xref: /freebsd/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 (revision 5956d97f4b3204318ceb6aa9c77bd0bc6ea87a41)
Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)

Standard preamble:
========================================================================
..
..
.. Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.

If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.

Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF
Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================

Title "OCSP_RESP_FIND_STATUS 3"
OCSP_RESP_FIND_STATUS 3 "2022-07-05" "1.1.1q" "OpenSSL"
For nroff, turn off justification. Always turn off hyphenation; it makes
way too many mistakes in technical documents.
"NAME"
OCSP_resp_get0_certs, OCSP_resp_get0_signer, OCSP_resp_get0_id, OCSP_resp_get1_id, OCSP_resp_get0_produced_at, OCSP_resp_get0_signature, OCSP_resp_get0_tbs_sigalg, OCSP_resp_get0_respdata, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status, OCSP_check_validity, OCSP_basic_verify \- OCSP response utility functions
"SYNOPSIS"
Header "SYNOPSIS" .Vb 1 #include <openssl/ocsp.h> \& int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd); \& int OCSP_resp_count(OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd); \& const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at( const OCSP_BASICRESP* single); \& const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs); const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); \& int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, STACK_OF(X509) *extra_certs); \& int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, const ASN1_OCTET_STRING **pid, const X509_NAME **pname); int OCSP_resp_get1_id(const OCSP_BASICRESP *bs, ASN1_OCTET_STRING **pid, X509_NAME **pname); \& int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); \& int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); .Ve
"DESCRIPTION"
Header "DESCRIPTION" \fBOCSP_resp_find_status() searches bs for an \s-1OCSP\s0 response for id. If it is successful the fields of the response are returned in *status, *reason, \fB*revtime, *thisupd and *nextupd. The *status value will be one of \fBV_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED or \fBV_OCSP_CERTSTATUS_UNKNOWN. The *reason and *revtime fields are only set if the status is V_OCSP_CERTSTATUS_REVOKED. If set the *reason field will be set to the revocation reason which will be one of \fB\s-1OCSP_REVOKED_STATUS_NOSTATUS\s0, \s-1OCSP_REVOKED_STATUS_UNSPECIFIED\s0, \fB\s-1OCSP_REVOKED_STATUS_KEYCOMPROMISE\s0, \s-1OCSP_REVOKED_STATUS_CACOMPROMISE\s0, \fB\s-1OCSP_REVOKED_STATUS_AFFILIATIONCHANGED\s0, \s-1OCSP_REVOKED_STATUS_SUPERSEDED\s0, \fB\s-1OCSP_REVOKED_STATUS_CESSATIONOFOPERATION\s0, \fB\s-1OCSP_REVOKED_STATUS_CERTIFICATEHOLD\s0 or \s-1OCSP_REVOKED_STATUS_REMOVEFROMCRL\s0.

\fBOCSP_resp_count() returns the number of \s-1OCSP_SINGLERESP\s0 structures in bs.

\fBOCSP_resp_get0() returns the \s-1OCSP_SINGLERESP\s0 structure in bs corresponding to index idx. Where idx runs from 0 to OCSP_resp_count(bs) - 1.

\fBOCSP_resp_find() searches bs for id and returns the index of the first matching entry after last or starting from the beginning if last is -1.

\fBOCSP_single_get0_status() extracts the fields of single in *reason, \fB*revtime, *thisupd and *nextupd.

\fBOCSP_resp_get0_produced_at() extracts the producedAt field from the single response bs.

\fBOCSP_resp_get0_signature() returns the signature from bs.

\fBOCSP_resp_get0_tbs_sigalg() returns the signatureAlgorithm from bs.

\fBOCSP_resp_get0_respdata() returns the tbsResponseData from bs.

\fBOCSP_resp_get0_certs() returns any certificates included in bs.

\fBOCSP_resp_get0_signer() attempts to retrieve the certificate that directly signed bs. The \s-1OCSP\s0 protocol does not require that this certificate is included in the certs field of the response, so additional certificates can be supplied in extra_certs if the certificates that may have signed the response are known via some out-of-band mechanism.

\fBOCSP_resp_get0_id() gets the responder id of bs. If the responder \s-1ID\s0 is a name then <*pname> is set to the name and *pid is set to \s-1NULL.\s0 If the responder \s-1ID\s0 is by key \s-1ID\s0 then *pid is set to the key \s-1ID\s0 and *pname is set to \s-1NULL.\s0 OCSP_resp_get1_id() leaves ownership of *pid and *pname with the caller, who is responsible for freeing them. Both functions return 1 in case of success and 0 in case of failure. If OCSP_resp_get1_id() returns 0, no freeing of the results is necessary.

\fBOCSP_check_validity() checks the validity of thisupd and nextupd values which will be typically obtained from OCSP_resp_find_status() or \fBOCSP_single_get0_status(). If sec is nonzero it indicates how many seconds leeway should be allowed in the check. If maxsec is positive it indicates the maximum age of thisupd in seconds.

\fBOCSP_basic_verify() checks that the basic response message bs is correctly signed and that the signer certificate can be validated. It takes st as the trusted store and certs as a set of untrusted intermediate certificates. The function first tries to find the signer certificate of the response in <certs>. It also searches the certificates the responder may have included in bs unless the flags contain \s-1OCSP_NOINTERN\s0. It fails if the signer certificate cannot be found. Next, the function checks the signature of bs and fails on error unless the flags contain \s-1OCSP_NOSIGS\s0. Then the function already returns success if the flags contain \s-1OCSP_NOVERIFY\s0 or if the signer certificate was found in certs and the flags contain \s-1OCSP_TRUSTOTHER\s0. Otherwise the function continues by validating the signer certificate. To this end, all certificates in cert and in bs are considered as untrusted certificates for the construction of the validation path for the signer certificate unless the \s-1OCSP_NOCHAIN\s0 flag is set. After successful path validation the function returns success if the \s-1OCSP_NOCHECKS\s0 flag is set. Otherwise it verifies that the signer certificate meets the \s-1OCSP\s0 issuer criteria including potential delegation. If this does not succeed and the \fBflags do not contain \s-1OCSP_NOEXPLICIT\s0 the function checks for explicit trust for \s-1OCSP\s0 signing in the root \s-1CA\s0 certificate.

"RETURN VALUES"
Header "RETURN VALUES" \fBOCSP_resp_find_status() returns 1 if id is found in bs and 0 otherwise.

\fBOCSP_resp_count() returns the total number of \s-1OCSP_SINGLERESP\s0 fields in \fBbs.

\fBOCSP_resp_get0() returns a pointer to an \s-1OCSP_SINGLERESP\s0 structure or \fB\s-1NULL\s0 if idx is out of range.

\fBOCSP_resp_find() returns the index of id in bs (which may be 0) or -1 if \fBid was not found.

\fBOCSP_single_get0_status() returns the status of single or -1 if an error occurred.

\fBOCSP_resp_get0_signer() returns 1 if the signing certificate was located, or 0 on error.

\fBOCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such as malloc failure.

"NOTES"
Header "NOTES" Applications will typically call OCSP_resp_find_status() using the certificate \s-1ID\s0 of interest and then check its validity using OCSP_check_validity(). They can then take appropriate action based on the status of the certificate.

An \s-1OCSP\s0 response for a certificate contains thisUpdate and nextUpdate fields. Normally the current time should be between these two values. To account for clock skew the maxsec field can be set to nonzero in \fBOCSP_check_validity(). Some responders do not set the nextUpdate field, this would otherwise mean an ancient response would be considered valid: the \fBmaxsec parameter to OCSP_check_validity() can be used to limit the permitted age of responses.

The values written to *revtime, *thisupd and *nextupd by \fBOCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers which \s-1MUST NOT\s0 be freed up by the calling application. Any or all of these parameters can be set to \s-1NULL\s0 if their value is not required.

"SEE ALSO"
Header "SEE ALSO" \fBcrypto\|(7), \fBOCSP_cert_to_id\|(3), \fBOCSP_request_add1_nonce\|(3), \fBOCSP_REQUEST_new\|(3), \fBOCSP_response_status\|(3), \fBOCSP_sendreq_new\|(3)
"COPYRIGHT"
Header "COPYRIGHT" Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.