File Coverage

/usr/include/openssl/ct.h

Criterion	Covered	Total	%
statement	0	3	0.0
branch			n/a
condition			n/a
subroutine			n/a
pod			n/a
total	0	3	0.0

line	stmt	code
1		/*
2		* WARNING: do not edit!
3		* Generated by Makefile from ../include/openssl/ct.h.in
4		*
5		* Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
6		*
7		* Licensed under the Apache License 2.0 (the "License"). You may not use
8		* this file except in compliance with the License. You can obtain a copy
9		* in the file LICENSE in the source distribution or at
10		* https://www.openssl.org/source/license.html
11		*/
12
13
14
15		#ifndef OPENSSL_CT_H
16		# define OPENSSL_CT_H
17		# pragma once
18
19		# include
20		# ifndef OPENSSL_NO_DEPRECATED_3_0
21		# define HEADER_CT_H
22		# endif
23
24		# include
25
26		# ifndef OPENSSL_NO_CT
27		# include
28		# include
29		# include
30		# include
31		# ifdef __cplusplus
32		extern "C" {
33		# endif
34
35
36		/* Minimum RSA key size, from RFC6962 */
37		# define SCT_MIN_RSA_BITS 2048
38
39		/* All hashes are SHA256 in v1 of Certificate Transparency */
40		# define CT_V1_HASHLEN SHA256_DIGEST_LENGTH
41
42	0	SKM_DEFINE_STACK_OF_INTERNAL(SCT, SCT, SCT)
	0
	0
43		#define sk_SCT_num(sk) OPENSSL_sk_num(ossl_check_const_SCT_sk_type(sk))
44		#define sk_SCT_value(sk, idx) ((SCT *)OPENSSL_sk_value(ossl_check_const_SCT_sk_type(sk), (idx)))
45		#define sk_SCT_new(cmp) ((STACK_OF(SCT) *)OPENSSL_sk_new(ossl_check_SCT_compfunc_type(cmp)))
46		#define sk_SCT_new_null() ((STACK_OF(SCT) *)OPENSSL_sk_new_null())
47		#define sk_SCT_new_reserve(cmp, n) ((STACK_OF(SCT) *)OPENSSL_sk_new_reserve(ossl_check_SCT_compfunc_type(cmp), (n)))
48		#define sk_SCT_reserve(sk, n) OPENSSL_sk_reserve(ossl_check_SCT_sk_type(sk), (n))
49		#define sk_SCT_free(sk) OPENSSL_sk_free(ossl_check_SCT_sk_type(sk))
50		#define sk_SCT_zero(sk) OPENSSL_sk_zero(ossl_check_SCT_sk_type(sk))
51		#define sk_SCT_delete(sk, i) ((SCT *)OPENSSL_sk_delete(ossl_check_SCT_sk_type(sk), (i)))
52		#define sk_SCT_delete_ptr(sk, ptr) ((SCT *)OPENSSL_sk_delete_ptr(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr)))
53		#define sk_SCT_push(sk, ptr) OPENSSL_sk_push(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr))
54		#define sk_SCT_unshift(sk, ptr) OPENSSL_sk_unshift(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr))
55		#define sk_SCT_pop(sk) ((SCT *)OPENSSL_sk_pop(ossl_check_SCT_sk_type(sk)))
56		#define sk_SCT_shift(sk) ((SCT *)OPENSSL_sk_shift(ossl_check_SCT_sk_type(sk)))
57		#define sk_SCT_pop_free(sk, freefunc) OPENSSL_sk_pop_free(ossl_check_SCT_sk_type(sk),ossl_check_SCT_freefunc_type(freefunc))
58		#define sk_SCT_insert(sk, ptr, idx) OPENSSL_sk_insert(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr), (idx))
59		#define sk_SCT_set(sk, idx, ptr) ((SCT *)OPENSSL_sk_set(ossl_check_SCT_sk_type(sk), (idx), ossl_check_SCT_type(ptr)))
60		#define sk_SCT_find(sk, ptr) OPENSSL_sk_find(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr))
61		#define sk_SCT_find_ex(sk, ptr) OPENSSL_sk_find_ex(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr))
62		#define sk_SCT_find_all(sk, ptr, pnum) OPENSSL_sk_find_all(ossl_check_SCT_sk_type(sk), ossl_check_SCT_type(ptr), pnum)
63		#define sk_SCT_sort(sk) OPENSSL_sk_sort(ossl_check_SCT_sk_type(sk))
64		#define sk_SCT_is_sorted(sk) OPENSSL_sk_is_sorted(ossl_check_const_SCT_sk_type(sk))
65		#define sk_SCT_dup(sk) ((STACK_OF(SCT) *)OPENSSL_sk_dup(ossl_check_const_SCT_sk_type(sk)))
66		#define sk_SCT_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(SCT) *)OPENSSL_sk_deep_copy(ossl_check_const_SCT_sk_type(sk), ossl_check_SCT_copyfunc_type(copyfunc), ossl_check_SCT_freefunc_type(freefunc)))
67		#define sk_SCT_set_cmp_func(sk, cmp) ((sk_SCT_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_SCT_sk_type(sk), ossl_check_SCT_compfunc_type(cmp)))
68		SKM_DEFINE_STACK_OF_INTERNAL(CTLOG, CTLOG, CTLOG)
69		#define sk_CTLOG_num(sk) OPENSSL_sk_num(ossl_check_const_CTLOG_sk_type(sk))
70		#define sk_CTLOG_value(sk, idx) ((CTLOG *)OPENSSL_sk_value(ossl_check_const_CTLOG_sk_type(sk), (idx)))
71		#define sk_CTLOG_new(cmp) ((STACK_OF(CTLOG) *)OPENSSL_sk_new(ossl_check_CTLOG_compfunc_type(cmp)))
72		#define sk_CTLOG_new_null() ((STACK_OF(CTLOG) *)OPENSSL_sk_new_null())
73		#define sk_CTLOG_new_reserve(cmp, n) ((STACK_OF(CTLOG) *)OPENSSL_sk_new_reserve(ossl_check_CTLOG_compfunc_type(cmp), (n)))
74		#define sk_CTLOG_reserve(sk, n) OPENSSL_sk_reserve(ossl_check_CTLOG_sk_type(sk), (n))
75		#define sk_CTLOG_free(sk) OPENSSL_sk_free(ossl_check_CTLOG_sk_type(sk))
76		#define sk_CTLOG_zero(sk) OPENSSL_sk_zero(ossl_check_CTLOG_sk_type(sk))
77		#define sk_CTLOG_delete(sk, i) ((CTLOG *)OPENSSL_sk_delete(ossl_check_CTLOG_sk_type(sk), (i)))
78		#define sk_CTLOG_delete_ptr(sk, ptr) ((CTLOG *)OPENSSL_sk_delete_ptr(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr)))
79		#define sk_CTLOG_push(sk, ptr) OPENSSL_sk_push(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr))
80		#define sk_CTLOG_unshift(sk, ptr) OPENSSL_sk_unshift(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr))
81		#define sk_CTLOG_pop(sk) ((CTLOG *)OPENSSL_sk_pop(ossl_check_CTLOG_sk_type(sk)))
82		#define sk_CTLOG_shift(sk) ((CTLOG *)OPENSSL_sk_shift(ossl_check_CTLOG_sk_type(sk)))
83		#define sk_CTLOG_pop_free(sk, freefunc) OPENSSL_sk_pop_free(ossl_check_CTLOG_sk_type(sk),ossl_check_CTLOG_freefunc_type(freefunc))
84		#define sk_CTLOG_insert(sk, ptr, idx) OPENSSL_sk_insert(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr), (idx))
85		#define sk_CTLOG_set(sk, idx, ptr) ((CTLOG *)OPENSSL_sk_set(ossl_check_CTLOG_sk_type(sk), (idx), ossl_check_CTLOG_type(ptr)))
86		#define sk_CTLOG_find(sk, ptr) OPENSSL_sk_find(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr))
87		#define sk_CTLOG_find_ex(sk, ptr) OPENSSL_sk_find_ex(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr))
88		#define sk_CTLOG_find_all(sk, ptr, pnum) OPENSSL_sk_find_all(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_type(ptr), pnum)
89		#define sk_CTLOG_sort(sk) OPENSSL_sk_sort(ossl_check_CTLOG_sk_type(sk))
90		#define sk_CTLOG_is_sorted(sk) OPENSSL_sk_is_sorted(ossl_check_const_CTLOG_sk_type(sk))
91		#define sk_CTLOG_dup(sk) ((STACK_OF(CTLOG) *)OPENSSL_sk_dup(ossl_check_const_CTLOG_sk_type(sk)))
92		#define sk_CTLOG_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(CTLOG) *)OPENSSL_sk_deep_copy(ossl_check_const_CTLOG_sk_type(sk), ossl_check_CTLOG_copyfunc_type(copyfunc), ossl_check_CTLOG_freefunc_type(freefunc)))
93		#define sk_CTLOG_set_cmp_func(sk, cmp) ((sk_CTLOG_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_compfunc_type(cmp)))
94
95
96
97		typedef enum {
98		CT_LOG_ENTRY_TYPE_NOT_SET = -1,
99		CT_LOG_ENTRY_TYPE_X509 = 0,
100		CT_LOG_ENTRY_TYPE_PRECERT = 1
101		} ct_log_entry_type_t;
102
103		typedef enum {
104		SCT_VERSION_NOT_SET = -1,
105		SCT_VERSION_V1 = 0
106		} sct_version_t;
107
108		typedef enum {
109		SCT_SOURCE_UNKNOWN,
110		SCT_SOURCE_TLS_EXTENSION,
111		SCT_SOURCE_X509V3_EXTENSION,
112		SCT_SOURCE_OCSP_STAPLED_RESPONSE
113		} sct_source_t;
114
115		typedef enum {
116		SCT_VALIDATION_STATUS_NOT_SET,
117		SCT_VALIDATION_STATUS_UNKNOWN_LOG,
118		SCT_VALIDATION_STATUS_VALID,
119		SCT_VALIDATION_STATUS_INVALID,
120		SCT_VALIDATION_STATUS_UNVERIFIED,
121		SCT_VALIDATION_STATUS_UNKNOWN_VERSION
122		} sct_validation_status_t;
123
124		/******************************************
125		* CT policy evaluation context functions *
126		******************************************/
127
128		/*
129		* Creates a new, empty policy evaluation context associated with the given
130		* library context and property query string.
131		* The caller is responsible for calling CT_POLICY_EVAL_CTX_free when finished
132		* with the CT_POLICY_EVAL_CTX.
133		*/
134		CT_POLICY_EVAL_CTX CT_POLICY_EVAL_CTX_new_ex(OSSL_LIB_CTX libctx,
135		const char *propq);
136
137		/*
138		* The same as CT_POLICY_EVAL_CTX_new_ex() but the default library
139		* context and property query string is used.
140		*/
141		CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void);
142
143		/* Deletes a policy evaluation context and anything it owns. */
144		void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx);
145
146		/* Gets the peer certificate that the SCTs are for */
147		X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
148
149		/*
150		* Sets the certificate associated with the received SCTs.
151		* Increments the reference count of cert.
152		* Returns 1 on success, 0 otherwise.
153		*/
154		int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX ctx, X509 cert);
155
156		/* Gets the issuer of the aforementioned certificate */
157		X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx);
158
159		/*
160		* Sets the issuer of the certificate associated with the received SCTs.
161		* Increments the reference count of issuer.
162		* Returns 1 on success, 0 otherwise.
163		*/
164		int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX ctx, X509 issuer);
165
166		/* Gets the CT logs that are trusted sources of SCTs */
167		const CTLOG_STORE CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX ctx);
168
169		/* Sets the log store that is in use. It must outlive the CT_POLICY_EVAL_CTX. */
170		void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx,
171		CTLOG_STORE *log_store);
172
173		/*
174		* Gets the time, in milliseconds since the Unix epoch, that will be used as the
175		* current time when checking whether an SCT was issued in the future.
176		* Such SCTs will fail validation, as required by RFC6962.
177		*/
178		uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx);
179
180		/*
181		* Sets the time to evaluate SCTs against, in milliseconds since the Unix epoch.
182		* If an SCT's timestamp is after this time, it will be interpreted as having
183		* been issued in the future. RFC6962 states that "TLS clients MUST reject SCTs
184		* whose timestamp is in the future", so an SCT will not validate in this case.
185		*/
186		void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms);
187
188		/*****************
189		* SCT functions *
190		*****************/
191
192		/*
193		* Creates a new, blank SCT.
194		* The caller is responsible for calling SCT_free when finished with the SCT.
195		*/
196		SCT *SCT_new(void);
197
198		/*
199		* Creates a new SCT from some base64-encoded strings.
200		* The caller is responsible for calling SCT_free when finished with the SCT.
201		*/
202		SCT *SCT_new_from_base64(unsigned char version,
203		const char *logid_base64,
204		ct_log_entry_type_t entry_type,
205		uint64_t timestamp,
206		const char *extensions_base64,
207		const char *signature_base64);
208
209		/*
210		* Frees the SCT and the underlying data structures.
211		*/
212		void SCT_free(SCT *sct);
213
214		/*
215		* Free a stack of SCTs, and the underlying SCTs themselves.
216		* Intended to be compatible with X509V3_EXT_FREE.
217		*/
218		void SCT_LIST_free(STACK_OF(SCT) *a);
219
220		/*
221		* Returns the version of the SCT.
222		*/
223		sct_version_t SCT_get_version(const SCT *sct);
224
225		/*
226		* Set the version of an SCT.
227		* Returns 1 on success, 0 if the version is unrecognized.
228		*/
229		__owur int SCT_set_version(SCT *sct, sct_version_t version);
230
231		/*
232		* Returns the log entry type of the SCT.
233		*/
234		ct_log_entry_type_t SCT_get_log_entry_type(const SCT *sct);
235
236		/*
237		* Set the log entry type of an SCT.
238		* Returns 1 on success, 0 otherwise.
239		*/
240		__owur int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type);
241
242		/*
243		* Gets the ID of the log that an SCT came from.
244		* Ownership of the log ID remains with the SCT.
245		* Returns the length of the log ID.
246		*/
247		size_t SCT_get0_log_id(const SCT sct, unsigned char *log_id);
248
249		/*
250		* Set the log ID of an SCT to point directly to the *log_id specified.
251		* The SCT takes ownership of the specified pointer.
252		* Returns 1 on success, 0 otherwise.
253		*/
254		__owur int SCT_set0_log_id(SCT sct, unsigned char log_id, size_t log_id_len);
255
256		/*
257		* Set the log ID of an SCT.
258		* This makes a copy of the log_id.
259		* Returns 1 on success, 0 otherwise.
260		*/
261		__owur int SCT_set1_log_id(SCT sct, const unsigned char log_id,
262		size_t log_id_len);
263
264		/*
265		* Returns the timestamp for the SCT (epoch time in milliseconds).
266		*/
267		uint64_t SCT_get_timestamp(const SCT *sct);
268
269		/*
270		* Set the timestamp of an SCT (epoch time in milliseconds).
271		*/
272		void SCT_set_timestamp(SCT *sct, uint64_t timestamp);
273
274		/*
275		* Return the NID for the signature used by the SCT.
276		* For CT v1, this will be either NID_sha256WithRSAEncryption or
277		* NID_ecdsa_with_SHA256 (or NID_undef if incorrect/unset).
278		*/
279		int SCT_get_signature_nid(const SCT *sct);
280
281		/*
282		* Set the signature type of an SCT
283		* For CT v1, this should be either NID_sha256WithRSAEncryption or
284		* NID_ecdsa_with_SHA256.
285		* Returns 1 on success, 0 otherwise.
286		*/
287		__owur int SCT_set_signature_nid(SCT *sct, int nid);
288
289		/*
290		* Set *ext to point to the extension data for the SCT. ext must not be NULL.
291		* The SCT retains ownership of this pointer.
292		* Returns length of the data pointed to.
293		*/
294		size_t SCT_get0_extensions(const SCT sct, unsigned char *ext);
295
296		/*
297		* Set the extensions of an SCT to point directly to the *ext specified.
298		* The SCT takes ownership of the specified pointer.
299		*/
300		void SCT_set0_extensions(SCT sct, unsigned char ext, size_t ext_len);
301
302		/*
303		* Set the extensions of an SCT.
304		* This takes a copy of the ext.
305		* Returns 1 on success, 0 otherwise.
306		*/
307		__owur int SCT_set1_extensions(SCT sct, const unsigned char ext,
308		size_t ext_len);
309
310		/*
311		* Set *sig to point to the signature for the SCT. sig must not be NULL.
312		* The SCT retains ownership of this pointer.
313		* Returns length of the data pointed to.
314		*/
315		size_t SCT_get0_signature(const SCT sct, unsigned char *sig);
316
317		/*
318		* Set the signature of an SCT to point directly to the *sig specified.
319		* The SCT takes ownership of the specified pointer.
320		*/
321		void SCT_set0_signature(SCT sct, unsigned char sig, size_t sig_len);
322
323		/*
324		* Set the signature of an SCT to be a copy of the *sig specified.
325		* Returns 1 on success, 0 otherwise.
326		*/
327		__owur int SCT_set1_signature(SCT sct, const unsigned char sig,
328		size_t sig_len);
329
330		/*
331		* The origin of this SCT, e.g. TLS extension, OCSP response, etc.
332		*/
333		sct_source_t SCT_get_source(const SCT *sct);
334
335		/*
336		* Set the origin of this SCT, e.g. TLS extension, OCSP response, etc.
337		* Returns 1 on success, 0 otherwise.
338		*/
339		__owur int SCT_set_source(SCT *sct, sct_source_t source);
340
341		/*
342		* Returns a text string describing the validation status of \|sct\|.
343		*/
344		const char SCT_validation_status_string(const SCT sct);
345
346		/*
347		* Pretty-prints an \|sct\| to \|out\|.
348		* It will be indented by the number of spaces specified by \|indent\|.
349		* If \|logs\| is not NULL, it will be used to lookup the CT log that the SCT came
350		* from, so that the log name can be printed.
351		*/
352		void SCT_print(const SCT sct, BIO out, int indent, const CTLOG_STORE *logs);
353
354		/*
355		* Pretty-prints an \|sct_list\| to \|out\|.
356		* It will be indented by the number of spaces specified by \|indent\|.
357		* SCTs will be delimited by \|separator\|.
358		* If \|logs\| is not NULL, it will be used to lookup the CT log that each SCT
359		* came from, so that the log names can be printed.
360		*/
361		void SCT_LIST_print(const STACK_OF(SCT) sct_list, BIO out, int indent,
362		const char separator, const CTLOG_STORE logs);
363
364		/*
365		* Gets the last result of validating this SCT.
366		* If it has not been validated yet, returns SCT_VALIDATION_STATUS_NOT_SET.
367		*/
368		sct_validation_status_t SCT_get_validation_status(const SCT *sct);
369
370		/*
371		* Validates the given SCT with the provided context.
372		* Sets the "validation_status" field of the SCT.
373		* Returns 1 if the SCT is valid and the signature verifies.
374		* Returns 0 if the SCT is invalid or could not be verified.
375		* Returns -1 if an error occurs.
376		*/
377		__owur int SCT_validate(SCT sct, const CT_POLICY_EVAL_CTX ctx);
378
379		/*
380		* Validates the given list of SCTs with the provided context.
381		* Sets the "validation_status" field of each SCT.
382		* Returns 1 if there are no invalid SCTs and all signatures verify.
383		* Returns 0 if at least one SCT is invalid or could not be verified.
384		* Returns a negative integer if an error occurs.
385		*/
386		__owur int SCT_LIST_validate(const STACK_OF(SCT) *scts,
387		CT_POLICY_EVAL_CTX *ctx);
388
389
390		/*********************************
391		* SCT parsing and serialization *
392		*********************************/
393
394		/*
395		* Serialize (to TLS format) a stack of SCTs and return the length.
396		* "a" must not be NULL.
397		* If "pp" is NULL, just return the length of what would have been serialized.
398		* If "pp" is not NULL and "*pp" is null, function will allocate a new pointer
399		* for data that caller is responsible for freeing (only if function returns
400		* successfully).
401		* If "pp" is NULL and "*pp" is not NULL, caller is responsible for ensuring
402		* that "*pp" is large enough to accept all of the serialized data.
403		* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
404		* on success.
405		*/
406		__owur int i2o_SCT_LIST(const STACK_OF(SCT) a, unsigned char *pp);
407
408		/*
409		* Convert TLS format SCT list to a stack of SCTs.
410		* If "a" or "*a" is NULL, a new stack will be created that the caller is
411		* responsible for freeing (by calling SCT_LIST_free).
412		* "*pp" and "pp" must not be NULL.
413		* Upon success, "*pp" will point to after the last bytes read, and a stack
414		* will be returned.
415		* Upon failure, a NULL pointer will be returned, and the position of "*pp" is
416		* not defined.
417		*/
418		STACK_OF(SCT) o2i_SCT_LIST(STACK_OF(SCT) a, const unsigned char *pp,
419		size_t len);
420
421		/*
422		* Serialize (to DER format) a stack of SCTs and return the length.
423		* "a" must not be NULL.
424		* If "pp" is NULL, just returns the length of what would have been serialized.
425		* If "pp" is not NULL and "*pp" is null, function will allocate a new pointer
426		* for data that caller is responsible for freeing (only if function returns
427		* successfully).
428		* If "pp" is NULL and "*pp" is not NULL, caller is responsible for ensuring
429		* that "*pp" is large enough to accept all of the serialized data.
430		* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
431		* on success.
432		*/
433		__owur int i2d_SCT_LIST(const STACK_OF(SCT) a, unsigned char *pp);
434
435		/*
436		* Parses an SCT list in DER format and returns it.
437		* If "a" or "*a" is NULL, a new stack will be created that the caller is
438		* responsible for freeing (by calling SCT_LIST_free).
439		* "*pp" and "pp" must not be NULL.
440		* Upon success, "*pp" will point to after the last bytes read, and a stack
441		* will be returned.
442		* Upon failure, a NULL pointer will be returned, and the position of "*pp" is
443		* not defined.
444		*/
445		STACK_OF(SCT) d2i_SCT_LIST(STACK_OF(SCT) a, const unsigned char *pp,
446		long len);
447
448		/*
449		* Serialize (to TLS format) an \|sct\| and write it to \|out\|.
450		* If \|out\| is null, no SCT will be output but the length will still be returned.
451		* If \|out\| points to a null pointer, a string will be allocated to hold the
452		* TLS-format SCT. It is the responsibility of the caller to free it.
453		* If \|out\| points to an allocated string, the TLS-format SCT will be written
454		* to it.
455		* The length of the SCT in TLS format will be returned.
456		*/
457		__owur int i2o_SCT(const SCT sct, unsigned char *out);
458
459		/*
460		* Parses an SCT in TLS format and returns it.
461		* If \|psct\| is not null, it will end up pointing to the parsed SCT. If it
462		* already points to a non-null pointer, the pointer will be free'd.
463		* \|in\| should be a pointer to a string containing the TLS-format SCT.
464		* \|in\| will be advanced to the end of the SCT if parsing succeeds.
465		* \|len\| should be the length of the SCT in \|in\|.
466		* Returns NULL if an error occurs.
467		* If the SCT is an unsupported version, only the SCT's 'sct' and 'sct_len'
468		* fields will be populated (with \|in\| and \|len\| respectively).
469		*/
470		SCT o2i_SCT(SCT psct, const unsigned char *in, size_t len);
471
472		/********************
473		* CT log functions *
474		********************/
475
476		/*
477		* Creates a new CT log instance with the given \|public_key\| and \|name\| and
478		* associates it with the give library context \|libctx\| and property query
479		* string \|propq\|.
480		* Takes ownership of \|public_key\| but copies \|name\|.
481		* Returns NULL if malloc fails or if \|public_key\| cannot be converted to DER.
482		* Should be deleted by the caller using CTLOG_free when no longer needed.
483		*/
484		CTLOG CTLOG_new_ex(EVP_PKEY public_key, const char name, OSSL_LIB_CTX libctx,
485		const char *propq);
486
487		/*
488		* The same as CTLOG_new_ex except that the default library context and
489		* property query string are used.
490		*/
491		CTLOG CTLOG_new(EVP_PKEY public_key, const char *name);
492
493		/*
494		* Creates a new CTLOG instance with the base64-encoded SubjectPublicKeyInfo DER
495		* in \|pkey_base64\| and associated with the given library context \|libctx\| and
496		* property query string \|propq\|. The \|name\| is a string to help users identify
497		* this log.
498		* Returns 1 on success, 0 on failure.
499		* Should be deleted by the caller using CTLOG_free when no longer needed.
500		*/
501		int CTLOG_new_from_base64_ex(CTLOG *ct_log, const char pkey_base64,
502		const char name, OSSL_LIB_CTX libctx,
503		const char *propq);
504
505		/*
506		* The same as CTLOG_new_from_base64_ex() except that the default
507		* library context and property query string are used.
508		* Returns 1 on success, 0 on failure.
509		*/
510		int CTLOG_new_from_base64(CTLOG ** ct_log,
511		const char pkey_base64, const char name);
512
513		/*
514		* Deletes a CT log instance and its fields.
515		*/
516		void CTLOG_free(CTLOG *log);
517
518		/* Gets the name of the CT log */
519		const char CTLOG_get0_name(const CTLOG log);
520		/* Gets the ID of the CT log */
521		void CTLOG_get0_log_id(const CTLOG log, const uint8_t *log_id,
522		size_t *log_id_len);
523		/* Gets the public key of the CT log */
524		EVP_PKEY CTLOG_get0_public_key(const CTLOG log);
525
526		/**************************
527		* CT log store functions *
528		**************************/
529
530		/*
531		* Creates a new CT log store and associates it with the given libctx and
532		* property query string.
533		* Should be deleted by the caller using CTLOG_STORE_free when no longer needed.
534		*/
535		CTLOG_STORE CTLOG_STORE_new_ex(OSSL_LIB_CTX libctx, const char *propq);
536
537		/*
538		* Same as CTLOG_STORE_new_ex except that the default libctx and
539		* property query string are used.
540		* Should be deleted by the caller using CTLOG_STORE_free when no longer needed.
541		*/
542		CTLOG_STORE *CTLOG_STORE_new(void);
543
544		/*
545		* Deletes a CT log store and all of the CT log instances held within.
546		*/
547		void CTLOG_STORE_free(CTLOG_STORE *store);
548
549		/*
550		* Finds a CT log in the store based on its log ID.
551		* Returns the CT log, or NULL if no match is found.
552		*/
553		const CTLOG CTLOG_STORE_get0_log_by_id(const CTLOG_STORE store,
554		const uint8_t *log_id,
555		size_t log_id_len);
556
557		/*
558		* Loads a CT log list into a \|store\| from a \|file\|.
559		* Returns 1 if loading is successful, or 0 otherwise.
560		*/
561		__owur int CTLOG_STORE_load_file(CTLOG_STORE store, const char file);
562
563		/*
564		* Loads the default CT log list into a \|store\|.
565		* Returns 1 if loading is successful, or 0 otherwise.
566		*/
567		__owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
568
569		# ifdef __cplusplus
570		}
571		# endif
572		# endif
573		#endif