diff options
Diffstat (limited to 'doc/crypto/CT_POLICY_EVAL_CTX_new.pod')
| -rw-r--r-- | doc/crypto/CT_POLICY_EVAL_CTX_new.pod | 96 |
1 files changed, 0 insertions, 96 deletions
diff --git a/doc/crypto/CT_POLICY_EVAL_CTX_new.pod b/doc/crypto/CT_POLICY_EVAL_CTX_new.pod deleted file mode 100644 index 62792992e2..0000000000 --- a/doc/crypto/CT_POLICY_EVAL_CTX_new.pod +++ /dev/null @@ -1,96 +0,0 @@ -=pod - -=head1 NAME - -CT_POLICY_EVAL_CTX_new, CT_POLICY_EVAL_CTX_free, -CT_POLICY_EVAL_CTX_get0_cert, CT_POLICY_EVAL_CTX_set1_cert, -CT_POLICY_EVAL_CTX_get0_issuer, CT_POLICY_EVAL_CTX_set1_issuer, -CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE - -Encapsulates the data required to evaluate whether SCTs meet a Certificate Transparency policy - -=head1 SYNOPSIS - - #include <openssl/ct.h> - - CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void); - void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx); - X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx); - int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert); - X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx); - int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer); - const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx); - void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx, CTLOG_STORE *log_store); - -=head1 DESCRIPTION - -A B<CT_POLICY_EVAL_CTX> is used by functions that evaluate whether Signed -Certificate Timestamps (SCTs) fulfil a Certificate Transparency (CT) policy. -This policy may be, for example, that at least one valid SCT is available. To -determine this, an SCT's signature must be verified. This requires: - -=over - -=item * the public key of the log that issued the SCT - -=item * the certificate that the SCT was issued for - -=item * the issuer certificate (if the SCT was issued for a pre-certificate) - -=back - -The above requirements are met using the setters described below. - -CT_POLICY_EVAL_CTX_new() creates an empty policy evaluation context. This -should then be populated using: - -=over - -=item * CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for - -Increments the reference count of the certificate. - -=item * CT_POLICY_EVAL_CTX_set1_issuer() to provide the issuer certificate - -Increments the reference count of the certificate. - -=item * CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() to provide a list of logs that are trusted as sources of SCTs - -Holds a pointer to the CTLOG_STORE, so the CTLOG_STORE must outlive the -CT_POLICY_EVAL_CTX. - -=back - -Each setter has a matching getter for accessing the current value. - -When no longer required, the B<CT_POLICY_EVAL_CTX> should be passed to -CT_POLICY_EVAL_CTX_free() to delete it. - -=head1 NOTES - -The issuer certificate only needs to be provided if at least one of the SCTs -was issued for a pre-certificate. This will be the case for SCTs embedded in a -certificate (i.e. those in an X.509 extension), but may not be the case for SCTs -found in the TLS SCT extension or OCSP response. - -=head1 RETURN VALUES - -CT_POLICY_EVAL_CTX_new() will return NULL if malloc fails. - -=head1 SEE ALSO - -L<ct(3)> - -=head1 HISTORY - -These functions were added in OpenSSL 1.1.0. - -=head1 COPYRIGHT - -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. - -Licensed under the OpenSSL license (the "License"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file LICENSE in the source distribution or at -L<https://www.openssl.org/source/license.html>. - -=cut |