xref: /freebsd/crypto/openssl/doc/man3/OCSP_response_status.pod (revision 9f23cbd6cae82fd77edfad7173432fa8dccd0a95)
1=pod
2
3=head1 NAME
4
5OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create,
6OCSP_RESPONSE_free, OCSP_RESPID_set_by_name,
7OCSP_RESPID_set_by_key_ex, OCSP_RESPID_set_by_key, OCSP_RESPID_match_ex,
8OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx
9- OCSP response functions
10
11=head1 SYNOPSIS
12
13 #include <openssl/ocsp.h>
14
15 int OCSP_response_status(OCSP_RESPONSE *resp);
16 OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
17 OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
18 void OCSP_RESPONSE_free(OCSP_RESPONSE *resp);
19
20 int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);
21 int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
22                               OSSL_LIB_CTX *libctx, const char *propq);
23 int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);
24 int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
25                          const char *propq);
26 int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);
27
28 int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
29                     const EVP_MD *dgst, STACK_OF(X509) *certs,
30                     unsigned long flags);
31 int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx,
32                         STACK_OF(X509) *certs, unsigned long flags);
33
34=head1 DESCRIPTION
35
36OCSP_response_status() returns the OCSP response status of I<resp>. It returns
37one of the values: I<OCSP_RESPONSE_STATUS_SUCCESSFUL>,
38I<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>,
39I<OCSP_RESPONSE_STATUS_INTERNALERROR>, I<OCSP_RESPONSE_STATUS_TRYLATER>
40I<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or I<OCSP_RESPONSE_STATUS_UNAUTHORIZED>.
41
42OCSP_response_get1_basic() decodes and returns the I<OCSP_BASICRESP> structure
43contained in I<resp>.
44
45OCSP_response_create() creates and returns an I<OCSP_RESPONSE> structure for
46I<status> and optionally including basic response I<bs>.
47
48OCSP_RESPONSE_free() frees up OCSP response I<resp>.
49
50OCSP_RESPID_set_by_name() sets the name of the OCSP_RESPID to be the same as the
51subject name in the supplied X509 certificate I<cert> for the OCSP responder.
52
53OCSP_RESPID_set_by_key_ex() sets the key of the OCSP_RESPID to be the same as the
54key in the supplied X509 certificate I<cert> for the OCSP responder. The key is
55stored as a SHA1 hash. To calculate the hash the SHA1 algorithm is fetched using
56the library ctx I<libctx> and the property query string I<propq> (see
57L<crypto(7)/ALGORITHM FETCHING> for further information).
58
59OCSP_RESPID_set_by_key() does the same as OCSP_RESPID_set_by_key_ex() except
60that the default library context is used with an empty property query string.
61
62Note that an OCSP_RESPID can only have one of the name, or the key set. Calling
63OCSP_RESPID_set_by_name() or OCSP_RESPID_set_by_key() will clear any existing
64setting.
65
66OCSP_RESPID_match_ex() tests whether the OCSP_RESPID given in I<respid> matches
67with the X509 certificate I<cert> based on the SHA1 hash. To calculate the hash
68the SHA1 algorithm is fetched using the library ctx I<libctx> and the property
69query string I<propq> (see L<crypto(7)/ALGORITHM FETCHING> for further
70information).
71
72OCSP_RESPID_match() does the same as OCSP_RESPID_match_ex() except that the
73default library context is used with an empty property query string.
74
75OCSP_basic_sign() signs OCSP response I<brsp> using certificate I<signer>, private key
76I<key>, digest I<dgst> and additional certificates I<certs>. If the I<flags> option
77I<OCSP_NOCERTS> is set then no certificates will be included in the response. If the
78I<flags> option I<OCSP_RESPID_KEY> is set then the responder is identified by key ID
79rather than by name. OCSP_basic_sign_ctx() also signs OCSP response I<brsp> but
80uses the parameters contained in digest context I<ctx>.
81
82=head1 RETURN VALUES
83
84OCSP_RESPONSE_status() returns a status value.
85
86OCSP_response_get1_basic() returns an I<OCSP_BASICRESP> structure pointer or
87I<NULL> if an error occurred.
88
89OCSP_response_create() returns an I<OCSP_RESPONSE> structure pointer or I<NULL>
90if an error occurred.
91
92OCSP_RESPONSE_free() does not return a value.
93
94OCSP_RESPID_set_by_name(), OCSP_RESPID_set_by_key(), OCSP_basic_sign(), and
95OCSP_basic_sign_ctx() return 1 on success or 0
96on failure.
97
98OCSP_RESPID_match() returns 1 if the OCSP_RESPID and the X509 certificate match
99or 0 otherwise.
100
101=head1 NOTES
102
103OCSP_response_get1_basic() is only called if the status of a response is
104I<OCSP_RESPONSE_STATUS_SUCCESSFUL>.
105
106=head1 SEE ALSO
107
108L<crypto(7)>
109L<OCSP_cert_to_id(3)>
110L<OCSP_request_add1_nonce(3)>
111L<OCSP_REQUEST_new(3)>
112L<OCSP_resp_find_status(3)>
113L<OCSP_sendreq_new(3)>
114L<OCSP_RESPID_new(3)>
115L<OCSP_RESPID_free(3)>
116
117=head1 HISTORY
118
119The OCSP_RESPID_set_by_name(), OCSP_RESPID_set_by_key() and OCSP_RESPID_match()
120functions were added in OpenSSL 1.1.0a.
121
122The OCSP_basic_sign_ctx() function was added in OpenSSL 1.1.1.
123
124=head1 COPYRIGHT
125
126Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
127
128Licensed under the Apache License 2.0 (the "License").  You may not use
129this file except in compliance with the License.  You can obtain a copy
130in the file LICENSE in the source distribution or at
131L<https://www.openssl.org/source/license.html>.
132
133=cut
134