1 {
2  * Copyright (c) 2002-2010,2012-2013 Apple Inc. All Rights Reserved.
3  *
4  * @APPLE_LICENSE_HEADER_START@
5  *
6  * This file contains Original Code and/or Modifications of Original Code
7  * as defined in and that are subject to the Apple Public Source License
8  * Version 2.0 (the 'License'). You may not use this file except in
9  * compliance with the License. Please obtain a copy of the License at
10  * http://www.opensource.apple.com/apsl/ and read it before using this
11  * file.
12  *
13  * The Original Code and all software distributed under the License are
14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18  * Please see the License for the specific language governing rights and
19  * limitations under the License.
20  *
21  * @APPLE_LICENSE_HEADER_END@
22  }
23 {  Pascal Translation Updated:  Jonas Maebe, <jonas@freepascal.org>, September 2010 }
24 {  Pascal Translation Update: Jonas Maebe <jonas@freepascal.org>, October 2012 }
25 {  Pascal Translation Update: Jonas Maebe <jonas@freepascal.org>, August 2015 }
26 {
27     Modified for use with Free Pascal
28     Version 308
29     Please report any bugs to <gpc@microbizz.nl>
30 }
31 
32 {$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
33 {$mode macpas}
34 {$modeswitch cblocks}
35 {$packenum 1}
36 {$macro on}
37 {$inline on}
38 {$calling mwpascal}
39 
40 unit SecTrust;
41 interface
42 {$setc UNIVERSAL_INTERFACES_VERSION := $0400}
43 {$setc GAP_INTERFACES_VERSION := $0308}
44 
45 {$ifc not defined USE_CFSTR_CONSTANT_MACROS}
46     {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
47 {$endc}
48 
49 {$ifc defined CPUPOWERPC and defined CPUI386}
50 	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
51 {$endc}
52 {$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
53 	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
54 {$endc}
55 
56 {$ifc not defined __ppc__ and defined CPUPOWERPC32}
57 	{$setc __ppc__ := 1}
58 {$elsec}
59 	{$setc __ppc__ := 0}
60 {$endc}
61 {$ifc not defined __ppc64__ and defined CPUPOWERPC64}
62 	{$setc __ppc64__ := 1}
63 {$elsec}
64 	{$setc __ppc64__ := 0}
65 {$endc}
66 {$ifc not defined __i386__ and defined CPUI386}
67 	{$setc __i386__ := 1}
68 {$elsec}
69 	{$setc __i386__ := 0}
70 {$endc}
71 {$ifc not defined __x86_64__ and defined CPUX86_64}
72 	{$setc __x86_64__ := 1}
73 {$elsec}
74 	{$setc __x86_64__ := 0}
75 {$endc}
76 {$ifc not defined __arm__ and defined CPUARM}
77 	{$setc __arm__ := 1}
78 {$elsec}
79 	{$setc __arm__ := 0}
80 {$endc}
81 {$ifc not defined __arm64__ and defined CPUAARCH64}
82   {$setc __arm64__ := 1}
83 {$elsec}
84   {$setc __arm64__ := 0}
85 {$endc}
86 
87 {$ifc defined cpu64}
88   {$setc __LP64__ := 1}
89 {$elsec}
90   {$setc __LP64__ := 0}
91 {$endc}
92 
93 
94 {$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
95 	{$error Conflicting definitions for __ppc__ and __i386__}
96 {$endc}
97 
98 {$ifc defined __ppc__ and __ppc__}
99 	{$setc TARGET_CPU_PPC := TRUE}
100 	{$setc TARGET_CPU_PPC64 := FALSE}
101 	{$setc TARGET_CPU_X86 := FALSE}
102 	{$setc TARGET_CPU_X86_64 := FALSE}
103 	{$setc TARGET_CPU_ARM := FALSE}
104 	{$setc TARGET_CPU_ARM64 := FALSE}
105 	{$setc TARGET_OS_MAC := TRUE}
106 	{$setc TARGET_OS_IPHONE := FALSE}
107 	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
108 	{$setc TARGET_OS_EMBEDDED := FALSE}
109 {$elifc defined __ppc64__ and __ppc64__}
110 	{$setc TARGET_CPU_PPC := FALSE}
111 	{$setc TARGET_CPU_PPC64 := TRUE}
112 	{$setc TARGET_CPU_X86 := FALSE}
113 	{$setc TARGET_CPU_X86_64 := FALSE}
114 	{$setc TARGET_CPU_ARM := FALSE}
115 	{$setc TARGET_CPU_ARM64 := FALSE}
116 	{$setc TARGET_OS_MAC := TRUE}
117 	{$setc TARGET_OS_IPHONE := FALSE}
118 	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
119 	{$setc TARGET_OS_EMBEDDED := FALSE}
120 {$elifc defined __i386__ and __i386__}
121 	{$setc TARGET_CPU_PPC := FALSE}
122 	{$setc TARGET_CPU_PPC64 := FALSE}
123 	{$setc TARGET_CPU_X86 := TRUE}
124 	{$setc TARGET_CPU_X86_64 := FALSE}
125 	{$setc TARGET_CPU_ARM := FALSE}
126 	{$setc TARGET_CPU_ARM64 := FALSE}
127 {$ifc defined iphonesim}
128  	{$setc TARGET_OS_MAC := FALSE}
129 	{$setc TARGET_OS_IPHONE := TRUE}
130 	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
131 {$elsec}
132 	{$setc TARGET_OS_MAC := TRUE}
133 	{$setc TARGET_OS_IPHONE := FALSE}
134 	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
135 {$endc}
136 	{$setc TARGET_OS_EMBEDDED := FALSE}
137 {$elifc defined __x86_64__ and __x86_64__}
138 	{$setc TARGET_CPU_PPC := FALSE}
139 	{$setc TARGET_CPU_PPC64 := FALSE}
140 	{$setc TARGET_CPU_X86 := FALSE}
141 	{$setc TARGET_CPU_X86_64 := TRUE}
142 	{$setc TARGET_CPU_ARM := FALSE}
143 	{$setc TARGET_CPU_ARM64 := FALSE}
144 {$ifc defined iphonesim}
145  	{$setc TARGET_OS_MAC := FALSE}
146 	{$setc TARGET_OS_IPHONE := TRUE}
147 	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
148 {$elsec}
149 	{$setc TARGET_OS_MAC := TRUE}
150 	{$setc TARGET_OS_IPHONE := FALSE}
151 	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
152 {$endc}
153 	{$setc TARGET_OS_EMBEDDED := FALSE}
154 {$elifc defined __arm__ and __arm__}
155 	{$setc TARGET_CPU_PPC := FALSE}
156 	{$setc TARGET_CPU_PPC64 := FALSE}
157 	{$setc TARGET_CPU_X86 := FALSE}
158 	{$setc TARGET_CPU_X86_64 := FALSE}
159 	{$setc TARGET_CPU_ARM := TRUE}
160 	{$setc TARGET_CPU_ARM64 := FALSE}
161 	{$setc TARGET_OS_MAC := FALSE}
162 	{$setc TARGET_OS_IPHONE := TRUE}
163 	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
164 	{$setc TARGET_OS_EMBEDDED := TRUE}
165 {$elifc defined __arm64__ and __arm64__}
166 	{$setc TARGET_CPU_PPC := FALSE}
167 	{$setc TARGET_CPU_PPC64 := FALSE}
168 	{$setc TARGET_CPU_X86 := FALSE}
169 	{$setc TARGET_CPU_X86_64 := FALSE}
170 	{$setc TARGET_CPU_ARM := FALSE}
171 	{$setc TARGET_CPU_ARM64 := TRUE}
172 {$ifc defined ios}
173 	{$setc TARGET_OS_MAC := FALSE}
174 	{$setc TARGET_OS_IPHONE := TRUE}
175 	{$setc TARGET_OS_EMBEDDED := TRUE}
176 {$elsec}
177 	{$setc TARGET_OS_MAC := TRUE}
178 	{$setc TARGET_OS_IPHONE := FALSE}
179 	{$setc TARGET_OS_EMBEDDED := FALSE}
180 {$endc}
181 	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
182 {$elsec}
183 	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ nor __arm64__ is defined.}
184 {$endc}
185 
186 {$ifc defined __LP64__ and __LP64__ }
187   {$setc TARGET_CPU_64 := TRUE}
188 {$elsec}
189   {$setc TARGET_CPU_64 := FALSE}
190 {$endc}
191 
192 {$ifc defined FPC_BIG_ENDIAN}
193 	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
194 	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
195 {$elifc defined FPC_LITTLE_ENDIAN}
196 	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
197 	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
198 {$elsec}
199 	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
200 {$endc}
201 {$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
202 {$setc CALL_NOT_IN_CARBON := FALSE}
203 {$setc OLDROUTINENAMES := FALSE}
204 {$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
205 {$setc OPAQUE_UPP_TYPES := TRUE}
206 {$setc OTCARBONAPPLICATION := TRUE}
207 {$setc OTKERNEL := FALSE}
208 {$setc PM_USE_SESSION_APIS := TRUE}
209 {$setc TARGET_API_MAC_CARBON := TRUE}
210 {$setc TARGET_API_MAC_OS8 := FALSE}
211 {$setc TARGET_API_MAC_OSX := TRUE}
212 {$setc TARGET_CARBON := TRUE}
213 {$setc TARGET_CPU_68K := FALSE}
214 {$setc TARGET_CPU_MIPS := FALSE}
215 {$setc TARGET_CPU_SPARC := FALSE}
216 {$setc TARGET_OS_UNIX := FALSE}
217 {$setc TARGET_OS_WIN32 := FALSE}
218 {$setc TARGET_RT_MAC_68881 := FALSE}
219 {$setc TARGET_RT_MAC_CFM := FALSE}
220 {$setc TARGET_RT_MAC_MACHO := TRUE}
221 {$setc TYPED_FUNCTION_POINTERS := TRUE}
222 {$setc TYPE_BOOL := FALSE}
223 {$setc TYPE_EXTENDED := FALSE}
224 {$setc TYPE_LONGLONG := TRUE}
225 uses MacTypes,SecBase,cssmtype,cssmapple,CFBase,CFArray,CFData,CFDate,CFDictionary;
226 {$endc} {not MACOSALLINCLUDE}
227 
228 
229 {!
230     @header SecTrust
231     The functions and data types in SecTrust implement trust computation
232     and allow the caller to apply trust decisions to the evaluation.
233  }
234 
235 
236 {!
237     @typedef SecTrustResultType
238     @abstract Specifies the trust result type.
239     @discussion SecTrustResultType results have two dimensions.  They specify
    both whether evaluation succeeded and whether this is because of a user
241     decision.  The commonly expected result is kSecTrustResultUnspecified,
242     which indicates a positive result that wasn't decided by the user.  The
243     common failure is kSecTrustResultRecoverableTrustFailure, which means a
244     negative result.  kSecTrustResultProceed and kSecTrustResultDeny are the
245     positive and negative result respectively when decided by the user.  User
246     decisions are persisted through the use of SecTrustCopyExceptions() and
247     SecTrustSetExceptions().  Finally, kSecTrustResultFatalTrustFailure is a
248     negative result that must not be circumvented.
249     @constant kSecTrustResultInvalid Indicates an invalid setting or result.
250     This result usually means that SecTrustEvaluate has not yet been called.
251     @constant kSecTrustResultProceed Indicates you may proceed.  This value
252     may be returned by the SecTrustEvaluate function or stored as part of
253     the user trust settings.
254     @constant kSecTrustResultConfirm Indicates confirmation with the user
255     is required before proceeding.  Important: this value is no longer returned
256     or supported by SecTrustEvaluate or the SecTrustSettings API starting in
257     OS X 10.5; its use is deprecated in OS X 10.9 and later, as well as in iOS.
258     @constant kSecTrustResultDeny Indicates a user-configured deny; do not
259     proceed. This value may be returned by the SecTrustEvaluate function
260     or stored as part of the user trust settings.
261     @constant kSecTrustResultUnspecified Indicates the evaluation succeeded
262     and the certificate is implicitly trusted, but user intent was not
263     explicitly specified.  This value may be returned by the SecTrustEvaluate
264     function or stored as part of the user trust settings.
265     @constant kSecTrustResultRecoverableTrustFailure Indicates a trust policy
266     failure which can be overridden by the user.  This value may be returned
267     by the SecTrustEvaluate function but not stored as part of the user
268     trust settings.
269     @constant kSecTrustResultFatalTrustFailure Indicates a trust failure
270     which cannot be overridden by the user.  This value may be returned by the
271     SecTrustEvaluate function but not stored as part of the user trust
272     settings.
273     @constant kSecTrustResultOtherError Indicates a failure other than that
274     of trust evaluation. This value may be returned by the SecTrustEvaluate
275     function but not stored as part of the user trust settings.
276  }
277 
type
	{ Result of SecTrustEvaluate / SecTrustGetTrustResult.  Only
	  kSecTrustResultProceed and kSecTrustResultUnspecified are positive
	  results (see the discussion above); callers must not treat any other
	  value as "trusted". }
	SecTrustResultType = UInt32;
const
	kSecTrustResultInvalid = 0;                  { not yet evaluated, or parameters changed since }
	kSecTrustResultProceed = 1;                  { positive result decided by the user }
	kSecTrustResultConfirm = 2;                  { no longer returned by SecTrustEvaluate; deprecated }
	kSecTrustResultDeny = 3;                     { negative result decided by the user }
	kSecTrustResultUnspecified = 4;              { positive result without a user decision (the common success) }
	kSecTrustResultRecoverableTrustFailure = 5;  { negative; may be overridden via the exceptions API }
	kSecTrustResultFatalTrustFailure = 6;        { negative; must not be circumvented }
	kSecTrustResultOtherError = 7; (* CF_ENUM_DEPRECATED(10_0, 10_9, NA, NA) *) { failure other than trust evaluation; deprecated }
289 
290 {!
291     @typedef SecTrustRef
292     @abstract CFType used for performing X.509 certificate trust evaluations.
293  }
type
	{ Opaque CFType reference to a trust evaluation object.  Created by
	  SecTrustCreateWithCertificates; carries certificates, policies, anchors,
	  verify date and the last evaluation result. }
	SecTrustRef = ^OpaqueSecTrustRef; { an opaque type }
	{ already defined in SecBase
	__SecTrust = record end; }
298 
299 {!
300     @enum Trust Property Constants
301     @discussion Predefined key constants used to obtain values in a
302         per-certificate dictionary of trust evaluation results,
303         as retrieved from a call to SecTrustCopyProperties.
304     @constant kSecPropertyTypeTitle Specifies a key whose value is a
305         CFStringRef containing the title (display name) of this certificate.
306     @constant kSecPropertyTypeError Specifies a key whose value is a
307         CFStringRef containing the reason for a trust evaluation failure.
308  }
{ Keys into the per-certificate dictionaries returned by SecTrustCopyProperties
  (see "Trust Property Constants" above).  Both values are CFStringRefs. }
var kSecPropertyTypeTitle: CFTypeRef; external name '_kSecPropertyTypeTitle'; (* attribute const *)
(* __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0) *)
var kSecPropertyTypeError: CFTypeRef; external name '_kSecPropertyTypeError'; (* attribute const *)
(* __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0) *)
313 
314 {!
315     @enum Trust Result Constants
316     @discussion Predefined key constants used to obtain values in a
317         dictionary of trust evaluation results for a certificate chain,
318         as retrieved from a call to SecTrustCopyResult.
319     @constant kSecTrustEvaluationDate
320         This key will be present if a trust evaluation has been performed
321         and results are available. Its value is a CFDateRef representing
322         when the evaluation for this trust object took place.
323     @constant kSecTrustExtendedValidation
324         This key will be present and have a value of kCFBooleanTrue
325         if this chain was validated for EV.
326     @constant kSecTrustOrganizationName
327         Organization name field of subject of leaf certificate. This
328         field is meant to be displayed to the user as the validated
329         name of the company or entity that owns the certificate if the
330         kSecTrustExtendedValidation key is present.
331     @constant kSecTrustResultValue
332         This key will be present if a trust evaluation has been performed.
333         Its value is a CFNumberRef representing the SecTrustResultType result
334         for the evaluation.
335     @constant kSecTrustRevocationChecked
336         This key will be present iff this chain had its revocation checked.
337         The value will be a kCFBooleanTrue if revocation checking was
338         successful and none of the certificates in the chain were revoked.
339         The value will be kCFBooleanFalse if no current revocation status
340         could be obtained for one or more certificates in the chain due
341         to connection problems or timeouts.  This is a hint to a client
342         to retry revocation checking at a later time.
343     @constant kSecTrustRevocationValidUntilDate
344         This key will be present iff kSecTrustRevocationChecked has a
345         value of kCFBooleanTrue. The value will be a CFDateRef representing
346         the earliest date at which the revocation info for one of the
347         certificates in this chain might change.
348  }
{ Keys into the dictionary returned by SecTrustCopyResult (see "Trust Result
  Constants" above).  Security note: kSecTrustRevocationChecked = kCFBooleanFalse
  means no current revocation status could be obtained (network problems or
  timeouts), NOT that a certificate was revoked; absence of the key means
  revocation was not checked at all. }
var kSecTrustEvaluationDate: CFTypeRef; external name '_kSecTrustEvaluationDate'; (* attribute const *)
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
var kSecTrustExtendedValidation: CFTypeRef; external name '_kSecTrustExtendedValidation'; (* attribute const *)
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
var kSecTrustOrganizationName: CFTypeRef; external name '_kSecTrustOrganizationName'; (* attribute const *)
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
var kSecTrustResultValue: CFTypeRef; external name '_kSecTrustResultValue'; (* attribute const *)
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
var kSecTrustRevocationChecked: CFTypeRef; external name '_kSecTrustRevocationChecked'; (* attribute const *)
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
var kSecTrustRevocationValidUntilDate: CFTypeRef; external name '_kSecTrustRevocationValidUntilDate'; (* attribute const *)
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
361 
362 
363 {!
364     @function SecTrustGetTypeID
365     @abstract Returns the type identifier of SecTrust instances.
366     @result The CFTypeID of SecTrust instances.
367  }
{ Type identifier of SecTrust instances (compare against CFGetTypeID before
  treating an untyped CFTypeRef as a SecTrustRef). }
function SecTrustGetTypeID: CFTypeID; external name '_SecTrustGetTypeID';
(* __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0) *)
370 
371 {!
372     @function SecTrustCreateWithCertificates
373     @abstract Creates a trust object based on the given certificates and
374     policies.
375     @param certificates The group of certificates to verify.  This can either
376     be a CFArrayRef of SecCertificateRef objects or a single SecCertificateRef
377     @param policies An array of one or more policies. You may pass a
378     SecPolicyRef to represent a single policy.
379     @param trust On return, a pointer to the trust management reference.
380     @result A result code.  See "Security Error Codes" (SecBase.h).
381     @discussion If multiple policies are passed in, all policies must verify
382     for the chain to be considered valid.
383  }
{ certificates: a single SecCertificateRef or a CFArray of them; policies: a
  single SecPolicyRef or a CFArray (all must pass for the chain to be valid).
  Note the Pascal parameter is named trustref (the C header calls it trust).
  Creating the object performs no evaluation: the result stays
  kSecTrustResultInvalid until SecTrustEvaluate is called. }
function SecTrustCreateWithCertificates( certificates: CFTypeRef; policies: CFTypeRef; var trustref: SecTrustRef ): OSStatus; external name '_SecTrustCreateWithCertificates';
(* __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0) *)
386 
387 {!
388     @function SecTrustSetPolicies
389     @abstract Set the policies for which trust should be verified.
390     @param trust A trust reference.
391     @param policies An array of one or more policies. You may pass a
392     SecPolicyRef to represent a single policy.
393     @result A result code. See "Security Error Codes" (SecBase.h).
394     @discussion This function will invalidate the existing trust result,
395     requiring a fresh evaluation for the newly-set policies.
396  }
{ Replaces the policies of an existing trust object.  Invalidates any prior
  evaluation result, so SecTrustEvaluate must be called again before the
  object's result is relied upon. }
function SecTrustSetPolicies( trust: SecTrustRef; policies: CFTypeRef ): OSStatus; external name '_SecTrustSetPolicies';
(* __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_6_0) *)
399 
400 {!
401     @function SecTrustCopyPolicies
402     @abstract Returns an array of policies used for this evaluation.
403     @param trust  A reference to a trust object.
404     @param policies On return, an array of policies used by this trust.
405     Call the CFRelease function to release this reference.
406     @result A result code. See "Security Error Codes" (SecBase.h).
407  }
{ policies: on success receives an array owned by the caller (CFRelease it). }
function SecTrustCopyPolicies( trust: SecTrustRef; var policies: CFArrayRef ): OSStatus; external name '_SecTrustCopyPolicies';
(* __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_7_0) *)
410 
411 {!
412     @function SecTrustSetNetworkFetchAllowed
413     @abstract Specifies whether a trust evaluation is permitted to fetch missing
414     intermediate certificates from the network.
415     @param trust A trust reference.
416     @param allowFetch If true, and a certificate's issuer is not present in the
417     trust reference but its network location is known, the evaluation is permitted
418     to attempt to download it automatically. Pass false to disable network fetch
419     for this trust evaluation.
420     @result A result code. See "Security Error Codes" (SecBase.h).
421     @discussion By default, network fetch of missing certificates is enabled if
422     the trust evaluation includes the SSL policy, otherwise it is disabled.
423  }
{ Enables/disables downloading of missing intermediate certificates during
  evaluation.  Default: enabled only when the trust includes the SSL policy.
  NOTE(review): with fetch disabled, an intermediate not supplied in the
  trust object presumably cannot be obtained and the chain may not reach an
  anchor - callers should supply the full chain in that case (confirm against
  the evaluation semantics). }
function SecTrustSetNetworkFetchAllowed( trust: SecTrustRef; allowFetch: Boolean ): OSStatus; external name '_SecTrustSetNetworkFetchAllowed';
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
426 
427 {!
428     @function SecTrustGetNetworkFetchAllowed
429     @abstract Returns whether a trust evaluation is permitted to fetch missing
430     intermediate certificates from the network.
431     @param trust A trust reference.
432     @param allowFetch On return, the boolean pointed to by this parameter is
433     set to true if the evaluation is permitted to download missing certificates.
434     @result A result code. See "Security Error Codes" (SecBase.h).
435     @discussion By default, network fetch of missing certificates is enabled if
436     the trust evaluation includes the SSL policy, otherwise it is disabled.
437  }
{ allowFetch: on return, true if evaluation may download missing certificates
  (default depends on whether the SSL policy is present; see above). }
function SecTrustGetNetworkFetchAllowed( trust: SecTrustRef; var allowFetch: Boolean ): OSStatus; external name '_SecTrustGetNetworkFetchAllowed';
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
440 
441 {!
442     @function SecTrustSetAnchorCertificates
443     @abstract Sets the anchor certificates for a given trust.
444     @param trust A reference to a trust object.
445     @param anchorCertificates An array of anchor certificates.
446     @result A result code.  See "Security Error Codes" (SecBase.h).
447     @discussion Calling this function without also calling
448     SecTrustSetAnchorCertificatesOnly() will disable trusting any
449     anchors other than the ones in anchorCertificates.
450  }
{ Security note: after this call ONLY the supplied anchors are trusted unless
  SecTrustSetAnchorCertificatesOnly(trust, false) is also called (see the
  discussion above).  This is the entry point for restricting trust to a
  private or pinned set of roots. }
function SecTrustSetAnchorCertificates( trust: SecTrustRef; anchorCertificates: CFArrayRef ): OSStatus; external name '_SecTrustSetAnchorCertificates';
(* __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0) *)
453 
454 {!
455     @function SecTrustSetAnchorCertificatesOnly
    @abstract Controls whether the built-in anchor certificates are trusted in
    addition to those passed in via the SecTrustSetAnchorCertificates API.
458     @param trust A reference to a trust object.
459     @param anchorCertificatesOnly If true, disables trusting any anchors other
460     than the ones passed in via SecTrustSetAnchorCertificates().  If false,
461     the built in anchor certificates are also trusted.
462     @result A result code.  See "Security Error Codes" (SecBase.h).
463  }
{ anchorCertificatesOnly = true: trust only the anchors given to
  SecTrustSetAnchorCertificates; false: additionally trust the built-in
  anchors.  Security note: passing false widens the trust set back to the
  system roots, so pinning callers should leave this true (the default
  after SecTrustSetAnchorCertificates). }
function SecTrustSetAnchorCertificatesOnly( trust: SecTrustRef; anchorCertificatesOnly: Boolean ): OSStatus; external name '_SecTrustSetAnchorCertificatesOnly';
(* __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0) *)
466 
467 {!
468     @function SecTrustCopyCustomAnchorCertificates
469     @abstract Returns an array of custom anchor certificates used by a given
470     trust, as set by a prior call to SecTrustSetAnchorCertificates, or NULL if
471     no custom anchors have been specified.
472     @param trust  A reference to a trust object.
473     @param anchors On return, an array of custom anchor certificates (roots)
474     used by this trust, or NULL if no custom anchors have been specified. Call
475     the CFRelease function to release this reference.
476     @result A result code. See "Security Error Codes" (SecBase.h).
477  }
{ anchors: on return the custom anchors set earlier, or NULL when none were
  set - check for NULL before use.  Caller releases a non-NULL array. }
function SecTrustCopyCustomAnchorCertificates( trust: SecTrustRef; var anchors: CFArrayRef ): OSStatus; external name '_SecTrustCopyCustomAnchorCertificates';
(* __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_7_0) *)
480 
481 {!
482     @function SecTrustSetVerifyDate
483     @abstract Set the date for which the trust should be verified.
484     @param trust A reference to a trust object.
485     @param verifyDate The date for which to verify trust.
486     @result A result code.  See "Security Error Codes" (SecBase.h).
487     @discussion This function lets you evaluate certificate validity for a
488     given date (for example, to determine if a signature was valid on the date
489     it was signed, even if the certificate has since expired.) If this function
490     is not called, the time at which SecTrustEvaluate() is called is used
491     implicitly as the verification time.
492  }
{ Security note: a verify date in the past lets certificates that have since
  expired evaluate successfully (intended for checking historical signatures).
  For live connections leave this unset so the time of SecTrustEvaluate is
  used. }
function SecTrustSetVerifyDate( trust: SecTrustRef; verifyDate: CFDateRef ): OSStatus; external name '_SecTrustSetVerifyDate';
(* __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0) *)
495 
496 {!
497     @function SecTrustGetVerifyTime
498     @abstract Returns the verify time.
499     @param trust A reference to the trust object being verified.
500     @result A CFAbsoluteTime value representing the time at which certificates
501     should be checked for validity.
502     @discussion This function retrieves the verification time for the given
503     trust reference, as set by a prior call to SecTrustSetVerifyDate(). If the
504     verification time has not been set, this function returns a value of 0,
505     indicating that the current date/time is implicitly used for verification.
506  }
{ Returns the verify time set via SecTrustSetVerifyDate, or 0 when none was
  set (meaning the current time is used implicitly). }
function SecTrustGetVerifyTime( trust: SecTrustRef ): CFAbsoluteTime; external name '_SecTrustGetVerifyTime';
(* __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0) *)
509 
510 {!
511     @function SecTrustEvaluate
512     @abstract Evaluates a trust reference synchronously.
513     @param trust A reference to the trust object to evaluate.
514     @param result A pointer to a result type.
515     @result A result code. See "Security Error Codes" (SecBase.h).
516     @discussion This function will completely evaluate trust before returning,
517     possibly including network access to fetch intermediate certificates or to
518     perform revocation checking. Since this function can block during those
519     operations, you should call it from within a function that is placed on a
520     dispatch queue, or in a separate thread from your application's main
521     run loop. Alternatively, you can use the SecTrustEvaluateAsync function.
522  }
{ Synchronous evaluation; may block on network access (intermediate fetch,
  revocation).  Callers must check BOTH the OSStatus and the result value,
  and proceed only on kSecTrustResultProceed or kSecTrustResultUnspecified. }
function SecTrustEvaluate( trust: SecTrustRef; var result: SecTrustResultType ): OSStatus; external name '_SecTrustEvaluate';
(* __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0) *)
525 
526 
527 {!
528     @function SecTrustGetTrustResult
529     @param trust A reference to a trust object.
530     @param result A pointer to the result from the most recent call to
531     SecTrustEvaluate for this trust reference. If SecTrustEvaluate has not been
532     called or trust parameters have changed, the result is kSecTrustResultInvalid.
533     @result A result code. See "Security Error Codes" (SecBase.h).
534     @discussion This function replaces SecTrustGetResult for the purpose of
535     obtaining the current evaluation result of a given trust reference.
536  }
{ Returns the most recent evaluation result without re-evaluating; result is
  kSecTrustResultInvalid if SecTrustEvaluate was never called or trust
  parameters changed since. }
function SecTrustGetTrustResult( trust: SecTrustRef; var result: SecTrustResultType ): OSStatus; external name '_SecTrustGetTrustResult';
(* __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0) *)
539 
540 {!
541     @function SecTrustCopyPublicKey
542     @abstract Return the public key for a leaf certificate after it has
543     been evaluated.
544     @param trust A reference to the trust object which has been evaluated.
    @result The certificate's public key, or NULL if the public key could
    not be extracted (this can happen with DSA certificate chains if the
547     parameters in the chain cannot be found).  The caller is responsible
548     for calling CFRelease on the returned key when it is no longer needed.
549  }
{ Leaf certificate's public key, for an already-evaluated trust.  May return
  NULL; a non-NULL key is owned by the caller (CFRelease).  Security note:
  obtaining the key says nothing about trust - check the evaluation result
  before using it. }
function SecTrustCopyPublicKey( trust: SecTrustRef ): SecKeyRef; external name '_SecTrustCopyPublicKey';
(* __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0) *)
552 
553 {!
554     @function SecTrustGetCertificateCount
555     @abstract Returns the number of certificates in an evaluated certificate
556     chain.
557     @param trust A reference to a trust object.
558     @result The number of certificates in the trust chain, including the anchor.
559     @discussion Important: if the trust reference has not yet been evaluated,
560     this function will evaluate it first before returning. If speed is critical,
561     you may want to call SecTrustGetTrustResult first to make sure that a
562     result other than kSecTrustResultInvalid is present for the trust object.
563  }
{ Number of certificates in the chain, anchor included.  Evaluates the trust
  first if it has not been evaluated - so, like SecTrustEvaluate, this call
  may block on network access. }
function SecTrustGetCertificateCount( trust: SecTrustRef ): CFIndex; external name '_SecTrustGetCertificateCount';
(* __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0) *)
566 
567 {!
568     @function SecTrustGetCertificateAtIndex
569     @abstract Returns a certificate from the trust chain.
570     @param trust Reference to a trust object.
571     @param ix The index of the requested certificate.  Indices run from 0
572     (leaf) to the anchor (or last certificate found if no anchor was found).
573     The leaf cert (index 0) is always present regardless of whether the trust
574     reference has been evaluated or not.
575     @result A SecCertificateRef for the requested certificate.
576  }
{ ix runs from 0 (leaf) up to SecTrustGetCertificateCount - 1 (anchor, or last
  certificate found).  Get-style accessor: presumably the returned reference
  is not owned by the caller (do not CFRelease it) - confirm against the
  CF ownership convention. }
function SecTrustGetCertificateAtIndex( trust: SecTrustRef; ix: CFIndex ): SecCertificateRef; external name '_SecTrustGetCertificateAtIndex';
(* __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0) *)
579 
580 {!
581     @function SecTrustCopyExceptions
    @abstract Returns an opaque cookie which will allow future evaluations
    of the current certificate to succeed despite the errors present when
    the cookie was created.
584     @param trust A reference to an evaluated trust object.
585     @result An opaque cookie which when passed to SecTrustSetExceptions() will
586     cause a call to SecTrustEvaluate() return kSecTrustResultProceed.  This
587     will happen upon subsequent evaluation of the current certificate unless
588     some new error starts happening that wasn't being reported when the cookie
589     was returned from this function (for example, if the certificate expires
590     then evaluation will start failing again until a new cookie is obtained.)
591     @discussion Normally this API should only be called once the errors have
592     been presented to the user and the user decided to trust the current
593     certificate chain regardless of the errors being presented, for the
594     current application/server/protocol combination.
595  }
{ Security note: the returned cookie makes later evaluations of this
  certificate ignore the errors present now, so create it only after the user
  has seen those errors and explicitly accepted them, and persist it scoped
  to the specific application/server/protocol context (see discussion above).
  Caller releases the CFDataRef. }
function SecTrustCopyExceptions( trust: SecTrustRef ): CFDataRef; external name '_SecTrustCopyExceptions';
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0) *)
598 
599 {!
600     @function SecTrustSetExceptions
601     @abstract Set a trust cookie to be used for evaluating this certificate chain.
602     @param trust A reference to a trust object.
603     @param exceptions An exceptions cookie as returned by a call to
604     SecTrustCopyExceptions() in the past.
    @result Upon calling SecTrustEvaluate(), any failures that were present at the
606     time the exceptions object was created are ignored, and instead of returning
607     kSecTrustResultRecoverableTrustFailure, kSecTrustResultProceed will be returned
608     (if the certificate for which exceptions was created matches the current leaf
609     certificate).
    @result Returns true if the exceptions cookie was valid and matches the current
611     leaf certificate, false otherwise.  This function will invalidate the existing
612     trust result, requiring a subsequent evaluation for the newly-set exceptions.
613     Note that this function returning true doesn't mean the caller can skip calling
614     SecTrustEvaluate, as there may be new errors since the exceptions cookie was
615     created (for example, a certificate may have subsequently expired.)
616     @discussion Clients of this interface will need to establish the context of this
617     exception to later decide when this exception cookie is to be used.
618     Examples of this context would be the server we are connecting to, the ssid
619     of the wireless network for which this cert is needed, the account for which
620     this cert should be considered valid, and so on.
621  }
{ Returns true (CBool) if the cookie matched the current leaf certificate.
  A true return does NOT mean the chain is trusted: the prior result is
  invalidated and SecTrustEvaluate must still be called, since new errors
  (e.g. expiry) may have appeared after the cookie was created. }
function SecTrustSetExceptions( trust: SecTrustRef; exceptions: CFDataRef ): CBool; external name '_SecTrustSetExceptions';
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0) *)
624 
625 {!
626     @function SecTrustCopyProperties
627     @abstract Return a property array for this trust evaluation.
628     @param trust A reference to a trust object. If the trust has not been
629     evaluated, the returned property array will be empty.
630     @result A property array. It is the caller's responsibility to CFRelease
631     the returned array when it is no longer needed.
632     @discussion This function returns an ordered array of CFDictionaryRef
633     instances for each certificate in the chain. Indices run from 0 (leaf) to
634     the anchor (or last certificate found if no anchor was found.) See the
635     "Trust Property Constants" section for a list of currently defined keys.
636  }
{ Returns one CFDictionaryRef per certificate in the chain, index 0 being the
  leaf and the last entry the anchor (or the last certificate found when no
  anchor was reached). The array is empty if the trust has not been evaluated.
  The caller owns the returned array and must CFRelease it. }
function SecTrustCopyProperties( trust: SecTrustRef ): CFArrayRef; external name '_SecTrustCopyProperties';
(* __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0) *)
639 
640 {!
641     @function SecTrustCopyResult
642     @abstract Returns a dictionary containing information about the
643     evaluated certificate chain for use by clients.
644     @param trust A reference to a trust object.
645     @result A dictionary with various fields that can be displayed to the user,
646     or NULL if no additional info is available or the trust has not yet been
647     validated.  The caller is responsible for calling CFRelease on the value
648     returned when it is no longer needed.
649     @discussion Returns a dictionary for the overall trust evaluation. See the
650     "Trust Result Constants" section for a list of currently defined keys.
651  }
{ Returns a dictionary describing the overall evaluation (keys under
  "Trust Result Constants"). The result is NULL when no additional information
  is available or the trust has not yet been validated, so test for nil before
  use. The caller must CFRelease a non-nil result. }
function SecTrustCopyResult( trust: SecTrustRef ): CFDictionaryRef; external name '_SecTrustCopyResult';
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
654 
655 {!
656     @function SecTrustSetOCSPResponse
657     @abstract Attach OCSPResponse data to a trust object.
658     @param trust A reference to a trust object.
659     @param responseData This may be either a CFData object containing a single
660     DER-encoded OCSPResponse (per RFC 2560), or a CFArray of these.
661     @result A result code. See "Security Error Codes" (SecBase.h).
662     @discussion Allows the caller to provide OCSPResponse data (which may be
663     obtained during a TLS/SSL handshake, per RFC 3546) as input to a trust
664     evaluation. If this data is available, it can obviate the need to contact
665     an OCSP server for current revocation information.
666  }
{ Supplies OCSPResponse data as input to the trust evaluation. responseData is
  either a CFData holding one DER-encoded OCSPResponse (RFC 2560) or a CFArray
  of such CFData objects. The data is typically what the peer sent during the
  TLS/SSL handshake (RFC 3546); when present it can remove the need to contact
  an OCSP server for current revocation information. }
function SecTrustSetOCSPResponse( trust: SecTrustRef; responseData: CFTypeRef ): OSStatus; external name '_SecTrustSetOCSPResponse';
(* __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0) *)
669 
670 
671 {
672  *  Legacy functions (OS X only)
673  }
674 {$ifc TARGET_OS_MAC}
675 
676 {!
677     @typedef SecTrustUserSetting
678     @abstract Specifies a user-specified trust setting value.
679     @discussion Deprecated in OS X 10.9. User trust settings are managed by
680     functions in SecTrustSettings.h (starting with OS X 10.5), and by the
681     SecTrustCopyExceptions and SecTrustSetExceptions functions (starting with
682     iOS 4 and OS X 10.9). The latter two functions are recommended for both OS X
683     and iOS, as they avoid the need to explicitly specify these values.
684  }
type
  { Alias kept for legacy callers only: deprecated since OS X 10.9. New code
    manages user trust through SecTrustSettings.h or through
    SecTrustCopyExceptions / SecTrustSetExceptions. }
  SecTrustUserSetting = SecTrustResultType;
  (* __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_9, __IPHONE_NA, __IPHONE_NA) *)
688 
689 {!
690     @typedef SecTrustOptionFlags
691     @abstract Options for customizing trust evaluation.
692     @constant kSecTrustOptionAllowExpired Allow expired certificates.
693     @constant kSecTrustOptionLeafIsCA Allow CA as leaf certificate.
694     @constant kSecTrustOptionFetchIssuerFromNet Allow network fetch of CA cert.
695     @constant kSecTrustOptionAllowExpiredRoot Allow expired roots.
696     @constant kSecTrustOptionRequireRevPerCert Require positive revocation
697     check per certificate.
698     @constant kSecTrustOptionUseTrustSettings Use TrustSettings instead of
699     anchors.
700     @constant kSecTrustOptionImplicitAnchors Properly self-signed certs are
701     treated as anchors implicitly.
702  }
{ Bit flags accepted by SecTrustSetOptions (this section is only compiled for
  TARGET_OS_MAC). AllowExpired, LeafIsCA, AllowExpiredRoot and ImplicitAnchors
  each make the evaluation accept chains it would otherwise reject, and
  FetchIssuerFromNet permits a network lookup during evaluation; only
  RequireRevPerCert tightens the check. Set only the flags a caller needs. }
type
	SecTrustOptionFlagsPtr = ^SecTrustOptionFlags;
	SecTrustOptionFlags = UInt32;
const
	kSecTrustOptionAllowExpired = $00000001;       { accept expired certificates }
	kSecTrustOptionLeafIsCA = $00000002;           { accept a CA certificate as the leaf }
	kSecTrustOptionFetchIssuerFromNet = $00000004; { allow fetching a missing CA cert from the network }
	kSecTrustOptionAllowExpiredRoot = $00000008;   { accept expired root certificates }
	kSecTrustOptionRequireRevPerCert = $00000010;  { require a positive revocation check for every cert }
	kSecTrustOptionUseTrustSettings = $00000020;   { consult TrustSettings instead of the anchors }
	kSecTrustOptionImplicitAnchors = $00000040;    { treat properly self-signed certs as anchors }
714 
715 {!
716     @function SecTrustSetOptions
717     @abstract Sets optional flags for customizing a trust evaluation.
718     @param trustRef A trust reference.
719     @param options Flags to change evaluation behavior for this trust.
720     @result A result code. See "Security Error Codes" (SecBase.h).
721     @discussion This function is not available on iOS. Use SecTrustSetExceptions
722     and SecTrustCopyExceptions to modify default trust results, and
723     SecTrustSetNetworkFetchAllowed to specify whether missing CA certificates
724     can be fetched from the network.
725  }
{ OS X only; not available on iOS (use SecTrustSetExceptions /
  SecTrustCopyExceptions and SecTrustSetNetworkFetchAllowed there). options is a
  bitmask of kSecTrustOption* flags; several of them widen what the evaluation
  accepts, so pass only the flags the caller actually requires. }
function SecTrustSetOptions( trustRef: SecTrustRef; options: SecTrustOptionFlags ): OSStatus; external name '_SecTrustSetOptions';
(* __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA) *)
728 
729 {!
730     @function SecTrustSetParameters
731     @abstract Sets the action and action data for a trust object.
732     @param trustRef The reference to the trust to change.
733     @param action A trust action.
734     @param actionData A reference to data associated with this action.
735     @result A result code. See "Security Error Codes" (SecBase.h).
736     @discussion This function is deprecated in OS X 10.7 and later, where it
737     was replaced by SecTrustSetOptions, and is not available on iOS. Your code
738     should use SecTrustSetExceptions and SecTrustCopyExceptions to modify default
739     trust results, and SecTrustSetNetworkFetchAllowed to specify whether missing
740     CA certificates can be fetched from the network.
741  }
{ Deprecated since OS X 10.7, where SecTrustSetOptions replaced it; not
  available on iOS. action is a CSSM_TP_ACTION and actionData the data
  associated with that action. }
function SecTrustSetParameters( trustRef: SecTrustRef; action: CSSM_TP_ACTION; actionData: CFDataRef ): OSStatus; external name '_SecTrustSetParameters';
(* __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) *)
744 
745 {!
746     @function SecTrustSetKeychains
747     @abstract Sets the keychains for a given trust object.
748     @param trust A reference to a trust object.
749     @param keychainOrArray A reference to an array of keychains to search, a
750     single keychain, or NULL to use the default keychain search list.
751     @result A result code. See "Security Error Codes" (SecBase.h).
752     @discussion By default, the user's keychain search list and the system
753     anchors keychain are searched for certificates to complete the chain. You
754     can specify a zero-element array if you do not want any keychains searched.
755     Note: this function is not applicable to iOS.
756  }
{ OS X only. keychainOrArray is a single keychain, an array of keychains, or
  NULL for the default search list (user keychains plus the system anchors
  keychain). A zero-element array means no keychain is searched for
  chain-building certificates. }
function SecTrustSetKeychains( trust: SecTrustRef; keychainOrArray: CFTypeRef ): OSStatus; external name '_SecTrustSetKeychains';
(* __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA) *)
759 
760 {!
761     @function SecTrustGetResult
762     @abstract Returns detailed information on the outcome of an evaluation.
763     @param trustRef A reference to a trust object.
764     @param result A pointer to the result from the call to SecTrustEvaluate.
765     @param certChain On return, a pointer to the certificate chain used to
766     validate the input certificate. Call the CFRelease function to release
767     this pointer.
768     @param statusChain On return, a pointer to the status of the certificate
769     chain. Do not attempt to free this pointer; it remains valid until the
770     trust is destroyed or the next call to SecTrustEvaluate.
771     @result A result code. See "Security Error Codes" (SecBase.h).
772     @discussion This function is deprecated in OS X 10.7 and later,
773     and is not available on iOS.
774     To get the complete certificate chain, use SecTrustGetCertificateCount and
775     SecTrustGetCertificateAtIndex. To get detailed status information for each
776     certificate, use SecTrustCopyProperties. To get the overall trust result
777     for the evaluation, use SecTrustGetTrustResult.
778  }
{ Deprecated since OS X 10.7; not available on iOS. Ownership differs between
  the out-parameters: certChain must be CFRelease'd by the caller, while
  statusChain must NOT be freed and stays valid only until the trust is
  destroyed or SecTrustEvaluate is called again. }
function SecTrustGetResult( trustRef: SecTrustRef; var result: SecTrustResultType; var certChain: CFArrayRef; statusChain: CSSM_TP_APPLE_EVIDENCE_INFOArrayPtr): OSStatus; external name '_SecTrustGetResult';
(* __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) *)
781 
782 {!
783     @function SecTrustGetCssmResult
784     @abstract Gets the CSSM trust result.
785     @param trust A reference to a trust.
786     @param result On return, a pointer to the CSSM trust result.
787     @result A result code. See "Security Error Codes" (SecBase.h).
788     @discussion This function is deprecated in OS X 10.7 and later,
789     and is not available on iOS.
790     To get detailed status information for each certificate, use
791     SecTrustCopyProperties. To get the overall trust result for the evaluation,
792     use SecTrustGetTrustResult.
793  }
{ Deprecated since OS X 10.7; not available on iOS. Prefer
  SecTrustCopyProperties for per-certificate status and SecTrustGetTrustResult
  for the overall result. }
function SecTrustGetCssmResult( trust: SecTrustRef; var result: CSSM_TP_VERIFY_CONTEXT_RESULT_PTR ): OSStatus; external name '_SecTrustGetCssmResult';
(* __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) *)
796 
797 {!
798     @function SecTrustGetCssmResultCode
799     @abstract Gets the result code from the most recent call to SecTrustEvaluate
800     for the specified trust.
801     @param trust A reference to a trust.
802     @param resultCode On return, the result code produced by the most recent
803     evaluation of the given trust (cssmerr.h). The value of resultCode is
804     undefined if SecTrustEvaluate has not been called.
805     @result A result code. See "Security Error Codes" (SecBase.h). Returns
806     errSecTrustNotAvailable if SecTrustEvaluate has not been called for the
807     specified trust.
808     @discussion This function is deprecated in OS X 10.7 and later,
809     and is not available on iOS.
810     To get detailed status information for each certificate, use
811     SecTrustCopyProperties. To get the overall trust result for the evaluation,
812     use SecTrustGetTrustResult.
813  }
{ Deprecated since OS X 10.7; not available on iOS. resultCode is undefined
  unless SecTrustEvaluate has run on this trust, and the function then returns
  errSecTrustNotAvailable, so check the returned OSStatus before reading
  resultCode. }
function SecTrustGetCssmResultCode( trust: SecTrustRef; var resultCode: OSStatus ): OSStatus; external name '_SecTrustGetCssmResultCode';
(* __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) *)
816 
817 {!
818     @function SecTrustGetTPHandle
819     @abstract Gets the CSSM trust handle.
820     @param trust A reference to a trust.
821     @param handle On return, a CSSM trust handle.
822     @result A result code. See "Security Error Codes" (SecBase.h).
823     @discussion This function is deprecated in OS X 10.7 and later.
824  }
{ Deprecated since OS X 10.7. On success handle receives the CSSM trust
  (TP) handle for this trust object. }
function SecTrustGetTPHandle( trust: SecTrustRef; var handle: CSSM_TP_HANDLE ): OSStatus; external name '_SecTrustGetTPHandle';
(* __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) *)
827 
828 {!
829     @function SecTrustCopyAnchorCertificates
830     @abstract Returns an array of default anchor (root) certificates used by
831     the system.
832     @param anchors On return, an array containing the system's default anchors
833     (roots). Call the CFRelease function to release this pointer.
834     @result A result code. See "Security Error Codes" (SecBase.h).
835     @discussion This function is not available on iOS, as certificate data
836     for system-trusted roots is currently unavailable on that platform.
837  }
{ OS X only (root certificate data is not exposed on iOS). anchors receives an
  array of the system's default anchor (root) certificates; the caller owns it
  and must CFRelease it. }
function SecTrustCopyAnchorCertificates( var anchors: CFArrayRef ): OSStatus; external name '_SecTrustCopyAnchorCertificates';
(* __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA) *)
840 
841 {$endc} {TARGET_OS_MAC}
842 
843 {$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
844 
845 end.
846 {$endc} {not MACOSALLINCLUDE}
847