Initial commit for Certificate Transparency support

Original authors:
Rob Stradling <rob@comodo.com>
Dr. Stephen Henson <steve@openssl.org>

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

4 files changed, 634 insertions, 0 deletions

diff --git a/crypto/ct/Makefile b/crypto/ct/Makefile
new file mode 100644
index 0000000000..ce3a6b1fb2
--- /dev/null
+++ b/crypto/ct/Makefile
@@ -0,0 +1,83 @@
+#
+# OpenSSL/crypto/ct/Makefile
+#
+
+DIR=	ct
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+MAKEFILE=	Makefile
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= ct_lib.c
+LIBOBJ= ct_lib.o
+
+SRC= $(LIBSRC)
+
+HEADER=	ct_lcl.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+test:
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB) || echo Never mind.
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+tags:
+	ctags $(SRC)
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+update:  depend
+
+depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+ct_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ct_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ct_lib.o: ../../include/openssl/comp.h ../../include/openssl/crypto.h
+ct_lib.o: ../../include/openssl/dsa.h ../../include/openssl/dtls1.h
+ct_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ct_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ct_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ct_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
+ct_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ct_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ct_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+ct_lib.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+ct_lib.o: ../../include/openssl/pqueue.h ../../include/openssl/rsa.h
+ct_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ct_lib.o: ../../include/openssl/srtp.h ../../include/openssl/ssl.h
+ct_lib.o: ../../include/openssl/ssl2.h ../../include/openssl/ssl3.h
+ct_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ct_lib.o: ../../include/openssl/tls1.h ../../include/openssl/x509.h
+ct_lib.o: ../../include/openssl/x509_vfy.h ../../ssl/packet_locl.h
+ct_lib.o: ../../ssl/record/record.h ../../ssl/ssl_locl.h
+ct_lib.o: ../include/internal/cryptlib.h ct_lib.c ct_locl.h
diff --git a/crypto/ct/ct_err.c b/crypto/ct/ct_err.c
new file mode 100644
index 0000000000..d2781c5b5f
--- /dev/null
+++ b/crypto/ct/ct_err.c
@@ -0,0 +1,101 @@
+/* crypto/ct/ct_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ct_locl.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_CT,func,0)
+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_CT,0,reason)
+
+static ERR_STRING_DATA CT_str_functs[] = {
+    {ERR_FUNC(CT_F_SCT_NEW), "SCT_new"},
+    {ERR_FUNC(CT_F_SCT_SET0_LOG_ID), "SCT_set0_log_id"},
+    {ERR_FUNC(CT_F_SCT_SET_LOG_ENTRY_TYPE), "SCT_set_log_entry_type"},
+    {ERR_FUNC(CT_F_SCT_SET_SIGNATURE_NID), "SCT_set_signature_nid"},
+    {ERR_FUNC(CT_F_SCT_SET_VERSION), "SCT_set_version"},
+    {0, NULL}
+};
+
+static ERR_STRING_DATA CT_str_reasons[] = {
+    {ERR_REASON(CT_R_INVALID_LOG_ID_LENGTH), "invalid log id length"},
+    {ERR_REASON(CT_R_UNRECOGNIZED_SIGNATURE_NID),
+     "unrecognized signature nid"},
+    {ERR_REASON(CT_R_UNSUPPORTED_ENTRY_TYPE), "unsupported entry type"},
+    {ERR_REASON(CT_R_UNSUPPORTED_VERSION), "unsupported version"},
+    {0, NULL}
+};
+
+#endif
+
+void ERR_load_CT_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+
+    if (ERR_func_error_string(CT_str_functs[0].error) == NULL) {
+        ERR_load_strings(0, CT_str_functs);
+        ERR_load_strings(0, CT_str_reasons);
+    }
+#endif
+}
diff --git a/crypto/ct/ct_lib.c b/crypto/ct/ct_lib.c
new file mode 100644
index 0000000000..7945745da7
--- /dev/null
+++ b/crypto/ct/ct_lib.c
@@ -0,0 +1,208 @@
+/*
+ * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
+ * (steve@openssl.org) for the OpenSSL project 2014.
+ */
+/* ====================================================================
+ * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef OPENSSL_NO_CT
+
+# include <limits.h>
+# include "internal/cryptlib.h"
+# include "../ssl/ssl_locl.h"
+# include "ct_locl.h"
+
+SCT *SCT_new(void)
+{
+    SCT *sct = OPENSSL_zalloc(sizeof(SCT));
+    if (sct == NULL) {
+        CTerr(CT_F_SCT_NEW, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    sct->entry_type = UNSET_ENTRY;
+    sct->version = UNSET_VERSION;
+    return sct;
+}
+
+void SCT_free(SCT *sct)
+{
+    if (sct) {
+        OPENSSL_free(sct->log_id);
+        OPENSSL_free(sct->ext);
+        OPENSSL_free(sct->sig);
+        OPENSSL_free(sct->sct);
+        OPENSSL_free(sct);
+    }
+}
+
+int SCT_set_version(SCT *sct, sct_version_t version)
+{
+    if (version != SCT_V1) {
+        CTerr(CT_F_SCT_SET_VERSION, CT_R_UNSUPPORTED_VERSION);
+        return 0;
+    }
+    sct->version = version;
+    return 1;
+}
+
+int SCT_set_log_entry_type(SCT *sct, log_entry_type_t entry_type)
+{
+    if (entry_type != X509_ENTRY && entry_type != PRECERT_ENTRY) {
+        CTerr(CT_F_SCT_SET_LOG_ENTRY_TYPE, CT_R_UNSUPPORTED_ENTRY_TYPE);
+        return 0;
+    }
+    sct->entry_type = entry_type;
+    return 1;
+}
+
+int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len)
+{
+    /* Currently only SHA-256 allowed so length must be SCT_V1_HASHLEN */
+    if (log_id_len != SCT_V1_HASHLEN) {
+        CTerr(CT_F_SCT_SET0_LOG_ID, CT_R_INVALID_LOG_ID_LENGTH);
+        return 0;
+    }
+    OPENSSL_free(sct->log_id);
+    sct->log_id = log_id;
+    sct->log_id_len = log_id_len;
+    return 1;
+}
+
+void SCT_set_timestamp(SCT *sct, uint64_t timestamp)
+{
+    sct->timestamp = timestamp;
+}
+
+int SCT_set_signature_nid(SCT *sct, int nid)
+{
+  switch (nid) {
+    case NID_sha256WithRSAEncryption:
+        sct->hash_alg = TLSEXT_hash_sha256;
+        sct->sig_alg = TLSEXT_signature_rsa;
+        return 1;
+    case NID_ecdsa_with_SHA256:
+        sct->hash_alg = TLSEXT_hash_sha256;
+        sct->sig_alg = TLSEXT_signature_ecdsa;
+        return 1;
+    default:
+        CTerr(CT_F_SCT_SET_SIGNATURE_NID, CT_R_UNRECOGNIZED_SIGNATURE_NID);
+        return 0;
+    }
+}
+
+void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len)
+{
+    OPENSSL_free(sct->ext);
+    sct->ext = ext;
+    sct->ext_len = ext_len;
+}
+
+void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len)
+{
+    OPENSSL_free(sct->sig);
+    sct->sig = sig;
+    sct->sig_len = sig_len;
+}
+
+sct_version_t SCT_get_version(const SCT *sct)
+{
+    return sct->version;
+}
+
+log_entry_type_t SCT_get_log_entry_type(const SCT *sct)
+{
+    return sct->entry_type;
+}
+
+size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id)
+{
+    *log_id = sct->log_id;
+    return sct->log_id_len;
+}
+
+uint64_t SCT_get_timestamp(const SCT *sct)
+{
+    return sct->timestamp;
+}
+
+int SCT_get_signature_nid(const SCT *sct)
+{
+    if (sct->version == SCT_V1) {
+        if (sct->hash_alg == TLSEXT_hash_sha256) {
+            switch (sct->sig_alg) {
+            case TLSEXT_signature_ecdsa:
+                return NID_ecdsa_with_SHA256;
+            case TLSEXT_signature_rsa:
+                return NID_sha256WithRSAEncryption;
+            default:
+                return NID_undef;
+            }
+        }
+    }
+    return NID_undef;
+}
+
+size_t SCT_get0_extensions(const SCT *sct, unsigned char **ext)
+{
+    *ext = sct->ext;
+    return sct->ext_len;
+}
+
+size_t SCT_get0_signature(const SCT *sct, unsigned char **sig)
+{
+    *sig = sct->sig;
+    return sct->sig_len;
+}
+
+#endif
diff --git a/crypto/ct/ct_locl.h b/crypto/ct/ct_locl.h
new file mode 100644
index 0000000000..a6164336d1
--- /dev/null
+++ b/crypto/ct/ct_locl.h
@@ -0,0 +1,242 @@
+/* crypto/ct/ct_locl.h */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2015.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+#ifndef HEADER_CT_LOCL_H
+# define HEADER_CT_LOCL_H
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# ifndef OPENSSL_NO_CT
+
+/* All hashes are currently SHA256 */
+#  define SCT_V1_HASHLEN  32
+/* Minimum RSA key size, from RFC6962 */
+#  define SCT_MIN_RSA_BITS 2048
+
+/*
+ * From RFC6962: opaque SerializedSCT<1..2^16-1>; struct { SerializedSCT
+ * sct_list <1..2^16-1>; } SignedCertificateTimestampList;
+ */
+
+#  define MAX_SCT_SIZE            65535
+#  define MAX_SCT_LIST_SIZE       MAX_SCT_SIZE
+
+typedef enum {
+    UNSET_ENTRY = -1,
+    X509_ENTRY = 0,
+    PRECERT_ENTRY = 1
+} log_entry_type_t;
+
+typedef enum {
+    UNSET_VERSION = -1,
+    SCT_V1 = 0
+} sct_version_t;
+
+typedef struct {
+    sct_version_t version;
+    /* If version is not SCT_V1 this contains the encoded SCT */
+    unsigned char *sct;
+    size_t sct_len;
+    /*
+     * If version is SCT_V1 fields below contain components of the SCT. "logid",
+     * "ext" and "sig" point to buffers allocated with OPENSSL_malloc().
+     */
+    unsigned char *log_id;
+    size_t log_id_len;
+
+    /*
+     * Note, we cannot distinguish between an unset timestamp, and one
+     * that is set to 0.  However since CT didn't exist in 1970, no real
+     * SCT should ever be set as such.
+     */
+    uint64_t timestamp;
+    unsigned char *ext;
+    size_t ext_len;
+    unsigned char hash_alg;
+    unsigned char sig_alg;
+    unsigned char *sig;
+    size_t sig_len;
+    /* Log entry type */
+    log_entry_type_t entry_type;
+} SCT;
+
+DECLARE_STACK_OF(SCT)
+
+/*
+ * Allocate new SCT.
+ * Caller is responsible for calling SCT_free when done.
+ */
+SCT *SCT_new(void);
+
+/*
+ * Free SCT and underlying datastructures.
+ */
+void SCT_free(SCT *sct);
+
+/*
+ * Set the version of an SCT.
+ * Returns 1 on success, 0 if the version is unrecognized.
+ */
+int SCT_set_version(SCT *sct, sct_version_t version);
+
+/*
+ * Set the log entry type of an SCT.
+ * Returns 1 on success.
+ */
+int SCT_set_log_entry_type(SCT *sct, log_entry_type_t entry_type);
+
+/*
+ * Set the log id of an SCT to point directly to the *logid specified.
+ * The SCT takes ownership of the specified pointer.
+ * Returns 1 on success.
+ */
+int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
+
+/*
+ * Set the timestamp of an SCT.
+ */
+void SCT_set_timestamp(SCT *sct, uint64_t timestamp);
+
+/*
+ * Set the signature type of an SCT
+ * Currently NID_sha256WithRSAEncryption or NID_ecdsa_with_SHA256.
+ * Returns 1 on success.
+ */
+int SCT_set_signature_nid(SCT *sct, int nid);
+
+/*
+ * Set the extensions of an SCT to point directly to the *ext specified.
+ * The SCT takes ownership of the specified pointer.
+ */
+void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len);
+
+/*
+ * Set the signature of an SCT to point directly to the *sig specified.
+ * The SCT takes ownership of the specified pointer.
+ */
+void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len);
+
+/*
+ * Returns the version of the SCT.
+ */
+sct_version_t SCT_get_version(const SCT *sct);
+
+/*
+ * Returns the log entry type of the SCT.
+ */
+log_entry_type_t SCT_get_log_entry_type(const SCT *sct);
+
+/*
+ * Set *logid to point to the log id for the SCT. logid must not be NULL.
+ * The SCT retains ownership of this pointer.
+ * Returns length of the data pointed to.
+ */
+size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id);
+
+/*
+ * Returns the timestamp for the SCT.
+ */
+uint64_t SCT_get_timestamp(const SCT *sct);
+
+/*
+ * Return the nid for the signature used by the SCT.
+ * Currently NID_sha256WithRSAEncryption or NID_ecdsa_with_SHA256 (or NID_undef)
+ */
+int SCT_get_signature_nid(const SCT *sct);
+
+/*
+ * Set *ext to point to the extension data for the SCT. ext must not be NULL.
+ * The SCT retains ownership of this pointer.
+ * Returns length of the data pointed to.
+ */
+size_t SCT_get0_extensions(const SCT *sct, unsigned char **ext);
+
+/*
+ * Set *sig to point to the signature for the SCT. sig must not be NULL.
+ * The SCT retains ownership of this pointer.
+ * Returns length of the data pointed to.
+ */
+size_t SCT_get0_signature(const SCT *sct, unsigned char **sig);
+
+
+# endif
+
+/* BEGIN ERROR CODES */
+/*
+ * The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_CT_strings(void);
+
+/* Error codes for the CT functions. */
+
+/* Function codes. */
+# define CT_F_SCT_NEW                                     100
+# define CT_F_SCT_SET0_LOG_ID                             101
+# define CT_F_SCT_SET_LOG_ENTRY_TYPE                      102
+# define CT_F_SCT_SET_SIGNATURE_NID                       103
+# define CT_F_SCT_SET_VERSION                             104
+
+/* Reason codes. */
+# define CT_R_INVALID_LOG_ID_LENGTH                       100
+# define CT_R_UNRECOGNIZED_SIGNATURE_NID                  101
+# define CT_R_UNSUPPORTED_ENTRY_TYPE                      102
+# define CT_R_UNSUPPORTED_VERSION                         103
+
+#ifdef  __cplusplus
+}
+#endif
+#endif