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecPolicySetValue |
||||
@abstract Sets a policy's value. |
||||
@param policyRef A policy reference. |
||||
@param value The value to be set into the policy object, replacing any |
||||
previous value. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in Mac OS X 10.7 and later. Policy |
||||
instances should be considered read-only; in cases where your code would |
||||
consider changing properties of a policy, it should instead create a new |
||||
policy instance with the desired properties. |
||||
*/ |
||||
OSStatus SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecPolicySetProperties |
||||
@abstract Sets a policy's properties. |
||||
@param policyRef A policy reference. |
||||
@param properties A properties dictionary. See "Policy Value Constants" |
||||
for a list of currently defined property keys. This dictionary replaces the |
||||
policy's existing properties, if any. Note that the policy OID (specified |
||||
by kSecPolicyOid) is a read-only property of the policy and cannot be set. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in Mac OS X 10.9 and later. Policy |
||||
instances should be considered read-only; in cases where your code would |
||||
consider changing properties of a policy, it should instead create a new |
||||
policy instance with the desired properties. |
||||
*/ |
||||
OSStatus SecPolicySetProperties(SecPolicyRef policyRef, |
||||
CFDictionaryRef properties) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecPolicyGetTPHandle |
||||
@abstract Returns the CSSM trust policy handle for the given policy. |
||||
@param policyRef A policy reference. |
||||
@param tpHandle On return, a pointer to a value of type CSSM_TP_HANDLE. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in Mac OS X 10.7 and later. |
||||
*/ |
||||
OSStatus SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE *tpHandle) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECPOLICY_H_ */ |
@ -0,0 +1,87 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecPolicySearch |
||||
The functions provided in SecPolicySearch implement a query for SecPolicy objects. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECPOLICYSEARCH_H_ |
||||
#define _SECURITY_SECPOLICYSEARCH_H_ |
||||
|
||||
#include <Security/SecBase.h> |
||||
#include <Security/cssmtype.h> |
||||
|
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@typedef SecPolicySearchRef |
||||
@abstract A reference to an opaque policy search structure. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) OpaquePolicySearchRef *SecPolicySearchRef; |
||||
|
||||
/*!
|
||||
@function SecPolicySearchGetTypeID |
||||
@abstract Returns the type identifier of SecPolicySearch instances. |
||||
@result The CFTypeID of SecPolicySearch instances. |
||||
@discussion This API is deprecated in 10.7. The SecPolicySearchRef type is no longer used. |
||||
*/ |
||||
CFTypeID SecPolicySearchGetTypeID(void) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecPolicySearchCreate |
||||
@abstract Creates a search reference for finding a policy by specifying its object identifier. |
||||
@param certType The type of certificates a policy uses. |
||||
@param policyOID A pointer to a BER-encoded policy object identifier that uniquely specifies the policy. |
||||
@param value Unused. Pass NULL for this value. Use SecPolicySetValue to set per policy data. |
||||
@param searchRef On return, a pointer to a policy search reference. The policy search reference is used for subsequent calls to the SecCopyNextPolicy function to obtain the remaining trust policies. You are responsible for releasing the search reference by calling the CFRelease function when finished with it. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in 10.7. To create a SecPolicyRef, use one of the SecPolicyCreate functions in SecPolicy.h. |
||||
*/ |
||||
OSStatus SecPolicySearchCreate(CSSM_CERT_TYPE certType, const CSSM_OID *policyOID, const CSSM_DATA * __nullable value, SecPolicySearchRef * __nonnull CF_RETURNS_RETAINED searchRef) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*!
|
||||
@function SecPolicySearchCopyNext |
||||
@abstract Finds the next policy matching the given search criteria |
||||
@param searchRef A reference to the current policy search criteria. You create the policy search reference by a calling the SecPolicySearchCreate function. You are responsible for releasing the policy by calling the CFRelease function when finished with it. |
||||
@param policyRef On return, a pointer to a policy reference. |
||||
@result A result code. When there are no more policies that match the parameters specified to SecPolicySearchCreate, errSecPolicyNotFound is returned. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in 10.7. To create a SecPolicyRef, use one of the SecPolicyCreate functions in SecPolicy.h. |
||||
*/ |
||||
OSStatus SecPolicySearchCopyNext(SecPolicySearchRef searchRef, SecPolicyRef * __nonnull CF_RETURNS_RETAINED policyRef) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECPOLICY_H_ */ |
@ -0,0 +1,71 @@
|
||||
/*
|
||||
* Copyright (c) 2007-2009,2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecRandom |
||||
The functions provided in SecRandom.h implement high-level accessors |
||||
to cryptographically secure random numbers. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECRANDOM_H_ |
||||
#define _SECURITY_SECRANDOM_H_ |
||||
|
||||
#include <Security/SecBase.h> |
||||
#include <stdint.h> |
||||
#include <sys/types.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@typedef SecRandomRef |
||||
@abstract Reference to a (psuedo) random number generator. |
||||
*/ |
||||
typedef const struct __SecRandom * SecRandomRef; |
||||
|
||||
/* This is a synonym for NULL, if you'd rather use a named constant. This
|
||||
refers to a cryptographically secure random number generator. */ |
||||
extern const SecRandomRef kSecRandomDefault |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecRandomCopyBytes |
||||
@abstract Return count random bytes in *bytes, allocated by the caller. |
||||
@result Return 0 on success or -1 if something went wrong, check errno |
||||
to find out the real error. |
||||
*/ |
||||
int SecRandomCopyBytes(SecRandomRef __nullable rnd, size_t count, uint8_t *bytes) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECRANDOM_H_ */ |
@ -0,0 +1,2 @@
|
||||
#include <Security/SecTransformReadTransform.h> |
||||
|
@ -0,0 +1,142 @@
|
||||
/*
|
||||
* Copyright (c) 2006,2011,2013-2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecRequirement |
||||
SecRequirement represents a condition or constraint (a "Code Requirement") |
||||
that code must satisfy to be considered valid for some purpose. |
||||
SecRequirement itself does not understand or care WHY such a constraint |
||||
is appropriate or useful; it is purely a tool for formulating, recording, |
||||
and evaluating it. |
||||
|
||||
Code Requirements are usually stored and retrieved in the form of a variable-length |
||||
binary Blob that can be encapsulated as a CFDataRef and safely stored in various |
||||
data structures. They can be formulated in a text form that can be compiled |
||||
into binary form and decompiled back into text form without loss of functionality |
||||
(though comments and formatting are not preserved). |
||||
*/ |
||||
#ifndef _H_SECREQUIREMENT |
||||
#define _H_SECREQUIREMENT |
||||
|
||||
#include <Security/CSCommon.h> |
||||
#include <Security/SecCertificate.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@function SecRequirementGetTypeID |
||||
Returns the type identifier of all SecRequirement instances. |
||||
*/ |
||||
CFTypeID SecRequirementGetTypeID(void); |
||||
|
||||
|
||||
/*!
|
||||
@function SecRequirementCreateWithData |
||||
Create a SecRequirement object from binary form. |
||||
This is the effective inverse of SecRequirementCopyData. |
||||
|
||||
@param data A binary blob obtained earlier from a valid SecRequirement object |
||||
using the SecRequirementCopyData call. This is the only publicly supported |
||||
way to get such a data blob. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param requirement On successful return, contains a reference to a SecRequirement |
||||
object that behaves identically to the one the data blob was obtained from. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecRequirementCreateWithData(CFDataRef data, SecCSFlags flags, |
||||
SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement); |
||||
|
||||
|
||||
/*!
|
||||
@function SecRequirementCreateWithString |
||||
Create a SecRequirement object by compiling a valid text representation |
||||
of a requirement. |
||||
|
||||
@param text A CFString containing the text form of a (single) Code Requirement. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param requirement On successful return, contains a reference to a SecRequirement |
||||
object that implements the conditions described in text. |
||||
@param errors An optional pointer to a CFErrorRef variable. If the call fails |
||||
(and something other than errSecSuccess is returned), and this argument is non-NULL, |
||||
a CFErrorRef is stored there further describing the nature and circumstances |
||||
of the failure. The caller must CFRelease() this error object when done with it. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecRequirementCreateWithString(CFStringRef text, SecCSFlags flags, |
||||
SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement); |
||||
|
||||
OSStatus SecRequirementCreateWithStringAndErrors(CFStringRef text, SecCSFlags flags, |
||||
CFErrorRef *errors, SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement); |
||||
|
||||
|
||||
/*!
|
||||
@function SecRequirementCopyData |
||||
Extracts a stable, persistent binary form of a SecRequirement. |
||||
This is the effective inverse of SecRequirementCreateWithData. |
||||
|
||||
@param requirement A valid SecRequirement object. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param data On successful return, contains a reference to a CFData object |
||||
containing a binary blob that can be fed to SecRequirementCreateWithData |
||||
to recreate a SecRequirement object with identical behavior. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecRequirementCopyData(SecRequirementRef requirement, SecCSFlags flags, |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED data); |
||||
|
||||
|
||||
/*!
|
||||
@function SecRequirementCopyString |
||||
Converts a SecRequirement object into text form. |
||||
This is the effective inverse of SecRequirementCreateWithString. |
||||
|
||||
Repeated application of this function may produce text that differs in |
||||
formatting, may contain different source comments, and may perform its |
||||
validation functions in different order. However, it is guaranteed that |
||||
recompiling the text using SecRequirementCreateWithString will produce a |
||||
SecRequirement object that behaves identically to the one you start with. |
||||
|
||||
@param requirement A valid SecRequirement object. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param text On successful return, contains a reference to a CFString object |
||||
containing a text representation of the requirement. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
OSStatus SecRequirementCopyString(SecRequirementRef requirement, SecCSFlags flags, |
||||
CFStringRef * __nonnull CF_RETURNS_RETAINED text); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif //_H_SECREQUIREMENT
|
@ -0,0 +1,102 @@
|
||||
#ifndef __TRANSFORM_SIGN_VERIFY__ |
||||
#define __TRANSFORM_SIGN_VERIFY__ |
||||
|
||||
|
||||
/*
|
||||
* Copyright (c) 2010-2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
#include "SecTransform.h" |
||||
#include <Security/SecBase.h> |
||||
|
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
extern const CFStringRef kSecKeyAttributeName, kSecSignatureAttributeName, kSecInputIsAttributeName; |
||||
// WARNING: kSecInputIsRaw is frequently cryptographically unsafe (for example if you don't blind a DSA or ECDSA signature you give away the key very quickly), please only use it if you really know the math.
|
||||
extern const CFStringRef kSecInputIsPlainText, kSecInputIsDigest, kSecInputIsRaw; |
||||
// Supported optional attributes: kSecDigestTypeAttribute (kSecDigestMD2, kSecDigestMD4, kSecDigestMD5, kSecDigestSHA1, kSecDigestSHA2), kSecDigestLengthAttribute
|
||||
|
||||
/*!
|
||||
@function SecSignTransformCreate |
||||
@abstract Creates a sign computation object. |
||||
@param key A SecKey with the private key used for signing. |
||||
@param error A pointer to a CFErrorRef. This pointer will be set |
||||
if an error occurred. This value may be NULL if you |
||||
do not want an error returned. |
||||
@result A pointer to a SecTransformRef object. This object must |
||||
be released with CFRelease when you are done with |
||||
it. This function will return NULL if an error |
||||
occurred. |
||||
@discussion This function creates a transform which computes a |
||||
cryptographic signature. The InputIS defaults to kSecInputIsPlainText, |
||||
and the DigestType and DigestLength default to something appropriate for |
||||
the type of key you have supplied. |
||||
*/ |
||||
|
||||
__nullable |
||||
SecTransformRef SecSignTransformCreate(SecKeyRef key, |
||||
CFErrorRef* error |
||||
) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecVerifyTransformCreate |
||||
@abstract Creates a verify computation object. |
||||
@param key A SecKey with the public key used for signing. |
||||
@param signature A CFDataRef with the signature. This value may be |
||||
NULL, and you may connect a transform to kSecTransformSignatureAttributeName |
||||
to supply it from another signature. |
||||
@param error A pointer to a CFErrorRef. This pointer will be set |
||||
if an error occurred. This value may be NULL if you |
||||
do not want an error returned. |
||||
@result A pointer to a SecTransformRef object. This object must |
||||
be released with CFRelease when you are done with |
||||
it. This function will return NULL if an error |
||||
occurred. |
||||
@discussion This function creates a transform which verifies a |
||||
cryptographic signature. The InputIS defaults to kSecInputIsPlainText, |
||||
and the DigestType and DigestLength default to something appropriate for |
||||
the type of key you have supplied. |
||||
*/ |
||||
|
||||
__nullable |
||||
SecTransformRef SecVerifyTransformCreate(SecKeyRef key, |
||||
CFDataRef __nullable signature, |
||||
CFErrorRef* error |
||||
) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
}; |
||||
#endif |
||||
|
||||
|
||||
#endif |
@ -0,0 +1,168 @@
|
||||
/*
|
||||
* Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecStaticCode |
||||
SecStaticCode represents the Code Signing identity of code in the file system. |
||||
This includes applications, tools, frameworks, plugins, scripts, and so on. |
||||
Note that arbitrary files will be considered scripts of unknown provenance; |
||||
and thus it is possible to handle most files as if they were code, though that is |
||||
not necessarily a good idea. |
||||
|
||||
Normally, each SecCode has a specific SecStaticCode that holds its static signing |
||||
data. Informally, that is the SecStaticCode the SecCode "was made from" (by its host). |
||||
There is however no viable link in the other direction - given a SecStaticCode, |
||||
it is not possible to find, enumerate, or control any SecCode that originated from it. |
||||
There might not be any at a given point in time; or there might be many. |
||||
*/ |
||||
#ifndef _H_SECSTATICCODE |
||||
#define _H_SECSTATICCODE |
||||
|
||||
#include <Security/CSCommon.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@function SecStaticCodeGetTypeID |
||||
Returns the type identifier of all SecStaticCode instances. |
||||
*/ |
||||
CFTypeID SecStaticCodeGetTypeID(void); |
||||
|
||||
|
||||
/*!
|
||||
@function SecStaticCodeCreateWithPath |
||||
Given a path to a file system object, create a SecStaticCode object representing |
||||
the code at that location, if possible. Such a SecStaticCode is not inherently |
||||
linked to running code in the system. |
||||
|
||||
It is possible to create a SecStaticCode object from an unsigned code object. |
||||
Most uses of such an object will return the errSecCSUnsigned error. However, |
||||
SecCodeCopyPath and SecCodeCopySigningInformation can be safely applied to such objects. |
||||
|
||||
@param path A path to a location in the file system. Only file:// URLs are
|
||||
currently supported. For bundles, pass a URL to the root directory of the |
||||
bundle. For single files, pass a URL to the file. If you pass a URL to the |
||||
main executable of a bundle, the bundle as a whole will be generally recognized. |
||||
Caution: Paths containing embedded // or /../ within a bundle's directory
|
||||
may cause the bundle to be misconstrued. If you expect to submit such paths, |
||||
first clean them with realpath(3) or equivalent. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
@param attributes A CFDictionary containing additional attributes of the code sought. |
||||
@param staticCode On successful return, contains a reference to the StaticCode object |
||||
representing the code at path. Unchanged on error. |
||||
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in |
||||
CSCommon.h or certain other Security framework headers. |
||||
|
||||
@constant kSecCodeAttributeArchitecture Specifies the Mach-O architecture of code desired. |
||||
This can be a CFString containing a canonical architecture name ("i386" etc.), or a CFNumber |
||||
specifying an architecture numerically (see mach/machine.h). This key is ignored if the code |
||||
is not in Mach-O binary form. If the code is Mach-O but not universal ("thin"), the architecture |
||||
specified must agree with the actual file contents. |
||||
@constant kSecCodeAttributeSubarchitecture If the architecture is specified numerically |
||||
(using the kSecCodeAttributeArchitecture key), specifies any sub-architecture by number. |
||||
This key is ignored if no main architecture is specified; if it is specified by name; or |
||||
if the code is not in Mach-O form. |
||||
@constant kSecCodeAttributeUniversalFileOffset The offset of a Mach-O specific slice of a universal Mach-O file. |
||||
*/ |
||||
extern const CFStringRef kSecCodeAttributeArchitecture; |
||||
extern const CFStringRef kSecCodeAttributeSubarchitecture; |
||||
extern const CFStringRef kSecCodeAttributeUniversalFileOffset; |
||||
extern const CFStringRef kSecCodeAttributeBundleVersion; |
||||
|
||||
OSStatus SecStaticCodeCreateWithPath(CFURLRef path, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode); |
||||
|
||||
OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes, |
||||
SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode); |
||||
|
||||
|
||||
/*!
|
||||
@function SecStaticCodeCheckValidity |
||||
Performs static validation on the given SecStaticCode object. The call obtains and |
||||
verifies the signature on the code object. It checks the validity of all |
||||
sealed components (including resources, if any). It validates the code against |
||||
a SecRequirement if one is given. The call succeeds if all these conditions |
||||
are satisfactory. It fails otherwise. |
||||
|
||||
This call is only secure if the code is not subject to concurrent modification, |
||||
and the outcome is only valid as long as the code is unmodified thereafter. |
||||
Consider this carefully if the underlying file system has dynamic characteristics, |
||||
such as a network file system, union mount, FUSE, etc. |
||||
|
||||
@param staticCode The code object to be validated. |
||||
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. |
||||
|
||||
@constant kSecCSCheckAllArchitectures |
||||
For multi-architecture (universal) Mach-O programs, validate all architectures |
||||
included. By default, only the native architecture is validated. |
||||
@constant kSecCSNoDnotValidateExecutable |
||||
Do not validate the contents of the main executable. This is normally done. |
||||
@constant kSecCSNoNotValidateResources |
||||
Do not validate the presence and contents of all bundle resources (if any). |
||||
By default, a mismatch in any bundle resource causes validation to fail. |
||||
@constant kSecCSCheckNestedCode |
||||
For code in bundle form, locate and recursively check embedded code. Only code |
||||
in standard locations is considered. |
||||
@constant kSecCSStrictValidate |
||||
For code in bundle form, perform additional checks to verify that the bundle |
||||
is not structured in a way that would allow tampering, and reject any resource |
||||
envelope that introduces weaknesses into the signature. |
||||
|
||||
@param requirement On optional code requirement specifying additional conditions |
||||
the staticCode object must satisfy to be considered valid. If NULL, no additional |
||||
requirements are imposed. |
||||
@param errors An optional pointer to a CFErrorRef variable. If the call fails |
||||
(something other than errSecSuccess is returned), and this argument is non-NULL, |
||||
a CFErrorRef is stored there further describing the nature and circumstances |
||||
of the failure. The caller must CFRelease() this error object when done with it. |
||||
@result If validation succeeds, errSecSuccess. If validation fails, an OSStatus value |
||||
documented in CSCommon.h or certain other Security framework headers. |
||||
*/ |
||||
CF_ENUM(uint32_t) { |
||||
kSecCSCheckAllArchitectures = 1 << 0, |
||||
kSecCSDoNotValidateExecutable = 1 << 1, |
||||
kSecCSDoNotValidateResources = 1 << 2, |
||||
kSecCSBasicValidateOnly = kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources, |
||||
kSecCSCheckNestedCode = 1 << 3, |
||||
kSecCSStrictValidate = 1 << 4, |
||||
kSecCSFullReport = 1 << 5, |
||||
kSecCSCheckGatekeeperArchitectures = (1 << 6) | kSecCSCheckAllArchitectures, |
||||
kSecCSRestrictSymlinks = 1 << 7, |
||||
}; |
||||
|
||||
OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCode, SecCSFlags flags, |
||||
SecRequirementRef __nullable requirement); |
||||
|
||||
OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCode, SecCSFlags flags, |
||||
SecRequirementRef __nullable requirement, CFErrorRef *errors); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif //_H_SECSTATICCODE
|
@ -0,0 +1,113 @@
|
||||
/*
|
||||
* Copyright (c) 2008-2009,2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECTASK_H_ |
||||
#define _SECURITY_SECTASK_H_ |
||||
|
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
#include <mach/message.h> |
||||
#include <Security/SecCode.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@typedef SecTaskRef |
||||
@abstract CFType used for representing a task |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) __SecTask *SecTaskRef; |
||||
|
||||
/*!
|
||||
@function SecTaskGetTypeID |
||||
@abstract Returns the type ID for CF instances of SecTask. |
||||
@result A CFTypeID for SecTask |
||||
*/ |
||||
CFTypeID SecTaskGetTypeID(void); |
||||
|
||||
/*!
|
||||
@function SecTaskCreateWithAuditToken |
||||
@abstract Create a SecTask object for the task that sent the mach message |
||||
represented by the audit token. |
||||
@param token The audit token of a mach message |
||||
@result The newly created SecTask object or NULL on error. The caller must |
||||
CFRelease the returned object. |
||||
*/ |
||||
__nullable |
||||
SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef __nullable allocator, audit_token_t token); |
||||
|
||||
/*!
|
||||
@function SecTaskCreateFromSelf |
||||
@abstract Create a SecTask object for the current task. |
||||
@result The newly created SecTask object or NULL on error. The caller must |
||||
CFRelease the returned object. |
||||
*/ |
||||
__nullable |
||||
SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef __nullable allocator); |
||||
|
||||
/*!
|
||||
@function SecTaskCopyValueForEntitlement |
||||
@abstract Returns the value of a single entitlement for the represented
|
||||
task. |
||||
@param task A previously created SecTask object |
||||
@param entitlement The name of the entitlement to be fetched |
||||
@param error On a NULL return, this may be contain a CFError describing |
||||
the problem. This argument may be NULL if the caller is not interested in |
||||
detailed errors. |
||||
@result The value of the specified entitlement for the process or NULL if |
||||
the entitlement value could not be retrieved. The type of the returned |
||||
value will depend on the entitlement specified. The caller must release |
||||
the returned object. |
||||
@discussion A NULL return may indicate an error, or it may indicate that |
||||
the entitlement is simply not present. In the latter case, no CFError is |
||||
returned. |
||||
*/ |
||||
__nullable |
||||
CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef task, CFStringRef entitlement, CFErrorRef *error); |
||||
|
||||
/*!
|
||||
@function SecTaskCopyValuesForEntitlements |
||||
@abstract Returns the values of multiple entitlements for the represented
|
||||
task. |
||||
@param task A previously created SecTask object |
||||
@param entitlements An array of entitlement names to be fetched |
||||
@param error On a NULL return, this will contain a CFError describing |
||||
the problem. This argument may be NULL if the caller is not interested in |
||||
detailed errors. If a requested entitlement is not present for the
|
||||
returned dictionary, the entitlement is not set on the task. The caller |
||||
must CFRelease the returned value |
||||
*/ |
||||
__nullable |
||||
CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef entitlements, CFErrorRef *error); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECTASK_H_ */ |
@ -0,0 +1,620 @@
|
||||
/*
|
||||
* Copyright (c) 2010-2012 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
#ifndef _SEC_TRANSFORM_H__ |
||||
#define _SEC_TRANSFORM_H__ |
||||
|
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
|
||||
CF_EXTERN_C_BEGIN |
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@header |
||||
|
||||
To better follow this header, you should understand the following |
||||
terms: |
||||
|
||||
Transform A transform converts data from one form to another. |
||||
Digests, encryption and decryption are all examples |
||||
of transforms. Each transform performs a single |
||||
operation. |
||||
Transform |
||||
Group A transform group is a directed (typically) acyclic
|
||||
graph of transforms. Results from a transform flow
|
||||
to the next Transform in the graph, and so on until
|
||||
the end of the graph is reached.
|
||||
|
||||
Attribute Transforms may have one or more attributes. These |
||||
attributes are parameters for the transforms and |
||||
may affect the operation of the transform. The value |
||||
of an attribute may be set with static data or from |
||||
the value of an attribute in another transform |
||||
by connecting the attributes using the
|
||||
SecTransformConnectTransforms API. |
||||
|
||||
External |
||||
Representation Transforms may be created programmatically or from |
||||
an external representation. External representations |
||||
may be created from existing transforms. |
||||
|
||||
There are many types of transforms available. These are documented |
||||
in their own headers. The functions in this header are applicable |
||||
to all transforms. |
||||
|
||||
*/ |
||||
|
||||
|
||||
/*!
|
||||
@constant kSecTransformErrorDomain
|
||||
The domain for CFErrorRefs created by Transforms |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformErrorDomain; |
||||
|
||||
/*!
|
||||
@constant kSecTransformPreviousErrorKey |
||||
If multiple errors occurred, the CFErrorRef that |
||||
is returned from a Transfo]rm API will have a userInfo |
||||
dictionary and that dictionary will have the previous |
||||
error keyed by the kSecTransformPreviousErrorKey. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformPreviousErrorKey; |
||||
|
||||
/*!
|
||||
@constant kSecTransformAbortOriginatorKey |
||||
The value of this key will be the transform that caused |
||||
the transform chain to abort. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformAbortOriginatorKey; |
||||
|
||||
|
||||
/**************** Transform Error Codes ****************/ |
||||
/*!
|
||||
@enum Security Transform Error Codes |
||||
@discussion |
||||
@const kSecTransformErrorAttributeNotFound |
||||
The attribute was not found. |
||||
|
||||
@const kSecTransformErrorInvalidOperation |
||||
An invalid operation was attempted. |
||||
|
||||
@const kSecTransformErrorNotInitializedCorrectly |
||||
A required initialization is missing. It |
||||
is most likely a missing required attribute. |
||||
|
||||
@const kSecTransformErrorMoreThanOneOutput |
||||
A transform has an internal routing error |
||||
that has caused multiple outputs instead
|
||||
of a single discrete output. This will |
||||
occur if SecTransformExecute has already
|
||||
been called. |
||||
|
||||
@const kSecTransformErrorInvalidInputDictionary |
||||
A dictionary given to
|
||||
SecTransformCreateFromExternalRepresentation has invalid data. |
||||
|
||||
@const kSecTransformErrorInvalidAlgorithm |
||||
A transform that needs an algorithm as an attribute |
||||
i.e the Sign and Verify transforms, received an invalid
|
||||
algorithm. |
||||
|
||||
@const kSecTransformErrorInvalidLength |
||||
A transform that needs a length such as a digest
|
||||
transform has been given an invalid length. |
||||
|
||||
@const kSecTransformErrorInvalidType |
||||
An invalid type has been set on an attribute. |
||||
|
||||
@const kSecTransformErrorInvalidInput |
||||
The input set on a transform is invalid. This can |
||||
occur if the data set for an attribute does not |
||||
meet certain requirements such as correct key
|
||||
usage for signing data. |
||||
|
||||
@const kSecTransformErrorNameAlreadyRegistered |
||||
A custom transform of a particular name has already |
||||
been registered. |
||||
|
||||
@const kSecTransformErrorUnsupportedAttribute |
||||
An illegal action such as setting a read only
|
||||
attribute has occurred. |
||||
|
||||
@const kSecTransformOperationNotSupportedOnGroup |
||||
An illegal action on a group transform such as |
||||
trying to call SecTransformSetAttribute has occurred. |
||||
|
||||
@const kSecTransformErrorMissingParameter |
||||
A transform is missing a required attribute. |
||||
|
||||
@const kSecTransformErrorInvalidConnection |
||||
A SecTransformConnectTransforms was called with |
||||
transforms in different groups. |
||||
|
||||
@const kSecTransformTransformIsExecuting |
||||
An illegal operation was called on a Transform |
||||
while it was executing. Please see the sequencing documentation |
||||
in the discussion area of the SecTransformExecute API |
||||
|
||||
@const kSecTransformInvalidOverride |
||||
An illegal override was given to a custom transform |
||||
|
||||
@const kSecTransformTransformIsNotRegistered |
||||
A custom transform was asked to be created but the transform |
||||
has not been registered. |
||||
|
||||
@const kSecTransformErrorAbortInProgress |
||||
The abort attribute has been set and the transform is in the |
||||
process of shutting down |
||||
|
||||
@const kSecTransformErrorAborted |
||||
The transform was aborted.
|
||||
|
||||
@const kSecTransformInvalidArgument |
||||
An invalid argument was given to a Transform API |
||||
|
||||
|
||||
*/ |
||||
|
||||
CF_ENUM(CFIndex) |
||||
{ |
||||
kSecTransformErrorAttributeNotFound = 1, |
||||
kSecTransformErrorInvalidOperation = 2, |
||||
kSecTransformErrorNotInitializedCorrectly = 3, |
||||
kSecTransformErrorMoreThanOneOutput = 4, |
||||
kSecTransformErrorInvalidInputDictionary = 5, |
||||
kSecTransformErrorInvalidAlgorithm = 6, |
||||
kSecTransformErrorInvalidLength = 7, |
||||
kSecTransformErrorInvalidType = 8, |
||||
kSecTransformErrorInvalidInput = 10, |
||||
kSecTransformErrorNameAlreadyRegistered = 11, |
||||
kSecTransformErrorUnsupportedAttribute = 12, |
||||
kSecTransformOperationNotSupportedOnGroup = 13, |
||||
kSecTransformErrorMissingParameter = 14, |
||||
kSecTransformErrorInvalidConnection = 15, |
||||
kSecTransformTransformIsExecuting = 16, |
||||
kSecTransformInvalidOverride = 17, |
||||
kSecTransformTransformIsNotRegistered = 18, |
||||
kSecTransformErrorAbortInProgress = 19, |
||||
kSecTransformErrorAborted = 20, |
||||
kSecTransformInvalidArgument = 21 |
||||
|
||||
}; |
||||
|
||||
typedef CFTypeRef SecTransformRef; |
||||
typedef CFTypeRef SecGroupTransformRef; |
||||
|
||||
/*!
|
||||
@function SecTransformGetTypeID |
||||
@abstract Return the CFTypeID for a SecTransform. |
||||
@result The CFTypeID |
||||
*/ |
||||
|
||||
CF_EXPORT CFTypeID SecTransformGetTypeID(void); |
||||
|
||||
/*!
|
||||
@function SecGroupTransformGetTypeID |
||||
@abstract Return the CFTypeID for a SecTransformGroup. |
||||
@result The CFTypeID |
||||
*/ |
||||
|
||||
|
||||
CF_EXPORT CFTypeID SecGroupTransformGetTypeID(void); |
||||
|
||||
|
||||
/**************** Transform Attribute Names ****************/ |
||||
/*!
|
||||
@constant kSecTransformInputAttributeName |
||||
The name of the input attribute. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformInputAttributeName __OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@constant kSecTransformOutputAttributeName |
||||
The name of the output attribute. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformOutputAttributeName __OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@constant kSecTransformDebugAttributeName |
||||
Set this attribute to a CFWriteStream. |
||||
This will signal the transform to write debugging
|
||||
information to the stream. |
||||
If this attribute is set to kCFBooleanTrue then |
||||
the debugging data will be written out to |
||||
stderr. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformDebugAttributeName __OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@constant kSecTransformTransformName |
||||
The name of the transform. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformTransformName __OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@constant kSecTransformAbortAttributeName |
||||
The name of the abort attribute. |
||||
*/ |
||||
CF_EXPORT const CFStringRef kSecTransformAbortAttributeName __OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTransformCreateFromExternalRepresentation |
||||
|
||||
@abstract Creates a transform instance from a CFDictionary of |
||||
parameters. |
||||
|
||||
@param dictionary The dictionary of parameters. |
||||
|
||||
@param error An optional pointer to a CFErrorRef. This value is
|
||||
set if an error occurred. If not NULL the caller is
|
||||
responsible for releasing the CFErrorRef.
|
||||
|
||||
@result A pointer to a SecTransformRef object. You |
||||
must release the object with CFRelease when you are done |
||||
with it. A NULL will be returned if an error occurred during
|
||||
initialization, and if the error parameter
|
||||
is non-null, it contains the specific error data. |
||||
|
||||
*/ |
||||
CF_EXPORT __nullable |
||||
SecTransformRef SecTransformCreateFromExternalRepresentation( |
||||
CFDictionaryRef dictionary, |
||||
CFErrorRef *error)
|
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTransformCopyExternalRepresentation |
||||
|
||||
@abstract Create a CFDictionaryRef that contains enough |
||||
information to be able to recreate a transform. |
||||
|
||||
@param transformRef The transformRef to be externalized. |
||||
|
||||
@discussion This function returns a CFDictionaryRef that contains |
||||
sufficient information to be able to recreate this |
||||
transform. You can pass this CFDictionaryRef to |
||||
SecTransformCreateFromExternalRepresentation
|
||||
to be able to recreate the transform. The dictionary |
||||
can also be written out to disk using the techniques |
||||
described here. |
||||
|
||||
http://developer.apple.com/mac/library/documentation/CoreFoundation/Conceptual/CFPropertyLists/Articles/Saving.html
|
||||
*/ |
||||
|
||||
CF_EXPORT
|
||||
CFDictionaryRef SecTransformCopyExternalRepresentation( |
||||
SecTransformRef transformRef)
|
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTransformCreateGroupTransform |
||||
|
||||
@abstract Create a SecGroupTransformRef that acts as a
|
||||
container for a set of connected transforms. |
||||
|
||||
@result A reference to a SecGroupTransform. |
||||
|
||||
@discussion A SecGroupTransformRef is a container for all of |
||||
the transforms that are in a directed graph.
|
||||
A SecGroupTransformRef can be used with
|
||||
SecTransformExecute, SecTransformExecuteAsync |
||||
and SecTransformCopyExternalRepresentation |
||||
APIs. While the intention is that a
|
||||
SecGroupTransformRef willwork just like a S |
||||
SecTransformRef that is currently not the case.
|
||||
Using a SecGroupTransformRef with the
|
||||
SecTransformConnectTransforms,
|
||||
SecTransformSetAttribute and
|
||||
SecTransformGetAttribute is undefined. |
||||
*/ |
||||
CF_EXPORT
|
||||
SecGroupTransformRef SecTransformCreateGroupTransform(void); |
||||
|
||||
/*!
|
||||
@function SecTransformConnectTransforms |
||||
|
||||
@abstract Pipe fitting for transforms. |
||||
|
||||
@param sourceTransformRef |
||||
The transform that sends the data to the
|
||||
destinationTransformRef. |
||||
|
||||
@param sourceAttributeName |
||||
The name of the attribute in the sourceTransformRef that
|
||||
supplies the data to the destinationTransformRef. |
||||
Any attribute of the transform may be used as a source.
|
||||
|
||||
@param destinationTransformRef |
||||
The transform that has one of its attributes |
||||
be set with the data from the sourceTransformRef
|
||||
parameter. |
||||
|
||||
@param destinationAttributeName |
||||
The name of the attribute within the
|
||||
destinationTransformRef whose data is set with the
|
||||
data from the sourceTransformRef sourceAttributeName
|
||||
attribute. Any attribute of the transform may be set.
|
||||
|
||||
|
||||
@param group In order to ensure referential integrity, transforms
|
||||
are chained together into a directed graph and
|
||||
placed into a group. Each transform that makes up the
|
||||
graph must be placed into the same group. After |
||||
a SecTransformRef has been placed into a group by |
||||
calling the SecTransformConnectTransforms it may be |
||||
released as the group will retain the transform. |
||||
CFRelease the group after you execute |
||||
it, or when you determine you will never execute it. |
||||
|
||||
In the example below, the output of trans1 is |
||||
set to be the input of trans2. The output of trans2 |
||||
is set to be the input of trans3. Since the |
||||
same group was used for the connections, the three |
||||
transforms are in the same group. |
||||
|
||||
<pre> |
||||
@textblock |
||||
SecGroupTransformRef group =SecTransformCreateGroupTransform(); |
||||
CFErrorRef error = NULL; |
||||
|
||||
SecTransformRef trans1; // previously created using a
|
||||
// Transform construction API
|
||||
// like SecEncryptTransformCreate
|
||||
|
||||
SecTransformRef trans2; // previously created using a
|
||||
// Transform construction API
|
||||
// like SecEncryptTransformCreate
|
||||
|
||||
SecTransformRef trans3; // previously created using a
|
||||
// Transform construction API
|
||||
// like SecEncryptTransformCreate
|
||||
|
||||
|
||||
SecTransformConnectTransforms(trans1, kSecTransformOutputAttributeName, |
||||
trans2, kSecTransformInputAttributeName, |
||||
group, &error); |
||||
|
||||
SecTransformConnectTransforms(trans2, kSecTransformOutputAttributeName, |
||||
trans3, kSecTransformInputAttributeName. |
||||
group, &error); |
||||
CFRelease(trans1); |
||||
CFRelease(trans2); |
||||
CFRelease(trans3); |
||||
|
||||
CFDataRef = (CFDataRef)SecTransformExecute(group, &error, NULL, NULL); |
||||
CFRelease(group);
|
||||
@/textblock |
||||
</pre> |
||||
|
||||
@param error An optional pointer to a CFErrorRef. This value |
||||
is set if an error occurred. If not NULL, the caller
|
||||
is responsible for releasing the CFErrorRef. |
||||
|
||||
@result The value returned is SecGroupTransformRef parameter. |
||||
This will allow for chaining calls to
|
||||
SecTransformConnectTransforms.
|
||||
|
||||
@discussion This function places transforms into a group by attaching |
||||
the value of an attribute of one transform to the
|
||||
attribute of another transform. Typically the attribute
|
||||
supplying the data is the kSecTransformAttrOutput
|
||||
attribute but that is not a requirement. It can be used to
|
||||
set an attribute like Salt with the output attribute of
|
||||
a random number transform. This function returns an
|
||||
error and the named attribute will not be changed if
|
||||
SecTransformExecute had previously been called on the
|
||||
transform. |
||||
*/ |
||||
|
||||
CF_EXPORT __nullable |
||||
SecGroupTransformRef SecTransformConnectTransforms(SecTransformRef sourceTransformRef, |
||||
CFStringRef sourceAttributeName, |
||||
SecTransformRef destinationTransformRef, |
||||
CFStringRef destinationAttributeName, |
||||
SecGroupTransformRef group, |
||||
CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTransformSetAttribute |
||||
|
||||
@abstract Set a static value as the value of an attribute in a
|
||||
transform. This is useful for things like iteration
|
||||
counts and other non-changing values. |
||||
|
||||
@param transformRef The transform whose attribute is to be set. |
||||
|
||||
@param key The name of the attribute to be set. |
||||
|
||||
@param value The static value to set for the named attribute. |
||||
|
||||
@param error An optional pointer to a CFErrorRef. This value |
||||
is set if an error occurred. If not NULL the caller
|
||||
is responsible for releasing the CFErrorRef. |
||||
|
||||
@result Returns true if the call succeeded. If an error occurred, |
||||
the error parameter has more information |
||||
about the failure case. |
||||
|
||||
@discussion This API allows for setting static data into an
|
||||
attribute for a transform. This is in contrast to |
||||
the SecTransformConnectTransforms function which sets derived |
||||
data. This function will return an error and the
|
||||
named attribute will not be changed if SecTransformExecute
|
||||
has been called on the transform. |
||||
*/ |
||||
|
||||
CF_EXPORT
|
||||
Boolean SecTransformSetAttribute(SecTransformRef transformRef, |
||||
CFStringRef key, |
||||
CFTypeRef value, |
||||
CFErrorRef *error) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTransformGetAttribute |
||||
|
||||
@abstract Get the current value of a transform attribute. |
||||
|
||||
@param transformRef The transform whose attribute value will be retrieved. |
||||
|
||||
@param key The name of the attribute to retrieve. |
||||
|
||||
@result The value of an attribute. If this attribute |
||||
is being set as the output of another transform |
||||
and SecTransformExecute has not been called on the |
||||
transform or if the attribute does not exists |
||||
then NULL will be returned. |
||||
|
||||
@discussion This may be called after SecTransformExecute.
|
||||
*/ |
||||
|
||||
CF_EXPORT __nullable |
||||
CFTypeRef SecTransformGetAttribute(SecTransformRef transformRef, |
||||
CFStringRef key)
|
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA);
|
||||
|
||||
/*!
|
||||
@function SecTransformFindByName |
||||
|
||||
@abstract Finds a member of a transform group by its name. |
||||
|
||||
@param transform The transform group to be searched. |
||||
|
||||
@param name The name of the transform to be found. |
||||
|
||||
@discussion When a transform instance is created it will be given a |
||||
unique name. This name can be used to find that instance |
||||
in a group. While it is possible to change this unique |
||||
name using the SecTransformSetAttribute API, developers |
||||
should not do so. This allows |
||||
SecTransformFindTransformByName to work correctly. |
||||
|
||||
@result The transform group member, or NULL if the member |
||||
was not found. |
||||
*/ |
||||
|
||||
CF_EXPORT __nullable |
||||
SecTransformRef SecTransformFindByName(SecGroupTransformRef transform,
|
||||
CFStringRef name) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA);
|
||||
|
||||
/*!
|
||||
@function SecTransformExecute |
||||
|
||||
@abstract Executes a Transform or transform group synchronously. |
||||
|
||||
@param transformRef The transform to execute. |
||||
|
||||
@param errorRef An optional pointer to a CFErrorRef. This value |
||||
will be set if an error occurred during |
||||
initialization or execution of the transform or group.
|
||||
If not NULL the caller will be responsible for releasing
|
||||
the returned CFErrorRef.
|
||||
|
||||
@result This is the result of the transform. The specific value
|
||||
is determined by the transform being executed. |
||||
|
||||
@discussion There are two phases that occur when executing a
|
||||
transform. The first phase checks to see if the tranforms |
||||
have all of their required attributes set. |
||||
If a GroupTransform is being executed, then a required
|
||||
attribute for a transform is valid if it is connected |
||||
to another attribute that supplies the required value. |
||||
If any of the required attributes are not set or connected |
||||
then SecTransformExecute will not run the transform but will
|
||||
return NULL and the apporiate error is placed in the |
||||
error parameter if it is not NULL. |
||||
|
||||
The second phase is the actual execution of the transform. |
||||
SecTransformExecute executes the transform or
|
||||
GroupTransform and when all of the processing is completed
|
||||
it returns the result. If an error occurs during
|
||||
execution, then all processing will stop and NULL will be
|
||||
returned and the appropriate error will be placed in the
|
||||
error parameter if it is not NULL.
|
||||
*/ |
||||
|
||||
CF_EXPORT CF_RETURNS_RETAINED |
||||
CFTypeRef SecTransformExecute(SecTransformRef transformRef, CFErrorRef* errorRef)
|
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA) CF_RETURNS_RETAINED; |
||||
|
||||
/*!
|
||||
@typedef SecMessageBlock |
||||
|
||||
@abstract A SecMessageBlock is used by a transform instance to |
||||
deliver messages during asynchronous operations. |
||||
|
||||
@param message A CFType containing the message. This is where |
||||
either intermediate or final results are returned. |
||||
|
||||
@param error If an error occurred, this will contain a CFErrorRef, |
||||
otherwise this will be NULL. If not NULL the caller
|
||||
is responsible for releasing the CFErrorRef. |
||||
|
||||
@param isFinal If set the message returned is the final result
|
||||
otherwise it is an intermediate result. |
||||
*/ |
||||
|
||||
typedef void (^SecMessageBlock)(CFTypeRef __nullable message, CFErrorRef __nullable error, |
||||
Boolean isFinal);
|
||||
|
||||
/*!
|
||||
@function SecTransformExecuteAsync |
||||
|
||||
@abstract Executes Transform or transform group asynchronously. |
||||
|
||||
|
||||
@param transformRef The transform to execute. |
||||
|
||||
@param deliveryQueue |
||||
A dispatch queue on which to deliver the results of
|
||||
this transform.
|
||||
|
||||
@param deliveryBlock |
||||
A SecMessageBlock to asynchronously receive the
|
||||
results of the transform.
|
||||
|
||||
@discussion SecTransformExecuteAsync works just like the
|
||||
SecTransformExecute API except that it
|
||||
returns results to the deliveryBlock. There
|
||||
may be multple results depending on the transform. |
||||
The block knows that the processing is complete |
||||
when the isFinal parameter is set to true. If an
|
||||
error occurs the block's error parameter is |
||||
set and the isFinal parameter will be set to |
||||
true. |
||||
*/ |
||||
|
||||
CF_EXPORT |
||||
void SecTransformExecuteAsync(SecTransformRef transformRef, |
||||
dispatch_queue_t deliveryQueue, |
||||
SecMessageBlock deliveryBlock)
|
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
CF_EXTERN_C_END |
||||
|
||||
#endif /* _SEC_TRANSFORM_H__ */ |
@ -0,0 +1,72 @@
|
||||
/*
|
||||
* Copyright (c) 2010-2011 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
#ifndef _SEC_TRANSFORM_READ_TRANSFORM_H |
||||
#define _SEC_TRANSFORM_READ_TRANSFORM_H |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
#include <Security/SecTransform.h> |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@header |
||||
|
||||
The read transform reads bytes from a instance. The bytes are |
||||
sent as CFDataRef instances to the OUTPUT attribute of the |
||||
transform. |
||||
|
||||
This transform recognizes the following additional attributes |
||||
that can be used to modify its behavior: |
||||
|
||||
MAX_READSIZE (expects CFNumber): changes the maximum number of |
||||
bytes the transform will attempt to read from the stream. Note |
||||
that the transform may deliver fewer bytes than this depending |
||||
on the stream being used. |
||||
*/ |
||||
|
||||
/*!
|
||||
@function SecTransformCreateReadTransformWithReadStream |
||||
|
||||
@abstract Creates a read transform from a CFReadStreamRef |
||||
|
||||
@param inputStream The stream that is to be opened and read from when |
||||
the chain executes. |
||||
*/ |
||||
|
||||
SecTransformRef SecTransformCreateReadTransformWithReadStream(CFReadStreamRef inputStream) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
}; |
||||
#endif |
||||
|
||||
#endif |
||||
|
@ -0,0 +1,700 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2014 Apple Inc. All Rights Reserved. |
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecTrust |
||||
The functions and data types in SecTrust implement trust computation |
||||
and allow the caller to apply trust decisions to the evaluation. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECTRUST_H_ |
||||
#define _SECURITY_SECTRUST_H_ |
||||
|
||||
#include <Security/SecBase.h> |
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
#include <AvailabilityMacros.h> |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@typedef SecTrustResultType |
||||
@abstract Specifies the trust result type. |
||||
@discussion SecTrustResultType results have two dimensions. They specify |
||||
both whether evaluation suceeded and whether this is because of a user |
||||
decision. The commonly expected result is kSecTrustResultUnspecified, |
||||
which indicates a positive result that wasn't decided by the user. The |
||||
common failure is kSecTrustResultRecoverableTrustFailure, which means a |
||||
negative result. kSecTrustResultProceed and kSecTrustResultDeny are the |
||||
positive and negative result respectively when decided by the user. User |
||||
decisions are persisted through the use of SecTrustCopyExceptions() and |
||||
SecTrustSetExceptions(). Finally, kSecTrustResultFatalTrustFailure is a |
||||
negative result that must not be circumvented. |
||||
@constant kSecTrustResultInvalid Indicates an invalid setting or result. |
||||
This result usually means that SecTrustEvaluate has not yet been called. |
||||
@constant kSecTrustResultProceed Indicates you may proceed. This value |
||||
may be returned by the SecTrustEvaluate function or stored as part of |
||||
the user trust settings. |
||||
@constant kSecTrustResultConfirm Indicates confirmation with the user |
||||
is required before proceeding. Important: this value is no longer returned |
||||
or supported by SecTrustEvaluate or the SecTrustSettings API starting in |
||||
OS X 10.5; its use is deprecated in OS X 10.9 and later, as well as in iOS. |
||||
@constant kSecTrustResultDeny Indicates a user-configured deny; do not |
||||
proceed. This value may be returned by the SecTrustEvaluate function |
||||
or stored as part of the user trust settings. |
||||
@constant kSecTrustResultUnspecified Indicates the evaluation succeeded |
||||
and the certificate is implicitly trusted, but user intent was not |
||||
explicitly specified. This value may be returned by the SecTrustEvaluate |
||||
function or stored as part of the user trust settings. |
||||
@constant kSecTrustResultRecoverableTrustFailure Indicates a trust policy |
||||
failure which can be overridden by the user. This value may be returned |
||||
by the SecTrustEvaluate function but not stored as part of the user |
||||
trust settings. |
||||
@constant kSecTrustResultFatalTrustFailure Indicates a trust failure |
||||
which cannot be overridden by the user. This value may be returned by the |
||||
SecTrustEvaluate function but not stored as part of the user trust |
||||
settings. |
||||
@constant kSecTrustResultOtherError Indicates a failure other than that |
||||
of trust evaluation. This value may be returned by the SecTrustEvaluate |
||||
function but not stored as part of the user trust settings. |
||||
*/ |
||||
|
||||
typedef uint32_t SecTrustResultType; |
||||
enum { |
||||
kSecTrustResultInvalid = 0, |
||||
kSecTrustResultProceed = 1, |
||||
kSecTrustResultConfirm CF_ENUM_DEPRECATED(10_0, 10_9, NA, NA) = 2, |
||||
kSecTrustResultDeny = 3, |
||||
kSecTrustResultUnspecified = 4, |
||||
kSecTrustResultRecoverableTrustFailure = 5, |
||||
kSecTrustResultFatalTrustFailure = 6, |
||||
kSecTrustResultOtherError = 7 |
||||
}; |
||||
|
||||
/*!
|
||||
@typedef SecTrustRef |
||||
@abstract CFType used for performing X.509 certificate trust evaluations. |
||||
*/ |
||||
typedef struct CF_BRIDGED_TYPE(id) __SecTrust *SecTrustRef; |
||||
|
||||
/*!
|
||||
@enum Trust Property Constants |
||||
@discussion Predefined key constants used to obtain values in a |
||||
per-certificate dictionary of trust evaluation results, |
||||
as retrieved from a call to SecTrustCopyProperties. |
||||
@constant kSecPropertyTypeTitle Specifies a key whose value is a |
||||
CFStringRef containing the title (display name) of this certificate. |
||||
@constant kSecPropertyTypeError Specifies a key whose value is a |
||||
CFStringRef containing the reason for a trust evaluation failure. |
||||
*/ |
||||
extern const CFStringRef kSecPropertyTypeTitle |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
extern const CFStringRef kSecPropertyTypeError |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
|
||||
/*!
|
||||
@enum Trust Result Constants |
||||
@discussion Predefined key constants used to obtain values in a |
||||
dictionary of trust evaluation results for a certificate chain, |
||||
as retrieved from a call to SecTrustCopyResult. |
||||
@constant kSecTrustEvaluationDate |
||||
This key will be present if a trust evaluation has been performed |
||||
and results are available. Its value is a CFDateRef representing |
||||
when the evaluation for this trust object took place. |
||||
@constant kSecTrustExtendedValidation |
||||
This key will be present and have a value of kCFBooleanTrue |
||||
if this chain was validated for EV. |
||||
@constant kSecTrustOrganizationName |
||||
Organization name field of subject of leaf certificate. This |
||||
field is meant to be displayed to the user as the validated |
||||
name of the company or entity that owns the certificate if the |
||||
kSecTrustExtendedValidation key is present. |
||||
@constant kSecTrustResultValue |
||||
This key will be present if a trust evaluation has been performed. |
||||
Its value is a CFNumberRef representing the SecTrustResultType result |
||||
for the evaluation. |
||||
@constant kSecTrustRevocationChecked |
||||
This key will be present iff this chain had its revocation checked. |
||||
The value will be a kCFBooleanTrue if revocation checking was |
||||
successful and none of the certificates in the chain were revoked. |
||||
The value will be kCFBooleanFalse if no current revocation status |
||||
could be obtained for one or more certificates in the chain due |
||||
to connection problems or timeouts. This is a hint to a client |
||||
to retry revocation checking at a later time. |
||||
@constant kSecTrustRevocationValidUntilDate |
||||
This key will be present iff kSecTrustRevocationChecked has a |
||||
value of kCFBooleanTrue. The value will be a CFDateRef representing |
||||
the earliest date at which the revocation info for one of the |
||||
certificates in this chain might change. |
||||
*/ |
||||
extern const CFStringRef kSecTrustEvaluationDate |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
extern const CFStringRef kSecTrustExtendedValidation |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
extern const CFStringRef kSecTrustOrganizationName |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
extern const CFStringRef kSecTrustResultValue |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
extern const CFStringRef kSecTrustRevocationChecked |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
extern const CFStringRef kSecTrustRevocationValidUntilDate |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
|
||||
#ifdef __BLOCKS__ |
||||
/*!
|
||||
@typedef SecTrustCallback |
||||
@abstract Delivers the result from an asynchronous trust evaluation. |
||||
@param trustRef A reference to the trust object which has been evaluated. |
||||
@param trustResult The trust result of the evaluation. Additional status |
||||
information can be obtained by calling SecTrustCopyProperties(). |
||||
*/ |
||||
typedef void (^SecTrustCallback)(SecTrustRef trustRef, SecTrustResultType trustResult); |
||||
#endif /* __BLOCKS__ */ |
||||
|
||||
|
||||
/*!
|
||||
@function SecTrustGetTypeID |
||||
@abstract Returns the type identifier of SecTrust instances. |
||||
@result The CFTypeID of SecTrust instances. |
||||
*/ |
||||
CFTypeID SecTrustGetTypeID(void) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustCreateWithCertificates |
||||
@abstract Creates a trust object based on the given certificates and |
||||
policies. |
||||
@param certificates The group of certificates to verify. This can either |
||||
be a CFArrayRef of SecCertificateRef objects or a single SecCertificateRef |
||||
@param policies An array of one or more policies. You may pass a |
||||
SecPolicyRef to represent a single policy. |
||||
@param trust On return, a pointer to the trust management reference. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion If multiple policies are passed in, all policies must verify |
||||
for the chain to be considered valid. |
||||
*/ |
||||
OSStatus SecTrustCreateWithCertificates(CFTypeRef certificates, |
||||
CFTypeRef __nullable policies, SecTrustRef * __nonnull CF_RETURNS_RETAINED trust) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustSetPolicies |
||||
@abstract Set the policies for which trust should be verified. |
||||
@param trust A trust reference. |
||||
@param policies An array of one or more policies. You may pass a |
||||
SecPolicyRef to represent a single policy. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function will invalidate the existing trust result, |
||||
requiring a fresh evaluation for the newly-set policies. |
||||
*/ |
||||
OSStatus SecTrustSetPolicies(SecTrustRef trust, CFTypeRef policies) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_6_0); |
||||
|
||||
/*!
|
||||
@function SecTrustCopyPolicies |
||||
@abstract Returns an array of policies used for this evaluation. |
||||
@param trust A reference to a trust object. |
||||
@param policies On return, an array of policies used by this trust. |
||||
Call the CFRelease function to release this reference. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecTrustCopyPolicies(SecTrustRef trust, CFArrayRef * __nonnull CF_RETURNS_RETAINED policies) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_7_0); |
||||
|
||||
/*!
|
||||
@function SecTrustSetNetworkFetchAllowed |
||||
@abstract Specifies whether a trust evaluation is permitted to fetch missing |
||||
intermediate certificates from the network. |
||||
@param trust A trust reference. |
||||
@param allowFetch If true, and a certificate's issuer is not present in the |
||||
trust reference but its network location is known, the evaluation is permitted |
||||
to attempt to download it automatically. Pass false to disable network fetch |
||||
for this trust evaluation. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion By default, network fetch of missing certificates is enabled if |
||||
the trust evaluation includes the SSL policy, otherwise it is disabled. |
||||
*/ |
||||
OSStatus SecTrustSetNetworkFetchAllowed(SecTrustRef trust, |
||||
Boolean allowFetch) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
|
||||
/*!
|
||||
@function SecTrustGetNetworkFetchAllowed |
||||
@abstract Returns whether a trust evaluation is permitted to fetch missing |
||||
intermediate certificates from the network. |
||||
@param trust A trust reference. |
||||
@param allowFetch On return, the boolean pointed to by this parameter is |
||||
set to true if the evaluation is permitted to download missing certificates. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion By default, network fetch of missing certificates is enabled if |
||||
the trust evaluation includes the SSL policy, otherwise it is disabled. |
||||
*/ |
||||
OSStatus SecTrustGetNetworkFetchAllowed(SecTrustRef trust, |
||||
Boolean *allowFetch) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
|
||||
/*!
|
||||
@function SecTrustSetAnchorCertificates |
||||
@abstract Sets the anchor certificates for a given trust. |
||||
@param trust A reference to a trust object. |
||||
@param anchorCertificates An array of anchor certificates. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion Calling this function without also calling |
||||
SecTrustSetAnchorCertificatesOnly() will disable trusting any |
||||
anchors other than the ones in anchorCertificates. |
||||
*/ |
||||
OSStatus SecTrustSetAnchorCertificates(SecTrustRef trust, |
||||
CFArrayRef anchorCertificates) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustSetAnchorCertificatesOnly |
||||
@abstract Reenables trusting anchor certificates in addition to those |
||||
passed in via the SecTrustSetAnchorCertificates API. |
||||
@param trust A reference to a trust object. |
||||
@param anchorCertificatesOnly If true, disables trusting any anchors other |
||||
than the ones passed in via SecTrustSetAnchorCertificates(). If false, |
||||
the built in anchor certificates are also trusted. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecTrustSetAnchorCertificatesOnly(SecTrustRef trust, |
||||
Boolean anchorCertificatesOnly) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustCopyCustomAnchorCertificates |
||||
@abstract Returns an array of custom anchor certificates used by a given |
||||
trust, as set by a prior call to SecTrustSetAnchorCertificates, or NULL if |
||||
no custom anchors have been specified. |
||||
@param trust A reference to a trust object. |
||||
@param anchors On return, an array of custom anchor certificates (roots) |
||||
used by this trust, or NULL if no custom anchors have been specified. Call |
||||
the CFRelease function to release this reference. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecTrustCopyCustomAnchorCertificates(SecTrustRef trust, |
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED anchors) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_7_0); |
||||
|
||||
/*!
|
||||
@function SecTrustSetVerifyDate |
||||
@abstract Set the date for which the trust should be verified. |
||||
@param trust A reference to a trust object. |
||||
@param verifyDate The date for which to verify trust. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function lets you evaluate certificate validity for a |
||||
given date (for example, to determine if a signature was valid on the date |
||||
it was signed, even if the certificate has since expired.) If this function |
||||
is not called, the time at which SecTrustEvaluate() is called is used |
||||
implicitly as the verification time. |
||||
*/ |
||||
OSStatus SecTrustSetVerifyDate(SecTrustRef trust, CFDateRef verifyDate) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustGetVerifyTime |
||||
@abstract Returns the verify time. |
||||
4 |
||||
@result A CFAbsoluteTime value representing the time at which certificates |
||||
should be checked for validity. |
||||
@discussion This function retrieves the verification time for the given |
||||
trust reference, as set by a prior call to SecTrustSetVerifyDate(). If the |
||||
verification time has not been set, this function returns a value of 0, |
||||
indicating that the current date/time is implicitly used for verification. |
||||
*/ |
||||
CFAbsoluteTime SecTrustGetVerifyTime(SecTrustRef trust) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustEvaluate |
||||
@abstract Evaluates a trust reference synchronously. |
||||
@param trust A reference to the trust object to evaluate. |
||||
@param result A pointer to a result type. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function will completely evaluate trust before returning, |
||||
possibly including network access to fetch intermediate certificates or to |
||||
perform revocation checking. Since this function can block during those |
||||
operations, you should call it from within a function that is placed on a |
||||
dispatch queue, or in a separate thread from your application's main |
||||
run loop. Alternatively, you can use the SecTrustEvaluateAsync function. |
||||
*/ |
||||
OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType * __nullable result) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); |
||||
|
||||
#ifdef __BLOCKS__ |
||||
/*!
|
||||
@function SecTrustEvaluateAsync |
||||
@abstract Evaluates a trust reference asynchronously. |
||||
@param trust A reference to the trust object to evaluate. |
||||
@param queue A dispatch queue on which the result callback should be |
||||
executed. Pass NULL to use the current dispatch queue. |
||||
@param result A SecTrustCallback block which will be executed when the |
||||
trust evaluation is complete. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecTrustEvaluateAsync(SecTrustRef trust, |
||||
dispatch_queue_t __nullable queue, SecTrustCallback result) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
#endif |
||||
|
||||
/*!
|
||||
@function SecTrustGetTrustResult |
||||
@param trust A reference to a trust object. |
||||
@param result A pointer to the result from the most recent call to |
||||
SecTrustEvaluate for this trust reference. If SecTrustEvaluate has not been |
||||
called or trust parameters have changed, the result is kSecTrustResultInvalid. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function replaces SecTrustGetResult for the purpose of |
||||
obtaining the current evaluation result of a given trust reference. |
||||
*/ |
||||
OSStatus SecTrustGetTrustResult(SecTrustRef trust, |
||||
SecTrustResultType *result) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); |
||||
|
||||
/*!
|
||||
@function SecTrustCopyPublicKey |
||||
@abstract Return the public key for a leaf certificate after it has |
||||
been evaluated. |
||||
@param trust A reference to the trust object which has been evaluated. |
||||
@result The certificate's public key, or NULL if it the public key could |
||||
not be extracted (this can happen with DSA certificate chains if the |
||||
parameters in the chain cannot be found). The caller is responsible |
||||
for calling CFRelease on the returned key when it is no longer needed. |
||||
*/ |
||||
__nullable |
||||
SecKeyRef SecTrustCopyPublicKey(SecTrustRef trust) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustGetCertificateCount |
||||
@abstract Returns the number of certificates in an evaluated certificate |
||||
chain. |
||||
@param trust A reference to a trust object. |
||||
@result The number of certificates in the trust chain, including the anchor. |
||||
@discussion Important: if the trust reference has not yet been evaluated, |
||||
this function will evaluate it first before returning. If speed is critical, |
||||
you may want to call SecTrustGetTrustResult first to make sure that a |
||||
result other than kSecTrustResultInvalid is present for the trust object. |
||||
*/ |
||||
CFIndex SecTrustGetCertificateCount(SecTrustRef trust) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustGetCertificateAtIndex |
||||
@abstract Returns a certificate from the trust chain. |
||||
@param trust Reference to a trust object. |
||||
@param ix The index of the requested certificate. Indices run from 0 |
||||
(leaf) to the anchor (or last certificate found if no anchor was found). |
||||
The leaf cert (index 0) is always present regardless of whether the trust |
||||
reference has been evaluated or not. |
||||
@result A SecCertificateRef for the requested certificate. |
||||
*/ |
||||
__nullable |
||||
SecCertificateRef SecTrustGetCertificateAtIndex(SecTrustRef trust, CFIndex ix) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustCopyExceptions |
||||
@abstract Returns an opaque cookie which will allow future evaluations |
||||
of the current certificate to succeed. |
||||
@param trust A reference to an evaluated trust object. |
||||
@result An opaque cookie which when passed to SecTrustSetExceptions() will |
||||
cause a call to SecTrustEvaluate() return kSecTrustResultProceed. This |
||||
will happen upon subsequent evaluation of the current certificate unless |
||||
some new error starts happening that wasn't being reported when the cookie |
||||
was returned from this function (for example, if the certificate expires |
||||
then evaluation will start failing again until a new cookie is obtained.) |
||||
@discussion Normally this API should only be called once the errors have |
||||
been presented to the user and the user decided to trust the current |
||||
certificate chain regardless of the errors being presented, for the |
||||
current application/server/protocol combination. |
||||
*/ |
||||
CFDataRef SecTrustCopyExceptions(SecTrustRef trust) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); |
||||
|
||||
/*!
|
||||
@function SecTrustSetExceptions |
||||
@abstract Set a trust cookie to be used for evaluating this certificate chain. |
||||
@param trust A reference to a trust object. |
||||
@param exceptions An exceptions cookie as returned by a call to |
||||
SecTrustCopyExceptions() in the past. |
||||
@result Upon calling SecTrustEvaluate(), any failures that where present at the |
||||
time the exceptions object was created are ignored, and instead of returning |
||||
kSecTrustResultRecoverableTrustFailure, kSecTrustResultProceed will be returned |
||||
(if the certificate for which exceptions was created matches the current leaf |
||||
certificate). |
||||
@result Returns true if the exceptions cookies was valid and matches the current |
||||
leaf certificate, false otherwise. This function will invalidate the existing |
||||
trust result, requiring a subsequent evaluation for the newly-set exceptions. |
||||
Note that this function returning true doesn't mean the caller can skip calling |
||||
SecTrustEvaluate, as there may be new errors since the exceptions cookie was |
||||
created (for example, a certificate may have subsequently expired.) |
||||
@discussion Clients of this interface will need to establish the context of this |
||||
exception to later decide when this exception cookie is to be used. |
||||
Examples of this context would be the server we are connecting to, the ssid |
||||
of the wireless network for which this cert is needed, the account for which |
||||
this cert should be considered valid, and so on. |
||||
*/ |
||||
bool SecTrustSetExceptions(SecTrustRef trust, CFDataRef exceptions) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); |
||||
|
||||
/*!
|
||||
@function SecTrustCopyProperties |
||||
@abstract Return a property array for this trust evaluation. |
||||
@param trust A reference to a trust object. If the trust has not been |
||||
evaluated, the returned property array will be empty. |
||||
@result A property array. It is the caller's responsibility to CFRelease |
||||
the returned array when it is no longer needed. |
||||
@discussion This function returns an ordered array of CFDictionaryRef |
||||
instances for each certificate in the chain. Indices run from 0 (leaf) to |
||||
the anchor (or last certificate found if no anchor was found.) See the |
||||
"Trust Property Constants" section for a list of currently defined keys. |
||||
*/ |
||||
__nullable |
||||
CFArrayRef SecTrustCopyProperties(SecTrustRef trust) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); |
||||
|
||||
/*!
|
||||
@function SecTrustCopyResult |
||||
@abstract Returns a dictionary containing information about the |
||||
evaluated certificate chain for use by clients. |
||||
@param trust A reference to a trust object. |
||||
@result A dictionary with various fields that can be displayed to the user, |
||||
or NULL if no additional info is available or the trust has not yet been |
||||
validated. The caller is responsible for calling CFRelease on the value |
||||
returned when it is no longer needed. |
||||
@discussion Returns a dictionary for the overall trust evaluation. See the |
||||
"Trust Result Constants" section for a list of currently defined keys. |
||||
*/ |
||||
__nullable |
||||
CFDictionaryRef SecTrustCopyResult(SecTrustRef trust) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
|
||||
/*!
|
||||
@function SecTrustSetOCSPResponse |
||||
@abstract Attach OCSPResponse data to a trust object. |
||||
@param trust A reference to a trust object. |
||||
@param responseData This may be either a CFData object containing a single |
||||
DER-encoded OCSPResponse (per RFC 2560), or a CFArray of these. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion Allows the caller to provide OCSPResponse data (which may be |
||||
obtained during a TLS/SSL handshake, per RFC 3546) as input to a trust |
||||
evaluation. If this data is available, it can obviate the need to contact |
||||
an OCSP server for current revocation information. |
||||
*/ |
||||
OSStatus SecTrustSetOCSPResponse(SecTrustRef trust, CFTypeRef __nullable responseData) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
/*
|
||||
* Legacy functions (OS X only) |
||||
*/ |
||||
#if TARGET_OS_MAC && !TARGET_OS_IPHONE |
||||
#include <Security/cssmtype.h> |
||||
#include <Security/cssmapple.h> |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
CF_IMPLICIT_BRIDGING_ENABLED |
||||
|
||||
/*!
|
||||
@typedef SecTrustUserSetting |
||||
@abstract Specifies a user-specified trust setting value. |
||||
@discussion Deprecated in OS X 10.9. User trust settings are managed by |
||||
functions in SecTrustSettings.h (starting with OS X 10.5), and by the |
||||
SecTrustCopyExceptions and SecTrustSetExceptions functions (starting with |
||||
iOS 4 and OS X 10.9). The latter two functions are recommended for both OS X |
||||
and iOS, as they avoid the need to explicitly specify these values. |
||||
*/ |
||||
typedef SecTrustResultType SecTrustUserSetting |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@typedef SecTrustOptionFlags |
||||
@abstract Options for customizing trust evaluation. |
||||
@constant kSecTrustOptionAllowExpired Allow expired certificates. |
||||
@constant kSecTrustOptionLeafIsCA Allow CA as leaf certificate. |
||||
@constant kSecTrustOptionFetchIssuerFromNet Allow network fetch of CA cert. |
||||
@constant kSecTrustOptionAllowExpiredRoot Allow expired roots. |
||||
@constant kSecTrustOptionRequireRevPerCert Require positive revocation |
||||
check per certificate. |
||||
@constant kSecTrustOptionUseTrustSettings Use TrustSettings instead of |
||||
anchors. |
||||
@constant kSecTrustOptionImplicitAnchors Properly self-signed certs are |
||||
treated as anchors implicitly. |
||||
*/ |
||||
typedef CF_OPTIONS(uint32_t, SecTrustOptionFlags) |
||||
{ |
||||
kSecTrustOptionAllowExpired = 0x00000001, |
||||
kSecTrustOptionLeafIsCA = 0x00000002, |
||||
kSecTrustOptionFetchIssuerFromNet = 0x00000004, |
||||
kSecTrustOptionAllowExpiredRoot = 0x00000008, |
||||
kSecTrustOptionRequireRevPerCert = 0x00000010, |
||||
kSecTrustOptionUseTrustSettings = 0x00000020, |
||||
kSecTrustOptionImplicitAnchors = 0x00000040 |
||||
}; |
||||
|
||||
/*!
|
||||
@function SecTrustSetOptions |
||||
@abstract Sets optional flags for customizing a trust evaluation. |
||||
@param trustRef A trust reference. |
||||
@param options Flags to change evaluation behavior for this trust. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is not available on iOS. Use SecTrustSetExceptions |
||||
and SecTrustCopyExceptions to modify default trust results, and |
||||
SecTrustSetNetworkFetchAllowed to specify whether missing CA certificates |
||||
can be fetched from the network. |
||||
*/ |
||||
OSStatus SecTrustSetOptions(SecTrustRef trustRef, SecTrustOptionFlags options) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTrustSetParameters |
||||
@abstract Sets the action and action data for a trust object. |
||||
@param trustRef The reference to the trust to change. |
||||
@param action A trust action. |
||||
@param actionData A reference to data associated with this action. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in OS X 10.7 and later, where it |
||||
was replaced by SecTrustSetOptions, and is not available on iOS. Your code |
||||
should use SecTrustSetExceptions and SecTrustCopyExceptions to modify default |
||||
trust results, and SecTrustSetNetworkFetchAllowed to specify whether missing |
||||
CA certificates can be fetched from the network. |
||||
*/ |
||||
OSStatus SecTrustSetParameters(SecTrustRef trustRef, |
||||
CSSM_TP_ACTION action, CFDataRef actionData) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTrustSetKeychains |
||||
@abstract Sets the keychains for a given trust object. |
||||
@param trust A reference to a trust object. |
||||
@param keychainOrArray A reference to an array of keychains to search, a |
||||
single keychain, or NULL to use the default keychain search list. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion By default, the user's keychain search list and the system |
||||
anchors keychain are searched for certificates to complete the chain. You |
||||
can specify a zero-element array if you do not want any keychains searched. |
||||
Note: this function is not applicable to iOS. |
||||
*/ |
||||
OSStatus SecTrustSetKeychains(SecTrustRef trust, CFTypeRef __nullable keychainOrArray) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTrustGetResult |
||||
@abstract Returns detailed information on the outcome of an evaluation. |
||||
@param trustRef A reference to a trust object. |
||||
@param result A pointer to the result from the call to SecTrustEvaluate. |
||||
@param certChain On return, a pointer to the certificate chain used to |
||||
validate the input certificate. Call the CFRelease function to release |
||||
this pointer. |
||||
@param statusChain On return, a pointer to the status of the certificate |
||||
chain. Do not attempt to free this pointer; it remains valid until the |
||||
trust is destroyed or the next call to SecTrustEvaluate. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in OS X 10.7 and later, |
||||
and is not available on iOS. |
||||
To get the complete certificate chain, use SecTrustGetCertificateCount and |
||||
SecTrustGetCertificateAtIndex. To get detailed status information for each |
||||
certificate, use SecTrustCopyProperties. To get the overall trust result |
||||
for the evaluation, use SecTrustGetTrustResult. |
||||
*/ |
||||
OSStatus SecTrustGetResult(SecTrustRef trustRef, SecTrustResultType * __nullable result, |
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED certChain, CSSM_TP_APPLE_EVIDENCE_INFO * __nullable * __nonnull statusChain) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTrustGetCssmResult |
||||
@abstract Gets the CSSM trust result. |
||||
@param trust A reference to a trust. |
||||
@param result On return, a pointer to the CSSM trust result. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in OS X 10.7 and later, |
||||
and is not available on iOS. |
||||
To get detailed status information for each certificate, use |
||||
SecTrustCopyProperties. To get the overall trust result for the evaluation, |
||||
use SecTrustGetTrustResult. |
||||
*/ |
||||
OSStatus SecTrustGetCssmResult(SecTrustRef trust, |
||||
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR __nullable * __nonnull result) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTrustGetCssmResultCode |
||||
@abstract Gets the result code from the most recent call to SecTrustEvaluate |
||||
for the specified trust. |
||||
@param trust A reference to a trust. |
||||
@param resultCode On return, the result code produced by the most recent |
||||
evaluation of the given trust (cssmerr.h). The value of resultCode is |
||||
undefined if SecTrustEvaluate has not been called. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). Returns |
||||
errSecTrustNotAvailable if SecTrustEvaluate has not been called for the |
||||
specified trust. |
||||
@discussion This function is deprecated in OS X 10.7 and later, |
||||
and is not available on iOS. |
||||
To get detailed status information for each certificate, use |
||||
SecTrustCopyProperties. To get the overall trust result for the evaluation, |
||||
use SecTrustGetTrustResult. |
||||
*/ |
||||
OSStatus SecTrustGetCssmResultCode(SecTrustRef trust, OSStatus *resultCode) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTrustGetTPHandle |
||||
@abstract Gets the CSSM trust handle |
||||
@param trust A reference to a trust. |
||||
@param handle On return, a CSSM trust handle. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is deprecated in OS X 10.7 and later. |
||||
*/ |
||||
OSStatus SecTrustGetTPHandle(SecTrustRef trust, CSSM_TP_HANDLE *handle) |
||||
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); |
||||
|
||||
/*!
|
||||
@function SecTrustCopyAnchorCertificates |
||||
@abstract Returns an array of default anchor (root) certificates used by |
||||
the system. |
||||
@param anchors On return, an array containing the system's default anchors |
||||
(roots). Call the CFRelease function to release this pointer. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
@discussion This function is not available on iOS, as certificate data |
||||
for system-trusted roots is currently unavailable on that platform. |
||||
*/ |
||||
OSStatus SecTrustCopyAnchorCertificates(CFArrayRef * __nonnull CF_RETURNS_RETAINED anchors) |
||||
__OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); |
||||
|
||||
CF_IMPLICIT_BRIDGING_DISABLED |
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECTRUST_H_ */ |
@ -0,0 +1,322 @@
|
||||
/*
|
||||
* Copyright (c) 2006,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*
|
||||
* SecTrustSettings.h - Public interface for manipulation of certificate
|
||||
* Trust Settings.
|
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SEC_TRUST_SETTINGS_H_ |
||||
#define _SECURITY_SEC_TRUST_SETTINGS_H_ |
||||
|
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
#include <Security/cssmtype.h> |
||||
#include <Security/SecKeychain.h> |
||||
#include <Security/SecPolicy.h> |
||||
#include <Security/SecCertificate.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*
|
||||
* Any certificate (cert) which resides in a keychain can have associated with
|
||||
* it a set of Trust Settings. Trust Settings specify conditions in which a
|
||||
* given cert can be trusted or explicitly distrusted. A "trusted" cert is |
||||
* either a root (self-signed) cert that, when a cert chain verifies back to that |
||||
* root, the entire cert chain is trusted; or a non-root cert that does not need
|
||||
* to verify to a trusted root cert (which is normally the case when verifying a
|
||||
* cert chain). An "explicitly distrusted" cert is one which will, when encountered
|
||||
* during the evaluation of a cert chain, cause immediate and unconditional failure
|
||||
* of the verify operation.
|
||||
*
|
||||
* Trust Settings are configurable by the user; they can apply on three levels |
||||
* (called domains): |
||||
* |
||||
* -- Per-user. |
||||
* -- Locally administered, system-wide. Administrator privileges are required |
||||
* to make changes to this domain. |
||||
* -- System. These Trust Settings are immutable and comprise the set of trusted |
||||
* root certificates supplied in Mac OS X.
|
||||
* |
||||
* Per-user Trust Settings override locally administered Trust Settings, which
|
||||
* in turn override the System Trust Settings.
|
||||
* |
||||
* Each cert's Trust Settings are expressed as a CFArray which includes any
|
||||
* number (including zero) of CFDictionaries, each of which comprises one set of |
||||
* Usage Constraints. Each Usage Constraints dictionary contains zero or one of
|
||||
* each the following components: |
||||
* |
||||
* key = kSecTrustSettingsPolicy value = SecPolicyRef |
||||
* key = kSecTrustSettingsApplication value = SecTrustedApplicationRef |
||||
* key = kSecTrustSettingsPolicyString value = CFString, policy-specific |
||||
* key = kSecTrustSettingsKeyUsage value = CFNumber, an SInt32 key usage |
||||
*
|
||||
* A given Usage Constraints dictionary applies to a given cert if *all* of the
|
||||
* usage constraint components specified in the dictionary match the usage of
|
||||
* the cert being evaluated; when this occurs, the value of the
|
||||
* kSecTrustSettingsResult entry in the dictionary, shown below, is the effective |
||||
* trust setting for the cert.
|
||||
* |
||||
* key = kSecTrustSettingsResult value = CFNumber, an SInt32 SecTrustSettingsResult |
||||
* |
||||
* The overall Trust Settings of a given cert are the sum of all such Usage
|
||||
* Constraints CFDictionaries: Trust Settings for a given usage apply if *any*
|
||||
* of the CFDictionaries in the cert's Trust Settings array satisfies |
||||
* the specified usage. Thus, when a cert has multiple Usage Constraints
|
||||
* dictionaries in its Trust Settings array, the overall Trust Settings |
||||
* for the cert are |
||||
* |
||||
* (Usage Constraint 0 component 0 AND Usage Constraint 0 component 1 ...) |
||||
* -- OR -- |
||||
* (Usage Constraint 1 component 0 AND Usage Constraint 1 component 1 ...) |
||||
* -- OR -- |
||||
* ... |
||||
* |
||||
* Notes on the various Usage Constraints components: |
||||
* |
||||
* kSecTrustSettingsPolicy Specifies a cert verification policy, e.g., SSL,
|
||||
* SMIME, etc. |
||||
* kSecTrustSettingsApplication Specifies the application performing the cert
|
||||
* verification. |
||||
* kSecTrustSettingsPolicyString Policy-specific. For the SMIME policy, this is
|
||||
* an email address.
|
||||
* For the SSL policy, this is a host name. |
||||
* kSecTrustSettingsKeyUsage A bitfield indicating key operations (sign,
|
||||
* encrypt, etc.) for which this Usage Constraint
|
||||
* apply. Values are defined below as the
|
||||
* SecTrustSettingsKeyUsage enum.
|
||||
* kSecTrustSettingsResult The resulting trust value. If not present this has a |
||||
* default of kSecTrustSettingsResultTrustRoot, meaning
|
||||
* "trust this root cert". Other legal values are: |
||||
* kSecTrustSettingsResultTrustAsRoot : trust non-root |
||||
* cert as if it were a trusted root.
|
||||
* kSecTrustSettingsResultDeny : explicitly distrust this |
||||
* cert.
|
||||
* kSecTrustSettingsResultUnspecified : neither trust nor |
||||
* distrust; can be used to specify an "Allowed error"
|
||||
* (see below) without assigning trust to a specific
|
||||
* cert.
|
||||
* |
||||
* Another optional component in a Usage Constraints dictionary is a CSSM_RETURN |
||||
* which, if encountered during certificate verification, is ignored for that |
||||
* cert. These "allowed error" values are constrained by Usage Constraints as |
||||
* described above; a Usage Constraint dictionary with no constraints but with |
||||
* an Allowed Error value causes that error to always be allowed when the cert |
||||
* is being evaluated. |
||||
* |
||||
* The "allowed error" entry in a Usage Constraints dictionary is formatted
|
||||
* as follows: |
||||
*
|
||||
* key = kSecTrustSettingsAllowedError value = CFNumber, an SInt32 CSSM_RETURN
|
||||
* |
||||
* Note that if kSecTrustSettingsResult value of kSecTrustSettingsResultUnspecified |
||||
* is *not* present for a Usage Constraints dictionary with no Usage
|
||||
* Constraints, the default of kSecTrustSettingsResultTrustRoot is assumed. To
|
||||
* specify a kSecTrustSettingsAllowedError without explicitly trusting (or
|
||||
* distrusting) the associated cert, specify kSecTrustSettingsResultUnspecified
|
||||
* for the kSecTrustSettingsResult component.
|
||||
* |
||||
* Note that an empty Trust Settings array means "always trust this cert, |
||||
* with a resulting kSecTrustSettingsResult of kSecTrustSettingsResultTrustRoot". |
||||
* An empty Trust Settings array is definitely not the same as *no* Trust
|
||||
* Settings, which means "this cert must be verified to a known trusted cert".
|
||||
* |
||||
* Note the distinction between kSecTrustSettingsResultTrustRoot and |
||||
* kSecTrustSettingsResultTrustAsRoot; the former can only be applied to
|
||||
* root (self-signed) certs; the latter can only be applied to non-root
|
||||
* certs. This also means that an empty TrustSettings array for a non-root |
||||
* cert is invalid, since the default value for kSecTrustSettingsResult is |
||||
* kSecTrustSettingsResultTrustRoot, which is invalid for a non-root cert.
|
||||
* |
||||
* Authentication |
||||
* -------------- |
||||
*
|
||||
* When making changes to the per-user Trust Settings, the user will be
|
||||
* prompted with an alert panel asking for authentication via user name a
|
||||
* password (or other credentials normally used for login). This means
|
||||
* that it is not possible to modify per-user Trust Settings when not
|
||||
* running in a GUI environment (i.e. the user is not logged in via
|
||||
* Loginwindow).
|
||||
*
|
||||
* When making changes to the system-wide Trust Settings, the user will be
|
||||
* prompted with an alert panel asking for an administrator's name and
|
||||
* password, unless the calling process is running as root in which case |
||||
* no futher authentication is needed. |
||||
*/ |
||||
|
||||
/*
|
||||
* The keys in one Usage Constraints dictionary. |
||||
*/ |
||||
#define kSecTrustSettingsPolicy CFSTR("kSecTrustSettingsPolicy") |
||||
#define kSecTrustSettingsApplication CFSTR("kSecTrustSettingsApplication") |
||||
#define kSecTrustSettingsPolicyString CFSTR("kSecTrustSettingsPolicyString") |
||||
#define kSecTrustSettingsKeyUsage CFSTR("kSecTrustSettingsKeyUsage") |
||||
#define kSecTrustSettingsAllowedError CFSTR("kSecTrustSettingsAllowedError") |
||||
#define kSecTrustSettingsResult CFSTR("kSecTrustSettingsResult") |
||||
|
||||
/*
|
||||
* Key usage bits, the value for Usage Constraints key kSecTrustSettingsKeyUsage. |
||||
*/ |
||||
typedef CF_OPTIONS(uint32, SecTrustSettingsKeyUsage) { |
||||
/* sign/verify data */ |
||||
kSecTrustSettingsKeyUseSignature = 0x00000001,
|
||||
/* bulk encryption */ |
||||
kSecTrustSettingsKeyUseEnDecryptData = 0x00000002,
|
||||
/* key wrap/unwrap */ |
||||
kSecTrustSettingsKeyUseEnDecryptKey = 0x00000004,
|
||||
/* sign/verify cert */ |
||||
kSecTrustSettingsKeyUseSignCert = 0x00000008,
|
||||
/* sign/verify CRL and OCSP */ |
||||
kSecTrustSettingsKeyUseSignRevocation = 0x00000010,
|
||||
/* key exchange, e.g., Diffie-Hellman */ |
||||
kSecTrustSettingsKeyUseKeyExchange = 0x00000020,
|
||||
/* any usage (the default if this value is not specified) */ |
||||
kSecTrustSettingsKeyUseAny = 0xffffffff
|
||||
}; |
||||
|
||||
/*
|
||||
* The effective Trust Setting result. |
||||
*/ |
||||
typedef CF_ENUM(uint32, SecTrustSettingsResult) { |
||||
kSecTrustSettingsResultInvalid = 0, /* Never valid in a Trust Settings array or
|
||||
* in an API call. */ |
||||
kSecTrustSettingsResultTrustRoot, /* Root cert is explicitly trusted */ |
||||
kSecTrustSettingsResultTrustAsRoot, /* Non-root cert is explicitly trusted */ |
||||
kSecTrustSettingsResultDeny, /* Cert is explicitly distrusted */ |
||||
kSecTrustSettingsResultUnspecified /* Neither trusted nor distrusted; evaluation
|
||||
* proceeds as usual */ |
||||
}; |
||||
|
||||
/*
|
||||
* Specify user, local administrator, or system domain Trust Settings.
|
||||
* Note that kSecTrustSettingsDomainSystem settings are read-only, even by |
||||
* root.
|
||||
*/ |
||||
typedef CF_ENUM(uint32, SecTrustSettingsDomain) { |
||||
kSecTrustSettingsDomainUser = 0, |
||||
kSecTrustSettingsDomainAdmin, |
||||
kSecTrustSettingsDomainSystem |
||||
}; |
||||
|
||||
/*
|
||||
* SecCertificateRef value indicating the default Root Certificate Trust Settings
|
||||
* for a given domain. When evaluating Trust Settings for a root cert in
|
||||
* a given domain, *and* no matching explicit Trust Settings exists for the
|
||||
* root cert in questions, *and* default Root Cert Trust Settings exist |
||||
* in that domain which matches the evaluation condition, then the
|
||||
* SecTrustSettingsResult for that default Trust Setting (if not
|
||||
* kSecTrustSettingsResultUnspecified) will apply.
|
||||
* |
||||
* This can be used e.g. by a system administrator to explicilty distrust all
|
||||
* of the root certs in the (immutable) system domain for a specific policy.
|
||||
* |
||||
* This const is passed as the 'SecCertificateRef certRef' argument to
|
||||
* SecTrustSettingsCopyTrustSettings(), SecTrustSettingsSetTrustSettings(), |
||||
* and SecTrustSettingsRemoveTrustSettings(), and
|
||||
* SecTrustSettingsCopyModificationDate().
|
||||
*/ |
||||
#define kSecTrustSettingsDefaultRootCertSetting ((SecCertificateRef)-1) |
||||
|
||||
/*
|
||||
* Obtain Trust Settings for specified cert. |
||||
* Caller must CFRelease() the returned CFArray.
|
||||
* Returns errSecItemNotFound if no Trust settings exist for the cert. |
||||
*/ |
||||
OSStatus SecTrustSettingsCopyTrustSettings( |
||||
SecCertificateRef certRef,
|
||||
SecTrustSettingsDomain domain,
|
||||
CFArrayRef * __nonnull CF_RETURNS_RETAINED trustSettings); /* RETURNED */ |
||||
|
||||
/*
|
||||
* Specify Trust Settings for specified cert. If specified cert |
||||
* already has Trust Settings in the specified domain, they will
|
||||
* be replaced. |
||||
* The trustSettingsDictOrArray parameter is either a CFDictionary, |
||||
* a CFArray of them, or NULL. NULL indicates "always trust this |
||||
* root cert regardless of usage". |
||||
*/ |
||||
OSStatus SecTrustSettingsSetTrustSettings( |
||||
SecCertificateRef certRef,
|
||||
SecTrustSettingsDomain domain,
|
||||
CFTypeRef __nullable trustSettingsDictOrArray); |
||||
|
||||
/*
|
||||
* Delete Trust Settings for specified cert.
|
||||
* Returns errSecItemNotFound if no Trust settings exist for the cert. |
||||
*/ |
||||
OSStatus SecTrustSettingsRemoveTrustSettings( |
||||
SecCertificateRef certRef,
|
||||
SecTrustSettingsDomain domain);
|
||||
|
||||
/*
|
||||
* Obtain an array of all certs which have Trust Settings in the
|
||||
* specified domain. Elements in the returned certArray are |
||||
* SecCertificateRefs.
|
||||
* Caller must CFRelease() the returned array. |
||||
* Returns errSecNoTrustSettings if no trust settings exist |
||||
* for the specified domain.
|
||||
*/ |
||||
OSStatus SecTrustSettingsCopyCertificates( |
||||
SecTrustSettingsDomain domain,
|
||||
CFArrayRef * __nullable CF_RETURNS_RETAINED certArray); |
||||
|
||||
/*
|
||||
* Obtain the time at which a specified cert's Trust Settings |
||||
* were last modified. Caller must CFRelease the result.
|
||||
* Returns errSecItemNotFound if no Trust Settings exist for specified
|
||||
* cert and domain.
|
||||
*/ |
||||
OSStatus SecTrustSettingsCopyModificationDate( |
||||
SecCertificateRef certRef,
|
||||
SecTrustSettingsDomain domain, |
||||
CFDateRef * __nonnull CF_RETURNS_RETAINED modificationDate); /* RETURNED */ |
||||
|
||||
/*
|
||||
* Obtain an external, portable representation of the specified
|
||||
* domain's TrustSettings. Caller must CFRelease the returned data.
|
||||
* Returns errSecNoTrustSettings if no trust settings exist |
||||
* for the specified domain.
|
||||
*/ |
||||
OSStatus SecTrustSettingsCreateExternalRepresentation( |
||||
SecTrustSettingsDomain domain, |
||||
CFDataRef * __nonnull CF_RETURNS_RETAINED trustSettings); |
||||
|
||||
/*
|
||||
* Import trust settings, obtained via SecTrustSettingsCreateExternalRepresentation, |
||||
* into the specified domain.
|
||||
*/ |
||||
OSStatus SecTrustSettingsImportExternalRepresentation( |
||||
SecTrustSettingsDomain domain, |
||||
CFDataRef trustSettings); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _SECURITY_SEC_TRUST_SETTINGS_H_ */ |
||||
|
@ -0,0 +1,85 @@
|
||||
/*
|
||||
* Copyright (c) 2002-2004,2011-2012,2014 Apple Inc. All Rights Reserved. |
||||
* |
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecTrustedApplication |
||||
The functions provided in SecTrustedApplication implement an object representing an application in a |
||||
SecAccess object. |
||||
*/ |
||||
|
||||
#ifndef _SECURITY_SECTRUSTEDAPPLICATION_H_ |
||||
#define _SECURITY_SECTRUSTEDAPPLICATION_H_ |
||||
|
||||
#include <Security/SecBase.h> |
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
|
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
CF_ASSUME_NONNULL_BEGIN |
||||
|
||||
/*!
|
||||
@function SecTrustedApplicationGetTypeID |
||||
@abstract Returns the type identifier of SecTrustedApplication instances. |
||||
@result The CFTypeID of SecTrustedApplication instances. |
||||
*/ |
||||
CFTypeID SecTrustedApplicationGetTypeID(void); |
||||
|
||||
/*!
|
||||
@function SecTrustedApplicationCreateFromPath |
||||
@abstract Creates a trusted application reference based on the trusted application specified by path. |
||||
@param path The path to the application or tool to trust. For application bundles, use the |
||||
path to the bundle directory. Pass NULL to refer to yourself, i.e. the application or tool |
||||
making this call. |
||||
@param app On return, a pointer to the trusted application reference. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecTrustedApplicationCreateFromPath(const char * __nullable path, SecTrustedApplicationRef * __nonnull CF_RETURNS_RETAINED app); |
||||
|
||||
/*!
|
||||
@function SecTrustedApplicationCopyData |
||||
@abstract Retrieves the data of a given trusted application reference |
||||
@param appRef A trusted application reference to retrieve data from |
||||
@param data On return, a pointer to a data reference of the trusted application. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecTrustedApplicationCopyData(SecTrustedApplicationRef appRef, CFDataRef * __nonnull CF_RETURNS_RETAINED data); |
||||
|
||||
/*!
|
||||
@function SecTrustedApplicationSetData |
||||
@abstract Sets the data of a given trusted application reference |
||||
@param appRef A trusted application reference. |
||||
@param data A reference to the data to set in the trusted application. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
OSStatus SecTrustedApplicationSetData(SecTrustedApplicationRef appRef, CFDataRef data); |
||||
|
||||
CF_ASSUME_NONNULL_END |
||||
|
||||
#if defined(__cplusplus) |
||||
} |
||||
#endif |
||||
|
||||
#endif /* !_SECURITY_SECTRUSTEDAPPLICATION_H_ */ |
@ -0,0 +1,224 @@
|
||||
#ifndef __SECURE_DOWNLOAD__ |
||||
#define __SECURE_DOWNLOAD__ |
||||
|
||||
#if defined(__cplusplus) |
||||
extern "C" { |
||||
#endif |
||||
|
||||
/*
|
||||
* Copyright (c) 2006,2011,2013-2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/*!
|
||||
@header SecureDownload |
||||
@abstract Used by clients to implement Apple's Verified Download System. |
||||
|
||||
Please note that a succesful check does not guarantee anything about |
||||
the safety of the file being downloaded. Rather, it simply checks to make sure |
||||
that the contents of the file being downloaded exactly matches the contents |
||||
of the file when the ticket was originally generated. |
||||
|
||||
To use, do the following: |
||||
1: Download the secure download ticket. |
||||
2: Pass the ticket to SecureDownloadCreateWithTicket. On error, call |
||||
SecureDownloadGetTrustRef to return data that will help you figure |
||||
out why the ticket was bad. |
||||
3: If SecureDownloadCreateWithTicket returns errSecSuccess, call SecureDownloadCopyURLs |
||||
to return a list of data download locations. Begin downloading data from |
||||
the first URL in the list. If that download fails, try downloading from |
||||
the second URL, and so forth. |
||||
4: Each time you receive data, call SecureDownloadReceivedData. |
||||
5: Once all data has been received, call SecureDownloadFinished. |
||||
6: Release the SecureDownloadRef by calling SecureDownloadRelease. |
||||
*/ |
||||
|
||||
|
||||
|
||||
#include <CoreFoundation/CoreFoundation.h> |
||||
#include <Security/SecBase.h> |
||||
|
||||
|
||||
|
||||
typedef struct OpaqueSecureDownload *SecureDownloadRef; |
||||
|
||||
enum { |
||||
errSecureDownloadInvalidTicket = -20052, |
||||
errSecureDownloadInvalidDownload = -20053 |
||||
}; |
||||
|
||||
/*!
|
||||
@enum _SecureDownloadSetupCallbackResult |
||||
@discussion This type is used to indicate whether or not a |
||||
signer should be evaluated. |
||||
@constant kSecureDownloadDoNotEvaluateSigner Indicates that the signer should not be evaluated. |
||||
@constant kSecureDownloadEvaluateSigner Indicates that the signer should be evaluated. |
||||
@constant kSecureDownloadFailEvaluation Indicates that evaluation should fail immediately. |
||||
*/ |
||||
|
||||
typedef enum _SecureDownloadTrustCallbackResult
|
||||
{ |
||||
kSecureDownloadDoNotEvaluateSigner = 0, |
||||
kSecureDownloadEvaluateSigner = 1, |
||||
kSecureDownloadFailEvaluation = 2 |
||||
} SecureDownloadTrustCallbackResult; |
||||
|
||||
/*!
|
||||
@typedef SecureDownloadTrustSetupCallback |
||||
@discussion This callback is used to determine whether trust for a particular |
||||
signer should be evaluated. |
||||
@param trustRef The trustRef for this evaluation |
||||
@param setupContext user defined. |
||||
@result A SecureDownloadTrustCallbackResult (see). |
||||
*/ |
||||
|
||||
typedef SecureDownloadTrustCallbackResult(*SecureDownloadTrustSetupCallback) |
||||
(SecTrustRef trustRef, void* setupContext); |
||||
|
||||
/*!
|
||||
@typedef SecureDownloadTrustEvaluateCallback |
||||
@discussion This callback is used called after trust has been evaluated. |
||||
@param trustRef The trustRef for this evaluation |
||||
@param result The result of the evaluation (See the SecTrust documentation). |
||||
@param evaluateContext user defined. |
||||
@result A SecTrustResultType. Return the value passed in result if you |
||||
do not want to change the evaluation result. |
||||
*/ |
||||
|
||||
typedef SecTrustResultType(*SecureDownloadTrustEvaluateCallback) |
||||
(SecTrustRef trustRef, SecTrustResultType result, |
||||
void *evaluateContext); |
||||
|
||||
/*!
|
||||
@function SecureDownloadCreateWithTicket |
||||
@abstract Create a SecureDownloadRef for use during the Secure Download process. |
||||
@param ticket The download ticket. |
||||
@param setupCallback Called before trust is verified for each signer of the ticket. |
||||
This allows the user to modify the SecTrustRef if needed |
||||
(see the SecTrust documentation). Returns a SecureDownloadTrustCallbackResult (see). |
||||
@param setupContext User defined. Passed as a parameter to the setupCallback. |
||||
@param evaluateCallback Called after SecTrustEvaluate has been called for a |
||||
signer if the result was not trusted. This allows |
||||
the developer to query the user as to whether or not |
||||
to trust the signer. Returns a SecTrustResultType |
||||
@param evaluateContext User defined. Passed as a parameter to the evaluate callback. |
||||
@param downloadRef The returned reference. |
||||
@result Returns errSecureDownloadInvalidTicket if the ticket was invalid. Otherwise |
||||
see "Security Error Codes" (SecBase.h). |
||||
. |
||||
*/ |
||||
|
||||
OSStatus SecureDownloadCreateWithTicket (CFDataRef ticket, |
||||
SecureDownloadTrustSetupCallback setup, |
||||
void* setupContext, |
||||
SecureDownloadTrustEvaluateCallback evaluate, |
||||
void* evaluateContext, |
||||
SecureDownloadRef* downloadRef); |
||||
|
||||
/*!
|
||||
@function SecureDownloadCopyURLs |
||||
@abstract Return a list of URL's from which the data can be downloaded. The first |
||||
URL in the list is the preferred download location. The other URL's are |
||||
backup locations in case earlier locations in the list could not be |
||||
accessed. |
||||
@param downloadRef A SecureDownloadRef instance. |
||||
@param urls On return, the list of URL's to download. Format is a CFArray of CFURL's. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
|
||||
OSStatus SecureDownloadCopyURLs (SecureDownloadRef downloadRef, CFArrayRef* urls); |
||||
|
||||
/*!
|
||||
@function SecureDownloadCopyName |
||||
@abstract Return the printable name of this download ticket. |
||||
@param downloadRef A SecureDownloadRef instance. |
||||
@param name On output, the download name. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
|
||||
OSStatus SecureDownloadCopyName (SecureDownloadRef downloadRef, CFStringRef* name); |
||||
|
||||
/*!
|
||||
@function SecureDownloadCopyCreationDate |
||||
@abstract Return the date the downlooad ticket was created. |
||||
@param downloadRef A SecureDownloadRef instance. |
||||
@param name On output, the creation date. |
||||
@result A result code. |
||||
*/ |
||||
|
||||
OSStatus SecureDownloadCopyCreationDate (SecureDownloadRef downloadRef, CFDateRef* date); |
||||
|
||||
/*!
|
||||
@function SecureDownloadGetDownloadSize |
||||
@abstract Return the size of the expected download. |
||||
@param downloadRef A SecureDownloadRef instance. |
||||
@param size On output, the size of the download. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
|
||||
OSStatus SecureDownloadGetDownloadSize (SecureDownloadRef downloadRef, SInt64 *downloadSize); |
||||
|
||||
/*!
|
||||
@function SecureDownloadUpdateWithData |
||||
@abstract Check data received during Secure Download for validity. |
||||
Call this function each time data is received. |
||||
@param downloadRef A SecureDownloadRef instance. |
||||
@param data The data to check. |
||||
@result Returns errSecureDownloadInvalidDownload if data is invalid. Otherwise |
||||
see "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
|
||||
OSStatus SecureDownloadUpdateWithData (SecureDownloadRef downloadRef, CFDataRef data); |
||||
|
||||
/*!
|
||||
@function SecureDownloadFinished |
||||
@abstract Concludes the secure download process. Call this after all data has been received. |
||||
@param downloadRef A SecureDownloadRef instance. |
||||
@result Returns errSecureDownloadInvalidDownload if data is invalid. Otherwise |
||||
see "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
|
||||
OSStatus SecureDownloadFinished (SecureDownloadRef downloadRef); |
||||
|
||||
/*!
|
||||
@function SecureDownloadRelease |
||||
@abstract Releases a SecureDownloadRef. |
||||
@param downloadRef The SecureDownloadRef to release. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
|
||||
OSStatus SecureDownloadRelease (SecureDownloadRef downloadRef); |
||||
|
||||
/*!
|
||||
@function SecureDownloadCopyTicketLocation |
||||
@abstract Copies the ticket location from an x-securedownload URL. |
||||
@param url The x-securedownload URL. |
||||
@param ticketLocation On exit, the URL of the ticket. |
||||
@result A result code. See "Security Error Codes" (SecBase.h). |
||||
*/ |
||||
|
||||
OSStatus SecureDownloadCopyTicketLocation (CFURLRef url, CFURLRef *ticketLocation); |
||||
|
||||
#if defined(__cplusplus) |
||||
}; |
||||
#endif |
||||
|
||||
#endif |
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,106 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2011,2013-2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
*/ |
||||
|
||||
/* CDSA */ |
||||
#include <Security/cssmconfig.h> |
||||
#include <Security/cssmapple.h> |
||||
#include <Security/certextensions.h> |
||||
#include <Security/cssm.h> |
||||
#include <Security/cssmaci.h> |
||||
#include <Security/cssmapi.h> |
||||
#include <Security/cssmcli.h> |
||||
#include <Security/cssmcspi.h> |
||||
#include <Security/cssmdli.h> |
||||
#include <Security/cssmerr.h> |
||||
#include <Security/cssmkrapi.h> |
||||
#include <Security/cssmkrspi.h> |
||||
#include <Security/cssmspi.h> |
||||
#include <Security/cssmtpi.h> |
||||
#include <Security/cssmtype.h> |
||||
#include <Security/emmspi.h> |
||||
#include <Security/emmtype.h> |
||||
#include <Security/mds.h> |
||||
#include <Security/mds_schema.h> |
||||
#include <Security/oidsalg.h> |
||||
#include <Security/oidsattr.h> |
||||
#include <Security/oidsbase.h> |
||||
#include <Security/oidscert.h> |
||||
#include <Security/oidscrl.h> |
||||
#include <Security/x509defs.h> |
||||
|
||||
/* Security */ |
||||
#include <Security/SecBase.h> |
||||
#include <Security/SecAccess.h> |
||||
#include <Security/SecAccessControl.h> |
||||
#include <Security/SecACL.h> |
||||
#include <Security/SecCertificate.h> |
||||
#include <Security/SecCertificateOIDs.h> |
||||
#include <Security/SecIdentity.h> |
||||
#include <Security/SecIdentitySearch.h> |
||||
#include <Security/SecItem.h> |
||||
#include <Security/SecKey.h> |
||||
#include <Security/SecKeychain.h> |
||||
#include <Security/SecKeychainItem.h> |
||||
#include <Security/SecKeychainSearch.h> |
||||
#include <Security/SecPolicy.h> |
||||
#include <Security/SecPolicySearch.h> |
||||
#include <Security/SecTrust.h> |
||||
#include <Security/SecTrustedApplication.h> |
||||
#include <Security/SecTrustSettings.h> |
||||
#include <Security/SecImportExport.h> |
||||
#include <Security/SecRandom.h> |
||||
|
||||
/* Code Signing */ |
||||
#include <Security/SecStaticCode.h> |
||||
#include <Security/SecCode.h> |
||||
#include <Security/SecCodeHost.h> |
||||
#include <Security/SecRequirement.h> |
||||
#include <Security/SecTask.h> |
||||
|
||||
/* Authorization */ |
||||
#include <Security/Authorization.h> |
||||
#include <Security/AuthorizationTags.h> |
||||
#include <Security/AuthorizationDB.h> |
||||
|
||||
/* CMS */ |
||||
#include <Security/CMSDecoder.h> |
||||
#include <Security/CMSEncoder.h> |
||||
|
||||
/* Secure Transport */ |
||||
#include <Security/CipherSuite.h> |
||||
#include <Security/SecureTransport.h> |
||||
|
||||
#ifdef __BLOCKS__ |
||||
#include <Security/SecTransform.h> |
||||
#include <Security/SecCustomTransform.h> |
||||
#include <Security/SecDecodeTransform.h> |
||||
#include <Security/SecDigestTransform.h> |
||||
#include <Security/SecEncodeTransform.h> |
||||
#include <Security/SecEncryptTransform.h> |
||||
#include <Security/SecSignVerifyTransform.h> |
||||
#include <Security/SecReadTransform.h> |
||||
#endif |
||||
|
||||
/* DER */ |
||||
#include <Security/oids.h> |
||||
|
@ -0,0 +1,640 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* CertExtensions.h -- X.509 Cert Extensions as C structs |
||||
*/ |
||||
|
||||
#ifndef _CERT_EXTENSIONS_H_ |
||||
#define _CERT_EXTENSIONS_H_ |
||||
|
||||
#include <Security/cssmtype.h> |
||||
|
||||
/***
|
||||
*** Structs for declaring extension-specific data.
|
||||
***/ |
||||
|
||||
/*
|
||||
* GeneralName, used in AuthorityKeyID, SubjectAltName, and
|
||||
* IssuerAltName.
|
||||
* |
||||
* For now, we just provide explicit support for the types which are |
||||
* represented as IA5Strings, OIDs, and octet strings. Constructed types |
||||
* such as EDIPartyName and x400Address are not explicitly handled |
||||
* right now and must be encoded and decoded by the caller. (See exception |
||||
* for Name and OtherName, below). In those cases the CE_GeneralName.name.Data field
|
||||
* represents the BER contents octets; CE_GeneralName.name.Length is the
|
||||
* length of the contents; the tag of the field is not needed - the BER
|
||||
* encoding uses context-specific implicit tagging. The berEncoded field
|
||||
* is set to CSSM_TRUE in these case. Simple types have berEncoded = CSSM_FALSE.
|
||||
* |
||||
* In the case of a GeneralName in the form of a Name, we parse the Name |
||||
* into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the |
||||
* CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
|
||||
* sizeof(CSSM_X509_NAME). In this case berEncoded is false.
|
||||
* |
||||
* In the case of a GeneralName in the form of a OtherName, we parse the fields |
||||
* into a CE_OtherName and place a pointer to the CE_OtherName in the |
||||
* CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
|
||||
* sizeof(CE_OtherName). In this case berEncoded is false.
|
||||
* |
||||
* GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName |
||||
* |
||||
* GeneralName ::= CHOICE { |
||||
* otherName [0] OtherName |
||||
* rfc822Name [1] IA5String, |
||||
* dNSName [2] IA5String, |
||||
* x400Address [3] ORAddress, |
||||
* directoryName [4] Name, |
||||
* ediPartyName [5] EDIPartyName, |
||||
* uniformResourceIdentifier [6] IA5String, |
||||
* iPAddress [7] OCTET STRING, |
||||
* registeredID [8] OBJECT IDENTIFIER} |
||||
* |
||||
* OtherName ::= SEQUENCE { |
||||
* type-id OBJECT IDENTIFIER, |
||||
* value [0] EXPLICIT ANY DEFINED BY type-id } |
||||
* |
||||
* EDIPartyName ::= SEQUENCE { |
||||
* nameAssigner [0] DirectoryString OPTIONAL, |
||||
* partyName [1] DirectoryString } |
||||
*/ |
||||
typedef enum __CE_GeneralNameType { |
||||
GNT_OtherName = 0, |
||||
GNT_RFC822Name, |
||||
GNT_DNSName, |
||||
GNT_X400Address, |
||||
GNT_DirectoryName, |
||||
GNT_EdiPartyName, |
||||
GNT_URI, |
||||
GNT_IPAddress, |
||||
GNT_RegisteredID |
||||
} CE_GeneralNameType; |
||||
|
||||
typedef struct __CE_OtherName { |
||||
CSSM_OID typeId; |
||||
CSSM_DATA value; // unparsed, BER-encoded
|
||||
} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_GeneralName { |
||||
CE_GeneralNameType nameType; // GNT_RFC822Name, etc.
|
||||
CSSM_BOOL berEncoded; |
||||
CSSM_DATA name;
|
||||
} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_GeneralNames { |
||||
uint32 numNames; |
||||
CE_GeneralName *generalName;
|
||||
} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
|
||||
|
||||
/*
|
||||
* id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } |
||||
* |
||||
* AuthorityKeyIdentifier ::= SEQUENCE { |
||||
* keyIdentifier [0] KeyIdentifier OPTIONAL, |
||||
* authorityCertIssuer [1] GeneralNames OPTIONAL, |
||||
* authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } |
||||
* |
||||
* KeyIdentifier ::= OCTET STRING |
||||
* |
||||
* CSSM OID = CSSMOID_AuthorityKeyIdentifier |
||||
*/ |
||||
typedef struct __CE_AuthorityKeyID { |
||||
CSSM_BOOL keyIdentifierPresent; |
||||
CSSM_DATA keyIdentifier; |
||||
CSSM_BOOL generalNamesPresent; |
||||
CE_GeneralNames *generalNames; |
||||
CSSM_BOOL serialNumberPresent; |
||||
CSSM_DATA serialNumber; |
||||
} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } |
||||
* SubjectKeyIdentifier ::= KeyIdentifier |
||||
* |
||||
* CSSM OID = CSSMOID_SubjectKeyIdentifier |
||||
*/ |
||||
typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } |
||||
* |
||||
* KeyUsage ::= BIT STRING { |
||||
* digitalSignature (0), |
||||
* nonRepudiation (1), |
||||
* keyEncipherment (2), |
||||
* dataEncipherment (3), |
||||
* keyAgreement (4), |
||||
* keyCertSign (5), |
||||
* cRLSign (6), |
||||
* encipherOnly (7), |
||||
* decipherOnly (8) } |
||||
* |
||||
* CSSM OID = CSSMOID_KeyUsage |
||||
* |
||||
*/ |
||||
typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#define CE_KU_DigitalSignature 0x8000 |
||||
#define CE_KU_NonRepudiation 0x4000 |
||||
#define CE_KU_KeyEncipherment 0x2000 |
||||
#define CE_KU_DataEncipherment 0x1000 |
||||
#define CE_KU_KeyAgreement 0x0800 |
||||
#define CE_KU_KeyCertSign 0x0400 |
||||
#define CE_KU_CRLSign 0x0200 |
||||
#define CE_KU_EncipherOnly 0x0100 |
||||
#define CE_KU_DecipherOnly 0x0080 |
||||
|
||||
/*
|
||||
* id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 } |
||||
* |
||||
* -- reasonCode ::= { CRLReason } |
||||
* |
||||
* CRLReason ::= ENUMERATED { |
||||
* unspecified (0), |
||||
* keyCompromise (1), |
||||
* cACompromise (2), |
||||
* affiliationChanged (3), |
||||
* superseded (4), |
||||
* cessationOfOperation (5), |
||||
* certificateHold (6), |
||||
* removeFromCRL (8) } |
||||
* |
||||
* CSSM OID = CSSMOID_CrlReason |
||||
* |
||||
*/ |
||||
typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#define CE_CR_Unspecified 0 |
||||
#define CE_CR_KeyCompromise 1 |
||||
#define CE_CR_CACompromise 2 |
||||
#define CE_CR_AffiliationChanged 3 |
||||
#define CE_CR_Superseded 4 |
||||
#define CE_CR_CessationOfOperation 5 |
||||
#define CE_CR_CertificateHold 6 |
||||
#define CE_CR_RemoveFromCRL 8 |
||||
|
||||
/*
|
||||
* id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } |
||||
* |
||||
* SubjectAltName ::= GeneralNames |
||||
* |
||||
* CSSM OID = CSSMOID_SubjectAltName |
||||
* |
||||
* GeneralNames defined above. |
||||
*/ |
||||
|
||||
/*
|
||||
* id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} |
||||
* |
||||
* ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId* |
||||
* |
||||
* KeyPurposeId ::= OBJECT IDENTIFIER |
||||
* |
||||
* CSSM OID = CSSMOID_ExtendedKeyUsage |
||||
*/ |
||||
typedef struct __CE_ExtendedKeyUsage { |
||||
uint32 numPurposes; |
||||
CSSM_OID_PTR purposes; // in Intel pre-encoded format
|
||||
} CE_ExtendedKeyUsage; |
||||
|
||||
/*
|
||||
* id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } |
||||
* |
||||
* BasicConstraints ::= SEQUENCE { |
||||
* cA BOOLEAN DEFAULT FALSE, |
||||
* pathLenConstraint INTEGER (0..MAX) OPTIONAL } |
||||
* |
||||
* CSSM OID = CSSMOID_BasicConstraints |
||||
*/ |
||||
typedef struct __CE_BasicConstraints { |
||||
CSSM_BOOL cA; |
||||
CSSM_BOOL pathLenConstraintPresent; |
||||
uint32 pathLenConstraint; |
||||
} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
|
||||
|
||||
/*
|
||||
* id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } |
||||
* |
||||
* certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation |
||||
* |
||||
* PolicyInformation ::= SEQUENCE { |
||||
* policyIdentifier CertPolicyId, |
||||
* policyQualifiers SEQUENCE SIZE (1..MAX) OF |
||||
* PolicyQualifierInfo OPTIONAL } |
||||
* |
||||
* CertPolicyId ::= OBJECT IDENTIFIER |
||||
* |
||||
* PolicyQualifierInfo ::= SEQUENCE { |
||||
* policyQualifierId PolicyQualifierId, |
||||
* qualifier ANY DEFINED BY policyQualifierId }
|
||||
* |
||||
* -- policyQualifierIds for Internet policy qualifiers |
||||
* |
||||
* id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } |
||||
* id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } |
||||
* id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } |
||||
* |
||||
* PolicyQualifierId ::= |
||||
* OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) |
||||
* |
||||
* Qualifier ::= CHOICE { |
||||
* cPSuri CPSuri, |
||||
* userNotice UserNotice } |
||||
* |
||||
* CPSuri ::= IA5String |
||||
* |
||||
* UserNotice ::= SEQUENCE { |
||||
* noticeRef NoticeReference OPTIONAL, |
||||
* explicitText DisplayText OPTIONAL} |
||||
* |
||||
* NoticeReference ::= SEQUENCE { |
||||
* organization DisplayText, |
||||
* noticeNumbers SEQUENCE OF INTEGER } |
||||
* |
||||
* DisplayText ::= CHOICE { |
||||
* visibleString VisibleString (SIZE (1..200)), |
||||
* bmpString BMPString (SIZE (1..200)), |
||||
* utf8String UTF8String (SIZE (1..200)) } |
||||
* |
||||
* CSSM OID = CSSMOID_CertificatePolicies |
||||
* |
||||
* We only support down to the level of Qualifier, and then only the CPSuri |
||||
* choice. UserNotice is transmitted to and from this library as a raw |
||||
* CSSM_DATA containing the BER-encoded UserNotice sequence.
|
||||
*/ |
||||
|
||||
typedef struct __CE_PolicyQualifierInfo { |
||||
CSSM_OID policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
|
||||
CSSM_DATA qualifier; // CSSMOID_QT_CPS: IA5String contents
|
||||
// CSSMOID_QT_UNOTICE : Sequence contents
|
||||
} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_PolicyInformation { |
||||
CSSM_OID certPolicyId; |
||||
uint32 numPolicyQualifiers; // size of *policyQualifiers;
|
||||
CE_PolicyQualifierInfo *policyQualifiers; |
||||
} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_CertPolicies { |
||||
uint32 numPolicies; // size of *policies;
|
||||
CE_PolicyInformation *policies; |
||||
} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* netscape-cert-type, a bit string. |
||||
* |
||||
* CSSM OID = CSSMOID_NetscapeCertType |
||||
* |
||||
* Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc. |
||||
*/ |
||||
typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* CRLDistributionPoints. |
||||
* |
||||
* id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } |
||||
* |
||||
* cRLDistributionPoints ::= { |
||||
* CRLDistPointsSyntax } |
||||
* |
||||
* CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint |
||||
* |
||||
* NOTE: RFC 2459 claims that the tag for the optional DistributionPointName |
||||
* is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be - |
||||
* because the underlying type also uses an implicit tag for distinguish |
||||
* between CHOICEs. |
||||
* |
||||
* DistributionPoint ::= SEQUENCE { |
||||
* distributionPoint [0] DistributionPointName OPTIONAL, |
||||
* reasons [1] ReasonFlags OPTIONAL, |
||||
* cRLIssuer [2] GeneralNames OPTIONAL } |
||||
* |
||||
* DistributionPointName ::= CHOICE { |
||||
* fullName [0] GeneralNames, |
||||
* nameRelativeToCRLIssuer [1] RelativeDistinguishedName } |
||||
* |
||||
* ReasonFlags ::= BIT STRING { |
||||
* unused (0), |
||||
* keyCompromise (1), |
||||
* cACompromise (2), |
||||
* affiliationChanged (3), |
||||
* superseded (4), |
||||
* cessationOfOperation (5), |
||||
* certificateHold (6) } |
||||
* |
||||
* CSSM OID = CSSMOID_CrlDistributionPoints |
||||
*/ |
||||
|
||||
/*
|
||||
* Note that this looks similar to CE_CrlReason, but that's an enum and this |
||||
* is an OR-able bit string. |
||||
*/ |
||||
typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#define CE_CD_Unspecified 0x80 |
||||
#define CE_CD_KeyCompromise 0x40 |
||||
#define CE_CD_CACompromise 0x20 |
||||
#define CE_CD_AffiliationChanged 0x10 |
||||
#define CE_CD_Superseded 0x08 |
||||
#define CE_CD_CessationOfOperation 0x04 |
||||
#define CE_CD_CertificateHold 0x02 |
||||
|
||||
typedef enum __CE_CrlDistributionPointNameType { |
||||
CE_CDNT_FullName, |
||||
CE_CDNT_NameRelativeToCrlIssuer |
||||
} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_DistributionPointName { |
||||
CE_CrlDistributionPointNameType nameType; |
||||
union { |
||||
CE_GeneralNames *fullName; |
||||
CSSM_X509_RDN_PTR rdn; |
||||
} dpn; |
||||
} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* The top-level CRLDistributionPoint. |
||||
* All fields are optional; NULL pointers indicate absence.
|
||||
*/ |
||||
typedef struct __CE_CRLDistributionPoint { |
||||
CE_DistributionPointName *distPointName; |
||||
CSSM_BOOL reasonsPresent; |
||||
CE_CrlDistReasonFlags reasons; |
||||
CE_GeneralNames *crlIssuer; |
||||
} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_CRLDistPointsSyntax { |
||||
uint32 numDistPoints; |
||||
CE_CRLDistributionPoint *distPoints; |
||||
} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* Authority Information Access and Subject Information Access. |
||||
* |
||||
* CSSM OID = CSSMOID_AuthorityInfoAccess |
||||
* CSSM OID = CSSMOID_SubjectInfoAccess |
||||
* |
||||
* SubjAuthInfoAccessSyntax ::= |
||||
* SEQUENCE SIZE (1..MAX) OF AccessDescription |
||||
*
|
||||
* AccessDescription ::= SEQUENCE { |
||||
* accessMethod OBJECT IDENTIFIER, |
||||
* accessLocation GeneralName } |
||||
*/ |
||||
typedef struct __CE_AccessDescription { |
||||
CSSM_OID accessMethod; |
||||
CE_GeneralName accessLocation; |
||||
} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_AuthorityInfoAccess { |
||||
uint32 numAccessDescriptions; |
||||
CE_AccessDescription *accessDescriptions; |
||||
} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* Qualified Certificate Statement support, per RFC 3739. |
||||
* |
||||
* First, NameRegistrationAuthorities, a component of |
||||
* SemanticsInformation; it's the same as a GeneralNames -
|
||||
* a sequence of GeneralName.
|
||||
*/ |
||||
typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* SemanticsInformation, identified as the qcType field |
||||
* of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2. |
||||
* Both fields optional; at least one must be present.
|
||||
*/ |
||||
typedef struct __CE_SemanticsInformation { |
||||
CSSM_OID *semanticsIdentifier;
|
||||
CE_NameRegistrationAuthorities *nameRegistrationAuthorities; |
||||
} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* One Qualified Certificate Statement.
|
||||
* The statementId OID is required; zero or one of {semanticsInfo,
|
||||
* otherInfo} can be valid, depending on the value of statementId.
|
||||
* For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
|
||||
* the semanticsInfo field may be present; otherwise, DER-encoded |
||||
* information may be present in otherInfo. Both semanticsInfo and |
||||
* otherInfo are optional.
|
||||
*/ |
||||
typedef struct __CE_QC_Statement { |
||||
CSSM_OID statementId; |
||||
CE_SemanticsInformation *semanticsInfo; |
||||
CSSM_DATA *otherInfo; |
||||
} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* The top-level Qualified Certificate Statements extension. |
||||
*/ |
||||
typedef struct __CE_QC_Statements { |
||||
uint32 numQCStatements; |
||||
CE_QC_Statement *qcStatements; |
||||
} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*** CRL extensions ***/ |
||||
|
||||
/*
|
||||
* cRLNumber, an integer. |
||||
* |
||||
* CSSM OID = CSSMOID_CrlNumber |
||||
*/ |
||||
typedef uint32 CE_CrlNumber; |
||||
|
||||
/*
|
||||
* deltaCRLIndicator, an integer. |
||||
* |
||||
* CSSM OID = CSSMOID_DeltaCrlIndicator |
||||
*/ |
||||
typedef uint32 CE_DeltaCrl; |
||||
|
||||
/*
|
||||
* IssuingDistributionPoint |
||||
* |
||||
* id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } |
||||
* |
||||
* issuingDistributionPoint ::= SEQUENCE { |
||||
* distributionPoint [0] DistributionPointName OPTIONAL, |
||||
* onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, |
||||
* onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, |
||||
* onlySomeReasons [3] ReasonFlags OPTIONAL, |
||||
* indirectCRL [4] BOOLEAN DEFAULT FALSE } |
||||
* |
||||
* CSSM OID = CSSMOID_IssuingDistributionPoint |
||||
*/ |
||||
typedef struct __CE_IssuingDistributionPoint { |
||||
CE_DistributionPointName *distPointName; // optional
|
||||
CSSM_BOOL onlyUserCertsPresent; |
||||
CSSM_BOOL onlyUserCerts; |
||||
CSSM_BOOL onlyCACertsPresent; |
||||
CSSM_BOOL onlyCACerts; |
||||
CSSM_BOOL onlySomeReasonsPresent; |
||||
CE_CrlDistReasonFlags onlySomeReasons; |
||||
CSSM_BOOL indirectCrlPresent; |
||||
CSSM_BOOL indirectCrl; |
||||
} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
|
||||
|
||||
/*
|
||||
* NameConstraints |
||||
* |
||||
* id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } |
||||
* |
||||
* NameConstraints ::= SEQUENCE { |
||||
* permittedSubtrees [0] GeneralSubtrees OPTIONAL, |
||||
* excludedSubtrees [1] GeneralSubtrees OPTIONAL } |
||||
* |
||||
* GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree |
||||
* |
||||
* GeneralSubtree ::= SEQUENCE { |
||||
* base GeneralName, |
||||
* minimum [0] BaseDistance DEFAULT 0, |
||||
* maximum [1] BaseDistance OPTIONAL } |
||||
* |
||||
* BaseDistance ::= INTEGER (0..MAX) |
||||
*/ |
||||
typedef struct __CE_GeneralSubtree { |
||||
CE_GeneralNames *base; |
||||
uint32 minimum; // default=0
|
||||
CSSM_BOOL maximumPresent; |
||||
uint32 maximum; // optional
|
||||
} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_GeneralSubtrees { |
||||
uint32 numSubtrees; |
||||
CE_GeneralSubtree *subtrees; |
||||
} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_NameConstraints { |
||||
CE_GeneralSubtrees *permitted; // optional
|
||||
CE_GeneralSubtrees *excluded; // optional
|
||||
} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* PolicyMappings |
||||
* |
||||
* id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } |
||||
* |
||||
* PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { |
||||
* issuerDomainPolicy CertPolicyId, |
||||
* subjectDomainPolicy CertPolicyId } |
||||
* |
||||
* Note that both issuer and subject policy OIDs are required, |
||||
* and are stored by value in this structure. |
||||
*/ |
||||
typedef struct __CE_PolicyMapping { |
||||
CSSM_OID issuerDomainPolicy; |
||||
CSSM_OID subjectDomainPolicy; |
||||
} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_PolicyMappings { |
||||
uint32 numPolicyMappings; |
||||
CE_PolicyMapping *policyMappings; |
||||
} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* PolicyConstraints |
||||
* |
||||
* id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } |
||||
* |
||||
* PolicyConstraints ::= SEQUENCE { |
||||
* requireExplicitPolicy [0] SkipCerts OPTIONAL, |
||||
* inhibitPolicyMapping [1] SkipCerts OPTIONAL } |
||||
* |
||||
* SkipCerts ::= INTEGER (0..MAX) |
||||
*/ |
||||
typedef struct __CE_PolicyConstraints { |
||||
CSSM_BOOL requireExplicitPolicyPresent; |
||||
uint32 requireExplicitPolicy; // optional
|
||||
CSSM_BOOL inhibitPolicyMappingPresent; |
||||
uint32 inhibitPolicyMapping; // optional
|
||||
} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* InhibitAnyPolicy, an integer. |
||||
* |
||||
* CSSM OID = CSSMOID_InhibitAnyPolicy |
||||
*/ |
||||
typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
/*
|
||||
* An enumerated list identifying one of the above per-extension |
||||
* structs. |
||||
*/ |
||||
typedef enum __CE_DataType { |
||||
DT_AuthorityKeyID, // CE_AuthorityKeyID
|
||||
DT_SubjectKeyID, // CE_SubjectKeyID
|
||||
DT_KeyUsage, // CE_KeyUsage
|
||||
DT_SubjectAltName, // implies CE_GeneralName
|
||||
DT_IssuerAltName, // implies CE_GeneralName
|
||||
DT_ExtendedKeyUsage, // CE_ExtendedKeyUsage
|
||||
DT_BasicConstraints, // CE_BasicConstraints
|
||||
DT_CertPolicies, // CE_CertPolicies
|
||||
DT_NetscapeCertType, // CE_NetscapeCertType
|
||||
DT_CrlNumber, // CE_CrlNumber
|
||||
DT_DeltaCrl, // CE_DeltaCrl
|
||||
DT_CrlReason, // CE_CrlReason
|
||||
DT_CrlDistributionPoints, // CE_CRLDistPointsSyntax
|
||||
DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
|
||||
DT_AuthorityInfoAccess, // CE_AuthorityInfoAccess
|
||||
DT_Other, // unknown, raw data as a CSSM_DATA
|
||||
DT_QC_Statements, // CE_QC_Statements
|
||||
DT_NameConstraints, // CE_NameConstraints
|
||||
DT_PolicyMappings, // CE_PolicyMappings
|
||||
DT_PolicyConstraints, // CE_PolicyConstraints
|
||||
DT_InhibitAnyPolicy // CE_InhibitAnyPolicy
|
||||
} CE_DataType; |
||||
|
||||
/*
|
||||
* One unified representation of all the cert and CRL extensions we know about. |
||||
*/ |
||||
typedef union { |
||||
CE_AuthorityKeyID authorityKeyID; |
||||
CE_SubjectKeyID subjectKeyID; |
||||
CE_KeyUsage keyUsage; |
||||
CE_GeneralNames subjectAltName; |
||||
CE_GeneralNames issuerAltName; |
||||
CE_ExtendedKeyUsage extendedKeyUsage; |
||||
CE_BasicConstraints basicConstraints; |
||||
CE_CertPolicies certPolicies; |
||||
CE_NetscapeCertType netscapeCertType; |
||||
CE_CrlNumber crlNumber; |
||||
CE_DeltaCrl deltaCrl; |
||||
CE_CrlReason crlReason; |
||||
CE_CRLDistPointsSyntax crlDistPoints; |
||||
CE_IssuingDistributionPoint issuingDistPoint; |
||||
CE_AuthorityInfoAccess authorityInfoAccess; |
||||
CE_QC_Statements qualifiedCertStatements; |
||||
CE_NameConstraints nameConstraints; |
||||
CE_PolicyMappings policyMappings; |
||||
CE_PolicyConstraints policyConstraints; |
||||
CE_InhibitAnyPolicy inhibitAnyPolicy; |
||||
CSSM_DATA rawData; // unknown, not decoded
|
||||
} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct __CE_DataAndType { |
||||
CE_DataType type; |
||||
CE_Data extension; |
||||
CSSM_BOOL critical; |
||||
} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#endif /* _CERT_EXTENSIONS_H_ */ |
@ -0,0 +1,35 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2001,2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssm.h -- Common Security Services Manager Interface |
||||
*/ |
||||
|
||||
#ifndef _CSSM_H_ |
||||
#define _CSSM_H_ 1 |
||||
|
||||
#include <Security/cssmtype.h> |
||||
#include <Security/emmtype.h> |
||||
#include <Security/cssmapi.h> |
||||
#include <Security/cssmerr.h> |
||||
#include <Security/cssmapple.h> |
||||
|
||||
#endif /* _CSSM_H_ */ |
@ -0,0 +1,60 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2001,2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmaci.h -- Sevice Provider Interface for Access Control Module |
||||
*/ |
||||
|
||||
#ifndef _CSSMACI_H_ |
||||
#define _CSSMACI_H_ 1 |
||||
|
||||
#include <Security/cssmtype.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
typedef struct cssm_spi_ac_funcs { |
||||
CSSM_RETURN (CSSMACI *AuthCompute) |
||||
(CSSM_AC_HANDLE ACHandle, |
||||
const CSSM_TUPLEGROUP *BaseAuthorizations, |
||||
const CSSM_TUPLEGROUP *Credentials, |
||||
uint32 NumberOfRequestors, |
||||
const CSSM_LIST *Requestors, |
||||
const CSSM_LIST *RequestedAuthorizationPeriod, |
||||
const CSSM_LIST *RequestedAuthorization, |
||||
CSSM_TUPLEGROUP_PTR AuthorizationResult); |
||||
CSSM_RETURN (CSSMACI *PassThrough) |
||||
(CSSM_AC_HANDLE ACHandle, |
||||
CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DL_DB_LIST *DBList, |
||||
uint32 PassThroughId, |
||||
const void *InputParams, |
||||
void **OutputParams); |
||||
} CSSM_SPI_AC_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_AC_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMACI_H_ */ |
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,242 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2001,2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmcli.h -- Service Provider Interface for Certificate Library Modules |
||||
*/ |
||||
|
||||
#ifndef _CSSMCLI_H_ |
||||
#define _CSSMCLI_H_ 1 |
||||
|
||||
#include <Security/cssmtype.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
typedef struct cssm_spi_cl_funcs { |
||||
CSSM_RETURN (CSSMCLI *CertCreateTemplate) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
uint32 NumberOfFields, |
||||
const CSSM_FIELD *CertFields, |
||||
CSSM_DATA_PTR CertTemplate); |
||||
CSSM_RETURN (CSSMCLI *CertGetAllTemplateFields) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *CertTemplate, |
||||
uint32 *NumberOfFields, |
||||
CSSM_FIELD_PTR *CertFields); |
||||
CSSM_RETURN (CSSMCLI *CertSign) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *CertTemplate, |
||||
const CSSM_FIELD *SignScope, |
||||
uint32 ScopeSize, |
||||
CSSM_DATA_PTR SignedCert); |
||||
CSSM_RETURN (CSSMCLI *CertVerify) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *CertToBeVerified, |
||||
const CSSM_DATA *SignerCert, |
||||
const CSSM_FIELD *VerifyScope, |
||||
uint32 ScopeSize); |
||||
CSSM_RETURN (CSSMCLI *CertVerifyWithKey) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *CertToBeVerified); |
||||
CSSM_RETURN (CSSMCLI *CertGetFirstFieldValue) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Cert, |
||||
const CSSM_OID *CertField, |
||||
CSSM_HANDLE_PTR ResultsHandle, |
||||
uint32 *NumberOfMatchedFields, |
||||
CSSM_DATA_PTR *Value); |
||||
CSSM_RETURN (CSSMCLI *CertGetNextFieldValue) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE ResultsHandle, |
||||
CSSM_DATA_PTR *Value); |
||||
CSSM_RETURN (CSSMCLI *CertAbortQuery) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE ResultsHandle); |
||||
CSSM_RETURN (CSSMCLI *CertGetKeyInfo) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Cert, |
||||
CSSM_KEY_PTR *Key); |
||||
CSSM_RETURN (CSSMCLI *CertGetAllFields) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Cert, |
||||
uint32 *NumberOfFields, |
||||
CSSM_FIELD_PTR *CertFields); |
||||
CSSM_RETURN (CSSMCLI *FreeFields) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
uint32 NumberOfFields, |
||||
CSSM_FIELD_PTR *FieldArray); |
||||
CSSM_RETURN (CSSMCLI *FreeFieldValue) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_OID *CertOrCrlOid, |
||||
CSSM_DATA_PTR Value); |
||||
CSSM_RETURN (CSSMCLI *CertCache) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Cert, |
||||
CSSM_HANDLE_PTR CertHandle); |
||||
CSSM_RETURN (CSSMCLI *CertGetFirstCachedFieldValue) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE CertHandle, |
||||
const CSSM_OID *CertField, |
||||
CSSM_HANDLE_PTR ResultsHandle, |
||||
uint32 *NumberOfMatchedFields, |
||||
CSSM_DATA_PTR *Value); |
||||
CSSM_RETURN (CSSMCLI *CertGetNextCachedFieldValue) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE ResultsHandle, |
||||
CSSM_DATA_PTR *Value); |
||||
CSSM_RETURN (CSSMCLI *CertAbortCache) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE CertHandle); |
||||
CSSM_RETURN (CSSMCLI *CertGroupToSignedBundle) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CERTGROUP *CertGroupToBundle, |
||||
const CSSM_CERT_BUNDLE_HEADER *BundleInfo, |
||||
CSSM_DATA_PTR SignedBundle); |
||||
CSSM_RETURN (CSSMCLI *CertGroupFromVerifiedBundle) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CERT_BUNDLE *CertBundle, |
||||
const CSSM_DATA *SignerCert, |
||||
CSSM_CERTGROUP_PTR *CertGroup); |
||||
CSSM_RETURN (CSSMCLI *CertDescribeFormat) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
uint32 *NumberOfFields, |
||||
CSSM_OID_PTR *OidList); |
||||
CSSM_RETURN (CSSMCLI *CrlCreateTemplate) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
uint32 NumberOfFields, |
||||
const CSSM_FIELD *CrlTemplate, |
||||
CSSM_DATA_PTR NewCrl); |
||||
CSSM_RETURN (CSSMCLI *CrlSetFields) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
uint32 NumberOfFields, |
||||
const CSSM_FIELD *CrlTemplate, |
||||
const CSSM_DATA *OldCrl, |
||||
CSSM_DATA_PTR ModifiedCrl); |
||||
CSSM_RETURN (CSSMCLI *CrlAddCert) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *Cert, |
||||
uint32 NumberOfFields, |
||||
const CSSM_FIELD *CrlEntryFields, |
||||
const CSSM_DATA *OldCrl, |
||||
CSSM_DATA_PTR NewCrl); |
||||
CSSM_RETURN (CSSMCLI *CrlRemoveCert) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Cert, |
||||
const CSSM_DATA *OldCrl, |
||||
CSSM_DATA_PTR NewCrl); |
||||
CSSM_RETURN (CSSMCLI *CrlSign) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *UnsignedCrl, |
||||
const CSSM_FIELD *SignScope, |
||||
uint32 ScopeSize, |
||||
CSSM_DATA_PTR SignedCrl); |
||||
CSSM_RETURN (CSSMCLI *CrlVerify) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *CrlToBeVerified, |
||||
const CSSM_DATA *SignerCert, |
||||
const CSSM_FIELD *VerifyScope, |
||||
uint32 ScopeSize); |
||||
CSSM_RETURN (CSSMCLI *CrlVerifyWithKey) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *CrlToBeVerified); |
||||
CSSM_RETURN (CSSMCLI *IsCertInCrl) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Cert, |
||||
const CSSM_DATA *Crl, |
||||
CSSM_BOOL *CertFound); |
||||
CSSM_RETURN (CSSMCLI *CrlGetFirstFieldValue) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Crl, |
||||
const CSSM_OID *CrlField, |
||||
CSSM_HANDLE_PTR ResultsHandle, |
||||
uint32 *NumberOfMatchedFields, |
||||
CSSM_DATA_PTR *Value); |
||||
CSSM_RETURN (CSSMCLI *CrlGetNextFieldValue) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE ResultsHandle, |
||||
CSSM_DATA_PTR *Value); |
||||
CSSM_RETURN (CSSMCLI *CrlAbortQuery) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE ResultsHandle); |
||||
CSSM_RETURN (CSSMCLI *CrlGetAllFields) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Crl, |
||||
uint32 *NumberOfCrlFields, |
||||
CSSM_FIELD_PTR *CrlFields); |
||||
CSSM_RETURN (CSSMCLI *CrlCache) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Crl, |
||||
CSSM_HANDLE_PTR CrlHandle); |
||||
CSSM_RETURN (CSSMCLI *IsCertInCachedCrl) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *Cert, |
||||
CSSM_HANDLE CrlHandle, |
||||
CSSM_BOOL *CertFound, |
||||
CSSM_DATA_PTR CrlRecordIndex); |
||||
CSSM_RETURN (CSSMCLI *CrlGetFirstCachedFieldValue) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE CrlHandle, |
||||
const CSSM_DATA *CrlRecordIndex, |
||||
const CSSM_OID *CrlField, |
||||
CSSM_HANDLE_PTR ResultsHandle, |
||||
uint32 *NumberOfMatchedFields, |
||||
CSSM_DATA_PTR *Value); |
||||
CSSM_RETURN (CSSMCLI *CrlGetNextCachedFieldValue) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE ResultsHandle, |
||||
CSSM_DATA_PTR *Value); |
||||
CSSM_RETURN (CSSMCLI *CrlGetAllCachedRecordFields) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE CrlHandle, |
||||
const CSSM_DATA *CrlRecordIndex, |
||||
uint32 *NumberOfFields, |
||||
CSSM_FIELD_PTR *CrlFields); |
||||
CSSM_RETURN (CSSMCLI *CrlAbortCache) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_HANDLE CrlHandle); |
||||
CSSM_RETURN (CSSMCLI *CrlDescribeFormat) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
uint32 *NumberOfFields, |
||||
CSSM_OID_PTR *OidList); |
||||
CSSM_RETURN (CSSMCLI *PassThrough) |
||||
(CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
uint32 PassThroughId, |
||||
const void *InputParams, |
||||
void **OutputParams); |
||||
} CSSM_SPI_CL_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_CL_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMCLI_H_ */ |
@ -0,0 +1,95 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2001,2003-2004,2007,2011-2012 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmconfig.h -- Platform specific defines and typedefs for cdsa. |
||||
*/ |
||||
|
||||
#ifndef _CSSMCONFIG_H_ |
||||
#define _CSSMCONFIG_H_ 1 |
||||
|
||||
#include <AvailabilityMacros.h> |
||||
#include <TargetConditionals.h> |
||||
#include <ConditionalMacros.h> |
||||
|
||||
|
||||
/* #if defined(TARGET_API_MAC_OS8) || defined(TARGET_API_MAC_CARBON) || defined(TARGET_API_MAC_OSX) */ |
||||
#if defined(TARGET_OS_MAC) |
||||
#include <sys/types.h> |
||||
#include <stdint.h> |
||||
#else |
||||
#error Unknown API architecture. |
||||
#endif |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
#ifndef _SINT64 |
||||
typedef int64_t sint64; |
||||
#define _SINT64 |
||||
#endif |
||||
#ifndef _UINT64 |
||||
typedef uint64_t uint64; |
||||
#define _UINT64 |
||||
#endif |
||||
#ifndef _SINT32 |
||||
typedef int32_t sint32; |
||||
#define _SINT32 |
||||
#endif |
||||
#ifndef _SINT16 |
||||
typedef int16_t sint16; |
||||
#define _SINT16 |
||||
#endif |
||||
#ifndef _SINT8 |
||||
typedef int8_t sint8; |
||||
#define _SINT8 |
||||
#endif |
||||
#ifndef _UINT32 |
||||
typedef uint32_t uint32; |
||||
#define _UINT32 |
||||
#endif |
||||
#ifndef _UINT16 |
||||
typedef uint16_t uint16; |
||||
#define _UINT16 |
||||
#endif |
||||
#ifndef _UINT8 |
||||
typedef uint8_t uint8; |
||||
#define _UINT8 |
||||
#endif |
||||
|
||||
typedef intptr_t CSSM_INTPTR; |
||||
typedef size_t CSSM_SIZE; |
||||
|
||||
#define CSSMACI |
||||
#define CSSMAPI |
||||
#define CSSMCLI |
||||
#define CSSMCSPI |
||||
#define CSSMDLI |
||||
#define CSSMKRI |
||||
#define CSSMSPI |
||||
#define CSSMTPI |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMCONFIG_H_ */ |
@ -0,0 +1,367 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2001,2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmcspi.h -- Service Provider Interface for |
||||
* Cryptographic Service Provider Modules |
||||
*/ |
||||
|
||||
#ifndef _CSSMCSPI_H_ |
||||
#define _CSSMCSPI_H_ 1 |
||||
|
||||
#include <Security/cssmspi.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
typedef struct cssm_spi_csp_funcs { |
||||
CSSM_RETURN (CSSMCSPI *EventNotify) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CONTEXT_EVENT Event, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context); |
||||
CSSM_RETURN (CSSMCSPI *QuerySize) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
CSSM_BOOL Encrypt, |
||||
uint32 QuerySizeCount, |
||||
CSSM_QUERY_SIZE_DATA_PTR DataBlock); |
||||
CSSM_RETURN (CSSMCSPI *SignData) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount, |
||||
CSSM_ALGORITHMS DigestAlgorithm, |
||||
CSSM_DATA_PTR Signature); |
||||
CSSM_RETURN (CSSMCSPI *SignDataInit) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context); |
||||
CSSM_RETURN (CSSMCSPI *SignDataUpdate) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount); |
||||
CSSM_RETURN (CSSMCSPI *SignDataFinal) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
CSSM_DATA_PTR Signature); |
||||
CSSM_RETURN (CSSMCSPI *VerifyData) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount, |
||||
CSSM_ALGORITHMS DigestAlgorithm, |
||||
const CSSM_DATA *Signature); |
||||
CSSM_RETURN (CSSMCSPI *VerifyDataInit) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context); |
||||
CSSM_RETURN (CSSMCSPI *VerifyDataUpdate) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount); |
||||
CSSM_RETURN (CSSMCSPI *VerifyDataFinal) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *Signature); |
||||
CSSM_RETURN (CSSMCSPI *DigestData) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount, |
||||
CSSM_DATA_PTR Digest); |
||||
CSSM_RETURN (CSSMCSPI *DigestDataInit) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context); |
||||
CSSM_RETURN (CSSMCSPI *DigestDataUpdate) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount); |
||||
CSSM_RETURN (CSSMCSPI *DigestDataClone) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
CSSM_CC_HANDLE ClonedCCHandle); |
||||
CSSM_RETURN (CSSMCSPI *DigestDataFinal) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
CSSM_DATA_PTR Digest); |
||||
CSSM_RETURN (CSSMCSPI *GenerateMac) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount, |
||||
CSSM_DATA_PTR Mac); |
||||
CSSM_RETURN (CSSMCSPI *GenerateMacInit) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context); |
||||
CSSM_RETURN (CSSMCSPI *GenerateMacUpdate) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount); |
||||
CSSM_RETURN (CSSMCSPI *GenerateMacFinal) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
CSSM_DATA_PTR Mac); |
||||
CSSM_RETURN (CSSMCSPI *VerifyMac) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount, |
||||
const CSSM_DATA *Mac); |
||||
CSSM_RETURN (CSSMCSPI *VerifyMacInit) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context); |
||||
CSSM_RETURN (CSSMCSPI *VerifyMacUpdate) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *DataBufs, |
||||
uint32 DataBufCount); |
||||
CSSM_RETURN (CSSMCSPI *VerifyMacFinal) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *Mac); |
||||
CSSM_RETURN (CSSMCSPI *EncryptData) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_DATA *ClearBufs, |
||||
uint32 ClearBufCount, |
||||
CSSM_DATA_PTR CipherBufs, |
||||
uint32 CipherBufCount, |
||||
CSSM_SIZE *bytesEncrypted, |
||||
CSSM_DATA_PTR RemData, |
||||
CSSM_PRIVILEGE Privilege); |
||||
CSSM_RETURN (CSSMCSPI *EncryptDataInit) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
CSSM_PRIVILEGE Privilege); |
||||
CSSM_RETURN (CSSMCSPI *EncryptDataUpdate) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *ClearBufs, |
||||
uint32 ClearBufCount, |
||||
CSSM_DATA_PTR CipherBufs, |
||||
uint32 CipherBufCount, |
||||
CSSM_SIZE *bytesEncrypted); |
||||
CSSM_RETURN (CSSMCSPI *EncryptDataFinal) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
CSSM_DATA_PTR RemData); |
||||
CSSM_RETURN (CSSMCSPI *DecryptData) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_DATA *CipherBufs, |
||||
uint32 CipherBufCount, |
||||
CSSM_DATA_PTR ClearBufs, |
||||
uint32 ClearBufCount, |
||||
CSSM_SIZE *bytesDecrypted, |
||||
CSSM_DATA_PTR RemData, |
||||
CSSM_PRIVILEGE Privilege); |
||||
CSSM_RETURN (CSSMCSPI *DecryptDataInit) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
CSSM_PRIVILEGE Privilege); |
||||
CSSM_RETURN (CSSMCSPI *DecryptDataUpdate) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *CipherBufs, |
||||
uint32 CipherBufCount, |
||||
CSSM_DATA_PTR ClearBufs, |
||||
uint32 ClearBufCount, |
||||
CSSM_SIZE *bytesDecrypted); |
||||
CSSM_RETURN (CSSMCSPI *DecryptDataFinal) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
CSSM_DATA_PTR RemData); |
||||
CSSM_RETURN (CSSMCSPI *QueryKeySizeInBits) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_KEY *Key, |
||||
CSSM_KEY_SIZE_PTR KeySize); |
||||
CSSM_RETURN (CSSMCSPI *GenerateKey) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
uint32 KeyUsage, |
||||
uint32 KeyAttr, |
||||
const CSSM_DATA *KeyLabel, |
||||
const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, |
||||
CSSM_KEY_PTR Key, |
||||
CSSM_PRIVILEGE Privilege); |
||||
CSSM_RETURN (CSSMCSPI *GenerateKeyPair) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
uint32 PublicKeyUsage, |
||||
uint32 PublicKeyAttr, |
||||
const CSSM_DATA *PublicKeyLabel, |
||||
CSSM_KEY_PTR PublicKey, |
||||
uint32 PrivateKeyUsage, |
||||
uint32 PrivateKeyAttr, |
||||
const CSSM_DATA *PrivateKeyLabel, |
||||
const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, |
||||
CSSM_KEY_PTR PrivateKey, |
||||
CSSM_PRIVILEGE Privilege); |
||||
CSSM_RETURN (CSSMCSPI *GenerateRandom) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
CSSM_DATA_PTR RandomNumber); |
||||
CSSM_RETURN (CSSMCSPI *GenerateAlgorithmParams) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
uint32 ParamBits, |
||||
CSSM_DATA_PTR Param, |
||||
uint32 *NumberOfUpdatedAttibutes, |
||||
CSSM_CONTEXT_ATTRIBUTE_PTR *UpdatedAttributes); |
||||
CSSM_RETURN (CSSMCSPI *WrapKey) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
const CSSM_KEY *Key, |
||||
const CSSM_DATA *DescriptiveData, |
||||
CSSM_WRAP_KEY_PTR WrappedKey, |
||||
CSSM_PRIVILEGE Privilege); |
||||
CSSM_RETURN (CSSMCSPI *UnwrapKey) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
const CSSM_KEY *PublicKey, |
||||
const CSSM_WRAP_KEY *WrappedKey, |
||||
uint32 KeyUsage, |
||||
uint32 KeyAttr, |
||||
const CSSM_DATA *KeyLabel, |
||||
const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, |
||||
CSSM_KEY_PTR UnwrappedKey, |
||||
CSSM_DATA_PTR DescriptiveData, |
||||
CSSM_PRIVILEGE Privilege); |
||||
CSSM_RETURN (CSSMCSPI *DeriveKey) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
CSSM_DATA_PTR Param, |
||||
uint32 KeyUsage, |
||||
uint32 KeyAttr, |
||||
const CSSM_DATA *KeyLabel, |
||||
const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, |
||||
CSSM_KEY_PTR DerivedKey); |
||||
CSSM_RETURN (CSSMCSPI *FreeKey) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
CSSM_KEY_PTR KeyPtr, |
||||
CSSM_BOOL Delete); |
||||
CSSM_RETURN (CSSMCSPI *PassThrough) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_CONTEXT *Context, |
||||
uint32 PassThroughId, |
||||
const void *InData, |
||||
void **OutData); |
||||
CSSM_RETURN (CSSMCSPI *Login) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
const CSSM_DATA *LoginName, |
||||
const void *Reserved); |
||||
CSSM_RETURN (CSSMCSPI *Logout) |
||||
(CSSM_CSP_HANDLE CSPHandle); |
||||
CSSM_RETURN (CSSMCSPI *ChangeLoginAcl) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
const CSSM_ACL_EDIT *AclEdit); |
||||
CSSM_RETURN (CSSMCSPI *ObtainPrivateKeyFromPublicKey) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_KEY *PublicKey, |
||||
CSSM_KEY_PTR PrivateKey); |
||||
CSSM_RETURN (CSSMCSPI *RetrieveUniqueId) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_DATA_PTR UniqueID); |
||||
CSSM_RETURN (CSSMCSPI *RetrieveCounter) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_DATA_PTR Counter); |
||||
CSSM_RETURN (CSSMCSPI *VerifyDevice) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_DATA *DeviceCert); |
||||
CSSM_RETURN (CSSMCSPI *GetTimeValue) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_ALGORITHMS TimeAlgorithm, |
||||
CSSM_DATA *TimeData); |
||||
CSSM_RETURN (CSSMCSPI *GetOperationalStatistics) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_CSP_OPERATIONAL_STATISTICS *Statistics); |
||||
CSSM_RETURN (CSSMCSPI *GetLoginAcl) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_STRING *SelectionTag, |
||||
uint32 *NumberOfAclInfos, |
||||
CSSM_ACL_ENTRY_INFO_PTR *AclInfos); |
||||
CSSM_RETURN (CSSMCSPI *GetKeyAcl) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_KEY *Key, |
||||
const CSSM_STRING *SelectionTag, |
||||
uint32 *NumberOfAclInfos, |
||||
CSSM_ACL_ENTRY_INFO_PTR *AclInfos); |
||||
CSSM_RETURN (CSSMCSPI *ChangeKeyAcl) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
const CSSM_ACL_EDIT *AclEdit, |
||||
const CSSM_KEY *Key); |
||||
CSSM_RETURN (CSSMCSPI *GetKeyOwner) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_KEY *Key, |
||||
CSSM_ACL_OWNER_PROTOTYPE_PTR Owner); |
||||
CSSM_RETURN (CSSMCSPI *ChangeKeyOwner) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
const CSSM_KEY *Key, |
||||
const CSSM_ACL_OWNER_PROTOTYPE *NewOwner); |
||||
CSSM_RETURN (CSSMCSPI *GetLoginOwner) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
CSSM_ACL_OWNER_PROTOTYPE_PTR Owner); |
||||
CSSM_RETURN (CSSMCSPI *ChangeLoginOwner) |
||||
(CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
const CSSM_ACL_OWNER_PROTOTYPE *NewOwner); |
||||
} CSSM_SPI_CSP_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_CSP_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMCSPI_H_ */ |
@ -0,0 +1,151 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2001,2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmdli.h -- Service Provider Interface for Data Store Modules |
||||
*/ |
||||
|
||||
#ifndef _CSSMDLI_H_ |
||||
#define _CSSMDLI_H_ 1 |
||||
|
||||
#include <Security/cssmtype.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
typedef struct cssm_spi_dl_funcs { |
||||
CSSM_RETURN (CSSMDLI *DbOpen) |
||||
(CSSM_DL_HANDLE DLHandle, |
||||
const char *DbName, |
||||
const CSSM_NET_ADDRESS *DbLocation, |
||||
CSSM_DB_ACCESS_TYPE AccessRequest, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
const void *OpenParameters, |
||||
CSSM_DB_HANDLE *DbHandle); |
||||
CSSM_RETURN (CSSMDLI *DbClose) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle); |
||||
CSSM_RETURN (CSSMDLI *DbCreate) |
||||
(CSSM_DL_HANDLE DLHandle, |
||||
const char *DbName, |
||||
const CSSM_NET_ADDRESS *DbLocation, |
||||
const CSSM_DBINFO *DBInfo, |
||||
CSSM_DB_ACCESS_TYPE AccessRequest, |
||||
const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, |
||||
const void *OpenParameters, |
||||
CSSM_DB_HANDLE *DbHandle); |
||||
CSSM_RETURN (CSSMDLI *DbDelete) |
||||
(CSSM_DL_HANDLE DLHandle, |
||||
const char *DbName, |
||||
const CSSM_NET_ADDRESS *DbLocation, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred); |
||||
CSSM_RETURN (CSSMDLI *CreateRelation) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
CSSM_DB_RECORDTYPE RelationID, |
||||
const char *RelationName, |
||||
uint32 NumberOfAttributes, |
||||
const CSSM_DB_SCHEMA_ATTRIBUTE_INFO *pAttributeInfo, |
||||
uint32 NumberOfIndexes, |
||||
const CSSM_DB_SCHEMA_INDEX_INFO *pIndexInfo); |
||||
CSSM_RETURN (CSSMDLI *DestroyRelation) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
CSSM_DB_RECORDTYPE RelationID); |
||||
CSSM_RETURN (CSSMDLI *Authenticate) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
CSSM_DB_ACCESS_TYPE AccessRequest, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred); |
||||
CSSM_RETURN (CSSMDLI *GetDbAcl) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
const CSSM_STRING *SelectionTag, |
||||
uint32 *NumberOfAclInfos, |
||||
CSSM_ACL_ENTRY_INFO_PTR *AclInfos); |
||||
CSSM_RETURN (CSSMDLI *ChangeDbAcl) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
const CSSM_ACL_EDIT *AclEdit); |
||||
CSSM_RETURN (CSSMDLI *GetDbOwner) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
CSSM_ACL_OWNER_PROTOTYPE_PTR Owner); |
||||
CSSM_RETURN (CSSMDLI *ChangeDbOwner) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCred, |
||||
const CSSM_ACL_OWNER_PROTOTYPE *NewOwner); |
||||
CSSM_RETURN (CSSMDLI *GetDbNames) |
||||
(CSSM_DL_HANDLE DLHandle, |
||||
CSSM_NAME_LIST_PTR *NameList); |
||||
CSSM_RETURN (CSSMDLI *GetDbNameFromHandle) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
char **DbName); |
||||
CSSM_RETURN (CSSMDLI *FreeNameList) |
||||
(CSSM_DL_HANDLE DLHandle, |
||||
CSSM_NAME_LIST_PTR NameList); |
||||
CSSM_RETURN (CSSMDLI *DataInsert) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
CSSM_DB_RECORDTYPE RecordType, |
||||
const CSSM_DB_RECORD_ATTRIBUTE_DATA *Attributes, |
||||
const CSSM_DATA *Data, |
||||
CSSM_DB_UNIQUE_RECORD_PTR *UniqueId); |
||||
CSSM_RETURN (CSSMDLI *DataDelete) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
const CSSM_DB_UNIQUE_RECORD *UniqueRecordIdentifier); |
||||
CSSM_RETURN (CSSMDLI *DataModify) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
CSSM_DB_RECORDTYPE RecordType, |
||||
CSSM_DB_UNIQUE_RECORD_PTR UniqueRecordIdentifier, |
||||
const CSSM_DB_RECORD_ATTRIBUTE_DATA *AttributesToBeModified, |
||||
const CSSM_DATA *DataToBeModified, |
||||
CSSM_DB_MODIFY_MODE ModifyMode); |
||||
CSSM_RETURN (CSSMDLI *DataGetFirst) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
const CSSM_QUERY *Query, |
||||
CSSM_HANDLE_PTR ResultsHandle, |
||||
CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes, |
||||
CSSM_DATA_PTR Data, |
||||
CSSM_DB_UNIQUE_RECORD_PTR *UniqueId); |
||||
CSSM_RETURN (CSSMDLI *DataGetNext) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
CSSM_HANDLE ResultsHandle, |
||||
CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes, |
||||
CSSM_DATA_PTR Data, |
||||
CSSM_DB_UNIQUE_RECORD_PTR *UniqueId); |
||||
CSSM_RETURN (CSSMDLI *DataAbortQuery) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
CSSM_HANDLE ResultsHandle); |
||||
CSSM_RETURN (CSSMDLI *DataGetFromUniqueRecordId) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
const CSSM_DB_UNIQUE_RECORD *UniqueRecord, |
||||
CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes, |
||||
CSSM_DATA_PTR Data); |
||||
CSSM_RETURN (CSSMDLI *FreeUniqueRecord) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
CSSM_DB_UNIQUE_RECORD_PTR UniqueRecord); |
||||
CSSM_RETURN (CSSMDLI *PassThrough) |
||||
(CSSM_DL_DB_HANDLE DLDBHandle, |
||||
uint32 PassThroughId, |
||||
const void *InputParams, |
||||
void **OutputParams); |
||||
} CSSM_SPI_DL_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_DL_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMDLI_H_ */ |
@ -0,0 +1,823 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2002,2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmerr.h -- Error Code Definitions for CSSM |
||||
*/ |
||||
|
||||
#ifndef _CSSMERR_H_ |
||||
#define _CSSMERR_H_ 1 |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
|
||||
/*
|
||||
* NOTE: To translate CSSM error codes into something vaguely |
||||
* human-readable, use the cssmPerror function in cssmapple.h. |
||||
* This function will also decode other Security layer errors |
||||
* (i.e. those with names like kSec...). |
||||
*/ |
||||
|
||||
|
||||
/* Common error codes. */ |
||||
enum { |
||||
CSSM_BASE_ERROR = -0x7FFF0000 /* 0x80010000 */ |
||||
}; |
||||
|
||||
enum { |
||||
CSSM_ERRORCODE_MODULE_EXTENT = 0x00000800, |
||||
CSSM_ERRORCODE_CUSTOM_OFFSET = 0x00000400, |
||||
CSSM_ERRORCODE_COMMON_EXTENT = 0x100 |
||||
}; |
||||
|
||||
/* Macros for convertible error code manipulation. */ |
||||
#define CSSM_ERRCODE(CODE) \ |
||||
(((CODE) - CSSM_BASE_ERROR) & (CSSM_ERRORCODE_MODULE_EXTENT - 1))
|
||||
|
||||
#define CSSM_ERRBASE(CODE) \ |
||||
((((CODE) - CSSM_BASE_ERROR) & ~(CSSM_ERRORCODE_MODULE_EXTENT - 1)) + CSSM_BASE_ERROR)
|
||||
|
||||
#define CSSM_ERR_IS_CONVERTIBLE(CODE) \ |
||||
(CSSM_ERRCODE(CODE) < CSSM_ERRORCODE_COMMON_EXTENT) |
||||
|
||||
#define CSSM_ERR_TAG(CODE, BASE) \ |
||||
(CSSM_ERRCODE(CODE) + (BASE)) |
||||
|
||||
/* Error Bases for different module types. */ |
||||
enum { |
||||
CSSM_CSSM_BASE_ERROR = CSSM_BASE_ERROR, |
||||
CSSM_CSSM_PRIVATE_ERROR = CSSM_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET, |
||||
CSSM_CSP_BASE_ERROR = CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT, |
||||
CSSM_CSP_PRIVATE_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET, |
||||
CSSM_DL_BASE_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT, |
||||
CSSM_DL_PRIVATE_ERROR = CSSM_DL_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET, |
||||
CSSM_CL_BASE_ERROR = CSSM_DL_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT, |
||||
CSSM_CL_PRIVATE_ERROR = CSSM_CL_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET, |
||||
CSSM_TP_BASE_ERROR = CSSM_CL_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT, |
||||
CSSM_TP_PRIVATE_ERROR = CSSM_TP_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET , |
||||
CSSM_KR_BASE_ERROR = CSSM_TP_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT, |
||||
CSSM_KR_PRIVATE_ERROR = CSSM_KR_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET, |
||||
CSSM_AC_BASE_ERROR = CSSM_KR_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT, |
||||
CSSM_AC_PRIVATE_ERROR = CSSM_AC_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET |
||||
}; |
||||
|
||||
/* XXX @@@ MDS Error Bases same as DL for now. */ |
||||
enum { |
||||
CSSM_MDS_BASE_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT, |
||||
CSSM_MDS_PRIVATE_ERROR = CSSM_MDS_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET |
||||
}; |
||||
|
||||
/* General Error Values. */ |
||||
enum { |
||||
CSSMERR_CSSM_INVALID_ADDIN_HANDLE = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 1, |
||||
CSSMERR_CSSM_NOT_INITIALIZED = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 2, |
||||
CSSMERR_CSSM_INVALID_HANDLE_USAGE = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 3, |
||||
CSSMERR_CSSM_PVC_REFERENT_NOT_FOUND = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 4, |
||||
CSSMERR_CSSM_FUNCTION_INTEGRITY_FAIL = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 5 |
||||
}; |
||||
|
||||
/* Common Error Codes For All Module Types. */ |
||||
enum { |
||||
CSSM_ERRCODE_INTERNAL_ERROR = 0x0001, |
||||
CSSM_ERRCODE_MEMORY_ERROR = 0x0002, |
||||
CSSM_ERRCODE_MDS_ERROR = 0x0003, |
||||
CSSM_ERRCODE_INVALID_POINTER = 0x0004, |
||||
CSSM_ERRCODE_INVALID_INPUT_POINTER = 0x0005, |
||||
CSSM_ERRCODE_INVALID_OUTPUT_POINTER = 0x0006, |
||||
CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED = 0x0007, |
||||
CSSM_ERRCODE_SELF_CHECK_FAILED = 0x0008, |
||||
CSSM_ERRCODE_OS_ACCESS_DENIED = 0x0009, |
||||
CSSM_ERRCODE_FUNCTION_FAILED = 0x000A, |
||||
CSSM_ERRCODE_MODULE_MANIFEST_VERIFY_FAILED = 0x000B, |
||||
CSSM_ERRCODE_INVALID_GUID = 0x000C |
||||
}; |
||||
|
||||
/* Common Error Codes for ACLs */ |
||||
enum { |
||||
CSSM_ERRCODE_OPERATION_AUTH_DENIED = 0x0020, |
||||
CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED = 0x0021, |
||||
CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED = 0x0022, |
||||
CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED = 0x0023, |
||||
CSSM_ERRCODE_OBJECT_ACL_REQUIRED = 0x0024, |
||||
CSSM_ERRCODE_INVALID_ACCESS_CREDENTIALS = 0x0025, |
||||
CSSM_ERRCODE_INVALID_ACL_BASE_CERTS = 0x0026, |
||||
CSSM_ERRCODE_ACL_BASE_CERTS_NOT_SUPPORTED = 0x0027, |
||||
CSSM_ERRCODE_INVALID_SAMPLE_VALUE = 0x0028, |
||||
CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED = 0x0029, |
||||
CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE = 0x002A, |
||||
CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED = 0x002B, |
||||
CSSM_ERRCODE_INVALID_ACL_CHALLENGE_CALLBACK = 0x002C, |
||||
CSSM_ERRCODE_ACL_CHALLENGE_CALLBACK_FAILED = 0x002D, |
||||
CSSM_ERRCODE_INVALID_ACL_ENTRY_TAG = 0x002E, |
||||
CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND = 0x002F, |
||||
CSSM_ERRCODE_INVALID_ACL_EDIT_MODE = 0x0030, |
||||
CSSM_ERRCODE_ACL_CHANGE_FAILED = 0x0031, |
||||
CSSM_ERRCODE_INVALID_NEW_ACL_ENTRY = 0x0032, |
||||
CSSM_ERRCODE_INVALID_NEW_ACL_OWNER = 0x0033, |
||||
CSSM_ERRCODE_ACL_DELETE_FAILED = 0x0034, |
||||
CSSM_ERRCODE_ACL_REPLACE_FAILED = 0x0035, |
||||
CSSM_ERRCODE_ACL_ADD_FAILED = 0x0036 |
||||
}; |
||||
|
||||
/* Common Error Codes for Specific Data Types */ |
||||
enum { |
||||
CSSM_ERRCODE_INVALID_CONTEXT_HANDLE = 0x0040, |
||||
CSSM_ERRCODE_INCOMPATIBLE_VERSION = 0x0041, |
||||
CSSM_ERRCODE_INVALID_CERTGROUP_POINTER = 0x0042, |
||||
CSSM_ERRCODE_INVALID_CERT_POINTER = 0x0043, |
||||
CSSM_ERRCODE_INVALID_CRL_POINTER = 0x0044, |
||||
CSSM_ERRCODE_INVALID_FIELD_POINTER = 0x0045, |
||||
CSSM_ERRCODE_INVALID_DATA = 0x0046, |
||||
CSSM_ERRCODE_CRL_ALREADY_SIGNED = 0x0047, |
||||
CSSM_ERRCODE_INVALID_NUMBER_OF_FIELDS = 0x0048, |
||||
CSSM_ERRCODE_VERIFICATION_FAILURE = 0x0049, |
||||
CSSM_ERRCODE_INVALID_DB_HANDLE = 0x004A, |
||||
CSSM_ERRCODE_PRIVILEGE_NOT_GRANTED = 0x004B, |
||||
CSSM_ERRCODE_INVALID_DB_LIST = 0x004C, |
||||
CSSM_ERRCODE_INVALID_DB_LIST_POINTER = 0x004D, |
||||
CSSM_ERRCODE_UNKNOWN_FORMAT = 0x004E, |
||||
CSSM_ERRCODE_UNKNOWN_TAG = 0x004F, |
||||
CSSM_ERRCODE_INVALID_CSP_HANDLE = 0x0050, |
||||
CSSM_ERRCODE_INVALID_DL_HANDLE = 0x0051, |
||||
CSSM_ERRCODE_INVALID_CL_HANDLE = 0x0052, |
||||
CSSM_ERRCODE_INVALID_TP_HANDLE = 0x0053, |
||||
CSSM_ERRCODE_INVALID_KR_HANDLE = 0x0054, |
||||
CSSM_ERRCODE_INVALID_AC_HANDLE = 0x0055, |
||||
CSSM_ERRCODE_INVALID_PASSTHROUGH_ID = 0x0056, |
||||
CSSM_ERRCODE_INVALID_NETWORK_ADDR = 0x0057, |
||||
CSSM_ERRCODE_INVALID_CRYPTO_DATA = 0x0058 |
||||
}; |
||||
|
||||
/* CSSM Error Values Derived from Common Error Codes For All Module Types. */ |
||||
enum { |
||||
CSSMERR_CSSM_INTERNAL_ERROR = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, |
||||
CSSMERR_CSSM_MEMORY_ERROR = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, |
||||
CSSMERR_CSSM_MDS_ERROR = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, |
||||
CSSMERR_CSSM_INVALID_POINTER = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, |
||||
CSSMERR_CSSM_INVALID_INPUT_POINTER = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, |
||||
CSSMERR_CSSM_INVALID_OUTPUT_POINTER = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, |
||||
CSSMERR_CSSM_FUNCTION_NOT_IMPLEMENTED = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, |
||||
CSSMERR_CSSM_SELF_CHECK_FAILED = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, |
||||
CSSMERR_CSSM_OS_ACCESS_DENIED = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, |
||||
CSSMERR_CSSM_FUNCTION_FAILED = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, |
||||
CSSMERR_CSSM_MODULE_MANIFEST_VERIFY_FAILED = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_MODULE_MANIFEST_VERIFY_FAILED, |
||||
CSSMERR_CSSM_INVALID_GUID = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_GUID |
||||
}; |
||||
|
||||
/* CSSM Error Values for Specific Data Types. */ |
||||
enum { |
||||
CSSMERR_CSSM_INVALID_CONTEXT_HANDLE = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, |
||||
CSSMERR_CSSM_INCOMPATIBLE_VERSION = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INCOMPATIBLE_VERSION, |
||||
CSSMERR_CSSM_PRIVILEGE_NOT_GRANTED = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_PRIVILEGE_NOT_GRANTED |
||||
}; |
||||
|
||||
/* CSSM Module-Specific Error Values */ |
||||
enum { |
||||
CSSM_CSSM_BASE_CSSM_ERROR = |
||||
CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 0x10, |
||||
CSSMERR_CSSM_SCOPE_NOT_SUPPORTED = CSSM_CSSM_BASE_CSSM_ERROR + 1, |
||||
CSSMERR_CSSM_PVC_ALREADY_CONFIGURED = CSSM_CSSM_BASE_CSSM_ERROR + 2, |
||||
CSSMERR_CSSM_INVALID_PVC = CSSM_CSSM_BASE_CSSM_ERROR + 3, |
||||
CSSMERR_CSSM_EMM_LOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 4, |
||||
CSSMERR_CSSM_EMM_UNLOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 5, |
||||
CSSMERR_CSSM_ADDIN_LOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 6, |
||||
CSSMERR_CSSM_INVALID_KEY_HIERARCHY = CSSM_CSSM_BASE_CSSM_ERROR + 7, |
||||
CSSMERR_CSSM_ADDIN_UNLOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 8, |
||||
CSSMERR_CSSM_LIB_REF_NOT_FOUND = CSSM_CSSM_BASE_CSSM_ERROR + 9, |
||||
CSSMERR_CSSM_INVALID_ADDIN_FUNCTION_TABLE = CSSM_CSSM_BASE_CSSM_ERROR + 10, |
||||
CSSMERR_CSSM_EMM_AUTHENTICATE_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 11, |
||||
CSSMERR_CSSM_ADDIN_AUTHENTICATE_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 12, |
||||
CSSMERR_CSSM_INVALID_SERVICE_MASK = CSSM_CSSM_BASE_CSSM_ERROR + 13, |
||||
CSSMERR_CSSM_MODULE_NOT_LOADED = CSSM_CSSM_BASE_CSSM_ERROR + 14, |
||||
CSSMERR_CSSM_INVALID_SUBSERVICEID = CSSM_CSSM_BASE_CSSM_ERROR + 15, |
||||
CSSMERR_CSSM_BUFFER_TOO_SMALL = CSSM_CSSM_BASE_CSSM_ERROR + 16, |
||||
CSSMERR_CSSM_INVALID_ATTRIBUTE = CSSM_CSSM_BASE_CSSM_ERROR + 17, |
||||
CSSMERR_CSSM_ATTRIBUTE_NOT_IN_CONTEXT = CSSM_CSSM_BASE_CSSM_ERROR + 18, |
||||
CSSMERR_CSSM_MODULE_MANAGER_INITIALIZE_FAIL = CSSM_CSSM_BASE_CSSM_ERROR + 19, |
||||
CSSMERR_CSSM_MODULE_MANAGER_NOT_FOUND = CSSM_CSSM_BASE_CSSM_ERROR + 20, |
||||
CSSMERR_CSSM_EVENT_NOTIFICATION_CALLBACK_NOT_FOUND = CSSM_CSSM_BASE_CSSM_ERROR + 21 |
||||
}; |
||||
|
||||
/* CSP Error Values Derived from Common Error Codes For All Module Types. */ |
||||
enum { |
||||
CSSMERR_CSP_INTERNAL_ERROR = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, |
||||
CSSMERR_CSP_MEMORY_ERROR = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, |
||||
CSSMERR_CSP_MDS_ERROR = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, |
||||
CSSMERR_CSP_INVALID_POINTER = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, |
||||
CSSMERR_CSP_INVALID_INPUT_POINTER = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, |
||||
CSSMERR_CSP_INVALID_OUTPUT_POINTER = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, |
||||
CSSMERR_CSP_FUNCTION_NOT_IMPLEMENTED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, |
||||
CSSMERR_CSP_SELF_CHECK_FAILED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, |
||||
CSSMERR_CSP_OS_ACCESS_DENIED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, |
||||
CSSMERR_CSP_FUNCTION_FAILED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED |
||||
}; |
||||
|
||||
/* CSP Error Values Derived from ACL-based Error Codes. */ |
||||
enum { |
||||
CSSMERR_CSP_OPERATION_AUTH_DENIED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OPERATION_AUTH_DENIED, |
||||
CSSMERR_CSP_OBJECT_USE_AUTH_DENIED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED, |
||||
CSSMERR_CSP_OBJECT_MANIP_AUTH_DENIED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED, |
||||
CSSMERR_CSP_OBJECT_ACL_NOT_SUPPORTED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED, |
||||
CSSMERR_CSP_OBJECT_ACL_REQUIRED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_REQUIRED, |
||||
CSSMERR_CSP_INVALID_ACCESS_CREDENTIALS = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACCESS_CREDENTIALS, |
||||
CSSMERR_CSP_INVALID_ACL_BASE_CERTS = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_BASE_CERTS, |
||||
CSSMERR_CSP_ACL_BASE_CERTS_NOT_SUPPORTED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_BASE_CERTS_NOT_SUPPORTED, |
||||
CSSMERR_CSP_INVALID_SAMPLE_VALUE = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_SAMPLE_VALUE, |
||||
CSSMERR_CSP_SAMPLE_VALUE_NOT_SUPPORTED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED, |
||||
CSSMERR_CSP_INVALID_ACL_SUBJECT_VALUE = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE, |
||||
CSSMERR_CSP_ACL_SUBJECT_TYPE_NOT_SUPPORTED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED, |
||||
CSSMERR_CSP_INVALID_ACL_CHALLENGE_CALLBACK = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_CHALLENGE_CALLBACK, |
||||
CSSMERR_CSP_ACL_CHALLENGE_CALLBACK_FAILED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_CHALLENGE_CALLBACK_FAILED, |
||||
CSSMERR_CSP_INVALID_ACL_ENTRY_TAG = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_ENTRY_TAG, |
||||
CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND, |
||||
CSSMERR_CSP_INVALID_ACL_EDIT_MODE = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_EDIT_MODE, |
||||
CSSMERR_CSP_ACL_CHANGE_FAILED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_CHANGE_FAILED, |
||||
CSSMERR_CSP_INVALID_NEW_ACL_ENTRY = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_ENTRY, |
||||
CSSMERR_CSP_INVALID_NEW_ACL_OWNER = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_OWNER, |
||||
CSSMERR_CSP_ACL_DELETE_FAILED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_DELETE_FAILED, |
||||
CSSMERR_CSP_ACL_REPLACE_FAILED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_REPLACE_FAILED, |
||||
CSSMERR_CSP_ACL_ADD_FAILED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_ADD_FAILED |
||||
}; |
||||
|
||||
/* CSP Error Values for Specific Data Types. */ |
||||
enum { |
||||
CSSMERR_CSP_INVALID_CONTEXT_HANDLE = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, |
||||
CSSMERR_CSP_PRIVILEGE_NOT_GRANTED = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_PRIVILEGE_NOT_GRANTED, |
||||
CSSMERR_CSP_INVALID_DATA = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA, |
||||
CSSMERR_CSP_INVALID_PASSTHROUGH_ID = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID, |
||||
CSSMERR_CSP_INVALID_CRYPTO_DATA = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_CRYPTO_DATA |
||||
}; |
||||
|
||||
/* CSP Module-Specific Error Values */ |
||||
enum { |
||||
/* General CSP Error Values */ |
||||
CSSM_CSP_BASE_CSP_ERROR = |
||||
CSSM_CSP_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, |
||||
CSSMERR_CSP_INPUT_LENGTH_ERROR = CSSM_CSP_BASE_CSP_ERROR + 1, |
||||
CSSMERR_CSP_OUTPUT_LENGTH_ERROR = CSSM_CSP_BASE_CSP_ERROR + 2, |
||||
CSSMERR_CSP_PRIVILEGE_NOT_SUPPORTED = CSSM_CSP_BASE_CSP_ERROR + 3, |
||||
CSSMERR_CSP_DEVICE_ERROR = CSSM_CSP_BASE_CSP_ERROR + 4, |
||||
CSSMERR_CSP_DEVICE_MEMORY_ERROR = CSSM_CSP_BASE_CSP_ERROR + 5, |
||||
CSSMERR_CSP_ATTACH_HANDLE_BUSY = CSSM_CSP_BASE_CSP_ERROR + 6, |
||||
CSSMERR_CSP_NOT_LOGGED_IN = CSSM_CSP_BASE_CSP_ERROR + 7, |
||||
CSSMERR_CSP_INVALID_KEY = CSSM_CSP_BASE_CSP_ERROR + 16, |
||||
CSSMERR_CSP_INVALID_KEY_REFERENCE = CSSM_CSP_BASE_CSP_ERROR + 17, |
||||
CSSMERR_CSP_INVALID_KEY_CLASS = CSSM_CSP_BASE_CSP_ERROR + 18, |
||||
CSSMERR_CSP_ALGID_MISMATCH = CSSM_CSP_BASE_CSP_ERROR + 19, |
||||
CSSMERR_CSP_KEY_USAGE_INCORRECT = CSSM_CSP_BASE_CSP_ERROR + 20, |
||||
CSSMERR_CSP_KEY_BLOB_TYPE_INCORRECT = CSSM_CSP_BASE_CSP_ERROR + 21, |
||||
CSSMERR_CSP_KEY_HEADER_INCONSISTENT = CSSM_CSP_BASE_CSP_ERROR + 22, |
||||
CSSMERR_CSP_UNSUPPORTED_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 23, |
||||
CSSMERR_CSP_UNSUPPORTED_KEY_SIZE = CSSM_CSP_BASE_CSP_ERROR + 24, |
||||
CSSMERR_CSP_INVALID_KEY_POINTER = CSSM_CSP_BASE_CSP_ERROR + 25, |
||||
CSSMERR_CSP_INVALID_KEYUSAGE_MASK = CSSM_CSP_BASE_CSP_ERROR + 26, |
||||
CSSMERR_CSP_UNSUPPORTED_KEYUSAGE_MASK = CSSM_CSP_BASE_CSP_ERROR + 27, |
||||
CSSMERR_CSP_INVALID_KEYATTR_MASK = CSSM_CSP_BASE_CSP_ERROR + 28, |
||||
CSSMERR_CSP_UNSUPPORTED_KEYATTR_MASK = CSSM_CSP_BASE_CSP_ERROR + 29, |
||||
CSSMERR_CSP_INVALID_KEY_LABEL = CSSM_CSP_BASE_CSP_ERROR + 30, |
||||
CSSMERR_CSP_UNSUPPORTED_KEY_LABEL = CSSM_CSP_BASE_CSP_ERROR + 31, |
||||
CSSMERR_CSP_INVALID_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 32, |
||||
|
||||
/* CSP Vector of Buffers Error Values. */ |
||||
CSSMERR_CSP_INVALID_DATA_COUNT = CSSM_CSP_BASE_CSP_ERROR + 40, |
||||
CSSMERR_CSP_VECTOR_OF_BUFS_UNSUPPORTED = CSSM_CSP_BASE_CSP_ERROR + 41, |
||||
CSSMERR_CSP_INVALID_INPUT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 42, |
||||
CSSMERR_CSP_INVALID_OUTPUT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 43, |
||||
|
||||
/* CSP Cryptographic Context Error Values. */ |
||||
CSSMERR_CSP_INVALID_CONTEXT = CSSM_CSP_BASE_CSP_ERROR + 48, |
||||
CSSMERR_CSP_INVALID_ALGORITHM = CSSM_CSP_BASE_CSP_ERROR + 49, |
||||
CSSMERR_CSP_INVALID_ATTR_KEY = CSSM_CSP_BASE_CSP_ERROR + 54, |
||||
CSSMERR_CSP_MISSING_ATTR_KEY = CSSM_CSP_BASE_CSP_ERROR + 55, |
||||
CSSMERR_CSP_INVALID_ATTR_INIT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 56, |
||||
CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 57, |
||||
CSSMERR_CSP_INVALID_ATTR_SALT = CSSM_CSP_BASE_CSP_ERROR + 58, |
||||
CSSMERR_CSP_MISSING_ATTR_SALT = CSSM_CSP_BASE_CSP_ERROR + 59, |
||||
CSSMERR_CSP_INVALID_ATTR_PADDING = CSSM_CSP_BASE_CSP_ERROR + 60, |
||||
CSSMERR_CSP_MISSING_ATTR_PADDING = CSSM_CSP_BASE_CSP_ERROR + 61, |
||||
CSSMERR_CSP_INVALID_ATTR_RANDOM = CSSM_CSP_BASE_CSP_ERROR + 62, |
||||
CSSMERR_CSP_MISSING_ATTR_RANDOM = CSSM_CSP_BASE_CSP_ERROR + 63, |
||||
CSSMERR_CSP_INVALID_ATTR_SEED = CSSM_CSP_BASE_CSP_ERROR + 64, |
||||
CSSMERR_CSP_MISSING_ATTR_SEED = CSSM_CSP_BASE_CSP_ERROR + 65, |
||||
CSSMERR_CSP_INVALID_ATTR_PASSPHRASE = CSSM_CSP_BASE_CSP_ERROR + 66, |
||||
CSSMERR_CSP_MISSING_ATTR_PASSPHRASE = CSSM_CSP_BASE_CSP_ERROR + 67, |
||||
CSSMERR_CSP_INVALID_ATTR_KEY_LENGTH = CSSM_CSP_BASE_CSP_ERROR + 68, |
||||
CSSMERR_CSP_MISSING_ATTR_KEY_LENGTH = CSSM_CSP_BASE_CSP_ERROR + 69, |
||||
CSSMERR_CSP_INVALID_ATTR_BLOCK_SIZE = CSSM_CSP_BASE_CSP_ERROR + 70, |
||||
CSSMERR_CSP_MISSING_ATTR_BLOCK_SIZE = CSSM_CSP_BASE_CSP_ERROR + 71, |
||||
CSSMERR_CSP_INVALID_ATTR_OUTPUT_SIZE = CSSM_CSP_BASE_CSP_ERROR + 100, |
||||
CSSMERR_CSP_MISSING_ATTR_OUTPUT_SIZE = CSSM_CSP_BASE_CSP_ERROR + 101, |
||||
CSSMERR_CSP_INVALID_ATTR_ROUNDS = CSSM_CSP_BASE_CSP_ERROR + 102, |
||||
CSSMERR_CSP_MISSING_ATTR_ROUNDS = CSSM_CSP_BASE_CSP_ERROR + 103, |
||||
CSSMERR_CSP_INVALID_ATTR_ALG_PARAMS = CSSM_CSP_BASE_CSP_ERROR + 104, |
||||
CSSMERR_CSP_MISSING_ATTR_ALG_PARAMS = CSSM_CSP_BASE_CSP_ERROR + 105, |
||||
CSSMERR_CSP_INVALID_ATTR_LABEL = CSSM_CSP_BASE_CSP_ERROR + 106, |
||||
CSSMERR_CSP_MISSING_ATTR_LABEL = CSSM_CSP_BASE_CSP_ERROR + 107, |
||||
CSSMERR_CSP_INVALID_ATTR_KEY_TYPE = CSSM_CSP_BASE_CSP_ERROR + 108, |
||||
CSSMERR_CSP_MISSING_ATTR_KEY_TYPE = CSSM_CSP_BASE_CSP_ERROR + 109, |
||||
CSSMERR_CSP_INVALID_ATTR_MODE = CSSM_CSP_BASE_CSP_ERROR + 110, |
||||
CSSMERR_CSP_MISSING_ATTR_MODE = CSSM_CSP_BASE_CSP_ERROR + 111, |
||||
CSSMERR_CSP_INVALID_ATTR_EFFECTIVE_BITS = CSSM_CSP_BASE_CSP_ERROR + 112, |
||||
CSSMERR_CSP_MISSING_ATTR_EFFECTIVE_BITS = CSSM_CSP_BASE_CSP_ERROR + 113, |
||||
CSSMERR_CSP_INVALID_ATTR_START_DATE = CSSM_CSP_BASE_CSP_ERROR + 114, |
||||
CSSMERR_CSP_MISSING_ATTR_START_DATE = CSSM_CSP_BASE_CSP_ERROR + 115, |
||||
CSSMERR_CSP_INVALID_ATTR_END_DATE = CSSM_CSP_BASE_CSP_ERROR + 116, |
||||
CSSMERR_CSP_MISSING_ATTR_END_DATE = CSSM_CSP_BASE_CSP_ERROR + 117, |
||||
CSSMERR_CSP_INVALID_ATTR_VERSION = CSSM_CSP_BASE_CSP_ERROR + 118, |
||||
CSSMERR_CSP_MISSING_ATTR_VERSION = CSSM_CSP_BASE_CSP_ERROR + 119, |
||||
CSSMERR_CSP_INVALID_ATTR_PRIME = CSSM_CSP_BASE_CSP_ERROR + 120, |
||||
CSSMERR_CSP_MISSING_ATTR_PRIME = CSSM_CSP_BASE_CSP_ERROR + 121, |
||||
CSSMERR_CSP_INVALID_ATTR_BASE = CSSM_CSP_BASE_CSP_ERROR + 122, |
||||
CSSMERR_CSP_MISSING_ATTR_BASE = CSSM_CSP_BASE_CSP_ERROR + 123, |
||||
CSSMERR_CSP_INVALID_ATTR_SUBPRIME = CSSM_CSP_BASE_CSP_ERROR + 124, |
||||
CSSMERR_CSP_MISSING_ATTR_SUBPRIME = CSSM_CSP_BASE_CSP_ERROR + 125, |
||||
CSSMERR_CSP_INVALID_ATTR_ITERATION_COUNT = CSSM_CSP_BASE_CSP_ERROR + 126, |
||||
CSSMERR_CSP_MISSING_ATTR_ITERATION_COUNT = CSSM_CSP_BASE_CSP_ERROR + 127, |
||||
CSSMERR_CSP_INVALID_ATTR_DL_DB_HANDLE = CSSM_CSP_BASE_CSP_ERROR + 128, |
||||
CSSMERR_CSP_MISSING_ATTR_DL_DB_HANDLE = CSSM_CSP_BASE_CSP_ERROR + 129, |
||||
CSSMERR_CSP_INVALID_ATTR_ACCESS_CREDENTIALS = CSSM_CSP_BASE_CSP_ERROR + 130, |
||||
CSSMERR_CSP_MISSING_ATTR_ACCESS_CREDENTIALS = CSSM_CSP_BASE_CSP_ERROR + 131, |
||||
CSSMERR_CSP_INVALID_ATTR_PUBLIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 132, |
||||
CSSMERR_CSP_MISSING_ATTR_PUBLIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 133, |
||||
CSSMERR_CSP_INVALID_ATTR_PRIVATE_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 134, |
||||
CSSMERR_CSP_MISSING_ATTR_PRIVATE_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 135, |
||||
CSSMERR_CSP_INVALID_ATTR_SYMMETRIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 136, |
||||
CSSMERR_CSP_MISSING_ATTR_SYMMETRIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 137, |
||||
CSSMERR_CSP_INVALID_ATTR_WRAPPED_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 138, |
||||
CSSMERR_CSP_MISSING_ATTR_WRAPPED_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 139, |
||||
|
||||
/* CSP Staged Cryptographic API Error Values. */ |
||||
CSSMERR_CSP_STAGED_OPERATION_IN_PROGRESS = CSSM_CSP_BASE_CSP_ERROR + 72, |
||||
CSSMERR_CSP_STAGED_OPERATION_NOT_STARTED = CSSM_CSP_BASE_CSP_ERROR + 73, |
||||
CSSMERR_CSP_VERIFY_FAILED = CSSM_CSP_BASE_CSP_ERROR + 74, |
||||
CSSMERR_CSP_INVALID_SIGNATURE = CSSM_CSP_BASE_CSP_ERROR + 75, |
||||
CSSMERR_CSP_QUERY_SIZE_UNKNOWN = CSSM_CSP_BASE_CSP_ERROR + 76, |
||||
CSSMERR_CSP_BLOCK_SIZE_MISMATCH = CSSM_CSP_BASE_CSP_ERROR + 77, |
||||
CSSMERR_CSP_PRIVATE_KEY_NOT_FOUND = CSSM_CSP_BASE_CSP_ERROR + 78, |
||||
CSSMERR_CSP_PUBLIC_KEY_INCONSISTENT = CSSM_CSP_BASE_CSP_ERROR + 79, |
||||
CSSMERR_CSP_DEVICE_VERIFY_FAILED = CSSM_CSP_BASE_CSP_ERROR + 80, |
||||
CSSMERR_CSP_INVALID_LOGIN_NAME = CSSM_CSP_BASE_CSP_ERROR + 81, |
||||
CSSMERR_CSP_ALREADY_LOGGED_IN = CSSM_CSP_BASE_CSP_ERROR + 82, |
||||
CSSMERR_CSP_PRIVATE_KEY_ALREADY_EXISTS = CSSM_CSP_BASE_CSP_ERROR + 83, |
||||
CSSMERR_CSP_KEY_LABEL_ALREADY_EXISTS = CSSM_CSP_BASE_CSP_ERROR + 84, |
||||
CSSMERR_CSP_INVALID_DIGEST_ALGORITHM = CSSM_CSP_BASE_CSP_ERROR + 85, |
||||
CSSMERR_CSP_CRYPTO_DATA_CALLBACK_FAILED = CSSM_CSP_BASE_CSP_ERROR + 86 |
||||
}; |
||||
|
||||
|
||||
/* TP Error Values Derived from Common Error Codes For All Module Types. */ |
||||
enum { |
||||
CSSMERR_TP_INTERNAL_ERROR = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, |
||||
CSSMERR_TP_MEMORY_ERROR = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, |
||||
CSSMERR_TP_MDS_ERROR = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, |
||||
CSSMERR_TP_INVALID_POINTER = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, |
||||
CSSMERR_TP_INVALID_INPUT_POINTER = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, |
||||
CSSMERR_TP_INVALID_OUTPUT_POINTER = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, |
||||
CSSMERR_TP_FUNCTION_NOT_IMPLEMENTED = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, |
||||
CSSMERR_TP_SELF_CHECK_FAILED = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, |
||||
CSSMERR_TP_OS_ACCESS_DENIED = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, |
||||
CSSMERR_TP_FUNCTION_FAILED = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, |
||||
CSSMERR_TP_INVALID_CONTEXT_HANDLE = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, |
||||
CSSMERR_TP_INVALID_DATA = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA, |
||||
CSSMERR_TP_INVALID_DB_LIST = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST, |
||||
CSSMERR_TP_INVALID_CERTGROUP_POINTER = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CERTGROUP_POINTER, |
||||
CSSMERR_TP_INVALID_CERT_POINTER = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CERT_POINTER, |
||||
CSSMERR_TP_INVALID_CRL_POINTER = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CRL_POINTER, |
||||
CSSMERR_TP_INVALID_FIELD_POINTER = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_FIELD_POINTER, |
||||
CSSMERR_TP_INVALID_NETWORK_ADDR = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_NETWORK_ADDR, |
||||
CSSMERR_TP_CRL_ALREADY_SIGNED = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_CRL_ALREADY_SIGNED, |
||||
CSSMERR_TP_INVALID_NUMBER_OF_FIELDS = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_NUMBER_OF_FIELDS, |
||||
CSSMERR_TP_VERIFICATION_FAILURE = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_VERIFICATION_FAILURE, |
||||
CSSMERR_TP_INVALID_DB_HANDLE = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_HANDLE, |
||||
CSSMERR_TP_UNKNOWN_FORMAT = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_FORMAT, |
||||
CSSMERR_TP_UNKNOWN_TAG = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_TAG, |
||||
CSSMERR_TP_INVALID_PASSTHROUGH_ID = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID, |
||||
CSSMERR_TP_INVALID_CSP_HANDLE = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CSP_HANDLE, |
||||
CSSMERR_TP_INVALID_DL_HANDLE = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DL_HANDLE, |
||||
CSSMERR_TP_INVALID_CL_HANDLE = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CL_HANDLE, |
||||
CSSMERR_TP_INVALID_DB_LIST_POINTER = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST_POINTER |
||||
}; |
||||
|
||||
/* TP Module-Specific Error Values */ |
||||
enum { |
||||
CSSM_TP_BASE_TP_ERROR = |
||||
CSSM_TP_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, |
||||
CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER = CSSM_TP_BASE_TP_ERROR + 1, |
||||
CSSMERR_TP_INVALID_IDENTIFIER_POINTER = CSSM_TP_BASE_TP_ERROR + 2, |
||||
CSSMERR_TP_INVALID_KEYCACHE_HANDLE = CSSM_TP_BASE_TP_ERROR + 3, |
||||
CSSMERR_TP_INVALID_CERTGROUP = CSSM_TP_BASE_TP_ERROR + 4, |
||||
CSSMERR_TP_INVALID_CRLGROUP = CSSM_TP_BASE_TP_ERROR + 5, |
||||
CSSMERR_TP_INVALID_CRLGROUP_POINTER = CSSM_TP_BASE_TP_ERROR + 6, |
||||
CSSMERR_TP_AUTHENTICATION_FAILED = CSSM_TP_BASE_TP_ERROR + 7, |
||||
CSSMERR_TP_CERTGROUP_INCOMPLETE = CSSM_TP_BASE_TP_ERROR + 8, |
||||
CSSMERR_TP_CERTIFICATE_CANT_OPERATE = CSSM_TP_BASE_TP_ERROR + 9, |
||||
CSSMERR_TP_CERT_EXPIRED = CSSM_TP_BASE_TP_ERROR + 10, |
||||
CSSMERR_TP_CERT_NOT_VALID_YET = CSSM_TP_BASE_TP_ERROR + 11, |
||||
CSSMERR_TP_CERT_REVOKED = CSSM_TP_BASE_TP_ERROR + 12, |
||||
CSSMERR_TP_CERT_SUSPENDED = CSSM_TP_BASE_TP_ERROR + 13, |
||||
CSSMERR_TP_INSUFFICIENT_CREDENTIALS = CSSM_TP_BASE_TP_ERROR + 14, |
||||
CSSMERR_TP_INVALID_ACTION = CSSM_TP_BASE_TP_ERROR + 15, |
||||
CSSMERR_TP_INVALID_ACTION_DATA = CSSM_TP_BASE_TP_ERROR + 16, |
||||
CSSMERR_TP_INVALID_ANCHOR_CERT = CSSM_TP_BASE_TP_ERROR + 18, |
||||
CSSMERR_TP_INVALID_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 19, |
||||
CSSMERR_TP_VERIFY_ACTION_FAILED = CSSM_TP_BASE_TP_ERROR + 20, |
||||
CSSMERR_TP_INVALID_CERTIFICATE = CSSM_TP_BASE_TP_ERROR + 21, |
||||
CSSMERR_TP_INVALID_CERT_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 22, |
||||
CSSMERR_TP_INVALID_CRL_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 23, |
||||
CSSMERR_TP_INVALID_CRL_ENCODING = CSSM_TP_BASE_TP_ERROR + 24, |
||||
CSSMERR_TP_INVALID_CRL_TYPE = CSSM_TP_BASE_TP_ERROR + 25, |
||||
CSSMERR_TP_INVALID_CRL = CSSM_TP_BASE_TP_ERROR + 26, |
||||
CSSMERR_TP_INVALID_FORM_TYPE = CSSM_TP_BASE_TP_ERROR + 27, |
||||
CSSMERR_TP_INVALID_ID = CSSM_TP_BASE_TP_ERROR + 28, |
||||
CSSMERR_TP_INVALID_IDENTIFIER = CSSM_TP_BASE_TP_ERROR + 29, |
||||
CSSMERR_TP_INVALID_INDEX = CSSM_TP_BASE_TP_ERROR + 30, |
||||
CSSMERR_TP_INVALID_NAME = CSSM_TP_BASE_TP_ERROR + 31, |
||||
CSSMERR_TP_INVALID_POLICY_IDENTIFIERS = CSSM_TP_BASE_TP_ERROR + 32, |
||||
CSSMERR_TP_INVALID_TIMESTRING = CSSM_TP_BASE_TP_ERROR + 33, |
||||
CSSMERR_TP_INVALID_REASON = CSSM_TP_BASE_TP_ERROR + 34, |
||||
CSSMERR_TP_INVALID_REQUEST_INPUTS = CSSM_TP_BASE_TP_ERROR + 35, |
||||
CSSMERR_TP_INVALID_RESPONSE_VECTOR = CSSM_TP_BASE_TP_ERROR + 36, |
||||
CSSMERR_TP_INVALID_SIGNATURE = CSSM_TP_BASE_TP_ERROR + 37, |
||||
CSSMERR_TP_INVALID_STOP_ON_POLICY = CSSM_TP_BASE_TP_ERROR + 38, |
||||
CSSMERR_TP_INVALID_CALLBACK = CSSM_TP_BASE_TP_ERROR + 39, |
||||
CSSMERR_TP_INVALID_TUPLE = CSSM_TP_BASE_TP_ERROR + 40, |
||||
CSSMERR_TP_NOT_SIGNER = CSSM_TP_BASE_TP_ERROR + 41, |
||||
CSSMERR_TP_NOT_TRUSTED = CSSM_TP_BASE_TP_ERROR + 42, |
||||
CSSMERR_TP_NO_DEFAULT_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 43, |
||||
CSSMERR_TP_REJECTED_FORM = CSSM_TP_BASE_TP_ERROR + 44, |
||||
CSSMERR_TP_REQUEST_LOST = CSSM_TP_BASE_TP_ERROR + 45, |
||||
CSSMERR_TP_REQUEST_REJECTED = CSSM_TP_BASE_TP_ERROR + 46, |
||||
CSSMERR_TP_UNSUPPORTED_ADDR_TYPE = CSSM_TP_BASE_TP_ERROR + 47, |
||||
CSSMERR_TP_UNSUPPORTED_SERVICE = CSSM_TP_BASE_TP_ERROR + 48, |
||||
CSSMERR_TP_INVALID_TUPLEGROUP_POINTER = CSSM_TP_BASE_TP_ERROR + 49, |
||||
CSSMERR_TP_INVALID_TUPLEGROUP = CSSM_TP_BASE_TP_ERROR + 50 |
||||
}; |
||||
|
||||
/* AC Error Values Derived from Common Error Codes For All Module Types. */ |
||||
enum { |
||||
CSSMERR_AC_INTERNAL_ERROR = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, |
||||
CSSMERR_AC_MEMORY_ERROR = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, |
||||
CSSMERR_AC_MDS_ERROR = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, |
||||
CSSMERR_AC_INVALID_POINTER = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, |
||||
CSSMERR_AC_INVALID_INPUT_POINTER = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, |
||||
CSSMERR_AC_INVALID_OUTPUT_POINTER = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, |
||||
CSSMERR_AC_FUNCTION_NOT_IMPLEMENTED = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, |
||||
CSSMERR_AC_SELF_CHECK_FAILED = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, |
||||
CSSMERR_AC_OS_ACCESS_DENIED = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, |
||||
CSSMERR_AC_FUNCTION_FAILED = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, |
||||
CSSMERR_AC_INVALID_CONTEXT_HANDLE = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, |
||||
CSSMERR_AC_INVALID_DATA = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA, |
||||
CSSMERR_AC_INVALID_DB_LIST = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST, |
||||
CSSMERR_AC_INVALID_PASSTHROUGH_ID = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID, |
||||
CSSMERR_AC_INVALID_DL_HANDLE = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DL_HANDLE, |
||||
CSSMERR_AC_INVALID_CL_HANDLE = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_CL_HANDLE, |
||||
CSSMERR_AC_INVALID_TP_HANDLE = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_TP_HANDLE, |
||||
CSSMERR_AC_INVALID_DB_HANDLE = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_HANDLE, |
||||
CSSMERR_AC_INVALID_DB_LIST_POINTER = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST_POINTER |
||||
}; |
||||
|
||||
/* AC Module-Specific Error Values */ |
||||
enum { |
||||
CSSM_AC_BASE_AC_ERROR = |
||||
CSSM_AC_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, |
||||
CSSMERR_AC_INVALID_BASE_ACLS = CSSM_AC_BASE_AC_ERROR + 1, |
||||
CSSMERR_AC_INVALID_TUPLE_CREDENTIALS = CSSM_AC_BASE_AC_ERROR + 2, |
||||
CSSMERR_AC_INVALID_ENCODING = CSSM_AC_BASE_AC_ERROR + 3, |
||||
CSSMERR_AC_INVALID_VALIDITY_PERIOD = CSSM_AC_BASE_AC_ERROR + 4, |
||||
CSSMERR_AC_INVALID_REQUESTOR = CSSM_AC_BASE_AC_ERROR + 5, |
||||
CSSMERR_AC_INVALID_REQUEST_DESCRIPTOR = CSSM_AC_BASE_AC_ERROR + 6 |
||||
}; |
||||
|
||||
/* CL Error Values Derived from Common Error Codes For All Module Types. */ |
||||
enum { |
||||
CSSMERR_CL_INTERNAL_ERROR = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, |
||||
CSSMERR_CL_MEMORY_ERROR = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, |
||||
CSSMERR_CL_MDS_ERROR = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, |
||||
CSSMERR_CL_INVALID_POINTER = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, |
||||
CSSMERR_CL_INVALID_INPUT_POINTER = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, |
||||
CSSMERR_CL_INVALID_OUTPUT_POINTER = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, |
||||
CSSMERR_CL_FUNCTION_NOT_IMPLEMENTED = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, |
||||
CSSMERR_CL_SELF_CHECK_FAILED = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, |
||||
CSSMERR_CL_OS_ACCESS_DENIED = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, |
||||
CSSMERR_CL_FUNCTION_FAILED = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, |
||||
CSSMERR_CL_INVALID_CONTEXT_HANDLE = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, |
||||
CSSMERR_CL_INVALID_CERTGROUP_POINTER = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CERTGROUP_POINTER, |
||||
CSSMERR_CL_INVALID_CERT_POINTER = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CERT_POINTER, |
||||
CSSMERR_CL_INVALID_CRL_POINTER = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CRL_POINTER, |
||||
CSSMERR_CL_INVALID_FIELD_POINTER = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_FIELD_POINTER, |
||||
CSSMERR_CL_INVALID_DATA = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA, |
||||
CSSMERR_CL_CRL_ALREADY_SIGNED = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_CRL_ALREADY_SIGNED, |
||||
CSSMERR_CL_INVALID_NUMBER_OF_FIELDS = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_NUMBER_OF_FIELDS, |
||||
CSSMERR_CL_VERIFICATION_FAILURE = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_VERIFICATION_FAILURE, |
||||
CSSMERR_CL_UNKNOWN_FORMAT = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_FORMAT, |
||||
CSSMERR_CL_UNKNOWN_TAG = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_TAG, |
||||
CSSMERR_CL_INVALID_PASSTHROUGH_ID = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID |
||||
}; |
||||
|
||||
/* CL Module-Specific Error Values */ |
||||
enum { |
||||
CSSM_CL_BASE_CL_ERROR = |
||||
CSSM_CL_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, |
||||
CSSMERR_CL_INVALID_BUNDLE_POINTER = CSSM_CL_BASE_CL_ERROR + 1, |
||||
CSSMERR_CL_INVALID_CACHE_HANDLE = CSSM_CL_BASE_CL_ERROR + 2, |
||||
CSSMERR_CL_INVALID_RESULTS_HANDLE = CSSM_CL_BASE_CL_ERROR + 3, |
||||
CSSMERR_CL_INVALID_BUNDLE_INFO = CSSM_CL_BASE_CL_ERROR + 4, |
||||
CSSMERR_CL_INVALID_CRL_INDEX = CSSM_CL_BASE_CL_ERROR + 5, |
||||
CSSMERR_CL_INVALID_SCOPE = CSSM_CL_BASE_CL_ERROR + 6, |
||||
CSSMERR_CL_NO_FIELD_VALUES = CSSM_CL_BASE_CL_ERROR + 7, |
||||
CSSMERR_CL_SCOPE_NOT_SUPPORTED = CSSM_CL_BASE_CL_ERROR + 8 |
||||
}; |
||||
|
||||
/* DL Error Values Derived from Common Error Codes For All Module Types. */ |
||||
enum { |
||||
CSSMERR_DL_INTERNAL_ERROR = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, |
||||
CSSMERR_DL_MEMORY_ERROR = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, |
||||
CSSMERR_DL_MDS_ERROR = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, |
||||
CSSMERR_DL_INVALID_POINTER = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, |
||||
CSSMERR_DL_INVALID_INPUT_POINTER = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, |
||||
CSSMERR_DL_INVALID_OUTPUT_POINTER = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, |
||||
CSSMERR_DL_FUNCTION_NOT_IMPLEMENTED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, |
||||
CSSMERR_DL_SELF_CHECK_FAILED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, |
||||
CSSMERR_DL_OS_ACCESS_DENIED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, |
||||
CSSMERR_DL_FUNCTION_FAILED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, |
||||
CSSMERR_DL_INVALID_CSP_HANDLE = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_CSP_HANDLE, |
||||
CSSMERR_DL_INVALID_DL_HANDLE = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_DL_HANDLE, |
||||
CSSMERR_DL_INVALID_CL_HANDLE = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_CL_HANDLE, |
||||
CSSMERR_DL_INVALID_DB_LIST_POINTER = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST_POINTER |
||||
}; |
||||
|
||||
/* DL Error Values Derived from ACL-based Error Codes. */ |
||||
enum { |
||||
CSSMERR_DL_OPERATION_AUTH_DENIED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OPERATION_AUTH_DENIED, |
||||
CSSMERR_DL_OBJECT_USE_AUTH_DENIED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED, |
||||
CSSMERR_DL_OBJECT_MANIP_AUTH_DENIED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED, |
||||
CSSMERR_DL_OBJECT_ACL_NOT_SUPPORTED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED, |
||||
CSSMERR_DL_OBJECT_ACL_REQUIRED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_REQUIRED, |
||||
CSSMERR_DL_INVALID_ACCESS_CREDENTIALS = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACCESS_CREDENTIALS, |
||||
CSSMERR_DL_INVALID_ACL_BASE_CERTS = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_BASE_CERTS, |
||||
CSSMERR_DL_ACL_BASE_CERTS_NOT_SUPPORTED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_BASE_CERTS_NOT_SUPPORTED, |
||||
CSSMERR_DL_INVALID_SAMPLE_VALUE = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_SAMPLE_VALUE, |
||||
CSSMERR_DL_SAMPLE_VALUE_NOT_SUPPORTED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED, |
||||
CSSMERR_DL_INVALID_ACL_SUBJECT_VALUE = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE, |
||||
CSSMERR_DL_ACL_SUBJECT_TYPE_NOT_SUPPORTED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED, |
||||
CSSMERR_DL_INVALID_ACL_CHALLENGE_CALLBACK = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_CHALLENGE_CALLBACK, |
||||
CSSMERR_DL_ACL_CHALLENGE_CALLBACK_FAILED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_CHALLENGE_CALLBACK_FAILED, |
||||
CSSMERR_DL_INVALID_ACL_ENTRY_TAG = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_ENTRY_TAG, |
||||
CSSMERR_DL_ACL_ENTRY_TAG_NOT_FOUND = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND, |
||||
CSSMERR_DL_INVALID_ACL_EDIT_MODE = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_EDIT_MODE, |
||||
CSSMERR_DL_ACL_CHANGE_FAILED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_CHANGE_FAILED, |
||||
CSSMERR_DL_INVALID_NEW_ACL_ENTRY = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_ENTRY, |
||||
CSSMERR_DL_INVALID_NEW_ACL_OWNER = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_OWNER, |
||||
CSSMERR_DL_ACL_DELETE_FAILED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_DELETE_FAILED, |
||||
CSSMERR_DL_ACL_REPLACE_FAILED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_REPLACE_FAILED, |
||||
CSSMERR_DL_ACL_ADD_FAILED = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_ADD_FAILED |
||||
}; |
||||
|
||||
/* DL Error Values for Specific Data Types. */ |
||||
enum { |
||||
CSSMERR_DL_INVALID_DB_HANDLE = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_HANDLE, |
||||
CSSMERR_DL_INVALID_PASSTHROUGH_ID = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID, |
||||
CSSMERR_DL_INVALID_NETWORK_ADDR = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_NETWORK_ADDR |
||||
}; |
||||
|
||||
/* DL Module-Specific Error Values */ |
||||
enum { |
||||
CSSM_DL_BASE_DL_ERROR = |
||||
CSSM_DL_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, |
||||
CSSMERR_DL_DATABASE_CORRUPT = CSSM_DL_BASE_DL_ERROR + 1, |
||||
CSSMERR_DL_INVALID_RECORD_INDEX = CSSM_DL_BASE_DL_ERROR + 8, |
||||
CSSMERR_DL_INVALID_RECORDTYPE = CSSM_DL_BASE_DL_ERROR + 9, |
||||
CSSMERR_DL_INVALID_FIELD_NAME = CSSM_DL_BASE_DL_ERROR + 10, |
||||
CSSMERR_DL_UNSUPPORTED_FIELD_FORMAT = CSSM_DL_BASE_DL_ERROR + 11, |
||||
CSSMERR_DL_UNSUPPORTED_INDEX_INFO = CSSM_DL_BASE_DL_ERROR + 12, |
||||
CSSMERR_DL_UNSUPPORTED_LOCALITY = CSSM_DL_BASE_DL_ERROR + 13, |
||||
CSSMERR_DL_UNSUPPORTED_NUM_ATTRIBUTES = CSSM_DL_BASE_DL_ERROR + 14, |
||||
CSSMERR_DL_UNSUPPORTED_NUM_INDEXES = CSSM_DL_BASE_DL_ERROR + 15, |
||||
CSSMERR_DL_UNSUPPORTED_NUM_RECORDTYPES = CSSM_DL_BASE_DL_ERROR + 16, |
||||
CSSMERR_DL_UNSUPPORTED_RECORDTYPE = CSSM_DL_BASE_DL_ERROR + 17, |
||||
CSSMERR_DL_FIELD_SPECIFIED_MULTIPLE = CSSM_DL_BASE_DL_ERROR + 18, |
||||
CSSMERR_DL_INCOMPATIBLE_FIELD_FORMAT = CSSM_DL_BASE_DL_ERROR + 19, |
||||
CSSMERR_DL_INVALID_PARSING_MODULE = CSSM_DL_BASE_DL_ERROR + 20, |
||||
CSSMERR_DL_INVALID_DB_NAME = CSSM_DL_BASE_DL_ERROR + 22, |
||||
CSSMERR_DL_DATASTORE_DOESNOT_EXIST = CSSM_DL_BASE_DL_ERROR + 23, |
||||
CSSMERR_DL_DATASTORE_ALREADY_EXISTS = CSSM_DL_BASE_DL_ERROR + 24, |
||||
CSSMERR_DL_DB_LOCKED = CSSM_DL_BASE_DL_ERROR + 25, |
||||
CSSMERR_DL_DATASTORE_IS_OPEN = CSSM_DL_BASE_DL_ERROR + 26, |
||||
CSSMERR_DL_RECORD_NOT_FOUND = CSSM_DL_BASE_DL_ERROR + 27, |
||||
CSSMERR_DL_MISSING_VALUE = CSSM_DL_BASE_DL_ERROR + 28, |
||||
CSSMERR_DL_UNSUPPORTED_QUERY = CSSM_DL_BASE_DL_ERROR + 29, |
||||
CSSMERR_DL_UNSUPPORTED_QUERY_LIMITS = CSSM_DL_BASE_DL_ERROR + 30, |
||||
CSSMERR_DL_UNSUPPORTED_NUM_SELECTION_PREDS = CSSM_DL_BASE_DL_ERROR + 31, |
||||
CSSMERR_DL_UNSUPPORTED_OPERATOR = CSSM_DL_BASE_DL_ERROR + 33, |
||||
CSSMERR_DL_INVALID_RESULTS_HANDLE = CSSM_DL_BASE_DL_ERROR + 34, |
||||
CSSMERR_DL_INVALID_DB_LOCATION = CSSM_DL_BASE_DL_ERROR + 35, |
||||
CSSMERR_DL_INVALID_ACCESS_REQUEST = CSSM_DL_BASE_DL_ERROR + 36, |
||||
CSSMERR_DL_INVALID_INDEX_INFO = CSSM_DL_BASE_DL_ERROR + 37, |
||||
CSSMERR_DL_INVALID_SELECTION_TAG = CSSM_DL_BASE_DL_ERROR + 38, |
||||
CSSMERR_DL_INVALID_NEW_OWNER = CSSM_DL_BASE_DL_ERROR + 39, |
||||
CSSMERR_DL_INVALID_RECORD_UID = CSSM_DL_BASE_DL_ERROR + 40, |
||||
CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA = CSSM_DL_BASE_DL_ERROR + 41, |
||||
CSSMERR_DL_INVALID_MODIFY_MODE = CSSM_DL_BASE_DL_ERROR + 42, |
||||
CSSMERR_DL_INVALID_OPEN_PARAMETERS = CSSM_DL_BASE_DL_ERROR + 43, |
||||
CSSMERR_DL_RECORD_MODIFIED = CSSM_DL_BASE_DL_ERROR + 44, |
||||
CSSMERR_DL_ENDOFDATA = CSSM_DL_BASE_DL_ERROR + 45, |
||||
CSSMERR_DL_INVALID_QUERY = CSSM_DL_BASE_DL_ERROR + 46, |
||||
CSSMERR_DL_INVALID_VALUE = CSSM_DL_BASE_DL_ERROR + 47, |
||||
CSSMERR_DL_MULTIPLE_VALUES_UNSUPPORTED = CSSM_DL_BASE_DL_ERROR + 48, |
||||
CSSMERR_DL_STALE_UNIQUE_RECORD = CSSM_DL_BASE_DL_ERROR + 49 |
||||
}; |
||||
|
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMERR_H_ */ |
@ -0,0 +1,243 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2001,2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmkrapi.h -- Application Programmers Interface for Key Recovery Modules |
||||
*/ |
||||
|
||||
#ifndef _CSSMKRAPI_H_ |
||||
#define _CSSMKRAPI_H_ 1 |
||||
|
||||
#include <Security/cssmtype.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
typedef uint32 CSSM_KRSP_HANDLE; /* Key Recovery Service Provider Handle */ |
||||
|
||||
typedef struct cssm_kr_name { |
||||
uint8 Type; /* namespace type */ |
||||
uint8 Length; /* name string length */ |
||||
char *Name; /* name string */ |
||||
} CSSM_KR_NAME DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct cssm_kr_profile { |
||||
CSSM_KR_NAME UserName; /* name of the user */ |
||||
CSSM_CERTGROUP_PTR UserCertificate; /* public key certificate of the user */ |
||||
CSSM_CERTGROUP_PTR KRSCertChain; /* cert chain for the KRSP coordinator */ |
||||
uint8 LE_KRANum; /* number of KRA cert chains in the following list */ |
||||
CSSM_CERTGROUP_PTR LE_KRACertChainList; /* list of Law enforcement KRA certificate chains */ |
||||
uint8 ENT_KRANum; /* number of KRA cert chains in the following list */ |
||||
CSSM_CERTGROUP_PTR ENT_KRACertChainList; /* list of Enterprise KRA certificate chains */ |
||||
uint8 INDIV_KRANum; /* number of KRA cert chains in the following list */ |
||||
CSSM_CERTGROUP_PTR INDIV_KRACertChainList; /* list of Individual KRA certificate chains */ |
||||
CSSM_DATA_PTR INDIV_AuthenticationInfo; /* authentication information for individual key recovery */ |
||||
uint32 KRSPFlags; /* flag values to be interpreted by KRSP */ |
||||
CSSM_DATA_PTR KRSPExtensions; /* reserved for extensions specific to KRSPs */ |
||||
} CSSM_KR_PROFILE DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_KR_PROFILE_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct cssm_kr_wrappedproductinfo { |
||||
CSSM_VERSION StandardVersion; |
||||
CSSM_STRING StandardDescription; |
||||
CSSM_VERSION ProductVersion; |
||||
CSSM_STRING ProductDescription; |
||||
CSSM_STRING ProductVendor; |
||||
uint32 ProductFlags; |
||||
} CSSM_KR_WRAPPEDPRODUCT_INFO DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_KR_WRAPPEDPRODUCT_INFO_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct cssm_krsubservice { |
||||
uint32 SubServiceId; |
||||
char *Description; /* Description of this sub service */ |
||||
CSSM_KR_WRAPPEDPRODUCT_INFO WrappedProduct; |
||||
} CSSM_KRSUBSERVICE, *CSSM_KRSUBSERVICE_PTR; |
||||
|
||||
typedef uint32 CSSM_KR_POLICY_TYPE; |
||||
#define CSSM_KR_INDIV_POLICY (0x00000001) |
||||
#define CSSM_KR_ENT_POLICY (0x00000002) |
||||
#define CSSM_KR_LE_MAN_POLICY (0x00000003) |
||||
#define CSSM_KR_LE_USE_POLICY (0x00000004) |
||||
|
||||
typedef uint32 CSSM_KR_POLICY_FLAGS; |
||||
|
||||
#define CSSM_KR_INDIV (0x00000001) |
||||
#define CSSM_KR_ENT (0x00000002) |
||||
#define CSSM_KR_LE_MAN (0x00000004) |
||||
#define CSSM_KR_LE_USE (0x00000008) |
||||
#define CSSM_KR_LE (CSSM_KR_LE_MAN | CSSM_KR_LE_USE) |
||||
#define CSSM_KR_OPTIMIZE (0x00000010) |
||||
#define CSSM_KR_DROP_WORKFACTOR (0x00000020) |
||||
|
||||
typedef struct cssm_kr_policy_list_item { |
||||
struct kr_policy_list_item *next; |
||||
CSSM_ALGORITHMS AlgorithmId; |
||||
CSSM_ENCRYPT_MODE Mode; |
||||
uint32 MaxKeyLength; |
||||
uint32 MaxRounds; |
||||
uint8 WorkFactor; |
||||
CSSM_KR_POLICY_FLAGS PolicyFlags; |
||||
CSSM_CONTEXT_TYPE AlgClass; |
||||
} CSSM_KR_POLICY_LIST_ITEM DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_KR_POLICY_LIST_ITEM_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct cssm_kr_policy_info { |
||||
CSSM_BOOL krbNotAllowed; |
||||
uint32 numberOfEntries; |
||||
CSSM_KR_POLICY_LIST_ITEM *policyEntry; |
||||
} CSSM_KR_POLICY_INFO DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_KR_POLICY_INFO_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
|
||||
/* Key Recovery Module Mangement Operations */ |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_SetEnterpriseRecoveryPolicy (const CSSM_DATA *RecoveryPolicyFileName, |
||||
const CSSM_ACCESS_CREDENTIALS *OldPassPhrase, |
||||
const CSSM_ACCESS_CREDENTIALS *NewPassPhrase) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
|
||||
/* Key Recovery Context Operations */ |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_CreateRecoveryRegistrationContext (CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_CC_HANDLE *NewContext) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_CreateRecoveryEnablementContext (CSSM_KRSP_HANDLE KRSPHandle, |
||||
const CSSM_KR_PROFILE *LocalProfile, |
||||
const CSSM_KR_PROFILE *RemoteProfile, |
||||
CSSM_CC_HANDLE *NewContext) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_CreateRecoveryRequestContext (CSSM_KRSP_HANDLE KRSPHandle, |
||||
const CSSM_KR_PROFILE *LocalProfile, |
||||
CSSM_CC_HANDLE *NewContext) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_GetPolicyInfo (CSSM_CC_HANDLE CCHandle, |
||||
CSSM_KR_POLICY_FLAGS *EncryptionProhibited, |
||||
uint32 *WorkFactor) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
|
||||
/* Key Recovery Registration Operations */ |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_RegistrationRequest (CSSM_CC_HANDLE RecoveryRegistrationContext, |
||||
const CSSM_DATA *KRInData, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCredentials, |
||||
CSSM_KR_POLICY_FLAGS KRFlags, |
||||
sint32 *EstimatedTime, |
||||
CSSM_HANDLE_PTR ReferenceHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_RegistrationRetrieve (CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_HANDLE ReferenceHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCredentials, |
||||
sint32 *EstimatedTime, |
||||
CSSM_KR_PROFILE_PTR KRProfile) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
|
||||
/* Key Recovery Enablement Operations */ |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_GenerateRecoveryFields (CSSM_CC_HANDLE KeyRecoveryContext, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *KRSPOptions, |
||||
CSSM_KR_POLICY_FLAGS KRFlags, |
||||
CSSM_DATA_PTR KRFields, |
||||
CSSM_CC_HANDLE *NewCCHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_ProcessRecoveryFields (CSSM_CC_HANDLE KeyRecoveryContext, |
||||
CSSM_CC_HANDLE CryptoContext, |
||||
const CSSM_DATA *KRSPOptions, |
||||
CSSM_KR_POLICY_FLAGS KRFlags, |
||||
const CSSM_DATA *KRFields, |
||||
CSSM_CC_HANDLE *NewCryptoContext) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
|
||||
/* Key Recovery Request Operations */ |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_RecoveryRequest (CSSM_CC_HANDLE RecoveryRequestContext, |
||||
const CSSM_DATA *KRInData, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCredentials, |
||||
sint32 *EstimatedTime, |
||||
CSSM_HANDLE_PTR ReferenceHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_RecoveryRetrieve (CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_HANDLE ReferenceHandle, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCredentials, |
||||
sint32 *EstimatedTime, |
||||
CSSM_HANDLE_PTR CacheHandle, |
||||
uint32 *NumberOfRecoveredKeys) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_GetRecoveredObject (CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_HANDLE CacheHandle, |
||||
uint32 IndexInResults, |
||||
CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, |
||||
uint32 Flags, |
||||
CSSM_KEY_PTR RecoveredKey, |
||||
CSSM_DATA_PTR OtherInfo) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_RecoveryRequestAbort (CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_HANDLE CacheHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_QueryPolicyInfo (CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_ALGORITHMS AlgorithmID, |
||||
CSSM_ENCRYPT_MODE Mode, |
||||
CSSM_CONTEXT_TYPE Class, |
||||
CSSM_KR_POLICY_INFO_PTR *PolicyInfoData) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
|
||||
/* Extensibility Functions */ |
||||
|
||||
CSSM_RETURN CSSMAPI |
||||
CSSM_KR_PassThrough (CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_CC_HANDLE KeyRecoveryContext, |
||||
CSSM_CC_HANDLE CryptoContext, |
||||
uint32 PassThroughId, |
||||
const void *InputParams, |
||||
void **OutputParams) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMKRAPI_H_ */ |
@ -0,0 +1,111 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2001,2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmkrspi.h -- Service Provider Interface for Key Recovery Modules |
||||
*/ |
||||
|
||||
#ifndef _CSSMKRSPI_H_ |
||||
#define _CSSMKRSPI_H_ 1 |
||||
|
||||
#include <Security/cssmtype.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
/* Data types for Key Recovery SPI */ |
||||
|
||||
typedef struct cssm_spi_kr_funcs { |
||||
CSSM_RETURN (CSSMKRI *RegistrationRequest) |
||||
(CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_CC_HANDLE KRRegistrationContextHandle, |
||||
const CSSM_CONTEXT *KRRegistrationContext, |
||||
const CSSM_DATA *KRInData, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCredentials, |
||||
CSSM_KR_POLICY_FLAGS KRFlags, |
||||
sint32 *EstimatedTime, |
||||
CSSM_HANDLE_PTR ReferenceHandle); |
||||
CSSM_RETURN (CSSMKRI *RegistrationRetrieve) |
||||
(CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_HANDLE ReferenceHandle, |
||||
sint32 *EstimatedTime, |
||||
CSSM_KR_PROFILE_PTR KRProfile); |
||||
CSSM_RETURN (CSSMKRI *GenerateRecoveryFields) |
||||
(CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_CC_HANDLE KREnablementContextHandle, |
||||
const CSSM_CONTEXT *KREnablementContext, |
||||
CSSM_CC_HANDLE CryptoContextHandle, |
||||
const CSSM_CONTEXT *CryptoContext, |
||||
const CSSM_DATA *KRSPOptions, |
||||
CSSM_KR_POLICY_FLAGS KRFlags, |
||||
CSSM_DATA_PTR KRFields); |
||||
CSSM_RETURN (CSSMKRI *ProcessRecoveryFields) |
||||
(CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_CC_HANDLE KREnablementContextHandle, |
||||
const CSSM_CONTEXT *KREnablementContext, |
||||
CSSM_CC_HANDLE CryptoContextHandle, |
||||
const CSSM_CONTEXT *CryptoContext, |
||||
const CSSM_DATA *KRSPOptions, |
||||
CSSM_KR_POLICY_FLAGS KRFlags, |
||||
const CSSM_DATA *KRFields); |
||||
CSSM_RETURN (CSSMKRI *RecoveryRequest) |
||||
(CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_CC_HANDLE KRRequestContextHandle, |
||||
const CSSM_CONTEXT *KRRequestContext, |
||||
const CSSM_DATA *KRInData, |
||||
const CSSM_ACCESS_CREDENTIALS *AccessCredentials, |
||||
sint32 *EstimatedTime, |
||||
CSSM_HANDLE_PTR ReferenceHandle); |
||||
CSSM_RETURN (CSSMKRI *RecoveryRetrieve) |
||||
(CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_HANDLE ReferenceHandle, |
||||
sint32 *EstimatedTime, |
||||
CSSM_HANDLE_PTR CacheHandle, |
||||
uint32 *NumberOfRecoveredKeys); |
||||
CSSM_RETURN (CSSMKRI *GetRecoveredObject) |
||||
(CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_HANDLE CacheHandle, |
||||
uint32 IndexInResults, |
||||
CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, |
||||
uint32 Flags, |
||||
CSSM_KEY_PTR RecoveredKey, |
||||
CSSM_DATA_PTR OtherInfo); |
||||
CSSM_RETURN (CSSMKRI *RecoveryRequestAbort) |
||||
(CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_HANDLE ResultsHandle); |
||||
CSSM_RETURN (CSSMKRI *PassThrough) |
||||
(CSSM_KRSP_HANDLE KRSPHandle, |
||||
CSSM_CC_HANDLE KeyRecoveryContextHandle, |
||||
const CSSM_CONTEXT *KeyRecoveryContext, |
||||
CSSM_CC_HANDLE CryptoContextHandle, |
||||
const CSSM_CONTEXT *CryptoContext, |
||||
uint32 PassThroughId, |
||||
const void *InputParams, |
||||
void **OutputParams); |
||||
} CSSM_SPI_KR_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_KR_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMKRSPI_H_ */ |
@ -0,0 +1,132 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2001,2003-2004,2011-2012,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmspi.h -- Service Provider Interface for CSSM Modules |
||||
*/ |
||||
|
||||
#ifndef _CSSMSPI_H_ |
||||
#define _CSSMSPI_H_ 1 |
||||
|
||||
#include <Security/cssmtype.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
typedef CSSM_RETURN (CSSMAPI *CSSM_SPI_ModuleEventHandler) |
||||
(const CSSM_GUID *ModuleGuid, |
||||
void *CssmNotifyCallbackCtx, |
||||
uint32 SubserviceId, |
||||
CSSM_SERVICE_TYPE ServiceType, |
||||
CSSM_MODULE_EVENT EventType); |
||||
|
||||
typedef uint32 CSSM_CONTEXT_EVENT; |
||||
enum { |
||||
CSSM_CONTEXT_EVENT_CREATE = 1, |
||||
CSSM_CONTEXT_EVENT_DELETE = 2, |
||||
CSSM_CONTEXT_EVENT_UPDATE = 3 |
||||
}; |
||||
|
||||
typedef struct cssm_module_funcs { |
||||
CSSM_SERVICE_TYPE ServiceType; |
||||
uint32 NumberOfServiceFuncs; |
||||
const CSSM_PROC_ADDR *ServiceFuncs; |
||||
} CSSM_MODULE_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_MODULE_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef void *(CSSMAPI *CSSM_UPCALLS_MALLOC) |
||||
(CSSM_HANDLE AddInHandle, |
||||
size_t size) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef void (CSSMAPI *CSSM_UPCALLS_FREE) |
||||
(CSSM_HANDLE AddInHandle, |
||||
void *memblock) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef void *(CSSMAPI *CSSM_UPCALLS_REALLOC) |
||||
(CSSM_HANDLE AddInHandle, |
||||
void *memblock, |
||||
size_t size) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef void *(CSSMAPI *CSSM_UPCALLS_CALLOC) |
||||
(CSSM_HANDLE AddInHandle, |
||||
size_t num, |
||||
size_t size) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
typedef struct cssm_upcalls { |
||||
CSSM_UPCALLS_MALLOC malloc_func; |
||||
CSSM_UPCALLS_FREE free_func; |
||||
CSSM_UPCALLS_REALLOC realloc_func; |
||||
CSSM_UPCALLS_CALLOC calloc_func; |
||||
CSSM_RETURN (CSSMAPI *CcToHandle_func) |
||||
(CSSM_CC_HANDLE Cc, |
||||
CSSM_MODULE_HANDLE_PTR ModuleHandle); |
||||
CSSM_RETURN (CSSMAPI *GetModuleInfo_func) |
||||
(CSSM_MODULE_HANDLE Module, |
||||
CSSM_GUID_PTR Guid, |
||||
CSSM_VERSION_PTR Version, |
||||
uint32 *SubServiceId, |
||||
CSSM_SERVICE_TYPE *SubServiceType, |
||||
CSSM_ATTACH_FLAGS *AttachFlags, |
||||
CSSM_KEY_HIERARCHY *KeyHierarchy, |
||||
CSSM_API_MEMORY_FUNCS_PTR AttachedMemFuncs, |
||||
CSSM_FUNC_NAME_ADDR_PTR FunctionTable, |
||||
uint32 NumFunctions); |
||||
} CSSM_UPCALLS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_UPCALLS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMSPI |
||||
CSSM_SPI_ModuleLoad (const CSSM_GUID *CssmGuid, |
||||
const CSSM_GUID *ModuleGuid, |
||||
CSSM_SPI_ModuleEventHandler CssmNotifyCallback, |
||||
void *CssmNotifyCallbackCtx) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMSPI |
||||
CSSM_SPI_ModuleUnload (const CSSM_GUID *CssmGuid, |
||||
const CSSM_GUID *ModuleGuid, |
||||
CSSM_SPI_ModuleEventHandler CssmNotifyCallback, |
||||
void *CssmNotifyCallbackCtx) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMSPI |
||||
CSSM_SPI_ModuleAttach (const CSSM_GUID *ModuleGuid, |
||||
const CSSM_VERSION *Version, |
||||
uint32 SubserviceID, |
||||
CSSM_SERVICE_TYPE SubServiceType, |
||||
CSSM_ATTACH_FLAGS AttachFlags, |
||||
CSSM_MODULE_HANDLE ModuleHandle, |
||||
CSSM_KEY_HIERARCHY KeyHierarchy, |
||||
const CSSM_GUID *CssmGuid, |
||||
const CSSM_GUID *ModuleManagerGuid, |
||||
const CSSM_GUID *CallerGuid, |
||||
const CSSM_UPCALLS *Upcalls, |
||||
CSSM_MODULE_FUNCS_PTR *FuncTbl) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
CSSM_RETURN CSSMSPI |
||||
CSSM_SPI_ModuleDetach (CSSM_MODULE_HANDLE ModuleHandle) |
||||
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMSPI_H_ */ |
@ -0,0 +1,202 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2001,2004,2011,2014 Apple Inc. All Rights Reserved. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_START@ |
||||
*
|
||||
* This file contains Original Code and/or Modifications of Original Code |
||||
* as defined in and that are subject to the Apple Public Source License |
||||
* Version 2.0 (the 'License'). You may not use this file except in |
||||
* compliance with the License. Please obtain a copy of the License at |
||||
* http://www.opensource.apple.com/apsl/ and read it before using this
|
||||
* file. |
||||
*
|
||||
* The Original Code and all software distributed under the License are |
||||
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
||||
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
||||
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
||||
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
||||
* Please see the License for the specific language governing rights and |
||||
* limitations under the License. |
||||
*
|
||||
* @APPLE_LICENSE_HEADER_END@ |
||||
* |
||||
* cssmtpi.h -- Service Provider Interface for Trust Policy Modules |
||||
*/ |
||||
|
||||
#ifndef _CSSMTPI_H_ |
||||
#define _CSSMTPI_H_ 1 |
||||
|
||||
#include <Security/cssmtype.h> |
||||
|
||||
#ifdef __cplusplus |
||||
extern "C" { |
||||
#endif |
||||
|
||||
typedef struct cssm_spi_tp_funcs { |
||||
CSSM_RETURN (CSSMTPI *SubmitCredRequest) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
const CSSM_TP_AUTHORITY_ID *PreferredAuthority, |
||||
CSSM_TP_AUTHORITY_REQUEST_TYPE RequestType, |
||||
const CSSM_TP_REQUEST_SET *RequestInput, |
||||
const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthContext, |
||||
sint32 *EstimatedTime, |
||||
CSSM_DATA_PTR ReferenceIdentifier); |
||||
CSSM_RETURN (CSSMTPI *RetrieveCredResult) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
const CSSM_DATA *ReferenceIdentifier, |
||||
const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials, |
||||
sint32 *EstimatedTime, |
||||
CSSM_BOOL *ConfirmationRequired, |
||||
CSSM_TP_RESULT_SET_PTR *RetrieveOutput); |
||||
CSSM_RETURN (CSSMTPI *ConfirmCredResult) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
const CSSM_DATA *ReferenceIdentifier, |
||||
const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials, |
||||
const CSSM_TP_CONFIRM_RESPONSE *Responses, |
||||
const CSSM_TP_AUTHORITY_ID *PreferredAuthority); |
||||
CSSM_RETURN (CSSMTPI *ReceiveConfirmation) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
const CSSM_DATA *ReferenceIdentifier, |
||||
CSSM_TP_CONFIRM_RESPONSE_PTR *Responses, |
||||
sint32 *ElapsedTime); |
||||
CSSM_RETURN (CSSMTPI *CertReclaimKey) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
const CSSM_CERTGROUP *CertGroup, |
||||
uint32 CertIndex, |
||||
CSSM_LONG_HANDLE KeyCacheHandle, |
||||
CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry); |
||||
CSSM_RETURN (CSSMTPI *CertReclaimAbort) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_LONG_HANDLE KeyCacheHandle); |
||||
CSSM_RETURN (CSSMTPI *FormRequest) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
const CSSM_TP_AUTHORITY_ID *PreferredAuthority, |
||||
CSSM_TP_FORM_TYPE FormType, |
||||
CSSM_DATA_PTR BlankForm); |
||||
CSSM_RETURN (CSSMTPI *FormSubmit) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_TP_FORM_TYPE FormType, |
||||
const CSSM_DATA *Form, |
||||
const CSSM_TP_AUTHORITY_ID *ClearanceAuthority, |
||||
const CSSM_TP_AUTHORITY_ID *RepresentedAuthority, |
||||
CSSM_ACCESS_CREDENTIALS_PTR Credentials); |
||||
CSSM_RETURN (CSSMTPI *CertGroupVerify) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_CERTGROUP *CertGroupToBeVerified, |
||||
const CSSM_TP_VERIFY_CONTEXT *VerifyContext, |
||||
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR VerifyContextResult); |
||||
CSSM_RETURN (CSSMTPI *CertCreateTemplate) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
uint32 NumberOfFields, |
||||
const CSSM_FIELD *CertFields, |
||||
CSSM_DATA_PTR CertTemplate); |
||||
CSSM_RETURN (CSSMTPI *CertGetAllTemplateFields) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DATA *CertTemplate, |
||||
uint32 *NumberOfFields, |
||||
CSSM_FIELD_PTR *CertFields); |
||||
CSSM_RETURN (CSSMTPI *CertSign) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DATA *CertTemplateToBeSigned, |
||||
const CSSM_CERTGROUP *SignerCertGroup, |
||||
const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext, |
||||
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult, |
||||
CSSM_DATA_PTR SignedCert); |
||||
CSSM_RETURN (CSSMTPI *CrlVerify) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_ENCODED_CRL *CrlToBeVerified, |
||||
const CSSM_CERTGROUP *SignerCertGroup, |
||||
const CSSM_TP_VERIFY_CONTEXT *VerifyContext, |
||||
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR RevokerVerifyResult); |
||||
CSSM_RETURN (CSSMTPI *CrlCreateTemplate) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
uint32 NumberOfFields, |
||||
const CSSM_FIELD *CrlFields, |
||||
CSSM_DATA_PTR NewCrlTemplate); |
||||
CSSM_RETURN (CSSMTPI *CertRevoke) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_DATA *OldCrlTemplate, |
||||
const CSSM_CERTGROUP *CertGroupToBeRevoked, |
||||
const CSSM_CERTGROUP *RevokerCertGroup, |
||||
const CSSM_TP_VERIFY_CONTEXT *RevokerVerifyContext, |
||||
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR RevokerVerifyResult, |
||||
CSSM_TP_CERTCHANGE_REASON Reason, |
||||
CSSM_DATA_PTR NewCrlTemplate); |
||||
CSSM_RETURN (CSSMTPI *CertRemoveFromCrlTemplate) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_DATA *OldCrlTemplate, |
||||
const CSSM_CERTGROUP *CertGroupToBeRemoved, |
||||
const CSSM_CERTGROUP *RevokerCertGroup, |
||||
const CSSM_TP_VERIFY_CONTEXT *RevokerVerifyContext, |
||||
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR RevokerVerifyResult, |
||||
CSSM_DATA_PTR NewCrlTemplate); |
||||
CSSM_RETURN (CSSMTPI *CrlSign) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_ENCODED_CRL *CrlToBeSigned, |
||||
const CSSM_CERTGROUP *SignerCertGroup, |
||||
const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext, |
||||
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult, |
||||
CSSM_DATA_PTR SignedCrl); |
||||
CSSM_RETURN (CSSMTPI *ApplyCrlToDb) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_ENCODED_CRL *CrlToBeApplied, |
||||
const CSSM_CERTGROUP *SignerCertGroup, |
||||
const CSSM_TP_VERIFY_CONTEXT *ApplyCrlVerifyContext, |
||||
CSSM_TP_VERIFY_CONTEXT_RESULT_PTR ApplyCrlVerifyResult); |
||||
CSSM_RETURN (CSSMTPI *CertGroupConstruct) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CSP_HANDLE CSPHandle, |
||||
const CSSM_DL_DB_LIST *DBList, |
||||
const void *ConstructParams, |
||||
const CSSM_CERTGROUP *CertGroupFrag, |
||||
CSSM_CERTGROUP_PTR *CertGroup); |
||||
CSSM_RETURN (CSSMTPI *CertGroupPrune) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_DL_DB_LIST *DBList, |
||||
const CSSM_CERTGROUP *OrderedCertGroup, |
||||
CSSM_CERTGROUP_PTR *PrunedCertGroup); |
||||
CSSM_RETURN (CSSMTPI *CertGroupToTupleGroup) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_CERTGROUP *CertGroup, |
||||
CSSM_TUPLEGROUP_PTR *TupleGroup); |
||||
CSSM_RETURN (CSSMTPI *TupleGroupToCertGroup) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
const CSSM_TUPLEGROUP *TupleGroup, |
||||
CSSM_CERTGROUP_PTR *CertTemplates); |
||||
CSSM_RETURN (CSSMTPI *PassThrough) |
||||
(CSSM_TP_HANDLE TPHandle, |
||||
CSSM_CL_HANDLE CLHandle, |
||||
CSSM_CC_HANDLE CCHandle, |
||||
const CSSM_DL_DB_LIST *DBList, |
||||
uint32 PassThroughId, |
||||
const void *InputParams, |
||||
void **OutputParams); |
||||
} CSSM_SPI_TP_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_TP_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; |
||||
|
||||
#ifdef __cplusplus |
||||
} |
||||
#endif |
||||
|
||||
#endif /* _CSSMTPI_H_ */ |
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in new issue