📄 cert.h
字号:
addition some certificates are imported as data-only certificates,
denoted by CERT_FLAG_DATAONLY being set. These constitute a
container object that contain no public-key context, and are used for
cert chains (when read from a trusted source) and to store cert
information associated with a private-key context. Since it's not
known during the import stage whether a cert in a chain will be a
data-only or standard cert (it's not known which cert is the leaf
cert until the entire chain has been processed), cert chains from a
trusted source are imported as data-only certs and then the leaf
has its context instantiated */
CRYPT_CONTEXT iPubkeyContext; /* Public-key context */
CRYPT_ALGO_TYPE publicKeyAlgo; /* Key algorithm */
int publicKeyFeatures; /* Key features */
void *publicKeyInfo; /* Encoded key information */
int publicKeyInfoSize;
BYTE publicKeyID[ KEYID_SIZE ]; /* Key ID */
/* General certificate object information */
void *issuerName; /* Issuer name */
void *subjectName; /* Subject name */
time_t startTime; /* Validity start or update time */
time_t endTime; /* Validity end or next update time */
/* In theory we can just copy the subject DN of a CA cert into the issuer
DN of a subject cert, however due to broken implementations this will
break chaining if we correct any problems in the DN. Because of this
we need to preserve a copy of the cert's subject DN so that we can
write it as a blob to the issuer DN field of any certs it signs. We
also need to remember the encoded issuer DN so that we can chain
upwards. The following fields identify the size and location of the
encoded DNs inside the encoded certificate object */
void *subjectDNptr, *issuerDNptr; /* Pointer to encoded DN blobs */
int subjectDNsize, issuerDNsize; /* Size of encoded DN blobs */
/* For some objects the public key and/or subject DN and/or issuer DN are
copied in from an external source before the object is signed so we
can't just point the issuerDNptr at the encoded object, we have to
allocate a separate data area to copy the DN into. This is used in
cases where we don't copy in a full subject/issuerName but only use
an encoded DN blob for the reasons described above */
void *publicKeyData, *subjectDNdata, *issuerDNdata;
/* The certificate hash/fingerprint/oobCertID/thumbprint/whatever. This
is used so frequently that it's cached here for future re-use */
BYTE certHash[ KEYID_SIZE ]; /* Cached cert hash */
BOOLEAN certHashSet; /* Whether hash has been set */
/* Certificate object attributes and a cursor into the attribute list.
This can be moved by the user on a per-attribute, per-field, and per-
component basis */
ATTRIBUTE_LIST *attributes, *attributeCursor;
/* The currently selected GeneralName and DN. A cert can contain
multiple GeneralNames and DNs that can be selected by their field types,
after which adding DN components will affected the selected DN. This
value contains the currently selected GeneralName and DN info */
SELECTION_INFO currentSelection;
/* Save area for the currently selected GeneralName and DN, and position
in the cert chain. The current values are saved to this area when the
object receives a lock object message, and restored when the object
receives the corresponding unlock message. This guarantees that any
changes made during processing while the cert is locked don't get
reflected back to external users */
SELECTION_STATE selectionState;
/* Error information */
CRYPT_ATTRIBUTE_TYPE errorLocus;/* Error locus */
CRYPT_ERRTYPE_TYPE errorType; /* Error type */
/* The object's handle and the handle of the user who owns this object.
The former is used when sending messages to the object when only the
xxx_INFO is available, the latter is used to avoid having to fetch the
same information from the system object table */
CRYPT_HANDLE objectHandle;
CRYPT_USER ownerHandle;
/* Variable-length storage for the type-specific data */
DECLARE_VARSTRUCT_VARS;
} CERT_INFO;
/* Cert read/write methods for the different format types */
typedef struct {
const CRYPT_CERTTYPE_TYPE type;
int ( *readFunction )( STREAM *stream, CERT_INFO *certInfoPtr );
} CERTREAD_INFO;
typedef struct {
const CRYPT_CERTTYPE_TYPE type;
int ( *writeFunction )( STREAM *stream, CERT_INFO *subjectCertInfoPtr,
const CERT_INFO *issuerCertInfoPtr,
const CRYPT_CONTEXT iIssuerCryptContext );
} CERTWRITE_INFO;
extern const CERTREAD_INFO certReadTable[];
extern const CERTWRITE_INFO certWriteTable[];
/****************************************************************************
* *
* Attribute Selection Macros *
* *
****************************************************************************/
/* Determine whether an attribute list item is a dummy entry that denotes
that this field isn't present in the list but has a default value, that
this field isn't present in the list but represents an entire
(constructed) attribute, or that it contains a single blob-type
attribute */
#define DEFAULTFIELD_VALUE { 0, CRYPT_ERROR, 0 }
#define COMPLETEATTRIBUTE_VALUE { CRYPT_ERROR, 0, 0 }
#define isDefaultFieldValue( attributeListPtr ) \
( ( attributeListPtr )->fieldID == CRYPT_ERROR && \
( attributeListPtr )->attributeID == 0 )
#define isCompleteAttribute( attributeListPtr ) \
( ( attributeListPtr )->fieldID == 0 && \
( attributeListPtr )->attributeID == CRYPT_ERROR )
#define isBlobAttribute( attributeListPtr ) \
( ( attributeListPtr )->fieldID == 0 && \
( attributeListPtr )->attributeID == 0 )
/* Determine whether a component which is being added to a cert is a special-
case DN selection component that selects the current DN without changing
the cert itself, a GeneralName selection component, an attribute cursor
movement component, or a general control information component */
#define isDNSelectionComponent( certInfoType ) \
( ( certInfoType ) == CRYPT_CERTINFO_ISSUERNAME || \
( certInfoType ) == CRYPT_CERTINFO_SUBJECTNAME || \
( certInfoType ) == CRYPT_CERTINFO_DIRECTORYNAME )
#define isGeneralNameSelectionComponent( certInfoType ) \
( ( certInfoType ) == CRYPT_CERTINFO_AUTHORITYINFO_RTCS || \
( certInfoType ) == CRYPT_CERTINFO_AUTHORITYINFO_OCSP || \
( certInfoType ) == CRYPT_CERTINFO_AUTHORITYINFO_CAISSUERS || \
( certInfoType ) == CRYPT_CERTINFO_SUBJECTINFO_CAREPOSITORY || \
( certInfoType ) == CRYPT_CERTINFO_SUBJECTINFO_TIMESTAMPING || \
( certInfoType ) == CRYPT_CERTINFO_SIGG_PROCURE_SIGNINGFOR || \
( certInfoType ) == CRYPT_CERTINFO_SUBJECTALTNAME || \
( certInfoType ) == CRYPT_CERTINFO_ISSUERALTNAME || \
( certInfoType ) == CRYPT_CERTINFO_ISSUINGDIST_FULLNAME || \
( certInfoType ) == CRYPT_CERTINFO_CERTIFICATEISSUER || \
( certInfoType ) == CRYPT_CERTINFO_PERMITTEDSUBTREES || \
( certInfoType ) == CRYPT_CERTINFO_EXCLUDEDSUBTREES || \
( certInfoType ) == CRYPT_CERTINFO_CRLDIST_FULLNAME || \
( certInfoType ) == CRYPT_CERTINFO_CRLDIST_CRLISSUER || \
( certInfoType ) == CRYPT_CERTINFO_AUTHORITY_CERTISSUER || \
( certInfoType ) == CRYPT_CERTINFO_FRESHESTCRL_FULLNAME || \
( certInfoType ) == CRYPT_CERTINFO_FRESHESTCRL_CRLISSUER || \
( certInfoType ) == CRYPT_CERTINFO_CMS_RECEIPT_TO || \
( certInfoType ) == CRYPT_CERTINFO_CMS_MLEXP_INSTEADOF || \
( certInfoType ) == CRYPT_CERTINFO_CMS_MLEXP_INADDITIONTO )
#define isCursorComponent( certInfoType ) \
( ( certInfoType ) == CRYPT_CERTINFO_CURRENT_CERTIFICATE || \
( certInfoType ) == CRYPT_ATTRIBUTE_CURRENT_GROUP || \
( certInfoType ) == CRYPT_ATTRIBUTE_CURRENT || \
( certInfoType ) == CRYPT_ATTRIBUTE_CURRENT_INSTANCE )
#define isControlComponent( certInfoType ) \
( ( certInfoType ) == CRYPT_CERTINFO_TRUSTED_USAGE || \
( certInfoType ) == CRYPT_CERTINFO_TRUSTED_IMPLICIT )
/* Determine whether a component which is being added is a DN or GeneralName
component */
#define isDNComponent( certInfoType ) \
( ( certInfoType ) >= CRYPT_CERTINFO_FIRST_DN && \
( certInfoType ) <= CRYPT_CERTINFO_LAST_DN )
#define isGeneralNameComponent( certInfoType ) \
( ( certInfoType ) >= CRYPT_CERTINFO_FIRST_GENERALNAME && \
( certInfoType ) <= CRYPT_CERTINFO_LAST_GENERALNAME )
/* Determine whether a component which is being added is pseudo-information
that corresponds to certificate control information rather than a normal
cert attribute */
#define isPseudoInformation( certInfoType ) \
( ( certInfoType ) >= CRYPT_CERTINFO_FIRST_PSEUDOINFO && \
( certInfoType ) <= CRYPT_CERTINFO_LAST_PSEUDOINFO )
/* Determine whether a component which is being added to a validity/
revocation check request/response is a standard attribute or a per-entry
attribute */
#define isRevocationEntryComponent( certInfoType ) \
( ( certInfoType ) == CRYPT_CERTINFO_CRLREASON || \
( certInfoType ) == CRYPT_CERTINFO_HOLDINSTRUCTIONCODE || \
( certInfoType ) == CRYPT_CERTINFO_INVALIDITYDATE )
/* Check whether an entry in an attribute list is valid. This checks not
only the pointer value but also whether it has a non-zero attribute
ID, denoting a non blob-type attribute */
#define isValidAttributeField( attributePtr ) \
( ( attributePtr ) != NULL && ( attributePtr )->attributeID > 0 )
/****************************************************************************
* *
* String-Handling Functions *
* *
****************************************************************************/
/* Copy a string to/from an ASN.1 string type */
int getAsn1StringInfo( const void *string, const int stringLen,
int *stringType, int *asn1StringType,
int *asn1StringLen );
int copyToAsn1String( void *dest, int *destLen, const int maxLen,
const void *source, const int sourceLen,
const int stringType );
int copyFromAsn1String( void *dest, int *destLen, const int maxLen,
const void *source, const int sourceLen,
const int stringTag );
/* Check that a text string contains valid characters for its string type.
This is used in non-DN strings where we can't avoid the problem by varying
the string type based on the characters being used */
BOOLEAN checkTextStringData( const char *string, const int stringLength,
const BOOLEAN isPrintableString );
/****************************************************************************
* *
* DN Manipulation Functions *
* *
****************************************************************************/
/* Selection options when working with DNs/GeneralNames in extensions. These
are used internally when handling user get/set/delete DN/GeneralName
requests */
typedef enum {
MAY_BE_ABSENT, /* Component may be absent */
MUST_BE_PRESENT, /* Component must be present */
CREATE_IF_ABSENT, /* Create component if absent */
SELECTION_OPTION_LAST /* Last valid selection option type */
} SELECTION_OPTION;
/* DN manipulation routines */
int insertDNComponent( void **dnListHead,
const CRYPT_ATTRIBUTE_TYPE componentType,
const void *value, const int valueLength,
CRYPT_ERRTYPE_TYPE *errorType );
int deleteDNComponent( void **dnListHead, const CRYPT_ATTRIBUTE_TYPE type,
const void *value, const int valueLength );
int getDNComponentValue( const void *dnListHead,
const CRYPT_ATTRIBUTE_TYPE type,
void *value, int *length, const int maxLength );
void deleteDN( void **dnListHead );
/* Copy and compare a DN */
int copyDN( void **dnDest, const void *dnSrc );
BOOLEAN compareDN( const void *dnComponentListHead1,
const void *dnComponentListHead2,
const BOOLEAN dn1substring );
/* Read/write a DN */
int checkDN( const void *dnComponentListHead,
const BOOLEAN checkCN, const BOOLEAN checkC,
CRYPT_ATTRIBUTE_TYPE *errorLocus,
CRYPT_ERRTYPE_TYPE *errorType );
int sizeofDN( void *dnComponentListHead );
int readDN( STREAM *stream, void **dnComponentListHead );
int writeDN( STREAM *stream, const void *dnComponentListHead,
const int tag );
int readDNstring( const char *string, const int stringLength,
void **dnComponentListHead );
int writeDNstring( STREAM *stream, const void *dnComponentListHead );
/****************************************************************************
* *
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -