Use 'over 2' for bullet lists.

If you find any bugs or you have suggestions please write to

Zoltan Glozik <zglozik@opentsa.org>. Known issues:

=over 4

=over 2

=item *

=item * No support for time stamps over SMTP, though it is quite easy

No support for time stamps over SMTP, though it is quite easy

to implement an automatic e-mail based TSA with L<procmail(1)>

and L<perl(1)>. HTTP server support is provided in the form of

a separate apache module. HTTP client support is provided by

L<tsget(1)>. Pure TCP/IP protocol is not supported.

=item * The file containing the last serial number of the TSA is not

=item *

The file containing the last serial number of the TSA is not

locked when being read or written. This is a problem if more than one

instance of L<openssl(1)> is trying to create a time stamp

response at the same time. This is not an issue when using the apache

server module, it does proper locking.

=item * Look for the FIXME word in the source files.

=item *

Look for the FIXME word in the source files.

=item *

The source code should really be reviewed by somebody else, too.

=item * The source code should really be reviewed by somebody else, too.

=item *

=item * More testing is needed, I have done only some basic tests (see

More testing is needed, I have done only some basic tests (see

test/testtsa).

=back

B<dest> will share some internal state with B<b>. For this reason the following

restrictions apply to the use of B<dest>:

=over 4

=over 2

=item *

If B<cb> is not B<NULL>, it is used as follows:

=over 4

=over 2

=item *

The following multi-threading function are provided:

=over 4

=over 2

=item *

CRYPTO_THREAD_run_once() can be used to perform one-time initialization.

The B<once> argument must be a pointer to a static object of type

B<CRYPTO_ONCE> that was statically initialized to the value

which can then be used with the locking functions below.

=item *

CRYPTO_THREAD_lock_new() allocates, initializes and returns a new read/write

lock.

=item *

CRYPTO_THREAD_read_lock() locks the provided B<lock> for reading.

=item *

CRYPTO_THREAD_write_lock() locks the provided B<lock> for writing.

=item *

CRYPTO_THREAD_unlock() unlocks the previously locked B<lock>.

=item *

CRYPTO_THREAD_lock_frees() frees the provided B<lock>.

=item *

CRYPTO_atomic_add() atomically adds B<amount> to B<val> and returns the

result of the operation in B<ret>. B<lock> will be locked, unless atomic

operations are supported on the specific platform. Because of this, if a

determine this, an SCT's timestamp and signature must be verified.

This requires:

=over 4

=over 2

=item * the public key of the log that issued the SCT

=item *

=item * the certificate that the SCT was issued for

the public key of the log that issued the SCT

=item * the issuer certificate (if the SCT was issued for a pre-certificate)

=item *

=item * the current time

the certificate that the SCT was issued for

=item *

the issuer certificate (if the SCT was issued for a pre-certificate)

=item *

the current time

=back

CT_POLICY_EVAL_CTX_new() creates an empty policy evaluation context. This

should then be populated using:

=over 4

=over 2

=item * CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for

=item *

CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for

Increments the reference count of the certificate.

=item * CT_POLICY_EVAL_CTX_set1_issuer() to provide the issuer certificate

=item *

CT_POLICY_EVAL_CTX_set1_issuer() to provide the issuer certificate

Increments the reference count of the certificate.

=item * CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() to provide a list of logs that are trusted as sources of SCTs

=item *

CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() to provide a list of logs that are trusted as sources of SCTs

Holds a pointer to the CTLOG_STORE, so the CTLOG_STORE must outlive the

CT_POLICY_EVAL_CTX.

=item * CT_POLICY_EVAL_CTX_set_time() to set the time SCTs should be compared with to determine if they are valid

=item *

CT_POLICY_EVAL_CTX_set_time() to set the time SCTs should be compared with to determine if they are valid

The SCT timestamp will be compared to this time to check whether the SCT was

issued in the future. RFC6962 states that "TLS clients MUST reject SCTs whose