
/packages/univint/src/cssmapple.pas

https://github.com/slibre/freepascal
Possible License(s): LGPL-2.0, LGPL-2.1, LGPL-3.0


   1{
   2 * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
   3 * 
   4 * @APPLE_LICENSE_HEADER_START@
   5 * 
   6 * This file contains Original Code and/or Modifications of Original Code
   7 * as defined in and that are subject to the Apple Public Source License
   8 * Version 2.0 (the 'License'). You may not use this file except in
   9 * compliance with the License. Please obtain a copy of the License at
  10 * http://www.opensource.apple.com/apsl/ and read it before using this
  11 * file.
  12 * 
  13 * The Original Code and all software distributed under the License are
  14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18 * Please see the License for the specific language governing rights and
  19 * limitations under the License.
  20 * 
  21 * @APPLE_LICENSE_HEADER_END@
  22 *
  23 * cssmapple.h -- CSSM features specific to Apple's Implementation
  24 }
  25{  Pascal Translation Updated:  Jonas Maebe, <jonas@freepascal.org>, September 2010 }
  26{  Pascal Translation Update: Jonas Maebe <jonas@freepascal.org>, October 2012 }
  27
  28{
  29    Modified for use with Free Pascal
  30    Version 308
  31    Please report any bugs to <gpc@microbizz.nl>
  32}
  33
  34{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
  35{$mode macpas}
  36{$packenum 1}
  37{$macro on}
  38{$inline on}
  39{$calling mwpascal}
  40
  41unit cssmapple;
  42interface
  43{$setc UNIVERSAL_INTERFACES_VERSION := $0400}
  44{$setc GAP_INTERFACES_VERSION := $0308}
  45
  46{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
  47    {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
  48{$endc}
  49
  50{$ifc defined CPUPOWERPC and defined CPUI386}
  51	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
  52{$endc}
  53{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
  54	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
  55{$endc}
  56
  57{$ifc not defined __ppc__ and defined CPUPOWERPC32}
  58	{$setc __ppc__ := 1}
  59{$elsec}
  60	{$setc __ppc__ := 0}
  61{$endc}
  62{$ifc not defined __ppc64__ and defined CPUPOWERPC64}
  63	{$setc __ppc64__ := 1}
  64{$elsec}
  65	{$setc __ppc64__ := 0}
  66{$endc}
  67{$ifc not defined __i386__ and defined CPUI386}
  68	{$setc __i386__ := 1}
  69{$elsec}
  70	{$setc __i386__ := 0}
  71{$endc}
  72{$ifc not defined __x86_64__ and defined CPUX86_64}
  73	{$setc __x86_64__ := 1}
  74{$elsec}
  75	{$setc __x86_64__ := 0}
  76{$endc}
  77{$ifc not defined __arm__ and defined CPUARM}
  78	{$setc __arm__ := 1}
  79{$elsec}
  80	{$setc __arm__ := 0}
  81{$endc}
  82
  83{$ifc defined cpu64}
  84  {$setc __LP64__ := 1}
  85{$elsec}
  86  {$setc __LP64__ := 0}
  87{$endc}
  88
  89
  90{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
  91	{$error Conflicting definitions for __ppc__ and __i386__}
  92{$endc}
  93
  94{$ifc defined __ppc__ and __ppc__}
  95	{$setc TARGET_CPU_PPC := TRUE}
  96	{$setc TARGET_CPU_PPC64 := FALSE}
  97	{$setc TARGET_CPU_X86 := FALSE}
  98	{$setc TARGET_CPU_X86_64 := FALSE}
  99	{$setc TARGET_CPU_ARM := FALSE}
 100	{$setc TARGET_OS_MAC := TRUE}
 101	{$setc TARGET_OS_IPHONE := FALSE}
 102	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
 103	{$setc TARGET_OS_EMBEDDED := FALSE}
 104{$elifc defined __ppc64__ and __ppc64__}
 105	{$setc TARGET_CPU_PPC := FALSE}
 106	{$setc TARGET_CPU_PPC64 := TRUE}
 107	{$setc TARGET_CPU_X86 := FALSE}
 108	{$setc TARGET_CPU_X86_64 := FALSE}
 109	{$setc TARGET_CPU_ARM := FALSE}
 110	{$setc TARGET_OS_MAC := TRUE}
 111	{$setc TARGET_OS_IPHONE := FALSE}
 112	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
 113	{$setc TARGET_OS_EMBEDDED := FALSE}
 114{$elifc defined __i386__ and __i386__}
 115	{$setc TARGET_CPU_PPC := FALSE}
 116	{$setc TARGET_CPU_PPC64 := FALSE}
 117	{$setc TARGET_CPU_X86 := TRUE}
 118	{$setc TARGET_CPU_X86_64 := FALSE}
 119	{$setc TARGET_CPU_ARM := FALSE}
 120{$ifc defined(iphonesim)}
 121 	{$setc TARGET_OS_MAC := FALSE}
 122	{$setc TARGET_OS_IPHONE := TRUE}
 123	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
 124{$elsec}
 125	{$setc TARGET_OS_MAC := TRUE}
 126	{$setc TARGET_OS_IPHONE := FALSE}
 127	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
 128{$endc}
 129	{$setc TARGET_OS_EMBEDDED := FALSE}
 130{$elifc defined __x86_64__ and __x86_64__}
 131	{$setc TARGET_CPU_PPC := FALSE}
 132	{$setc TARGET_CPU_PPC64 := FALSE}
 133	{$setc TARGET_CPU_X86 := FALSE}
 134	{$setc TARGET_CPU_X86_64 := TRUE}
 135	{$setc TARGET_CPU_ARM := FALSE}
 136	{$setc TARGET_OS_MAC := TRUE}
 137	{$setc TARGET_OS_IPHONE := FALSE}
 138	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
 139	{$setc TARGET_OS_EMBEDDED := FALSE}
 140{$elifc defined __arm__ and __arm__}
 141	{$setc TARGET_CPU_PPC := FALSE}
 142	{$setc TARGET_CPU_PPC64 := FALSE}
 143	{$setc TARGET_CPU_X86 := FALSE}
 144	{$setc TARGET_CPU_X86_64 := FALSE}
 145	{$setc TARGET_CPU_ARM := TRUE}
 146	{ will require compiler define when/if other Apple devices with ARM cpus ship }
 147	{$setc TARGET_OS_MAC := FALSE}
 148	{$setc TARGET_OS_IPHONE := TRUE}
 149	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
 150	{$setc TARGET_OS_EMBEDDED := TRUE}
 151{$elsec}
 152	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ is defined.}
 153{$endc}
 154
 155{$ifc defined __LP64__ and __LP64__ }
 156  {$setc TARGET_CPU_64 := TRUE}
 157{$elsec}
 158  {$setc TARGET_CPU_64 := FALSE}
 159{$endc}
 160
 161{$ifc defined FPC_BIG_ENDIAN}
 162	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
 163	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
 164{$elifc defined FPC_LITTLE_ENDIAN}
 165	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
 166	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
 167{$elsec}
 168	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
 169{$endc}
 170{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
 171{$setc CALL_NOT_IN_CARBON := FALSE}
 172{$setc OLDROUTINENAMES := FALSE}
 173{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
 174{$setc OPAQUE_UPP_TYPES := TRUE}
 175{$setc OTCARBONAPPLICATION := TRUE}
 176{$setc OTKERNEL := FALSE}
 177{$setc PM_USE_SESSION_APIS := TRUE}
 178{$setc TARGET_API_MAC_CARBON := TRUE}
 179{$setc TARGET_API_MAC_OS8 := FALSE}
 180{$setc TARGET_API_MAC_OSX := TRUE}
 181{$setc TARGET_CARBON := TRUE}
 182{$setc TARGET_CPU_68K := FALSE}
 183{$setc TARGET_CPU_MIPS := FALSE}
 184{$setc TARGET_CPU_SPARC := FALSE}
 185{$setc TARGET_OS_UNIX := FALSE}
 186{$setc TARGET_OS_WIN32 := FALSE}
 187{$setc TARGET_RT_MAC_68881 := FALSE}
 188{$setc TARGET_RT_MAC_CFM := FALSE}
 189{$setc TARGET_RT_MAC_MACHO := TRUE}
 190{$setc TYPED_FUNCTION_POINTERS := TRUE}
 191{$setc TYPE_BOOL := FALSE}
 192{$setc TYPE_EXTENDED := FALSE}
 193{$setc TYPE_LONGLONG := TRUE}
 194uses MacTypes,MacOSXPosix,cssmerr,cssmtype,x509defs,certextensions;
 195{$endc} {not MACOSALLINCLUDE}
 196
 197
 198{$ifc TARGET_OS_MAC}
 199
 200{$packrecords c}
 201
 202
 203{ Guids for standard Apple addin modules. }
 204
 205{ CSSM itself: (87191ca0-0fc9-11d4-849a-000502b52122) }
 206var gGuidCssm: CSSM_GUID; external name '_gGuidCssm'; (* attribute const *)
 207
 208{ File based DL (aka "Keychain DL"): (87191ca1-0fc9-11d4-849a-000502b52122) }
 209var gGuidAppleFileDL: CSSM_GUID; external name '_gGuidAppleFileDL'; (* attribute const *)
 210
 211{ Core CSP (local space): (87191ca2-0fc9-11d4-849a-000502b52122) }
 212var gGuidAppleCSP: CSSM_GUID; external name '_gGuidAppleCSP'; (* attribute const *)
 213
 214{ Secure CSP/DL (aka "Keychain CSPDL"): (87191ca3-0fc9-11d4-849a-000502b52122) }
 215var gGuidAppleCSPDL: CSSM_GUID; external name '_gGuidAppleCSPDL'; (* attribute const *)
 216
 217{ X509 Certificate CL: (87191ca4-0fc9-11d4-849a-000502b52122) }
 218var gGuidAppleX509CL: CSSM_GUID; external name '_gGuidAppleX509CL'; (* attribute const *)
 219
 220{ X509 Certificate TP: (87191ca5-0fc9-11d4-849a-000502b52122) }
 221var gGuidAppleX509TP: CSSM_GUID; external name '_gGuidAppleX509TP'; (* attribute const *)
 222
 223{ LDAP/OpenDirectory access DL: (87191ca6-0fc9-11d4-849a-000502b52122) }
 224var gGuidAppleLDAPDL: CSSM_GUID; external name '_gGuidAppleLDAPDL'; (* attribute const *)
 225
 226{ TP for ".mac" related policies: (87191ca7-0fc9-11d4-849a-000502b52122) }
 227var gGuidAppleDotMacTP: CSSM_GUID; external name '_gGuidAppleDotMacTP'; (* attribute const *)
 228
 229{ Smartcard CSP/DL: (87191ca8-0fc9-11d4-849a-000502b52122) }
 230var gGuidAppleSdCSPDL: CSSM_GUID; external name '_gGuidAppleSdCSPDL'; (* attribute const *)
 231
 232{ DL for ".mac" certificate access: (87191ca9-0fc9-11d4-849a-000502b52122) }
 233var gGuidAppleDotMacDL: CSSM_GUID; external name '_gGuidAppleDotMacDL'; (* attribute const *)
 234
 235
 236{ Apple defined WORDID values }
 237const
 238	CSSM_WORDID_KEYCHAIN_PROMPT = CSSM_WORDID_VENDOR_START;
 239	CSSM_WORDID_KEYCHAIN_LOCK = CSSM_WORDID_VENDOR_START + 1;
 240	CSSM_WORDID_KEYCHAIN_CHANGE_LOCK = CSSM_WORDID_VENDOR_START + 2;
 241	CSSM_WORDID_PROCESS = CSSM_WORDID_VENDOR_START + 3;
 242	CSSM_WORDID__RESERVED_1 = CSSM_WORDID_VENDOR_START + 4;		{ was used in 10.2 test seeds; no longer in use }
 243	CSSM_WORDID_SYMMETRIC_KEY = CSSM_WORDID_VENDOR_START + 5;
 244	CSSM_WORDID_SYSTEM = CSSM_WORDID_VENDOR_START + 6;
 245	CSSM_WORDID_KEY = CSSM_WORDID_VENDOR_START + 7;
 246	CSSM_WORDID_PIN = CSSM_WORDID_VENDOR_START + 8;
 247	CSSM_WORDID_PREAUTH = CSSM_WORDID_VENDOR_START + 9;
 248	CSSM_WORDID_PREAUTH_SOURCE = CSSM_WORDID_VENDOR_START + 10;
 249	CSSM_WORDID_ASYMMETRIC_KEY = CSSM_WORDID_VENDOR_START + 11;
 250	CSSM_WORDID__FIRST_UNUSED = CSSM_WORDID_VENDOR_START + 12;
 251
 252{ Apple defined ACL subject and credential types }
 253const
 254	CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT;
 255	CSSM_ACL_SUBJECT_TYPE_PROCESS = CSSM_WORDID_PROCESS;
 256	CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE = CSSM_WORDID_SIGNATURE;
 257	CSSM_ACL_SUBJECT_TYPE_COMMENT = CSSM_WORDID_COMMENT;
 258	CSSM_ACL_SUBJECT_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY;
 259	CSSM_ACL_SUBJECT_TYPE_PREAUTH = CSSM_WORDID_PREAUTH;
 260	CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE = CSSM_WORDID_PREAUTH_SOURCE;
 261	CSSM_ACL_SUBJECT_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY;
 262
 263const
 264	CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT;
 265	CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK = CSSM_WORDID_KEYCHAIN_LOCK;
 266	CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK = CSSM_WORDID_KEYCHAIN_CHANGE_LOCK;
 267	CSSM_SAMPLE_TYPE_PROCESS = CSSM_WORDID_PROCESS;
 268	CSSM_SAMPLE_TYPE_COMMENT = CSSM_WORDID_COMMENT;
 269	CSSM_SAMPLE_TYPE_RETRY_ID = CSSM_WORDID_PROPAGATE;
 270	CSSM_SAMPLE_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY;
 271	CSSM_SAMPLE_TYPE_PREAUTH = CSSM_WORDID_PREAUTH;
 272	CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY;
 273	// there is no CSSM_SAMPLE_TYPE_PREAUTH_SOURCE
 274
 275
 276{ Apple-defined ACL authorization tags }
 277const
 278	CSSM_ACL_AUTHORIZATION_CHANGE_ACL = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START;
 279	CSSM_ACL_AUTHORIZATION_CHANGE_OWNER = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START + 1;
 280	
 281	// the "pre-auth" tags form a contiguous range of (up to) 64K pre-authorizations
 282	CSSM_ACL_AUTHORIZATION_PREAUTH_BASE = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START + $1000000;
 283	CSSM_ACL_AUTHORIZATION_PREAUTH_END = CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + $10000;
 284
 285{ pre-authorization conversions (auth-tag to slot and back) }
 286{
 287#define CSSM_ACL_AUTHORIZATION_PREAUTH(slot) \
 288		(CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + (slot))
 289#define CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth) \
 290		((auth) - CSSM_ACL_AUTHORIZATION_PREAUTH_BASE)
 291#define CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth) \
 292		((auth) >= CSSM_ACL_AUTHORIZATION_PREAUTH_BASE && \
 293		 (auth) < CSSM_ACL_AUTHORIZATION_PREAUTH_END)
 294}
 295
 296
 297function CSSM_ACL_AUTHORIZATION_PREAUTH(slot: UInt32): UInt32; inline;	{ auth tag for a pre-auth slot: PREAUTH_BASE + slot (mirrors the C macro above; the macro does no range check on slot) }
 298function CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth: UInt32): UInt32; inline;	{ slot for a pre-auth tag: auth - PREAUTH_BASE; only meaningful when IS_PREAUTH(auth) holds }
 299function CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth: UInt32): Boolean; inline;	{ true iff PREAUTH_BASE <= auth < PREAUTH_END }
 300
 301
 302{ Parameters and structures for Apple-defined ACL subjects and samples }
 303
 304const
 305{ types of code signatures - item 1 of CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE subjects }
 306	CSSM_ACL_CODE_SIGNATURE_INVALID = 0; { presumably "no / invalid signature type"; the comment here previously duplicated the OSX line }
 307	CSSM_ACL_CODE_SIGNATURE_OSX = 1;		{ standard OS X code signature }
 308
 309{ ACL subjects of type PROCESS }
 310
 311const
 312{ PROCESS_SUBJECT mask fields (values of cssm_acl_process_subject_selector.mask) }
 313	CSSM_ACL_MATCH_UID = $01;			{ match userid against uid field }
 314	CSSM_ACL_MATCH_GID = $02;			{ match groupid against gid field }
 315	CSSM_ACL_MATCH_HONOR_ROOT = $100;	{ let root (uid 0) match any userid; a modifier bit, not part of CSSM_ACL_MATCH_BITS }
 316	CSSM_ACL_MATCH_BITS = CSSM_ACL_MATCH_UID or CSSM_ACL_MATCH_GID;	{ the field-selecting bits only }
 317
 318const
 319{ PROCESS_SUBJECT structure version field }
 320	CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION = $101;
 321
 322type
 323	cssm_acl_process_subject_selectorPtr = ^cssm_acl_process_subject_selector;
 324	cssm_acl_process_subject_selector = record
 325{ PROCESS_SUBJECT selector: payload of a CSSM_ACL_SUBJECT_TYPE_PROCESS subject; mask chooses which of uid/gid are compared }
 326		version: UInt16;			{ version of this selector; see CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION }
 327		mask: UInt16;			{ active fields mask: CSSM_ACL_MATCH_UID / CSSM_ACL_MATCH_GID, optionally CSSM_ACL_MATCH_HONOR_ROOT }
 328		uid: UInt32;				{ effective user id match; only meaningful when CSSM_ACL_MATCH_UID is set in mask }
 329		gid: UInt32;				{ effective group id match; only meaningful when CSSM_ACL_MATCH_GID is set in mask }
 330	end;
 331
 332{ ACL subjects of type KEYCHAIN_PROMPT }
 333
 334const
 335{ KEYCHAIN_PROMPT structure version field }
 336	CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION = $101;
 337
 338const
 339{ KEYCHAIN_PROMPT operational flags }
 340	CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE = $0001; { require re-entering of passphrase }
 341	{ the following bits are ignored by 10.4 and earlier }
 342	CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED = $0010;			{ prompt for unsigned clients }
 343	CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED_ACT = $0020;		{ UNSIGNED bit overrides system default }
 344	CSSM_ACL_KEYCHAIN_PROMPT_INVALID = $0040;			{ prompt for invalid signed clients }
 345	CSSM_ACL_KEYCHAIN_PROMPT_INVALID_ACT = $0080;		{ INVALID bit overrides system default }
 346
 347type
 348	cssm_acl_keychain_prompt_selectorPtr = ^cssm_acl_keychain_prompt_selector;
 349	cssm_acl_keychain_prompt_selector = record
 350{ KEYCHAIN_PROMPT selector: payload of a CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT subject }
 351		version: UInt16;			{ version of this selector; see CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION }
 352		flags: UInt16;			{ flag bits: CSSM_ACL_KEYCHAIN_PROMPT_* (the UNSIGNED/INVALID bits are ignored by 10.4 and earlier) }
 353	end;
 354
 355{ ACL subjects of type CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE }
 356type
 357	CSSM_ACL_PREAUTH_TRACKING_STATE = UInt32;
 358const
 359{ preauth tracking state }
 360	CSSM_ACL_PREAUTH_TRACKING_COUNT_MASK = $ff;		{ mask for count status }
 361	CSSM_ACL_PREAUTH_TRACKING_BLOCKED = 0;		{ retries exhausted; the slot is blocked }
 362	{ 0 .. 255 is a count of (re)tries remaining }
 363	
 364	{ bits or'ed into any count given }
 365	CSSM_ACL_PREAUTH_TRACKING_UNKNOWN = $40000000; { status of slot is unknown (ignore count) }
 366	CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED = $80000000; { the slot is currently authorized (or'ed in) }
 367
 368
 369{ Apple defined values of a CSSM_DB_ACCESS_TYPE }
 370const
 371	CSSM_DB_ACCESS_RESET = $10000;	{ clear pre-authentications (or'ed bit) }
 372
 373
 374{ Apple defined algorithm IDs }
 375const
 376	CSSM_ALGID_APPLE_YARROW = CSSM_ALGID_VENDOR_DEFINED;	{ Yarrow (PRNG); presumably the CSP's random-number generator }
 377	CSSM_ALGID_AES = CSSM_ALGID_VENDOR_DEFINED + 1;				{ Rijndael (AES) }
 378	CSSM_ALGID_FEE = CSSM_ALGID_VENDOR_DEFINED + 2;				{ FEE Key Generation }
 379	CSSM_ALGID_FEE_MD5 = CSSM_ALGID_VENDOR_DEFINED + 3;			{ FEE/ElGamal signature w/ MD5 hash (MD5 is not collision resistant; legacy use only) }
 380	CSSM_ALGID_FEE_SHA1 = CSSM_ALGID_VENDOR_DEFINED + 4;		{ FEE/ElGamal signature w/ SHA1 hash (SHA-1 is deprecated for signatures; legacy use only) }
 381	CSSM_ALGID_FEED = CSSM_ALGID_VENDOR_DEFINED + 5;			{ 1:1 FEE asymmetric encryption }
 382	CSSM_ALGID_FEEDEXP = CSSM_ALGID_VENDOR_DEFINED + 6;			{ 2:1 FEE asymmetric encryption }
 383	CSSM_ALGID_ASC = CSSM_ALGID_VENDOR_DEFINED + 7;				{ Apple Secure Compression }
 384	CSSM_ALGID_SHA1HMAC_LEGACY = CSSM_ALGID_VENDOR_DEFINED + 8;	{ HMAC/SHA1, legacy compatible }
 385	CSSM_ALGID_KEYCHAIN_KEY = CSSM_ALGID_VENDOR_DEFINED + 9;	{ derive or manipulate keychain master keys }
 386	CSSM_ALGID_PKCS12_PBE_ENCR = CSSM_ALGID_VENDOR_DEFINED + 10;	{ PKCS12, encrypt/decrypt key }
 387	CSSM_ALGID_PKCS12_PBE_MAC = CSSM_ALGID_VENDOR_DEFINED + 11;	{ PKCS12, MAC key }
 388	CSSM_ALGID_SECURE_PASSPHRASE = CSSM_ALGID_VENDOR_DEFINED + 12;   { passphrase acquired by SecurityServer }
 389	CSSM_ALGID_PBE_OPENSSL_MD5 = CSSM_ALGID_VENDOR_DEFINED + 13; { traditional openssl key derivation (MD5-based, no modern work factor; legacy interop only) }
 390	CSSM_ALGID_SHA256 = CSSM_ALGID_VENDOR_DEFINED + 14;			{ 256-bit SHA2 }
 391	CSSM_ALGID_SHA384 = CSSM_ALGID_VENDOR_DEFINED + 15;			{ 384-bit SHA2 }
 392	CSSM_ALGID_SHA512 = CSSM_ALGID_VENDOR_DEFINED + 16;			{ 512-bit SHA2 }
 393	CSSM_ALGID_ENTROPY_DEFAULT = CSSM_ALGID_VENDOR_DEFINED + 17;	{ default entropy source of (CSP) device, if any }
 394	CSSM_ALGID_SHA224 = CSSM_ALGID_VENDOR_DEFINED + 18;			{ SHA2, 224 bit }
 395	CSSM_ALGID_SHA224WithRSA = CSSM_ALGID_VENDOR_DEFINED + 19;	{ RSA signature on SHA224 digest }
 396	CSSM_ALGID_SHA256WithRSA = CSSM_ALGID_VENDOR_DEFINED + 20;	{ RSA signature on SHA256 digest }
 397	CSSM_ALGID_SHA384WithRSA = CSSM_ALGID_VENDOR_DEFINED + 21;	{ RSA signature on SHA384 digest }
 398	CSSM_ALGID_SHA512WithRSA = CSSM_ALGID_VENDOR_DEFINED + 22;	{ RSA signature on SHA512 digest }
 399	CSSM_ALGID_OPENSSH1 = CSSM_ALGID_VENDOR_DEFINED + 23;		{ OpenSSH v1 RSA key wrapping }
 400	CSSM_ALGID_SHA224WithECDSA = CSSM_ALGID_VENDOR_DEFINED + 24;	{ ECDSA signature on SHA224 digest }
 401	CSSM_ALGID_SHA256WithECDSA = CSSM_ALGID_VENDOR_DEFINED + 25;	{ ECDSA signature on SHA256 digest }
 402	CSSM_ALGID_SHA384WithECDSA = CSSM_ALGID_VENDOR_DEFINED + 26;	{ ECDSA signature on SHA384 digest }
 403	CSSM_ALGID_SHA512WithECDSA = CSSM_ALGID_VENDOR_DEFINED + 27;	{ ECDSA signature on SHA512 digest }
 404	CSSM_ALGID_ECDSA_SPECIFIED = CSSM_ALGID_VENDOR_DEFINED + 28;	{ ECDSA with separate digest algorithm specifier }
 405	CSSM_ALGID_ECDH_X963_KDF = CSSM_ALGID_VENDOR_DEFINED + 29;	{ ECDH with X9.63 key derivation }
 406	CSSM_ALGID__FIRST_UNUSED = CSSM_ALGID_VENDOR_DEFINED + 30;	{ next free vendor-defined id; not an algorithm }
 407
 408{ Apple defined padding }
 409const
 410{ RFC 2246 section E.2 for SSLv2 rollback detection }
 411	CSSM_PADDING_APPLE_SSLv2 = CSSM_PADDING_VENDOR_DEFINED;
 412
 413
 414{ Apple defined keyblob formats }
 415const
 416	CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED = $80000000;
 417const
 418{ X509 SubjectPublicKeyInfo }
 419	CSSM_KEYBLOB_RAW_FORMAT_X509 = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED;
 420	{ OpenSSH v1 }
 421	CSSM_KEYBLOB_RAW_FORMAT_OPENSSH = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED + 1;		
 422	{ openssl-style DSA private key }
 423	CSSM_KEYBLOB_RAW_FORMAT_OPENSSL = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED + 2;
 424	{ OpenSSH v2 }
 425	CSSM_KEYBLOB_RAW_FORMAT_OPENSSH2 = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED + 3;
 426
 427{ Apple adds some "common" error codes. CDSA does not define an official start value for this. }
 428const
 429	CSSM_CUSTOM_COMMON_ERROR_EXTENT = $00e0;
 430	CSSM_ERRCODE_NO_USER_INTERACTION = $00e0;
 431	CSSM_ERRCODE_USER_CANCELED = $00e1;
 432	CSSM_ERRCODE_SERVICE_NOT_AVAILABLE = $00e2;
 433	CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION = $00e3;
 434	CSSM_ERRCODE_DEVICE_RESET = $00e4;
 435	CSSM_ERRCODE_DEVICE_FAILED = $00e5;
 436	CSSM_ERRCODE_IN_DARK_WAKE = $00e6;
 437
 438const
 439	CSSMERR_CSSM_NO_USER_INTERACTION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
 440	CSSMERR_AC_NO_USER_INTERACTION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
 441	CSSMERR_CSP_NO_USER_INTERACTION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
 442	CSSMERR_CL_NO_USER_INTERACTION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
 443	CSSMERR_DL_NO_USER_INTERACTION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
 444	CSSMERR_TP_NO_USER_INTERACTION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
 445	CSSMERR_CSSM_USER_CANCELED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
 446	CSSMERR_AC_USER_CANCELED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
 447	CSSMERR_CSP_USER_CANCELED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
 448	CSSMERR_CL_USER_CANCELED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
 449	CSSMERR_DL_USER_CANCELED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
 450	CSSMERR_TP_USER_CANCELED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
 451	CSSMERR_CSSM_SERVICE_NOT_AVAILABLE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
 452	CSSMERR_AC_SERVICE_NOT_AVAILABLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
 453	CSSMERR_CSP_SERVICE_NOT_AVAILABLE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
 454	CSSMERR_CL_SERVICE_NOT_AVAILABLE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
 455	CSSMERR_DL_SERVICE_NOT_AVAILABLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
 456	CSSMERR_TP_SERVICE_NOT_AVAILABLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
 457	CSSMERR_CSSM_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
 458	CSSMERR_AC_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
 459	CSSMERR_CSP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
 460	CSSMERR_CL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
 461	CSSMERR_DL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
 462	CSSMERR_TP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
 463	CSSMERR_CSSM_DEVICE_RESET = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
 464	CSSMERR_AC_DEVICE_RESET = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
 465	CSSMERR_CSP_DEVICE_RESET = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
 466	CSSMERR_CL_DEVICE_RESET = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
 467	CSSMERR_DL_DEVICE_RESET = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
 468	CSSMERR_TP_DEVICE_RESET = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
 469	CSSMERR_CSSM_DEVICE_FAILED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
 470	CSSMERR_AC_DEVICE_FAILED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
 471	CSSMERR_CSP_DEVICE_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
 472	CSSMERR_CL_DEVICE_FAILED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
 473	CSSMERR_DL_DEVICE_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
 474	CSSMERR_TP_DEVICE_FAILED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
 475	CSSMERR_CSSM_IN_DARK_WAKE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE;
 476	CSSMERR_AC_IN_DARK_WAKE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE;
 477	CSSMERR_CSP_IN_DARK_WAKE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE;
 478	CSSMERR_CL_IN_DARK_WAKE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE;
 479	CSSMERR_DL_IN_DARK_WAKE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE;
 480	CSSMERR_TP_IN_DARK_WAKE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE;
 481
 482{ AppleCSPDL, AppleCSP private error codes. }
 483const
 484	CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT = CSSM_CSP_PRIVATE_ERROR + 0;
 485	{
 486	 * An attempt was made to use a public key which is incomplete due to 
 487	 * the lack of algorithm-specific parameters.
