📄 ext_def.c
字号:
/* cRLReason:
OID = 2 5 29 21
ENUMERATED */
{ MKOID( "\x06\x03\x55\x1D\x15" ), CRYPT_CERTINFO_CRLREASON,
MKDESC( "cRLReason" )
BER_ENUMERATED, 0,
FL_LEVEL_REDUCED | FL_VALID_CRL | FL_VALID_REVREQ /*Per-entry*/, 0, CRYPT_CRLREASON_LAST, 0, NULL },
/* holdInstructionCode:
OID = 2 5 29 23
OBJECT IDENTIFIER */
{ MKOID( "\x06\x03\x55\x1D\x17" ), CRYPT_CERTINFO_HOLDINSTRUCTIONCODE,
MKDESC( "holdInstructionCode" )
FIELDTYPE_CHOICE, 0,
FL_LEVEL_PKIX_PARTIAL | FL_VALID_CRL | FL_VALID_REVREQ /*Per-entry*/, CRYPT_HOLDINSTRUCTION_NONE, CRYPT_HOLDINSTRUCTION_LAST, 0, ( void * ) holdInstructionInfo },
/* invalidityDate:
OID = 2 5 29 24
GeneralizedTime */
{ MKOID( "\x06\x03\x55\x1D\x18" ), CRYPT_CERTINFO_INVALIDITYDATE,
MKDESC( "invalidityDate" )
BER_TIME_GENERALIZED, 0,
FL_LEVEL_STANDARD | FL_VALID_CRL | FL_VALID_REVREQ /*Per-entry*/, sizeof( time_t ), sizeof( time_t ), 0, NULL },
/* deltaCRLIndicator:
OID = 2 5 29 27
critical = TRUE
INTEGER */
{ MKOID( "\x06\x03\x55\x1D\x1B" ), CRYPT_CERTINFO_DELTACRLINDICATOR,
MKDESC( "deltaCRLIndicator" )
BER_INTEGER, 0,
FL_CRITICAL | FL_LEVEL_PKIX_PARTIAL | FL_VALID_CRL, 0, INT_MAX, 0, NULL },
/* issuingDistributionPoint:
OID = 2 5 29 28
critical = TRUE
SEQUENCE {
distributionPoint [ 0 ] {
fullName [ 0 ] { -- CHOICE { ... }
SEQUENCE OF GeneralName -- GeneralNames
}
} OPTIONAL,
onlyContainsUserCerts
[ 1 ] BOOLEAN DEFAULT FALSE,
onlyContainsCACerts
[ 2 ] BOOLEAN DEFAULT FALSE,
onlySomeReasons [ 3 ] BITSTRING OPTIONAL,
indirectCRL [ 4 ] BOOLEAN DEFAULT FALSE
} */
{ MKOID( "\x06\x03\x55\x1D\x1C" ), CRYPT_CERTINFO_ISSUINGDISTRIBUTIONPOINT,
MKDESC( "issuingDistributionPoint" )
BER_SEQUENCE, 0,
FL_MORE | FL_CRITICAL | FL_LEVEL_PKIX_PARTIAL | FL_VALID_CRL, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "issuingDistributionPoint.distributionPoint" )
BER_SEQUENCE, CTAG( 0 ),
FL_MORE | FL_OPTIONAL, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "issuingDistributionPoint.distributionPoint.fullName" )
BER_SEQUENCE, CTAG( 0 ),
FL_MORE, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "issuingDistributionPoint.distributionPoint.fullName.generalNames" )
BER_SEQUENCE, 0,
FL_MORE, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_ISSUINGDIST_FULLNAME,
MKDESC( "issuingDistributionPoint.distributionPoint.fullName.generalNames.generalName" )
FIELDTYPE_SUBTYPED, 0,
FL_MORE | FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND_3, 0, 0, 0, ( void * ) generalNameInfo },
{ NULL, CRYPT_CERTINFO_ISSUINGDIST_USERCERTSONLY,
MKDESC( "issuingDistributionPoint.onlyContainsUserCerts" )
BER_BOOLEAN, CTAG( 1 ),
FL_MORE | FL_OPTIONAL | FL_DEFAULT, FALSE, TRUE, FALSE, NULL },
{ NULL, CRYPT_CERTINFO_ISSUINGDIST_CACERTSONLY,
MKDESC( "issuingDistributionPoint.onlyContainsCACerts" )
BER_BOOLEAN, CTAG( 2 ),
FL_MORE | FL_OPTIONAL | FL_DEFAULT, FALSE, TRUE, FALSE, NULL },
{ NULL, CRYPT_CERTINFO_ISSUINGDIST_SOMEREASONSONLY,
MKDESC( "issuingDistributionPoint.onlySomeReasons" )
BER_BITSTRING, CTAG( 3 ),
FL_MORE | FL_OPTIONAL, 0, CRYPT_CRLREASONFLAG_LAST, 0, NULL },
{ NULL, CRYPT_CERTINFO_ISSUINGDIST_INDIRECTCRL,
MKDESC( "issuingDistributionPoint.indirectCRL" )
BER_BOOLEAN, CTAG( 4 ),
FL_OPTIONAL | FL_DEFAULT, FALSE, TRUE, FALSE, NULL },
/* certificateIssuer:
OID = 2 5 29 29
critical = TRUE
certificateIssuer SEQUENCE OF GeneralName */
{ MKOID( "\x06\x03\x55\x1D\x1D" ), FIELDID_FOLLOWS,
MKDESC( "certificateIssuer" )
BER_SEQUENCE, 0,
FL_MORE | FL_CRITICAL | FL_LEVEL_PKIX_FULL | FL_VALID_CRL, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_CERTIFICATEISSUER,
MKDESC( "certificateIssuer.generalNames" )
FIELDTYPE_SUBTYPED, 0,
FL_MULTIVALUED, 0, 0, 0, ( void * ) generalNameInfo },
/* nameConstraints
OID = 2 5 29 30
critical = TRUE
SEQUENCE {
permittedSubtrees [ 0 ] SEQUENCE OF {
SEQUENCE { GeneralName }
} OPTIONAL,
excludedSubtrees [ 1 ] SEQUENCE OF {
SEQUENCE { GeneralName }
} OPTIONAL,
}
RFC 3280 extended this by adding two additional fields after the
GeneralName (probably from X.509v4), but mitigated it by requiring
that they never be used, so we leave the definition as is */
{ MKOID( "\x06\x03\x55\x1D\x1E" ), CRYPT_CERTINFO_NAMECONSTRAINTS,
MKDESC( "nameConstraints" )
BER_SEQUENCE, 0,
FL_MORE | FL_LEVEL_PKIX_FULL | FL_VALID_CERT | FL_VALID_ATTRCERT, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "nameConstraints.permittedSubtrees" )
BER_SEQUENCE, CTAG( 0 ),
FL_MORE | FL_SETOF | FL_OPTIONAL, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "nameConstraints.permittedSubtrees.sequenceOf" )
BER_SEQUENCE, 0,
FL_MORE, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_PERMITTEDSUBTREES,
MKDESC( "nameConstraints.permittedSubtrees.sequenceOf.generalName" )
FIELDTYPE_SUBTYPED, 0,
FL_MORE | FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND_2, 0, 0, 0, ( void * ) generalNameInfo },
{ NULL, 0,
MKDESC( "nameConstraints.excludedSubtrees" )
BER_SEQUENCE, CTAG( 1 ),
FL_MORE | FL_SETOF | FL_OPTIONAL, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "nameConstraints.excludedSubtrees.sequenceOf" )
BER_SEQUENCE, 0,
FL_MORE, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_EXCLUDEDSUBTREES,
MKDESC( "nameConstraints.excludedSubtrees.sequenceOf.generalName" )
FIELDTYPE_SUBTYPED, 0,
FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND_2, 0, 0, 0, ( void * ) generalNameInfo },
/* cRLDistributionPoints:
OID = 2 5 29 31
SEQUENCE OF {
SEQUENCE {
distributionPoint
[ 0 ] { -- CHOICE { ... }
fullName [ 0 ] SEQUENCE OF GeneralName
} OPTIONAL,
reasons [ 1 ] BIT STRING OPTIONAL,
cRLIssuer [ 2 ] SEQUENCE OF GeneralName OPTIONAL
}
} */
{ MKOID( "\x06\x03\x55\x1D\x1F" ), CRYPT_CERTINFO_CRLDISTRIBUTIONPOINT,
MKDESC( "cRLDistributionPoints" )
BER_SEQUENCE, 0,
FL_MORE | FL_LEVEL_STANDARD | FL_VALID_CERT | FL_VALID_ATTRCERT | FL_SETOF, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "cRLDistributionPoints.distPoint" )
BER_SEQUENCE, 0,
FL_MORE, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "cRLDistributionPoints.distPoint.distPoint" )
BER_SEQUENCE, CTAG( 0 ),
FL_MORE | FL_OPTIONAL, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "cRLDistributionPoints.distPoint.distPoint.fullName" )
BER_SEQUENCE, CTAG( 0 ),
FL_MORE | FL_SETOF, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_CRLDIST_FULLNAME,
MKDESC( "cRLDistributionPoints.distPoint.distPoint.fullName.generalName" )
FIELDTYPE_SUBTYPED, 0,
FL_MORE | FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND_2, 0, 0, 0, ( void * ) generalNameInfo },
{ NULL, CRYPT_CERTINFO_CRLDIST_REASONS,
MKDESC( "cRLDistributionPoints.distPoint.reasons" )
BER_BITSTRING, CTAG( 1 ),
FL_MORE | FL_OPTIONAL | FL_MULTIVALUED, 0, CRYPT_CRLREASONFLAG_LAST, 0, NULL },
{ NULL, 0,
MKDESC( "cRLDistributionPoints.distPoint.cRLIssuer" )
BER_SEQUENCE, CTAG( 2 ),
FL_MORE | FL_SETOF | FL_OPTIONAL, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_CRLDIST_CRLISSUER,
MKDESC( "cRLDistributionPoints.distPoint.cRLIssuer.generalName" )
FIELDTYPE_SUBTYPED, 0,
FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND_2, 0, 0, 0, ( void * ) generalNameInfo },
/* certificatePolicies:
OID = 2 5 29 32
SEQUENCE SIZE (1..64) OF {
SEQUENCE {
policyIdentifier OBJECT IDENTIFIER,
policyQualifiers SEQUENCE SIZE (1..64) OF {
SEQUENCE {
policyQualifierId
OBJECT IDENTIFIER,
qualifier ANY DEFINED BY policyQualifierID
} OPTIONAL
}
}
}
CPSuri ::= IA5String -- OID = cps
UserNotice ::= SEQUENCE { -- OID = unotice
noticeRef SEQUENCE {
organization DisplayText,
noticeNumbers SEQUENCE OF INTEGER -- SIZE (1)
} OPTIONAL,
explicitText DisplayText OPTIONAL
}
Note that although this extension is decoded at
CRYPT_COMPLIANCELEVEL_STANDARD, policy constraints are only enforced
at CRYPT_COMPLIANCELEVEL_PKIX_FULL due to the totally bizarre
requirements that some of them have (see comments in chk_*.c for more
on this) */
{ MKOID( "\x06\x03\x55\x1D\x20" ), CRYPT_CERTINFO_CERTIFICATEPOLICIES,
MKDESC( "certPolicies" )
BER_SEQUENCE, 0,
FL_MORE | FL_LEVEL_STANDARD | FL_VALID_CERT | FL_SETOF, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "certPolicies.policyInfo" )
BER_SEQUENCE, 0,
FL_MORE, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_CERTPOLICYID,
MKDESC( "certPolicies.policyInfo.policyIdentifier" )
BER_OBJECT_IDENTIFIER, 0,
FL_MORE | FL_MULTIVALUED, 3, 32, 0, NULL },
{ NULL, 0,
MKDESC( "certPolicies.policyInfo.policyQualifiers" )
BER_SEQUENCE, 0,
FL_MORE | FL_SETOF | FL_OPTIONAL, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "certPolicies.policyInfo.policyQual" )
BER_SEQUENCE, 0,
FL_MORE | FL_IDENTIFIER, 0, 0, 0, NULL },
{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01" ), 0,
MKDESC( "certPolicies.policyInfo.policyQual.cps (1 3 6 1 5 5 7 2 1)" )
FIELDTYPE_IDENTIFIER, 0,
FL_MORE, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_CERTPOLICY_CPSURI,
MKDESC( "certPolicies.policyInfo.policyQuals.qualifier.cPSuri" )
BER_STRING_IA5, 0,
FL_MORE | FL_MULTIVALUED | FL_NONEMPTY | FL_SEQEND_2, MIN_URL_SIZE, MAX_URL_SIZE, 0, ( void * ) checkURL },
{ NULL, 0,
MKDESC( "certPolicies.policyInfo.policyQual" )
BER_SEQUENCE, 0,
FL_MORE | FL_IDENTIFIER, 0, 0, 0, NULL },
{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02" ), 0,
MKDESC( "certPolicies.policyInfo.policyQual.unotice (1 3 6 1 5 5 7 2 2)" )
FIELDTYPE_IDENTIFIER, 0,
FL_MORE, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "certPolicies.policyInfo.policyQual.userNotice" )
BER_SEQUENCE, 0,
FL_MORE | FL_OPTIONAL, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "certPolicies.policyInfo.policyQual.userNotice.noticeRef" )
BER_SEQUENCE, 0,
FL_MORE | FL_MULTIVALUED | FL_OPTIONAL, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_CERTPOLICY_ORGANIZATION,
MKDESC( "certPolicies.policyInfo.policyQual.userNotice.noticeRef.organization" )
FIELDTYPE_DISPLAYSTRING, 0,
FL_MORE | FL_MULTIVALUED | FL_NONEMPTY, 1, 200, 0, NULL },
{ NULL, 0,
MKDESC( "certPolicies.policyInfo.policyQual.userNotice.noticeRef.noticeNumbers" )
BER_SEQUENCE, 0,
FL_MORE | FL_OPTIONAL, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_CERTPOLICY_NOTICENUMBERS,
MKDESC( "certPolicies.policyInfo.policyQual.userNotice.noticeRef.noticeNumbers" )
BER_INTEGER, 0,
FL_MORE | FL_MULTIVALUED | FL_NONEMPTY | FL_SEQEND_2, 1, 1024, 0, NULL },
{ NULL, CRYPT_CERTINFO_CERTPOLICY_EXPLICITTEXT,
MKDESC( "certPolicies.policyInfo.policyQual.userNotice.explicitText" )
FIELDTYPE_DISPLAYSTRING, 0,
FL_OPTIONAL | FL_NONEMPTY | FL_MULTIVALUED | FL_SEQEND, 1, 200, 0, NULL },
/* policyMappings:
OID = 2 5 29 33
SEQUENCE SIZE (1..MAX) OF {
SEQUENCE {
issuerDomainPolicy OBJECT IDENTIFIER,
subjectDomainPolicy OBJECT IDENTIFIER
}
} */
{ MKOID( "\x06\x03\x55\x1D\x21" ), CRYPT_CERTINFO_POLICYMAPPINGS,
MKDESC( "policyMappings" )
BER_SEQUENCE, 0,
FL_MORE | FL_LEVEL_PKIX_FULL | FL_VALID_CERT | FL_SETOF, 0, 0, 0, NULL },
{ NULL, 0,
MKDESC( "policyMappings.sequenceOf" )
BER_SEQUENCE, 0,
FL_MORE, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_ISSUERDOMAINPOLICY,
MKDESC( "policyMappings.sequenceOf.issuerDomainPolicy" )
BER_OBJECT_IDENTIFIER, 0,
FL_MORE | FL_MULTIVALUED, 3, 32, 0, NULL },
{ NULL, CRYPT_CERTINFO_SUBJECTDOMAINPOLICY,
MKDESC( "policyMappings.sequenceOf.subjectDomainPolicy" )
BER_OBJECT_IDENTIFIER, 0,
FL_MULTIVALUED | FL_SEQEND_3, 3, 32, 0, NULL },
/* authorityKeyIdentifier:
OID = 2 5 29 35
SEQUENCE {
keyIdentifier [ 0 ] OCTET STRING OPTIONAL,
authorityCertIssuer -- Neither or both
[ 1 ] SEQUENCE OF GeneralName OPTIONAL
authorityCertSerialNumber -- of these must
[ 2 ] INTEGER OPTIONAL -- be present
}
Although the serialNumber should be an integer, it's really an
integer equivalent of an octet string hole so we call it an octet
string to make sure it gets handled appropriately */
{ MKOID( "\x06\x03\x55\x1D\x23" ), CRYPT_CERTINFO_AUTHORITYKEYIDENTIFIER,
MKDESC( "authorityKeyIdentifier" )
BER_SEQUENCE, 0,
FL_MORE | FL_LEVEL_PKIX_PARTIAL | FL_VALID_CERT | FL_VALID_CRL, 0, 0, 0, NULL },
{ NULL, CRYPT_CERTINFO_AUTHORITY_KEYIDENTIFIER,
MKDESC( "authorityKeyIdentifier.keyIdentifier" )
BER_OCTETSTRING, CTAG( 0 ),
FL_MORE | FL_OPTIONAL, 1, 64, 0, NULL },
{ NULL, 0,
MKDESC( "authorityKeyIdentifier.authorityCertIssuer" )
BER_SEQUENCE, CTAG( 1 ),
FL_MORE | FL_SETOF | FL_OPTIONAL, 0, 0, 0, NULL },
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -