📄 ext_def.c
字号:
/****************************************************************************
* *
* Certificate Attribute Definitions *
* Copyright Peter Gutmann 1996-2008 *
* *
****************************************************************************/
#if defined( INC_ALL )
#include "cert.h"
#include "certattr.h"
#include "asn1.h"
#include "asn1_ext.h"
#else
#include "cert/cert.h"
#include "cert/certattr.h"
#include "misc/asn1.h"
#include "misc/asn1_ext.h"
#endif /* Compiler-specific includes */
/* The following certificate extensions are currently supported. If
'Enforced' is set to 'Yes', this means that they are constraint extensions
that are enforced by the certificate checking code; if set to '-', they
are informational extensions for which enforcement doesn't apply; if set
to 'No', they need to be handled by the user (this only applies for
certificate policies, where the user has to decide whether a given
certificate policy is acceptable or not). The Yes/No in policyConstraints
means that everything except the policy mapping constraint is enforced
(because policyMappings itself isn't enforced).
Enforced
--------
authorityInfoAccess -
authorityKeyIdentifier -
basicConstraints Yes
biometricInfo (QualifiedCert) -
certCardRequired (SET) -
certificateIssuer -
certificatePolicies Yes
certificateType (SET) -
challengePassword (SCEP) -
cRLDistributionPoints -
cRLNumber -
cRLReason -
cRLExtReason -
dateOfCertGen (SigG) -
deltaCRLIndicator -
extKeyUsage Yes
freshestCRL -
hashedRootKey (SET) -
holdInstructionCode -
inhibitAnyPolicy Yes
invalidityDate -
issuerAltName -
issuingDistributionPoint -
keyFeatures -
keyUsage Yes
monetaryLimit (SigG) -
nameConstraints Yes
netscape-cert-type Yes
netscape-base-url -
netscape-revocation-url -
netscape-ca-revocation-url -
netscape-cert-renewal-url -
netscape-ca-policy-url -
netscape-ssl-server-name -
netscape-comment -
merchantData (SET) -
ocspAcceptableResponse (OCSP) -
ocspArchiveCutoff (OCSP) -
ocspNoCheck (OCSP) -
ocspNonce (OCSP) -
policyConstraints Yes/No
policyMappings No
privateKeyUsagePeriod Yes
procuration (SigG) -
qcStatements (QualifiedCert) -
restriction (SigG) -
strongExtranet (Thawte) -
subjectAltName -
subjectDirectoryAttributes -
subjectInfoAccess -
subjectKeyIdentifier -
tunneling (SET) -
Some extensions are specified as a SEQUENCE OF thing, to make it possible
to process these automatically we rewrite them as a SEQUENCE OF
thingInstance1 OPTIONAL, thingInstance2 OPTIONAL, ... thingInstanceN
OPTIONAL. Examples of this are extKeyUsage and the altNames.
Since some extensions fields are tagged, the fields as encoded differ from
the fields as defined by the tagging, the following macro is used to turn
a small integer into a context-specific tag. By default the tag is
implicit as per X.509v3, to make it an explicit tag we need to set the
FL_EXPLICIT flag for the field */
#define CTAG( x ) ( x | BER_CONTEXT_SPECIFIC )
/* A symbolic define for use when there's no explicit tagging or other form
of encapsulation being used */
#define ENCODING( tag ) tag, CRYPT_UNUSED
#define ENCODING_ALIAS( tag, aliasTag ) \
tag, aliasTag
#define ENCODING_TAGGED( tag, outerTag ) \
tag, outerTag
#define RANGE( min, max ) min, max, 0, NULL
#define RANGE_ATTRIBUTEBLOB 1, MAX_ATTRIBUTE_SIZE, 0, NULL
#define RANGE_BLOB 32, MAX_ATTRIBUTE_SIZE, 0, NULL
#define RANGE_BOOLEAN FALSE, TRUE, FALSE, NULL
#define RANGE_NONE 0, 0, 0, NULL
#define RANGE_OID MIN_OID_SIZE, MAX_OID_SIZE, 0, NULL
#define RANGE_TEXTSTRING 1, CRYPT_MAX_TEXTSIZE, 0, NULL
#define RANGE_TIME sizeof( time_t ), sizeof( time_t ), 0, NULL
#define RANGE_UNUSED CRYPT_UNUSED, CRYPT_UNUSED, 0, NULL
#define ENCODED_OBJECT( altEncodingTable ) \
0, 0, 0, ( void * ) altEncodingTable
#define CHECK_DNS MIN_DNS_SIZE, MAX_DNS_SIZE, 0, ( void * ) checkDNS
#define CHECK_HTTP MIN_URL_SIZE, MAX_URL_SIZE, 0, ( void * ) checkHTTP
#define CHECK_RFC822 MIN_RFC822_SIZE, MAX_RFC822_SIZE, 0, ( void * ) checkRFC822
#define CHECK_URL MIN_URL_SIZE, MAX_URL_SIZE, 0, ( void * ) checkURL
#define CHECK_X500 0, 0, 0, ( void * ) checkDirectoryName
/* Extended checking functions */
CHECK_RETVAL_ENUM( CRYPT_ERRTYPE ) STDC_NONNULL_ARG( ( 1 ) ) \
static int checkRFC822( const ATTRIBUTE_LIST *attributeListPtr );
CHECK_RETVAL_ENUM( CRYPT_ERRTYPE ) STDC_NONNULL_ARG( ( 1 ) ) \
static int checkDNS( const ATTRIBUTE_LIST *attributeListPtr );
CHECK_RETVAL_ENUM( CRYPT_ERRTYPE ) STDC_NONNULL_ARG( ( 1 ) ) \
static int checkURL( const ATTRIBUTE_LIST *attributeListPtr );
CHECK_RETVAL_ENUM( CRYPT_ERRTYPE ) STDC_NONNULL_ARG( ( 1 ) ) \
static int checkHTTP( const ATTRIBUTE_LIST *attributeListPtr );
CHECK_RETVAL_ENUM( CRYPT_ERRTYPE ) STDC_NONNULL_ARG( ( 1 ) ) \
static int checkDirectoryName( const ATTRIBUTE_LIST *attributeListPtr );
/* Forward declarations for alternative encoding tables used by the main
tables. These are declared in a somewhat peculiar manner because there's
no clean way in C to forward declare a static array. Under VC++ with the
highest warning level enabled this produces a compiler warning, so we
turn the warning off for this module. In addition there are problems with
some versions of gcc 4.x, these first cropped up in 4.0.0 (which only
Apple, with their penchant for running with buggy bleeding-edge releases
really went with) but they're they're still in 4.1.x so we have to add a
special case for this */
#if defined( __GNUC__ ) && ( __GNUC__ == 4 )
static const ATTRIBUTE_INFO FAR_BSS generalNameInfo[];
static const ATTRIBUTE_INFO FAR_BSS holdInstructionInfo[];
static const ATTRIBUTE_INFO FAR_BSS contentTypeInfo[];
#else
extern const ATTRIBUTE_INFO FAR_BSS generalNameInfo[];
extern const ATTRIBUTE_INFO FAR_BSS holdInstructionInfo[];
extern const ATTRIBUTE_INFO FAR_BSS contentTypeInfo[];
#endif /* Some gcc 4 versions */
#if defined( _MSC_VER )
#pragma warning( disable: 4211 )
#endif /* VC++ */
/****************************************************************************
* *
* Certificate Extension Definitions *
* *
****************************************************************************/
/* Certificate extensions are encoded using the following table */
static const ATTRIBUTE_INFO FAR_BSS extensionInfo[] = {