 488	 }
 489	CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE = CSSM_CSP_PRIVATE_ERROR + 1;
 490	
 491	{ a code signature match failed }
 492	CSSMERR_CSP_APPLE_SIGNATURE_MISMATCH = CSSM_CSP_PRIVATE_ERROR + 2;
 493	
 494	{ Key StartDate/EndDate invalid }
 495	CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE = CSSM_CSP_PRIVATE_ERROR + 3;
 496	CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE = CSSM_CSP_PRIVATE_ERROR + 4;
 497	
 498	{ Keychain Syncing error codes }
 499	CSSMERR_CSPDL_APPLE_DL_CONVERSION_ERROR = CSSM_CSP_PRIVATE_ERROR + 5;
 500
 501	{ SSLv2 padding check: rollback attack detected }
 502	CSSMERR_CSP_APPLE_SSLv2_ROLLBACK = CSSM_CSP_PRIVATE_ERROR + 6;
 503
 504
 505{ AppleFileDL record types. }
 506const
 507	CSSM_DL_DB_RECORD_GENERIC_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0;
 508	CSSM_DL_DB_RECORD_INTERNET_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 1;
 509	CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 2;
 510	CSSM_DL_DB_RECORD_X509_CERTIFICATE = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000;
 511	CSSM_DL_DB_RECORD_USER_TRUST = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000 + 1;
 512	CSSM_DL_DB_RECORD_X509_CRL = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000 + 2;
 513	CSSM_DL_DB_RECORD_UNLOCK_REFERRAL = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000 + 3;
 514	CSSM_DL_DB_RECORD_EXTENDED_ATTRIBUTE = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000 + 4;
 515	CSSM_DL_DB_RECORD_METADATA = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $8000;
 516
 517{ AppleFileDL extensions: passthrough ids }
 518const
 519// Toggle whether or not to autocommit after modifying the database.
 520	// The input parameter is a CSSM_BOOL, where TRUE turns autocommit on
 521	// and FALSE turns it off.
 522	CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT = 0;
 523	
 524	// Commit any pending changes to the database.
 525	CSSM_APPLEFILEDL_COMMIT = 1;
 526	
 527	// Rollback and discard any pending changes to the database.
 528	CSSM_APPLEFILEDL_ROLLBACK = 2;
 529
 530{ UNLOCK_REFERRAL "type" attribute values }
 531const
 532	CSSM_APPLE_UNLOCK_TYPE_KEY_DIRECT = 1;	// master secret key stored directly
 533	CSSM_APPLE_UNLOCK_TYPE_WRAPPED_PRIVATE = 2;		// master key wrapped by public key
 534
 535{ Apple DL private error codes. }
 536const
 537{ The OpenParameters argument passed to CSSM_DL_DbCreate or CSSM_DL_DbOpen
 538	   was neither NULL nor a pointer to a valid CSSM_APPLEDL_OPEN_PARAMETERS
 539	   structure. }
 540	CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS = CSSM_DL_PRIVATE_ERROR + 0;
 541	
 542	{ an operation failed because the disk was full }
 543	CSSMERR_APPLEDL_DISK_FULL = CSSM_DL_PRIVATE_ERROR + 1;
 544	
 545	{ an operation failed because a disk quota was exceeded }
 546	CSSMERR_APPLEDL_QUOTA_EXCEEDED = CSSM_DL_PRIVATE_ERROR + 2;
 547	
 548	{ an operation failed because a file was too large }
 549	CSSMERR_APPLEDL_FILE_TOO_BIG = CSSM_DL_PRIVATE_ERROR + 3;
 550    
 551    { a keychain database's internal information ("blob") is invalid }
 552	CSSMERR_APPLEDL_INVALID_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 4;
 553	CSSMERR_APPLEDL_INVALID_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 5;
 554    
 555    { the internal data format version for a database's internal information ("blob") is invalid }
 556	CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 6;
 557	CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 7;
 558
 559{ Apple X509TP private error codes. }
 560const
 561{ Host name mismatch }
 562	CSSMERR_APPLETP_HOSTNAME_MISMATCH = CSSM_TP_PRIVATE_ERROR + 0;
 563	{ Non-understood extension with Critical flag true }
 564	CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN = CSSM_TP_PRIVATE_ERROR + 1;
 565	{ Basic Constraints extension required per policy, but not present }
 566	CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 2;
 567	{ Invalid BasicConstraints.CA }
 568	CSSMERR_APPLETP_INVALID_CA = CSSM_TP_PRIVATE_ERROR + 3;
 569	{ Invalid Authority Key ID }
 570	CSSMERR_APPLETP_INVALID_AUTHORITY_ID = CSSM_TP_PRIVATE_ERROR + 4;
 571	{ Invalid Subject Key ID }
 572	CSSMERR_APPLETP_INVALID_SUBJECT_ID = CSSM_TP_PRIVATE_ERROR + 5;
 573	{ Invalid Key Usage for policy }
 574	CSSMERR_APPLETP_INVALID_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 6;
 575	{ Invalid Extended Key Usage for policy }
 576	CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 7;
 577	{ Invalid Subject/Authority Key ID Linkage }
 578	CSSMERR_APPLETP_INVALID_ID_LINKAGE = CSSM_TP_PRIVATE_ERROR + 8;
 579	{ PathLengthConstraint exceeded }
 580	CSSMERR_APPLETP_PATH_LEN_CONSTRAINT = CSSM_TP_PRIVATE_ERROR + 9;
 581	{ Cert group terminated at a root cert which did not self-verify }
 582	CSSMERR_APPLETP_INVALID_ROOT = CSSM_TP_PRIVATE_ERROR + 10;
 583	{ CRL expired/not valid yet }
 584	CSSMERR_APPLETP_CRL_EXPIRED = CSSM_TP_PRIVATE_ERROR + 11;
 585	CSSMERR_APPLETP_CRL_NOT_VALID_YET = CSSM_TP_PRIVATE_ERROR + 12;
 586	{ Cannot find appropriate CRL }
 587	CSSMERR_APPLETP_CRL_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 13;
 588	{ specified CRL server down }
 589	CSSMERR_APPLETP_CRL_SERVER_DOWN = CSSM_TP_PRIVATE_ERROR + 14;
 590	{ illegible CRL distribution point URL }
 591	CSSMERR_APPLETP_CRL_BAD_URI = CSSM_TP_PRIVATE_ERROR + 15;
 592	{ Unknown critical cert/CRL extension }
 593	CSSMERR_APPLETP_UNKNOWN_CERT_EXTEN = CSSM_TP_PRIVATE_ERROR + 16;
 594	CSSMERR_APPLETP_UNKNOWN_CRL_EXTEN = CSSM_TP_PRIVATE_ERROR + 17;
 595	{ CRL not verifiable to anchor or root }
 596	CSSMERR_APPLETP_CRL_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 18;
 597	{ CRL verified to untrusted root }
 598	CSSMERR_APPLETP_CRL_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 19;
 599	{ CRL failed policy verification }
 600	CSSMERR_APPLETP_CRL_POLICY_FAIL = CSSM_TP_PRIVATE_ERROR + 20;
 601	{ IssuingDistributionPoint extension violation }
 602	CSSMERR_APPLETP_IDP_FAIL = CSSM_TP_PRIVATE_ERROR + 21;
 603	{ Cert not found at specified issuerAltName }
 604	CSSMERR_APPLETP_CERT_NOT_FOUND_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 22;
 605	{ Bad cert obtained from specified issuerAltName }
 606	CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 23;
 607	{ S/MIME Email address mismatch }
 608	CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 24;
 609	{ Appropriate S/MIME ExtendedKeyUsage not found }
 610	CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 25;
 611	{ S/MIME KeyUsage incompatibility }
 612	CSSMERR_APPLETP_SMIME_BAD_KEY_USE = CSSM_TP_PRIVATE_ERROR + 26;
 613	{ S/MIME, cert with KeyUsage flagged !critical }
 614	CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 27;
 615	{ S/MIME, leaf with empty subject name and no email addrs
 616	 * in SubjectAltName }
 617	CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS = CSSM_TP_PRIVATE_ERROR + 28;
 618	{ S/MIME, leaf with empty subject name, SubjectAltName 
 619	 * not critical }
 620	CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT = CSSM_TP_PRIVATE_ERROR + 29;
 621	{ Appropriate SSL ExtendedKeyUsage not found }
 622	CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 30;
 623	{ unparseable OCSP response }
 624	CSSMERR_APPLETP_OCSP_BAD_RESPONSE = CSSM_TP_PRIVATE_ERROR + 31;
 625	{ unparseable OCSP request }
 626	CSSMERR_APPLETP_OCSP_BAD_REQUEST = CSSM_TP_PRIVATE_ERROR + 32;
 627	{ OCSP service unavailable }
 628	CSSMERR_APPLETP_OCSP_UNAVAILABLE = CSSM_TP_PRIVATE_ERROR + 33;
 629	{ OCSP status: cert unrecognized }
 630	CSSMERR_APPLETP_OCSP_STATUS_UNRECOGNIZED = CSSM_TP_PRIVATE_ERROR + 34;
 631	{ revocation check not successful for each cert }
 632	CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK = CSSM_TP_PRIVATE_ERROR + 35;
 633	{ general network error }
 634	CSSMERR_APPLETP_NETWORK_FAILURE = CSSM_TP_PRIVATE_ERROR + 36;
 635	{ OCSP response not verifiable to anchor or root }
 636	CSSMERR_APPLETP_OCSP_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 37;
 637	{ OCSP response verified to untrusted root }
 638	CSSMERR_APPLETP_OCSP_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 38;
 639	{ OCSP response signature error }
 640	CSSMERR_APPLETP_OCSP_SIG_ERROR = CSSM_TP_PRIVATE_ERROR + 39;
 641	{ No signer for OCSP response found }
 642	CSSMERR_APPLETP_OCSP_NO_SIGNER = CSSM_TP_PRIVATE_ERROR + 40;
 643	{ OCSP responder status: malformed request }
 644	CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ = CSSM_TP_PRIVATE_ERROR + 41;
 645	{ OCSP responder status: internal error }
 646	CSSMERR_APPLETP_OCSP_RESP_INTERNAL_ERR = CSSM_TP_PRIVATE_ERROR + 42;
 647	{ OCSP responder status: try later }
 648	CSSMERR_APPLETP_OCSP_RESP_TRY_LATER = CSSM_TP_PRIVATE_ERROR + 43;
 649	{ OCSP responder status: signature required }
 650	CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED = CSSM_TP_PRIVATE_ERROR + 44;
 651	{ OCSP responder status: unauthorized }
 652	CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED = CSSM_TP_PRIVATE_ERROR + 45;
 653	{ OCSP response nonce did not match request }
 654	CSSMERR_APPLETP_OCSP_NONCE_MISMATCH = CSSM_TP_PRIVATE_ERROR + 46;
 655	{ Illegal cert chain length for Code Signing  }
 656	CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 47;
 657	{ Missing Basic Constraints for Code Signing }
 658	CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 48;
 659	{ Bad PathLengthConstraint for Code Signing }
 660	CSSMERR_APPLETP_CS_BAD_PATH_LENGTH = CSSM_TP_PRIVATE_ERROR + 49;
 661	{ Missing ExtendedKeyUsage for Code Signing }
 662	CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 50;
 663	{ Development style Code Signing Cert Detected }
 664	CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT = CSSM_TP_PRIVATE_ERROR + 51;
 665	{ Illegal cert chain length for Resource Signing  }
 666	CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 52;
 667	{ bad extended key usage for Resource Signing }
 668	CSSMERR_APPLETP_RS_BAD_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 53;
 669	{ Trust Setting: deny }
 670	CSSMERR_APPLETP_TRUST_SETTING_DENY = CSSM_TP_PRIVATE_ERROR + 54;
 671	{ invalid empty SubjectName }
 672	CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT = CSSM_TP_PRIVATE_ERROR + 55;
 673	{ unknown critical Qualified Cert Statement ID }
 674	CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT = CSSM_TP_PRIVATE_ERROR + 56;
 675	{ Missing required extension }
 676	CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION = CSSM_TP_PRIVATE_ERROR + 57;
 677	{ Extended key usage not marked critical }
 678	CSSMERR_APPLETP_EXT_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 58;
 679
 680{ Apple .mac TP private error codes. }
  681const
    { Error codes reported by the Apple .Mac TP for certificate-request
      operations.  They use the same CSSM_TP_PRIVATE_ERROR base as the AppleTP
      codes above but start at +100, leaving the lower range (which reaches +58
      in this unit) to AppleTP. }
  682{ cert request queued }
  683	CSSMERR_APPLE_DOTMAC_REQ_QUEUED = CSSM_TP_PRIVATE_ERROR + 100;
  684	{ cert request redirected }
  685	CSSMERR_APPLE_DOTMAC_REQ_REDIRECT = CSSM_TP_PRIVATE_ERROR + 101;
  686	{ general server-reported error }
  687	CSSMERR_APPLE_DOTMAC_REQ_SERVER_ERR = CSSM_TP_PRIVATE_ERROR + 102;
  688	{ server-reported parameter error }
  689	CSSMERR_APPLE_DOTMAC_REQ_SERVER_PARAM = CSSM_TP_PRIVATE_ERROR + 103;
  690	{ server-reported authorization error }
  691	CSSMERR_APPLE_DOTMAC_REQ_SERVER_AUTH = CSSM_TP_PRIVATE_ERROR + 104;
  692	{ server-reported unimplemented }
  693	CSSMERR_APPLE_DOTMAC_REQ_SERVER_UNIMPL = CSSM_TP_PRIVATE_ERROR + 105;
  694	{ server-reported not available }
  695	CSSMERR_APPLE_DOTMAC_REQ_SERVER_NOT_AVAIL = CSSM_TP_PRIVATE_ERROR + 106;
  696	{ server-reported already exists }
  697	CSSMERR_APPLE_DOTMAC_REQ_SERVER_ALREADY_EXIST = CSSM_TP_PRIVATE_ERROR + 107;
  698	{ server-reported service error }
  699	CSSMERR_APPLE_DOTMAC_REQ_SERVER_SERVICE_ERROR = CSSM_TP_PRIVATE_ERROR + 108;
  700	{ request already pending for specified user }
  701	CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING = CSSM_TP_PRIVATE_ERROR + 109;
  702	{ no request pending for specified user }
  703	CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING = CSSM_TP_PRIVATE_ERROR + 110;
  704	{ CSR failed to verify }
  705	CSSMERR_APPLE_DOTMAC_CSR_VERIFY_FAIL = CSSM_TP_PRIVATE_ERROR + 111;
  706	{ server reported failed consistency check }
  707	CSSMERR_APPLE_DOTMAC_FAILED_CONSISTENCY_CHECK = CSSM_TP_PRIVATE_ERROR + 112;
 708
  709const
    { Version tag expected in cssm_appledl_open_parameters.version. }
  710	CSSM_APPLEDL_OPEN_PARAMETERS_VERSION = 1;
  711
  712type
    { Bit-mask type for the fields selected in cssm_appledl_open_parameters.
      NOTE(review): this alias is SInt32 while the record's mask field below is
      declared UInt32; the single defined bit fits either, but the two should
      agree. }
  713	cssm_appledl_open_parameters_mask = SInt32;
  714const
    { Set in mask to make the record's mode field effective on DbCreate. }
  715	kCSSM_APPLEDL_MASK_MODE = 1 shl 0;
 716
  717{ Pass a CSSM_APPLEDL_OPEN_PARAMETERS_PTR as the OpenParameters argument to
  718   CSSM_DL_DbCreate or CSSM_DL_DbOpen.  When using this struct, you must zero
  719   out the entire struct before setting any additional parameters to ensure
  720   forward compatibility.  }
  721type
  722	CSSM_APPLEDL_OPEN_PARAMETERS_PTR = ^cssm_appledl_open_parameters;
  723	CSSM_APPLEDL_OPEN_PARAMETERSPtr = ^cssm_appledl_open_parameters;
    	{ Open/create parameters for the AppleDL.  length and version let the DL
    	   detect the struct layout the caller was built against. }
  724	cssm_appledl_open_parameters = record
  725		length: UInt32;	{ Should be sizeof(CSSM_APPLEDL_OPEN_PARAMETERS). }
  726		version: UInt32;	{ Should be CSSM_APPLEDL_OPEN_PARAMETERS_VERSION. }
  727
  728	{ If no OpenParameters are specified, autoCommit is on (!CSSM_FALSE) by default.
