certattr.h (cryptlib security toolkit)
/****************************************************************************
*																			*
*					Certificate Attribute Routines Header File 				*
*						Copyright Peter Gutmann 1997-2007					*
*																			*
****************************************************************************/

#ifndef _CERTATTR_DEFINED

#define _CERTATTR_DEFINED

/* The attribute type information.  This is used to both check the validity
   of encoded attribute data and to describe the structure of an attribute
   when encoding it.  The flags are broken down into the following groups:

	Attribute-specific flags that apply to an individual field or an
	overall attribute.

	SET/SEQUENCE control flags that indicate the end of a SET/SEQUENCE or
	nested SET/SEQUENCE.  These are only used for encoding; for decoding the 
	decoder maintains a parse state stack driven by the encoded data 
	(actually that's not quite correct: when skipping to the end of some 
	SEQUENCEs containing type-and-value pairs we also use the flags to locate 
	the end of the SEQUENCE encoding/start of the next type-and-value entry).  
	The use of SEQEND gets extremely complicated in the presence of optional
	SEQUENCEs because it's not certain how many levels we need to undo.  
	Consider for example name constraints:

		SEQUENCE {
			permittedSubtrees	[ 0 ] SEQUENCE OF {
				SEQUENCE { GeneralName }
				} OPTIONAL,
			excludedSubtrees	[ 1 ] SEQUENCE OF {
				SEQUENCE { GeneralName }
				} OPTIONAL,
			}

	Is the value at the end FL_SEQEND or FL_SEQEND_3?  If excludedSubtrees 
	are absent then it's FL_SEQEND, but if we're encoding the excluded 
	subtree then it's FL_SEQEND_3.  Because of this ambiguity the current 
	encoding routines simply assume that once they reach the end of an 
	extension there's an implicit FL_SEQEND_whatever there.  Luckily all of 
	the ambiguous decoding-level points occur at the end of extensions so 
	this is a workable way to handle things.

	Decoding level flags that indicate the compliance level at which this
	attribute is decoded.

	The object subtypes for which an attribute is valid.  CRLs actually 
	contain two sets of extensions, one for the entire CRL (crlExtensions) 
	and the other for each entry in the CRL (crlEntryExtension).  Sorting 
	out whether we're adding a CRL extension or per-entry extension is 
	handled by the higher-level code which references the CRL attribute list 
	or per-entry attribute list as appropriate.

   The attribute flags are:

	FL_OPTIONAL: The field is optional.
	
	FL_DEFAULT: The field has a default value that's set if no field data
		is present.

	FL_EXPLICIT: The field is explicitly tagged, so instead of being en/
		decoded using the tag for the field it's given a second level of 
		tagging that encapsulates the field's actual tag type.

	FL_IDENTIFIER: Used for the encapsulating SEQUENCE of fields of the type:

		SEQUENCE {
			identifier	OBJECT IDENTIFIER
			data		ANY DEFINED BY identifier
			}

		for which the field identified by a CRYPT_CERTINFO_xxx is the 'data'
		field.  The overall item is only encoded if the 'data' field is 
		present.

	FL_SETOF: Applied to the encapsulating SET/SEQUENCE of a SET OF x/
		SEQUENCE OF x to indicate that one or more inner fields may be 
		present.  The field marked with FL_SETOF in the encoding/decoding
		table is bookmarked; if all of the SET/SEQUENCE data isn't read the 
		first time through then the decoding table position is restarted 
		from the bookmark until the SET/SEQUENCE data is exhausted.

	FL_NONEMPTY: Used for a SET/SEQUENCE consisting of nothing but OPTIONAL
		elements to indicate that at least one optional/default element must 
		be present.  If this check wasn't applied and the data didn't match
		any of the optional elements then the decoder would get stuck in an 
		endless loop.

	FL_NONENCODING: The field is read and written but not associated with 
		any user data.  This is used for fields such as version numbers that 
		aren't used for encoding user-supplied data but that must be read and 
		written when processing an attribute.

	FL_MULTIVALUED: If a cryptlib-level attribute is part of a SET OF x/
		SEQUENCE OF x, this flag is set to indicate that more than one 
		instance can exist at the same time.  If this flag isn't set then 
		cryptlib will detect that an attribute of that type already exists 
		and refuse to allow a second instance to be added.

	FL_ALIAS: The field is actually of the type specified in the 
		fieldEncodedType but is treated as if it were of the type given in
		the fieldType.  This is used to handle hole encodings or standards 
		committees creating ASN.1 turduckens.

	FL_NOCOPY: The attribute is regarded as sensitive and therefore 
		shouldn't be copied from source to destination (e.g. from a 
		certificate request into a certificate) when the other attributes 
		are copied.
    
	FL_CRITICAL: The overall extension is marked critical when encoding.

	FL_MORE: Another field in the current extension follows.  The last field
		in the extension has FL_MORE clear */

/*!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*/
/* Break up into two sets of fields, a SEQEND + validity and a level + misc */
/*!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*/

#define FL_SEQEND			0x0000001L	/* End of constructed object */
#define FL_SEQEND_1			0x0000001L	/*  End of cons.obj, one nesting lvl.*/
#define FL_SEQEND_2			0x0000002L	/*  End of cons.obj, two nesting lvl.*/
#define FL_SEQEND_3			0x0000003L	/*  End of cons.obj, three nesting lvls.*/
#define FL_SEQEND_MASK		0x0000003L	/* Mask for sequence control value */

#define FL_LEVEL_OBLIVIOUS	0x0000000L	/* Process at oblivious compliance level */
#define FL_LEVEL_REDUCED	0x0000010L	/* Process at reduced compliance level */
#define FL_LEVEL_STANDARD	0x0000020L	/* Process at standard compliance level */
#define FL_LEVEL_PKIX_PARTIAL 0x0000030L	/* Process at partial PKIX compliance level */
#define FL_LEVEL_PKIX_FULL	0x0000040L	/* Process at full PKIX compliance level */
#define FL_LEVEL_MASK		0x0000070L	/* Mask for compliance level value */

#define FL_VALID_CERT		0x0000100L	/* Valid in a certificate */
#define FL_VALID_ATTRCERT	0x0000200L	/* Valid in an attribute cert */
#define FL_VALID_CRL		0x0000400L	/* Valid in a CRL */
#define FL_VALID_CERTREQ	0x0000800L	/* Valid in a cert.request */
#define FL_VALID_REVREQ		0x0001000L	/* Valid in a rev.request */
#define FL_VALID_OCSPREQ	0x0001000L	/* Valid in an OCSP request (same bit as REVREQ) */
#define FL_VALID_OCSPRESP	0x0001000L	/* Valid in an OCSP response (same bit as REVREQ) */

#define FL_OPTIONAL			0x0002000L	/* Field is optional */
#define FL_DEFAULT			0x0004000L	/* Field has default value */
#define FL_EXPLICIT			0x0008000L	/* Field is explicitly tagged */
#define FL_IDENTIFIER		0x0010000L	/* Following field contains selection OID */
#define FL_SETOF			0x0020000L	/* Start of SET/SEQ OF values */
#define FL_NONEMPTY			0x0040000L	/* SET/SEQ must contain at least one entry */
#define FL_NONENCODING		0x0080000L	/* Field is a non-encoding value */
#define FL_MULTIVALUED		0x0100000L	/* Field can occur multiple times */
#define FL_ALIAS			0x0200000L	/* Field is an alias for another type */
#define FL_NOCOPY			0x0400000L	/* Attr.isn't copied when attrs.copied*/
#define FL_CRITICAL			0x0800000L	/* Extension is marked critical */
#define FL_MORE				0x1000000L	/* Further entries follow */

/* If a constructed field is nested (for example a SEQUENCE OF SEQUENCE) the
   FL_SEQEND may need to denote multiple levels of unnesting.  This is done
   by using FL_SEQEND_n, the following macro can be used to extract the
   actual level of nesting */

#define decodeNestingLevel( value )		( ( value ) & FL_SEQEND_MASK )

/* In order to be able to process broken certificates we allow for 
   processing them at various levels of standards compliance.  If the 
   current processing level is below that required for the extension, we 
   skip it and treat it as a blob extension */

#define decodeComplianceLevel( value ) \
		( ( ( value ) & FL_LEVEL_MASK ) >> 4 )	/* Level occupies bits 4..6 */
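The flag layout, the two extraction macros and the table rules given in the flag descriptions (FL_MORE on every field but the last, FL_SETOF bookmarking, FL_NONEMPTY as the endless-loop guard) are easiest to see exercised together. The following is an added example and not cryptlib code: it copies the FL_xxx values used from this header, assumes a minimal TABLE_ENTRY struct and two constructed three-row tables (goodTable, badTable, with the compliance-level and object-validity bits placed on the first row of each), takes the body of decodeComplianceLevel from the 0x10 spacing under FL_LEVEL_MASK, and implements a table self-check plus the compliance-level skip decision described above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Flag values copied from certattr.h; only the ones this example uses */
#define FL_SEQEND_1				0x0000001L
#define FL_SEQEND_2				0x0000002L
#define FL_SEQEND_MASK			0x0000003L
#define FL_LEVEL_STANDARD		0x0000020L
#define FL_LEVEL_PKIX_PARTIAL	0x0000030L
#define FL_LEVEL_MASK			0x0000070L
#define FL_VALID_CERT			0x0000100L
#define FL_VALID_CRL			0x0000400L
#define FL_OPTIONAL				0x0002000L
#define FL_DEFAULT				0x0004000L
#define FL_SETOF				0x0020000L
#define FL_NONEMPTY				0x0040000L
#define FL_MORE					0x1000000L

#define decodeNestingLevel( value )		( ( value ) & FL_SEQEND_MASK )
/* Assumed body: level values are 0x10 apart under FL_LEVEL_MASK, so a shift
   by four yields 0 (oblivious) .. 4 (full PKIX) */
#define decodeComplianceLevel( value )	( ( ( value ) & FL_LEVEL_MASK ) >> 4 )

/* Hypothetical encoding-table row, one per ASN.1 field (example only) */
typedef struct {
	const char *name;
	long flags;
	} TABLE_ENTRY;

/* Constructed sample: a SET OF two OPTIONAL fields.  Well-formed per the
   header: FL_MORE on all but the last row, last row closes one nesting
   level, FL_NONEMPTY guards the all-OPTIONAL body */
static const TABLE_ENTRY goodTable[] = {
	{ "SET OF", FL_SETOF | FL_NONEMPTY | FL_LEVEL_STANDARD | FL_VALID_CERT | FL_MORE },
	{ "fieldA", FL_OPTIONAL | FL_MORE },
	{ "fieldB", FL_OPTIONAL | FL_SEQEND_1 }
	};

/* Same shape with FL_NONEMPTY dropped: a decoder that restarts from the
   FL_SETOF bookmark would spin if the data matched neither field */
static const TABLE_ENTRY badTable[] = {
	{ "SET OF", FL_SETOF | FL_LEVEL_STANDARD | FL_VALID_CERT | FL_MORE },
	{ "fieldA", FL_OPTIONAL | FL_MORE },
	{ "fieldB", FL_OPTIONAL | FL_SEQEND_1 }
	};

#define TABLE_SIZE( t )		( ( int ) ( sizeof( t ) / sizeof( ( t )[ 0 ] ) ) )

/* Compliance gate: an attribute requiring a higher level than the one in
   force isn't decoded but kept as an opaque blob */
bool skipAsBlob( long attrFlags, int currentLevel )
	{
	return( decodeComplianceLevel( attrFlags ) > currentLevel );
	}

/* Object-subtype validity, objectFlag is one FL_VALID_xxx bit */
bool validForObject( long attrFlags, long objectFlag )
	{
	return( ( attrFlags & objectFlag ) != 0 );
	}

/* Return -1 if the table obeys the FL_MORE / FL_SETOF / FL_NONEMPTY rules
   from the header comments, else the index of the first offending row */
int checkTable( const TABLE_ENTRY *table, int count )
	{
	int i;

	for( i = 0; i < count; i++ )
		{
		const bool isLast = ( i == count - 1 );
		const bool hasMore = ( table[ i ].flags & FL_MORE ) != 0;

		/* Every row but the last must carry FL_MORE, the last must not */
		if( hasMore == isLast )
			return( i );
		if( table[ i ].flags & FL_SETOF )
			{
			/* The SET/SEQUENCE OF body runs up to and including the first
			   row that closes a nesting level */
			bool allOptional = true;
			int j;

			for( j = i + 1; j < count; j++ )
				{
				if( !( table[ j ].flags & ( FL_OPTIONAL | FL_DEFAULT ) ) )
					allOptional = false;
				if( decodeNestingLevel( table[ j ].flags ) != 0 )
					break;
				}
			if( j >= count )
				return( i );	/* SET OF is never closed */
			if( allOptional && !( table[ i ].flags & FL_NONEMPTY ) )
				return( i );	/* Endless-loop hazard the header warns about */
			}
		}
	return( -1 );
	}

int main( void )
	{
	printf( "goodTable: %d, badTable: %d\n", checkTable( goodTable, TABLE_SIZE( goodTable ) ),
			checkTable( badTable, TABLE_SIZE( badTable ) ) );
	printf( "PKIX-partial attribute skipped at level 2: %d\n", skipAsBlob( FL_LEVEL_PKIX_PARTIAL, 2 ) );
	printf( "nesting level of FL_SEQEND_2: %ld\n", decodeNestingLevel( FL_SEQEND_2 ) );
	return( 0 );
	}
```

The check only models the rules the header states outright; it does not try to resolve the FL_SEQEND_n ambiguity at the end of an extension, which the comments above say the real encoder sidesteps by assuming an implicit SEQEND there.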
