Add server-side support for Signed Certificate Timestamps.

Change-Id: Ifa44fef160fc9d67771eed165f8fc277f28a0222
Reviewed-on: https://boringssl-review.googlesource.com/5840
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 4e2a64d..7109214 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -624,6 +624,18 @@
 OPENSSL_EXPORT int SSL_get0_chain_certs(const SSL *ssl,
                                         STACK_OF(X509) **out_chain);
 
+/* SSL_CTX_set_signed_cert_timestamp_list sets the list of signed certificate
+ * timestamps that is sent to clients that request it. The |list| argument must
+ * contain one or more SCT structures serialised as a SignedCertificateTimestamp
+ * List (see https://tools.ietf.org/html/rfc6962#section-3.3) – i.e. each SCT
+ * is prefixed by a big-endian, uint16 length and the concatenation of one or
+ * more such prefixed SCTs are themselves also prefixed by a uint16 length. It
+ * returns one on success and zero on error. The caller retains ownership of
+ * |list|. */
+OPENSSL_EXPORT int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx,
+                                                          const uint8_t *list,
+                                                          size_t list_len);
+
 /* SSL_CTX_set_ocsp_response sets the OCSP reponse that is sent to clients
  * which request it. It returns one on success and zero on error. The caller
  * retains ownership of |response|. */
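Review bot: The new comment on SSL_CTX_set_signed_cert_timestamp_list says what |list| "must contain" but not whether the function enforces it, so a caller cannot tell if a malformed list is rejected here or only fails later at the client. The implementation is outside this hunk. If it parses the list, the comment should say so, e.g. `It returns zero if |list| is not a well-formed SignedCertificateTimestampList.`; if it does not, the comment should say that the bytes are sent unchecked. Because the list is stored on the SSL_CTX rather than with a certificate, I would also add `The SCTs must have been issued for the leaf certificate configured on |ctx|.`, since a client that enforces Certificate Transparency would presumably reject timestamps for a different certificate. It is also worth one sentence on whether a second call replaces the earlier list and whether a zero |list_len| is an error.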
@@ -1472,6 +1484,10 @@
   /* If true, a client will request certificate timestamps. */
   char signed_cert_timestamps_enabled;
 
+  /* Signed certificate timestamp list to be sent to the client, if requested */
+  uint8_t *signed_cert_timestamp_list;
+  size_t signed_cert_timestamp_list_length;
+
   /* If true, a client will request a stapled OCSP response. */
   char ocsp_stapling_enabled;