keyset.h

提供了很多种加密算法和CA认证及相关服务如CMP、OCSP等的开发

   information to be passed to lower-level routines without having to have
   an entire keyset record present, and as a convenient side-effect to
   conserve memory with some of the more data-intensive types such as
   database keysets.  In addition the structures provide a convenient way to
   group the context-type-specific parameters */

typedef enum { KEYSET_NONE, KEYSET_FILE, KEYSET_DBMS, KEYSET_LDAP,
			   KEYSET_HTTP } KEYSET_TYPE;

struct KI;	/* Forward declaration for argument to function pointers */

typedef struct {
	/* The I/O stream and file name */
	STREAM stream;					/* I/O stream for key file */
	char fileName[ FILENAME_MAX ];	/* Name of key file */
	} FILE_INFO;

typedef struct {
	/* DBMS status information.  The update active flag is required because
	   we can sometimes run into a situation where an update falls through to
	   an abort without ever having been begun, this happens if there's a
	   sequence of misc setup operations taking place and one of them fails
	   before we begin the update.  Although it'd be better if the caller
	   handled this, in practice it'd mean passing extra status information
	   (failed vs failed but need to abort a commenced update) across a
	   number of different functions, to avoid this we record whether an
	   update has begun and if not skip an abort operation if there's no
	   update currently in progress */
	BOOLEAN hasBinaryBlobs;			/* Whether DBMS supports binary blobs */
	BOOLEAN isCertStore;			/* Whether DBMS is a full cert store */
	BOOLEAN updateActive;			/* Whether there's an update active */

	/* Pointers to error information returned by the database.  The data
	   itself is stored in a common location in the KEYSET_INFO struct */
	int *errorCode;
	char *errorMessage;

	/* The data being sent to the backend can be communicated over a variety
	   of channels, the following function pointer points to the appropriate
	   dispatch function and the state information contains the state data
	   needed for the communications channel */
	void ( *dispatchFunction )( void *stateInfo, BYTE *buffer );
	void *stateInfo;

	/* For database types which can use binary blobs we need to bind the
	   locations of variables and use placeholders in the SQL text rather
	   than passing the data as part of the SQL command.  The following
	   variables are the storage which is bound */
	char boundCertData[ MAX_ENCODED_CERT_SIZE ];
	int boundCertDataLen;			/* Bound cert data value */
	} DBMS_INFO;

typedef struct {
	/* The I/O stream */
	STREAM stream;					/* I/O stream for HTTP read */

	/* An HTTP fetch differs from the other types of read in that it can
	   return data in multiple chunks depending on how much comes over the
	   net at once.  Because of this we need to track what's come in, and
	   also allocate more buffer space on demand if required.  The following
	   variables handle the on-demand reallocation of buffer space */
	int bufPos;						/* Current position in buffer */
	} HTTP_INFO;

typedef struct {
#ifdef DBX_LDAP
	/* LDAP access information */
	void *ld;						/* LDAP connection information */
	void *result;					/* State information for ongoing queries */
#endif /* DBX_LDAP */

	/* The names of the object class and various attributes.  These are
	   stored as part of the keyset context since they may be user-defined or
	   the library-wide definition may change over time */
	char nameObjectClass[ CRYPT_MAX_TEXTSIZE + 1 ];	/* Name of object class */
	char nameFilter[ CRYPT_MAX_TEXTSIZE + 1 ];	/* Name of query filter */
	char nameCACert[ CRYPT_MAX_TEXTSIZE + 1 ];	/* Name of CA cert attribute */
	char nameCert[ CRYPT_MAX_TEXTSIZE + 1 ];	/* Name of cert attribute */
	char nameCRL[ CRYPT_MAX_TEXTSIZE + 1 ];		/* Name of CRL attribute */
	char nameEmail[ CRYPT_MAX_TEXTSIZE + 1 ];	/* Name of email addr.attr.*/
	CRYPT_CERTTYPE_TYPE objectType;				/* Preferred obj.type to fetch */

	/* When storing a cert we need the certificate DN, email address,
	   and cert expiry date */
	char C[ CRYPT_MAX_TEXTSIZE + 1 ], SP[ CRYPT_MAX_TEXTSIZE + 1 ],
		L[ CRYPT_MAX_TEXTSIZE + 1 ], O[ CRYPT_MAX_TEXTSIZE + 1 ],
		OU[ CRYPT_MAX_TEXTSIZE + 1 ], CN[ CRYPT_MAX_TEXTSIZE + 1 ];
	char email[ CRYPT_MAX_TEXTSIZE + 1 ];
	time_t date;
	} LDAP_INFO;

/* Defines to make access to the union fields less messy */

#define keysetFile		keysetInfo.fileInfo
#define keysetDBMS		keysetInfo.dbmsInfo
#define keysetHTTP		keysetInfo.httpInfo
#define keysetLDAP		keysetInfo.ldapInfo

/* The structure which stores information on a keyset */

typedef struct KI {
	/* General keyset information */
	KEYSET_TYPE type;				/* Keyset type (native, PGP, X.509, etc) */
	KEYSET_SUBTYPE subType;			/* Keyset subtype (public, private, etc) */
	CRYPT_KEYOPT_TYPE options;		/* Keyset option flags */
	BOOLEAN queryInProgress;		/* Whether keyset is processing ongoing query */
	BOOLEAN isOpen;					/* Whether keyset is open */
	BOOLEAN isEmpty;				/* Whether keyset is empty */
	BOOLEAN isDirty;				/* Whether keyset data has been changed */

	/* The keyset-type-specific information */
	union {
		FILE_INFO fileInfo;
		DBMS_INFO dbmsInfo;
		HTTP_INFO httpInfo;
		LDAP_INFO ldapInfo;
		} keysetInfo;				/* Keyset-specific information */

	/* Last-error information returned from lower-level code */
	int errorCode;
	char errorMessage[ MAX_ERRMSG_SIZE ];

	/* Pointers to keyset access methods */
	int ( *initFunction )( struct KI *keysetInfo, const char *name,
						   const char *param, 
						   const CRYPT_KEYOPT_TYPE options );
	void ( *shutdownFunction )( struct KI *keysetInfo );
	int ( *getItemFunction )( struct KI *keysetInfo,
							  CRYPT_HANDLE *iCryptHandle,
							  const KEYMGMT_ITEM_TYPE itemType,
							  const CRYPT_KEYID_TYPE keyIDtype,
							  const void *keyID,  const int keyIDlength,
							  void *auxInfo, int *auxInfoLength,
							  const int flags );
	int ( *setItemFunction )( struct KI *deviceInfo,
							  const CRYPT_HANDLE iCryptHandle,
							  const KEYMGMT_ITEM_TYPE itemType,
							  const char *password, const int passwordLength,
							  const int flags );
	int ( *deleteItemFunction )( struct KI *keysetInfo,
								 const KEYMGMT_ITEM_TYPE itemType,
								 const CRYPT_KEYID_TYPE keyIDtype,
								 const void *keyID, const int keyIDlength );
	int ( *getFirstItemFunction )( struct KI *keysetInfo,
								   CRYPT_CERTIFICATE *iCertificate,
								   int *stateInfo,
								   const CRYPT_KEYID_TYPE keyIDtype,
								   const void *keyID, const int keyIDlength,
								   const KEYMGMT_ITEM_TYPE itemType,
								   const int options );
	int ( *getNextItemFunction )( struct KI *keysetInfo,
								  CRYPT_CERTIFICATE *iCertificate,
								  int *stateInfo, const int options );
	int ( *certMgmtFunction)( struct KI *keysetInfo, CRYPT_CERTIFICATE *iCryptCert,
							  const CRYPT_CERTIFICATE caKey,
							  const CRYPT_CERTIFICATE request,
							  const CRYPT_CERTACTION_TYPE action );

	/* Some keysets require keyset-type-specific data storage which is
	   managed via the following variables */
	void *keyData;					/* Keyset data buffer */
	int keyDataSize;				/* Buffer size */

	/* Error information */
	CRYPT_ATTRIBUTE_TYPE errorLocus;/* Error locus */
	CRYPT_ERRTYPE_TYPE errorType;	/* Error type */

	/* When we clone an object, there are certain per-instance fields which
	   don't get cloned.  These fields are located after the following
	   member, and must be initialised by the cloning function */
	int _sharedEnd;					/* Dummy used for end of shared fields */

	/* The object's handle and the handle of the user who owns this object.
	   The former is used when sending messages to the object when only the
	   xxx_INFO is available, the latter is used to avoid having to fetch the
	   same information from the system object table */
	CRYPT_HANDLE objectHandle;
	CRYPT_USER ownerHandle;

	/* In multithreaded environments we need to protect the information from
	   access by other threads while we use it.  The following macro declares
	   the actual variables required to handle the object locking (the actual
	   values are defined in cryptos.h) */
	DECLARE_OBJECT_LOCKING_VARS
	} KEYSET_INFO;

/* Prototypes for keyset mapping functions */

int setAccessMethodDBMS( KEYSET_INFO *keysetInfo,
						 const CRYPT_KEYSET_TYPE type );
int setAccessMethodHTTP( KEYSET_INFO *keysetInfo );
int setAccessMethodLDAP( KEYSET_INFO *keysetInfo );
int setAccessMethodPGP( KEYSET_INFO *keysetInfo );
int setAccessMethodPKCS12( KEYSET_INFO *keysetInfo );
int setAccessMethodPKCS15( KEYSET_INFO *keysetInfo );

#endif /* _KEYSET_DEFINED */