Update TLS SCT

2026-06-19 19:33:38 +08:00 · 2026-06-10 23:44:31 +08:00
parent 79c6947ee9
commit b48f2c3772
4 changed files with 77 additions and 40 deletions
--- a/include/gmssl/sct.h
+++ b/include/gmssl/sct.h
@@ -24,21 +24,6 @@ extern "C" {
 #endif


-/*
-Certificate Transparency (RFC 6962) uses TLS-style presentation language for
-Signed Certificate Timestamp (SCT) objects. When SCTs are carried in an X.509
-or OCSP extension, the extension value is an ASN.1 OCTET STRING whose contents
-are the TLS-serialized SignedCertificateTimestampList.
-
-id-ct OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 11129 2 4 }
-
-id-ct-precertificate-scts OBJECT IDENTIFIER ::= { id-ct 2 }
-
-ExtnValue contents ::=
-	SignedCertificateTimestampList
-*/
-
-
 enum {
 	SCT_version_v1 = 0,
 };
@@ -139,11 +124,6 @@ int signed_certificate_timestamp_verify(const uint8_t *sct, size_t sct_len,
 	X509_KEY *key, const DIGEST *digest);


-/*
-在验证sct_list的时候，我们需要提供一组公钥的信息，包括X509_KEY, Key_hash, URL , description 这三个是最重要的了
-*/
-
-
 typedef struct {
 	X509_KEY log_key;
 	uint8_t log_id[32];
--- a/include/gmssl/tls.h
+++ b/include/gmssl/tls.h
@@ -22,6 +22,7 @@
 #include <gmssl/block_cipher.h>
 #include <gmssl/socket.h>
 #include <gmssl/x509_key.h>
+#include <gmssl/sct.h>


 #ifdef __cplusplus
@@ -843,6 +844,9 @@ typedef struct {
 	int signed_certificate_timestamp;
 	uint8_t signed_certificate_timestamp_lists[512]; // list of uint16array
 	size_t signed_certificate_timestamp_lists_len;
+	const CT_LOG_INFO *ct_logs;
+	size_t ct_logs_cnt;
+	size_t ct_at_least;

 	// 35. session_ticket
 	// session_ticket only supported in tls12
@@ -1878,11 +1882,16 @@ int tls_process_signature_algorithms(const uint8_t *ext_data, size_t ext_datalen
 // signed_certificate_timestamp response is set by tls_ctx_add_certificate_list_and_key()
 int tls_ctx_enable_signed_certificate_timestamp(TLS_CTX *ctx, int enable); // 这里enable的是什么？是否请求吗？
 int tls_enable_signed_certificate_timestamp(TLS_CONNECT *conn, int enable);
+int tls_ctx_set_ct_logs(TLS_CTX *ctx, const CT_LOG_INFO *ct_logs,
+	size_t ct_logs_cnt, size_t at_least);


 // 客户端需要一组SCT服务器的公钥列表才能够去验证SCT，我们假定这个公钥列表在CTX中

-int tls13_signed_certificate_timestamp_verify(const uint8_t *sct_list, size_t sct_list_len);
+int tls13_signed_certificate_timestamp_verify(const uint8_t *sct_list, size_t sct_list_len,
+	int entry_type, const uint8_t issuer_key_hash[SCT_ISSUER_KEY_HASH_SIZE],
+	const uint8_t *entry, size_t entry_len,
+	const CT_LOG_INFO *ct_logs, size_t ct_logs_cnt, size_t at_least);

 int tls_signed_certificate_timestamp_entry_to_bytes(const uint8_t key_id[32],
 	uint64_t timestamp, const uint8_t *signature, size_t signature_len,