CRYPT_IATTRIBUTE_RANDOM, /* Random data */
CRYPT_IATTRIBUTE_RANDOM_NZ, /* Nonzero random data */
CRYPT_IATTRIBUTE_RANDOM_HIPICKET,/* High picket for random data attrs.*/
CRYPT_IATTRIBUTE_RANDOM_NONCE, /* Basic nonce */
CRYPT_IATTRIBUTE_TIME, /* Reliable (hardware-based) time value */
/* Envelope internal attributes */
CRYPT_IATTRIBUTE_INCLUDESIGCERT,/* Whether to include signing cert(s) */
CRYPT_IATTRIBUTE_ATTRONLY, /* Signed data contains only CMS attrs.*/
/* Keyset internal attributes */
CRYPT_IATTRIBUTE_CONFIGDATA, /* Config information */
CRYPT_IATTRIBUTE_USERINDEX, /* Index of users */
CRYPT_IATTRIBUTE_USERID, /* User ID */
CRYPT_IATTRIBUTE_USERINFO, /* User information */
CRYPT_IATTRIBUTE_TRUSTEDCERT, /* First trusted cert */
CRYPT_IATTRIBUTE_TRUSTEDCERT_NEXT, /* Successive trusted certs */
/* Session internal attributes */
CRYPT_IATTRIBUTE_ENC_TIMESTAMP, /* Encoded TSA timestamp */
/* User internal attributes */
CRYPT_IATTRUBUTE_CERTKEYSET, /* Keyset to send trusted certs to */
CRYPT_IATTRIBUTE_CTL, /* Cert.trust list */
CRYPT_IATTRIBUTE_LAST,
/* Subrange values used internally for range checking */
CRYPT_CERTINFO_FIRST_CERTINFO = CRYPT_CERTINFO_FIRST + 1,
CRYPT_CERTINFO_LAST_CERTINFO = CRYPT_CERTINFO_PKIUSER_REVPASSWORD,
CRYPT_CERTINFO_FIRST_PSEUDOINFO = CRYPT_CERTINFO_SELFSIGNED,
CRYPT_CERTINFO_LAST_PSEUDOINFO = CRYPT_CERTINFO_SIGNATURELEVEL,
CRYPT_CERTINFO_FIRST_NAME = CRYPT_CERTINFO_COUNTRYNAME,
CRYPT_CERTINFO_LAST_NAME = CRYPT_CERTINFO_REGISTEREDID,
CRYPT_CERTINFO_FIRST_DN = CRYPT_CERTINFO_COUNTRYNAME,
CRYPT_CERTINFO_LAST_DN = CRYPT_CERTINFO_COMMONNAME,
CRYPT_CERTINFO_FIRST_GENERALNAME = CRYPT_CERTINFO_OTHERNAME_TYPEID,
CRYPT_CERTINFO_LAST_GENERALNAME = CRYPT_CERTINFO_REGISTEREDID,
CRYPT_CERTINFO_FIRST_EXTENSION = CRYPT_CERTINFO_CHALLENGEPASSWORD,
CRYPT_CERTINFO_LAST_EXTENSION = CRYPT_CERTINFO_SET_TUNNELINGALGID,
CRYPT_CERTINFO_FIRST_CMS = CRYPT_CERTINFO_CMS_CONTENTTYPE,
CRYPT_CERTINFO_LAST_CMS = CRYPT_CERTINFO_LAST - 1,
CRYPT_SESSINFO_FIRST_SPECIFIC = CRYPT_SESSINFO_REQUEST,
CRYPT_SESSINFO_LAST_SPECIFIC = CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE
#endif /* _CRYPT_DEFINED */
} CRYPT_ATTRIBUTE_TYPE;
/****************************************************************************
* *
* Attribute Subtypes and Related Values *
* *
****************************************************************************/
/* Bit flags for the X.509 keyUsage extension.  Each usage occupies a single
   bit so that several usages can be ORed into one value; the flags are
   listed in ascending bit order, digitalSignature first and decipherOnly
   last */
#define CRYPT_KEYUSAGE_NONE 0
#define CRYPT_KEYUSAGE_DIGITALSIGNATURE ( 1 << 0 )
#define CRYPT_KEYUSAGE_NONREPUDIATION ( 1 << 1 )
#define CRYPT_KEYUSAGE_KEYENCIPHERMENT ( 1 << 2 )
#define CRYPT_KEYUSAGE_DATAENCIPHERMENT ( 1 << 3 )
#define CRYPT_KEYUSAGE_KEYAGREEMENT ( 1 << 4 )
#define CRYPT_KEYUSAGE_KEYCERTSIGN ( 1 << 5 )
#define CRYPT_KEYUSAGE_CRLSIGN ( 1 << 6 )
#define CRYPT_KEYUSAGE_ENCIPHERONLY ( 1 << 7 )
#define CRYPT_KEYUSAGE_DECIPHERONLY ( 1 << 8 )
/* Sentinel one bit above the highest usage flag; it is a bound, not a usage
   that can be set in a certificate */
#define CRYPT_KEYUSAGE_LAST ( 1 << 9 )
#ifdef _CRYPT_DEFINED
/* Bounds for range-checking a keyUsage value.  FLAG_MAX (0x1FF) is the OR of
   all nine usage bits above, so any value greater than it has a bit set
   that this header does not define */
#define CRYPT_KEYUSAGE_FLAG_NONE 0
#define CRYPT_KEYUSAGE_FLAG_MAX ( CRYPT_KEYUSAGE_LAST - 1 )
#endif /* _CRYPT_DEFINED */
/* X.509 cRLReason codes followed by the cryptlib cRLExtReason codes.  The
   numeric values are written out because they are not contiguous: code 7
   is not assigned (REMOVEFROMCRL is pinned to 8) and the extended reason
   starts at 20.  A range check on a decoded reason therefore has to reject
   7 and 11...19 as well as anything at or above a _LAST sentinel */
enum {
    /* Standard X.509 reasons */
    CRYPT_CRLREASON_UNSPECIFIED = 0,
    CRYPT_CRLREASON_KEYCOMPROMISE = 1,
    CRYPT_CRLREASON_CACOMPROMISE = 2,
    CRYPT_CRLREASON_AFFILIATIONCHANGED = 3,
    CRYPT_CRLREASON_SUPERSEDED = 4,
    CRYPT_CRLREASON_CESSATIONOFOPERATION = 5,
    CRYPT_CRLREASON_CERTIFICATEHOLD = 6,
    CRYPT_CRLREASON_REMOVEFROMCRL = 8,
    CRYPT_CRLREASON_PRIVILEGEWITHDRAWN = 9,
    CRYPT_CRLREASON_AACOMPROMISE = 10,
    CRYPT_CRLREASON_LAST,           /* End of standard CRL reasons (11) */

    /* cryptlib extended reasons */
    CRYPT_CRLREASON_NEVERVALID = 20,
    CRYPT_CRLEXTREASON_LAST         /* End of extended CRL reasons (21) */
};
/* X.509 CRL reason flags.  They describe the same conditions as the
   cRLReason codes, but as one bit each so that several reasons can be
   given at once.  The names deliberately differ from the X.509 ones, since
   X.509 uses identical names for the enumerated codes and the bit flags.
   NOTE(review): the cRLReason codes in this header include
   PRIVILEGEWITHDRAWN and AACOMPROMISE, but no CRYPT_CRLREASONFLAG_* value
   is defined for them in this list, so they cannot be expressed with these
   flags as shown - confirm whether that is intended */
#define CRYPT_CRLREASONFLAG_UNUSED ( 1 << 0 )
#define CRYPT_CRLREASONFLAG_KEYCOMPROMISE ( 1 << 1 )
#define CRYPT_CRLREASONFLAG_CACOMPROMISE ( 1 << 2 )
#define CRYPT_CRLREASONFLAG_AFFILIATIONCHANGED ( 1 << 3 )
#define CRYPT_CRLREASONFLAG_SUPERSEDED ( 1 << 4 )
#define CRYPT_CRLREASONFLAG_CESSATIONOFOPERATION ( 1 << 5 )
#define CRYPT_CRLREASONFLAG_CERTIFICATEHOLD ( 1 << 6 )
/* Sentinel one bit above the highest defined flag, not a reason itself */
#define CRYPT_CRLREASONFLAG_LAST ( 1 << 7 )
/* X.509 CRL holdInstruction codes, numbered consecutively from zero */
enum {
    CRYPT_HOLDINSTRUCTION_NONE = 0,
    CRYPT_HOLDINSTRUCTION_CALLISSUER = 1,
    CRYPT_HOLDINSTRUCTION_REJECT = 2,
    CRYPT_HOLDINSTRUCTION_PICKUPTOKEN = 3,
    CRYPT_HOLDINSTRUCTION_LAST      /* Sentinel, not a hold instruction */
};
/* Certificate checking compliance levels.
   NOTE(review): the names suggest the levels run from the least strict
   checking (OBLIVIOUS) to the most strict (PKIX_FULL); what each level
   actually skips is not visible in this header, so confirm it against the
   cryptlib documentation before lowering the level in a deployment */
enum {
    CRYPT_COMPLIANCELEVEL_OBLIVIOUS = 0,
    CRYPT_COMPLIANCELEVEL_REDUCED = 1,
    CRYPT_COMPLIANCELEVEL_STANDARD = 2,
    CRYPT_COMPLIANCELEVEL_PKIX_PARTIAL = 3,
    CRYPT_COMPLIANCELEVEL_PKIX_FULL = 4,
    CRYPT_COMPLIANCELEVEL_LAST      /* Sentinel, not a compliance level */
};
/* Bit flags for the Netscape netscape-cert-type extension, one bit per
   certificate type so that several types can be ORed together.  The three
   *CA flags are distinct bits from the corresponding end-entity flags */
#define CRYPT_NS_CERTTYPE_SSLCLIENT ( 1 << 0 )
#define CRYPT_NS_CERTTYPE_SSLSERVER ( 1 << 1 )
#define CRYPT_NS_CERTTYPE_SMIME ( 1 << 2 )
#define CRYPT_NS_CERTTYPE_OBJECTSIGNING ( 1 << 3 )
#define CRYPT_NS_CERTTYPE_RESERVED ( 1 << 4 )
#define CRYPT_NS_CERTTYPE_SSLCA ( 1 << 5 )
#define CRYPT_NS_CERTTYPE_SMIMECA ( 1 << 6 )
#define CRYPT_NS_CERTTYPE_OBJECTSIGNINGCA ( 1 << 7 )
/* Sentinel one bit above the highest flag, not a certificate type */
#define CRYPT_NS_CERTTYPE_LAST ( 1 << 8 )
/* Bit flags for the SET certificate-type extension, one bit per type.
   NOTE(review): the suffixes are presumably the SET abbreviations for the
   certificate holder roles (cardholder, merchant, payment gateway and the
   various CAs) - confirm against the SET specification */
#define CRYPT_SET_CERTTYPE_CARD ( 1 << 0 )
#define CRYPT_SET_CERTTYPE_MER ( 1 << 1 )
#define CRYPT_SET_CERTTYPE_PGWY ( 1 << 2 )
#define CRYPT_SET_CERTTYPE_CCA ( 1 << 3 )
#define CRYPT_SET_CERTTYPE_MCA ( 1 << 4 )
#define CRYPT_SET_CERTTYPE_PCA ( 1 << 5 )
#define CRYPT_SET_CERTTYPE_GCA ( 1 << 6 )
#define CRYPT_SET_CERTTYPE_BCA ( 1 << 7 )
#define CRYPT_SET_CERTTYPE_RCA ( 1 << 8 )
#define CRYPT_SET_CERTTYPE_ACQ ( 1 << 9 )
/* Sentinel one bit above the highest flag, not a certificate type */
#define CRYPT_SET_CERTTYPE_LAST ( 1 << 10 )
/* CMS contentType values.  The numbering is cryptlib's own consecutive
   index starting at zero; CRYPT_CONTENT_LAST is a sentinel for range
   checks and not a content type */
typedef enum {
    CRYPT_CONTENT_NONE = 0,
    CRYPT_CONTENT_DATA = 1,
    CRYPT_CONTENT_SIGNEDDATA = 2,
    CRYPT_CONTENT_ENVELOPEDDATA = 3,
    CRYPT_CONTENT_SIGNEDANDENVELOPEDDATA = 4,
    CRYPT_CONTENT_DIGESTEDDATA = 5,
    CRYPT_CONTENT_ENCRYPTEDDATA = 6,
    CRYPT_CONTENT_COMPRESSEDDATA = 7,
    CRYPT_CONTENT_AUTHDATA = 8,
    CRYPT_CONTENT_AUTHENVDATA = 9,
    CRYPT_CONTENT_TSTINFO = 10,
    CRYPT_CONTENT_SPCINDIRECTDATACONTEXT = 11,
    CRYPT_CONTENT_RTCSREQUEST = 12,
    CRYPT_CONTENT_RTCSRESPONSE = 13,
    CRYPT_CONTENT_RTCSRESPONSE_EXT = 14,
    CRYPT_CONTENT_MRTD = 15,
    CRYPT_CONTENT_LAST
    } CRYPT_CONTENT_TYPE;
/* ESS securityClassification codes.  The six named levels are 0...5; the
   LAST bound is pinned to 255 rather than following on from TOP_SECRET, so
   the values 6...254 lie below the bound without having a name here */
enum {
    CRYPT_CLASSIFICATION_UNMARKED = 0,
    CRYPT_CLASSIFICATION_UNCLASSIFIED = 1,
    CRYPT_CLASSIFICATION_RESTRICTED = 2,
    CRYPT_CLASSIFICATION_CONFIDENTIAL = 3,
    CRYPT_CLASSIFICATION_SECRET = 4,
    CRYPT_CLASSIFICATION_TOP_SECRET = 5,
    CRYPT_CLASSIFICATION_LAST = 255
};
/* RTCS certificate status.  VALID is the zero value, so a status variable
   that was zero-initialised and never filled in reads as VALID; set it to
   CRYPT_CERTSTATUS_UNKNOWN before a query so that a failed or skipped
   lookup cannot be mistaken for a valid certificate.  There is no _LAST
   sentinel for this list */
enum {
    CRYPT_CERTSTATUS_VALID = 0,
    CRYPT_CERTSTATUS_NOTVALID = 1,
    CRYPT_CERTSTATUS_NONAUTHORITATIVE = 2,
    CRYPT_CERTSTATUS_UNKNOWN = 3
};
/* OCSP revocation status.  NOTREVOKED is the zero value, so a status
   variable that was zero-initialised and never filled in reads as "not
   revoked"; set it to CRYPT_OCSPSTATUS_UNKNOWN before a query and treat
   UNKNOWN as a failure to establish the status, not as a pass.  There is
   no _LAST sentinel for this list */
enum {
    CRYPT_OCSPSTATUS_NOTREVOKED = 0,
    CRYPT_OCSPSTATUS_REVOKED = 1,
    CRYPT_OCSPSTATUS_UNKNOWN = 2
};
/* How much accompanying information is included in a signature when a
   certificate object is signed */
typedef enum {
    CRYPT_SIGNATURELEVEL_NONE = 0,          /* Signature only */
    CRYPT_SIGNATURELEVEL_SIGNERCERT = 1,    /* Signature plus signer cert */
    CRYPT_SIGNATURELEVEL_ALL = 2,           /* All relevant information */
    CRYPT_SIGNATURELEVEL_LAST               /* Sentinel, not a level */
    } CRYPT_SIGNATURELEVEL_TYPE;
/* The level of integrity protection applied to enveloped data.  An envelope
   that has keying information applied is encrypted by default; this
   setting changes that to MAC-only protection (no encryption) or to
   combined encryption and authentication.  With CRYPT_INTEGRITY_NONE the
   envelope carries no integrity protection, so tampering with the
   enveloped data is not detected at this layer; with
   CRYPT_INTEGRITY_MACONLY the data is authenticated but not encrypted */
typedef enum {
    CRYPT_INTEGRITY_NONE = 0,       /* No integrity protection */
    CRYPT_INTEGRITY_MACONLY = 1,    /* MAC only, no encryption */
    CRYPT_INTEGRITY_FULL = 2        /* Encryption + integrity protection */
    } CRYPT_INTEGRITY_TYPE;
/* The certificate export format type, which defines the format in which a
certificate object is exported.  The list has two parts: the public
CRYPT_CERTFORMAT_* formats, and the CRYPT_ICERTFORMAT_* formats that exist
only when _CRYPT_DEFINED is set.  CRYPT_CERTFORMAT_LAST therefore has a
different value in the two builds (7 without the internal formats, 12 with
them), while CRYPT_CERTFORMAT_LAST_EXTERNAL is fixed at one past the last
public format.
NOTE(review): LAST_EXTERNAL looks like the bound to use when validating a
format value that arrives through the public API, so that an internal
format cannot be selected from outside - confirm at the call sites */
typedef enum {
CRYPT_CERTFORMAT_NONE, /* No certificate format */
CRYPT_CERTFORMAT_CERTIFICATE, /* DER-encoded certificate */
CRYPT_CERTFORMAT_CERTCHAIN, /* PKCS #7 certificate chain */
CRYPT_CERTFORMAT_TEXT_CERTIFICATE, /* base-64 wrapped cert */
CRYPT_CERTFORMAT_TEXT_CERTCHAIN, /* base-64 wrapped cert chain */
CRYPT_CERTFORMAT_XML_CERTIFICATE, /* XML wrapped cert */
CRYPT_CERTFORMAT_XML_CERTCHAIN, /* XML wrapped cert chain */
#ifdef _CRYPT_DEFINED
/* Internal formats, numbered from CRYPT_CERTFORMAT_LAST_EXTERNAL upwards */
CRYPT_ICERTFORMAT_CERTSET, /* SET OF Certificate */
CRYPT_ICERTFORMAT_CERTSEQUENCE, /* SEQUENCE OF Certificate */
CRYPT_ICERTFORMAT_SSL_CERTCHAIN,/* SSL certificate chain */
CRYPT_ICERTFORMAT_DATA, /* Non-signed object data */
CRYPT_ICERTFORMAT_SMIME_CERTIFICATE,/* S/MIME cert.request or cert chain */
/* Used as an internal format specifier when the format is
autodetected to tell the base64 decoding code to strip MIME
headers before the base64 data */
#endif /* _CRYPT_DEFINED */
CRYPT_CERTFORMAT_LAST /* Last possible cert.format type (sentinel) */
#ifdef _CRYPT_DEFINED
/* One past the last public format; equal to CRYPT_ICERTFORMAT_CERTSET */
, CRYPT_CERTFORMAT_LAST_EXTERNAL = CRYPT_CERTFORMAT_XML_CERTCHAIN + 1
#endif /* _CRYPT_DEFINED */
} CRYPT_CERTFORMAT_TYPE;
/* CMP request types.  INITIALIZATION is an alternative spelling of
   INITIALISATION and shares its value, so the two cannot be told apart in
   a switch or comparison */
typedef enum {
    CRYPT_REQUESTTYPE_NONE = 0,             /* No request type */
    CRYPT_REQUESTTYPE_INITIALISATION = 1,   /* Initialisation request */
    CRYPT_REQUESTTYPE_INITIALIZATION = CRYPT_REQUESTTYPE_INITIALISATION,
    CRYPT_REQUESTTYPE_CERTIFICATE = 2,      /* Certification request */
    CRYPT_REQUESTTYPE_KEYUPDATE = 3,        /* Key update request */
    CRYPT_REQUESTTYPE_REVOCATION = 4,       /* Cert revocation request */
    CRYPT_REQUESTTYPE_PKIBOOT = 5,          /* PKIBoot request */
    CRYPT_REQUESTTYPE_LAST                  /* Sentinel, not a request type */
    } CRYPT_REQUESTTYPE_TYPE;
/* Key ID types: the kind of identifier by which a key is identified.  The
public types are NAME and URI (EMAIL is a synonym for URI and has the same
value); the CRYPT_IKEYID_* types exist only when _CRYPT_DEFINED is set.
CRYPT_KEYID_LAST therefore differs between the two builds (3 without the
internal types, 8 with them), while CRYPT_KEYID_LAST_EXTERNAL is fixed at
one past CRYPT_KEYID_URI.
NOTE(review): LAST_EXTERNAL looks like the bound to use when validating a
key ID type that arrives through the public API, so that an internal ID
type cannot be selected from outside - confirm at the call sites */
typedef enum {
CRYPT_KEYID_NONE, /* No key ID type */
CRYPT_KEYID_NAME, /* Key owner name */
CRYPT_KEYID_URI, /* Key owner URI */
CRYPT_KEYID_EMAIL = CRYPT_KEYID_URI, /* Synonym: owner email addr.*/
#ifdef _CRYPT_DEFINED
/* Internal key ID types, numbered from CRYPT_KEYID_LAST_EXTERNAL upwards */
CRYPT_IKEYID_KEYID, /* SubjectKeyIdentifier/internal ID */
CRYPT_IKEYID_PGPKEYID, /* PGP/OpenPGP key ID */
CRYPT_IKEYID_CERTID, /* Certificate hash */
CRYPT_IKEYID_ISSUERID, /* Hashed issuerAndSerialNumber */
CRYPT_IKEYID_ISSUERANDSERIALNUMBER, /* issuerAndSerialNumber */
#endif /* _CRYPT_DEFINED */
CRYPT_KEYID_LAST /* Last possible key ID type (sentinel) */
#ifdef _CRYPT_DEFINED
, CRYPT_KEYID_LAST_EXTERNAL = CRYPT_KEYID_URI + 1/* One past the last external key ID; equal to CRYPT_IKEYID_KEYID */
#endif /* _CRYPT_DEFINED */
} CRYPT_KEYID_TYPE;
/* The encryption object types, numbered consecutively from zero */
typedef enum {
    CRYPT_OBJECT_NONE = 0,              /* No object type */
    CRYPT_OBJECT_ENCRYPTED_KEY = 1,     /* Conventionally encrypted key */
    CRYPT_OBJECT_PKCENCRYPTED_KEY = 2,  /* PKC-encrypted key */
    CRYPT_OBJECT_KEYAGREEMENT = 3,      /* Key agreement information */
    CRYPT_OBJECT_SIGNATURE = 4,         /* Signature */
    CRYPT_OBJECT_LAST                   /* Sentinel, not an object type */
    } CRYPT_OBJECT_TYPE;
/* Object/attribute error type information: the kind of problem found with
   an attribute.  The two CONSTRAINT values apply to certificates and tell
   apart a violation in the object itself from one in the issuing cert */
typedef enum {
    CRYPT_ERRTYPE_NONE = 0,             /* No error information */
    CRYPT_ERRTYPE_ATTR_SIZE = 1,        /* Attribute data too small or large */
    CRYPT_ERRTYPE_ATTR_VALUE = 2,       /* Attribute value is invalid */
    CRYPT_ERRTYPE_ATTR_ABSENT = 3,      /* Required attribute missing */
    CRYPT_ERRTYPE_ATTR_PRESENT = 4,     /* Non-allowed attribute present */
    CRYPT_ERRTYPE_CONSTRAINT = 5,       /* Cert: Constraint violation in object */
    CRYPT_ERRTYPE_ISSUERCONSTRAINT = 6, /* Cert: Constraint viol.in issuing cert */
    CRYPT_ERRTYPE_LAST                  /* Sentinel, not an error type */
    } CRYPT_ERRTYPE_TYPE;
/* Cert store management action type */
typedef enum {
CRYPT_CERTACTION_NONE, /* No cert management action */
CRYPT_CERTACTION_CREATE, /* Create cert store */
CRYPT_CERTACTION_CONNECT, /* Connect to cert store */
CRYPT_CERTACTION_DISCONNECT, /* Disconnect from cert store */
CRYPT_CERTACTION_ERROR, /* Error information */
CRYPT_CERTACTION_ADDUSER, /* Add PKI user */
CRYPT_CERTACTION_DELETEUSER, /* Delete PKI user */
CRYPT_CERTACTION_REQUEST_CERT, /* Cert request */
CRYPT_CERTACTION_REQUEST_RENEWAL,/* Cert renewal request */
CRYPT_CERTACTION_REQUEST_REVOCATION,/* Cert revocation request */
CRYPT_CERTACTION_CERT_CREATION, /* Cert creation */
CRYPT_CERTACTION_CERT_CREATION_COMPLETE,/* Confirmation of cert creation */
CRYPT_CERTACTION_CERT_CREATION_DROP, /* Cancellation of cert creation */
CRYPT_CERTACTION_CERT_CREATION_REVERSE, /* Cancel of creation w.revocation */
CRYPT_CERTACTION_RESTART_CLEANUP, /* Delete reqs after restart */
CRYPT_CERTACTION_RESTART_REVOKE_CERT, /* Complete revocation after restart */
CRYPT_CERTACTION_ISSUE_CERT, /* Cert issue */
CRYPT_CERTACTION_ISSUE_CRL, /* CRL issue */
CRYPT_CERTACTION_REVOKE_CERT, /* Cert revocation */
CRYPT_CERTACTION_EXPIRE_CERT, /* Cert expiry */
CRYPT_CERTACTION_CLEANUP, /* Clean up on restart */
CRYPT_CERTACTION_LAST /* Last possible cert s