  729	   When autoCommit is on (!CSSM_FALSE), changes made to the Db are written to disk
  730	   before returning from each function.
  731	   When autoCommit is off (CSSM_FALSE), changes made to the database are not guaranteed
  732	   to be written to disk until the Db is closed.  This is useful for bulk writes.
  733	   Be aware that if autoCommit is off, changes made in previous calls to the DL might
  734	   get rolled back if a new modification operation fails. }
  735		autoCommit: CSSM_BOOL;
  736
  737	{ Mask marking which of the following fields are to be used. }
    	{ NOTE(review): UInt32 here, although cssm_appledl_open_parameters_mask
    	   (the type meant for these bits) is declared SInt32 earlier in this unit. }
  738		mask: UInt32;
  739
  740	{ When calling DbCreate, the initial mode to create the database file with; ignored on DbOpen.  You must set the kCSSM_APPLEDL_MASK_MODE bit in mask or mode is ignored.  }
    	{ These are the permission bits of the database file on disk, so a caller
    	   that sets kCSSM_APPLEDL_MASK_MODE should choose a restrictive mode.  What
    	   mode the DL uses when the bit is clear is not stated here. }
  741		mode: mode_t;
  742	end;
 743
 744
  745{ AppleCSPDL passthrough ids }
    { Operation codes for CSSM_DL_PassThrough / CSSM_CSP_PassThrough against the
      AppleCSPDL.  Each comment states which of InputParameters/OutputParameters
      the operation reads, and whether the SecurityServer may show UI. }
  746const
  747{ Tell the SecurityServer to lock the database specified by the DLDBHandle argument.
  748	   The InputParams and OutputParams arguments are ignored. }
  749	CSSM_APPLECSPDL_DB_LOCK = 0;
  750
  751	{ Tell the SecurityServer to unlock the database specified by the DLDBHandle argument.
  752	   The InputParameters argument is a CSSM_DATA_PTR containing the password, or NULL if
  753	   the SecurityServer should prompt for the password.
  754	   The OutputParams argument is ignored.
  755	   The SecurityServer will put up UI (through the SecurityAgent) when this function is called
  756	   iff InputParameters is NULL.  }
    	{ When the password is supplied it sits as plain bytes in the caller's
    	   CSSM_DATA buffer; it is good practice to zero that buffer once the call
    	   returns. }
  757	CSSM_APPLECSPDL_DB_UNLOCK = 1;
  758
  759	{ Ask the SecurityServer to get the db settings specified for the database
  760	   specified by the DLDBHandle argument.  The settings are returned in the OutputParameters argument.
  761	   The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR.
  762	   Upon successful completion, the AppleCSPDL will have allocated a
  763	   CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS structure using the application-specified
  764	   allocators for the DL attachment specified by the DLDBHandle argument.  The structure will contain
  765	   the current database settings for the specified database.  The client should free the
  766	   CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR after it has finished using it.
  767	   The InputParameters argument is ignored.
  768	   The SecurityServer might put up UI (through the SecurityAgent) when this function is called.  }
  769	CSSM_APPLECSPDL_DB_GET_SETTINGS = 2;
  770
  771	{ Tell the SecurityServer to set the db settings specified in InputParameters on the database
  772	   specified by the DLDBHandle argument.
  773	   The InputParameters argument is a const CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS * containing
  774	   the new settings for the specified database.
  775	   The OutputParams argument is ignored.
  776	   The SecurityServer might put up UI (through the SecurityAgent) when this function is called.  }
  777	CSSM_APPLECSPDL_DB_SET_SETTINGS = 3;
  778
  779	{ Ask the SecurityServer whether the database specified by the DLDBHandle argument is locked.
  780	   The InputParameters argument is ignored.
  781	   The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR.
  782	   Upon successful completion, the AppleCSPDL will have allocated a
  783	   CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS structure using the application-specified
  784	   allocators for the DL attachment specified by the DLDBHandle argument.  The structure will contain
  785	   the current lock status for the specified database.  The client should free the
  786	   CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR after it has finished using it.
  787	   The SecurityServer will put up UI (through the SecurityAgent) when this function is called. }
  788	CSSM_APPLECSPDL_DB_IS_LOCKED = 4;
  789
  790	{ Tell the SecurityServer to change the password for the database specified by
  791	   the DLDBHandle.
  792
  793	   The InputParameters argument is a const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS * containing
  794	   a CSSM_ACCESS_CREDENTIALS * which determines how the password will be changed.  If the
  795	   accessCredentials are NULL, the SecurityAgent will prompt for the old and the new password for the
  796	   specified database.  If credentials are specified, there should be 2 entries:
  797	   1. a 3-element list containing:
  798	   CSSM_WORDID_KEYCHAIN_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the old password.
  799	   2. a 3-element list containing:
  800	   CSSM_WORDID_KEYCHAIN_CHANGE_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the new password.
  801
  802	   The OutputParams argument is ignored.
  803	   The SecurityServer might put up UI (through the SecurityAgent) when this function is called.  }
  804	CSSM_APPLECSPDL_DB_CHANGE_PASSWORD = 5;
  805	
  806	{ Return the SecurityServer database handle for the database specified by the DLDBHandle }
  807	CSSM_APPLECSPDL_DB_GET_HANDLE = 6;
  808	
  809	{ Given a CSSM_KEY for the CSPDL, return the SecurityServer key handle }
    	{ Spelled APPLESCPDL (not CSPDL), presumably as in the upstream C header;
    	   keep the spelling so code written against that header still compiles. }
  810	CSSM_APPLESCPDL_CSP_GET_KEYHANDLE = 7;
    	{ Private pass-through codes with no public documentation in this unit. }
  811	CSSM_APPLE_PRIVATE_CSPDL_CODE_8 = 8;
  812	CSSM_APPLE_PRIVATE_CSPDL_CODE_9 = 9;
  813	CSSM_APPLE_PRIVATE_CSPDL_CODE_10 = 10;
  814	CSSM_APPLE_PRIVATE_CSPDL_CODE_11 = 11;
  815	CSSM_APPLE_PRIVATE_CSPDL_CODE_12 = 12;
  816	CSSM_APPLE_PRIVATE_CSPDL_CODE_13 = 13;
  817	CSSM_APPLE_PRIVATE_CSPDL_CODE_14 = 14;
  818	CSSM_APPLE_PRIVATE_CSPDL_CODE_15 = 15;
  819	CSSM_APPLE_PRIVATE_CSPDL_CODE_16 = 16;
  820	
  821	{ Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the 
  822	 * associated key blob. 
  823	 * Key is specified in CSSM_CSP_CreatePassThroughContext.
  824	 * Hash is allocated by the CSP, in the App's memory, and returned
  825	 * in *outData. }
    	{ The digest algorithm is fixed to SHA-1 by this interface; treat the
    	   result as a key identifier rather than a collision-resistant fingerprint. }
  826	CSSM_APPLECSP_KEYDIGEST = $100;
 827
 828
  829{ AppleCSPDL passthrough parameters }
    { Payload for CSSM_APPLECSPDL_DB_GET_SETTINGS (allocated by the DL, freed by
      the caller) and CSSM_APPLECSPDL_DB_SET_SETTINGS (supplied by the caller). }
  830type
  831	CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR = ^cssm_applecspdl_db_settings_parameters;
  832	CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERSPtr = ^cssm_applecspdl_db_settings_parameters;
  833	cssm_applecspdl_db_settings_parameters = record
  834		idleTimeout: UInt32;				// seconds idle timeout lock
  835		lockOnSleep: UInt8;				// lock database when system sleeps (presumably nonzero = true)
  836	end;
 837
  838{ AppleCSPDL passthrough parameters }
    { Result of CSSM_APPLECSPDL_DB_IS_LOCKED; allocated by the DL with the
      application allocators and freed by the caller. }
  839type
  840	CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR = ^cssm_applecspdl_db_is_locked_parameters;
  841	CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERSPtr = ^cssm_applecspdl_db_is_locked_parameters;
  842	cssm_applecspdl_db_is_locked_parameters = record
  843		isLocked: UInt8;				// True iff the database is locked
  844	end;
 845
  846{ AppleCSPDL passthrough parameters }
    { Input for CSSM_APPLECSPDL_DB_CHANGE_PASSWORD.  A NULL accessCredentials
      makes the SecurityAgent prompt for the old and new password; otherwise the
      two samples described at CSSM_APPLECSPDL_DB_CHANGE_PASSWORD are expected. }
  847type
  848	CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS_PTR = ^cssm_applecspdl_db_change_password_parameters;
  849	CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERSPtr = ^cssm_applecspdl_db_change_password_parameters;
  850	cssm_applecspdl_db_change_password_parameters = record
  851		accessCredentials: CSSM_ACCESS_CREDENTIALSPtr;
  852	end;
 853
  854{ Custom wrapped key formats }
    { Vendor-defined values for the wrapped-key blob format field, beyond the
      formats defined by the generic CSSM headers. }
  855const
  856	CSSM_KEYBLOB_WRAPPED_FORMAT_APPLE_CUSTOM = 100;
  857	CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSL = 101;			// traditional openssl 
  858	CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSH1 = 102;			// OpenSSH v1
 859
  860{
  861 * Custom context attributes for AppleCSP.
  862 }
    { Base value combined with a CSSM_ATTRIBUTE_DATA_xxx type tag to form the
      vendor-defined attribute ids declared below. }
  863const
  864	CSSM_ATTRIBUTE_VENDOR_DEFINED = $800000;
 865
  866const
    { Each attribute id is a CSSM_ATTRIBUTE_DATA_xxx type tag OR-ed with
      CSSM_ATTRIBUTE_VENDOR_DEFINED plus a small ordinal, so the data type of
      the attribute value is encoded in the id itself. }
  867{ 
  868	 * Public Key attribute for use with CSSM_ALGID_FEED.
  869	 }
  870	CSSM_ATTRIBUTE_PUBLIC_KEY = (CSSM_ATTRIBUTE_DATA_KEY or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 0));
  871			
  872	{
  873	 * FEE key attributes.
  874	 * See CSSM_FEE_PRIME_TYPE_xxx, CSSM_FEE_CURVE_TYPE_xxx enums, below.
  875	 }
  876	CSSM_ATTRIBUTE_FEE_PRIME_TYPE = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 1));
  877	CSSM_ATTRIBUTE_FEE_CURVE_TYPE = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 2));
  878			
  879	{
  880	 * Apple Secure Compression (ComCryption) optimization.
  881	 * See CSSM_ASC_OPTIMIZE_xxx, enums, below.
  882	 }
  883	CSSM_ATTRIBUTE_ASC_OPTIMIZATION = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 3));
  884			
  885	{
  886	 * RSA blinding. Value is integer, nonzero (blinding on) or zero.
  887	 }
    	{ Blinding is the usual countermeasure against timing side channels on
    	   RSA private-key operations; whether it is on when the attribute is
    	   absent is not stated here. }
  888	CSSM_ATTRIBUTE_RSA_BLINDING = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 4));
  889			
  890	{
  891	 * Additional public key from which to obtain algorithm-specific
  892	 * parameters.
  893	 }
  894	CSSM_ATTRIBUTE_PARAM_KEY = (CSSM_ATTRIBUTE_DATA_KEY or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 5));
  895			
  896	{
  897	 * Prompt string for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
  898	 * Data is a UTF8-encoded external representation of a CFString. 
  899	 }
  900	CSSM_ATTRIBUTE_PROMPT = (CSSM_ATTRIBUTE_DATA_CSSM_DATA or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 6));
  901
  902	{
  903	 * Alert panel title for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
  904	 * Data is a UTF8-encoded external representation of a CFString. 
  905	 }
  906	CSSM_ATTRIBUTE_ALERT_TITLE = (CSSM_ATTRIBUTE_DATA_CSSM_DATA or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 7));
  907
  908	{
  909	 * Boolean to specify whether secure passphrase is being used to encrypt or to 
  910	 * recover data. In the former case the user will be prompted to enter the 
  911	 * passphrase twice. Value is integer, nonzero (verify passphrase) or zero.
  912	 }
  913	CSSM_ATTRIBUTE_VERIFY_PASSPHRASE = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 8));
 914
  915{
  916 * FEE key pair prime modulus types.
  917 }
    { Values for the CSSM_ATTRIBUTE_FEE_PRIME_TYPE context attribute. }
  918const
  919	CSSM_FEE_PRIME_TYPE_DEFAULT = 0;	{ default per key size }
  920	CSSM_FEE_PRIME_TYPE_MERSENNE = 1;		{ (2 ** q) - 1 }
  921	CSSM_FEE_PRIME_TYPE_FEE = 2;			{ (2 ** q) - k }
  922	CSSM_FEE_PRIME_TYPE_GENERAL = 3;			{ random prime }
 923
  924{
  925 * FEE curve types. Comments refer to equation
  926 *
  927 *    y**2 = x**3 + c(x**2) + ax + b
  928 }
    { Values for the CSSM_ATTRIBUTE_FEE_CURVE_TYPE context attribute. }
  929const
  930	CSSM_FEE_CURVE_TYPE_DEFAULT = 0;	{ default per key size }
  931	CSSM_FEE_CURVE_TYPE_MONTGOMERY = 1;		{ a==1, b==0 }
  932	CSSM_FEE_CURVE_TYPE_WEIERSTRASS = 2;	{ c==0. IEEE P1363 compliant. }
  933	CSSM_FEE_CURVE_TYPE_ANSI_X9_62 = 3;		{ ANSI X9.62 compatible }
 934
  935{
  936 * Apple Secure Compression (ComCryption) optimization attributes.
  937 }
    { Values for the CSSM_ATTRIBUTE_ASC_OPTIMIZATION context attribute.  Note
      that TIME_SIZE is documented as trading security for speed/size. }
  938const
  939	CSSM_ASC_OPTIMIZE_DEFAULT = 0;
  940	CSSM_ASC_OPTIMIZE_SIZE = 1;				{ max compression (currently the default) }
  941	CSSM_ASC_OPTIMIZE_SECURITY = 2;			{ currently not implemented }
  942	CSSM_ASC_OPTIMIZE_TIME = 3;				{ min runtime }
  943	CSSM_ASC_OPTIMIZE_TIME_SIZE = 4;		{ implies loss of security }
  944	CSSM_ASC_OPTIMIZE_ASCII = 5;			{ optimized for ASCII text, not implemented }
 945
  946{
  947 * Apple custom CSSM_KEYATTR_FLAGS.
  948 }
    { Vendor bits OR-ed into the generic CSSM_KEYATTR_FLAGS value of a key. }
  949const
  950{
  951	 * When set, indicates a public key which is incomplete (though
  952	 * still valid) due to the lack of algorithm-specific parameters.
  953	 }
  954	CSSM_KEYATTR_PARTIAL = $00010000;
  955	
  956	{
  957	 * When set, public keys are stored encrypted. Default is to store
  958	 * public keys in the clear. AppleCSPDL only.
  959	 }
  960	CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT = $00020000;
 961
  962{
  963 * Name/OID pair used in CSSM_APPLE_TP_CERT_REQUEST
  964 }
    { One relative-distinguished-name component: the attribute OID and its
      string value.  The braces around const mark the C const qualifier, which
      has no Pascal equivalent. }
  965type
  966	CSSM_APPLE_TP_NAME_OIDPtr = ^CSSM_APPLE_TP_NAME_OID;
  967	CSSM_APPLE_TP_NAME_OID = record
  968		strng: {const} CStringPtr;
  969		oid: {const} CSSM_OIDPtr;
  970	end;
 971
  972{ 
  973 * Certificate request passed to CSSM_TP_SubmitCredRequest() in the
  974 * CSSM_TP_AUTHORITY_REQUEST_TYPE.Requests field. Used for requesting
  975 * both locally-generated certs (CSSMOID_APPLE_TP_LOCAL_CERT_GEN) and
  976 * cert signing requests (CSSMOID_APPLE_TP_CSR_GEN). 
  977 }
  978type
  979	CSSM_APPLE_TP_CERT_REQUESTPtr = ^CSSM_APPLE_TP_CERT_REQUEST;
  980	CSSM_APPLE_TP_CERT_REQUEST = record
  981		cspHand: CSSM_CSP_HANDLE;		// sign with this CSP
  982		clHand: CSSM_CL_HANDLE;			// and this CL
  983		serialNumber: UInt32;
  984		numSubjectNames: UInt32;// size subjectNames[]
  985		subjectNames: CSSM_APPLE_TP_NAME_OIDPtr;	
  986	
  987	{
  988	 * Issuer name can be expressed in the simplified CSSM_APPLE_TP_NAME_OID
  989	 * array, as is the subject name, or as an CSSM_X509_NAME, which is 
  990	 * typically obtained from a signing cert. 
  991	 * Exactly one of (issuerNames, issuerNameX509) must be non-NULL. 
  992	 }
  993		numIssuerNames: UInt32;	// size issuerNames[]
  994		issuerNames: CSSM_APPLE_TP_NAME_OIDPtr;   // optional; NULL implies root 
  995											//    (signer == subject)
  996		issuerNameX509: CSSM_X509_NAME_PTR;		
  997		certPublicKey: {const} CSSM_KEYPtr;
  998		issuerPrivateKey: {const} CSSM_KEYPtr;
  999	
 1000	{ Unfortunately there is no practical way to map any algorithm
 1001	 * to its appropriate OID, and we need both.... }
    	{ signatureAlg and signatureOid must describe the same algorithm; the
    	   caller is responsible for keeping them consistent. }
 1002		signatureAlg: CSSM_ALGORITHMS;   // e.g., CSSM_ALGID_SHA1WithRSA
 1003		signatureOid: CSSM_OID;	// e.g., CSSMOID_SHA1WithRSA
    	{ Validity window offsets from the time of the request; the unit is not
    	   stated in this unit (presumably seconds - confirm against the C header). }
 1004		notBefore: UInt32;		// relative to "now"
 1005		notAfter: UInt32;
 1006		numExtensions: UInt32;
 1007		extensions: CE_DataAndTypePtr;	// optional
 1008	
 1009	{ 
 1010	 * Optional challenge string for CSSMOID_APPLE_TP_CSR_GEN.
 1011	 }
 1012		challengeString: {const} CStringPtr;
 1013	end;
1014
 1015{ 
 1016 * Options for X509TP's CSSM_TP_CertGroupVerify for policy CSSMOID_APPLE_TP_SSL. 
 1017 * A pointer to, and length of, one of these is optionally placed in 
 1018 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
 1019 }
    { Current layout version of CSSM_APPLE_TP_SSL_OPTIONS; version 1 added the
      Flags field. }
 1020const
 1021	CSSM_APPLE_TP_SSL_OPTS_VERSION = 1;
1022
 1023{
 1024 * Values for CSSM_APPLE_TP_SSL_OPTIONS.flags.
 1025 *
 1026 * Set this flag when evaluating a client cert.
 1027 }
    { Selects client-certificate evaluation rules rather than server-cert
      rules (which include the ServerName match). }
 1028const
 1029	CSSM_APPLE_TP_SSL_CLIENT = $00000001;
1030
 1031type
 1032	CSSM_APPLE_TP_SSL_OPTIONSPtr = ^CSSM_APPLE_TP_SSL_OPTIONS;
    	{ Per-verification options for the CSSMOID_APPLE_TP_SSL policy. }
 1033	CSSM_APPLE_TP_SSL_OPTIONS = record
 1034		Version: UInt32;        // CSSM_APPLE_TP_SSL_OPTS_VERSION
 1035
 1036	{ 
 1037	 * The domain name of the server (e.g., "store.apple.com".) In the 
 1038	 * SSL and TLS protocols, this must match the common name of the 
 1039	 * subject cert. Expressed as a C string, optionally NULL terminated
 1040	 * (if it is NULL terminated, the length field should include the NULL).
 1041	 }
    	{ Leaving ServerName NULL skips the host-name match described above, so
    	   a server-cert evaluation without it does not bind the cert to a host. }
 1042		ServerNameLen: UInt32;
 1043		ServerName: {const} CStringPtr;    // optional
 1044	
 1045	{ new fields for struct version 1 }
 1046		Flags: UInt32;
 1047	end;
1048
 1049{ 
 1050 * Options for X509TP's CSSM_TP_CertGroupVerify for policy 
 1051 * CSSMOID_APPLE_TP_REVOCATION_CRL. A pointer to, and length of, one 
 1052 * of these is optionally placed in 
 1053 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
 1054 }
    { Layout version of CSSM_APPLE_TP_CRL_OPTIONS. }
 1055const
 1056	CSSM_APPLE_TP_CRL_OPTS_VERSION = 0;
1057
 1058type
    { Bit flags for CSSM_APPLE_TP_CRL_OPTIONS.CrlFlags. }
 1059	CSSM_APPLE_TP_CRL_OPT_FLAGS = UInt32;
 1060const
    { With neither REQUIRE flag set the CRL check is only attempted ("try"),
      so an unavailable CRL presumably does not fail verification by itself;
      set CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT or _REQUIRE_CRL_IF_PRESENT where
      a definite revocation answer is required. }
 1061// require CRL verification for each cert; default is "try"
 1062	CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT = $00000001;	
 1063	// enable fetch from network
 1064	CSSM_TP_ACTION_FETCH_CRL_FROM_NET = $00000002;
 1065	// if set and positive OCSP verify for given cert, no further revocation
 1066	// checking need be done on that cert
 1067	CSSM_TP_ACTION_CRL_SUFFICIENT = $00000004;
 1068	// require CRL verification for certs which claim a CRL provider
 1069	CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT = $00000008;
1070
 1071type
 1072	CSSM_APPLE_TP_CRL_OPTIONSPtr = ^CSSM_APPLE_TP_CRL_OPTIONS;
    	{ Per-verification options for the CSSMOID_APPLE_TP_REVOCATION_CRL policy. }
 1073	CSSM_APPLE_TP_CRL_OPTIONS = record
 1074		Version: UInt32;        // CSSM_APPLE_TP_CRL_OPTS_VERSION
 1075		CrlFlags: CSSM_APPLE_TP_CRL_OPT_FLAGS;
 1076	
 1077	{
 1078	 * When non-NULL, store CRLs fetched from net here.
 1079	 * This is most likely a pointer to one of the  
 1080	 * CSSM_TP_CALLERAUTH_CONTEXT.DBList entries but that
 1081	 * is not a strict requirement.
 1082	 }
    	{ Only meaningful together with CSSM_TP_ACTION_FETCH_CRL_FROM_NET. }
 1083		crlStore: CSSM_DL_DB_HANDLE_PTR;
 1084	end;
1085
 1086{ 
 1087 * Options for X509TP's CSSM_TP_CertGroupVerify for policy 
 1088 * CSSMOID_APPLE_TP_SMIME. A pointer to, and length of, one 
 1089 * of these is optionally placed in 
 1090 * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
 1091 }
    { Layout version of CSSM_APPLE_TP_SMIME_OPTIONS. }
 1092const
 1093	CSSM_APPLE_TP_SMIME_OPTS_VERSION = 0;
 1094type
 1095	CSSM_APPLE_TP_SMIME_OPTIONSPtr = ^CSSM_APPLE_TP_SMIME_OPTIONS;
    	{ Per-verification options for the CSSMOID_APPLE_TP_SMIME policy. }
 1096	CSSM_APPLE_TP_SMIME_OPTIONS = record
 1097		Version: UInt32;        // CSSM_APPLE_TP_SMIME_OPTS_VERSION
 1098
 1099	{ 
 1100	 * Intended usage of the leaf cert. The cert's KeyUsage extension,
 1101	 * if present, must be a superset of this.
 1102	 }
 1103		IntendedUsage: CE_KeyUsage;
 1104	
 1105	{ 
 1106	 * The email address of the sender. If there is an email address
 1107	 * in the sender's cert, that email address must match this one.
 1108	 * Both (email address in the cert, and this one) are optional.
 1109	 * Expressed as a C string, optionally NULL terminated (i.e.,
 1110	 * SenderEmail[SenderEmailLen - 1] may or may not be NULL).
 1111	 }
    	{ Because both sides are optional, the address match is only enforced
    	   when the cert carries an address and SenderEmail is supplied. }
 1112		SenderEmailLen: UInt32;
 1113		SenderEmail: {const} CStringPtr;    // optional
 1114	end;
1115
1116
 1117{
 1118 * Optional ActionData for all X509TP CertGroupVerify policies.
 1119 * A pointer to, and length of, one of these is optionally placed in 
 1120 * CSSM_TP_VERIFY_CONTEXT.ActionData.
 1121 }
 1122type
    { Bit flags for CSSM_APPLE_TP_ACTION_DATA.ActionFlags. }
 1123	CSSM_APPLE_TP_ACTION_FLAGS = UInt32;
 1124const
    { ALLOW_EXPIRED, ALLOW_EXPIRED_ROOT and IMPLICIT_ANCHORS each relax a check
      that CertGroupVerify otherwise enforces (IMPLICIT_ANCHORS in particular
      accepts a properly self-signed cert as an anchor without it being in the
      anchor set); REQUIRE_REV_PER_CERT tightens verification.  Relaxing flags
      should be set deliberately for a known reason, not as a default. }
 1125	CSSM_TP_ACTION_ALLOW_EXPIRED = $00000001;	// allow expired certs
 1126	CSSM_TP_ACTION_LEAF_IS_CA = $00000002;	// first cert is a CA 
 1127	CSSM_TP_ACTION_FETCH_CERT_FROM_NET = $00000004;	// enable net fetch of CA cert
 1128	CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT = $00000008; 	// allow expired roots
 1129	CSSM_TP_ACTION_REQUIRE_REV_PER_CERT = $00000010; 	// require positive revocation
 1130														//   check per cert
 1131	CSSM_TP_ACTION_TRUST_SETTINGS = $00000020;	// use TrustSettings instead of 
 1132														//   anchors
 1133	CSSM_TP_ACTION_IMPLICIT_ANCHORS = $00000040;	// properly self-signed certs are
 1134														//   treated as anchors implicitly
1135
 1136const
    { Layout version of CSSM_APPLE_TP_ACTION_DATA. }
 1137	CSSM_APPLE_TP_ACTION_VERSION = 0;
 1138type
 1139	CSSM_APPLE_TP_ACTION_DATAPtr = ^CSSM_APPLE_TP_ACTION_DATA;
    	{ ActionData block shared by all X509TP CertGroupVerify policies; see the
    	   CSSM_TP_ACTION_xxx flags above for what ActionFlags controls. }
 1140	CSSM_APPLE_TP_ACTION_DATA = record
 1141		Version: UInt32; 		// CSSM_APPLE_TP_ACTION_VERSION
 1142		ActionFlags: CSSM_APPLE_TP_ACTION_FLAGS;	// CSSM_TP_ACTION_ALLOW_EXPIRED, etc.
 1143	end;
1144
1145{
1146 * Per-cert evidence returned from CSSM_TP_CertGroupVerify.
1147 * An array of these is presented in CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[2]. 
1148 * Same number of these as in the cert group in Evidence[1].
1149 }
1150 
1151{ First, an array of bits indicating various status of the cert. }
1152type
1153	CSSM_TP_APPLE_CERT_STATUS = UInt32;
1154const
1155	CSSM_CERT_STATUS_EXPIRED = $00000001;
1156	CSSM_CERT_STATUS_NOT_VALID_YET = $00000002;
1157	CSSM_CERT_STATUS_IS…
