AppleX509TP Trust Policies

The trust policies implemented by the AppleX509TP CDSA module are shown in Table A-1. For each policy, a pointer to its policy-specific option structure (if any) is placed in CSSM_FIELD.FieldValue.Data; that CSSM_FIELD is one of the entries in the CSSM_TP_CALLERAUTH_CONTEXT.Policy.PolicyIds array.

Table A-1  AppleX509TP trust policies

| Policy | OID | Options | Description |
|---|---|---|---|
| Apple Basic (kSecPolicyAppleX509Basic) | CSSMOID_APPLE_X509_BASIC | None | Basic X509-style certificate evaluation |
| SSL (kSecPolicyAppleSSL) | CSSMOID_APPLE_TP_SSL | CSSM_APPLE_TP_SSL_OPTIONS | Basic X509 plus host name verification per RFC 2818 |
| SMIME (kSecPolicyAppleSMIME) | CSSMOID_APPLE_TP_SMIME | CSSM_APPLE_TP_SMIME_OPTIONS | Basic X509 plus email address verification and KeyUsage enforcement per RFC 2632 |
| Extensible Authentication Protocol (EAP) (kSecPolicyAppleEAP) | CSSMOID_APPLE_TP_EAP | CSSM_APPLE_TP_SSL_OPTIONS | Functionally identical to the SSL policy. A separate OID is provided to facilitate per-policy, per-certificate trust settings using the SecTrust mechanism |
| CRL Revocation | CSSMOID_APPLE_TP_REVOCATION_CRL | CSSM_APPLE_TP_CRL_OPTIONS (see option flags below) | Revocation using certificate revocation lists |

CRL Policy Options

Certificate revocation list policy options are defined in the following structure:

typedef uint32 CSSM_APPLE_TP_CRL_OPT_FLAGS;
enum {
    // require CRL verification for each cert; default is "try"
    CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT = 0x00000001,
    // enable fetch from network
    CSSM_TP_ACTION_FETCH_CRL_FROM_NET   = 0x00000002
};
typedef struct {
    // CSSM_APPLE_TP_CRL_OPTS_VERSION
    uint32                              Version;
    // bitwise OR of the CSSM_TP_ACTION_* flags above
    CSSM_APPLE_TP_CRL_OPT_FLAGS         CrlFlags;
    /*
     * When non-NULL, store CRLs fetched from net here.
     * This is most likely a pointer to one of the
     * CSSM_TP_CALLERAUTH_CONTEXT.DBList entries but that
     * is not a strict requirement.
     */
    CSSM_DL_DB_HANDLE_PTR               crlStore;
} CSSM_APPLE_TP_CRL_OPTIONS;

When the CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT flag is set, a certificate is not valid unless every certificate in the certificate chain has been successfully verified using a certificate revocation list. This check is in addition to any other certificate-specific or policy-specific checks required for validation. When this flag is not set, CRLs are evaluated if they are available, but it is not an error if the trust policy module cannot find a CRL. In either case, the certificate is not considered valid if a CRL is found that indicates that any certificate in the certificate chain has been revoked.
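The following is an added example, not Apple's code: it models how a caller fills in CSSM_APPLE_TP_CRL_OPTIONS and how the two CRL flags change the chain verdict described above. The type and constant declarations are constructed stand-ins that mirror the structure shown here so the file builds without the CDSA headers; the value of CSSM_APPLE_TP_CRL_OPTS_VERSION and the stand-in handle type are assumptions.

```c
/* Stand-in declarations mirroring CSSM_APPLE_TP_CRL_OPTIONS (constructed for
 * this example; on macOS use the real CDSA headers instead). */
#include <stdint.h>
#include <stdbool.h>

typedef uint32_t uint32;
typedef uint32 CSSM_APPLE_TP_CRL_OPT_FLAGS;
enum {
    CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT = 0x00000001,
    CSSM_TP_ACTION_FETCH_CRL_FROM_NET   = 0x00000002
};
#define CSSM_APPLE_TP_CRL_OPTS_VERSION 0   /* assumed value; check the header */
typedef void *CSSM_DL_DB_HANDLE_PTR;       /* stand-in for the real DL/DB handle pointer */
typedef struct {
    uint32                      Version;
    CSSM_APPLE_TP_CRL_OPT_FLAGS CrlFlags;
    CSSM_DL_DB_HANDLE_PTR       crlStore;
} CSSM_APPLE_TP_CRL_OPTIONS;

/* Per-certificate CRL outcome as the trust policy module would observe it. */
typedef enum { CRL_NOT_FOUND, CRL_OK, CRL_REVOKED } crl_status_t;

/* Fill in the options the way a caller does before pointing
 * CSSM_FIELD.FieldValue.Data at the structure. */
CSSM_APPLE_TP_CRL_OPTIONS make_crl_options(bool require_per_cert, bool fetch_from_net,
                                           CSSM_DL_DB_HANDLE_PTR store)
{
    CSSM_APPLE_TP_CRL_OPTIONS o;
    o.Version  = CSSM_APPLE_TP_CRL_OPTS_VERSION;
    o.CrlFlags = 0;
    if (require_per_cert) o.CrlFlags |= CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT;
    if (fetch_from_net)   o.CrlFlags |= CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
    o.crlStore = store;   /* NULL: fetched CRLs are not persisted */
    return o;
}

/* Chain verdict under the rules in the text: a revoked certificate anywhere in
 * the chain always fails; a certificate with no CRL available fails only when
 * CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT is set ("try" mode tolerates it). */
bool chain_passes_crl_policy(CSSM_APPLE_TP_CRL_OPT_FLAGS flags,
                             const crl_status_t *chain, unsigned n)
{
    bool require = (flags & CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT) != 0;
    for (unsigned i = 0; i < n; i++) {
        if (chain[i] == CRL_REVOKED) return false;
        if (chain[i] == CRL_NOT_FOUND && require) return false;
    }
    return true;
}
```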

Evaluating Multiple Policies

If multiple policies are specified, they are evaluated sequentially. In this case, the VerificationAbortOn field of the CSSM_TP_CALLERAUTH_CONTEXT structure specifies when to abort the verification process (see the “Trust Policy Services API” chapter in Common Security: CDSA and CSSM, version 2 (with corrigenda) from The Open Group (http://www.opengroup.org/security/cdsa.htm)). The AppleX509TP CDSA module supports the following values for the VerificationAbortOn field: