cryptacl.h

来自「提供了很多种加密算法和CA认证及相关服务如CMP、OCSP等的开发」· C头文件 代码 · 共 1,568 行 · 第 1/5 页

	RANGEVAL_SUBRANGES,				/* List of permissible subranges */
	RANGEVAL_ASYMMETRIC				/* One range for read, one for write */
	};

#define RANGE_EXT_MARKER	-1000	/* Marker to denote extended range value */

#define RANGE_NONE			-1, 1
#define RANGE_UNUSED		RANGE_EXT_MARKER, RANGEVAL_UNUSED
#define RANGE_BOOLEAN		FALSE - 1, TRUE + 1
#define RANGE_HANDLE		RANGE_EXT_MARKER, RANGEVAL_HANDLE
#define RANGE_HANDLE_OPT	RANGE_EXT_MARKER, RANGEVAL_HANDLE_OPT
#define RANGE_ANY			RANGE_EXT_MARKER, RANGEVAL_ANY
#define RANGE_ALLOWEDVALUES	RANGE_EXT_MARKER, RANGEVAL_ALLOWEDVALUES
#define RANGE_SUBRANGES		RANGE_EXT_MARKER, RANGEVAL_SUBRANGES
#define RANGE_ASYMMETRIC	RANGE_EXT_MARKER, RANGEVAL_ASYMMETRIC
#define RANGE( low, high )	( low ) - 1, ( high ) + 1

/* RANGE_ALLOWEDVALUES values for various attributes */

static const int allowedLDAPObjectTypes[] = {
	CRYPT_CERTTYPE_NONE, CRYPT_CERTTYPE_CERTIFICATE, CRYPT_CERTTYPE_CRL,
	CRYPT_ERROR };
static const int allowedConfigChanged[] = { FALSE, CRYPT_ERROR };
static const int allowedPKCKeysizes[] = {
	sizeof( CRYPT_PKCINFO_DLP ), sizeof( CRYPT_PKCINFO_RSA ),
	CRYPT_ERROR };
static const int allowedCursorValues[] = {
	CRYPT_CURSOR_FIRST, CRYPT_CURSOR_PREVIOUS, CRYPT_CURSOR_NEXT,
	CRYPT_CURSOR_LAST, CRYPT_ERROR };
static const int allowedObjectStatusValues[] = {
	CRYPT_OK, CRYPT_ERROR_NOTINITED, CRYPT_ERROR_BUSY, CRYPT_ERROR_SIGNALLED,
	CRYPT_ERROR };

/* RANGE_SUBRANGES values for various attributes */

typedef int RANGE_SUBRANGE_TYPE[ 2 ];

static const RANGE_SUBRANGE_TYPE allowedXXX[] = {
	{ CRYPT_ERROR, CRYPT_ERROR } };

/* RANGE_ASYMMETRIC values for various attributes */

/*static const ATTRIBUTE_ACL allowedXYZ[ 2 ] = { 0 }; */

/* An attribute ACL entry.  If the code is compiled in debug mode, we also
   add the attribute type, which is used for an internal consistency check */

typedef struct {
#ifndef NDEBUG
	/* The attribute type, used for consistency checking */
	const CRYPT_ATTRIBUTE_TYPE attribute;	/* Attribute */
#endif /* NDEBUG */

	/* Attribute type checking information: The attribute value type and
	   object subtypes for which the attribute is valid */
	const VALUE_TYPE valueType;		/* Attribute value type */
	const unsigned int subTypeA, subTypeB;
									/* Object subtypes for which attr.valid */

	/* Access information: The type of access and object states which are
	   permitted, and general flags for this attribute */
	const int access;				/* Permitted access type */
	const int flags;				/* General flags */

	/* Routing information: The object type the attribute applies to, and the
	   routing function applied to the attribute message */
	const OBJECT_TYPE routingTarget;	/* Target type if routable */
	int ( *routingFunction )( const int objectHandle, const int arg );

	/* Attribute value checking information */
	const int lowRange;				/* Min/max allowed if numeric/boolean */
	const int highRange;			/* Length if string */
	const void *extendedInfo;		/* Extended access information */
	} ATTRIBUTE_ACL;

/* A key management ACL entry.  If the code is compiled in debug mode, we
   also add the item type, which is used for an internal consistency check */

typedef struct {
#ifndef NDEBUG
	/* The item type, used for consistency checking */
	const KEYMGMT_ITEM_TYPE itemType;/* Key management item type */
#endif /* NDEBUG */

	/* Valid keyset types for this item type for general operations and
	   for queries and get-next operations, and valid object types for 
	   this item type */
	const unsigned int keysetSubTypeA, keysetSubTypeB;
									/* Keyset types for which item valid */
	const unsigned int querySubTypeA, querySubTypeB;
									/* Keyset types for which query valid */
	const unsigned int getNextSubTypeA, getNextSubTypeB;
									/* Keyset types for which getNextCert valid */
	const unsigned int objSubTypeA, objSubTypeB;
									/* Object types for which item valid */

	/* Permitted access types and key management flags for this item type */
	const int allowedAccess;		/* Permitted access types */
	const int allowedFlags;			/* Permitted key management flags */

	/* Parameter flags for the mechanism information which define which
	   types of optional/mandatory parameters can and can't be present.
	   These use an extended form of the ACCESS_xxx flags to indicate
	   whether the parameter is required or not permitted or not for
	   read, write, and delete messages */
	const int idUseFlags;			/* ID required/not permitted */
	const int pwUseFlags;			/* Password required/not permitted */
	} KEYMGMT_ACL;

/* Parameter ACL entries for objects are much simpler, containing only the
   message type and the corresponding object subtypes for which the object
   parameter in the message is valid.  Since the parameter ACL is much
   shorter than the attribute one, we define it directly in cryptkrn.c */

typedef struct {
	const RESOURCE_MESSAGE_TYPE type;/* Message type */
	const unsigned int subTypeA, subTypeB;
									/* Object subtypes for which attr.valid */
	} PARAMETER_ACL;

/* Macros to make it easy to set up ACL's.  We have one for each of the
   basic types and two general-purpose ones which provide more control over
   the values */

#ifndef NDEBUG
  /* Standard ACL entries */
  #define MKACL_B( attribute, subTypeA, subTypeB, access, routing ) \
			{ attribute, VALUE_BOOLEAN, subTypeA, subTypeB, access, 0, \
			  routing, FALSE, TRUE, NULL }
  #define MKACL_N( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ attribute, VALUE_NUMERIC, subTypeA, subTypeB, access, 0, \
			  routing, range, NULL }
  #define MKACL_S( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ attribute, VALUE_STRING, subTypeA, subTypeB, access, 0, \
			  routing, range, NULL }
  #define MKACL_O( attribute, subTypeA, subTypeB, access, routing ) \
			{ attribute, VALUE_OBJECT, subTypeA, subTypeB, access, 0, \
			  routing, 0, 0, NULL }
  #define MKACL_T( attribute, subTypeA, subTypeB, access, routing ) \
			{ attribute, VALUE_TIME, subTypeA, subTypeB, access, 0, \
			  routing, 0, 0, NULL }

  /* Extended types */
  #define MKACL_B_EX( attribute, subTypeA, subTypeB, access, flags, routing ) \
			{ attribute, VALUE_BOOLEAN, subTypeA, subTypeB, access, flags, \
			  routing, FALSE, TRUE, NULL }
  #define MKACL_N_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
			{ attribute, VALUE_NUMERIC, subTypeA, subTypeB, access, flags, \
			  routing, range, NULL }
  #define MKACL_S_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
			{ attribute, VALUE_STRING, subTypeA, subTypeB, access, flags, \
			  routing, range, NULL }
  #define MKACL_O_EX( attribute, subTypeA, subTypeB, access, flags, routing ) \
			{ attribute, VALUE_OBJECT, subTypeA, subTypeB, access, flags, \
			  routing, 0, 0, NULL }

  /* General-purpose ACL macros */
  #define MKACL( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range ) \
			{ attribute, valueType, subTypeA, subTypeB, access, flags, \
			  routing, range, NULL }
  #define MKACL_EX( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range, allowed ) \
			{ attribute, valueType, subTypeA, subTypeB, access, flags, \
			  routing, range, allowed }

  /* End-of-ACL marker.  Note that the comma is necessary in order to allow
     the non-debug version to evaluate to nothing */
  #define MKACL_END() \
			, { CRYPT_ERROR, VALUE_NONE, 0, 0, ACCESS_xxx_xxx, 0, 0, NULL, 0, 0, NULL }

  /* Key management ACLs */
  #define MK_KEYACL( itemType, keysetSubType, querySubType, getNextSubType, objectSubType, access, flags, idUseFlags, pwUseFlags ) \
			{ itemType, keysetSubType, ST_NONE, querySubType, ST_NONE, \
			  getNextSubType, ST_NONE, objectSubType, ST_NONE, access, \
			  flags, idUseFlags, pwUseFlags }
#else
  /* Standard ACL entries */
  #define MKACL_B( attribute, subTypeA, subTypeB, access, routing ) \
			{ VALUE_BOOLEAN, subTypeA, subTypeB, access, 0, routing, FALSE, TRUE, NULL }
  #define MKACL_N( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ VALUE_NUMERIC, subTypeA, subTypeB, access, 0, routing, range, NULL }
  #define MKACL_S( attribute, subTypeA, subTypeB, access, routing, range ) \
			{ VALUE_STRING, subTypeA, subTypeB, access, 0, routing, range, NULL }
  #define MKACL_O( attribute, subTypeA, subTypeB, access, routing ) \
			{ VALUE_OBJECT, subTypeA, subTypeB, access, 0, routing, 0, 0, NULL }
  #define MKACL_T( attribute, subTypeA, subTypeB, access, routing ) \
			{ VALUE_TIME, subTypeA, subTypeB, access, 0, routing, 0, 0, NULL }

  /* Extended types */
  #define MKACL_B_EX( attribute, subTypeA, subTypeB, access, flags, routing ) \
			{ VALUE_BOOLEAN, subTypeA, subTypeB, access, flags, routing, FALSE, TRUE, NULL }
  #define MKACL_N_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
			{ VALUE_NUMERIC, subTypeA, subTypeB, access, flags, routing, range, NULL }
  #define MKACL_S_EX( attribute, subTypeA, subTypeB, access, flags, routing, range ) \
			{ VALUE_STRING, subTypeA, subTypeB, access, flags, routing, range, NULL }
  #define MKACL_O_EX( attribute, subTypeA, subTypeB, access, flags, routing ) \
			{ VALUE_OBJECT, subTypeA, subTypeB, access, flags, routing, 0, 0, NULL }

  /* General-purpose ACL macros */
  #define MKACL( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range ) \
			{ valueType, subTypeA, subTypeB, access, flags, routing, range, NULL }
  #define MKACL_EX( attribute, valueType, subTypeA, subTypeB, access, flags, routing, range, allowed ) \
			{ valueType, subTypeA, subTypeB, access, flags, routing, range, allowed }

  /* End-of-ACL marker */
  #define MKACL_END()

  /* Key management ACLs */
  #define MK_KEYACL( itemType, keysetSubType, querySubType, getNextSubType, objectSubType, access, flags, idUseFlags, pwUseFlags ) \
			{ ST_NONE, keysetSubType, ST_NONE, querySubType, \
			  ST_NONE, getNextSubType, objectSubType, ST_NONE, access, \
			  flags, idUseFlags, pwUseFlags }
#endif /* NDEBUG */

/* The ACL tables for each attribute class */

static const ATTRIBUTE_ACL propertyACL[] = {	/* Object properties */
	MKACL(		/* Owned+non-forwardable+locked */
		CRYPT_PROPERTY_HIGHSECURITY, VALUE_BOOLEAN,
		ST_ANY, ST_ANY, ACCESS_xWx_xWx, ATTRIBUTE_FLAG_PROPERTY,
		ROUTE_NONE, RANGE( TRUE, TRUE ) ),
	MKACL_N_EX(	/* Object owner */
		CRYPT_PROPERTY_OWNER,
		ST_ANY, ST_ANY, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
		ROUTE_NONE, RANGE_ANY ),
	MKACL_N_EX(	/* No.of times object can be forwarded */
		CRYPT_PROPERTY_FORWARDABLE,
		ST_ANY, ST_ANY, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
		ROUTE_NONE, RANGE( 1, 1000 ) ),
	MKACL(	/* Whether properties can be chged/read */
		CRYPT_PROPERTY_LOCKED, VALUE_BOOLEAN,
		ST_ANY, ST_ANY, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
		ROUTE_NONE, RANGE( TRUE, TRUE ) ),
	MKACL_N_EX(	/* Usage count before object expires */
		CRYPT_PROPERTY_USAGECOUNT,
		ST_ANY, ST_ANY, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
		ROUTE_NONE, RANGE( 1, 1000 ) ),
	MKACL(		/* Whether key is nonexp.from context */
		CRYPT_PROPERTY_NONEXPORTABLE, VALUE_BOOLEAN,
		ST_CTX_ANY, ST_NONE, ACCESS_xxx_xxx, ATTRIBUTE_FLAG_PROPERTY,
		ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( TRUE, TRUE ) )

	MKACL_END()
	};

static const ATTRIBUTE_ACL genericACL[] = {		/* Generic attributes */
	MKACL_N(	/* Type of last error */
		CRYPT_ATTRIBUTE_ERRORTYPE,
		ST_ANY, ST_ANY, ACCESS_Rxx_Rxx,
		ROUTE_NONE, RANGE( CRYPT_ERRTYPE_NONE, CRYPT_ERRTYPE_LAST ) ),
	MKACL_N(	/* Locus of last error */
		CRYPT_ATTRIBUTE_ERRORLOCUS,
		ST_ANY, ST_ANY, ACCESS_Rxx_Rxx,
		ROUTE_NONE, RANGE( CRYPT_ATTRIBUTE_NONE, CRYPT_ATTRIBUTE_LAST ) ),
	MKACL_N(	/* Low-level, software-specific */
		CRYPT_ATTRIBUTE_INT_ERRORCODE,
		ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_SESS_ANY, ACCESS_RWx_RWx,
		ROUTE_ALT2( OBJECT_TYPE_DEVICE, OBJECT_TYPE_KEYSET, OBJECT_TYPE_SESSION ), RANGE_ANY ),
	MKACL_S(	/*   error code and message */
		CRYPT_ATTRIBUTE_INT_ERRORMESSAGE,
		ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_SESS_ANY, ACCESS_RWx_RWx,
		ROUTE_ALT2( OBJECT_TYPE_DEVICE, OBJECT_TYPE_KEYSET, OBJECT_TYPE_SESSION ), RANGE( 0, 512 ) ),
	MKACL_N(	/* Internal data buffer size */
		CRYPT_ATTRIBUTE_BUFFERSIZE,
		ST_NONE, ST_ENV_ANY | ST_SESS_ANY, ACCESS_Rxx_RWx,
		ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ), RANGE( MIN_BUFFER_SIZE, INT_MAX - 1 ) )

	MKACL_END()
	};

static const ATTRIBUTE_ACL optionACL[] = {		/* Config attributes */
	MKACL_S(	/* Text description */
		CRYPT_OPTION_INFO_DESCRIPTION,
		ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_USER ),
		RANGE( 16, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_S(	/* Copyright notice */
		CRYPT_OPTION_INFO_COPYRIGHT,
		ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_USER ),
		RANGE( 16, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_N(	/* Major release version */
		CRYPT_OPTION_INFO_MAJORVERSION,
		ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_USER ),
		RANGE( 3, 3 ) ),
	MKACL_N(	/* Minor release version */
		CRYPT_OPTION_INFO_MINORVERSION,
		ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_USER ),
		RANGE( 0, 0 ) ),
	MKACL_N(	/* Stepping version */
		CRYPT_OPTION_INFO_STEPPING,
		ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_USER ),
		RANGE( 1, 50 ) ),

	MKACL_N(	/* Encryption algorithm */
		CRYPT_OPTION_ENCR_ALGO,
		ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
		ROUTE( OBJECT_TYPE_USER ),
		RANGE( CRYPT_ALGO_FIRST_CONVENTIONAL, CRYPT_ALGO_LAST_CONVENTIONAL ) ),
	MKACL_N(	/* Hash algorithm */
		CRYPT_OPTION_ENCR_HASH,
		ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
		ROUTE( OBJECT_TYPE_USER ),
		RANGE( CRYPT_ALGO_FIRST_HASH, CRYPT_ALGO_LAST_HASH ) ),
	MKACL_N(	/* MAC algorithm */
		CRYPT_OPTION_ENCR_MAC,
		ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
		ROUTE( OBJECT_TYPE_USER ),
		RANGE( CRYPT_ALGO_FIRST_MAC, CRYPT_ALGO_LAST_MAC ) ),
	MKACL_N(	/* Public-key encryption algorithm */
		CRYPT_OPTION_PKC_ALGO,
		ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,