*/
void SCT_CTX_free(SCT_CTX *sctx);
-/* Sets the certificate that the SCT is related to */
-int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
-/* Sets the issuer of the certificate that the SCT is related to */
-int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
-/* Sets the public key of the issuer of the certificate that the SCT relates to */
-int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
-/* Sets the public key of the CT log that the SCT is from */
-int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+/*
+ * Sets the certificate that the SCT is being verified against.
+ * This will fail if the certificate is invalid.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
+
+/*
+ * Sets the issuer of the certificate that the SCT is being verified against.
+ * This is just a convenience method to save extracting the public key and
+ * calling SCT_CTX_set1_issuer_pubkey().
+ * Issuer must not be NULL.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
+
+/*
+ * Sets the public key of the issuer of the certificate that the SCT is being
+ * verified against.
+ * The public key must not be NULL.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+
+/*
+ * Sets the public key of the CT log that the SCT is from.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
/*
* Does this SCT have the minimum fields populated to be usuable?
* Returns 1 if so, 0 otherwise.
*/
-int SCT_is_complete(const SCT *sct);
+__owur int SCT_is_complete(const SCT *sct);
/*
* Does this SCT have the signature-related fields populated?
* This checks that the signature and hash algorithms are set to supported
* values and that the signature field is set.
*/
-int SCT_signature_is_complete(const SCT *sct);
+__owur int SCT_signature_is_complete(const SCT *sct);
* Set the version of an SCT.
* Returns 1 on success, 0 if the version is unrecognized.
*/
-int SCT_set_version(SCT *sct, sct_version_t version);
+__owur int SCT_set_version(SCT *sct, sct_version_t version);
/*
* Returns the log entry type of the SCT.
/*
* Set the log entry type of an SCT.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type);
+__owur int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type);
/*
* Gets the ID of the log that an SCT came from.
/*
* Set the log ID of an SCT to point directly to the *log_id specified.
* The SCT takes ownership of the specified pointer.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
+__owur int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
/*
* Set the log ID of an SCT.
* This makes a copy of the log_id.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len);
+__owur int SCT_set1_log_id(SCT *sct, const unsigned char *log_id,
+ size_t log_id_len);
/*
* Gets the name of the log that an SCT came from.
* Set the signature type of an SCT
* For CT v1, this should be either NID_sha256WithRSAEncryption or
* NID_ecdsa_with_SHA256.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set_signature_nid(SCT *sct, int nid);
+__owur int SCT_set_signature_nid(SCT *sct, int nid);
/*
* Set *ext to point to the extension data for the SCT. ext must not be NULL.
/*
* Set the extensions of an SCT.
* This takes a copy of the ext.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len);
+__owur int SCT_set1_extensions(SCT *sct, const unsigned char *ext,
+ size_t ext_len);
/*
* Set *sig to point to the signature for the SCT. sig must not be NULL.
/*
* Set the signature of an SCT to be a copy of the *sig specified.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len);
+__owur int SCT_set1_signature(SCT *sct, const unsigned char *sig,
+ size_t sig_len);
/*
* The origin of this SCT, e.g. TLS extension, OCSP response, etc.
* Set the origin of this SCT, e.g. TLS extension, OCSP response, etc.
* Returns 1 on success, 0 otherwise.
*/
-int SCT_set_source(SCT *sct, sct_source_t source);
+__owur int SCT_set_source(SCT *sct, sct_source_t source);
/*
* Sets the source of all of the SCTs to the same value.
* Returns the number of SCTs whose source was set successfully.
*/
-int SCT_LIST_set_source(const STACK_OF(SCT) *scts, sct_source_t source);
+__owur int SCT_LIST_set_source(const STACK_OF(SCT) *scts, sct_source_t source);
/*
* Gets information about the log the SCT came from, if set.
* Returns 1 if the SCT verifies successfully, 0 if it cannot be verified and a
* negative integer if an error occurs.
*/
-int SCT_verify(const SCT_CTX *sctx, const SCT *sct);
+__owur int SCT_verify(const SCT_CTX *sctx, const SCT *sct);
/*
* Verifies an SCT against the provided data.
* Returns 1 if the SCT verifies successfully, 0 if it cannot be verified and a
* negative integer if an error occurs.
*/
-int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
+__owur int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
X509_PUBKEY *log_pubkey, X509 *issuer_cert);
/*
* Returns 0 if the SCT is invalid or could not be verified.
* Returns -1 if an error occurs.
*/
-int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
+__owur int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
/*
* Validates the given list of SCTs with the provided context.
* Returns 0 if at least one SCT is invalid or could not be verified.
* Returns a negative integer if an error occurs.
*/
-int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx);
+__owur int SCT_LIST_validate(const STACK_OF(SCT) *scts,
+ CT_POLICY_EVAL_CTX *ctx);
/*********************************
* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
* on success.
*/
-int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
+__owur int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
/*
* Convert TLS format SCT list to a stack of SCTs.
* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
* on success.
*/
-int i2d_SCT_LIST(STACK_OF(SCT) *a, unsigned char **pp);
+__owur int i2d_SCT_LIST(STACK_OF(SCT) *a, unsigned char **pp);
/*
* Parses an SCT list in DER format and returns it.
* to it.
* The length of the SCT in TLS format will be returned.
*/
-int i2o_SCT(const SCT *sct, unsigned char **out);
+__owur int i2o_SCT(const SCT *sct, unsigned char **out);
/*
* Parses an SCT in TLS format and returns it.
* If |out| points to an allocated string, the signature will be written to it.
* The length of the signature in TLS format will be returned.
*/
-int i2o_SCT_signature(const SCT *sct, unsigned char **out);
+__owur int i2o_SCT_signature(const SCT *sct, unsigned char **out);
/*
* Parses an SCT signature in TLS format and populates the |sct| with it.
* |len| should be the length of the signature in |in|.
* Returns the number of bytes parsed, or a negative integer if an error occurs.
*/
-int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len);
+__owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len);
/********************
* CT log functions *
* Loads a CT log list into a |store| from a |file|.
* Returns 1 if loading is successful, or 0 otherwise.
*/
-int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
+__owur int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
/*
* Loads the default CT log list into a |store|.
* consulted to find the default file.
* Returns 1 if loading is successful, or 0 otherwise.
*/
-int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
+__owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
/* BEGIN ERROR CODES */
/*
if (fixture.test_validity) {
int are_scts_validated = 0;
scts = X509V3_EXT_d2i(sct_extension);
- SCT_LIST_set_source(scts, SCT_SOURCE_X509V3_EXTENSION);
+ if (SCT_LIST_set_source(scts, SCT_SOURCE_X509V3_EXTENSION) !=
+ sk_SCT_num(scts)) {
+ fprintf(stderr,
+ "Error setting SCT source to X509v3 extension\n");
+ test_failed = 1;
+ }
are_scts_validated = SCT_LIST_validate(scts, ct_policy_ctx);
if (are_scts_validated < 0) {
SETUP_CT_TEST_FIXTURE();
SCT *sct = SCT_new();
- SCT_set_version(sct, 0);
- SCT_set1_log_id(sct, (unsigned char *)
+ if (!SCT_set_version(sct, 0)) {
+ fprintf(stderr, "Failed to set SCT version\n");
+ return 1;
+ }
+ if (!SCT_set1_log_id(sct, (unsigned char *)
"\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
- "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64", 32);
+ "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64", 32)) {
+ fprintf(stderr, "Failed to set SCT log ID\n");
+ return 1;
+ }
SCT_set_timestamp(sct, 1);
- SCT_set1_extensions(sct, (unsigned char *)"", 0);
- SCT_set_signature_nid(sct, NID_ecdsa_with_SHA256);
- SCT_set1_signature(sct, (unsigned char *)
+ if (!SCT_set1_extensions(sct, (unsigned char *)"", 0)) {
+ fprintf(stderr, "Failed to set SCT extensions\n");
+ return 1;
+ }
+ if (!SCT_set_signature_nid(sct, NID_ecdsa_with_SHA256)) {
+ fprintf(stderr, "Failed to set SCT signature NID\n");
+ return 1;
+ }
+ if (!SCT_set1_signature(sct, (unsigned char *)
"\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE"
"\x1F\xD6\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3"
"\xE5\xE2\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5"
"\xE8\xAB\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51"
- "\x9D\x89\xED\xBF\x08", 71);
+ "\x9D\x89\xED\xBF\x08", 71)) {
+ fprintf(stderr, "Failed to set SCT signature\n");
+ return 1;
+ }
fixture.sct = sct;
fixture.sct_dir = ct_dir;
fixture.sct_text_file = "tls1.sct";
projects / openssl.git / commitdiff