Therefore, it is useful to be able to look up more information about a log
(e.g. its public key) using this LogID.
-B<CTLOG_STORE_get0_log_by_id>() provides a way to do this. It will find a CTLOG
+CTLOG_STORE_get0_log_by_id() provides a way to do this. It will find a CTLOG
in a CTLOG_STORE that has a given LogID.
=head1 RETURN VALUES
logs). The list can be loaded from one or more files and then searched by LogID
(see RFC 6962, Section 3.2, for the definition of a LogID).
-B<CTLOG_STORE_new>() creates an empty list of CT logs. This is then populated
-by B<CTLOG_STORE_load_default_file>() or B<CTLOG_STORE_load_file>().
-B<CTLOG_STORE_load_default_file>() loads from the default file, which is named
+CTLOG_STORE_new() creates an empty list of CT logs. This is then populated
+by CTLOG_STORE_load_default_file() or CTLOG_STORE_load_file().
+CTLOG_STORE_load_default_file() loads from the default file, which is named
"ct_log_list.cnf" in the OpenSSL install directory. This can be overridden using
an environment variable named "CTLOG_FILE".
-B<CTLOG_STORE_load_file>() loads from a caller-specified file path instead.
+CTLOG_STORE_load_file() loads from a caller-specified file path instead.
Both of these functions append any loaded CT logs to the CTLOG_STORE.
The expected format of the file is:
key = <base64-encoded public key here>
Once a CTLOG_STORE is no longer required, it should be passed to
-B<CTLOG_STORE_free>(). This will delete all of the CTLOGs stored within, along
+CTLOG_STORE_free(). This will delete all of the CTLOGs stored within, along
with the CTLOG_STORE itself.
=head1 NOTES
The above requirements are met using the setters described below.
-B<CT_POLICY_EVAL_CTX_new>() creates an empty policy evaluation context. This
+CT_POLICY_EVAL_CTX_new() creates an empty policy evaluation context. This
should then be populated using:
=over
-=item * B<CT_POLICY_EVAL_CTX_set0_cert>() to provide the certificate the SCTs were issued for
+=item * CT_POLICY_EVAL_CTX_set0_cert() to provide the certificate the SCTs were issued for
-=item * B<CT_POLICY_EVAL_CTX_set0_issuer>() to provide the issuer certificate
+=item * CT_POLICY_EVAL_CTX_set0_issuer() to provide the issuer certificate
-=item * B<CT_POLICY_EVAL_CTX_set0_log_store>() to provide a list of logs that are trusted as sources of SCTs
+=item * CT_POLICY_EVAL_CTX_set0_log_store() to provide a list of logs that are trusted as sources of SCTs
=back
The getters do not transfer ownership either.
When no longer required, the B<CT_POLICY_EVAL_CTX> should be passed to
-B<CT_POLICY_EVAL_CTX_free>() to delete it.
+CT_POLICY_EVAL_CTX_free() to delete it.
=head1 NOTES
=head1 RETURN VALUES
-B<CT_POLICY_EVAL_CTX_new>() will return NULL if malloc fails.
+CT_POLICY_EVAL_CTX_new() will return NULL if malloc fails.
=head1 SEE ALSO
an SCT, some confidence can be gained that the certificate is publicly known.
An internal representation of an SCT can be created in one of two ways.
-The first option is to create a blank SCT, using B<SCT_new>(), and then populate
+The first option is to create a blank SCT, using SCT_new(), and then populate
it using:
=over
-=item * B<SCT_set_version>() to set the SCT version.
+=item * SCT_set_version() to set the SCT version.
Only SCT_VERSION_V1 is currently supported.
-=item * B<SCT_set_log_entry_type>() to set the type of certificate the SCT was issued for:
+=item * SCT_set_log_entry_type() to set the type of certificate the SCT was issued for:
B<CT_LOG_ENTRY_TYPE_X509> for a normal certificate.
B<CT_LOG_ENTRY_TYPE_PRECERT> for a pre-certificate.
-=item * B<SCT_set0_log_id>() or B<SCT_set1_log_id>() to set the LogID of the CT log that the SCT came from.
+=item * SCT_set0_log_id() or SCT_set1_log_id() to set the LogID of the CT log that the SCT came from.
The former takes ownership, whereas the latter makes a copy.
See RFC 6962, Section 3.2 for the definition of LogID.
-=item * B<SCT_set_timestamp>() to set the time the SCT was issued (epoch time in milliseconds).
+=item * SCT_set_timestamp() to set the time the SCT was issued (epoch time in milliseconds).
-=item * B<SCT_set_signature_nid>() to set the NID of the signature.
+=item * SCT_set_signature_nid() to set the NID of the signature.
-=item * B<SCT_set0_signature>() or B<SCT_set1_signature>() to set the signature itself.
+=item * SCT_set0_signature() or SCT_set1_signature() to set the raw signature value.
The former takes ownership, whereas the latter makes a copy.
-=item * B<SCT_set0_extensions>() or B<SCT_set1_extensions> to provide SCT extensions.
+=item * SCT_set0_extensions() or B<SCT_set1_extensions> to provide SCT extensions.
The former takes ownership, whereas the latter makes a copy.
=back
Alternatively, the SCT can be pre-populated from the following data using
-B<SCT_new_from_base64>():
+SCT_new_from_base64():
=over
=back
-B<SCT_set_source>() can be used to record where the SCT was found
+SCT_set_source() can be used to record where the SCT was found
(TLS extension, X.509 certificate extension or OCSP response). This is not
required for verifying the SCT.
Most of the setters will reset the validation status of the SCT to
SCT_VALIDATION_STATUS_NOT_SET (see L<SCT_verify(3)>).
-B<SCT_set_source>() will call B<SCT_set_log_entry_type>() if the type of
+SCT_set_source() will call SCT_set_log_entry_type() if the type of
certificate the SCT was issued for can be inferred from where the SCT was found.
For example, an SCT found in an X.509 extension must have been issued for a pre-
certificate.
-B<SCT_set_source>() will not refuse unknown values.
+SCT_set_source() will not refuse unknown values.
=head1 RETURN VALUES
-B<SCT_set_version>() returns 1 if the specified version is supported, 0 otherwise.
+SCT_set_version() returns 1 if the specified version is supported, 0 otherwise.
-B<SCT_set_log_entry_type>() returns 1 if the specified log entry type is supported, 0 otherwise.
+SCT_set_log_entry_type() returns 1 if the specified log entry type is supported, 0 otherwise.
-B<SCT_set0_log_id>() and B<SCT_set1_log_id> return 1 if the specified LogID is a
+SCT_set0_log_id() and B<SCT_set1_log_id> return 1 if the specified LogID is a
valid SHA-256 hash, 0 otherwise. Aditionally, B<SCT_set1_log_id> returns 0 if
malloc fails.
=head1 DESCRIPTION
-B<SCT_print> prints a single Signed Certificate Timestamp (SCT) to a L<bio> in
-a human-readable format. B<SCT_LIST_print> prints an entire list of SCTs in a
+SCT_print() prints a single Signed Certificate Timestamp (SCT) to a L<bio> in
+a human-readable format. SCT_LIST_print() prints an entire list of SCTs in a
similar way. A separator can be specified to delimit each SCT in the output.
The output can be indented by a specified number of spaces. If a B<CTLOG_STORE>
as the CTLOG_STORE parameter to disable this feature.
B<SCT_validation_status_string> will return the validation status of an SCT as
-a human-readable string. Call L<SCT_validate> or B<SCT_LIST_validate> beforehand
-in order to set the validation status of an SCT first.
+a human-readable string. Call L<SCT_validate>() or SCT_LIST_validate()
+beforehand in order to set the validation status of an SCT first.
=head1 SEE ALSO
that a certificate has been publicly logged in a set of CT logs.
By default, these checks are disabled. They can be enabled using
-B<SSL_CTX_ct_enable>() or B<SSL_ct_enable>().
+SSL_CTX_ct_enable() or SSL_ct_enable().
This library can also be used to parse and examine CT data structures, such as
Signed Certificate Timestamps (SCTs), or to read a list of CT logs. There are
projects / openssl.git / commitdiff