📄 cryptkrn.h
字号:
mechanisms is somewhat artificial in that they do the same thing, however
it's easier for the kernel to perform security checks on parameters if
the two are distinct */
typedef enum {
MECHANISM_NONE, /* No mechanism */
MECHANISM_PKCS1, /* PKCS #1 sign/encrypt */
MECHANISM_PKCS1_PGP, /* PKCS #1 using PGP formatting */
MECHANISM_PKCS1_RAW, /* PKCS #1 returning uninterpreted data */
MECHANISM_PKCS5, /* PKCS #5 derive */
MECHANISM_CMS, /* CMS key wrap */
MECHANISM_KEA, /* KEA key agreement */
MECHANISM_SSL, /* SSL derive */
MECHANISM_TLS, /* TLS derive */
MECHANISM_CMP, /* CMP/Entrust derive */
MECHANISM_PGP, /* OpenPGP S2K derive */
MECHANISM_PRIVATEKEYWRAP, /* Private key wrap */
MECHANISM_LAST /* Last valid mechanism type */
} MECHANISM_TYPE;
/* A structure to hold information needed by the key export/import mechanism.
The key can be passed as raw key data or as a context if tied to hardware
which doesn't allow keying material outside the hardware's security
perimeter:
PKCS #1 wrappedData = wrapped key
PKCS #1 PGP keyData = -
keyContext = context containing key
wrapContext = wrap/unwrap PKC context
auxContext = CRYPT_UNUSED
PKCS #1 raw wrappedData = wrapped raw data
keyData = uninterpreted raw data
keyContext = CRYPT_UNUSED
wrapContext = wrap/unwrap PKC context
auxContext = CRYPT_UNUSED
CMS wrappedData = wrapped key
keyData = raw key - or -
keyContext = context containing key
wrapContext = wrap/unwrap conventional context
auxContext = CRYPT_UNUSED
KEA wrappedData = len + TEK( MEK ), len + UKM
keyData = NULL
keyContext = MEK
wrapContext = recipient KEA public key
auxContext = originator KEA private key
ssh wrappedData = double-wrapped key
keyData = raw key
keyContext = CRYPT_UNUSED
wrapContext = server PKC key
auxContext = host PKC key
Private wrappedData = Padded encrypted private key components
key wrap keyData = -
keyContext = context containing private key
wrapContext = wrap/unwrap conventional context
auxContext = CRYPT_UNUSED */
typedef struct {
void *wrappedData; /* Wrapped key */
int wrappedDataLength;
void *keyData; /* Raw key */
int keyDataLength;
CRYPT_HANDLE keyContext; /* Context containing raw key */
CRYPT_HANDLE wrapContext; /* Wrap/unwrap context */
CRYPT_HANDLE auxContext; /* Auxiliary context */
} MECHANISM_WRAP_INFO;
/* A structure to hold information needed by the sign/sig check mechanism:
PKCS #1 signature = signature
hashContext = hash to sign
signContext = signing key */
typedef struct {
void *signature; /* Signature */
int signatureLength;
CRYPT_CONTEXT hashContext; /* Hash context */
CRYPT_HANDLE signContext; /* Signing context */
} MECHANISM_SIGN_INFO;
/* A structure to hold information needed by the key derive mechanism:
PKCS #5 dataOut = key data
CMP dataIn = password
PGP hashAlgo = hash algorithm
salt = salt
iterations = iteration count
SSL/TLS dataOut = key data/master secret
dataIn = master secret/premaster secret
hashAlgo = CRYPT_USE_DEFAULT
salt = client || server random/server || client random
iterations = CRYPT_UNUSED */
typedef struct {
void *dataOut; /* Output keying information */
int dataOutLength;
const void *dataIn; /* Input keying information */
int dataInLength;
CRYPT_ALGO hashAlgo; /* Hash algorithm */
const void *salt; /* Salt/randomiser */
int saltLength;
int iterations; /* Iterations of derivation function */
} MECHANISM_DERIVE_INFO;
/* Macros to make it easier to work with the mechanism info types. The
shortened name forms in the macro args are necessary to avoid clashes with
the struct members. The long lines are necessary because older Borland
compilers can't handle line breaks at the point in a macro definition */
#define clearMechanismInfo( mechanismInfo ) \
memset( mechanismInfo, 0, sizeof( *mechanismInfo ) )
#define setMechanismWrapInfo( mechanismInfo, wrapped, wrappedLen, key, keyLen, keyCtx, wrapCtx, auxCtx ) \
{ \
( mechanismInfo )->wrappedData = ( wrapped ); \
( mechanismInfo )->wrappedDataLength = ( wrappedLen ); \
( mechanismInfo )->keyData = ( key ); \
( mechanismInfo )->keyDataLength = ( keyLen ); \
( mechanismInfo )->keyContext = ( keyCtx ); \
( mechanismInfo )->wrapContext = ( wrapCtx ); \
( mechanismInfo )->auxContext = ( auxCtx ); \
}
#define setMechanismSignInfo( mechanismInfo, sig, sigLen, hashCtx, signCtx ) \
{ \
( mechanismInfo )->signature = ( sig ); \
( mechanismInfo )->signatureLength = ( sigLen ); \
( mechanismInfo )->hashContext = ( hashCtx ); \
( mechanismInfo )->signContext = ( signCtx ); \
}
#define setMechanismDeriveInfo( mechanismInfo, out, outLen, in, inLen, hAlgo, slt, sltLen, iters ) \
{ \
( mechanismInfo )->dataOut = ( out ); \
( mechanismInfo )->dataOutLength = ( outLen ); \
( mechanismInfo )->dataIn = ( in ); \
( mechanismInfo )->dataInLength = ( inLen ); \
( mechanismInfo )->hashAlgo = ( hAlgo ); \
( mechanismInfo )->salt = ( slt ); \
( mechanismInfo )->saltLength = ( sltLen ); \
( mechanismInfo )->iterations = ( iters ); \
}
/****************************************************************************
* *
* Misc Message Types *
* *
****************************************************************************/
/* Beside the general data+length and mechanism messages, we also have a
number of special-purposes messages which require their own parameter
data structures. These are:
Create object messages, used to create objects via a device, either
directly or indirectly by instantiating the object from encoded data (for
example a certificate object from a certificate). Usually the device is
the system object, but it can also be used to create contexts in hardware
devices. In addition to the creation parameters we also pass in the
owner user object to be stored with the object data since grabbing a
local copy is quicker than reading it from the system object table each
time it's required */
typedef struct {
CRYPT_HANDLE cryptHandle; /* Handle to created object */
CRYPT_USER cryptOwner; /* New object's owner */
int arg1, arg2; /* Integer args */
void *strArg1, *strArg2; /* String args */
int strArgLen1, strArgLen2;
} MESSAGE_CREATEOBJECT_INFO;
#define setMessageCreateObjectInfo( createObjectInfo, a1 ) \
{ \
memset( createObjectInfo, 0, sizeof( MESSAGE_CREATEOBJECT_INFO ) ); \
( createObjectInfo )->cryptHandle = CRYPT_ERROR; \
( createObjectInfo )->cryptOwner = CRYPT_ERROR; \
( createObjectInfo )->arg1 = ( a1 ); \
}
#define setMessageCreateObjectIndirectInfo( createObjectInfo, data, dataLen ) \
{ \
memset( createObjectInfo, 0, sizeof( MESSAGE_CREATEOBJECT_INFO ) ); \
( createObjectInfo )->cryptHandle = CRYPT_ERROR; \
( createObjectInfo )->cryptOwner = CRYPT_ERROR; \
( createObjectInfo )->strArg1 = ( data ); \
( createObjectInfo )->strArgLen1 = ( dataLen ); \
}
/* Key management messages, used to set, get and delete keys. The item type,
keyIDtype, keyID, and keyIDlength are mandatory, the aux.info depends on
the type if message (optional password for private key get/set, state
information for get next cert, null otherwise), and the flags are
generally only required where the keyset can hold multiple types of keys
(for example a crypto device acting as a keyset, or a PKCS #15 token).
An itemType of KEYMGMT_ITEM_PUBLICKEY is somewhat more general than its
name implies in that keysets/devices which store private key information
alongside public-key data may delete both types of items if asked to
delete a KEYMGMT_ITEM_PUBLICKEY since the two items are (implicitly)
connected.
In addition to the flags which are used to handle various special-case
read accesses, we can also specify a usage preference for cases where we
may have multiple keys with the same keyID which differ only in required
usage. Currently the only time where this is necessary is for
distinguishing confidentiality from signature-key usage, in the future
this can be extended to cover other usage types if required */
typedef enum {
KEYMGMT_ITEM_NONE, /* No item type */
KEYMGMT_ITEM_PUBLICKEY, /* Access public key */
KEYMGMT_ITEM_PRIVATEKEY, /* Access private key */
KEYMGMT_ITEM_SECRETKEY, /* Access secret key */
KEYMGMT_ITEM_REQUEST, /* Access cert request */
KEYMGMT_ITEM_PKIUSER, /* Access PKI user info */
KEYMGMT_ITEM_REVOCATIONINFO,/* Access revocation info/CRL */
KEYMGMT_ITEM_DATA, /* Other data (for PKCS #15 tokens) */
KEYMGMT_ITEM_LAST /* Last item type */
} KEYMGMT_ITEM_TYPE;
#define KEYMGMT_FLAG_NONE 0x0000 /* No flag */
#define KEYMGMT_FLAG_CHECK_ONLY 0x0001 /* Perform existence check only */
#define KEYMGMT_FLAG_LABEL_ONLY 0x0002 /* Get key label only */
#define KEYMGMT_FLAG_UPDATE 0x0004 /* Update existing (allow dups) */
#define KEYMGMT_FLAG_DATAONLY_CERT 0x0008 /* Create data-only certs */
#define KEYMGMT_FLAG_USAGE_CRYPT 0x0010 /* Prefer encryption key */
#define KEYMGMT_FLAG_USAGE_SIGN 0x0020 /* Prefer signature key */
#define KEYMGMT_FLAG_LAST 0x0040 /* Last valid flag */
#define KEYMGMT_MASK_USAGEOPTIONS ( KEYMGMT_FLAG_USAGE_CRYPT | \
KEYMGMT_FLAG_USAGE_SIGN )
#define KEYMGMT_MASK_CERTOPTIONS ( KEYMGMT_FLAG_DATAONLY_CERT | \
KEYMGMT_FLAG_USAGE_CRYPT | \
KEYMGMT_FLAG_USAGE_SIGN )
typedef struct {
CRYPT_HANDLE cryptHandle; /* Returned key */
CRYPT_KEYID_TYPE keyIDtype; /* Key ID type */
const void *keyID; /* Key ID */
int keyIDlength;
void *auxInfo; /* Aux.info (eg password for private key) */
int auxInfoLength;
int flags; /* Access options */
} MESSAGE_KEYMGMT_INFO;
#define setMessageKeymgmtInfo( keymgmtInfo, idType, id, idLength, aux, auxLen, keyFlags ) \
{ \
( keymgmtInfo )->cryptHandle = CRYPT_ERROR; \
( keymgmtInfo )->keyIDtype = ( idType ); \
( keymgmtInfo )->keyID = ( id ); \
( keymgmtInfo )->keyIDlength = ( idLength ); \
( keymgmtInfo )->auxInfo = ( aux ); \
( keymgmtInfo )->auxInfoLength = ( auxLen ); \
( keymgmtInfo )->flags = ( keyFlags ); \
}
/* Cert management messages used to handle CA operations. All fields are
mandatory, however the cryptCert and request fields may be set to
CRYPT_UNUSED to indicate 'don't care' conditions */
typedef struct {
CRYPT_CERTIFICATE cryptCert; /* Returned cert */
CRYPT_CONTEXT caKey; /* CA key to sign item */
CRYPT_CERTIFICATE request; /* Request for operation */
} MESSAGE_CERTMGMT_INFO;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -