AppleX509TP Trust Policies

The trust policies implemented by the AppleX509TP CDSA module are shown in Table B-1. A pointer to a policy-specific option structure is placed in CSSM_FIELD.FieldValue.Data; this field is one of the fields in CSSM_TP_CALLERAUTH_CONTEXT.Policy.PolicyIds array.

**Table B-1** AppleX509TP trust policies
Policy	OID	Options	Description
Apple Basic	`CSSMOID_APPLE_X509_BASIC`	None	Basic X509-style certificate evaluation
SSL	`CSSMOID_APPLE_TP_SSL`	`CSSM_APPLE_TP_SSL_OPTIONS`	Basic X509 plus host name verification per RFC 2818
SMIME	`CSSMOID_APPLE_TP_SMIME`	`CSSM_APPLE_TP_SMIME_OPTIONS`	Basic X509 plus email address verification and KeyUsage enforcement per RFC 2632
Extensible Authentication Protocol (EAP)	`CSSMOID_APPLE_TP_EAP`	`CSSM_APPLE_TP_SSL_OPTIONS`	Functionally identical to SSL policy. A separate OID is provided to facilitate per-policy, per-certificate trust settings using the SecTrust mechanism
CRL Revocation	`CSSMOID_APPLE_TP_REVOCATION_CRL`	`CSSM_APPLE_TP_CRL_OPTIONS` (see option flags below)	Revocation using certificate revocation lists

CRL Policy Options

Certificate revocation list policy options are defined in the following structure:

typedef uint32 CSSM_APPLE_TP_CRL_OPT_FLAGS;

enum {

    // require CRL verification for each cert; default is "try"

    CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT = 0x00000001,

    // enable fetch from network

    CSSM_TP_ACTION_FETCH_CRL_FROM_NET  = 0x00000002

};

typedef struct {

    // CSSM_APPLE_TP_CRL_OPTS_VERSION

    uint32                              Version

    CSSM_APPLE_TP_CRL_OPT_FLAGS         CrlFlags;

/*

    * When non-NULL, store CRLs fetched from net here.

    * This is most likely a pointer to one of the

    * CSSM_TP_CALLERAUTH_CONTEXT.DBList entries but that

    * is not a strict requirement.

*/

    CSSM_DL_DB_HANDLE_PTR               crlStore;

} CSSM_APPLE_TP_CRL_OPTIONS;

When the CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT flag is set, a certificate is not valid unless every certificate in the certificate chain has been successfully verified using a certificate revocation list. This check is in addition to any other certificate-specific or policy-specific checks required for validation. When this flag is not set, CRLs are evaluated if they are available, but it is not an error if the trust policy module cannot find a CRL. In either case, the certificate is not considered valid if a CRL is found that indicates that any certificate in the certificate chain has been revoked.

Evaluating Multiple Policies

If multiple policies are specified, they are evaluated sequentially. In this case, the VerificationAbortOn field of the CSSM_TP_CALLERAUTH_CONTEXT structure specifies when to abort the verification process (see the “Trust Policy Services API” chapter in Common Security: CDSA and CSSM, version 2 (with corrigenda) from The Open Group (http://www.opengroup.org/security/cdsa.htm)). The AppleX509TP CDSA module supports the following values for the VerificationAbortOn field:

CSSM_TP_STOP_ON_NONE; continue to subsequent policies if one policy evaluation fails
CSSM_TP_STOP_ON_FIRST_FAIL; stop immediately if a policy evaluation fails
CSSM_TP_STOP_ON_POLICY; treated as the same as CSSM_TP_STOP_ON_FIRST_FAIL

< Previous PageNext Page >

Hide TOC

Did this document help you?
Yes: Tell us what works for you. It’s good, but: Report typos, inaccuracies, and so forth. It wasn’t helpful: Tell us what would have helped.