1SCT_VALIDATE(3)                     OpenSSL                    SCT_VALIDATE(3)
2
3
4

NAME

6       SCT_validate, SCT_LIST_validate, SCT_get_validation_status - checks
7       Signed Certificate Timestamps (SCTs) are valid
8

SYNOPSIS

10        #include <openssl/ct.h>
11
12        typedef enum {
13            SCT_VALIDATION_STATUS_NOT_SET,
14            SCT_VALIDATION_STATUS_UNKNOWN_LOG,
15            SCT_VALIDATION_STATUS_VALID,
16            SCT_VALIDATION_STATUS_INVALID,
17            SCT_VALIDATION_STATUS_UNVERIFIED,
18            SCT_VALIDATION_STATUS_UNKNOWN_VERSION
19        } sct_validation_status_t;
20
21        int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
22        int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx);
23        sct_validation_status_t SCT_get_validation_status(const SCT *sct);
24

DESCRIPTION

26       SCT_validate() will check that an SCT is valid and verify its
27       signature.  SCT_LIST_validate() performs the same checks on an entire
28       stack of SCTs.  The result of the validation checks can be obtained by
29       passing the SCT to SCT_get_validation_status().
30
31       A CT_POLICY_EVAL_CTX must be provided that specifies:
32
33       • The certificate the SCT was issued for.
34
35         Failure to provide the certificate will result in the validation
36         status being SCT_VALIDATION_STATUS_UNVERIFIED.
37
38       • The issuer of that certificate.
39
40         This is only required if the SCT was issued for a pre-certificate
41         (see RFC 6962). If it is required but not provided, the validation
42         status will be SCT_VALIDATION_STATUS_UNVERIFIED.
43
44       • A CTLOG_STORE that contains the CT log that issued this SCT.
45
46         If the SCT was issued by a log that is not in this CTLOG_STORE, the
47         validation status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG.
48
49       If the SCT is of an unsupported version (only v1 is currently
50       supported), the validation status will be
51       SCT_VALIDATION_STATUS_UNKNOWN_VERSION.
52
53       If the SCT's signature is incorrect, its timestamp is in the future
54       (relative to the time in CT_POLICY_EVAL_CTX), or if it is otherwise
55       invalid, the validation status will be SCT_VALIDATION_STATUS_INVALID.
56
57       If all checks pass, the validation status will be
58       SCT_VALIDATION_STATUS_VALID.
59

NOTES

61       A return value of 0 from SCT_LIST_validate() should not be interpreted
62       as a failure. At a minimum, only one valid SCT may provide sufficient
63       confidence that a certificate has been publicly logged.
64

RETURN VALUES

66       SCT_validate() returns a negative integer if an internal error occurs,
67       0 if the SCT fails validation, or 1 if the SCT passes validation.
68
69       SCT_LIST_validate() returns a negative integer if an internal error
70       occurs, 0 if any of SCTs fails validation, or 1 if they all pass
71       validation.
72
73       SCT_get_validation_status() returns the validation status of the SCT.
74       If SCT_validate() or SCT_LIST_validate() have not been passed that SCT,
75       the returned value will be SCT_VALIDATION_STATUS_NOT_SET.
76

SEE ALSO

78       ct(7)
79

HISTORY

81       These functions were added in OpenSSL 1.1.0.
82
84       Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
85
86       Licensed under the OpenSSL license (the "License").  You may not use
87       this file except in compliance with the License.  You can obtain a copy
88       in the file LICENSE in the source distribution or at
89       <https://www.openssl.org/source/license.html>.
90
91
92
931.1.1i                            2021-01-26                   SCT_VALIDATE(3)
Impressum