/*
 * Copyright (c) 2004-2011 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * dotMacTp.h - private SPI for .mac TP
 *
 * Declares the constants, flags and request structures a caller passes to
 * the .mac Trust Policy module through CSSM_TP_SubmitCredRequest(): cert
 * signing requests, cert lookups and archive (PKCS12) store/fetch/list.
 * Everything here is interface: the macro values and struct layouts are
 * shared with the TP implementation and (for the URL pieces) with the
 * server, so they are documented rather than changed.
 */

/*
 * NOTE(review): an identifier beginning with an underscore followed by an
 * uppercase letter is reserved for the implementation (C11 7.1.3). The
 * guard name is left unchanged here because other headers may test it.
 */
#ifndef _DOT_MAC_TP_H_
#define _DOT_MAC_TP_H_

#include <Security/cssmtype.h>
#include <Security/x509defs.h>
#include <Security/oidsalg.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Some hard-coded constants related to .mac Cert acquisition.
 *
 * NOTE(review): a 1024-bit RSA key and a SHA-1-with-RSA CSR signature are
 * weaker than current guidance. These values are part of the protocol
 * contract with the signing server, so raising them is a server-side
 * question rather than a local edit; new code should not copy them.
 */
#define DOT_MAC_KEY_ALG                 CSSM_ALGID_RSA              /* alg of the key */
#define DOT_MAC_KEY_SIZE                1024                        /* key size in bits */
#define DOT_MAC_CSR_SIGNATURE_ALGID     CSSM_ALGID_SHA1WithRSA      /* sig alg of the CSR */
#define DOT_MAC_CSR_SIGNATURE_ALGOID    CSSMOID_SHA1WithRSA         /* ditto */
#define DOT_MAC_DOMAIN                  "mac.com"

/*
 * By default, sign requests go to http://certmgmt.mac.com/sign
 *
 * NOTE(review): unlike the archive endpoint below, the default sign
 * scheme is plain http, so whatever the sign request carries (the request
 * struct includes a password field) would be unprotected on the wire
 * unless the TP substitutes a different transport — confirm against the
 * TP implementation before relying on this default.
 */
#define DOT_MAC_SIGN_SCHEMA             "http://"
#define DOT_MAC_SIGN_HOST_NAME          "certmgmt"                  /* default server */
#define DOT_MAC_SIGN_PATH               "/signing"

/* By default, archive requests go to https://certmgmt.mac.com/archive (<rdar://7557730>) */
#define DOT_MAC_ARCHIVE_SCHEMA          "https://"
#define DOT_MAC_ARCHIVE_HOST_NAME       "certmgmt"                  /* default server */
#define DOT_MAC_ARCHIVE_PATH            "/archive"

/* Certificate Type Tags, as seen in the XMLRPC interface */
#define DOT_MAC_CERT_TYPE_ICHAT             "iChat"
#define DOT_MAC_CERT_TYPE_SHARED_SERVICES   "dmSharedServices"
#define DOT_MAC_CERT_TYPE_EMAIL_SIGNING     "dmEmailSigning"
#define DOT_MAC_CERT_TYPE_EMAIL_ENCRYPT     "dmEmailEncryption"

/* By default, lookup requests go to http://certinfo.mac.com/ */
#define DOT_MAC_LOOKUP_SCHEMA           "http://"
#define DOT_MAC_LOOKUP_HOST_NAME        "certinfo"                  /* default server */

/*
 * Paths for per-cert-type lookups.
 * These are for backwards compatibility, not used in Treadstone.
 */
#define DOT_MAC_LOOKUP_ID_PATH          "/locate?ichat?"
#define DOT_MAC_LOOKUP_SIGN_PATH        "/lookup/email?"
#define DOT_MAC_LOOKUP_ENCRYPT_PATH     "/lookup/emailencrypt?"

/*
 * Cert lookup, Treadstone form.
 * The full URL is of the form
 *    http://certinfo.mac.com/locate?accountName&type=certType
 *
 * E.g.
 *    http://certinfo.mac.com/locate?foobar&type=dmSharedServices
 *
 * NOTE(review): the user name is spliced straight into the query string.
 * This header does not say whether the TP URL-encodes it first; a caller
 * that accepts the name from an untrusted source should check that in the
 * TP rather than assume it.
 */
#define DOT_MAC_LOOKUP_PATH             "/locate?"
/* then user name */
#define DOT_MAC_LOOKUP_TYPE             "&type="
/* then cert type tag string */

/* optional lookup arguments */
#define DOT_MAC_LOOKUP_INCLUDE          "&include="
#define DOT_MAC_LOOKUP_INCLUDE_EXPIRED  "expired"
#define DOT_MAC_LOOKUP_INCLUDE_REVOKED  "revoked"
#define DOT_MAC_LOOKUP_INCLUDE_ALL      "all"

/*
 * Contents of CSSM_APPLE_DOTMAC_TP_CERT_REQUEST.flags.
 * Each value is a distinct bit, so they may be OR'd together.
 */
enum {
    /*
     * Do not post the actual request. Generally used in conjunction with
     * CSSM_DOTMAC_TP_RETURN_CSR.
     */
    CSSM_DOTMAC_TP_DO_NOT_POST      = 0x00000001,

    /*
     * Return the generated CSR in CSSM_APPLE_DOTMAC_TP_CERT_REQUEST.Csr.
     */
    CSSM_DOTMAC_TP_RETURN_CSR       = 0x00000002,

    /*
     * Post a renew request instead of new.
     */
    CSSM_DOTMAC_TP_SIGN_RENEW       = 0x00000004,

    /*
     * Use existing CSR from CSSM_APPLE_DOTMAC_TP_CERT_REQUEST.Csr.
     */
    CSSM_DOTMAC_TP_EXIST_CSR        = 0x00000008,

    /*
     * Ask the server if a request is pending; for lookup only.
     * When set, just does a query, doesn't return any data.
     */
    CSSM_DOTMAC_TP_IS_REQ_PENDING   = 0x00000010
};

/* version of CSSM_APPLE_DOTMAC_TP_CERT_REQUEST */
#define CSSM_DOT_MAC_TP_REQ_VERSION     0

/*
 * Cert request passed to CSSM_TP_SubmitCredRequest() in the
 * CSSM_TP_AUTHORITY_REQUEST_TYPE.Requests field.
 *
 * The struct is a plain C layout shared with the TP; field order is ABI.
 */
typedef struct {
    uint32                          version;            // CSSM_DOT_MAC_TP_REQ_VERSION
    CSSM_CSP_HANDLE                 cspHand;            // sign with this CSP
    CSSM_CL_HANDLE                  clHand;             // and this CL
    uint32                          numTypeValuePairs;  // size of typeValuePairs[]
    CSSM_X509_TYPE_VALUE_PAIR_PTR   typeValuePairs;     // user name, etc.
    CSSM_KEY                        *publicKey;         // included in CSR
    CSSM_KEY                        *privateKey;        // signs the CSR
    CSSM_DATA                       userName;           // UTF8 encoded user name
    CSSM_DATA                       password;           // UTF8 encoded password
                                                        // NOTE(review): secret material; the caller
                                                        // owns the referent and should wipe it once
                                                        // the request has been submitted
    uint32                          flags;              // OR of CSSM_DOTMAC_TP_* flag bits above
    CSSM_DATA                       csr;                // optional in/out: input with
                                                        // CSSM_DOTMAC_TP_EXIST_CSR, output with
                                                        // CSSM_DOTMAC_TP_RETURN_CSR
} CSSM_APPLE_DOTMAC_TP_CERT_REQUEST;

/*
 * Additional CSSM_TP_AUTHORITY_REQUEST_TYPE values
 */
#define CSSM_TP_AUTHORITY_REQUEST_PRIVATE   0x80000000
enum
{
    /* cert lookup, using userName in a CSSM_APPLE_DOTMAC_TP_CERT_REQUEST */
    CSSM_TP_AUTHORITY_REQUEST_CERTLOOKUP = CSSM_TP_AUTHORITY_REQUEST_PRIVATE + 0
};

/* Cert type, analogous to CertTypeTag in the Treadstone spec */
#define CSSM_DOT_MAC_TYPE_UNSPECIFIED       0
#define CSSM_DOT_MAC_TYPE_ICHAT             1
#define CSSM_DOT_MAC_TYPE_SHARED_SERVICES   2
#define CSSM_DOT_MAC_TYPE_EMAIL_ENCRYPT     3
#define CSSM_DOT_MAC_TYPE_EMAIL_SIGNING     4

/* Holds one of the CSSM_DOT_MAC_TYPE_* values above */
typedef uint32 DotMacCertTypeTag;

/*
 * An archive List operation returns an array of these in the
 * CSSM_APPLE_DOTMAC_TP_ARCHIVE_REQUEST.list field. Caller must
 * free all contents, including the array itself, with its
 * CSSM-registered free() callback.
 */
typedef struct {
    CSSM_DATA           archiveName;    // UTF8 encoded archive name
    CSSM_DATA           timeString;     // UNIX timestring
} DotMacArchive;

/*
 * Archive format for CSSM_DOT_MAC_TP_ARCHIVE_REQ_VERSION_2.
 * Since this is allocated and returned, we can't just have a
 * version in the DotMacArchive struct.
 *
 * The first two fields match DotMacArchive; the v2 additions follow.
 * Same ownership rule as DotMacArchive: caller frees via the
 * CSSM-registered free() callback.
 */
typedef struct {
    CSSM_DATA           archiveName;    // UTF8 encoded archive name
    CSSM_DATA           timeString;     // UNIX timestring
    DotMacCertTypeTag   certTypeTag;    // iChat, SharedServices, etc.
    CSSM_DATA           serialNumber;   // certificate serial number
} DotMacArchive_v2;

/*
 * Archive request passed to CSSM_TP_SubmitCredRequest() in the
 * CSSM_TP_AUTHORITY_REQUEST_TYPE.Requests field.
 */

/* request version for Tiger and previous */
#define CSSM_DOT_MAC_TP_ARCHIVE_REQ_VERSION     0
#define CSSM_DOT_MAC_TP_ARCHIVE_REQ_VERSION_v1  0
/* request version for Leopard with the Treadstone XMLRPC */
#define CSSM_DOT_MAC_TP_ARCHIVE_REQ_VERSION_v2  1

typedef struct {
    uint32              version;        // CSSM_DOT_MAC_TP_ARCHIVE_REQ_VERSION[_v2]
    CSSM_DATA           userName;       // UTF8 encoded user name required for all
    CSSM_DATA           password;       // UTF8 encoded password required for all
                                        // NOTE(review): secret material; caller should wipe
                                        // the referent after the call
    CSSM_DATA           archiveName;    // UTF8 encoded archive name: store, fetch, remove
    CSSM_DATA           timeString;     // UNIX timestring, store only

    /*
     * On archive store, caller places the PKCS12 PFX to store here.
     * On archive fetch, the fetched PKCS12 PFX is returned here. App must free
     * the referent data via the CSSM-registered free() callback.
     *
     * NOTE(review): the PFX contains private key material, so the fetched
     * referent should be treated as a secret and wiped before it is freed.
     */
    CSSM_DATA           pfx;

    /*
     * Archive list only: see comments above for DotMacArchive
     * *archives is returned for a version 0 archive request;
     * *archives_v2 is returned for subsequent requests.
     */
    unsigned            numArchives;    // NOTE(review): plain unsigned where the other
                                        // counts use uint32; left as-is since it is ABI
    DotMacArchive       *archives;

    /*
     * remainder added for CSSM_DOT_MAC_TP_ARCHIVE_REQ_VERSION_v2
     * (appended after the original fields, presumably so the version-0
     * layout stays a prefix of this one — the TP must still check
     * `version` before touching these)
     */
    DotMacArchive_v2    *archives_v2;
    DotMacCertTypeTag   certTypeTag;
    CSSM_DATA           serialNumber;   // cert serial number, store only

} CSSM_APPLE_DOTMAC_TP_ARCHIVE_REQUEST;

#ifdef __cplusplus
}
#endif

#endif /* _DOT_MAC_TP_H_ */