Improved documentation of SCT_CTX_* functions
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
parent
e5a7ac446b
commit
98af731064
2 changed files with 29 additions and 15 deletions
|
@ -168,14 +168,18 @@ SCT_CTX *SCT_CTX_new(void);
|
|||
void SCT_CTX_free(SCT_CTX *sctx);
|
||||
|
||||
/*
|
||||
* Sets the certificate that the SCT is being verified against.
|
||||
* This will fail if the certificate is invalid.
|
||||
* Sets the certificate that the SCT was created for.
|
||||
* If *cert does not have a poison extension, presigner must be NULL.
|
||||
* If *cert does not have a poison extension, it may have a single SCT
|
||||
* (NID_ct_precert_scts) extension.
|
||||
* If either *cert or *presigner have an AKID (NID_authority_key_identifier)
|
||||
* extension, both must have one.
|
||||
* Returns 1 on success, 0 on failure.
|
||||
*/
|
||||
__owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
|
||||
|
||||
/*
|
||||
* Sets the issuer of the certificate that the SCT is being verified against.
|
||||
* Sets the issuer of the certificate that the SCT was created for.
|
||||
* This is just a convenience method to save extracting the public key and
|
||||
* calling SCT_CTX_set1_issuer_pubkey().
|
||||
* Issuer must not be NULL.
|
||||
|
@ -184,8 +188,8 @@ __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
|
|||
__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
|
||||
|
||||
/*
|
||||
* Sets the public key of the issuer of the certificate that the SCT is being
|
||||
* verified against.
|
||||
* Sets the public key of the issuer of the certificate that the SCT was created
|
||||
* for.
|
||||
* The public key must not be NULL.
|
||||
* Returns 1 on success, 0 on failure.
|
||||
*/
|
||||
|
|
|
@ -164,13 +164,13 @@ int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner)
|
|||
int poison_ext_is_dup, sct_ext_is_dup;
|
||||
int poison_idx = ct_x509_get_ext(cert, NID_ct_precert_poison, &poison_ext_is_dup);
|
||||
|
||||
/* Duplicate poison */
|
||||
/* Duplicate poison extensions are present - error */
|
||||
if (poison_ext_is_dup)
|
||||
goto err;
|
||||
|
||||
/* If no poison extension, store encoding */
|
||||
/* If *cert doesn't have a poison extension, it isn't a precert */
|
||||
if (poison_idx == -1) {
|
||||
/* presigner must have poison */
|
||||
/* cert isn't a precert, so we shouldn't have a presigner */
|
||||
if (presigner != NULL)
|
||||
goto err;
|
||||
|
||||
|
@ -179,20 +179,30 @@ int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner)
|
|||
goto err;
|
||||
}
|
||||
|
||||
/* See if have precert scts extension */
|
||||
/* See if cert has a precert SCTs extension */
|
||||
idx = ct_x509_get_ext(cert, NID_ct_precert_scts, &sct_ext_is_dup);
|
||||
/* Duplicate scts */
|
||||
/* Duplicate SCT extensions are present - error */
|
||||
if (sct_ext_is_dup)
|
||||
goto err;
|
||||
|
||||
if (idx >= 0) {
|
||||
/* Can't have both poison and scts */
|
||||
if (poison_idx >= 0)
|
||||
if (idx >= 0 && poison_idx >= 0) {
|
||||
/*
|
||||
* cert can't both contain SCTs (i.e. have an SCT extension) and be a
|
||||
* precert (i.e. have a poison extension).
|
||||
*/
|
||||
goto err;
|
||||
} else {
|
||||
}
|
||||
|
||||
if (idx == -1) {
|
||||
idx = poison_idx;
|
||||
}
|
||||
|
||||
/*
|
||||
* If either a poison or SCT extension is present, remove it before encoding
|
||||
* cert. This, along with ct_x509_cert_fixup(), gets a TBSCertificate (see
|
||||
* RFC5280) from cert, which is what the CT log signed when it produced the
|
||||
* SCT.
|
||||
*/
|
||||
if (idx >= 0) {
|
||||
X509_EXTENSION *ext;
|
||||
|
||||
|
|
Loading…
Reference in a new issue