1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
//! Security Policies support.
use core_foundation::base::CFOptionFlags;
use core_foundation::base::TCFType;
use core_foundation::string::CFString;
use security_framework_sys::base::errSecParam;
use security_framework_sys::base::SecPolicyRef;
use security_framework_sys::policy::*;
use std::fmt;
use std::ptr;

use crate::secure_transport::SslProtocolSide;
use crate::Error;

declare_TCFType! {
    /// A type representing a certificate validation policy.
    SecPolicy, SecPolicyRef
}
impl_TCFType!(SecPolicy, SecPolicyRef, SecPolicyGetTypeID);

unsafe impl Sync for SecPolicy {}
unsafe impl Send for SecPolicy {}

impl fmt::Debug for SecPolicy {
    #[cold]
    fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt.debug_struct("SecPolicy").finish()
    }
}

bitflags::bitflags! {
    /// The flags used to specify revocation policy options.
    #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
    pub struct RevocationPolicy: CFOptionFlags {
        /// Perform revocation checking using OCSP (Online Certificate Status Protocol).
        const OCSP_METHOD = kSecRevocationOCSPMethod;
        /// Perform revocation checking using the CRL (Certification Revocation List) method.
        const CRL_METHOD = kSecRevocationCRLMethod;
        /// Prefer CRL revocation checking over OCSP; by default, OCSP is preferred.
        const PREFER_CRL = kSecRevocationPreferCRL;
        /// Require a positive response to pass the policy.
        const REQUIRE_POSITIVE_RESPONSE = kSecRevocationRequirePositiveResponse;
        /// Consult only locally cached replies; do not use network access.
        const NETWORK_ACCESS_DISABLED = kSecRevocationNetworkAccessDisabled;
        /// Perform either OCSP or CRL checking.
        const USE_ANY_METHOD_AVAILABLE = kSecRevocationUseAnyAvailableMethod;
    }
}

impl SecPolicy {
    /// Creates a `SecPolicy` for evaluating SSL certificate chains.
    ///
    /// The side which you are evaluating should be provided (i.e. pass `SslSslProtocolSide::SERVER` if
    /// you are a client looking to validate a server's certificate chain).
    pub fn create_ssl(protocol_side: SslProtocolSide, hostname: Option<&str>) -> Self {
        let hostname = hostname.map(CFString::new);
        let hostname = hostname
            .as_ref()
            .map(|s| s.as_concrete_TypeRef())
            .unwrap_or(ptr::null_mut());
        let is_server = protocol_side == SslProtocolSide::SERVER;
        unsafe {
            let policy = SecPolicyCreateSSL(is_server as _, hostname);
            Self::wrap_under_create_rule(policy)
        }
    }

    /// Creates a `SecPolicy` for checking revocation of certificates.
    ///
    /// If you do not specify this policy creating a `SecTrust` object, the system defaults
    /// will be used during evaluation.
    pub fn create_revocation(options: RevocationPolicy) -> crate::Result<Self> {
        let policy = unsafe { SecPolicyCreateRevocation(options.bits()) };

        if policy.is_null() {
            Err(Error::from_code(errSecParam))
        } else {
            Ok(unsafe { Self::wrap_under_create_rule(policy) })
        }
    }

    /// Returns a policy object for the default X.509 policy.
    #[must_use]
    pub fn create_x509() -> Self {
        unsafe {
            let policy = SecPolicyCreateBasicX509();
            Self::wrap_under_create_rule(policy)
        }
    }
}

#[cfg(test)]
mod test {
    use crate::policy::SecPolicy;
    use crate::secure_transport::SslProtocolSide;

    #[test]
    fn create_ssl() {
        SecPolicy::create_ssl(SslProtocolSide::SERVER, Some("certifi.org"));
    }
}