	};

/* Certificate: General info */

/* Each MKACL_x() entry below ties one CRYPT_CERTINFO_xxx attribute to the
   certificate-object subtypes it's valid for (the ST_CERT_xxx flags), the
   access permitted on it (ACCESS_xxx), the object type the attribute is
   routed to (ROUTE()) and, for entries that carry a value, the permitted
   range (RANGE()), a sub-ACL, or an object-type check.  NOTE(review): each
   ACCESS_xxx name carries two R/W/D triplets for two classes of caller;
   which triplet is the internal one and which the external one isn't
   visible in this file, so check the ACCESS_xxx definitions before reading
   a single-sided entry as "external callers can't touch this".  MKACL_END()
   terminates the table, so any new entry has to go before it */
static const ATTRIBUTE_ACL FAR_BSS certificateACL[] = {
	MKACL_B(	/* Cert is self-signed */
		CRYPT_CERTINFO_SELFSIGNED,
		ST_CERT_ANY_CERT, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_B(	/* Cert is signed and immutable */
		/* Read-only for both caller classes, so once the flag is set it
		   can't be cleared through the attribute interface */
		CRYPT_CERTINFO_IMMUTABLE,
		ST_CERT_ANY, ST_NONE, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_B(	/* Cert is a magic just-works cert */
		CRYPT_CERTINFO_XYZZY,
		ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ACCESS_Rxx_RWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_N(	/* Certificate object type */
		/* Read-only: the subtype is fixed when the object is created */
		CRYPT_CERTINFO_CERTTYPE,
		ST_CERT_ANY, ST_NONE, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( CRYPT_CERTTYPE_NONE + 1, CRYPT_CERTTYPE_LAST - 1 ) ),
	MKACL_S(	/* Certificate fingerprint: MD5 */
		/* Fixed 16-byte (MD5-length) value, readable by one caller class
		   only and never writable.  NOTE(review): MD5 is collision-prone,
		   so the SHA-1 fingerprint below is the one to use when a cert has
		   to be identified by its hash */
		CRYPT_CERTINFO_FINGERPRINT,
		ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ACCESS_Rxx_xxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 16, 16 ) ),
	MKACL_X(	/* Certificate fingerprint: SHA-1 */
		/* Per-subtype details live in subACL_CertinfoFingerprintSHA, which
		   is defined elsewhere */
		CRYPT_CERTINFO_FINGERPRINT_SHA,
		ST_CERT_ANY_CERT | ST_CERT_REQ_REV | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_xxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		subACL_CertinfoFingerprintSHA ),
	MKACL_N(	/* Cursor mgt: Rel.pos in chain/CRL/OCSP */
		/* The subtype flag is somewhat unusual since it includes as an
		   allowed subtype a cert, which doesn't have further cert components.
		   The reason for this is that when the chain is created it's just a
		   collection of certs, it isn't until all of them are available that
		   one can be marked the leaf cert and its type changed to cert chain.
		   Since an object's subtype can't be changed after it's created, we
		   have to allow cursor movement commands to certs in case one of
		   them is really the leaf in a cert chain - it's because of the way
		   the leaf can act as both a cert and a cert chain.  A pure cert
		   looks just like a one-cert chain, so there's no harm in sending a
		   movement command to a cert that isn't a chain leaf.

		   The entry is write-only for both caller classes (ACCESS_xWx_xWx):
		   the value is a movement command, not a stored attribute */
		CRYPT_CERTINFO_CURRENT_CERTIFICATE,
		ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_CRL | ST_CERT_RTCS_REQ | \
					   ST_CERT_RTCS_RESP | ST_CERT_OCSP_REQ | \
					   ST_CERT_OCSP_RESP, ST_NONE, ACCESS_xWx_xWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST ) ),
	MKACL_N(	/* Usage that cert is trusted for */
		/* Read/write/delete for both caller classes */
		CRYPT_CERTINFO_TRUSTED_USAGE,
		ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ACCESS_RWD_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( CRYPT_KEYUSAGE_NONE, CRYPT_KEYUSAGE_LAST - 1 ) ),
	MKACL_B(	/* Whether cert is implicitly trusted */
		/* Unlike the trusted-usage entry above, only one caller class can
		   read, set or clear implicit trust (ACCESS_RWD_xxx); the other
		   class has no access at all.  NOTE(review): this asymmetry is the
		   guard that keeps implicit trust from being granted by the wrong
		   side, so confirm which class holds the RWD triplet before
		   touching it */
		CRYPT_CERTINFO_TRUSTED_IMPLICIT,
		ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ACCESS_RWD_xxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_N(	/* Amount of detail to include in sigs.*/
		/* Only meaningful on OCSP requests */
		CRYPT_CERTINFO_SIGNATURELEVEL,
		ST_CERT_OCSP_REQ, ST_NONE, ACCESS_RWx_RWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( CRYPT_SIGNATURELEVEL_NONE, CRYPT_SIGNATURELEVEL_ALL ) ),

	MKACL_N(	/* Cert.format version */
		/* Versions 1 through 3, read-only for both caller classes */
		CRYPT_CERTINFO_VERSION,
		ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | ST_CERT_CRL | \
					   ST_CERT_RTCS_REQ | ST_CERT_RTCS_RESP | \
					   ST_CERT_OCSP_REQ | ST_CERT_OCSP_RESP, ST_NONE, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, 3 ) ),
	MKACL_X(	/* Serial number */
		/* The four-part ACCESS_SPECIAL_xxx value and the sub-ACL
		   subACL_CertinfoSerialNumber (defined elsewhere) jointly decide
		   access per subtype.  NOTE(review): check the sub-ACL before
		   assuming the serial number is read-only on an issued cert; only
		   one of the four triplets here carries a W bit */
		CRYPT_CERTINFO_SERIALNUMBER,
		ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | ST_CERT_CRL | \
					   ST_CERT_REQ_CERT, ST_NONE, ACCESS_SPECIAL_Rxx_RWx_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		subACL_CertinfoSerialNumber ),
	MKACL_O(	/* Public key */
		/* Write-only from one caller class; the object-type check
		   objectCtxPKC (defined elsewhere) presumably restricts the value
		   to a PKC context - confirm against its definition */
		CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO,
		ST_CERT_ANY_CERT, ST_NONE, ACCESS_xxx_xWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCtxPKC ),
	MKACL_O(	/* User certificate */
		/* Write-only: a cert object is added to a chain/CRL/request, it
		   can't be read back through this attribute */
		CRYPT_CERTINFO_CERTIFICATE,
		ST_CERT_CERTCHAIN | ST_CERT_CRL | ST_CERT_REQ_CERT | ST_CERT_REQ_REV | \
							ST_CERT_RTCS_REQ | ST_CERT_OCSP_REQ, ST_NONE, ACCESS_xxx_xWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertificate ),
	MKACL_O(	/* CA certificate */
		/* Only settable on an OCSP request, and write-only */
		CRYPT_CERTINFO_CACERTIFICATE,
		ST_CERT_OCSP_REQ, ST_NONE, ACCESS_xxx_xWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertificate ),
	MKACL_N(	/* Issuer DN */
		/* Selector entry (RANGE_SELECTVALUE): it chooses the DN that
		   subsequent name-component accesses apply to */
		CRYPT_CERTINFO_ISSUERNAME,
		ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | \
					   ST_CERT_CRL | ST_CERT_OCSP_RESP, ST_NONE, ACCESS_RWx_RWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE_SELECTVALUE ),
	MKACL_T(	/* Cert valid-from time */
		CRYPT_CERTINFO_VALIDFROM,
		ST_CERT_CERT | ST_CERT_REQ_CERT | ST_CERT_CERTCHAIN | \
					   ST_CERT_ATTRCERT, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_T(	/* Cert valid-to time */
		CRYPT_CERTINFO_VALIDTO,
		ST_CERT_CERT | ST_CERT_REQ_CERT | ST_CERT_CERTCHAIN | \
					   ST_CERT_ATTRCERT, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_N(	/* Subject DN */
		/* Selector entry, as for the issuer DN above, but additionally
		   deletable by one caller class */
		CRYPT_CERTINFO_SUBJECTNAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_PKIUSER, ST_NONE, ACCESS_RWx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE_SELECTVALUE ),
	MKACL_S(	/* Issuer unique ID */
		/* Read-only, plain certs only */
		CRYPT_CERTINFO_ISSUERUNIQUEID,
		ST_CERT_CERT, ST_NONE, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_S(	/* Subject unique ID */
		/* Read-only, plain certs only */
		CRYPT_CERTINFO_SUBJECTUNIQUEID,
		ST_CERT_CERT, ST_NONE, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_O(	/* Cert.request (DN + public key) */
		/* Write-only; the value is checked against objectCertRequest,
		   defined elsewhere */
		CRYPT_CERTINFO_CERTREQUEST,
		ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT, ST_NONE, ACCESS_xxx_xWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertRequest ),
	MKACL_T(	/* CRL/OCSP current-update time */
		CRYPT_CERTINFO_THISUPDATE,
		ST_CERT_CRL | ST_CERT_OCSP_RESP, ST_NONE, ACCESS_Rxx_RWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_T(	/* CRL/OCSP next-update time */
		CRYPT_CERTINFO_NEXTUPDATE,
		ST_CERT_CRL | ST_CERT_OCSP_RESP, ST_NONE, ACCESS_Rxx_RWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_T(	/* CRL/RTCS/OCSP cert-revocation time */
		CRYPT_CERTINFO_REVOCATIONDATE,
		ST_CERT_CRL | ST_CERT_RTCS_RESP | ST_CERT_OCSP_RESP, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_N(	/* OCSP revocation status */
		/* Read-only result of an OCSP response; the status can't be set
		   through the attribute interface */
		CRYPT_CERTINFO_REVOCATIONSTATUS,
		ST_CERT_OCSP_RESP, ST_NONE, ACCESS_Rxx_xxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( CRYPT_OCSPSTATUS_NOTREVOKED, CRYPT_OCSPSTATUS_UNKNOWN ) ),
	MKACL_N(	/* RTCS certificate status */
		/* Read-only result of an RTCS response, as for the OCSP status */
		CRYPT_CERTINFO_CERTSTATUS,
		ST_CERT_RTCS_RESP, ST_NONE, ACCESS_Rxx_xxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( CRYPT_CERTSTATUS_VALID, CRYPT_CERTSTATUS_UNKNOWN ) ),
	MKACL_S(	/* Currently selected DN in string form */
		/* Bounded by MAX_ATTRIBUTE_SIZE rather than CRYPT_MAX_TEXTSIZE
		   since a whole DN is larger than any single component */
		CRYPT_CERTINFO_DN,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 2, MAX_ATTRIBUTE_SIZE ) ),
	MKACL_S(	/* PKI user ID */
		/* Fixed 17-character value, read-only */
		CRYPT_CERTINFO_PKIUSER_ID,
		ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_xxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 17, 17 ) ),
	MKACL_S(	/* PKI user issue password */
		/* Fixed 23-character value.  Neither PKI user password can be
		   written through the attribute interface (no W bit in either
		   triplet), they can only be read out by one caller class */
		CRYPT_CERTINFO_PKIUSER_ISSUEPASSWORD,
		ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_xxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 23, 23 ) ),
	MKACL_S(	/* PKI user revocation password */
		/* Fixed 23-character value, read-only as for the issue password */
		CRYPT_CERTINFO_PKIUSER_REVPASSWORD,
		ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_xxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 23, 23 ) ),

	MKACL_END()
	};

/* Certificate: Name components */

/* Name components.  The first group of entries are DN components
   (countryName through commonName), the second group the GeneralName
   alternatives (otherName through registeredID).  Each entry gives the
   attribute, the cert-object subtypes it applies to, the permitted access,
   the routing target and the permitted value length; the length bounds here
   are the only size check applied at the ACL level.  NOTE(review):
   MKACL_WCS vs. MKACL_S presumably distinguishes strings that may be
   wide-character from plain ones - confirm against the macro definitions
   before changing an entry's kind.  MKACL_END() terminates the table */
static const ATTRIBUTE_ACL FAR_BSS certNameACL[] = {
	MKACL_S(	/* countryName */
		/* Exactly two characters */
		CRYPT_CERTINFO_COUNTRYNAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 2, 2 ) ),
	MKACL_WCS(	/* stateOrProvinceName */
		/* Capped at 128 rather than CRYPT_MAX_TEXTSIZE, as is localityName */
		CRYPT_CERTINFO_STATEORPROVINCENAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, 128 ) ),
	MKACL_WCS(	/* localityName */
		CRYPT_CERTINFO_LOCALITYNAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, 128 ) ),
	MKACL_WCS(	/* organizationName */
		CRYPT_CERTINFO_ORGANIZATIONNAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_WCS(	/* organizationalUnitName */
		CRYPT_CERTINFO_ORGANIZATIONALUNITNAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_WCS(	/* commonName */
		CRYPT_CERTINFO_COMMONNAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),

	/* GeneralName alternatives.  Note that, unlike the DN components above,
	   none of these are valid for OCSP responses */
	MKACL_S(	/* otherName.typeID */
		CRYPT_CERTINFO_OTHERNAME_TYPEID,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_S(	/* otherName.value */
		CRYPT_CERTINFO_OTHERNAME_VALUE,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_S(	/* rfc822Name */
		/* Length bounds come from the MIN/MAX_RFC822_SIZE constants
		   defined elsewhere, as do the dNSName and URI bounds below */
		CRYPT_CERTINFO_RFC822NAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( MIN_RFC822_SIZE, MAX_RFC822_SIZE ) ),
	MKACL_S(	/* dNSName */
		CRYPT_CERTINFO_DNSNAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( MIN_DNS_SIZE, MAX_DNS_SIZE ) ),
	MKACL_N(	/* directoryName */
		/* Numeric FALSE/TRUE entry with no W bit in either triplet.
		   NOTE(review): presumably a selector for the DN that's then
		   written component-by-component rather than a stored value -
		   confirm before relying on it being read-only */
		CRYPT_CERTINFO_DIRECTORYNAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RxD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( FALSE, TRUE ) ),
	MKACL_S(	/* ediPartyName.nameAssigner */
		CRYPT_CERTINFO_EDIPARTYNAME_NAMEASSIGNER,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_S(	/* ediPartyName.partyName */
		CRYPT_CERTINFO_EDIPARTYNAME_PARTYNAME,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
	MKACL_S(	/* uniformResourceIdentifier */
		CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
	MKACL_EX(	/* iPAddress */
		/* The only entry that uses RANGE_ALLOWEDVALUES: instead of a
		   min/max length, only the specific sizes listed in
		   allowedIPAddressSizes (defined elsewhere) are accepted, so
		   anything that isn't an exact address length is rejected */
		CRYPT_CERTINFO_IPADDRESS, ATTRIBUTE_VALUE_STRING,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD, 0,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE_ALLOWEDVALUES, allowedIPAddressSizes ),
	MKACL_S(	/* registeredID */
		CRYPT_CERTINFO_REGISTEREDID,
		ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
			ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),

	MKACL_END()
	};

/* Certificate: Extensions */

static const ATTRIBUTE_ACL FAR_BSS certExtensionACL[] = {
	/* 1 2 840 113549 1 9 7 challengePassword.  This is here even though it's
	   a CMS attribute because SCEP stuffs it into PKCS #10 requests */
	MKACL_S(	/* nonce */
		CRYPT_CERTINFO_CHALLENGEPASSWORD,
		ST_CERT_CERTREQ, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),

	/* 1 3 6 1 4 1 3029 3 1 4 cRLExtReason */
	MKACL_N(	/* cRLExtReason */
		CRYPT_CERTINFO_CRLEXTREASON,
		ST_CERT_CRL | ST_CERT_REQ_REV, ST_NONE, ACCESS_Rxx_RWD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( CRYPT_CRLREASON_UNSPECIFIED, CRYPT_CRLEXTREASON_LAST - 1 ) ),

	/* 1 3 6 1 4 1 3029 3 1 5 keyFeatures */
	MKACL_N(	/* keyFeatures */
		CRYPT_CERTINFO_KEYFEATURES,
		ST_CERT_ANY_CERT, ST_NONE, ACCESS_Rxx_Rxx,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( 0, 7 ) ),

	/* 1 3 6 1 5 5 7 1 1 authorityInfoAccess.  The values are GeneralName
	   selectors so the ACL doesn't allow writes, since they can only be
	   used to select the GeneralName that's written to */
	MKACL_B(	/* Extension present flag */
		CRYPT_CERTINFO_AUTHORITYINFOACCESS,
		ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RxD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
	MKACL_N(	/* accessDescription.accessLocation */
		CRYPT_CERTINFO_AUTHORITYINFO_RTCS,
		ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RxD,
		ROUTE( OBJECT_TYPE_CERTIFICATE ),
		RANGE( FALSE, TRUE ) ),
	MKACL_N(	/* accessDescription.accessLocation */
		CRYPT_CERTINFO_AUTHORITYINFO_OCSP,
		ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ACCESS_Rxx_RxD,
