ct.h source code [include/openssl/ct.h]

1	/*
2	* WARNING: do not edit!
3	* Generated by Makefile from ../include/openssl/ct.h.in
4	*
5	* Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
6	*
7	* Licensed under the Apache License 2.0 (the "License"). You may not use
8	* this file except in compliance with the License. You can obtain a copy
9	* in the file LICENSE in the source distribution or at
10	* https://www.openssl.org/source/license.html
11	*/
12
13
14
15	#ifndef OPENSSL_CT_H
16	# define OPENSSL_CT_H
17	# pragma once
18
19	# include <openssl/macros.h>
20	# ifndef OPENSSL_NO_DEPRECATED_3_0
21	# define HEADER_CT_H
22	# endif
23
24	# include <openssl/opensslconf.h>
25
26	# ifndef OPENSSL_NO_CT
27	# include <openssl/types.h>
28	# include <openssl/safestack.h>
29	# include <openssl/x509.h>
30	# include <openssl/cterr.h>
31	# ifdef __cplusplus
32	extern "C" {
33	# endif
34
35
36	/ Minimum RSA key size, from RFC6962 /
37	# define SCT_MIN_RSA_BITS 2048
38
39	/ All hashes are SHA256 in v1 of Certificate Transparency /
40	# define CT_V1_HASHLEN SHA256_DIGEST_LENGTH
41
42	SKM_DEFINE_STACK_OF_INTERNAL(SCT, SCT, SCT)
43	#define sk_SCT_num(sk) OPENSSL_sk_num(ossl_check_const_SCT_sk_type(sk))
44	#define sk_SCT_value(sk, idx) ((SCT *)OPENSSL_sk_value(ossl_check_const_SCT_sk_type(sk), (idx)))
45	#define sk_SCT_new(cmp) ((STACK_OF(SCT) *)OPENSSL_sk_new(ossl_check_SCT_compfunc_type(cmp)))
46	#define sk_SCT_new_null() ((STACK_OF(SCT) *)OPENSSL_sk_new_null())
47	#define sk_SCT_new_reserve(cmp, n) ((STACK_OF(SCT) *)OPENSSL_sk_new_reserve(ossl_check_SCT_compfunc_type(cmp), (n)))
48	#define sk_SCT_reserve(sk, n) OPENSSL_sk_reserve(ossl_check_SCT_sk_type(sk), (n))
49	#define sk_SCT_free(sk) OPENSSL_sk_free(ossl_check_SCT_sk_type(sk))
50	#define sk_SCT_zero(sk) OPENSSL_sk_zero(ossl_check_SCT_sk_type(sk))
51	#define sk_SCT_delete(sk, i) ((SCT *)OPENSSL_sk_delete(ossl_check_SCT_sk_type(sk), (i)))
52	#define sk_SCT_delete_ptr(sk, ptr) ((SCT *)OPENSSL_sk_delete_ptr(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr)))
53	#define sk_SCT_push(sk, ptr) OPENSSL_sk_push(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr))
54	#define sk_SCT_unshift(sk, ptr) OPENSSL_sk_unshift(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr))
55	#define sk_SCT_pop(sk) ((SCT *)OPENSSL_sk_pop(ossl_check_SCT_sk_type(sk)))
56	#define sk_SCT_shift(sk) ((SCT *)OPENSSL_sk_shift(ossl_check_SCT_sk_type(sk)))
57	#define sk_SCT_pop_free(sk, freefunc) OPENSSL_sk_pop_free(ossl_check_SCT_sk_type(sk),ossl_check_SCT_freefunc_type(freefunc))
58	#define sk_SCT_insert(sk, ptr, idx) OPENSSL_sk_insert(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr), (idx))
59	#define sk_SCT_set(sk, idx, ptr) ((SCT *)OPENSSL_sk_set(ossl_check_SCT_sk_type(sk), (idx), ossl_check_SCT_type(ptr)))
60	#define sk_SCT_find(sk, ptr) OPENSSL_sk_find(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr))
61	#define sk_SCT_find_ex(sk, ptr) OPENSSL_sk_find_ex(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr))
62	#define sk_SCT_find_all(sk, ptr, pnum) OPENSSL_sk_find_all(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr), pnum)
63	#define sk_SCT_sort(sk) OPENSSL_sk_sort(ossl_check_SCT_sk_type(sk))
64	#define sk_SCT_is_sorted(sk) OPENSSL_sk_is_sorted(ossl_check_const_SCT_sk_type(sk))
65	#define sk_SCT_dup(sk) ((STACK_OF(SCT) *)OPENSSL_sk_dup(ossl_check_const_SCT_sk_type(sk)))
66	#define sk_SCT_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(SCT) *)OPENSSL_sk_deep_copy(ossl_check_const_SCT_sk_type(sk), ossl_check_SCT_copyfunc_type(copyfunc), ossl_check_SCT_freefunc_type(freefunc)))
67	#define sk_SCT_set_cmp_func(sk, cmp) ((sk_SCT_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_SCT_sk_type(sk), ossl_check_SCT_compfunc_type(cmp)))
68	SKM_DEFINE_STACK_OF_INTERNAL(CTLOG, CTLOG, CTLOG)
69	#define sk_CTLOG_num(sk) OPENSSL_sk_num(ossl_check_const_CTLOG_sk_type(sk))
70	#define sk_CTLOG_value(sk, idx) ((CTLOG *)OPENSSL_sk_value(ossl_check_const_CTLOG_sk_type(sk), (idx)))
71	#define sk_CTLOG_new(cmp) ((STACK_OF(CTLOG) *)OPENSSL_sk_new(ossl_check_CTLOG_compfunc_type(cmp)))
72	#define sk_CTLOG_new_null() ((STACK_OF(CTLOG) *)OPENSSL_sk_new_null())
73	#define sk_CTLOG_new_reserve(cmp, n) ((STACK_OF(CTLOG) *)OPENSSL_sk_new_reserve(ossl_check_CTLOG_compfunc_type(cmp), (n)))
74	#define sk_CTLOG_reserve(sk, n) OPENSSL_sk_reserve(ossl_check_CTLOG_sk_type(sk), (n))
75	#define sk_CTLOG_free(sk) OPENSSL_sk_free(ossl_check_CTLOG_sk_type(sk))
76	#define sk_CTLOG_zero(sk) OPENSSL_sk_zero(ossl_check_CTLOG_sk_type(sk))
77	#define sk_CTLOG_delete(sk, i) ((CTLOG *)OPENSSL_sk_delete(ossl_check_CTLOG_sk_type(sk), (i)))
78	#define sk_CTLOG_delete_ptr(sk, ptr) ((CTLOG *)OPENSSL_sk_delete_ptr(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr)))
79	#define sk_CTLOG_push(sk, ptr) OPENSSL_sk_push(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr))
80	#define sk_CTLOG_unshift(sk, ptr) OPENSSL_sk_unshift(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr))
81	#define sk_CTLOG_pop(sk) ((CTLOG *)OPENSSL_sk_pop(ossl_check_CTLOG_sk_type(sk)))
82	#define sk_CTLOG_shift(sk) ((CTLOG *)OPENSSL_sk_shift(ossl_check_CTLOG_sk_type(sk)))
83	#define sk_CTLOG_pop_free(sk, freefunc) OPENSSL_sk_pop_free(ossl_check_CTLOG_sk_type(sk),ossl_check_CTLOG_freefunc_type(freefunc))
84	#define sk_CTLOG_insert(sk, ptr, idx) OPENSSL_sk_insert(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr), (idx))
85	#define sk_CTLOG_set(sk, idx, ptr) ((CTLOG *)OPENSSL_sk_set(ossl_check_CTLOG_sk_type(sk), (idx), ossl_check_CTLOG_type(ptr)))
86	#define sk_CTLOG_find(sk, ptr) OPENSSL_sk_find(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr))
87	#define sk_CTLOG_find_ex(sk, ptr) OPENSSL_sk_find_ex(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr))
88	#define sk_CTLOG_find_all(sk, ptr, pnum) OPENSSL_sk_find_all(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr), pnum)
89	#define sk_CTLOG_sort(sk) OPENSSL_sk_sort(ossl_check_CTLOG_sk_type(sk))
90	#define sk_CTLOG_is_sorted(sk) OPENSSL_sk_is_sorted(ossl_check_const_CTLOG_sk_type(sk))
91	#define sk_CTLOG_dup(sk) ((STACK_OF(CTLOG) *)OPENSSL_sk_dup(ossl_check_const_CTLOG_sk_type(sk)))
92	#define sk_CTLOG_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(CTLOG) *)OPENSSL_sk_deep_copy(ossl_check_const_CTLOG_sk_type(sk), ossl_check_CTLOG_copyfunc_type(copyfunc), ossl_check_CTLOG_freefunc_type(freefunc)))
93	#define sk_CTLOG_set_cmp_func(sk, cmp) ((sk_CTLOG_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_compfunc_type(cmp)))
94
95
96
97	typedef enum {
98	CT_LOG_ENTRY_TYPE_NOT_SET = -`1`,
99	CT_LOG_ENTRY_TYPE_X509 = `0`,
100	CT_LOG_ENTRY_TYPE_PRECERT = `1`
101	} ct_log_entry_type_t;
102
103	typedef enum {
104	SCT_VERSION_NOT_SET = -`1`,
105	SCT_VERSION_V1 = `0`
106	} sct_version_t;
107
108	typedef enum {
109	SCT_SOURCE_UNKNOWN,
110	SCT_SOURCE_TLS_EXTENSION,
111	SCT_SOURCE_X509V3_EXTENSION,
112	SCT_SOURCE_OCSP_STAPLED_RESPONSE
113	} sct_source_t;
114
115	typedef enum {
116	SCT_VALIDATION_STATUS_NOT_SET,
117	SCT_VALIDATION_STATUS_UNKNOWN_LOG,
118	SCT_VALIDATION_STATUS_VALID,
119	SCT_VALIDATION_STATUS_INVALID,
120	SCT_VALIDATION_STATUS_UNVERIFIED,
121	SCT_VALIDATION_STATUS_UNKNOWN_VERSION
122	} sct_validation_status_t;
123
124	/******************************************
125	* CT policy evaluation context functions *
126	******************************************/
127
128	/*
129	* Creates a new, empty policy evaluation context associated with the given
130	* library context and property query string.
131	* The caller is responsible for calling CT_POLICY_EVAL_CTX_free when finished
132	* with the CT_POLICY_EVAL_CTX.
133	*/
134	CT_POLICY_EVAL_CTX CT_POLICY_EVAL_CTX_new_ex(OSSL_LIB_CTX libctx,
135	const char *propq);
136
137	/*
138	* The same as CT_POLICY_EVAL_CTX_new_ex() but the default library
139	* context and property query string is used.
140	*/
141	CT_POLICY_EVAL_CTX CT_POLICY_EVAL_CTX_new(void*);
142
143	/ Deletes a policy evaluation context and anything it owns. /
144	void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx);
145
146	/ Gets the peer certificate that the SCTs are for /
147	X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
148
149	/*
150	* Sets the certificate associated with the received SCTs.
151	* Increments the reference count of cert.
152	* Returns 1 on success, 0 otherwise.
153	*/
154	int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX ctx, X509 cert);
155
156	/ Gets the issuer of the aforementioned certificate /
157	X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx);
158
159	/*
160	* Sets the issuer of the certificate associated with the received SCTs.
161	* Increments the reference count of issuer.
162	* Returns 1 on success, 0 otherwise.
163	*/
164	int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX ctx, X509 issuer);
165
166	/ Gets the CT logs that are trusted sources of SCTs /
167	const CTLOG_STORE CT_POLICY_EVAL_CTX_get0_log_store(const* CT_POLICY_EVAL_CTX *ctx);
168
169	/ Sets the log store that is in use. It must outlive the CT_POLICY_EVAL_CTX. /
170	void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx,
171	CTLOG_STORE *log_store);
172
173	/*
174	* Gets the time, in milliseconds since the Unix epoch, that will be used as the
175	* current time when checking whether an SCT was issued in the future.
176	* Such SCTs will fail validation, as required by RFC6962.
177	*/
178	uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx);
179
180	/*
181	* Sets the time to evaluate SCTs against, in milliseconds since the Unix epoch.
182	* If an SCT's timestamp is after this time, it will be interpreted as having
183	* been issued in the future. RFC6962 states that "TLS clients MUST reject SCTs
184	* whose timestamp is in the future", so an SCT will not validate in this case.
185	*/
186	void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms);
187
188	/*****************
189	* SCT functions *
190	*****************/
191
192	/*
193	* Creates a new, blank SCT.
194	* The caller is responsible for calling SCT_free when finished with the SCT.
195	*/
196	SCT SCT_new(void*);
197
198	/*
199	* Creates a new SCT from some base64-encoded strings.
200	* The caller is responsible for calling SCT_free when finished with the SCT.
201	*/
202	SCT SCT_new_from_base64(unsigned* char version,
203	const char *logid_base64,
204	ct_log_entry_type_t entry_type,
205	uint64_t timestamp,
206	const char *extensions_base64,
207	const char *signature_base64);
208
209	/*
210	* Frees the SCT and the underlying data structures.
211	*/
212	void SCT_free(SCT *sct);
213
214	/*
215	* Free a stack of SCTs, and the underlying SCTs themselves.
216	* Intended to be compatible with X509V3_EXT_FREE.
217	*/
218	void SCT_LIST_free(STACK_OF(SCT) *a);
219
220	/*
221	* Returns the version of the SCT.
222	*/
223	sct_version_t SCT_get_version(const SCT *sct);
224
225	/*
226	* Set the version of an SCT.
227	* Returns 1 on success, 0 if the version is unrecognized.
228	*/
229	__owur int SCT_set_version(SCT *sct, sct_version_t version);
230
231	/*
232	* Returns the log entry type of the SCT.
233	*/
234	ct_log_entry_type_t SCT_get_log_entry_type(const SCT *sct);
235
236	/*
237	* Set the log entry type of an SCT.
238	* Returns 1 on success, 0 otherwise.
239	*/
240	__owur int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type);
241
242	/*
243	* Gets the ID of the log that an SCT came from.
244	* Ownership of the log ID remains with the SCT.
245	* Returns the length of the log ID.
246	*/
247	size_t SCT_get0_log_id(const SCT sct, unsigned* char **log_id);
248
249	/*
250	* Set the log ID of an SCT to point directly to the *log_id specified.
251	* The SCT takes ownership of the specified pointer.
252	* Returns 1 on success, 0 otherwise.
253	*/
254	__owur int SCT_set0_log_id(SCT sct, unsigned* char *log_id, size_t log_id_len);
255
256	/*
257	* Set the log ID of an SCT.
258	* This makes a copy of the log_id.
259	* Returns 1 on success, 0 otherwise.
260	*/
261	__owur int SCT_set1_log_id(SCT sct, const* unsigned char *log_id,
262	size_t log_id_len);
263
264	/*
265	* Returns the timestamp for the SCT (epoch time in milliseconds).
266	*/
267	uint64_t SCT_get_timestamp(const SCT *sct);
268
269	/*
270	* Set the timestamp of an SCT (epoch time in milliseconds).
271	*/
272	void SCT_set_timestamp(SCT *sct, uint64_t timestamp);
273
274	/*
275	* Return the NID for the signature used by the SCT.
276	* For CT v1, this will be either NID_sha256WithRSAEncryption or
277	* NID_ecdsa_with_SHA256 (or NID_undef if incorrect/unset).
278	*/
279	int SCT_get_signature_nid(const SCT *sct);
280
281	/*
282	* Set the signature type of an SCT
283	* For CT v1, this should be either NID_sha256WithRSAEncryption or
284	* NID_ecdsa_with_SHA256.
285	* Returns 1 on success, 0 otherwise.
286	*/
287	__owur int SCT_set_signature_nid(SCT sct, int* nid);
288
289	/*
290	* Set *ext to point to the extension data for the SCT. ext must not be NULL.
291	* The SCT retains ownership of this pointer.
292	* Returns length of the data pointed to.
293	*/
294	size_t SCT_get0_extensions(const SCT sct, unsigned* char **ext);
295
296	/*
297	* Set the extensions of an SCT to point directly to the *ext specified.
298	* The SCT takes ownership of the specified pointer.
299	*/
300	void SCT_set0_extensions(SCT sct, unsigned* char *ext, size_t ext_len);
301
302	/*
303	* Set the extensions of an SCT.
304	* This takes a copy of the ext.
305	* Returns 1 on success, 0 otherwise.
306	*/
307	__owur int SCT_set1_extensions(SCT sct, const* unsigned char *ext,
308	size_t ext_len);
309
310	/*
311	* Set *sig to point to the signature for the SCT. sig must not be NULL.
312	* The SCT retains ownership of this pointer.
313	* Returns length of the data pointed to.
314	*/
315	size_t SCT_get0_signature(const SCT sct, unsigned* char **sig);
316
317	/*
318	* Set the signature of an SCT to point directly to the *sig specified.
319	* The SCT takes ownership of the specified pointer.
320	*/
321	void SCT_set0_signature(SCT sct, unsigned* char *sig, size_t sig_len);
322
323	/*
324	* Set the signature of an SCT to be a copy of the *sig specified.
325	* Returns 1 on success, 0 otherwise.
326	*/
327	__owur int SCT_set1_signature(SCT sct, const* unsigned char *sig,
328	size_t sig_len);
329
330	/*
331	* The origin of this SCT, e.g. TLS extension, OCSP response, etc.
332	*/
333	sct_source_t SCT_get_source(const SCT *sct);
334
335	/*
336	* Set the origin of this SCT, e.g. TLS extension, OCSP response, etc.
337	* Returns 1 on success, 0 otherwise.
338	*/
339	__owur int SCT_set_source(SCT *sct, sct_source_t source);
340
341	/*
342	* Returns a text string describing the validation status of \|sct\|.
343	*/
344	const char SCT_validation_status_string(const* SCT *sct);
345
346	/*
347	* Pretty-prints an \|sct\| to \|out\|.
348	* It will be indented by the number of spaces specified by \|indent\|.
349	* If \|logs\| is not NULL, it will be used to lookup the CT log that the SCT came
350	* from, so that the log name can be printed.
351	*/
352	void SCT_print(const SCT sct, BIO out, int indent, const CTLOG_STORE *logs);
353
354	/*
355	* Pretty-prints an \|sct_list\| to \|out\|.
356	* It will be indented by the number of spaces specified by \|indent\|.
357	* SCTs will be delimited by \|separator\|.
358	* If \|logs\| is not NULL, it will be used to lookup the CT log that each SCT
359	* came from, so that the log names can be printed.
360	*/
361	void SCT_LIST_print(const STACK_OF(SCT) sct_list, BIO out, int indent,
362	const char separator, const* CTLOG_STORE *logs);
363
364	/*
365	* Gets the last result of validating this SCT.
366	* If it has not been validated yet, returns SCT_VALIDATION_STATUS_NOT_SET.
367	*/
368	sct_validation_status_t SCT_get_validation_status(const SCT *sct);
369
370	/*
371	* Validates the given SCT with the provided context.
372	* Sets the "validation_status" field of the SCT.
373	* Returns 1 if the SCT is valid and the signature verifies.
374	* Returns 0 if the SCT is invalid or could not be verified.
375	* Returns -1 if an error occurs.
376	*/
377	__owur int SCT_validate(SCT sct, const* CT_POLICY_EVAL_CTX *ctx);
378
379	/*
380	* Validates the given list of SCTs with the provided context.
381	* Sets the "validation_status" field of each SCT.
382	* Returns 1 if there are no invalid SCTs and all signatures verify.
383	* Returns 0 if at least one SCT is invalid or could not be verified.
384	* Returns a negative integer if an error occurs.
385	*/
386	__owur int SCT_LIST_validate(const STACK_OF(SCT) *scts,
387	CT_POLICY_EVAL_CTX *ctx);
388
389
390	/*********************************
391	* SCT parsing and serialization *
392	*********************************/
393
394	/*
395	* Serialize (to TLS format) a stack of SCTs and return the length.
396	* "a" must not be NULL.
397	* If "pp" is NULL, just return the length of what would have been serialized.
398	* If "pp" is not NULL and "*pp" is null, function will allocate a new pointer
399	* for data that caller is responsible for freeing (only if function returns
400	* successfully).
401	* If "pp" is NULL and "*pp" is not NULL, caller is responsible for ensuring
402	* that "*pp" is large enough to accept all of the serialized data.
403	* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
404	* on success.
405	*/
406	__owur int i2o_SCT_LIST(const STACK_OF(SCT) a, unsigned* char **pp);
407
408	/*
409	* Convert TLS format SCT list to a stack of SCTs.
410	* If "a" or "*a" is NULL, a new stack will be created that the caller is
411	* responsible for freeing (by calling SCT_LIST_free).
412	* "*pp" and "pp" must not be NULL.
413	* Upon success, "*pp" will point to after the last bytes read, and a stack
414	* will be returned.
415	* Upon failure, a NULL pointer will be returned, and the position of "*pp" is
416	* not defined.
417	*/
418	STACK_OF(SCT) o2i_SCT_LIST(STACK_OF(SCT) a, const* unsigned char **pp,
419	size_t len);
420
421	/*
422	* Serialize (to DER format) a stack of SCTs and return the length.
423	* "a" must not be NULL.
424	* If "pp" is NULL, just returns the length of what would have been serialized.
425	* If "pp" is not NULL and "*pp" is null, function will allocate a new pointer
426	* for data that caller is responsible for freeing (only if function returns
427	* successfully).
428	* If "pp" is NULL and "*pp" is not NULL, caller is responsible for ensuring
429	* that "*pp" is large enough to accept all of the serialized data.
430	* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
431	* on success.
432	*/
433	__owur int i2d_SCT_LIST(const STACK_OF(SCT) a, unsigned* char **pp);
434
435	/*
436	* Parses an SCT list in DER format and returns it.
437	* If "a" or "*a" is NULL, a new stack will be created that the caller is
438	* responsible for freeing (by calling SCT_LIST_free).
439	* "*pp" and "pp" must not be NULL.
440	* Upon success, "*pp" will point to after the last bytes read, and a stack
441	* will be returned.
442	* Upon failure, a NULL pointer will be returned, and the position of "*pp" is
443	* not defined.
444	*/
445	STACK_OF(SCT) d2i_SCT_LIST(STACK_OF(SCT) a, const* unsigned char **pp,
446	long len);
447
448	/*
449	* Serialize (to TLS format) an \|sct\| and write it to \|out\|.
450	* If \|out\| is null, no SCT will be output but the length will still be returned.
451	* If \|out\| points to a null pointer, a string will be allocated to hold the
452	* TLS-format SCT. It is the responsibility of the caller to free it.
453	* If \|out\| points to an allocated string, the TLS-format SCT will be written
454	* to it.
455	* The length of the SCT in TLS format will be returned.
456	*/
457	__owur int i2o_SCT(const SCT sct, unsigned* char **out);
458
459	/*
460	* Parses an SCT in TLS format and returns it.
461	* If \|psct\| is not null, it will end up pointing to the parsed SCT. If it
462	* already points to a non-null pointer, the pointer will be free'd.
463	* \|in\| should be a pointer to a string containing the TLS-format SCT.
464	* \|in\| will be advanced to the end of the SCT if parsing succeeds.
465	* \|len\| should be the length of the SCT in \|in\|.
466	* Returns NULL if an error occurs.
467	* If the SCT is an unsupported version, only the SCT's 'sct' and 'sct_len'
468	* fields will be populated (with \|in\| and \|len\| respectively).
469	*/
470	SCT o2i_SCT(SCT psct, const* unsigned char **in, size_t len);
471
472	/********************
473	* CT log functions *
474	********************/
475
476	/*
477	* Creates a new CT log instance with the given \|public_key\| and \|name\| and
478	* associates it with the give library context \|libctx\| and property query
479	* string \|propq\|.
480	* Takes ownership of \|public_key\| but copies \|name\|.
481	* Returns NULL if malloc fails or if \|public_key\| cannot be converted to DER.
482	* Should be deleted by the caller using CTLOG_free when no longer needed.
483	*/
484	CTLOG CTLOG_new_ex(EVP_PKEY public_key, const char name, OSSL_LIB_CTX libctx,
485	const char *propq);
486
487	/*
488	* The same as CTLOG_new_ex except that the default library context and
489	* property query string are used.
490	*/
491	CTLOG CTLOG_new(EVP_PKEY public_key, const char *name);
492
493	/*
494	* Creates a new CTLOG instance with the base64-encoded SubjectPublicKeyInfo DER
495	* in \|pkey_base64\| and associated with the given library context \|libctx\| and
496	* property query string \|propq\|. The \|name\| is a string to help users identify
497	* this log.
498	* Returns 1 on success, 0 on failure.
499	* Should be deleted by the caller using CTLOG_free when no longer needed.
500	*/
501	int CTLOG_new_from_base64_ex(CTLOG *ct_log, const* char *pkey_base64,
502	const char name, OSSL_LIB_CTX libctx,
503	const char *propq);
504
505	/*
506	* The same as CTLOG_new_from_base64_ex() except that the default
507	* library context and property query string are used.
508	* Returns 1 on success, 0 on failure.
509	*/
510	int CTLOG_new_from_base64(CTLOG ** ct_log,
511	const char pkey_base64, const* char *name);
512
513	/*
514	* Deletes a CT log instance and its fields.
515	*/
516	void CTLOG_free(CTLOG *log);
517
518	/ Gets the name of the CT log /
519	const char CTLOG_get0_name(const* CTLOG *log);
520	/ Gets the ID of the CT log /
521	void CTLOG_get0_log_id(const CTLOG log, const* uint8_t **log_id,
522	size_t *log_id_len);
523	/ Gets the public key of the CT log /
524	EVP_PKEY CTLOG_get0_public_key(const* CTLOG *log);
525
526	/**************************
527	* CT log store functions *
528	**************************/
529
530	/*
531	* Creates a new CT log store and associates it with the given libctx and
532	* property query string.
533	* Should be deleted by the caller using CTLOG_STORE_free when no longer needed.
534	*/
535	CTLOG_STORE CTLOG_STORE_new_ex(OSSL_LIB_CTX libctx, const char *propq);
536
537	/*
538	* Same as CTLOG_STORE_new_ex except that the default libctx and
539	* property query string are used.
540	* Should be deleted by the caller using CTLOG_STORE_free when no longer needed.
541	*/
542	CTLOG_STORE CTLOG_STORE_new(void*);
543
544	/*
545	* Deletes a CT log store and all of the CT log instances held within.
546	*/
547	void CTLOG_STORE_free(CTLOG_STORE *store);
548
549	/*
550	* Finds a CT log in the store based on its log ID.
551	* Returns the CT log, or NULL if no match is found.
552	*/
553	const CTLOG CTLOG_STORE_get0_log_by_id(const* CTLOG_STORE *store,
554	const uint8_t *log_id,
555	size_t log_id_len);
556
557	/*
558	* Loads a CT log list into a \|store\| from a \|file\|.
559	* Returns 1 if loading is successful, or 0 otherwise.
560	*/
561	__owur int CTLOG_STORE_load_file(CTLOG_STORE store, const* char *file);
562
563	/*
564	* Loads the default CT log list into a \|store\|.
565	* Returns 1 if loading is successful, or 0 otherwise.
566	*/
567	__owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
568
569	# ifdef __cplusplus
570	}
571	# endif
572	# endif
573	#endif
574

source code of include/openssl/ct.h