CT_POLICY_EVAL_CTX_new.3ssl man page

Name

CT_POLICY_EVAL_CTX_new, CT_POLICY_EVAL_CTX_free, CT_POLICY_EVAL_CTX_get0_cert, CT_POLICY_EVAL_CTX_set1_cert, CT_POLICY_EVAL_CTX_get0_issuer, CT_POLICY_EVAL_CTX_set1_issuer, CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE — Encapsulates the data required to evaluate whether SCTs meet a Certificate Transparency policy


Synopsis

 #include <openssl/ct.h>
 X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
 int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
 X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx);
 int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer);
 const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx);


Description

A CT_POLICY_EVAL_CTX is used by functions that evaluate whether Signed Certificate Timestamps (SCTs) fulfil a Certificate Transparency (CT) policy. This policy may be, for example, that at least one valid SCT is available. To determine this, an SCT's signature must be verified. This requires:

* the public key of the log that issued the SCT

* the certificate that the SCT was issued for

* the issuer certificate (if the SCT was issued for a pre-certificate)

The above requirements are met using the setters described below.

CT_POLICY_EVAL_CTX_new() creates an empty policy evaluation context. This should then be populated using:


* CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for

  Increments the reference count of the certificate.

* CT_POLICY_EVAL_CTX_set1_issuer() to provide the issuer certificate

  Increments the reference count of the certificate.

* CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() to provide a list of logs that are trusted as sources of SCTs

  Holds a pointer to the CTLOG_STORE, so the CTLOG_STORE must outlive the CT_POLICY_EVAL_CTX.

Each setter has a matching getter for accessing the current value.

When no longer required, the CT_POLICY_EVAL_CTX should be passed to CT_POLICY_EVAL_CTX_free() to delete it.


Notes

The issuer certificate only needs to be provided if at least one of the SCTs was issued for a pre-certificate. This will be the case for SCTs embedded in a certificate (i.e. those in an X.509 extension), but may not be the case for SCTs found in the TLS SCT extension or OCSP response.

Return Values

CT_POLICY_EVAL_CTX_new() will return NULL if malloc fails.

See Also



History

These functions were added in OpenSSL 1.1.0.


2017-02-11 1.1.0d OpenSSL