/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
# include <openssl/ossl_typ.h>
# include <openssl/safestack.h>
# include <openssl/x509.h>
+# include <openssl/cterr.h>
# ifdef __cplusplus
extern "C" {
# endif
* CT policy evaluation context functions *
******************************************/
-/* Creates a new, empty policy evaluation context */
+/*
+ * Creates a new, empty policy evaluation context.
+ * The caller is responsible for calling CT_POLICY_EVAL_CTX_free when finished
+ * with the CT_POLICY_EVAL_CTX.
+ */
CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void);
/* Deletes a policy evaluation context and anything it owns. */
/*
* Sets the certificate associated with the received SCTs.
- * Incremenets the reference count of cert.
+ * Increments the reference count of cert.
* Returns 1 on success, 0 otherwise.
*/
int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx,
CTLOG_STORE *log_store);
+/*
+ * Gets the time, in milliseconds since the Unix epoch, that will be used as the
+ * current time when checking whether an SCT was issued in the future.
+ * Such SCTs will fail validation, as required by RFC6962.
+ */
+uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx);
+
+/*
+ * Sets the time to evaluate SCTs against, in milliseconds since the Unix epoch.
+ * If an SCT's timestamp is after this time, it will be interpreted as having
+ * been issued in the future. RFC6962 states that "TLS clients MUST reject SCTs
+ * whose timestamp is in the future", so an SCT will not validate in this case.
+ */
+void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms);
+
/*****************
* SCT functions *
*****************/
/*
* Validates the given list of SCTs with the provided context.
- * Populates the "good_scts" and "bad_scts" of the evaluation context.
+ * Sets the "validation_status" field of each SCT.
* Returns 1 if there are no invalid SCTs and all signatures verify.
* Returns 0 if at least one SCT is invalid or could not be verified.
* Returns a negative integer if an error occurs.
/*
* Creates a new CT log instance with the given |public_key| and |name|.
+ * Takes ownership of |public_key| but copies |name|.
* Returns NULL if malloc fails or if |public_key| cannot be converted to DER.
* Should be deleted by the caller using CTLOG_free when no longer needed.
*/
*/
__owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
-/* BEGIN ERROR CODES */
-/*
- * The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-
-int ERR_load_CT_strings(void);
-
-/* Error codes for the CT functions. */
-
-/* Function codes. */
-# define CT_F_CTLOG_NEW 117
-# define CT_F_CTLOG_NEW_FROM_BASE64 118
-# define CT_F_CTLOG_NEW_FROM_CONF 119
-# define CT_F_CTLOG_NEW_NULL 120
-# define CT_F_CTLOG_STORE_LOAD_CTX_NEW 122
-# define CT_F_CTLOG_STORE_LOAD_FILE 123
-# define CT_F_CTLOG_STORE_LOAD_LOG 130
-# define CT_F_CTLOG_STORE_NEW 131
-# define CT_F_CT_BASE64_DECODE 124
-# define CT_F_CT_POLICY_EVAL_CTX_NEW 133
-# define CT_F_CT_V1_LOG_ID_FROM_PKEY 125
-# define CT_F_I2O_SCT 107
-# define CT_F_I2O_SCT_LIST 108
-# define CT_F_I2O_SCT_SIGNATURE 109
-# define CT_F_O2I_SCT 110
-# define CT_F_O2I_SCT_LIST 111
-# define CT_F_O2I_SCT_SIGNATURE 112
-# define CT_F_SCT_CTX_NEW 126
-# define CT_F_SCT_NEW 100
-# define CT_F_SCT_NEW_FROM_BASE64 127
-# define CT_F_SCT_SET0_LOG_ID 101
-# define CT_F_SCT_SET1_EXTENSIONS 114
-# define CT_F_SCT_SET1_LOG_ID 115
-# define CT_F_SCT_SET1_SIGNATURE 116
-# define CT_F_SCT_SET_LOG_ENTRY_TYPE 102
-# define CT_F_SCT_SET_SIGNATURE_NID 103
-# define CT_F_SCT_SET_VERSION 104
-# define CT_F_SCT_CTX_VERIFY 128
-
-/* Reason codes. */
-# define CT_R_BASE64_DECODE_ERROR 108
-# define CT_R_INVALID_LOG_ID_LENGTH 100
-# define CT_R_LOG_CONF_INVALID 109
-# define CT_R_LOG_CONF_INVALID_KEY 110
-# define CT_R_LOG_CONF_MISSING_DESCRIPTION 111
-# define CT_R_LOG_CONF_MISSING_KEY 112
-# define CT_R_LOG_KEY_INVALID 113
-# define CT_R_SCT_INVALID 104
-# define CT_R_SCT_INVALID_SIGNATURE 107
-# define CT_R_SCT_LIST_INVALID 105
-# define CT_R_SCT_LOG_ID_MISMATCH 114
-# define CT_R_SCT_NOT_SET 106
-# define CT_R_SCT_UNSUPPORTED_VERSION 115
-# define CT_R_UNRECOGNIZED_SIGNATURE_NID 101
-# define CT_R_UNSUPPORTED_ENTRY_TYPE 102
-# define CT_R_UNSUPPORTED_VERSION 103
-
# ifdef __cplusplus
}
# endif
projects / openssl.git / blobdiff