* ====================================================================
*/
-#ifdef OPENSSL_NO_CT
-# error "CT is disabled"
-#endif
-
#ifndef HEADER_CT_H
# define HEADER_CT_H
+# include <openssl/opensslconf.h>
+
+# ifndef OPENSSL_NO_CT
# include <openssl/ossl_typ.h>
# include <openssl/safestack.h>
# include <openssl/x509.h>
-
# ifdef __cplusplus
extern "C" {
# endif
+
/* Minimum RSA key size, from RFC6962 */
# define SCT_MIN_RSA_BITS 2048
void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx);
/* Gets the peer certificate that the SCTs are for */
-X509* CT_POLICY_EVAL_CTX_get0_cert(CT_POLICY_EVAL_CTX *ctx);
+X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
/* Sets the certificate associated with the received SCTs */
void CT_POLICY_EVAL_CTX_set0_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
/* Gets the issuer of the aforementioned certificate */
-X509* CT_POLICY_EVAL_CTX_get0_issuer(CT_POLICY_EVAL_CTX *ctx);
+X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx);
/* Sets the issuer of the certificate associated with the received SCTs */
void CT_POLICY_EVAL_CTX_set0_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer);
/* Gets the CT logs that are trusted sources of SCTs */
-CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(CT_POLICY_EVAL_CTX *ctx);
+const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx);
/* Sets the log store that is in use */
void CT_POLICY_EVAL_CTX_set0_log_store(CT_POLICY_EVAL_CTX *ctx,
CTLOG_STORE *log_store);
-/*
- * A callback for verifying that the received SCTs are sufficient.
- * Expected to return 1 if they are sufficient, otherwise 0.
- * May return a negative integer if an error occurs.
- * A connection should be aborted if the SCTs are deemed insufficient.
- */
-typedef int(*ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx,
- const STACK_OF(SCT) *scts, void *arg);
-/* Returns 0 if there are invalid SCTs */
-int CT_verify_no_bad_scts(const CT_POLICY_EVAL_CTX *ctx,
- const STACK_OF(SCT) *scts, void *arg);
-/* Returns 0 if there are invalid SCTS or fewer than one valid SCT */
-int CT_verify_at_least_one_good_sct(const CT_POLICY_EVAL_CTX *ctx,
- const STACK_OF(SCT) *scts, void *arg);
-
/*****************
* SCT functions *
*****************/
__owur int SCT_set1_log_id(SCT *sct, const unsigned char *log_id,
size_t log_id_len);
-/*
- * Gets the name of the log that an SCT came from.
- * Ownership of the log name remains with the SCT.
- * Returns the log name, or NULL if it is not known.
- */
-const char *SCT_get0_log_name(const SCT *sct);
-
/*
* Returns the timestamp for the SCT (epoch time in milliseconds).
*/
__owur int SCT_set_source(SCT *sct, sct_source_t source);
/*
- * Sets the source of all of the SCTs to the same value.
- * Returns the number of SCTs whose source was set successfully.
+ * Returns a text string describing the validation status of |sct|.
*/
-__owur int SCT_LIST_set_source(const STACK_OF(SCT) *scts, sct_source_t source);
-
-/*
- * Gets information about the log the SCT came from, if set.
- */
-CTLOG *SCT_get0_log(const SCT *sct);
-
-/*
- * Looks up information about the log the SCT came from using a CT log store.
- * Returns 1 if information about the log is found, 0 otherwise.
- * The information can be accessed via SCT_get0_log.
- */
-int SCT_set0_log(SCT *sct, const CTLOG_STORE* ct_logs);
-
-/*
- * Looks up information about the logs the SCTs came from using a CT log store.
- * Returns the number of SCTs that now have a log set.
- * If any SCTs already have a log set, they will be skipped.
- */
-int SCT_LIST_set0_logs(STACK_OF(SCT) *sct_list, const CTLOG_STORE *ct_logs);
+const char *SCT_validation_status_string(const SCT *sct);
/*
* Pretty-prints an |sct| to |out|.
* It will be indented by the number of spaces specified by |indent|.
+ * If |logs| is not NULL, it will be used to lookup the CT log that the SCT came
+ * from, so that the log name can be printed.
*/
-void SCT_print(const SCT *sct, BIO *out, int indent);
+void SCT_print(const SCT *sct, BIO *out, int indent, const CTLOG_STORE *logs);
/*
* Pretty-prints an |sct_list| to |out|.
* It will be indented by the number of spaces specified by |indent|.
* SCTs will be delimited by |separator|.
+ * If |logs| is not NULL, it will be used to lookup the CT log that each SCT
+ * came from, so that the log names can be printed.
*/
void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
- const char *separator);
+ const char *separator, const CTLOG_STORE *logs);
/*
* Verifies an SCT with the given context.
* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
* on success.
*/
-__owur int i2d_SCT_LIST(STACK_OF(SCT) *a, unsigned char **pp);
+__owur int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
/*
* Parses an SCT list in DER format and returns it.
# define CT_F_CT_POLICY_EVAL_CTX_SET0_ISSUER 135
# define CT_F_CT_POLICY_EVAL_CTX_SET0_LOG_STORE 136
# define CT_F_CT_V1_LOG_ID_FROM_PKEY 125
-# define CT_F_CT_VERIFY_AT_LEAST_ONE_GOOD_SCT 137
-# define CT_F_CT_VERIFY_NO_BAD_SCTS 138
# define CT_F_D2I_SCT_LIST 105
# define CT_F_I2D_SCT_LIST 106
# define CT_F_I2O_SCT 107
# define CT_R_UNSUPPORTED_ENTRY_TYPE 102
# define CT_R_UNSUPPORTED_VERSION 103
-#ifdef __cplusplus
+# ifdef __cplusplus
}
-#endif
+# endif
+# endif
+
#endif