diff options
author | Rob Percival <robpercival@google.com> | 2016-03-08 18:37:16 +0000 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2016-03-09 11:34:48 -0500 |
commit | 98af73106444d23982e759e0d3684700a97092d8 (patch) | |
tree | 0e0ddb3c4c6bcba2fe111e85ab42777c7c59a347 /crypto/ct/ct_sct_ctx.c | |
parent | e5a7ac446b799cb2f24189c1367c8f3c32c2dd24 (diff) | |
download | openssl-98af73106444d23982e759e0d3684700a97092d8.tar.gz |
Improved documentation of SCT_CTX_* functions
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/ct/ct_sct_ctx.c')
-rw-r--r-- | crypto/ct/ct_sct_ctx.c | 30 |
1 files changed, 20 insertions, 10 deletions
diff --git a/crypto/ct/ct_sct_ctx.c b/crypto/ct/ct_sct_ctx.c index 89051d2f7c..13937c75ca 100644 --- a/crypto/ct/ct_sct_ctx.c +++ b/crypto/ct/ct_sct_ctx.c @@ -164,13 +164,13 @@ int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner) int poison_ext_is_dup, sct_ext_is_dup; int poison_idx = ct_x509_get_ext(cert, NID_ct_precert_poison, &poison_ext_is_dup); - /* Duplicate poison */ + /* Duplicate poison extensions are present - error */ if (poison_ext_is_dup) goto err; - /* If no poison extension, store encoding */ + /* If *cert doesn't have a poison extension, it isn't a precert */ if (poison_idx == -1) { - /* presigner must have poison */ + /* cert isn't a precert, so we shouldn't have a presigner */ if (presigner != NULL) goto err; @@ -179,20 +179,30 @@ int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner) goto err; } - /* See if have precert scts extension */ + /* See if cert has a precert SCTs extension */ idx = ct_x509_get_ext(cert, NID_ct_precert_scts, &sct_ext_is_dup); - /* Duplicate scts */ + /* Duplicate SCT extensions are present - error */ if (sct_ext_is_dup) goto err; - if (idx >= 0) { - /* Can't have both poison and scts */ - if (poison_idx >= 0) - goto err; - } else { + if (idx >= 0 && poison_idx >= 0) { + /* + * cert can't both contain SCTs (i.e. have an SCT extension) and be a + * precert (i.e. have a poison extension). + */ + goto err; + } + + if (idx == -1) { idx = poison_idx; } + /* + * If either a poison or SCT extension is present, remove it before encoding + * cert. This, along with ct_x509_cert_fixup(), gets a TBSCertificate (see + * RFC5280) from cert, which is what the CT log signed when it produced the + * SCT. + */ if (idx >= 0) { X509_EXTENSION *ext; |