+ added GPCStrings to implicitunits so it gets cleaned/installed

  * merged:

r328 | jonas | 2010-09-17 15:16:21 +0200 (Fri, 17 Sep 2010) | 3 lines
Changed paths:
   M /trunk/MPPInterfaces/SecTrust.pas

  - {$align power}
  + translation credit

...
r327 | jonas | 2010-09-17 15:09:54 +0200 (Fri, 17 Sep 2010) | 2 lines
Changed paths:
   M /trunk/MPPInterfaces/cssmapple.pas

  - removed superfluous MW/GPC macro definitions from the implemenation

...
r326 | jonas | 2010-09-17 00:14:28 +0200 (Fri, 17 Sep 2010) | 6 lines
Changed paths:
   M /trunk/MPPInterfaces/MacTypes.pas
   A /trunk/MPPInterfaces/SecTrust.pas
   A /trunk/MPPInterfaces/certextensions.pas
   A /trunk/MPPInterfaces/cssmapple.pas
   A /trunk/MPPInterfaces/cssmconfig.pas
   A /trunk/MPPInterfaces/cssmerr.pas
   A /trunk/MPPInterfaces/cssmkrapi.pas
   A /trunk/MPPInterfaces/cssmtype.pas
   A /trunk/MPPInterfaces/x509defs.pas
   M /trunk/Scripts/Convert.pl

  + a bunch of Security.Framework headers, required by new Cocoa header
    translations
  + added a number of NULL-macros appearing in those headers to convert.pl
  + added UInt32_fix type to MacTypes because one of those headers contains
    a field with the name "Uint32" whose type is also UInt32.

...
r325 | jonas | 2010-09-17 00:10:14 +0200 (Fri, 17 Sep 2010) | 2 lines
Changed paths:
   M /trunk/MPPInterfaces/ColorSyncDeprecated.pas

  * added (hopefully correct) setting for packrecords C for GPC
...
r324 | jonas | 2010-09-17 00:05:41 +0200 (Fri, 17 Sep 2010) | 2 lines
Changed paths:
   M /trunk/MPPInterfaces/CFStringTokenizer.pas

  * fixed compilation with GPC

...
r323 | jonas | 2010-09-09 20:31:47 +0200 (Thu, 09 Sep 2010) | 2 lines
Changed paths:
   A /trunk/MPPInterfaces/CFStringTokenizer.pas

  + translation of CoreFoundation/CFStringTokenizer.h

git-svn-id: trunk@16002 -

.gitattributes

@@ -5723,6 +5723,7 @@ packages/univint/src/ScalerStreamTypes.pas svneol=native#text/plain
 packages/univint/src/Scrap.pas svneol=native#text/plain
 packages/univint/src/Script.pas svneol=native#text/plain
 packages/univint/src/SecBase.pas svneol=native#text/plain
+packages/univint/src/SecTrust.pas svneol=native#text/plain
 packages/univint/src/Sound.pas svneol=native#text/plain
 packages/univint/src/SpeechRecognition.pas svneol=native#text/plain
 packages/univint/src/SpeechSynthesis.pas svneol=native#text/plain
@@ -5756,6 +5757,12 @@ packages/univint/src/WSMethodInvocation.pas svneol=native#text/plain
 packages/univint/src/WSProtocolHandler.pas svneol=native#text/plain
 packages/univint/src/WSTypes.pas svneol=native#text/plain
 packages/univint/src/cblas.pas svneol=native#text/plain
+packages/univint/src/certextensions.pas svneol=native#text/plain
+packages/univint/src/cssmapple.pas svneol=native#text/plain
+packages/univint/src/cssmconfig.pas svneol=native#text/plain
+packages/univint/src/cssmerr.pas svneol=native#text/plain
+packages/univint/src/cssmkrapi.pas svneol=native#text/plain
+packages/univint/src/cssmtype.pas svneol=native#text/plain
 packages/univint/src/fenv.pas svneol=native#text/plain
 packages/univint/src/fp.pas svneol=native#text/plain
 packages/univint/src/gliContexts.pas svneol=native#text/plain
@@ -5766,6 +5773,7 @@ packages/univint/src/macglext.pas svneol=native#text/plain
 packages/univint/src/macglu.pas svneol=native#text/plain
 packages/univint/src/vBLAS.pas svneol=native#text/plain
 packages/univint/src/vDSP.pas svneol=native#text/plain
+packages/univint/src/x509defs.pas svneol=native#text/plain
 packages/univint/src/xattr.pas svneol=native#text/plain
 packages/unixutil/Makefile svneol=native#text/plain
 packages/unixutil/Makefile.fpc svneol=native#text/plain

packages/univint/Makefile.fpc

@@ -8,7 +8,7 @@ version=2.5.1
 
 [target]
 units=MacOSAll MacOS
-implicitunits=  ABActions ABAddressBook ABGlobals ABPeoplePicker ABTypedefs AEDataModel \
+implicitunits=ABActions ABAddressBook ABGlobals ABPeoplePicker ABTypedefs AEDataModel \
   AEHelpers AEInteraction AEMach AEObjects AEPackObject AERegistry \
   AEUserTermTypes AIFF ASDebugging ASRegistry ATSFont ATSLayoutTypes \
   ATSTypes ATSUnicodeDirectAccess ATSUnicodeDrawing ATSUnicodeFlattening \
@@ -54,6 +54,7 @@ implicitunits=  ABActions ABAddressBook ABGlobals ABPeoplePicker ABTypedefs AEDa
   DigitalHubRegistry Displays Drag DrawSprocket DriverServices \
   DriverSynchronization Endian Events FSEvents FileTypesAndCreators Files \
   Finder FinderRegistry FixMath Folders FontPanel FontSync Fonts GestaltEqu \
+  GPCStrings \
   HFSVolumes HIAccessibility HIArchive HIButtonViews HIClockView HIComboBox \
   HIContainerViews HIDataBrowser HIDisclosureViews HIGeometry HIImageViews \
   HILittleArrows HIMenuView HIMovieView HIObject HIPopupButton \
@@ -85,15 +86,17 @@ implicitunits=  ABActions ABAddressBook ABGlobals ABPeoplePicker ABTypedefs AEDa
   SCDynamicStoreKey SCNetwork SCNetworkConfiguration SCNetworkConnection \
   SCNetworkReachability SCPreferences SCPreferencesPath \
   SCPreferencesSetSpecific SCSI SCSchemaDefinitions SFNTLayoutTypes \
-  SFNTTypes ScalerStreamTypes Scrap Script SecBase Sound SpeechRecognition \
+  SFNTTypes ScalerStreamTypes Scrap Script SecBase SecTrust Sound \
+  SpeechRecognition \
   SpeechSynthesis StringCompare SystemConfiguration SystemSound TSMTE \
   TextCommon TextEdit TextEncodingConverter TextEncodingPlugin \
   TextInputSources TextServices TextUtils Threads Timer ToolUtils \
   Translation TranslationExtensions TranslationServices TypeSelect \
   URLAccess UTCUtils UTCoreTypes UTType UnicodeConverter UnicodeUtilities \
   UniversalAccess Video WSMethodInvocation WSProtocolHandler WSTypes cblas \
+  certextensions cssmapple cssmconfig cssmerr cssmkrapi cssmtype \
   fenv fp gliContexts gliDispatch gluContext macgl macglext macglu vBLAS \
-  vDSP xattr   
+  vDSP x509defs xattr 
 exampledirs=examples
 
 [libs]

packages/univint/src/CFStringTokenizer.pas

@@ -250,10 +250,10 @@ const
 	}	
     { Latin Transcription. Used with kCFStringTokenizerUnitWord or
         kCFStringTokenizerUnitWordBoundary }
-	kCFStringTokenizerAttributeLatinTranscription = 1 << 16;
+	kCFStringTokenizerAttributeLatinTranscription = 1 shl 16;
     { Language in BCP 47 string. Used with kCFStringTokenizerUnitSentence
 	   or kCFStringTokenizerUnitParagraph. }
-	kCFStringTokenizerAttributeLanguage = 1 << 17;
+	kCFStringTokenizerAttributeLanguage = 1 shl 17;
 
 {!
 	Token type
@@ -265,23 +265,23 @@ const
 	kCFStringTokenizerTokenNone = 0;
     
 	{ Normal token }
-	kCFStringTokenizerTokenNormal = 1 << 0;
+	kCFStringTokenizerTokenNormal = 1 shl 0;
     
 	{!
     Compound token which may contain subtokens but with no derived subtokens.
     Its subtokens can be obtained by calling CFStringTokenizerGetCurrentSubTokens.
     }
-	kCFStringTokenizerTokenHasSubTokensMask = 1 << 1;
+	kCFStringTokenizerTokenHasSubTokensMask = 1 shl 1;
     
 	{!
     Compound token which may contain derived subtokens. 
     Its subtokens and derived subtokens can be obtained by calling
     CFStringTokenizerGetCurrentSubTokens.
     }
-	kCFStringTokenizerTokenHasDerivedSubTokensMask = 1 << 2;
-	kCFStringTokenizerTokenHasHasNumbersMask = 1 << 3;
-	kCFStringTokenizerTokenHasNonLettersMask = 1 << 4;
-	kCFStringTokenizerTokenIsCJWordMask = 1 << 5;
+	kCFStringTokenizerTokenHasDerivedSubTokensMask = 1 shl 2;
+	kCFStringTokenizerTokenHasHasNumbersMask = 1 shl 3;
+	kCFStringTokenizerTokenHasNonLettersMask = 1 shl 4;
+	kCFStringTokenizerTokenIsCJWordMask = 1 shl 5;
 type
 	CFStringTokenizerTokenType = CFOptionFlags;
 

packages/univint/src/MacOS.pas

@@ -399,6 +399,7 @@ uses
   Scrap,
   Script,
   SecBase,
+  SecTrust,
   Sound,
   SpeechRecognition,
   SpeechSynthesis,
@@ -432,6 +433,12 @@ uses
   WSProtocolHandler,
   WSTypes,
   cblas,
+  certextensions,
+  cssmapple,
+  cssmconfig,
+  cssmerr,
+  cssmkrapi,
+  cssmtype,
   fenv,
   fp,
   gliContexts,
@@ -442,6 +449,7 @@ uses
   macglu,
   vBLAS,
   vDSP,
+  x509defs,
   xattr,
   GPCStrings;
 

packages/univint/src/MacOSAll.pas

@@ -218,6 +218,12 @@ interface
 {$i UnicodeConverter.pas}
 {unit cblas}
 {$i cblas.pas}
+{unit cssmconfig}
+{$i cssmconfig.pas}
+{unit cssmerr}
+{$i cssmerr.pas}
+{unit cssmtype}
+{$i cssmtype.pas}
 {unit fenv}
 {$i fenv.pas}
 {unit fp}
@@ -234,6 +240,8 @@ interface
 {$i vBLAS.pas}
 {unit vDSP}
 {$i vDSP.pas}
+{unit x509defs}
+{$i x509defs.pas}
 {unit xattr}
 {$i xattr.pas}
 {unit ABTypedefs}
@@ -450,6 +458,12 @@ interface
 {$i Video.pas}
 {unit WSTypes}
 {$i WSTypes.pas}
+{unit certextensions}
+{$i certextensions.pas}
+{unit cssmapple}
+{$i cssmapple.pas}
+{unit cssmkrapi}
+{$i cssmkrapi.pas}
 {unit gliDispatch}
 {$i gliDispatch.pas}
 {unit gluContext}
@@ -540,6 +554,8 @@ interface
 {$i QDOffscreen.pas}
 {unit Scrap}
 {$i Scrap.pas}
+{unit SecTrust}
+{$i SecTrust.pas}
 {unit TypeSelect}
 {$i TypeSelect.pas}
 {unit ABAddressBook}
@@ -1051,6 +1067,33 @@ procedure DisposeRoutineDescriptor( theUPP: UniversalProcPtr ); inline;
 begin
 end;
 
+{implementation of unit cssmerr}
+
+{$ifc TARGET_OS_MAC}
+
+
+function CSSM_ERRCODE(arg: UInt32): UInt32; inline;
+begin
+  CSSM_ERRCODE:=(arg - CSSM_BASE_ERROR) and (CSSM_ERRORCODE_MODULE_EXTENT - 1)
+end;
+
+function CSSM_ERRBASE(arg: UInt32): UInt32; inline;
+begin
+  CSSM_ERRBASE:=((arg - CSSM_BASE_ERROR) and not(CSSM_ERRORCODE_MODULE_EXTENT - 1)) + CSSM_BASE_ERROR
+end;
+
+function CSSM_ERR_IS_CONVERTIBLE(arg: UInt32): Boolean; inline;
+begin
+  CSSM_ERR_IS_CONVERTIBLE:=CSSM_ERRCODE(arg) < CSSM_ERRORCODE_COMMON_EXTENT
+end;
+
+function CSSM_ERR_TAG(code, base: UInt32): UInt32; inline;
+begin
+  CSSM_ERR_TAG:=CSSM_ERRCODE(code) + base
+end;
+
+{$endc} {TARGET_OS_MAC}
+
 {implementation of unit CFByteOrders}
 
 
@@ -1709,6 +1752,31 @@ begin
 end;
 
 
+{$endc} {TARGET_OS_MAC}
+
+{implementation of unit cssmapple}
+
+{$ifc TARGET_OS_MAC}
+
+
+
+function CSSM_ACL_AUTHORIZATION_PREAUTH(slot: UInt32): UInt32; inline;
+begin
+  CSSM_ACL_AUTHORIZATION_PREAUTH:=CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + slot
+end;
+
+function CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth: UInt32): UInt32; inline;
+begin
+  CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT:=auth - CSSM_ACL_AUTHORIZATION_PREAUTH_BASE
+end;
+
+function CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth: UInt32): Boolean; inline;
+begin
+  CSSM_ACL_AUTHORIZATION_IS_PREAUTH:=
+    (auth >= CSSM_ACL_AUTHORIZATION_PREAUTH_BASE) and
+    (auth < CSSM_ACL_AUTHORIZATION_PREAUTH_END)
+end;
+
 {$endc} {TARGET_OS_MAC}
 
 {implementation of unit CFString}

packages/univint/src/MacTypes.pas

@@ -214,6 +214,7 @@ type
     SIGNEDBYTE = SInt8;
     UNSIGNEDWORD = UInt16;
     SIGNEDWORD = SInt16;
+    UInt32_fix = UInt32;
 
 type
 {$ifc TARGET_CPU_64}
@@ -223,7 +224,8 @@ type
     UNSIGNEDLONG = UInt32;
     SIGNEDLONG = SInt32;
 {$endc}
-
+    MacPtrUInt = UNSIGNEDLONG;
+    MacPtrSInt = SIGNEDLONG;
 
 
 {$ifc TARGET_RT_BIG_ENDIAN}

packages/univint/src/SecTrust.pas

@@ -0,0 +1,435 @@
+{
+ * Copyright (c) 2002-2009 Apple Inc. All Rights Reserved.
+ * 
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ }
+{       Pascal Translation Updated:  Jonas Maebe, <[email protected]>, September 2010 }
+{
+    Modified for use with Free Pascal
+    Version 308
+    Please report any bugs to <[email protected]>
+}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+{$mode macpas}
+{$packenum 1}
+{$macro on}
+{$inline on}
+{$calling mwpascal}
+
+unit SecTrust;
+interface
+{$setc UNIVERSAL_INTERFACES_VERSION := $0400}
+{$setc GAP_INTERFACES_VERSION := $0308}
+
+{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
+    {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
+{$endc}
+
+{$ifc defined CPUPOWERPC and defined CPUI386}
+	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
+{$endc}
+{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
+	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
+{$endc}
+
+{$ifc not defined __ppc__ and defined CPUPOWERPC32}
+	{$setc __ppc__ := 1}
+{$elsec}
+	{$setc __ppc__ := 0}
+{$endc}
+{$ifc not defined __ppc64__ and defined CPUPOWERPC64}
+	{$setc __ppc64__ := 1}
+{$elsec}
+	{$setc __ppc64__ := 0}
+{$endc}
+{$ifc not defined __i386__ and defined CPUI386}
+	{$setc __i386__ := 1}
+{$elsec}
+	{$setc __i386__ := 0}
+{$endc}
+{$ifc not defined __x86_64__ and defined CPUX86_64}
+	{$setc __x86_64__ := 1}
+{$elsec}
+	{$setc __x86_64__ := 0}
+{$endc}
+{$ifc not defined __arm__ and defined CPUARM}
+	{$setc __arm__ := 1}
+{$elsec}
+	{$setc __arm__ := 0}
+{$endc}
+
+{$ifc defined cpu64}
+  {$setc __LP64__ := 1}
+{$elsec}
+  {$setc __LP64__ := 0}
+{$endc}
+
+
+{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
+	{$error Conflicting definitions for __ppc__ and __i386__}
+{$endc}
+
+{$ifc defined __ppc__ and __ppc__}
+	{$setc TARGET_CPU_PPC := TRUE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __ppc64__ and __ppc64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := TRUE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __i386__ and __i386__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := TRUE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+{$ifc defined(iphonesim)}
+ 	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
+{$elsec}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$endc}
+{$elifc defined __x86_64__ and __x86_64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := TRUE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __arm__ and __arm__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := TRUE}
+	{ will require compiler define when/if other Apple devices with ARM cpus ship }
+	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elsec}
+	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ is defined.}
+{$endc}
+
+{$ifc defined __LP64__ and __LP64__ }
+  {$setc TARGET_CPU_64 := TRUE}
+{$elsec}
+  {$setc TARGET_CPU_64 := FALSE}
+{$endc}
+
+{$ifc defined FPC_BIG_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
+{$elifc defined FPC_LITTLE_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
+{$elsec}
+	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
+{$endc}
+{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
+{$setc CALL_NOT_IN_CARBON := FALSE}
+{$setc OLDROUTINENAMES := FALSE}
+{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
+{$setc OPAQUE_UPP_TYPES := TRUE}
+{$setc OTCARBONAPPLICATION := TRUE}
+{$setc OTKERNEL := FALSE}
+{$setc PM_USE_SESSION_APIS := TRUE}
+{$setc TARGET_API_MAC_CARBON := TRUE}
+{$setc TARGET_API_MAC_OS8 := FALSE}
+{$setc TARGET_API_MAC_OSX := TRUE}
+{$setc TARGET_CARBON := TRUE}
+{$setc TARGET_CPU_68K := FALSE}
+{$setc TARGET_CPU_MIPS := FALSE}
+{$setc TARGET_CPU_SPARC := FALSE}
+{$setc TARGET_OS_UNIX := FALSE}
+{$setc TARGET_OS_WIN32 := FALSE}
+{$setc TARGET_RT_MAC_68881 := FALSE}
+{$setc TARGET_RT_MAC_CFM := FALSE}
+{$setc TARGET_RT_MAC_MACHO := TRUE}
+{$setc TYPED_FUNCTION_POINTERS := TRUE}
+{$setc TYPE_BOOL := FALSE}
+{$setc TYPE_EXTENDED := FALSE}
+{$setc TYPE_LONGLONG := TRUE}
+uses MacTypes,SecBase,cssmtype,cssmapple,CFBase,CFArray,CFData,CFDate;
+{$endc} {not MACOSALLINCLUDE}
+
+
+
+{!
+	@header SecTrust
+	The functions and data types in SecTrust implement trust computation and allow the user to apply trust decisions to the trust configuration.
+}
+
+
+{!
+	@typedef SecTrustResultType
+	@abstract Specifies the trust result type.
+	@constant kSecTrustResultInvalid Indicates an invalid setting or result.
+	@constant kSecTrustResultProceed Indicates you may proceed.  This value may be returned by the SecTrustEvaluate function or stored as part of the user trust settings. 
+	@constant kSecTrustResultConfirm Indicates confirmation with the user is required before proceeding.  This value may be returned by the SecTrustEvaluate function or stored as part of the user trust settings. 
+	@constant kSecTrustResultDeny Indicates a user-configured deny; do not proceed. This value may be returned by the SecTrustEvaluate function or stored as part of the user trust settings. 
+	@constant kSecTrustResultUnspecified Indicates user intent is unknown. This value may be returned by the SecTrustEvaluate function or stored as part of the user trust settings. 
+	@constant kSecTrustResultRecoverableTrustFailure Indicates a trust framework failure; retry after fixing inputs. This value may be returned by the SecTrustEvaluate function but not stored as part of the user trust settings. 
+	@constant kSecTrustResultFatalTrustFailure Indicates a trust framework failure; no "easy" fix. This value may be returned by the SecTrustEvaluate function but not stored as part of the user trust settings.
+	@constant kSecTrustResultOtherError Indicates a failure other than that of trust evaluation. This value may be returned by the SecTrustEvaluate function but not stored as part of the user trust settings.
+ }
+type
+	SecTrustResultType = UInt32;
+
+const
+	kSecTrustResultInvalid = 0;
+	kSecTrustResultProceed = 1;
+	kSecTrustResultConfirm = 2;
+	kSecTrustResultDeny = 3;
+	kSecTrustResultUnspecified = 4;
+	kSecTrustResultRecoverableTrustFailure = 5;
+	kSecTrustResultFatalTrustFailure = 6;
+	kSecTrustResultOtherError = 7;
+
+{!
+	@typedef SecTrustUserSetting
+	@abstract Specifies user-specified trust settings.
+}
+type
+	SecTrustUserSetting = SecTrustResultType;
+
+{!
+	@typedef SecTrustRef
+	@abstract A pointer to an opaque trust management structure.
+}
+type
+	SecTrustRef = ^OpaqueSecTrustRef; { an opaque type }
+	{ already defined in SecBase 
+	OpaqueSecTrustRef = record end; }
+
+{!
+	@function SecTrustGetTypeID
+	@abstract Returns the type identifier of SecTrust instances.
+	@result The CFTypeID of SecTrust instances.
+}
+function SecTrustGetTypeID: CFTypeID; external name '_SecTrustGetTypeID';
+
+{!
+	@function SecTrustCreateWithCertificates
+	@abstract Creates a trust based on the given certificates and policies.
+    @param certificates The group of certificates to verify.
+    @param policies An array of one or more policies. You may pass a SecPolicyRef to represent a single policy.
+	@param trustRef On return, a pointer to the trust management reference.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+}
+function SecTrustCreateWithCertificates( certificates: CFArrayRef; policies: CFTypeRef; var trustRef: SecTrustRef ): OSStatus; external name '_SecTrustCreateWithCertificates';
+
+{!
+    @function SecTrustSetPolicies
+    @abstract Set (replace) the set of policies to evaluate.
+    @param trust The reference to the trust to change.
+    @param policies An array of one or more policies. A single SecPolicyRef may also be passed, representing an array of one policy.
+    @result A result code. See "Security Error Codes" (SecBase.h).
+}    
+function SecTrustSetPolicies( trust: SecTrustRef; policies: CFTypeRef ): OSStatus; external name '_SecTrustSetPolicies';
+
+{!
+	@function SecTrustSetParameters
+	@abstract Sets the action and action data for a trust.
+	@param trustRef The reference to the trust to change.
+	@param action A CSSM trust action.
+	@param actionData A reference to action data.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+ }
+function SecTrustSetParameters( trustRef: SecTrustRef; action: CSSM_TP_ACTION; actionData: CFDataRef ): OSStatus; external name '_SecTrustSetParameters';
+
+{!
+	@function SecTrustSetAnchorCertificates
+	@abstract Sets the anchor certificates for a given trust.
+	@param trust A reference to a trust.
+	@param anchorCertificates An array of anchor certificates.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+}
+function SecTrustSetAnchorCertificates( trust: SecTrustRef; anchorCertificates: CFArrayRef ): OSStatus; external name '_SecTrustSetAnchorCertificates';
+
+{!
+	@function SecTrustSetAnchorCertificatesOnly
+	@abstract Reenables trusting anchor certificates in addition to those passed in
+    via the SecTrustSetAnchorCertificates API.
+	@param trust A reference to a trust object.
+	@param anchorCertificatesOnly If true, disables trusting any anchors other
+    than the ones passed in via SecTrustSetAnchorCertificates().  If false,
+    the built in anchor certificates are also trusted.
+	@result A result code.  See "Security Error Codes" (SecBase.h).
+}
+function SecTrustSetAnchorCertificatesOnly( trust: SecTrustRef; anchorCertificatesOnly: Boolean ): OSStatus; external name '_SecTrustSetAnchorCertificatesOnly';
+
+{!
+	@function SecTrustSetKeychains
+	@abstract Sets the keychains for a given trust.
+	@param trust A reference to a trust.
+    @param keychainOrArray A reference to an array of keychains to search, a single keychain or NULL to search the user's default keychain search list.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+}
+function SecTrustSetKeychains( trust: SecTrustRef; keychainOrArray: CFTypeRef ): OSStatus; external name '_SecTrustSetKeychains';
+
+{!
+	@function SecTrustSetVerifyDate
+	@abstract Specifies the date for verification of a given trust.
+	@param trust A reference to the trust to verify.
+	@param verifyDate The date to verify.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+}
+function SecTrustSetVerifyDate( trust: SecTrustRef; verifyDate: CFDateRef ): OSStatus; external name '_SecTrustSetVerifyDate';
+
+{!
+	@function SecTrustGetVerifyTime
+	@abstract Returns the verify time.
+	@param trust A reference to the trust object to verify.
+	@result A CFAbsoluteTime value representing the time at which certificates
+	should be checked for validity.
+}
+function SecTrustGetVerifyTime( trust: SecTrustRef ): CFAbsoluteTime; external name '_SecTrustGetVerifyTime';
+
+{!
+	@function SecTrustEvaluate
+	@abstract Evaluates a trust.
+	@param trust A reference to the trust to evaluate.
+	@param result A pointer to a result type.
+	@result A result code. See "Security Error Codes" (SecBase.h).	
+}
+function SecTrustEvaluate( trust: SecTrustRef; var result: SecTrustResultType ): OSStatus; external name '_SecTrustEvaluate';
+
+{!
+	@function SecTrustGetResult
+	@abstract Returns detail information on the outcome of a call to SecTrustEvaluate.
+	@param trustRef A reference to a trust.
+	@param result A pointer to the result from the call to SecTrustEvaluate.
+	@param certChain On return, a pointer to the certificate chain used to validate the input certificate. Call the CFRelease function to release this pointer.
+	@param statusChain On return, a pointer to the status of the certificate chain. Do not attempt to free this pointer; it remains valid until the trust is destroyed or the next call to SecTrustEvaluate.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+}
+function SecTrustGetResult( trustRef: SecTrustRef; var result: SecTrustResultType; var certChain: CFArrayRef; statusChain: CSSM_TP_APPLE_EVIDENCE_INFOArrayPtr): OSStatus; external name '_SecTrustGetResult';
+
+{!
+	@function SecTrustGetCssmResult
+	@abstract Gets the CSSM trust result.
+	@param trust A reference to a trust.
+	@param result On return, a pointer to the CSSM trust result.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+}
+function SecTrustGetCssmResult( trust: SecTrustRef; var result: CSSM_TP_VERIFY_CONTEXT_RESULT_PTR ): OSStatus; external name '_SecTrustGetCssmResult';
+
+{!
+	@function SecTrustGetCssmResultCode
+	@abstract Gets the result code from the most recent call to SecTrustEvaluate for the specified trust.
+	@param trust A reference to a trust.
+	@param resultCode On return, the result code produced by the most recent evaluation of the given trust (cssmerr.h). The value of resultCode is undefined if SecTrustEvaluate has not been called.
+	@result A result code. See "Security Error Codes" (SecBase.h). Returns errSecTrustNotAvailable if SecTrustEvaluate has not been called for the specified trust.
+}
+function SecTrustGetCssmResultCode( trust: SecTrustRef; var resultCode: OSStatus ): OSStatus; external name '_SecTrustGetCssmResultCode';
+
+{!
+	@function SecTrustGetTPHandle
+	@abstract Gets the CSSM trust handle
+	@param trust A reference to a trust.
+	@param handle On return, a CSSM trust handle.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+}
+function SecTrustGetTPHandle( trust: SecTrustRef; var handle: CSSM_TP_HANDLE ): OSStatus; external name '_SecTrustGetTPHandle';
+
+{!
+    @function SecTrustCopyPolicies
+    @abstract Returns an array of policies used by a given trust.
+    @param trust  A reference to a trust.
+    @param policies On return, an array of policies used by this trust. Call the CFRelease function to release this reference.
+    @result A result code. See "Security Error Codes" (SecBase.h).
+}    
+function SecTrustCopyPolicies( trust: SecTrustRef; var policies: CFArrayRef ): OSStatus; external name '_SecTrustCopyPolicies';
+
+{!
+    @function SecTrustCopyCustomAnchorCertificates
+    @abstract Returns an array of custom anchor certificates used by a given trust, as set by a prior call to SecTrustSetAnchorCertificates, or NULL if no custom anchors have been specified.
+    @param trust  A reference to a trust.
+    @param anchors On return, an array of custom anchor certificates (roots) used by this trust, or NULL if no custom anchors have been specified. Call the CFRelease function to release this reference.
+    @result A result code. See "Security Error Codes" (SecBase.h).
+	@availability Mac OS X version 10.5.
+}    
+function SecTrustCopyCustomAnchorCertificates( trust: SecTrustRef; var anchors: CFArrayRef ): OSStatus; external name '_SecTrustCopyCustomAnchorCertificates';
+
+{!
+    @function SecTrustCopyAnchorCertificates
+    @abstract Returns an array of default anchor (root) certificates used by the system.
+    @param anchors On return, an array containing the system's default anchors (roots). Call the CFRelease function to release this pointer.
+    @result A result code. See "Security Error Codes" (SecBase.h).
+}
+function SecTrustCopyAnchorCertificates( var anchors: CFArrayRef ): OSStatus; external name '_SecTrustCopyAnchorCertificates';
+
+{!
+	@function SecTrustGetCSSMAnchorCertificates
+	@abstract Retrieves the CSSM anchor certificates.
+	@param cssmAnchors A pointer to an array of anchor certificates.
+	@param cssmAnchorCount A pointer to the number of certificates in anchors.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+	@availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5.
+}
+function SecTrustGetCSSMAnchorCertificates( {const} cssmAnchors: CSSM_DATAArrayPtr; var cssmAnchorCount: UInt32 ): OSStatus; external name '_SecTrustGetCSSMAnchorCertificates';
+(* DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER *)
+
+{!
+	@function SecTrustGetUserTrust
+	@abstract Gets the user-specified trust settings of a certificate and policy.
+	@param certificate A reference to a certificate.
+	@param policy A reference to a policy.
+	@param trustSetting On return, a pointer to the user specified trust settings.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+	@availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5.
+}
+function SecTrustGetUserTrust( certificate: SecCertificateRef; policy: SecPolicyRef; var trustSetting: SecTrustUserSetting ): OSStatus; external name '_SecTrustGetUserTrust';
+(* DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER *)
+
+{!
+	@function SecTrustSetUserTrust
+	@abstract Sets the user-specified trust settings of a certificate and policy.
+	@param certificate A reference to a certificate.
+	@param policy A reference to a policy.
+	@param trustSetting The user-specified trust settings.
+	@result A result code. See "Security Error Codes" (SecBase.h).
+	@availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5.
+	@discussion as of Mac OS version 10.5, this will result in a call to 
+	 SecTrustSettingsSetTrustSettings(). 
+}
+function SecTrustSetUserTrust( certificate: SecCertificateRef; policy: SecPolicyRef; trustSetting: SecTrustUserSetting ): OSStatus; external name '_SecTrustSetUserTrust';
+(* DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER *)
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+
+end.
+{$endc} {not MACOSALLINCLUDE}

