1*e71b7053SJung-uk Kim=pod 2*e71b7053SJung-uk Kim 3*e71b7053SJung-uk Kim=head1 NAME 4*e71b7053SJung-uk Kim 5*e71b7053SJung-uk KimSCT_validate, SCT_LIST_validate, SCT_get_validation_status - 6*e71b7053SJung-uk Kimchecks Signed Certificate Timestamps (SCTs) are valid 7*e71b7053SJung-uk Kim 8*e71b7053SJung-uk Kim=head1 SYNOPSIS 9*e71b7053SJung-uk Kim 10*e71b7053SJung-uk Kim #include <openssl/ct.h> 11*e71b7053SJung-uk Kim 12*e71b7053SJung-uk Kim typedef enum { 13*e71b7053SJung-uk Kim SCT_VALIDATION_STATUS_NOT_SET, 14*e71b7053SJung-uk Kim SCT_VALIDATION_STATUS_UNKNOWN_LOG, 15*e71b7053SJung-uk Kim SCT_VALIDATION_STATUS_VALID, 16*e71b7053SJung-uk Kim SCT_VALIDATION_STATUS_INVALID, 17*e71b7053SJung-uk Kim SCT_VALIDATION_STATUS_UNVERIFIED, 18*e71b7053SJung-uk Kim SCT_VALIDATION_STATUS_UNKNOWN_VERSION 19*e71b7053SJung-uk Kim } sct_validation_status_t; 20*e71b7053SJung-uk Kim 21*e71b7053SJung-uk Kim int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx); 22*e71b7053SJung-uk Kim int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx); 23*e71b7053SJung-uk Kim sct_validation_status_t SCT_get_validation_status(const SCT *sct); 24*e71b7053SJung-uk Kim 25*e71b7053SJung-uk Kim=head1 DESCRIPTION 26*e71b7053SJung-uk Kim 27*e71b7053SJung-uk KimSCT_validate() will check that an SCT is valid and verify its signature. 28*e71b7053SJung-uk KimSCT_LIST_validate() performs the same checks on an entire stack of SCTs. 29*e71b7053SJung-uk KimThe result of the validation checks can be obtained by passing the SCT to 30*e71b7053SJung-uk KimSCT_get_validation_status(). 31*e71b7053SJung-uk Kim 32*e71b7053SJung-uk KimA CT_POLICY_EVAL_CTX must be provided that specifies: 33*e71b7053SJung-uk Kim 34*e71b7053SJung-uk Kim=over 2 35*e71b7053SJung-uk Kim 36*e71b7053SJung-uk Kim=item * 37*e71b7053SJung-uk Kim 38*e71b7053SJung-uk KimThe certificate the SCT was issued for. 39*e71b7053SJung-uk Kim 40*e71b7053SJung-uk KimFailure to provide the certificate will result in the validation status being 41*e71b7053SJung-uk KimSCT_VALIDATION_STATUS_UNVERIFIED. 42*e71b7053SJung-uk Kim 43*e71b7053SJung-uk Kim=item * 44*e71b7053SJung-uk Kim 45*e71b7053SJung-uk KimThe issuer of that certificate. 46*e71b7053SJung-uk Kim 47*e71b7053SJung-uk KimThis is only required if the SCT was issued for a pre-certificate 48*e71b7053SJung-uk Kim(see RFC 6962). If it is required but not provided, the validation status will 49*e71b7053SJung-uk Kimbe SCT_VALIDATION_STATUS_UNVERIFIED. 50*e71b7053SJung-uk Kim 51*e71b7053SJung-uk Kim=item * 52*e71b7053SJung-uk Kim 53*e71b7053SJung-uk KimA CTLOG_STORE that contains the CT log that issued this SCT. 54*e71b7053SJung-uk Kim 55*e71b7053SJung-uk KimIf the SCT was issued by a log that is not in this CTLOG_STORE, the validation 56*e71b7053SJung-uk Kimstatus will be SCT_VALIDATION_STATUS_UNKNOWN_LOG. 57*e71b7053SJung-uk Kim 58*e71b7053SJung-uk Kim=back 59*e71b7053SJung-uk Kim 60*e71b7053SJung-uk KimIf the SCT is of an unsupported version (only v1 is currently supported), the 61*e71b7053SJung-uk Kimvalidation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION. 62*e71b7053SJung-uk Kim 63*e71b7053SJung-uk KimIf the SCT's signature is incorrect, its timestamp is in the future (relative to 64*e71b7053SJung-uk Kimthe time in CT_POLICY_EVAL_CTX), or if it is otherwise invalid, the validation 65*e71b7053SJung-uk Kimstatus will be SCT_VALIDATION_STATUS_INVALID. 66*e71b7053SJung-uk Kim 67*e71b7053SJung-uk KimIf all checks pass, the validation status will be SCT_VALIDATION_STATUS_VALID. 68*e71b7053SJung-uk Kim 69*e71b7053SJung-uk Kim=head1 NOTES 70*e71b7053SJung-uk Kim 71*e71b7053SJung-uk KimA return value of 0 from SCT_LIST_validate() should not be interpreted as a 72*e71b7053SJung-uk Kimfailure. At a minimum, only one valid SCT may provide sufficient confidence 73*e71b7053SJung-uk Kimthat a certificate has been publicly logged. 74*e71b7053SJung-uk Kim 75*e71b7053SJung-uk Kim=head1 RETURN VALUES 76*e71b7053SJung-uk Kim 77*e71b7053SJung-uk KimSCT_validate() returns a negative integer if an internal error occurs, 0 if the 78*e71b7053SJung-uk KimSCT fails validation, or 1 if the SCT passes validation. 79*e71b7053SJung-uk Kim 80*e71b7053SJung-uk KimSCT_LIST_validate() returns a negative integer if an internal error occurs, 0 81*e71b7053SJung-uk Kimif any of SCTs fails validation, or 1 if they all pass validation. 82*e71b7053SJung-uk Kim 83*e71b7053SJung-uk KimSCT_get_validation_status() returns the validation status of the SCT. 84*e71b7053SJung-uk KimIf SCT_validate() or SCT_LIST_validate() have not been passed that SCT, the 85*e71b7053SJung-uk Kimreturned value will be SCT_VALIDATION_STATUS_NOT_SET. 86*e71b7053SJung-uk Kim 87*e71b7053SJung-uk Kim=head1 SEE ALSO 88*e71b7053SJung-uk Kim 89*e71b7053SJung-uk KimL<ct(7)> 90*e71b7053SJung-uk Kim 91*e71b7053SJung-uk Kim=head1 HISTORY 92*e71b7053SJung-uk Kim 93*e71b7053SJung-uk KimThese functions were added in OpenSSL 1.1.0. 94*e71b7053SJung-uk Kim 95*e71b7053SJung-uk Kim=head1 COPYRIGHT 96*e71b7053SJung-uk Kim 97*e71b7053SJung-uk KimCopyright 2016 The OpenSSL Project Authors. All Rights Reserved. 98*e71b7053SJung-uk Kim 99*e71b7053SJung-uk KimLicensed under the OpenSSL license (the "License"). You may not use 100*e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 101*e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 102*e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 103*e71b7053SJung-uk Kim 104*e71b7053SJung-uk Kim=cut 105