=pod

=head1 NAME

SCT_validate, SCT_LIST_validate, SCT_get_validation_status -
check that Signed Certificate Timestamps (SCTs) are valid

=head1 SYNOPSIS

 #include <openssl/ct.h>

 typedef enum {
  SCT_VALIDATION_STATUS_NOT_SET,
  SCT_VALIDATION_STATUS_UNKNOWN_LOG,
  SCT_VALIDATION_STATUS_VALID,
  SCT_VALIDATION_STATUS_INVALID,
  SCT_VALIDATION_STATUS_UNVERIFIED,
  SCT_VALIDATION_STATUS_UNKNOWN_VERSION
 } sct_validation_status_t;

 int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
 int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx);
 sct_validation_status_t SCT_get_validation_status(const SCT *sct);

=head1 DESCRIPTION

SCT_validate() checks that an SCT is valid and verifies its signature.
SCT_LIST_validate() performs the same checks on an entire stack of SCTs.
The result of the validation checks can be obtained by passing the SCT to
SCT_get_validation_status().

A CT_POLICY_EVAL_CTX must be provided that specifies:

=over 2

=item *

The certificate the SCT was issued for.

Failure to provide the certificate will result in the validation status being
SCT_VALIDATION_STATUS_UNVERIFIED.

=item *

The issuer of that certificate.

This is only required if the SCT was issued for a pre-certificate
(see RFC 6962). If it is required but not provided, the validation status will
be SCT_VALIDATION_STATUS_UNVERIFIED.

=item *

A CTLOG_STORE that contains the CT log that issued this SCT.

If the SCT was issued by a log that is not in this CTLOG_STORE, the validation
status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG.

=back

If the SCT is of an unsupported version (only v1 is currently supported), the
validation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION.

If the SCT's signature is incorrect, its timestamp is in the future (relative to
the time in the CT_POLICY_EVAL_CTX), or it is otherwise invalid, the validation
status will be SCT_VALIDATION_STATUS_INVALID.

If all checks pass, the validation status will be SCT_VALIDATION_STATUS_VALID.

=head1 NOTES

A return value of 0 from SCT_LIST_validate() should not be interpreted as a
failure. A single valid SCT may be enough to provide confidence that a
certificate has been publicly logged.

=head1 RETURN VALUES

SCT_validate() returns a negative integer if an internal error occurs, 0 if the
SCT fails validation, or 1 if the SCT passes validation.

SCT_LIST_validate() returns a negative integer if an internal error occurs, 0
if any of the SCTs fails validation, or 1 if they all pass validation.

SCT_get_validation_status() returns the validation status of the SCT.
If SCT_validate() or SCT_LIST_validate() have not been passed that SCT, the
returned value will be SCT_VALIDATION_STATUS_NOT_SET.

=head1 SEE ALSO

L<ct(7)>

=head1 HISTORY

These functions were added in OpenSSL 1.1.0.

=head1 COPYRIGHT

Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut