/****************************************************************************
* *
* Object Attribute ACLs *
* Copyright Peter Gutmann 1998-2003 *
* *
****************************************************************************/
/* Include guard.  NOTE(review): an identifier starting with an underscore
   followed by an uppercase letter is reserved for the implementation in
   ISO C; it is left as-is here because other translation units presumably
   test it, but a rename (e.g. CRYPTACL_DEFINED) would remove the clash
   risk.  The matching #endif is outside this view */
#ifndef _CRYPTACL_DEFINED
#define _CRYPTACL_DEFINED
/* Common object ACLs for various object types.

   NOTE(review): the OBJECT_ACL definition itself is not in this file.
   Reading the initialisers below, each entry appears to be two
   object-subtype masks (ST_xxx values: the first covers contexts,
   certificates, keysets and devices, the second envelopes and sessions)
   followed by an ACL_FLAG_xxx value that presumably names the object
   state an access must find the object in (high = keyed/signed, low = not
   yet keyed/signed, any = either).  The ROUTE_TO_xxx flags presumably
   redirect the access to a dependent object.  Confirm both readings
   against the OBJECT_ACL struct before relying on them */

/* Contexts.  All three require the high state; the PKC context is
   additionally routed to the context (presumably so that an access made
   through a dependent object, such as a certificate, reaches the key) */
static const FAR_BSS OBJECT_ACL objectCtxConv = {
ST_CTX_CONV, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCtxPKC = {
ST_CTX_PKC, ST_NONE, ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX };
static const FAR_BSS OBJECT_ACL objectCtxHash = {
ST_CTX_HASH, ST_NONE, ACL_FLAG_HIGH_STATE };

/* Certificates and certificate requests.  A cert/cert chain and a cert
   request must be in the high (signed) state.  The entries marked
   "Unsigned obj." accept any state, i.e. the object need not have been
   signed to be used through them; keep this in mind when an ACL below
   references one of these rather than the high-state variant of the same
   subtype (compare objectCertRTCSRequest / objectCertOCSPRequest further
   down, which do require the high state) */
static const FAR_BSS OBJECT_ACL objectCertificate = {
ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CERT };
static const FAR_BSS OBJECT_ACL objectCertRequest = {
ST_CERT_CERTREQ | ST_CERT_REQ_CERT, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertRevRequest = {
ST_CERT_REQ_REV, ST_NONE, ACL_FLAG_ANY_STATE }; /* Unsigned obj.*/
static const FAR_BSS OBJECT_ACL objectCertSessionRTCSRequest = {
ST_CERT_RTCS_REQ, ST_NONE, ACL_FLAG_ANY_STATE }; /* Unsigned obj.*/
static const FAR_BSS OBJECT_ACL objectCertSessionOCSPRequest = {
ST_CERT_OCSP_REQ, ST_NONE, ACL_FLAG_ANY_STATE }; /* Unsigned obj.*/
/* CMP carries cert, cert-issue and revocation requests, any state */
static const FAR_BSS OBJECT_ACL objectCertSessionCMPRequest = {
ST_CERT_CERTREQ | ST_CERT_REQ_CERT | ST_CERT_REQ_REV, ST_NONE, ACL_FLAG_ANY_STATE };
/* A PKCS #10 request handed to a session is accepted only in the low
   (unsigned) state -- the opposite of objectCertRequest above */
static const FAR_BSS OBJECT_ACL objectCertSessionUnsignedPKCS10Request = {
ST_CERT_CERTREQ, ST_NONE, ACL_FLAG_LOW_STATE };
/* Stand-alone RTCS/OCSP requests and responses must be in the high state */
static const FAR_BSS OBJECT_ACL objectCertRTCSRequest = {
ST_CERT_RTCS_REQ, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertRTCSResponse = {
ST_CERT_RTCS_RESP, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertOCSPRequest = {
ST_CERT_OCSP_REQ, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertOCSPResponse = {
ST_CERT_OCSP_RESP, ST_NONE, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectCertPKIUser = {
ST_CERT_PKIUSER, ST_NONE, ACL_FLAG_HIGH_STATE };
/* CMS attribute objects carry no signature of their own, hence any state */
static const FAR_BSS OBJECT_ACL objectCMSAttr = {
ST_CERT_CMSATTR, ST_NONE, ACL_FLAG_ANY_STATE };

/* Keysets and devices.  These carry no state requirement (ACL_FLAG_NONE);
   the subtype mask alone decides which objects match */
static const FAR_BSS OBJECT_ACL objectKeyset = {
ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_NONE, ACL_FLAG_NONE };
/* NOTE(review): this entry and objectKeysetConfigdata mix the ST_ and
   SUBTYPE_ prefixes; confirm that SUBTYPE_KEYSET_DBMS_STORE and
   SUBTYPE_KEYSET_FILE are subtype-mask constants from the same namespace
   as the ST_xxx values and not a slip */
static const FAR_BSS OBJECT_ACL objectKeysetCerts = {
ST_KEYSET_DBMS | SUBTYPE_KEYSET_DBMS_STORE, ST_NONE, ACL_FLAG_NONE };
/* Private keys may only come from a file keyset or a PKCS #11 device */
static const FAR_BSS OBJECT_ACL objectKeysetPrivate = {
ST_KEYSET_FILE | ST_DEV_P11, ST_NONE, ACL_FLAG_NONE };
static const FAR_BSS OBJECT_ACL objectKeysetConfigdata = {
SUBTYPE_KEYSET_FILE, ST_NONE, ACL_FLAG_NONE };

/* Envelopes and sessions (second subtype mask).  Client-side and
   server-side session data are kept as separate ACLs, so an attribute
   bound to one cannot match the other's subtypes */
static const FAR_BSS OBJECT_ACL objectDeenvelope = {
ST_NONE, ST_ENV_DEENV, ACL_FLAG_HIGH_STATE };
static const FAR_BSS OBJECT_ACL objectSessionDataClient = {
ST_NONE, ST_SESS_SSH | ST_SESS_SSL, ACL_FLAG_NONE };
static const FAR_BSS OBJECT_ACL objectSessionDataServer = {
ST_NONE, ST_SESS_SSH_SVR | ST_SESS_SSL_SVR, ACL_FLAG_NONE };
static const FAR_BSS OBJECT_ACL objectSessionTSP = {
ST_NONE, ST_SESS_TSP, ACL_FLAG_LOW_STATE };
/****************************************************************************
* *
* Object/Property ACLs *
* *
****************************************************************************/
/* Object properties.

   NOTE(review): the MKACL_xxx macros and the ACCESS_xxx_xxx constants are
   defined elsewhere.  From their use in this file, MKACL() takes an
   explicit value type and flags, MKACL_N_EX() is a numeric entry with
   flags, and the ACCESS_ constants appear to be two R/W/D triplets, the
   first for external (user) access and the second for internal access,
   with 'x' meaning not permitted.  RANGE( lo, hi ) appears to be the
   accepted min/max for a write.  Confirm against the macro definitions */
static const FAR_BSS ATTRIBUTE_ACL propertyACL[] = {
/* Write-only (no read-back in either direction) and only TRUE is in
   range, so once set the property cannot be cleared through this path */
MKACL( /* Owned+non-forwardable+locked */
CRYPT_PROPERTY_HIGHSECURITY, ATTRIBUTE_VALUE_BOOLEAN,
ST_ANY, ST_ANY, ACCESS_xWx_xWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE( TRUE, TRUE ) ),
MKACL_N_EX( /* Object owner */
CRYPT_PROPERTY_OWNER,
ST_ANY, ST_ANY, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE_ANY ),
MKACL_N_EX( /* No.of times object can be forwarded */
CRYPT_PROPERTY_FORWARDCOUNT,
ST_ANY, ST_ANY, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE( 1, 1000 ) ),
/* Readable, but the only writable value is TRUE: the lock is one-way
   and cannot be undone via the attribute mechanism */
MKACL( /* Whether properties can be chged/read */
CRYPT_PROPERTY_LOCKED, ATTRIBUTE_VALUE_BOOLEAN,
ST_ANY, ST_ANY, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE( TRUE, TRUE ) ),
MKACL_N_EX( /* Usage count before object expires */
CRYPT_PROPERTY_USAGECOUNT,
ST_ANY, ST_ANY, ACCESS_RWx_RWx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE_NONE, RANGE( 1, 1000 ) ),
/* Not accessible at all through this table (ACCESS_xxx_xxx), contexts
   only, routed to the context; presumably handled internally elsewhere.
   NOTE(review): unlike the entries above, no comma separates this entry
   from MKACL_END() -- confirm that the macro supplies its own separator
   or that the comma was lost in extraction (same pattern in genericACL) */
MKACL( /* Whether key is nonexp.from context */
CRYPT_PROPERTY_NONEXPORTABLE, ATTRIBUTE_VALUE_BOOLEAN,
ST_CTX_ANY, ST_NONE, ACCESS_xxx_xxx, ATTRIBUTE_FLAG_PROPERTY,
ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( TRUE, TRUE ) )
MKACL_END()
};
/* Generic attributes, available on every object type (ST_ANY, ST_ANY)
   unless narrowed by the entry's own subtype masks.  The error-reporting
   attributes are read-only in both directions; only the buffer size is
   writable, and then only internally (ACCESS_Rxx_RWx) */
static const FAR_BSS ATTRIBUTE_ACL genericACL[] = {
MKACL_N( /* Type of last error */
CRYPT_ATTRIBUTE_ERRORTYPE,
ST_ANY, ST_ANY, ACCESS_Rxx_Rxx,
ROUTE_NONE, RANGE( CRYPT_ERRTYPE_NONE, CRYPT_ERRTYPE_LAST - 1 ) ),
MKACL_N( /* Locus of last error */
CRYPT_ATTRIBUTE_ERRORLOCUS,
ST_ANY, ST_ANY, ACCESS_Rxx_Rxx,
ROUTE_NONE, RANGE( CRYPT_ATTRIBUTE_NONE, CRYPT_ATTRIBUTE_LAST ) ),
/* Software-specific error code/message: keysets, standard devices and
   sessions only, routed to whichever of the three the object depends on.
   The message is a string bounded to 512 bytes by its RANGE */
MKACL_N( /* Low-level, software-specific */
CRYPT_ATTRIBUTE_INT_ERRORCODE,
ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_SESS_ANY, ACCESS_Rxx_Rxx,
ROUTE_ALT2( OBJECT_TYPE_DEVICE, OBJECT_TYPE_KEYSET, OBJECT_TYPE_SESSION ), RANGE_ANY ),
MKACL_S( /* error code and message */
CRYPT_ATTRIBUTE_INT_ERRORMESSAGE,
ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_SESS_ANY, ACCESS_Rxx_Rxx,
ROUTE_ALT2( OBJECT_TYPE_DEVICE, OBJECT_TYPE_KEYSET, OBJECT_TYPE_SESSION ), RANGE( 0, 512 ) ),
/* Externally read-only; internal writers are still bounded below by
   MIN_BUFFER_SIZE.  NOTE(review): no comma before MKACL_END(), as in
   propertyACL -- confirm the macro or the extraction accounts for it */
MKACL_N( /* Internal data buffer size */
CRYPT_ATTRIBUTE_BUFFERSIZE,
ST_NONE, ST_ENV_ANY | ST_SESS_ANY, ACCESS_Rxx_RWx,
ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ), RANGE( MIN_BUFFER_SIZE, RANGE_MAX ) )
MKACL_END()
};
/****************************************************************************
* *
* Config Option ACLs *
* *
****************************************************************************/
/* The only values accepted for CRYPT_OPTION_KEYS_LDAP_OBJECTTYPE; the
   optionACL entry for that option refers to this list via
   RANGE_ALLOWEDVALUES.  CRYPT_ERROR is the end-of-list sentinel and must
   remain last (the range check presumably scans until it) */
static const FAR_BSS int allowedLDAPObjectTypes[] = {
CRYPT_CERTTYPE_NONE, CRYPT_CERTTYPE_CERTIFICATE, CRYPT_CERTTYPE_CRL,
CRYPT_ERROR };
/* Config attributes */
static const FAR_BSS ATTRIBUTE_ACL optionACL[] = {
MKACL_S( /* Text description */
CRYPT_OPTION_INFO_DESCRIPTION,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 16, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Copyright notice */
CRYPT_OPTION_INFO_COPYRIGHT,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 16, CRYPT_MAX_TEXTSIZE ) ),
MKACL_N( /* Major release version */
CRYPT_OPTION_INFO_MAJORVERSION,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 3, 3 ) ),
MKACL_N( /* Minor release version */
CRYPT_OPTION_INFO_MINORVERSION,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 0, 5 ) ),
MKACL_N( /* Stepping version */
CRYPT_OPTION_INFO_STEPPING,
ST_NONE, ST_USER_ANY, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 1, 50 ) ),
MKACL_N( /* Encryption algorithm */
CRYPT_OPTION_ENCR_ALGO,
ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP | ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_FIRST_CONVENTIONAL, CRYPT_ALGO_LAST_CONVENTIONAL ) ),
MKACL_N( /* Hash algorithm */
CRYPT_OPTION_ENCR_HASH,
ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP | ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_FIRST_HASH, CRYPT_ALGO_LAST_HASH ) ),
MKACL_N( /* MAC algorithm */
CRYPT_OPTION_ENCR_MAC,
ST_NONE, ST_ENV_ENV | ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_FIRST_MAC, CRYPT_ALGO_LAST_MAC ) ),
MKACL_N( /* Public-key encryption algorithm */
CRYPT_OPTION_PKC_ALGO,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_FIRST_PKC, CRYPT_ALGO_LAST_PKC ) ),
MKACL_N( /* Public-key encryption key size */
CRYPT_OPTION_PKC_KEYSIZE,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( bitsToBytes( 512 ), CRYPT_MAX_PKCSIZE ) ),
MKACL_N( /* Signature algorithm */
CRYPT_OPTION_SIG_ALGO,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_FIRST_PKC, CRYPT_ALGO_LAST_PKC ) ),
MKACL_N( /* Signature keysize */
CRYPT_OPTION_SIG_KEYSIZE,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( bitsToBytes( 512 ), CRYPT_MAX_PKCSIZE ) ),
MKACL_N( /* Key processing algorithm */
CRYPT_OPTION_KEYING_ALGO,
ST_CTX_CONV, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_CONTEXT, OBJECT_TYPE_USER ),
RANGE( CRYPT_ALGO_HMAC_SHA, CRYPT_ALGO_HMAC_SHA ) ),
MKACL_N( /* Key processing iterations */
CRYPT_OPTION_KEYING_ITERATIONS,
ST_CTX_CONV, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_CONTEXT, OBJECT_TYPE_USER ),
RANGE( 1, 20000 ) ),
MKACL_B( /* Whether to sign unrecog.attrs */
CRYPT_OPTION_CERT_SIGNUNRECOGNISEDATTRIBUTES,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ) ),
MKACL_N( /* Certificate validity period */
CRYPT_OPTION_CERT_VALIDITY,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 1, 20 * 365 ) ),
MKACL_N( /* CRL update interval */
CRYPT_OPTION_CERT_UPDATEINTERVAL,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 1, 365 ) ),
MKACL_N( /* PKIX compliance level for cert chks.*/
CRYPT_OPTION_CERT_COMPLIANCELEVEL,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( CRYPT_COMPLIANCELEVEL_OBLIVIOUS, CRYPT_COMPLIANCELEVEL_PKIX_FULL ) ),
MKACL_B( /* Add default CMS attributes */
CRYPT_OPTION_CMS_DEFAULTATTRIBUTES,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ) ),
MKACL_S( /* Object class */
CRYPT_OPTION_KEYS_LDAP_OBJECTCLASS,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_EX( /* Object type to fetch */
CRYPT_OPTION_KEYS_LDAP_OBJECTTYPE, ATTRIBUTE_VALUE_NUMERIC,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx, 0,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE_ALLOWEDVALUES, allowedLDAPObjectTypes ),
MKACL_S( /* Query filter */
CRYPT_OPTION_KEYS_LDAP_FILTER,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* CA certificate attribute name */
CRYPT_OPTION_KEYS_LDAP_CACERTNAME,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Certificate attribute name */
CRYPT_OPTION_KEYS_LDAP_CERTNAME,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* CRL attribute name */
CRYPT_OPTION_KEYS_LDAP_CRLNAME,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Email attribute name */
CRYPT_OPTION_KEYS_LDAP_EMAILNAME,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Name of first PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR01,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_S( /* Name of second PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR02,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_S( /* Name of third PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR03,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_S( /* Name of fourth PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR04,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_S( /* Name of fifth PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR05,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_B( /* Use only hardware mechanisms */
CRYPT_OPTION_DEVICE_PKCS11_HARDWAREONLY,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ) ),
MKACL_S( /* Socks server name */
CRYPT_OPTION_NET_SOCKS_SERVER,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( MIN_DNS_SIZE, MAX_DNS_SIZE ) ),
MKACL_S( /* Socks user name */
CRYPT_OPTION_NET_SOCKS_USERNAME,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Web proxy server */
CRYPT_OPTION_NET_HTTP_PROXY,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( MIN_DNS_SIZE, MAX_DNS_SIZE ) ),
MKACL_N( /* Timeout for network connection setup */
CRYPT_OPTION_NET_CONNECTTIMEOUT,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_Rxx_RWx,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( 5, 300 ) ),
MKACL_N( /* Timeout for network read/write */
CRYPT_OPTION_NET_TIMEOUT,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),