.\" $NetBSD: SCT_validate.3,v 1.4.6.2 2023/11/02 19:32:27 sborrill Exp $ .\" .\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "SCT_validate 3" .TH SCT_validate 3 "2023-05-07" "3.0.12" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" SCT_validate, SCT_LIST_validate, SCT_get_validation_status \- checks Signed Certificate Timestamps (SCTs) are valid .SH "LIBRARY" libcrypto, -lcrypto .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& typedef enum { \& SCT_VALIDATION_STATUS_NOT_SET, \& SCT_VALIDATION_STATUS_UNKNOWN_LOG, \& SCT_VALIDATION_STATUS_VALID, \& SCT_VALIDATION_STATUS_INVALID, \& SCT_VALIDATION_STATUS_UNVERIFIED, \& SCT_VALIDATION_STATUS_UNKNOWN_VERSION \& } sct_validation_status_t; \& \& int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx); \& int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx); \& sct_validation_status_t SCT_get_validation_status(const SCT *sct); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBSCT_validate()\fR will check that an \s-1SCT\s0 is valid and verify its signature. \&\fBSCT_LIST_validate()\fR performs the same checks on an entire stack of SCTs. The result of the validation checks can be obtained by passing the \s-1SCT\s0 to \&\fBSCT_get_validation_status()\fR. .PP A \s-1CT_POLICY_EVAL_CTX\s0 must be provided that specifies: .IP "\(bu" 2 The certificate the \s-1SCT\s0 was issued for. .Sp Failure to provide the certificate will result in the validation status being \&\s-1SCT_VALIDATION_STATUS_UNVERIFIED.\s0 .IP "\(bu" 2 The issuer of that certificate. .Sp This is only required if the \s-1SCT\s0 was issued for a pre-certificate (see \s-1RFC 6962\s0). If it is required but not provided, the validation status will be \s-1SCT_VALIDATION_STATUS_UNVERIFIED.\s0 .IP "\(bu" 2 A \s-1CTLOG_STORE\s0 that contains the \s-1CT\s0 log that issued this \s-1SCT.\s0 .Sp If the \s-1SCT\s0 was issued by a log that is not in this \s-1CTLOG_STORE,\s0 the validation status will be \s-1SCT_VALIDATION_STATUS_UNKNOWN_LOG.\s0 .PP If the \s-1SCT\s0 is of an unsupported version (only v1 is currently supported), the validation status will be \s-1SCT_VALIDATION_STATUS_UNKNOWN_VERSION.\s0 .PP If the \s-1SCT\s0's signature is incorrect, its timestamp is in the future (relative to the time in \s-1CT_POLICY_EVAL_CTX\s0), or if it is otherwise invalid, the validation status will be \s-1SCT_VALIDATION_STATUS_INVALID.\s0 .PP If all checks pass, the validation status will be \s-1SCT_VALIDATION_STATUS_VALID.\s0 .SH "NOTES" .IX Header "NOTES" A return value of 0 from \fBSCT_LIST_validate()\fR should not be interpreted as a failure. At a minimum, only one valid \s-1SCT\s0 may provide sufficient confidence that a certificate has been publicly logged. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSCT_validate()\fR returns a negative integer if an internal error occurs, 0 if the \&\s-1SCT\s0 fails validation, or 1 if the \s-1SCT\s0 passes validation. .PP \&\fBSCT_LIST_validate()\fR returns a negative integer if an internal error occurs, 0 if any of SCTs fails validation, or 1 if they all pass validation. .PP \&\fBSCT_get_validation_status()\fR returns the validation status of the \s-1SCT.\s0 If \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR have not been passed that \s-1SCT,\s0 the returned value will be \s-1SCT_VALIDATION_STATUS_NOT_SET.\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBct\fR\|(7) .SH "HISTORY" .IX Header "HISTORY" These functions were added in OpenSSL 1.1.0. .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at .