/****************************************************************************
*																			*
*						Certificate Attribute Definitions					*
*						Copyright Peter Gutmann 1996-2005					*
*																			*
****************************************************************************/

#include <ctype.h>
#include <string.h>
#if defined( INC_ALL )
  #include "cert.h"
  #include "certattr.h"
  #include "asn1.h"
  #include "asn1_ext.h"
#elif defined( INC_CHILD )
  #include "cert.h"
  #include "certattr.h"
  #include "../misc/asn1.h"
  #include "../misc/asn1_ext.h"
#else
  #include "cert/cert.h"
  #include "cert/certattr.h"
  #include "misc/asn1.h"
  #include "misc/asn1_ext.h"
#endif /* Compiler-specific includes */

/* The following certificate extensions are currently supported.  If 
   'Enforced' is set to 'Yes', this means that they are constraint extensions
   that are enforced by the cert checking code; if set to '-', they are
   informational extensions for which enforcement doesn't apply; if set to
   'No', they need to be handled by the user (this only applies for
   certificate policies, where the user has to decide whether a given cert
   policy is acceptable or not).  The Yes/No in policyConstraints means that 
   everything except the policy mapping constraint is enforced (because 
   policyMappings itself isn't enforced).

									Enforced
									--------
	authorityInfoAccess				   -
	authorityKeyIdentifier			   -
	basicConstraints				  Yes
	biometricInfo (QualifiedCert)	  -
	certCardRequired (SET)			  -
	certificateIssuer				   -
	certificatePolicies				  Yes
	certificateType (SET)			   -
	challengePassword (SCEP)		   -
	cRLDistributionPoints			   -
	cRLNumber						   -
	cRLReason						   -
	cRLExtReason					   -
	dateOfCertGen (SigG)			   -
	deltaCRLIndicator				   -
	extKeyUsage						  Yes
	freshestCRL						   -
	hashedRootKey (SET)				   -
	holdInstructionCode				   -
	inhibitAnyPolicy				  Yes
	invalidityDate					   -
	issuerAltName					   -
	issuingDistributionPoint		   -
	keyFeatures						   -
	keyUsage						  Yes
	monetaryLimit (SigG)			   -
	nameConstraints					  Yes
	netscape-cert-type				  Yes
	netscape-base-url				   -
	netscape-revocation-url			   -
	netscape-ca-revocation-url		   -
	netscape-cert-renewal-url		   -
	netscape-ca-policy-url			   -
	netscape-ssl-server-name		   -
	netscape-comment				   -
	merchantData (SET)				   -
	ocspAcceptableResponse (OCSP)	  -
	ocspArchiveCutoff (OCSP)		   -
	ocspNoCheck (OCSP)				   -
	ocspNonce (OCSP)				   -
	policyConstraints				 Yes/No
	policyMappings					  No
	privateKeyUsagePeriod			  Yes
	procuration (SigG)				   -
	qcStatements (QualifiedCert)	   -
	restriction (SigG)				   -
	strongExtranet (Thawte)			   -
	subjectAltName					   -
	subjectDirectoryAttributes		   -
	subjectInfoAccess				   -
	subjectKeyIdentifier			   -
	tunneling (SET)					   -

   Some extensions are specified as a SEQUENCE OF thing; to make it possible
   to process these automatically we rewrite them as a SEQUENCE OF
   thingInstance1 OPTIONAL, thingInstance2 OPTIONAL, ... thingInstanceN
   OPTIONAL.  Examples of this are extKeyUsage and the altNames.

   Since some extension fields are tagged, the fields as encoded differ by
   the tagging from the fields as defined; the following macro is used to
   turn a small integer into a context-specific tag.  By default the tag is
   implicit as per X.509v3; to make it an explicit tag we need to set the
   FL_EXPLICIT flag for the field */

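/* Turn a small integer into a context-specific tag.  The argument is
   parenthesised so that a compound expression such as CTAG( a ? b : c )
   is tagged as a whole rather than having '|' bind only to its last
   operand.  The tag is implicit as per X.509v3 unless the field also
   carries FL_EXPLICIT */
#define CTAG( x )		( ( x ) | BER_CONTEXT_SPECIFIC )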

/* Extended checking functions.  These are installed in the attribute
   tables as the per-field extra-check callback (the final pointer of an
   ATTRIBUTE_INFO entry; see for example the biometricInfo sourceDataUri
   field, whose IA5String value is checked by checkURL).  Being static, they
   are defined later in this file.  Presumably each one verifies that the
   string value has the syntax of the name form it's named after -- confirm
   against the definitions */

static int checkRFC822( const ATTRIBUTE_LIST *attributeListPtr );
static int checkDNS( const ATTRIBUTE_LIST *attributeListPtr );
static int checkURL( const ATTRIBUTE_LIST *attributeListPtr );
static int checkHTTP( const ATTRIBUTE_LIST *attributeListPtr );
static int checkDirectoryName( const ATTRIBUTE_LIST *attributeListPtr );

/* Forward declarations for alternative encoding tables used by the main
   tables (generalNameInfo is referenced from the authorityInfoAccess and
   qcStatements entries below).  These are declared in a somewhat peculiar
   manner because there's no clean way in C to forward declare a static
   array: a static tentative declaration of an incomplete array type isn't
   permitted, so the tables are declared extern here and defined static
   later.  NOTE(review): the same identifier appearing with both external
   and internal linkage in one translation unit is undefined behaviour per
   C11 6.2.2p7, which is what VC++ warning 4211 (disabled below) reports;
   the compilers this is built with accept it in practice, but it's worth
   confirming on any new toolchain.  Under VC++ with the highest warning
   level enabled this produces a compiler warning, so we turn the warning
   off for this module */

extern const ATTRIBUTE_INFO FAR_BSS generalNameInfo[];
extern const ATTRIBUTE_INFO FAR_BSS holdInstructionInfo[];
extern const ATTRIBUTE_INFO FAR_BSS contentTypeInfo[];

#if defined( _MSC_VER )
  #pragma warning( disable: 4211 )
#endif /* VC++ */

/****************************************************************************
*																			*
*						Certificate Extension Definitions					*
*																			*
****************************************************************************/

/* Certificate extensions are encoded using the following table */

static const FAR_BSS ATTRIBUTE_INFO extensionInfo[] = {
	/* challengePassword.  This is here even though it's a CMS attribute 
	   because SCEP stuffs it into PKCS #10 requests:

		OID = 1 2 840 113549 1 9 7 
		PrintableString */
	{ MKOID( "\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x07" ), CRYPT_CERTINFO_CHALLENGEPASSWORD,
	  MKDESC( "challengePassword" )
	  BER_STRING_PRINTABLE, 0,
	  FL_LEVEL_STANDARD | FL_NOCOPY | FL_VALID_CERTREQ, 1, CRYPT_MAX_TEXTSIZE, 0, NULL },

	/* cRLExtReason:

		OID = 1 3 6 1 4 1 3029 3 1 4
		ENUMERATED */
	{ MKOID( "\x06\x0A\x2B\x06\x01\x04\x01\x97\x55\x03\x01\x04" ), CRYPT_CERTINFO_CRLEXTREASON,
	  MKDESC( "cRLExtReason" )
	  BER_ENUMERATED, 0,
	  FL_LEVEL_STANDARD | FL_VALID_CRL | FL_VALID_REVREQ /*Per-entry*/, 0, CRYPT_CRLEXTREASON_LAST, 0, NULL },

	/* keyFeatures:

		OID = 1 3 6 1 4 1 3029 3 1 5
		BITSTRING */
	{ MKOID( "\x06\x0A\x2B\x06\x01\x04\x01\x97\x55\x03\x01\x05" ), CRYPT_CERTINFO_KEYFEATURES,
	  MKDESC( "keyFeatures" )
	  BER_BITSTRING, 0,
	  FL_LEVEL_STANDARD | FL_VALID_CERT | FL_VALID_CERTREQ, 0, 7, 0, NULL },

	/* authorityInfoAccess:

		OID = 1 3 6 1 5 5 7 1 1
		SEQUENCE SIZE (1...MAX) OF {
			SEQUENCE {
				accessMethod	OBJECT IDENTIFIER,
				accessLocation	GeneralName
				}
			} */
	{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01" ), CRYPT_CERTINFO_AUTHORITYINFOACCESS,
	  MKDESC( "authorityInfoAccess" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_LEVEL_STANDARD | FL_VALID_CERT | FL_SETOF, 0, 0, 0, NULL },
	{ NULL, 0,
	  MKDESC( "authorityInfoAccess.accessDescription (rtcs)" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_IDENTIFIER, 0, 0, 0, NULL },
	{ MKOID( "\x06\x0A\x2B\x06\x01\x04\x01\x97\x55\x03\x01\x07" ), 0,
	  MKDESC( "authorityInfoAccess.rtcs (1 3 6 1 4 1 3029 3 1 7)" )
	  FIELDTYPE_IDENTIFIER, 0,
	  FL_MORE, 0, 0, 0, NULL },
	{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_RTCS,
	  MKDESC( "authorityInfoAccess.accessDescription.accessLocation (rtcs)" )
	  FIELDTYPE_SUBTYPED, 0,
	  FL_MORE | FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND, 0, 0, 0, ( void * ) generalNameInfo },
	{ NULL, 0,
	  MKDESC( "authorityInfoAccess.accessDescription (ocsp)" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_IDENTIFIER, 0, 0, 0, NULL },
	{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01" ), 0,
	  MKDESC( "authorityInfoAccess.ocsp (1 3 6 1 5 5 7 48 1)" )
	  FIELDTYPE_IDENTIFIER, 0,
	  FL_MORE, 0, 0, 0, NULL },
	{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_OCSP,
	  MKDESC( "authorityInfoAccess.accessDescription.accessLocation (ocsp)" )
	  FIELDTYPE_SUBTYPED, 0,
	  FL_MORE | FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND, 0, 0, 0, ( void * ) generalNameInfo },
	{ NULL, 0,
	  MKDESC( "authorityInfoAccess.accessDescription (caIssuers)" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_IDENTIFIER, 0, 0, 0, NULL },
	{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02" ), 0,
	  MKDESC( "authorityInfoAccess.caIssuers (1 3 6 1 5 5 7 48 2)" )
	  FIELDTYPE_IDENTIFIER, 0,
	  FL_MORE, 0, 0, 0, NULL },
	{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_CAISSUERS,
	  MKDESC( "authorityInfoAccess.accessDescription.accessLocation (caIssuers)" )
	  FIELDTYPE_SUBTYPED, 0,
	  FL_MORE | FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND, 0, 0, 0, ( void * ) generalNameInfo },
	{ NULL, 0,
	  MKDESC( "authorityInfoAccess.accessDescription (httpCerts)" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_IDENTIFIER, 0, 0, 0, NULL },
	{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x06" ), 0,
	  MKDESC( "authorityInfoAccess.httpCerts (1 3 6 1 5 5 7 48 6)" )
	  FIELDTYPE_IDENTIFIER, 0,
	  FL_MORE, 0, 0, 0, NULL },
	{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_CERTSTORE, 
	  MKDESC( "authorityInfoAccess.accessDescription.accessLocation (httpCerts)" )
	  FIELDTYPE_SUBTYPED, 0,
	  FL_MORE | FL_MULTIVALUED | FL_OPTIONAL | FL_SEQEND, 0, 0, 0, ( void * ) generalNameInfo },
	{ NULL, 0,
	  MKDESC( "authorityInfoAccess.accessDescription (httpCRLs)" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_IDENTIFIER, 0, 0, 0, NULL },
	{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x07" ), 0,
	  MKDESC( "authorityInfoAccess.httpCRLs (1 3 6 1 5 5 7 48 7)" )
	  FIELDTYPE_IDENTIFIER, 0,
	  FL_MORE, 0, 0, 0, NULL },
	{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_CRLS, 
	  MKDESC( "authorityInfoAccess.accessDescription.accessLocation (httpCRLs)" )
	  FIELDTYPE_SUBTYPED, 0,
	  FL_MORE | FL_MULTIVALUED | FL_OPTIONAL | FL_SEQEND, 0, 0, 0, ( void * ) generalNameInfo },
	{ NULL, 0,
	  MKDESC( "authorityInfoAccess.accessDescription (catchAll)" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_IDENTIFIER, 0, 0, 0, NULL },
	{ NULL, 0,
	  MKDESC( "authorityInfoAccess.catchAll" )
	  FIELDTYPE_BLOB, 0,		/* Match anything and ignore it */
	  FL_OPTIONAL | FL_NONENCODING | FL_SEQEND, 0, 0, 0, NULL },

	/* biometricInfo

		OID = 1 3 6 1 5 5 7 1 2
		SEQUENCE OF {
			SEQUENCE {
				typeOfData		INTEGER,
				hashAlgorithm	OBJECT IDENTIFIER,
				dataHash		OCTET STRING,
				sourceDataUri	IA5String OPTIONAL
				}
			} */
	{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x02" ), CRYPT_CERTINFO_BIOMETRICINFO, 
	  MKDESC( "biometricInfo" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_LEVEL_PKIX_FULL | FL_VALID_CERT | FL_SETOF, 0, 0, 0, NULL },
	{ NULL, 0,
	  MKDESC( "biometricInfo.biometricData" )
	  BER_SEQUENCE, 0,
	  FL_MORE, 0, 0, 0, NULL },
	{ NULL, CRYPT_CERTINFO_BIOMETRICINFO_TYPE, 
	  MKDESC( "biometricInfo.biometricData.typeOfData" )
	  BER_INTEGER, 0,
	  FL_MORE | FL_MULTIVALUED, 0, 1, 0, NULL },
	{ NULL, CRYPT_CERTINFO_BIOMETRICINFO_HASHALGO, 
	  MKDESC( "biometricInfo.biometricData.hashAlgorithm" )
	  BER_OBJECT_IDENTIFIER, 0,
	  FL_MORE | FL_MULTIVALUED, 3, 32, 0, NULL },
	{ NULL, CRYPT_CERTINFO_BIOMETRICINFO_HASH, 
	  MKDESC( "biometricInfo.biometricData.dataHash" )
	  BER_OCTETSTRING, 0,
	  FL_MORE | FL_MULTIVALUED, 16, CRYPT_MAX_HASHSIZE, 0, NULL },
	{ NULL, CRYPT_CERTINFO_BIOMETRICINFO_URL, 
	  MKDESC( "biometricInfo.biometricData.sourceDataUri" )
	  BER_STRING_IA5, 0,
	  FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND, MIN_URL_SIZE, MAX_URL_SIZE, 0, ( void * ) checkURL },

	/* qcStatements

		OID = 1 3 6 1 5 5 7 1 3
		critical = TRUE
		SEQUENCE OF {
			SEQUENCE {
				statementID		OBJECT IDENTIFIER,
				statementInfo	SEQUENCE {
					semanticsIdentifier	OBJECT IDENTIFIER OPTIONAL,
					nameRegistrationAuthorities SEQUENCE OF GeneralName
				}
			}
		There are two versions of the statementID OID, one for RFC 3039 and 
		the other for RFC 3739 (which are actually identical except where 
		they're not).  To handle this we preferentially encode the RFC 3739 
		(v2) OID, but allow the v1 OID as a fallback by marking both as 
		optional */
	{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x03" ), CRYPT_CERTINFO_QCSTATEMENT,
	  MKDESC( "qcStatements" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_LEVEL_PKIX_FULL | FL_CRITICAL | FL_VALID_CERT | FL_SETOF, 0, 0, 0, NULL },
	{ NULL, 0,
	  MKDESC( "qcStatements.qcStatement (statementID)" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_IDENTIFIER, 0, 0, 0, NULL },
	{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x0B\x02" ), 0,
	  MKDESC( "qcStatements.qcStatement.statementID (1 3 6 1 5 5 7 11 2)" )
	  FIELDTYPE_IDENTIFIER, 0,
	  FL_MORE | FL_OPTIONAL, 0, 0, 0, NULL },
	{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x0B\x01" ), 0,
	  MKDESC( "qcStatements.qcStatement.statementID (Backwards-compat.) (1 3 6 1 5 5 7 11 1)" )
	  FIELDTYPE_IDENTIFIER, 0,
	  FL_MORE | FL_OPTIONAL, 0, 0, 0, NULL },
	{ NULL, 0,
	  MKDESC( "qcStatements.qcStatement.statementInfo (statementID)" )
	  BER_SEQUENCE, 0,
	  FL_MORE, 0, 0, 0, NULL },
	{ NULL, CRYPT_CERTINFO_QCSTATEMENT_SEMANTICS, 
	  MKDESC( "qcStatements.qcStatement.statementInfo.semanticsIdentifier (statementID)" )
	  BER_OBJECT_IDENTIFIER, 0,
	  FL_MORE | FL_MULTIVALUED | FL_OPTIONAL, 3, 32, 0, NULL },
	{ NULL, 0,
	  MKDESC( "qcStatements.qcStatement.statementInfo.nameRegistrationAuthorities (statementID)" )
	  BER_SEQUENCE, 0,
	  FL_MORE | FL_SETOF, 0, 0, 0, NULL },
	{ NULL, CRYPT_CERTINFO_QCSTATEMENT_REGISTRATIONAUTHORITY, 
	  MKDESC( "qcStatements.qcStatement.statementInfo.nameRegistrationAuthorities.generalNames" )
	  FIELDTYPE_SUBTYPED, 0,
