1=pod 2 3=head1 NAME 4 5OCSP_resp_get0_certs, 6OCSP_resp_get0_signer, 7OCSP_resp_get0_id, 8OCSP_resp_get1_id, 9OCSP_resp_get0_produced_at, 10OCSP_resp_get0_signature, 11OCSP_resp_get0_tbs_sigalg, 12OCSP_resp_get0_respdata, 13OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, 14OCSP_single_get0_status, OCSP_check_validity, 15OCSP_basic_verify 16- OCSP response utility functions 17 18=head1 SYNOPSIS 19 20 #include <openssl/ocsp.h> 21 22 int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, 23 int *reason, 24 ASN1_GENERALIZEDTIME **revtime, 25 ASN1_GENERALIZEDTIME **thisupd, 26 ASN1_GENERALIZEDTIME **nextupd); 27 28 int OCSP_resp_count(OCSP_BASICRESP *bs); 29 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); 30 int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); 31 int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, 32 ASN1_GENERALIZEDTIME **revtime, 33 ASN1_GENERALIZEDTIME **thisupd, 34 ASN1_GENERALIZEDTIME **nextupd); 35 36 const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at( 37 const OCSP_BASICRESP* single); 38 39 const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); 40 const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs); 41 const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); 42 const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); 43 44 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, 45 STACK_OF(X509) *extra_certs); 46 47 int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, 48 const ASN1_OCTET_STRING **pid, 49 const X509_NAME **pname); 50 int OCSP_resp_get1_id(const OCSP_BASICRESP *bs, 51 ASN1_OCTET_STRING **pid, 52 X509_NAME **pname); 53 54 int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, 55 ASN1_GENERALIZEDTIME *nextupd, 56 long sec, long maxsec); 57 58 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, 59 X509_STORE *st, unsigned long flags); 60 61=head1 DESCRIPTION 62 63OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is 64successful the fields of the response are returned in B<*status>, B<*reason>, 65B<*revtime>, B<*thisupd> and B<*nextupd>. The B<*status> value will be one of 66B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or 67B<V_OCSP_CERTSTATUS_UNKNOWN>. The B<*reason> and B<*revtime> fields are only 68set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the B<*reason> field 69will be set to the revocation reason which will be one of 70B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>, 71B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>, 72B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>, 73B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>, 74B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>. 75 76OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in B<bs>. 77 78OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in B<bs> 79corresponding to index B<idx>. Where B<idx> runs from 0 to 80OCSP_resp_count(bs) - 1. 81 82OCSP_resp_find() searches B<bs> for B<id> and returns the index of the first 83matching entry after B<last> or starting from the beginning if B<last> is -1. 84 85OCSP_single_get0_status() extracts the fields of B<single> in B<*reason>, 86B<*revtime>, B<*thisupd> and B<*nextupd>. 87 88OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the 89single response B<bs>. 90 91OCSP_resp_get0_signature() returns the signature from B<bs>. 92 93OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> from B<bs>. 94 95OCSP_resp_get0_respdata() returns the B<tbsResponseData> from B<bs>. 96 97OCSP_resp_get0_certs() returns any certificates included in B<bs>. 98 99OCSP_resp_get0_signer() attempts to retrieve the certificate that directly 100signed B<bs>. The OCSP protocol does not require that this certificate 101is included in the B<certs> field of the response, so additional certificates 102can be supplied in B<extra_certs> if the certificates that may have 103signed the response are known via some out-of-band mechanism. 104 105OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is 106a name then <*pname> is set to the name and B<*pid> is set to NULL. If the 107responder ID is by key ID then B<*pid> is set to the key ID and B<*pname> 108is set to NULL. OCSP_resp_get1_id() leaves ownership of B<*pid> and B<*pname> 109with the caller, who is responsible for freeing them. Both functions return 1 110in case of success and 0 in case of failure. If OCSP_resp_get1_id() returns 0, 111no freeing of the results is necessary. 112 113OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values 114which will be typically obtained from OCSP_resp_find_status() or 115OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds 116leeway should be allowed in the check. If B<maxsec> is positive it indicates 117the maximum age of B<thisupd> in seconds. 118 119OCSP_basic_verify() checks that the basic response message B<bs> is correctly 120signed and that the signer certificate can be validated. It takes B<st> as 121the trusted store and B<certs> as a set of untrusted intermediate certificates. 122The function first tries to find the signer certificate of the response 123in <certs>. It also searches the certificates the responder may have included 124in B<bs> unless the B<flags> contain B<OCSP_NOINTERN>. 125It fails if the signer certificate cannot be found. 126Next, the function checks the signature of B<bs> and fails on error 127unless the B<flags> contain B<OCSP_NOSIGS>. Then the function already returns 128success if the B<flags> contain B<OCSP_NOVERIFY> or if the signer certificate 129was found in B<certs> and the B<flags> contain B<OCSP_TRUSTOTHER>. 130Otherwise the function continues by validating the signer certificate. 131To this end, all certificates in B<cert> and in B<bs> are considered as 132untrusted certificates for the construction of the validation path for the 133signer certificate unless the B<OCSP_NOCHAIN> flag is set. After successful path 134validation the function returns success if the B<OCSP_NOCHECKS> flag is set. 135Otherwise it verifies that the signer certificate meets the OCSP issuer 136criteria including potential delegation. If this does not succeed and the 137B<flags> do not contain B<OCSP_NOEXPLICIT> the function checks for explicit 138trust for OCSP signing in the root CA certificate. 139 140=head1 RETURN VALUES 141 142OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise. 143 144OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in 145B<bs>. 146 147OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or 148B<NULL> if B<idx> is out of range. 149 150OCSP_resp_find() returns the index of B<id> in B<bs> (which may be 0) or -1 if 151B<id> was not found. 152 153OCSP_single_get0_status() returns the status of B<single> or -1 if an error 154occurred. 155 156OCSP_resp_get0_signer() returns 1 if the signing certificate was located, 157or 0 on error. 158 159OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such 160as malloc failure. 161 162=head1 NOTES 163 164Applications will typically call OCSP_resp_find_status() using the certificate 165ID of interest and then check its validity using OCSP_check_validity(). They 166can then take appropriate action based on the status of the certificate. 167 168An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate> 169fields. Normally the current time should be between these two values. To 170account for clock skew the B<maxsec> field can be set to non-zero in 171OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this 172would otherwise mean an ancient response would be considered valid: the 173B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted 174age of responses. 175 176The values written to B<*revtime>, B<*thisupd> and B<*nextupd> by 177OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers 178which B<MUST NOT> be freed up by the calling application. Any or all of these 179parameters can be set to NULL if their value is not required. 180 181=head1 SEE ALSO 182 183L<crypto(7)>, 184L<OCSP_cert_to_id(3)>, 185L<OCSP_request_add1_nonce(3)>, 186L<OCSP_REQUEST_new(3)>, 187L<OCSP_response_status(3)>, 188L<OCSP_sendreq_new(3)> 189 190=head1 COPYRIGHT 191 192Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. 193 194Licensed under the OpenSSL license (the "License"). You may not use 195this file except in compliance with the License. You can obtain a copy 196in the file LICENSE in the source distribution or at 197L<https://www.openssl.org/source/license.html>. 198 199=cut 200