=pod

=head1 NAME

SCT_validate, SCT_LIST_validate, SCT_get_validation_status -
checks Signed Certificate Timestamps (SCTs) are valid

=head1 SYNOPSIS

 #include <openssl/ct.h>

 typedef enum {
     SCT_VALIDATION_STATUS_NOT_SET,
     SCT_VALIDATION_STATUS_UNKNOWN_LOG,
     SCT_VALIDATION_STATUS_VALID,
     SCT_VALIDATION_STATUS_INVALID,
     SCT_VALIDATION_STATUS_UNVERIFIED,
     SCT_VALIDATION_STATUS_UNKNOWN_VERSION
 } sct_validation_status_t;

 int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
 int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx);
 sct_validation_status_t SCT_get_validation_status(const SCT *sct);

=head1 DESCRIPTION

SCT_validate() will check that an SCT is valid and verify its signature.
SCT_LIST_validate() performs the same checks on an entire stack of SCTs.
The result of the validation checks can be obtained by passing the SCT to
SCT_get_validation_status().

A CT_POLICY_EVAL_CTX must be provided that specifies:

=over 2

=item *

The certificate the SCT was issued for.

Failure to provide the certificate will result in the validation status being
SCT_VALIDATION_STATUS_UNVERIFIED.

=item *

The issuer of that certificate.

This is only required if the SCT was issued for a pre-certificate
(see RFC 6962). If it is required but not provided, the validation status will
be SCT_VALIDATION_STATUS_UNVERIFIED.

=item *

A CTLOG_STORE that contains the CT log that issued this SCT.

If the SCT was issued by a log that is not in this CTLOG_STORE, the validation
status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG.

=back

If the SCT is of an unsupported version (only v1 is currently supported), the
validation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION.

If the SCT's signature is incorrect, its timestamp is in the future (relative to
the time in CT_POLICY_EVAL_CTX), or if it is otherwise invalid, the validation
status will be SCT_VALIDATION_STATUS_INVALID.

If all checks pass, the validation status will be SCT_VALIDATION_STATUS_VALID.

=head1 NOTES

A return value of 0 from SCT_LIST_validate() should not be interpreted as a
failure. At a minimum, only one valid SCT may provide sufficient confidence
that a certificate has been publicly logged.

=head1 RETURN VALUES

SCT_validate() returns a negative integer if an internal error occurs, 0 if the
SCT fails validation, or 1 if the SCT passes validation.

SCT_LIST_validate() returns a negative integer if an internal error occurs, 0
if any of the SCTs fails validation, or 1 if they all pass validation.

SCT_get_validation_status() returns the validation status of the SCT.
If SCT_validate() or SCT_LIST_validate() have not been passed that SCT, the
returned value will be SCT_VALIDATION_STATUS_NOT_SET.

=head1 SEE ALSO

L<ct(7)>

=head1 HISTORY

These functions were added in OpenSSL 1.1.0.

=head1 COPYRIGHT

Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut