📄 attr_acl.c
字号:
CRYPT_OPTION_CERT_UPDATEINTERVAL,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 1, 365 ) ),
MKACL_N( /* PKIX compliance level for cert chks.*/
CRYPT_OPTION_CERT_COMPLIANCELEVEL,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ),
RANGE( CRYPT_COMPLIANCELEVEL_OBLIVIOUS, CRYPT_COMPLIANCELEVEL_PKIX_FULL ) ),
MKACL_B( /* Whether explicit policy req'd for certs */
CRYPT_OPTION_CERT_REQUIREPOLICY,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ) ),
MKACL_B( /* Add default CMS attributes */
CRYPT_OPTION_CMS_DEFAULTATTRIBUTES,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ) ),
MKACL_S( /* Object class */
CRYPT_OPTION_KEYS_LDAP_OBJECTCLASS,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_EX( /* Object type to fetch */
CRYPT_OPTION_KEYS_LDAP_OBJECTTYPE, ATTRIBUTE_VALUE_NUMERIC,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx, 0,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE_ALLOWEDVALUES, allowedLDAPObjectTypes ),
MKACL_S( /* Query filter */
CRYPT_OPTION_KEYS_LDAP_FILTER,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* CA certificate attribute name */
CRYPT_OPTION_KEYS_LDAP_CACERTNAME,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Certificate attribute name */
CRYPT_OPTION_KEYS_LDAP_CERTNAME,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* CRL attribute name */
CRYPT_OPTION_KEYS_LDAP_CRLNAME,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Email attribute name */
CRYPT_OPTION_KEYS_LDAP_EMAILNAME,
ST_KEYSET_LDAP, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Name of first PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR01,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_S( /* Name of second PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR02,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_S( /* Name of third PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR03,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_S( /* Name of fourth PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR04,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_S( /* Name of fifth PKCS #11 driver */
CRYPT_OPTION_DEVICE_PKCS11_DVR05,
ST_NONE, ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE( OBJECT_TYPE_USER ),
RANGE( 2, MAX_PATH_LENGTH ) ),
MKACL_B( /* Use only hardware mechanisms */
CRYPT_OPTION_DEVICE_PKCS11_HARDWAREONLY,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ) ),
MKACL_S( /* Socks server name */
CRYPT_OPTION_NET_SOCKS_SERVER,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( MIN_DNS_SIZE, MAX_DNS_SIZE ) ),
MKACL_S( /* Socks user name */
CRYPT_OPTION_NET_SOCKS_USERNAME,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Web proxy server */
CRYPT_OPTION_NET_HTTP_PROXY,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_RWD_RWD,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( MIN_DNS_SIZE, MAX_DNS_SIZE ) ),
MKACL_N( /* Timeout for network connection setup */
CRYPT_OPTION_NET_CONNECTTIMEOUT,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_Rxx_RWx,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( 5, 300 ) ),
MKACL_N( /* Timeout for network reads */
CRYPT_OPTION_NET_READTIMEOUT,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( 0, 300 ) ),
MKACL_N( /* Timeout for network writes */
CRYPT_OPTION_NET_WRITETIMEOUT,
ST_NONE, ST_SESS_ANY | ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
RANGE( 0, 300 ) ),
MKACL_B( /* Whether to init cryptlib async'ly */
CRYPT_OPTION_MISC_ASYNCINIT,
ST_NONE, ST_USER_SO, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ) ),
MKACL_N( /* Protect against side-channel attacks */
CRYPT_OPTION_MISC_SIDECHANNELPROTECTION,
ST_CTX_PKC, ST_USER_SO, ACCESS_RWx_RWx,
ROUTE_ALT( OBJECT_TYPE_CONTEXT, OBJECT_TYPE_USER ),
RANGE( 0, 2 ) ),
MKACL( /* Whether in-mem.opts match on-disk ones */
/* This is a special-case boolean attribute value that can only be
set to FALSE to indicate that the config options should be
flushed to disk */
CRYPT_OPTION_CONFIGCHANGED, ATTRIBUTE_VALUE_BOOLEAN,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx, 0,
ROUTE( OBJECT_TYPE_USER ),
RANGE( FALSE, FALSE ) ),
MKACL_B( /* Algorithm self-test status */
CRYPT_OPTION_SELFTESTOK,
ST_NONE, ST_USER_ANY, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_USER ) ),
MKACL_END()
};
/****************************************************************************
* *
* Context ACLs *
* *
****************************************************************************/
static const int FAR_BSS allowedPKCKeysizes[] = {
sizeof( CRYPT_PKCINFO_DLP ), sizeof( CRYPT_PKCINFO_RSA ),
sizeof( CRYPT_PKCINFO_ECC ), CRYPT_ERROR };
static const int FAR_BSS allowedKeyingAlgos[] = {
CRYPT_ALGO_MD5, CRYPT_ALGO_SHA1, CRYPT_ALGO_RIPEMD160,
CRYPT_ALGO_HMAC_SHA, CRYPT_ERROR };
static const ATTRIBUTE_ACL FAR_BSS subACL_CtxinfoPersistent[] = {
MKACL_B( /* PKC is determined implicitly by storage type */
CRYPT_CTXINFO_PERSISTENT,
ST_CTX_PKC, ST_NONE, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_CONTEXT ) ),
MKACL_B( /* Conv./MAC can be set on create to create persistent object */
CRYPT_CTXINFO_PERSISTENT,
ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ACCESS_Rxx_RWD,
ROUTE( OBJECT_TYPE_CONTEXT ) ),
MKACL_END_SUBACL()
};
/* Context attributes */
static const ATTRIBUTE_ACL FAR_BSS contextACL[] = {
MKACL_N( /* Algorithm */
CRYPT_CTXINFO_ALGO,
ST_CTX_ANY, ST_NONE, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( CRYPT_ALGO_NONE + 1, CRYPT_ALGO_LAST - 1 ) ),
MKACL_N( /* Mode */
CRYPT_CTXINFO_MODE,
ST_CTX_CONV, ST_NONE, ACCESS_Rxx_RWx,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( CRYPT_MODE_NONE + 1, CRYPT_MODE_LAST - 1 ) ),
MKACL_S( /* Algorithm name */
CRYPT_CTXINFO_NAME_ALGO,
ST_CTX_ANY, ST_NONE, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 3, CRYPT_MAX_TEXTSIZE ) ),
MKACL_S( /* Mode name */
CRYPT_CTXINFO_NAME_MODE,
ST_CTX_CONV, ST_NONE, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 3, CRYPT_MAX_TEXTSIZE ) ),
MKACL_N( /* Key size in bytes */
CRYPT_CTXINFO_KEYSIZE,
ST_CTX_CONV | ST_CTX_PKC | ST_CTX_MAC, ST_NONE, ACCESS_Rxx_RWx,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( MIN_KEYSIZE, CRYPT_MAX_PKCSIZE ) ),
MKACL_N( /* Block size in bytes */
CRYPT_CTXINFO_BLOCKSIZE,
ST_CTX_ANY, ST_NONE, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 1, CRYPT_MAX_HASHSIZE ) ),
MKACL_N( /* IV size in bytes */
CRYPT_CTXINFO_IVSIZE,
ST_CTX_CONV, ST_NONE, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 8, CRYPT_MAX_IVSIZE ) ),
MKACL_EX( /* Key processing algorithm */
/* The allowed algorithm range is a bit peculiar, usually we only
allow HMAC-SHA1 for normal key derivation, however PGP uses
plain hash algorithms for the derivation and although these
are never applied, they are stored in the context when PGP keys
are loaded */
CRYPT_CTXINFO_KEYING_ALGO, ATTRIBUTE_VALUE_NUMERIC,
ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ACCESS_Rxx_RWD, 0,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE_ALLOWEDVALUES, allowedKeyingAlgos ),
MKACL_N( /* Key processing iterations */
CRYPT_CTXINFO_KEYING_ITERATIONS,
ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ACCESS_Rxx_RWD,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 1, 20000 ) ),
MKACL_S( /* Key processing salt */
CRYPT_CTXINFO_KEYING_SALT,
ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ACCESS_Rxx_RWD,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 8, CRYPT_MAX_HASHSIZE ) ),
MKACL_S_EX( /* Value used to derive key */
CRYPT_CTXINFO_KEYING_VALUE,
ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ACCESS_xxx_xWx, ATTRIBUTE_FLAG_TRIGGER,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 1, MAX_ATTRIBUTE_SIZE ) ),
#ifdef USE_FIPS140
MKACL_S_EX( /* Key */
CRYPT_CTXINFO_KEY,
ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ACCESS_INT_xxx_xWx, ATTRIBUTE_FLAG_TRIGGER,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( MIN_KEYSIZE, CRYPT_MAX_KEYSIZE ) ),
MKACL_EX( /* Public-key components */
CRYPT_CTXINFO_KEY_COMPONENTS, ATTRIBUTE_VALUE_STRING,
ST_CTX_PKC, ST_NONE, ACCESS_INT_xxx_xWx, ATTRIBUTE_FLAG_TRIGGER,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE_ALLOWEDVALUES, allowedPKCKeysizes ),
#else
MKACL_S_EX( /* Key */
CRYPT_CTXINFO_KEY,
ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ACCESS_xxx_xWx, ATTRIBUTE_FLAG_TRIGGER,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( MIN_KEYSIZE, CRYPT_MAX_KEYSIZE ) ),
MKACL_EX( /* Public-key components */
CRYPT_CTXINFO_KEY_COMPONENTS, ATTRIBUTE_VALUE_STRING,
ST_CTX_PKC, ST_NONE, ACCESS_xxx_xWx, ATTRIBUTE_FLAG_TRIGGER,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE_ALLOWEDVALUES, allowedPKCKeysizes ),
#endif /* FIPS 140 keying rules */
MKACL_S( /* IV */
CRYPT_CTXINFO_IV,
ST_CTX_CONV, ST_NONE, ACCESS_RWx_RWx,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 8, CRYPT_MAX_IVSIZE ) ),
MKACL_S( /* Hash value */
CRYPT_CTXINFO_HASHVALUE,
ST_CTX_HASH | ST_CTX_MAC, ST_NONE, ACCESS_RxD_RxD,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 16, CRYPT_MAX_HASHSIZE ) ),
MKACL_S( /* Label for private/secret key */
CRYPT_CTXINFO_LABEL,
ST_CTX_CONV | ST_CTX_PKC | ST_CTX_MAC, ST_NONE, ACCESS_Rxx_RWD,
ROUTE( OBJECT_TYPE_CONTEXT ),
RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
MKACL_X( /* Object is backed by a device or keyset */
CRYPT_CTXINFO_PERSISTENT,
ST_CTX_CONV | ST_CTX_PKC | ST_CTX_MAC, ST_NONE, ACCESS_Rxx_RWD,
ROUTE( OBJECT_TYPE_CONTEXT ),
subACL_CtxinfoPersistent ),
MKACL_END()
};
/****************************************************************************
* *
* Certificate ACLs *
* *
****************************************************************************/
static const int FAR_BSS allowedIPAddressSizes[] = \
{ 4, 16, CRYPT_ERROR };
static const ATTRIBUTE_ACL FAR_BSS subACL_CertinfoFingerprintSHA[] = {
MKACL_S( /* Certs: General access */
CRYPT_CERTINFO_FINGERPRINT_SHA,
ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ACCESS_Rxx_xxx,
ROUTE( OBJECT_TYPE_CERTIFICATE ),
RANGE( 20, 20 ) ),
MKACL_S( /* Selected other objs (requests, PKI users): Int.access only */
CRYPT_CERTINFO_FINGERPRINT_SHA,
ST_CERT_ANY_CERT | ST_CERT_REQ_REV | ST_CERT_PKIUSER, ST_NONE, ACCESS_INT_Rxx_xxx,
ROUTE( OBJECT_TYPE_CERTIFICATE ),
RANGE( 20, 20 ) ),
MKACL_END_SUBACL()
};
static const ATTRIBUTE_ACL FAR_BSS subACL_CertinfoSerialNumber[] = {
MKACL_S( /* Certificates: General access */
/* In theory we shouldn't allow this access since the serial number
should be chosen by the CA, however it's required for SCEP, which
requires that the cert serial number contain a transaction ID (!!)
so we make it writeable for internal access */
CRYPT_CERTINFO_SERIALNUMBER,
ST_CERT_CERT, ST_NONE, ACCESS_SPECIAL_Rxx_RWx_Rxx_Rxx,
ROUTE( OBJECT_TYPE_CERTIFICATE ),
RANGE( 1, 32 ) ),
MKACL_S( /* Everything else: Read-only */
CRYPT_CERTINFO_SERIALNUMBER,
ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | ST_CERT_CRL | \
ST_CERT_REQ_CERT, ST_NONE, ACCESS_Rxx_Rxx,
ROUTE( OBJECT_TYPE_CERTIFICATE ),
RANGE( 1, 32 ) ),
MKACL_END_SUBACL()
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -