/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
-#ifndef HEADER_CT_H
-# define HEADER_CT_H
+#ifndef OPENSSL_CT_H
+# define OPENSSL_CT_H
+# pragma once
+
+# include <openssl/macros.h>
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+# define HEADER_CT_H
+# endif
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_CT
-# include <openssl/ossl_typ.h>
+# include <openssl/types.h>
# include <openssl/safestack.h>
# include <openssl/x509.h>
+# include <openssl/cterr.h>
# ifdef __cplusplus
extern "C" {
# endif
/* All hashes are SHA256 in v1 of Certificate Transparency */
# define CT_V1_HASHLEN SHA256_DIGEST_LENGTH
+DEFINE_OR_DECLARE_STACK_OF(SCT)
+DEFINE_OR_DECLARE_STACK_OF(CTLOG)
+
typedef enum {
CT_LOG_ENTRY_TYPE_NOT_SET = -1,
CT_LOG_ENTRY_TYPE_X509 = 0,
SCT_VALIDATION_STATUS_UNKNOWN_VERSION
} sct_validation_status_t;
-DEFINE_STACK_OF(SCT)
-DEFINE_STACK_OF(CTLOG)
-
/******************************************
* CT policy evaluation context functions *
******************************************/
-/* Creates a new, empty policy evaluation context */
+/*
+ * Creates a new, empty policy evaluation context associated with the given
+ * library context and property query string.
+ * The caller is responsible for calling CT_POLICY_EVAL_CTX_free when finished
+ * with the CT_POLICY_EVAL_CTX.
+ */
+CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new_with_libctx(OPENSSL_CTX *libctx,
+ const char *propq);
+
+/*
+ * The same as CT_POLICY_EVAL_CTX_new_with_libctx() but the default library
+ * context and property query string is used.
+ */
CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void);
/* Deletes a policy evaluation context and anything it owns. */
/*
* Sets the certificate associated with the received SCTs.
- * Incremenets the reference count of cert.
+ * Increments the reference count of cert.
* Returns 1 on success, 0 otherwise.
*/
int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx,
CTLOG_STORE *log_store);
+/*
+ * Gets the time, in milliseconds since the Unix epoch, that will be used as the
+ * current time when checking whether an SCT was issued in the future.
+ * Such SCTs will fail validation, as required by RFC6962.
+ */
+uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx);
+
+/*
+ * Sets the time to evaluate SCTs against, in milliseconds since the Unix epoch.
+ * If an SCT's timestamp is after this time, it will be interpreted as having
+ * been issued in the future. RFC6962 states that "TLS clients MUST reject SCTs
+ * whose timestamp is in the future", so an SCT will not validate in this case.
+ */
+void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms);
+
/*****************
* SCT functions *
*****************/
********************/
/*
- * Creates a new CT log instance with the given |public_key| and |name|.
+ * Creates a new CT log instance with the given |public_key| and |name| and
+ * associates it with the give library context |libctx| and property query
+ * string |propq|.
+ * Takes ownership of |public_key| but copies |name|.
* Returns NULL if malloc fails or if |public_key| cannot be converted to DER.
* Should be deleted by the caller using CTLOG_free when no longer needed.
*/
+CTLOG *CTLOG_new_with_libctx(EVP_PKEY *public_key, const char *name,
+ OPENSSL_CTX *libctx, const char *propq);
+
+/*
+ * The same as CTLOG_new_with_libctx except that the default library context and
+ * property query string are used.
+ */
CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name);
/*
* Creates a new CTLOG instance with the base64-encoded SubjectPublicKeyInfo DER
- * in |pkey_base64|. The |name| is a string to help users identify this log.
+ * in |pkey_base64| and associated with the given library context |libctx| and
+ * property query string |propq|. The |name| is a string to help users identify
+ * this log.
* Returns 1 on success, 0 on failure.
* Should be deleted by the caller using CTLOG_free when no longer needed.
*/
+int CTLOG_new_from_base64_with_libctx(CTLOG **ct_log, const char *pkey_base64,
+ const char *name, OPENSSL_CTX *libctx,
+ const char *propq);
+
+/*
+ * The same as CTLOG_new_from_base64_with_libctx() except that the default
+ * library context and property query string are used.
+ * Returns 1 on success, 0 on failure.
+ */
int CTLOG_new_from_base64(CTLOG ** ct_log,
const char *pkey_base64, const char *name);
**************************/
/*
- * Creates a new CT log store.
+ * Creates a new CT log store and associates it with the given libctx and
+ * property query string.
+ * Should be deleted by the caller using CTLOG_STORE_free when no longer needed.
+ */
+CTLOG_STORE *CTLOG_STORE_new_with_libctx(OPENSSL_CTX *libctx, const char *propq);
+
+/*
+ * Same as CTLOG_STORE_new_with_libctx except that the default libctx and
+ * property query string are used.
* Should be deleted by the caller using CTLOG_STORE_free when no longer needed.
*/
CTLOG_STORE *CTLOG_STORE_new(void);
/*
* Loads the default CT log list into a |store|.
- * See internal/cryptlib.h for the environment variable and file path that are
- * consulted to find the default file.
* Returns 1 if loading is successful, or 0 otherwise.
*/
__owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
-/* BEGIN ERROR CODES */
-/*
- * The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-
-int ERR_load_CT_strings(void);
-
-/* Error codes for the CT functions. */
-
-/* Function codes. */
-# define CT_F_CTLOG_NEW 117
-# define CT_F_CTLOG_NEW_FROM_BASE64 118
-# define CT_F_CTLOG_NEW_FROM_CONF 119
-# define CT_F_CTLOG_NEW_NULL 120
-# define CT_F_CTLOG_STORE_LOAD_CTX_NEW 122
-# define CT_F_CTLOG_STORE_LOAD_FILE 123
-# define CT_F_CTLOG_STORE_LOAD_LOG 130
-# define CT_F_CTLOG_STORE_NEW 131
-# define CT_F_CT_BASE64_DECODE 124
-# define CT_F_CT_POLICY_EVAL_CTX_NEW 133
-# define CT_F_CT_V1_LOG_ID_FROM_PKEY 125
-# define CT_F_I2O_SCT 107
-# define CT_F_I2O_SCT_LIST 108
-# define CT_F_I2O_SCT_SIGNATURE 109
-# define CT_F_O2I_SCT 110
-# define CT_F_O2I_SCT_LIST 111
-# define CT_F_O2I_SCT_SIGNATURE 112
-# define CT_F_SCT_CTX_NEW 126
-# define CT_F_SCT_NEW 100
-# define CT_F_SCT_NEW_FROM_BASE64 127
-# define CT_F_SCT_SET0_LOG_ID 101
-# define CT_F_SCT_SET1_EXTENSIONS 114
-# define CT_F_SCT_SET1_LOG_ID 115
-# define CT_F_SCT_SET1_SIGNATURE 116
-# define CT_F_SCT_SET_LOG_ENTRY_TYPE 102
-# define CT_F_SCT_SET_SIGNATURE_NID 103
-# define CT_F_SCT_SET_VERSION 104
-# define CT_F_SCT_CTX_VERIFY 128
-
-/* Reason codes. */
-# define CT_R_BASE64_DECODE_ERROR 108
-# define CT_R_INVALID_LOG_ID_LENGTH 100
-# define CT_R_LOG_CONF_INVALID 109
-# define CT_R_LOG_CONF_INVALID_KEY 110
-# define CT_R_LOG_CONF_MISSING_DESCRIPTION 111
-# define CT_R_LOG_CONF_MISSING_KEY 112
-# define CT_R_LOG_KEY_INVALID 113
-# define CT_R_SCT_INVALID 104
-# define CT_R_SCT_INVALID_SIGNATURE 107
-# define CT_R_SCT_LIST_INVALID 105
-# define CT_R_SCT_LOG_ID_MISMATCH 114
-# define CT_R_SCT_NOT_SET 106
-# define CT_R_SCT_UNSUPPORTED_VERSION 115
-# define CT_R_UNRECOGNIZED_SIGNATURE_NID 101
-# define CT_R_UNSUPPORTED_ENTRY_TYPE 102
-# define CT_R_UNSUPPORTED_VERSION 103
-
# ifdef __cplusplus
}
# endif