cryptacl.h

提供了很多种加密算法和CA认证及相关服务如CMP、OCSP等的开发

/****************************************************************************
*																			*
*					  Object Attribute Permission Information				*
*						Copyright Peter Gutmann 1998-2002					*
*																			*
****************************************************************************/

#ifndef _CRYPTACL_DEFINED

#define _CRYPTACL_DEFINED

/* Various includes and defines needed for range checking */

#include <limits.h>		/* For INT_MAX */

/* Each attribute has a mandatory ACL associated with it which controls how
   that attribute may be modified and used.  The ACL is enforced by the
   kernel before dispatching attribute-manipulation messages to an object.
   For example, a read of a CRYPT_CTXINFO_KEY wouldn't even make it to the
   object, it'd be rejected immediately by the kernel.

   The first entry in the ACL is the attribute's type, which determines
   what type the attribute should have.  The basic values are boolean,
   numeric, or byte string, there are also some special types such as object
   handles which place extra constraints on the attribute */

typedef enum {
	VALUE_NONE,						/* Non-value */
	VALUE_BOOLEAN,					/* Boolean flag */
	VALUE_NUMERIC,					/* Numeric value */
	VALUE_STRING,					/* Byte string */
	VALUE_OBJECT,					/* Object handle */
	VALUE_TIME						/* Timestamp */
	} VALUE_TYPE;

/* The next entry is a bitfield which defines for which object subtypes the
   attribute is valid.  The interpretation of the bitfield is object-specific,
   the check is performed with a simple AND (if
   ACL->bitfield & object->subType -> access is valid).  Since the full field
   names are rather long, we define a shortened form (only visible within this
   header file) which reduces the space required to define them */

#define ST_CTX_CONV				SUBTYPE_CTX_CONV
#define ST_CTX_PKC				SUBTYPE_CTX_PKC
#define ST_CTX_HASH				SUBTYPE_CTX_HASH
#define ST_CTX_MAC				SUBTYPE_CTX_MAC
#define ST_CTX_ANY				( ST_CTX_CONV | ST_CTX_PKC | ST_CTX_HASH | \
								  ST_CTX_MAC )

#define ST_CERT_CERT			SUBTYPE_CERT_CERT
#define ST_CERT_CERTREQ			SUBTYPE_CERT_CERTREQ
#define ST_CERT_REQ_CERT		SUBTYPE_CERT_REQ_CERT
#define ST_CERT_REQ_REV			SUBTYPE_CERT_REQ_REV
#define ST_CERT_CERTCHAIN		SUBTYPE_CERT_CERTCHAIN
#define ST_CERT_ATTRCERT		SUBTYPE_CERT_ATTRCERT
#define ST_CERT_CRL				SUBTYPE_CERT_CRL
#define ST_CERT_CMSATTR			SUBTYPE_CERT_CMSATTR
#define ST_CERT_OCSP_REQ		SUBTYPE_CERT_OCSP_REQ
#define ST_CERT_OCSP_RESP		SUBTYPE_CERT_OCSP_RESP
#define ST_CERT_PKIUSER			SUBTYPE_CERT_PKIUSER
#define ST_CERT_ANY_CERT		( ST_CERT_CERT | ST_CERT_CERTREQ | \
								  SUBTYPE_CERT_REQ_CERT | ST_CERT_CERTCHAIN )
#define ST_CERT_ANY				( ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | \
								  ST_CERT_REQ_REV | ST_CERT_CRL | \
								  ST_CERT_CMSATTR | ST_CERT_OCSP_REQ | \
								  ST_CERT_OCSP_RESP | ST_CERT_PKIUSER )

#define ST_KEYSET_FILE			SUBTYPE_KEYSET_FILE
#define ST_KEYSET_DBMS			SUBTYPE_KEYSET_DBMS
#define ST_KEYSET_DBMS_STORE	SUBTYPE_KEYSET_DBMS_STORE
#define ST_KEYSET_HTTP			SUBTYPE_KEYSET_HTTP
#define ST_KEYSET_LDAP			SUBTYPE_KEYSET_LDAP
#define ST_KEYSET_ANY			( ST_KEYSET_FILE | ST_KEYSET_DBMS | \
								  ST_KEYSET_DBMS_STORE | ST_KEYSET_HTTP | \
								  ST_KEYSET_LDAP )

#define ST_ENV_ENV				SUBTYPE_ENV_ENV
#define ST_ENV_ENV_PGP			SUBTYPE_ENV_ENV_PGP
#define ST_ENV_DEENV			SUBTYPE_ENV_DEENV
#define ST_ENV_ANY				( SUBTYPE_ENV_ENV | SUBTYPE_ENV_ENV_PGP | \
								  SUBTYPE_ENV_DEENV )

#define ST_DEV_SYSTEM			SUBTYPE_DEV_SYSTEM
#define ST_DEV_FORT				SUBTYPE_DEV_FORTEZZA
#define ST_DEV_P11				SUBTYPE_DEV_PKCS11
#define ST_DEV_ANY_STD			( SUBTYPE_DEV_FORTEZZA | SUBTYPE_DEV_PKCS11 )
#define ST_DEV_ANY				( ST_DEV_ANY_STD | SUBTYPE_DEV_SYSTEM )

#define ST_SESS_SSH				SUBTYPE_SESSION_SSH
#define ST_SESS_SSH_SVR			SUBTYPE_SESSION_SSH_SVR
#define ST_SESS_SSL				SUBTYPE_SESSION_SSL
#define ST_SESS_SSL_SVR			SUBTYPE_SESSION_SSL_SVR
#define ST_SESS_OCSP			SUBTYPE_SESSION_OCSP
#define ST_SESS_OCSP_SVR		SUBTYPE_SESSION_OCSP_SVR
#define ST_SESS_TSP				SUBTYPE_SESSION_TSP
#define ST_SESS_TSP_SVR			SUBTYPE_SESSION_TSP_SVR
#define ST_SESS_CMP				SUBTYPE_SESSION_CMP
#define ST_SESS_CMP_SVR			SUBTYPE_SESSION_CMP_SVR
#define ST_SESS_ANY_SVR			( ST_SESS_SSH_SVR | ST_SESS_SSL_SVR | \
								  ST_SESS_OCSP_SVR | ST_SESS_TSP_SVR | \
								  ST_SESS_CMP_SVR )
#define ST_SESS_ANY_CLIENT		( ST_SESS_SSH | ST_SESS_SSL | ST_SESS_OCSP | \
								  ST_SESS_TSP | ST_SESS_CMP )
#define ST_SESS_ANY_DATA		( ST_SESS_SSH | ST_SESS_SSH_SVR | \
								  ST_SESS_SSL | ST_SESS_SSL_SVR )
#define ST_SESS_ANY_SEC			( ST_SESS_ANY_DATA | \
								  ST_SESS_CMP | ST_SESSION_CMP_SVR )
#define ST_SESS_ANY				( ST_SESS_ANY_CLIENT | ST_SESS_ANY_SVR )

#define ST_USER_NORMAL			SUBTYPE_USER_NORMAL
#define ST_USER_SO				SUBTYPE_USER_SO
#define ST_USER_CA				SUBTYPE_USER_CA
#define ST_USER_ANY				( SUBTYPE_USER_NORMAL | SUBTYPE_USER_SO | \
								  SUBTYPE_USER_CA )

/* A subtype value which allows access for any object subtype and for no
   object subtypes */

#define ST_ANY					0x7FFFFFFFL
#define ST_NONE					0

/* The next entry is the read/write/delete permissions, which define what the
   user is allowed to do to the attribute.  Each object can have two modes,
   "low" and "high", whose exact definition depends on the object type.  At
   some point an operation on an object (loading a key for a context, signing
   a cert) will move it from the low to the high state, at which point a much
   more restricted set of permissions apply.  The permissions are given as
   RWD_RWD with the first set being for the object in the high state and the
   second for the object in the low state.

   In addition the the usual external-access permssions, some attributes are
   only visible internally.  Normal attributes have matching internal-access
   and external-access permssions but the internal-access-only ones have the
   external-access permissions turned off */

#define ACCESS_xxx_xxx		0x0000	/* No access */
#define ACCESS_xxx_xWx		0x0202	/* Low: Write-only */
#define ACCESS_xxx_Rxx		0x0404	/* Low: Read-only */
#define ACCESS_xxx_RWx		0x0606	/* Low: Read/write */
#define ACCESS_xxx_RWD		0x0707	/* Low: All access */
#define ACCESS_xWx_xWx		0x2222	/* High: Write-only, Low: Write-only */
#define ACCESS_Rxx_xxx		0x4040	/* High: Read-only, Low: None */
#define ACCESS_Rxx_xWx		0x4242	/* High: Read-only, Low: Write-only */
#define ACCESS_Rxx_Rxx		0x44F4	/* High: Read-only, Low: Read-only */
#define ACCESS_Rxx_RxD		0x4545	/* High: Read-only, Low: Read/delete */
#define ACCESS_Rxx_RWx		0x4646	/* High: Read-only, Low: Read/write */
#define ACCESS_Rxx_RWD		0x4747	/* High: Read-only, Low: All access */
#define ACCESS_RxD_RxD		0x5555	/* High: Read/delete, Low: Read/delete */
#define ACCESS_RWx_Rxx		0x6464	/* High: Read/write, Low: Read-only */
#define ACCESS_RWx_RWx		0x6666	/* High: Read/write, Low: Read/write */
#define ACCESS_RWx_RWD		0x6767	/* High: Read/write, Low: All access */
#define ACCESS_RWD_xxx		0x7070	/* High: All access, Low: None */
#define ACCESS_RWD_RWD		0x7777	/* High: All access, Low: All access */

#define ACCESS_INT_xxx_xWx	0x0200	/* Internal: None, write-only */
#define ACCESS_INT_xxx_Rxx	0x0400	/* Internal: None, read-only */
#define ACCESS_INT_xWx_xxx	0x2000	/* Internal: Write-only, none */
#define ACCESS_INT_xWx_xWx	0x2200	/* Internal: Write-only, write-only */
#define ACCESS_INT_Rxx_xxx	0x4000	/* Internal: Read-only, none */
#define ACCESS_INT_Rxx_xWx	0x4200	/* Internal: Read-only, write-only */
#define ACCESS_INT_Rxx_Rxx	0x4400	/* Internal: Read-only, read-only */
#define ACCESS_INT_Rxx_RWx	0x4600	/* Internal: Read-only, read/write */
#define ACCESS_INT_RWx_xxx	0x6000	/* Internal: Read/write, none */
#define ACCESS_INT_RWx_RWx	0x6600	/* Internal: Read/write, read/write */

#define ACCESS_FLAG_R		0x0004	/* Read access permitted */
#define ACCESS_FLAG_W		0x0002	/* Write access permitted */
#define ACCESS_FLAG_D		0x0001	/* Delete access permitted */
#define ACCESS_FLAG_H_R		0x0040	/* Read access permitted in high mode */
#define ACCESS_FLAG_H_W		0x0020	/* Write access permitted in high mode */
#define ACCESS_FLAG_H_D		0x0010	/* Delete access permitted in high mode */

#define ACCESS_MASK_EXTERNAL 0x0077	/* External-access flags mask */
#define ACCESS_MASK_INTERNAL 0x7700	/* Internal-access flags mask */

#define MK_ACCESS_INTERNAL( value )	( ( value ) << 8 )

/* The basic RWD access flags are also used for checking some parameters
   passed with keyset mechanism messages, in addition to these we have flags
   for getFirst/getNext functions which are only used with keysets.  Note
   that although these partially overlap with the high-mode access flags for
   attributes this isn't a problem since keysets don't distinguish between
   high and low states.  In addition some of the combinations may seem a bit
   odd, but that's because they're for mechanism parameters such as key ID
   information which is needed for reads and deletes but not writes, since
   it's implicitly included with the key which is being written.  Finally,
   one type of mechanism has parameter semantics which are too complex to
   express via a simple ACL entry, these are given a different-looking ACL
   entry xxXXxx to indicate to readers that this isn't the same as a normal 
   entry with the same value */

#define ACCESS_KEYSET_xxxxx	0x0000	/* No access */
#define ACCESS_KEYSET_xxXXx	0x0006	/* Special-case values (params optional) */
#define ACCESS_KEYSET_xxRxD	0x0005	/* Read and delete */
#define ACCESS_KEYSET_xxRWx	0x0006	/* Read/write */
#define ACCESS_KEYSET_xxRWD	0x0007	/* Read/write and delete */
#define ACCESS_KEYSET_FxRxD	0x0015	/* GetFirst, read, and delete */
#define ACCESS_KEYSET_FNxxx	0x0030	/* GetFirst/Next */
#define ACCESS_KEYSET_FNRWD	0x003F	/* All access */

#define ACCESS_FLAG_F		0x0010	/* GetFirst access permitted */
#define ACCESS_FLAG_N		0x0008	/* GetNext access permitted */

/* The next entry contains general flags for the attribute.  The flags are:

	FLAG_OBJECTPROPERTY
		This is an object property attribute which is handled by the kernel
		rather than being forwarded to the object.

	FLAG_TRIGGER
		Successfully setting this attribute triggers a change from the low to
		the high state */

#define ATTRIBUTE_FLAG_PROPERTY	0x01
#define ATTRIBUTE_FLAG_TRIGGER	0x02

/* The next entry contains the routing type, which specifies the routing used
   for the attribute.  This routing applies not only for attribute
   manipulation messages but for all messages in general, some of the routing
   types defined below only apply for non-attribute messages.  The routing
   types are:

	ROUTE_NONE
		Not routed (the message or attribute is valid for any object type).

	ROUTE( target )
	ROUTE_ALT( target, altTarget )
	ROUTE_ALT2( target, altTarget1, altTarget2 )
		Fixed-target messages always routed to a particular object type (eg
		a certificate attribute is always routed to a certificate object; a
		generate key message is always routed to a context).

	ROUTE_FIXED( target )
	ROUTE_FIXED_ALT( target, altTarget )
		Not routed, but checked to make sure they're addressed to the
		required target type.  These message types aren't routed because
		they're specific to a particular object and are explicitly unroutable
		(for example a get key message sent to a cert or context tied to a
		device shouldn't be forwarded on to the device, since it would result
		in the cert acting as a keyset.  This is theoretically justifiable -
		"Get me another cert from the same place this one came from" - but
		it's stretching the orthogonality of objects a bit far).

	ROUTE_IMPLICIT
		For object attribute manipulation messages, implicitly routed by
		attribute type.

	ROUTE_SPECIAL( routingFunction )
		Special-case, message-dependent routing */

#define ROUTE_NONE \
		OBJECT_TYPE_NONE, NULL
#define ROUTE( target ) \
		( target ), findTargetType
#define ROUTE_ALT( target, altTarget ) \
		( target ) | ( ( altTarget ) << 8 ), findTargetType
#define ROUTE_ALT2( target, altTarget1, altTarget2 ) \
		( target ) | ( ( altTarget1 ) << 8 ) | ( ( altTarget2 ) << 16 ), findTargetType
#define ROUTE_FIXED( target ) \
		( target ), checkTargetType
#define ROUTE_FIXED_ALT( target, altTarget ) \
		( target ) | ( ( altTarget ) << 8 ), checkTargetType
#define ROUTE_IMPLICIT \
		OBJECT_TYPE_LAST, findTargetType
#define ROUTE_SPECIAL( function ) \
		OBJECT_TYPE_NONE, ( function )

/* Macros to determine which type of routing to apply */

#define isImplicitRouting( target ) \
		( ( target ) == OBJECT_TYPE_LAST )
#define isExplicitRouting( target ) \
		( ( target ) == OBJECT_TYPE_NONE )

/* Prototypes for routing functions used with the above definitions */

static int findTargetType( const int objectHandle, const int arg );

/* The next entry determines the value range (for numeric or boolean values),
   length range (for variable-length data), or special range types (eg the
   value must be a valid handle).  Some values aren't amenable to a simple
   range check so we also allow various extended types of checking.  To
   denote that an extended check needs to be performed, we set the low range
   value to RANGE_SPECIAL and the high range value to an indicator of the
   type of check to be performed.  The range types are:

	RANGE_NONE
		Must be zero.
	RANGE_UNUSED
		Must be CRYPT_UNUSED
	RANGE_BOOLEAN
		TRUE or FALSE.
	RANGE_HANDLE
		Valid object handle
	RANGE_HANDLE_OPT
		As RANGE_HANDLE but may also be CRYPT_UNUSED
	RANGE_ANY
		Allow any value
	RANGE_ALLOWEDVALUES
		extendedInfo contains int [] of allowed values, terminated by
		CRYPT_ERROR
	RANGE_SUBRANGES
		extendedInfo contains subrange [] of allowed subranges, terminated
		by { CRYPT_ERROR, CRYPT_ERROR }
	RANGE_ASYMMETRIC
		extendedInfo contains acl [2], the first for read, the second for
		write */

enum {
	RANGEVAL_UNUSED,				/* Must be CRYPT_UNUSED */
	RANGEVAL_HANDLE,				/* Valid object handle */
	RANGEVAL_HANDLE_OPT,			/* Valid object handle or CRYPT_UNUSED */
	RANGEVAL_ANY,					/* Any value allowed */
	RANGEVAL_ALLOWEDVALUES,			/* List of permissible values */