Update TLS SCT

2026-06-20 03:44:15 +08:00 · 2026-06-10 23:44:31 +08:00
parent 79c6947ee9
commit b48f2c3772
4 changed files with 77 additions and 40 deletions
--- a/src/tls_sct.c
+++ b/src/tls_sct.c
@@ -22,6 +22,7 @@
 #include <gmssl/pem.h>
 #include <gmssl/mem.h>
 #include <gmssl/tls.h>
+#include <gmssl/sct.h>


 /*
@@ -38,8 +39,10 @@ Certificate.certificate_list.CertificateEntry.exts.signed_certificate_timestamp
 		uint64 timestamp;
 		opaque signature<0..2^16-1>;
 	} SignedCertificateTimestamp;
+	// SignedCertificateTimestamp 的格式不对
 */

+/*
 int tls_signed_certificate_timestamp_entry_to_bytes(const uint8_t key_id[32],
 	uint64_t timestamp, const uint8_t *signature, size_t signature_len,
 	uint8_t **out, size_t *outlen)
@@ -71,6 +74,7 @@ int tls_signed_certificate_timestamp_entry_from_bytes(const uint8_t **key_id,
 	}
 	return 1;
 }
+*/

 int tls_signed_certificate_timestamp_ext_to_bytes(const uint8_t *sct_list, size_t sct_list_len,
 	uint8_t **out, size_t *outlen)
@@ -101,8 +105,14 @@ int tls_signed_certificate_timestamp_print(FILE *fp, int fmt, int ind, const uin
 {
 	const uint8_t *sct_list;
 	size_t sct_list_len;
+	size_t i = 0;

-	if (tls_uint16array_from_bytes(&sct_list, &sct_list_len, &d, &dlen) != 1) {
+	if (!fp || !d) {
+		error_print();
+		return -1;
+	}
+	if (tls_uint16array_from_bytes(&sct_list, &sct_list_len, &d, &dlen) != 1
+		|| dlen) {
 		error_print();
 		return -1;
 	}
@@ -113,24 +123,18 @@ int tls_signed_certificate_timestamp_print(FILE *fp, int fmt, int ind, const uin
 		format_print(fp, fmt, ind, "(null)\n");
 	}
 	while (sct_list_len) {
-		const uint8_t *key_id;
-		uint64_t timestamp;
-		const uint8_t *signature;
-		size_t signature_len;
-		int entry_ind = ind + 4;
+		const uint8_t *sct;
+		size_t sct_len;
+		char label[64];

-		format_print(fp, fmt, ind, "SignedCertificateTimestamp\n");
-
-		if (tls_array_from_bytes(&key_id, 32, &sct_list, &sct_list_len) != 1
-			|| tls_uint64_from_bytes(&timestamp, &sct_list, &sct_list_len) != 1
-			|| tls_uint16array_from_bytes(&signature, &signature_len, &sct_list, &sct_list_len) != 1) {
+		if (tls_uint16array_from_bytes(&sct, &sct_len,
+			&sct_list, &sct_list_len) != 1) {
 			error_print();
 			return -1;
 		}
-		format_bytes(fp, fmt, entry_ind, "key_id", key_id, 32);
-		format_print(fp, fmt, entry_ind, "timestamp: %"PRIu64"\n", timestamp);
-		format_bytes(fp, fmt, entry_ind, "signature", signature, signature_len);
-		if (dlen) {
+		snprintf(label, sizeof(label), "SignedCertificateTimestamp[%zu]", i++);
+		if (signed_certificate_timestamp_print(fp, fmt, ind, label,
+			sct, sct_len) != 1) {
 			error_print();
 			return -1;
 		}
@@ -158,8 +162,30 @@ int tls_ctx_enable_signed_certificate_timestamp(TLS_CTX *ctx, int enable)
 	return 1;
 }

-int tls13_signed_certificate_timestamp_verify(const uint8_t *sct_list, size_t sct_list_len)
+int tls_ctx_set_ct_logs(TLS_CTX *ctx, const CT_LOG_INFO *ct_logs,
+	size_t ct_logs_cnt, size_t at_least)
 {
-	error_print();
+	if (!ctx || (ct_logs_cnt && !ct_logs) || at_least > ct_logs_cnt) {
+		error_print();
+		return -1;
+	}
+	ctx->ct_logs = ct_logs;
+	ctx->ct_logs_cnt = ct_logs_cnt;
+	ctx->ct_at_least = at_least;
 	return 1;
 }
+
+int tls13_signed_certificate_timestamp_verify(const uint8_t *sct_list, size_t sct_list_len,
+	int entry_type, const uint8_t issuer_key_hash[SCT_ISSUER_KEY_HASH_SIZE],
+	const uint8_t *entry, size_t entry_len,
+	const CT_LOG_INFO *ct_logs, size_t ct_logs_cnt, size_t at_least)
+{
+	if (!ct_logs_cnt) {
+		return 1;
+	}
+	if (!at_least) {
+		at_least = 1;
+	}
+	return sct_list_verify(sct_list, sct_list_len, entry_type,
+		issuer_key_hash, entry, entry_len, ct_logs, ct_logs_cnt, at_least);
+}