/* challengePassword. This is here even though it's a CMS attribute
because SCEP stuffs it into PKCS #10 requests:
OID = 1 2 840 113549 1 9 7
PrintableString */
{ MKOID( "\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x07" ), CRYPT_CERTINFO_CHALLENGEPASSWORD,
MKDESC( "challengePassword" )
ENCODING( BER_STRING_PRINTABLE ),
FL_LEVEL_STANDARD | FL_NOCOPY | FL_VALID_CERTREQ, RANGE_TEXTSTRING },
/* signingCertificate. This is here even though it's a CMS attribute
because it's required in order to make OCSP work. Since OCSP breaks
up the certificate identification information into bits and pieces
and hashes some while leaving others intact, there's no way to map
what arrives at the responder back into a certificate without
breaking the hash function. To work around this, we include an
ESSCertID in the request that properly identifies the certificate
being queried. Since it's a limited-use version that only identifies
the certificate, we don't allow a full signingCertificate extension
but only a single ESSCertID:
OID = 1 2 840 113549 1 9 16 2 12
SEQUENCE {
SEQUENCE OF ESSCertID, -- SIZE(1)
SEQUENCE OF { ... } OPTIONAL -- ABSENT
} */
{ MKOID( "\x06\x0B\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x02\x0C" ), CRYPT_CERTINFO_CMS_SIGNINGCERTIFICATE,
MKDESC( "signingCertificate" )
ENCODING( BER_SEQUENCE ),
FL_MORE | FL_LEVEL_STANDARD | FL_VALID_OCSPREQ /*Per-entry*/, RANGE_NONE },
{ NULL, 0,
MKDESC( "signingCertificate.certs" )
ENCODING( BER_SEQUENCE ),
FL_MORE, RANGE_NONE },
{ NULL, CRYPT_CERTINFO_CMS_SIGNINGCERT_ESSCERTID,
MKDESC( "signingCertificate.certs.essCertID" )
ENCODING( FIELDTYPE_BLOB ),
FL_SEQEND_2 /*FL_SEQEND*/, RANGE_BLOB },
/* cRLExtReason:
OID = 1 3 6 1 4 1 3029 3 1 4
ENUMERATED */
{ MKOID( "\x06\x0A\x2B\x06\x01\x04\x01\x97\x55\x03\x01\x04" ), CRYPT_CERTINFO_CRLEXTREASON,
MKDESC( "cRLExtReason" )
ENCODING( BER_ENUMERATED ),
FL_LEVEL_STANDARD | FL_VALID_CRL | FL_VALID_REVREQ /*Per-entry*/, RANGE( 0, CRYPT_CRLEXTREASON_LAST ) },
/* keyFeatures:
OID = 1 3 6 1 4 1 3029 3 1 5
BITSTRING */
{ MKOID( "\x06\x0A\x2B\x06\x01\x04\x01\x97\x55\x03\x01\x05" ), CRYPT_CERTINFO_KEYFEATURES,
MKDESC( "keyFeatures" )
ENCODING( BER_BITSTRING ),
FL_LEVEL_STANDARD | FL_VALID_CERT | FL_VALID_CERTREQ, RANGE( 0, 7 ) },
/* authorityInfoAccess:
OID = 1 3 6 1 5 5 7 1 1
SEQUENCE SIZE (1...MAX) OF {
SEQUENCE {
accessMethod OBJECT IDENTIFIER,
accessLocation GeneralName
}
} */
{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01" ), CRYPT_CERTINFO_AUTHORITYINFOACCESS,
MKDESC( "authorityInfoAccess" )
ENCODING( BER_SEQUENCE ),
FL_MORE | FL_LEVEL_STANDARD | FL_VALID_CERT | FL_SETOF, RANGE_NONE },
{ NULL, 0,
MKDESC( "authorityInfoAccess.accessDescription (rtcs)" )
ENCODING( BER_SEQUENCE ),
FL_MORE | FL_IDENTIFIER, RANGE_NONE },
{ MKOID( "\x06\x0A\x2B\x06\x01\x04\x01\x97\x55\x03\x01\x07" ), 0,
MKDESC( "authorityInfoAccess.rtcs (1 3 6 1 4 1 3029 3 1 7)" )
ENCODING( FIELDTYPE_IDENTIFIER ),
FL_MORE, RANGE_NONE },
{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_RTCS,
MKDESC( "authorityInfoAccess.accessDescription.accessLocation (rtcs)" )
ENCODING( FIELDTYPE_SUBTYPED ),
FL_MORE | FL_NONEMPTY | FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND, ENCODED_OBJECT( generalNameInfo ) },
{ NULL, 0,
MKDESC( "authorityInfoAccess.accessDescription (ocsp)" )
ENCODING( BER_SEQUENCE ),
FL_MORE | FL_IDENTIFIER, RANGE_NONE },
{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01" ), 0,
MKDESC( "authorityInfoAccess.ocsp (1 3 6 1 5 5 7 48 1)" )
ENCODING( FIELDTYPE_IDENTIFIER ),
FL_MORE, RANGE_NONE },
{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_OCSP,
MKDESC( "authorityInfoAccess.accessDescription.accessLocation (ocsp)" )
ENCODING( FIELDTYPE_SUBTYPED ),
FL_MORE | FL_NONEMPTY | FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND, ENCODED_OBJECT( generalNameInfo ) },
{ NULL, 0,
MKDESC( "authorityInfoAccess.accessDescription (caIssuers)" )
ENCODING( BER_SEQUENCE ),
FL_MORE | FL_IDENTIFIER, RANGE_NONE },
{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02" ), 0,
MKDESC( "authorityInfoAccess.caIssuers (1 3 6 1 5 5 7 48 2)" )
ENCODING( FIELDTYPE_IDENTIFIER ),
FL_MORE, RANGE_NONE },
{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_CAISSUERS,
MKDESC( "authorityInfoAccess.accessDescription.accessLocation (caIssuers)" )
ENCODING( FIELDTYPE_SUBTYPED ),
FL_MORE | FL_NONEMPTY | FL_OPTIONAL | FL_MULTIVALUED | FL_SEQEND, ENCODED_OBJECT( generalNameInfo ) },
{ NULL, 0,
MKDESC( "authorityInfoAccess.accessDescription (httpCerts)" )
ENCODING( BER_SEQUENCE ),
FL_MORE | FL_IDENTIFIER, RANGE_NONE },
{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x06" ), 0,
MKDESC( "authorityInfoAccess.httpCerts (1 3 6 1 5 5 7 48 6)" )
ENCODING( FIELDTYPE_IDENTIFIER ),
FL_MORE, RANGE_NONE },
{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_CERTSTORE,
MKDESC( "authorityInfoAccess.accessDescription.accessLocation (httpCerts)" )
ENCODING( FIELDTYPE_SUBTYPED ),
FL_MORE | FL_NONEMPTY | FL_MULTIVALUED | FL_OPTIONAL | FL_SEQEND, ENCODED_OBJECT( generalNameInfo ) },
{ NULL, 0,
MKDESC( "authorityInfoAccess.accessDescription (httpCRLs)" )
ENCODING( BER_SEQUENCE ),
FL_MORE | FL_IDENTIFIER, RANGE_NONE },
{ MKOID( "\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x07" ), 0,
MKDESC( "authorityInfoAccess.httpCRLs (1 3 6 1 5 5 7 48 7)" )
ENCODING( FIELDTYPE_IDENTIFIER ),
FL_MORE, RANGE_NONE },
{ NULL, CRYPT_CERTINFO_AUTHORITYINFO_CRLS,
MKDESC( "authorityInfoAccess.accessDescription.accessLocation (httpCRLs)" )
ENCODING( FIELDTYPE_SUBTYPED ),
FL_MORE | FL_NONEMPTY | FL_MULTIVALUED | FL_OPTIONAL | FL_SEQEND, ENCODED_OBJECT( generalNameInfo ) },
{ NULL, 0,
MKDESC( "authorityInfoAccess.accessDescription (catchAll)" )
ENCODING( BER_SEQUENCE ),
FL_MORE | FL_IDENTIFIER, RANGE_NONE },
{ NULL, 0,
MKDESC( "authorityInfoAccess.catchAll" )
ENCODING( FIELDTYPE_BLOB ), /* Match anything and ignore it */
FL_OPTIONAL | FL_NONENCODING | FL_SEQEND_2 /*FL_SEQEND*/, RANGE_NONE },
/* biometricInfo
OID = 1 3 6 1 5 5 7 1 2
SEQUENCE OF {
SEQUENCE {
typeOfData INTEGER,
hashAlgorithm OBJECT IDENTIFIER,
dataHash OCTET STRING,
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -