X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=doc%2Fman3%2FCT_POLICY_EVAL_CTX_new.pod;h=f068fde62684d2d0809b539e58edd3849fba408c;hp=37f3ed598a0e193ff97063faf81cd6d0baf3ae43;hb=b524b808a1d1ba204dbdcbb42de4e3bddb3472ac;hpb=b97fdb57a269656fa20024a4404d3f543f06ac61
diff --git a/doc/man3/CT_POLICY_EVAL_CTX_new.pod b/doc/man3/CT_POLICY_EVAL_CTX_new.pod
index 37f3ed598a..f068fde626 100644
--- a/doc/man3/CT_POLICY_EVAL_CTX_new.pod
+++ b/doc/man3/CT_POLICY_EVAL_CTX_new.pod
@@ -5,7 +5,8 @@ CT_POLICY_EVAL_CTX_new, CT_POLICY_EVAL_CTX_free, CT_POLICY_EVAL_CTX_get0_cert, CT_POLICY_EVAL_CTX_set1_cert, CT_POLICY_EVAL_CTX_get0_issuer, CT_POLICY_EVAL_CTX_set1_issuer, -CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE - +CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE, +CT_POLICY_EVAL_CTX_get_time, CT_POLICY_EVAL_CTX_set_time - Encapsulates the data required to evaluate whether SCTs meet a Certificate Transparency policy =head1 SYNOPSIS 
@@ -19,22 +20,36 @@ Encapsulates the data required to evaluate whether SCTs meet a Certificate Trans X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx); int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer); const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx); - void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx, CTLOG_STORE *log_store); + void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx, + CTLOG_STORE *log_store); + uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx); + void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms); =head1 DESCRIPTION A B is used by functions that evaluate whether Signed Certificate Timestamps (SCTs) fulfil a Certificate Transparency (CT) policy. This policy may be, for example, that at least one valid SCT is available. To -determine this, an SCT's signature must be verified. This requires: +determine this, an SCT's timestamp and signature must be verified. +This requires: -=over +=over 2 -=item * the public key of the log that issued the SCT +=item * -=item * the certificate that the SCT was issued for +the public key of the log that issued the SCT -=item * the issuer certificate (if the SCT was issued for a pre-certificate) +=item * + +the certificate that the SCT was issued for + +=item * + +the issuer certificate (if the SCT was issued for a pre-certificate) + +=item * + +the current time =back 
@@ -43,21 +58,38 @@ The above requirements are met using the setters described below. CT_POLICY_EVAL_CTX_new() creates an empty policy evaluation context. This should then be populated using: -=over +=over 2 + +=item * -=item * CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for +CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for Increments the reference count of the certificate. -=item * CT_POLICY_EVAL_CTX_set1_issuer() to provide the issuer certificate +=item * + +CT_POLICY_EVAL_CTX_set1_issuer() to provide the issuer certificate Increments the reference count of the certificate. -=item * CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() to provide a list of logs that are trusted as sources of SCTs +=item * + +CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() to provide a list of logs that are trusted as sources of SCTs Holds a pointer to the CTLOG_STORE, so the CTLOG_STORE must outlive the CT_POLICY_EVAL_CTX. +=item * + +CT_POLICY_EVAL_CTX_set_time() to set the time SCTs should be compared with to determine if they are valid + +The SCT timestamp will be compared to this time to check whether the SCT was +issued in the future. RFC6962 states that "TLS clients MUST reject SCTs whose +timestamp is in the future". By default, this will be set to 5 minutes in the +future (e.g. (time() + 300) * 1000), to allow for clock drift. + +The time should be in milliseconds since the Unix epoch. + =back Each setter has a matching getter for accessing the current value.