Skip to content
Permalink
67353d4e01
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Security/trust/headers/SecPolicyPriv.h

Go to file
 
 
Cannot retrieve contributors at this time
2240 lines (2111 sloc) 114 KB
Raw Blame
/*
* Copyright (c) 2003-2017 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*!
@header SecPolicyPriv
The functions provided in SecPolicyPriv provide an interface to various
X.509 certificate trust policies.
*/
#ifndef _SECURITY_SECPOLICYPRIV_H_
#define _SECURITY_SECPOLICYPRIV_H_
#include <Security/SecBase.h>
#include <Security/SecPolicy.h>
#include <Security/SecCertificate.h>
#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFString.h>
#include <Availability.h>
#include <xpc/xpc.h>
__BEGIN_DECLS
CF_ASSUME_NONNULL_BEGIN
CF_IMPLICIT_BRIDGING_ENABLED
/*!
@enum Policy Constants (Private)
@discussion Predefined constants used to specify a policy.
*/
extern const CFStringRef kSecPolicyAppleMobileStore
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern const CFStringRef kSecPolicyAppleTestMobileStore
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern const CFStringRef kSecPolicyAppleEscrowService
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern const CFStringRef kSecPolicyAppleProfileSigner
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern const CFStringRef kSecPolicyAppleQAProfileSigner
__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
extern const CFStringRef kSecPolicyAppleServerAuthentication
__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
extern const CFStringRef kSecPolicyAppleIDValidationRecordSigning
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleSMPEncryption
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0);
extern const CFStringRef kSecPolicyAppleTestSMPEncryption
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0);
extern const CFStringRef kSecPolicyApplePCSEscrowService
__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_7_0);
extern const CFStringRef kSecPolicyApplePPQSigning
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
extern const CFStringRef kSecPolicyAppleTestPPQSigning
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
extern const CFStringRef kSecPolicyAppleSWUpdateSigning
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
extern const CFStringRef kSecPolicyApplePackageSigning
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
extern const CFStringRef kSecPolicyAppleATVVPNProfileSigning
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
extern const CFStringRef kSecPolicyAppleAST2DiagnosticsServerAuth
__OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
extern const CFStringRef kSecPolicyAppleEscrowProxyServerAuth
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleFMiPServerAuth
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleMMCService
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleGSService
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyApplePPQService
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleHomeKitServerAuth
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleiPhoneActivation
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleiPhoneDeviceCertificate
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleFactoryDeviceCertificate
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleiAP
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleiTunesStoreURLBag
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleiPhoneApplicationSigning
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleiPhoneProfileApplicationSigning
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleiPhoneProvisioningProfileSigning
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleLockdownPairing
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleURLBag
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleOTATasking
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleMobileAsset
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleIDAuthority
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleGenericApplePinned
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleGenericAppleSSLPinned
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleSoftwareSigning
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleExternalDeveloper
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleOCSPSigner
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleIDSService
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleIDSServiceContext
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyApplePushService
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleLegacyPushService
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleTVOSApplicationSigning
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleUniqueDeviceIdentifierCertificate
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyAppleSecureIOStaticAsset
__OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
extern const CFStringRef kSecPolicyAppleWarsaw
__OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
extern const CFStringRef kSecPolicyAppleiCloudSetupServerAuth
__OSX_AVAILABLE(10.12.4) __IOS_AVAILABLE(10.3) __TVOS_AVAILABLE(10.2) __WATCHOS_AVAILABLE(3.2);
extern const CFStringRef kSecPolicyAppleiCloudSetupCompatibilityServerAuth
__OSX_AVAILABLE(10.12.4) __IOS_AVAILABLE(10.3) __TVOS_AVAILABLE(10.2) __WATCHOS_AVAILABLE(3.2);
extern const CFStringRef kSecPolicyAppleAppTransportSecurity
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyAppleMobileSoftwareUpdate
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyAppleMobileAssetDevelopment
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyAppleMacOSProfileApplicationSigning
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyAppleBasicAttestationSystem
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyAppleBasicAttestationUser
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyAppleiPhoneVPNApplicationSigning
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyAppleiAPSWAuth
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
extern const CFStringRef kSecPolicyAppleDemoDigitalCatalog
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
extern const CFStringRef kSecPolicyAppleAssetReceipt
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
extern const CFStringRef kSecPolicyAppleDeveloperIDPlusTicket
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
extern const CFStringRef kSecPolicyAppleComponentCertificate
API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0));
extern const CFStringRef kSecPolicyAppleKeyTransparency
API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0));
extern const CFStringRef kSecPolicyAppleAlisha
API_AVAILABLE(macos(10.15.4), ios(13.4), watchos(6.2), tvos(13.4));
extern const CFStringRef kSecPolicyAppleMeasuredBootPolicySigning
API_AVAILABLE(macos(10.15.4), ios(13.4), watchos(6.2), tvos(13.4));
extern const CFStringRef kSecPolicyApplePayQRCodeEncryption
API_AVAILABLE(macos(10.16), ios(14.0), watchos(7.0), tvos(14.0));
extern const CFStringRef kSecPolicyApplePayQRCodeSigning
API_AVAILABLE(macos(10.16), ios(14.0), watchos(7.0), tvos(14.0));
extern const CFStringRef kSecPolicyAppleAccessoryUpdateSigning
API_AVAILABLE(macos(10.16), ios(14.0), watchos(7.0), tvos(14.0));
extern const CFStringRef kSecPolicyAppleEscrowServiceIdKeySigning
API_AVAILABLE(macos(10.15.6), ios(13.5.5));
extern const CFStringRef kSecPolicyApplePCSEscrowServiceIdKeySigning
API_AVAILABLE(macos(10.15.6), ios(13.5.5));
extern const CFStringRef kSecPolicyAppleAggregateMetricTransparency
API_AVAILABLE(macos(10.15.6), ios(13.6), watchos(6.2), tvos(13.4));
extern const CFStringRef kSecPolicyAppleAggregateMetricEncryption
API_AVAILABLE(macos(11.1), ios(14.3), watchos(7.2), tvos(14.3));
extern const CFStringRef kSecPolicyAppleDeveloperIDInstaller
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
extern const CFStringRef kSecPolicyAppleMacAppStoreInstaller
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
extern const CFStringRef kSecPolicyAppleMacDistributionInstaller
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
extern const CFStringRef kSecPolicyApplePayModelSigning
API_AVAILABLE(macos(11.3), ios(14.5), watchos(7.4), tvos(14.5));
extern const CFStringRef kSecPolicyAppleMDLTerminalAuth
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
extern const CFStringRef kSecPolicyAppleCHIPUpdateSigning
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
/*!
@enum Policy Name Constants (Private)
@discussion Predefined constants used to specify a SSL Pinning policy.
To be used with SecTrustSetPolicyName.
