cryptlib  3.4.1
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Properties Macros
attr_acl.c
Go to the documentation of this file.
1 /****************************************************************************
2 * *
3 * Object Attribute ACLs *
4 * Copyright Peter Gutmann 1997-2010 *
5 * *
6 ****************************************************************************/
7 
8 #if defined( INC_ALL )
9  #include "crypt.h"
10  #include "acl.h"
11  #include "kernel.h"
12 #else
13  #include "crypt.h"
14  #include "kernel/acl.h"
15  #include "kernel/kernel.h"
16 #endif /* Compiler-specific includes */
17 
18 /* Common object ACLs for various object types */
19 
20 static const OBJECT_ACL FAR_BSS objectCtxConv = {
21  ST_CTX_CONV, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE };
22 static const OBJECT_ACL FAR_BSS objectCtxPKC = {
23  ST_CTX_PKC, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CTX };
24 static const OBJECT_ACL FAR_BSS objectCtxHash = {
25  ST_CTX_HASH, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE };
26 
27 static const OBJECT_ACL FAR_BSS objectCertificate = {
28  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE | ACL_FLAG_ROUTE_TO_CERT };
29 static const OBJECT_ACL FAR_BSS objectCertificateTemplate = {
30  ST_CERT_CERT, ST_NONE, ST_NONE, ACL_FLAG_ANY_STATE }; /* Template for cert.attrs */
31 static const OBJECT_ACL FAR_BSS objectCertRequest = {
32  ST_CERT_CERTREQ | ST_CERT_REQ_CERT, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE };
33 static const OBJECT_ACL FAR_BSS objectCertRevRequest = {
34  ST_CERT_REQ_REV, ST_NONE, ST_NONE, ACL_FLAG_ANY_STATE }; /* Unsigned obj.*/
35 static const OBJECT_ACL FAR_BSS objectCertSessionRTCSRequest = {
36  ST_CERT_RTCS_REQ, ST_NONE, ST_NONE, ACL_FLAG_ANY_STATE }; /* Unsigned obj.*/
37 static const OBJECT_ACL FAR_BSS objectCertSessionOCSPRequest = {
38  ST_CERT_OCSP_REQ, ST_NONE, ST_NONE, ACL_FLAG_ANY_STATE }; /* Unsigned obj.*/
39 static const OBJECT_ACL FAR_BSS objectCertSessionCMPRequest = {
40  ST_CERT_CERTREQ | ST_CERT_REQ_CERT | ST_CERT_REQ_REV, ST_NONE, ST_NONE, ACL_FLAG_ANY_STATE };
41 static const OBJECT_ACL FAR_BSS objectCertSessionUnsignedPKCS10Request = {
42  ST_CERT_CERTREQ, ST_NONE, ST_NONE, ACL_FLAG_LOW_STATE };
43 static const OBJECT_ACL FAR_BSS objectCertRTCSRequest = {
44  ST_CERT_RTCS_REQ, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE };
45 static const OBJECT_ACL FAR_BSS objectCertRTCSResponse = {
46  ST_CERT_RTCS_RESP, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE };
47 static const OBJECT_ACL FAR_BSS objectCertOCSPRequest = {
48  ST_CERT_OCSP_REQ, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE };
49 static const OBJECT_ACL FAR_BSS objectCertOCSPResponse = {
50  ST_CERT_OCSP_RESP, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE };
51 static const OBJECT_ACL FAR_BSS objectCertPKIUser = {
52  ST_CERT_PKIUSER, ST_NONE, ST_NONE, ACL_FLAG_HIGH_STATE };
53 
54 static const OBJECT_ACL FAR_BSS objectCMSAttr = {
55  ST_CERT_CMSATTR, ST_NONE, ST_NONE, ACL_FLAG_ANY_STATE };
56 
57 static const OBJECT_ACL FAR_BSS objectKeyset = {
58  ST_NONE, ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_NONE, ACL_FLAG_NONE };
59 static const OBJECT_ACL FAR_BSS objectKeysetCerts = {
60  ST_NONE, ST_KEYSET_DBMS | SUBTYPE_KEYSET_DBMS_STORE, ST_NONE, ACL_FLAG_NONE };
61 static const OBJECT_ACL FAR_BSS objectKeysetCertstore = {
62  ST_NONE, SUBTYPE_KEYSET_DBMS_STORE, ST_NONE, ACL_FLAG_NONE };
63 static const OBJECT_ACL FAR_BSS objectKeysetPrivate = {
64  ST_NONE, ST_KEYSET_FILE | ST_DEV_P11, ST_NONE, ACL_FLAG_NONE };
65 static const OBJECT_ACL FAR_BSS objectKeysetConfigdata = {
66  ST_NONE, SUBTYPE_KEYSET_FILE, ST_NONE, ACL_FLAG_NONE };
67 
68 static const OBJECT_ACL FAR_BSS objectDeenvelope = {
69  ST_NONE, ST_ENV_DEENV, ST_NONE, ACL_FLAG_HIGH_STATE };
70 
71 static const OBJECT_ACL FAR_BSS objectHardwareDevice = {
72  ST_NONE, ST_DEV_HW, ST_NONE, ACL_FLAG_NONE };
73 
74 static const OBJECT_ACL FAR_BSS objectSessionDataClient = {
75  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSL, ACL_FLAG_NONE };
76 static const OBJECT_ACL FAR_BSS objectSessionDataServer = {
77  ST_NONE, ST_NONE, ST_SESS_SSH_SVR | ST_SESS_SSL_SVR, ACL_FLAG_NONE };
78 static const OBJECT_ACL FAR_BSS objectSessionTSP = {
79  ST_NONE, ST_NONE, ST_SESS_TSP, ACL_FLAG_LOW_STATE };
80 
81 /****************************************************************************
82 * *
83 * Object/Property ACLs *
84 * *
85 ****************************************************************************/
86 
87 static const RANGE_SUBRANGE_TYPE FAR_BSS allowedCertCursorSubranges[] = {
88  /* Alongside the standard attributes and cursor movement codes we also
89  allow the selection of the subject and issuer DN pseudo-attributes,
90  which is required when we've implicitly moved to another DN by
91  selecting a GeneralName */
92  { CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST },
93  { CRYPT_CERTINFO_FIRST_EXTENSION, CRYPT_CERTINFO_LAST_EXTENSION },
94  { CRYPT_CERTINFO_ISSUERNAME, CRYPT_CERTINFO_ISSUERNAME },
95  { CRYPT_CERTINFO_SUBJECTNAME, CRYPT_CERTINFO_SUBJECTNAME },
96  { CRYPT_ERROR, CRYPT_ERROR }
97  };
98 static const RANGE_SUBRANGE_TYPE FAR_BSS allowedCertCursorSubrangesEx[] = {
99  /* This one is a bit more complex than the other object types, since
100  certificates are so complex it's possible to enumerate items at what
101  would normally be the attribute-instance level once components of
102  GeneralNames are taken into account, so we also allow GeneralName
103  entries as complete attributes rather than an instance of an
104  attribute.
105 
106  There's a second special case in which DN entries can be
107  multivalued, and depending on whether the DN is a primary DN in the
108  certificate (subject or issuer name) this could be either a non-
109  attribute type (since primary DNs aren't attributes) or something
110  below even the attribute-instance level. To handle this we allow
111  enumeration of multivalued entries in DNs as pseudo-attribute
112  instances, and don't allow enumeration of multivalued DNs as
113  subclasses of GeneralNames, since the only likely reason for anyone
114  doing that is to engage in shenanigans with name checking in
115  implementations, and even the standards groups have no real idea of
116  what to do with these things */
117  { CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST },
118  { CRYPT_CERTINFO_FIRST_EXTENSION, CRYPT_CERTINFO_LAST_EXTENSION },
119  { CRYPT_CERTINFO_FIRST_GENERALNAME, CRYPT_CERTINFO_LAST_GENERALNAME },
120  { CRYPT_CERTINFO_FIRST_DN, CRYPT_CERTINFO_LAST_DN },
121  { CRYPT_ERROR, CRYPT_ERROR }
122  };
123 static const RANGE_SUBRANGE_TYPE FAR_BSS allowedEnvCursorSubranges[] = {
124  { CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST },
125  { CRYPT_ENVINFO_FIRST, CRYPT_ENVINFO_LAST },
126  { CRYPT_ERROR, CRYPT_ERROR }
127  };
128 static const RANGE_SUBRANGE_TYPE FAR_BSS allowedSessionCursorSubranges[] = {
129  { CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST },
130  { CRYPT_SESSINFO_FIRST, CRYPT_SESSINFO_LAST },
131  { CRYPT_ERROR, CRYPT_ERROR }
132  };
133 
134 static const ATTRIBUTE_ACL FAR_BSS subACL_AttributeCurrentGroup[] = {
135  MKACL_EX( /* Certs */
136  CRYPT_ATTRIBUTE_CURRENT_GROUP, ATTRIBUTE_VALUE_NUMERIC,
137  ST_CERT_ANY, ST_NONE, ST_NONE,
138  MKPERM( RWx_RWx ), 0,
139  ROUTE( OBJECT_TYPE_CERTIFICATE ),
140  RANGE_SUBRANGES, allowedCertCursorSubranges ),
141  MKACL_EX( /* Envelopes */
142  CRYPT_ATTRIBUTE_CURRENT_GROUP, ATTRIBUTE_VALUE_NUMERIC,
143  ST_NONE, ST_ENV_DEENV, ST_NONE,
144  MKPERM_ENVELOPE( RWx_RWx ), 0,
145  ROUTE( OBJECT_TYPE_ENVELOPE ),
146  RANGE_SUBRANGES, allowedEnvCursorSubranges ),
147  MKACL_EX( /* Sessions */
148  CRYPT_ATTRIBUTE_CURRENT_GROUP, ATTRIBUTE_VALUE_NUMERIC,
149  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
150  MKPERM_SESSIONS( RWx_RWx ), 0,
151  ROUTE( OBJECT_TYPE_SESSION ),
152  RANGE_SUBRANGES, allowedSessionCursorSubranges ),
153  MKACL_END_SUBACL(), MKACL_END_SUBACL()
154  };
155 static const ATTRIBUTE_ACL FAR_BSS subACL_AttributeCurrent[] = {
156  MKACL_EX( /* Certs */
157  CRYPT_ATTRIBUTE_CURRENT, ATTRIBUTE_VALUE_NUMERIC,
158  ST_CERT_ANY, ST_NONE, ST_NONE,
159  MKPERM( RWx_RWx ), 0,
160  ROUTE( OBJECT_TYPE_CERTIFICATE ),
161  RANGE_SUBRANGES, allowedCertCursorSubranges ),
162  MKACL_EX( /* Envelopes */
163  CRYPT_ATTRIBUTE_CURRENT, ATTRIBUTE_VALUE_NUMERIC,
164  ST_NONE, ST_ENV_DEENV, ST_NONE,
165  MKPERM_ENVELOPE( RWx_RWx ), 0,
166  ROUTE( OBJECT_TYPE_ENVELOPE ),
167  RANGE_SUBRANGES, allowedEnvCursorSubranges ),
168  MKACL_EX( /* Sessions */
169  CRYPT_ATTRIBUTE_CURRENT, ATTRIBUTE_VALUE_NUMERIC,
170  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
171  MKPERM_SESSIONS( RWx_RWx ), 0,
172  ROUTE( OBJECT_TYPE_SESSION ),
173  RANGE_SUBRANGES, allowedSessionCursorSubranges ),
174  MKACL_END_SUBACL(), MKACL_END_SUBACL()
175  };
176 static const ATTRIBUTE_ACL FAR_BSS subACL_AttributeCurrentInstance[] = {
177  /* Only certificates are complex enough to have instances of fields
178  (the progression being certificate-extension -> GeneralName ->
179  GeneralName-field), for all other object types this always returns
180  the basic field value since it represents multiple instantiations of
181  the same field */
182  MKACL_EX( /* Certs */
183  CRYPT_ATTRIBUTE_CURRENT_INSTANCE, ATTRIBUTE_VALUE_NUMERIC,
184  ST_CERT_ANY, ST_NONE, ST_NONE,
185  MKPERM( RWx_RWx ), 0,
186  ROUTE( OBJECT_TYPE_CERTIFICATE ),
187  RANGE_SUBRANGES, allowedCertCursorSubrangesEx ),
188  MKACL_N( /* Envelopes */
189  CRYPT_ATTRIBUTE_CURRENT_INSTANCE,
190  ST_NONE, ST_ENV_DEENV, ST_NONE,
191  MKPERM_ENVELOPE( RWx_RWx ),
192  ROUTE( OBJECT_TYPE_ENVELOPE ),
193  RANGE( CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST ) ),
194  MKACL_N( /* Sessions */
195  CRYPT_ATTRIBUTE_CURRENT_INSTANCE,
196  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
197  MKPERM_SESSIONS( RWx_RWx ),
198  ROUTE( OBJECT_TYPE_SESSION ),
199  RANGE( CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST ) ),
200  MKACL_END_SUBACL(), MKACL_END_SUBACL()
201  };
202 
203 /* Object properties */
204 
205 static const ATTRIBUTE_ACL FAR_BSS propertyACL[] = {
206  MKACL( /* Owned+non-forwardable+locked */
207  CRYPT_PROPERTY_HIGHSECURITY, ATTRIBUTE_VALUE_BOOLEAN,
208  ST_ANY_A, ST_ANY_B, ST_ANY_C,
209  MKPERM( xWx_xWx ), ATTRIBUTE_FLAG_PROPERTY,
210  ROUTE_NONE, RANGE( TRUE, TRUE ) ),
211  MKACL_N_EX( /* Object owner */
212  CRYPT_PROPERTY_OWNER,
213  ST_ANY_A, ST_ANY_B, ST_ANY_C,
214  MKPERM( RWx_RWx ), ATTRIBUTE_FLAG_PROPERTY,
215  ROUTE_NONE, RANGE_ANY ),
216  MKACL_N_EX( /* No.of times object can be forwarded */
217  CRYPT_PROPERTY_FORWARDCOUNT,
218  ST_ANY_A, ST_ANY_B, ST_ANY_C,
219  MKPERM( RWx_RWx ), ATTRIBUTE_FLAG_PROPERTY,
220  ROUTE_NONE, RANGE( 1, 1000 ) ),
221  MKACL( /* Whether properties can be chged/read */
222  CRYPT_PROPERTY_LOCKED, ATTRIBUTE_VALUE_BOOLEAN,
223  ST_ANY_A, ST_ANY_B, ST_ANY_C,
224  MKPERM( RWx_RWx ), ATTRIBUTE_FLAG_PROPERTY,
225  ROUTE_NONE, RANGE( TRUE, TRUE ) ),
226  MKACL_N_EX( /* Usage count before object expires */
227  CRYPT_PROPERTY_USAGECOUNT,
228  ST_ANY_A, ST_ANY_B, ST_ANY_C,
229  MKPERM( RWx_RWx ), ATTRIBUTE_FLAG_PROPERTY,
230  ROUTE_NONE, RANGE( 1, 1000 ) ),
231  MKACL( /* Whether key is nonexp.from context */
232  CRYPT_PROPERTY_NONEXPORTABLE, ATTRIBUTE_VALUE_BOOLEAN,
233  ST_CTX_ANY, ST_NONE, ST_NONE,
234  MKPERM( xxx_xxx ), ATTRIBUTE_FLAG_PROPERTY,
235  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( TRUE, TRUE ) ),
236  MKACL_END(), MKACL_END()
237  };
238 
239 /* Generic attributes */
240 
241 static const ATTRIBUTE_ACL FAR_BSS genericACL[] = {
242  MKACL_N( /* Type of last error */
243  CRYPT_ATTRIBUTE_ERRORTYPE,
244  ST_ANY_A, ST_ANY_B, ST_ANY_C,
245  MKPERM( Rxx_Rxx ),
246  ROUTE_NONE, RANGE( CRYPT_ERRTYPE_NONE, CRYPT_ERRTYPE_LAST - 1 ) ),
247  MKACL_N( /* Locus of last error */
248  CRYPT_ATTRIBUTE_ERRORLOCUS,
249  ST_ANY_A, ST_ANY_B, ST_ANY_C,
250  MKPERM( Rxx_Rxx ),
251  ROUTE_NONE, RANGE( CRYPT_ATTRIBUTE_NONE, CRYPT_ATTRIBUTE_LAST ) ),
252  MKACL_S( /* Detailed error description */
253  CRYPT_ATTRIBUTE_ERRORMESSAGE,
254  ST_NONE, ST_ENV_ANY | ST_KEYSET_ANY | ST_DEV_ANY_STD, ST_SESS_ANY,
255  MKPERM( Rxx_Rxx ),
256  ROUTE_NONE, RANGE( 0, 512 ) ),
257  MKACL_X( /* Cursor mgt: Group in attribute list */
258 /* In = cursor components, out = component type */
259  CRYPT_ATTRIBUTE_CURRENT_GROUP,
260  ST_CERT_ANY, ST_ENV_DEENV, ST_SESS_SSH | ST_SESS_SSH_SVR,
261  MKPERM( RWx_RWx ),
262  ROUTE_ALT2( OBJECT_TYPE_CERTIFICATE, OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ),
263  subACL_AttributeCurrentGroup ),
264  MKACL_X( /* Cursor mgt: Entry in attribute list */
265 /* In = cursor components, out = component type */
266  CRYPT_ATTRIBUTE_CURRENT,
267  ST_CERT_ANY, ST_ENV_DEENV, ST_SESS_SSH | ST_SESS_SSH_SVR,
268  MKPERM( RWx_RWx ),
269  ROUTE_ALT2( OBJECT_TYPE_CERTIFICATE, OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ),
270  subACL_AttributeCurrent ),
271  MKACL_X( /* Cursor mgt: Instance in attribute list */
272 /* In = cursor components, out = component type */
273  CRYPT_ATTRIBUTE_CURRENT_INSTANCE,
274  ST_CERT_ANY, ST_ENV_DEENV, ST_SESS_SSH | ST_SESS_SSH_SVR,
275  MKPERM( RWx_RWx ),
276  ROUTE_ALT2( OBJECT_TYPE_CERTIFICATE, OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ),
277  subACL_AttributeCurrentInstance ),
278  MKACL_N( /* Internal data buffer size */
279  CRYPT_ATTRIBUTE_BUFFERSIZE,
280  ST_NONE, ST_ENV_ANY, ST_SESS_ANY,
281  MKPERM( Rxx_RWx ),
282  ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_SESSION ), RANGE( MIN_BUFFER_SIZE, RANGE_MAX ) ),
283  MKACL_END(), MKACL_END()
284  };
285 
286 /****************************************************************************
287 * *
288 * Config Option ACLs *
289 * *
290 ****************************************************************************/
291 
292 static const RANGE_SUBRANGE_TYPE FAR_BSS allowedEncrAlgoSubranges[] = {
293  { CRYPT_ALGO_3DES, CRYPT_ALGO_3DES }, /* No DES */
294  { CRYPT_ALGO_AES, CRYPT_ALGO_BLOWFISH }, /* No IDEA, CAST, RC2, RC4, RC5 */
295  { CRYPT_ALGO_RESERVED2 + 1, CRYPT_ALGO_LAST_CONVENTIONAL },/* No ex-Skipjack */
296  { CRYPT_ERROR, CRYPT_ERROR }
297  };
298 static const int FAR_BSS allowedLDAPObjectTypes[] = {
299  CRYPT_CERTTYPE_NONE, CRYPT_CERTTYPE_CERTIFICATE, CRYPT_CERTTYPE_CRL,
300  CRYPT_ERROR };
301 
302 /* Config attributes */
303 
304 static const ATTRIBUTE_ACL FAR_BSS optionACL[] = {
305  MKACL_S( /* Text description */
306  CRYPT_OPTION_INFO_DESCRIPTION,
307  ST_NONE, ST_NONE, ST_USER_ANY,
308  MKPERM( Rxx_Rxx ),
309  ROUTE( OBJECT_TYPE_USER ),
310  RANGE( 16, CRYPT_MAX_TEXTSIZE ) ),
311  MKACL_S( /* Copyright notice */
312  CRYPT_OPTION_INFO_COPYRIGHT,
313  ST_NONE, ST_NONE, ST_USER_ANY,
314  MKPERM( Rxx_Rxx ),
315  ROUTE( OBJECT_TYPE_USER ),
316  RANGE( 16, CRYPT_MAX_TEXTSIZE ) ),
317  MKACL_N( /* Major release version */
318  CRYPT_OPTION_INFO_MAJORVERSION,
319  ST_NONE, ST_NONE, ST_USER_ANY,
320  MKPERM( Rxx_Rxx ),
321  ROUTE( OBJECT_TYPE_USER ),
322  RANGE( 3, 3 ) ),
323  MKACL_N( /* Minor release version */
324  CRYPT_OPTION_INFO_MINORVERSION,
325  ST_NONE, ST_NONE, ST_USER_ANY,
326  MKPERM( Rxx_Rxx ),
327  ROUTE( OBJECT_TYPE_USER ),
328  RANGE( 0, 5 ) ),
329  MKACL_N( /* Stepping version */
330  CRYPT_OPTION_INFO_STEPPING,
331  ST_NONE, ST_NONE, ST_USER_ANY,
332  MKPERM( Rxx_Rxx ),
333  ROUTE( OBJECT_TYPE_USER ),
334  RANGE( 1, 50 ) ),
335 
336  MKACL_EX( /* Encryption algorithm */
337  /* We restrict the subrange to disallow the selection of the
338  insecure or deprecated DES, RC2, RC4, and Skipjack algorithms
339  as the default encryption algorithms */
340  CRYPT_OPTION_ENCR_ALGO, ATTRIBUTE_VALUE_NUMERIC,
341  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_USER_ANY,
342  MKPERM( RWx_RWx ), 0,
343  ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_USER ),
344  RANGE_SUBRANGES, allowedEncrAlgoSubranges ),
345  MKACL_N( /* Hash algorithm */
346  /* We restrict the subrange to disallow the selection of the
347  insecure or deprecated MD2, MD4, and MD5 algorithms as the
348  default hash algorithm */
349  CRYPT_OPTION_ENCR_HASH,
350  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_USER_ANY,
351  MKPERM( RWx_RWx ),
352  ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_USER ),
353  RANGE( CRYPT_ALGO_SHA1, CRYPT_ALGO_LAST_HASH ) ),
354  MKACL_N( /* MAC algorithm */
355  CRYPT_OPTION_ENCR_MAC,
356  ST_NONE, ST_ENV_ENV, ST_USER_ANY,
357  MKPERM( RWx_RWx ),
358  ROUTE_ALT( OBJECT_TYPE_ENVELOPE, OBJECT_TYPE_USER ),
359  RANGE( CRYPT_ALGO_FIRST_MAC, CRYPT_ALGO_LAST_MAC ) ),
360  MKACL_N( /* Public-key encryption algorithm */
361  CRYPT_OPTION_PKC_ALGO,
362  ST_NONE, ST_NONE, ST_USER_ANY,
363  MKPERM( RWx_RWx ),
364  ROUTE( OBJECT_TYPE_USER ),
365  RANGE( CRYPT_ALGO_FIRST_PKC, CRYPT_ALGO_LAST_PKC ) ),
366  MKACL_N( /* Public-key encryption key size */
367  CRYPT_OPTION_PKC_KEYSIZE,
368  ST_NONE, ST_NONE, ST_USER_ANY,
369  MKPERM( RWx_RWx ),
370  ROUTE( OBJECT_TYPE_USER ),
371  RANGE( bitsToBytes( 512 ), CRYPT_MAX_PKCSIZE ) ),
372  MKACL_N( /* Signature algorithm */
373  CRYPT_OPTION_SIG_ALGO,
374  ST_NONE, ST_NONE, ST_USER_ANY,
375  MKPERM( RWx_RWx ),
376  ROUTE( OBJECT_TYPE_USER ),
377  RANGE( CRYPT_ALGO_FIRST_PKC, CRYPT_ALGO_LAST_PKC ) ),
378  MKACL_N( /* Signature keysize */
379  CRYPT_OPTION_SIG_KEYSIZE,
380  ST_NONE, ST_NONE, ST_USER_ANY,
381  MKPERM( RWx_RWx ),
382  ROUTE( OBJECT_TYPE_USER ),
383  RANGE( bitsToBytes( 512 ), CRYPT_MAX_PKCSIZE ) ),
384  MKACL_N( /* Key processing algorithm */
385  CRYPT_OPTION_KEYING_ALGO,
386  ST_CTX_CONV, ST_NONE, ST_USER_ANY,
387  MKPERM( RWx_RWx ),
388  ROUTE_ALT( OBJECT_TYPE_CONTEXT, OBJECT_TYPE_USER ),
389  RANGE( CRYPT_ALGO_HMAC_SHA1, CRYPT_ALGO_HMAC_SHA1 ) ),
390  MKACL_N( /* Key processing iterations */
391  CRYPT_OPTION_KEYING_ITERATIONS,
392  ST_CTX_CONV, ST_NONE, ST_USER_ANY,
393  MKPERM( RWx_RWx ),
394  ROUTE_ALT( OBJECT_TYPE_CONTEXT, OBJECT_TYPE_USER ),
395  RANGE( 1, MAX_KEYSETUP_ITERATIONS ) ),
396 
397  MKACL_B( /* Whether to sign unrecog.attrs */
398  CRYPT_OPTION_CERT_SIGNUNRECOGNISEDATTRIBUTES,
399  ST_NONE, ST_NONE, ST_USER_ANY,
400  MKPERM_CERTIFICATES( RWx_RWx ),
401  ROUTE( OBJECT_TYPE_USER ) ),
402  MKACL_N( /* Certificate validity period */
403  CRYPT_OPTION_CERT_VALIDITY,
404  ST_NONE, ST_NONE, ST_USER_ANY,
405  MKPERM_CERTIFICATES( RWx_RWx ),
406  ROUTE( OBJECT_TYPE_USER ),
407  RANGE( 1, 20 * 365 ) ),
408  MKACL_N( /* CRL update interval */
409  CRYPT_OPTION_CERT_UPDATEINTERVAL,
410  ST_NONE, ST_NONE, ST_USER_ANY,
411  MKPERM_CERTREV( RWx_RWx ),
412  ROUTE( OBJECT_TYPE_USER ),
413  RANGE( 1, 365 ) ),
414  MKACL_N( /* PKIX compliance level for cert chks.*/
415  CRYPT_OPTION_CERT_COMPLIANCELEVEL,
416  ST_NONE, ST_NONE, ST_USER_ANY,
417  MKPERM_CERTIFICATES( RWx_RWx ),
418  ROUTE( OBJECT_TYPE_USER ),
419  RANGE( CRYPT_COMPLIANCELEVEL_OBLIVIOUS, \
420  MAX_COMPLIANCE_LEVEL ) ),
421  MKACL_B( /* Whether explicit policy req'd for certs */
422  CRYPT_OPTION_CERT_REQUIREPOLICY,
423  ST_NONE, ST_NONE, ST_USER_ANY,
424  MKPERM_CERTIFICATES( RWx_RWx ),
425  ROUTE( OBJECT_TYPE_USER ) ),
426 
427  MKACL_B( /* Add default CMS attributes */
428  CRYPT_OPTION_CMS_DEFAULTATTRIBUTES,
429  ST_NONE, ST_NONE, ST_USER_ANY,
430  MKPERM( RWx_RWx ),
431  ROUTE( OBJECT_TYPE_USER ) ),
432 
433  MKACL_S( /* Object class */
434  CRYPT_OPTION_KEYS_LDAP_OBJECTCLASS,
435  ST_NONE, ST_KEYSET_LDAP, ST_USER_ANY,
436  MKPERM_LDAP( RWx_RWx ),
437  ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
438  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
439  MKACL_EX( /* Object type to fetch */
440  CRYPT_OPTION_KEYS_LDAP_OBJECTTYPE, ATTRIBUTE_VALUE_NUMERIC,
441  ST_NONE, ST_KEYSET_LDAP, ST_USER_ANY,
442  MKPERM_LDAP( RWx_RWx ), 0,
443  ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
444  RANGE_ALLOWEDVALUES, allowedLDAPObjectTypes ),
445  MKACL_S( /* Query filter */
446  CRYPT_OPTION_KEYS_LDAP_FILTER,
447  ST_NONE, ST_KEYSET_LDAP, ST_USER_ANY,
448  MKPERM_LDAP( RWx_RWx ),
449  ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
450  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
451  MKACL_S( /* CA certificate attribute name */
452  CRYPT_OPTION_KEYS_LDAP_CACERTNAME,
453  ST_NONE, ST_KEYSET_LDAP, ST_USER_ANY,
454  MKPERM_LDAP( RWx_RWx ),
455  ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
456  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
457  MKACL_S( /* Certificate attribute name */
458  CRYPT_OPTION_KEYS_LDAP_CERTNAME,
459  ST_NONE, ST_KEYSET_LDAP, ST_USER_ANY,
460  MKPERM_LDAP( RWx_RWx ),
461  ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
462  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
463  MKACL_S( /* CRL attribute name */
464  CRYPT_OPTION_KEYS_LDAP_CRLNAME,
465  ST_NONE, ST_KEYSET_LDAP, ST_USER_ANY,
466  MKPERM_LDAP( RWx_RWx ),
467  ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
468  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
469  MKACL_S( /* Email attribute name */
470  CRYPT_OPTION_KEYS_LDAP_EMAILNAME,
471  ST_NONE, ST_KEYSET_LDAP, ST_USER_ANY,
472  MKPERM_LDAP( RWx_RWx ),
473  ROUTE_ALT( OBJECT_TYPE_KEYSET, OBJECT_TYPE_USER ),
474  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
475 
476  MKACL_S( /* Name of first PKCS #11 driver */
477  CRYPT_OPTION_DEVICE_PKCS11_DVR01,
478  ST_NONE, ST_NONE, ST_USER_ANY,
479  MKPERM_PKCS11( RWD_RWD ),
480  ROUTE( OBJECT_TYPE_USER ),
481  RANGE( 2, MAX_PATH_LENGTH ) ),
482  MKACL_S( /* Name of second PKCS #11 driver */
483  CRYPT_OPTION_DEVICE_PKCS11_DVR02,
484  ST_NONE, ST_NONE, ST_USER_ANY,
485  MKPERM_PKCS11( RWD_RWD ),
486  ROUTE( OBJECT_TYPE_USER ),
487  RANGE( 2, MAX_PATH_LENGTH ) ),
488  MKACL_S( /* Name of third PKCS #11 driver */
489  CRYPT_OPTION_DEVICE_PKCS11_DVR03,
490  ST_NONE, ST_NONE, ST_USER_ANY,
491  MKPERM_PKCS11( RWD_RWD ),
492  ROUTE( OBJECT_TYPE_USER ),
493  RANGE( 2, MAX_PATH_LENGTH ) ),
494  MKACL_S( /* Name of fourth PKCS #11 driver */
495  CRYPT_OPTION_DEVICE_PKCS11_DVR04,
496  ST_NONE, ST_NONE, ST_USER_ANY,
497  MKPERM_PKCS11( RWD_RWD ),
498  ROUTE( OBJECT_TYPE_USER ),
499  RANGE( 2, MAX_PATH_LENGTH ) ),
500  MKACL_S( /* Name of fifth PKCS #11 driver */
501  CRYPT_OPTION_DEVICE_PKCS11_DVR05,
502  ST_NONE, ST_NONE, ST_USER_ANY,
503  MKPERM_PKCS11( RWD_RWD ),
504  ROUTE( OBJECT_TYPE_USER ),
505  RANGE( 2, MAX_PATH_LENGTH ) ),
506  MKACL_B( /* Use only hardware mechanisms */
507  CRYPT_OPTION_DEVICE_PKCS11_HARDWAREONLY,
508  ST_NONE, ST_NONE, ST_USER_ANY,
509  MKPERM_PKCS11( RWx_RWx ),
510  ROUTE( OBJECT_TYPE_USER ) ),
511 
512  MKACL_S( /* Socks server name */
513  CRYPT_OPTION_NET_SOCKS_SERVER,
514  ST_NONE, ST_NONE, ST_SESS_ANY | ST_USER_ANY,
515  MKPERM_TCP( RWD_RWD ),
516  ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
517  RANGE( MIN_DNS_SIZE, MAX_DNS_SIZE ) ),
518  MKACL_S( /* Socks user name */
519  CRYPT_OPTION_NET_SOCKS_USERNAME,
520  ST_NONE, ST_NONE, ST_SESS_ANY | ST_USER_ANY,
521  MKPERM_TCP( RWD_RWD ),
522  ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
523  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
524  MKACL_S( /* Web proxy server */
525  CRYPT_OPTION_NET_HTTP_PROXY,
526  ST_NONE, ST_NONE, ST_SESS_ANY | ST_USER_ANY,
527  MKPERM_HTTP( RWD_RWD ),
528  ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
529  RANGE( MIN_DNS_SIZE, MAX_DNS_SIZE ) ),
530  MKACL_N( /* Timeout for network connection setup */
531  CRYPT_OPTION_NET_CONNECTTIMEOUT,
532  ST_NONE, ST_NONE, ST_SESS_ANY | ST_USER_ANY,
533  MKPERM_TCP( Rxx_RWx ),
534  ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
535  RANGE( 5, 300 ) ),
536  MKACL_N( /* Timeout for network reads */
537  CRYPT_OPTION_NET_READTIMEOUT,
538  ST_NONE, ST_NONE, ST_SESS_ANY | ST_USER_ANY,
539  MKPERM_TCP( RWx_RWx ),
540  ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
541  RANGE( 0, 300 ) ),
542  MKACL_N( /* Timeout for network writes */
543  CRYPT_OPTION_NET_WRITETIMEOUT,
544  ST_NONE, ST_NONE, ST_SESS_ANY | ST_USER_ANY,
545  MKPERM_TCP( RWx_RWx ),
546  ROUTE_ALT( OBJECT_TYPE_SESSION, OBJECT_TYPE_USER ),
547  RANGE( 0, 300 ) ),
548 
549  MKACL_B( /* Whether to init cryptlib async'ly */
550  CRYPT_OPTION_MISC_ASYNCINIT,
551  ST_NONE, ST_NONE, ST_USER_SO,
552  MKPERM( RWx_RWx ),
553  ROUTE( OBJECT_TYPE_USER ) ),
554  MKACL_N( /* Protect against side-channel attacks */
555  CRYPT_OPTION_MISC_SIDECHANNELPROTECTION,
556  ST_CTX_PKC, ST_NONE, ST_USER_SO,
557  MKPERM( RWx_RWx ),
558  ROUTE_ALT( OBJECT_TYPE_CONTEXT, OBJECT_TYPE_USER ),
559  RANGE( 0, 2 ) ),
560 
561  MKACL( /* Whether in-mem.opts match on-disk ones */
562  /* This is a special-case boolean attribute value that can only be
563  set to FALSE to indicate that the config options should be
564  flushed to disk */
565  CRYPT_OPTION_CONFIGCHANGED, ATTRIBUTE_VALUE_BOOLEAN,
566  ST_NONE, ST_NONE, ST_USER_ANY,
567  MKPERM( RWx_RWx ), 0,
568  ROUTE( OBJECT_TYPE_USER ),
569  RANGE( FALSE, FALSE ) ),
570 
571  MKACL_B( /* Algorithm self-test status */
572  CRYPT_OPTION_SELFTESTOK,
573  ST_NONE, ST_NONE, ST_USER_ANY,
574  MKPERM( RWx_RWx ),
575  ROUTE( OBJECT_TYPE_USER ) ),
576  MKACL_END(), MKACL_END()
577  };
578 
579 /****************************************************************************
580 * *
581 * Context ACLs *
582 * *
583 ****************************************************************************/
584 
585 static const int FAR_BSS allowedPKCKeysizes[] = {
586  sizeof( CRYPT_PKCINFO_DLP ), sizeof( CRYPT_PKCINFO_RSA ),
587  sizeof( CRYPT_PKCINFO_ECC ), CRYPT_ERROR };
588 static const int FAR_BSS allowedKeyingAlgos[] = {
589 #ifdef USE_MD5
590  CRYPT_ALGO_MD5, /* Hash algos for PGP */
591 #endif /* USE_MD5 */
592  CRYPT_ALGO_SHA1,
593 #ifdef USE_RIPEMD160
594  CRYPT_ALGO_RIPEMD160,
595 #endif /* USE_RIPEMD160 */
596  CRYPT_ALGO_SHA2, /* MAC algos for everything else */
597  CRYPT_ALGO_HMAC_SHA1, CRYPT_ALGO_HMAC_SHA2, CRYPT_ALGO_HMAC_SHAng,
598  CRYPT_ERROR };
599 
600 static const ATTRIBUTE_ACL FAR_BSS subACL_CtxinfoBlocksize[] = {
601  MKACL_N( /* Encr. and PKC is determined implicitly algorithm type */
602  CRYPT_CTXINFO_BLOCKSIZE,
603  ST_CTX_CONV | ST_CTX_PKC, ST_NONE, ST_NONE,
604  MKPERM( Rxx_Rxx ),
605  ROUTE( OBJECT_TYPE_CONTEXT ),
606  RANGE( 1, CRYPT_MAX_HASHSIZE ) ),
607  MKACL_N( /* Some hash/MAC algos have variable-length outputs */
608  /* Hash contexts are a special case because they're moved into the
609  high state as soon as they're created because there's no further
610  initialisation to be done. This means that the output size can
611  be changed even when they're (effectively) in the high state,
612  although the actual meaning of this state is somewhat different
613  than for other context types */
614  CRYPT_CTXINFO_BLOCKSIZE,
615  ST_CTX_HASH, ST_NONE, ST_NONE,
616  MKPERM( RWx_Rxx ),
617  ROUTE( OBJECT_TYPE_CONTEXT ),
618  RANGE( 16, CRYPT_MAX_HASHSIZE ) ),
619  MKACL_N( /* Some hash/MAC algos have variable-length outputs */
620  CRYPT_CTXINFO_BLOCKSIZE,
621  ST_CTX_MAC, ST_NONE, ST_NONE,
622  MKPERM( Rxx_RWx ),
623  ROUTE( OBJECT_TYPE_CONTEXT ),
624  RANGE( 16, CRYPT_MAX_HASHSIZE ) ),
625  MKACL_END_SUBACL(), MKACL_END_SUBACL()
626  };
627 
628 static const ATTRIBUTE_ACL FAR_BSS subACL_CtxinfoPersistent[] = {
629  MKACL_B( /* PKC is determined implicitly by storage type */
630  CRYPT_CTXINFO_PERSISTENT,
631  ST_CTX_PKC, ST_NONE, ST_NONE,
632  MKPERM( Rxx_Rxx ),
633  ROUTE( OBJECT_TYPE_CONTEXT ) ),
634  MKACL_B( /* Conv./MAC can be set on create to create persistent object */
635  CRYPT_CTXINFO_PERSISTENT,
636  ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ST_NONE,
637  MKPERM( Rxx_RWD ),
638  ROUTE( OBJECT_TYPE_CONTEXT ) ),
639  MKACL_END_SUBACL(), MKACL_END_SUBACL()
640  };
641 
642 /* Context attributes */
643 
644 static const ATTRIBUTE_ACL FAR_BSS contextACL[] = {
645  MKACL_N( /* Algorithm */
646  CRYPT_CTXINFO_ALGO,
647  ST_CTX_ANY, ST_NONE, ST_NONE,
648  MKPERM( Rxx_Rxx ),
649  ROUTE( OBJECT_TYPE_CONTEXT ),
650  RANGE( CRYPT_ALGO_NONE + 1, CRYPT_ALGO_LAST - 1 ) ),
651  MKACL_N( /* Mode */
652  CRYPT_CTXINFO_MODE,
653  ST_CTX_CONV, ST_NONE, ST_NONE,
654  MKPERM( Rxx_RWx ),
655  ROUTE( OBJECT_TYPE_CONTEXT ),
656  RANGE( CRYPT_MODE_NONE + 1, CRYPT_MODE_LAST - 1 ) ),
657  MKACL_S( /* Algorithm name */
658  CRYPT_CTXINFO_NAME_ALGO,
659  ST_CTX_ANY, ST_NONE, ST_NONE,
660  MKPERM( Rxx_Rxx ),
661  ROUTE( OBJECT_TYPE_CONTEXT ),
662  RANGE( 3, CRYPT_MAX_TEXTSIZE ) ),
663  MKACL_S( /* Mode name */
664  CRYPT_CTXINFO_NAME_MODE,
665  ST_CTX_CONV, ST_NONE, ST_NONE,
666  MKPERM( Rxx_Rxx ),
667  ROUTE( OBJECT_TYPE_CONTEXT ),
668  RANGE( 3, CRYPT_MAX_TEXTSIZE ) ),
669  MKACL_N( /* Key size in bytes */
670  CRYPT_CTXINFO_KEYSIZE,
671  ST_CTX_CONV | ST_CTX_PKC | ST_CTX_MAC | ST_CTX_GENERIC, ST_NONE, ST_NONE,
672  MKPERM( Rxx_RWx ),
673  ROUTE( OBJECT_TYPE_CONTEXT ),
674  RANGE( MIN_KEYSIZE, CRYPT_MAX_PKCSIZE ) ),
675  MKACL_X( /* Block size in bytes */
676  CRYPT_CTXINFO_BLOCKSIZE,
677  ST_CTX_CONV | ST_CTX_PKC | ST_CTX_HASH | ST_CTX_MAC, ST_NONE, ST_NONE,
678  MKPERM( RWx_RWx ),
679  ROUTE( OBJECT_TYPE_CONTEXT ),
680  subACL_CtxinfoBlocksize ),
681  MKACL_N( /* IV size in bytes */
682  CRYPT_CTXINFO_IVSIZE,
683  ST_CTX_CONV, ST_NONE, ST_NONE,
684  MKPERM( Rxx_Rxx ),
685  ROUTE( OBJECT_TYPE_CONTEXT ),
686  RANGE( 8, CRYPT_MAX_IVSIZE ) ),
687  MKACL_EX( /* Key processing algorithm */
688  /* The allowed algorithm range is a bit peculiar, usually we only
689  allow HMAC-SHA1 for normal key derivation, however PGP uses
690  plain hash algorithms for the derivation and although these
691  are never applied they are stored in the context when PGP keys
692  are loaded */
693  CRYPT_CTXINFO_KEYING_ALGO, ATTRIBUTE_VALUE_NUMERIC,
694  ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ST_NONE,
695  MKPERM( Rxx_RWD ), 0,
696  ROUTE( OBJECT_TYPE_CONTEXT ),
697  RANGE_ALLOWEDVALUES, allowedKeyingAlgos ),
698  MKACL_N( /* Key processing iterations */
699  CRYPT_CTXINFO_KEYING_ITERATIONS,
700  ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ST_NONE,
701  MKPERM( Rxx_RWD ),
702  ROUTE( OBJECT_TYPE_CONTEXT ),
703  RANGE( 1, MAX_KEYSETUP_ITERATIONS ) ),
704  MKACL_S( /* Key processing salt */
705  CRYPT_CTXINFO_KEYING_SALT,
706  ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ST_NONE,
707  MKPERM( Rxx_RWD ),
708  ROUTE( OBJECT_TYPE_CONTEXT ),
709  RANGE( 8, CRYPT_MAX_HASHSIZE ) ),
710  MKACL_S_EX( /* Value used to derive key */
711  CRYPT_CTXINFO_KEYING_VALUE,
712  ST_CTX_CONV | ST_CTX_MAC, ST_NONE, ST_NONE,
713  MKPERM( xxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
714  ROUTE( OBJECT_TYPE_CONTEXT ),
715  RANGE( 1, MAX_ATTRIBUTE_SIZE ) ),
716 #ifdef USE_FIPS140
717  MKACL_S_EX( /* Key */
718  CRYPT_CTXINFO_KEY,
719  ST_CTX_CONV | ST_CTX_MAC | ST_CTX_GENERIC, ST_NONE, ST_NONE,
720  MKPERM_INT( xxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
721  ROUTE( OBJECT_TYPE_CONTEXT ),
722  RANGE( MIN_KEYSIZE, CRYPT_MAX_KEYSIZE ) ),
723  MKACL_EX( /* Public-key components */
724  CRYPT_CTXINFO_KEY_COMPONENTS, ATTRIBUTE_VALUE_STRING,
725  ST_CTX_PKC, ST_NONE, ST_NONE,
726  MKPERM_INT( xxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
727  ROUTE( OBJECT_TYPE_CONTEXT ),
728  RANGE_ALLOWEDVALUES, allowedPKCKeysizes ),
729 #else
730  MKACL_S_EX( /* Key */
731  CRYPT_CTXINFO_KEY,
732  ST_CTX_CONV | ST_CTX_MAC | ST_CTX_GENERIC, ST_NONE, ST_NONE,
733  MKPERM( xxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
734  ROUTE( OBJECT_TYPE_CONTEXT ),
735  RANGE( MIN_KEYSIZE, CRYPT_MAX_KEYSIZE ) ),
736  MKACL_EX( /* Public-key components */
737  CRYPT_CTXINFO_KEY_COMPONENTS, ATTRIBUTE_VALUE_STRING,
738  ST_CTX_PKC, ST_NONE, ST_NONE,
739  MKPERM( xxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
740  ROUTE( OBJECT_TYPE_CONTEXT ),
741  RANGE_ALLOWEDVALUES, allowedPKCKeysizes ),
742 #endif /* FIPS 140 keying rules */
743  MKACL_S( /* IV */
744  CRYPT_CTXINFO_IV,
745  ST_CTX_CONV, ST_NONE, ST_NONE,
746  MKPERM( RWx_RWx ),
747  ROUTE( OBJECT_TYPE_CONTEXT ),
748  RANGE( 8, CRYPT_MAX_IVSIZE ) ),
749  MKACL_S( /* Hash value */
750  CRYPT_CTXINFO_HASHVALUE,
751  ST_CTX_HASH | ST_CTX_MAC, ST_NONE, ST_NONE,
752  MKPERM( RxD_RxD ),
753  ROUTE( OBJECT_TYPE_CONTEXT ),
754  RANGE( 16, CRYPT_MAX_HASHSIZE ) ),
755  MKACL_S( /* Label for private/secret key */
756  CRYPT_CTXINFO_LABEL,
757  ST_CTX_CONV | ST_CTX_PKC | ST_CTX_MAC, ST_NONE, ST_NONE,
758  MKPERM( Rxx_RWD ),
759  ROUTE( OBJECT_TYPE_CONTEXT ),
760  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
761  MKACL_X( /* Object is backed by a device or keyset */
762  CRYPT_CTXINFO_PERSISTENT,
763  ST_CTX_CONV | ST_CTX_PKC | ST_CTX_MAC, ST_NONE, ST_NONE,
764  MKPERM( Rxx_RWD ),
765  ROUTE( OBJECT_TYPE_CONTEXT ),
766  subACL_CtxinfoPersistent ),
767  MKACL_END(), MKACL_END()
768  };
769 
770 /****************************************************************************
771 * *
772 * Certificate ACLs *
773 * *
774 ****************************************************************************/
775 
776 static const int FAR_BSS allowedIPAddressSizes[] = \
777  { 4, 16, CRYPT_ERROR };
778 
779 static const RANGE_SUBRANGE_TYPE FAR_BSS allowedContentTypeSubranges[] = {
780  { CRYPT_CONTENT_DATA, CRYPT_CONTENT_ENVELOPEDDATA },
781 #ifdef USE_CMSATTR_OBSCURE
782  { CRYPT_CONTENT_SIGNEDANDENVELOPEDDATA, CRYPT_CONTENT_SIGNEDANDENVELOPEDDATA },
783 #endif /* USE_CMSATTR_OBSCURE */
784  { CRYPT_CONTENT_DIGESTEDDATA, CRYPT_CONTENT_ENCRYPTEDDATA },
785 #ifdef USE_COMPRESSION
786  { CRYPT_CONTENT_COMPRESSEDDATA, CRYPT_CONTENT_COMPRESSEDDATA },
787 #endif /* USE_COMPRESSION */
788 #ifdef USE_TSP
789  { CRYPT_CONTENT_TSTINFO, CRYPT_CONTENT_TSTINFO },
790 #endif /* USE_TSP */
791 #ifdef USE_CMSATTR_OBSCURE
792  { CRYPT_CONTENT_SPCINDIRECTDATACONTEXT, CRYPT_CONTENT_SPCINDIRECTDATACONTEXT },
793 #endif /* USE_CMSATTR_OBSCURE */
794 #ifdef USE_CERTVAL
795  { CRYPT_CONTENT_RTCSREQUEST, CRYPT_CONTENT_RTCSRESPONSE_EXT },
796 #endif /* USE_CERTVAL */
797  { CRYPT_CONTENT_MRTD, CRYPT_CONTENT_MRTD },
798  { CRYPT_ERROR, CRYPT_ERROR }
799  };
800 
801 static const ATTRIBUTE_ACL FAR_BSS subACL_CertinfoFingerprintSHA[] = {
802  MKACL_S( /* Certs: General access */
803  CRYPT_CERTINFO_FINGERPRINT_SHA1,
804  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
805  MKPERM_CERTIFICATES( Rxx_xxx ),
806  ROUTE( OBJECT_TYPE_CERTIFICATE ),
807  RANGE( 20, 20 ) ),
808  MKACL_S( /* Selected other objs (requests, PKI users): Int.access only */
809  CRYPT_CERTINFO_FINGERPRINT_SHA1,
810  ST_CERT_ANY_CERT | ST_CERT_REQ_REV | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
811  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
812  ROUTE( OBJECT_TYPE_CERTIFICATE ),
813  RANGE( 20, 20 ) ),
814  MKACL_END_SUBACL(), MKACL_END_SUBACL()
815  };
816 
817 /* Certificate: General info */
818 
819 static const ATTRIBUTE_ACL FAR_BSS certificateACL[] = {
820  MKACL_B( /* Cert is self-signed */
821  CRYPT_CERTINFO_SELFSIGNED,
822  ST_CERT_ANY_CERT, ST_NONE, ST_NONE,
823  MKPERM_CERTIFICATES( Rxx_RWD ),
824  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
825  MKACL_B( /* Cert is signed and immutable */
826  CRYPT_CERTINFO_IMMUTABLE,
827  ST_CERT_ANY, ST_NONE, ST_NONE,
828  MKPERM_CERTIFICATES( Rxx_Rxx ),
829  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
830  MKACL_B( /* Cert is a magic just-works cert */
831  CRYPT_CERTINFO_XYZZY,
832  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
833  MKPERM_CERTIFICATES( Rxx_RWx ),
834  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
835  MKACL_N( /* Certificate object type */
836  CRYPT_CERTINFO_CERTTYPE,
837  ST_CERT_ANY, ST_NONE, ST_NONE,
838  MKPERM_CERTIFICATES( Rxx_Rxx ),
839  ROUTE( OBJECT_TYPE_CERTIFICATE ),
840  RANGE( CRYPT_CERTTYPE_NONE + 1, CRYPT_CERTTYPE_LAST - 1 ) ),
841  MKACL_S( /* Certificate fingerprint: MD5 */
842  CRYPT_CERTINFO_FINGERPRINT,
843  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
844  MKPERM_CERTIFICATES( Rxx_xxx ),
845  ROUTE( OBJECT_TYPE_CERTIFICATE ),
846  RANGE( 16, 16 ) ),
847  MKACL_X( /* Certificate fingerprint: SHA-1 */
848  CRYPT_CERTINFO_FINGERPRINT_SHA1,
849  ST_CERT_ANY_CERT | ST_CERT_REQ_REV | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
850  MKPERM_CERTIFICATES( Rxx_xxx ),
851  ROUTE( OBJECT_TYPE_CERTIFICATE ),
852  subACL_CertinfoFingerprintSHA ),
853  MKACL_S( /* Certificate fingerprint: SHA-2 */
854  CRYPT_CERTINFO_FINGERPRINT_SHA2,
855  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
856  MKPERM_CERTIFICATES( Rxx_xxx ),
857  ROUTE( OBJECT_TYPE_CERTIFICATE ),
858  RANGE( 32, 32 ) ),
859  MKACL_S( /* Certificate fingerprint: SHAng */
860  CRYPT_CERTINFO_FINGERPRINT_SHAng,
861  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
862  MKPERM_CERTIFICATES( Rxx_xxx ),
863  ROUTE( OBJECT_TYPE_CERTIFICATE ),
864  RANGE( 32, 32 ) ),
865  MKACL_N( /* Cursor mgt: Rel.pos in chain/CRL/OCSP */
866  /* The subtype flag is somewhat unusual since it includes as an
867  allowed subtype a cert, which doesn't have further cert components.
868  The reason for this is that when the chain is created it's just a
869  collection of certs, it isn't until all of them are available that
870  one can be marked the leaf cert and its type changed to cert chain.
871  Since an object's subtype can't be changed after it's created, we
872  have to allow cursor movement commands to certs in case one of
873  them is really the leaf in a cert chain - it's because of the way
874  the leaf can act as both a cert and a cert chain. A pure cert
875  looks just like a one-cert chain, so there's no harm in sending a
876  movement command to a cert that isn't a chain leaf */
877  CRYPT_CERTINFO_CURRENT_CERTIFICATE,
878  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_CRL | ST_CERT_RTCS_REQ | \
879  ST_CERT_RTCS_RESP | ST_CERT_OCSP_REQ | \
880  ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
881  MKPERM_CERTIFICATES( xWx_xWx ),
882  ROUTE( OBJECT_TYPE_CERTIFICATE ),
883  RANGE( CRYPT_CURSOR_FIRST, CRYPT_CURSOR_LAST ) ),
884  MKACL_N( /* Usage that cert is trusted for */
885  CRYPT_CERTINFO_TRUSTED_USAGE,
886  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
887  MKPERM_CERTIFICATES( RWD_RWD ),
888  ROUTE( OBJECT_TYPE_CERTIFICATE ),
889  RANGE( CRYPT_KEYUSAGE_NONE, CRYPT_KEYUSAGE_LAST - 1 ) ),
890  MKACL_B( /* Whether cert is implicitly trusted */
891  CRYPT_CERTINFO_TRUSTED_IMPLICIT,
892  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
893  MKPERM_CERTIFICATES( RWD_xxx ),
894  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
895  MKACL_N( /* Amount of detail to include in sigs.*/
896  CRYPT_CERTINFO_SIGNATURELEVEL,
897  ST_CERT_OCSP_REQ, ST_NONE, ST_NONE,
898  MKPERM_CERTREV( RWx_RWx ),
899  ROUTE( OBJECT_TYPE_CERTIFICATE ),
900  RANGE( CRYPT_SIGNATURELEVEL_NONE, CRYPT_SIGNATURELEVEL_ALL ) ),
901 
902  MKACL_N( /* Certificate format version */
903  CRYPT_CERTINFO_VERSION,
904  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | ST_CERT_CRL | \
905  ST_CERT_RTCS_REQ | ST_CERT_RTCS_RESP | \
906  ST_CERT_OCSP_REQ | ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
907  MKPERM_CERTIFICATES( Rxx_Rxx ),
908  ROUTE( OBJECT_TYPE_CERTIFICATE ),
909  RANGE( 1, 3 ) ),
910  MKACL_S( /* Serial number */
911  CRYPT_CERTINFO_SERIALNUMBER,
912  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | ST_CERT_CRL | \
913  ST_CERT_REQ_CERT, ST_NONE, ST_NONE,
914  MKPERM_CERTIFICATES( Rxx_Rxx ),
915  ROUTE( OBJECT_TYPE_CERTIFICATE ),
916  RANGE( 1, 32 ) ),
917  MKACL_O( /* Public key */
918  CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO,
919  ST_CERT_ANY_CERT, ST_NONE, ST_NONE,
920  MKPERM_CERTIFICATES( xxx_xWx ),
921  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCtxPKC ),
922  MKACL_O( /* User certificate */
923  CRYPT_CERTINFO_CERTIFICATE,
924  ST_CERT_CERTCHAIN | ST_CERT_CRL | ST_CERT_REQ_CERT | ST_CERT_REQ_REV | \
925  ST_CERT_RTCS_REQ | ST_CERT_OCSP_REQ, ST_NONE, ST_NONE,
926  MKPERM_CERTIFICATES( xxx_xWx ),
927  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertificate ),
928  MKACL_O( /* CA certificate */
929  CRYPT_CERTINFO_CACERTIFICATE,
930  ST_CERT_OCSP_REQ, ST_NONE, ST_NONE,
931  MKPERM_CERTREV( xxx_xWx ),
932  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertificate ),
933  MKACL_B( /* Issuer DN */
934  CRYPT_CERTINFO_ISSUERNAME,
935  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | \
936  ST_CERT_CRL | ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
937  MKPERM_CERTIFICATES( Rxx_Rxx ),
938  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
939  MKACL_T( /* Cert valid-from time */
940  CRYPT_CERTINFO_VALIDFROM,
941  ST_CERT_CERT | ST_CERT_REQ_CERT | ST_CERT_CERTCHAIN | \
942  ST_CERT_ATTRCERT, ST_NONE, ST_NONE,
943  MKPERM_CERTIFICATES( Rxx_RWD ),
944  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
945  MKACL_T( /* Cert valid-to time */
946  CRYPT_CERTINFO_VALIDTO,
947  ST_CERT_CERT | ST_CERT_REQ_CERT | ST_CERT_CERTCHAIN | \
948  ST_CERT_ATTRCERT, ST_NONE, ST_NONE,
949  MKPERM_CERTIFICATES( Rxx_RWD ),
950  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
951  MKACL_B( /* Subject DN */
952  CRYPT_CERTINFO_SUBJECTNAME,
953  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
954  MKPERM_CERTIFICATES( Rxx_RxD ),
955  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
956  MKACL_S( /* Issuer unique ID */
957  CRYPT_CERTINFO_ISSUERUNIQUEID,
958  ST_CERT_CERT, ST_NONE, ST_NONE,
959  MKPERM_CERT_OBSOLETE( Rxx_Rxx ),
960  ROUTE( OBJECT_TYPE_CERTIFICATE ),
961  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
962  MKACL_S( /* Subject unique ID */
963  CRYPT_CERTINFO_SUBJECTUNIQUEID,
964  ST_CERT_CERT, ST_NONE, ST_NONE,
965  MKPERM_CERT_OBSOLETE( Rxx_Rxx ),
966  ROUTE( OBJECT_TYPE_CERTIFICATE ),
967  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
968  MKACL_O( /* Cert.request (DN + public key) */
969  CRYPT_CERTINFO_CERTREQUEST,
970  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT, ST_NONE, ST_NONE,
971  MKPERM_CERTIFICATES( xxx_xWx ),
972  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertRequest ),
973  MKACL_T( /* CRL/OCSP current-update time */
974  CRYPT_CERTINFO_THISUPDATE,
975  ST_CERT_CRL | ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
976  MKPERM_CERTREV( Rxx_RWx ),
977  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
978  MKACL_T( /* CRL/OCSP next-update time */
979  CRYPT_CERTINFO_NEXTUPDATE,
980  ST_CERT_CRL | ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
981  MKPERM_CERTREV( Rxx_RWx ),
982  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
983  MKACL_T( /* CRL/RTCS/OCSP cert-revocation time */
984  CRYPT_CERTINFO_REVOCATIONDATE,
985  ST_CERT_CRL | ST_CERT_RTCS_RESP | ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
986  MKPERM_CERTREV_VAL( Rxx_RWD ),
987  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
988  MKACL_N( /* OCSP revocation status */
989  CRYPT_CERTINFO_REVOCATIONSTATUS,
990  ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
991  MKPERM_CERTREV( Rxx_xxx ),
992  ROUTE( OBJECT_TYPE_CERTIFICATE ),
993  RANGE( CRYPT_OCSPSTATUS_NOTREVOKED, CRYPT_OCSPSTATUS_UNKNOWN ) ),
994  MKACL_N( /* RTCS certificate status */
995  CRYPT_CERTINFO_CERTSTATUS,
996  ST_CERT_RTCS_RESP, ST_NONE, ST_NONE,
997  MKPERM_CERTVAL( Rxx_xxx ),
998  ROUTE( OBJECT_TYPE_CERTIFICATE ),
999  RANGE( CRYPT_CERTSTATUS_VALID, CRYPT_CERTSTATUS_UNKNOWN ) ),
1000  MKACL_S( /* Currently selected DN in string form */
1001  CRYPT_CERTINFO_DN,
1002  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1003  ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1004  MKPERM_DNSTRING( Rxx_RWx ),
1005  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1006  RANGE( 3, MAX_ATTRIBUTE_SIZE ) ),
1007  MKACL_S( /* PKI user ID */
1008  CRYPT_CERTINFO_PKIUSER_ID,
1009  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1010  MKPERM_PKIUSER( Rxx_xxx ),
1011  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1012  RANGE( 17, 17 ) ),
1013  MKACL_S( /* PKI user issue password */
1014  CRYPT_CERTINFO_PKIUSER_ISSUEPASSWORD,
1015  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1016  MKPERM_PKIUSER( Rxx_xxx ),
1017  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1018  RANGE( 23, 23 ) ),
1019  MKACL_S( /* PKI user revocation password */
1020  CRYPT_CERTINFO_PKIUSER_REVPASSWORD,
1021  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1022  MKPERM_PKIUSER( Rxx_xxx ),
1023  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1024  RANGE( 23, 23 ) ),
1025  MKACL_END(), MKACL_END()
1026  };
1027 
1028 /* Certificate: Name components */
1029 
1030 static const ATTRIBUTE_ACL FAR_BSS certNameACL[] = {
1031  MKACL_S( /* countryName */
1032  CRYPT_CERTINFO_COUNTRYNAME,
1033  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1034  ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1035  MKPERM_CERTIFICATES( Rxx_RWD ),
1036  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1037  RANGE( 2, 2 ) ),
1038  MKACL_WCS( /* stateOrProvinceName */
1039  CRYPT_CERTINFO_STATEORPROVINCENAME,
1040  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1041  ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1042  MKPERM_CERTIFICATES( Rxx_RWD ),
1043  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1044  RANGE( 1, 128 ) ),
1045  MKACL_WCS( /* localityName */
1046  CRYPT_CERTINFO_LOCALITYNAME,
1047  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1048  ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1049  MKPERM_CERTIFICATES( Rxx_RWD ),
1050  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1051  RANGE( 1, 128 ) ),
1052  MKACL_WCS( /* organizationName */
1053  CRYPT_CERTINFO_ORGANIZATIONNAME,
1054  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1055  ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1056  MKPERM_CERTIFICATES( Rxx_RWD ),
1057  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1058  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
1059  MKACL_WCS( /* organizationalUnitName */
1060  CRYPT_CERTINFO_ORGANIZATIONALUNITNAME,
1061  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1062  ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1063  MKPERM_CERTIFICATES( Rxx_RWD ),
1064  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1065  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
1066  MKACL_WCS( /* commonName */
1067  CRYPT_CERTINFO_COMMONNAME,
1068  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1069  ST_CERT_OCSP_RESP | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1070  MKPERM_CERTIFICATES( Rxx_RWD ),
1071  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1072  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
1073 
1074  MKACL_S( /* otherName.typeID */
1075  CRYPT_CERTINFO_OTHERNAME_TYPEID,
1076  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1077  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1078  MKPERM_CERTIFICATES( Rxx_RWD ),
1079  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1080  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
1081  MKACL_S( /* otherName.value */
1082  CRYPT_CERTINFO_OTHERNAME_VALUE,
1083  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1084  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1085  MKPERM_CERTIFICATES( Rxx_RWD ),
1086  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1087  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
1088  MKACL_S( /* rfc822Name */
1089  CRYPT_CERTINFO_RFC822NAME,
1090  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1091  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1092  MKPERM_CERTIFICATES( Rxx_RWD ),
1093  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1094  RANGE( MIN_RFC822_SIZE, MAX_RFC822_SIZE ) ),
1095  MKACL_S( /* dNSName */
1096  CRYPT_CERTINFO_DNSNAME,
1097  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1098  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1099  MKPERM_CERTIFICATES( Rxx_RWD ),
1100  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1101  RANGE( MIN_DNS_SIZE, MAX_DNS_SIZE ) ),
1102  MKACL_N( /* directoryName */
1103  CRYPT_CERTINFO_DIRECTORYNAME,
1104  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1105  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1106  MKPERM_CERTIFICATES( Rxx_RxD ),
1107  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1108  RANGE( FALSE, TRUE ) ),
1109  MKACL_S( /* ediPartyName.nameAssigner */
1110  CRYPT_CERTINFO_EDIPARTYNAME_NAMEASSIGNER,
1111  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1112  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1113  MKPERM_CERTIFICATES( Rxx_RWD ),
1114  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1115  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
1116  MKACL_S( /* ediPartyName.partyName */
1117  CRYPT_CERTINFO_EDIPARTYNAME_PARTYNAME,
1118  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1119  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1120  MKPERM_CERTIFICATES( Rxx_RWD ),
1121  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1122  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
1123  MKACL_S( /* uniformResourceIdentifier */
1124  CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER,
1125  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1126  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1127  MKPERM_CERTIFICATES( Rxx_RWD ),
1128  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1129  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
1130  MKACL_EX( /* iPAddress */
1131  CRYPT_CERTINFO_IPADDRESS, ATTRIBUTE_VALUE_STRING,
1132  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1133  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1134  MKPERM_CERTIFICATES( Rxx_RWD ), 0,
1135  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1136  RANGE_ALLOWEDVALUES, allowedIPAddressSizes ),
1137  MKACL_S( /* registeredID */
1138  CRYPT_CERTINFO_REGISTEREDID,
1139  ST_CERT_ANY_CERT | ST_CERT_ATTRCERT | ST_CERT_CRL | \
1140  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1141  MKPERM_CERTIFICATES( Rxx_RWD ),
1142  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1143  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
1144  MKACL_END(), MKACL_END()
1145  };
1146 
1147 /* Certificate: Extensions */
1148 
1149 static const ATTRIBUTE_ACL FAR_BSS certExtensionACL[] = {
1150  /* 1 2 840 113549 1 9 7 challengePassword. This is here even though it's
1151  a CMS attribute because SCEP stuffs it into PKCS #10 requests */
1152  MKACL_S( /* nonce */
1153  CRYPT_CERTINFO_CHALLENGEPASSWORD,
1154  ST_CERT_CERTREQ, ST_NONE, ST_NONE,
1155  MKPERM_CERTREQ( Rxx_RWD ),
1156  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1157  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
1158 
1159  /* 1 3 6 1 4 1 3029 3 1 4 cRLExtReason */
1160  MKACL_N( /* cRLExtReason */
1161  CRYPT_CERTINFO_CRLEXTREASON,
1162  ST_CERT_CRL | ST_CERT_REQ_REV, ST_NONE, ST_NONE,
1163  MKPERM_CERTREQ_REV( Rxx_RWD ),
1164  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1165  RANGE( CRYPT_CRLREASON_UNSPECIFIED, CRYPT_CRLEXTREASON_LAST - 1 ) ),
1166 
1167  /* 1 3 6 1 4 1 3029 3 1 5 keyFeatures */
1168  MKACL_N( /* keyFeatures */
1169  CRYPT_CERTINFO_KEYFEATURES,
1170  ST_CERT_ANY_CERT, ST_NONE, ST_NONE,
1171  MKPERM_CERTIFICATES( Rxx_Rxx ),
1172  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1173  RANGE( 0, 7 ) ),
1174 
1175  /* 1 3 6 1 5 5 7 1 1 authorityInfoAccess. The values are GeneralName
1176  selectors so the ACL doesn't allow writes, since they can only be
1177  used to select the GeneralName that's written to */
1178  MKACL_B( /* Extension present flag */
1179  CRYPT_CERTINFO_AUTHORITYINFOACCESS,
1180  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1181  MKPERM_CERTIFICATES( Rxx_RxD ),
1182  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1183  MKACL_N( /* accessDescription.accessLocation */
1184  CRYPT_CERTINFO_AUTHORITYINFO_RTCS,
1185  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1186  MKPERM_CERTIFICATES( Rxx_RxD ),
1187  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1188  RANGE( FALSE, TRUE ) ),
1189  MKACL_N( /* accessDescription.accessLocation */
1190  CRYPT_CERTINFO_AUTHORITYINFO_OCSP,
1191  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1192  MKPERM_CERTIFICATES( Rxx_RxD ),
1193  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1194  RANGE( FALSE, TRUE ) ),
1195  MKACL_N( /* accessDescription.accessLocation */
1196  CRYPT_CERTINFO_AUTHORITYINFO_CAISSUERS,
1197  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1198  MKPERM_CERTIFICATES( Rxx_RxD ),
1199  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1200  RANGE( FALSE, TRUE ) ),
1201  MKACL_N( /* accessDescription.accessLocation */
1202  CRYPT_CERTINFO_AUTHORITYINFO_CERTSTORE,
1203  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1204  MKPERM_CERTIFICATES( Rxx_RxD ),
1205  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1206  RANGE( FALSE, TRUE ) ),
1207  MKACL_N( /* accessDescription.accessLocation */
1208  CRYPT_CERTINFO_AUTHORITYINFO_CRLS,
1209  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1210  MKPERM_CERTIFICATES( Rxx_RxD ),
1211  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1212  RANGE( FALSE, TRUE ) ),
1213 
1214  /* 1 3 6 1 5 5 7 1 2 biometricInfo */
1215  MKACL_B( /* Extension present flag */
1216  CRYPT_CERTINFO_BIOMETRICINFO,
1217  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1218  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
1219  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1220  MKACL_N( /* biometricData.typeOfData */
1221  CRYPT_CERTINFO_BIOMETRICINFO_TYPE,
1222  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1223  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
1224  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1225  RANGE( 0, 1 ) ),
1226  MKACL_S( /* biometricData.hashAlgorithm */
1227  CRYPT_CERTINFO_BIOMETRICINFO_HASHALGO,
1228  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1229  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
1230  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1231  RANGE( 3, 32 ) ),
1232  MKACL_S( /* biometricData.dataHash */
1233  CRYPT_CERTINFO_BIOMETRICINFO_HASH,
1234  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1235  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
1236  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1237  RANGE( 16, CRYPT_MAX_HASHSIZE ) ),
1238  MKACL_S( /* biometricData.sourceDataUri */
1239  CRYPT_CERTINFO_BIOMETRICINFO_URL,
1240  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1241  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
1242  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1243  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
1244 
1245  /* 1 3 6 1 5 5 7 1 3 qcStatements */
1246  MKACL_B( /* Extension present flag */
1247  CRYPT_CERTINFO_QCSTATEMENT,
1248  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1249  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
1250  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1251  MKACL_S( /* qcStatement.statementInfo.semanticsIdentifier */
1252  CRYPT_CERTINFO_QCSTATEMENT_SEMANTICS,
1253  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1254  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
1255  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1256  RANGE( 3, 32 ) ),
1257  MKACL_N( /* qcStatement.statementInfo.nameRegistrationAuthorities */
1258  /* This is a GeneralName selector so it can't be written to directly */
1259  CRYPT_CERTINFO_QCSTATEMENT_REGISTRATIONAUTHORITY,
1260  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1261  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
1262  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1263  RANGE( FALSE, TRUE ) ),
1264 
1265  /* 1 3 6 1 5 5 7 1 7 ipAddrBlocks */
1266  MKACL_B( /* Extension present flag */
1267  CRYPT_CERTINFO_IPADDRESSBLOCKS,
1268  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1269  MKPERM_CERTIFICATES( Rxx_RxD ),
1270  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1271  MKACL_S( /* addressFamily */
1272  CRYPT_CERTINFO_IPADDRESSBLOCKS_ADDRESSFAMILY,
1273  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1274  MKPERM_CERTIFICATES( Rxx_RxD ),
1275  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1276  RANGE( 2, 2 ) ),
1277  MKACL_S( /* ipAddress.addressPrefix */
1278  /* See the comment in ext_def.c for the length range */
1279  CRYPT_CERTINFO_IPADDRESSBLOCKS_PREFIX,
1280  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1281  MKPERM_CERTIFICATES( Rxx_RxD ),
1282  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1283  RANGE( 3, 19 ) ),
1284  MKACL_S( /* ipAddress.addressRangeMin */
1285  CRYPT_CERTINFO_IPADDRESSBLOCKS_MIN,
1286  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1287  MKPERM_CERTIFICATES( Rxx_RxD ),
1288  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1289  RANGE( 3, 19 ) ),
1290  MKACL_S( /* ipAddress.addressRangeMax */
1291  CRYPT_CERTINFO_IPADDRESSBLOCKS_MAX,
1292  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1293  MKPERM_CERTIFICATES( Rxx_RxD ),
1294  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1295  RANGE( 3, 19 ) ),
1296 
1297  /* 1 3 6 1 5 5 7 1 8 autonomousSysIds */
1298  MKACL_B( /* Extension present flag */
1299  CRYPT_CERTINFO_AUTONOMOUSSYSIDS,
1300  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1301  MKPERM_CERTIFICATES( Rxx_RxD ),
1302  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1303  MKACL_N( /* asNum.id */
1304  /* See the comment in ext_def.c for the AS range */
1305  CRYPT_CERTINFO_AUTONOMOUSSYSIDS_ASNUM_ID,
1306  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1307  MKPERM_CERTIFICATES( Rxx_RxD ),
1308  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1309  RANGE( 1, 500000 ) ),
1310  MKACL_N( /* asNum.min */
1311  CRYPT_CERTINFO_AUTONOMOUSSYSIDS_ASNUM_MIN,
1312  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1313  MKPERM_CERTIFICATES( Rxx_RxD ),
1314  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1315  RANGE( 1, 500000 ) ),
1316  MKACL_N( /* asNum.max */
1317  CRYPT_CERTINFO_AUTONOMOUSSYSIDS_ASNUM_MAX,
1318  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1319  MKPERM_CERTIFICATES( Rxx_RxD ),
1320  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1321  RANGE( 1, 500000 ) ),
1322 
1323  /* 1 3 6 1 5 5 7 48 1 2 ocspNonce */
1324  MKACL_S( /* nonce */
1325  CRYPT_CERTINFO_OCSP_NONCE,
1326  ST_CERT_OCSP_REQ | ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
1327  MKPERM_CERTREV( Rxx_Rxx ),
1328  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1329  RANGE( 1, 64 ) ),
1330 
1331  /* 1 3 6 1 5 5 7 48 1 4 ocspAcceptableResponses */
1332  MKACL_B( /* Extension present flag */
1333  CRYPT_CERTINFO_OCSP_RESPONSE,
1334  ST_CERT_OCSP_REQ, ST_NONE, ST_NONE,
1335  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RxD ),
1336  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1337  MKACL_B( /* OCSP standard response */
1338  CRYPT_CERTINFO_OCSP_RESPONSE_OCSP,
1339  ST_CERT_OCSP_REQ, ST_NONE, ST_NONE,
1340  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RWD ),
1341  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1342 
1343  /* 1 3 6 1 5 5 7 48 1 5 ocspNoCheck */
1344  MKACL_N( /* noCheck */
1345  CRYPT_CERTINFO_OCSP_NOCHECK,
1346  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1347  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RWD ),
1348  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1349  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1350 
1351  /* 1 3 6 1 5 5 7 48 1 6 ocspArchiveCutoff */
1352  MKACL_T( /* archiveCutoff */
1353  CRYPT_CERTINFO_OCSP_ARCHIVECUTOFF,
1354  ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
1355  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RWD ),
1356  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1357 
1358  /* 1 3 6 1 5 5 7 48 1 11 subjectInfoAccess. The values are GeneralName
1359  selectors so the ACL doesn't allow writes, since they can only be
1360  used to select the GeneralName that's written to */
1361  MKACL_B( /* Extension present flag */
1362  CRYPT_CERTINFO_SUBJECTINFOACCESS,
1363  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1364  MKPERM_CERTIFICATES( Rxx_RxD ),
1365  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1366  MKACL_N( /* accessDescription.accessLocation */
1367  CRYPT_CERTINFO_SUBJECTINFO_TIMESTAMPING,
1368  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1369  MKPERM_CERTIFICATES( Rxx_RxD ),
1370  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1371  RANGE( FALSE, TRUE ) ),
1372  MKACL_N( /* accessDescription.accessLocation */
1373  CRYPT_CERTINFO_SUBJECTINFO_CAREPOSITORY,
1374  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1375  MKPERM_CERTIFICATES( Rxx_RxD ),
1376  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1377  RANGE( FALSE, TRUE ) ),
1378  MKACL_N( /* accessDescription.accessLocation */
1379  CRYPT_CERTINFO_SUBJECTINFO_SIGNEDOBJECTREPOSITORY,
1380  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1381  MKPERM_CERTIFICATES( Rxx_RxD ),
1382  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1383  RANGE( FALSE, TRUE ) ),
1384  MKACL_N( /* accessDescription.accessLocation */
1385  CRYPT_CERTINFO_SUBJECTINFO_RPKIMANIFEST,
1386  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1387  MKPERM_CERTIFICATES( Rxx_RxD ),
1388  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1389  RANGE( FALSE, TRUE ) ),
1390  MKACL_N( /* accessDescription.accessLocation */
1391  CRYPT_CERTINFO_SUBJECTINFO_SIGNEDOBJECT,
1392  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1393  MKPERM_CERTIFICATES( Rxx_RxD ),
1394  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1395  RANGE( FALSE, TRUE ) ),
1396 
1397  /* 1 3 36 8 3 1 dateOfCertGen */
1398  MKACL_T( /* dateOfCertGen */
1399  CRYPT_CERTINFO_SIGG_DATEOFCERTGEN,
1400  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1401  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1402  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1403 
1404  /* 1 3 36 8 3 2 procuration */
1405  MKACL_B( /* Extension present flag */
1406  CRYPT_CERTINFO_SIGG_PROCURATION,
1407  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1408  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RxD ),
1409  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1410  MKACL_S( /* country */
1411  CRYPT_CERTINFO_SIGG_PROCURE_COUNTRY,
1412  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1413  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1414  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1415  RANGE( 2, 2 ) ),
1416  MKACL_S( /* typeOfSubstitution */
1417  CRYPT_CERTINFO_SIGG_PROCURE_TYPEOFSUBSTITUTION,
1418  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1419  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1420  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1421  RANGE( 1, 128 ) ),
1422  MKACL_N( /* signingFor.thirdPerson */
1423  CRYPT_CERTINFO_SIGG_PROCURE_SIGNINGFOR,
1424  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1425  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RxD ),
1426  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1427  RANGE( FALSE, TRUE ) ),
1428 
1429  /* 1 3 36 8 3 3 siggAdmissions */
1430  MKACL_B( /* Extension present flag */
1431  CRYPT_CERTINFO_SIGG_ADMISSIONS,
1432  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1433  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RxD ),
1434  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1435  MKACL_N( /* authority */
1436  CRYPT_CERTINFO_SIGG_ADMISSIONS_AUTHORITY,
1437  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1438  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RxD ),
1439  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1440  RANGE( FALSE, TRUE ) ),
1441  MKACL_S( /* namingAuth.iD */
1442  CRYPT_CERTINFO_SIGG_ADMISSIONS_NAMINGAUTHID,
1443  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1444  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1445  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1446  RANGE( 3, 32 ) ),
1447  MKACL_S( /* namingAuth.uRL */
1448  CRYPT_CERTINFO_SIGG_ADMISSIONS_NAMINGAUTHURL,
1449  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1450  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1451  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1452  RANGE( 1, 128 ) ),
1453  MKACL_S( /* namingAuth.text */
1454  CRYPT_CERTINFO_SIGG_ADMISSIONS_NAMINGAUTHTEXT,
1455  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1456  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1457  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1458  RANGE( 1, 128 ) ),
1459  MKACL_S( /* professionItem */
1460  CRYPT_CERTINFO_SIGG_ADMISSIONS_PROFESSIONITEM,
1461  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1462  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1463  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1464  RANGE( 1, 128 ) ),
1465  MKACL_S( /* professionOID */
1466  CRYPT_CERTINFO_SIGG_ADMISSIONS_PROFESSIONOID,
1467  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1468  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1469  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1470  RANGE( 3, 32 ) ),
1471  MKACL_S( /* registrationNumber */
1472  CRYPT_CERTINFO_SIGG_ADMISSIONS_REGISTRATIONNUMBER,
1473  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1474  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1475  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1476  RANGE( 1, 128 ) ),
1477 
1478  /* 1 3 36 8 3 4 monetaryLimit */
1479  MKACL_B( /* Extension present flag */
1480  CRYPT_CERTINFO_SIGG_MONETARYLIMIT,
1481  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1482  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RxD ),
1483  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1484  MKACL_S( /* currency */
1485  CRYPT_CERTINFO_SIGG_MONETARY_CURRENCY,
1486  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1487  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1488  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1489  RANGE( 3, 3 ) ),
1490  MKACL_N( /* amount */
1491  CRYPT_CERTINFO_SIGG_MONETARY_AMOUNT,
1492  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1493  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1494  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1495  RANGE( 1, 255 ) ),
1496  MKACL_N( /* exponent */
1497  CRYPT_CERTINFO_SIGG_MONETARY_EXPONENT,
1498  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1499  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1500  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1501  RANGE( 0, 255 ) ),
1502 
1503  /* 1 3 36 8 3 5 declarationOfMajority */
1504  MKACL_B( /* Extension present flag */
1505  CRYPT_CERTINFO_SIGG_DECLARATIONOFMAJORITY,
1506  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1507  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RxD ),
1508  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1509  MKACL_S( /* fullAgeAtCountry */
1510  CRYPT_CERTINFO_SIGG_DECLARATIONOFMAJORITY_COUNTRY,
1511  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1512  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1513  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1514  RANGE( 2, 2 ) ),
1515 
1516  /* 1 3 36 8 3 8 restriction */
1517  MKACL_S( /* restriction */
1518  CRYPT_CERTINFO_SIGG_RESTRICTION,
1519  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1520  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1521  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1522  RANGE( 1, 128 ) ),
1523 
1524  /* 1 3 36 8 3 13 siggCertHash */
1525  MKACL_S( /* certHash */
1526  CRYPT_CERTINFO_SIGG_CERTHASH,
1527  ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
1528  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1529  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1530  RANGE( 32, MAX_ATTRIBUTE_SIZE ) ),
1531 
1532  /* 1 3 36 8 3 15 additionalInformation */
1533  MKACL_S( /* additionalInformation */
1534  CRYPT_CERTINFO_SIGG_ADDITIONALINFORMATION,
1535  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1536  MKPERM_PKIX_PARTIAL_OBSCURE( Rxx_RWD ),
1537  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1538  RANGE( 1, 128 ) ),
1539 
1540  /* 1 3 101 1 4 1 strongExtranet */
1541  MKACL_B( /* Extension present flag */
1542  CRYPT_CERTINFO_STRONGEXTRANET,
1543  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1544  MKPERM_CERT_OBSOLETE( Rxx_RxD ),
1545  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1546  MKACL_N( /* sxNetIDList.sxNetID.zone */
1547  CRYPT_CERTINFO_STRONGEXTRANET_ZONE,
1548  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1549  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
1550  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1551  RANGE( 0, RANGE_MAX ) ),
1552  MKACL_S( /* sxNetIDList.sxNetID.id */
1553  CRYPT_CERTINFO_STRONGEXTRANET_ID,
1554  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1555  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
1556  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1557  RANGE( 1, 64 ) ),
1558 
1559  /* 2 5 29 9 subjectDirectoryAttributes */
1560  MKACL_B( /* Extension present flag */
1561  CRYPT_CERTINFO_SUBJECTDIRECTORYATTRIBUTES,
1562  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1563  MKPERM_CERT_PKIX_PARTIAL( Rxx_Rxx ),
1564  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1565  MKACL_S( /* attribute.type */
1566  CRYPT_CERTINFO_SUBJECTDIR_TYPE,
1567  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1568  MKPERM_CERT_PKIX_PARTIAL( Rxx_Rxx ),
1569  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1570  RANGE( 3, 32 ) ),
1571  MKACL_S( /* attribute.values */
1572  CRYPT_CERTINFO_SUBJECTDIR_VALUES,
1573  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1574  MKPERM_CERT_PKIX_PARTIAL( Rxx_Rxx ),
1575  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1576  RANGE( 1, MAX_ATTRIBUTE_SIZE ) ),
1577 
1578  /* 2 5 29 14 subjectKeyIdentifier */
1579  MKACL_S( /* subjectKeyIdentifier */
1580  CRYPT_CERTINFO_SUBJECTKEYIDENTIFIER,
1581  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1582  MKPERM_CERTIFICATES( Rxx_RxD ),
1583  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1584  RANGE( 1, 64 ) ),
1585 
1586  /* 2 5 29 15 keyUsage */
1587  MKACL_N( /* keyUsage */
1588  CRYPT_CERTINFO_KEYUSAGE,
1589  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1590  MKPERM_CERTIFICATES( Rxx_RWD ),
1591  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1592  RANGE( CRYPT_KEYUSAGE_NONE + 1, CRYPT_KEYUSAGE_LAST + 1 ) ),
1593 
1594  /* 2 5 29 16 privateKeyUsagePeriod */
1595  MKACL_B( /* Extension present flag */
1596  CRYPT_CERTINFO_PRIVATEKEYUSAGEPERIOD,
1597  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1598  MKPERM_CERT_PKIX_PARTIAL( Rxx_RxD ),
1599  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1600  MKACL_T( /* notBefore */
1601  CRYPT_CERTINFO_PRIVATEKEY_NOTBEFORE,
1602  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1603  MKPERM_CERT_PKIX_PARTIAL( Rxx_RWD ),
1604  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1605  MKACL_T( /* notBefore */
1606  CRYPT_CERTINFO_PRIVATEKEY_NOTAFTER,
1607  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
1608  MKPERM_CERT_PKIX_PARTIAL( Rxx_RWD ),
1609  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1610 
1611  /* 2 5 29 17 subjectAltName */
1612  MKACL_N( /* subjectAltName */
1613  CRYPT_CERTINFO_SUBJECTALTNAME,
1614  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1615  MKPERM_CERTIFICATES( Rxx_RxD ),
1616  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1617  RANGE( FALSE, TRUE ) ),
1618 
1619  /* 2 5 29 18 issuerAltName */
1620  MKACL_N( /* issuerAltName */
1621  CRYPT_CERTINFO_ISSUERALTNAME,
1622  ST_CERT_ANY_CERT, ST_NONE, ST_NONE,
1623  MKPERM_CERTIFICATES( Rxx_RxD ),
1624  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1625  RANGE( FALSE, TRUE ) ),
1626 
1627  /* 2 5 29 19 basicConstraints */
1628  MKACL_B( /* Extension present flag */
1629  CRYPT_CERTINFO_BASICCONSTRAINTS,
1630  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1631  MKPERM_CERTIFICATES( Rxx_RxD ),
1632  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1633  MKACL_B( /* cA */
1634  CRYPT_CERTINFO_CA,
1635  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1636  MKPERM_CERTIFICATES( Rxx_RWD ),
1637  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1638  MKACL_N( /* pathLenConstraint */
1639  CRYPT_CERTINFO_PATHLENCONSTRAINT,
1640  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1641  MKPERM_CERTIFICATES( Rxx_RWD ),
1642  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1643  RANGE( 0, 64 ) ),
1644 
1645  /* 2 5 29 20 cRLNumber */
1646  MKACL_N( /* cRLNumber */
1647  CRYPT_CERTINFO_CRLNUMBER,
1648  ST_CERT_CRL, ST_NONE, ST_NONE,
1649  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RWD ),
1650  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1651  RANGE( 0, RANGE_MAX ) ),
1652 
1653  /* 2 5 29 21 cRLReason */
1654  MKACL_N( /* cRLReason */
1655  /* We allow a range up to the last extended reason because the cert-
1656  handling code transparently maps one to the other to provide the
1657  illusion of a unified crlReason attribute */
1658  CRYPT_CERTINFO_CRLREASON,
1659  ST_CERT_CRL | ST_CERT_REQ_REV, ST_NONE, ST_NONE,
1660  MKPERM_CERTREQ_REV( Rxx_RWD ),
1661  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1662  RANGE( CRYPT_CRLREASON_UNSPECIFIED, CRYPT_CRLEXTREASON_LAST - 1 ) ),
1663 
1664  /* 2 5 29 23 holdInstructionCode */
1665  MKACL_N( /* holdInstructionCode */
1666  CRYPT_CERTINFO_HOLDINSTRUCTIONCODE,
1667  ST_CERT_CRL | ST_CERT_REQ_REV, ST_NONE, ST_NONE,
1668  MKPERM_CERTREQ_REV_PKIX_FULL( Rxx_RWD ),
1669  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1670  RANGE( CRYPT_HOLDINSTRUCTION_NONE + 1, CRYPT_HOLDINSTRUCTION_LAST - 1 ) ),
1671 
1672  /* 2 5 29 24 invalidityDate */
1673  MKACL_T( /* invalidityDate */
1674  CRYPT_CERTINFO_INVALIDITYDATE,
1675  ST_CERT_CRL | ST_CERT_REQ_REV, ST_NONE, ST_NONE,
1676  MKPERM_CERTREQ_REV( Rxx_RWD ),
1677  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1678 
1679  /* 2 5 29 27 deltaCRLIndicator */
1680  MKACL_N( /* deltaCRLIndicator */
1681  CRYPT_CERTINFO_DELTACRLINDICATOR,
1682  ST_CERT_CRL, ST_NONE, ST_NONE,
1683  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RWD ),
1684  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1685  RANGE( 0, RANGE_MAX ) ),
1686 
1687  /* 2 5 29 28 issuingDistributionPoint */
1688  MKACL_B( /* Extension present flag */
1689  CRYPT_CERTINFO_ISSUINGDISTRIBUTIONPOINT,
1690  ST_CERT_CRL, ST_NONE, ST_NONE,
1691  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RxD ),
1692  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1693  MKACL_N( /* distributionPointName.fullName */
1694  CRYPT_CERTINFO_ISSUINGDIST_FULLNAME,
1695  ST_CERT_CRL, ST_NONE, ST_NONE,
1696  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RxD ),
1697  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1698  RANGE( FALSE, TRUE ) ),
1699  MKACL_B( /* onlyContainsUserCerts */
1700  CRYPT_CERTINFO_ISSUINGDIST_USERCERTSONLY,
1701  ST_CERT_CRL, ST_NONE, ST_NONE,
1702  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RWD ),
1703  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1704  MKACL_B( /* onlyContainsCACerts */
1705  CRYPT_CERTINFO_ISSUINGDIST_CACERTSONLY,
1706  ST_CERT_CRL, ST_NONE, ST_NONE,
1707  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RWD ),
1708  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1709  MKACL_N( /* onlySomeReasons */
1710  CRYPT_CERTINFO_ISSUINGDIST_SOMEREASONSONLY,
1711  ST_CERT_CRL, ST_NONE, ST_NONE,
1712  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RWD ),
1713  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1714  RANGE( CRYPT_CRLREASONFLAG_UNUSED, CRYPT_CRLREASONFLAG_LAST - 1 ) ),
1715  MKACL_B( /* indirectCRL */
1716  CRYPT_CERTINFO_ISSUINGDIST_INDIRECTCRL,
1717  ST_CERT_CRL, ST_NONE, ST_NONE,
1718  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RWD ),
1719  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1720 
1721  /* 2 5 29 29 certificateIssuer */
1722  MKACL_N( /* certificateIssuer */
1723  CRYPT_CERTINFO_CERTIFICATEISSUER,
1724  ST_CERT_CRL, ST_NONE, ST_NONE,
1725  MKPERM_CERTREV_PKIX_PARTIAL( Rxx_RxD ),
1726  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1727  RANGE( FALSE, TRUE ) ),
1728 
1729  /* 2 5 29 30 nameConstraints */
1730  MKACL_B( /* Extension present flag */
1731  CRYPT_CERTINFO_NAMECONSTRAINTS,
1732  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | \
1733  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1734  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
1735  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1736  MKACL_N( /* permittedSubtrees */
1737  CRYPT_CERTINFO_PERMITTEDSUBTREES,
1738  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | \
1739  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1740  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
1741  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1742  RANGE( FALSE, TRUE ) ),
1743  MKACL_N( /* excludedSubtrees */
1744  CRYPT_CERTINFO_EXCLUDEDSUBTREES,
1745  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | \
1746  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1747  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
1748  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1749  RANGE( FALSE, TRUE ) ),
1750 
1751  /* 2 5 29 31 cRLDistributionPoint */
1752  MKACL_B( /* Extension present flag */
1753  CRYPT_CERTINFO_CRLDISTRIBUTIONPOINT,
1754  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | \
1755  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1756  MKPERM_CERTIFICATES( Rxx_RxD ),
1757  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1758  MKACL_N( /* distributionPointName.fullName */
1759  CRYPT_CERTINFO_CRLDIST_FULLNAME,
1760  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | \
1761  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1762  MKPERM_CERTIFICATES( Rxx_RxD ),
1763  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1764  RANGE( FALSE, TRUE ) ),
1765  MKACL_N( /* reasons */
1766  CRYPT_CERTINFO_CRLDIST_REASONS,
1767  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | \
1768  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1769  MKPERM_CERTIFICATES( Rxx_RWD ),
1770  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1771  RANGE( CRYPT_CRLREASONFLAG_UNUSED, CRYPT_CRLREASONFLAG_LAST - 1 ) ),
1772  MKACL_N( /* cRLIssuer */
1773  CRYPT_CERTINFO_CRLDIST_CRLISSUER,
1774  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT | \
1775  ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1776  MKPERM_CERTIFICATES( Rxx_RxD ),
1777  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1778  RANGE( FALSE, TRUE ) ),
1779 
1780  /* 2 5 29 32 certificatePolicies */
1781  MKACL_B( /* Extension present flag */
1782  CRYPT_CERTINFO_CERTIFICATEPOLICIES,
1783  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1784  MKPERM_CERTIFICATES( Rxx_RxD ),
1785  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1786  MKACL_S( /* policyInformation.policyIdentifier */
1787  CRYPT_CERTINFO_CERTPOLICYID,
1788  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1789  MKPERM_CERTIFICATES( Rxx_RWD ),
1790  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1791  RANGE( 3, 32 ) ),
1792  MKACL_S( /* policyInformation.policyQualifiers.qualifier.cPSuri */
1793  CRYPT_CERTINFO_CERTPOLICY_CPSURI,
1794  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1795  MKPERM_CERTIFICATES( Rxx_RWD ),
1796  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1797  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
1798  MKACL_S( /* policyInformation.policyQualifiers.qualifier.userNotice.noticeRef.organization */
1799  CRYPT_CERTINFO_CERTPOLICY_ORGANIZATION,
1800  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1801  MKPERM_CERTIFICATES( Rxx_RWD ),
1802  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1803  RANGE( 1, 200 ) ),
1804  MKACL_N( /* policyInformation.policyQualifiers.qualifier.userNotice.noticeRef.noticeNumbers */
1805  CRYPT_CERTINFO_CERTPOLICY_NOTICENUMBERS,
1806  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1807  MKPERM_CERTIFICATES( Rxx_RWD ),
1808  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1809  RANGE( 1, 1024 ) ),
1810  MKACL_S( /* policyInformation.policyQualifiers.qualifier.userNotice.explicitText */
1811  CRYPT_CERTINFO_CERTPOLICY_EXPLICITTEXT,
1812  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1813  MKPERM_CERTIFICATES( Rxx_RWD ),
1814  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1815  RANGE( 1, 200 ) ),
1816 
1817  /* 2 5 29 33 policyMappings */
1818  MKACL_B( /* Extension present flag */
1819  CRYPT_CERTINFO_POLICYMAPPINGS,
1820  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1821  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
1822  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1823  MKACL_S( /* policyMappings.issuerDomainPolicy */
1824  CRYPT_CERTINFO_ISSUERDOMAINPOLICY,
1825  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1826  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
1827  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1828  RANGE( 3, 32 ) ),
1829  MKACL_S( /* policyMappings.subjectDomainPolicy */
1830  CRYPT_CERTINFO_SUBJECTDOMAINPOLICY,
1831  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1832  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
1833  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1834  RANGE( 3, 32 ) ),
1835 
1836  /* 2 5 29 35 authorityKeyIdentifier */
1837  MKACL_B( /* Extension present flag */
1838  CRYPT_CERTINFO_AUTHORITYKEYIDENTIFIER,
1839  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_CRL, ST_NONE, ST_NONE,
1840  MKPERM_CERT_PKIX_PARTIAL( Rxx_RxD ),
1841  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1842  MKACL_S( /* keyIdentifier */
1843  CRYPT_CERTINFO_AUTHORITY_KEYIDENTIFIER,
1844  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_CRL, ST_NONE, ST_NONE,
1845  MKPERM_CERT_PKIX_PARTIAL( Rxx_RxD ),
1846  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1847  RANGE( 1, 64 ) ),
1848  MKACL_N( /* authorityCertIssuer */
1849  CRYPT_CERTINFO_AUTHORITY_CERTISSUER,
1850  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_CRL, ST_NONE, ST_NONE,
1851  MKPERM_CERT_PKIX_PARTIAL( Rxx_RxD ),
1852  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1853  RANGE( FALSE, TRUE ) ),
1854  MKACL_S( /* authorityCertSerialNumber */
1855  CRYPT_CERTINFO_AUTHORITY_CERTSERIALNUMBER,
1856  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_CRL, ST_NONE, ST_NONE,
1857  MKPERM_CERT_PKIX_PARTIAL( Rxx_RxD ),
1858  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1859  RANGE( 1, 64 ) ),
1860 
1861  /* 2 5 29 36 policyConstraints */
1862  MKACL_B( /* Extension present flag */
1863  CRYPT_CERTINFO_POLICYCONSTRAINTS,
1864  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1865  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
1866  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
1867  MKACL_N( /* policyConstraints.requireExplicitPolicy */
1868  CRYPT_CERTINFO_REQUIREEXPLICITPOLICY,
1869  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1870  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
1871  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1872  RANGE( 0, 64 ) ),
1873  MKACL_N( /* policyConstraints.inhibitPolicyMapping */
1874  CRYPT_CERTINFO_INHIBITPOLICYMAPPING,
1875  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1876  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
1877  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1878  RANGE( 0, 64 ) ),
1879 
1880  /* 2 5 29 37 extKeyUsage */
1881  MKACL_N( /* Extension present flag */
1882  CRYPT_CERTINFO_EXTKEYUSAGE,
1883  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1884  MKPERM_CERTIFICATES( Rxx_RxD ),
1885  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1886  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1887  MKACL_N( /* individualCodeSigning */
1888  CRYPT_CERTINFO_EXTKEY_MS_INDIVIDUALCODESIGNING,
1889  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1890  MKPERM_CERTIFICATES( Rxx_RWD ),
1891  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1892  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1893  MKACL_N( /* commercialCodeSigning */
1894  CRYPT_CERTINFO_EXTKEY_MS_COMMERCIALCODESIGNING,
1895  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1896  MKPERM_CERTIFICATES( Rxx_RWD ),
1897  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1898  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1899  MKACL_N( /* certTrustListSigning */
1900  CRYPT_CERTINFO_EXTKEY_MS_CERTTRUSTLISTSIGNING,
1901  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1902  MKPERM_CERTIFICATES( Rxx_RWD ),
1903  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1904  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1905  MKACL_N( /* timeStampSigning */
1906  CRYPT_CERTINFO_EXTKEY_MS_TIMESTAMPSIGNING,
1907  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1908  MKPERM_CERTIFICATES( Rxx_RWD ),
1909  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1910  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1911  MKACL_N( /* serverGatedCrypto */
1912  CRYPT_CERTINFO_EXTKEY_MS_SERVERGATEDCRYPTO,
1913  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1914  MKPERM_CERTIFICATES( Rxx_RWD ),
1915  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1916  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1917  MKACL_N( /* encrypedFileSystem */
1918  CRYPT_CERTINFO_EXTKEY_MS_ENCRYPTEDFILESYSTEM,
1919  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1920  MKPERM_CERTIFICATES( Rxx_RWD ),
1921  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1922  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1923  MKACL_N( /* serverAuth */
1924  CRYPT_CERTINFO_EXTKEY_SERVERAUTH,
1925  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1926  MKPERM_CERTIFICATES( Rxx_RWD ),
1927  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1928  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1929  MKACL_N( /* clientAuth */
1930  CRYPT_CERTINFO_EXTKEY_CLIENTAUTH,
1931  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1932  MKPERM_CERTIFICATES( Rxx_RWD ),
1933  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1934  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1935  MKACL_N( /* codeSigning */
1936  CRYPT_CERTINFO_EXTKEY_CODESIGNING,
1937  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1938  MKPERM_CERTIFICATES( Rxx_RWD ),
1939  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1940  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1941  MKACL_N( /* emailProtection */
1942  CRYPT_CERTINFO_EXTKEY_EMAILPROTECTION,
1943  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1944  MKPERM_CERTIFICATES( Rxx_RWD ),
1945  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1946  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1947  MKACL_N( /* ipsecEndSystem */
1948  CRYPT_CERTINFO_EXTKEY_IPSECENDSYSTEM,
1949  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1950  MKPERM_CERTIFICATES( Rxx_RWD ),
1951  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1952  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1953  MKACL_N( /* ipsecTunnel */
1954  CRYPT_CERTINFO_EXTKEY_IPSECTUNNEL,
1955  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1956  MKPERM_CERTIFICATES( Rxx_RWD ),
1957  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1958  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1959  MKACL_N( /* ipsecUser */
1960  CRYPT_CERTINFO_EXTKEY_IPSECUSER,
1961  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1962  MKPERM_CERTIFICATES( Rxx_RWD ),
1963  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1964  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1965  MKACL_N( /* timeStamping */
1966  CRYPT_CERTINFO_EXTKEY_TIMESTAMPING,
1967  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1968  MKPERM_CERTIFICATES( Rxx_RWD ),
1969  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1970  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1971  MKACL_N( /* ocspSigning */
1972  CRYPT_CERTINFO_EXTKEY_OCSPSIGNING,
1973  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1974  MKPERM_CERTIFICATES( Rxx_RWD ),
1975  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1976  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1977  MKACL_N( /* directoryService */
1978  CRYPT_CERTINFO_EXTKEY_DIRECTORYSERVICE,
1979  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1980  MKPERM_CERTIFICATES( Rxx_RWD ),
1981  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1982  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1983  MKACL_N( /* anyExtendedKeyUsage */
1984  /* This extension exists solely as a bugfix for a circular
1985  definition in the PKIX RFC and introduces a number of further
1986  problems, to avoid falling into this rathole we don't allow
1987  the creation of certs with this usage type */
1988  CRYPT_CERTINFO_EXTKEY_ANYKEYUSAGE,
1989  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1990  MKPERM_CERTIFICATES( Rxx_RxD ),
1991  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1992  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1993  MKACL_N( /* serverGatedCrypto */
1994  CRYPT_CERTINFO_EXTKEY_NS_SERVERGATEDCRYPTO,
1995  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
1996  MKPERM_CERTIFICATES( Rxx_RWD ),
1997  ROUTE( OBJECT_TYPE_CERTIFICATE ),
1998  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
1999  MKACL_N( /* serverGatedCrypto CA */
2000  CRYPT_CERTINFO_EXTKEY_VS_SERVERGATEDCRYPTO_CA,
2001  ST_CERT_ANY_CERT | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
2002  MKPERM_CERTIFICATES( Rxx_RWD ),
2003  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2004  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2005 
2006  /* 2 5 29 40 crlStreamIdentifier */
2007  MKACL_N( /* crlStreamIdentifier */
2008  CRYPT_CERTINFO_CRLSTREAMIDENTIFIER,
2009  ST_CERT_CRL, ST_NONE, ST_NONE,
2010  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2011  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2012  RANGE( 0, 64 ) ),
2013 
2014  /* 2 5 29 46 freshestCRL */
2015  MKACL_B( /* Extension present flag */
2016  CRYPT_CERTINFO_FRESHESTCRL,
2017  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT, ST_NONE, ST_NONE,
2018  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
2019  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2020  MKACL_N( /* distributionPointName.fullName */
2021  CRYPT_CERTINFO_FRESHESTCRL_FULLNAME,
2022  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT, ST_NONE, ST_NONE,
2023  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
2024  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2025  RANGE( FALSE, TRUE ) ),
2026  MKACL_N( /* reasons */
2027  CRYPT_CERTINFO_FRESHESTCRL_REASONS,
2028  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT, ST_NONE, ST_NONE,
2029  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
2030  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2031  RANGE( CRYPT_CRLREASONFLAG_UNUSED, CRYPT_CRLREASONFLAG_LAST - 1 ) ),
2032  MKACL_N( /* cRLIssuer */
2033  CRYPT_CERTINFO_FRESHESTCRL_CRLISSUER,
2034  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_ATTRCERT, ST_NONE, ST_NONE,
2035  MKPERM_CERT_PKIX_FULL( Rxx_RxD ),
2036  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2037  RANGE( FALSE, TRUE ) ),
2038 
2039  /* 2 5 29 47 orderedList */
2040  MKACL_N( /* orderedList */
2041  CRYPT_CERTINFO_ORDEREDLIST,
2042  ST_CERT_CRL, ST_NONE, ST_NONE,
2043  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2044  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2045  RANGE( 0, 1 ) ),
2046 
2047  /* 2 5 29 51 baseUpdateTime */
2048  MKACL_T( /* baseUpdateTime */
2049  CRYPT_CERTINFO_BASEUPDATETIME,
2050  ST_CERT_CRL, ST_NONE, ST_NONE,
2051  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2052  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2053 
2054  /* 2 5 29 53 deltaInfo */
2055  MKACL_B( /* Extension present flag */
2056  CRYPT_CERTINFO_DELTAINFO,
2057  ST_CERT_CRL, ST_NONE, ST_NONE,
2058  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2059  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2060  MKACL_N( /* deltaLocation */
2061  CRYPT_CERTINFO_DELTAINFO_LOCATION,
2062  ST_CERT_CRL, ST_NONE, ST_NONE,
2063  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2064  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2065  RANGE( FALSE, TRUE ) ),
2066  MKACL_T( /* nextDelta */
2067  CRYPT_CERTINFO_DELTAINFO_NEXTDELTA,
2068  ST_CERT_CRL, ST_NONE, ST_NONE,
2069  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2070  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2071 
2072  /* 2 5 29 54 inhibitAnyPolicy */
2073  MKACL_N( /* inhibitAnyPolicy */
2074  CRYPT_CERTINFO_INHIBITANYPOLICY,
2075  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
2076  MKPERM_CERT_PKIX_FULL( Rxx_RWD ),
2077  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2078  RANGE( 0, 64 ) ),
2079 
2080  /* 2 5 29 58 toBeRevoked */
2081  MKACL_B( /* Extension present flag */
2082  CRYPT_CERTINFO_TOBEREVOKED,
2083  ST_CERT_CRL, ST_NONE, ST_NONE,
2084  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2085  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2086  MKACL_N( /* certificateIssuer */
2087  CRYPT_CERTINFO_TOBEREVOKED_CERTISSUER,
2088  ST_CERT_CRL, ST_NONE, ST_NONE,
2089  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2090  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2091  RANGE( FALSE, TRUE ) ),
2092  MKACL_N( /* reasonCode */
2093  CRYPT_CERTINFO_TOBEREVOKED_REASONCODE,
2094  ST_CERT_CRL, ST_NONE, ST_NONE,
2095  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2096  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2097  RANGE( CRYPT_CRLREASON_UNSPECIFIED, CRYPT_CRLEXTREASON_LAST - 1 ) ),
2098  MKACL_T( /* revocationTime */
2099  CRYPT_CERTINFO_TOBEREVOKED_REVOCATIONTIME,
2100  ST_CERT_CRL, ST_NONE, ST_NONE,
2101  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2102  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2103  MKACL_S( /* certSerialNumber */
2104  CRYPT_CERTINFO_TOBEREVOKED_CERTSERIALNUMBER,
2105  ST_CERT_CRL, ST_NONE, ST_NONE,
2106  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2107  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2108  RANGE( 1, 64 ) ),
2109 
2110  /* 2 5 29 59 revokedGroups */
2111  MKACL_B( /* Extension present flag */
2112  CRYPT_CERTINFO_REVOKEDGROUPS,
2113  ST_CERT_CRL, ST_NONE, ST_NONE,
2114  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2115  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2116  MKACL_N( /* certificateIssuer */
2117  CRYPT_CERTINFO_REVOKEDGROUPS_CERTISSUER,
2118  ST_CERT_CRL, ST_NONE, ST_NONE,
2119  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2120  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2121  RANGE( FALSE, TRUE ) ),
2122  MKACL_N( /* reasonCode */
2123  CRYPT_CERTINFO_REVOKEDGROUPS_REASONCODE,
2124  ST_CERT_CRL, ST_NONE, ST_NONE,
2125  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2126  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2127  RANGE( CRYPT_CRLREASON_UNSPECIFIED, CRYPT_CRLEXTREASON_LAST - 1 ) ),
2128  MKACL_T( /* revocationTime */
2129  CRYPT_CERTINFO_REVOKEDGROUPS_INVALIDITYDATE,
2130  ST_CERT_CRL, ST_NONE, ST_NONE,
2131  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2132  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2133  MKACL_S( /* startingNumber */
2134  CRYPT_CERTINFO_REVOKEDGROUPS_STARTINGNUMBER,
2135  ST_CERT_CRL, ST_NONE, ST_NONE,
2136  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2137  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2138  RANGE( 1, 64 ) ),
2139  MKACL_S( /* endingNumber */
2140  CRYPT_CERTINFO_REVOKEDGROUPS_ENDINGNUMBER,
2141  ST_CERT_CRL, ST_NONE, ST_NONE,
2142  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2143  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2144  RANGE( 1, 64 ) ),
2145 
2146  /* 2 5 29 60 expiredCertsOnCRL */
2147  MKACL_T( /* expiredCertsOnCRL */
2148  CRYPT_CERTINFO_EXPIREDCERTSONCRL,
2149  ST_CERT_CRL, ST_NONE, ST_NONE,
2150  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2151  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2152 
2153  /* 2 5 29 63 aaIssuingDistributionPoint */
2154  MKACL_B( /* Extension present flag */
2155  CRYPT_CERTINFO_AAISSUINGDISTRIBUTIONPOINT,
2156  ST_CERT_CRL, ST_NONE, ST_NONE,
2157  MKPERM_CERTREV_PKIX_FULL( Rxx_RxD ),
2158  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2159  MKACL_N( /* distributionPointName.fullName */
2160  CRYPT_CERTINFO_AAISSUINGDIST_FULLNAME,
2161  ST_CERT_CRL, ST_NONE, ST_NONE,
2162  MKPERM_CERTREV_PKIX_FULL( Rxx_RxD ),
2163  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2164  RANGE( FALSE, TRUE ) ),
2165  MKACL_N( /* onlySomeReasons */
2166  CRYPT_CERTINFO_AAISSUINGDIST_SOMEREASONSONLY,
2167  ST_CERT_CRL, ST_NONE, ST_NONE,
2168  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2169  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2170  RANGE( CRYPT_CRLREASONFLAG_UNUSED, CRYPT_CRLREASONFLAG_LAST - 1 ) ),
2171  MKACL_B( /* indirectCRL */
2172  CRYPT_CERTINFO_AAISSUINGDIST_INDIRECTCRL,
2173  ST_CERT_CRL, ST_NONE, ST_NONE,
2174  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2175  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2176  MKACL_B( /* containsUserAttributeCerts */
2177  CRYPT_CERTINFO_AAISSUINGDIST_USERATTRCERTS,
2178  ST_CERT_CRL, ST_NONE, ST_NONE,
2179  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2180  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2181  MKACL_B( /* containsAACerts */
2182  CRYPT_CERTINFO_AAISSUINGDIST_AACERTS,
2183  ST_CERT_CRL, ST_NONE, ST_NONE,
2184  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2185  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2186  MKACL_B( /* containsSOAPublicKeyCerts */
2187  CRYPT_CERTINFO_AAISSUINGDIST_SOACERTS,
2188  ST_CERT_CRL, ST_NONE, ST_NONE,
2189  MKPERM_CERTREV_PKIX_FULL( Rxx_RWD ),
2190  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2191 
2192  /* 2 16 840 1 113730 1 x Netscape extensions (obsolete) */
2193  MKACL_N( /* netscape-cert-type */
2194  /* This attribute can't normally be set, however when creating a
2195  template of disallowed attributes to apply to an about-to-be-
2196  issued cert we need to be able to set it to mask out any
2197  attributes of this type that may have come in via a cert
2198  request */
2199  CRYPT_CERTINFO_NS_CERTTYPE,
2200  ST_CERT_ANY_CERT, ST_NONE, ST_NONE,
2201  MKPERM_SPECIAL_CERTIFICATES( Rxx_RWx_Rxx_Rxx ), /* OBSOLETE */
2202  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2203  RANGE( CRYPT_NS_CERTTYPE_SSLCLIENT, CRYPT_NS_CERTTYPE_LAST - 1 ) ),
2204  MKACL_S( /* netscape-base-url */
2205  CRYPT_CERTINFO_NS_BASEURL,
2206  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2207  MKPERM_CERT_OBSOLETE( Rxx_Rxx ),
2208  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2209  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
2210  MKACL_S( /* netscape-revocation-url */
2211  CRYPT_CERTINFO_NS_REVOCATIONURL,
2212  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2213  MKPERM_CERT_OBSOLETE( Rxx_Rxx ),
2214  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2215  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
2216  MKACL_S( /* netscape-ca-revocation-url */
2217  CRYPT_CERTINFO_NS_CAREVOCATIONURL,
2218  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2219  MKPERM_CERT_OBSOLETE( Rxx_Rxx ),
2220  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2221  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
2222  MKACL_S( /* netscape-cert-renewal-url */
2223  CRYPT_CERTINFO_NS_CERTRENEWALURL,
2224  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2225  MKPERM_CERT_OBSOLETE( Rxx_Rxx ),
2226  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2227  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
2228  MKACL_S( /* netscape-ca-policy-url */
2229  CRYPT_CERTINFO_NS_CAPOLICYURL,
2230  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2231  MKPERM_CERT_OBSOLETE( Rxx_Rxx ),
2232  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2233  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
2234  MKACL_S( /* netscape-ssl-server-name */
2235  CRYPT_CERTINFO_NS_SSLSERVERNAME,
2236  ST_CERT_ANY_CERT, ST_NONE, ST_NONE,
2237  MKPERM_CERT_OBSOLETE( Rxx_Rxx ),
2238  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2239  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
2240  MKACL_S( /* netscape-comment */
2241  CRYPT_CERTINFO_NS_COMMENT,
2242  ST_CERT_ANY_CERT, ST_NONE, ST_NONE,
2243  MKPERM_CERT_OBSOLETE( Rxx_Rxx ),
2244  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2245  RANGE( 1, MAX_ATTRIBUTE_SIZE ) ),
2246 
2247  /* 2 23 42 7 0 SET hashedRootKey */
2248  MKACL_B( /* Extension present flag */
2249  CRYPT_CERTINFO_SET_HASHEDROOTKEY,
2250  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2251  MKPERM_CERT_OBSOLETE( Rxx_RxD ),
2252  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2253  MKACL_S( /* rootKeyThumbPrint */
2254  CRYPT_CERTINFO_SET_ROOTKEYTHUMBPRINT,
2255  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2256  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2257  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2258  RANGE( 20, 20 ) ),
2259 
2260  /* 2 23 42 7 1 SET certificateType */
2261  MKACL_N( /* certificateType */
2262  CRYPT_CERTINFO_SET_CERTIFICATETYPE,
2263  ST_CERT_CERT | ST_CERT_CERTREQ | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2264  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2265  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2266  RANGE( CRYPT_SET_CERTTYPE_CARD, CRYPT_SET_CERTTYPE_LAST - 1 ) ),
2267 
2268  /* 2 23 42 7 2 SET merchantData */
2269  MKACL_B( /* Extension present flag */
2270  CRYPT_CERTINFO_SET_MERCHANTDATA,
2271  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2272  MKPERM_CERT_OBSOLETE( Rxx_RxD ),
2273  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2274  MKACL_S( /* merID */
2275  CRYPT_CERTINFO_SET_MERID,
2276  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2277  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2278  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2279  RANGE( 1, 30 ) ),
2280  MKACL_S( /* merAcquirerBIN */
2281  CRYPT_CERTINFO_SET_MERACQUIRERBIN,
2282  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2283  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2284  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2285  RANGE( 6, 6 ) ),
2286  MKACL_S( /* merNames.language */
2287  CRYPT_CERTINFO_SET_MERCHANTLANGUAGE,
2288  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2289  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2290  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2291  RANGE( 1, 35 ) ),
2292  MKACL_S( /* merNames.name */
2293  CRYPT_CERTINFO_SET_MERCHANTNAME,
2294  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2295  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2296  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2297  RANGE( 1, 50 ) ),
2298  MKACL_S( /* merNames.city */
2299  CRYPT_CERTINFO_SET_MERCHANTCITY,
2300  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2301  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2302  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2303  RANGE( 1, 50 ) ),
2304  MKACL_S( /* merNames.stateProvince */
2305  CRYPT_CERTINFO_SET_MERCHANTSTATEPROVINCE,
2306  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2307  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2308  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2309  RANGE( 1, 50 ) ),
2310  MKACL_S( /* merNames.postalCode */
2311  CRYPT_CERTINFO_SET_MERCHANTPOSTALCODE,
2312  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2313  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2314  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2315  RANGE( 1, 50 ) ),
2316  MKACL_S( /* merNames.countryName */
2317  CRYPT_CERTINFO_SET_MERCHANTCOUNTRYNAME,
2318  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2319  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2320  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2321  RANGE( 1, 50 ) ),
2322  MKACL_N( /* merCountry */
2323  CRYPT_CERTINFO_SET_MERCOUNTRY,
2324  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2325  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2326  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2327  RANGE( 1, 999 ) ),
2328  MKACL_B( /* merAuthFlag */
2329  CRYPT_CERTINFO_SET_MERAUTHFLAG,
2330  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2331  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2332  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2333 
2334  /* 2 23 42 7 3 SET certCardRequired */
2335  MKACL_B( /* certCardRequired */
2336  CRYPT_CERTINFO_SET_CERTCARDREQUIRED,
2337  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2338  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2339  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2340 
2341  /* 2 23 42 7 4 SET tunneling */
2342  MKACL_B( /* Extension present flag */
2343  CRYPT_CERTINFO_SET_TUNNELING,
2344  ST_CERT_CERT | ST_CERT_CERTREQ | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2345  MKPERM_CERT_OBSOLETE( Rxx_RxD ),
2346  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2347  MKACL_B( /* tunneling */
2348  CRYPT_CERTINFO_SET_TUNNELINGFLAG,
2349  ST_CERT_CERT | ST_CERT_CERTREQ | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2350  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2351  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2352  MKACL_S( /* tunnelingAlgID */
2353  CRYPT_CERTINFO_SET_TUNNELINGALGID,
2354  ST_CERT_CERT | ST_CERT_CERTREQ | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
2355  MKPERM_CERT_OBSOLETE( Rxx_RWD ),
2356  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2357  RANGE( 3, 32 ) ),
2358  MKACL_END(), MKACL_END()
2359  };
2360 
2361 /* Certificate: S/MIME attributes */
2362 
2363 static const ATTRIBUTE_ACL FAR_BSS certSmimeACL[] = {
2364  /* 1 2 840 113549 1 9 3 contentType */
2365  MKACL_EX( /* contentType */
2366  CRYPT_CERTINFO_CMS_CONTENTTYPE, ATTRIBUTE_VALUE_NUMERIC,
2367  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2368  MKPERM_CMSATTR( Rxx_RWD ), 0,
2369  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2370  RANGE_SUBRANGES, allowedContentTypeSubranges ),
2371 
2372  /* 1 2 840 113549 1 9 4 messageDigest */
2373  MKACL_S( /* messageDigest */
2374  CRYPT_CERTINFO_CMS_MESSAGEDIGEST,
2375  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2376  MKPERM_CMSATTR( Rxx_RWD ),
2377  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2378  RANGE( 16, CRYPT_MAX_HASHSIZE ) ),
2379 
2380  /* 1 2 840 113549 1 9 5 signingTime */
2381  MKACL_T( /* signingTime */
2382  CRYPT_CERTINFO_CMS_SIGNINGTIME,
2383  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2384  MKPERM_SPECIAL_CMSATTR( Rxx_RWD_Rxx_Rxx ),
2385  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2386 
2387  /* 1 2 840 113549 1 9 6 counterSignature */
2388  MKACL_S( /* counterSignature */
2389  CRYPT_CERTINFO_CMS_COUNTERSIGNATURE,
2390  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2391  MKPERM_CMSATTR_OBSCURE( Rxx_xxx ),
2392  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2393  RANGE( 64, MAX_ATTRIBUTE_SIZE ) ),
2394 
2395  /* 1 2 840 113549 1 9 13 signingDescription */
2396  MKACL_S( /* counterSignature */
2397  CRYPT_CERTINFO_CMS_SIGNINGDESCRIPTION,
2398  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2399  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2400  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2401  RANGE( 1, MAX_ATTRIBUTE_SIZE ) ),
2402 
2403  /* 1 2 840 113549 1 9 15 sMIMECapabilities */
2404  MKACL_B( /* Extension present flag */
2405  CRYPT_CERTINFO_CMS_SMIMECAPABILITIES,
2406  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2407  MKPERM_CMSATTR( Rxx_RxD ),
2408  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2409  MKACL_N( /* 3DES encryption */
2410  CRYPT_CERTINFO_CMS_SMIMECAP_3DES,
2411  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2412  MKPERM_CMSATTR( Rxx_RWD ),
2413  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2414  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2415  MKACL_N( /* AES encryption */
2416  CRYPT_CERTINFO_CMS_SMIMECAP_AES,
2417  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2418  MKPERM_CMSATTR( Rxx_RWD ),
2419  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2420  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2421  MKACL_N( /* CAST-128 encryption */
2422  CRYPT_CERTINFO_CMS_SMIMECAP_CAST128,
2423  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2424  MKPERM_CMSATTR( Rxx_RWD ),
2425  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2426  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2427  MKACL_N( /* IDEA encryption */
2428  CRYPT_CERTINFO_CMS_SMIMECAP_IDEA,
2429  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2430  MKPERM_CMSATTR( Rxx_RWD ),
2431  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2432  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2433  MKACL_N( /* RC2 encryption (w.128 key) */
2434  CRYPT_CERTINFO_CMS_SMIMECAP_RC2,
2435  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2436  MKPERM_CMSATTR( Rxx_RWD ),
2437  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2438  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2439  MKACL_N( /* RC5 encryption (w.128 key) */
2440  CRYPT_CERTINFO_CMS_SMIMECAP_RC5,
2441  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2442  MKPERM_CMSATTR( Rxx_RWD ),
2443  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2444  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2445  MKACL_N( /* Skipjack encryption */
2446  CRYPT_CERTINFO_CMS_SMIMECAP_SKIPJACK,
2447  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2448  MKPERM_CMSATTR( Rxx_RWD ),
2449  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2450  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2451  MKACL_N( /* DES encryption */
2452  CRYPT_CERTINFO_CMS_SMIMECAP_DES,
2453  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2454  MKPERM_CMSATTR( Rxx_RWD ),
2455  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2456  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2457  MKACL_N( /* SHA2-ng hash */
2458  CRYPT_CERTINFO_CMS_SMIMECAP_SHAng,
2459  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2460  MKPERM_CMSATTR( Rxx_RWD ),
2461  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2462  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2463  MKACL_N( /* SHA2-256 hash */
2464  CRYPT_CERTINFO_CMS_SMIMECAP_SHA2,
2465  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2466  MKPERM_CMSATTR( Rxx_RWD ),
2467  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2468  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2469  MKACL_N( /* SHA1 hash */
2470  CRYPT_CERTINFO_CMS_SMIMECAP_SHA1,
2471  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2472  MKPERM_CMSATTR( Rxx_RWD ),
2473  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2474  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2475  MKACL_N( /* HMAC-SHA2-ng MAC */
2476  CRYPT_CERTINFO_CMS_SMIMECAP_HMAC_SHAng,
2477  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2478  MKPERM_CMSATTR( Rxx_RWD ),
2479  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2480  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2481  MKACL_N( /* HMAC-SHA2-256 MAC */
2482  CRYPT_CERTINFO_CMS_SMIMECAP_HMAC_SHA2,
2483  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2484  MKPERM_CMSATTR( Rxx_RWD ),
2485  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2486  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2487  MKACL_N( /* HMAC-SHA1 MAC */
2488  CRYPT_CERTINFO_CMS_SMIMECAP_HMAC_SHA1,
2489  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2490  MKPERM_CMSATTR( Rxx_RWD ),
2491  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2492  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2493  MKACL_N( /* AuthEnc w.256-bit key */
2494  CRYPT_CERTINFO_CMS_SMIMECAP_AUTHENC256,
2495  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2496  MKPERM_CMSATTR( Rxx_RWD ),
2497  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2498  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2499  MKACL_N( /* AuthEnc w.128-bit key */
2500  CRYPT_CERTINFO_CMS_SMIMECAP_AUTHENC128,
2501  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2502  MKPERM_CMSATTR( Rxx_RWD ),
2503  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2504  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2505  MKACL_N( /* RSA with SHA-ng signing */
2506  CRYPT_CERTINFO_CMS_SMIMECAP_RSA_SHAng,
2507  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2508  MKPERM_CMSATTR( Rxx_RWD ),
2509  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2510  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2511  MKACL_N( /* RSA with SHA2-256 signing */
2512  CRYPT_CERTINFO_CMS_SMIMECAP_RSA_SHA2,
2513  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2514  MKPERM_CMSATTR( Rxx_RWD ),
2515  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2516  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2517  MKACL_N( /* RSA with SHA1 signing */
2518  CRYPT_CERTINFO_CMS_SMIMECAP_RSA_SHA1,
2519  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2520  MKPERM_CMSATTR( Rxx_RWD ),
2521  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2522  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2523  MKACL_N( /* DSA with SHA-1 signing */
2524  CRYPT_CERTINFO_CMS_SMIMECAP_DSA_SHA1,
2525  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2526  MKPERM_CMSATTR( Rxx_RWD ),
2527  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2528  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2529  MKACL_N( /* ECDSA with SHA-ng signing */
2530  CRYPT_CERTINFO_CMS_SMIMECAP_ECDSA_SHAng,
2531  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2532  MKPERM_CMSATTR( Rxx_RWD ),
2533  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2534  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2535  MKACL_N( /* ECDSA with SHA2-256 signing */
2536  CRYPT_CERTINFO_CMS_SMIMECAP_ECDSA_SHA2,
2537  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2538  MKPERM_CMSATTR( Rxx_RWD ),
2539  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2540  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2541  MKACL_N( /* ECDSA with SHA-1 signing */
2542  CRYPT_CERTINFO_CMS_SMIMECAP_ECDSA_SHA1,
2543  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2544  MKPERM_CMSATTR( Rxx_RWD ),
2545  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2546  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2547  MKACL_N( /* preferSignedData */
2548  CRYPT_CERTINFO_CMS_SMIMECAP_PREFERSIGNEDDATA,
2549  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2550  MKPERM_CMSATTR( Rxx_RWD ),
2551  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2552  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2553  MKACL_N( /* canNotDecryptAny */
2554  CRYPT_CERTINFO_CMS_SMIMECAP_CANNOTDECRYPTANY,
2555  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2556  MKPERM_CMSATTR( Rxx_RWD ),
2557  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2558  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2559  MKACL_N( /* preferBinaryInside */
2560  CRYPT_CERTINFO_CMS_SMIMECAP_PREFERBINARYINSIDE,
2561  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2562  MKPERM_CMSATTR( Rxx_RWD ),
2563  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2564  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2565 
2566  /* 1 2 840 113549 1 9 16 2 1 receiptRequest */
2567  MKACL_B( /* Extension present flag */
2568  CRYPT_CERTINFO_CMS_RECEIPTREQUEST,
2569  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2570  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2571  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2572  MKACL_S( /* contentIdentifier */
2573  CRYPT_CERTINFO_CMS_RECEIPT_CONTENTIDENTIFIER,
2574  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2575  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2576  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2577  RANGE( 16, 64 ) ),
2578  MKACL_N( /* receiptsFrom */
2579  CRYPT_CERTINFO_CMS_RECEIPT_FROM,
2580  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2581  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2582  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2583  RANGE( 0, 1 ) ),
2584  MKACL_N( /* receiptsTo */
2585  CRYPT_CERTINFO_CMS_RECEIPT_TO,
2586  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2587  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2588  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2589  RANGE( FALSE, TRUE ) ),
2590 
2591  /* 1 2 840 113549 1 9 16 2 2 essSecurityLabel */
2592  MKACL_B( /* Extension present flag */
2593  CRYPT_CERTINFO_CMS_SECURITYLABEL,
2594  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2595  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2596  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2597  MKACL_S( /* securityPolicyIdentifier */
2598  CRYPT_CERTINFO_CMS_SECLABEL_POLICY,
2599  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2600  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2601  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2602  RANGE( 3, 32 ) ),
2603  MKACL_N( /* securityClassification */
2604  CRYPT_CERTINFO_CMS_SECLABEL_CLASSIFICATION,
2605  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2606  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2607  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2608  RANGE( CRYPT_CLASSIFICATION_UNMARKED, CRYPT_CLASSIFICATION_LAST ) ),
2609  MKACL_S( /* privacyMark */
2610  CRYPT_CERTINFO_CMS_SECLABEL_PRIVACYMARK,
2611  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2612  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2613  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2614  RANGE( 1, 64 ) ),
2615  MKACL_S( /* securityCategories.securityCategory.type */
2616  CRYPT_CERTINFO_CMS_SECLABEL_CATTYPE,
2617  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2618  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2619  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2620  RANGE( 3, 32 ) ),
2621  MKACL_S( /* securityCategories.securityCategory.value */
2622  CRYPT_CERTINFO_CMS_SECLABEL_CATVALUE,
2623  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2624  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2625  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2626  RANGE( 1, 512 ) ),
2627 
2628  /* 1 2 840 113549 1 9 16 2 3 mlExpansionHistory */
2629  MKACL_B( /* Extension present flag */
2630  CRYPT_CERTINFO_CMS_MLEXPANSIONHISTORY,
2631  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2632  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2633  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2634  MKACL_S( /* mlData.mailListIdentifier.issuerAndSerialNumber */
2635  CRYPT_CERTINFO_CMS_MLEXP_ENTITYIDENTIFIER,
2636  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2637  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2638  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2639  RANGE( 1, 512 ) ),
2640  MKACL_T( /* mlData.expansionTime */
2641  CRYPT_CERTINFO_CMS_MLEXP_TIME,
2642  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2643  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2644  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2645  MKACL_N( /* mlData.mlReceiptPolicy.none */
2646  CRYPT_CERTINFO_CMS_MLEXP_NONE,
2647  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2648  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2649  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2650  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2651  MKACL_N( /* mlData.mlReceiptPolicy.insteadOf.generalNames.generalName */
2652  CRYPT_CERTINFO_CMS_MLEXP_INSTEADOF,
2653  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2654  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2655  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2656  RANGE( FALSE, TRUE ) ),
2657  MKACL_N( /* mlData.mlReceiptPolicy.inAdditionTo.generalNames.generalName */
2658  CRYPT_CERTINFO_CMS_MLEXP_INADDITIONTO,
2659  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2660  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2661  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2662  RANGE( FALSE, TRUE ) ),
2663 
2664  /* 1 2 840 113549 1 9 16 2 4 contentHints */
2665  MKACL_B( /* Extension present flag */
2666  CRYPT_CERTINFO_CMS_CONTENTHINTS,
2667  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2668  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2669  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2670  MKACL_S( /* contentDescription */
2671  CRYPT_CERTINFO_CMS_CONTENTHINT_DESCRIPTION,
2672  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2673  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2674  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2675  RANGE( 1, 64 ) ),
2676  MKACL_N( /* contentType */
2677  CRYPT_CERTINFO_CMS_CONTENTHINT_TYPE,
2678  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2679  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2680  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2681  RANGE( CRYPT_CONTENT_DATA, CRYPT_CONTENT_LAST - 1 ) ),
2682 
2683  /* 1 2 840 113549 1 9 16 2 9 equivalentLabels */
2684  MKACL_B( /* Extension present flag */
2685  CRYPT_CERTINFO_CMS_EQUIVALENTLABEL,
2686  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2687  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2688  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2689  MKACL_S( /* securityPolicyIdentifier */
2690  CRYPT_CERTINFO_CMS_EQVLABEL_POLICY,
2691  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2692  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2693  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2694  RANGE( 3, 32 ) ),
2695  MKACL_N( /* securityClassification */
2696  CRYPT_CERTINFO_CMS_EQVLABEL_CLASSIFICATION,
2697  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2698  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2699  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2700  RANGE( CRYPT_CLASSIFICATION_UNMARKED, CRYPT_CLASSIFICATION_LAST ) ),
2701  MKACL_S( /* privacyMark */
2702  CRYPT_CERTINFO_CMS_EQVLABEL_PRIVACYMARK,
2703  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2704  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2705  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2706  RANGE( 1, 64 ) ),
2707  MKACL_S( /* securityCategories.securityCategory.type */
2708  CRYPT_CERTINFO_CMS_EQVLABEL_CATTYPE,
2709  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2710  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2711  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2712  RANGE( 3, 32 ) ),
2713  MKACL_S( /* securityCategories.securityCategory.value */
2714  CRYPT_CERTINFO_CMS_EQVLABEL_CATVALUE,
2715  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2716  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2717  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2718  RANGE( 1, 512 ) ),
2719 
2720  /* 1 2 840 113549 1 9 16 2 12 signingCertificate */
2721  MKACL_B( /* Extension present flag */
2722  CRYPT_CERTINFO_CMS_SIGNINGCERTIFICATE,
2723  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2724  MKPERM_CMSATTR_OBSCURE_TSP( Rxx_RxD ),
2725  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2726  MKACL_S( /* certs.essCertID */
2727  CRYPT_CERTINFO_CMS_SIGNINGCERT_ESSCERTID,
2728  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2729  MKPERM_CMSATTR_OBSCURE_TSP( Rxx_RWD ),
2730  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2731  RANGE( 32, MAX_ATTRIBUTE_SIZE ) ),
2732  MKACL_S( /* policies.policyInformation.policyIdentifier */
2733  CRYPT_CERTINFO_CMS_SIGNINGCERT_POLICIES,
2734  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2735  MKPERM_CMSATTR_OBSCURE_TSP( Rxx_RWD ),
2736  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2737  RANGE( 3, 32 ) ),
2738 
2739  /* 1 2 840 113549 1 9 16 2 47 signingCertificateV2 */
2740  MKACL_B( /* Extension present flag */
2741  CRYPT_CERTINFO_CMS_SIGNINGCERTIFICATEV2,
2742  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2743  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2744  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2745  MKACL_S( /* certs.essCertID */
2746  CRYPT_CERTINFO_CMS_SIGNINGCERTV2_ESSCERTIDV2,
2747  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2748  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2749  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2750  RANGE( 32, MAX_ATTRIBUTE_SIZE ) ),
2751  MKACL_S( /* policies.policyInformation.policyIdentifier */
2752  CRYPT_CERTINFO_CMS_SIGNINGCERTV2_POLICIES,
2753  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2754  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2755  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2756  RANGE( 3, 32 ) ),
2757 
2758  /* 1 2 840 113549 1 9 16 2 15 signaturePolicyID */
2759  MKACL_B( /* Extension present flag */
2760  CRYPT_CERTINFO_CMS_SIGNATUREPOLICYID,
2761  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2762  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2763  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2764  MKACL_S( /* signaturePolicyID.sigPolicyID */
2765  CRYPT_CERTINFO_CMS_SIGPOLICYID,
2766  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2767  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2768  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2769  RANGE( 3, 32 ) ),
2770  MKACL_S( /* signaturePolicyID.sigPolicyHash */
2771  CRYPT_CERTINFO_CMS_SIGPOLICYHASH,
2772  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2773  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2774  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2775  RANGE( 32, MAX_ATTRIBUTE_SIZE ) ),
2776  MKACL_S( /* signaturePolicyID.sigPolicyQualifiers.sigPolicyQualifier.cPSuri */
2777  CRYPT_CERTINFO_CMS_SIGPOLICY_CPSURI,
2778  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2779  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2780  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2781  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
2782  MKACL_S( /* signaturePolicyID.sigPolicyQualifiers.sigPolicyQualifier.userNotice.noticeRef.organization */
2783  CRYPT_CERTINFO_CMS_SIGPOLICY_ORGANIZATION,
2784  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2785  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2786  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2787  RANGE( 1, 200 ) ),
2788  MKACL_N( /* signaturePolicyID.sigPolicyQualifiers.sigPolicyQualifier.userNotice.noticeRef.noticeNumbers */
2789  CRYPT_CERTINFO_CMS_SIGPOLICY_NOTICENUMBERS,
2790  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2791  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2792  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2793  RANGE( 1, 1024 ) ),
2794  MKACL_S( /* signaturePolicyID.sigPolicyQualifiers.sigPolicyQualifier.userNotice.explicitText */
2795  CRYPT_CERTINFO_CMS_SIGPOLICY_EXPLICITTEXT,
2796  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2797  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2798  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2799  RANGE( 1, 200 ) ),
2800 
2801  /* 1 2 840 113549 1 9 16 9 signatureTypeIdentifier */
2802  MKACL_B( /* Extension present flag */
2803  CRYPT_CERTINFO_CMS_SIGTYPEIDENTIFIER,
2804  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2805  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2806  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2807  MKACL_N( /* originatorSig */
2808  CRYPT_CERTINFO_CMS_SIGTYPEID_ORIGINATORSIG,
2809  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2810  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2811  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2812  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2813  MKACL_N( /* domainSig */
2814  CRYPT_CERTINFO_CMS_SIGTYPEID_DOMAINSIG,
2815  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2816  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2817  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2818  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2819  MKACL_N( /* additionalAttributesSig */
2820  CRYPT_CERTINFO_CMS_SIGTYPEID_ADDITIONALATTRIBUTES,
2821  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2822  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2823  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2824  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2825  MKACL_N( /* reviewSig */
2826  CRYPT_CERTINFO_CMS_SIGTYPEID_REVIEWSIG,
2827  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2828  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2829  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2830  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2831 
2832  /* 1 2 840 113549 1 9 25 3 randomNonce */
2833  MKACL_S( /* randomNonce */
2834  /* This is valid in RTCS requests, which are occasionally
2835  communicated using a CMS content-type that can't provide
2836  attributes so they need to be bundled with the request instead */
2837  CRYPT_CERTINFO_CMS_NONCE,
2838  ST_CERT_CMSATTR | ST_CERT_RTCS_REQ, ST_NONE, ST_NONE,
2839  MKPERM_CERTVAL( Rxx_RWD ),
2840  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2841  RANGE( 4, CRYPT_MAX_HASHSIZE ) ),
2842 
2843  /* SCEP attributes:
2844  2 16 840 1 113733 1 9 2 messageType
2845  2 16 840 1 113733 1 9 3 pkiStatus
2846  2 16 840 1 113733 1 9 4 failInfo
2847  2 16 840 1 113733 1 9 5 senderNonce
2848  2 16 840 1 113733 1 9 6 recipientNonce
2849  2 16 840 1 113733 1 9 7 transID */
2850  MKACL_S( /* messageType */
2851  CRYPT_CERTINFO_SCEP_MESSAGETYPE,
2852  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2853  MKPERM_SCEP( Rxx_RWD ),
2854  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2855  RANGE( 1, 2 ) ),
2856  MKACL_S( /* pkiStatus */
2857  CRYPT_CERTINFO_SCEP_PKISTATUS,
2858  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2859  MKPERM_SCEP( Rxx_RWD ),
2860  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2861  RANGE( 1, 1 ) ),
2862  MKACL_S( /* failInfo */
2863  CRYPT_CERTINFO_SCEP_FAILINFO,
2864  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2865  MKPERM_SCEP( Rxx_RWD ),
2866  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2867  RANGE( 1, 1 ) ),
2868  MKACL_S( /* senderNonce */
2869  CRYPT_CERTINFO_SCEP_SENDERNONCE,
2870  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2871  MKPERM_SCEP( Rxx_RWD ),
2872  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2873  RANGE( 8, CRYPT_MAX_HASHSIZE ) ),
2874  MKACL_S( /* recipientNonce */
2875  CRYPT_CERTINFO_SCEP_RECIPIENTNONCE,
2876  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2877  MKPERM_SCEP( Rxx_RWD ),
2878  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2879  RANGE( 8, CRYPT_MAX_HASHSIZE ) ),
2880  MKACL_S( /* transID */
2881  CRYPT_CERTINFO_SCEP_TRANSACTIONID,
2882  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2883  MKPERM_SCEP( Rxx_RWD ),
2884  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2885  RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
2886 
2887  /* 1 3 6 1 4 1 311 2 1 10 spcAgencyInfo */
2888  MKACL_B( /* Extension present flag */
2889  CRYPT_CERTINFO_CMS_SPCAGENCYINFO,
2890  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2891  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2892  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2893  MKACL_S( /* spcAgencyInfo.url */
2894  CRYPT_CERTINFO_CMS_SPCAGENCYURL,
2895  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2896  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2897  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2898  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
2899 
2900  /* 1 3 6 1 4 1 311 2 1 11 spcStatementType */
2901  MKACL_B( /* Extension present flag */
2902  CRYPT_CERTINFO_CMS_SPCSTATEMENTTYPE,
2903  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2904  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2905  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2906  MKACL_N( /* individualCodeSigning */
2907  CRYPT_CERTINFO_CMS_SPCSTMT_INDIVIDUALCODESIGNING,
2908  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2909  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2910  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2911  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2912  MKACL_N( /* commercialCodeSigning */
2913  CRYPT_CERTINFO_CMS_SPCSTMT_COMMERCIALCODESIGNING,
2914  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2915  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2916  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2917  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
2918 
2919  /* 1 3 6 1 4 1 311 2 1 12 spcOpusInfo */
2920  MKACL_B( /* Extension present flag */
2921  CRYPT_CERTINFO_CMS_SPCOPUSINFO,
2922  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2923  MKPERM_CMSATTR_OBSCURE( Rxx_RxD ),
2924  ROUTE( OBJECT_TYPE_CERTIFICATE ) ),
2925  MKACL_S( /* spcOpusInfo.name */
2926  CRYPT_CERTINFO_CMS_SPCOPUSINFO_NAME,
2927  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2928  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2929  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2930  RANGE( 2, 128 ) ),
2931  MKACL_S( /* spcOpusInfo.url */
2932  CRYPT_CERTINFO_CMS_SPCOPUSINFO_URL,
2933  ST_CERT_CMSATTR, ST_NONE, ST_NONE,
2934  MKPERM_CMSATTR_OBSCURE( Rxx_RWD ),
2935  ROUTE( OBJECT_TYPE_CERTIFICATE ),
2936  RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
2937  MKACL_END(), MKACL_END()
2938  };
2939 
2940 /****************************************************************************
2941 * *
2942 * Keyset ACLs *
2943 * *
2944 ****************************************************************************/
2945 
2946 /* Keyset attributes */
2947 
2948 static const ATTRIBUTE_ACL FAR_BSS keysetACL[] = {
2949  MKACL_S( /* Keyset query */
2950  CRYPT_KEYINFO_QUERY,
2951  ST_NONE, ST_KEYSET_DBMS, ST_NONE,
2952  MKPERM_DBMS( xWx_xWx ),
2953  ROUTE( OBJECT_TYPE_KEYSET ),
2954  RANGE( 6, CRYPT_MAX_TEXTSIZE ) ),
2955  MKACL_S( /* Query of requests in cert store */
2956  CRYPT_KEYINFO_QUERY_REQUESTS,
2957  ST_NONE, ST_KEYSET_DBMS_STORE, ST_NONE,
2958  MKPERM_DBMS( xWx_xWx ),
2959  ROUTE( OBJECT_TYPE_KEYSET ),
2960  RANGE( 6, CRYPT_MAX_TEXTSIZE ) ),
2961  MKACL_END(), MKACL_END()
2962  };
2963 
2964 /****************************************************************************
2965 * *
2966 * Device ACLs *
2967 * *
2968 ****************************************************************************/
2969 
2970 /* Device attributes */
2971 
2972 static const ATTRIBUTE_ACL FAR_BSS deviceACL[] = {
2973  MKACL_S_EX( /* Initialise device for use */
2974  CRYPT_DEVINFO_INITIALISE,
2975  ST_NONE, ST_DEV_ANY_STD, ST_NONE,
2976  MKPERM( xWx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
2977  ROUTE( OBJECT_TYPE_DEVICE ),
2978  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
2979  MKACL_S_EX( /* Authenticate user to device */
2980  /* This is allowed in both the low and high states since the device
2981  may be in the SSO initialised state and all we're doing is
2982  switching it to the user initialised state */
2983  CRYPT_DEVINFO_AUTHENT_USER,
2984  ST_NONE, ST_DEV_ANY_STD, ST_NONE,
2985  MKPERM( xWx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
2986  ROUTE( OBJECT_TYPE_DEVICE ),
2987  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
2988  MKACL_S_EX( /* Authenticate supervisor to dev.*/
2989  CRYPT_DEVINFO_AUTHENT_SUPERVISOR,
2990  ST_NONE, ST_DEV_ANY_STD, ST_NONE,
2991  MKPERM( xxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
2992  ROUTE( OBJECT_TYPE_DEVICE ),
2993  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
2994  MKACL_S( /* Set user authent.value */
2995  CRYPT_DEVINFO_SET_AUTHENT_USER,
2996  ST_NONE, ST_DEV_ANY_STD, ST_NONE,
2997  MKPERM( xWx_xxx ),
2998  ROUTE( OBJECT_TYPE_DEVICE ),
2999  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3000  MKACL_S( /* Set supervisor auth.val.*/
3001  CRYPT_DEVINFO_SET_AUTHENT_SUPERVISOR,
3002  ST_NONE, ST_DEV_ANY_STD, ST_NONE,
3003  MKPERM( xWx_xxx ),
3004  ROUTE( OBJECT_TYPE_DEVICE ),
3005  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3006  MKACL_S( /* Zeroise device */
3007  CRYPT_DEVINFO_ZEROISE,
3008  ST_NONE, ST_DEV_ANY_STD, ST_NONE,
3009  MKPERM( xWx_xWx ),
3010  ROUTE( OBJECT_TYPE_DEVICE ),
3011  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3012  MKACL_B( /* Whether user is logged in */
3013  CRYPT_DEVINFO_LOGGEDIN,
3014  ST_NONE, ST_DEV_ANY_STD, ST_NONE,
3015  MKPERM( Rxx_Rxx ),
3016  ROUTE( OBJECT_TYPE_DEVICE ) ),
3017  MKACL_S( /* Device/token label */
3018  CRYPT_DEVINFO_LABEL,
3019  ST_NONE, ST_DEV_ANY_STD, ST_NONE,
3020  MKPERM( Rxx_Rxx ),
3021  ROUTE( OBJECT_TYPE_DEVICE ),
3022  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3023  MKACL_END(), MKACL_END()
3024  };
3025 
3026 /****************************************************************************
3027 * *
3028 * Envelope ACLs *
3029 * *
3030 ****************************************************************************/
3031 
3032 static const RANGE_SUBRANGE_TYPE FAR_BSS allowedSigResultSubranges[] = {
3033  /* We make the error subrange start at CRYPT_ERROR_MEMORY rather than
3034  the generic CRYPT_ERROR_PARAM1, which is the same as CRYPT_ERROR,
3035  the end-of-range marker */
3036  { CRYPT_OK, CRYPT_OK },
3037  { CRYPT_ERROR_MEMORY, CRYPT_ENVELOPE_RESOURCE },
3038  { CRYPT_ERROR, CRYPT_ERROR }
3039  };
3040 
3041 static const ATTRIBUTE_ACL FAR_BSS subACL_EnvinfoContentType[] = {
3042 #if 0
3043  MKACL_N( /* Envelope: Read/write */
3044  CRYPT_ENVINFO_CONTENTTYPE,
3045  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_NONE,
3046  MKPERM_ENVELOPE( Rxx_RWx ),
3047  ROUTE( OBJECT_TYPE_ENVELOPE ),
3048  RANGE_SUBRANGES, allowedContentTypeSubranges ),
3049  RANGE( CRYPT_CONTENT_NONE + 1, CRYPT_CONTENT_LAST - 1 ) ),
3050  MKACL_N( /* Deenvelope: Read-only */
3051  CRYPT_ENVINFO_CONTENTTYPE,
3052  ST_NONE, ST_ENV_DEENV, ST_NONE,
3053  MKPERM_ENVELOPE( Rxx_xxx ),
3054  ROUTE( OBJECT_TYPE_ENVELOPE ),
3055  RANGE( CRYPT_CONTENT_NONE + 1, CRYPT_CONTENT_LAST - 1 ) ),
3056 #else
3057  MKACL_EX( /* Envelope: Read/write */
3058  CRYPT_ENVINFO_CONTENTTYPE, ATTRIBUTE_VALUE_NUMERIC,
3059  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_NONE,
3060  MKPERM_ENVELOPE( Rxx_RWx ), 0,
3061  ROUTE( OBJECT_TYPE_ENVELOPE ),
3062  RANGE_SUBRANGES, allowedContentTypeSubranges ),
3063  MKACL_EX( /* Deenvelope: Read-only */
3064  CRYPT_ENVINFO_CONTENTTYPE, ATTRIBUTE_VALUE_NUMERIC,
3065  ST_NONE, ST_ENV_DEENV, ST_NONE,
3066  MKPERM_ENVELOPE( Rxx_xxx ), 0,
3067  ROUTE( OBJECT_TYPE_ENVELOPE ),
3068  RANGE_SUBRANGES, allowedContentTypeSubranges ),
3069 #endif /* 0 */
3070  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3071  };
3072 static const ATTRIBUTE_ACL FAR_BSS subACL_EnvinfoDetachedSig[] = {
3073  MKACL_B( /* Envelope: Read/write */
3074  CRYPT_ENVINFO_DETACHEDSIGNATURE,
3075  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_NONE,
3076  MKPERM_ENVELOPE( Rxx_RWx ),
3077  ROUTE( OBJECT_TYPE_ENVELOPE ) ),
3078  MKACL_B( /* Deenvelope: Read-only */
3079  CRYPT_ENVINFO_DETACHEDSIGNATURE,
3080  ST_NONE, ST_ENV_DEENV, ST_NONE,
3081  MKPERM_ENVELOPE( Rxx_xxx ),
3082  ROUTE( OBJECT_TYPE_ENVELOPE ) ),
3083  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3084  };
3085 static const ATTRIBUTE_ACL FAR_BSS subACL_EnvinfoIntegrity[] = {
3086  MKACL_N( /* Envelope: Write-only */
3087  CRYPT_ENVINFO_INTEGRITY,
3088  ST_NONE, ST_ENV_ENV, ST_NONE,
3089  MKPERM_ENVELOPE( xxx_xWx ),
3090  ROUTE( OBJECT_TYPE_ENVELOPE ),
3091  RANGE( CRYPT_INTEGRITY_NONE, CRYPT_INTEGRITY_FULL ) ),
3092  MKACL_N( /* De-envelope: Read-only */
3093  CRYPT_ENVINFO_INTEGRITY,
3094  ST_NONE, ST_ENV_DEENV, ST_NONE,
3095  MKPERM_ENVELOPE( Rxx_xxx ),
3096  ROUTE( OBJECT_TYPE_ENVELOPE ),
3097  RANGE( CRYPT_INTEGRITY_NONE, CRYPT_INTEGRITY_FULL ) ),
3098  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3099  };
3100 static const ATTRIBUTE_ACL FAR_BSS subACL_EnvinfoSignature[] = {
3101  MKACL_O( /* Envelope: Write-only */
3102  CRYPT_ENVINFO_SIGNATURE,
3103  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_NONE,
3104  MKPERM_ENVELOPE( xxx_xWx ),
3105  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCtxPKC ),
3106  MKACL_O( /* De-envelope: Read/write */
3107  /* This is readable and writeable since it can be used to add a sig-
3108  check key to an envelope that doesn't include certs */
3109  CRYPT_ENVINFO_SIGNATURE,
3110  ST_NONE, ST_ENV_DEENV, ST_NONE,
3111  MKPERM_ENVELOPE( RWx_xxx ),
3112  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCtxPKC ),
3113  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3114  };
3115 static const ATTRIBUTE_ACL FAR_BSS subACL_EnvinfoSignatureExtraData[] = {
3116  MKACL_O( /* Envelope: Write-only */
3117  CRYPT_ENVINFO_SIGNATURE_EXTRADATA,
3118  ST_NONE, ST_ENV_ENV, ST_NONE,
3119  MKPERM_ENVELOPE( xxx_xWx ),
3120  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCMSAttr ),
3121  MKACL_O( /* De-envelope: Read-only */
3122  CRYPT_ENVINFO_SIGNATURE_EXTRADATA,
3123  ST_NONE, ST_ENV_DEENV, ST_NONE,
3124  MKPERM_ENVELOPE( Rxx_xxx ),
3125  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCMSAttr ),
3126  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3127  };
3128 static const ATTRIBUTE_ACL FAR_BSS subACL_EnvinfoTimestamp[] = {
3129  MKACL_O( /* Envelope: Write-only TSP session */
3130  CRYPT_ENVINFO_TIMESTAMP,
3131  ST_NONE, ST_ENV_ENV, ST_NONE,
3132  MKPERM_ENVELOPE( xxx_xWx ),
3133  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectSessionTSP ),
3134  MKACL_O( /* De-envelope: Read-only sub-envelope */
3135  CRYPT_ENVINFO_TIMESTAMP,
3136  ST_NONE, ST_ENV_DEENV, ST_NONE,
3137  MKPERM_ENVELOPE( Rxx_xxx ),
3138  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectDeenvelope ),
3139  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3140  };
3141 
3142 /* Envelope attributes */
3143 
3144 static const ATTRIBUTE_ACL FAR_BSS envelopeACL[] = {
3145  MKACL_N( /* Data size information */
3146  /* The maximum length is adjusted by MAX_INTLENGTH_DELTA bytes
3147  because what this attribute specifies is only the payload size
3148  and not the overall message size, which could be up to
3149  MAX_INTLENGTH_DELTA bytes larger */
3150  CRYPT_ENVINFO_DATASIZE,
3151  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_NONE,
3152  MKPERM_ENVELOPE( xxx_xWx ),
3153  ROUTE( OBJECT_TYPE_ENVELOPE ),
3154  RANGE( 0, MAX_INTLENGTH - MAX_INTLENGTH_DELTA ) ),
3155  MKACL_N( /* Compression information */
3156  CRYPT_ENVINFO_COMPRESSION,
3157  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_NONE,
3158  MKPERM_ENVELOPE( Rxx_RWx ),
3159  ROUTE( OBJECT_TYPE_ENVELOPE ),
3160  RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
3161  MKACL_X( /* Inner CMS content type */
3162  CRYPT_ENVINFO_CONTENTTYPE,
3163  ST_NONE, ST_ENV_ANY, ST_NONE,
3164  MKPERM_ENVELOPE( Rxx_RWx ),
3165  ROUTE( OBJECT_TYPE_ENVELOPE ),
3166  subACL_EnvinfoContentType ),
3167  MKACL_X( /* Detached signature */
3168  CRYPT_ENVINFO_DETACHEDSIGNATURE,
3169  ST_NONE, ST_ENV_ANY, ST_NONE,
3170  MKPERM_ENVELOPE( Rxx_RWx ),
3171  ROUTE( OBJECT_TYPE_ENVELOPE ),
3172  subACL_EnvinfoDetachedSig ),
3173  MKACL_EX( /* Signature check result */
3174  /* This is a special case because an OK status is positive but an
3175  error status is negative, which spans two range types. To handle
3176  this we treat it as two distinct subranges, the positive CRYPT_OK
3177  and the negative error values */
3178  CRYPT_ENVINFO_SIGNATURE_RESULT, ATTRIBUTE_VALUE_NUMERIC,
3179  ST_NONE, ST_ENV_DEENV, ST_NONE,
3180  MKPERM_ENVELOPE( Rxx_xxx ), 0,
3181  ROUTE( OBJECT_TYPE_ENVELOPE ),
3182  RANGE_SUBRANGES, allowedSigResultSubranges ),
3183  MKACL_X( /* Integrity-protection level */
3184  CRYPT_ENVINFO_INTEGRITY,
3185  ST_NONE, ST_ENV_ENV | ST_ENV_DEENV, ST_NONE,
3186  MKPERM_ENVELOPE( Rxx_xWx ),
3187  ROUTE( OBJECT_TYPE_ENVELOPE ),
3188  subACL_EnvinfoIntegrity ),
3189  MKACL_S( /* User password */
3190  CRYPT_ENVINFO_PASSWORD,
3191  ST_NONE, ST_ENV_ANY, ST_NONE,
3192  MKPERM_ENVELOPE( xxx_xWx ),
3193  ROUTE( OBJECT_TYPE_ENVELOPE ),
3194  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3195  MKACL_O( /* Conventional encryption key */
3196  CRYPT_ENVINFO_KEY,
3197  ST_NONE, ST_ENV_ENV | ST_ENV_DEENV, ST_NONE,
3198  MKPERM_ENVELOPE( xxx_xWx ),
3199  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCtxConv ),
3200  MKACL_X( /* Signature/signature check key */
3201  CRYPT_ENVINFO_SIGNATURE,
3202  ST_NONE, ST_ENV_ANY, ST_NONE,
3203  MKPERM_ENVELOPE( RWx_xWx ),
3204  ROUTE( OBJECT_TYPE_ENVELOPE ),
3205  subACL_EnvinfoSignature ),
3206  MKACL_X( /* Extra information added to CMS sigs */
3207  CRYPT_ENVINFO_SIGNATURE_EXTRADATA,
3208  ST_NONE, ST_ENV_ENV | ST_ENV_DEENV, ST_NONE,
3209  MKPERM_ENVELOPE( Rxx_xWx ),
3210  ROUTE( OBJECT_TYPE_ENVELOPE ),
3211  subACL_EnvinfoSignatureExtraData ),
3212  MKACL_S( /* Recipient email address */
3213  CRYPT_ENVINFO_RECIPIENT,
3214  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_NONE,
3215  MKPERM_ENVELOPE( xxx_xWx ),
3216  ROUTE( OBJECT_TYPE_ENVELOPE ),
3217  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3218  MKACL_O( /* PKC encryption key */
3219  CRYPT_ENVINFO_PUBLICKEY,
3220  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_NONE,
3221  MKPERM_ENVELOPE( xxx_xWx ),
3222  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCtxPKC ),
3223  MKACL_O( /* PKC decryption key */
3224  CRYPT_ENVINFO_PRIVATEKEY,
3225  ST_NONE, ST_ENV_DEENV, ST_NONE,
3226  MKPERM_ENVELOPE( xxx_xWx ),
3227  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCtxPKC ),
3228  MKACL_S( /* Label of PKC decryption key */
3229  CRYPT_ENVINFO_PRIVATEKEY_LABEL,
3230  ST_NONE, ST_ENV_DEENV, ST_NONE,
3231  MKPERM_ENVELOPE( xxx_Rxx ),
3232  ROUTE( OBJECT_TYPE_ENVELOPE ),
3233  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3234  MKACL_O( /* Originator info/key */
3235  CRYPT_ENVINFO_ORIGINATOR,
3236  ST_NONE, ST_ENV_ENV, ST_NONE,
3237  MKPERM_ENVELOPE( xxx_xWx ),
3238  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCtxPKC ),
3239  MKACL_O( /* Session key */
3240  CRYPT_ENVINFO_SESSIONKEY,
3241  ST_NONE, ST_ENV_ENV | ST_ENV_DEENV, ST_NONE,
3242  MKPERM_ENVELOPE( xxx_xWx ),
3243  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCtxConv ),
3244  MKACL_O( /* Hash value */
3245  CRYPT_ENVINFO_HASH,
3246  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP | ST_ENV_DEENV, ST_NONE,
3247  MKPERM_ENVELOPE( xxx_xWx ),
3248  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectCtxHash ),
3249  MKACL_X( /* Timestamp */
3250  CRYPT_ENVINFO_TIMESTAMP,
3251  ST_NONE, ST_ENV_ENV | ST_ENV_DEENV, ST_NONE,
3252  MKPERM_ENVELOPE( Rxx_xWx ),
3253  ROUTE( OBJECT_TYPE_ENVELOPE ),
3254  subACL_EnvinfoTimestamp ),
3255  MKACL_O( /* Signature check keyset */
3256  CRYPT_ENVINFO_KEYSET_SIGCHECK,
3257  ST_NONE, ST_ENV_DEENV, ST_NONE,
3258  MKPERM_ENVELOPE( xWx_xWx ),
3259  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectKeyset ),
3260  MKACL_O( /* PKC encryption keyset */
3261  CRYPT_ENVINFO_KEYSET_ENCRYPT,
3262  ST_NONE, ST_ENV_ENV | ST_ENV_ENV_PGP, ST_NONE,
3263  MKPERM_ENVELOPE( xWx_xWx ),
3264  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectKeyset ),
3265  MKACL_O( /* PKC decryption keyset */
3266  CRYPT_ENVINFO_KEYSET_DECRYPT,
3267  ST_NONE, ST_ENV_DEENV, ST_NONE,
3268  MKPERM_ENVELOPE( xWx_xWx ),
3269  ROUTE( OBJECT_TYPE_ENVELOPE ), &objectKeyset ),
3270  MKACL_END(), MKACL_END()
3271  };
3272 
3273 /****************************************************************************
3274 * *
3275 * Session ACLs *
3276 * *
3277 ****************************************************************************/
3278 
3279 static const RANGE_SUBRANGE_TYPE FAR_BSS allowedSSHChannelSubranges[] = {
3280  { CRYPT_UNUSED, CRYPT_UNUSED },
3281  { 1, RANGE_MAX },
3282  { CRYPT_ERROR, CRYPT_ERROR }
3283  };
3284 static const int FAR_BSS allowedAuthResponses[] = \
3285  { CRYPT_UNUSED, FALSE, TRUE, CRYPT_ERROR };
3286 
3287 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoActive[] = {
3288  MKACL_B_EX( /* SSH/SSL: Can only be activated once */
3289  CRYPT_SESSINFO_ACTIVE,
3290  ST_NONE, ST_NONE, ST_SESS_ANY_DATA,
3291  MKPERM_SESSIONS( Rxx_RWx ), ATTRIBUTE_FLAG_TRIGGER,
3292  ROUTE( OBJECT_TYPE_SESSION ) ),
3293  MKACL_B_EX( /* Ongoing protocol: Persistent connections */
3294  CRYPT_SESSINFO_ACTIVE,
3295  ST_NONE, ST_NONE, ST_SESS_ANY_REQRESP,
3296  MKPERM_SESSIONS( RWx_RWx ), ATTRIBUTE_FLAG_TRIGGER,
3297  ROUTE( OBJECT_TYPE_SESSION ) ),
3298  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3299  };
3300 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoUsername[] = {
3301  MKACL_S( /* SSH/SSL/SCEP client: RWD for client auth */
3302  CRYPT_SESSINFO_USERNAME,
3303  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSL | ST_SESS_SCEP,
3304  MKPERM_SESSIONS( Rxx_RWD ),
3305  ROUTE( OBJECT_TYPE_SESSION ),
3306  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3307  MKACL_S( /* SSH server: Read-only for client auth */
3308  /* We can read this attribute in the low state because we might be
3309  going back to the caller for confirmation before we transition
3310  into the high state */
3311  CRYPT_SESSINFO_USERNAME,
3312  ST_NONE, ST_NONE, ST_SESS_SSH_SVR,
3313  MKPERM_SESSIONS( Rxx_Rxx ),
3314  ROUTE( OBJECT_TYPE_SESSION ),
3315  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3316  MKACL_S( /* CMP server: Read-only for client auth */
3317  CRYPT_SESSINFO_USERNAME,
3318  ST_NONE, ST_NONE, ST_SESS_CMP_SVR,
3319  MKPERM_SESSIONS( Rxx_xxx ),
3320  ROUTE( OBJECT_TYPE_SESSION ),
3321  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3322  MKACL_S( /* SSL server: RW for client auth */
3323  /* For SSL the username doesn't work like a standard user name but
3324  instead acts as a magic value to identify a shared secret in the
3325  session cache which is used to peform an SSL resume when the
3326  client connects. Multiple username/password combinations can be
3327  added, what's read back is either the last one added if the
3328  session hasn't been activated, or the one that was used to provide
3329  the encryption keys for the currently-active session */
3330  CRYPT_SESSINFO_USERNAME,
3331  ST_NONE, ST_NONE, ST_SESS_SSL_SVR,
3332  MKPERM_SESSIONS( RWx_RWx ),
3333  ROUTE( OBJECT_TYPE_SESSION ),
3334  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3335  MKACL_S( /* CMP client: RWD in both states for persistent conns */
3336  CRYPT_SESSINFO_USERNAME,
3337  ST_NONE, ST_NONE, ST_SESS_CMP,
3338  MKPERM_SESSIONS( RWD_RWD ),
3339  ROUTE( OBJECT_TYPE_SESSION ),
3340  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3341  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3342  };
3343 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoPassword[] = {
3344  MKACL_S( /* SSH/SSL/SCEP client: Write-only for client auth */
3345  CRYPT_SESSINFO_PASSWORD,
3346  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSL | ST_SESS_SCEP,
3347  MKPERM_SESSIONS( xxx_xWD ),
3348  ROUTE( OBJECT_TYPE_SESSION ),
3349  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3350  MKACL_S( /* SSH server: Read-only from client auth */
3351  /* We can read this attribute in the low state because we might be
3352  going back to the caller for confirmation before we transition
3353  into the high state */
3354  CRYPT_SESSINFO_PASSWORD,
3355  ST_NONE, ST_NONE, ST_SESS_SSH_SVR,
3356  MKPERM_SESSIONS( Rxx_Rxx ),
3357  ROUTE( OBJECT_TYPE_SESSION ),
3358  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3359  MKACL_S( /* SSL server: Write-only in both states for client auth */
3360  CRYPT_SESSINFO_PASSWORD,
3361  ST_NONE, ST_NONE, ST_SESS_SSL_SVR,
3362  MKPERM_SESSIONS( xWD_xWD ),
3363  ROUTE( OBJECT_TYPE_SESSION ),
3364  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3365  MKACL_S( /* CMP client: Write-only in both states for persistent conns */
3366  CRYPT_SESSINFO_PASSWORD,
3367  ST_NONE, ST_NONE, ST_SESS_CMP,
3368  MKPERM_SESSIONS( xWD_xWD ),
3369  ROUTE( OBJECT_TYPE_SESSION ),
3370  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3371  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3372  };
3373 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoPrivatekey[] = {
3374  MKACL_O( /* Server or SSH/SSL/SCEP client: Write-only */
3375  CRYPT_SESSINFO_PRIVATEKEY,
3376  ST_NONE, ST_NONE, ( ST_SESS_ANY_SVR & ~ST_SESS_CERT_SVR ) | \
3377  ST_SESS_SSH | ST_SESS_SSL | ST_SESS_SCEP,
3378  MKPERM_SESSIONS( xxx_xWx ),
3379  ROUTE( OBJECT_TYPE_SESSION ), &objectCtxPKC ),
3380  MKACL_O( /* CMP client: Write-only in both states for persistent conns */
3381  CRYPT_SESSINFO_PRIVATEKEY,
3382  ST_NONE, ST_NONE, ST_SESS_CMP,
3383  MKPERM_SESSIONS( xWx_xWx ),
3384  ROUTE( OBJECT_TYPE_SESSION ), &objectCtxPKC ),
3385  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3386  };
3387 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoKeyset[] = {
3388  MKACL_O( /* SSL and cert status/access protocols: Certificate source */
3389  CRYPT_SESSINFO_KEYSET,
3390  ST_NONE, ST_NONE, ST_SESS_SSL_SVR | ST_SESS_RTCS_SVR | \
3391  ST_SESS_OCSP_SVR | ST_SESS_CERT_SVR,
3392  MKPERM_SESSIONS( xxx_xWx ),
3393  ROUTE( OBJECT_TYPE_SESSION ), &objectKeysetCerts ),
3394  MKACL_O( /* Cert management protocols: Certificate store */
3395  CRYPT_SESSINFO_KEYSET,
3396  ST_NONE, ST_NONE, ST_SESS_CMP_SVR | ST_SESS_SCEP_SVR,
3397  MKPERM_SESSIONS( xxx_xWx ),
3398  ROUTE( OBJECT_TYPE_SESSION ), &objectKeysetCertstore ),
3399  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3400  };
3401 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoFingerprint[] = {
3402  MKACL_S( /* Client: Write-only low, read-only high */
3403  CRYPT_SESSINFO_SERVER_FINGERPRINT,
3404  ST_NONE, ST_NONE, ST_SESS_SSL | ST_SESS_SSH | ST_SESS_SCEP,
3405  MKPERM_SESSIONS( Rxx_xWx ),
3406  ROUTE( OBJECT_TYPE_SESSION ),
3407  RANGE( 16, 20 ) ),
3408  MKACL_S( /* Server: Read-only */
3409  CRYPT_SESSINFO_SERVER_FINGERPRINT,
3410  ST_NONE, ST_NONE, ST_SESS_SSH_SVR,
3411  MKPERM_SESSIONS( Rxx_Rxx ),
3412  ROUTE( OBJECT_TYPE_SESSION ),
3413  RANGE( 16, 20 ) ),
3414  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3415  };
3416 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoSession[] = {
3417  MKACL_O( /* Client: Client session */
3418  CRYPT_SESSINFO_SESSION,
3419  ST_NONE, ST_NONE, ST_SESS_RTCS | ST_SESS_OCSP | ST_SESS_TSP | \
3420  ST_SESS_CMP | ST_SESS_SCEP,
3421  MKPERM_SESSIONS( xxx_xWx ),
3422  ROUTE( OBJECT_TYPE_SESSION ), &objectSessionDataClient ),
3423  MKACL_O( /* Server: Server session */
3424  CRYPT_SESSINFO_SESSION,
3425  ST_NONE, ST_NONE, ST_SESS_RTCS_SVR | ST_SESS_OCSP_SVR | \
3426  ST_SESS_TSP_SVR | ST_SESS_CMP_SVR | \
3427  ST_SESS_SCEP_SVR,
3428  MKPERM_SESSIONS( xxx_xWx ),
3429  ROUTE( OBJECT_TYPE_SESSION ), &objectSessionDataServer ),
3430  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3431  };
3432 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoVersion[] = {
3433  MKACL_N( /* SSH: 1 or 2 */
3434  CRYPT_SESSINFO_VERSION,
3435  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
3436  MKPERM_SESSIONS( Rxx_RWx ),
3437  ROUTE( OBJECT_TYPE_SESSION ),
3438  RANGE( 1, 2 ) ),
3439  MKACL_N( /* SSL: 0 (SSLv3), 1 (TLS 1.0), 2 (TLS 1.1), or 3 (TLS 1.2) */
3440  CRYPT_SESSINFO_VERSION,
3441  ST_NONE, ST_NONE, ST_SESS_SSL | ST_SESS_SSL_SVR,
3442  MKPERM_SESSIONS( Rxx_RWx ),
3443  ROUTE( OBJECT_TYPE_SESSION ),
3444  RANGE( 0, 3 ) ),
3445  MKACL_N( /* OCSP: 1 or 2 */
3446  CRYPT_SESSINFO_VERSION,
3447  ST_NONE, ST_NONE, ST_SESS_OCSP | ST_SESS_OCSP_SVR,
3448  MKPERM_SESSIONS( Rxx_RWx ),
3449  ROUTE( OBJECT_TYPE_SESSION ),
3450  RANGE( 1, 2 ) ),
3451  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3452  };
3453 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoRequest[] = {
3454  MKACL_O( /* RTCS session: RTCS request */
3455  CRYPT_SESSINFO_REQUEST,
3456  ST_NONE, ST_NONE, ST_SESS_RTCS,
3457  MKPERM_SESSIONS( xWD_xWD ),
3458  ROUTE( OBJECT_TYPE_SESSION ), &objectCertSessionRTCSRequest ),
3459  MKACL_O( /* OCSP session: OCSP request */
3460  CRYPT_SESSINFO_REQUEST,
3461  ST_NONE, ST_NONE, ST_SESS_OCSP,
3462  MKPERM_SESSIONS( xWD_xWD ),
3463  ROUTE( OBJECT_TYPE_SESSION ), &objectCertSessionOCSPRequest ),
3464  MKACL_O( /* CMP session: Cert/rev.request */
3465  CRYPT_SESSINFO_REQUEST,
3466  ST_NONE, ST_NONE, ST_SESS_CMP,
3467  MKPERM_SESSIONS( xWD_xWD ),
3468  ROUTE( OBJECT_TYPE_SESSION ), &objectCertSessionCMPRequest ),
3469  MKACL_O( /* SCEP session: Unsigned PKCS #10 request */
3470  CRYPT_SESSINFO_REQUEST,
3471  ST_NONE, ST_NONE, ST_SESS_SCEP,
3472  MKPERM_SESSIONS( xWD_xWD ),
3473  ROUTE( OBJECT_TYPE_SESSION ), &objectCertSessionUnsignedPKCS10Request ),
3474  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3475  };
3476 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoResponse[] = {
3477  MKACL_O( /* RTCS session: RTCS response */
3478  CRYPT_SESSINFO_RESPONSE,
3479  ST_NONE, ST_NONE, ST_SESS_RTCS,
3480  MKPERM_SESSIONS( Rxx_xxx ),
3481  ROUTE( OBJECT_TYPE_SESSION ), &objectCertRTCSResponse ),
3482  MKACL_O( /* OCSP session: OCSP response */
3483  CRYPT_SESSINFO_RESPONSE,
3484  ST_NONE, ST_NONE, ST_SESS_OCSP,
3485  MKPERM_SESSIONS( Rxx_xxx ),
3486  ROUTE( OBJECT_TYPE_SESSION ), &objectCertOCSPResponse ),
3487  MKACL_O( /* SSL, PKI mgt.session: Cert, cert.response */
3488  CRYPT_SESSINFO_RESPONSE,
3489  ST_NONE, ST_NONE, ST_SESS_SSL | ST_SESS_SSL_SVR | ST_SESS_CMP | \
3490  ST_SESS_SCEP,
3491  MKPERM_SESSIONS( Rxx_xxx ),
3492  ROUTE( OBJECT_TYPE_SESSION ), &objectCertificate ),
3493  MKACL_O( /* TSP session: CMS enveloped timestamp */
3494  CRYPT_SESSINFO_RESPONSE,
3495  ST_NONE, ST_NONE, ST_SESS_TSP,
3496  MKPERM_SESSIONS( Rxx_xxx ),
3497  ROUTE( OBJECT_TYPE_SESSION ), &objectDeenvelope ),
3498  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3499  };
3500 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoRequesttype[] = {
3501  MKACL_N( /* CMP client: Read/write */
3502  CRYPT_SESSINFO_CMP_REQUESTTYPE,
3503  ST_NONE, ST_NONE, ST_SESS_CMP,
3504  MKPERM_SESSIONS( RWx_RWx ),
3505  ROUTE( OBJECT_TYPE_SESSION ),
3506  RANGE( CRYPT_REQUESTTYPE_NONE + 1, CRYPT_REQUESTTYPE_LAST - 1 ) ),
3507  MKACL_N( /* CMP server: Read-only info from client */
3508  CRYPT_SESSINFO_CMP_REQUESTTYPE,
3509  ST_NONE, ST_NONE, ST_SESS_CMP_SVR,
3510  MKPERM_SESSIONS( Rxx_xxx ),
3511  ROUTE( OBJECT_TYPE_SESSION ),
3512  RANGE( CRYPT_REQUESTTYPE_NONE + 1, CRYPT_REQUESTTYPE_LAST - 1 ) ),
3513  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3514  };
3515 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoSSHChannel[] = {
3516  MKACL_EX( /* SSH client: Read/write */
3517  /* Write = CRYPT_UNUSED to create channel, read = channel number */
3518  CRYPT_SESSINFO_SSH_CHANNEL, ATTRIBUTE_VALUE_NUMERIC,
3519  ST_NONE, ST_NONE, ST_SESS_SSH,
3520  MKPERM_SSH_EXT( RWx_RWx ), 0,
3521  ROUTE( OBJECT_TYPE_SESSION ),
3522  RANGE_SUBRANGES, allowedSSHChannelSubranges ),
3523  MKACL_EX( /* SSH server: Read-only info from client */
3524  /* Write = CRYPT_UNUSED to create channel, read = channel number */
3525  CRYPT_SESSINFO_SSH_CHANNEL, ATTRIBUTE_VALUE_NUMERIC,
3526  ST_NONE, ST_NONE, ST_SESS_SSH_SVR,
3527  MKPERM_SSH_EXT( RWx_xxx ), 0,
3528  ROUTE( OBJECT_TYPE_SESSION ),
3529  RANGE_SUBRANGES, allowedSSHChannelSubranges ),
3530  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3531  };
3532 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoSSHChannelType[] = {
3533  MKACL_S( /* SSH client: Read/write */
3534  /* Shortest valid name = "exec" */
3535  CRYPT_SESSINFO_SSH_CHANNEL_TYPE,
3536  ST_NONE, ST_NONE, ST_SESS_SSH,
3537  MKPERM_SSH_EXT( RWx_RWx ),
3538  ROUTE( OBJECT_TYPE_SESSION ), RANGE( 4, CRYPT_MAX_TEXTSIZE ) ),
3539  MKACL_S( /* SSH server: Read-only info from client */
3540  CRYPT_SESSINFO_SSH_CHANNEL_TYPE,
3541  ST_NONE, ST_NONE, ST_SESS_SSH_SVR,
3542  MKPERM_SSH_EXT( RWx_xxx ),
3543  ROUTE( OBJECT_TYPE_SESSION ), RANGE( 7, CRYPT_MAX_TEXTSIZE ) ),
3544  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3545  };
3546 static const ATTRIBUTE_ACL FAR_BSS subACL_SessinfoSSHChannelArg1[] = {
3547  MKACL_S( /* SSH client: Read/write */
3548  /* Shortest valid name = "sftp" */
3549  CRYPT_SESSINFO_SSH_CHANNEL_ARG1,
3550  ST_NONE, ST_NONE, ST_SESS_SSH,
3551  MKPERM_SSH_EXT( RWx_RWx ),
3552  ROUTE( OBJECT_TYPE_SESSION ), RANGE( 4, CRYPT_MAX_TEXTSIZE ) ),
3553  MKACL_S( /* SSH server: Read-only info from client */
3554  CRYPT_SESSINFO_SSH_CHANNEL_ARG1,
3555  ST_NONE, ST_NONE, ST_SESS_SSH_SVR,
3556  MKPERM_SSH_EXT( RWx_xxx ),
3557  ROUTE( OBJECT_TYPE_SESSION ), RANGE( 4, CRYPT_MAX_TEXTSIZE ) ),
3558  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3559  };
3560 
3561 /* Session attributes */
3562 
3563 static const ATTRIBUTE_ACL FAR_BSS sessionACL[] = {
3564  MKACL_X_EX( /* Whether session is active */
3565  CRYPT_SESSINFO_ACTIVE,
3566  ST_NONE, ST_NONE, ST_SESS_ANY,
3567  MKPERM_SESSIONS( RWx_RWx ), ATTRIBUTE_FLAG_TRIGGER,
3568  ROUTE( OBJECT_TYPE_SESSION ),
3569  subACL_SessinfoActive ),
3570  MKACL_B( /* Whether network connection is active */
3571  CRYPT_SESSINFO_CONNECTIONACTIVE,
3572  ST_NONE, ST_NONE, ST_SESS_ANY,
3573  MKPERM_SESSIONS( Rxx_Rxx ),
3574  ROUTE( OBJECT_TYPE_SESSION ) ),
3575  MKACL_X( /* User name */
3576  CRYPT_SESSINFO_USERNAME,
3577  ST_NONE, ST_NONE, ST_SESS_ANY_DATA | ST_SESS_CMP | ST_SESS_CMP_SVR | \
3578  ST_SESS_SCEP,
3579  MKPERM_SESSIONS( RWD_RWD ),
3580  ROUTE( OBJECT_TYPE_SESSION ),
3581  subACL_SessinfoUsername ),
3582  MKACL_X( /* Password */
3583  CRYPT_SESSINFO_PASSWORD,
3584  ST_NONE, ST_NONE, ST_SESS_ANY_DATA | ST_SESS_CMP | ST_SESS_SCEP,
3585  MKPERM_SESSIONS( RWD_RWD ),
3586  ROUTE( OBJECT_TYPE_SESSION ),
3587  subACL_SessinfoPassword ),
3588  MKACL_X( /* Server/client private key */
3589  CRYPT_SESSINFO_PRIVATEKEY,
3590  ST_NONE, ST_NONE, ( ST_SESS_ANY_SVR & ~ST_SESS_CERT_SVR ) | \
3591  ST_SESS_SSH | ST_SESS_SSL | ST_SESS_CMP | \
3592  ST_SESS_SCEP,
3593  MKPERM_SESSIONS( xWx_xWx ),
3594  ROUTE( OBJECT_TYPE_SESSION ),
3595  subACL_SessinfoPrivatekey ),
3596  MKACL_X( /* Certificate store */
3597  CRYPT_SESSINFO_KEYSET,
3598  ST_NONE, ST_NONE, ST_SESS_SSL_SVR | ST_SESS_RTCS_SVR | \
3599  ST_SESS_OCSP_SVR | ST_SESS_CMP_SVR | \
3600  ST_SESS_SCEP_SVR | ST_SESS_CERT_SVR,
3601  MKPERM_SESSIONS( xxx_xWx ),
3602  ROUTE( OBJECT_TYPE_SESSION ),
3603  subACL_SessinfoKeyset ),
3604  MKACL_EX( /* Session authorisation OK */
3605  CRYPT_SESSINFO_AUTHRESPONSE, ATTRIBUTE_VALUE_NUMERIC,
3606  ST_NONE, ST_NONE, ST_SESS_SSH_SVR,
3607  MKPERM_SESSIONS( RWx_RWx ), 0,
3608  ROUTE( OBJECT_TYPE_SESSION ),
3609  RANGE_ALLOWEDVALUES, allowedAuthResponses ),
3610  MKACL_S( /* Server name */
3611  CRYPT_SESSINFO_SERVER_NAME,
3612  ST_NONE, ST_NONE, ST_SESS_ANY,
3613  MKPERM_SESSIONS( Rxx_RWD ),
3614  ROUTE( OBJECT_TYPE_SESSION ),
3615  RANGE( 2, MAX_URL_SIZE ) ),
3616  MKACL_N( /* Server port number */
3617  CRYPT_SESSINFO_SERVER_PORT,
3618  ST_NONE, ST_NONE, ST_SESS_ANY,
3619  MKPERM_SESSIONS( Rxx_RWD ),
3620  ROUTE( OBJECT_TYPE_SESSION ),
3621  RANGE( MIN_PORT_NUMBER, MAX_PORT_NUMBER ) ),
3622  MKACL_X( /* Server key fingerprint */
3623  CRYPT_SESSINFO_SERVER_FINGERPRINT,
3624  ST_NONE, ST_NONE, ST_SESS_SSL | ST_SESS_SSH | ST_SESS_SCEP | \
3625  ST_SESS_SSH_SVR,
3626  MKPERM_SESSIONS( Rxx_RWx ),
3627  ROUTE( OBJECT_TYPE_SESSION ),
3628  subACL_SessinfoFingerprint ),
3629  MKACL_S( /* Client name */
3630  CRYPT_SESSINFO_CLIENT_NAME,
3631  ST_NONE, ST_NONE, ST_SESS_ANY_SVR,
3632  MKPERM_SESSIONS( Rxx_xxx ),
3633  ROUTE( OBJECT_TYPE_SESSION ),
3634  RANGE( 2, MAX_URL_SIZE ) ),
3635  MKACL_N( /* Client port number */
3636  CRYPT_SESSINFO_CLIENT_PORT,
3637  ST_NONE, ST_NONE, ST_SESS_ANY_SVR,
3638  MKPERM_SESSIONS( Rxx_xxx ),
3639  ROUTE( OBJECT_TYPE_SESSION ),
3640  RANGE( MIN_PORT_NUMBER, MAX_PORT_NUMBER ) ),
3641  MKACL_X( /* Transport mechanism */
3642  CRYPT_SESSINFO_SESSION,
3643  ST_NONE, ST_NONE, ST_SESS_RTCS | ST_SESS_RTCS_SVR | \
3644  ST_SESS_OCSP | ST_SESS_OCSP_SVR | \
3645  ST_SESS_TSP | ST_SESS_TSP_SVR | \
3646  ST_SESS_CMP | ST_SESS_CMP_SVR | \
3647  ST_SESS_SCEP | ST_SESS_SCEP_SVR,
3648  MKPERM_SESSIONS( xxx_xWx ),
3649  ROUTE( OBJECT_TYPE_SESSION ),
3650  subACL_SessinfoSession ),
3651  MKACL_N( /* User-supplied network socket */
3652  CRYPT_SESSINFO_NETWORKSOCKET,
3653  ST_NONE, ST_NONE, ST_SESS_ANY,
3654  MKPERM_SESSIONS( xxx_xWx ),
3655  ROUTE( OBJECT_TYPE_SESSION ),
3656  RANGE_ANY ),
3657 
3658  MKACL_X( /* Session protocol version */
3659  CRYPT_SESSINFO_VERSION,
3660  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR | ST_SESS_SSL | \
3661  ST_SESS_SSL_SVR | ST_SESS_OCSP | ST_SESS_OCSP_SVR,
3662  MKPERM_SESSIONS( Rxx_RWx ),
3663  ROUTE( OBJECT_TYPE_SESSION ),
3664  subACL_SessinfoVersion ),
3665  MKACL_X( /* Cert.request object */
3666  /* The object can be updated in both states for persistent
3667  connections */
3668  CRYPT_SESSINFO_REQUEST,
3669  ST_NONE, ST_NONE, ST_SESS_RTCS | ST_SESS_OCSP | ST_SESS_CMP | \
3670  ST_SESS_SCEP,
3671  MKPERM_SESSIONS( xWD_xWD ),
3672  ROUTE( OBJECT_TYPE_SESSION ),
3673  subACL_SessinfoRequest ),
3674  MKACL_X( /* Cert.response object */
3675  CRYPT_SESSINFO_RESPONSE,
3676  ST_NONE, ST_NONE, ST_SESS_SSL | ST_SESS_SSL_SVR | ST_SESS_RTCS | \
3677  ST_SESS_OCSP | ST_SESS_TSP | ST_SESS_CMP | \
3678  ST_SESS_SCEP,
3679  MKPERM_SESSIONS( Rxx_xxx ),
3680  ROUTE( OBJECT_TYPE_SESSION ),
3681  subACL_SessinfoResponse ),
3682  MKACL_O( /* Issuing CA certificate */
3683  CRYPT_SESSINFO_CACERTIFICATE,
3684  ST_NONE, ST_NONE, ST_SESS_CMP | ST_SESS_SCEP,
3685  MKPERM_SESSIONS( xxx_xWx ),
3686  ROUTE( OBJECT_TYPE_SESSION ), &objectCertificate ),
3687 
3688  MKACL_X( /* CMP request type */
3689  CRYPT_SESSINFO_CMP_REQUESTTYPE,
3690  ST_NONE, ST_NONE, ST_SESS_CMP | ST_SESS_CMP_SVR,
3691  MKPERM_CMP( RWx_RWx ),
3692  ROUTE( OBJECT_TYPE_SESSION ),
3693  subACL_SessinfoRequesttype ),
3694  MKACL_O( /* Private-key keyset */
3695  CRYPT_SESSINFO_CMP_PRIVKEYSET,
3696  ST_NONE, ST_NONE, ST_SESS_CMP,
3697  MKPERM_CMP( xxx_xWx ),
3698  ROUTE( OBJECT_TYPE_SESSION ), &objectKeysetPrivate ),
3699 
3700  MKACL_X( /* SSH current channel */
3701  /* Write = CRYPT_UNUSED to create channel, read = channel number */
3702  CRYPT_SESSINFO_SSH_CHANNEL,
3703  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
3704  MKPERM_SSH_EXT( RWx_RWx ),
3705  ROUTE( OBJECT_TYPE_SESSION ),
3706  subACL_SessinfoSSHChannel ),
3707  MKACL_X( /* SSH channel type */
3708  CRYPT_SESSINFO_SSH_CHANNEL_TYPE,
3709  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
3710  MKPERM_SSH_EXT( RWx_RWx ),
3711  ROUTE( OBJECT_TYPE_SESSION ),
3712  subACL_SessinfoSSHChannelType ),
3713  MKACL_X( /* SSH channel argument 1 */
3714  CRYPT_SESSINFO_SSH_CHANNEL_ARG1,
3715  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
3716  MKPERM_SSH_EXT( RWx_RWx ),
3717  ROUTE( OBJECT_TYPE_SESSION ),
3718  subACL_SessinfoSSHChannelArg1 ),
3719  MKACL_S( /* SSH channel argument 2 */
3720  CRYPT_SESSINFO_SSH_CHANNEL_ARG2,
3721  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
3722  MKPERM_SSH_EXT( RWx_xxx ),
3723  ROUTE( OBJECT_TYPE_SESSION ), RANGE( 5, CRYPT_MAX_TEXTSIZE ) ),
3724  MKACL_B( /* SSH channel active */
3725  CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE,
3726  ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
3727  MKPERM_SSH_EXT( RWx_xxx ),
3728  ROUTE( OBJECT_TYPE_SESSION ) ),
3729 
3730  MKACL_N( /* SSL/TLS protocol options */
3731  CRYPT_SESSINFO_SSL_OPTIONS,
3732  ST_NONE, ST_NONE, ST_SESS_SSL | ST_SESS_SSL_SVR,
3733  MKPERM_SESSIONS( Rxx_RWx ),
3734  ROUTE( OBJECT_TYPE_SESSION ),
3735  RANGE( CRYPT_SSLOPTION_NONE, CRYPT_SSLOPTION_MAX ) ),
3736 
3737  MKACL_O( /* TSP message imprint */
3738  /* The object can be updated in both states for persistent
3739  connections */
3740  CRYPT_SESSINFO_TSP_MSGIMPRINT,
3741  ST_NONE, ST_NONE, ST_SESS_TSP,
3742  MKPERM_TSP( xWD_xWD ),
3743  ROUTE( OBJECT_TYPE_SESSION ), &objectCtxHash ),
3744 
3745  MKACL_END(), MKACL_END()
3746  };
3747 
3748 /****************************************************************************
3749 * *
3750 * User ACLs *
3751 * *
3752 ****************************************************************************/
3753 
3754 /* User attributes */
3755 
3756 static const ATTRIBUTE_ACL FAR_BSS userACL[] = {
3757  MKACL_S_EX( /* Password */
3758  CRYPT_USERINFO_PASSWORD,
3759  ST_NONE, ST_NONE, ST_USER_ANY,
3760  MKPERM( xxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3761  ROUTE( OBJECT_TYPE_USER ),
3762  RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3763 
3764  MKACL_O( /* CA cert signing key */
3765  CRYPT_USERINFO_CAKEY_CERTSIGN,
3766  ST_NONE, ST_NONE, ST_USER_CA,
3767  MKPERM( xxx_xWx ),
3768  ROUTE( OBJECT_TYPE_USER ), &objectCertificate ),
3769  MKACL_O( /* CA CRL signing key */
3770  CRYPT_USERINFO_CAKEY_CRLSIGN,
3771  ST_NONE, ST_NONE, ST_USER_CA,
3772  MKPERM( xxx_xWx ),
3773  ROUTE( OBJECT_TYPE_USER ), &objectCertificate ),
3774  MKACL_O( /* CA RTCS signing key */
3775  CRYPT_USERINFO_CAKEY_RTCSSIGN,
3776  ST_NONE, ST_NONE, ST_USER_CA,
3777  MKPERM( xxx_xWx ),
3778  ROUTE( OBJECT_TYPE_USER ), &objectCertificate ),
3779  MKACL_O( /* CA OCSP signing key */
3780  CRYPT_USERINFO_CAKEY_OCSPSIGN,
3781  ST_NONE, ST_NONE, ST_USER_CA,
3782  MKPERM( xxx_xWx ),
3783  ROUTE( OBJECT_TYPE_USER ), &objectCertificate ),
3784  MKACL_END(), MKACL_END()
3785  };
3786 
3787 /****************************************************************************
3788 * *
3789 * Internal ACLs *
3790 * *
3791 ****************************************************************************/
3792 
3793 static const int FAR_BSS allowedObjectStatusValues[] = {
3794  CRYPT_OK, CRYPT_ERROR_TIMEOUT, CRYPT_ERROR };
3795 
3796 static const ATTRIBUTE_ACL FAR_BSS subACL_IAttributeSubject[] = {
3797  MKACL_S( /* CRMF objects: Readable in any state (unsigned in CMP msgs) */
3798  CRYPT_IATTRIBUTE_SUBJECT,
3799  ST_CERT_REQ_CERT | ST_CERT_REQ_REV, ST_NONE, ST_NONE,
3800  MKPERM_INT_CERTIFICATES( Rxx_Rxx ),
3801  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( 16, 8192 ) ),
3802  MKACL_S( /* Other objects: Object must be in high state */
3803  CRYPT_IATTRIBUTE_SUBJECT,
3804  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_CERTREQ | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
3805  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
3806  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( 16, 8192 ) ),
3807  MKACL_END_SUBACL(), MKACL_END_SUBACL()
3808  };
3809 
3810 /* Internal attributes */
3811 
3812 static const ATTRIBUTE_ACL FAR_BSS internalACL[] = {
3813  MKACL_N_EX( /* Object type */
3814  CRYPT_IATTRIBUTE_TYPE,
3815  ST_ANY_A, ST_ANY_B, ST_ANY_C,
3816  MKPERM_INT( Rxx_Rxx ), ATTRIBUTE_FLAG_PROPERTY,
3817  ROUTE_NONE, RANGE( OBJECT_TYPE_NONE + 1, OBJECT_TYPE_LAST - 1 ) ),
3818  MKACL_N_EX( /* Object subtype */
3819  CRYPT_IATTRIBUTE_SUBTYPE,
3820  ST_ANY_A, ST_ANY_B, ST_ANY_C,
3821  MKPERM_INT( Rxx_Rxx ), ATTRIBUTE_FLAG_PROPERTY,
3822  ROUTE_NONE, RANGE( OBJECT_TYPE_NONE + 1, OBJECT_TYPE_LAST - 1 ) ),
3823  MKACL_EX( /* Object status */
3824  /* Write = status value, read = OBJECT_FLAG_xxx (since an object may
3825  be, for example, busy and signalled at the same time) */
3826  CRYPT_IATTRIBUTE_STATUS, ATTRIBUTE_VALUE_NUMERIC,
3827  ST_ANY_A, ST_ANY_B, ST_ANY_C,
3828  MKPERM_INT( RWx_RWx ), ATTRIBUTE_FLAG_PROPERTY,
3829  ROUTE_NONE, RANGE_ALLOWEDVALUES, allowedObjectStatusValues ),
3830  MKACL_B_EX( /* Object internal flag */
3831  CRYPT_IATTRIBUTE_INTERNAL,
3832  ST_ANY_A, ST_ANY_B, ST_ANY_C,
3833  MKPERM_INT( RWx_RWx ), ATTRIBUTE_FLAG_PROPERTY,
3834  ROUTE_NONE ),
3835  MKACL_N_EX( /* Object action permissions */
3836  CRYPT_IATTRIBUTE_ACTIONPERMS,
3837  ST_CTX_ANY, ST_NONE, ST_NONE,
3838  MKPERM_INT( RWx_RWx ), ATTRIBUTE_FLAG_PROPERTY,
3839  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( ACTION_PERM_NOTAVAIL, ACTION_PERM_LAST ) ),
3840  MKACL_B_EX( /* Object locked for exclusive use */
3841  CRYPT_IATTRIBUTE_LOCKED,
3842  ST_CTX_PKC | ST_CTX_CONV | ST_CERT_ANY_CERT | ST_CERT_CRL , ST_NONE, ST_NONE,
3843  MKPERM_INT( xWx_xWx ), ATTRIBUTE_FLAG_PROPERTY,
3844  ROUTE_NONE ),
3845  MKACL_N_EX( /* Object inited (e.g. key loaded, cert signed) */
3846  CRYPT_IATTRIBUTE_INITIALISED,
3847  ST_ANY_A, ST_ANY_B, ST_ANY_C,
3848  MKPERM_INT( xxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3849  ROUTE_NONE, RANGE( CRYPT_UNUSED, CRYPT_UNUSED ) ),
3850 
3851  /* Context internal attributes */
3852  MKACL_N( /* Ctx: Key size (for non-native ctxts) */
3853  CRYPT_IATTRIBUTE_KEYSIZE,
3854  ST_CTX_CONV | ST_CTX_PKC | ST_CTX_MAC | ST_CTX_GENERIC, ST_NONE, ST_NONE,
3855  MKPERM_INT( xxx_xWx ),
3856  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( MIN_KEYSIZE, CRYPT_MAX_PKCSIZE ) ),
3857  MKACL_N( /* Ctx: Key feature info */
3858  CRYPT_IATTRIBUTE_KEYFEATURES,
3859  ST_CTX_PKC, ST_NONE, ST_NONE,
3860  MKPERM_INT( Rxx_xxx ),
3861  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 0, 16 ) ),
3862  MKACL_S( /* Ctx: Key ID */
3863  CRYPT_IATTRIBUTE_KEYID,
3864  ST_CTX_PKC, ST_NONE, ST_NONE,
3865  MKPERM_INT( Rxx_Rxx ),
3866  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 20, 20 ) ),
3867  MKACL_S( /* Ctx: PGP 2 key ID */
3868  CRYPT_IATTRIBUTE_KEYID_PGP2,
3869  ST_CTX_PKC, ST_NONE, ST_NONE,
3870  MKPERM_INT( Rxx_Rxx ),
3871  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 8, 8 ) ),
3872  MKACL_S( /* Ctx: OpenPGP key ID */
3873  /* This attribute is writeable in the high state since it may be
3874  retroactively set for objects for which the value couldn't be
3875  calculated at object instantiation time, for example a
3876  certificate that has the OpenPGP information stored alongside
3877  it */
3878  CRYPT_IATTRIBUTE_KEYID_OPENPGP,
3879  ST_CTX_PKC, ST_NONE, ST_NONE,
3880  MKPERM_INT( RWx_RWx ),
3881  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 8, 8 ) ),
3882 #if !( defined( USE_ECDH ) || defined( USE_ECDSA ) )
3883  MKACL_S_EX( /* Ctx: SubjectPublicKeyInfo */
3884  /* The attribute length values are only approximate because there's
3885  wrapper data involved, and (for the maximum length) several of
3886  the DLP PKC values are only a fraction of CRYPT_MAX_PKCSIZE, the
3887  rest of the space requirement being allocated to the wrapper */
3888  CRYPT_IATTRIBUTE_KEY_SPKI,
3889  ST_CTX_PKC, ST_NONE, ST_NONE,
3890  MKPERM_INT( Rxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3891  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 8 + MIN_PKCSIZE, CRYPT_MAX_PKCSIZE * 4 ) ),
3892 #else
3893  MKACL_S_EX( /* Ctx: SubjectPublicKeyInfo */
3894  /* ECC keys are somewhat different, the lower bound is much smaller
3895  but the key data consists of a point on a curve so it's calcuated
3896  as twice the minimum key size */
3897  CRYPT_IATTRIBUTE_KEY_SPKI,
3898  ST_CTX_PKC, ST_NONE, ST_NONE,
3899  MKPERM_INT( Rxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3900  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 8 + MIN_PKCSIZE_ECCPOINT_THRESHOLD, CRYPT_MAX_PKCSIZE * 4 ) ),
3901 #endif /* !( USE_ECDH || USE_ECDSA ) */
3902  MKACL_S_EX( /* Ctx: PGP-format public key */
3903  CRYPT_IATTRIBUTE_KEY_PGP,
3904  ST_CTX_PKC, ST_NONE, ST_NONE,
3905  MKPERM_INT_PGP( Rxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3906  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 10 + MIN_PKCSIZE, CRYPT_MAX_PKCSIZE * 4 ) ),
3907 #if !( defined( USE_ECDH ) || defined( USE_ECDSA ) )
3908  MKACL_S_EX( /* Ctx: SSH-format public key */
3909  CRYPT_IATTRIBUTE_KEY_SSH,
3910  ST_CTX_PKC, ST_NONE, ST_NONE,
3911  MKPERM_INT_SSH( Rxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3912  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 16 + MIN_PKCSIZE, ( CRYPT_MAX_PKCSIZE * 4 ) + 20 ) ),
3913 #else
3914  MKACL_S_EX( /* Ctx: SSH-format public key */
3915  CRYPT_IATTRIBUTE_KEY_SSH,
3916  ST_CTX_PKC, ST_NONE, ST_NONE,
3917  MKPERM_INT_SSH( Rxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3918  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 16 + MIN_PKCSIZE_ECC, ( CRYPT_MAX_PKCSIZE * 4 ) + 20 ) ),
3919 #endif /* !( USE_ECDH || USE_ECDSA ) */
3920  MKACL_S_EX( /* Ctx: SSHv1-format public key */
3921  CRYPT_IATTRIBUTE_KEY_SSH1,
3922  ST_CTX_PKC, ST_NONE, ST_NONE,
3923  MKPERM_INT_SSH( Rxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3924  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 8 + MIN_PKCSIZE, CRYPT_MAX_PKCSIZE + 10 ) ),
3925 #if !( defined( USE_ECDH ) || defined( USE_ECDSA ) )
3926  MKACL_S_EX( /* Ctx: SSL-format public key */
3927  CRYPT_IATTRIBUTE_KEY_SSL,
3928  ST_CTX_PKC, ST_NONE, ST_NONE,
3929  MKPERM_INT_SSL( Rxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3930  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 4 + MIN_PKCSIZE, ( CRYPT_MAX_PKCSIZE * 4 ) + 20 ) ),
3931 #else
3932  MKACL_S_EX( /* Ctx: SSL-format public key */
3933  CRYPT_IATTRIBUTE_KEY_SSL,
3934  ST_CTX_PKC, ST_NONE, ST_NONE,
3935  MKPERM_INT_SSL( Rxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
3936  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 1 + 2, ( CRYPT_MAX_PKCSIZE * 4 ) + 20 ) ),
3937 #endif /* !( USE_ECDH || USE_ECDSA ) */
3938 #if !( defined( USE_ECDH ) || defined( USE_ECDSA ) )
3939  MKACL_S( /* Ctx: SubjectPublicKeyInfo w/o trigger */
3940  /* We allow a read as well as write to handle dummy contexts tied to
3941  hardware that are used as placeholders for crypto hardware
3942  functionality, these aren't necessarily in the high state as
3943  required by CRYPT_IATTRIBUTE_KEY_SPKI when they're accessed
3944  because the hardware may not be ready yet, but we can still
3945  fetch the stored public-key data from them */
3946  CRYPT_IATTRIBUTE_KEY_SPKI_PARTIAL,
3947  ST_CTX_PKC, ST_NONE, ST_NONE,
3948  MKPERM_INT( Rxx_RWx ),
3949  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 8 + MIN_PKCSIZE, CRYPT_MAX_PKCSIZE * 4 ) ),
3950 #else
3951  MKACL_S( /* Ctx: SubjectPublicKeyInfo w/o trigger */
3952  CRYPT_IATTRIBUTE_KEY_SPKI_PARTIAL,
3953  ST_CTX_PKC, ST_NONE, ST_NONE,
3954  MKPERM_INT( Rxx_RWx ),
3955  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 8 + MIN_PKCSIZE_ECCPOINT_THRESHOLD, CRYPT_MAX_PKCSIZE * 4 ) ),
3956 #endif /* !( USE_ECDH || USE_ECDSA ) */
3957  MKACL_S( /* Ctx: PGP public key w/o trigger */
3958  CRYPT_IATTRIBUTE_KEY_PGP_PARTIAL,
3959  ST_CTX_PKC, ST_NONE, ST_NONE,
3960  MKPERM_INT_PGP( xxx_xWx ),
3961  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 10 + MIN_PKCSIZE, CRYPT_MAX_PKCSIZE * 3 ) ),
3962  MKACL_T( /* Ctx: PGP key validity */
3963  /* This attribute is writeable in the high state since it may be
3964  retroactively set for objects for which the value couldn't be
3965  calculated at object instantiation time, for example a
3966  certificate that has the OpenPGP information stored alongside
3967  it */
3968  CRYPT_IATTRIBUTE_PGPVALIDITY,
3969  ST_CTX_PKC, ST_NONE, ST_NONE,
3970  MKPERM_INT( RWx_RWx ),
3971  ROUTE( OBJECT_TYPE_CONTEXT ) ),
3972  MKACL_N( /* Ctx: Device object handle */
3973  CRYPT_IATTRIBUTE_DEVICEOBJECT,
3974  ST_CTX_ANY, ST_NONE, ST_NONE,
3975  MKPERM_INT( Rxx_RWx ),
3976  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE_ANY ),
3977  MKACL_S( /* Ctx: Storage ID for data in device */
3978  CRYPT_IATTRIBUTE_DEVICESTORAGEID,
3979  ST_CTX_CONV | ST_CTX_PKC | ST_CTX_MAC | ST_CTX_GENERIC, ST_NONE, ST_NONE,
3980  MKPERM_INT( Rxx_RWx ),
3981  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 1, KEYID_SIZE ) ),
3982  MKACL_S( /* Ctx: Existing label for object in device */
3983  /* This is like CRYPT_CTXINFO_LABEL except that what we're setting
3984  is the label for an existing persistent object in a device, so
3985  the context code doesn't reject it if it finds a match for this
3986  label in the device */
3987  CRYPT_IATTRIBUTE_EXISTINGLABEL,
3988  ST_CTX_CONV | ST_CTX_PKC | ST_CTX_MAC, ST_NONE, ST_NONE,
3989  MKPERM_INT( xxx_xWx ),
3990  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3991  MKACL_S( /* Ctx: Encryption params for generic-secret */
3992  CRYPT_IATTRIBUTE_ENCPARAMS,
3993  ST_CTX_GENERIC, ST_NONE, ST_NONE,
3994  MKPERM_INT( RWx_xWx ),
3995  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
3996  MKACL_S( /* Ctx: MAC params for generic-secret */
3997  CRYPT_IATTRIBUTE_MACPARAMS,
3998  ST_CTX_GENERIC, ST_NONE, ST_NONE,
3999  MKPERM_INT( RWx_xWx ),
4000  ROUTE( OBJECT_TYPE_CONTEXT ), RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
4001  MKACL_S( /* AAD for authenticated-encr.modes */
4002  CRYPT_IATTRIBUTE_AAD,
4003  ST_CTX_CONV, ST_NONE, ST_NONE,
4004  MKPERM_INT( xWx_xxx ),
4005  ROUTE( OBJECT_TYPE_CONTEXT ),
4006  RANGE( 1, MAX_ATTRIBUTE_SIZE ) ),
4007  MKACL_S( /* ICV for authenticated-encr.modes */
4008  CRYPT_IATTRIBUTE_ICV,
4009  ST_CTX_CONV, ST_NONE, ST_NONE,
4010  MKPERM_INT( Rxx_xxx ),
4011  ROUTE( OBJECT_TYPE_CONTEXT ),
4012  RANGE( 12, CRYPT_MAX_HASHSIZE ) ),
4013 
4014  /* Certificate internal attributes */
4015  MKACL_X( /* Cert: SubjectName */
4016  /* Although in theory this attribute should only be present for
4017  signed cert objects, it also exists in CRMF objects that are
4018  being used as CMP revocation requests and that aren't signed and
4019  are therefore never in the high state. Because of this we have to
4020  allow reads in the low state for this one object type */
4021  CRYPT_IATTRIBUTE_SUBJECT,
4022  ST_CERT_CERT | ST_CERT_CERTREQ | ST_CERT_REQ_CERT | ST_CERT_REQ_REV | \
4023  ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
4024  MKPERM_INT_CERTIFICATES( Rxx_Rxx ),
4025  ROUTE( OBJECT_TYPE_CERTIFICATE ), subACL_IAttributeSubject ),
4026  MKACL_S( /* Cert: IssuerName */
4027  CRYPT_IATTRIBUTE_ISSUER,
4028  ST_CERT_CERT | ST_CERT_REQ_CERT | ST_CERT_CERTCHAIN | ST_CERT_CRL, ST_NONE, ST_NONE,
4029  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
4030  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( 16, 8192 ) ),
4031  MKACL_S( /* Cert: IssuerAndSerial */
4032  CRYPT_IATTRIBUTE_ISSUERANDSERIALNUMBER,
4033  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_REQ_REV | ST_CERT_CRL, ST_NONE, ST_NONE,
4034  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
4035  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( 16, 8192 ) ),
4036  MKACL_S( /* Cert: Best approximation to cert.owner name */
4037  CRYPT_IATTRIBUTE_HOLDERNAME,
4038  ST_CERT_CERT | ST_CERT_CERTREQ | ST_CERT_REQ_CERT | ST_CERT_REQ_REV | \
4039  ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
4040  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
4041  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
4042  MKACL_S( /* Cert: Best approximation to cert.owner URI */
4043  CRYPT_IATTRIBUTE_HOLDERURI,
4044  ST_CERT_CERT | ST_CERT_CERTREQ | ST_CERT_REQ_CERT | ST_CERT_REQ_REV | \
4045  ST_CERT_CERTCHAIN | ST_CERT_PKIUSER, ST_NONE, ST_NONE,
4046  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
4047  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
4048  MKACL_S( /* Cert: Encoded SubjectPublicKeyInfo */
4049  /* Although we never need to extract the SPKI from a CRMF request, we
4050  have to be able to read it so we can do a presence check since we
4051  can't issue a cert without having a public key present (although
4052  this would be detcted later on, it allows us to report the error
4053  at an earlier stage by explicitly checking). Since the same
4054  checks are also applied to PKCS #10 cert requests, we also have to
4055  make it readable for those */
4056  CRYPT_IATTRIBUTE_SPKI,
4057  ST_CERT_CERT | ST_CERT_CERTCHAIN | ST_CERT_CERTREQ | ST_CERT_REQ_CERT, ST_NONE, ST_NONE,
4058  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
4059  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( 64, CRYPT_MAX_PKCSIZE * 3 ) ),
4060  MKACL_N( /* Cert: PKC algo.used for certificate */
4061  CRYPT_IATTRIBUTE_CERTKEYALGO,
4062  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
4063  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
4064  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( CRYPT_ALGO_FIRST_PKC, CRYPT_ALGO_LAST_PKC ) ),
4065  MKACL_N( /* Cert: Hash algo.used for certificate */
4066  /* Although this attribute is technically valid for most cert types,
4067  it's only used with standard certificates, where it's used as
4068  an implicit indicator of the preferred hash algorithm to use when
4069  signing data */
4070  CRYPT_IATTRIBUTE_CERTHASHALGO,
4071  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
4072  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
4073  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( CRYPT_ALGO_FIRST_HASH, CRYPT_ALGO_LAST_HASH ) ),
4074  MKACL_O_EX( /* Cert: Certs added to cert chain */
4075  /* This attribute is marked as a trigger attribute since the cert
4076  chain object it affects doesn't contain a true chain of certs but
4077  only a collection of non-duplicate certs that are never
4078  explicitly signed. To allow it to function as a normal cert
4079  chain, we move it into the high state as soon as at least on cert
4080  is added. In addition, this is a retriggerable attribute in that
4081  further data can be added after the initial trigger action */
4082  CRYPT_IATTRIBUTE_CERTCOLLECTION,
4083  ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
4084  MKPERM_INT_CERTIFICATES( xWx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
4085  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertificate ),
4086  MKACL_S( /* Cert: Individual entry from CRL */
4087  CRYPT_IATTRIBUTE_CRLENTRY,
4088  ST_CERT_CRL, ST_NONE, ST_NONE,
4089  MKPERM_INT_CERTREV( Rxx_xWx ),
4090  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( 8, MAX_ATTRIBUTE_SIZE ) ),
4091  MKACL_S( /* Cert: RTCS/OCSP responder name */
4092  CRYPT_IATTRIBUTE_RESPONDERURL,
4093  ST_CERT_RTCS_REQ | ST_CERT_OCSP_REQ, ST_NONE, ST_NONE,
4094  MKPERM_INT_CERTREV_VAL( Rxx_Rxx ),
4095  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( MIN_URL_SIZE, MAX_URL_SIZE ) ),
4096  MKACL_O( /* Cert: RTCS req.info added to RTCS resp.*/
4097  CRYPT_IATTRIBUTE_RTCSREQUEST,
4098  ST_CERT_RTCS_RESP, ST_NONE, ST_NONE,
4099  MKPERM_INT_CERTVAL( xxx_xWx ),
4100  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertRTCSRequest ),
4101  MKACL_O( /* Cert: OCSP req.info added to OCSP resp.*/
4102  CRYPT_IATTRIBUTE_OCSPREQUEST,
4103  ST_CERT_OCSP_RESP, ST_NONE, ST_NONE,
4104  MKPERM_INT_CERTREV( xxx_xWx ),
4105  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertOCSPRequest ),
4106  MKACL_O_EX( /* Cert: CRMF rev.request added to CRL */
4107  /* This is marked as a trigger attribute since it's used to create a
4108  CRL template from a CRMF request (i.e. to turn a CRMF revocation
4109  request into something that the rest of cryptlib can work with),
4110  so adding it has to create a pseudosigned CRL from which we can
4111  read things like the encoded CRL entry and the
4112  issuerAndSerialNumber */
4113  CRYPT_IATTRIBUTE_REVREQUEST,
4114  ST_CERT_CRL, ST_NONE, ST_NONE,
4115  MKPERM_INT_CERTREV( xxx_xWx ), ATTRIBUTE_FLAG_TRIGGER,
4116  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertRevRequest ),
4117  MKACL_O( /* Cert: Additional user info added to cert.request */
4118  CRYPT_IATTRIBUTE_PKIUSERINFO,
4119  ST_CERT_CERTREQ | ST_CERT_REQ_CERT, ST_NONE, ST_NONE,
4120  MKPERM_INT_CERTREQ( xWx_xxx ),
4121  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertPKIUser ),
4122  MKACL_O( /* Cert: Template of disallowed attrs.in cert */
4123  CRYPT_IATTRIBUTE_BLOCKEDATTRS,
4124  ST_CERT_CERT, ST_NONE, ST_NONE,
4125  MKPERM_INT_CERTIFICATES( xxx_xWx ),
4126  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertificateTemplate ),
4127  MKACL_S( /* Cert: Authorising cert ID for a cert/rev.request */
4128  CRYPT_IATTRIBUTE_AUTHCERTID,
4129  ST_CERT_REQ_CERT | ST_CERT_REQ_REV, ST_NONE, ST_NONE,
4130  MKPERM_INT_CERTREQ( RWx_xxx ),
4131  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( 20, 20 ) ),
4132  MKACL_S( /* Cert: ESSCertID */
4133  CRYPT_IATTRIBUTE_ESSCERTID,
4134  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
4135  MKPERM_INT_CERTIFICATES( Rxx_Rxx ),
4136  ROUTE( OBJECT_TYPE_CERTIFICATE ), RANGE( 32, 8192 ) ),
4137  MKACL_O( /* Cert: Copy of cert object */
4138  /* This is used to create a sanitised copy of a (possibly-internal)
4139  cert.for external use */
4140  CRYPT_IATTRIBUTE_CERTCOPY,
4141  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
4142  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
4143  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertificate ),
4144  MKACL_O( /* Cert: Copy of cert object as data-only cert */
4145  CRYPT_IATTRIBUTE_CERTCOPY_DATAONLY,
4146  ST_CERT_CERT | ST_CERT_CERTCHAIN, ST_NONE, ST_NONE,
4147  MKPERM_INT_CERTIFICATES( Rxx_xxx ),
4148  ROUTE( OBJECT_TYPE_CERTIFICATE ), &objectCertificate ),
4149 
4150  /* Device internal attributes */
4151  MKACL_S( /* Dev: Polled entropy data */
4152  CRYPT_IATTRIBUTE_ENTROPY,
4153  ST_NONE, ST_DEV_SYSTEM, ST_NONE,
4154  MKPERM_INT( xWx_xWx ),
4155  ROUTE_FIXED( OBJECT_TYPE_DEVICE ), RANGE( 1, MAX_INTLENGTH - 1 ) ),
4156  MKACL_N( /* Dev: Quality of entropy */
4157  CRYPT_IATTRIBUTE_ENTROPY_QUALITY,
4158  ST_NONE, ST_DEV_SYSTEM, ST_NONE,
4159  MKPERM_INT( xWx_xWx ),
4160  ROUTE_FIXED( OBJECT_TYPE_DEVICE ), RANGE( 1, 100 ) ),
4161  MKACL_B( /* Slow/fast entropy poll */
4162  CRYPT_IATTRIBUTE_RANDOM_POLL,
4163  ST_NONE, ST_DEV_SYSTEM, ST_NONE,
4164  MKPERM_INT( xWx_xWx ),
4165  ROUTE_FIXED( OBJECT_TYPE_DEVICE ) ),
4166  MKACL_N( /* Dev: Low picket for random data attrs.*/
4167  /* This and the high picket are used to protect the critical
4168  randomness attributes from accidental access due to fencepost
4169  errors or similar problems. They're marked as non-accessible numeric
4170  attributes (randomness is a string attribute) to ensure they'll both
4171  be trapped as an error in the debug kernel and rejected in normal
4172  use */
4173  CRYPT_IATTRIBUTE_RANDOM_LOPICKET,
4174  ST_NONE, ST_DEV_ANY, ST_NONE,
4175  MKPERM_INT( xxx_xxx ),
4176  ROUTE_FIXED( OBJECT_TYPE_DEVICE ), RANGE( 0, 0 ) ),
4177  MKACL_S( /* Dev: Random data */
4178  CRYPT_IATTRIBUTE_RANDOM,
4179  ST_NONE, ST_DEV_ANY, ST_NONE,
4180  MKPERM_INT( Rxx_Rxx ),
4181  ROUTE_FIXED( OBJECT_TYPE_DEVICE ), RANGE( MIN_KEYSIZE, CRYPT_MAX_PKCSIZE ) ),
4182  MKACL_S( /* Dev: Nonzero random data */
4183  CRYPT_IATTRIBUTE_RANDOM_NZ,
4184  ST_NONE, ST_DEV_ANY, ST_NONE,
4185  MKPERM_INT( Rxx_Rxx ),
4186  ROUTE_FIXED( OBJECT_TYPE_DEVICE ), RANGE( MIN_KEYSIZE, CRYPT_MAX_PKCSIZE ) ),
4187  MKACL_N( /* Dev: High picket for random data attrs.*/
4188  CRYPT_IATTRIBUTE_RANDOM_HIPICKET,
4189  ST_NONE, ST_DEV_ANY, ST_NONE,
4190  MKPERM_INT( xxx_xxx ),
4191  ROUTE_FIXED( OBJECT_TYPE_DEVICE ), RANGE( 0, 0 ) ),
4192  MKACL_S( /* Dev: Basic nonce */
4193  CRYPT_IATTRIBUTE_RANDOM_NONCE,
4194  ST_NONE, ST_DEV_SYSTEM, ST_NONE,
4195  MKPERM_INT( Rxx_Rxx ),
4196  ROUTE_FIXED( OBJECT_TYPE_DEVICE ), RANGE( 1, MAX_INTLENGTH_SHORT ) ),
4197  MKACL_T( /* Dev: Reliable (hardware-based) time value */
4198  CRYPT_IATTRIBUTE_TIME,
4199  ST_NONE, ST_DEV_ANY, ST_NONE,
4200  MKPERM_INT( Rxx_xxx ),
4201  ROUTE_FIXED( OBJECT_TYPE_DEVICE ) ),
4202 
4203  /* Envelope internal attributes */
4204  MKACL_B( /* Env: Whether to include signing cert(s) */
4205  CRYPT_IATTRIBUTE_INCLUDESIGCERT,
4206  ST_NONE, ST_ENV_ENV, ST_NONE,
4207  MKPERM_INT_ENVELOPE( xxx_xWx ),
4208  ROUTE_FIXED( OBJECT_TYPE_ENVELOPE ) ),
4209  MKACL_B( /* Env: Signed data contains only CMS attrs.*/
4210  CRYPT_IATTRIBUTE_ATTRONLY,
4211  ST_NONE, ST_ENV_ENV | ST_ENV_DEENV, ST_NONE,
4212  MKPERM_INT_ENVELOPE( xWx_xWx ),
4213  ROUTE_FIXED( OBJECT_TYPE_ENVELOPE ) ),
4214 
4215  /* Keyset internal attributes */
4216  MKACL_S( /* Keyset: Config information */
4217  CRYPT_IATTRIBUTE_CONFIGDATA,
4218  ST_NONE, ST_KEYSET_FILE, ST_NONE,
4219  MKPERM_INT( RWx_RWx ),
4220  ROUTE_FIXED( OBJECT_TYPE_KEYSET ), RANGE( 8, 16384 ) ),
4221  MKACL_S( /* Keyset: Index of users */
4222  CRYPT_IATTRIBUTE_USERINDEX,
4223  ST_NONE, ST_KEYSET_FILE, ST_NONE,
4224  MKPERM_INT( RWx_RWx ),
4225  ROUTE_FIXED( OBJECT_TYPE_KEYSET ), RANGE( 16, 16384 ) ),
4226  MKACL_S( /* Keyset: User ID */
4227  CRYPT_IATTRIBUTE_USERID,
4228  ST_NONE, ST_KEYSET_FILE, ST_NONE,
4229  MKPERM_INT( RWx_RWx ),
4230  ROUTE_FIXED( OBJECT_TYPE_KEYSET ), RANGE( KEYID_SIZE, KEYID_SIZE ) ),
4231  MKACL_S( /* Keyset: User information */
4232  CRYPT_IATTRIBUTE_USERINFO,
4233  ST_NONE, ST_KEYSET_FILE, ST_NONE,
4234  MKPERM_INT( RWx_RWx ),
4235  ROUTE_FIXED( OBJECT_TYPE_KEYSET ), RANGE( 64, 16384 ) ),
4236  MKACL_S( /* Keyset: First trusted cert */
4237  CRYPT_IATTRIBUTE_TRUSTEDCERT,
4238  ST_NONE, ST_KEYSET_FILE, ST_NONE,
4239  MKPERM_INT( Rxx_Rxx ),
4240  ROUTE_FIXED( OBJECT_TYPE_KEYSET ), RANGE( 64, 2048 ) ),
4241  MKACL_S( /* Keyset: Successive trusted certs */
4242  CRYPT_IATTRIBUTE_TRUSTEDCERT_NEXT,
4243  ST_NONE, ST_KEYSET_FILE, ST_NONE,
4244  MKPERM_INT( Rxx_Rxx ),
4245  ROUTE_FIXED( OBJECT_TYPE_KEYSET ), RANGE( 64, 2048 ) ),
4246  MKACL_O( /* Keyset: Associated device for private key data */
4247  CRYPT_IATTRIBUTE_HWSTORAGE,
4248  ST_NONE, ST_KEYSET_FILE, ST_NONE,
4249  MKPERM_INT( xWx_xWx ),
4250  ROUTE_FIXED( OBJECT_TYPE_KEYSET ), &objectHardwareDevice ),
4251 
4252  /* Session internal attributes */
4253  MKACL_S( /* Session: Encoded TSA timestamp */
4254  CRYPT_IATTRIBUTE_ENC_TIMESTAMP,
4255  ST_NONE, ST_NONE, ST_SESS_TSP,
4256  MKPERM_INT_TSP( Rxx_xxx ),
4257  ROUTE_FIXED( OBJECT_TYPE_SESSION ), RANGE( 128, 8192 ) ),
4258 
4259  /* User internal attributes */
4260  MKACL_O( /* User: Keyset to send trusted certs to */
4261  CRYPT_IATTRUBUTE_CERTKEYSET,
4262  ST_NONE, ST_NONE, ST_USER_ANY,
4263  MKPERM_INT( xWx_xxx ),
4264  ROUTE( OBJECT_TYPE_USER ), &objectKeysetConfigdata ),
4265  MKACL_O( /* User: Cert.trust list */
4266  CRYPT_IATTRIBUTE_CTL,
4267  ST_NONE, ST_NONE, ST_USER_ANY,
4268  MKPERM_INT_CERTIFICATES( RWx_xxx ),
4269  ROUTE( OBJECT_TYPE_USER ), &objectCertificate ),
4270  MKACL_END(), MKACL_END()
4271  };
4272 
4273 /****************************************************************************
4274 * *
4275 * Init/Shutdown Functions *
4276 * *
4277 ****************************************************************************/
4278 
4279 /* Check that a special range entry is consistent */
4280 
4281 CHECK_RETVAL_BOOL STDC_NONNULL_ARG( ( 1 ) ) \
4282 static BOOLEAN specialRangeConsistent( const ATTRIBUTE_ACL *attributeACL )
4283  {
4284  assert( isReadPtr( attributeACL, sizeof( ATTRIBUTE_ACL ) ) );
4285 
4286  switch( getSpecialRangeType( attributeACL ) )
4287  {
4288  case RANGEVAL_ANY:
4289  if( getSpecialRangeInfo( attributeACL ) != NULL )
4290  return( FALSE );
4291  break;
4292 
4293  case RANGEVAL_ALLOWEDVALUES:
4294  {
4295  const int *rangeVal = getSpecialRangeInfo( attributeACL );
4296  int i;
4297 
4298  if( rangeVal == NULL )
4299  return( FALSE );
4300  for( i = 0; i < 10; i++ )
4301  {
4302  if( *rangeVal++ == CRYPT_ERROR )
4303  break;
4304  }
4305  if( i >= 10 )
4306  return( FALSE );
4307  break;
4308  }
4309 
4310  case RANGEVAL_SUBRANGES:
4311  {
4312  const RANGE_SUBRANGE_TYPE *rangeVal = \
4313  getSpecialRangeInfo( attributeACL );
4314  int i;
4315 
4316  if( rangeVal == NULL )
4317  return( FALSE );
4318  for( i = 0; i < 10; i++ )
4319  {
4320  if( rangeVal->highRange == CRYPT_ERROR )
4321  break;
4322  if( rangeVal->lowRange < 0 )
4323  {
4324  if( !( rangeVal->lowRange < 0 && \
4325  rangeVal->highRange < 0 ) || \
4326  rangeVal->lowRange < rangeVal->highRange )
4327  return( FALSE );
4328  }
4329  else
4330  if( !( rangeVal->lowRange >= 0 && \
4331  rangeVal->highRange >= 0 ) || \
4332  rangeVal->lowRange > rangeVal->highRange )
4333  return( FALSE );
4334  rangeVal++;
4335  }
4336  if( i >= 10 )
4337  return( FALSE );
4338  break;
4339  }
4340 
4341  default:
4342  return( FALSE );
4343  }
4344 
4345  return( TRUE );
4346  }
4347 
4348 /* Check that an ACL is consistent */
4349 
4350 #define ACCESS_RWx_xxx 0x6060 /* Special-case used for consistency check */
4351 
4352 CHECK_RETVAL_BOOL STDC_NONNULL_ARG( ( 1 ) ) \
4353 static BOOLEAN aclConsistent( const ATTRIBUTE_ACL *attributeACL,
4354  IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE attribute,
4355  IN_ENUM( OBJECT ) const OBJECT_SUBTYPE subTypeA,
4356  IN_ENUM( OBJECT ) const OBJECT_SUBTYPE subTypeB,
4357  IN_ENUM( OBJECT ) const OBJECT_SUBTYPE subTypeC )
4358  {
4359  assert( isReadPtr( attributeACL, sizeof( ATTRIBUTE_ACL ) ) );
4360 
4361 #ifndef NDEBUG
4362  REQUIRES_B( attribute > CRYPT_ATTRIBUTE_NONE && \
4363  attribute < CRYPT_IATTRIBUTE_LAST );
4364 #endif /* !NDEBUG */
4365  REQUIRES_B( !( subTypeA & ( SUBTYPE_CLASS_B | SUBTYPE_CLASS_C ) ) );
4366  REQUIRES_B( !( subTypeB & ( SUBTYPE_CLASS_A | SUBTYPE_CLASS_C ) ) );
4367  REQUIRES_B( !( subTypeC & ( SUBTYPE_CLASS_A | SUBTYPE_CLASS_B ) ) );
4368 
4369  /* General consistency checks. We can only check the attribute type in
4370  the debug build because it's not present in the release to save
4371  space */
4372 #ifndef NDEBUG
4373  if( attributeACL->attribute != attribute )
4374  return( FALSE );
4375 #endif /* !NDEBUG */
4376  if( attributeACL->flags >= ATTRIBUTE_FLAG_LAST )
4377  return( FALSE );
4378  if( ( attributeACL->subTypeA & ( SUBTYPE_CLASS_B | SUBTYPE_CLASS_C ) ) || \
4379  ( attributeACL->subTypeB & ( SUBTYPE_CLASS_A | SUBTYPE_CLASS_C ) ) || \
4380  ( attributeACL->subTypeC & ( SUBTYPE_CLASS_A | SUBTYPE_CLASS_B ) ) )
4381  return( FALSE );
4382  if( ( attributeACL->subTypeA & ~( SUBTYPE_CLASS_A | subTypeA ) ) != 0 || \
4383  ( attributeACL->subTypeB & ~( SUBTYPE_CLASS_B | subTypeB ) ) != 0 || \
4384  ( attributeACL->subTypeC & ~( SUBTYPE_CLASS_C | subTypeC ) ) != 0 )
4385  return( FALSE );
4386 
4387  /* ACL-specific checks */
4388  switch( attributeACL->valueType )
4389  {
4390  case ATTRIBUTE_VALUE_BOOLEAN:
4391  /* Some boolean values can only be set to TRUE or FALSE, so it's
4392  possible to have a range of { FALSE, FALSE } or
4393  { TRUE, TRUE } */
4394  if( ( attributeACL->lowRange != FALSE && \
4395  attributeACL->lowRange != TRUE ) || \
4396  ( attributeACL->highRange != FALSE && \
4397  attributeACL->highRange != TRUE ) || \
4398  attributeACL->extendedInfo != NULL )
4399  return( FALSE );
4400  break;
4401 
4402  case ATTRIBUTE_VALUE_NUMERIC:
4403  if( isSpecialRange( attributeACL ) )
4404  {
4405  if( !specialRangeConsistent( attributeACL ) )
4406  return( FALSE );
4407  }
4408  else
4409  {
4410  if( attributeACL->lowRange < 0 )
4411  {
4412  if( !( attributeACL->lowRange < 0 && \
4413  attributeACL->highRange < 0 ) || \
4414  attributeACL->lowRange < attributeACL->highRange )
4415  return( FALSE );
4416  }
4417  else
4418  {
4419  if( !( attributeACL->lowRange >= 0 && \
4420  attributeACL->highRange >= 0 ) || \
4421  attributeACL->lowRange > attributeACL->highRange )
4422  return( FALSE );
4423  }
4424  if( attributeACL->extendedInfo != NULL )
4425  return( FALSE );
4426  }
4427  break;
4428 
4429  case ATTRIBUTE_VALUE_STRING:
4430  if( isSpecialRange( attributeACL ) )
4431  {
4432  if( getSpecialRangeType( attributeACL ) != RANGEVAL_ALLOWEDVALUES || \
4433  getSpecialRangeInfo( attributeACL ) == NULL )
4434  return( FALSE );
4435  if( !specialRangeConsistent( attributeACL ) )
4436  return( FALSE );
4437  }
4438  else
4439  {
4440  /* The special-case check for MAX_INTLENGTH is needed for
4441  polled entropy data, which can be of arbitrary length */
4442  if( attributeACL->extendedInfo != NULL )
4443  return( FALSE );
4444  if( attributeACL->lowRange < 0 || \
4445  ( attributeACL->highRange > 16384 && \
4446  attributeACL->highRange != MAX_INTLENGTH - 1 ) || \
4447  attributeACL->lowRange > attributeACL->highRange )
4448  return( FALSE );
4449  }
4450  break;
4451 
4452  case ATTRIBUTE_VALUE_WCSTRING:
4453  if( attributeACL->extendedInfo != NULL )
4454  return( FALSE );
4455  if( attributeACL->lowRange < 0 || \
4456  attributeACL->highRange > 16384 || \
4457  attributeACL->lowRange > attributeACL->highRange )
4458  return( FALSE );
4459  break;
4460 
4461  case ATTRIBUTE_VALUE_OBJECT:
4462  if( attributeACL->lowRange != 0 || \
4463  attributeACL->highRange != 0 || \
4464  attributeACL->extendedInfo == NULL )
4465  return( FALSE );
4466  break;
4467 
4468  case ATTRIBUTE_VALUE_TIME:
4469  if( attributeACL->lowRange != 0 || \
4470  attributeACL->highRange != 0 || \
4471  attributeACL->extendedInfo != NULL )
4472  return( FALSE );
4473  break;
4474 
4475  case ATTRIBUTE_VALUE_SPECIAL:
4476  {
4477  const ATTRIBUTE_ACL *attributeACLPtr;
4478  int access = attributeACL->access;
4479  int subTypes = attributeACL->subTypeA | \
4480  attributeACL->subTypeB | \
4481  attributeACL->subTypeC;
4482  int iterationCount;
4483 
4484  if( !isSpecialRange( attributeACL ) || \
4485  getSpecialRangeType( attributeACL ) != RANGEVAL_SUBTYPED || \
4486  getSpecialRangeInfo( attributeACL ) == NULL )
4487  return( FALSE );
4488 
4489  /* Recursively check the sub-ACLs */
4490  for( attributeACLPtr = getSpecialRangeInfo( attributeACL ), \
4491  iterationCount = 0;
4492  attributeACLPtr->valueType != ATTRIBUTE_VALUE_NONE && \
4493  iterationCount < FAILSAFE_ITERATIONS_MED;
4494  attributeACLPtr++, iterationCount++ )
4495  {
4496  if( !aclConsistent( attributeACLPtr,
4497 #ifndef NDEBUG
4498  attributeACL->attribute,
4499 #else
4500  CRYPT_ATTRIBUTE_NONE,
4501 #endif /* !NDEBUG */
4502  attributeACL->subTypeA,
4503  attributeACL->subTypeB,
4504  attributeACL->subTypeC ) )
4505  return( FALSE );
4506  }
4507  ENSURES_B( iterationCount < FAILSAFE_ITERATIONS_MED );
4508 
4509  /* Make sure that all subtypes and acess settings in the main
4510  attribute are handled in the sub-attributes */
4511  for( attributeACLPtr = getSpecialRangeInfo( attributeACL ), \
4512  iterationCount = 0;
4513  attributeACLPtr->valueType != ATTRIBUTE_VALUE_NONE && \
4514  iterationCount < FAILSAFE_ITERATIONS_MED;
4515  attributeACLPtr++, iterationCount++ )
4516  {
4517  subTypes &= ~( attributeACLPtr->subTypeA | \
4518  attributeACLPtr->subTypeB | \
4519  attributeACLPtr->subTypeC );
4520  access &= ~attributeACLPtr->access;
4521  }
4522  ENSURES_B( iterationCount < FAILSAFE_ITERATIONS_MED );
4523  if( subTypes != 0 || access != 0 )
4524  return( FALSE );
4525  break;
4526  }
4527 
4528  default:
4529  return( FALSE );
4530  }
4531 
4532  return( TRUE );
4533  }
4534 
4535 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \
4536 int initAttributeACL( INOUT KERNEL_DATA *krnlDataPtr )
4537  {
4538  int i;
4539 
4540  UNUSED_ARG( krnlDataPtr );
4541 
4542  /* Perform a consistency check on values used to handle ACL subranges.
4543  These are somewhat tricky to check automatically since they represent
4544  variable start and end ranges, we hardcode in absolute values to
4545  ensure that adding new attributes in the header file will trigger an
4546  exception here to provide a reminder to change the range-end
4547  definitions as well */
4548  static_assert( CRYPT_CERTINFO_FIRST_CERTINFO == 2001, "Attribute value" );
4549  static_assert( CRYPT_CERTINFO_LAST_CERTINFO == 2033, "Attribute value" );
4550  static_assert( CRYPT_CERTINFO_FIRST_PSEUDOINFO == 2001, "Attribute value" );
4551  static_assert( CRYPT_CERTINFO_LAST_PSEUDOINFO == 2012, "Attribute value" );
4552  static_assert( CRYPT_CERTINFO_FIRST_NAME == 2100, "Attribute value" );
4553  static_assert( CRYPT_CERTINFO_LAST_NAME == 2115, "Attribute value" );
4554  static_assert( CRYPT_CERTINFO_FIRST_DN == 2100, "Attribute value" );
4555  static_assert( CRYPT_CERTINFO_LAST_DN == 2105, "Attribute value" );
4556  static_assert( CRYPT_CERTINFO_FIRST_GENERALNAME == 2106, "Attribute value" );
4557  static_assert( CRYPT_CERTINFO_LAST_GENERALNAME == 2115, "Attribute value" );
4558  static_assert( CRYPT_CERTINFO_FIRST_EXTENSION == 2200, "Attribute value" );
4559  static_assert( CRYPT_CERTINFO_FIRST_CMS == 2500, "Attribute value" );
4560  static_assert( CRYPT_SESSINFO_FIRST_SPECIFIC == 6016, "Attribute value" );
4561  static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6027, "Attribute value" );
4562  static_assert( CRYPT_CERTFORMAT_LAST == 12, "Attribute value" );
4563 
4564  /* Perform a consistency check on the attribute ACLs. The ACLs are
4565  complex enough that we assert on each one to quickly catch problems
4566  when one is changed. First we check the universal property, generic,
4567  and option ACLs */
4568  for( i = 0; i < CRYPT_PROPERTY_LAST - CRYPT_PROPERTY_FIRST - 1 && \
4569  i < FAILSAFE_ARRAYSIZE( propertyACL, ATTRIBUTE_ACL ); i++ )
4570  {
4571  if( !aclConsistent( &propertyACL[ i ], i + CRYPT_PROPERTY_FIRST + 1,
4572  ST_ANY_A, ST_ANY_B, ST_ANY_C ) )
4573  {
4574  DEBUG_DIAG(( "Property ACLs inconsistent" ));
4575  retIntError();
4576  }
4577  }
4578  ENSURES( i < FAILSAFE_ARRAYSIZE( propertyACL, ATTRIBUTE_ACL ) );
4579 #ifndef NDEBUG
4580  ENSURES( propertyACL[ CRYPT_PROPERTY_LAST - \
4581  CRYPT_PROPERTY_FIRST - 1 ].attribute == CRYPT_ERROR );
4582 #endif /* !NDEBUG */
4583  for( i = 0; i < CRYPT_GENERIC_LAST - CRYPT_GENERIC_FIRST - 1 && \
4584  i < FAILSAFE_ARRAYSIZE( genericACL, ATTRIBUTE_ACL ); i++ )
4585  {
4586  if( !aclConsistent( &genericACL[ i ], i + CRYPT_GENERIC_FIRST + 1,
4587  ST_ANY_A, ST_ANY_B, ST_ANY_C ) )
4588  {
4589  DEBUG_DIAG(( "Generic ACLs inconsistent" ));
4590  retIntError();
4591  }
4592  }
4593  ENSURES( i < FAILSAFE_ARRAYSIZE( genericACL, ATTRIBUTE_ACL ) );
4594 #ifndef NDEBUG
4595  ENSURES( genericACL[ CRYPT_GENERIC_LAST - \
4596  CRYPT_GENERIC_FIRST - 1 ].attribute == CRYPT_ERROR );
4597 #endif /* !NDEBUG */
4598  for( i = 0; i < CRYPT_OPTION_LAST - CRYPT_OPTION_FIRST - 1 && \
4599  i < FAILSAFE_ARRAYSIZE( optionACL, ATTRIBUTE_ACL ); i++ )
4600  {
4601  if( !aclConsistent( &optionACL[ i ], i + CRYPT_OPTION_FIRST + 1,
4602  ST_CTX_CONV | ST_CTX_PKC,
4603  ST_ENV_ENV | ST_ENV_ENV_PGP | ST_KEYSET_LDAP,
4604  ST_SESS_ANY | ST_USER_ANY ) )
4605  {
4606  DEBUG_DIAG(( "Option ACLs inconsistent" ));
4607  retIntError();
4608  }
4609 #ifndef NDEBUG
4610  if( optionACL[ i ].attribute >= CRYPT_OPTION_KEYING_ALGO && \
4611  optionACL[ i ].attribute <= CRYPT_OPTION_KEYING_ITERATIONS )
4612  {
4613  ENSURES( optionACL[ i ].subTypeA == ST_CTX_CONV );
4614  ENSURES( optionACL[ i ].subTypeB == ST_NONE );
4615  ENSURES( ( optionACL[ i ].subTypeC & ~( SUBTYPE_CLASS_C | \
4616  ST_USER_ANY ) ) == 0 );
4617  }
4618  else
4619  if( optionACL[ i ].attribute >= CRYPT_OPTION_KEYS_LDAP_OBJECTCLASS && \
4620  optionACL[ i ].attribute <= CRYPT_OPTION_KEYS_LDAP_EMAILNAME )
4621  {
4622  ENSURES( optionACL[ i ].subTypeA == ST_NONE );
4623  ENSURES( optionACL[ i ].subTypeB == ST_KEYSET_LDAP );
4624  ENSURES( ( optionACL[ i ].subTypeC & ~( SUBTYPE_CLASS_C | \
4625  ST_USER_ANY ) ) == 0 );
4626  }
4627  else
4628  if( optionACL[ i ].attribute == CRYPT_OPTION_MISC_SIDECHANNELPROTECTION )
4629  {
4630  ENSURES( optionACL[ i ].subTypeA == ST_CTX_PKC );
4631  ENSURES( optionACL[ i ].subTypeB == ST_NONE );
4632  ENSURES( optionACL[ i ].subTypeC == ST_USER_SO );
4633  }
4634  else
4635  if( optionACL[ i ].attribute >= CRYPT_OPTION_ENCR_ALGO && \
4636  optionACL[ i ].attribute <= CRYPT_OPTION_ENCR_MAC )
4637  {
4638  if( optionACL[ i ].subTypeA != ST_NONE || \
4639  optionACL[ i ].subTypeB & ~( SUBTYPE_CLASS_B | ST_ENV_ENV | \
4640  ST_ENV_ENV_PGP ) ||
4641  optionACL[ i ].subTypeC & ~( SUBTYPE_CLASS_C | ST_USER_ANY ) )
4642  {
4643  DEBUG_DIAG(( "Encryption property ACLs inconsistent" ));
4644  retIntError();
4645  }
4646  }
4647  else
4648  if( optionACL[ i ].attribute >= CRYPT_OPTION_NET_SOCKS_SERVER && \
4649  optionACL[ i ].attribute <= CRYPT_OPTION_NET_WRITETIMEOUT )
4650  {
4651  ENSURES( optionACL[ i ].subTypeA == ST_NONE && \
4652  optionACL[ i ].subTypeB == ST_NONE );
4653  ENSURES( optionACL[ i ].subTypeC == ( ST_SESS_ANY | ST_USER_ANY ) );
4654  }
4655  else
4656  if( optionACL[ i ].subTypeA != ST_NONE || \
4657  optionACL[ i ].subTypeB != ST_NONE || \
4658  optionACL[ i ].subTypeC & ~( SUBTYPE_CLASS_C | ST_USER_ANY ) )
4659  {
4660  DEBUG_DIAG(( "Networking property ACLs inconsistent" ));
4661  retIntError();
4662  }
4663 #endif /* !NDEBUG */
4664  }
4665  ENSURES( i < FAILSAFE_ARRAYSIZE( optionACL, ATTRIBUTE_ACL ) );
4666 #ifndef NDEBUG
4667  ENSURES( optionACL[ CRYPT_OPTION_LAST - \
4668  CRYPT_OPTION_FIRST - 1 ].attribute == CRYPT_ERROR );
4669 #endif /* !NDEBUG */
4670 
4671  /* Check the context ACLs */
4672  for( i = 0; i < CRYPT_CTXINFO_LAST - CRYPT_CTXINFO_FIRST - 1 && \
4673  i < FAILSAFE_ARRAYSIZE( contextACL, ATTRIBUTE_ACL ); i++ )
4674  {
4675  if( !aclConsistent( &contextACL[ i ], i + CRYPT_CTXINFO_FIRST + 1,
4676  ST_CTX_ANY, ST_NONE, ST_NONE ) )
4677  {
4678  DEBUG_DIAG(( "Context ACLs inconsistent" ));
4679  retIntError();
4680  }
4681  }
4682  ENSURES( i < FAILSAFE_ARRAYSIZE( contextACL, ATTRIBUTE_ACL ) );
4683 #ifndef NDEBUG
4684  ENSURES( contextACL[ CRYPT_CTXINFO_LAST - \
4685  CRYPT_CTXINFO_FIRST - 1 ].attribute == CRYPT_ERROR );
4686 #endif /* !NDEBUG */
4687 
4688  /* Check the certificate ACLs */
4689  for( i = 0; i < CRYPT_CERTINFO_LAST_CERTINFO - CRYPT_CERTINFO_FIRST_CERTINFO && \
4690  i < FAILSAFE_ARRAYSIZE( certificateACL, ATTRIBUTE_ACL ); i++ )
4691  {
4692  if( !aclConsistent( &certificateACL[ i ],
4693  i + CRYPT_CERTINFO_FIRST_CERTINFO,
4694  ST_CERT_ANY, ST_NONE, ST_NONE ) )
4695  {
4696  DEBUG_DIAG(( "Certificate ACLs inconsistent" ));
4697  retIntError();
4698  }
4699  }
4700  ENSURES( i < FAILSAFE_ARRAYSIZE( certificateACL, ATTRIBUTE_ACL ) );
4701 #ifndef NDEBUG
4702  ENSURES( certificateACL[ CRYPT_CERTINFO_LAST_CERTINFO - \
4703  CRYPT_CERTINFO_FIRST_CERTINFO + 1 ].attribute == CRYPT_ERROR );
4704 #endif /* !NDEBUG */
4705  for( i = 0; i < CRYPT_CERTINFO_LAST_NAME - CRYPT_CERTINFO_FIRST_NAME && \
4706  i < FAILSAFE_ARRAYSIZE( certNameACL, ATTRIBUTE_ACL ); i++ )
4707  {
4708  if( !aclConsistent( &certNameACL[ i ], i + CRYPT_CERTINFO_FIRST_NAME,
4709  ST_CERT_ANY, ST_NONE, ST_NONE ) )
4710  {
4711  DEBUG_DIAG(( "Certificate name ACLs inconsistent" ));
4712  retIntError();
4713  }
4714 #ifdef USE_CERTIFICATES
4715  #ifndef NDEBUG
4716  ENSURES( certNameACL[ i ].attribute == CRYPT_CERTINFO_DIRECTORYNAME || \
4717  certNameACL[ i ].access == ACCESS_Rxx_RWD );
4718  #endif /* !NDEBUG */
4719 #else
4720  ENSURES( certNameACL[ i ].access == ACCESS_xxx_xxx );
4721 #endif /* USE_CERTIFICATES */
4722  }
4723  ENSURES( i < FAILSAFE_ARRAYSIZE( certNameACL, ATTRIBUTE_ACL ) );
4724 #ifndef NDEBUG
4725  ENSURES( certNameACL[ CRYPT_CERTINFO_LAST_NAME - \
4726  CRYPT_CERTINFO_FIRST_NAME + 1 ].attribute == CRYPT_ERROR );
4727 #endif /* !NDEBUG */
4728  for( i = 0; i < CRYPT_CERTINFO_LAST_EXTENSION - CRYPT_CERTINFO_FIRST_EXTENSION && \
4729  i < FAILSAFE_ARRAYSIZE( certExtensionACL, ATTRIBUTE_ACL ); i++ )
4730  {
4731  if( !aclConsistent( &certExtensionACL[ i ],
4732  i + CRYPT_CERTINFO_FIRST_EXTENSION,
4733  ST_CERT_ANY, ST_NONE, ST_NONE ) )
4734  {
4735  DEBUG_DIAG(( "Certificate extension ACLs inconsistent" ));
4736  retIntError();
4737  }
4738 #ifndef USE_CERTIFICATES
4739  ENSURES( certExtensionACL[ i ].access == ACCESS_xxx_xxx );
4740 #endif /* !USE_CERTIFICATES */
4741  if( certExtensionACL[ i ].access == ACCESS_xxx_xxx )
4742  continue; /* Disabled attribute */
4743  if( ( certExtensionACL[ i ].access & ACCESS_RWD_xxx ) != ACCESS_Rxx_xxx )
4744  {
4745  DEBUG_DIAG(( "Certificate extension ACLs inconsistent" ));
4746  retIntError();
4747  }
4748  }
4749  ENSURES( i < FAILSAFE_ARRAYSIZE( certExtensionACL, ATTRIBUTE_ACL ) );
4750 #ifndef NDEBUG
4751  ENSURES( certExtensionACL[ CRYPT_CERTINFO_LAST_EXTENSION - \
4752  CRYPT_CERTINFO_FIRST_EXTENSION + 1 ].attribute == CRYPT_ERROR );
4753 #endif /* !NDEBUG */
4754  for( i = 0; i < CRYPT_CERTINFO_LAST_CMS - CRYPT_CERTINFO_FIRST_CMS && \
4755  i < FAILSAFE_ARRAYSIZE( certSmimeACL, ATTRIBUTE_ACL ); i++ )
4756  {
4757  if( !aclConsistent( &certSmimeACL[ i ], i + CRYPT_CERTINFO_FIRST_CMS,
4758  ST_CERT_CMSATTR | ST_CERT_RTCS_REQ, ST_NONE, ST_NONE ) )
4759  {
4760  DEBUG_DIAG(( "CMS attribute ACLs inconsistent" ));
4761  retIntError();
4762  }
4763 #ifndef NDEBUG
4764  if( certSmimeACL[ i ].attribute == CRYPT_CERTINFO_CMS_NONCE )
4765  {
4766  if( certSmimeACL[ i ].subTypeA & ~( SUBTYPE_CLASS_A | ST_CERT_CMSATTR | \
4767  ST_CERT_RTCS_REQ ) )
4768  {
4769  DEBUG_DIAG(( "CMS attribute ACLs inconsistent" ));
4770  retIntError();
4771  }
4772  }
4773  else
4774  {
4775  if( certSmimeACL[ i ].subTypeA & ~( SUBTYPE_CLASS_A | ST_CERT_CMSATTR ) )
4776  {
4777  DEBUG_DIAG(( "CMS attribute ACLs inconsistent" ));
4778  retIntError();
4779  }
4780  }
4781 #endif /* !NDEBUG */
4782 #ifndef USE_CERTIFICATES
4783  ENSURES( certSmimeACL[ i ].access == ACCESS_xxx_xxx );
4784 #endif /* !USE_CERTIFICATES */
4785  if( certSmimeACL[ i ].access == ACCESS_xxx_xxx )
4786  continue; /* Disabled attribute */
4787  if( ( certSmimeACL[ i ].access & ACCESS_RWD_xxx ) != ACCESS_Rxx_xxx )
4788  {
4789  DEBUG_DIAG(( "CMS attribute ACLs inconsistent" ));
4790  retIntError();
4791  }
4792  }
4793  ENSURES( i < FAILSAFE_ARRAYSIZE( certSmimeACL, ATTRIBUTE_ACL ) );
4794 #ifndef NDEBUG
4795  ENSURES( certSmimeACL[ CRYPT_CERTINFO_LAST_CMS - \
4796  CRYPT_CERTINFO_FIRST_CMS + 1 ].attribute == CRYPT_ERROR );
4797 #endif /* !NDEBUG */
4798 
4799  /* Check the keyset ACLs */
4800  for( i = 0; i < CRYPT_KEYINFO_LAST - CRYPT_KEYINFO_FIRST - 1 && \
4801  i < FAILSAFE_ARRAYSIZE( keysetACL, ATTRIBUTE_ACL ); i++ )
4802  {
4803  if( !aclConsistent( &keysetACL[ i ], i + CRYPT_KEYINFO_FIRST + 1,
4804  ST_NONE, ST_KEYSET_ANY, ST_NONE ) )
4805  {
4806  DEBUG_DIAG(( "Keyset ACLs inconsistent" ));
4807  retIntError();
4808  }
4809 #ifndef USE_KEYSETS
4810  ENSURES( keysetACL[ i ].access == ACCESS_xxx_xxx );
4811 #endif /* !USE_KEYSETS */
4812  }
4813  ENSURES( i < FAILSAFE_ARRAYSIZE( keysetACL, ATTRIBUTE_ACL ) );
4814 #ifndef NDEBUG
4815  ENSURES( keysetACL[ CRYPT_KEYINFO_LAST - \
4816  CRYPT_KEYINFO_FIRST - 1 ].attribute == CRYPT_ERROR );
4817 #endif /* !NDEBUG */
4818 
4819  /* Check the device ACLs. We don't perform a USE_DEVICES check to
4820  parallel the checks done for other object classes because the
4821  system device is always enabled */
4822  for( i = 0; i < CRYPT_DEVINFO_LAST - CRYPT_DEVINFO_FIRST - 1 && \
4823  i < FAILSAFE_ARRAYSIZE( deviceACL, ATTRIBUTE_ACL ); i++ )
4824  {
4825  if( !aclConsistent( &deviceACL[ i ], i + CRYPT_DEVINFO_FIRST + 1,
4826  ST_NONE, ST_DEV_ANY_STD, ST_NONE ) )
4827  {
4828  DEBUG_DIAG(( "Device ACLs inconsistent" ));
4829  retIntError();
4830  }
4831  }
4832  ENSURES( i < FAILSAFE_ARRAYSIZE( deviceACL, ATTRIBUTE_ACL ) );
4833 #ifndef NDEBUG
4834  ENSURES( deviceACL[ CRYPT_DEVINFO_LAST - \
4835  CRYPT_DEVINFO_FIRST - 1 ].attribute == CRYPT_ERROR );
4836 #endif /* !NDEBUG */
4837 
4838  /* Check the envelope ACLs */
4839  for( i = 0; i < CRYPT_ENVINFO_LAST - CRYPT_ENVINFO_FIRST - 1 && \
4840  i < FAILSAFE_ARRAYSIZE( envelopeACL, ATTRIBUTE_ACL ); i++ )
4841  {
4842  if( !aclConsistent( &envelopeACL[ i ], i + CRYPT_ENVINFO_FIRST + 1,
4843  ST_NONE, ST_ENV_ANY, ST_NONE ) )
4844  {
4845  DEBUG_DIAG(( "Envelope ACLs inconsistent" ));
4846  retIntError();
4847  }
4848 #ifndef USE_ENVELOPES
4849  ENSURES( envelopeACL[ i ].access == ACCESS_xxx_xxx );
4850 #endif /* !USE_ENVELOPES */
4851  }
4852  ENSURES( i < FAILSAFE_ARRAYSIZE( envelopeACL, ATTRIBUTE_ACL ) );
4853 #ifndef NDEBUG
4854  ENSURES( envelopeACL[ CRYPT_ENVINFO_LAST - \
4855  CRYPT_ENVINFO_FIRST - 1 ].attribute == CRYPT_ERROR );
4856 #endif /* !NDEBUG */
4857 
4858  /* Check the session ACLs */
4859  for( i = 0; i < CRYPT_SESSINFO_LAST - CRYPT_SESSINFO_FIRST - 1 && \
4860  i < FAILSAFE_ARRAYSIZE( sessionACL, ATTRIBUTE_ACL ); i++ )
4861  {
4862  if( !aclConsistent( &sessionACL[ i ], i + CRYPT_SESSINFO_FIRST + 1,
4863  ST_NONE, ST_NONE, ST_SESS_ANY ) )
4864  {
4865  DEBUG_DIAG(( "Session ACLs inconsistent" ));
4866  retIntError();
4867  }
4868 #ifndef USE_SESSIONS
4869  ENSURES( sessionACL[ i ].access == ACCESS_xxx_xxx );
4870 #endif /* !USE_SESSIONS */
4871  }
4872  ENSURES( i < FAILSAFE_ARRAYSIZE( sessionACL, ATTRIBUTE_ACL ) );
4873 #ifndef NDEBUG
4874  ENSURES( sessionACL[ CRYPT_SESSINFO_LAST - \
4875  CRYPT_SESSINFO_FIRST - 1 ].attribute == CRYPT_ERROR );
4876 #endif /* !NDEBUG */
4877 
4878  /* Check the user ACLs */
4879  for( i = 0; i < CRYPT_USERINFO_LAST - CRYPT_USERINFO_FIRST - 1 && \
4880  i < FAILSAFE_ARRAYSIZE( userACL, ATTRIBUTE_ACL ); i++ )
4881  {
4882  if( !aclConsistent( &userACL[ i ], i + CRYPT_USERINFO_FIRST + 1,
4883  ST_NONE, ST_NONE, ST_USER_ANY ) )
4884  {
4885  DEBUG_DIAG(( "User ACLs inconsistent" ));
4886  retIntError();
4887  }
4888  }
4889  ENSURES( i < FAILSAFE_ARRAYSIZE( userACL, ATTRIBUTE_ACL ) );
4890 #ifndef NDEBUG
4891  ENSURES( userACL[ CRYPT_USERINFO_LAST - \
4892  CRYPT_USERINFO_FIRST - 1 ].attribute == CRYPT_ERROR );
4893 #endif /* !NDEBUG */
4894 
4895  /* Check the internal ACLs */
4896  for( i = 0; i < CRYPT_IATTRIBUTE_LAST - CRYPT_IATTRIBUTE_FIRST - 1 && \
4897  i < FAILSAFE_ARRAYSIZE( internalACL, ATTRIBUTE_ACL ); i++ )
4898  {
4899  if( !aclConsistent( &internalACL[ i ],
4900  i + CRYPT_IATTRIBUTE_FIRST + 1,
4901  ST_ANY_A, ST_ANY_B, ST_ANY_C ) )
4902  {
4903  DEBUG_DIAG(( "Internal ACLs inconsistent" ));
4904  retIntError();
4905  }
4906  ENSURES( ( internalACL[ i ].access & ACCESS_MASK_EXTERNAL ) == 0 );
4907  }
4908  ENSURES( i < FAILSAFE_ARRAYSIZE( internalACL, ATTRIBUTE_ACL ) );
4909 #ifndef NDEBUG
4910  ENSURES( internalACL[ CRYPT_IATTRIBUTE_LAST - \
4911  CRYPT_IATTRIBUTE_FIRST - 1 ].attribute == CRYPT_ERROR );
4912 #endif /* !NDEBUG */
4913 
4914  return( CRYPT_OK );
4915  }
4916 
4917 void endAttributeACL( void )
4918  {
4919  }
4920 
4921 /****************************************************************************
4922 * *
4923 * ACL Lookup Functions *
4924 * *
4925 ****************************************************************************/
4926 
4927 /* Find the ACL for an object attribute */
4928 
4929 CHECK_RETVAL_PTR \
4930 const void *findAttributeACL( IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE attribute,
4931  const BOOLEAN isInternalMessage )
4932  {
4933  /* Precondition: If it's an internal message (i.e. not raw data from the
4934  user) then the attribute is valid */
4935  REQUIRES_N( !isInternalMessage || \
4936  isAttribute( attribute ) || isInternalAttribute( attribute ) );
4937 
4938  /* Perform a hardcoded binary search for the attribute ACL, this minimises
4939  the number of comparisons necessary to find a match.
4940 
4941  All of the checks here are specified as debug-only assertions rather
4942  than REQUIRES() preconditions since the attribute values that are
4943  being checked are only present in the debug build to save space.
4944  This isn't a major issue since it just catches cases where the static
4945  list of attributes has expanded but the equally static ACL table
4946  hasn't, which will be caught by the first run of the self-test */
4947  if( attribute < CRYPT_CTXINFO_LAST )
4948  {
4949  if( attribute < CRYPT_GENERIC_LAST )
4950  {
4951  if( attribute > CRYPT_PROPERTY_FIRST && \
4952  attribute < CRYPT_PROPERTY_LAST )
4953  {
4954  assert( propertyACL[ attribute - CRYPT_PROPERTY_FIRST - 1 ].attribute == attribute );
4955  return( &propertyACL[ attribute - CRYPT_PROPERTY_FIRST - 1 ] );
4956  }
4957  if( attribute > CRYPT_GENERIC_FIRST && \
4958  attribute < CRYPT_GENERIC_LAST )
4959  {
4960  assert( genericACL[ attribute - CRYPT_GENERIC_FIRST - 1 ].attribute == attribute );
4961  return( &genericACL[ attribute - CRYPT_GENERIC_FIRST - 1 ] );
4962  }
4963  }
4964  else
4965  {
4966  if( attribute > CRYPT_OPTION_FIRST && \
4967  attribute < CRYPT_OPTION_LAST )
4968  {
4969  assert( optionACL[ attribute - CRYPT_OPTION_FIRST - 1 ].attribute == attribute );
4970  return( &optionACL[ attribute - CRYPT_OPTION_FIRST - 1 ] );
4971  }
4972  if( attribute > CRYPT_CTXINFO_FIRST && \
4973  attribute < CRYPT_CTXINFO_LAST )
4974  {
4975  assert( contextACL[ attribute - CRYPT_CTXINFO_FIRST - 1 ].attribute == attribute );
4976  return( &contextACL[ attribute - CRYPT_CTXINFO_FIRST - 1 ] );
4977  }
4978  }
4979 
4980  return( NULL );
4981  }
4982  if( attribute < CRYPT_KEYINFO_LAST )
4983  {
4984  if( attribute > CRYPT_CERTINFO_FIRST && \
4985  attribute < CRYPT_CERTINFO_LAST )
4986  {
4987  /* Certificate attributes are split into subranges so we have to
4988  adjust the offsets to get the right ACL. The subrange
4989  specifiers are inclusive ranges rather than bounding values,
4990  so we use >= rather than > comparisons */
4991  if( attribute < CRYPT_CERTINFO_FIRST_EXTENSION )
4992  {
4993  if( attribute >= CRYPT_CERTINFO_FIRST_CERTINFO && \
4994  attribute <= CRYPT_CERTINFO_LAST_CERTINFO )
4995  {
4996  assert( certificateACL[ attribute - CRYPT_CERTINFO_FIRST_CERTINFO ].attribute == attribute );
4997  return( &certificateACL[ attribute - CRYPT_CERTINFO_FIRST_CERTINFO ] );
4998  }
4999  if( attribute >= CRYPT_CERTINFO_FIRST_NAME && \
5000  attribute <= CRYPT_CERTINFO_LAST_NAME )
5001  {
5002  assert( certNameACL[ attribute - CRYPT_CERTINFO_FIRST_NAME ].attribute == attribute );
5003  return( &certNameACL[ attribute - CRYPT_CERTINFO_FIRST_NAME ] );
5004  }
5005  }
5006  else
5007  {
5008  if( attribute >= CRYPT_CERTINFO_FIRST_EXTENSION && \
5009  attribute <= CRYPT_CERTINFO_LAST_EXTENSION )
5010  {
5011  assert( certExtensionACL[ attribute - CRYPT_CERTINFO_FIRST_EXTENSION ].attribute == attribute );
5012  return( &certExtensionACL[ attribute - CRYPT_CERTINFO_FIRST_EXTENSION ] );
5013  }
5014  if( attribute >= CRYPT_CERTINFO_FIRST_CMS && \
5015  attribute <= CRYPT_CERTINFO_LAST_CMS )
5016  {
5017  assert( certSmimeACL[ attribute - CRYPT_CERTINFO_FIRST_CMS ].attribute == attribute );
5018  return( &certSmimeACL[ attribute - CRYPT_CERTINFO_FIRST_CMS ] );
5019  }
5020  }
5021  }
5022  if( attribute > CRYPT_KEYINFO_FIRST && \
5023  attribute < CRYPT_KEYINFO_LAST )
5024  {
5025  assert( keysetACL[ attribute - CRYPT_KEYINFO_FIRST - 1 ].attribute == attribute );
5026  return( &keysetACL[ attribute - CRYPT_KEYINFO_FIRST - 1 ] );
5027  }
5028 
5029  return( NULL );
5030  }
5031  if( attribute < CRYPT_USERINFO_LAST )
5032  {
5033  if( attribute > CRYPT_DEVINFO_FIRST && \
5034  attribute < CRYPT_DEVINFO_LAST )
5035  {
5036  assert( deviceACL[ attribute - CRYPT_DEVINFO_FIRST - 1 ].attribute == attribute );
5037  return( &deviceACL[ attribute - CRYPT_DEVINFO_FIRST - 1 ] );
5038  }
5039  if( attribute > CRYPT_ENVINFO_FIRST && \
5040  attribute < CRYPT_ENVINFO_LAST )
5041  {
5042  assert( envelopeACL[ attribute - CRYPT_ENVINFO_FIRST - 1 ].attribute == attribute );
5043  return( &envelopeACL[ attribute - CRYPT_ENVINFO_FIRST - 1 ] );
5044  }
5045  if( attribute > CRYPT_SESSINFO_FIRST && \
5046  attribute < CRYPT_SESSINFO_LAST )
5047  {
5048  assert( sessionACL[ attribute - CRYPT_SESSINFO_FIRST - 1 ].attribute == attribute );
5049  return( &sessionACL[ attribute - CRYPT_SESSINFO_FIRST - 1 ] );
5050  }
5051  if( attribute > CRYPT_USERINFO_FIRST && \
5052  attribute < CRYPT_USERINFO_LAST )
5053  {
5054  assert( userACL[ attribute - CRYPT_USERINFO_FIRST - 1 ].attribute == attribute );
5055  return( &userACL[ attribute - CRYPT_USERINFO_FIRST - 1 ] );
5056  }
5057 
5058  return( NULL );
5059  }
5060 
5061  /* If it's an external message then the internal attributes don't
5062  exist */
5063  if( !isInternalMessage )
5064  return( NULL );
5065  if( attribute > CRYPT_IATTRIBUTE_FIRST && \
5066  attribute < CRYPT_IATTRIBUTE_LAST )
5067  {
5068  assert( internalACL[ attribute - CRYPT_IATTRIBUTE_FIRST - 1 ].attribute == attribute );
5069  return( &internalACL[ attribute - CRYPT_IATTRIBUTE_FIRST - 1 ] );
5070  }
5071 
5072  return( NULL );
5073  }
Generated on Thu Jan 10 2013 10:00:49 for cryptlib by   doxygen 1.8.2