packages/univint/src/certextensions.pas

@@ -0,0 +1,800 @@
+{
+ * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * 
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * CertExtensions.h -- X.509 Cert Extensions as C structs
+ }
+{       Pascal Translation Updated:  Jonas Maebe, <[email protected]>, September 2010 }
+{
+    Modified for use with Free Pascal
+    Version 308
+    Please report any bugs to <[email protected]>
+}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+{$mode macpas}
+{$packenum 1}
+{$macro on}
+{$inline on}
+{$calling mwpascal}
+
+unit certextensions;
+interface
+{$setc UNIVERSAL_INTERFACES_VERSION := $0400}
+{$setc GAP_INTERFACES_VERSION := $0308}
+
+{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
+    {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
+{$endc}
+
+{$ifc defined CPUPOWERPC and defined CPUI386}
+	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
+{$endc}
+{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
+	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
+{$endc}
+
+{$ifc not defined __ppc__ and defined CPUPOWERPC32}
+	{$setc __ppc__ := 1}
+{$elsec}
+	{$setc __ppc__ := 0}
+{$endc}
+{$ifc not defined __ppc64__ and defined CPUPOWERPC64}
+	{$setc __ppc64__ := 1}
+{$elsec}
+	{$setc __ppc64__ := 0}
+{$endc}
+{$ifc not defined __i386__ and defined CPUI386}
+	{$setc __i386__ := 1}
+{$elsec}
+	{$setc __i386__ := 0}
+{$endc}
+{$ifc not defined __x86_64__ and defined CPUX86_64}
+	{$setc __x86_64__ := 1}
+{$elsec}
+	{$setc __x86_64__ := 0}
+{$endc}
+{$ifc not defined __arm__ and defined CPUARM}
+	{$setc __arm__ := 1}
+{$elsec}
+	{$setc __arm__ := 0}
+{$endc}
+
+{$ifc defined cpu64}
+  {$setc __LP64__ := 1}
+{$elsec}
+  {$setc __LP64__ := 0}
+{$endc}
+
+
+{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
+	{$error Conflicting definitions for __ppc__ and __i386__}
+{$endc}
+
+{$ifc defined __ppc__ and __ppc__}
+	{$setc TARGET_CPU_PPC := TRUE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __ppc64__ and __ppc64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := TRUE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __i386__ and __i386__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := TRUE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+{$ifc defined(iphonesim)}
+ 	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
+{$elsec}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$endc}
+{$elifc defined __x86_64__ and __x86_64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := TRUE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __arm__ and __arm__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := TRUE}
+	{ will require compiler define when/if other Apple devices with ARM cpus ship }
+	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elsec}
+	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ is defined.}
+{$endc}
+
+{$ifc defined __LP64__ and __LP64__ }
+  {$setc TARGET_CPU_64 := TRUE}
+{$elsec}
+  {$setc TARGET_CPU_64 := FALSE}
+{$endc}
+
+{$ifc defined FPC_BIG_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
+{$elifc defined FPC_LITTLE_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
+{$elsec}
+	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
+{$endc}
+{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
+{$setc CALL_NOT_IN_CARBON := FALSE}
+{$setc OLDROUTINENAMES := FALSE}
+{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
+{$setc OPAQUE_UPP_TYPES := TRUE}
+{$setc OTCARBONAPPLICATION := TRUE}
+{$setc OTKERNEL := FALSE}
+{$setc PM_USE_SESSION_APIS := TRUE}
+{$setc TARGET_API_MAC_CARBON := TRUE}
+{$setc TARGET_API_MAC_OS8 := FALSE}
+{$setc TARGET_API_MAC_OSX := TRUE}
+{$setc TARGET_CARBON := TRUE}
+{$setc TARGET_CPU_68K := FALSE}
+{$setc TARGET_CPU_MIPS := FALSE}
+{$setc TARGET_CPU_SPARC := FALSE}
+{$setc TARGET_OS_UNIX := FALSE}
+{$setc TARGET_OS_WIN32 := FALSE}
+{$setc TARGET_RT_MAC_68881 := FALSE}
+{$setc TARGET_RT_MAC_CFM := FALSE}
+{$setc TARGET_RT_MAC_MACHO := TRUE}
+{$setc TYPED_FUNCTION_POINTERS := TRUE}
+{$setc TYPE_BOOL := FALSE}
+{$setc TYPE_EXTENDED := FALSE}
+{$setc TYPE_LONGLONG := TRUE}
+uses MacTypes,cssmtype,x509defs;
+{$endc} {not MACOSALLINCLUDE}
+
+
+{$ifc TARGET_OS_MAC}
+
+{$packrecords c}
+
+{**
+ *** Structs for declaring extension-specific data. 
+ **}
+
+{
+ * GeneralName, used in AuthorityKeyID, SubjectAltName, and 
+ * IssuerAltName. 
+ *
+ * For now, we just provide explicit support for the types which are
+ * represented as IA5Strings, OIDs, and octet strings. Constructed types
+ * such as EDIPartyName and x400Address are not explicitly handled
+ * right now and must be encoded and decoded by the caller. (See exception
+ * for Name and OtherName, below). In those cases the CE_GeneralName.name.Data field 
+ * represents the BER contents octets; CE_GeneralName.name.Length is the 
+ * length of the contents; the tag of the field is not needed - the BER 
+ * encoding uses context-specific implicit tagging. The berEncoded field 
+ * is set to CSSM_TRUE in these case. Simple types have berEncoded = CSSM_FALSE. 
+ *
+ * In the case of a GeneralName in the form of a Name, we parse the Name
+ * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
+ * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to 
+ * sizeof(CSSM_X509_NAME). In this case berEncoded is false. 
+ *
+ * In the case of a GeneralName in the form of a OtherName, we parse the fields
+ * into a CE_OtherName and place a pointer to the CE_OtherName in the
+ * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to 
+ * sizeof(CE_OtherName). In this case berEncoded is false. 
+ *
+ *      GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ *      GeneralName ::= CHOICE (
+ *           otherName                       [0]     OtherName
+ *           rfc822Name                      [1]     IA5String,
+ *           dNSName                         [2]     IA5String,
+ *           x400Address                     [3]     ORAddress,
+ *           directoryName                   [4]     Name,
+ *           ediPartyName                    [5]     EDIPartyName,
+ *           uniformResourceIdentifier       [6]     IA5String,
+ *           iPAddress                       [7]     OCTET STRING,
+ *           registeredID                    [8]     OBJECT IDENTIFIER)
+ *
+ *      OtherName ::= SEQUENCE (
+ *           type-id    OBJECT IDENTIFIER,
+ *           value      [0] EXPLICIT ANY DEFINED BY type-id )
+ *
+ *      EDIPartyName ::= SEQUENCE (
+ *           nameAssigner            [0]     DirectoryString OPTIONAL,
+ *           partyName               [1]     DirectoryString )
+ }
+type
+  CE_GeneralNameType = UInt32;
+const
+	GNT_OtherName = 0;
+	GNT_RFC822Name = 1;
+	GNT_DNSName = 2;
+	GNT_X400Address = 3;
+	GNT_DirectoryName = 4;
+	GNT_EdiPartyName = 5;
+	GNT_URI = 6;
+	GNT_IPAddress = 7;
+	GNT_RegisteredID = 8;
+
+type
+	CE_OtherNamePtr = ^CE_OtherName;
+	CE_OtherName = record
+		typeId: CSSM_OID;
+		value: CSSM_DATA;		// unparsed, BER-encoded
+	end;
+
+type
+  CE_GeneralNamePtr = ^CE_GeneralName;
+	CE_GeneralName = record
+		nameType: CE_GeneralNameType;	// GNT_RFC822Name, etc.
+		berEncoded: CSSM_BOOL;
+		name: CSSM_DATA;
+	end;
+
+type
+  CE_GeneralNamesPtr = ^CE_GeneralNames;
+	CE_GeneralNames = record
+		numNames: UInt32;
+		generalName: CE_GeneralNamePtr;
+	end;	
+
+{
+ * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  ( id-ce 35 )
+ *
+ *   AuthorityKeyIdentifier ::= SEQUENCE (
+ *     keyIdentifier             [0] KeyIdentifier           OPTIONAL,
+ *     authorityCertIssuer       [1] GeneralNames            OPTIONAL,
+ *     authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  )
+ *
+ *   KeyIdentifier ::= OCTET STRING
+ *
+ * CSSM OID = CSSMOID_AuthorityKeyIdentifier
+ }
+type
+  CE_AuthorityKeyIDPtr = ^CE_AuthorityKeyID;
+	CE_AuthorityKeyID = record
+		keyIdentifierPresent: CSSM_BOOL;
+		keyIdentifier: CSSM_DATA;
+		generalNamesPresent: CSSM_BOOL;
+		generalNames: CE_GeneralNamesPtr;
+		serialNumberPresent: CSSM_BOOL;
+		serialNumber: CSSM_DATA;
+	end;
+
+{
+ * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  ( id-ce 14 )
+ *   SubjectKeyIdentifier ::= KeyIdentifier
+ *
+ * CSSM OID = CSSMOID_SubjectKeyIdentifier
+ }
+type
+	CE_SubjectKeyID = CSSM_DATA;
+
+{
+ * id-ce-keyUsage OBJECT IDENTIFIER ::=  ( id-ce 15 )
+ *
+ *     KeyUsage ::= BIT STRING (
+ *          digitalSignature        (0),
+ *          nonRepudiation          (1),
+ *          keyEncipherment         (2),
+ *          dataEncipherment        (3),
+ *          keyAgreement            (4),
+ *          keyCertSign             (5),
+ *          cRLSign                 (6),
+ *          encipherOnly            (7),
+ *          decipherOnly            (8) )
+ *
+ * CSSM OID = CSSMOID_KeyUsage
+ *
+ }
+type
+	CE_KeyUsage = UInt16;
+
+const
+	CE_KU_DigitalSignature = $8000;
+const
+	CE_KU_NonRepudiation = $4000;
+const
+	CE_KU_KeyEncipherment = $2000;
+const
+	CE_KU_DataEncipherment = $1000;
+const
+	CE_KU_KeyAgreement = $0800;
+const
+	CE_KU_KeyCertSign = $0400;
+const
+	CE_KU_CRLSign = $0200;
+const
+	CE_KU_EncipherOnly = $0100;
+const
+	CE_KU_DecipherOnly = $0080;
+
+{
+ *  id-ce-cRLReason OBJECT IDENTIFIER ::= ( id-ce 21 )
+ *
+ *   -- reasonCode ::= ( CRLReason )
+ *
+ *   CRLReason ::= ENUMERATED (
+ *  	unspecified             (0),
+ *      keyCompromise           (1),
+ *     	cACompromise            (2),
+ *    	affiliationChanged      (3),
+ *   	superseded              (4),
+ *  	cessationOfOperation    (5),
+ * 		certificateHold         (6),
+ *		removeFromCRL           (8) )
+ *
+ * CSSM OID = CSSMOID_CrlReason
+ *
+ }
+type
+	CE_CrlReason = UInt32;
+
+const
+	CE_CR_Unspecified = 0;
+const
+	CE_CR_KeyCompromise = 1;
+const
+	CE_CR_CACompromise = 2;
+const
+	CE_CR_AffiliationChanged = 3;
+const
+	CE_CR_Superseded = 4;
+const
+	CE_CR_CessationOfOperation = 5;
+const
+	CE_CR_CertificateHold = 6;
+const
+	CE_CR_RemoveFromCRL = 8;
+
+{
+ * id-ce-subjectAltName OBJECT IDENTIFIER ::=  ( id-ce 17 )
+ *
+ *      SubjectAltName ::= GeneralNames
+ *
+ * CSSM OID = CSSMOID_SubjectAltName
+ *
+ * GeneralNames defined above.
+ }
+
+{
+ *  id-ce-extKeyUsage OBJECT IDENTIFIER ::= (id-ce 37)
+ *
+ *   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId*
+ *
+ *  KeyPurposeId ::= OBJECT IDENTIFIER
+ *
+ * CSSM OID = CSSMOID_ExtendedKeyUsage
+ }
+type
+  CE_ExtendedKeyUsagePtr = ^CE_ExtendedKeyUsage;
+	CE_ExtendedKeyUsage = record
+		numPurposes: UInt32;
+		purposes: CSSM_OID_PTR;		// in Intel pre-encoded format
+	end;
+
+{
+ * id-ce-basicConstraints OBJECT IDENTIFIER ::=  ( id-ce 19 )
+ *
+ * BasicConstraints ::= SEQUENCE (
+ *       cA                      BOOLEAN DEFAULT FALSE,
+ *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL )
+ *
+ * CSSM OID = CSSMOID_BasicConstraints
+ }
+type
+  CE_BasicConstraintsPtr = ^CE_BasicConstraints;
+	CE_BasicConstraints = record
+		cA: CSSM_BOOL;
+		pathLenConstraintPresent: CSSM_BOOL;
+		pathLenConstraint: UInt32;
+	end;	
+
+{
+ * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  ( id-ce 32 )
+ *
+ *   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ *   PolicyInformation ::= SEQUENCE (
+ *        policyIdentifier   CertPolicyId,
+ *        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+ *                                PolicyQualifierInfo OPTIONAL )
+ *
+ *   CertPolicyId ::= OBJECT IDENTIFIER
+ *
+ *   PolicyQualifierInfo ::= SEQUENCE (
+ *        policyQualifierId  PolicyQualifierId,
+ *        qualifier          ANY DEFINED BY policyQualifierId ) 
+ *
+ *   -- policyQualifierIds for Internet policy qualifiers
+ *
+ *   id-qt          OBJECT IDENTIFIER ::=  ( id-pkix 2 )
+ *   id-qt-cps      OBJECT IDENTIFIER ::=  ( id-qt 1 )
+ *   id-qt-unotice  OBJECT IDENTIFIER ::=  ( id-qt 2 )
+ *
+ *   PolicyQualifierId ::=
+ *        OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+ *
+ *   Qualifier ::= CHOICE (
+ *        cPSuri           CPSuri,
+ *        userNotice       UserNotice )
+ *
+ *   CPSuri ::= IA5String
+ *
+ *   UserNotice ::= SEQUENCE (
+ *        noticeRef        NoticeReference OPTIONAL,
+ *        explicitText     DisplayText OPTIONAL)
+ *
+ *   NoticeReference ::= SEQUENCE (
+ *        organization     DisplayText,
+ *        noticeNumbers    SEQUENCE OF INTEGER )
+ *
+ *   DisplayText ::= CHOICE (
+ *        visibleString    VisibleString  (SIZE (1..200)),
+ *        bmpString        BMPString      (SIZE (1..200)),
+ *        utf8String       UTF8String     (SIZE (1..200)) )
+ *
+ *  CSSM OID = CSSMOID_CertificatePolicies
+ *
+ * We only support down to the level of Qualifier, and then only the CPSuri
+ * choice. UserNotice is transmitted to and from this library as a raw
+ * CSSM_DATA containing the BER-encoded UserNotice sequence. 
+ }
+
+type
+  CE_PolicyQualifierInfoPtr = ^CE_PolicyQualifierInfo;
+	CE_PolicyQualifierInfo = record
+		policyQualifierId: CSSM_OID;			// CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
+		qualifier: CSSM_DATA;					// CSSMOID_QT_CPS: IA5String contents
+											// CSSMOID_QT_UNOTICE : Sequence contents
+	end;
+
+type
+  CE_PolicyInformationPtr = ^CE_PolicyInformation;
+	CE_PolicyInformation = record
+		certPolicyId: CSSM_OID;
+		numPolicyQualifiers: UInt32;	// size of *policyQualifiers;
+		policyQualifiers: CE_PolicyQualifierInfoPtr;
+	end;
+
+type
+  CE_CertPoliciesPtr = ^CE_CertPolicies;
+	CE_CertPolicies = record
+		numPolicies: UInt32;			// size of *policies;
+		policies: CE_PolicyInformationPtr;
+	end;
+
+{
+ * netscape-cert-type, a bit string.
+ *
+ * CSSM OID = CSSMOID_NetscapeCertType
+ *
+ * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
+ }
+type
+	CE_NetscapeCertType = UInt16;
+
+{
+ * CRLDistributionPoints.
+ *
+ *   id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  ( id-ce 31 )
+ *
+ *   cRLDistributionPoints ::= (
+ *        CRLDistPointsSyntax )
+ *
+ *   CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ *
+ *   NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
+ *   is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
+ *   because the underlying type also uses an implicit tag for distinguish
+ *   between CHOICEs.
+ *
+ *   DistributionPoint ::= SEQUENCE (
+ *        distributionPoint       [0]     DistributionPointName OPTIONAL,
+ *        reasons                 [1]     ReasonFlags OPTIONAL,
+ *        cRLIssuer               [2]     GeneralNames OPTIONAL )
+ *
+ *   DistributionPointName ::= CHOICE (
+ *        fullName                [0]     GeneralNames,
+ *        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName )
+ *
+ *   ReasonFlags ::= BIT STRING (
+ *        unused                  (0),
+ *        keyCompromise           (1),
+ *        cACompromise            (2),
+ *        affiliationChanged      (3),
+ *        superseded              (4),
+ *        cessationOfOperation    (5),
+ *        certificateHold         (6) )
+ *
+ * CSSM OID = CSSMOID_CrlDistributionPoints
+ }
+ 
+{
+ * Note that this looks similar to CE_CrlReason, but that's an enum and this
+ * is an OR-able bit string.
+ }
+type
+	CE_CrlDistReasonFlags = UInt8;
+
+const
+	CE_CD_Unspecified = $80;
+const
+	CE_CD_KeyCompromise = $40;
+const
+	CE_CD_CACompromise = $20;
+const
+	CE_CD_AffiliationChanged = $10;
+const
+	CE_CD_Superseded = $08;
+const
+	CE_CD_CessationOfOperation = $04;
+const
+	CE_CD_CertificateHold = $02;
+
+type
+  CE_CrlDistributionPointNameType = UInt32;
+const
+	CE_CDNT_FullName = 0;
+	CE_CDNT_NameRelativeToCrlIssuer = 1;
+
+type
+  __embedded_dpn = record
+    case Integer of
+      0: (fullName: CE_GeneralNamesPtr);
+      1: (rdn: CSSM_X509_RDN_PTR);
+  end;
+
+	CE_DistributionPointNamePtr = ^CE_DistributionPointName;
+	CE_DistributionPointName = record
+		nameType: CE_CrlDistributionPointNameType;
+		dpn: __embedded_dpn;
+	end;
+
+{
+ * The top-level CRLDistributionPoint.
+ * All fields are optional; NULL pointers indicate absence. 
+ }
+type
+	CE_CRLDistributionPointPtr = ^CE_CRLDistributionPoint;
+	CE_CRLDistributionPoint = record
+		distPointName: CE_DistributionPointNamePtr;
+		reasonsPresent: CSSM_BOOL;
+		reasons: CE_CrlDistReasonFlags;
+		crlIssuer: CE_GeneralNamesPtr;
+	end;
+
+type
+	CE_CRLDistPointsSyntaxPtr = ^CE_CRLDistPointsSyntax;
+	CE_CRLDistPointsSyntax = record
+		numDistPoints: UInt32;
+		distPoints: CE_CRLDistributionPointPtr;
+	end;
+
+{ 
+ * Authority Information Access and Subject Information Access.
+ *
+ * CSSM OID = CSSMOID_AuthorityInfoAccess
+ * CSSM OID = CSSMOID_SubjectInfoAccess
+ *
+ * SubjAuthInfoAccessSyntax  ::=
+ *		SEQUENCE SIZE (1..MAX) OF AccessDescription
+ * 
+ * AccessDescription  ::=  SEQUENCE (
+ *		accessMethod          OBJECT IDENTIFIER,
+ *		accessLocation        GeneralName  )
+ }
+type
+	CE_AccessDescriptionPtr = ^CE_AccessDescription;
+	CE_AccessDescription = record
+		accessMethod: CSSM_OID;
+		accessLocation: CE_GeneralName;
+	end;
+
+type
+	CE_AuthorityInfoAccessPtr = ^CE_AuthorityInfoAccess;
+	CE_AuthorityInfoAccess = record
+		numAccessDescriptions: UInt32;
+		accessDescriptions: CE_AccessDescriptionPtr;
+	end;
+
+{
+ * Qualified Certificate Statement support, per RFC 3739.
+ *
+ * First, NameRegistrationAuthorities, a component of
+ * SemanticsInformation; it's the same as a GeneralNames - 
+ * a sequence of GeneralName. 
+ }
+type
+  CE_NameRegistrationAuthoritiesPtr = ^CE_NameRegistrationAuthorities;
+	CE_NameRegistrationAuthorities = CE_GeneralNames;
+
+{
+ * SemanticsInformation, identified as the qcType field
+ * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
+ * Both fields optional; at least one must be present. 
+ }
+type
+	CE_SemanticsInformationPtr = ^CE_SemanticsInformation;
+	CE_SemanticsInformation = record
+		semanticsIdentifier: CSSM_OIDPtr;	
+		nameRegistrationAuthorities: CE_NameRegistrationAuthoritiesPtr;
+	end;
+
+{ 
+ * One Qualified Certificate Statement. 
+ * The statementId OID is required; zero or one of (semanticsInfo, 
+ * otherInfo) can be valid, depending on the value of statementId. 
+ * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2), 
+ * the semanticsInfo field may be present; otherwise, DER-encoded
+ * information may be present in otherInfo. Both semanticsInfo and
+ * otherInfo are optional. 
+ }
+type
+	CE_QC_StatementPtr = ^CE_QC_Statement;
+	CE_QC_Statement = record
+		statementId: CSSM_OID;
+		semanticsInfo: CE_SemanticsInformationPtr;
+		otherInfo: CSSM_DATAPtr;
+	end;
+
+{
+ * The top-level Qualified Certificate Statements extension.
+ }
+type
+	CE_QC_StatementsPtr = ^CE_QC_Statements;
+	CE_QC_Statements = record
+		numQCStatements: UInt32;
+		qcStatements: CE_QC_StatementPtr;
+	end;
+
+{** CRL extensions **}
+
+{
+ * cRLNumber, an integer.
+ *
+ * CSSM OID = CSSMOID_CrlNumber
+ }
+type
+	CE_CrlNumber = UInt32;
+
+{
+ * deltaCRLIndicator, an integer.
+ *
+ * CSSM OID = CSSMOID_DeltaCrlIndicator
+ }
+type
+	CE_DeltaCrl = UInt32;
+
+{
+ * IssuingDistributionPoint
+ *
+ * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= ( id-ce 28 )
+ *
+ * issuingDistributionPoint ::= SEQUENCE (
+ *      distributionPoint       [0] DistributionPointName OPTIONAL,
+ *		onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
+ *      onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
+ *      onlySomeReasons         [3] ReasonFlags OPTIONAL,
+ *      indirectCRL             [4] BOOLEAN DEFAULT FALSE )
+ *
+ * CSSM OID = CSSMOID_IssuingDistributionPoint
+ }
+type
+	CE_IssuingDistributionPointPtr = ^CE_IssuingDistributionPoint;
+	CE_IssuingDistributionPoint = record
+		distPointName: CE_DistributionPointNamePtr;		// optional
+		onlyUserCertsPresent: CSSM_BOOL;
+		onlyUserCerts: CSSM_BOOL;
+		onlyCACertsPresent: CSSM_BOOL;
+		onlyCACerts: CSSM_BOOL;
+		onlySomeReasonsPresent: CSSM_BOOL;
+		onlySomeReasons: CE_CrlDistReasonFlags;
+		indirectCrlPresent: CSSM_BOOL;
+		indirectCrl: CSSM_BOOL;
+	end;
+
+{
+ * An enumerated list identifying one of the above per-extension
+ * structs.
+ }
+type
+  CE_DataType = UInt32;
+const
+	DT_AuthorityKeyID = 0;			// CE_AuthorityKeyID
+	DT_SubjectKeyID = 1;			// CE_SubjectKeyID
+	DT_KeyUsage = 2;				// CE_KeyUsage
+	DT_SubjectAltName = 3;			// implies CE_GeneralName
+	DT_IssuerAltName = 4;			// implies CE_GeneralName
+	DT_ExtendedKeyUsage = 5;		// CE_ExtendedKeyUsage
+	DT_BasicConstraints = 6;		// CE_BasicConstraints
+	DT_CertPolicies = 7;			// CE_CertPolicies
+	DT_NetscapeCertType = 8;		// CE_NetscapeCertType
+	DT_CrlNumber = 9;				// CE_CrlNumber
+	DT_DeltaCrl = 10;				// CE_DeltaCrl
+	DT_CrlReason = 11;				// CE_CrlReason
+	DT_CrlDistributionPoints = 12;	// CE_CRLDistPointsSyntax
+	DT_IssuingDistributionPoint = 13;// CE_IssuingDistributionPoint
+	DT_AuthorityInfoAccess = 14;		// CE_AuthorityInfoAccess
+	DT_Other = 15;					// unknown, raw data as a CSSM_DATA
+	DT_QC_Statements = 16;			// CE_QC_Statements
+
+
+{
+ * One unified representation of all the cert adn CRL extensions we know about.
+ }
+type
+  CE_DataPtr = ^CE_Data;
+  CE_Data = record
+    case CE_DataType of
+      DT_AuthorityKeyID: (authorityKeyID: CE_AuthorityKeyID);
+      DT_SubjectKeyID: (subjectKeyID: CE_SubjectKeyID);
+      DT_KeyUsage: (keyUsage: CE_KeyUsage);
+      DT_SubjectAltName: (subjectAltName: CE_GeneralNames);
+      DT_IssuerAltName: (issuerAltName: CE_GeneralNames);
+      DT_ExtendedKeyUsage: (extendedKeyUsage: CE_ExtendedKeyUsage);
+      DT_BasicConstraints: (basicConstraints: CE_BasicConstraints);
+      DT_CertPolicies: (certPolicies: CE_CertPolicies);
+      DT_NetscapeCertType: (netscapeCertType: CE_NetscapeCertType);
+      DT_CrlNumber: (crlNumber: CE_CrlNumber);
+      DT_DeltaCrl: (deltaCrl: CE_DeltaCrl);
+      DT_CrlReason: (crlReason: CE_CrlReason);
+      DT_CrlDistributionPoints: (crlDistPoints: CE_CRLDistPointsSyntax);
+      DT_IssuingDistributionPoint: (issuingDistPoint: CE_IssuingDistributionPoint);
+      DT_AuthorityInfoAccess: (authorityInfoAccess: CE_AuthorityInfoAccess);
+      DT_QC_Statements: (qualifiedCertStatements: CE_QC_Statements);
+      65535: (rawData: CSSM_DATA); // unknown, not decoded
+  end;
+
+
+type
+	CE_DataAndTypePtr = ^CE_DataAndType;
+	CE_DataAndType = record
+		typ: CE_DataType;
+		extension: CE_Data;
+		critical: CSSM_BOOL;
+	end;
+
+{$endc} {TARGET_OS_MAC}
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+
+end.
+{$endc} {not MACOSALLINCLUDE}

packages/univint/src/cssmapple.pas

@@ -0,0 +1,1315 @@
+{
+ * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * 
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * cssmapple.h -- CSSM features specific to Apple's Implementation
+ }
+{       Pascal Translation Updated:  Jonas Maebe, <[email protected]>, September 2010 }
+{
+    Modified for use with Free Pascal
+    Version 308
+    Please report any bugs to <[email protected]>
+}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+{$mode macpas}
+{$packenum 1}
+{$macro on}
+{$inline on}
+{$calling mwpascal}
+
+unit cssmapple;
+interface
+{$setc UNIVERSAL_INTERFACES_VERSION := $0400}
+{$setc GAP_INTERFACES_VERSION := $0308}
+
+{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
+    {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
+{$endc}
+
+{$ifc defined CPUPOWERPC and defined CPUI386}
+	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
+{$endc}
+{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
+	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
+{$endc}
+
+{$ifc not defined __ppc__ and defined CPUPOWERPC32}
+	{$setc __ppc__ := 1}
+{$elsec}
+	{$setc __ppc__ := 0}
+{$endc}
+{$ifc not defined __ppc64__ and defined CPUPOWERPC64}
+	{$setc __ppc64__ := 1}
+{$elsec}
+	{$setc __ppc64__ := 0}
+{$endc}
+{$ifc not defined __i386__ and defined CPUI386}
+	{$setc __i386__ := 1}
+{$elsec}
+	{$setc __i386__ := 0}
+{$endc}
+{$ifc not defined __x86_64__ and defined CPUX86_64}
+	{$setc __x86_64__ := 1}
+{$elsec}
+	{$setc __x86_64__ := 0}
+{$endc}
+{$ifc not defined __arm__ and defined CPUARM}
+	{$setc __arm__ := 1}
+{$elsec}
+	{$setc __arm__ := 0}
+{$endc}
+
+{$ifc defined cpu64}
+  {$setc __LP64__ := 1}
+{$elsec}
+  {$setc __LP64__ := 0}
+{$endc}
+
+
+{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
+	{$error Conflicting definitions for __ppc__ and __i386__}
+{$endc}
+
+{$ifc defined __ppc__ and __ppc__}
+	{$setc TARGET_CPU_PPC := TRUE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __ppc64__ and __ppc64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := TRUE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __i386__ and __i386__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := TRUE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+{$ifc defined(iphonesim)}
+ 	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
+{$elsec}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$endc}
+{$elifc defined __x86_64__ and __x86_64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := TRUE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __arm__ and __arm__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := TRUE}
+	{ will require compiler define when/if other Apple devices with ARM cpus ship }
+	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elsec}
+	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ is defined.}
+{$endc}
+
+{$ifc defined __LP64__ and __LP64__ }
+  {$setc TARGET_CPU_64 := TRUE}
+{$elsec}
+  {$setc TARGET_CPU_64 := FALSE}
+{$endc}
+
+{$ifc defined FPC_BIG_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
+{$elifc defined FPC_LITTLE_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
+{$elsec}
+	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
+{$endc}
+{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
+{$setc CALL_NOT_IN_CARBON := FALSE}
+{$setc OLDROUTINENAMES := FALSE}
+{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
+{$setc OPAQUE_UPP_TYPES := TRUE}
+{$setc OTCARBONAPPLICATION := TRUE}
+{$setc OTKERNEL := FALSE}
+{$setc PM_USE_SESSION_APIS := TRUE}
+{$setc TARGET_API_MAC_CARBON := TRUE}
+{$setc TARGET_API_MAC_OS8 := FALSE}
+{$setc TARGET_API_MAC_OSX := TRUE}
+{$setc TARGET_CARBON := TRUE}
+{$setc TARGET_CPU_68K := FALSE}
+{$setc TARGET_CPU_MIPS := FALSE}
+{$setc TARGET_CPU_SPARC := FALSE}
+{$setc TARGET_OS_UNIX := FALSE}
+{$setc TARGET_OS_WIN32 := FALSE}
+{$setc TARGET_RT_MAC_68881 := FALSE}
+{$setc TARGET_RT_MAC_CFM := FALSE}
+{$setc TARGET_RT_MAC_MACHO := TRUE}
+{$setc TYPED_FUNCTION_POINTERS := TRUE}
+{$setc TYPE_BOOL := FALSE}
+{$setc TYPE_EXTENDED := FALSE}
+{$setc TYPE_LONGLONG := TRUE}
+uses MacTypes,MacOSXPosix,cssmerr,cssmtype,x509defs,certextensions;
+{$endc} {not MACOSALLINCLUDE}
+
+
+{$ifc TARGET_OS_MAC}
+
+{$packrecords c}
+
+
+{ Guids for standard Apple addin modules. }
+
+{ CSSM itself: (87191ca0-0fc9-11d4-849a-000502b52122) }
+var gGuidCssm: CSSM_GUID; external name '_gGuidCssm'; (* attribute const *)
+
+{ File based DL (aka "Keychain DL"): (87191ca1-0fc9-11d4-849a-000502b52122) }
+var gGuidAppleFileDL: CSSM_GUID; external name '_gGuidAppleFileDL'; (* attribute const *)
+
+{ Core CSP (local space): (87191ca2-0fc9-11d4-849a-000502b52122) }
+var gGuidAppleCSP: CSSM_GUID; external name '_gGuidAppleCSP'; (* attribute const *)
+
+{ Secure CSP/DL (aka "Keychain CSPDL): (87191ca3-0fc9-11d4-849a-000502b52122) }
+var gGuidAppleCSPDL: CSSM_GUID; external name '_gGuidAppleCSPDL'; (* attribute const *)
+
+{ X509 Certificate CL: (87191ca4-0fc9-11d4-849a-000502b52122) }
+var gGuidAppleX509CL: CSSM_GUID; external name '_gGuidAppleX509CL'; (* attribute const *)
+
+{ X509 Certificate TP: (87191ca5-0fc9-11d4-849a-000502b52122) }
+var gGuidAppleX509TP: CSSM_GUID; external name '_gGuidAppleX509TP'; (* attribute const *)
+
+{ DLAP/OpenDirectory access DL: (87191ca6-0fc9-11d4-849a-000502b52122) }
+var gGuidAppleLDAPDL: CSSM_GUID; external name '_gGuidAppleLDAPDL'; (* attribute const *)
+
+{ TP for ".mac" related policies: (87191ca7-0fc9-11d4-849a-000502b52122) }
+var gGuidAppleDotMacTP: CSSM_GUID; external name '_gGuidAppleDotMacTP'; (* attribute const *)
+
+{ Smartcard CSP/DL: (87191ca8-0fc9-11d4-849a-000502b52122) }
+var gGuidAppleSdCSPDL: CSSM_GUID; external name '_gGuidAppleSdCSPDL'; (* attribute const *)
+
+{ DL for ".mac" certificate access: (87191ca9-0fc9-11d4-849a-000502b52122) }
+var gGuidAppleDotMacDL: CSSM_GUID; external name '_gGuidAppleDotMacDL'; (* attribute const *)
+
+
+{ Apple defined WORDID values }
+const
+	CSSM_WORDID_KEYCHAIN_PROMPT = CSSM_WORDID_VENDOR_START;
+	CSSM_WORDID_KEYCHAIN_LOCK = CSSM_WORDID_VENDOR_START + 1;
+	CSSM_WORDID_KEYCHAIN_CHANGE_LOCK = CSSM_WORDID_VENDOR_START + 2;
+	CSSM_WORDID_PROCESS = CSSM_WORDID_VENDOR_START + 3;
+	CSSM_WORDID__RESERVED_1 = CSSM_WORDID_VENDOR_START + 4;		{ was used in 10.2 test seeds; no longer in use }
+	CSSM_WORDID_SYMMETRIC_KEY = CSSM_WORDID_VENDOR_START + 5;
+	CSSM_WORDID_SYSTEM = CSSM_WORDID_VENDOR_START + 6;
+	CSSM_WORDID_KEY = CSSM_WORDID_VENDOR_START + 7;
+	CSSM_WORDID_PIN = CSSM_WORDID_VENDOR_START + 8;
+	CSSM_WORDID_PREAUTH = CSSM_WORDID_VENDOR_START + 9;
+	CSSM_WORDID_PREAUTH_SOURCE = CSSM_WORDID_VENDOR_START + 10;
+	CSSM_WORDID_ASYMMETRIC_KEY = CSSM_WORDID_VENDOR_START + 11;
+	CSSM_WORDID__FIRST_UNUSED = CSSM_WORDID_VENDOR_START + 12;
+
+{ Apple defined ACL subject and credential types }
+const
+	CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT;
+	CSSM_ACL_SUBJECT_TYPE_PROCESS = CSSM_WORDID_PROCESS;
+	CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE = CSSM_WORDID_SIGNATURE;
+	CSSM_ACL_SUBJECT_TYPE_COMMENT = CSSM_WORDID_COMMENT;
+	CSSM_ACL_SUBJECT_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY;
+	CSSM_ACL_SUBJECT_TYPE_PREAUTH = CSSM_WORDID_PREAUTH;
+	CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE = CSSM_WORDID_PREAUTH_SOURCE;
+	CSSM_ACL_SUBJECT_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY;
+
+const
+	CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT = CSSM_WORDID_KEYCHAIN_PROMPT;
+	CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK = CSSM_WORDID_KEYCHAIN_LOCK;
+	CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK = CSSM_WORDID_KEYCHAIN_CHANGE_LOCK;
+	CSSM_SAMPLE_TYPE_PROCESS = CSSM_WORDID_PROCESS;
+	CSSM_SAMPLE_TYPE_COMMENT = CSSM_WORDID_COMMENT;
+	CSSM_SAMPLE_TYPE_RETRY_ID = CSSM_WORDID_PROPAGATE;
+	CSSM_SAMPLE_TYPE_SYMMETRIC_KEY = CSSM_WORDID_SYMMETRIC_KEY;
+	CSSM_SAMPLE_TYPE_PREAUTH = CSSM_WORDID_PREAUTH;
+	CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY = CSSM_WORDID_ASYMMETRIC_KEY;
+	// there is no CSSM_SAMPLE_TYPE_PREAUTH_SOURCE
+
+
+{ Apple-defined ACL authorization tags }
+const
+	CSSM_ACL_AUTHORIZATION_CHANGE_ACL = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START;
+	CSSM_ACL_AUTHORIZATION_CHANGE_OWNER = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START + 1;
+	
+	// the "pre-auth" tags form a contiguous range of (up to) 64K pre-authorizations
+	CSSM_ACL_AUTHORIZATION_PREAUTH_BASE = CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START + $1000000;
+	CSSM_ACL_AUTHORIZATION_PREAUTH_END = CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + $10000;
+
+{ pre-authorization conversions (auth-tag to slot and back) }
+{
+#define CSSM_ACL_AUTHORIZATION_PREAUTH(slot) \
+		(CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + (slot))
+#define CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth) \
+		((auth) - CSSM_ACL_AUTHORIZATION_PREAUTH_BASE)
+#define CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth) \
+		((auth) >= CSSM_ACL_AUTHORIZATION_PREAUTH_BASE && \
+		 (auth) < CSSM_ACL_AUTHORIZATION_PREAUTH_END)
+}
+
+
+function CSSM_ACL_AUTHORIZATION_PREAUTH(slot: UInt32): UInt32; inline;
+function CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth: UInt32): UInt32; inline;
+function CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth: UInt32): Boolean; inline;
+
+
+{ Parameters and structures for Apple-defined ACL subjects and samples }
+
+const
+{ types of code signatures - item 1 of CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE subjects }
+	CSSM_ACL_CODE_SIGNATURE_INVALID = 0; { standard OS X code signature }
+	CSSM_ACL_CODE_SIGNATURE_OSX = 1;		{ standard OS X code signature }
+
+{ ACL subjects of type PROCESS }
+
+const
+{ PROCESS_SUBJECT mask fields }
+	CSSM_ACL_MATCH_UID = $01;			{ match userid against uid field }
+	CSSM_ACL_MATCH_GID = $02;			{ match groupid against gid field }
+	CSSM_ACL_MATCH_HONOR_ROOT = $100;	{ let root (uid 0) match any userid }
+	CSSM_ACL_MATCH_BITS = CSSM_ACL_MATCH_UID or CSSM_ACL_MATCH_GID;
+
+const
+{ PROCESS_SUBJECT structure version field }
+	CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION = $101;
+
+type
+	cssm_acl_process_subject_selectorPtr = ^cssm_acl_process_subject_selector;
+	cssm_acl_process_subject_selector = record
+{ PROCESS_SUBJECT selector }
+		version: UInt16;			{ version of this selector }
+		mask: UInt16;			{ active fields mask }
+		uid: UInt32;				{ effective user id match }
+		gid: UInt32;				{ effective group id match }
+	end;
+
+{ ACL subjects of type KEYCHAIN_PROMPT }
+
+const
+{ KEYCHAIN_PROMPT structure version field }
+	CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION = $101;
+
+const
+{ KEYCHAIN_PROMPT operational flags }
+	CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE = $0001; { require re-entering of passphrase }
+	{ the following bits are ignored by 10.4 and earlier }
+	CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED = $0010;			{ prompt for unsigned clients }
+	CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED_ACT = $0020;		{ UNSIGNED bit overrides system default }
+	CSSM_ACL_KEYCHAIN_PROMPT_INVALID = $0040;			{ prompt for invalid signed clients }
+	CSSM_ACL_KEYCHAIN_PROMPT_INVALID_ACT = $0080;		{ INVALID bit overrides system default }
+
+type
+	cssm_acl_keychain_prompt_selectorPtr = ^cssm_acl_keychain_prompt_selector;
+	cssm_acl_keychain_prompt_selector = record
+{ KEYCHAIN_PROMPT selector }
+		version: UInt16;			{ version of this selector }
+		flags: UInt16;			{ flag bits }
+	end;
+
+{ ACL subjects of type CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE }
+type
+	CSSM_ACL_PREAUTH_TRACKING_STATE = UInt32;
+const
+{ preauth tracking state }
+	CSSM_ACL_PREAUTH_TRACKING_COUNT_MASK = $ff;		{ mask for count status }
+	CSSM_ACL_PREAUTH_TRACKING_BLOCKED = 0;		{ retries exhausted; the slot is blocked }
+	{ 0 .. 255 is a count of (re)tries remaining }
+	
+	{ bits or'ed into any count given }
+	CSSM_ACL_PREAUTH_TRACKING_UNKNOWN = $40000000; { status of slot is unknown (ignore count) }
+	CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED = $80000000; { the slot is currently authorized (or'ed in) }
+
+
+{ Apple defined values of a CSSM_DB_ACCESS_TYPE }
+const
+	CSSM_DB_ACCESS_RESET = $10000;	{ clear pre-authentications (or'ed bit) }
+
+
+{ Apple defined algorithm IDs }
+const
+	CSSM_ALGID_APPLE_YARROW = CSSM_ALGID_VENDOR_DEFINED;
+	CSSM_ALGID_AES = CSSM_ALGID_VENDOR_DEFINED + 1;				{ RijnDael }
+	CSSM_ALGID_FEE = CSSM_ALGID_VENDOR_DEFINED + 2;				{ FEE Key Generation } 
+	CSSM_ALGID_FEE_MD5 = CSSM_ALGID_VENDOR_DEFINED + 3;			{ FEE/ElGamal signature w/ MD5 hash }
+	CSSM_ALGID_FEE_SHA1 = CSSM_ALGID_VENDOR_DEFINED + 4;		{ FEE/ElGamal signature w/ SHA1 hash }
+	CSSM_ALGID_FEED = CSSM_ALGID_VENDOR_DEFINED + 5;			{ 1:1 FEE asymmetric encryption }
+	CSSM_ALGID_FEEDEXP = CSSM_ALGID_VENDOR_DEFINED + 6;			{ 2:1 FEE asymmetric encryption }
+	CSSM_ALGID_ASC = CSSM_ALGID_VENDOR_DEFINED + 7;				{ Apple Secure Compression }
+	CSSM_ALGID_SHA1HMAC_LEGACY = CSSM_ALGID_VENDOR_DEFINED + 8;	{ HMAC/SHA1, legacy compatible }
+	CSSM_ALGID_KEYCHAIN_KEY = CSSM_ALGID_VENDOR_DEFINED + 9;	{ derive or manipulate keychain master keys }
+	CSSM_ALGID_PKCS12_PBE_ENCR = CSSM_ALGID_VENDOR_DEFINED + 10;	{ PKCS12, encrypt/decrypt key }
+	CSSM_ALGID_PKCS12_PBE_MAC = CSSM_ALGID_VENDOR_DEFINED + 11;	{ PKCS12, MAC key }
+	CSSM_ALGID_SECURE_PASSPHRASE = CSSM_ALGID_VENDOR_DEFINED + 12;   { passphrase acquired by SecurityServer }
+	CSSM_ALGID_PBE_OPENSSL_MD5 = CSSM_ALGID_VENDOR_DEFINED + 13; { traditional openssl key derivation }
+	CSSM_ALGID_SHA256 = CSSM_ALGID_VENDOR_DEFINED + 14;			{ 256-bit SHA2 }
+	CSSM_ALGID_SHA384 = CSSM_ALGID_VENDOR_DEFINED + 15;			{ 384-bit SHA2 }
+	CSSM_ALGID_SHA512 = CSSM_ALGID_VENDOR_DEFINED + 16;			{ 512-bit SHA2 }
+	CSSM_ALGID_ENTROPY_DEFAULT = CSSM_ALGID_VENDOR_DEFINED + 17;	{ default entropy source of (CSP) device, if any }
+	CSSM_ALGID_SHA224 = CSSM_ALGID_VENDOR_DEFINED + 18;			{ SHA2, 224 bit }
+	CSSM_ALGID_SHA224WithRSA = CSSM_ALGID_VENDOR_DEFINED + 19;	{ RSA signature on SHA224 digest }
+	CSSM_ALGID_SHA256WithRSA = CSSM_ALGID_VENDOR_DEFINED + 20;	{ RSA signature on SHA256 digest }
+	CSSM_ALGID_SHA384WithRSA = CSSM_ALGID_VENDOR_DEFINED + 21;	{ RSA signature on SHA384 digest }
+	CSSM_ALGID_SHA512WithRSA = CSSM_ALGID_VENDOR_DEFINED + 22;	{ RSA signature on SHA512 digest }
+	CSSM_ALGID_OPENSSH1 = CSSM_ALGID_VENDOR_DEFINED + 23;		{ OpenSSH v1 RSA key wrapping }
+	CSSM_ALGID_SHA224WithECDSA = CSSM_ALGID_VENDOR_DEFINED + 24;	{ ECDSA signature on SHA224 digest }
+	CSSM_ALGID_SHA256WithECDSA = CSSM_ALGID_VENDOR_DEFINED + 25;	{ ECDSA signature on SHA256 digest }
+	CSSM_ALGID_SHA384WithECDSA = CSSM_ALGID_VENDOR_DEFINED + 26;	{ ECDSA signature on SHA384 digest }
+	CSSM_ALGID_SHA512WithECDSA = CSSM_ALGID_VENDOR_DEFINED + 27;	{ ECDSA signature on SHA512 digest }
+	CSSM_ALGID_ECDSA_SPECIFIED = CSSM_ALGID_VENDOR_DEFINED + 28;	{ ECDSA with separate digest algorithm specifier }
+	CSSM_ALGID_ECDH_X963_KDF = CSSM_ALGID_VENDOR_DEFINED + 29;	{ ECDH with X9.63 key derivation }
+	CSSM_ALGID__FIRST_UNUSED = CSSM_ALGID_VENDOR_DEFINED + 30;
+
+{ Apple defined padding }
+const
+{ RFC 2246 section E.2 for SSLv2 rollback detection }
+	CSSM_PADDING_APPLE_SSLv2 = CSSM_PADDING_VENDOR_DEFINED;
+
+
+{ Apple defined keyblob formats }
+const
+	CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED = $80000000;
+const
+{ X509 SubjectPublicKeyInfo }
+	CSSM_KEYBLOB_RAW_FORMAT_X509 = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED;
+	{ OpenSSH v1 }
+	CSSM_KEYBLOB_RAW_FORMAT_OPENSSH = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED + 1;		
+	{ openssl-style DSA private key }
+	CSSM_KEYBLOB_RAW_FORMAT_OPENSSL = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED + 2;
+	{ OpenSSH v2 }
+	CSSM_KEYBLOB_RAW_FORMAT_OPENSSH2 = CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED + 3;
+
+{ Apple adds some "common" error codes. CDSA does not define an official start value for this. }
+const
+	CSSM_CUSTOM_COMMON_ERROR_EXTENT = $00e0;
+	CSSM_ERRCODE_NO_USER_INTERACTION = $00e0;
+	CSSM_ERRCODE_USER_CANCELED = $00e1;
+	CSSM_ERRCODE_SERVICE_NOT_AVAILABLE = $00e2;
+	CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION = $00e3;
+	CSSM_ERRCODE_DEVICE_RESET = $00e4;
+	CSSM_ERRCODE_DEVICE_FAILED = $00e5;
+
+const
+	CSSMERR_CSSM_NO_USER_INTERACTION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
+	CSSMERR_AC_NO_USER_INTERACTION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
+	CSSMERR_CSP_NO_USER_INTERACTION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
+	CSSMERR_CL_NO_USER_INTERACTION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
+	CSSMERR_DL_NO_USER_INTERACTION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
+	CSSMERR_TP_NO_USER_INTERACTION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION;
+	CSSMERR_CSSM_USER_CANCELED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
+	CSSMERR_AC_USER_CANCELED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
+	CSSMERR_CSP_USER_CANCELED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
+	CSSMERR_CL_USER_CANCELED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
+	CSSMERR_DL_USER_CANCELED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
+	CSSMERR_TP_USER_CANCELED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED;
+	CSSMERR_CSSM_SERVICE_NOT_AVAILABLE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
+	CSSMERR_AC_SERVICE_NOT_AVAILABLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
+	CSSMERR_CSP_SERVICE_NOT_AVAILABLE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
+	CSSMERR_CL_SERVICE_NOT_AVAILABLE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
+	CSSMERR_DL_SERVICE_NOT_AVAILABLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
+	CSSMERR_TP_SERVICE_NOT_AVAILABLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE;
+	CSSMERR_CSSM_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
+	CSSMERR_AC_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
+	CSSMERR_CSP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
+	CSSMERR_CL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
+	CSSMERR_DL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
+	CSSMERR_TP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION;
+	CSSMERR_CSSM_DEVICE_RESET = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
+	CSSMERR_AC_DEVICE_RESET = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
+	CSSMERR_CSP_DEVICE_RESET = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
+	CSSMERR_CL_DEVICE_RESET = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
+	CSSMERR_DL_DEVICE_RESET = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
+	CSSMERR_TP_DEVICE_RESET = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET;
+	CSSMERR_CSSM_DEVICE_FAILED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
+	CSSMERR_AC_DEVICE_FAILED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
+	CSSMERR_CSP_DEVICE_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
+	CSSMERR_CL_DEVICE_FAILED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
+	CSSMERR_DL_DEVICE_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
+	CSSMERR_TP_DEVICE_FAILED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED;
+
+{ AppleCSPDL, AppleCSP private error codes. }
+const
+	CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT = CSSM_CSP_PRIVATE_ERROR + 0;
+	{
+	 * An attempt was made to use a public key which is incomplete due to 
+	 * the lack of algorithm-specific parameters.
+	 }
+	CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE = CSSM_CSP_PRIVATE_ERROR + 1;
+	
+	{ a code signature match failed }
+	CSSMERR_CSP_APPLE_SIGNATURE_MISMATCH = CSSM_CSP_PRIVATE_ERROR + 2;
+	
+	{ Key StartDate/EndDate invalid }
+	CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE = CSSM_CSP_PRIVATE_ERROR + 3;
+	CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE = CSSM_CSP_PRIVATE_ERROR + 4;
+	
+	{ Keychain Syncing error codes }
+	CSSMERR_CSPDL_APPLE_DL_CONVERSION_ERROR = CSSM_CSP_PRIVATE_ERROR + 5;
+
+	{ SSLv2 padding check: rollback attack detected }
+	CSSMERR_CSP_APPLE_SSLv2_ROLLBACK = CSSM_CSP_PRIVATE_ERROR + 6;
+
+
+{ AppleFileDL record types. }
+const
+	CSSM_DL_DB_RECORD_GENERIC_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 0;
+	CSSM_DL_DB_RECORD_INTERNET_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 1;
+	CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD = CSSM_DB_RECORDTYPE_APP_DEFINED_START + 2;
+	CSSM_DL_DB_RECORD_X509_CERTIFICATE = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000;
+	CSSM_DL_DB_RECORD_USER_TRUST = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000 + 1;
+	CSSM_DL_DB_RECORD_X509_CRL = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000 + 2;
+	CSSM_DL_DB_RECORD_UNLOCK_REFERRAL = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000 + 3;
+	CSSM_DL_DB_RECORD_EXTENDED_ATTRIBUTE = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $1000 + 4;
+	CSSM_DL_DB_RECORD_METADATA = CSSM_DB_RECORDTYPE_APP_DEFINED_START + $8000;
+
+{ AppleFileDL extentions: passthrough ids }
+const
+// Toggle whether or not to autocommit after modifying the database.
+	// The input parameter is a CSSM_BOOL, where TRUE turns autocommit on
+	// and FALSE turns it off.
+	CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT = 0;
+	
+	// Commit any pending changes to the database.
+	CSSM_APPLEFILEDL_COMMIT = 1;
+	
+	// Rollback and discard any pending changes to the database.
+	CSSM_APPLEFILEDL_ROLLBACK = 2;
+
+{ UNLOCK_REFERRAL "type" attribute values }
+const
+	CSSM_APPLE_UNLOCK_TYPE_KEY_DIRECT = 1;	// master secret key stored directly
+	CSSM_APPLE_UNLOCK_TYPE_WRAPPED_PRIVATE = 2;		// master key wrapped by public key
+
+{ Apple DL private error codes. }
+const
+{ The OpenParameters argument passed to CSSM_DL_DbCreate or CSSM_DL_DbOpen
+	   was neither NULL nor a pointer to a valid CSSM_APPLEDL_OPEN_PARAMETERS
+	   structure. }
+	CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS = CSSM_DL_PRIVATE_ERROR + 0;
+	
+	{ an operation failed because the disk was full }
+	CSSMERR_APPLEDL_DISK_FULL = CSSM_DL_PRIVATE_ERROR + 1;
+	
+	{ an operation failed because a disk quota was exceeded }
+	CSSMERR_APPLEDL_QUOTA_EXCEEDED = CSSM_DL_PRIVATE_ERROR + 2;
+	
+	{ an operation failed because a file was too large }
+	CSSMERR_APPLEDL_FILE_TOO_BIG = CSSM_DL_PRIVATE_ERROR + 3;
+    
+    { a keychain database's internal information ("blob") is invalid }
+	CSSMERR_APPLEDL_INVALID_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 4;
+	CSSMERR_APPLEDL_INVALID_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 5;
+    
+    { the internal data format version for a database's internal information ("blob") is invalid }
+	CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 6;
+	CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 7;
+
+{ Apple X509TP private error codes. }
+const
+{ Host name mismatch }
+	CSSMERR_APPLETP_HOSTNAME_MISMATCH = CSSM_TP_PRIVATE_ERROR + 0;
+	{ Non-understood extension with Critical flag true }
+	CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN = CSSM_TP_PRIVATE_ERROR + 1;
+	{ Basic Constraints extension required per policy, but not present }
+	CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 2;
+	{ Invalid BasicConstraints.CA }
+	CSSMERR_APPLETP_INVALID_CA = CSSM_TP_PRIVATE_ERROR + 3;
+	{ Invalid Authority Key ID }
+	CSSMERR_APPLETP_INVALID_AUTHORITY_ID = CSSM_TP_PRIVATE_ERROR + 4;
+	{ Invalid Subject Key ID }
+	CSSMERR_APPLETP_INVALID_SUBJECT_ID = CSSM_TP_PRIVATE_ERROR + 5;
+	{ Invalid Key Usage for policy }
+	CSSMERR_APPLETP_INVALID_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 6;
+	{ Invalid Extended Key Usage for policy }
+	CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 7;
+	{ Invalid Subject/Authority Key ID Linkage }
+	CSSMERR_APPLETP_INVALID_ID_LINKAGE = CSSM_TP_PRIVATE_ERROR + 8;
+	{ PathLengthConstraint exceeded }
+	CSSMERR_APPLETP_PATH_LEN_CONSTRAINT = CSSM_TP_PRIVATE_ERROR + 9;
+	{ Cert group terminated at a root cert which did not self-verify }
+	CSSMERR_APPLETP_INVALID_ROOT = CSSM_TP_PRIVATE_ERROR + 10;
+	{ CRL expired/not valid yet }
+	CSSMERR_APPLETP_CRL_EXPIRED = CSSM_TP_PRIVATE_ERROR + 11;
+	CSSMERR_APPLETP_CRL_NOT_VALID_YET = CSSM_TP_PRIVATE_ERROR + 12;
+	{ Cannot find appropriate CRL }
+	CSSMERR_APPLETP_CRL_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 13;
+	{ specified CRL server down }
+	CSSMERR_APPLETP_CRL_SERVER_DOWN = CSSM_TP_PRIVATE_ERROR + 14;
+	{ illegible CRL distribution point URL }
+	CSSMERR_APPLETP_CRL_BAD_URI = CSSM_TP_PRIVATE_ERROR + 15;
+	{ Unknown critical cert/CRL extension }
+	CSSMERR_APPLETP_UNKNOWN_CERT_EXTEN = CSSM_TP_PRIVATE_ERROR + 16;
+	CSSMERR_APPLETP_UNKNOWN_CRL_EXTEN = CSSM_TP_PRIVATE_ERROR + 17;
+	{ CRL not verifiable to anchor or root }
+	CSSMERR_APPLETP_CRL_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 18;
+	{ CRL verified to untrusted root }
+	CSSMERR_APPLETP_CRL_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 19;
+	{ CRL failed policy verification }
+	CSSMERR_APPLETP_CRL_POLICY_FAIL = CSSM_TP_PRIVATE_ERROR + 20;
+	{ IssuingDistributionPoint extension violation }
+	CSSMERR_APPLETP_IDP_FAIL = CSSM_TP_PRIVATE_ERROR + 21;
+	{ Cert not found at specified issuerAltName }
+	CSSMERR_APPLETP_CERT_NOT_FOUND_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 22;
+	{ Bad cert obtained from specified issuerAltName }
+	CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 23;
+	{ S/MIME Email address mismatch }
+	CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 24;
+	{ Appropriate S/MIME ExtendedKeyUsage not found }
+	CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 25;
+	{ S/MIME KeyUsage incompatiblity }
+	CSSMERR_APPLETP_SMIME_BAD_KEY_USE = CSSM_TP_PRIVATE_ERROR + 26;
+	{ S/MIME, cert with KeyUsage flagged !critical }
+	CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 27;
+	{ S/MIME, leaf with empty subject name and no email addrs
+	 * in SubjectAltName }
+	CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS = CSSM_TP_PRIVATE_ERROR + 28;
+	{ S/MIME, leaf with empty subject name, SubjectAltName 
+	 * not critical }
+	CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT = CSSM_TP_PRIVATE_ERROR + 29;
+	{ Appropriate SSL ExtendedKeyUsage not found }
+	CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 30;
+	{ unparseable OCSP response }
+	CSSMERR_APPLETP_OCSP_BAD_RESPONSE = CSSM_TP_PRIVATE_ERROR + 31;
+	{ unparseable OCSP request }
+	CSSMERR_APPLETP_OCSP_BAD_REQUEST = CSSM_TP_PRIVATE_ERROR + 32;
+	{ OCSP service unavailable }
+	CSSMERR_APPLETP_OCSP_UNAVAILABLE = CSSM_TP_PRIVATE_ERROR + 33;
+	{ OCSP status: cert unrecognized }
+	CSSMERR_APPLETP_OCSP_STATUS_UNRECOGNIZED = CSSM_TP_PRIVATE_ERROR + 34;
+	{ revocation check not successful for each cert }
+	CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK = CSSM_TP_PRIVATE_ERROR + 35;
+	{ general network error }
+	CSSMERR_APPLETP_NETWORK_FAILURE = CSSM_TP_PRIVATE_ERROR + 36;
+	{ OCSP response not verifiable to anchor or root }
+	CSSMERR_APPLETP_OCSP_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 37;
+	{ OCSP response verified to untrusted root }
+	CSSMERR_APPLETP_OCSP_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 38;
+	{ OCSP response signature error }
+	CSSMERR_APPLETP_OCSP_SIG_ERROR = CSSM_TP_PRIVATE_ERROR + 39;
+	{ No signer for OCSP response found }
+	CSSMERR_APPLETP_OCSP_NO_SIGNER = CSSM_TP_PRIVATE_ERROR + 40;
+	{ OCSP responder status: malformed request }
+	CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ = CSSM_TP_PRIVATE_ERROR + 41;
+	{ OCSP responder status: internal error }
+	CSSMERR_APPLETP_OCSP_RESP_INTERNAL_ERR = CSSM_TP_PRIVATE_ERROR + 42;
+	{ OCSP responder status: try later }
+	CSSMERR_APPLETP_OCSP_RESP_TRY_LATER = CSSM_TP_PRIVATE_ERROR + 43;
+	{ OCSP responder status: signature required }
+	CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED = CSSM_TP_PRIVATE_ERROR + 44;
+	{ OCSP responder status: unauthorized }
+	CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED = CSSM_TP_PRIVATE_ERROR + 45;
+	{ OCSP response nonce did not match request }
+	CSSMERR_APPLETP_OCSP_NONCE_MISMATCH = CSSM_TP_PRIVATE_ERROR + 46;
+	{ Illegal cert chain length for Code Signing  }
+	CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 47;
+	{ Missing Basic Constraints for Code Signing }
+	CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 48;
+	{ Bad PathLengthConstraint for Code Signing }
+	CSSMERR_APPLETP_CS_BAD_PATH_LENGTH = CSSM_TP_PRIVATE_ERROR + 49;
+	{ Missing ExtendedKeyUsage for Code Signing }
+	CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 50;
+	{ Development style Code Signing Cert Detected }
+	CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT = CSSM_TP_PRIVATE_ERROR + 51;
+	{ Illegal cert chain length for Resource Signing  }
+	CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 52;
+	{ bad extended key usage for Resource Signing }
+	CSSMERR_APPLETP_RS_BAD_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 53;
+	{ Trust Setting: deny }
+	CSSMERR_APPLETP_TRUST_SETTING_DENY = CSSM_TP_PRIVATE_ERROR + 54;
+	{ invalid empty SubjectName }
+	CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT = CSSM_TP_PRIVATE_ERROR + 55;
+	{ unknown critical Qualified Cert Statement ID }
+	CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT = CSSM_TP_PRIVATE_ERROR + 56;
+
+{ Apple .mac TP private error codes. }
+const
+{ cert request queued }
+	CSSMERR_APPLE_DOTMAC_REQ_QUEUED = CSSM_TP_PRIVATE_ERROR + 100;
+	{ cert request redirected }
+	CSSMERR_APPLE_DOTMAC_REQ_REDIRECT = CSSM_TP_PRIVATE_ERROR + 101;
+	{ general server-reported error }
+	CSSMERR_APPLE_DOTMAC_REQ_SERVER_ERR = CSSM_TP_PRIVATE_ERROR + 102;
+	{ server-reported parameter error }
+	CSSMERR_APPLE_DOTMAC_REQ_SERVER_PARAM = CSSM_TP_PRIVATE_ERROR + 103;
+	{ server-reported authorization error }
+	CSSMERR_APPLE_DOTMAC_REQ_SERVER_AUTH = CSSM_TP_PRIVATE_ERROR + 104;
+	{ server-reported unimplemented }
+	CSSMERR_APPLE_DOTMAC_REQ_SERVER_UNIMPL = CSSM_TP_PRIVATE_ERROR + 105;
+	{ server-reported not available }
+	CSSMERR_APPLE_DOTMAC_REQ_SERVER_NOT_AVAIL = CSSM_TP_PRIVATE_ERROR + 106;
+	{ server-reported already exists }
+	CSSMERR_APPLE_DOTMAC_REQ_SERVER_ALREADY_EXIST = CSSM_TP_PRIVATE_ERROR + 107;
+	{ server-reported service error }
+	CSSMERR_APPLE_DOTMAC_REQ_SERVER_SERVICE_ERROR = CSSM_TP_PRIVATE_ERROR + 108;
+	{ request already pending for specified user }
+	CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING = CSSM_TP_PRIVATE_ERROR + 109;
+	{ no request pending for specified user }
+	CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING = CSSM_TP_PRIVATE_ERROR + 110;
+	{ CSR failed to verify }
+	CSSMERR_APPLE_DOTMAC_CSR_VERIFY_FAIL = CSSM_TP_PRIVATE_ERROR + 111;
+	{ server reported failed consistency check }
+	CSSMERR_APPLE_DOTMAC_FAILED_CONSISTENCY_CHECK = CSSM_TP_PRIVATE_ERROR + 112;
+
+const
+	CSSM_APPLEDL_OPEN_PARAMETERS_VERSION = 1;
+
+type
+	cssm_appledl_open_parameters_mask = SInt32;
+const
+	kCSSM_APPLEDL_MASK_MODE = 1 shl 0;
+
+{ Pass a CSSM_APPLEDL_OPEN_PARAMETERS_PTR as the OpenParameters argument to
+   CSSM_DL_DbCreate or CSSM_DL_DbOpen.  When using this struct, you must zero
+   out the entire struct before setting any additional parameters to ensure
+   forward compatibility.  }
+type
+	CSSM_APPLEDL_OPEN_PARAMETERS_PTR = ^cssm_appledl_open_parameters;
+	CSSM_APPLEDL_OPEN_PARAMETERSPtr = ^cssm_appledl_open_parameters;
+	cssm_appledl_open_parameters = record
+		length: UInt32;	{ Should be sizeof(CSSM_APPLEDL_OPEN_PARAMETERS). }
+		version: UInt32;	{ Should be CSSM_APPLEDL_OPEN_PARAMETERS_VERSION. }
+
+	{ If no OpenParameters are specified, autoCommit is on (!CSSM_FALSE) by default.
+	   When autoCommit is on (!CSSM_FALSE), changes made to the Db are written to disk
+	   before returning from each function.
+	   When autoCommit is off (CSSM_FALSE), changes made to the database are not guaranteed
+	   to be written to disk until the Db is closed.  This is useful for bulk writes.
+	   Be aware that if autoCommit is off, changes made in previous calls to the DL might
+	   get rolled back if a new modification operation fails. }
+		autoCommit: CSSM_BOOL;
+
+	{ Mask marking which of the following fields are to be used. }
+		mask: UInt32;
+
+	{ When calling DbCreate, the initial mode to create the database file with; ignored on DbOpen.  You must set the kCSSM_APPLEDL_MASK_MODE bit in mask or mode is ignored.  }
+		mode: mode_t;
+	end;
+
+
+{ AppleCSPDL passthough ids }
+const
+{ Tell the SecurityServer to lock the database specified by the DLDBHandle argument.
+	   The InputParams and OutputParams arguments are ignored. }
+	CSSM_APPLECSPDL_DB_LOCK = 0;
+
+	{ Tell the SecurityServer to unlock the database specified by the DLDBHandle argument.
+	   The InputParameters argument is a CSSM_DATA_PTR containing the password, or NULL if
+	   the SecurityServer should prompt for the password.
+	   The OutputParams argument is ignored.
+	   The SecurityServer will put up UI (though the SecurityAgent) when this function is called
+	   iff InputParameters is NULL.  }
+	CSSM_APPLECSPDL_DB_UNLOCK = 1;
+
+	{ Ask the SecurityServer to get the db settings specified for the database
+	   specified by the DLDBHandle argument.  The settings are returned in the OutputParameters argument.
+	   The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR.
+	   Upon successful completion, the AppleCSPDL will have allocated a
+	   CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS structure using the application-specified
+	   allocators for the DL attachment specified by the DLDBHandle argument.  The structure will contain
+	   the current database settings for the specified database.  The client should free the
+	   CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR after it has finished using it.
+	   The InputParameters argument is ignored.
+	   The SecurityServer might put up UI (though the SecurityAgent) when this function is called.  }
+	CSSM_APPLECSPDL_DB_GET_SETTINGS = 2;
+
+	{ Tell the SecurityServer to set the db settings specified in InputParameters on the database
+	   specified by the DLDBHandle argument.
+	   The InputParameters argument is a const CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS * containing
+	   the new settings for the specified database.
+	   The OutputParams argument is ignored.
+	   The SecurityServer might put up UI (though the SecurityAgent) when this function is called.  }
+	CSSM_APPLECSPDL_DB_SET_SETTINGS = 3;
+
+	{ Ask the SecurityServer whether the database specified by the DLDBHandle argument is locked.
+	   The InputParameters argument is ignored.
+	   The OutputParameters argument is a pointer to a CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR.
+	   Upon successful completion, the AppleCSPDL will have allocated a
+	   CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS structure using the application-specified
+	   allocators for the DL attachment specified by the DLDBHandle argument.  The structure will contain
+	   the current lock status for the specified database.  The client should free the
+	   CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR after it has finished using it.
+	   The SecurityServer will put up UI (though the SecurityAgent) when this function is called. }
+	CSSM_APPLECSPDL_DB_IS_LOCKED = 4;
+
+	{ Tell the SecurityServer to change the password for the database specified by
+	   the DLDBHandle.
+
+	   The InputParameters argument is a const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS * containing
+	   a CSSM_ACCESS_CREDENTIALS * which determines how the password will be changed.  If the
+	   accessCredentials are NULL, the SecurityAgent will prompt for the old and the new password for the
+	   specified database.  If credentials are specified, there should be 2 entries:
+	   1. a 3-element list containing:
+	   CSSM_WORDID_KEYCHAIN_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the old password.
+	   2. a 3-element list containing:
+	   CSSM_WORDID_KEYCHAIN_CHANGE_LOCK, CSSM_SAMPLE_TYPE_PASSWORD, and the new password.
+
+	   The OutputParams argument is ignored.
+	   The SecurityServer might put up UI (though the SecurityAgent) when this function is called.  }
+	CSSM_APPLECSPDL_DB_CHANGE_PASSWORD = 5;
+	
+	{ Return the SecurityServer database handle for the database specified by the DLDBHandle }
+	CSSM_APPLECSPDL_DB_GET_HANDLE = 6;
+	
+	{ Given a CSSM_KEY for the CSPDL, return the SecurityServer key handle }
+	CSSM_APPLESCPDL_CSP_GET_KEYHANDLE = 7;
+	CSSM_APPLE_PRIVATE_CSPDL_CODE_8 = 8;
+	CSSM_APPLE_PRIVATE_CSPDL_CODE_9 = 9;
+	CSSM_APPLE_PRIVATE_CSPDL_CODE_10 = 10;
+	CSSM_APPLE_PRIVATE_CSPDL_CODE_11 = 11;
+	CSSM_APPLE_PRIVATE_CSPDL_CODE_12 = 12;
+	CSSM_APPLE_PRIVATE_CSPDL_CODE_13 = 13;
+	CSSM_APPLE_PRIVATE_CSPDL_CODE_14 = 14;
+	CSSM_APPLE_PRIVATE_CSPDL_CODE_15 = 15;
+	CSSM_APPLE_PRIVATE_CSPDL_CODE_16 = 16;
+	
+	{ Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the 
+	 * associated key blob. 
+	 * Key is specified in CSSM_CSP_CreatePassThroughContext.
+	 * Hash is allocated bythe CSP, in the App's memory, and returned
+	 * in *outData. }
+	CSSM_APPLECSP_KEYDIGEST = $100;
+
+
+{ AppleCSPDL passthough parameters }
+type
+	CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERS_PTR = ^cssm_applecspdl_db_settings_parameters;
+	CSSM_APPLECSPDL_DB_SETTINGS_PARAMETERSPtr = ^cssm_applecspdl_db_settings_parameters;
+	cssm_applecspdl_db_settings_parameters = record
+		idleTimeout: UInt32;				// seconds idle timeout lock
+		lockOnSleep: UInt8;				// lock database when system sleeps
+	end;
+
+{ AppleCSPDL passthough parameters }
+type
+	CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR = ^cssm_applecspdl_db_is_locked_parameters;
+	CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERSPtr = ^cssm_applecspdl_db_is_locked_parameters;
+	cssm_applecspdl_db_is_locked_parameters = record
+		isLocked: UInt8;				// True iff the database is locked
+	end;
+
+{ AppleCSPDL passthough parameters }
+type
+	CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS_PTR = ^cssm_applecspdl_db_change_password_parameters;
+	CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERSPtr = ^cssm_applecspdl_db_change_password_parameters;
+	cssm_applecspdl_db_change_password_parameters = record
+		accessCredentials: CSSM_ACCESS_CREDENTIALSPtr;
+	end;
+
+{ Custom wrapped key formats }
+const
+	CSSM_KEYBLOB_WRAPPED_FORMAT_APPLE_CUSTOM = 100;
+	CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSL = 101;			// traditional openssl 
+	CSSM_KEYBLOB_WRAPPED_FORMAT_OPENSSH1 = 102;			// OpenSSH v1
+
+{
+ * Custom context attributes for AppleCSP.
+ }
+const
+	CSSM_ATTRIBUTE_VENDOR_DEFINED = $800000;
+
+const
+{ 
+	 * Public Key attribute for use with CSSM_ALGID_FEED.
+	 }
+	CSSM_ATTRIBUTE_PUBLIC_KEY = (CSSM_ATTRIBUTE_DATA_KEY or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 0));
+			
+	{
+	 * FEE key attributes.
+	 * See CSSM_FEE_PRIME_TYPE_xxx, CSSM_FEE_CURVE_TYPE_xxx enums, below.
+	 }
+	CSSM_ATTRIBUTE_FEE_PRIME_TYPE = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 1));
+	CSSM_ATTRIBUTE_FEE_CURVE_TYPE = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 2));
+			
+	{
+	 * Apple Secure Compression (ComCryption) optimization.
+	 * See CSSM_ASC_OPTIMIZE_xxx, enums, below.
+	 }
+	CSSM_ATTRIBUTE_ASC_OPTIMIZATION = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 3));
+			
+	{
+	 * RSA blinding. Value is integer, nonzero (blinding on) or zero.
+	 }
+	CSSM_ATTRIBUTE_RSA_BLINDING = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 4));
+			
+	{
+	 * Additional public key from which to obtain algorithm-specific
+	 * parameters.
+	 }
+	CSSM_ATTRIBUTE_PARAM_KEY = (CSSM_ATTRIBUTE_DATA_KEY or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 5));
+			
+	{
+	 * Prompt string for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
+	 * Data is a UTF8-encoded external representation of a CFString. 
+	 }
+	CSSM_ATTRIBUTE_PROMPT = (CSSM_ATTRIBUTE_DATA_CSSM_DATA or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 6));
+
+	{
+	 * Alert panel title for CSSM_ALGID_SECURE_PASSPHRASE key acquisition.
+	 * Data is a UTF8-encoded external representation of a CFString. 
+	 }
+	CSSM_ATTRIBUTE_ALERT_TITLE = (CSSM_ATTRIBUTE_DATA_CSSM_DATA or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 7));
+
+	{
+	 * Boolean to specify whether secure passphrase is being used to encrypt or to 
+	 * recover data. In the former case the user will be prompted to enter the 
+	 * passphrase twice. Value is integer, nonzero (verify passphrase) or zero.
+	 }
+	CSSM_ATTRIBUTE_VERIFY_PASSPHRASE = (CSSM_ATTRIBUTE_DATA_UINT32 or (CSSM_ATTRIBUTE_VENDOR_DEFINED + 8));
+
+{
+ * FEE key pair prime modulus types.
+ }
+const
+	CSSM_FEE_PRIME_TYPE_DEFAULT = 0;	{ default per key size }
+	CSSM_FEE_PRIME_TYPE_MERSENNE = 1;		{ (2 ** q) - 1Ê}
+	CSSM_FEE_PRIME_TYPE_FEE = 2;			{ (2 ** q) - k }
+	CSSM_FEE_PRIME_TYPE_GENERAL = 3;			{ random prime }
+
+{
+ * FEE curve types. Comments refer to equation
+ *
+ *    y**2 = x**3 + c(x**2) + ax + b
+ }
+const
+	CSSM_FEE_CURVE_TYPE_DEFAULT = 0;	{ default per key size }
+	CSSM_FEE_CURVE_TYPE_MONTGOMERY = 1;		{ a==1, b==0 }
+	CSSM_FEE_CURVE_TYPE_WEIERSTRASS = 2;	{ c==0. IEEE P1363 compliant. }
+	CSSM_FEE_CURVE_TYPE_ANSI_X9_62 = 3;		{ ANSI X9.62 compatible }
+
+{
+ * Apple Secure Compression (ComCryption) optimization attributes.
+ }
+const
+	CSSM_ASC_OPTIMIZE_DEFAULT = 0;
+	CSSM_ASC_OPTIMIZE_SIZE = 1;				{ max compression (currently the default) }
+	CSSM_ASC_OPTIMIZE_SECURITY = 2;			{ currently not implemented }
+	CSSM_ASC_OPTIMIZE_TIME = 3;				{ min runtime }
+	CSSM_ASC_OPTIMIZE_TIME_SIZE = 4;		{ implies loss of security }
+	CSSM_ASC_OPTIMIZE_ASCII = 5;			{ optimized for ASCC text, not implemented }
+
+{
+ * Apple custom CSSM_KEYATTR_FLAGS.
+ }
+const
+{
+	 * When set, indicates a public key which is incomplete (though
+	 * still valid) due to the lack of algorithm-specific parameters.
+	 }
+	CSSM_KEYATTR_PARTIAL = $00010000;
+	
+	{
+	 * When set, public keys are stored encrypted. Default is to store
+	 * public keys in the clear. AppleCSPDL only.
+	 }
+	CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT = $00020000;
+
+{
+ * Name/OID pair used in CSSM_APPLE_TP_CERT_REQUEST
+ }
+type
+	CSSM_APPLE_TP_NAME_OIDPtr = ^CSSM_APPLE_TP_NAME_OID;
+	CSSM_APPLE_TP_NAME_OID = record
+		strng: {const} CStringPtr;
+		oid: {const} CSSM_OIDPtr;
+	end;
+
+{ 
+ * Certificate request passed to CSSM_TP_SubmitCredRequest() in the
+ * CSSM_TP_AUTHORITY_REQUEST_TYPE.Requests field. Used for requesting
+ * both locally-generated certs (CSSMOID_APPLE_TP_LOCAL_CERT_GEN) and
+ * cert signing requests (CSSMOID_APPLE_TP_CSR_GEN). 
+ }
+type
+	CSSM_APPLE_TP_CERT_REQUESTPtr = ^CSSM_APPLE_TP_CERT_REQUEST;
+	CSSM_APPLE_TP_CERT_REQUEST = record
+		cspHand: CSSM_CSP_HANDLE;		// sign with this CSP
+		clHand: CSSM_CL_HANDLE;			// and this CL
+		serialNumber: UInt32;
+		numSubjectNames: UInt32;// size subjectNames[]
+		subjectNames: CSSM_APPLE_TP_NAME_OIDPtr;	
+	
+	{
+	 * Issuer name can be expressed in the simplified CSSM_APPLE_TP_NAME_OID
+	 * array, as is the subject name, or as an CSSM_X509_NAME, which is 
+	 * typically obtained from a signing cert. 
+	 * Exactly one of (issuerNames, issuerNameX509) must be non-NULL. 
+	 }
+		numIssuerNames: UInt32;	// size issuerNames[]
+		issuerNames: CSSM_APPLE_TP_NAME_OIDPtr;   // optional; NULL implies root 
+											//    (signer == subject)
+		issuerNameX509: CSSM_X509_NAME_PTR;		
+		certPublicKey: {const} CSSM_KEYPtr;
+		issuerPrivateKey: {const} CSSM_KEYPtr;
+	
+	{ Unfortunately there is no practical way to map any algorithm
+	 * to its appropriate OID, and we need both.... }
+		signatureAlg: CSSM_ALGORITHMS;   // e.g., CSSM_ALGID_SHA1WithRSA
+		signatureOid: CSSM_OID;	// e.g., CSSMOID_SHA1WithRSA
+		notBefore: UInt32;		// relative to "now"
+		notAfter: UInt32;
+		numExtensions: UInt32;
+		extensions: CE_DataAndTypePtr;	// optional
+	
+	{ 
+	 * Optional challenge string for CSSMOID_APPLE_TP_CSR_GEN.
+	 }
+		challengeString: {const} CStringPtr;
+	end;
+
+{ 
+ * Options for X509TP's CSSM_TP_CertGroupVerify for policy CSSMOID_APPLE_TP_SSL. 
+ * A pointer to, and length of, one of these is optionally placed in 
+ * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
+ }
+const
+	CSSM_APPLE_TP_SSL_OPTS_VERSION = 1;
+
+{
+ * Values for CSSM_APPLE_TP_SSL_OPTIONS.flags.
+ *
+ * Set this flag when evaluating a client cert.
+ }
+const
+	CSSM_APPLE_TP_SSL_CLIENT = $00000001;
+
+type
+	CSSM_APPLE_TP_SSL_OPTIONSPtr = ^CSSM_APPLE_TP_SSL_OPTIONS;
+	CSSM_APPLE_TP_SSL_OPTIONS = record
+		Version: UInt32;        // CSSM_APPLE_TP_SSL_OPTS_VERSION
+
+	{ 
+	 * The domain name of the server (e.g., "store.apple.com".) In the 
+	 * SSL and TLS protocols, this must match the common name of the 
+	 * subject cert. Expressed as a C string, optionally NULL terminated
+	 * if it is NULL terminated, the length field should include the NULL).
+	 }
+		ServerNameLen: UInt32;
+		ServerName: {const} CStringPtr;    // optional
+	
+	{ new fields for struct version 1 }
+		Flags: UInt32;
+	end;
+
+{ 
+ * Options for X509TP's CSSM_TP_CertGroupVerify for policy 
+ * CSSMOID_APPLE_TP_REVOCATION_CRL. A pointer to, and length of, one 
+ * of these is optionally placed in 
+ * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
+ }
+const
+	CSSM_APPLE_TP_CRL_OPTS_VERSION = 0;
+
+type
+	CSSM_APPLE_TP_CRL_OPT_FLAGS = UInt32;
+const
+// require CRL verification for each cert; default is "try"
+	CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT = $00000001;	
+	// enable fetch from network
+	CSSM_TP_ACTION_FETCH_CRL_FROM_NET = $00000002;
+	// if set and positive OCSP verify for given cert, no further revocation
+	// checking need be done on that cert
+	CSSM_TP_ACTION_CRL_SUFFICIENT = $00000004;
+	// require CRL verification for certs which claim a CRL provider
+	CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT = $00000008;
+
+type
+	CSSM_APPLE_TP_CRL_OPTIONSPtr = ^CSSM_APPLE_TP_CRL_OPTIONS;
+	CSSM_APPLE_TP_CRL_OPTIONS = record
+		Version: UInt32;        // CSSM_APPLE_TP_CRL_OPTS_VERSION
+		CrlFlags: CSSM_APPLE_TP_CRL_OPT_FLAGS;
+	
+	{
+	 * When non-NULL, store CRLs fetched from net here.
+	 * This is most likely a pointer to one of the  
+	 * CSSM_TP_CALLERAUTH_CONTEXT.DBList entries but that
+	 * is not a strict requirement.
+	 }
+		crlStore: CSSM_DL_DB_HANDLE_PTR;
+	end;
+
+{ 
+ * Options for X509TP's CSSM_TP_CertGroupVerify for policy 
+ * CSSMOID_APPLE_TP_SMIME. A pointer to, and length of, one 
+ * of these is optionally placed in 
+ * CSSM_TP_VERIFY_CONTEXT.Cred->Policy.PolicyIds[n].FieldValue.
+ }
+const
+	CSSM_APPLE_TP_SMIME_OPTS_VERSION = 0;
+type
+	CSSM_APPLE_TP_SMIME_OPTIONSPtr = ^CSSM_APPLE_TP_SMIME_OPTIONS;
+	CSSM_APPLE_TP_SMIME_OPTIONS = record
+		Version: UInt32;        // CSSM_APPLE_TP_SMIME_OPTS_VERSION
+
+	{ 
+	 * Intended usage of the leaf cert. The cert's KeyUsage extension,
+	 * if present, must be a superset of this.
+	 }
+		IntendedUsage: CE_KeyUsage;
+	
+	{ 
+	 * The email address of the sender. If there is an email address
+	 * in the sender's cert, that email address must match this one.
+	 * Both (email address in the cert, and this one) are optional.
+	 * Expressed as a C string, optionally NULL terminated (i.e.,
+	 * SenderEmail[SenderEmailLen - 1] may or may not be NULL).
+	 }
+		SenderEmailLen: UInt32;
+		SenderEmail: {const} CStringPtr;    // optional
+	end;
+
+
+{
+ * Optional ActionData for all X509TP CertGroupVerify policies.
+ * A pointer to, and length of, one of these is optionally placed in 
+ * CSSM_TP_VERIFY_CONTEXT.ActionData.
+ }
+type
+	CSSM_APPLE_TP_ACTION_FLAGS = UInt32;
+const
+	CSSM_TP_ACTION_ALLOW_EXPIRED = $00000001;	// allow expired certs
+	CSSM_TP_ACTION_LEAF_IS_CA = $00000002;	// first cert is a CA 
+	CSSM_TP_ACTION_FETCH_CERT_FROM_NET = $00000004;	// enable net fetch of CA cert
+	CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT = $00000008; 	// allow expired roots
+	CSSM_TP_ACTION_REQUIRE_REV_PER_CERT = $00000010; 	// require positive revocation
+														//   check per cert
+	CSSM_TP_ACTION_TRUST_SETTINGS = $00000020;	// use TrustSettings instead of 
+														//   anchors
+	CSSM_TP_ACTION_IMPLICIT_ANCHORS = $00000040;	// properly self-signed certs are
+														//   treated as anchors implicitly
+
+const
+	CSSM_APPLE_TP_ACTION_VERSION = 0;
+type
+	CSSM_APPLE_TP_ACTION_DATAPtr = ^CSSM_APPLE_TP_ACTION_DATA;
+	CSSM_APPLE_TP_ACTION_DATA = record
+		Version: UInt32; 		// CSSM_APPLE_TP_ACTION_VERSION
+		ActionFlags: CSSM_APPLE_TP_ACTION_FLAGS;	// CSSM_TP_ACTION_ALLOW_EXPIRED, etc.
+	end;
+
+{
+ * Per-cert evidence returned from CSSM_TP_CertGroupVerify.
+ * An array of these is presented in CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[2]. 
+ * Same number of these as in the cert group in Evidence[1].
+ }
+ 
+{ First, an array of bits indicating various status of the cert. }
+type
+	CSSM_TP_APPLE_CERT_STATUS = UInt32;
+const
+	CSSM_CERT_STATUS_EXPIRED = $00000001;
+	CSSM_CERT_STATUS_NOT_VALID_YET = $00000002;
+	CSSM_CERT_STATUS_IS_IN_INPUT_CERTS = $00000004;
+	CSSM_CERT_STATUS_IS_IN_ANCHORS = $00000008;
+	CSSM_CERT_STATUS_IS_ROOT = $00000010;
+	CSSM_CERT_STATUS_IS_FROM_NET = $00000020;
+	{ settings found in per-user Trust Settings }
+	CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_USER = $00000040;
+	{ settings found in Admin Trust Settings }
+	CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_ADMIN = $00000080;
+	{ settings found in System Trust Settings }
+	CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_SYSTEM = $00000100;
+	{ Trust Settings result = Trust }
+	CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST = $00000200;
+	{ Trust Settings result = Deny }
+	CSSM_CERT_STATUS_TRUST_SETTINGS_DENY = $00000400;
+	{ Per-cert error ignored due to Trust Settings }
+	CSSM_CERT_STATUS_TRUST_SETTINGS_IGNORED_ERROR = $00000800;
+
+type
+	CSSM_TP_APPLE_EVIDENCE_INFOArrayPtr = ^CSSM_TP_APPLE_EVIDENCE_INFOPtr;
+	CSSM_TP_APPLE_EVIDENCE_INFOPtr = ^CSSM_TP_APPLE_EVIDENCE_INFO;
+	CSSM_TP_APPLE_EVIDENCE_INFO = record
+		StatusBits: CSSM_TP_APPLE_CERT_STATUS;
+		NumStatusCodes: UInt32;
+		StatusCodes: CSSM_RETURNPtr;
+	
+	{ index into raw cert group or AnchorCerts depending on IS_IN_ANCHORS }
+		Index: UInt32;   
+	
+	{ nonzero if cert came from a DLDB }
+		DlDbHandle: CSSM_DL_DB_HANDLE;
+		UniqueRecord: CSSM_DB_UNIQUE_RECORD_PTR;
+	end;
+
+{
+ * CSSM_TP_VERIFY_CONTEXT_RESULT.Evidence[0], basically defines which version/flavor 
+ * of remaining evidence is.
+ }
+const
+	CSSM_TP_APPLE_EVIDENCE_VERSION = 0;
+type
+	CSSM_TP_APPLE_EVIDENCE_HEADERPtr = ^CSSM_TP_APPLE_EVIDENCE_HEADER;
+	CSSM_TP_APPLE_EVIDENCE_HEADER = record
+		Version: UInt32;
+	end;
+
+
+{
+ * Apple-specific CSSM_EVIDENCE_FORM values
+ *
+ * The form of the evidence returns from CSSM_TP_CertGroupVerify is:
+ *
+ * EvidenceForm							contents of *Evidence
+ * ------------  						---------------------
+ * CSSM_EVIDENCE_FORM_APPLE_HEADER		CSSM_TP_APPLE_EVIDENCE_HEADER
+ * CSSM_EVIDENCE_FORM_APPLE_CERTGROUP	CSSM_CERTGROUP
+ * CSSM_EVIDENCE_FORM_APPLE_CERT_INFO	array of CSSM_TP_APPLE_EVIDENCE_INFO, size
+ *											CSSM_CERTGROUP.NumCerts
+ }
+
+const
+	CSSM_EVIDENCE_FORM_APPLE_CUSTOM = $80000000;
+const
+	CSSM_EVIDENCE_FORM_APPLE_HEADER = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 0;
+	CSSM_EVIDENCE_FORM_APPLE_CERTGROUP = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 1;
+	CSSM_EVIDENCE_FORM_APPLE_CERT_INFO = CSSM_EVIDENCE_FORM_APPLE_CUSTOM + 2;
+
+{ AppleX509CL extensions: passthrough ids }
+const
+{ 
+	 * Obtain a signed Certificate Signing Request.
+	 * Input = CSSM_APPLE_CL_CSR_REQUEST
+	 * Output = allocated CSSM_DATA which points to a DER-encoded CSR.
+	 }
+	CSSM_APPLEX509CL_OBTAIN_CSR = 0;
+	
+	{
+	 * Perform signature verify of a CSR.
+	 * Input:  CSSM_DATA referring to a DER-encoded CSR.
+	 * Output: Nothing, returns CSSMERR_CL_VERIFICATION_FAILURE on
+	 *         on failure.
+	 }
+	CSSM_APPLEX509CL_VERIFY_CSR = 1;
+
+{
+ * Used in CL's CSSM_APPLEX509_OBTAIN_CSR Passthrough. This is the 
+ * input; the output is a CSSM_DATA * containing the signed and 
+ * DER-encoded CSR.
+ }
+type
+	CSSM_APPLE_CL_CSR_REQUESTPtr = ^CSSM_APPLE_CL_CSR_REQUEST;
+	CSSM_APPLE_CL_CSR_REQUEST = record
+		subjectNameX509: CSSM_X509_NAME_PTR;		
+	
+	{ Unfortunately there is no practical way to map any algorithm
+	 * to its appropriate OID, and we need both.... }
+		signatureAlg: CSSM_ALGORITHMS;   // e.g., CSSM_ALGID_SHA1WithRSA
+		signatureOid: CSSM_OID;	// e.g., CSSMOID_SHA1WithRSA
+
+		cspHand: CSSM_CSP_HANDLE;		// sign with this CSP
+		subjectPublicKey: {const} CSSM_KEYPtr;
+		subjectPrivateKey: {const} CSSM_KEYPtr;
+	
+	{ 
+	 * Optional challenge string.
+	 }
+		challengeString: {const} CStringPtr;
+	end;
+
+{
+ * When a CRL with no NextUpdate field is encountered, we use this time 
+ * as the NextUpdate attribute when storing in a DB. It represents the
+ * virtual end of time in CSSM_TIMESTRING form.
+ }
+const
+	CSSM_APPLE_CRL_END_OF_TIME = '99991231235959';
+
+{
+ * Default filesystem names and locations for SecurityServer features
+ * (included here for lack of a better place)
+ }
+const
+	kKeychainSuffix = '.keychain';
+const
+	kSystemKeychainName = 'System.keychain';
+const
+	kSystemKeychainDir = '/Library/Keychains/';
+const
+	kSystemUnlockFile = '/var/db/SystemKey';
+
+
+procedure cssmPerror( how: ConstCStringPtr; error: CSSM_RETURN ); external name '_cssmPerror';
+
+{ Convert between CSSM_OID and CSSM_ALGORITHMS }
+function cssmOidToAlg( const (*var*) oid: CSSM_OID; var alg: CSSM_ALGORITHMS ): CBool; external name '_cssmOidToAlg';
+function cssmAlgToOid( algId: CSSM_ALGORITHMS ): CSSM_OIDPtr; external name '_cssmAlgToOid';
+
+{
+ * The MacOS OSStatus space has an embedding for UNIX errno values, similar to
+ * the way we embed CSSM_RETURN values in OSStatus. These are the base and limit
+ * values for this embedding.
+ }
+const
+	errSecErrnoBase = 100000;
+const
+	errSecErrnoLimit = 100255;
+
+{$endc} {TARGET_OS_MAC}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+implementation
+
+{$ifc TARGET_OS_MAC}
+
+
+
+function CSSM_ACL_AUTHORIZATION_PREAUTH(slot: UInt32): UInt32; inline;
+begin
+  CSSM_ACL_AUTHORIZATION_PREAUTH:=CSSM_ACL_AUTHORIZATION_PREAUTH_BASE + slot
+end;
+
+function CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth: UInt32): UInt32; inline;
+begin
+  CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT:=auth - CSSM_ACL_AUTHORIZATION_PREAUTH_BASE
+end;
+
+function CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth: UInt32): Boolean; inline;
+begin
+  CSSM_ACL_AUTHORIZATION_IS_PREAUTH:=
+    (auth >= CSSM_ACL_AUTHORIZATION_PREAUTH_BASE) and
+    (auth < CSSM_ACL_AUTHORIZATION_PREAUTH_END)
+end;
+
+{$endc} {TARGET_OS_MAC}
+
+end.
+
+{$endc} {not MACOSALLINCLUDE}

packages/univint/src/cssmconfig.pas

@@ -0,0 +1,201 @@
+{
+ * Copyright (c) 2000-2001,2003-2004,2007 Apple Inc. All Rights Reserved.
+ * 
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * cssmconfig.h -- Platform specific defines and typedefs for cdsa.
+ }
+{       Pascal Translation Updated:  Jonas Maebe, <[email protected]>, September 2010 }
+{
+    Modified for use with Free Pascal
+    Version 308
+    Please report any bugs to <[email protected]>
+}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+{$mode macpas}
+{$packenum 1}
+{$macro on}
+{$inline on}
+{$calling mwpascal}
+
+unit cssmconfig;
+interface
+{$setc UNIVERSAL_INTERFACES_VERSION := $0400}
+{$setc GAP_INTERFACES_VERSION := $0308}
+
+{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
+    {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
+{$endc}
+
+{$ifc defined CPUPOWERPC and defined CPUI386}
+	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
+{$endc}
+{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
+	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
+{$endc}
+
+{$ifc not defined __ppc__ and defined CPUPOWERPC32}
+	{$setc __ppc__ := 1}
+{$elsec}
+	{$setc __ppc__ := 0}
+{$endc}
+{$ifc not defined __ppc64__ and defined CPUPOWERPC64}
+	{$setc __ppc64__ := 1}
+{$elsec}
+	{$setc __ppc64__ := 0}
+{$endc}
+{$ifc not defined __i386__ and defined CPUI386}
+	{$setc __i386__ := 1}
+{$elsec}
+	{$setc __i386__ := 0}
+{$endc}
+{$ifc not defined __x86_64__ and defined CPUX86_64}
+	{$setc __x86_64__ := 1}
+{$elsec}
+	{$setc __x86_64__ := 0}
+{$endc}
+{$ifc not defined __arm__ and defined CPUARM}
+	{$setc __arm__ := 1}
+{$elsec}
+	{$setc __arm__ := 0}
+{$endc}
+
+{$ifc defined cpu64}
+  {$setc __LP64__ := 1}
+{$elsec}
+  {$setc __LP64__ := 0}
+{$endc}
+
+
+{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
+	{$error Conflicting definitions for __ppc__ and __i386__}
+{$endc}
+
+{$ifc defined __ppc__ and __ppc__}
+	{$setc TARGET_CPU_PPC := TRUE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __ppc64__ and __ppc64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := TRUE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __i386__ and __i386__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := TRUE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+{$ifc defined(iphonesim)}
+ 	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
+{$elsec}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$endc}
+{$elifc defined __x86_64__ and __x86_64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := TRUE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __arm__ and __arm__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := TRUE}
+	{ will require compiler define when/if other Apple devices with ARM cpus ship }
+	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elsec}
+	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ is defined.}
+{$endc}
+
+{$ifc defined __LP64__ and __LP64__ }
+  {$setc TARGET_CPU_64 := TRUE}
+{$elsec}
+  {$setc TARGET_CPU_64 := FALSE}
+{$endc}
+
+{$ifc defined FPC_BIG_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
+{$elifc defined FPC_LITTLE_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
+{$elsec}
+	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
+{$endc}
+{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
+{$setc CALL_NOT_IN_CARBON := FALSE}
+{$setc OLDROUTINENAMES := FALSE}
+{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
+{$setc OPAQUE_UPP_TYPES := TRUE}
+{$setc OTCARBONAPPLICATION := TRUE}
+{$setc OTKERNEL := FALSE}
+{$setc PM_USE_SESSION_APIS := TRUE}
+{$setc TARGET_API_MAC_CARBON := TRUE}
+{$setc TARGET_API_MAC_OS8 := FALSE}
+{$setc TARGET_API_MAC_OSX := TRUE}
+{$setc TARGET_CARBON := TRUE}
+{$setc TARGET_CPU_68K := FALSE}
+{$setc TARGET_CPU_MIPS := FALSE}
+{$setc TARGET_CPU_SPARC := FALSE}
+{$setc TARGET_OS_UNIX := FALSE}
+{$setc TARGET_OS_WIN32 := FALSE}
+{$setc TARGET_RT_MAC_68881 := FALSE}
+{$setc TARGET_RT_MAC_CFM := FALSE}
+{$setc TARGET_RT_MAC_MACHO := TRUE}
+{$setc TYPED_FUNCTION_POINTERS := TRUE}
+{$setc TYPE_BOOL := FALSE}
+{$setc TYPE_EXTENDED := FALSE}
+{$setc TYPE_LONGLONG := TRUE}
+uses MacTypes;
+{$endc} {not MACOSALLINCLUDE}
+
+
+{$ifc TARGET_OS_MAC}
+
+type
+	CSSM_INTPTR = MacPtrSInt;
+	CSSM_SIZE = size_t;
+
+{$endc} {TARGET_OS_MAC}
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+
+end.
+{$endc} {not MACOSALLINCLUDE}

packages/univint/src/cssmerr.pas

@@ -0,0 +1,822 @@
+{
+ * Copyright (c) 1999-2002,2004 Apple Computer, Inc. All Rights Reserved.
+ * 
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * cssmerr.h -- Error Code Definitions for CSSM
+ }
+{       Pascal Translation Updated:  Jonas Maebe, <[email protected]>, September 2010 }
+{
+    Modified for use with Free Pascal
+    Version 308
+    Please report any bugs to <[email protected]>
+}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+{$mode macpas}
+{$packenum 1}
+{$macro on}
+{$inline on}
+{$calling mwpascal}
+
+unit cssmerr;
+interface
+{$setc UNIVERSAL_INTERFACES_VERSION := $0400}
+{$setc GAP_INTERFACES_VERSION := $0308}
+
+{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
+    {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
+{$endc}
+
+{$ifc defined CPUPOWERPC and defined CPUI386}
+	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
+{$endc}
+{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
+	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
+{$endc}
+
+{$ifc not defined __ppc__ and defined CPUPOWERPC32}
+	{$setc __ppc__ := 1}
+{$elsec}
+	{$setc __ppc__ := 0}
+{$endc}
+{$ifc not defined __ppc64__ and defined CPUPOWERPC64}
+	{$setc __ppc64__ := 1}
+{$elsec}
+	{$setc __ppc64__ := 0}
+{$endc}
+{$ifc not defined __i386__ and defined CPUI386}
+	{$setc __i386__ := 1}
+{$elsec}
+	{$setc __i386__ := 0}
+{$endc}
+{$ifc not defined __x86_64__ and defined CPUX86_64}
+	{$setc __x86_64__ := 1}
+{$elsec}
+	{$setc __x86_64__ := 0}
+{$endc}
+{$ifc not defined __arm__ and defined CPUARM}
+	{$setc __arm__ := 1}
+{$elsec}
+	{$setc __arm__ := 0}
+{$endc}
+
+{$ifc defined cpu64}
+  {$setc __LP64__ := 1}
+{$elsec}
+  {$setc __LP64__ := 0}
+{$endc}
+
+
+{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
+	{$error Conflicting definitions for __ppc__ and __i386__}
+{$endc}
+
+{$ifc defined __ppc__ and __ppc__}
+	{$setc TARGET_CPU_PPC := TRUE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __ppc64__ and __ppc64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := TRUE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __i386__ and __i386__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := TRUE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+{$ifc defined(iphonesim)}
+ 	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
+{$elsec}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$endc}
+{$elifc defined __x86_64__ and __x86_64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := TRUE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __arm__ and __arm__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := TRUE}
+	{ will require compiler define when/if other Apple devices with ARM cpus ship }
+	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elsec}
+	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ is defined.}
+{$endc}
+
+{$ifc defined __LP64__ and __LP64__ }
+  {$setc TARGET_CPU_64 := TRUE}
+{$elsec}
+  {$setc TARGET_CPU_64 := FALSE}
+{$endc}
+
+{$ifc defined FPC_BIG_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
+{$elifc defined FPC_LITTLE_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
+{$elsec}
+	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
+{$endc}
+{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
+{$setc CALL_NOT_IN_CARBON := FALSE}
+{$setc OLDROUTINENAMES := FALSE}
+{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
+{$setc OPAQUE_UPP_TYPES := TRUE}
+{$setc OTCARBONAPPLICATION := TRUE}
+{$setc OTKERNEL := FALSE}
+{$setc PM_USE_SESSION_APIS := TRUE}
+{$setc TARGET_API_MAC_CARBON := TRUE}
+{$setc TARGET_API_MAC_OS8 := FALSE}
+{$setc TARGET_API_MAC_OSX := TRUE}
+{$setc TARGET_CARBON := TRUE}
+{$setc TARGET_CPU_68K := FALSE}
+{$setc TARGET_CPU_MIPS := FALSE}
+{$setc TARGET_CPU_SPARC := FALSE}
+{$setc TARGET_OS_UNIX := FALSE}
+{$setc TARGET_OS_WIN32 := FALSE}
+{$setc TARGET_RT_MAC_68881 := FALSE}
+{$setc TARGET_RT_MAC_CFM := FALSE}
+{$setc TARGET_RT_MAC_MACHO := TRUE}
+{$setc TYPED_FUNCTION_POINTERS := TRUE}
+{$setc TYPE_BOOL := FALSE}
+{$setc TYPE_EXTENDED := FALSE}
+{$setc TYPE_LONGLONG := TRUE}
+uses MacTypes;
+{$endc} {not MACOSALLINCLUDE}
+
+
+{$ifc TARGET_OS_MAC}
+
+{$packrecords c}
+
+
+{
+ * NOTE: To translate CSSM error codes into something vaguely
+ * human-readable, use the cssmPerror function in cssmapple.h.
+ * This function will also decode other Security layer errors
+ * (i.e. those with names like kSec...).
+ }
+
+
+{ Common error codes. }
+const
+	CSSM_BASE_ERROR = $80010000; { -0x7FFF0000 }
+
+const
+	CSSM_ERRORCODE_MODULE_EXTENT = $00000800;
+	CSSM_ERRORCODE_CUSTOM_OFFSET = $00000400;
+	CSSM_ERRORCODE_COMMON_EXTENT = $100;
+
+{ Macros for convertible error code manipulation. }
+{
+#define CSSM_ERRCODE(CODE) \
+	(((CODE) - CSSM_BASE_ERROR) & (CSSM_ERRORCODE_MODULE_EXTENT - 1)) 
+
+#define CSSM_ERRBASE(CODE) \
+	((((CODE) - CSSM_BASE_ERROR) & ~(CSSM_ERRORCODE_MODULE_EXTENT - 1)) + CSSM_BASE_ERROR) 
+
+#define CSSM_ERR_IS_CONVERTIBLE(CODE) \
+	(CSSM_ERRCODE(CODE) < CSSM_ERRORCODE_COMMON_EXTENT)
+
+#define CSSM_ERR_TAG(CODE, BASE) \
+	(CSSM_ERRCODE(CODE) + (BASE))
+}
+
+
+function CSSM_ERRCODE(arg: UInt32): UInt32; inline;
+function CSSM_ERRBASE(arg: UInt32): UInt32; inline;
+function CSSM_ERR_IS_CONVERTIBLE(arg: UInt32): Boolean; inline;
+function CSSM_ERR_TAG(code, base: UInt32): UInt32; inline;
+
+
+{ Error Bases for different module types. }
+const
+	CSSM_CSSM_BASE_ERROR = CSSM_BASE_ERROR;
+	CSSM_CSSM_PRIVATE_ERROR = CSSM_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET;
+	CSSM_CSP_BASE_ERROR = CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT;
+	CSSM_CSP_PRIVATE_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET;
+	CSSM_DL_BASE_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT;
+	CSSM_DL_PRIVATE_ERROR = CSSM_DL_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET;
+	CSSM_CL_BASE_ERROR = CSSM_DL_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT;
+	CSSM_CL_PRIVATE_ERROR = CSSM_CL_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET;
+	CSSM_TP_BASE_ERROR = CSSM_CL_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT;
+	CSSM_TP_PRIVATE_ERROR = CSSM_TP_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET;
+	CSSM_KR_BASE_ERROR = CSSM_TP_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT;
+	CSSM_KR_PRIVATE_ERROR = CSSM_KR_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET;
+	CSSM_AC_BASE_ERROR = CSSM_KR_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT;
+	CSSM_AC_PRIVATE_ERROR = CSSM_AC_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET;
+
+{ XXX @@@ MDS Error Bases same as DL for now. }
+const
+	CSSM_MDS_BASE_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRORCODE_MODULE_EXTENT;
+	CSSM_MDS_PRIVATE_ERROR = CSSM_MDS_BASE_ERROR + CSSM_ERRORCODE_CUSTOM_OFFSET;
+
+{ General Error Values. }
+const
+	CSSMERR_CSSM_INVALID_ADDIN_HANDLE = CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 1;
+	CSSMERR_CSSM_NOT_INITIALIZED = CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 2;
+	CSSMERR_CSSM_INVALID_HANDLE_USAGE = CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 3;
+	CSSMERR_CSSM_PVC_REFERENT_NOT_FOUND = CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 4;
+	CSSMERR_CSSM_FUNCTION_INTEGRITY_FAIL = CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 5;
+
+{ Common Error Codes For All Module Types. }
+const
+	CSSM_ERRCODE_INTERNAL_ERROR = $0001;
+	CSSM_ERRCODE_MEMORY_ERROR = $0002;
+	CSSM_ERRCODE_MDS_ERROR = $0003;
+	CSSM_ERRCODE_INVALID_POINTER = $0004;
+	CSSM_ERRCODE_INVALID_INPUT_POINTER = $0005;
+	CSSM_ERRCODE_INVALID_OUTPUT_POINTER = $0006;
+	CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED = $0007;
+	CSSM_ERRCODE_SELF_CHECK_FAILED = $0008;
+	CSSM_ERRCODE_OS_ACCESS_DENIED = $0009;
+	CSSM_ERRCODE_FUNCTION_FAILED = $000A;
+	CSSM_ERRCODE_MODULE_MANIFEST_VERIFY_FAILED = $000B;
+	CSSM_ERRCODE_INVALID_GUID = $000C;
+
+{ Common Error Codes for ACLs }
+const
+	CSSM_ERRCODE_OPERATION_AUTH_DENIED = $0020;
+	CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED = $0021;
+	CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED = $0022;
+	CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED = $0023;
+	CSSM_ERRCODE_OBJECT_ACL_REQUIRED = $0024;
+	CSSM_ERRCODE_INVALID_ACCESS_CREDENTIALS = $0025;
+	CSSM_ERRCODE_INVALID_ACL_BASE_CERTS = $0026;
+	CSSM_ERRCODE_ACL_BASE_CERTS_NOT_SUPPORTED = $0027;
+	CSSM_ERRCODE_INVALID_SAMPLE_VALUE = $0028;
+	CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED = $0029;
+	CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE = $002A;
+	CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED = $002B;
+	CSSM_ERRCODE_INVALID_ACL_CHALLENGE_CALLBACK = $002C;
+	CSSM_ERRCODE_ACL_CHALLENGE_CALLBACK_FAILED = $002D;
+	CSSM_ERRCODE_INVALID_ACL_ENTRY_TAG = $002E;
+	CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND = $002F;
+	CSSM_ERRCODE_INVALID_ACL_EDIT_MODE = $0030;
+	CSSM_ERRCODE_ACL_CHANGE_FAILED = $0031;
+	CSSM_ERRCODE_INVALID_NEW_ACL_ENTRY = $0032;
+	CSSM_ERRCODE_INVALID_NEW_ACL_OWNER = $0033;
+	CSSM_ERRCODE_ACL_DELETE_FAILED = $0034;
+	CSSM_ERRCODE_ACL_REPLACE_FAILED = $0035;
+	CSSM_ERRCODE_ACL_ADD_FAILED = $0036;
+
+{ Common Error Codes for Specific Data Types }
+const
+	CSSM_ERRCODE_INVALID_CONTEXT_HANDLE = $0040;
+	CSSM_ERRCODE_INCOMPATIBLE_VERSION = $0041;
+	CSSM_ERRCODE_INVALID_CERTGROUP_POINTER = $0042;
+	CSSM_ERRCODE_INVALID_CERT_POINTER = $0043;
+	CSSM_ERRCODE_INVALID_CRL_POINTER = $0044;
+	CSSM_ERRCODE_INVALID_FIELD_POINTER = $0045;
+	CSSM_ERRCODE_INVALID_DATA = $0046;
+	CSSM_ERRCODE_CRL_ALREADY_SIGNED = $0047;
+	CSSM_ERRCODE_INVALID_NUMBER_OF_FIELDS = $0048;
+	CSSM_ERRCODE_VERIFICATION_FAILURE = $0049;
+	CSSM_ERRCODE_INVALID_DB_HANDLE = $004A;
+	CSSM_ERRCODE_PRIVILEGE_NOT_GRANTED = $004B;
+	CSSM_ERRCODE_INVALID_DB_LIST = $004C;
+	CSSM_ERRCODE_INVALID_DB_LIST_POINTER = $004D;
+	CSSM_ERRCODE_UNKNOWN_FORMAT = $004E;
+	CSSM_ERRCODE_UNKNOWN_TAG = $004F;
+	CSSM_ERRCODE_INVALID_CSP_HANDLE = $0050;
+	CSSM_ERRCODE_INVALID_DL_HANDLE = $0051;
+	CSSM_ERRCODE_INVALID_CL_HANDLE = $0052;
+	CSSM_ERRCODE_INVALID_TP_HANDLE = $0053;
+	CSSM_ERRCODE_INVALID_KR_HANDLE = $0054;
+	CSSM_ERRCODE_INVALID_AC_HANDLE = $0055;
+	CSSM_ERRCODE_INVALID_PASSTHROUGH_ID = $0056;
+	CSSM_ERRCODE_INVALID_NETWORK_ADDR = $0057;
+	CSSM_ERRCODE_INVALID_CRYPTO_DATA = $0058;
+
+{ CSSM Error Values Derived from Common Error Codes For All Module Types. }
+const
+	CSSMERR_CSSM_INTERNAL_ERROR = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR;
+	CSSMERR_CSSM_MEMORY_ERROR = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR;
+	CSSMERR_CSSM_MDS_ERROR = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR;
+	CSSMERR_CSSM_INVALID_POINTER = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER;
+	CSSMERR_CSSM_INVALID_INPUT_POINTER = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER;
+	CSSMERR_CSSM_INVALID_OUTPUT_POINTER = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER;
+	CSSMERR_CSSM_FUNCTION_NOT_IMPLEMENTED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED;
+	CSSMERR_CSSM_SELF_CHECK_FAILED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED;
+	CSSMERR_CSSM_OS_ACCESS_DENIED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED;
+	CSSMERR_CSSM_FUNCTION_FAILED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED;
+	CSSMERR_CSSM_MODULE_MANIFEST_VERIFY_FAILED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_MODULE_MANIFEST_VERIFY_FAILED;
+	CSSMERR_CSSM_INVALID_GUID = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_GUID;
+
+{ CSSM Error Values for Specific Data Types. }
+const
+	CSSMERR_CSSM_INVALID_CONTEXT_HANDLE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE;
+	CSSMERR_CSSM_INCOMPATIBLE_VERSION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INCOMPATIBLE_VERSION;
+	CSSMERR_CSSM_PRIVILEGE_NOT_GRANTED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_PRIVILEGE_NOT_GRANTED;
+
+{ CSSM Module-Specific Error Values }
+const
+	CSSM_CSSM_BASE_CSSM_ERROR = CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + $10;
+	CSSMERR_CSSM_SCOPE_NOT_SUPPORTED = CSSM_CSSM_BASE_CSSM_ERROR + 1;
+	CSSMERR_CSSM_PVC_ALREADY_CONFIGURED = CSSM_CSSM_BASE_CSSM_ERROR + 2;
+	CSSMERR_CSSM_INVALID_PVC = CSSM_CSSM_BASE_CSSM_ERROR + 3;
+	CSSMERR_CSSM_EMM_LOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 4;
+	CSSMERR_CSSM_EMM_UNLOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 5;
+	CSSMERR_CSSM_ADDIN_LOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 6;
+	CSSMERR_CSSM_INVALID_KEY_HIERARCHY = CSSM_CSSM_BASE_CSSM_ERROR + 7;
+	CSSMERR_CSSM_ADDIN_UNLOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 8;
+	CSSMERR_CSSM_LIB_REF_NOT_FOUND = CSSM_CSSM_BASE_CSSM_ERROR + 9;
+	CSSMERR_CSSM_INVALID_ADDIN_FUNCTION_TABLE = CSSM_CSSM_BASE_CSSM_ERROR + 10;
+	CSSMERR_CSSM_EMM_AUTHENTICATE_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 11;
+	CSSMERR_CSSM_ADDIN_AUTHENTICATE_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 12;
+	CSSMERR_CSSM_INVALID_SERVICE_MASK = CSSM_CSSM_BASE_CSSM_ERROR + 13;
+	CSSMERR_CSSM_MODULE_NOT_LOADED = CSSM_CSSM_BASE_CSSM_ERROR + 14;
+	CSSMERR_CSSM_INVALID_SUBSERVICEID = CSSM_CSSM_BASE_CSSM_ERROR + 15;
+	CSSMERR_CSSM_BUFFER_TOO_SMALL = CSSM_CSSM_BASE_CSSM_ERROR + 16;
+	CSSMERR_CSSM_INVALID_ATTRIBUTE = CSSM_CSSM_BASE_CSSM_ERROR + 17;
+	CSSMERR_CSSM_ATTRIBUTE_NOT_IN_CONTEXT = CSSM_CSSM_BASE_CSSM_ERROR + 18;
+	CSSMERR_CSSM_MODULE_MANAGER_INITIALIZE_FAIL = CSSM_CSSM_BASE_CSSM_ERROR + 19;
+	CSSMERR_CSSM_MODULE_MANAGER_NOT_FOUND = CSSM_CSSM_BASE_CSSM_ERROR + 20;
+	CSSMERR_CSSM_EVENT_NOTIFICATION_CALLBACK_NOT_FOUND = CSSM_CSSM_BASE_CSSM_ERROR + 21;
+
+{ CSP Error Values Derived from Common Error Codes For All Module Types. }
+const
+	CSSMERR_CSP_INTERNAL_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR;
+	CSSMERR_CSP_MEMORY_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR;
+	CSSMERR_CSP_MDS_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR;
+	CSSMERR_CSP_INVALID_POINTER = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER;
+	CSSMERR_CSP_INVALID_INPUT_POINTER = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER;
+	CSSMERR_CSP_INVALID_OUTPUT_POINTER = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER;
+	CSSMERR_CSP_FUNCTION_NOT_IMPLEMENTED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED;
+	CSSMERR_CSP_SELF_CHECK_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED;
+	CSSMERR_CSP_OS_ACCESS_DENIED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED;
+	CSSMERR_CSP_FUNCTION_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED;
+
+{ CSP Error Values Derived from ACL-based Error Codes. }
+const
+	CSSMERR_CSP_OPERATION_AUTH_DENIED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OPERATION_AUTH_DENIED;
+	CSSMERR_CSP_OBJECT_USE_AUTH_DENIED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED;
+	CSSMERR_CSP_OBJECT_MANIP_AUTH_DENIED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED;
+	CSSMERR_CSP_OBJECT_ACL_NOT_SUPPORTED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED;
+	CSSMERR_CSP_OBJECT_ACL_REQUIRED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_REQUIRED;
+	CSSMERR_CSP_INVALID_ACCESS_CREDENTIALS = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACCESS_CREDENTIALS;
+	CSSMERR_CSP_INVALID_ACL_BASE_CERTS = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_BASE_CERTS;
+	CSSMERR_CSP_ACL_BASE_CERTS_NOT_SUPPORTED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_BASE_CERTS_NOT_SUPPORTED;
+	CSSMERR_CSP_INVALID_SAMPLE_VALUE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_SAMPLE_VALUE;
+	CSSMERR_CSP_SAMPLE_VALUE_NOT_SUPPORTED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED;
+	CSSMERR_CSP_INVALID_ACL_SUBJECT_VALUE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE;
+	CSSMERR_CSP_ACL_SUBJECT_TYPE_NOT_SUPPORTED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED;
+	CSSMERR_CSP_INVALID_ACL_CHALLENGE_CALLBACK = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_CHALLENGE_CALLBACK;
+	CSSMERR_CSP_ACL_CHALLENGE_CALLBACK_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_CHALLENGE_CALLBACK_FAILED;
+	CSSMERR_CSP_INVALID_ACL_ENTRY_TAG = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_ENTRY_TAG;
+	CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND;
+	CSSMERR_CSP_INVALID_ACL_EDIT_MODE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_EDIT_MODE;
+	CSSMERR_CSP_ACL_CHANGE_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_CHANGE_FAILED;
+	CSSMERR_CSP_INVALID_NEW_ACL_ENTRY = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_ENTRY;
+	CSSMERR_CSP_INVALID_NEW_ACL_OWNER = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_OWNER;
+	CSSMERR_CSP_ACL_DELETE_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_DELETE_FAILED;
+	CSSMERR_CSP_ACL_REPLACE_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_REPLACE_FAILED;
+	CSSMERR_CSP_ACL_ADD_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_ADD_FAILED;
+
+{ CSP Error Values for Specific Data Types. }
+const
+	CSSMERR_CSP_INVALID_CONTEXT_HANDLE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE;
+	CSSMERR_CSP_PRIVILEGE_NOT_GRANTED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_PRIVILEGE_NOT_GRANTED;
+	CSSMERR_CSP_INVALID_DATA = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA;
+	CSSMERR_CSP_INVALID_PASSTHROUGH_ID = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID;
+	CSSMERR_CSP_INVALID_CRYPTO_DATA = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_CRYPTO_DATA;
+
+{ CSP Module-Specific Error Values }
+const
+{ General CSP Error Values }
+	CSSM_CSP_BASE_CSP_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT;
+	CSSMERR_CSP_INPUT_LENGTH_ERROR = CSSM_CSP_BASE_CSP_ERROR + 1;
+	CSSMERR_CSP_OUTPUT_LENGTH_ERROR = CSSM_CSP_BASE_CSP_ERROR + 2;
+	CSSMERR_CSP_PRIVILEGE_NOT_SUPPORTED = CSSM_CSP_BASE_CSP_ERROR + 3;
+	CSSMERR_CSP_DEVICE_ERROR = CSSM_CSP_BASE_CSP_ERROR + 4;
+	CSSMERR_CSP_DEVICE_MEMORY_ERROR = CSSM_CSP_BASE_CSP_ERROR + 5;
+	CSSMERR_CSP_ATTACH_HANDLE_BUSY = CSSM_CSP_BASE_CSP_ERROR + 6;
+	CSSMERR_CSP_NOT_LOGGED_IN = CSSM_CSP_BASE_CSP_ERROR + 7;
+	CSSMERR_CSP_INVALID_KEY = CSSM_CSP_BASE_CSP_ERROR + 16;
+	CSSMERR_CSP_INVALID_KEY_REFERENCE = CSSM_CSP_BASE_CSP_ERROR + 17;
+	CSSMERR_CSP_INVALID_KEY_CLASS = CSSM_CSP_BASE_CSP_ERROR + 18;
+	CSSMERR_CSP_ALGID_MISMATCH = CSSM_CSP_BASE_CSP_ERROR + 19;
+	CSSMERR_CSP_KEY_USAGE_INCORRECT = CSSM_CSP_BASE_CSP_ERROR + 20;
+	CSSMERR_CSP_KEY_BLOB_TYPE_INCORRECT = CSSM_CSP_BASE_CSP_ERROR + 21;
+	CSSMERR_CSP_KEY_HEADER_INCONSISTENT = CSSM_CSP_BASE_CSP_ERROR + 22;
+	CSSMERR_CSP_UNSUPPORTED_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 23;
+	CSSMERR_CSP_UNSUPPORTED_KEY_SIZE = CSSM_CSP_BASE_CSP_ERROR + 24;
+	CSSMERR_CSP_INVALID_KEY_POINTER = CSSM_CSP_BASE_CSP_ERROR + 25;
+	CSSMERR_CSP_INVALID_KEYUSAGE_MASK = CSSM_CSP_BASE_CSP_ERROR + 26;
+	CSSMERR_CSP_UNSUPPORTED_KEYUSAGE_MASK = CSSM_CSP_BASE_CSP_ERROR + 27;
+	CSSMERR_CSP_INVALID_KEYATTR_MASK = CSSM_CSP_BASE_CSP_ERROR + 28;
+	CSSMERR_CSP_UNSUPPORTED_KEYATTR_MASK = CSSM_CSP_BASE_CSP_ERROR + 29;
+	CSSMERR_CSP_INVALID_KEY_LABEL = CSSM_CSP_BASE_CSP_ERROR + 30;
+	CSSMERR_CSP_UNSUPPORTED_KEY_LABEL = CSSM_CSP_BASE_CSP_ERROR + 31;
+	CSSMERR_CSP_INVALID_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 32;
+
+	{ CSP Vector of Buffers Error Values. }
+	CSSMERR_CSP_INVALID_DATA_COUNT = CSSM_CSP_BASE_CSP_ERROR + 40;
+	CSSMERR_CSP_VECTOR_OF_BUFS_UNSUPPORTED = CSSM_CSP_BASE_CSP_ERROR + 41;
+	CSSMERR_CSP_INVALID_INPUT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 42;
+	CSSMERR_CSP_INVALID_OUTPUT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 43;
+
+	{ CSP Cryptographic Context Error Values. }
+	CSSMERR_CSP_INVALID_CONTEXT = CSSM_CSP_BASE_CSP_ERROR + 48;
+	CSSMERR_CSP_INVALID_ALGORITHM = CSSM_CSP_BASE_CSP_ERROR + 49;
+	CSSMERR_CSP_INVALID_ATTR_KEY = CSSM_CSP_BASE_CSP_ERROR + 54;
+	CSSMERR_CSP_MISSING_ATTR_KEY = CSSM_CSP_BASE_CSP_ERROR + 55;
+	CSSMERR_CSP_INVALID_ATTR_INIT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 56;
+	CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 57;
+	CSSMERR_CSP_INVALID_ATTR_SALT = CSSM_CSP_BASE_CSP_ERROR + 58;
+	CSSMERR_CSP_MISSING_ATTR_SALT = CSSM_CSP_BASE_CSP_ERROR + 59;
+	CSSMERR_CSP_INVALID_ATTR_PADDING = CSSM_CSP_BASE_CSP_ERROR + 60;
+	CSSMERR_CSP_MISSING_ATTR_PADDING = CSSM_CSP_BASE_CSP_ERROR + 61;
+	CSSMERR_CSP_INVALID_ATTR_RANDOM = CSSM_CSP_BASE_CSP_ERROR + 62;
+	CSSMERR_CSP_MISSING_ATTR_RANDOM = CSSM_CSP_BASE_CSP_ERROR + 63;
+	CSSMERR_CSP_INVALID_ATTR_SEED = CSSM_CSP_BASE_CSP_ERROR + 64;
+	CSSMERR_CSP_MISSING_ATTR_SEED = CSSM_CSP_BASE_CSP_ERROR + 65;
+	CSSMERR_CSP_INVALID_ATTR_PASSPHRASE = CSSM_CSP_BASE_CSP_ERROR + 66;
+	CSSMERR_CSP_MISSING_ATTR_PASSPHRASE = CSSM_CSP_BASE_CSP_ERROR + 67;
+	CSSMERR_CSP_INVALID_ATTR_KEY_LENGTH = CSSM_CSP_BASE_CSP_ERROR + 68;
+	CSSMERR_CSP_MISSING_ATTR_KEY_LENGTH = CSSM_CSP_BASE_CSP_ERROR + 69;
+	CSSMERR_CSP_INVALID_ATTR_BLOCK_SIZE = CSSM_CSP_BASE_CSP_ERROR + 70;
+	CSSMERR_CSP_MISSING_ATTR_BLOCK_SIZE = CSSM_CSP_BASE_CSP_ERROR + 71;
+	CSSMERR_CSP_INVALID_ATTR_OUTPUT_SIZE = CSSM_CSP_BASE_CSP_ERROR + 100;
+	CSSMERR_CSP_MISSING_ATTR_OUTPUT_SIZE = CSSM_CSP_BASE_CSP_ERROR + 101;
+	CSSMERR_CSP_INVALID_ATTR_ROUNDS = CSSM_CSP_BASE_CSP_ERROR + 102;
+	CSSMERR_CSP_MISSING_ATTR_ROUNDS = CSSM_CSP_BASE_CSP_ERROR + 103;
+	CSSMERR_CSP_INVALID_ATTR_ALG_PARAMS = CSSM_CSP_BASE_CSP_ERROR + 104;
+	CSSMERR_CSP_MISSING_ATTR_ALG_PARAMS = CSSM_CSP_BASE_CSP_ERROR + 105;
+	CSSMERR_CSP_INVALID_ATTR_LABEL = CSSM_CSP_BASE_CSP_ERROR + 106;
+	CSSMERR_CSP_MISSING_ATTR_LABEL = CSSM_CSP_BASE_CSP_ERROR + 107;
+	CSSMERR_CSP_INVALID_ATTR_KEY_TYPE = CSSM_CSP_BASE_CSP_ERROR + 108;
+	CSSMERR_CSP_MISSING_ATTR_KEY_TYPE = CSSM_CSP_BASE_CSP_ERROR + 109;
+	CSSMERR_CSP_INVALID_ATTR_MODE = CSSM_CSP_BASE_CSP_ERROR + 110;
+	CSSMERR_CSP_MISSING_ATTR_MODE = CSSM_CSP_BASE_CSP_ERROR + 111;
+	CSSMERR_CSP_INVALID_ATTR_EFFECTIVE_BITS = CSSM_CSP_BASE_CSP_ERROR + 112;
+	CSSMERR_CSP_MISSING_ATTR_EFFECTIVE_BITS = CSSM_CSP_BASE_CSP_ERROR + 113;
+	CSSMERR_CSP_INVALID_ATTR_START_DATE = CSSM_CSP_BASE_CSP_ERROR + 114;
+	CSSMERR_CSP_MISSING_ATTR_START_DATE = CSSM_CSP_BASE_CSP_ERROR + 115;
+	CSSMERR_CSP_INVALID_ATTR_END_DATE = CSSM_CSP_BASE_CSP_ERROR + 116;
+	CSSMERR_CSP_MISSING_ATTR_END_DATE = CSSM_CSP_BASE_CSP_ERROR + 117;
+	CSSMERR_CSP_INVALID_ATTR_VERSION = CSSM_CSP_BASE_CSP_ERROR + 118;
+	CSSMERR_CSP_MISSING_ATTR_VERSION = CSSM_CSP_BASE_CSP_ERROR + 119;
+	CSSMERR_CSP_INVALID_ATTR_PRIME = CSSM_CSP_BASE_CSP_ERROR + 120;
+	CSSMERR_CSP_MISSING_ATTR_PRIME = CSSM_CSP_BASE_CSP_ERROR + 121;
+	CSSMERR_CSP_INVALID_ATTR_BASE = CSSM_CSP_BASE_CSP_ERROR + 122;
+	CSSMERR_CSP_MISSING_ATTR_BASE = CSSM_CSP_BASE_CSP_ERROR + 123;
+	CSSMERR_CSP_INVALID_ATTR_SUBPRIME = CSSM_CSP_BASE_CSP_ERROR + 124;
+	CSSMERR_CSP_MISSING_ATTR_SUBPRIME = CSSM_CSP_BASE_CSP_ERROR + 125;
+	CSSMERR_CSP_INVALID_ATTR_ITERATION_COUNT = CSSM_CSP_BASE_CSP_ERROR + 126;
+	CSSMERR_CSP_MISSING_ATTR_ITERATION_COUNT = CSSM_CSP_BASE_CSP_ERROR + 127;
+	CSSMERR_CSP_INVALID_ATTR_DL_DB_HANDLE = CSSM_CSP_BASE_CSP_ERROR + 128;
+	CSSMERR_CSP_MISSING_ATTR_DL_DB_HANDLE = CSSM_CSP_BASE_CSP_ERROR + 129;
+	CSSMERR_CSP_INVALID_ATTR_ACCESS_CREDENTIALS = CSSM_CSP_BASE_CSP_ERROR + 130;
+	CSSMERR_CSP_MISSING_ATTR_ACCESS_CREDENTIALS = CSSM_CSP_BASE_CSP_ERROR + 131;
+	CSSMERR_CSP_INVALID_ATTR_PUBLIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 132;
+	CSSMERR_CSP_MISSING_ATTR_PUBLIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 133;
+	CSSMERR_CSP_INVALID_ATTR_PRIVATE_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 134;
+	CSSMERR_CSP_MISSING_ATTR_PRIVATE_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 135;
+	CSSMERR_CSP_INVALID_ATTR_SYMMETRIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 136;
+	CSSMERR_CSP_MISSING_ATTR_SYMMETRIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 137;
+	CSSMERR_CSP_INVALID_ATTR_WRAPPED_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 138;
+	CSSMERR_CSP_MISSING_ATTR_WRAPPED_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 139;
+
+	{ CSP Staged Cryptographic API Error Values. }
+	CSSMERR_CSP_STAGED_OPERATION_IN_PROGRESS = CSSM_CSP_BASE_CSP_ERROR + 72;
+	CSSMERR_CSP_STAGED_OPERATION_NOT_STARTED = CSSM_CSP_BASE_CSP_ERROR + 73;
+	CSSMERR_CSP_VERIFY_FAILED = CSSM_CSP_BASE_CSP_ERROR + 74;
+	CSSMERR_CSP_INVALID_SIGNATURE = CSSM_CSP_BASE_CSP_ERROR + 75;
+	CSSMERR_CSP_QUERY_SIZE_UNKNOWN = CSSM_CSP_BASE_CSP_ERROR + 76;
+	CSSMERR_CSP_BLOCK_SIZE_MISMATCH = CSSM_CSP_BASE_CSP_ERROR + 77;
+	CSSMERR_CSP_PRIVATE_KEY_NOT_FOUND = CSSM_CSP_BASE_CSP_ERROR + 78;
+	CSSMERR_CSP_PUBLIC_KEY_INCONSISTENT = CSSM_CSP_BASE_CSP_ERROR + 79;
+	CSSMERR_CSP_DEVICE_VERIFY_FAILED = CSSM_CSP_BASE_CSP_ERROR + 80;
+	CSSMERR_CSP_INVALID_LOGIN_NAME = CSSM_CSP_BASE_CSP_ERROR + 81;
+	CSSMERR_CSP_ALREADY_LOGGED_IN = CSSM_CSP_BASE_CSP_ERROR + 82;
+	CSSMERR_CSP_PRIVATE_KEY_ALREADY_EXISTS = CSSM_CSP_BASE_CSP_ERROR + 83;
+	CSSMERR_CSP_KEY_LABEL_ALREADY_EXISTS = CSSM_CSP_BASE_CSP_ERROR + 84;
+	CSSMERR_CSP_INVALID_DIGEST_ALGORITHM = CSSM_CSP_BASE_CSP_ERROR + 85;
+	CSSMERR_CSP_CRYPTO_DATA_CALLBACK_FAILED = CSSM_CSP_BASE_CSP_ERROR + 86;
+
+
+{ TP Error Values Derived from Common Error Codes For All Module Types. }
+const
+	CSSMERR_TP_INTERNAL_ERROR = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR;
+	CSSMERR_TP_MEMORY_ERROR = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR;
+	CSSMERR_TP_MDS_ERROR = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR;
+	CSSMERR_TP_INVALID_POINTER = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER;
+	CSSMERR_TP_INVALID_INPUT_POINTER = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER;
+	CSSMERR_TP_INVALID_OUTPUT_POINTER = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER;
+	CSSMERR_TP_FUNCTION_NOT_IMPLEMENTED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED;
+	CSSMERR_TP_SELF_CHECK_FAILED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED;
+	CSSMERR_TP_OS_ACCESS_DENIED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED;
+	CSSMERR_TP_FUNCTION_FAILED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED;
+	CSSMERR_TP_INVALID_CONTEXT_HANDLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE;
+	CSSMERR_TP_INVALID_DATA = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA;
+	CSSMERR_TP_INVALID_DB_LIST = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST;
+	CSSMERR_TP_INVALID_CERTGROUP_POINTER = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CERTGROUP_POINTER;
+	CSSMERR_TP_INVALID_CERT_POINTER = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CERT_POINTER;
+	CSSMERR_TP_INVALID_CRL_POINTER = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CRL_POINTER;
+	CSSMERR_TP_INVALID_FIELD_POINTER = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_FIELD_POINTER;
+	CSSMERR_TP_INVALID_NETWORK_ADDR = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_NETWORK_ADDR;
+	CSSMERR_TP_CRL_ALREADY_SIGNED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_CRL_ALREADY_SIGNED;
+	CSSMERR_TP_INVALID_NUMBER_OF_FIELDS = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_NUMBER_OF_FIELDS;
+	CSSMERR_TP_VERIFICATION_FAILURE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_VERIFICATION_FAILURE;
+	CSSMERR_TP_INVALID_DB_HANDLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_HANDLE;
+	CSSMERR_TP_UNKNOWN_FORMAT = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_FORMAT;
+	CSSMERR_TP_UNKNOWN_TAG = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_TAG;
+	CSSMERR_TP_INVALID_PASSTHROUGH_ID = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID;
+	CSSMERR_TP_INVALID_CSP_HANDLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CSP_HANDLE;
+	CSSMERR_TP_INVALID_DL_HANDLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DL_HANDLE;
+	CSSMERR_TP_INVALID_CL_HANDLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CL_HANDLE;
+	CSSMERR_TP_INVALID_DB_LIST_POINTER = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST_POINTER;
+
+{ TP Module-Specific Error Values }
+const
+	CSSM_TP_BASE_TP_ERROR = CSSM_TP_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT;
+	CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER = CSSM_TP_BASE_TP_ERROR + 1;
+	CSSMERR_TP_INVALID_IDENTIFIER_POINTER = CSSM_TP_BASE_TP_ERROR + 2;
+	CSSMERR_TP_INVALID_KEYCACHE_HANDLE = CSSM_TP_BASE_TP_ERROR + 3;
+	CSSMERR_TP_INVALID_CERTGROUP = CSSM_TP_BASE_TP_ERROR + 4;
+	CSSMERR_TP_INVALID_CRLGROUP = CSSM_TP_BASE_TP_ERROR + 5;
+	CSSMERR_TP_INVALID_CRLGROUP_POINTER = CSSM_TP_BASE_TP_ERROR + 6;
+	CSSMERR_TP_AUTHENTICATION_FAILED = CSSM_TP_BASE_TP_ERROR + 7;
+	CSSMERR_TP_CERTGROUP_INCOMPLETE = CSSM_TP_BASE_TP_ERROR + 8;
+	CSSMERR_TP_CERTIFICATE_CANT_OPERATE = CSSM_TP_BASE_TP_ERROR + 9;
+	CSSMERR_TP_CERT_EXPIRED = CSSM_TP_BASE_TP_ERROR + 10;
+	CSSMERR_TP_CERT_NOT_VALID_YET = CSSM_TP_BASE_TP_ERROR + 11;
+	CSSMERR_TP_CERT_REVOKED = CSSM_TP_BASE_TP_ERROR + 12;
+	CSSMERR_TP_CERT_SUSPENDED = CSSM_TP_BASE_TP_ERROR + 13;
+	CSSMERR_TP_INSUFFICIENT_CREDENTIALS = CSSM_TP_BASE_TP_ERROR + 14;
+	CSSMERR_TP_INVALID_ACTION = CSSM_TP_BASE_TP_ERROR + 15;
+	CSSMERR_TP_INVALID_ACTION_DATA = CSSM_TP_BASE_TP_ERROR + 16;
+	CSSMERR_TP_INVALID_ANCHOR_CERT = CSSM_TP_BASE_TP_ERROR + 18;
+	CSSMERR_TP_INVALID_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 19;
+	CSSMERR_TP_VERIFY_ACTION_FAILED = CSSM_TP_BASE_TP_ERROR + 20;
+	CSSMERR_TP_INVALID_CERTIFICATE = CSSM_TP_BASE_TP_ERROR + 21;
+	CSSMERR_TP_INVALID_CERT_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 22;
+	CSSMERR_TP_INVALID_CRL_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 23;
+	CSSMERR_TP_INVALID_CRL_ENCODING = CSSM_TP_BASE_TP_ERROR + 24;
+	CSSMERR_TP_INVALID_CRL_TYPE = CSSM_TP_BASE_TP_ERROR + 25;
+	CSSMERR_TP_INVALID_CRL = CSSM_TP_BASE_TP_ERROR + 26;
+	CSSMERR_TP_INVALID_FORM_TYPE = CSSM_TP_BASE_TP_ERROR + 27;
+	CSSMERR_TP_INVALID_ID = CSSM_TP_BASE_TP_ERROR + 28;
+	CSSMERR_TP_INVALID_IDENTIFIER = CSSM_TP_BASE_TP_ERROR + 29;
+	CSSMERR_TP_INVALID_INDEX = CSSM_TP_BASE_TP_ERROR + 30;
+	CSSMERR_TP_INVALID_NAME = CSSM_TP_BASE_TP_ERROR + 31;
+	CSSMERR_TP_INVALID_POLICY_IDENTIFIERS = CSSM_TP_BASE_TP_ERROR + 32;
+	CSSMERR_TP_INVALID_TIMESTRING = CSSM_TP_BASE_TP_ERROR + 33;
+	CSSMERR_TP_INVALID_REASON = CSSM_TP_BASE_TP_ERROR + 34;
+	CSSMERR_TP_INVALID_REQUEST_INPUTS = CSSM_TP_BASE_TP_ERROR + 35;
+	CSSMERR_TP_INVALID_RESPONSE_VECTOR = CSSM_TP_BASE_TP_ERROR + 36;
+	CSSMERR_TP_INVALID_SIGNATURE = CSSM_TP_BASE_TP_ERROR + 37;
+	CSSMERR_TP_INVALID_STOP_ON_POLICY = CSSM_TP_BASE_TP_ERROR + 38;
+	CSSMERR_TP_INVALID_CALLBACK = CSSM_TP_BASE_TP_ERROR + 39;
+	CSSMERR_TP_INVALID_TUPLE = CSSM_TP_BASE_TP_ERROR + 40;
+	CSSMERR_TP_NOT_SIGNER = CSSM_TP_BASE_TP_ERROR + 41;
+	CSSMERR_TP_NOT_TRUSTED = CSSM_TP_BASE_TP_ERROR + 42;
+	CSSMERR_TP_NO_DEFAULT_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 43;
+	CSSMERR_TP_REJECTED_FORM = CSSM_TP_BASE_TP_ERROR + 44;
+	CSSMERR_TP_REQUEST_LOST = CSSM_TP_BASE_TP_ERROR + 45;
+	CSSMERR_TP_REQUEST_REJECTED = CSSM_TP_BASE_TP_ERROR + 46;
+	CSSMERR_TP_UNSUPPORTED_ADDR_TYPE = CSSM_TP_BASE_TP_ERROR + 47;
+	CSSMERR_TP_UNSUPPORTED_SERVICE = CSSM_TP_BASE_TP_ERROR + 48;
+	CSSMERR_TP_INVALID_TUPLEGROUP_POINTER = CSSM_TP_BASE_TP_ERROR + 49;
+	CSSMERR_TP_INVALID_TUPLEGROUP = CSSM_TP_BASE_TP_ERROR + 50;
+
+{ AC Error Values Derived from Common Error Codes For All Module Types. }
+const
+	CSSMERR_AC_INTERNAL_ERROR = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR;
+	CSSMERR_AC_MEMORY_ERROR = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR;
+	CSSMERR_AC_MDS_ERROR = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR;
+	CSSMERR_AC_INVALID_POINTER = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER;
+	CSSMERR_AC_INVALID_INPUT_POINTER = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER;
+	CSSMERR_AC_INVALID_OUTPUT_POINTER = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER;
+	CSSMERR_AC_FUNCTION_NOT_IMPLEMENTED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED;
+	CSSMERR_AC_SELF_CHECK_FAILED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED;
+	CSSMERR_AC_OS_ACCESS_DENIED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED;
+	CSSMERR_AC_FUNCTION_FAILED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED;
+	CSSMERR_AC_INVALID_CONTEXT_HANDLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE;
+	CSSMERR_AC_INVALID_DATA = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA;
+	CSSMERR_AC_INVALID_DB_LIST = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST;
+	CSSMERR_AC_INVALID_PASSTHROUGH_ID = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID;
+	CSSMERR_AC_INVALID_DL_HANDLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DL_HANDLE;
+	CSSMERR_AC_INVALID_CL_HANDLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_CL_HANDLE;
+	CSSMERR_AC_INVALID_TP_HANDLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_TP_HANDLE;
+	CSSMERR_AC_INVALID_DB_HANDLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_HANDLE;
+	CSSMERR_AC_INVALID_DB_LIST_POINTER = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST_POINTER;
+
+{ AC Module-Specific Error Values }
+const
+	CSSM_AC_BASE_AC_ERROR = CSSM_AC_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT;
+	CSSMERR_AC_INVALID_BASE_ACLS = CSSM_AC_BASE_AC_ERROR + 1;
+	CSSMERR_AC_INVALID_TUPLE_CREDENTIALS = CSSM_AC_BASE_AC_ERROR + 2;
+	CSSMERR_AC_INVALID_ENCODING = CSSM_AC_BASE_AC_ERROR + 3;
+	CSSMERR_AC_INVALID_VALIDITY_PERIOD = CSSM_AC_BASE_AC_ERROR + 4;
+	CSSMERR_AC_INVALID_REQUESTOR = CSSM_AC_BASE_AC_ERROR + 5;
+	CSSMERR_AC_INVALID_REQUEST_DESCRIPTOR = CSSM_AC_BASE_AC_ERROR + 6;
+
+{ CL Error Values Derived from Common Error Codes For All Module Types. }
+const
+	CSSMERR_CL_INTERNAL_ERROR = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR;
+	CSSMERR_CL_MEMORY_ERROR = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR;
+	CSSMERR_CL_MDS_ERROR = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR;
+	CSSMERR_CL_INVALID_POINTER = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER;
+	CSSMERR_CL_INVALID_INPUT_POINTER = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER;
+	CSSMERR_CL_INVALID_OUTPUT_POINTER = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER;
+	CSSMERR_CL_FUNCTION_NOT_IMPLEMENTED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED;
+	CSSMERR_CL_SELF_CHECK_FAILED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED;
+	CSSMERR_CL_OS_ACCESS_DENIED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED;
+	CSSMERR_CL_FUNCTION_FAILED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED;
+	CSSMERR_CL_INVALID_CONTEXT_HANDLE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE;
+	CSSMERR_CL_INVALID_CERTGROUP_POINTER = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CERTGROUP_POINTER;
+	CSSMERR_CL_INVALID_CERT_POINTER = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CERT_POINTER;
+	CSSMERR_CL_INVALID_CRL_POINTER = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CRL_POINTER;
+	CSSMERR_CL_INVALID_FIELD_POINTER = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_FIELD_POINTER;
+	CSSMERR_CL_INVALID_DATA = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA;
+	CSSMERR_CL_CRL_ALREADY_SIGNED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_CRL_ALREADY_SIGNED;
+	CSSMERR_CL_INVALID_NUMBER_OF_FIELDS = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_NUMBER_OF_FIELDS;
+	CSSMERR_CL_VERIFICATION_FAILURE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_VERIFICATION_FAILURE;
+	CSSMERR_CL_UNKNOWN_FORMAT = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_FORMAT;
+	CSSMERR_CL_UNKNOWN_TAG = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_TAG;
+	CSSMERR_CL_INVALID_PASSTHROUGH_ID = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID;
+
+{ CL Module-Specific Error Values }
+const
+	CSSM_CL_BASE_CL_ERROR = CSSM_CL_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT;
+	CSSMERR_CL_INVALID_BUNDLE_POINTER = CSSM_CL_BASE_CL_ERROR + 1;
+	CSSMERR_CL_INVALID_CACHE_HANDLE = CSSM_CL_BASE_CL_ERROR + 2;
+	CSSMERR_CL_INVALID_RESULTS_HANDLE = CSSM_CL_BASE_CL_ERROR + 3;
+	CSSMERR_CL_INVALID_BUNDLE_INFO = CSSM_CL_BASE_CL_ERROR + 4;
+	CSSMERR_CL_INVALID_CRL_INDEX = CSSM_CL_BASE_CL_ERROR + 5;
+	CSSMERR_CL_INVALID_SCOPE = CSSM_CL_BASE_CL_ERROR + 6;
+	CSSMERR_CL_NO_FIELD_VALUES = CSSM_CL_BASE_CL_ERROR + 7;
+	CSSMERR_CL_SCOPE_NOT_SUPPORTED = CSSM_CL_BASE_CL_ERROR + 8;
+
+{ DL Error Values Derived from Common Error Codes For All Module Types. }
+const
+	CSSMERR_DL_INTERNAL_ERROR = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR;
+	CSSMERR_DL_MEMORY_ERROR = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR;
+	CSSMERR_DL_MDS_ERROR = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR;
+	CSSMERR_DL_INVALID_POINTER = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER;
+	CSSMERR_DL_INVALID_INPUT_POINTER = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER;
+	CSSMERR_DL_INVALID_OUTPUT_POINTER = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER;
+	CSSMERR_DL_FUNCTION_NOT_IMPLEMENTED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED;
+	CSSMERR_DL_SELF_CHECK_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED;
+	CSSMERR_DL_OS_ACCESS_DENIED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED;
+	CSSMERR_DL_FUNCTION_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED;
+	CSSMERR_DL_INVALID_CSP_HANDLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_CSP_HANDLE;
+	CSSMERR_DL_INVALID_DL_HANDLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_DL_HANDLE;
+	CSSMERR_DL_INVALID_CL_HANDLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_CL_HANDLE;
+	CSSMERR_DL_INVALID_DB_LIST_POINTER = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST_POINTER;
+
+{ DL Error Values Derived from ACL-based Error Codes. }
+const
+	CSSMERR_DL_OPERATION_AUTH_DENIED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OPERATION_AUTH_DENIED;
+	CSSMERR_DL_OBJECT_USE_AUTH_DENIED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED;
+	CSSMERR_DL_OBJECT_MANIP_AUTH_DENIED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED;
+	CSSMERR_DL_OBJECT_ACL_NOT_SUPPORTED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED;
+	CSSMERR_DL_OBJECT_ACL_REQUIRED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_REQUIRED;
+	CSSMERR_DL_INVALID_ACCESS_CREDENTIALS = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACCESS_CREDENTIALS;
+	CSSMERR_DL_INVALID_ACL_BASE_CERTS = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_BASE_CERTS;
+	CSSMERR_DL_ACL_BASE_CERTS_NOT_SUPPORTED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_BASE_CERTS_NOT_SUPPORTED;
+	CSSMERR_DL_INVALID_SAMPLE_VALUE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_SAMPLE_VALUE;
+	CSSMERR_DL_SAMPLE_VALUE_NOT_SUPPORTED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED;
+	CSSMERR_DL_INVALID_ACL_SUBJECT_VALUE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE;
+	CSSMERR_DL_ACL_SUBJECT_TYPE_NOT_SUPPORTED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED;
+	CSSMERR_DL_INVALID_ACL_CHALLENGE_CALLBACK = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_CHALLENGE_CALLBACK;
+	CSSMERR_DL_ACL_CHALLENGE_CALLBACK_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_CHALLENGE_CALLBACK_FAILED;
+	CSSMERR_DL_INVALID_ACL_ENTRY_TAG = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_ENTRY_TAG;
+	CSSMERR_DL_ACL_ENTRY_TAG_NOT_FOUND = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND;
+	CSSMERR_DL_INVALID_ACL_EDIT_MODE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_EDIT_MODE;
+	CSSMERR_DL_ACL_CHANGE_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_CHANGE_FAILED;
+	CSSMERR_DL_INVALID_NEW_ACL_ENTRY = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_ENTRY;
+	CSSMERR_DL_INVALID_NEW_ACL_OWNER = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_OWNER;
+	CSSMERR_DL_ACL_DELETE_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_DELETE_FAILED;
+	CSSMERR_DL_ACL_REPLACE_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_REPLACE_FAILED;
+	CSSMERR_DL_ACL_ADD_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_ADD_FAILED;
+
+{ DL Error Values for Specific Data Types. }
+const
+	CSSMERR_DL_INVALID_DB_HANDLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_HANDLE;
+	CSSMERR_DL_INVALID_PASSTHROUGH_ID = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID;
+	CSSMERR_DL_INVALID_NETWORK_ADDR = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_NETWORK_ADDR;
+
+{ DL Module-Specific Error Values }
+const
+	CSSM_DL_BASE_DL_ERROR = CSSM_DL_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT;
+	CSSMERR_DL_DATABASE_CORRUPT = CSSM_DL_BASE_DL_ERROR + 1;
+	CSSMERR_DL_INVALID_RECORD_INDEX = CSSM_DL_BASE_DL_ERROR + 8;
+	CSSMERR_DL_INVALID_RECORDTYPE = CSSM_DL_BASE_DL_ERROR + 9;
+	CSSMERR_DL_INVALID_FIELD_NAME = CSSM_DL_BASE_DL_ERROR + 10;
+	CSSMERR_DL_UNSUPPORTED_FIELD_FORMAT = CSSM_DL_BASE_DL_ERROR + 11;
+	CSSMERR_DL_UNSUPPORTED_INDEX_INFO = CSSM_DL_BASE_DL_ERROR + 12;
+	CSSMERR_DL_UNSUPPORTED_LOCALITY = CSSM_DL_BASE_DL_ERROR + 13;
+	CSSMERR_DL_UNSUPPORTED_NUM_ATTRIBUTES = CSSM_DL_BASE_DL_ERROR + 14;
+	CSSMERR_DL_UNSUPPORTED_NUM_INDEXES = CSSM_DL_BASE_DL_ERROR + 15;
+	CSSMERR_DL_UNSUPPORTED_NUM_RECORDTYPES = CSSM_DL_BASE_DL_ERROR + 16;
+	CSSMERR_DL_UNSUPPORTED_RECORDTYPE = CSSM_DL_BASE_DL_ERROR + 17;
+	CSSMERR_DL_FIELD_SPECIFIED_MULTIPLE = CSSM_DL_BASE_DL_ERROR + 18;
+	CSSMERR_DL_INCOMPATIBLE_FIELD_FORMAT = CSSM_DL_BASE_DL_ERROR + 19;
+	CSSMERR_DL_INVALID_PARSING_MODULE = CSSM_DL_BASE_DL_ERROR + 20;
+	CSSMERR_DL_INVALID_DB_NAME = CSSM_DL_BASE_DL_ERROR + 22;
+	CSSMERR_DL_DATASTORE_DOESNOT_EXIST = CSSM_DL_BASE_DL_ERROR + 23;
+	CSSMERR_DL_DATASTORE_ALREADY_EXISTS = CSSM_DL_BASE_DL_ERROR + 24;
+	CSSMERR_DL_DB_LOCKED = CSSM_DL_BASE_DL_ERROR + 25;
+	CSSMERR_DL_DATASTORE_IS_OPEN = CSSM_DL_BASE_DL_ERROR + 26;
+	CSSMERR_DL_RECORD_NOT_FOUND = CSSM_DL_BASE_DL_ERROR + 27;
+	CSSMERR_DL_MISSING_VALUE = CSSM_DL_BASE_DL_ERROR + 28;
+	CSSMERR_DL_UNSUPPORTED_QUERY = CSSM_DL_BASE_DL_ERROR + 29;
+	CSSMERR_DL_UNSUPPORTED_QUERY_LIMITS = CSSM_DL_BASE_DL_ERROR + 30;
+	CSSMERR_DL_UNSUPPORTED_NUM_SELECTION_PREDS = CSSM_DL_BASE_DL_ERROR + 31;
+	CSSMERR_DL_UNSUPPORTED_OPERATOR = CSSM_DL_BASE_DL_ERROR + 33;
+	CSSMERR_DL_INVALID_RESULTS_HANDLE = CSSM_DL_BASE_DL_ERROR + 34;
+	CSSMERR_DL_INVALID_DB_LOCATION = CSSM_DL_BASE_DL_ERROR + 35;
+	CSSMERR_DL_INVALID_ACCESS_REQUEST = CSSM_DL_BASE_DL_ERROR + 36;
+	CSSMERR_DL_INVALID_INDEX_INFO = CSSM_DL_BASE_DL_ERROR + 37;
+	CSSMERR_DL_INVALID_SELECTION_TAG = CSSM_DL_BASE_DL_ERROR + 38;
+	CSSMERR_DL_INVALID_NEW_OWNER = CSSM_DL_BASE_DL_ERROR + 39;
+	CSSMERR_DL_INVALID_RECORD_UID = CSSM_DL_BASE_DL_ERROR + 40;
+	CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA = CSSM_DL_BASE_DL_ERROR + 41;
+	CSSMERR_DL_INVALID_MODIFY_MODE = CSSM_DL_BASE_DL_ERROR + 42;
+	CSSMERR_DL_INVALID_OPEN_PARAMETERS = CSSM_DL_BASE_DL_ERROR + 43;
+	CSSMERR_DL_RECORD_MODIFIED = CSSM_DL_BASE_DL_ERROR + 44;
+	CSSMERR_DL_ENDOFDATA = CSSM_DL_BASE_DL_ERROR + 45;
+	CSSMERR_DL_INVALID_QUERY = CSSM_DL_BASE_DL_ERROR + 46;
+	CSSMERR_DL_INVALID_VALUE = CSSM_DL_BASE_DL_ERROR + 47;
+	CSSMERR_DL_MULTIPLE_VALUES_UNSUPPORTED = CSSM_DL_BASE_DL_ERROR + 48;
+	CSSMERR_DL_STALE_UNIQUE_RECORD = CSSM_DL_BASE_DL_ERROR + 49;
+
+{$endc} {TARGET_OS_MAC}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+implementation
+
+{$ifc TARGET_OS_MAC}
+
+
+function CSSM_ERRCODE(arg: UInt32): UInt32; inline;
+begin
+  CSSM_ERRCODE:=(arg - CSSM_BASE_ERROR) and (CSSM_ERRORCODE_MODULE_EXTENT - 1)
+end;
+
+function CSSM_ERRBASE(arg: UInt32): UInt32; inline;
+begin
+  CSSM_ERRBASE:=((arg - CSSM_BASE_ERROR) and not(CSSM_ERRORCODE_MODULE_EXTENT - 1)) + CSSM_BASE_ERROR
+end;
+
+function CSSM_ERR_IS_CONVERTIBLE(arg: UInt32): Boolean; inline;
+begin
+  CSSM_ERR_IS_CONVERTIBLE:=CSSM_ERRCODE(arg) < CSSM_ERRORCODE_COMMON_EXTENT
+end;
+
+function CSSM_ERR_TAG(code, base: UInt32): UInt32; inline;
+begin
+  CSSM_ERR_TAG:=CSSM_ERRCODE(code) + base
+end;
+
+{$endc} {TARGET_OS_MAC}
+
+end.
+
+{$endc} {not MACOSALLINCLUDE}

packages/univint/src/cssmkrapi.pas

@@ -0,0 +1,348 @@
+{
+ * Copyright (c) 1999-2001,2004 Apple Computer, Inc. All Rights Reserved.
+ * 
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * cssmkrapi.h -- Application Programmers Interface for Key Recovery Modules
+ }
+{       Pascal Translation Updated:  Jonas Maebe, <[email protected]>, September 2010 }
+{
+    Modified for use with Free Pascal
+    Version 308
+    Please report any bugs to <[email protected]>
+}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+{$mode macpas}
+{$packenum 1}
+{$macro on}
+{$inline on}
+{$calling mwpascal}
+
+unit cssmkrapi;
+interface
+{$setc UNIVERSAL_INTERFACES_VERSION := $0400}
+{$setc GAP_INTERFACES_VERSION := $0308}
+
+{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
+    {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
+{$endc}
+
+{$ifc defined CPUPOWERPC and defined CPUI386}
+	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
+{$endc}
+{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
+	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
+{$endc}
+
+{$ifc not defined __ppc__ and defined CPUPOWERPC32}
+	{$setc __ppc__ := 1}
+{$elsec}
+	{$setc __ppc__ := 0}
+{$endc}
+{$ifc not defined __ppc64__ and defined CPUPOWERPC64}
+	{$setc __ppc64__ := 1}
+{$elsec}
+	{$setc __ppc64__ := 0}
+{$endc}
+{$ifc not defined __i386__ and defined CPUI386}
+	{$setc __i386__ := 1}
+{$elsec}
+	{$setc __i386__ := 0}
+{$endc}
+{$ifc not defined __x86_64__ and defined CPUX86_64}
+	{$setc __x86_64__ := 1}
+{$elsec}
+	{$setc __x86_64__ := 0}
+{$endc}
+{$ifc not defined __arm__ and defined CPUARM}
+	{$setc __arm__ := 1}
+{$elsec}
+	{$setc __arm__ := 0}
+{$endc}
+
+{$ifc defined cpu64}
+  {$setc __LP64__ := 1}
+{$elsec}
+  {$setc __LP64__ := 0}
+{$endc}
+
+
+{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
+	{$error Conflicting definitions for __ppc__ and __i386__}
+{$endc}
+
+{$ifc defined __ppc__ and __ppc__}
+	{$setc TARGET_CPU_PPC := TRUE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __ppc64__ and __ppc64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := TRUE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __i386__ and __i386__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := TRUE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+{$ifc defined(iphonesim)}
+ 	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
+{$elsec}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$endc}
+{$elifc defined __x86_64__ and __x86_64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := TRUE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __arm__ and __arm__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := TRUE}
+	{ will require compiler define when/if other Apple devices with ARM cpus ship }
+	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elsec}
+	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ is defined.}
+{$endc}
+
+{$ifc defined __LP64__ and __LP64__ }
+  {$setc TARGET_CPU_64 := TRUE}
+{$elsec}
+  {$setc TARGET_CPU_64 := FALSE}
+{$endc}
+
+{$ifc defined FPC_BIG_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
+{$elifc defined FPC_LITTLE_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
+{$elsec}
+	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
+{$endc}
+{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
+{$setc CALL_NOT_IN_CARBON := FALSE}
+{$setc OLDROUTINENAMES := FALSE}
+{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
+{$setc OPAQUE_UPP_TYPES := TRUE}
+{$setc OTCARBONAPPLICATION := TRUE}
+{$setc OTKERNEL := FALSE}
+{$setc PM_USE_SESSION_APIS := TRUE}
+{$setc TARGET_API_MAC_CARBON := TRUE}
+{$setc TARGET_API_MAC_OS8 := FALSE}
+{$setc TARGET_API_MAC_OSX := TRUE}
+{$setc TARGET_CARBON := TRUE}
+{$setc TARGET_CPU_68K := FALSE}
+{$setc TARGET_CPU_MIPS := FALSE}
+{$setc TARGET_CPU_SPARC := FALSE}
+{$setc TARGET_OS_UNIX := FALSE}
+{$setc TARGET_OS_WIN32 := FALSE}
+{$setc TARGET_RT_MAC_68881 := FALSE}
+{$setc TARGET_RT_MAC_CFM := FALSE}
+{$setc TARGET_RT_MAC_MACHO := TRUE}
+{$setc TYPED_FUNCTION_POINTERS := TRUE}
+{$setc TYPE_BOOL := FALSE}
+{$setc TYPE_EXTENDED := FALSE}
+{$setc TYPE_LONGLONG := TRUE}
+uses MacTypes,cssmtype;
+{$endc} {not MACOSALLINCLUDE}
+
+
+{$ifc TARGET_OS_MAC}
+
+{$packrecords c}
+
+type
+	CSSM_KRSP_HANDLE = UInt32; { Key Recovery Service Provider Handle }
+
+type
+	cssm_kr_name = record
+		Type_: UInt8; { namespace type }
+		Length: UInt8; { name string length }
+		Name: CStringPtr; { name string }
+	end;
+
+type
+	CSSM_KR_PROFILE_PTR = ^cssm_kr_profile;
+	CSSM_KR_PROFILEPtr = ^cssm_kr_profile;
+	cssm_kr_profile = record
+		UserName: CSSM_KR_NAME; { name of the user }
+		UserCertificate: CSSM_CERTGROUP_PTR; { public key certificate of the user }
+		KRSCertChain: CSSM_CERTGROUP_PTR; { cert chain for the KRSP coordinator }
+		LE_KRANum: UInt8; { number of KRA cert chains in the following list }
+		LE_KRACertChainList: CSSM_CERTGROUP_PTR; { list of Law enforcement KRA certificate chains }
+		ENT_KRANum: UInt8; { number of KRA cert chains in the following list }
+		ENT_KRACertChainList: CSSM_CERTGROUP_PTR; { list of Enterprise KRA certificate chains }
+		INDIV_KRANum: UInt8; { number of KRA cert chains in the following list }
+		INDIV_KRACertChainList: CSSM_CERTGROUP_PTR; { list of Individual KRA certificate chains }
+		INDIV_AuthenticationInfo: CSSM_DATA_PTR; { authentication information for individual key recovery }
+		KRSPFlags: UInt32; { flag values to be interpreted by KRSP }
+		KRSPExtensions: CSSM_DATA_PTR; { reserved for extensions specific to KRSPs }
+	end;
+
+type
+	CSSM_KR_WRAPPEDPRODUCT_INFO_PTR = ^CSSM_KR_WRAPPEDPRODUCT_INFO;
+	CSSM_KR_WRAPPEDPRODUCT_INFOPtr = ^CSSM_KR_WRAPPEDPRODUCT_INFO;
+	CSSM_KR_WRAPPEDPRODUCT_INFO = record
+		StandardVersion: CSSM_VERSION;
+		StandardDescription: CSSM_STRING;
+		ProductVersion: CSSM_VERSION;
+		ProductDescription: CSSM_STRING;
+		ProductVendor: CSSM_STRING;
+		ProductFlags: UInt32;
+	end;
+
+type
+	CSSM_KRSUBSERVICE_PTR = ^cssm_krsubservice;
+	CSSM_KRSUBSERVICEPtr = ^cssm_krsubservice;
+	cssm_krsubservice = record
+		SubServiceId: UInt32;
+		Description: CStringPtr; { Description of this sub service }
+		WrappedProduct: CSSM_KR_WRAPPEDPRODUCT_INFO;
+	end;
+
+type
+	CSSM_KR_POLICY_TYPE = UInt32;
+const
+	CSSM_KR_INDIV_POLICY = $00000001;
+const
+	CSSM_KR_ENT_POLICY = $00000002;
+const
+	CSSM_KR_LE_MAN_POLICY = $00000003;
+const
+	CSSM_KR_LE_USE_POLICY = $00000004;
+
+type
+	CSSM_KR_POLICY_FLAGS = UInt32;
+
+const
+	CSSM_KR_INDIV = $00000001;
+const
+	CSSM_KR_ENT = $00000002;
+const
+	CSSM_KR_LE_MAN = $00000004;
+const
+	CSSM_KR_LE_USE = $00000008;
+const
+	CSSM_KR_LE = (CSSM_KR_LE_MAN or CSSM_KR_LE_USE);
+const
+	CSSM_KR_OPTIMIZE = $00000010;
+const
+	CSSM_KR_DROP_WORKFACTOR = $00000020;
+
+type
+	CSSM_KR_POLICY_LIST_ITEM_PTR = ^cssm_kr_policy_list_item;
+	CSSM_KR_POLICY_LIST_ITEMPtr = ^cssm_kr_policy_list_item;
+	cssm_kr_policy_list_item = record
+		next: CSSM_KR_POLICY_LIST_ITEM_PTR;
+		AlgorithmId: CSSM_ALGORITHMS;
+		Mode: CSSM_ENCRYPT_MODE;
+		MaxKeyLength: UInt32;
+		MaxRounds: UInt32;
+		WorkFactor: UInt8;
+		PolicyFlags: CSSM_KR_POLICY_FLAGS;
+		AlgClass: CSSM_CONTEXT_TYPE;
+	end;
+
+type
+	CSSM_KR_POLICY_INFO_PTR = ^cssm_kr_policy_info;
+	CSSM_KR_POLICY_INFOPtr = ^cssm_kr_policy_info;
+	cssm_kr_policy_info = record
+		krbNotAllowed: CSSM_BOOL;
+		numberOfEntries: UInt32;
+		policyEntry: CSSM_KR_POLICY_LIST_ITEMPtr;
+	end;
+
+
+{ Key Recovery Module Mangement Operations }
+
+function CSSM_KR_SetEnterpriseRecoveryPolicy( const (*var*) RecoveryPolicyFileName: CSSM_DATA; const (*var*) OldPassPhrase: CSSM_ACCESS_CREDENTIALS; const (*var*) NewPassPhrase: CSSM_ACCESS_CREDENTIALS ): CSSM_RETURN; external name '_CSSM_KR_SetEnterpriseRecoveryPolicy';
+
+
+{ Key Recovery Context Operations }
+
+function CSSM_KR_CreateRecoveryRegistrationContext( KRSPHandle: CSSM_KRSP_HANDLE; var NewContext: CSSM_CC_HANDLE ): CSSM_RETURN; external name '_CSSM_KR_CreateRecoveryRegistrationContext';
+
+function CSSM_KR_CreateRecoveryEnablementContext( KRSPHandle: CSSM_KRSP_HANDLE; const (*var*) LocalProfile: CSSM_KR_PROFILE; const (*var*) RemoteProfile: CSSM_KR_PROFILE; var NewContext: CSSM_CC_HANDLE ): CSSM_RETURN; external name '_CSSM_KR_CreateRecoveryEnablementContext';
+
+function CSSM_KR_CreateRecoveryRequestContext( KRSPHandle: CSSM_KRSP_HANDLE; const (*var*) LocalProfile: CSSM_KR_PROFILE; var NewContext: CSSM_CC_HANDLE ): CSSM_RETURN; external name '_CSSM_KR_CreateRecoveryRequestContext';
+
+function CSSM_KR_GetPolicyInfo( CCHandle: CSSM_CC_HANDLE; var EncryptionProhibited: CSSM_KR_POLICY_FLAGS; var WorkFactor: UInt32 ): CSSM_RETURN; external name '_CSSM_KR_GetPolicyInfo';
+
+
+{ Key Recovery Registration Operations }
+
+function CSSM_KR_RegistrationRequest( RecoveryRegistrationContext: CSSM_CC_HANDLE; const (*var*) KRInData: CSSM_DATA; const (*var*) AccessCredentials: CSSM_ACCESS_CREDENTIALS; KRFlags: CSSM_KR_POLICY_FLAGS; var EstimatedTime: SInt32; ReferenceHandle: CSSM_HANDLE_PTR ): CSSM_RETURN; external name '_CSSM_KR_RegistrationRequest';
+
+function CSSM_KR_RegistrationRetrieve( KRSPHandle: CSSM_KRSP_HANDLE; ReferenceHandle: CSSM_HANDLE; const (*var*) AccessCredentials: CSSM_ACCESS_CREDENTIALS; var EstimatedTime: SInt32; KRProfile: CSSM_KR_PROFILE_PTR ): CSSM_RETURN; external name '_CSSM_KR_RegistrationRetrieve';
+
+
+{ Key Recovery Enablement Operations }
+
+function CSSM_KR_GenerateRecoveryFields( KeyRecoveryContext: CSSM_CC_HANDLE; CCHandle: CSSM_CC_HANDLE; const (*var*) KRSPOptions: CSSM_DATA; KRFlags: CSSM_KR_POLICY_FLAGS; KRFields: CSSM_DATA_PTR; var NewCCHandle: CSSM_CC_HANDLE ): CSSM_RETURN; external name '_CSSM_KR_GenerateRecoveryFields';
+
+function CSSM_KR_ProcessRecoveryFields( KeyRecoveryContext: CSSM_CC_HANDLE; CryptoContext: CSSM_CC_HANDLE; const (*var*) KRSPOptions: CSSM_DATA; KRFlags: CSSM_KR_POLICY_FLAGS; const (*var*) KRFields: CSSM_DATA; var NewCryptoContext: CSSM_CC_HANDLE ): CSSM_RETURN; external name '_CSSM_KR_ProcessRecoveryFields';
+
+
+{ Key Recovery Request Operations }
+
+function CSSM_KR_RecoveryRequest( RecoveryRequestContext: CSSM_CC_HANDLE; const (*var*) KRInData: CSSM_DATA; const (*var*) AccessCredentials: CSSM_ACCESS_CREDENTIALS; var EstimatedTime: SInt32; ReferenceHandle: CSSM_HANDLE_PTR ): CSSM_RETURN; external name '_CSSM_KR_RecoveryRequest';
+
+function CSSM_KR_RecoveryRetrieve( KRSPHandle: CSSM_KRSP_HANDLE; ReferenceHandle: CSSM_HANDLE; const (*var*) AccessCredentials: CSSM_ACCESS_CREDENTIALS; var EstimatedTime: SInt32; CacheHandle: CSSM_HANDLE_PTR; var NumberOfRecoveredKeys: UInt32 ): CSSM_RETURN; external name '_CSSM_KR_RecoveryRetrieve';
+
+function CSSM_KR_GetRecoveredObject( KRSPHandle: CSSM_KRSP_HANDLE; CacheHandle: CSSM_HANDLE; IndexInResults: UInt32; CSPHandle: CSSM_CSP_HANDLE; const (*var*) CredAndAclEntry: CSSM_RESOURCE_CONTROL_CONTEXT; Flags: UInt32; RecoveredKey: CSSM_KEY_PTR; OtherInfo: CSSM_DATA_PTR ): CSSM_RETURN; external name '_CSSM_KR_GetRecoveredObject';
+
+function CSSM_KR_RecoveryRequestAbort( KRSPHandle: CSSM_KRSP_HANDLE; CacheHandle: CSSM_HANDLE ): CSSM_RETURN; external name '_CSSM_KR_RecoveryRequestAbort';
+
+function CSSM_KR_QueryPolicyInfo( KRSPHandle: CSSM_KRSP_HANDLE; AlgorithmID: CSSM_ALGORITHMS; Mode: CSSM_ENCRYPT_MODE; Class: CSSM_CONTEXT_TYPE; var PolicyInfoData: CSSM_KR_POLICY_INFO_PTR ): CSSM_RETURN; external name '_CSSM_KR_QueryPolicyInfo';
+
+
+{ Extensibility Functions }
+
+function CSSM_KR_PassThrough( KRSPHandle: CSSM_KRSP_HANDLE; KeyRecoveryContext: CSSM_CC_HANDLE; CryptoContext: CSSM_CC_HANDLE; PassThroughId: UInt32; InputParams: {const} UnivPtr; OutputParams: UnivPtrPtr ): CSSM_RETURN; external name '_CSSM_KR_PassThrough';
+
+{$endc} {TARGET_OS_MAC}
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+
+end.
+{$endc} {not MACOSALLINCLUDE}

packages/univint/src/cssmtype.pas

@@ -0,0 +1,2551 @@
+{
+ * Copyright (c) 1999-2002,2004 Apple Computer, Inc. All Rights Reserved.
+ * 
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * cssmtype.h -- Common Security Services Manager Common Data Types
+ }
+{       Pascal Translation Updated:  Jonas Maebe, <[email protected]>, September 2010 }
+{
+    Modified for use with Free Pascal
+    Version 308
+    Please report any bugs to <[email protected]>
+}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+{$mode macpas}
+{$packenum 1}
+{$macro on}
+{$inline on}
+{$calling mwpascal}
+
+unit cssmtype;
+interface
+{$setc UNIVERSAL_INTERFACES_VERSION := $0400}
+{$setc GAP_INTERFACES_VERSION := $0308}
+
+{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
+    {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
+{$endc}
+
+{$ifc defined CPUPOWERPC and defined CPUI386}
+	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
+{$endc}
+{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
+	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
+{$endc}
+
+{$ifc not defined __ppc__ and defined CPUPOWERPC32}
+	{$setc __ppc__ := 1}
+{$elsec}
+	{$setc __ppc__ := 0}
+{$endc}
+{$ifc not defined __ppc64__ and defined CPUPOWERPC64}
+	{$setc __ppc64__ := 1}
+{$elsec}
+	{$setc __ppc64__ := 0}
+{$endc}
+{$ifc not defined __i386__ and defined CPUI386}
+	{$setc __i386__ := 1}
+{$elsec}
+	{$setc __i386__ := 0}
+{$endc}
+{$ifc not defined __x86_64__ and defined CPUX86_64}
+	{$setc __x86_64__ := 1}
+{$elsec}
+	{$setc __x86_64__ := 0}
+{$endc}
+{$ifc not defined __arm__ and defined CPUARM}
+	{$setc __arm__ := 1}
+{$elsec}
+	{$setc __arm__ := 0}
+{$endc}
+
+{$ifc defined cpu64}
+  {$setc __LP64__ := 1}
+{$elsec}
+  {$setc __LP64__ := 0}
+{$endc}
+
+
+{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
+	{$error Conflicting definitions for __ppc__ and __i386__}
+{$endc}
+
+{$ifc defined __ppc__ and __ppc__}
+	{$setc TARGET_CPU_PPC := TRUE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __ppc64__ and __ppc64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := TRUE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __i386__ and __i386__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := TRUE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+{$ifc defined(iphonesim)}
+ 	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
+{$elsec}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$endc}
+{$elifc defined __x86_64__ and __x86_64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := TRUE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __arm__ and __arm__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := TRUE}
+	{ will require compiler define when/if other Apple devices with ARM cpus ship }
+	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elsec}
+	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ is defined.}
+{$endc}
+
+{$ifc defined __LP64__ and __LP64__ }
+  {$setc TARGET_CPU_64 := TRUE}
+{$elsec}
+  {$setc TARGET_CPU_64 := FALSE}
+{$endc}
+
+{$ifc defined FPC_BIG_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
+{$elifc defined FPC_LITTLE_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
+{$elsec}
+	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
+{$endc}
+{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
+{$setc CALL_NOT_IN_CARBON := FALSE}
+{$setc OLDROUTINENAMES := FALSE}
+{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
+{$setc OPAQUE_UPP_TYPES := TRUE}
+{$setc OTCARBONAPPLICATION := TRUE}
+{$setc OTKERNEL := FALSE}
+{$setc PM_USE_SESSION_APIS := TRUE}
+{$setc TARGET_API_MAC_CARBON := TRUE}
+{$setc TARGET_API_MAC_OS8 := FALSE}
+{$setc TARGET_API_MAC_OSX := TRUE}
+{$setc TARGET_CARBON := TRUE}
+{$setc TARGET_CPU_68K := FALSE}
+{$setc TARGET_CPU_MIPS := FALSE}
+{$setc TARGET_CPU_SPARC := FALSE}
+{$setc TARGET_OS_UNIX := FALSE}
+{$setc TARGET_OS_WIN32 := FALSE}
+{$setc TARGET_RT_MAC_68881 := FALSE}
+{$setc TARGET_RT_MAC_CFM := FALSE}
+{$setc TARGET_RT_MAC_MACHO := TRUE}
+{$setc TYPED_FUNCTION_POINTERS := TRUE}
+{$setc TYPE_BOOL := FALSE}
+{$setc TYPE_EXTENDED := FALSE}
+{$setc TYPE_LONGLONG := TRUE}
+uses MacTypes,cssmconfig;
+{$endc} {not MACOSALLINCLUDE}
+
+
+{$ifc TARGET_OS_MAC}
+
+{$packrecords c}
+
+{ Handle types. }
+	
+type
+	CSSM_HANDLE = CSSM_INTPTR;
+	CSSM_HANDLE_PTR = ^CSSM_INTPTR;
+	CSSM_HANDLEPtr = ^CSSM_INTPTR;
+
+type
+	CSSM_LONG_HANDLE = UInt64;
+	CSSM_LONG_HANDLE_PTR = ^UInt64;
+	CSSM_LONG_HANDLEPtr = ^UInt64;
+
+type
+	CSSM_MODULE_HANDLE = CSSM_HANDLE;
+	CSSM_MODULE_HANDLE_PTR = ^CSSM_HANDLE;
+	CSSM_MODULE_HANDLEPtr = ^CSSM_HANDLE;
+
+type
+	CSSM_CC_HANDLE = CSSM_LONG_HANDLE; { Cryptographic Context Handle }
+
+type
+	CSSM_CSP_HANDLE = CSSM_MODULE_HANDLE; { Cryptographic Service Provider Handle }
+
+type
+	CSSM_TP_HANDLE = CSSM_MODULE_HANDLE; { Trust Policy Handle }
+
+type
+	CSSM_AC_HANDLE = CSSM_MODULE_HANDLE; { Authorization Computation Handle }
+
+type
+	CSSM_CL_HANDLE = CSSM_MODULE_HANDLE; { Certificate Library Handle }
+
+type
+	CSSM_DL_HANDLE = CSSM_MODULE_HANDLE; { Data Storage Library Handle }
+
+type
+	CSSM_DB_HANDLE = CSSM_MODULE_HANDLE; { Data Storage Database Handle }
+
+
+{ invalid or NULL value for any CSSM_HANDLE type }
+const
+	CSSM_INVALID_HANDLE = 0;
+
+
+{ Data Types for Core Services }
+
+type
+	CSSM_BOOL = SInt32;
+const
+	CSSM_FALSE = 0;
+	CSSM_TRUE = 1;
+
+{ The standard declares this as uint32 but we changed it to sint32 to match OSStatus. }
+type
+  CSSM_RETURNPtr = ^CSSM_RETURN;
+	CSSM_RETURN = SInt32;
+const
+	CSSM_OK = 0;
+
+const
+	CSSM_MODULE_STRING_SIZE = 64;
+type
+	CSSM_STRING = array [0..CSSM_MODULE_STRING_SIZE + 4-1] of char;
+
+
+type
+	CSSM_DATA_PTR = ^cssm_data;
+	CSSM_DATAPtr = ^cssm_data;
+	CSSM_DATAArrayPtr = ^cssm_dataPtr;
+	cssm_data = record
+		Length: CSSM_SIZE; { in bytes }
+		Data: UInt8Ptr;
+	end;
+
+type
+	CSSM_GUID_PTR = ^cssm_guid;
+	CSSM_GUIDPtr = ^cssm_guid;
+	cssm_guid = record
+		Data1: UInt32;
+		Data2: UInt16;
+		Data3: UInt16;
+		Data4: array [0..8-1] of UInt8;
+	end;
+
+type
+	CSSM_BITMASK = UInt32;
+	CSSM_KEY_HIERARCHY = CSSM_BITMASK;
+const
+	CSSM_KEY_HIERARCHY_NONE = 0;
+	CSSM_KEY_HIERARCHY_INTEG = 1;
+	CSSM_KEY_HIERARCHY_EXPORT = 2;
+
+type
+	CSSM_PVC_MODE = CSSM_BITMASK;
+const
+	CSSM_PVC_NONE = 0;
+	CSSM_PVC_APP = 1;
+	CSSM_PVC_SP = 2;
+
+type
+	CSSM_PRIVILEGE_SCOPE = UInt32;
+const
+	CSSM_PRIVILEGE_SCOPE_NONE = 0;
+	CSSM_PRIVILEGE_SCOPE_PROCESS = 1;
+	CSSM_PRIVILEGE_SCOPE_THREAD = 2;
+
+type
+	CSSM_VERSION_PTR = ^cssm_version;
+	CSSM_VERSIONPtr = ^cssm_version;
+	cssm_version = record
+		Major: UInt32;
+		Minor: UInt32;
+	end;
+
+type
+	CSSM_SERVICE_MASK = UInt32;
+const
+	CSSM_SERVICE_CSSM = $1;
+	CSSM_SERVICE_CSP = $2;
+	CSSM_SERVICE_DL = $4;
+	CSSM_SERVICE_CL = $8;
+	CSSM_SERVICE_TP = $10;
+	CSSM_SERVICE_AC = $20;
+	CSSM_SERVICE_KR = $40;
+
+type
+	CSSM_SERVICE_TYPE = CSSM_SERVICE_MASK;
+
+type
+	CSSM_SUBSERVICE_UID_PTR = ^cssm_subservice_uid;
+	CSSM_SUBSERVICE_UIDPtr = ^cssm_subservice_uid;
+	cssm_subservice_uid = record
+		Guid: CSSM_GUID;
+		Version: CSSM_VERSION;
+		SubserviceId: UInt32;
+		SubserviceType: CSSM_SERVICE_TYPE;
+	end;
+
+type
+	CSSM_MODULE_EVENT = UInt32;
+	CSSM_MODULE_EVENT_PTR = ^UInt32;
+	CSSM_MODULE_EVENTPtr = ^UInt32;
+const
+	CSSM_NOTIFY_INSERT = 1;
+	CSSM_NOTIFY_REMOVE = 2;
+	CSSM_NOTIFY_FAULT = 3;
+
+type
+	CSSM_API_ModuleEventHandler = function( const (*var*) ModuleGuid: CSSM_GUID; AppNotifyCallbackCtx: UnivPtr; SubserviceId: UInt32; ServiceType: CSSM_SERVICE_TYPE; EventType: CSSM_MODULE_EVENT ): CSSM_RETURN;
+
+type
+	CSSM_ATTACH_FLAGS = UInt32;
+const
+	CSSM_ATTACH_READ_ONLY = $00000001;
+
+{ Non-export privilege range: (0x00000000 - 0x7FFFFFFF) }
+{ Vendor specific range: (0x80000000 - 0xFFFFFFFF) }
+type
+	CSSM_PRIVILEGE = UInt64;
+	CSSM_USEE_TAG = CSSM_PRIVILEGE;
+const
+	CSSM_USEE_LAST = $FF;
+	CSSM_USEE_NONE = 0;
+	CSSM_USEE_DOMESTIC = 1;
+	CSSM_USEE_FINANCIAL = 2;
+	CSSM_USEE_KRLE = 3;
+	CSSM_USEE_KRENT = 4;
+	CSSM_USEE_SSL = 5;
+	CSSM_USEE_AUTHENTICATION = 6;
+	CSSM_USEE_KEYEXCH = 7;
+	CSSM_USEE_MEDICAL = 8;
+	CSSM_USEE_INSURANCE = 9;
+	CSSM_USEE_WEAK = 10;
+
+type
+	CSSM_NET_ADDRESS_TYPE = UInt32;
+const
+	CSSM_ADDR_NONE = 0;
+	CSSM_ADDR_CUSTOM = 1;
+	CSSM_ADDR_URL = 2; { char* }
+	CSSM_ADDR_SOCKADDR = 3;
+	CSSM_ADDR_NAME = 4; { char* - qualified by access method }
+
+type
+	CSSM_NET_ADDRESS_PTR = ^cssm_net_address;
+	CSSM_NET_ADDRESSPtr = ^cssm_net_address;
+	cssm_net_address = record
+		AddressType: CSSM_NET_ADDRESS_TYPE;
+		Address: CSSM_DATA;
+	end;
+
+type
+	CSSM_NET_PROTOCOL = UInt32;
+const
+	CSSM_NET_PROTO_NONE = 0;	{ local }
+	CSSM_NET_PROTO_CUSTOM = 1;	{ proprietary implementation }
+	CSSM_NET_PROTO_UNSPECIFIED = 2;	{ implementation default }
+	CSSM_NET_PROTO_LDAP = 3;	{ light weight directory access protocol }
+	CSSM_NET_PROTO_LDAPS = 4;	{ ldap/ssl where SSL initiates the connection }
+	CSSM_NET_PROTO_LDAPNS = 5;	{ ldap where ldap negotiates an SSL session }
+	CSSM_NET_PROTO_X500DAP = 6;	{ x.500 Directory access protocol }
+	CSSM_NET_PROTO_FTP = 7;	{ ftp for cert/crl fetch }
+	CSSM_NET_PROTO_FTPS = 8;	{ ftp/ssl/tls where SSL/TLS initiates the connection }
+	CSSM_NET_PROTO_OCSP = 9;	{ online certificate status protocol }
+	CSSM_NET_PROTO_CMP = 10;	{ the cert request protocol in PKIX3 }
+	CSSM_NET_PROTO_CMPS = 11;	{ The ssl/tls derivative of CMP }
+
+type
+	CSSM_CALLBACK = function( OutData: CSSM_DATA_PTR; CallerCtx: UnivPtr ): CSSM_RETURN;
+
+type
+	CSSM_CRYPTO_DATA_PTR = ^cssm_crypto_data;
+	CSSM_CRYPTO_DATAPtr = ^cssm_crypto_data;
+	cssm_crypto_data = record
+		Param: CSSM_DATA;
+		Callback: CSSM_CALLBACK;
+		CallerCtx: UnivPtr;
+	end;
+
+type
+	CSSM_WORDID_TYPE = SInt32;
+const
+	CSSM_WORDID__UNK_ = -1; { not in dictionary }
+	CSSM_WORDID__NLU_ = 0; { not yet looked up }
+	CSSM_WORDID__STAR_ = 1;
+	CSSM_WORDID_A = 2;
+	CSSM_WORDID_ACL = 3;
+	CSSM_WORDID_ALPHA = 4;
+	CSSM_WORDID_B = 5;
+	CSSM_WORDID_BER = 6;
+	CSSM_WORDID_BINARY = 7;
+	CSSM_WORDID_BIOMETRIC = 8;
+	CSSM_WORDID_C = 9;
+	CSSM_WORDID_CANCELED = 10;
+	CSSM_WORDID_CERT = 11;
+	CSSM_WORDID_COMMENT = 12;
+	CSSM_WORDID_CRL = 13;
+	CSSM_WORDID_CUSTOM = 14;
+	CSSM_WORDID_D = 15;
+	CSSM_WORDID_DATE = 16;
+	CSSM_WORDID_DB_DELETE = 17;
+	CSSM_WORDID_DB_EXEC_STORED_QUERY = 18;
+	CSSM_WORDID_DB_INSERT = 19;
+	CSSM_WORDID_DB_MODIFY = 20;
+	CSSM_WORDID_DB_READ = 21;
+	CSSM_WORDID_DBS_CREATE = 22;
+	CSSM_WORDID_DBS_DELETE = 23;
+	CSSM_WORDID_DECRYPT = 24;
+	CSSM_WORDID_DELETE = 25;
+	CSSM_WORDID_DELTA_CRL = 26;
+	CSSM_WORDID_DER = 27;
+	CSSM_WORDID_DERIVE = 28;
+	CSSM_WORDID_DISPLAY = 29;
+	CSSM_WORDID_DO = 30;
+	CSSM_WORDID_DSA = 31;
+	CSSM_WORDID_DSA_SHA1 = 32;
+	CSSM_WORDID_E = 33;
+	CSSM_WORDID_ELGAMAL = 34;
+	CSSM_WORDID_ENCRYPT = 35;
+	CSSM_WORDID_ENTRY = 36;
+	CSSM_WORDID_EXPORT_CLEAR = 37;
+	CSSM_WORDID_EXPORT_WRAPPED = 38;
+	CSSM_WORDID_G = 39;
+	CSSM_WORDID_GE = 40;
+	CSSM_WORDID_GENKEY = 41;
+	CSSM_WORDID_HASH = 42;
+	CSSM_WORDID_HASHED_PASSWORD = 43;
+	CSSM_WORDID_HASHED_SUBJECT = 44;
+	CSSM_WORDID_HAVAL = 45;
+	CSSM_WORDID_IBCHASH = 46;
+	CSSM_WORDID_IMPORT_CLEAR = 47;
+	CSSM_WORDID_IMPORT_WRAPPED = 48;
+	CSSM_WORDID_INTEL = 49;
+	CSSM_WORDID_ISSUER = 50;
+	CSSM_WORDID_ISSUER_INFO = 51;
+	CSSM_WORDID_K_OF_N = 52;
+	CSSM_WORDID_KEA = 53;
+	CSSM_WORDID_KEYHOLDER = 54;
+	CSSM_WORDID_L = 55;
+	CSSM_WORDID_LE = 56;
+	CSSM_WORDID_LOGIN = 57;
+	CSSM_WORDID_LOGIN_NAME = 58;
+	CSSM_WORDID_MAC = 59;
+	CSSM_WORDID_MD2 = 60;
+	CSSM_WORDID_MD2WITHRSA = 61;
+	CSSM_WORDID_MD4 = 62;
+	CSSM_WORDID_MD5 = 63;
+	CSSM_WORDID_MD5WITHRSA = 64;
+	CSSM_WORDID_N = 65;
+	CSSM_WORDID_NAME = 66;
+	CSSM_WORDID_NDR = 67;
+	CSSM_WORDID_NHASH = 68;
+	CSSM_WORDID_NOT_AFTER = 69;
+	CSSM_WORDID_NOT_BEFORE = 70;
+	CSSM_WORDID_NULL = 71;
+	CSSM_WORDID_NUMERIC = 72;
+	CSSM_WORDID_OBJECT_HASH = 73;
+	CSSM_WORDID_ONE_TIME = 74;
+	CSSM_WORDID_ONLINE = 75;
+	CSSM_WORDID_OWNER = 76;
+	CSSM_WORDID_P = 77;
+	CSSM_WORDID_PAM_NAME = 78;
+	CSSM_WORDID_PASSWORD = 79;
+	CSSM_WORDID_PGP = 80;
+	CSSM_WORDID_PREFIX = 81;
+	CSSM_WORDID_PRIVATE_KEY = 82;
+	CSSM_WORDID_PROMPTED_BIOMETRIC = 83;
+	CSSM_WORDID_PROMPTED_PASSWORD = 84;
+	CSSM_WORDID_PROPAGATE = 85;
+	CSSM_WORDID_PROTECTED_BIOMETRIC = 86;
+	CSSM_WORDID_PROTECTED_PASSWORD = 87;
+	CSSM_WORDID_PROTECTED_PIN = 88;
+	CSSM_WORDID_PUBLIC_KEY = 89;
+	CSSM_WORDID_PUBLIC_KEY_FROM_CERT = 90;
+	CSSM_WORDID_Q = 91;
+	CSSM_WORDID_RANGE = 92;
+	CSSM_WORDID_REVAL = 93;
+	CSSM_WORDID_RIPEMAC = 94;
+	CSSM_WORDID_RIPEMD = 95;
+	CSSM_WORDID_RIPEMD160 = 96;
+	CSSM_WORDID_RSA = 97;
+	CSSM_WORDID_RSA_ISO9796 = 98;
+	CSSM_WORDID_RSA_PKCS = 99;
+	CSSM_WORDID_RSA_PKCS_MD5 = 100;
+	CSSM_WORDID_RSA_PKCS_SHA1 = 101;
+	CSSM_WORDID_RSA_PKCS1 = 102;
+	CSSM_WORDID_RSA_PKCS1_MD5 = 103;
+	CSSM_WORDID_RSA_PKCS1_SHA1 = 104;
+	CSSM_WORDID_RSA_PKCS1_SIG = 105;
+	CSSM_WORDID_RSA_RAW = 106;
+	CSSM_WORDID_SDSIV1 = 107;
+	CSSM_WORDID_SEQUENCE = 108;
+	CSSM_WORDID_SET = 109;
+	CSSM_WORDID_SEXPR = 110;
+	CSSM_WORDID_SHA1 = 111;
+	CSSM_WORDID_SHA1WITHDSA = 112;
+	CSSM_WORDID_SHA1WITHECDSA = 113;
+	CSSM_WORDID_SHA1WITHRSA = 114;
+	CSSM_WORDID_SIGN = 115;
+	CSSM_WORDID_SIGNATURE = 116;
+	CSSM_WORDID_SIGNED_NONCE = 117;
+	CSSM_WORDID_SIGNED_SECRET = 118;
+	CSSM_WORDID_SPKI = 119;
+	CSSM_WORDID_SUBJECT = 120;
+	CSSM_WORDID_SUBJECT_INFO = 121;
+	CSSM_WORDID_TAG = 122;
+	CSSM_WORDID_THRESHOLD = 123;
+	CSSM_WORDID_TIME = 124;
+	CSSM_WORDID_URI = 125;
+	CSSM_WORDID_VERSION = 126;
+	CSSM_WORDID_X509_ATTRIBUTE = 127;
+	CSSM_WORDID_X509V1 = 128;
+	CSSM_WORDID_X509V2 = 129;
+	CSSM_WORDID_X509V3 = 130;
+	CSSM_WORDID_X9_ATTRIBUTE = 131;
+	CSSM_WORDID_VENDOR_START = $00010000;
+	CSSM_WORDID_VENDOR_END = $7FFF0000;
+
+type
+	CSSM_LIST_ELEMENT_TYPE = UInt32;
+	CSSM_LIST_ELEMENT_TYPE_PTR = ^UInt32;
+	CSSM_LIST_ELEMENT_TYPEPtr = ^UInt32;
+const
+	CSSM_LIST_ELEMENT_DATUM = $00;
+	CSSM_LIST_ELEMENT_SUBLIST = $01;
+	CSSM_LIST_ELEMENT_WORDID = $02;
+
+type
+	CSSM_LIST_TYPE = UInt32;
+	CSSM_LIST_TYPE_PTR = ^UInt32;
+	CSSM_LIST_TYPEPtr = ^UInt32;
+const
+	CSSM_LIST_TYPE_UNKNOWN = 0;
+	CSSM_LIST_TYPE_CUSTOM = 1;
+	CSSM_LIST_TYPE_SEXPR = 2;
+
+type
+  CSSM_LIST_ELEMENT_PTR = ^cssm_list_element;
+  CSSM_LIST_ELEMENTPtr = ^cssm_list_element;
+	CSSM_LIST_PTR = ^cssm_list;
+	CSSM_LISTPtr = ^cssm_list;
+	cssm_list = record
+		ListType: CSSM_LIST_TYPE;	{ type of this list }
+		Head: CSSM_LIST_ELEMENT_PTR;	{ head of the list }
+		Tail: CSSM_LIST_ELEMENT_PTR;	{ tail of the list }
+	end;
+
+  __embedded_cssm_list_element = record
+    case Integer of
+      0: (Sublist: CSSM_LIST);		{ sublist }
+      1: (Word: CSSM_DATA);		{ a byte-string }
+  end;
+
+	cssm_list_element = record
+		NextElement: cssm_list_element_ptr;	{ next list element }
+		WordID: CSSM_WORDID_TYPE;	{ integer identifier associated }
+								{ with a Word value }
+		ElementType: CSSM_LIST_ELEMENT_TYPE;
+		Element: __embedded_cssm_list_element;
+	end;
+
+type
+	CSSM_TUPLE_PTR = ^CSSM_TUPLE;
+	CSSM_TUPLEPtr = ^CSSM_TUPLE;
+	CSSM_TUPLE = record
+{ 5-tuple definition }
+		Issuer: CSSM_LIST;			{ issuer, or empty if ACL }
+		Subject: CSSM_LIST;			{ subject }
+		Delegate: CSSM_BOOL;			{ permission to delegate }
+		AuthorizationTag: CSSM_LIST;	{ authorization field }
+		ValidityPeriod: CSSM_LIST;	{ validity information (dates) }
+	end;
+
+type
+	CSSM_TUPLEGROUP_PTR = ^cssm_tuplegroup;
+	CSSM_TUPLEGROUPPtr = ^cssm_tuplegroup;
+	cssm_tuplegroup = record
+		NumberOfTuples: UInt32;
+		Tuples: CSSM_TUPLE_PTR;
+	end;
+
+type
+	CSSM_SAMPLE_TYPE = CSSM_WORDID_TYPE;
+const
+	CSSM_SAMPLE_TYPE_PASSWORD = CSSM_WORDID_PASSWORD;
+	CSSM_SAMPLE_TYPE_HASHED_PASSWORD = CSSM_WORDID_HASHED_PASSWORD;
+	CSSM_SAMPLE_TYPE_PROTECTED_PASSWORD = CSSM_WORDID_PROTECTED_PASSWORD;
+	CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD = CSSM_WORDID_PROMPTED_PASSWORD;
+	CSSM_SAMPLE_TYPE_SIGNED_NONCE = CSSM_WORDID_SIGNED_NONCE;
+	CSSM_SAMPLE_TYPE_SIGNED_SECRET = CSSM_WORDID_SIGNED_SECRET;
+	CSSM_SAMPLE_TYPE_BIOMETRIC = CSSM_WORDID_BIOMETRIC;
+	CSSM_SAMPLE_TYPE_PROTECTED_BIOMETRIC = CSSM_WORDID_PROTECTED_BIOMETRIC;
+	CSSM_SAMPLE_TYPE_PROMPTED_BIOMETRIC = CSSM_WORDID_PROMPTED_BIOMETRIC;
+	CSSM_SAMPLE_TYPE_THRESHOLD = CSSM_WORDID_THRESHOLD;
+
+type
+	CSSM_SAMPLE_PTR = ^cssm_sample;
+	CSSM_SAMPLEPtr = ^cssm_sample;
+	cssm_sample = record
+		TypedSample: CSSM_LIST;
+		Verifier: {const} CSSM_SUBSERVICE_UIDPtr;
+	end;
+
+type
+	CSSM_SAMPLEGROUP_PTR = ^cssm_samplegroup;
+	CSSM_SAMPLEGROUPPtr = ^cssm_samplegroup;
+	cssm_samplegroup = record
+		NumberOfSamples: UInt32;
+		Samples: {const} CSSM_SAMPLEPtr;
+	end;
+
+type
+	CSSM_MALLOC = function( size: CSSM_SIZE; allocref: UnivPtr ): UnivPtr;
+
+type
+	CSSM_FREE = procedure( memblock: UnivPtr; allocref: UnivPtr );
+
+type
+	CSSM_REALLOC = function( memblock: UnivPtr; size: CSSM_SIZE; allocref: UnivPtr ): UnivPtr;
+
+type
+	CSSM_CALLOC = function( num: UInt32; size: CSSM_SIZE; allocref: UnivPtr ): UnivPtr;
+
+type
+	CSSM_MEMORY_FUNCS_PTR = ^cssm_memory_funcs;
+	CSSM_MEMORY_FUNCSPtr = ^cssm_memory_funcs;
+	cssm_memory_funcs = record
+		malloc_func: CSSM_MALLOC;
+		free_func: CSSM_FREE;
+		realloc_func: CSSM_REALLOC;
+		calloc_func: CSSM_CALLOC;
+		AllocRef: UnivPtr;
+	end;
+
+type
+	CSSM_API_MEMORY_FUNCS = CSSM_MEMORY_FUNCS;
+	CSSM_API_MEMORY_FUNCS_PTR = ^CSSM_API_MEMORY_FUNCS;
+	CSSM_API_MEMORY_FUNCSPtr = ^CSSM_API_MEMORY_FUNCS;
+
+type
+	CSSM_CHALLENGE_CALLBACK = function( const (*var*) Challenge: CSSM_LIST; Response: CSSM_SAMPLEGROUP_PTR; CallerCtx: UnivPtr; const (*var*) MemFuncs: CSSM_MEMORY_FUNCS ): CSSM_RETURN;
+
+type
+	CSSM_CERT_TYPE = UInt32;
+	CSSM_CERT_TYPE_PTR = ^UInt32;
+	CSSM_CERT_TYPEPtr = ^UInt32;
+const
+	CSSM_CERT_UNKNOWN = $00;
+	CSSM_CERT_X_509v1 = $01;
+	CSSM_CERT_X_509v2 = $02;
+	CSSM_CERT_X_509v3 = $03;
+	CSSM_CERT_PGP = $04;
+	CSSM_CERT_SPKI = $05;
+	CSSM_CERT_SDSIv1 = $06;
+	CSSM_CERT_Intel = $08;
+	CSSM_CERT_X_509_ATTRIBUTE = $09; { X.509 attribute cert }
+	CSSM_CERT_X9_ATTRIBUTE = $0A; { X9 attribute cert }
+	CSSM_CERT_TUPLE = $0B;
+	CSSM_CERT_ACL_ENTRY = $0C;
+	CSSM_CERT_MULTIPLE = $7FFE;
+	CSSM_CERT_LAST = $7FFF;
+	{ Applications wishing to define their own custom certificate
+	   type should define and publicly document a uint32 value greater
+	   than the CSSM_CL_CUSTOM_CERT_TYPE }
+	CSSM_CL_CUSTOM_CERT_TYPE = $08000;
+
+type
+	CSSM_CERT_ENCODING = UInt32;
+	CSSM_CERT_ENCODING_PTR = ^UInt32;
+	CSSM_CERT_ENCODINGPtr = ^UInt32;
+const
+	CSSM_CERT_ENCODING_UNKNOWN = $00;
+	CSSM_CERT_ENCODING_CUSTOM = $01;
+	CSSM_CERT_ENCODING_BER = $02;
+	CSSM_CERT_ENCODING_DER = $03;
+	CSSM_CERT_ENCODING_NDR = $04;
+	CSSM_CERT_ENCODING_SEXPR = $05;
+	CSSM_CERT_ENCODING_PGP = $06;
+	CSSM_CERT_ENCODING_MULTIPLE = $7FFE;
+	CSSM_CERT_ENCODING_LAST = $7FFF;
+	{ Applications wishing to define their own custom certificate
+	   encoding should create a uint32 value greater than the
+	   CSSM_CL_CUSTOM_CERT_ENCODING }
+	CSSM_CL_CUSTOM_CERT_ENCODING = $8000;
+
+type
+	CSSM_ENCODED_CERT_PTR = ^cssm_encoded_cert;
+	CSSM_ENCODED_CERTPtr = ^cssm_encoded_cert;
+	cssm_encoded_cert = record
+		CertType: CSSM_CERT_TYPE;			{ type of certificate }
+		CertEncoding: CSSM_CERT_ENCODING;	{ encoding for this packed cert }
+		CertBlob: CSSM_DATA;					{ packed cert }
+	end;
+
+type
+	CSSM_CERT_PARSE_FORMAT = UInt32;
+	CSSM_CERT_PARSE_FORMAT_PTR = ^UInt32;
+	CSSM_CERT_PARSE_FORMATPtr = ^UInt32;
+const
+	CSSM_CERT_PARSE_FORMAT_NONE = $00;
+	CSSM_CERT_PARSE_FORMAT_CUSTOM = $01; { void* }
+	CSSM_CERT_PARSE_FORMAT_SEXPR = $02; { CSSM_LIST }
+	CSSM_CERT_PARSE_FORMAT_COMPLEX = $03; { void* }
+	CSSM_CERT_PARSE_FORMAT_OID_NAMED = $04; { CSSM_FIELDGROUP }
+	CSSM_CERT_PARSE_FORMAT_TUPLE = $05; { CSSM_TUPLE }
+	CSSM_CERT_PARSE_FORMAT_MULTIPLE = $7FFE;
+{ multiple forms, each cert carries a
+   parse format indicator }
+	CSSM_CERT_PARSE_FORMAT_LAST = $7FFF;
+{ Applications wishing to define their
+   own custom parse format should create
+   a * uint32 value greater than the
+   CSSM_CL_CUSTOM_CERT_PARSE_FORMAT }
+	CSSM_CL_CUSTOM_CERT_PARSE_FORMAT = $8000;
+
+type
+	CSSM_PARSED_CERT_PTR = ^cssm_parsed_cert;
+	CSSM_PARSED_CERTPtr = ^cssm_parsed_cert;
+	cssm_parsed_cert = record
+		CertType: CSSM_CERT_TYPE; { certificate type }
+		ParsedCertFormat: CSSM_CERT_PARSE_FORMAT;
+    { struct of ParsedCert }
+		ParsedCert: UnivPtr; { parsed cert (to be typecast) }
+	end;
+
+type
+	CSSM_CERT_PAIR_PTR = ^cssm_cert_pair;
+	CSSM_CERT_PAIRPtr = ^cssm_cert_pair;
+	cssm_cert_pair = record
+		EncodedCert: CSSM_ENCODED_CERT; { an encoded certificate blob }
+		ParsedCert: CSSM_PARSED_CERT; { equivalent parsed certificate }
+	end;
+
+type
+	CSSM_CERTGROUP_TYPE = UInt32;
+	CSSM_CERTGROUP_TYPE_PTR = ^UInt32;
+	CSSM_CERTGROUP_TYPEPtr = ^UInt32;
+const
+	CSSM_CERTGROUP_DATA = $00;
+	CSSM_CERTGROUP_ENCODED_CERT = $01;
+	CSSM_CERTGROUP_PARSED_CERT = $02;
+	CSSM_CERTGROUP_CERT_PAIR = $03;
+
+type
+  __EmbeddedGroupListType = record
+    case Integer of
+      0: (CertList: CSSM_DATA_PTR); { legacy list of single type certificate blobs }
+		  1: (EncodedCertList: CSSM_ENCODED_CERT_PTR);
+        { list of multi-type certificate blobs }
+		  2: (ParsedCertList: CSSM_PARSED_CERT_PTR);
+        { list of multi-type parsed certs }
+		  3: (PairCertList: CSSM_CERT_PAIR_PTR);
+        {list of single or multi-type certs with two representations: blob and parsed }
+	end;
+	cssm_certgroup = record
+		CertType: CSSM_CERT_TYPE;
+		CertEncoding: CSSM_CERT_ENCODING;
+		NumCerts: UInt32; { # of certificates in this list }
+    CertGroupType: __EmbeddedGroupListType;
+    { type of structure in the GroupList }
+    Reserved: UnivPtr; { reserved for implementation dependent use }
+  end;
+  cssm_certgroup_ptr = ^cssm_certgroup;
+  CSSM_certgroupPtr = ^cssm_certgroup;
+
+type
+	CSSM_BASE_CERTS_PTR = ^cssm_base_certs;
+	CSSM_BASE_CERTSPtr = ^cssm_base_certs;
+	cssm_base_certs = record
+		TPHandle: CSSM_TP_HANDLE;
+		CLHandle: CSSM_CL_HANDLE;
+		Certs: CSSM_CERTGROUP;
+	end;
+
+type
+	CSSM_ACCESS_CREDENTIALS_PTR = ^cssm_access_credentials;
+	CSSM_ACCESS_CREDENTIALSPtr = ^cssm_access_credentials;
+	cssm_access_credentials = record
+		EntryTag: CSSM_STRING;
+		BaseCerts: CSSM_BASE_CERTS;
+		Samples: CSSM_SAMPLEGROUP;
+		Callback: CSSM_CHALLENGE_CALLBACK;
+		CallerCtx: UnivPtr;
+	end;
+
+type
+	CSSM_ACL_SUBJECT_TYPE = SInt32;
+const
+	CSSM_ACL_SUBJECT_TYPE_ANY = CSSM_WORDID__STAR_;
+	CSSM_ACL_SUBJECT_TYPE_THRESHOLD = CSSM_WORDID_THRESHOLD;
+	CSSM_ACL_SUBJECT_TYPE_PASSWORD = CSSM_WORDID_PASSWORD;
+	CSSM_ACL_SUBJECT_TYPE_PROTECTED_PASSWORD = CSSM_WORDID_PROTECTED_PASSWORD;
+	CSSM_ACL_SUBJECT_TYPE_PROMPTED_PASSWORD = CSSM_WORDID_PROMPTED_PASSWORD;
+	CSSM_ACL_SUBJECT_TYPE_PUBLIC_KEY = CSSM_WORDID_PUBLIC_KEY;
+	CSSM_ACL_SUBJECT_TYPE_HASHED_SUBJECT = CSSM_WORDID_HASHED_SUBJECT;
+	CSSM_ACL_SUBJECT_TYPE_BIOMETRIC = CSSM_WORDID_BIOMETRIC;
+	CSSM_ACL_SUBJECT_TYPE_PROTECTED_BIOMETRIC = CSSM_WORDID_PROTECTED_BIOMETRIC;
+	CSSM_ACL_SUBJECT_TYPE_PROMPTED_BIOMETRIC = CSSM_WORDID_PROMPTED_BIOMETRIC;
+	CSSM_ACL_SUBJECT_TYPE_LOGIN_NAME = CSSM_WORDID_LOGIN_NAME;
+	CSSM_ACL_SUBJECT_TYPE_EXT_PAM_NAME = CSSM_WORDID_PAM_NAME;
+
+{ Authorization tag type }
+type
+	CSSM_ACL_AUTHORIZATION_TAG = SInt32;
+	CSSM_ACL_AUTHORIZATION_TAGPtr = ^CSSM_ACL_AUTHORIZATION_TAG;
+const
+{ All vendor specific constants must be in the number range
+	   starting at CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START }
+	CSSM_ACL_AUTHORIZATION_TAG_VENDOR_DEFINED_START = $00010000;
+	{ No restrictions. Permission to perform all operations on
+	   the resource or available to an ACL owner.  }
+	CSSM_ACL_AUTHORIZATION_ANY = CSSM_WORDID__STAR_;
+	{ Defined authorization tag values for CSPs }
+	CSSM_ACL_AUTHORIZATION_LOGIN = CSSM_WORDID_LOGIN;
+	CSSM_ACL_AUTHORIZATION_GENKEY = CSSM_WORDID_GENKEY;
+	CSSM_ACL_AUTHORIZATION_DELETE = CSSM_WORDID_DELETE;
+	CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED = CSSM_WORDID_EXPORT_WRAPPED;
+	CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR = CSSM_WORDID_EXPORT_CLEAR;
+	CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED = CSSM_WORDID_IMPORT_WRAPPED;
+	CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR = CSSM_WORDID_IMPORT_CLEAR;
+	CSSM_ACL_AUTHORIZATION_SIGN = CSSM_WORDID_SIGN;
+	CSSM_ACL_AUTHORIZATION_ENCRYPT = CSSM_WORDID_ENCRYPT;
+	CSSM_ACL_AUTHORIZATION_DECRYPT = CSSM_WORDID_DECRYPT;
+	CSSM_ACL_AUTHORIZATION_MAC = CSSM_WORDID_MAC;
+	CSSM_ACL_AUTHORIZATION_DERIVE = CSSM_WORDID_DERIVE;
+	{ Defined authorization tag values for DLs }
+	CSSM_ACL_AUTHORIZATION_DBS_CREATE = CSSM_WORDID_DBS_CREATE;
+	CSSM_ACL_AUTHORIZATION_DBS_DELETE = CSSM_WORDID_DBS_DELETE;
+	CSSM_ACL_AUTHORIZATION_DB_READ = CSSM_WORDID_DB_READ;
+	CSSM_ACL_AUTHORIZATION_DB_INSERT = CSSM_WORDID_DB_INSERT;
+	CSSM_ACL_AUTHORIZATION_DB_MODIFY = CSSM_WORDID_DB_MODIFY;
+	CSSM_ACL_AUTHORIZATION_DB_DELETE = CSSM_WORDID_DB_DELETE;
+
+type
+	CSSM_AUTHORIZATIONGROUP_PTR = ^cssm_authorizationgroup;
+	CSSM_AUTHORIZATIONGROUPPtr = ^cssm_authorizationgroup;
+	cssm_authorizationgroup = record
+		NumberOfAuthTags: UInt32;
+		AuthTags: CSSM_ACL_AUTHORIZATION_TAGPtr;
+	end;
+
+type
+	CSSM_ACL_VALIDITY_PERIOD_PTR = ^cssm_acl_validity_period;
+	CSSM_ACL_VALIDITY_PERIODPtr = ^cssm_acl_validity_period;
+	cssm_acl_validity_period = record
+		StartDate: CSSM_DATA;
+		EndDate: CSSM_DATA;
+	end;
+
+type
+	CSSM_ACL_ENTRY_PROTOTYPE_PTR = ^cssm_acl_entry_prototype;
+	CSSM_ACL_ENTRY_PROTOTYPEPtr = ^cssm_acl_entry_prototype;
+	cssm_acl_entry_prototype = record
+		TypedSubject: CSSM_LIST;
+		Delegate: CSSM_BOOL;
+		Authorization: CSSM_AUTHORIZATIONGROUP;
+		TimeRange: CSSM_ACL_VALIDITY_PERIOD;
+		EntryTag: CSSM_STRING;
+	end;
+
+type
+	CSSM_ACL_OWNER_PROTOTYPE_PTR = ^cssm_acl_owner_prototype;
+	CSSM_ACL_OWNER_PROTOTYPEPtr = ^cssm_acl_owner_prototype;
+	cssm_acl_owner_prototype = record
+		TypedSubject: CSSM_LIST;
+		Delegate: CSSM_BOOL;
+	end;
+
+type
+	CSSM_ACL_SUBJECT_CALLBACK = function( const (*var*) SubjectRequest: CSSM_LIST; SubjectResponse: CSSM_LIST_PTR; CallerContext: UnivPtr; const (*var*) MemFuncs: CSSM_MEMORY_FUNCS ): CSSM_RETURN;
+
+type
+	CSSM_ACL_ENTRY_INPUT_PTR = ^cssm_acl_entry_input;
+	CSSM_ACL_ENTRY_INPUTPtr = ^cssm_acl_entry_input;
+	cssm_acl_entry_input = record
+		Prototype: CSSM_ACL_ENTRY_PROTOTYPE;
+		Callback: CSSM_ACL_SUBJECT_CALLBACK;
+		CallerContext: UnivPtr;
+	end;
+
+type
+	CSSM_RESOURCE_CONTROL_CONTEXT_PTR = ^cssm_resource_control_context;
+	CSSM_RESOURCE_CONTROL_CONTEXTPtr = ^cssm_resource_control_context;
+	cssm_resource_control_context = record
+		AccessCred: CSSM_ACCESS_CREDENTIALS_PTR;
+		InitialAclEntry: CSSM_ACL_ENTRY_INPUT;
+	end;
+
+type
+	CSSM_ACL_HANDLE = CSSM_HANDLE;
+
+type
+	CSSM_ACL_ENTRY_INFO_PTR = ^cssm_acl_entry_info;
+	CSSM_ACL_ENTRY_INFOPtr = ^cssm_acl_entry_info;
+	cssm_acl_entry_info = record
+		EntryPublicInfo: CSSM_ACL_ENTRY_PROTOTYPE;
+		EntryHandle: CSSM_ACL_HANDLE;
+	end;
+
+type
+	CSSM_ACL_EDIT_MODE = UInt32;
+const
+	CSSM_ACL_EDIT_MODE_ADD = 1;
+	CSSM_ACL_EDIT_MODE_DELETE = 2;
+	CSSM_ACL_EDIT_MODE_REPLACE = 3;
+
+type
+	CSSM_ACL_EDIT_PTR = ^cssm_acl_edit;
+	CSSM_ACL_EDITPtr = ^cssm_acl_edit;
+	cssm_acl_edit = record
+		EditMode: CSSM_ACL_EDIT_MODE;
+		OldEntryHandle: CSSM_ACL_HANDLE;
+		NewEntry: {const} CSSM_ACL_ENTRY_INPUTPtr;
+	end;
+
+{$ifc defined(WIN32)}
+type
+	CSSM_PROC_ADDR = FARPROC;
+{$elsec}
+type
+	CSSM_PROC_ADDR = procedure;
+{$endc}
+  CSSM_PROC_ADDRPtr = ^CSSM_PROC_ADDR;
+type
+	CSSM_PROC_ADDR_PTR = CSSM_PROC_ADDRPtr;
+
+type
+	CSSM_FUNC_NAME_ADDR_PTR = ^cssm_func_name_addr;
+	CSSM_FUNC_NAME_ADDRPtr = ^cssm_func_name_addr;
+	cssm_func_name_addr = record
+		Name: CSSM_STRING;
+		Address: CSSM_PROC_ADDR;
+	end;
+
+
+{ Data Types for Cryptographic Services  }
+
+type
+	CSSM_DATE_PTR = ^cssm_date;
+	CSSM_DATEPtr = ^cssm_date;
+	cssm_date = record
+		Year: array [0..4-1] of UInt8;
+		Month: array [0..2-1] of UInt8;
+		Day: array [0..2-1] of UInt8;
+	end;
+
+type
+	CSSM_RANGE_PTR = ^cssm_range;
+	CSSM_RANGEPtr = ^cssm_range;
+	cssm_range = record
+		Min: UInt32; { inclusive minimum value }
+		Max: UInt32; { inclusive maximum value }
+	end;
+
+type
+	CSSM_QUERY_SIZE_DATA_PTR = ^cssm_query_size_data;
+	CSSM_QUERY_SIZE_DATAPtr = ^cssm_query_size_data;
+	cssm_query_size_data = record
+		SizeInputBlock: UInt32; { size of input data block }
+		SizeOutputBlock: UInt32; { size of resulting output data block }
+	end;
+
+type
+	CSSM_HEADERVERSION = UInt32;
+const
+	CSSM_KEYHEADER_VERSION = 2;
+
+type
+	CSSM_KEY_SIZE_PTR = ^cssm_key_size;
+	CSSM_KEY_SIZEPtr = ^cssm_key_size;
+	cssm_key_size = record
+		LogicalKeySizeInBits: UInt32; { Logical key size in bits }
+		EffectiveKeySizeInBits: UInt32; { Effective key size in bits }
+	end;
+
+type
+	CSSM_KEYBLOB_TYPE = UInt32;
+const
+	CSSM_KEYBLOB_RAW = 0; { The blob is a clear, raw key }
+	CSSM_KEYBLOB_REFERENCE = 2; { The blob is a reference to a key }
+	CSSM_KEYBLOB_WRAPPED = 3; { The blob is a wrapped RAW key }
+	CSSM_KEYBLOB_OTHER = $FFFFFFFF;
+
+type
+	CSSM_KEYBLOB_FORMAT = UInt32;
+const
+{ Raw Format }
+	CSSM_KEYBLOB_RAW_FORMAT_NONE = 0;
+	{ No further conversion need to be done }
+	CSSM_KEYBLOB_RAW_FORMAT_PKCS1 = 1; { RSA PKCS1 V1.5 }
+	CSSM_KEYBLOB_RAW_FORMAT_PKCS3 = 2; { RSA PKCS3 V1.5 }
+	CSSM_KEYBLOB_RAW_FORMAT_MSCAPI = 3; { Microsoft CAPI V2.0 }
+	CSSM_KEYBLOB_RAW_FORMAT_PGP = 4; { PGP V }
+	CSSM_KEYBLOB_RAW_FORMAT_FIPS186 = 5; { US Gov. FIPS 186 - DSS V }
+	CSSM_KEYBLOB_RAW_FORMAT_BSAFE = 6; { RSA Bsafe V3.0 }
+	CSSM_KEYBLOB_RAW_FORMAT_CCA = 9; { CCA clear public key blob }
+	CSSM_KEYBLOB_RAW_FORMAT_PKCS8 = 10; { RSA PKCS8 V1.2 }
+	CSSM_KEYBLOB_RAW_FORMAT_SPKI = 11; { SPKI Specification }
+	CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING = 12;
+	CSSM_KEYBLOB_RAW_FORMAT_OTHER = $FFFFFFFF; { Other, CSP defined }
+const
+{ Wrapped Format }
+	CSSM_KEYBLOB_WRAPPED_FORMAT_NONE = 0;
+	{ No further conversion need to be done }
+	CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS8 = 1; { RSA PKCS8 V1.2 }
+	CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS7 = 2;
+	CSSM_KEYBLOB_WRAPPED_FORMAT_MSCAPI = 3;
+	CSSM_KEYBLOB_WRAPPED_FORMAT_OTHER = $FFFFFFFF; { Other, CSP defined }
+const
+{ Reference Format }
+	CSSM_KEYBLOB_REF_FORMAT_INTEGER = 0;	{ Reference is a number or handle }
+	CSSM_KEYBLOB_REF_FORMAT_STRING = 1;	{ Reference is a string or label }
+	CSSM_KEYBLOB_REF_FORMAT_SPKI = 2;	{ Reference is an SPKI S-expression }
+												{ to be evaluated to locate the key }
+	CSSM_KEYBLOB_REF_FORMAT_OTHER = $FFFFFFFF;	{ Other, CSP defined }
+
+type
+	CSSM_KEYCLASS = UInt32;
+const
+	CSSM_KEYCLASS_PUBLIC_KEY = 0; { Key is public key }
+	CSSM_KEYCLASS_PRIVATE_KEY = 1; { Key is private key }
+	CSSM_KEYCLASS_SESSION_KEY = 2; { Key is session or symmetric key }
+	CSSM_KEYCLASS_SECRET_PART = 3; { Key is part of secret key }
+	CSSM_KEYCLASS_OTHER = $FFFFFFFF; { Other }
+
+type
+	CSSM_KEYATTR_FLAGS = UInt32;
+const
+{ Valid only during call to an API. Will never be valid when set in a key header }
+	CSSM_KEYATTR_RETURN_DEFAULT = $00000000;
+	CSSM_KEYATTR_RETURN_DATA = $10000000;
+	CSSM_KEYATTR_RETURN_REF = $20000000;
+	CSSM_KEYATTR_RETURN_NONE = $40000000;
+	{ Valid during an API call and in a key header }
+	CSSM_KEYATTR_PERMANENT = $00000001;
+	CSSM_KEYATTR_PRIVATE = $00000002;
+	CSSM_KEYATTR_MODIFIABLE = $00000004;
+	CSSM_KEYATTR_SENSITIVE = $00000008;
+	CSSM_KEYATTR_EXTRACTABLE = $00000020;
+	{ Valid only in a key header generated by a CSP, not valid during an API call }
+	CSSM_KEYATTR_ALWAYS_SENSITIVE = $00000010;
+	CSSM_KEYATTR_NEVER_EXTRACTABLE = $00000040;
+
+type
+	CSSM_KEYUSE = UInt32;
+const
+	CSSM_KEYUSE_ANY = $80000000;
+	CSSM_KEYUSE_ENCRYPT = $00000001;
+	CSSM_KEYUSE_DECRYPT = $00000002;
+	CSSM_KEYUSE_SIGN = $00000004;
+	CSSM_KEYUSE_VERIFY = $00000008;
+	CSSM_KEYUSE_SIGN_RECOVER = $00000010;
+	CSSM_KEYUSE_VERIFY_RECOVER = $00000020;
+	CSSM_KEYUSE_WRAP = $00000040;
+	CSSM_KEYUSE_UNWRAP = $00000080;
+	CSSM_KEYUSE_DERIVE = $00000100;
+
+type
+	CSSM_ALGORITHMS = UInt32;
+const
+	CSSM_ALGID_NONE = 0;
+	CSSM_ALGID_CUSTOM = CSSM_ALGID_NONE + 1;
+	CSSM_ALGID_DH = CSSM_ALGID_NONE + 2;
+	CSSM_ALGID_PH = CSSM_ALGID_NONE + 3;
+	CSSM_ALGID_KEA = CSSM_ALGID_NONE + 4;
+	CSSM_ALGID_MD2 = CSSM_ALGID_NONE + 5;
+	CSSM_ALGID_MD4 = CSSM_ALGID_NONE + 6;
+	CSSM_ALGID_MD5 = CSSM_ALGID_NONE + 7;
+	CSSM_ALGID_SHA1 = CSSM_ALGID_NONE + 8;
+	CSSM_ALGID_NHASH = CSSM_ALGID_NONE + 9;
+	CSSM_ALGID_HAVAL = CSSM_ALGID_NONE + 10;
+	CSSM_ALGID_RIPEMD = CSSM_ALGID_NONE + 11;
+	CSSM_ALGID_IBCHASH = CSSM_ALGID_NONE + 12;
+	CSSM_ALGID_RIPEMAC = CSSM_ALGID_NONE + 13;
+	CSSM_ALGID_DES = CSSM_ALGID_NONE + 14;
+	CSSM_ALGID_DESX = CSSM_ALGID_NONE + 15;
+	CSSM_ALGID_RDES = CSSM_ALGID_NONE + 16;
+	CSSM_ALGID_3DES_3KEY_EDE = CSSM_ALGID_NONE + 17;
+	CSSM_ALGID_3DES_2KEY_EDE = CSSM_ALGID_NONE + 18;
+	CSSM_ALGID_3DES_1KEY_EEE = CSSM_ALGID_NONE + 19;
+	CSSM_ALGID_3DES_3KEY = CSSM_ALGID_3DES_3KEY_EDE;
+	CSSM_ALGID_3DES_3KEY_EEE = CSSM_ALGID_NONE + 20;
+	CSSM_ALGID_3DES_2KEY = CSSM_ALGID_3DES_2KEY_EDE;
+	CSSM_ALGID_3DES_2KEY_EEE = CSSM_ALGID_NONE + 21;
+	CSSM_ALGID_3DES_1KEY = CSSM_ALGID_3DES_3KEY_EEE;
+	CSSM_ALGID_IDEA = CSSM_ALGID_NONE + 22;
+	CSSM_ALGID_RC2 = CSSM_ALGID_NONE + 23;
+	CSSM_ALGID_RC5 = CSSM_ALGID_NONE + 24;
+	CSSM_ALGID_RC4 = CSSM_ALGID_NONE + 25;
+	CSSM_ALGID_SEAL = CSSM_ALGID_NONE + 26;
+	CSSM_ALGID_CAST = CSSM_ALGID_NONE + 27;
+	CSSM_ALGID_BLOWFISH = CSSM_ALGID_NONE + 28;
+	CSSM_ALGID_SKIPJACK = CSSM_ALGID_NONE + 29;
+	CSSM_ALGID_LUCIFER = CSSM_ALGID_NONE + 30;
+	CSSM_ALGID_MADRYGA = CSSM_ALGID_NONE + 31;
+	CSSM_ALGID_FEAL = CSSM_ALGID_NONE + 32;
+	CSSM_ALGID_REDOC = CSSM_ALGID_NONE + 33;
+	CSSM_ALGID_REDOC3 = CSSM_ALGID_NONE + 34;
+	CSSM_ALGID_LOKI = CSSM_ALGID_NONE + 35;
+	CSSM_ALGID_KHUFU = CSSM_ALGID_NONE + 36;
+	CSSM_ALGID_KHAFRE = CSSM_ALGID_NONE + 37;
+	CSSM_ALGID_MMB = CSSM_ALGID_NONE + 38;
+	CSSM_ALGID_GOST = CSSM_ALGID_NONE + 39;
+	CSSM_ALGID_SAFER = CSSM_ALGID_NONE + 40;
+	CSSM_ALGID_CRAB = CSSM_ALGID_NONE + 41;
+	CSSM_ALGID_RSA = CSSM_ALGID_NONE + 42;
+	CSSM_ALGID_DSA = CSSM_ALGID_NONE + 43;
+	CSSM_ALGID_MD5WithRSA = CSSM_ALGID_NONE + 44;
+	CSSM_ALGID_MD2WithRSA = CSSM_ALGID_NONE + 45;
+	CSSM_ALGID_ElGamal = CSSM_ALGID_NONE + 46;
+	CSSM_ALGID_MD2Random = CSSM_ALGID_NONE + 47;
+	CSSM_ALGID_MD5Random = CSSM_ALGID_NONE + 48;
+	CSSM_ALGID_SHARandom = CSSM_ALGID_NONE + 49;
+	CSSM_ALGID_DESRandom = CSSM_ALGID_NONE + 50;
+	CSSM_ALGID_SHA1WithRSA = CSSM_ALGID_NONE + 51;
+	CSSM_ALGID_CDMF = CSSM_ALGID_NONE + 52;
+	CSSM_ALGID_CAST3 = CSSM_ALGID_NONE + 53;
+	CSSM_ALGID_CAST5 = CSSM_ALGID_NONE + 54;
+	CSSM_ALGID_GenericSecret = CSSM_ALGID_NONE + 55;
+	CSSM_ALGID_ConcatBaseAndKey = CSSM_ALGID_NONE + 56;
+	CSSM_ALGID_ConcatKeyAndBase = CSSM_ALGID_NONE + 57;
+	CSSM_ALGID_ConcatBaseAndData = CSSM_ALGID_NONE + 58;
+	CSSM_ALGID_ConcatDataAndBase = CSSM_ALGID_NONE + 59;
+	CSSM_ALGID_XORBaseAndData = CSSM_ALGID_NONE + 60;
+	CSSM_ALGID_ExtractFromKey = CSSM_ALGID_NONE + 61;
+	CSSM_ALGID_SSL3PreMasterGen = CSSM_ALGID_NONE + 62;
+	CSSM_ALGID_SSL3MasterDerive = CSSM_ALGID_NONE + 63;
+	CSSM_ALGID_SSL3KeyAndMacDerive = CSSM_ALGID_NONE + 64;
+	CSSM_ALGID_SSL3MD5_MAC = CSSM_ALGID_NONE + 65;
+	CSSM_ALGID_SSL3SHA1_MAC = CSSM_ALGID_NONE + 66;
+	CSSM_ALGID_PKCS5_PBKDF1_MD5 = CSSM_ALGID_NONE + 67;
+	CSSM_ALGID_PKCS5_PBKDF1_MD2 = CSSM_ALGID_NONE + 68;
+	CSSM_ALGID_PKCS5_PBKDF1_SHA1 = CSSM_ALGID_NONE + 69;
+	CSSM_ALGID_WrapLynks = CSSM_ALGID_NONE + 70;
+	CSSM_ALGID_WrapSET_OAEP = CSSM_ALGID_NONE + 71;
+	CSSM_ALGID_BATON = CSSM_ALGID_NONE + 72;
+	CSSM_ALGID_ECDSA = CSSM_ALGID_NONE + 73;
+	CSSM_ALGID_MAYFLY = CSSM_ALGID_NONE + 74;
+	CSSM_ALGID_JUNIPER = CSSM_ALGID_NONE + 75;
+	CSSM_ALGID_FASTHASH = CSSM_ALGID_NONE + 76;
+	CSSM_ALGID_3DES = CSSM_ALGID_NONE + 77;
+	CSSM_ALGID_SSL3MD5 = CSSM_ALGID_NONE + 78;
+	CSSM_ALGID_SSL3SHA1 = CSSM_ALGID_NONE + 79;
+	CSSM_ALGID_FortezzaTimestamp = CSSM_ALGID_NONE + 80;
+	CSSM_ALGID_SHA1WithDSA = CSSM_ALGID_NONE + 81;
+	CSSM_ALGID_SHA1WithECDSA = CSSM_ALGID_NONE + 82;
+	CSSM_ALGID_DSA_BSAFE = CSSM_ALGID_NONE + 83;
+	CSSM_ALGID_ECDH = CSSM_ALGID_NONE + 84;
+	CSSM_ALGID_ECMQV = CSSM_ALGID_NONE + 85;
+	CSSM_ALGID_PKCS12_SHA1_PBE = CSSM_ALGID_NONE + 86;
+	CSSM_ALGID_ECNRA = CSSM_ALGID_NONE + 87;
+	CSSM_ALGID_SHA1WithECNRA = CSSM_ALGID_NONE + 88;
+	CSSM_ALGID_ECES = CSSM_ALGID_NONE + 89;
+	CSSM_ALGID_ECAES = CSSM_ALGID_NONE + 90;
+	CSSM_ALGID_SHA1HMAC = CSSM_ALGID_NONE + 91;
+	CSSM_ALGID_FIPS186Random = CSSM_ALGID_NONE + 92;
+	CSSM_ALGID_ECC = CSSM_ALGID_NONE + 93;
+	CSSM_ALGID_MQV = CSSM_ALGID_NONE + 94;
+	CSSM_ALGID_NRA = CSSM_ALGID_NONE + 95;
+	CSSM_ALGID_IntelPlatformRandom = CSSM_ALGID_NONE + 96;
+	CSSM_ALGID_UTC = CSSM_ALGID_NONE + 97;
+	CSSM_ALGID_HAVAL3 = CSSM_ALGID_NONE + 98;
+	CSSM_ALGID_HAVAL4 = CSSM_ALGID_NONE + 99;
+	CSSM_ALGID_HAVAL5 = CSSM_ALGID_NONE + 100;
+	CSSM_ALGID_TIGER = CSSM_ALGID_NONE + 101;
+	CSSM_ALGID_MD5HMAC = CSSM_ALGID_NONE + 102;
+	CSSM_ALGID_PKCS5_PBKDF2 = CSSM_ALGID_NONE + 103;
+	CSSM_ALGID_RUNNING_COUNTER = CSSM_ALGID_NONE + 104;
+	CSSM_ALGID_LAST = CSSM_ALGID_NONE + $7FFFFFFF;
+{ All algorithms IDs that are vendor specific, and not
+   part of the CSSM specification should be defined relative
+   to CSSM_ALGID_VENDOR_DEFINED. }
+	CSSM_ALGID_VENDOR_DEFINED = CSSM_ALGID_NONE + $80000000;
+
+type
+	CSSM_ENCRYPT_MODE = UInt32;
+const
+	CSSM_ALGMODE_NONE = 0;
+	CSSM_ALGMODE_CUSTOM = CSSM_ALGMODE_NONE + 1;
+	CSSM_ALGMODE_ECB = CSSM_ALGMODE_NONE + 2;
+	CSSM_ALGMODE_ECBPad = CSSM_ALGMODE_NONE + 3;
+	CSSM_ALGMODE_CBC = CSSM_ALGMODE_NONE + 4;
+	CSSM_ALGMODE_CBC_IV8 = CSSM_ALGMODE_NONE + 5;
+	CSSM_ALGMODE_CBCPadIV8 = CSSM_ALGMODE_NONE + 6;
+	CSSM_ALGMODE_CFB = CSSM_ALGMODE_NONE + 7;
+	CSSM_ALGMODE_CFB_IV8 = CSSM_ALGMODE_NONE + 8;
+	CSSM_ALGMODE_CFBPadIV8 = CSSM_ALGMODE_NONE + 9;
+	CSSM_ALGMODE_OFB = CSSM_ALGMODE_NONE + 10;
+	CSSM_ALGMODE_OFB_IV8 = CSSM_ALGMODE_NONE + 11;
+	CSSM_ALGMODE_OFBPadIV8 = CSSM_ALGMODE_NONE + 12;
+	CSSM_ALGMODE_COUNTER = CSSM_ALGMODE_NONE + 13;
+	CSSM_ALGMODE_BC = CSSM_ALGMODE_NONE + 14;
+	CSSM_ALGMODE_PCBC = CSSM_ALGMODE_NONE + 15;
+	CSSM_ALGMODE_CBCC = CSSM_ALGMODE_NONE + 16;
+	CSSM_ALGMODE_OFBNLF = CSSM_ALGMODE_NONE + 17;
+	CSSM_ALGMODE_PBC = CSSM_ALGMODE_NONE + 18;
+	CSSM_ALGMODE_PFB = CSSM_ALGMODE_NONE + 19;
+	CSSM_ALGMODE_CBCPD = CSSM_ALGMODE_NONE + 20;
+	CSSM_ALGMODE_PUBLIC_KEY = CSSM_ALGMODE_NONE + 21;
+	CSSM_ALGMODE_PRIVATE_KEY = CSSM_ALGMODE_NONE + 22;
+	CSSM_ALGMODE_SHUFFLE = CSSM_ALGMODE_NONE + 23;
+	CSSM_ALGMODE_ECB64 = CSSM_ALGMODE_NONE + 24;
+	CSSM_ALGMODE_CBC64 = CSSM_ALGMODE_NONE + 25;
+	CSSM_ALGMODE_OFB64 = CSSM_ALGMODE_NONE + 26;
+	CSSM_ALGMODE_CFB32 = CSSM_ALGMODE_NONE + 28;
+	CSSM_ALGMODE_CFB16 = CSSM_ALGMODE_NONE + 29;
+	CSSM_ALGMODE_CFB8 = CSSM_ALGMODE_NONE + 30;
+	CSSM_ALGMODE_WRAP = CSSM_ALGMODE_NONE + 31;
+	CSSM_ALGMODE_PRIVATE_WRAP = CSSM_ALGMODE_NONE + 32;
+	CSSM_ALGMODE_RELAYX = CSSM_ALGMODE_NONE + 33;
+	CSSM_ALGMODE_ECB128 = CSSM_ALGMODE_NONE + 34;
+	CSSM_ALGMODE_ECB96 = CSSM_ALGMODE_NONE + 35;
+	CSSM_ALGMODE_CBC128 = CSSM_ALGMODE_NONE + 36;
+	CSSM_ALGMODE_OAEP_HASH = CSSM_ALGMODE_NONE + 37;
+	CSSM_ALGMODE_PKCS1_EME_V15 = CSSM_ALGMODE_NONE + 38;
+	CSSM_ALGMODE_PKCS1_EME_OAEP = CSSM_ALGMODE_NONE + 39;
+	CSSM_ALGMODE_PKCS1_EMSA_V15 = CSSM_ALGMODE_NONE + 40;
+	CSSM_ALGMODE_ISO_9796 = CSSM_ALGMODE_NONE + 41;
+	CSSM_ALGMODE_X9_31 = CSSM_ALGMODE_NONE + 42;
+	CSSM_ALGMODE_LAST = CSSM_ALGMODE_NONE + $7FFFFFFF;
+{ All algorithms modes that are vendor specific, and
+   not part of the CSSM specification should be defined
+   relative to CSSM_ALGMODE_VENDOR_DEFINED. }
+	CSSM_ALGMODE_VENDOR_DEFINED = CSSM_ALGMODE_NONE + $80000000;
+
+type
+	CSSM_KEYHEADER_PTR = ^cssm_keyheader;
+	CSSM_KEYHEADERPtr = ^cssm_keyheader;
+	cssm_keyheader = record
+		HeaderVersion: CSSM_HEADERVERSION; { Key header version }
+		CspId: CSSM_GUID; { GUID of CSP generating the key }
+		BlobType: CSSM_KEYBLOB_TYPE; { See BlobType enum }
+		Format: CSSM_KEYBLOB_FORMAT; { Raw or Reference format }
+		AlgorithmId: CSSM_ALGORITHMS; { Algorithm ID of key }
+		KeyClass: CSSM_KEYCLASS; { Public/Private/Secret, etc. }
+		LogicalKeySizeInBits: UInt32; { Logical key size in bits }
+		KeyAttr: CSSM_KEYATTR_FLAGS; { Attribute flags }
+		KeyUsage: CSSM_KEYUSE; { Key use flags }
+		StartDate: CSSM_DATE; { Effective date of key }
+		EndDate: CSSM_DATE; { Expiration date of key }
+		WrapAlgorithmId: CSSM_ALGORITHMS; { == CSSM_ALGID_NONE if clear key }
+		WrapMode: CSSM_ENCRYPT_MODE; { if alg supports multiple wrapping modes }
+		Reserved: UInt32;
+	end;
+
+type
+	CSSM_KEY_PTR = ^cssm_key;
+	CSSM_KEYPtr = ^cssm_key;
+	cssm_key = record
+		KeyHeader: CSSM_KEYHEADER; { Fixed length key header }
+		KeyData: CSSM_DATA; { Variable length key data }
+	end;
+
+type
+	CSSM_WRAP_KEY = CSSM_KEY;
+	CSSM_WRAP_KEY_PTR = ^CSSM_KEY;
+	CSSM_WRAP_KEYPtr = ^CSSM_KEY;
+
+type
+	CSSM_CSPTYPE = UInt32;
+const
+	CSSM_CSP_SOFTWARE = 1;
+	CSSM_CSP_HARDWARE = CSSM_CSP_SOFTWARE + 1;
+	CSSM_CSP_HYBRID = CSSM_CSP_SOFTWARE + 2;
+
+{ From DL. }
+type
+	CSSM_DL_DB_HANDLE_PTR = ^cssm_dl_db_handle;
+	CSSM_DL_DB_HANDLEPtr = ^cssm_dl_db_handle;
+	cssm_dl_db_handle = record
+		DLHandle: CSSM_DL_HANDLE;
+		DBHandle: CSSM_DB_HANDLE;
+	end;
+
+type
+	CSSM_CONTEXT_TYPE = UInt32;
+const
+	CSSM_ALGCLASS_NONE = 0;
+	CSSM_ALGCLASS_CUSTOM = CSSM_ALGCLASS_NONE + 1;
+	CSSM_ALGCLASS_SIGNATURE = CSSM_ALGCLASS_NONE + 2;
+	CSSM_ALGCLASS_SYMMETRIC = CSSM_ALGCLASS_NONE + 3;
+	CSSM_ALGCLASS_DIGEST = CSSM_ALGCLASS_NONE + 4;
+	CSSM_ALGCLASS_RANDOMGEN = CSSM_ALGCLASS_NONE + 5;
+	CSSM_ALGCLASS_UNIQUEGEN = CSSM_ALGCLASS_NONE + 6;
+	CSSM_ALGCLASS_MAC = CSSM_ALGCLASS_NONE + 7;
+	CSSM_ALGCLASS_ASYMMETRIC = CSSM_ALGCLASS_NONE + 8;
+	CSSM_ALGCLASS_KEYGEN = CSSM_ALGCLASS_NONE + 9;
+	CSSM_ALGCLASS_DERIVEKEY = CSSM_ALGCLASS_NONE + 10;
+
+{ Attribute data type tags }
+const
+	CSSM_ATTRIBUTE_DATA_NONE = $00000000;
+	CSSM_ATTRIBUTE_DATA_UINT32 = $10000000;
+	CSSM_ATTRIBUTE_DATA_CSSM_DATA = $20000000;
+	CSSM_ATTRIBUTE_DATA_CRYPTO_DATA = $30000000;
+	CSSM_ATTRIBUTE_DATA_KEY = $40000000;
+	CSSM_ATTRIBUTE_DATA_STRING = $50000000;
+	CSSM_ATTRIBUTE_DATA_DATE = $60000000;
+	CSSM_ATTRIBUTE_DATA_RANGE = $70000000;
+	CSSM_ATTRIBUTE_DATA_ACCESS_CREDENTIALS = $80000000;
+	CSSM_ATTRIBUTE_DATA_VERSION = $01000000;
+	CSSM_ATTRIBUTE_DATA_DL_DB_HANDLE = $02000000;
+	CSSM_ATTRIBUTE_DATA_KR_PROFILE = $03000000;
+	CSSM_ATTRIBUTE_TYPE_MASK = $FF000000;
+
+type
+	CSSM_ATTRIBUTE_TYPE = UInt32;
+const
+	CSSM_ATTRIBUTE_NONE = 0;
+	CSSM_ATTRIBUTE_CUSTOM = CSSM_ATTRIBUTE_DATA_CSSM_DATA or 1;
+	CSSM_ATTRIBUTE_DESCRIPTION = CSSM_ATTRIBUTE_DATA_STRING or 2;
+	CSSM_ATTRIBUTE_KEY = CSSM_ATTRIBUTE_DATA_KEY or 3;
+	CSSM_ATTRIBUTE_INIT_VECTOR = CSSM_ATTRIBUTE_DATA_CSSM_DATA or 4;
+	CSSM_ATTRIBUTE_SALT = CSSM_ATTRIBUTE_DATA_CSSM_DATA or 5;
+	CSSM_ATTRIBUTE_PADDING = CSSM_ATTRIBUTE_DATA_UINT32 or 6;
+	CSSM_ATTRIBUTE_RANDOM = CSSM_ATTRIBUTE_DATA_CSSM_DATA or 7;
+	CSSM_ATTRIBUTE_SEED = CSSM_ATTRIBUTE_DATA_CRYPTO_DATA or 8;
+	CSSM_ATTRIBUTE_PASSPHRASE = CSSM_ATTRIBUTE_DATA_CRYPTO_DATA or 9;
+	CSSM_ATTRIBUTE_KEY_LENGTH = CSSM_ATTRIBUTE_DATA_UINT32 or 10;
+	CSSM_ATTRIBUTE_KEY_LENGTH_RANGE = CSSM_ATTRIBUTE_DATA_RANGE or 11;
+	CSSM_ATTRIBUTE_BLOCK_SIZE = CSSM_ATTRIBUTE_DATA_UINT32 or 12;
+	CSSM_ATTRIBUTE_OUTPUT_SIZE = CSSM_ATTRIBUTE_DATA_UINT32 or 13;
+	CSSM_ATTRIBUTE_ROUNDS = CSSM_ATTRIBUTE_DATA_UINT32 or 14;
+	CSSM_ATTRIBUTE_IV_SIZE = CSSM_ATTRIBUTE_DATA_UINT32 or 15;
+	CSSM_ATTRIBUTE_ALG_PARAMS = CSSM_ATTRIBUTE_DATA_CSSM_DATA or 16;
+	CSSM_ATTRIBUTE_LABEL = CSSM_ATTRIBUTE_DATA_CSSM_DATA or 17;
+	CSSM_ATTRIBUTE_KEY_TYPE = CSSM_ATTRIBUTE_DATA_UINT32 or 18;
+	CSSM_ATTRIBUTE_MODE = CSSM_ATTRIBUTE_DATA_UINT32 or 19;
+	CSSM_ATTRIBUTE_EFFECTIVE_BITS = CSSM_ATTRIBUTE_DATA_UINT32 or 20;
+	CSSM_ATTRIBUTE_START_DATE = CSSM_ATTRIBUTE_DATA_DATE or 21;
+	CSSM_ATTRIBUTE_END_DATE = CSSM_ATTRIBUTE_DATA_DATE or 22;
+	CSSM_ATTRIBUTE_KEYUSAGE = CSSM_ATTRIBUTE_DATA_UINT32 or 23;
+	CSSM_ATTRIBUTE_KEYATTR = CSSM_ATTRIBUTE_DATA_UINT32 or 24;
+	CSSM_ATTRIBUTE_VERSION = CSSM_ATTRIBUTE_DATA_VERSION or 25;
+	CSSM_ATTRIBUTE_PRIME = CSSM_ATTRIBUTE_DATA_CSSM_DATA or 26;
+	CSSM_ATTRIBUTE_BASE = CSSM_ATTRIBUTE_DATA_CSSM_DATA or 27;
+	CSSM_ATTRIBUTE_SUBPRIME = CSSM_ATTRIBUTE_DATA_CSSM_DATA or 28;
+	CSSM_ATTRIBUTE_ALG_ID = CSSM_ATTRIBUTE_DATA_UINT32 or 29;
+	CSSM_ATTRIBUTE_ITERATION_COUNT = CSSM_ATTRIBUTE_DATA_UINT32 or 30;
+	CSSM_ATTRIBUTE_ROUNDS_RANGE = CSSM_ATTRIBUTE_DATA_RANGE or 31;
+	CSSM_ATTRIBUTE_KRPROFILE_LOCAL = CSSM_ATTRIBUTE_DATA_KR_PROFILE or 32;
+	CSSM_ATTRIBUTE_KRPROFILE_REMOTE = CSSM_ATTRIBUTE_DATA_KR_PROFILE or 33;
+	CSSM_ATTRIBUTE_CSP_HANDLE = CSSM_ATTRIBUTE_DATA_UINT32 or 34;
+	CSSM_ATTRIBUTE_DL_DB_HANDLE = CSSM_ATTRIBUTE_DATA_DL_DB_HANDLE or 35;
+	CSSM_ATTRIBUTE_ACCESS_CREDENTIALS = CSSM_ATTRIBUTE_DATA_ACCESS_CREDENTIALS or 36;
+	CSSM_ATTRIBUTE_PUBLIC_KEY_FORMAT = CSSM_ATTRIBUTE_DATA_UINT32 or 37;
+	CSSM_ATTRIBUTE_PRIVATE_KEY_FORMAT = CSSM_ATTRIBUTE_DATA_UINT32 or 38;
+	CSSM_ATTRIBUTE_SYMMETRIC_KEY_FORMAT = CSSM_ATTRIBUTE_DATA_UINT32 or 39;
+	CSSM_ATTRIBUTE_WRAPPED_KEY_FORMAT = CSSM_ATTRIBUTE_DATA_UINT32 or 40;
+
+type
+	CSSM_PADDING = UInt32;
+const
+	CSSM_PADDING_NONE = 0;
+	CSSM_PADDING_CUSTOM = CSSM_PADDING_NONE + 1;
+	CSSM_PADDING_ZERO = CSSM_PADDING_NONE + 2;
+	CSSM_PADDING_ONE = CSSM_PADDING_NONE + 3;
+	CSSM_PADDING_ALTERNATE = CSSM_PADDING_NONE + 4;
+	CSSM_PADDING_FF = CSSM_PADDING_NONE + 5;
+	CSSM_PADDING_PKCS5 = CSSM_PADDING_NONE + 6;
+	CSSM_PADDING_PKCS7 = CSSM_PADDING_NONE + 7;
+	CSSM_PADDING_CIPHERSTEALING = CSSM_PADDING_NONE + 8;
+	CSSM_PADDING_RANDOM = CSSM_PADDING_NONE + 9;
+	CSSM_PADDING_PKCS1 = CSSM_PADDING_NONE + 10;
+{ All padding types that are vendor specific, and not
+   part of the CSSM specification should be defined
+   relative to CSSM_PADDING_VENDOR_DEFINED. }
+	CSSM_PADDING_VENDOR_DEFINED = CSSM_PADDING_NONE + $80000000;
+
+type
+	CSSM_KEY_TYPE = CSSM_ALGORITHMS;
+
+type
+  __embedded_cssm_context_attribute = record
+		case Integer of
+		  0: (String_: CStringPtr);
+		  1: (Uint32: UInt32_fix);
+  		2: (AccessCredentials: CSSM_ACCESS_CREDENTIALS_PTR);
+		  3: (Key: CSSM_KEY_PTR);
+		  4: (Data: CSSM_DATA_PTR);
+		  5: (Padding: CSSM_PADDING);
+		  6: (Date: CSSM_DATE_PTR);
+		  7: (Range: CSSM_RANGE_PTR);
+		  8: (CryptoData: CSSM_CRYPTO_DATA_PTR);
+  		9: (Version: CSSM_VERSION_PTR);
+		  10: (DLDBHandle: CSSM_DL_DB_HANDLE_PTR);
+  		11: (KRProfile: UnivPtr {cssm_kr_profile_ptr});
+  end;
+  
+  CSSM_CONTEXT_ATTRIBUTE_PTR = ^cssm_context_attribute;
+  CSSM_CONTEXT_ATTRIBUTEPtr = ^cssm_context_attribute;
+	cssm_context_attribute = record
+		AttributeType: CSSM_ATTRIBUTE_TYPE;
+		AttributeLength: UInt32;
+		Attribute: __embedded_cssm_context_attribute;
+	end;
+
+type
+	CSSM_CONTEXT_PTR = ^cssm_context;
+	CSSM_CONTEXTPtr = ^cssm_context;
+	cssm_context = record
+		ContextType: CSSM_CONTEXT_TYPE;
+		AlgorithmType: CSSM_ALGORITHMS;
+		NumberOfAttributes: UInt32;
+		ContextAttributes: CSSM_CONTEXT_ATTRIBUTE_PTR;
+		CSPHandle: CSSM_CSP_HANDLE;
+		Privileged: CSSM_BOOL;
+	  EncryptionProhibited: uint32 {CSSM_KR_POLICY_FLAGS} ;
+		WorkFactor: UInt32;
+		Reserved: UInt32;	{ reserved for future use }
+	end;
+
+type
+	CSSM_SC_FLAGS = UInt32;
+const
+	CSSM_CSP_TOK_RNG = $00000001;
+	CSSM_CSP_TOK_CLOCK_EXISTS = $00000040;
+
+type
+	CSSM_CSP_READER_FLAGS = UInt32;
+const
+	CSSM_CSP_RDR_TOKENPRESENT = $00000001;
+	{ Token is present in reader/slot }
+	CSSM_CSP_RDR_EXISTS = $00000002;
+	{ Device is a reader with a
+	   removable token }
+	CSSM_CSP_RDR_HW = $00000004;
+	{ Slot is a hardware slot }
+
+type
+	CSSM_CSP_FLAGS = UInt32;
+const
+	CSSM_CSP_TOK_WRITE_PROTECTED = $00000002;
+	CSSM_CSP_TOK_LOGIN_REQUIRED = $00000004;
+	CSSM_CSP_TOK_USER_PIN_INITIALIZED = $00000008;
+	CSSM_CSP_TOK_PROT_AUTHENTICATION = $00000100;
+	CSSM_CSP_TOK_USER_PIN_EXPIRED = $00100000;
+	CSSM_CSP_TOK_SESSION_KEY_PASSWORD = $00200000;
+	CSSM_CSP_TOK_PRIVATE_KEY_PASSWORD = $00400000;
+	CSSM_CSP_STORES_PRIVATE_KEYS = $01000000;
+	CSSM_CSP_STORES_PUBLIC_KEYS = $02000000;
+	CSSM_CSP_STORES_SESSION_KEYS = $04000000;
+	CSSM_CSP_STORES_CERTIFICATES = $08000000;
+	CSSM_CSP_STORES_GENERIC = $10000000;
+
+type
+	CSSM_PKCS_OAEP_MGF = UInt32;
+const
+	CSSM_PKCS_OAEP_MGF_NONE = 0;
+	CSSM_PKCS_OAEP_MGF1_SHA1 = CSSM_PKCS_OAEP_MGF_NONE + 1;
+	CSSM_PKCS_OAEP_MGF1_MD5 = CSSM_PKCS_OAEP_MGF_NONE + 2;
+
+type
+	CSSM_PKCS_OAEP_PSOURCE = UInt32;
+const
+	CSSM_PKCS_OAEP_PSOURCE_NONE = 0;
+	CSSM_PKCS_OAEP_PSOURCE_Pspecified = CSSM_PKCS_OAEP_PSOURCE_NONE + 1;
+
+type
+	CSSM_PKCS1_OAEP_PARAMS_PTR = ^cssm_pkcs1_oaep_params;
+	CSSM_PKCS1_OAEP_PARAMSPtr = ^cssm_pkcs1_oaep_params;
+	cssm_pkcs1_oaep_params = record
+		HashAlgorithm: UInt32;
+		HashParams: CSSM_DATA;
+		MGF: CSSM_PKCS_OAEP_MGF;
+		MGFParams: CSSM_DATA;
+		PSource: CSSM_PKCS_OAEP_PSOURCE;
+		PSourceParams: CSSM_DATA;
+	end;
+
+type
+	CSSM_CSP_OPERATIONAL_STATISTICS_PTR = ^cssm_csp_operational_statistics;
+	CSSM_CSP_OPERATIONAL_STATISTICSPtr = ^cssm_csp_operational_statistics;
+	cssm_csp_operational_statistics = record
+		UserAuthenticated: CSSM_BOOL;
+    { CSSM_TRUE if the user is logged in to the token, CSSM_FALSE otherwise. }
+		DeviceFlags: CSSM_CSP_FLAGS;
+		TokenMaxSessionCount: UInt32; { Exported by Cryptoki modules. }
+		TokenOpenedSessionCount: UInt32;
+		TokenMaxRWSessionCount: UInt32;
+		TokenOpenedRWSessionCount: UInt32;
+		TokenTotalPublicMem: UInt32; { Storage space statistics. }
+		TokenFreePublicMem: UInt32;
+		TokenTotalPrivateMem: UInt32;
+		TokenFreePrivateMem: UInt32;
+	end;
+
+{ Indicates that the statistical value can not be revealed or is not
+   relevant for a CSP }
+const
+	CSSM_VALUE_NOT_AVAILABLE = $FFFFFFFF;
+
+type
+	CSSM_PKCS5_PBKDF1_PARAMS_PTR = ^cssm_pkcs5_pbkdf1_params;
+	CSSM_PKCS5_PBKDF1_PARAMSPtr = ^cssm_pkcs5_pbkdf1_params;
+	cssm_pkcs5_pbkdf1_params = record
+		Passphrase: CSSM_DATA;
+		InitVector: CSSM_DATA;
+	end;
+
+type
+	CSSM_PKCS5_PBKDF2_PRF = UInt32;
+const
+	CSSM_PKCS5_PBKDF2_PRF_HMAC_SHA1 = 0;
+
+type
+	CSSM_PKCS5_PBKDF2_PARAMS_PTR = ^cssm_pkcs5_pbkdf2_params;
+	CSSM_PKCS5_PBKDF2_PARAMSPtr = ^cssm_pkcs5_pbkdf2_params;
+	cssm_pkcs5_pbkdf2_params = record
+		Passphrase: CSSM_DATA;
+		PseudoRandomFunction: CSSM_PKCS5_PBKDF2_PRF;
+	end;
+
+type
+	CSSM_KEA_DERIVE_PARAMS_PTR = ^cssm_kea_derive_params;
+	CSSM_KEA_DERIVE_PARAMSPtr = ^cssm_kea_derive_params;
+	cssm_kea_derive_params = record
+		Rb: CSSM_DATA;
+		Yb: CSSM_DATA;
+	end;
+
+
+{ Data Types for Trust Policy Services  }
+
+type
+	CSSM_TP_AUTHORITY_ID_PTR = ^cssm_tp_authority_id;
+	CSSM_TP_AUTHORITY_IDPtr = ^cssm_tp_authority_id;
+	cssm_tp_authority_id = record
+		AuthorityCert: CSSM_DATAPtr;
+		AuthorityLocation: CSSM_NET_ADDRESS_PTR;
+	end;
+
+type
+	CSSM_TP_AUTHORITY_REQUEST_TYPE = UInt32;
+	CSSM_TP_AUTHORITY_REQUEST_TYPE_PTR = ^UInt32;
+	CSSM_TP_AUTHORITY_REQUEST_TYPEPtr = ^UInt32;
+const
+	CSSM_TP_AUTHORITY_REQUEST_CERTISSUE = $01;
+	CSSM_TP_AUTHORITY_REQUEST_CERTREVOKE = $02;
+	CSSM_TP_AUTHORITY_REQUEST_CERTSUSPEND = $03;
+	CSSM_TP_AUTHORITY_REQUEST_CERTRESUME = $04;
+	CSSM_TP_AUTHORITY_REQUEST_CERTVERIFY = $05;
+	CSSM_TP_AUTHORITY_REQUEST_CERTNOTARIZE = $06;
+	CSSM_TP_AUTHORITY_REQUEST_CERTUSERECOVER = $07;
+	CSSM_TP_AUTHORITY_REQUEST_CRLISSUE = $100;
+
+type
+	CSSM_TP_VERIFICATION_RESULTS_CALLBACK = function( ModuleHandle: CSSM_MODULE_HANDLE; CallerCtx: UnivPtr; VerifiedCert: CSSM_DATA_PTR ): CSSM_RETURN;
+
+{ From CL }
+type
+	CSSM_OID = CSSM_DATA;
+	CSSM_OID_PTR = ^CSSM_DATA;
+	CSSM_OIDPtr = ^CSSM_DATA;
+
+type
+	CSSM_FIELD_PTR = ^cssm_field;
+	CSSM_FIELDPtr = ^cssm_field;
+	cssm_field = record
+		FieldOid: CSSM_OID;
+		FieldValue: CSSM_DATA;
+	end;
+
+{ TP Again. }
+type
+	CSSM_TP_POLICYINFO_PTR = ^cssm_tp_policyinfo;
+	CSSM_TP_POLICYINFOPtr = ^cssm_tp_policyinfo;
+	cssm_tp_policyinfo = record
+		NumberOfPolicyIds: UInt32;
+		PolicyIds: CSSM_FIELD_PTR;
+		PolicyControl: UnivPtr;
+	end;
+
+type
+	CSSM_TP_SERVICES = UInt32;
+const
+{ bit masks for additional Authority services available through TP }
+	CSSM_TP_KEY_ARCHIVE = $0001; { archive cert & keys }
+	CSSM_TP_CERT_PUBLISH = $0002; { register cert in directory }
+	CSSM_TP_CERT_NOTIFY_RENEW = $0004; { notify at renewal time }
+	CSSM_TP_CERT_DIR_UPDATE = $0008; { update cert registry entry }
+	CSSM_TP_CRL_DISTRIBUTE = $0010; { push CRL to everyone }
+
+type
+	CSSM_TP_ACTION = UInt32;
+const
+	CSSM_TP_ACTION_DEFAULT = 0;
+
+type
+	CSSM_TP_STOP_ON = UInt32;
+const
+	CSSM_TP_STOP_ON_POLICY = 0; { use the pre-defined stopping criteria }
+	CSSM_TP_STOP_ON_NONE = 1; { evaluate all condition whether TRUE or FALSE }
+	CSSM_TP_STOP_ON_FIRST_PASS = 2; { stop evaluation at first TRUE }
+	CSSM_TP_STOP_ON_FIRST_FAIL = 3; { stop evaluation at first FALSE }
+
+type
+	CSSM_TIMESTRING = CStringPtr;
+
+{ From DL. }
+type
+	CSSM_DL_DB_LIST_PTR = ^cssm_dl_db_list;
+	CSSM_DL_DB_LISTPtr = ^cssm_dl_db_list;
+	cssm_dl_db_list = record
+		NumHandles: UInt32;
+		DLDBHandle: CSSM_DL_DB_HANDLE_PTR;
+	end;
+
+{ TP Again. }
+type
+	CSSM_TP_CALLERAUTH_CONTEXT_PTR = ^cssm_tp_callerauth_context;
+	CSSM_TP_CALLERAUTH_CONTEXTPtr = ^cssm_tp_callerauth_context;
+	cssm_tp_callerauth_context = record
+		Policy: CSSM_TP_POLICYINFO;
+		VerifyTime: CSSM_TIMESTRING;
+		VerificationAbortOn: CSSM_TP_STOP_ON;
+		CallbackWithVerifiedCert: CSSM_TP_VERIFICATION_RESULTS_CALLBACK;
+		NumberOfAnchorCerts: UInt32;
+		AnchorCerts: CSSM_DATA_PTR;
+		DBList: CSSM_DL_DB_LIST_PTR;
+		CallerCredentials: CSSM_ACCESS_CREDENTIALS_PTR;
+	end;
+
+type
+	CSSM_CRL_PARSE_FORMAT = UInt32;
+	CSSM_CRL_PARSE_FORMAT_PTR = ^UInt32;
+	CSSM_CRL_PARSE_FORMATPtr = ^UInt32;
+const
+	CSSM_CRL_PARSE_FORMAT_NONE = $00;
+	CSSM_CRL_PARSE_FORMAT_CUSTOM = $01;
+	CSSM_CRL_PARSE_FORMAT_SEXPR = $02;
+	CSSM_CRL_PARSE_FORMAT_COMPLEX = $03;
+	CSSM_CRL_PARSE_FORMAT_OID_NAMED = $04;
+	CSSM_CRL_PARSE_FORMAT_TUPLE = $05;
+	CSSM_CRL_PARSE_FORMAT_MULTIPLE = $7FFE;
+	CSSM_CRL_PARSE_FORMAT_LAST = $7FFF;
+	{ Applications wishing to define their own custom parse
+	   format should create a uint32 value greater than the
+	   CSSM_CL_CUSTOM_CRL_PARSE_FORMAT }
+	CSSM_CL_CUSTOM_CRL_PARSE_FORMAT = $8000;
+
+{ From CL. }
+type
+	CSSM_CRL_TYPE = UInt32;
+	CSSM_CRL_TYPE_PTR = ^UInt32;
+	CSSM_CRL_TYPEPtr = ^UInt32;
+const
+	CSSM_CRL_TYPE_UNKNOWN = $00;
+	CSSM_CRL_TYPE_X_509v1 = $01;
+	CSSM_CRL_TYPE_X_509v2 = $02;
+	CSSM_CRL_TYPE_SPKI = $03;
+	CSSM_CRL_TYPE_MULTIPLE = $7FFE;
+
+type
+	CSSM_CRL_ENCODING = UInt32;
+	CSSM_CRL_ENCODING_PTR = ^UInt32;
+	CSSM_CRL_ENCODINGPtr = ^UInt32;
+const
+	CSSM_CRL_ENCODING_UNKNOWN = $00;
+	CSSM_CRL_ENCODING_CUSTOM = $01;
+	CSSM_CRL_ENCODING_BER = $02;
+	CSSM_CRL_ENCODING_DER = $03;
+	CSSM_CRL_ENCODING_BLOOM = $04;
+	CSSM_CRL_ENCODING_SEXPR = $05;
+	CSSM_CRL_ENCODING_MULTIPLE = $7FFE;
+
+type
+	CSSM_ENCODED_CRL_PTR = ^cssm_encoded_crl;
+	CSSM_ENCODED_CRLPtr = ^cssm_encoded_crl;
+	cssm_encoded_crl = record
+		CrlType: CSSM_CRL_TYPE; { type of CRL }
+		CrlEncoding: CSSM_CRL_ENCODING; { encoding for this packed CRL }
+		CrlBlob: CSSM_DATA; { packed CRL }
+	end;
+
+{ TP Again. }
+type
+	CSSM_PARSED_CRL_PTR = ^cssm_parsed_crl;
+	CSSM_PARSED_CRLPtr = ^cssm_parsed_crl;
+	cssm_parsed_crl = record
+		CrlType: CSSM_CRL_TYPE; { CRL type }
+		ParsedCrlFormat: CSSM_CRL_PARSE_FORMAT;
+    { struct of ParsedCrl }
+		ParsedCrl: UnivPtr; { parsed CRL (to be typecast) }
+	end;
+
+type
+	CSSM_CRL_PAIR_PTR = ^cssm_crl_pair;
+	CSSM_CRL_PAIRPtr = ^cssm_crl_pair;
+	cssm_crl_pair = record
+		EncodedCrl: CSSM_ENCODED_CRL; { an encoded CRL blob }
+		ParsedCrl: CSSM_PARSED_CRL; { equivalent parsed CRL }
+	end;
+
+type
+	CSSM_CRLGROUP_TYPE = UInt32;
+	CSSM_CRLGROUP_TYPE_PTR = ^UInt32;
+	CSSM_CRLGROUP_TYPEPtr = ^UInt32;
+const
+	CSSM_CRLGROUP_DATA = $00;
+	CSSM_CRLGROUP_ENCODED_CRL = $01;
+	CSSM_CRLGROUP_PARSED_CRL = $02;
+	CSSM_CRLGROUP_CRL_PAIR = $03;
+
+type
+  __embedded_cssm_crlgroup = record
+    case Integer of
+		  0: (CrlList: CSSM_DATA_PTR);					{ CRL blob }
+		  1: (EncodedCrlList: CSSM_ENCODED_CRL_PTR);	{ CRL blob w/ separate type }
+		  2: (ParsedCrlList: CSSM_PARSED_CRL_PTR);		{ bushy, parsed CRL }
+		  3: (PairCrlList: CSSM_CRL_PAIR_PTR);
+  end;
+
+  CSSM_CRLGROUP_PTR = ^cssm_crlgroup;
+  CSSM_CRLGROUPPtr = ^cssm_crlgroup;
+	cssm_crlgroup = record
+		CrlType: CSSM_CRL_TYPE;
+		CrlEncoding: CSSM_CRL_ENCODING;
+		NumberOfCrls: UInt32;
+		GroupCrlList: __embedded_cssm_crlgroup;
+	end;
+
+type
+	CSSM_FIELDGROUP_PTR = ^cssm_fieldgroup;
+	CSSM_FIELDGROUPPtr = ^cssm_fieldgroup;
+	cssm_fieldgroup = record
+		NumberOfFields: SInt32;		{ number of fields in the array }
+		Fields: CSSM_FIELD_PTR;	{ array of fields }
+	end;
+
+type
+	CSSM_EVIDENCE_FORM = UInt32;
+const
+	CSSM_EVIDENCE_FORM_UNSPECIFIC = $0;
+	CSSM_EVIDENCE_FORM_CERT = $1;
+	CSSM_EVIDENCE_FORM_CRL = $2;
+	CSSM_EVIDENCE_FORM_CERT_ID = $3;
+	CSSM_EVIDENCE_FORM_CRL_ID = $4;
+	CSSM_EVIDENCE_FORM_VERIFIER_TIME = $5;
+	CSSM_EVIDENCE_FORM_CRL_THISTIME = $6;
+	CSSM_EVIDENCE_FORM_CRL_NEXTTIME = $7;
+	CSSM_EVIDENCE_FORM_POLICYINFO = $8;
+	CSSM_EVIDENCE_FORM_TUPLEGROUP = $9;
+
+type
+	CSSM_EVIDENCE_PTR = ^cssm_evidence;
+	CSSM_EVIDENCEPtr = ^cssm_evidence;
+	cssm_evidence = record
+		EvidenceForm: CSSM_EVIDENCE_FORM;
+		Evidence: UnivPtr; { Evidence content }
+	end;
+
+type
+	CSSM_TP_VERIFY_CONTEXT_PTR = ^cssm_tp_verify_context;
+	CSSM_TP_VERIFY_CONTEXTPtr = ^cssm_tp_verify_context;
+	cssm_tp_verify_context = record
+		Action: CSSM_TP_ACTION;
+		ActionData: CSSM_DATA;
+		Crls: CSSM_CRLGROUP;
+		Cred: CSSM_TP_CALLERAUTH_CONTEXT_PTR;
+	end;
+
+type
+	CSSM_TP_VERIFY_CONTEXT_RESULT_PTR = ^cssm_tp_verify_context_result;
+	CSSM_TP_VERIFY_CONTEXT_RESULTPtr = ^cssm_tp_verify_context_result;
+	cssm_tp_verify_context_result = record
+		NumberOfEvidences: UInt32;
+		Evidence: CSSM_EVIDENCE_PTR;
+	end;
+
+type
+	CSSM_TP_REQUEST_SET_PTR = ^cssm_tp_request_set;
+	CSSM_TP_REQUEST_SETPtr = ^cssm_tp_request_set;
+	cssm_tp_request_set = record
+		NumberOfRequests: UInt32;
+		Requests: UnivPtr;
+	end;
+
+type
+	CSSM_TP_RESULT_SET_PTR = ^cssm_tp_result_set;
+	CSSM_TP_RESULT_SETPtr = ^cssm_tp_result_set;
+	cssm_tp_result_set = record
+		NumberOfResults: UInt32;
+		Results: UnivPtr;
+	end;
+
+type
+	CSSM_TP_CONFIRM_STATUS = UInt32;
+	CSSM_TP_CONFIRM_STATUS_PTR = ^UInt32;
+	CSSM_TP_CONFIRM_STATUSPtr = ^UInt32;
+const
+	CSSM_TP_CONFIRM_STATUS_UNKNOWN = $0;
+	{ indeterminate }
+	CSSM_TP_CONFIRM_ACCEPT = $1;
+	{ accept results of executing a
+	   submit-retrieve function pair }
+	CSSM_TP_CONFIRM_REJECT = $2;
+	{ reject results of executing a
+	   submit-retrieve function pair }
+
+type
+	CSSM_TP_CONFIRM_RESPONSE_PTR = ^cssm_tp_confirm_response;
+	CSSM_TP_CONFIRM_RESPONSEPtr = ^cssm_tp_confirm_response;
+	cssm_tp_confirm_response = record
+		NumberOfResponses: UInt32;
+		Responses: CSSM_TP_CONFIRM_STATUS_PTR;
+	end;
+
+const
+	CSSM_ESTIMATED_TIME_UNKNOWN = -1;
+
+const
+	CSSM_ELAPSED_TIME_UNKNOWN = -1;
+	CSSM_ELAPSED_TIME_COMPLETE = -2;
+
+type
+	CSSM_TP_CERTISSUE_INPUT_PTR = ^cssm_tp_certissue_input;
+	CSSM_TP_CERTISSUE_INPUTPtr = ^cssm_tp_certissue_input;
+	cssm_tp_certissue_input = record
+		CSPSubserviceUid: CSSM_SUBSERVICE_UID;
+		CLHandle: CSSM_CL_HANDLE;
+		NumberOfTemplateFields: UInt32;
+		SubjectCertFields: CSSM_FIELD_PTR;
+		MoreServiceRequests: CSSM_TP_SERVICES;
+		NumberOfServiceControls: UInt32;
+		ServiceControls: CSSM_FIELD_PTR;
+		UserCredentials: CSSM_ACCESS_CREDENTIALS_PTR;
+	end;
+
+type
+	CSSM_TP_CERTISSUE_STATUS = UInt32;
+const
+	CSSM_TP_CERTISSUE_STATUS_UNKNOWN = $0;
+	{ indeterminate }
+	CSSM_TP_CERTISSUE_OK = $1;
+	{ cert issued as requested }
+	CSSM_TP_CERTISSUE_OKWITHCERTMODS = $2;
+	{ cert issued but cert contents were
+	   updated by the issuing authority }
+	CSSM_TP_CERTISSUE_OKWITHSERVICEMODS = $3;
+	{ cert issued but some requested backend
+	   services were not performed by the
+	   issuing authority }
+	CSSM_TP_CERTISSUE_REJECTED = $4;
+	{ cert was not issued due to some error
+	   condition }
+	CSSM_TP_CERTISSUE_NOT_AUTHORIZED = $5;
+	{ cert was not issued, the request was
+	   not authorized }
+	CSSM_TP_CERTISSUE_WILL_BE_REVOKED = $6;
+	{ cert was issued, but TP has initiated
+	   a revocation of the certificate }
+
+type
+	CSSM_TP_CERTISSUE_OUTPUT_PTR = ^cssm_tp_certissue_output;
+	CSSM_TP_CERTISSUE_OUTPUTPtr = ^cssm_tp_certissue_output;
+	cssm_tp_certissue_output = record
+		IssueStatus: CSSM_TP_CERTISSUE_STATUS;
+		CertGroup: CSSM_CERTGROUP_PTR;
+		PerformedServiceRequests: CSSM_TP_SERVICES;
+	end;
+
+type
+	CSSM_TP_CERTCHANGE_ACTION = UInt32;
+const
+	CSSM_TP_CERTCHANGE_NONE = $0; { no change }
+	CSSM_TP_CERTCHANGE_REVOKE = $1; { Revoke the certificate }
+{ This action type indicates a request to revoke a single
+   certificate. Notice of the revocation operation remains
+   in affect until the certificate itself expires. Revocation
+   should be used to permanently remove a certificate from use. }
+	CSSM_TP_CERTCHANGE_HOLD = $2; { Hold/suspend the certificate }
+{ This action type indicates a request to suspend a
+   single certificate. A suspension operation implies
+   that the requester intends, at some time in the future,
+   to request that the certificate be released from hold,
+   making it available for use again. Placing a hold on
+   a certificate does not obligate the requester to
+   request a release. In practice, a certificate may
+   remain on hold until the certificate itself expires.
+   Revocation should be used to permanently remove a
+   certificate from use. }
+	CSSM_TP_CERTCHANGE_RELEASE = $3; { Release the held certificate }
+{ This action type indicates a request to release a
+   single certificate currently on hold. A release
+   operation makes a certificate available for use again.
+   Revocation should be used to permanently remove a
+   certificate from use. }
+
+type
+	CSSM_TP_CERTCHANGE_REASON = UInt32;
+const
+	CSSM_TP_CERTCHANGE_REASON_UNKNOWN = $0;
+	{ unspecified }
+	CSSM_TP_CERTCHANGE_REASON_KEYCOMPROMISE = $1;
+	{ Subject key believed to be compromised }
+	CSSM_TP_CERTCHANGE_REASON_CACOMPROMISE = $2;
+	{ CA’s key believed to be compromised }
+	CSSM_TP_CERTCHANGE_REASON_CEASEOPERATION = $3;
+	{ certificate holder ceases operation under
+	   the jurisdiction of this certificate }
+	CSSM_TP_CERTCHANGE_REASON_AFFILIATIONCHANGE = $4;
+	{ certificate holder has moved from this
+	   jurisdiction }
+	CSSM_TP_CERTCHANGE_REASON_SUPERCEDED = $5;
+	{ certificate holder as issued a new, superceding
+	   certificate }
+	CSSM_TP_CERTCHANGE_REASON_SUSPECTEDCOMPROMISE = $6;
+	{ certificate could be compromised }
+	CSSM_TP_CERTCHANGE_REASON_HOLDRELEASE = $7;
+	{ certificate holder resumes operation under the
+	   jurisdiction of this certificate }
+
+type
+	CSSM_TP_CERTCHANGE_INPUT_PTR = ^cssm_tp_certchange_input;
+	CSSM_TP_CERTCHANGE_INPUTPtr = ^cssm_tp_certchange_input;
+	cssm_tp_certchange_input = record
+		Action: CSSM_TP_CERTCHANGE_ACTION;
+		Reason: CSSM_TP_CERTCHANGE_REASON;
+		CLHandle: CSSM_CL_HANDLE;
+		Cert: CSSM_DATA_PTR;
+		ChangeInfo: CSSM_FIELD_PTR;
+		StartTime: CSSM_TIMESTRING;
+		CallerCredentials: CSSM_ACCESS_CREDENTIALS_PTR;
+	end;
+
+type
+	CSSM_TP_CERTCHANGE_STATUS = UInt32;
+const
+	CSSM_TP_CERTCHANGE_STATUS_UNKNOWN = $0;
+	{ indeterminate }
+	CSSM_TP_CERTCHANGE_OK = $1;
+	{ cert state was successfully changed
+	   beginning at the specified time }
+	CSSM_TP_CERTCHANGE_OKWITHNEWTIME = $2;
+	{ cert state was successfully changed,
+	   at a modified effective time }
+	CSSM_TP_CERTCHANGE_WRONGCA = $3;
+	{ cert state was not changed, the
+	   selected CA is not authorized to
+	   change the cert state }
+	CSSM_TP_CERTCHANGE_REJECTED = $4;
+	{ cert state was not changed due to some
+	   error condition }
+	CSSM_TP_CERTCHANGE_NOT_AUTHORIZED = $5;
+	{ cert state was not changed, the
+	   requester is not authorized to change
+	   the cert state }
+
+type
+	CSSM_TP_CERTCHANGE_OUTPUT_PTR = ^cssm_tp_certchange_output;
+	CSSM_TP_CERTCHANGE_OUTPUTPtr = ^cssm_tp_certchange_output;
+	cssm_tp_certchange_output = record
+		ActionStatus: CSSM_TP_CERTCHANGE_STATUS;
+		RevokeInfo: CSSM_FIELD;
+	end;
+
+type
+	CSSM_TP_CERTVERIFY_INPUT_PTR = ^cssm_tp_certverify_input;
+	CSSM_TP_CERTVERIFY_INPUTPtr = ^cssm_tp_certverify_input;
+	cssm_tp_certverify_input = record
+		CLHandle: CSSM_CL_HANDLE;
+		Cert: CSSM_DATA_PTR;
+		VerifyContext: CSSM_TP_VERIFY_CONTEXT_PTR;
+	end;
+
+type
+	CSSM_TP_CERTVERIFY_STATUS = UInt32;
+const
+	CSSM_TP_CERTVERIFY_UNKNOWN = $0;
+	CSSM_TP_CERTVERIFY_VALID = $1;
+	CSSM_TP_CERTVERIFY_INVALID = $2;
+	CSSM_TP_CERTVERIFY_REVOKED = $3;
+	CSSM_TP_CERTVERIFY_SUSPENDED = $4;
+	CSSM_TP_CERTVERIFY_EXPIRED = $5;
+	CSSM_TP_CERTVERIFY_NOT_VALID_YET = $6;
+	CSSM_TP_CERTVERIFY_INVALID_AUTHORITY = $7;
+	CSSM_TP_CERTVERIFY_INVALID_SIGNATURE = $8;
+	CSSM_TP_CERTVERIFY_INVALID_CERT_VALUE = $9;
+	CSSM_TP_CERTVERIFY_INVALID_CERTGROUP = $A;
+	CSSM_TP_CERTVERIFY_INVALID_POLICY = $B;
+	CSSM_TP_CERTVERIFY_INVALID_POLICY_IDS = $C;
+	CSSM_TP_CERTVERIFY_INVALID_BASIC_CONSTRAINTS = $D;
+	CSSM_TP_CERTVERIFY_INVALID_CRL_DIST_PT = $E;
+	CSSM_TP_CERTVERIFY_INVALID_NAME_TREE = $F;
+	CSSM_TP_CERTVERIFY_UNKNOWN_CRITICAL_EXT = $10;
+
+type
+	CSSM_TP_CERTVERIFY_OUTPUT_PTR = ^cssm_tp_certverify_output;
+	CSSM_TP_CERTVERIFY_OUTPUTPtr = ^cssm_tp_certverify_output;
+	cssm_tp_certverify_output = record
+		VerifyStatus: CSSM_TP_CERTVERIFY_STATUS;
+		NumberOfEvidence: UInt32;
+		Evidence: CSSM_EVIDENCE_PTR;
+	end;
+
+type
+	CSSM_TP_CERTNOTARIZE_INPUT_PTR = ^cssm_tp_certnotarize_input;
+	CSSM_TP_CERTNOTARIZE_INPUTPtr = ^cssm_tp_certnotarize_input;
+	cssm_tp_certnotarize_input = record
+		CLHandle: CSSM_CL_HANDLE;
+		NumberOfFields: UInt32;
+		MoreFields: CSSM_FIELD_PTR;
+		SignScope: CSSM_FIELD_PTR;
+		ScopeSize: UInt32;
+		MoreServiceRequests: CSSM_TP_SERVICES;
+		NumberOfServiceControls: UInt32;
+		ServiceControls: CSSM_FIELD_PTR;
+		UserCredentials: CSSM_ACCESS_CREDENTIALS_PTR;
+	end;
+
+type
+	CSSM_TP_CERTNOTARIZE_STATUS = UInt32;
+const
+	CSSM_TP_CERTNOTARIZE_STATUS_UNKNOWN = $0;
+	{ indeterminate }
+	CSSM_TP_CERTNOTARIZE_OK = $1;
+	{ cert fields were added and the result was
+	   notarized as requested }
+	CSSM_TP_CERTNOTARIZE_OKWITHOUTFIELDS = $2;
+	{ non-conflicting cert fields were added,
+	   conflicting cert fields were ignored,
+	   and the result was notarized as requested }
+	CSSM_TP_CERTNOTARIZE_OKWITHSERVICEMODS = $3;
+	{ cert fields were added and the result was
+	   notarized as requested, but some requested
+	   backend services were not performed by the
+	   notary }
+	CSSM_TP_CERTNOTARIZE_REJECTED = $4;
+	{ cert was not notarized due to some error
+	   condition }
+	CSSM_TP_CERTNOTARIZE_NOT_AUTHORIZED = $5;
+	{ cert was not notarized, the request was
+	   not authorized }
+
+type
+	CSSM_TP_CERTNOTARIZE_OUTPUT_PTR = ^cssm_tp_certnotarize_output;
+	CSSM_TP_CERTNOTARIZE_OUTPUTPtr = ^cssm_tp_certnotarize_output;
+	cssm_tp_certnotarize_output = record
+		NotarizeStatus: CSSM_TP_CERTNOTARIZE_STATUS;
+		NotarizedCertGroup: CSSM_CERTGROUP_PTR;
+		PerformedServiceRequests: CSSM_TP_SERVICES;
+	end;
+
+type
+	CSSM_TP_CERTRECLAIM_INPUT_PTR = ^cssm_tp_certreclaim_input;
+	CSSM_TP_CERTRECLAIM_INPUTPtr = ^cssm_tp_certreclaim_input;
+	cssm_tp_certreclaim_input = record
+		CLHandle: CSSM_CL_HANDLE;
+		NumberOfSelectionFields: UInt32;
+		SelectionFields: CSSM_FIELD_PTR;
+		UserCredentials: CSSM_ACCESS_CREDENTIALS_PTR;
+	end;
+
+type
+	CSSM_TP_CERTRECLAIM_STATUS = UInt32;
+const
+	CSSM_TP_CERTRECLAIM_STATUS_UNKNOWN = $0;
+	{ indeterminate }
+	CSSM_TP_CERTRECLAIM_OK = $1;
+	{ a set of one or more certificates were
+	   returned by the CA for local recovery
+	   of the associated private key }
+	CSSM_TP_CERTRECLAIM_NOMATCH = $2;
+	{ no certificates owned by the requester
+	   were found matching the specified
+	   selection fields }
+	CSSM_TP_CERTRECLAIM_REJECTED = $3;
+	{ certificate reclamation failed due
+	   to some error condition }
+	CSSM_TP_CERTRECLAIM_NOT_AUTHORIZED = $4;
+	{ certificate reclamation was not
+	   performed, the request was not
+	   authorized }
+
+type
+	CSSM_TP_CERTRECLAIM_OUTPUT_PTR = ^cssm_tp_certreclaim_output;
+	CSSM_TP_CERTRECLAIM_OUTPUTPtr = ^cssm_tp_certreclaim_output;
+	cssm_tp_certreclaim_output = record
+		ReclaimStatus: CSSM_TP_CERTRECLAIM_STATUS;
+		ReclaimedCertGroup: CSSM_CERTGROUP_PTR;
+		KeyCacheHandle: CSSM_LONG_HANDLE;
+	end;
+
+type
+	CSSM_TP_CRLISSUE_INPUT_PTR = ^cssm_tp_crlissue_input;
+	CSSM_TP_CRLISSUE_INPUTPtr = ^cssm_tp_crlissue_input;
+	cssm_tp_crlissue_input = record
+		CLHandle: CSSM_CL_HANDLE;
+		CrlIdentifier: UInt32;
+		CrlThisTime: CSSM_TIMESTRING;
+		PolicyIdentifier: CSSM_FIELD_PTR;
+		CallerCredentials: CSSM_ACCESS_CREDENTIALS_PTR;
+	end;
+
+type
+	CSSM_TP_CRLISSUE_STATUS = UInt32;
+const
+	CSSM_TP_CRLISSUE_STATUS_UNKNOWN = $0;
+	{ indeterminate }
+	CSSM_TP_CRLISSUE_OK = $1;
+	{ a copy of the most current CRL was
+	   issued as requested and the time for
+	   issuing the next CRL is also returned }
+	CSSM_TP_CRLISSUE_NOT_CURRENT = $2;
+	{ either no CRL has been issued since
+	   the CRL identified in the request, or
+	   it is not time to issue an updated CRL.
+	   no CRL has been returned, but the time
+	   for issuing the next CRL is included
+	   in the results }
+	CSSM_TP_CRLISSUE_INVALID_DOMAIN = $3;
+	{ CRL domain was not recognized or was
+	   outside the CA jurisdiction, no CRL or
+	   time for the next CRL has been
+	   returned. }
+	CSSM_TP_CRLISSUE_UNKNOWN_IDENTIFIER = $4;
+	{ unrecognized CRL identifier, no CRL or
+	   time for the next CRL has been
+	   returned. }
+	CSSM_TP_CRLISSUE_REJECTED = $5;
+	{ CRL was not issued due to some error
+	   condition, no CRL or time for the next
+	   CRL has been returned. }
+	CSSM_TP_CRLISSUE_NOT_AUTHORIZED = $6;
+	{ CRL was not issued, the request was
+	   not authorized, no CRL or time for the
+	   next CRL has been returned. }
+
+type
+	CSSM_TP_CRLISSUE_OUTPUT_PTR = ^cssm_tp_crlissue_output;
+	CSSM_TP_CRLISSUE_OUTPUTPtr = ^cssm_tp_crlissue_output;
+	cssm_tp_crlissue_output = record
+		IssueStatus: CSSM_TP_CRLISSUE_STATUS;
+		Crl: CSSM_ENCODED_CRL_PTR;
+		CrlNextTime: CSSM_TIMESTRING;
+	end;
+
+type
+	CSSM_TP_FORM_TYPE = UInt32;
+const
+	CSSM_TP_FORM_TYPE_GENERIC = $0;
+	CSSM_TP_FORM_TYPE_REGISTRATION = $1;
+
+{ Data Types for Certificate Library Services  }
+
+type
+	CSSM_CL_TEMPLATE_TYPE = UInt32;
+const
+	CSSM_CL_TEMPLATE_INTERMEDIATE_CERT = 1;
+	{ for X509 certificates, a fully-formed
+	   encoded certificate with empty signature field }
+	CSSM_CL_TEMPLATE_PKIX_CERTTEMPLATE = 2;
+	{ as defined in RFC2511, section 5 CertTemplate }
+
+type
+	CSSM_CERT_BUNDLE_TYPE = UInt32;
+const
+	CSSM_CERT_BUNDLE_UNKNOWN = $00;
+	CSSM_CERT_BUNDLE_CUSTOM = $01;
+	CSSM_CERT_BUNDLE_PKCS7_SIGNED_DATA = $02;
+	CSSM_CERT_BUNDLE_PKCS7_SIGNED_ENVELOPED_DATA = $03;
+	CSSM_CERT_BUNDLE_PKCS12 = $04;
+	CSSM_CERT_BUNDLE_PFX = $05;
+	CSSM_CERT_BUNDLE_SPKI_SEQUENCE = $06;
+	CSSM_CERT_BUNDLE_PGP_KEYRING = $07;
+	CSSM_CERT_BUNDLE_LAST = $7FFF;
+	{ Applications wishing to define their own custom certificate
+	   bundle type should define and publicly document a uint32
+	   value greater than CSSM_CL_CUSTOM_CERT_BUNDLE_TYPE }
+	CSSM_CL_CUSTOM_CERT_BUNDLE_TYPE = $8000;
+
+type
+	CSSM_CERT_BUNDLE_ENCODING = UInt32;
+const
+	CSSM_CERT_BUNDLE_ENCODING_UNKNOWN = $00;
+	CSSM_CERT_BUNDLE_ENCODING_CUSTOM = $01;
+	CSSM_CERT_BUNDLE_ENCODING_BER = $02;
+	CSSM_CERT_BUNDLE_ENCODING_DER = $03;
+	CSSM_CERT_BUNDLE_ENCODING_SEXPR = $04;
+	CSSM_CERT_BUNDLE_ENCODING_PGP = $05;
+
+type
+	CSSM_CERT_BUNDLE_HEADER_PTR = ^cssm_cert_bundle_header;
+	CSSM_CERT_BUNDLE_HEADERPtr = ^cssm_cert_bundle_header;
+	cssm_cert_bundle_header = record
+		BundleType: CSSM_CERT_BUNDLE_TYPE;
+		BundleEncoding: CSSM_CERT_BUNDLE_ENCODING;
+	end;
+
+type
+	CSSM_CERT_BUNDLE_PTR = ^cssm_cert_bundle;
+	CSSM_CERT_BUNDLEPtr = ^cssm_cert_bundle;
+	cssm_cert_bundle = record
+		BundleHeader: CSSM_CERT_BUNDLE_HEADER;
+		Bundle: CSSM_DATA;
+	end;
+
+const
+	CSSM_FIELDVALUE_COMPLEX_DATA_TYPE = $FFFFFFFF;
+
+{ Data Types for Data Storage Library Services  }
+
+type
+	CSSM_DB_ATTRIBUTE_NAME_FORMAT = UInt32;
+	CSSM_DB_ATTRIBUTE_NAME_FORMAT_PTR = ^UInt32;
+	CSSM_DB_ATTRIBUTE_NAME_FORMATPtr = ^UInt32;
+const
+	CSSM_DB_ATTRIBUTE_NAME_AS_STRING = 0;
+	CSSM_DB_ATTRIBUTE_NAME_AS_OID = 1;
+	CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER = 2;
+
+type
+	CSSM_DB_ATTRIBUTE_FORMAT = UInt32;
+	CSSM_DB_ATTRIBUTE_FORMAT_PTR = ^UInt32;
+	CSSM_DB_ATTRIBUTE_FORMATPtr = ^UInt32;
+const
+	CSSM_DB_ATTRIBUTE_FORMAT_STRING = 0;
+	CSSM_DB_ATTRIBUTE_FORMAT_SINT32 = 1;
+	CSSM_DB_ATTRIBUTE_FORMAT_UINT32 = 2;
+	CSSM_DB_ATTRIBUTE_FORMAT_BIG_NUM = 3;
+	CSSM_DB_ATTRIBUTE_FORMAT_REAL = 4;
+	CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE = 5;
+	CSSM_DB_ATTRIBUTE_FORMAT_BLOB = 6;
+	CSSM_DB_ATTRIBUTE_FORMAT_MULTI_UINT32 = 7;
+	CSSM_DB_ATTRIBUTE_FORMAT_COMPLEX = 8;
+
+type
+  __embeddded_cssm_db_attribute_info = record
+    case Integer of
+      0: (AttributeName: CStringPtr);		{ e.g., "record label" }
+      1: (AttributeOID: CSSM_OID);		{ e.g., CSSMOID_RECORDLABEL }
+      2: (AttributeID: UInt32);			{ e.g., FourCharCode('recl') }
+  end;
+ 
+  CSSM_DB_ATTRIBUTE_INFO_PTR = ^cssm_db_attribute_info;
+  CSSM_DB_ATTRIBUTE_INFOPtr = ^cssm_db_attribute_info;
+	cssm_db_attribute_info = record
+    AttributeNameFormat: CSSM_DB_ATTRIBUTE_NAME_FORMAT;
+    AttributeFormat: __embeddded_cssm_db_attribute_info;
+	end;
+
+type
+	CSSM_DB_ATTRIBUTE_DATA_PTR = ^cssm_db_attribute_data;
+	CSSM_DB_ATTRIBUTE_DATAPtr = ^cssm_db_attribute_data;
+	cssm_db_attribute_data = record
+		Info: CSSM_DB_ATTRIBUTE_INFO;
+		NumberOfValues: UInt32;
+		Value: CSSM_DATA_PTR;
+	end;
+
+type
+	CSSM_DB_RECORDTYPE = UInt32;
+const
+{ Schema Management Name Space Range Definition}
+	CSSM_DB_RECORDTYPE_SCHEMA_START = $00000000;
+	CSSM_DB_RECORDTYPE_SCHEMA_END = CSSM_DB_RECORDTYPE_SCHEMA_START + 4;
+	{ Open Group Application Name Space Range Definition}
+	CSSM_DB_RECORDTYPE_OPEN_GROUP_START = $0000000A;
+	CSSM_DB_RECORDTYPE_OPEN_GROUP_END = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 8;
+	{ Industry At Large Application Name Space Range Definition }
+	CSSM_DB_RECORDTYPE_APP_DEFINED_START = $80000000;
+	CSSM_DB_RECORDTYPE_APP_DEFINED_END = $ffffffff;
+	{ Record Types defined in the Schema Management Name Space }
+	CSSM_DL_DB_SCHEMA_INFO = CSSM_DB_RECORDTYPE_SCHEMA_START + 0;
+	CSSM_DL_DB_SCHEMA_INDEXES = CSSM_DB_RECORDTYPE_SCHEMA_START + 1;
+	CSSM_DL_DB_SCHEMA_ATTRIBUTES = CSSM_DB_RECORDTYPE_SCHEMA_START + 2;
+	CSSM_DL_DB_SCHEMA_PARSING_MODULE = CSSM_DB_RECORDTYPE_SCHEMA_START + 3;
+	{ Record Types defined in the Open Group Application Name Space }
+	CSSM_DL_DB_RECORD_ANY = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 0;
+	CSSM_DL_DB_RECORD_CERT = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 1;
+	CSSM_DL_DB_RECORD_CRL = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 2;
+	CSSM_DL_DB_RECORD_POLICY = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 3;
+	CSSM_DL_DB_RECORD_GENERIC = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 4;
+	CSSM_DL_DB_RECORD_PUBLIC_KEY = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 5;
+	CSSM_DL_DB_RECORD_PRIVATE_KEY = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 6;
+	CSSM_DL_DB_RECORD_SYMMETRIC_KEY = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 7;
+	CSSM_DL_DB_RECORD_ALL_KEYS = CSSM_DB_RECORDTYPE_OPEN_GROUP_START + 8;
+
+const
+	CSSM_DB_CERT_USE_TRUSTED = $00000001;	{ application-defined as trusted }
+	CSSM_DB_CERT_USE_SYSTEM = $00000002;	{ the CSSM system cert }
+	CSSM_DB_CERT_USE_OWNER = $00000004;	{ private key owned by system user}
+	CSSM_DB_CERT_USE_REVOKED = $00000008;	{ revoked cert -15913 used w CRL APIs }
+	CSSM_DB_CERT_USE_SIGNING = $00000010;	{ use cert for signing only }
+	CSSM_DB_CERT_USE_PRIVACY = $00000020;	{ use cert for confidentiality only }
+
+type
+	CSSM_DB_RECORD_ATTRIBUTE_INFO_PTR = ^cssm_db_record_attribute_info;
+	CSSM_DB_RECORD_ATTRIBUTE_INFOPtr = ^cssm_db_record_attribute_info;
+	cssm_db_record_attribute_info = record
+		DataRecordType: CSSM_DB_RECORDTYPE;
+		NumberOfAttributes: UInt32;
+		AttributeInfo: CSSM_DB_ATTRIBUTE_INFO_PTR;
+	end;
+
+type
+	CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR = ^cssm_db_record_attribute_data;
+	CSSM_DB_RECORD_ATTRIBUTE_DATAPtr = ^cssm_db_record_attribute_data;
+	cssm_db_record_attribute_data = record
+		DataRecordType: CSSM_DB_RECORDTYPE;
+		SemanticInformation: UInt32;
+		NumberOfAttributes: UInt32;
+		AttributeData: CSSM_DB_ATTRIBUTE_DATA_PTR;
+	end;
+
+type
+	CSSM_DB_PARSING_MODULE_INFO_PTR = ^cssm_db_parsing_module_info;
+	CSSM_DB_PARSING_MODULE_INFOPtr = ^cssm_db_parsing_module_info;
+	cssm_db_parsing_module_info = record
+		RecordType: CSSM_DB_RECORDTYPE;
+		ModuleSubserviceUid: CSSM_SUBSERVICE_UID;
+	end;
+
+type
+	CSSM_DB_INDEX_TYPE = UInt32;
+const
+	CSSM_DB_INDEX_UNIQUE = 0;
+	CSSM_DB_INDEX_NONUNIQUE = 1;
+
+type
+	CSSM_DB_INDEXED_DATA_LOCATION = UInt32;
+const
+	CSSM_DB_INDEX_ON_UNKNOWN = 0;
+	CSSM_DB_INDEX_ON_ATTRIBUTE = 1;
+	CSSM_DB_INDEX_ON_RECORD = 2;
+
+type
+	CSSM_DB_INDEX_INFO_PTR = ^cssm_db_index_info;
+	CSSM_DB_INDEX_INFOPtr = ^cssm_db_index_info;
+	cssm_db_index_info = record
+		IndexType: CSSM_DB_INDEX_TYPE;
+		IndexedDataLocation: CSSM_DB_INDEXED_DATA_LOCATION;
+		Info: CSSM_DB_ATTRIBUTE_INFO;
+	end;
+
+type
+	CSSM_DB_UNIQUE_RECORD_PTR = ^cssm_db_unique_record;
+	CSSM_DB_UNIQUE_RECORDPtr = ^cssm_db_unique_record;
+	cssm_db_unique_record = record
+		RecordLocator: CSSM_DB_INDEX_INFO;
+		RecordIdentifier: CSSM_DATA;
+	end;
+
+type
+	CSSM_DB_RECORD_INDEX_INFO_PTR = ^cssm_db_record_index_info;
+	CSSM_DB_RECORD_INDEX_INFOPtr = ^cssm_db_record_index_info;
+	cssm_db_record_index_info = record
+		DataRecordType: CSSM_DB_RECORDTYPE;
+		NumberOfIndexes: UInt32;
+		IndexInfo: CSSM_DB_INDEX_INFO_PTR;
+	end;
+
+type
+	CSSM_DB_ACCESS_TYPE = UInt32;
+	CSSM_DB_ACCESS_TYPE_PTR = ^UInt32;
+	CSSM_DB_ACCESS_TYPEPtr = ^UInt32;
+const
+	CSSM_DB_ACCESS_READ = $00001;
+	CSSM_DB_ACCESS_WRITE = $00002;
+	CSSM_DB_ACCESS_PRIVILEGED = $00004; { versus user mode }
+
+type
+	CSSM_DB_MODIFY_MODE = UInt32;
+const
+	CSSM_DB_MODIFY_ATTRIBUTE_NONE = 0;
+	CSSM_DB_MODIFY_ATTRIBUTE_ADD = CSSM_DB_MODIFY_ATTRIBUTE_NONE + 1;
+	CSSM_DB_MODIFY_ATTRIBUTE_DELETE = CSSM_DB_MODIFY_ATTRIBUTE_NONE + 2;
+	CSSM_DB_MODIFY_ATTRIBUTE_REPLACE = CSSM_DB_MODIFY_ATTRIBUTE_NONE + 3;
+
+type
+	CSSM_DBINFO_PTR = ^cssm_dbinfo;
+	CSSM_DBINFOPtr = ^cssm_dbinfo;
+	cssm_dbinfo = record
+{ meta information about each record type stored in this
+    data store including meta information about record
+    attributes and indexes }
+		NumberOfRecordTypes: UInt32;
+		DefaultParsingModules: CSSM_DB_PARSING_MODULE_INFO_PTR;
+		RecordAttributeNames: CSSM_DB_RECORD_ATTRIBUTE_INFO_PTR;
+		RecordIndexes: CSSM_DB_RECORD_INDEX_INFO_PTR;
+    { access restrictions for opening this data store }
+		IsLocal: CSSM_BOOL;
+		AccessPath: CStringPtr; { URL, dir path, etc. }
+		Reserved: UnivPtr;
+	end;
+
+type
+	CSSM_DB_OPERATOR = UInt32;
+	CSSM_DB_OPERATOR_PTR = ^UInt32;
+	CSSM_DB_OPERATORPtr = ^UInt32;
+const
+	CSSM_DB_EQUAL = 0;
+	CSSM_DB_NOT_EQUAL = 1;
+	CSSM_DB_LESS_THAN = 2;
+	CSSM_DB_GREATER_THAN = 3;
+	CSSM_DB_CONTAINS = 4;
+	CSSM_DB_CONTAINS_INITIAL_SUBSTRING = 5;
+	CSSM_DB_CONTAINS_FINAL_SUBSTRING = 6;
+
+type
+	CSSM_DB_CONJUNCTIVE = UInt32;
+	CSSM_DB_CONJUNCTIVE_PTR = ^UInt32;
+	CSSM_DB_CONJUNCTIVEPtr = ^UInt32;
+const
+	CSSM_DB_NONE = 0;
+	CSSM_DB_AND = 1;
+	CSSM_DB_OR = 2;
+
+type
+	CSSM_SELECTION_PREDICATE_PTR = ^cssm_selection_predicate;
+	CSSM_SELECTION_PREDICATEPtr = ^cssm_selection_predicate;
+	cssm_selection_predicate = record
+		DbOperator: CSSM_DB_OPERATOR;
+		Attribute: CSSM_DB_ATTRIBUTE_DATA;
+	end;
+
+const
+	CSSM_QUERY_TIMELIMIT_NONE = 0;
+
+const
+	CSSM_QUERY_SIZELIMIT_NONE = 0;
+
+type
+	CSSM_QUERY_LIMITS_PTR = ^cssm_query_limits;
+	CSSM_QUERY_LIMITSPtr = ^cssm_query_limits;
+	cssm_query_limits = record
+		TimeLimit: UInt32; { in seconds }
+		SizeLimit: UInt32; { max. number of records to return }
+	end;
+
+type
+	CSSM_QUERY_FLAGS = UInt32;
+const
+	CSSM_QUERY_RETURN_DATA = $01;
+
+type
+	CSSM_QUERY_PTR = ^cssm_query;
+	CSSM_QUERYPtr = ^cssm_query;
+	cssm_query = record
+		RecordType: CSSM_DB_RECORDTYPE;
+		Conjunctive: CSSM_DB_CONJUNCTIVE;
+		NumSelectionPredicates: UInt32;
+		SelectionPredicate: CSSM_SELECTION_PREDICATE_PTR;
+		QueryLimits: CSSM_QUERY_LIMITS;
+		QueryFlags: CSSM_QUERY_FLAGS;
+	end;
+
+type
+	CSSM_DLTYPE = UInt32;
+	CSSM_DLTYPE_PTR = ^UInt32;
+	CSSM_DLTYPEPtr = ^UInt32;
+const
+	CSSM_DL_UNKNOWN = 0;
+	CSSM_DL_CUSTOM = 1;
+	CSSM_DL_LDAP = 2;
+	CSSM_DL_ODBC = 3;
+	CSSM_DL_PKCS11 = 4;
+	CSSM_DL_FFS = 5; { flat file system }
+	CSSM_DL_MEMORY = 6;
+	CSSM_DL_REMOTEDIR = 7;
+
+type
+	CSSM_DL_CUSTOM_ATTRIBUTES = UnivPtr;
+	CSSM_DL_LDAP_ATTRIBUTES = UnivPtr;
+	CSSM_DL_ODBC_ATTRIBUTES = UnivPtr;
+	CSSM_DL_FFS_ATTRIBUTES = UnivPtr;
+
+type
+	CSSM_DL_PKCS11_ATTRIBUTE_PTR = ^cssm_dl_pkcs11_attributes;
+	CSSM_DL_PKCS11_ATTRIBUTEPtr = ^cssm_dl_pkcs11_attributes;
+	cssm_dl_pkcs11_attributes = record
+		DeviceAccessFlags: UInt32;
+  end;
+
+const
+	CSSM_DB_DATASTORES_UNKNOWN = $FFFFFFFF;
+
+type
+  CSSM_NAME_LIST_PTR = ^cssm_name_list;
+  CSSM_NAME_LISTPtr = ^cssm_name_list;
+ cssm_name_list = record
+		NumStrings: UInt32;
+		String_: CStringPtrPtr;
+	end;
+
+type
+	CSSM_DB_RETRIEVAL_MODES = UInt32;
+const
+	CSSM_DB_TRANSACTIONAL_MODE = 0;
+	CSSM_DB_FILESYSTEMSCAN_MODE = 1;
+
+type
+	CSSM_DB_SCHEMA_ATTRIBUTE_INFO_PTR = ^cssm_db_schema_attribute_info;
+	CSSM_DB_SCHEMA_ATTRIBUTE_INFOPtr = ^cssm_db_schema_attribute_info;
+	cssm_db_schema_attribute_info = record
+		AttributeId: UInt32;
+		AttributeName: CStringPtr;
+		AttributeNameID: CSSM_OID;
+		DataType: CSSM_DB_ATTRIBUTE_FORMAT;
+	end;
+
+type
+	CSSM_DB_SCHEMA_INDEX_INFO_PTR = ^cssm_db_schema_index_info;
+	CSSM_DB_SCHEMA_INDEX_INFOPtr = ^cssm_db_schema_index_info;
+	cssm_db_schema_index_info = record
+		AttributeId: UInt32;
+		IndexId: UInt32;
+		IndexType: CSSM_DB_INDEX_TYPE;
+		IndexedDataLocation: CSSM_DB_INDEXED_DATA_LOCATION;
+	end;
+
+{$endc} {TARGET_OS_MAC}
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+
+end.
+{$endc} {not MACOSALLINCLUDE}

packages/univint/src/x509defs.pas

@@ -0,0 +1,494 @@
+{
+ * Copyright (c) 1999-2002,2004 Apple Computer, Inc. All Rights Reserved.
+ * 
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * x509defs.h -- Data structures for X509 Certificate Library field values
+ }
+{       Pascal Translation Updated:  Jonas Maebe, <[email protected]>, September 2010 }
+{
+    Modified for use with Free Pascal
+    Version 308
+    Please report any bugs to <[email protected]>
+}
+
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+{$mode macpas}
+{$packenum 1}
+{$macro on}
+{$inline on}
+{$calling mwpascal}
+
+unit x509defs;
+interface
+{$setc UNIVERSAL_INTERFACES_VERSION := $0400}
+{$setc GAP_INTERFACES_VERSION := $0308}
+
+{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
+    {$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
+{$endc}
+
+{$ifc defined CPUPOWERPC and defined CPUI386}
+	{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
+{$endc}
+{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
+	{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
+{$endc}
+
+{$ifc not defined __ppc__ and defined CPUPOWERPC32}
+	{$setc __ppc__ := 1}
+{$elsec}
+	{$setc __ppc__ := 0}
+{$endc}
+{$ifc not defined __ppc64__ and defined CPUPOWERPC64}
+	{$setc __ppc64__ := 1}
+{$elsec}
+	{$setc __ppc64__ := 0}
+{$endc}
+{$ifc not defined __i386__ and defined CPUI386}
+	{$setc __i386__ := 1}
+{$elsec}
+	{$setc __i386__ := 0}
+{$endc}
+{$ifc not defined __x86_64__ and defined CPUX86_64}
+	{$setc __x86_64__ := 1}
+{$elsec}
+	{$setc __x86_64__ := 0}
+{$endc}
+{$ifc not defined __arm__ and defined CPUARM}
+	{$setc __arm__ := 1}
+{$elsec}
+	{$setc __arm__ := 0}
+{$endc}
+
+{$ifc defined cpu64}
+  {$setc __LP64__ := 1}
+{$elsec}
+  {$setc __LP64__ := 0}
+{$endc}
+
+
+{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
+	{$error Conflicting definitions for __ppc__ and __i386__}
+{$endc}
+
+{$ifc defined __ppc__ and __ppc__}
+	{$setc TARGET_CPU_PPC := TRUE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __ppc64__ and __ppc64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := TRUE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __i386__ and __i386__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := TRUE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := FALSE}
+{$ifc defined(iphonesim)}
+ 	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := TRUE}
+{$elsec}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$endc}
+{$elifc defined __x86_64__ and __x86_64__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := TRUE}
+	{$setc TARGET_CPU_ARM := FALSE}
+	{$setc TARGET_OS_MAC := TRUE}
+	{$setc TARGET_OS_IPHONE := FALSE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elifc defined __arm__ and __arm__}
+	{$setc TARGET_CPU_PPC := FALSE}
+	{$setc TARGET_CPU_PPC64 := FALSE}
+	{$setc TARGET_CPU_X86 := FALSE}
+	{$setc TARGET_CPU_X86_64 := FALSE}
+	{$setc TARGET_CPU_ARM := TRUE}
+	{ will require compiler define when/if other Apple devices with ARM cpus ship }
+	{$setc TARGET_OS_MAC := FALSE}
+	{$setc TARGET_OS_IPHONE := TRUE}
+	{$setc TARGET_IPHONE_SIMULATOR := FALSE}
+{$elsec}
+	{$error __ppc__ nor __ppc64__ nor __i386__ nor __x86_64__ nor __arm__ is defined.}
+{$endc}
+
+{$ifc defined __LP64__ and __LP64__ }
+  {$setc TARGET_CPU_64 := TRUE}
+{$elsec}
+  {$setc TARGET_CPU_64 := FALSE}
+{$endc}
+
+{$ifc defined FPC_BIG_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := TRUE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
+{$elifc defined FPC_LITTLE_ENDIAN}
+	{$setc TARGET_RT_BIG_ENDIAN := FALSE}
+	{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
+{$elsec}
+	{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
+{$endc}
+{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
+{$setc CALL_NOT_IN_CARBON := FALSE}
+{$setc OLDROUTINENAMES := FALSE}
+{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
+{$setc OPAQUE_UPP_TYPES := TRUE}
+{$setc OTCARBONAPPLICATION := TRUE}
+{$setc OTKERNEL := FALSE}
+{$setc PM_USE_SESSION_APIS := TRUE}
+{$setc TARGET_API_MAC_CARBON := TRUE}
+{$setc TARGET_API_MAC_OS8 := FALSE}
+{$setc TARGET_API_MAC_OSX := TRUE}
+{$setc TARGET_CARBON := TRUE}
+{$setc TARGET_CPU_68K := FALSE}
+{$setc TARGET_CPU_MIPS := FALSE}
+{$setc TARGET_CPU_SPARC := FALSE}
+{$setc TARGET_OS_UNIX := FALSE}
+{$setc TARGET_OS_WIN32 := FALSE}
+{$setc TARGET_RT_MAC_68881 := FALSE}
+{$setc TARGET_RT_MAC_CFM := FALSE}
+{$setc TARGET_RT_MAC_MACHO := TRUE}
+{$setc TYPED_FUNCTION_POINTERS := TRUE}
+{$setc TYPE_BOOL := FALSE}
+{$setc TYPE_EXTENDED := FALSE}
+{$setc TYPE_LONGLONG := TRUE}
+uses MacTypes,cssmtype;
+{$endc} {not MACOSALLINCLUDE}
+
+
+{$ifc TARGET_OS_MAC}
+
+{$packrecords c}
+
+
+type
+	CSSM_BER_TAG = UInt8;
+const
+	BER_TAG_UNKNOWN = 0;
+const
+	BER_TAG_BOOLEAN = 1;
+const
+	BER_TAG_INTEGER = 2;
+const
+	BER_TAG_BIT_STRING = 3;
+const
+	BER_TAG_OCTET_STRING = 4;
+const
+	BER_TAG_NULL = 5;
+const
+	BER_TAG_OID = 6;
+const
+	BER_TAG_OBJECT_DESCRIPTOR = 7;
+const
+	BER_TAG_EXTERNAL = 8;
+const
+	BER_TAG_REAL = 9;
+const
+	BER_TAG_ENUMERATED = 10;
+{ 12 to 15 are reserved for future versions of the recommendation }
+const
+	BER_TAG_PKIX_UTF8_STRING = 12;
+const
+	BER_TAG_SEQUENCE = 16;
+const
+	BER_TAG_SET = 17;
+const
+	BER_TAG_NUMERIC_STRING = 18;
+const
+	BER_TAG_PRINTABLE_STRING = 19;
+const
+	BER_TAG_T61_STRING = 20;
+const
+  BER_TAG_TELETEX_STRING = BER_TAG_T61_STRING;
+const
+	BER_TAG_VIDEOTEX_STRING = 21;
+const
+	BER_TAG_IA5_STRING = 22;
+const
+	BER_TAG_UTC_TIME = 23;
+const
+	BER_TAG_GENERALIZED_TIME = 24;
+const
+	BER_TAG_GRAPHIC_STRING = 25;
+const
+	BER_TAG_ISO646_STRING = 26;
+const
+	BER_TAG_GENERAL_STRING = 27;
+const
+  BER_TAG_VISIBLE_STRING = BER_TAG_ISO646_STRING;
+{ 28 - are reserved for future versions of the recommendation }
+const
+	BER_TAG_PKIX_UNIVERSAL_STRING = 28;
+const
+	BER_TAG_PKIX_BMP_STRING = 30;
+
+
+{ Data Structures for X.509 Certificates }
+
+type
+	CSSM_X509_ALGORITHM_IDENTIFIER_PTR = ^cssm_x509_algorithm_identifier;
+	CSSM_X509_ALGORITHM_IDENTIFIERPtr = ^cssm_x509_algorithm_identifier;
+	cssm_x509_algorithm_identifier = record
+		algorithm: CSSM_OID;
+		parameters: CSSM_DATA;
+	end;
+
+{ X509 Distinguished name structure }
+type
+	CSSM_X509_TYPE_VALUE_PAIR_PTR = ^cssm_x509_type_value_pair;
+	CSSM_X509_TYPE_VALUE_PAIRPtr = ^cssm_x509_type_value_pair;
+	cssm_x509_type_value_pair = record
+		typ: CSSM_OID;
+		valueType: CSSM_BER_TAG; { The Tag to be used when }
+    {this value is BER encoded }
+		value: CSSM_DATA;
+	end;
+
+type
+	CSSM_X509_RDN_PTR = ^cssm_x509_rdn;
+	CSSM_X509_RDNPtr = ^cssm_x509_rdn;
+	cssm_x509_rdn = record
+		numberOfPairs: UInt32;
+		AttributeTypeAndValue: CSSM_X509_TYPE_VALUE_PAIR_PTR;
+	end;
+
+type
+	CSSM_X509_NAME_PTR = ^cssm_x509_name;
+	CSSM_X509_NAMEPtr = ^cssm_x509_name;
+	cssm_x509_name = record
+		numberOfRDNs: UInt32;
+		RelativeDistinguishedName: CSSM_X509_RDN_PTR;
+	end;
+
+{ Public key info struct }
+type
+	CSSM_X509_SUBJECT_PUBLIC_KEY_INFO_PTR = ^cssm_x509_subject_public_key_info;
+	CSSM_X509_SUBJECT_PUBLIC_KEY_INFOPtr = ^cssm_x509_subject_public_key_info;
+	cssm_x509_subject_public_key_info = record
+		algorithm: CSSM_X509_ALGORITHM_IDENTIFIER;
+		subjectPublicKey: CSSM_DATA;
+	end;
+
+type
+	CSSM_X509_TIME_PTR = ^cssm_x509_time;
+	CSSM_X509_TIMEPtr = ^cssm_x509_time;
+	cssm_x509_time = record
+		timeType: CSSM_BER_TAG;
+		time: CSSM_DATA;
+	end;
+
+{ Validity struct }
+type
+	CSSM_X509_VALIDITY_PTR = ^CSSM_X509_VALIDITY;
+	CSSM_X509_VALIDITYPtr = ^CSSM_X509_VALIDITY;
+	CSSM_X509_VALIDITY = record
+		notBefore: CSSM_X509_TIME;
+		notAfter: CSSM_X509_TIME;
+	end;
+
+const
+  CSSM_X509_OPTION_PRESENT = CSSM_TRUE;
+  CSSM_X509_OPTION_NOT_PRESENT = CSSM_FALSE;
+
+type
+	CSSM_X509_OPTION = CSSM_BOOL;
+
+type
+	CSSM_X509EXT_BASICCONSTRAINTS_PTR = ^cssm_x509ext_basicConstraints;
+	CSSM_X509EXT_BASICCONSTRAINTSPtr = ^cssm_x509ext_basicConstraints;
+	cssm_x509ext_basicConstraints = record
+		cA: CSSM_BOOL;
+		pathLenConstraintPresent: CSSM_X509_OPTION;
+		pathLenConstraint: UInt32;
+	end;
+
+type
+  CSSM_X509EXT_DATA_FORMAT = UInt32;
+
+const
+  CSSM_X509_DATAFORMAT_ENCODED = 0;
+  CSSM_X509_DATAFORMAT_PARSED = 1;
+  CSSM_X509_DATAFORMAT_PAIR = 2;
+
+type
+	CSSM_X509EXT_TAGandVALUE_PTR = ^CSSM_X509EXT_TAGandVALUE;
+	CSSM_X509EXT_TAGandVALUEPtr = ^CSSM_X509EXT_TAGandVALUE;
+	CSSM_X509EXT_TAGandVALUE = record
+		typ: CSSM_BER_TAG;
+		value: CSSM_DATA;
+	end;
+
+type
+	CSSM_X509EXT_PAIR_PTR = ^cssm_x509ext_pair;
+	CSSM_X509EXT_PAIRPtr = ^cssm_x509ext_pair;
+	cssm_x509ext_pair = record
+		tagAndValue: CSSM_X509EXT_TAGandVALUE;
+		parsedValue: UnivPtr;
+	end;
+
+{ Extension structure }
+type
+  __embedded_cssm_x509_extension = record
+    case Integer of
+      0: (tagAndValue: CSSM_X509EXT_TAGandVALUEPtr);
+      1: (parsedValue: UnivPtr);
+      2: (valuePair: CSSM_X509EXT_PAIRPtr);
+  end;
+
+  CSSM_X509_EXTENSION_PTR = ^cssm_x509_extension;
+  CSSM_X509_EXTENSIONPtr = ^cssm_x509_extension;
+	cssm_x509_extension = record
+		extnId: CSSM_OID;
+		critical: CSSM_BOOL;
+		format: CSSM_X509EXT_DATA_FORMAT;
+		value: __embedded_cssm_x509_extension;
+    BERvalue: CSSM_DATA ;
+  end;
+
+type
+	CSSM_X509_EXTENSIONS_PTR = ^cssm_x509_extensions;
+	CSSM_X509_EXTENSIONSPtr = ^cssm_x509_extensions;
+	cssm_x509_extensions = record
+		numberOfExtensions: UInt32;
+		extensions: CSSM_X509_EXTENSION_PTR;
+	end;
+
+{ X509V3 certificate structure }
+type
+	CSSM_X509_TBS_CERTIFICATE_PTR = ^cssm_x509_tbs_certificate;
+	CSSM_X509_TBS_CERTIFICATEPtr = ^cssm_x509_tbs_certificate;
+	cssm_x509_tbs_certificate = record
+		version: CSSM_DATA;
+		serialNumber: CSSM_DATA;
+		signature: CSSM_X509_ALGORITHM_IDENTIFIER;
+		issuer: CSSM_X509_NAME;
+		validity: CSSM_X509_VALIDITY;
+		subject: CSSM_X509_NAME;
+		subjectPublicKeyInfo: CSSM_X509_SUBJECT_PUBLIC_KEY_INFO;
+		issuerUniqueIdentifier: CSSM_DATA;
+		subjectUniqueIdentifier: CSSM_DATA;
+		extensions: CSSM_X509_EXTENSIONS;
+	end;
+
+{ Signature structure }
+type
+	CSSM_X509_SIGNATURE_PTR = ^cssm_x509_signature;
+	CSSM_X509_SIGNATUREPtr = ^cssm_x509_signature;
+	cssm_x509_signature = record
+		algorithmIdentifier: CSSM_X509_ALGORITHM_IDENTIFIER;
+		encrypted: CSSM_DATA;
+	end;
+
+{ Signed certificate structure }
+type
+	CSSM_X509_SIGNED_CERTIFICATE_PTR = ^cssm_x509_signed_certificate;
+	CSSM_X509_SIGNED_CERTIFICATEPtr = ^cssm_x509_signed_certificate;
+	cssm_x509_signed_certificate = record
+		certificate: CSSM_X509_TBS_CERTIFICATE;
+		signature: CSSM_X509_SIGNATURE;
+	end;
+
+type
+	CSSM_X509EXT_POLICYQUALIFIERINFO_PTR = ^cssm_x509ext_policyQualifierInfo;
+	CSSM_X509EXT_POLICYQUALIFIERINFOPtr = ^cssm_x509ext_policyQualifierInfo;
+	cssm_x509ext_policyQualifierInfo = record
+		policyQualifierId: CSSM_OID;
+		value: CSSM_DATA;
+	end;
+
+type
+	CSSM_X509EXT_POLICYQUALIFIERS_PTR = ^cssm_x509ext_policyQualifiers;
+	CSSM_X509EXT_POLICYQUALIFIERSPtr = ^cssm_x509ext_policyQualifiers;
+	cssm_x509ext_policyQualifiers = record
+		numberOfPolicyQualifiers: UInt32;
+		policyQualifier: CSSM_X509EXT_POLICYQUALIFIERINFOPtr;
+	end;
+
+type
+	CSSM_X509EXT_POLICYINFO_PTR = ^cssm_x509ext_policyInfo;
+	CSSM_X509EXT_POLICYINFOPtr = ^cssm_x509ext_policyInfo;
+	cssm_x509ext_policyInfo = record
+		policyIdentifier: CSSM_OID;
+		policyQualifiers: CSSM_X509EXT_POLICYQUALIFIERS;
+	end;
+
+
+{ Data Structures for X.509 Certificate Revocations Lists }
+
+{ x509V2 entry in the CRL revokedCertificates sequence }
+type
+	CSSM_X509_REVOKED_CERT_ENTRY_PTR = ^cssm_x509_revoked_cert_entry;
+	CSSM_X509_REVOKED_CERT_ENTRYPtr = ^cssm_x509_revoked_cert_entry;
+	cssm_x509_revoked_cert_entry = record
+		certificateSerialNumber: CSSM_DATA;
+		revocationDate: CSSM_X509_TIME;
+		extensions: CSSM_X509_EXTENSIONS;
+	end;
+
+type
+	CSSM_X509_REVOKED_CERT_LIST_PTR = ^cssm_x509_revoked_cert_list;
+	CSSM_X509_REVOKED_CERT_LISTPtr = ^cssm_x509_revoked_cert_list;
+	cssm_x509_revoked_cert_list = record
+		numberOfRevokedCertEntries: UInt32;
+		revokedCertEntry: CSSM_X509_REVOKED_CERT_ENTRY_PTR;
+	end;
+
+{ x509v2 Certificate Revocation List (CRL) (unsigned) structure }
+type
+	CSSM_X509_TBS_CERTLIST_PTR = ^cssm_x509_tbs_certlist;
+	CSSM_X509_TBS_CERTLISTPtr = ^cssm_x509_tbs_certlist;
+	cssm_x509_tbs_certlist = record
+		version: CSSM_DATA;
+		signature: CSSM_X509_ALGORITHM_IDENTIFIER;
+		issuer: CSSM_X509_NAME;
+		thisUpdate: CSSM_X509_TIME;
+		nextUpdate: CSSM_X509_TIME;
+		revokedCertificates: CSSM_X509_REVOKED_CERT_LIST_PTR;
+		extensions: CSSM_X509_EXTENSIONS;
+	end;
+
+type
+	CSSM_X509_SIGNED_CRL_PTR = ^cssm_x509_signed_crl;
+	CSSM_X509_SIGNED_CRLPtr = ^cssm_x509_signed_crl;
+	cssm_x509_signed_crl = record
+		tbsCertList: CSSM_X509_TBS_CERTLIST;
+		signature: CSSM_X509_SIGNATURE;
+	end;
+
+{$endc} {TARGET_OS_MAC}
+{$ifc not defined MACOSALLINCLUDE or not MACOSALLINCLUDE}
+
+end.
+{$endc} {not MACOSALLINCLUDE}