@constant kSecPolicyNameAppleAST2Service
@constant kSecPolicyNameAppleEscrowProxyService
@constant kSecPolicyNameAppleFMiPService
@constant kSecPolicyNameAppleGSService
@constant kSecPolicyNameAppleHomeKitService
@constant kSecPolicyNameAppleiCloudSetupService
@constant kSecPolicyNameAppleIDSService
@constant kSecPolicyNameAppleMMCSService
@constant kSecPolicyNameApplePPQService
@constant kSecPolicyNameApplePushService
@constant kSecPolicyNameAppleAIDCService
@constant kSecPolicyNameAppleMapsService
@constant kSecPolicyNameAppleHealthProviderService
@constant kSecPolicyNameAppleParsecService
@constant kSecPolicyNameAppleAMPService
@constant kSecPolicyNameAppleSiriService
@constant kSecPolicyNameAppleHomeAppClipUploadService
@constant kSecPolicyNameAppleUpdatesService
@constant kSecPolicyNameApplePushCertPortal
@constant kSecPolicyNameApplePotluckService
*/
extern const CFStringRef kSecPolicyNameAppleAST2Service
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameAppleEscrowProxyService
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameAppleFMiPService
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameAppleGSService
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameAppleHomeKitService
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameAppleiCloudSetupService
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameAppleIDSService
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameAppleMMCSService
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameApplePPQService
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameApplePushService
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
extern const CFStringRef kSecPolicyNameAppleAIDCService
__OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
extern const CFStringRef kSecPolicyNameAppleMapsService
__OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
extern const CFStringRef kSecPolicyNameAppleHealthProviderService
__OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
extern const CFStringRef kSecPolicyNameAppleParsecService
__OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
extern const CFStringRef kSecPolicyNameAppleAMPService
API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0));
extern const CFStringRef kSecPolicyNameAppleSiriService
API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0));
extern const CFStringRef kSecPolicyNameAppleHomeAppClipUploadService
API_AVAILABLE(macos(10.15.1), ios(13.2), watchos(6.1), tvos(13.1));
extern const CFStringRef kSecPolicyNameAppleUpdatesService
API_AVAILABLE(macos(10.15.4), ios(13.4), watchos(6.2), tvos(13.4));
extern const CFStringRef kSecPolicyNameApplePushCertPortal
API_AVAILABLE(macos(10.16), ios(14.0), watchos(7.0), tvos(14.0));
extern const CFStringRef kSecPolicyNameApplePotluckService
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
/*!
@enum Policy Value Constants
@abstract Predefined property key constants used to get or set values in
a dictionary for a policy instance.
@discussion
All policies will have the following read-only value:
kSecPolicyOid (the policy object identifier)
Additional policy values which your code can optionally set:
kSecPolicyName (name which must be matched)
kSecPolicyClient (evaluate for client, rather than server)
kSecPolicyRevocationFlags (only valid for a revocation policy)
kSecPolicyRevocationFlags (only valid for a revocation policy)
kSecPolicyTeamIdentifier (only valid for a Passbook signing policy)
kSecPolicyContext (valid for policies below that take a context parameter)
kSecPolicyPolicyName (only valid for GenericApplePinned or
GenericAppleSSLPinned policies)
kSecPolicyIntermediateMarkerOid (only valid for GenericApplePinned or
GenericAppleSSLPinned policies)
kSecPolicyLeafMarkerOid (only valid for GenericApplePinned or
GenericAppleSSLPinned policies)
kSecPolicyRootDigest (only valid for the UniqueDeviceCertificate policy)
@constant kSecPolicyContext Specifies a CFDictionaryRef with keys and values
specified by the particular SecPolicyCreate function.
@constant kSecPolicyPolicyName Specifies a CFStringRef of the name of the
desired policy result.
@constant kSecPolicyIntermediateMarkerOid Specifies a CFStringRef of the
marker OID (in decimal format) required in the intermediate certificate.
@constant kSecPolicyLeafMarkerOid Specifies a CFStringRef of the
marker OID (in decimal format) required in the leaf certificate.
@constant kSecPolicyRootDigest Specifies a CFDataRef of digest required to
match the SHA-256 of the root certificate.
*/
extern const CFStringRef kSecPolicyContext
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyPolicyName
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyIntermediateMarkerOid
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyLeafMarkerOid
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
extern const CFStringRef kSecPolicyRootDigest
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
/*!
@enum Revocation Policy Constants
@abstract Predefined constants which allow you to specify how revocation
checking will be performed for a trust evaluation.
@constant kSecRevocationOnlineCheck If this flag is set, perform an online
revocation check, ignoring cached revocation results. This flag will not force
an online check if an online check was done within the last 5 minutes. Online
checks are only applicable to OCSP; this constant will not force a fresh
CRL download.
@constant kSecRevocationCheckIfTrusted If this flag is set, perform network-based
revocation checks only if the chain has no other validation errors. This flag
overrides SecTrustSetNetworkFetchAllowed and kSecRevocationNetworkAccessDisabled
for revocation checking (but not for intermediate fetching).
Note that this flag's behavior is not default because revoked certs produce Fatal
trust results, whereas most checks produce Recoverable trust results. If we skip
revocation checks on untrusted chains, the user may be able to ignore the failures
of a revoked cert.
*/
CF_ENUM(CFOptionFlags) {
kSecRevocationOnlineCheck = (1 << 5),
kSecRevocationCheckIfTrusted = (1 << 6),
};
/*!
@function SecPolicyCreateApplePinned
@abstract Returns a policy object for verifying Apple certificates.
@param policyName A string that identifies the policy name.
@param intermediateMarkerOID A string containing the decimal representation of the
extension OID in the intermediate certificate.
@param leafMarkerOID A string containing the decimal representation of the extension OID
in the leaf certificate.
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID matching the intermediateMarkerOID
parameter.
* The leaf has a marker extension with OID matching the leafMarkerOID parameter.
* Revocation is checked via any available method.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName,
CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
/*!
@function SecPolicyCreateAppleSSLPinned
@abstract Returns a policy object for verifying Apple SSL certificates.
@param policyName A string that identifies the service/policy name.
@param hostname hostname to verify the certificate name against.
@param intermediateMarkerOID A string containing the decimal representation of the
extension OID in the intermediate certificate. If NULL is passed, the default OID of
1.2.840.113635.100.6.2.12 is checked.
@param leafMarkerOID A string containing the decimal representation of the extension OID
in the leaf certificate.
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID matching the intermediateMarkerOID
parameter, or 1.2.840.113635.100.6.2.12 if NULL is passed.
* The leaf has a marker extension with OID matching the leafMarkerOID parameter.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname,
CFStringRef __nullable intermediateMarkerOID, CFStringRef leafMarkerOID)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
/*!
@function SecPolicyCreateiPhoneActivation
@abstract Returns a policy object for verifying iPhone Activation
certificate chains.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in chain.
* The intermediate has Common Name "Apple iPhone Certification Authority".
* The leaf has Common Name "iPhone Activation".
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiPhoneActivation(void);
/*!
@function SecPolicyCreateiPhoneDeviceCertificate
@abstract Returns a policy object for verifying iPhone Device certificate
chains.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs
* There are exactly 4 certs in chain.
* The first intermediate has Common Name "Apple iPhone Device CA".
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
/*!
@function SecPolicyCreateFactoryDeviceCertificate
@abstract Returns a policy object for verifying Factory Device certificate
chains.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to the Factory Device CA.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
/*!
@function SecPolicyCreateiAP
@abstract Returns a policy object for verifying iAP certificate chains.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The leaf has notBefore date after 5/31/2006 midnight GMT.
* The leaf has Common Name beginning with "IPA_".
The intended use of this policy is that the caller pass in the
intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiAP(void);
/*!
@function SecPolicyCreateiTunesStoreURLBag
@abstract Returns a policy object for verifying iTunes Store URL bag
certificates.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to the iTMS CA.
* There are exactly 2 certs in the chain.
* The leaf has Organization "Apple Inc.".
* The leaf has Common Name "iTunes Store URL Bag".
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
/*!
@function SecPolicyCreateEAP
@abstract Returns a policy object for verifying for 802.1x/EAP certificates.
@param server Passing true for this parameter create a policy for EAP
server certificates.
@param trustedServerNames Optional; if present, the hostname in the leaf
certificate must be in the trustedServerNames list. Note that contrary
to all other policies the trustedServerNames list entries can have wildcards
whilst the certificate cannot. This matches the existing deployments.
@discussion This policy uses the Basic X.509 policy with validity check but
disallowing network fetching. If trustedServerNames param is non-null, the
ExtendedKeyUsage extension, if present, of the leaf certificate is verified
to contain either the ServerAuth OID, if the server param is true or
ClientAuth OID, otherwise.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedServerNames);
/*!
@function SecPolicyCreateIPSec
@abstract Returns a policy object for evaluating IPSec certificate chains.
@param server Passing true for this parameter create a policy for IPSec
server certificates.
@param hostname Optional; if present, the policy will require the specified
hostname or ip address to match the hostname in the leaf certificate.
@discussion This policy uses the Basic X.509 policy with validity check.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable hostname);
/*!
@function SecPolicyCreateAppleSWUpdateSigning
@abstract Returns a policy object for evaluating SW update signing certs.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate ExtendedKeyUsage Extension contains 1.2.840.113635.100.4.1.
* The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void);
/*!
@function SecPolicyCreateApplePackageSigning
@abstract Returns a policy object for evaluating installer package signing certs.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The leaf KeyUsage extension has the digital signature bit set.
* The leaf ExtendedKeyUsage extension has the CodeSigning OID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePackageSigning(void);
/*!
@function SecPolicyCreateiPhoneApplicationSigning
@abstract Returns a policy object for evaluating signed application
signatures. This is for apps signed directly by the app store.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple iPhone Certification Authority".
* The leaf has Common Name "Apple iPhone OS Application Signing".
* The leaf has a marker extension with OID 1.2.840.113635.100.6.1.3 or OID
1.2.840.113635.100.6.1.6.
* The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
or the CodeSigning OID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
/*!
@function SecPolicyCreateiPhoneVPNApplicationSigning
@abstract Returns a policy object for evaluating signed VPN application
signatures. This is for VPN plugins signed directly by the VPN team.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple iPhone Certification Authority".
* The leaf has Common Name "Apple iPhone OS Application Signing".
* The leaf has a marker extension with 1.2.840.113635.100.6.1.6.
* The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
or the CodeSigning OID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiPhoneVPNApplicationSigning(void)
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
/*!
@function SecPolicyCreateiPhoneProfileApplicationSigning
@abstract Returns a policy object for evaluating signed application
signatures. This policy is for certificates inside a UPP or regular
profile.
@discussion This policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID matching 1.2.840.113635.100.6.2.1 (WWDR CA).
* The leaf has a marker extension with OID matching one of the following:
* 1.2.840.113635.100.6.1.2 ("iPhone Developer" leaf)
* 1.2.840.113635.100.6.1.4 ("iPhone Distribution" leaf)
* 1.2.840.113635.100.6.1.25.1 ("TestFlight" leaf)
* On internal releases, 1.2.840.113635.100.6.1.25.2
* The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (CodeSigning EKU).
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
/*!
@function SecPolicyCreateMacOSProfileApplicationSigning
@abstract Returns a policy object for evaluating signed application
signatures. This policy is for certificates inside a UPP or regular
profile.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The leaf has a marker extension with OID matching one of the following:
* 1.2.840.113635.100.6.1.7 ("3rd Party Mac Developer Application" leaf)
* 1.2.840.113635.100.6.1.12 ("Mac Developer" leaf)
* 1.2.840.113635.100.6.1.13 ("Developer ID Application" leaf)
* 1.2.840.113635.100.6.22 ("Software Signing" leaf
* The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (CodeSigning EKU).
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMacOSProfileApplicationSigning(void)
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
/*!
@function SecPolicyCreateiPhoneProvisioningProfileSigning
@abstract Returns a policy object for evaluating provisioning profile signatures.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple iPhone Certification Authority".
* The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
* If the device is not a production device and is running an internal
release, the leaf may have the Common Name "TEST Apple iPhone OS
Provisioning Profile Signing TEST".
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
/*!
@function SecPolicyCreateAppleTVOSApplicationSigning
@abstract Returns a policy object for evaluating signed application
signatures. This is for apps signed directly by the Apple TV app store,
and allows for both the prod and the dev/test certs.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
Test roots are never permitted.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
* The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
the CodeSigning OID.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
1.2.840.113635.100.6.1.24.1.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void);
/*!
@function SecPolicyCreateOCSPSigner
@abstract Returns a policy object for evaluating ocsp response signers.
@discussion This policy uses the Basic X.509 policy with validity check and
requires the leaf to have an ExtendedKeyUsage of OCSPSigning.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateOCSPSigner(void);
enum {
kSecSignSMIMEUsage = (1 << 0),
kSecKeyEncryptSMIMEUsage = (1 << 1),
kSecDataEncryptSMIMEUsage = (1 << 2),
kSecKeyExchangeDecryptSMIMEUsage = (1 << 3),
kSecKeyExchangeEncryptSMIMEUsage = (1 << 4),
kSecKeyExchangeBothSMIMEUsage = (1 << 5),
kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage | kSecDataEncryptSMIMEUsage |
kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage,
kSecIgnoreExpirationSMIMEUsage = (1 << 6)
};
/*!
@function SecPolicyCreateSMIME
@abstract Returns a policy object for evaluating S/MIME certificate chains.
@param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
flags, to indicate the intended usage of this certificate.
@param email Optional; if present, the policy will require the specified
email to match the email in the leaf certificate.
@discussion This policy uses the Basic X.509 policy with validity check and
requires the leaf to have
* a KeyUsage matching the smimeUsage,
* an ExtendedKeyUsage, if any, with the EmailProtection OID, and
* if the email param is specified, the email address in the RFC822Name in the
SubjectAlternativeName extension or in the Email Address field of the
Subject Name.
Note that temporal validity checking can be disabled with kSecIgnoreExpirationSMIMEUsage
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable email);
/*!
@function SecPolicyCreateCodeSigning
@abstract Returns a policy object for evaluating code signing certificate chains.
@discussion This policy uses the Basic X.509 policy with validity check and
requires the leaf to have
* a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
* an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateCodeSigning(void);
/*!
@function SecPolicyCreateLockdownPairing
@abstract basic x509 policy for checking lockdown pairing certificate chains.
@discussion This policy checks some of the Basic X.509 policy options with no
validity check. It explicitly allows for empty subjects.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateLockdownPairing(void);
/*!
@function SecPolicyCreateURLBag
@abstract Returns a policy object for evaluating certificate chains for signing URL bags.
@discussion This policy uses the Basic X.509 policy with no validity check and requires
that the leaf has ExtendedKeyUsage extension with the CodeSigning OID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateURLBag(void);
/*!
@function SecPolicyCreateOTATasking
@abstract Returns a policy object for evaluating certificate chains for signing OTA Tasking.
@discussion This policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple iPhone Certification Authority".
* The leaf has Common Name "OTA Task Signing".
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateOTATasking(void);
/*!
@function SecPolicyCreateMobileAsset
@abstract Returns a policy object for evaluating certificate chains for signing Mobile Assets.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple iPhone Certification Authority".
* The leaf has Common Name "Asset Manifest Signing".
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMobileAsset(void);
/*!
@function SecPolicyCreateMobileAssetDevelopment
@abstract Returns a policy object for evaluating certificate chains for signing development
Mobile Assets.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.18.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.55.1.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMobileAssetDevelopment(void)
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
/*!
@function SecPolicyCreateAppleIDAuthorityPolicy
@abstract Returns a policy object for evaluating certificate chains for Apple ID Authority.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
or OID 1.2.840.113635.100.6.2.7.
* The leaf has a marker extension with OID 1.2.840.113635.100.4.7.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);
/*!
@function SecPolicyCreateMacAppStoreReceipt
@abstract Returns a policy object for evaluating certificate chains for signing
Mac App Store Receipts.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
* The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.6.1.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.11.1.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void);
/*!
@function SecPolicyCreatePassbookCardSigner
@abstract Returns a policy object for evaluating certificate chains for signing Passbook cards.
@param cardIssuer Required; must match name in marker extension.
@param teamIdentifier Optional; if present, the policy will require the specified
team ID to match the organizationalUnit field in the leaf certificate's subject.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the
cardIssuer.
* The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14.
* The leaf has a Organizational Unit matching the TeamID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
CFStringRef __nullable teamIdentifier);
/*!
@function SecPolicyCreateMobileStoreSigner
@abstract Returns a policy object for evaluating Mobile Store certificate chains.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple System Integration 2 Certification Authority".
* The leaf has KeyUsage with the DigitalSignature bit set.
* The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMobileStoreSigner(void);
/*!
@function SecPolicyCreateTestMobileStoreSigner
@abstract Returns a policy object for evaluating Test Mobile Store certificate chains.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple System Integration 2 Certification Authority".
* The leaf has KeyUsage with the DigitalSignature bit set.
* The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.1.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void);
/*!
@function SecPolicyCreateEscrowServiceSigner
@abstract Returns a policy object for evaluating Escrow Service certificate chains.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* There are exactly 2 certs in the chain.
* The leaf has KeyUsage with the KeyEncipherment bit set.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateEscrowServiceSigner(void);
/*!
@function SecPolicyCreatePCSEscrowServiceSigner
@abstract Returns a policy object for evaluating PCS Escrow Service certificate chains.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* There are exactly 2 certs in the chain.
* The leaf has KeyUsage with the KeyEncipherment bit set.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void);
/*!
@function SecPolicyCreateOSXProvisioningProfileSigning
@abstract Returns a policy object for evaluating certificate chains for signing OS X
Provisioning Profiles.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
* The leaf has KeyUsage with the DigitalSignature bit set.
* The leaf has a marker extension with OID 1.2.840.113635.100.4.11.
* Revocation is checked via OCSP.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void);
/*!
@function SecPolicyCreateConfigurationProfileSigner
@abstract Returns a policy object for evaluating certificate chains for signing
Configuration Profiles.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
* The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16, or on non-GM
builds only, OID 1.2.840.113635.100.4.17.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);
/*!
@function SecPolicyCreateQAConfigurationProfileSigner
@abstract Returns a policy object for evaluating certificate chains for signing
QA Configuration Profiles. On GM builds, this function returns the same
policy as SecPolicyCreateConfigurationProfileSigner.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
* The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);
/*!
@function SecPolicyCreateAppleIDValidationRecordSigningPolicy
@abstract Returns a policy object for evaluating certificate chains for signing
Apple ID Validation Records.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
or OID 1.2.840.113635.100.6.2.10.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.25.
* Revocation is checked via OCSP.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);
/*!
@function SecPolicyCreateAppleSMPEncryption
@abstract Returns a policy object for evaluating SMP certificate chains.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13.
* The leaf has KeyUsage with the KeyEncipherment bit set.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.30.
* Revocation is checked via OCSP.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleSMPEncryption(void);
/*!
@function SecPolicyCreateTestAppleSMPEncryption
@abstract Returns a policy object for evaluating Test SMP certificate chains.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to a Test Apple Root with ECC public key certificate.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Test Apple System Integration CA - ECC".
* The leaf has KeyUsage with the KeyEncipherment bit set.
* Revocation is checked via OCSP.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void);
/*!
@function SecPolicyCreateApplePPQSigning
@abstract Returns a policy object for verifying production PPQ Signing certificates.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple System Integration 2 Certification
Authority".
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
* The leaf has KeyUsage with the DigitalSignature bit set.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.38.2.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePPQSigning(void);
/*!
@function SecPolicyCreateTestApplePPQSigning
@abstract Returns a policy object for verifying test PPQ Signing certificates. On
customer builds, this function returns the same policy as SecPolicyCreateApplePPQSigning.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple System Integration 2 Certification
Authority".
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
* The leaf has KeyUsage with the DigitalSignature bit set.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.38.1.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateTestApplePPQSigning(void);
/*!
@function SecPolicyCreateAppleIDSService
@abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.4.2 or,
if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname);
/*!
@function SecPolicyCreateAppleIDSServiceContext
@abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@param context Optional; if present, "AppleServerAuthenticationAllowUATIDS" with value
Boolean true will allow Test Apple roots on internal releases.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.4.2 or,
if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef __nullable context);
/*!
@function SecPolicyCreateApplePushService
@abstract Ensure we're appropriately pinned to the Apple Push service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@param context Optional; if present, "AppleServerAuthenticationAllowUATAPN" with value
Boolean true will allow Test Apple roots on internal releases.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.5.2 or,
if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef __nullable context);
/*!
@function SecPolicyCreateApplePushServiceLegacy
@abstract Ensure we're appropriately pinned to the Push service (via Entrust)
@param hostname Required; hostname to verify the certificate name against.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to an Entrust Intermediate.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname);
/*!
@function SecPolicyCreateAppleMMCSService
@abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@param context Optional; if present, "AppleServerAuthenticationAllowUATMMCS" with value
Boolean true will allow Test Apple roots and test OIDs on internal releases.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or, if
enabled, OID 1.2.840.113635.100.6.27.11.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef __nullable context);
/*!
@function SecPolicyCreateAppleCompatibilityMMCSService
@abstract Ensure we're appropriately pinned to the MMCS service using compatibility certs
@param hostname Required; hostname to verify the certificate name against.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to the GeoTrust Global CA
* The intermediate has a subject public key info hash matching the public key of
the Apple IST CA G1 intermediate.
* The chain length is 3.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or
OID 1.2.840.113635.100.6.27.11.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname)
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
/*!
@function SecPolicyCreateAppleGSService
@abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@param context Optional; if present, "AppleServerAuthenticationAllowUATGS" with value
Boolean true will allow Test Apple roots on internal releases.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.2.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef __nullable context)
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
/*!
@function SecPolicyCreateApplePPQService
@abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@param context Optional; if present, "AppleServerAuthenticationAllowUATPPQ" with value
Boolean true will allow Test Apple roots on internal releases.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.3.2 or,
if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef __nullable context)
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
/*!
@function SecPolicyCreateAppleAST2Service
@abstract Ensure we're appropriately pinned to the AST2 Diagnostic service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@param context Optional; if present, "AppleServerAuthenticationAllowUATAST2" with value
Boolean true will allow Test Apple roots on internal releases.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.8.2 or,
if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef __nullable context)
__OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
/*!
@function SecPolicyCreateAppleEscrowProxyService
@abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@param context Optional; if present, "AppleServerAuthenticationAllowUATEscrow" with value
Boolean true will allow Test Apple roots on internal releases.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or,
if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef __nullable context)
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
/*!
@function SecPolicyCreateAppleCompatibilityEscrowProxyService
@abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service using compatibility certs
@param hostname Required; hostname to verify the certificate name against.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to the GeoTrust Global CA
* The intermediate has a subject public key info hash matching the public key of
the Apple IST CA G1 intermediate.
* The chain length is 3.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or,
if UAT is enabled with a defaults write (internal devices only),
OID 1.2.840.113635.100.6.27.7.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleCompatibilityEscrowProxyService(CFStringRef hostname)
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
/*!
@function SecPolicyCreateAppleFMiPService
@abstract Ensure we're appropriately pinned to the Find My iPhone service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@param context Optional; if present, "AppleServerAuthenticationAllowUATFMiP" with value
Boolean true will allow Test Apple roots on internal releases.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.6.2 or,
if Test Roots are allowed, OID 1.2.840.113635.100.6.27.6.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryRef __nullable context)
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
/*!
@function SecPolicyCreateAppleSSLService
@abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
@param hostname Optional; hostname to verify the certificate name against.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef __nullable hostname);
/*!
@function SecPolicyCreateAppleTimeStamping
@abstract Returns a policy object for evaluating time stamping certificate chains.
@discussion This policy uses the Basic X.509 policy with validity check
and requires the leaf has ExtendedKeyUsage with the TimeStamping OID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleTimeStamping(void);
/*!
@function SecPolicyCreateApplePayIssuerEncryption
@abstract Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2".
* The leaf has KeyUsage with the KeyEncipherment bit set.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.39.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
/*!
@function SecPolicyCreateAppleATVVPNProfileSigning
@abstract Returns a policy object for evaluating Apple TV VPN Profile certificate chains.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.43.
* Revocation is checked via OCSP.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
/*!
@function SecPolicyCreateAppleHomeKitServerAuth
@abstract Ensure we're appropriately pinned to the HomeKit service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
__OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
/*!
@function SecPolicyCreateAppleExternalDeveloper
@abstract Returns a policy object for verifying Apple-issued external developer
certificates.
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID matching 1.2.840.113635.100.6.2.1
(WWDR CA) or 1.2.840.113635.100.6.2.6 (Developer ID CA).
* The leaf has a marker extension with OID matching one of the following:
* 1.2.840.113635.100.6.1.2 ("iPhone Developer" leaf)
* 1.2.840.113635.100.6.1.4 ("iPhone Distribution" leaf)
* 1.2.840.113635.100.6.1.5 ("Safari Developer" leaf)
* 1.2.840.113635.100.6.1.7 ("3rd Party Mac Developer Application" leaf)
* 1.2.840.113635.100.6.1.8 ("3rd Party Mac Developer Installer" leaf)
* 1.2.840.113635.100.6.1.12 ("Mac Developer" leaf)
* 1.2.840.113635.100.6.1.13 ("Developer ID Application" leaf)
* 1.2.840.113635.100.6.1.14 ("Developer ID Installer" leaf)
* The leaf has an ExtendedKeyUsage OID matching one of the following:
* 1.3.6.1.5.5.7.3.3 (CodeSigning EKU)
* 1.2.840.113635.100.4.8 ("Safari Developer" EKU)
* 1.2.840.113635.100.4.9 ("3rd Party Mac Developer Installer" EKU)
* 1.2.840.113635.100.4.13 ("Developer ID Installer" EKU)
* Revocation is checked via any available method.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
/*!
@function SecPolicyCreateAppleSoftwareSigning
@abstract Returns a policy object for verifying the Apple Software Signing certificate.
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has the Common Name "Apple Code Signing Certification Authority".
* The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22.
* The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing).
* Revocation is checked via any available method.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleSoftwareSigning(void)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
/*!
@function SecPolicyGetName
@abstract Returns a policy's name.
@param policy A policy reference.
@result A policy name.
*/
__nullable CFStringRef SecPolicyGetName(SecPolicyRef policy)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
/*!
@function SecPolicyGetOidString
@abstract Returns a policy's oid in string decimal format.
@param policy A policy reference.
@result A policy oid.
*/
CFStringRef SecPolicyGetOidString(SecPolicyRef policy)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
/*!
@function SecPolicyCreateAppleUniqueDeviceCertificate
@abstract Returns a policy object for verifying Unique Device Identifier Certificates.
@param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning.
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to the SEP Root CA. Internal releases allow the chain to be
anchored to the testRootHash input if the value true is set for the key
"ApplePinningAllowTestCertsUCRT" in the com.apple.security preferences for the user
of the calling application.
* There are exactly 3 certs in the chain.
* The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and value
of "ucrt".
* The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1.
* RSA key sizes are disallowed. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
/*!
@function SecPolicyCreateAppleWarsaw
@abstract Returns a policy object for verifying signed Warsaw assets.
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.14.
* The leaf has a marker extension with OID matching 1.2.840.113635.100.6.29.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleWarsaw(void)
__OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
/*!
@function SecPolicyCreateAppleSecureIOStaticAsset
@abstract Returns a policy object for verifying signed static assets for Secure IO.
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.10.
* The leaf has a marker extension with OID matching 1.2.840.113635.100.6.50.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void)
__OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
/*!
@function SecPolicyCreateAppleiCloudSetupService
@abstract Ensure we're appropriately pinned to the iCloud Setup service (SSL + Apple restrictions)
@param hostname Required; hostname to verify the certificate name against.
@param context Optional; if present, "AppleServerAuthenticationAllowUATiCloudSetup" with value
Boolean true will allow Test Apple roots and test OIDs on internal releases.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.15.2 or, if
enabled, OID 1.2.840.113635.100.6.27.15.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
* Revocation is checked via any available method.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleiCloudSetupService(CFStringRef hostname, CFDictionaryRef __nullable context)
__OSX_AVAILABLE(10.12.4) __IOS_AVAILABLE(10.3) __TVOS_AVAILABLE(10.2) __WATCHOS_AVAILABLE(3.2);
/*!
@function SecPolicyCreateAppleCompatibilityiCloudSetupService
@abstract Ensure we're appropriately pinned to the iCloud Setup service using compatibility certs
@param hostname Required; hostname to verify the certificate name against.
@discussion This policy uses the Basic X.509 policy with validity check
and pinning options:
* The chain is anchored to the GeoTrust Global CA
* The intermediate has a subject public key info hash matching the public key of
the Apple IST CA G1 intermediate.
* The chain length is 3.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.27.15.2 or
OID 1.2.840.113635.100.6.27.15.1.
* The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension.
* The leaf has ExtendedKeyUsage with the ServerAuth OID.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleCompatibilityiCloudSetupService(CFStringRef hostname)
__OSX_AVAILABLE(10.12.4) __IOS_AVAILABLE(10.3) __TVOS_AVAILABLE(10.2) __WATCHOS_AVAILABLE(3.2);
/*!
@function SecPolicyCreateAppleAppTransportSecurity
@abstract Ensure all certs in the evaluation meet ATS minimums
@discussion This policy is meant to be used alongside an SSL policy in order to enforce App Transport Security certificate rules:
* All certificates use either RSA key sizes of 2048-bits or larger or EC key sizes of 256-bits or larger.
* All certificates use SHA-256 or better for signature hash algorithms.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleAppTransportSecurity(void)
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
/*!
@function SecPolicyCreateMobileSoftwareUpdate
@abstract Returns a policy object for evaluating certificate chains for signing Mobile Software Updates.
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.18.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.57.2, or on internal releases,
1.2.840.113635.100.6.57.1.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMobileSoftwareUpdate(void)
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
/*!
@function SecPolicyCreateAppleBasicAttestationSystem
@abstract Returns a policy object for verifying Basic Attestation Authority SCRT-attested certs
@param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning.
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to the Basic Attestation System Root CA.
* There are exactly 3 certs in the chain.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleBasicAttestationSystem(CFDataRef __nullable testRootHash)
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
/*!
@function SecPolicyCreateAppleBasicAttestationUser
@abstract Returns a policy object for verifying Basic Attestation Authority UCRT-attested certs
@param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning.
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to the Basic Attestation User Root CA.
* There are exactly 3 certs in the chain.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleBasicAttestationUser(CFDataRef __nullable testRootHash)
__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
/*!
@function SecPolicyCreateiAPSWAuth
@abstract Returns a policy object for verifying iAP Software Auth certificates
@discussion The resulting policy uses the Basic X.509 policy with no validity check
and pinning options:
* There are exactly 2 certs in the chain.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.59.1
The intended use of this policy is that the caller pass in the
SW Auth root to SecTrustSetAnchorCertificates().
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiAPSWAuth(void)
__OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
/*!
@function SecPolicyCreateDemoDigitalCatalog
@abstract Returns a policy object for evaluating certificate chains for signing Digital
Catalog manifests for Demo units.
@discussion This policy uses the Basic X.509 policy with validity check and
pinning options:
* There are exactly 3 certs in the chain.
* The intermediate has common name "DemoUnit CA"
* The leaf has a marker extension with OID 1.2.840.113635.100.6.60
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateDemoDigitalCatalogSigning(void)
__OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3);
/*!
@function SecPolicyCreateAppleAssetReceipt
@abstract Returns a policy object for evaluating certificate chains for signing Asset Receipts
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.61.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleAssetReceipt(void)
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
/*!
@function SecPolicyCreateAppleDeveloperIDPlustTicket
@abstract Returns a policy object for evaluating certificate chains for signing Developer ID+ Tickets
@discussion This policy uses the Basic X.509 policy with no validity check
and pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.17.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.1.30.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleDeveloperIDPlusTicket(void)
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
/*!
@function SecPolicyCreateiAPSWAuthWithExpiration
@abstract Returns a policy object for verifying iAP Software Auth certificates
@param checkExpiration Determines whether the policy checks expiration on the certificates
@discussion The resulting policy uses the Basic X.509 policy and pinning options:
* There are exactly 2 certs in the chain.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.59.1
The intended use of this policy is that the caller pass in the
SW Auth root to SecTrustSetAnchorCertificates().
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateiAPSWAuthWithExpiration(bool checkExpiration)
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
/*!
@function SecPolicyCreateAppleFDRProvisioning
@abstract Returns a policy object for verifying FDR Provisioning certificates
@discussion The resulting policy uses the Basic X.509 policy with no validity check.
The intended use of this policy is that the caller pass in the FDR root to SecTrustSetAnchorCertificates().
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleFDRProvisioning(void)
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0));
/*!
@function SecPolicyCreateAppleComponentCertificate
@abstract Returns a policy object for verifying Component certs
@param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning.
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to the Component Root CA.
* There are exactly 3 certs in the chain.
* The leaf and intermediate each have a marker extension with OID matching 1.2.840.113635.100.11.1
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleComponentCertificate(CFDataRef __nullable testRootHash)
API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0));
/*!
@function SecPolicyCreateAppleKeyTransparency
@abstract Returns a policy object for verifying Apple certificates.
@param applicationId A string that identifies the applicationId.
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3".
* The leaf has a marker extension with OID 1.2.840.113635.100.6.69.1 and value
matching the applicationId.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleKeyTransparency(CFStringRef applicationId)
API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0));
/*!
@function SecPolicyCreateAlisha
@abstract Returns a policy object for verifying Alisha certificates.
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAlisha(void)
API_AVAILABLE(macos(10.15.4), ios(13.4), watchos(6.2), tvos(13.4));
extern const CFStringRef kSecPolicyAppleEscrowServiceIdKeySigning
API_AVAILABLE(macos(10.15.6), ios(13.5.5));
extern const CFStringRef kSecPolicyApplePCSEscrowServiceIdKeySigning
API_AVAILABLE(macos(10.15.6), ios(13.5.5));
/*!
@function SecPolicyCreateMeasuredBootPolicySigning
@abstract Returns a policy object for verifying Measured Boot Policy Signing certificates.
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.24.17.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.26.6.1
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
Because this policy does not pin the anchors, the caller must use SecTrustSetAnchorCertificates with
the expected roots.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMeasuredBootPolicySigning(void)
API_AVAILABLE(macos(10.15.4), ios(13.4), watchos(6.2), tvos(13.4));
/*!
@function SecPolicyCreateApplePayQRCodeEncryption
@abstract Returns a policy object for verifying ApplePay QRCode Encryption certificates
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The root matches the "Apple External EC Root", or on internal builds, "Test Apple External EC Root"
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.22.
* The leaf has a marker extension with OID 1.2.840.113635.100.13.3
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
* Revocation is checked via any available method
Because the "Apple External" roots are not trusted by default, the caller must use
SecTrustSetAnchorCertificates with the expected roots.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePayQRCodeEncryption(void)
API_AVAILABLE(macos(10.16), ios(14.0), watchos(7.0), tvos(14.0));
/*!
@function SecPolicyCreateApplePayQRCodeSigning
@abstract Returns a policy object for verifying ApplePay QRCode Signing certificates
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The root matches the "Apple External EC Root", or on internal builds, "Test Apple External EC Root"
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.22.
* The leaf has a marker extension with OID 1.2.840.113635.100.12.12
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
* Revocation is checked via any available method
Because the "Apple External" roots are not trusted by default, the caller must use
SecTrustSetAnchorCertificates with the expected roots.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePayQRCodeSigning(void)
API_AVAILABLE(macos(10.16), ios(14.0), watchos(7.0), tvos(14.0));
/*!
@function SecPolicyCreateAppleAccessoryUpdateSigning
@abstract Returns a policy object for verifying Accessory Firmware Update Signing certificates
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.17.
* The leaf has a marker extension with OID 1.2.840.113635.100.12.9, or, if
"AllowAccessoryUpdateSigningBeta" is set to true in the com.apple.security
preference/defaults domain, OID 1.2.840.113635.100.12.10
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
* Revocation is checked via any available method
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleAccessoryUpdateSigning(void)
API_AVAILABLE(macos(10.16), ios(14.0), watchos(7.0), tvos(14.0));
/*!
@function SecPolicyCreateAggregateMetricTransparency
@abstract Returns a policy object for verifying Aggregate Metric Transparency certificates
@param facilitator A boolean to indicate whether the facilitator or partner transparency
certificate is being checked.
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.26.
* The leaf has a marker extension with OID 1.2.840.113635.100.12.17 if facilitator is true or
1.2.840.113635.100.12.18 if facilitator is false. The contents of this marker extension
are not checked.
* Revocation is checked via any available method.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
* Require a positive CT verification result.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAggregateMetricTransparency(bool facilitator)
API_AVAILABLE(macos(10.15.6), ios(13.6), watchos(6.2), tvos(13.4));
/*!
@function SecPolicyCreateAggregateMetricEncryption
@abstract Returns a policy object for verifying Aggregate Metric Encryption certificates
@param facilitator A boolean to indicate whether the facilitator or partner encryption
certificate is being checked.
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.26.
* The leaf has a marker extension with OID 1.2.840.113635.100.15.2 if facilitator is true or
1.2.840.113635.100.15.3 if facilitator is false.
* Revocation is checked via any available method.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
* Require a positive CT verification result using the non-TLS CT log list
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAggregateMetricEncryption(bool facilitator)
API_AVAILABLE(macos(11.1), ios(14.3), watchos(7.2), tvos(14.3));
/*!
@function SecPolicyCreateDeveloperIDInstaller
@abstract Returns a policy object for verifying DeveloperID Installer signing certificates
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.6.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.1.14.
* The leaf has EKU with OID 1.2.840.113635.100.4.13.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
* Revocation is checked via any available method
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateDeveloperIDInstaller(void)
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
/*!
@function SecPolicyCreateMacAppStoreInstaller
@abstract Returns a policy object for verifying Mac App Store Installer signing certificates
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.1.10, or, if QA
is enabled, 1.2.840.113635.100.6.1.10.1.
* The leaf has EKU with OID 1.2.840.113635.100.4.10.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
* Revocation is checked via any available method
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMacAppStoreInstaller(void)
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
/*!
@function SecPolicyCreate MacDistributionInstaller
@abstract Returns a policy object for verifying Mac Distribution Installer signing certificates
@discussion The resulting policy uses the Basic X.509 policy with validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
* The leaf has a marker extension with OID 1.2.840.113635.100.6.1.8.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
* Revocation is checked via any available method
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMacDistributionInstaller(void)
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
/*!
@function SecPolicyCreateSSLWithKeyUsage
@abstract Returns a policy object for evaluating SSL certificate chains (with key usage enforcement)
@param server Passing true for this parameter creates a policy for SSL
server certificates.
@param hostname (Optional) If present, the policy will require the specified
hostname to match the hostname in the leaf certificate.
@param keyUsage SecKeyUsage flags (see SecCertificatePriv.h) that the server certificate must have specified.
@result A policy object. The caller is responsible for calling CFRelease
on this when it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateSSLWithKeyUsage(Boolean server, CFStringRef __nullable hostname, uint32_t keyUsage)
API_AVAILABLE(macos(11.3), ios(14.5), watchos(7.4), tvos(14.5));
/*!
@function SecPolicySetSHA256Pins
@abstract Sets the SubjectPublicKeyInfo (SPKI) pins.
@param policy The policy to modify.
@param leafSPKISHA256 An array of SHA256 hashes of permitted leaf SPKIs. Passing NULL will remove any previous pins.
@param caSPKISHA256 An array of SHA256 hashes of CA SPKIs. Passing NULL will remove any previous pins.
@discussion Pins replace any existing pins set on the policy.
Setting leaf pins will require that the SPKI in the leaf certificate validated must match at least one of the array of leafSPKISHA256 pins.
Setting CA pins will require that at an SPKI in at least one CA certificate in the built chain from the leaf certificate to a trusted anchor certificate
matches at least one of the array of caSPKISHA256 pins.
*/
void SecPolicySetSHA256Pins(SecPolicyRef policy, CFArrayRef _Nullable leafSPKISHA256, CFArrayRef _Nullable caSPKISHA256)
API_AVAILABLE(macos(11.3), ios(14.5), watchos(7.4), tvos(14.5));
/*!
@function SecPolicyCreateApplePayModelSigning
@abstract Returns a policy object for verifying ApplePay Model Signing certificates
@param checkExpiration A boolean to indicate whether the policy should check for expiration.
@discussion The resulting policy uses the Basic X.509 policy with optional validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.17.
* The leaf has a marker extension with OID 1.2.840.113635.100.12.20
* Revocation is checked via any available method.
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateApplePayModelSigning(bool checkExpiration)
API_AVAILABLE(macos(11.3), ios(14.5), watchos(7.4), tvos(14.5));
/*!
@function SecPolicyCreateMDLTerminalAuth
@abstract Returns a policy object for verifying MDL Terminal Authentication certificates
@param checkExtension A boolean to indicate whether the policy should check for the
mdlTerminalAuth () extension in the leaf.
@param leafIsCA A boolean to indicate whether the policy should check that the leaf has
a basicConstraints extension with CA=TRUE.
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
The intended use of this policy is that the caller pass in the trusted roots to SecTrustSetAnchorCertificates().
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateMDLTerminalAuth(bool checkExtension, bool leafIsCA)
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
/*!
@function SecPolicyCreateAppleCHIPUpdateSigning
@abstract Returns a policy object for verifying CHIP Firmware Update Signing certificates
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to any of the Apple Root CAs.
* There are exactly 3 certs in the chain.
* The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.17.
* The leaf has a marker extension with OID 1.2.840.113635.100.12.25, or, if
"AllowCHIPUpdateSigningBeta" is set to true in the com.apple.security
preference/defaults domain, OID 1.2.840.113635.100.12.26
* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
* Revocation is checked via any available method
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateAppleCHIPUpdateSigning(void)
API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
/*
* Legacy functions (OS X only)
*/
#if TARGET_OS_OSX
/*!
@function SecPolicyCopy
@abstract Returns a copy of a policy reference based on certificate type and OID.
@param certificateType A certificate type.
@param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs.
@param policy The returned policy reference. This is a required parameter.
@result A result code. See "Security Error Codes" (SecBase.h).
@discussion This function is deprecated in Mac OS X 10.7 and later;
to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h.
*/
OSStatus SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef * __nonnull CF_RETURNS_RETAINED policy)
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
/* Given a unified SecPolicyRef, return a copy with a legacy
C++ ItemImpl-based Policy instance. Only for internal use;
legacy references cannot be used by SecPolicy API functions. */
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateItemImplInstance(SecPolicyRef policy);
/* Given a CSSM_OID pointer, return a string which can be passed
to SecPolicyCreateWithProperties. The return value can be NULL
if no supported policy was found for the OID argument. */
__nullable
CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid)
API_DEPRECATED("No longer supported", macos(10.5,10.14));
/*!
@function SecPolicyCreateAppleTimeStampingAndRevocationPolicies
@abstract Create timeStamping policy array from a given set of policies by applying identical revocation behavior
@param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef
@discussion This function is deprecated in macOS 10.13 and later. Your code should call SecPolicyCreateAppleTimeStamping
and SecPolicyCreateRevocation instead to obtain these policies, then insert them into an array as needed.
*/
__nullable CF_RETURNS_RETAINED
CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray)
__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_10, __MAC_10_13, __IPHONE_NA, __IPHONE_NA);
#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */
/* MARK: WARNING: The following constants and functions are for project use
* within the Security project and are subject to change without warning */
/*!
@enum Policy Check Keys
@discussion Keys that represent various checks that can be done in a trust
policy. Use outside of the Security project at your own peril.
*/
extern const CFStringRef kSecPolicyCheckAnchorApple;
extern const CFStringRef kSecPolicyCheckAnchorSHA256;
extern const CFStringRef kSecPolicyCheckAnchorTrusted;
extern const CFStringRef kSecPolicyCheckBasicCertificateProcessing;
extern const CFStringRef kSecPolicyCheckBasicConstraints;
extern const CFStringRef kSecPolicyCheckBasicConstraintsCA;
extern const CFStringRef kSecPolicyCheckBasicConstraintsPathLen;
extern const CFStringRef kSecPolicyCheckBlackListedKey;
extern const CFStringRef kSecPolicyCheckBlackListedLeaf;
extern const CFStringRef kSecPolicyCheckCertificatePolicy;
extern const CFStringRef kSecPolicyCheckChainLength;
extern const CFStringRef kSecPolicyCheckCriticalExtensions;
extern const CFStringRef kSecPolicyCheckCTRequired;
extern const CFStringRef kSecPolicyCheckDuplicateExtension;
extern const CFStringRef kSecPolicyCheckEAPTrustedServerNames;
extern const CFStringRef kSecPolicyCheckEmail;
extern const CFStringRef kSecPolicyCheckExtendedKeyUsage;
extern const CFStringRef kSecPolicyCheckExtendedValidation;
extern const CFStringRef kSecPolicyCheckGrayListedKey;
extern const CFStringRef kSecPolicyCheckGrayListedLeaf;
extern const CFStringRef kSecPolicyCheckLeafSPKISHA256;
extern const CFStringRef kSecPolicyCheckIdLinkage;
extern const CFStringRef kSecPolicyCheckIntermediateCountry;
extern const CFStringRef kSecPolicyCheckIntermediateEKU;
extern const CFStringRef kSecPolicyCheckIntermediateMarkerOid;
extern const CFStringRef kSecPolicyCheckIntermediateMarkerOidWithoutValueCheck;
extern const CFStringRef kSecPolicyCheckIntermediateOrganization;
extern const CFStringRef kSecPolicyCheckIntermediateSPKISHA256;
extern const CFStringRef kSecPolicyCheckCAspkiSHA256;
extern const CFStringRef kSecPolicyCheckIssuerCommonName;
extern const CFStringRef kSecPolicyCheckIssuerPolicyConstraints;
extern const CFStringRef kSecPolicyCheckIssuerNameConstraints;
extern const CFStringRef kSecPolicyCheckKeySize;
extern const CFStringRef kSecPolicyCheckKeyUsage;
extern const CFStringRef kSecPolicyCheckLeafMarkerOid;
extern const CFStringRef kSecPolicyCheckLeafMarkerOidWithoutValueCheck;
extern const CFStringRef kSecPolicyCheckLeafMarkersProdAndQA;
extern const CFStringRef kSecPolicyCheckMissingIntermediate;
extern const CFStringRef kSecPolicyCheckNameConstraints;
extern const CFStringRef kSecPolicyCheckNoNetworkAccess;
extern const CFStringRef kSecPolicyCheckNonEmptySubject;
extern const CFStringRef kSecPolicyCheckNonTlsCTRequired;
extern const CFStringRef kSecPolicyCheckNotCA;
extern const CFStringRef kSecPolicyCheckNotValidBefore;
extern const CFStringRef kSecPolicyCheckPinningRequired;
extern const CFStringRef kSecPolicyCheckPolicyConstraints;
extern const CFStringRef kSecPolicyCheckRevocation;
extern const CFStringRef kSecPolicyCheckRevocationIfTrusted;
extern const CFStringRef kSecPolicyCheckRevocationOnline;
extern const CFStringRef kSecPolicyCheckRevocationResponseRequired;
extern const CFStringRef kSecPolicyCheckSSLHostname;
extern const CFStringRef kSecPolicyCheckServerAuthEKU;
extern const CFStringRef kSecPolicyCheckSignatureHashAlgorithms;
extern const CFStringRef kSecPolicyCheckSubjectCommonName;
extern const CFStringRef kSecPolicyCheckSubjectCommonNamePrefix;
extern const CFStringRef kSecPolicyCheckSubjectCommonNameTEST;
extern const CFStringRef kSecPolicyCheckSubjectOrganization;
extern const CFStringRef kSecPolicyCheckSubjectOrganizationalUnit;
extern const CFStringRef kSecPolicyCheckSystemTrustedCTRequired;
extern const CFStringRef kSecPolicyCheckSystemTrustedWeakHash;
extern const CFStringRef kSecPolicyCheckSystemTrustedWeakKey;
extern const CFStringRef kSecPolicyCheckTemporalValidity;
extern const CFStringRef kSecPolicyCheckUnparseableExtension;
extern const CFStringRef kSecPolicyCheckUsageConstraints;
extern const CFStringRef kSecPolicyCheckValidityPeriodMaximums;
extern const CFStringRef kSecPolicyCheckValidRoot;
extern const CFStringRef kSecPolicyCheckWeakKeySize;
extern const CFStringRef kSecPolicyCheckWeakSignature;
/* Special option for checking Apple Anchors */
extern const CFStringRef kSecPolicyAppleAnchorIncludeTestRoots;
/* Special option for checking Prod and QA Markers */
extern const CFStringRef kSecPolicyLeafMarkerProd;
extern const CFStringRef kSecPolicyLeafMarkerQA;
/* Special option for checking Revocation */
extern const CFStringRef kSecPolicyCheckRevocationOCSP;
extern const CFStringRef kSecPolicyCheckRevocationCRL;
extern const CFStringRef kSecPolicyCheckRevocationAny;
/* Policy Names */
extern const CFStringRef kSecPolicyNameX509Basic;
extern const CFStringRef kSecPolicyNameSSLServer;
extern const CFStringRef kSecPolicyNameSSLClient;
extern const CFStringRef kSecPolicyNameEAPServer;
extern const CFStringRef kSecPolicyNameEAPClient;
extern const CFStringRef kSecPolicyNameIPSecServer;
extern const CFStringRef kSecPolicyNameIPSecClient;
extern const CFStringRef kSecPolicyNameSMIME;
extern const CFStringRef kSecPolicyNameCodeSigning;
extern const CFStringRef kSecPolicyNameTimeStamping;
extern const CFStringRef kSecPolicyNameOCSPSigner;
/*!
@function SecPolicyCreateEscrowServiceIdKeySigning
@abstract Returns a policy object for verifying Escrow Service ID keys.
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to the current Escrow Roots in the OTAPKI asset.
* There are exactly 2 certs in the chain.
* The leaf has KeyUsage with the DigitalSignature bit set.
* CN matching the name generated by escrow service.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreateEscrowServiceIdKeySigning(void)
API_AVAILABLE(macos(10.15.6), ios(13.6));
/*!
@function SecPolicyCreatePCSEscrowServiceIdKeySigning
@abstract Returns a policy object for verifying PCS Escrow Service ID keys.
@discussion The resulting policy uses the Basic X.509 policy with no validity check and
pinning options:
* The chain is anchored to the current Escrow Roots in the OTAPKI asset.
* There are exactly 2 certs in the chain.
* The leaf has KeyUsage with the DigitalSignature bit set.
* CN matching the name generated by escrow service.
@result A policy object. The caller is responsible for calling CFRelease on this when
it is no longer needed.
*/
__nullable CF_RETURNS_RETAINED
SecPolicyRef SecPolicyCreatePCSEscrowServiceIdKeySigning(void)
API_AVAILABLE(macos(10.15.6), ios(13.6));
/*
* MARK: SecPolicyCheckCert functions
*/
bool SecPolicyCheckCertSSLHostname(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertEmail(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertTemporalValidity(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertWeakKeySize(SecCertificateRef cert, CFTypeRef __nullable pvcValue);
bool SecPolicyCheckCertKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertExtendedKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertSubjectCommonName(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertSubjectCommonNamePrefix(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertSubjectCommonNameTEST(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertSubjectOrganization(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertSubjectOrganizationalUnit(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertNotValidBefore(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertEAPTrustedServerNames(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertLeafMarkerOid(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertLeafMarkerOidWithoutValueCheck(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertLeafMarkersProdAndQA(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertNonEmptySubject(SecCertificateRef cert, CFTypeRef __nullable pvcValue);
bool SecPolicyCheckCertKeySize(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertWeakSignature(SecCertificateRef cert, CFTypeRef __nullable pvcValue);
bool SecPolicyCheckCertSignatureHashAlgorithms(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertCertificatePolicy(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertCriticalExtensions(SecCertificateRef cert, CFTypeRef __nullable pvcValue);
bool SecPolicyCheckCertSubjectCountry(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertUnparseableExtension(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertNotCA(SecCertificateRef cert, CFTypeRef pvcValue);
bool SecPolicyCheckCertDuplicateExtension(SecCertificateRef cert, CFTypeRef pvcValue);
void SecPolicySetName(SecPolicyRef policy, CFStringRef policyName);
__nullable CFArrayRef SecPolicyXPCArrayCopyArray(xpc_object_t xpc_policies, CFErrorRef *error);
void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef value);
bool SecDNSIsTLD(CFStringRef reference);
CFDataRef CreateCFDataFromBase64CFString(CFStringRef base64string);
CFArrayRef parseNSPinnedDomains(CFDictionaryRef nsPinnedDomainsDict, CFStringRef hostName, CFStringRef nsPinnedIdentityType);
void SecPolicyReconcilePinningRequiredIfInfoSpecified(CFMutableDictionaryRef options);
CF_IMPLICIT_BRIDGING_DISABLED
CF_ASSUME_NONNULL_END
__END_DECLS
#endif /* !_SECURITY_SECPOLICYPRIV_H_ */