OCSP_resp_find_status.pod 9.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220
  1. =pod
  2. =head1 NAME
  3. OCSP_resp_find_status, OCSP_resp_count,
  4. OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status,
  5. OCSP_resp_get0_produced_at, OCSP_resp_get0_signature,
  6. OCSP_resp_get0_tbs_sigalg, OCSP_resp_get0_respdata,
  7. OCSP_resp_get0_certs, OCSP_resp_get0_signer,
  8. OCSP_resp_get0_id, OCSP_resp_get1_id,
  9. OCSP_check_validity, OCSP_basic_verify
  10. - OCSP response utility functions
  11. =head1 SYNOPSIS
  12. #include <openssl/ocsp.h>
  13. int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
  14. int *reason,
  15. ASN1_GENERALIZEDTIME **revtime,
  16. ASN1_GENERALIZEDTIME **thisupd,
  17. ASN1_GENERALIZEDTIME **nextupd);
  18. int OCSP_resp_count(OCSP_BASICRESP *bs);
  19. OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
  20. int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
  21. int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
  22. ASN1_GENERALIZEDTIME **revtime,
  23. ASN1_GENERALIZEDTIME **thisupd,
  24. ASN1_GENERALIZEDTIME **nextupd);
  25. const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
  26. const OCSP_BASICRESP* single);
  27. const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
  28. const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
  29. const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
  30. const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
  31. int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
  32. STACK_OF(X509) *extra_certs);
  33. int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
  34. const ASN1_OCTET_STRING **pid,
  35. const X509_NAME **pname);
  36. int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
  37. ASN1_OCTET_STRING **pid,
  38. X509_NAME **pname);
  39. int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
  40. ASN1_GENERALIZEDTIME *nextupd,
  41. long sec, long maxsec);
  42. int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
  43. X509_STORE *st, unsigned long flags);
  44. =head1 DESCRIPTION
  45. OCSP_resp_find_status() searches I<bs> for an OCSP response for I<id>. If it is
  46. successful the fields of the response are returned in I<*status>, I<*reason>,
  47. I<*revtime>, I<*thisupd> and I<*nextupd>. The I<*status> value will be one of
  48. B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
  49. B<V_OCSP_CERTSTATUS_UNKNOWN>. The I<*reason> and I<*revtime> fields are only
  50. set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the I<*reason> field
  51. will be set to the revocation reason which will be one of
  52. B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
  53. B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
  54. B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
  55. B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
  56. B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.
  57. OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in I<bs>.
  58. OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in I<bs> corresponding
  59. to index I<idx>, where I<idx> runs from 0 to OCSP_resp_count(bs) - 1.
  60. OCSP_resp_find() searches I<bs> for I<id> and returns the index of the first
  61. matching entry after I<last> or starting from the beginning if I<last> is -1.
  62. OCSP_single_get0_status() extracts the fields of I<single> in I<*reason>,
  63. I<*revtime>, I<*thisupd> and I<*nextupd>.
  64. OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
  65. single response I<bs>.
  66. OCSP_resp_get0_signature() returns the signature from I<bs>.
  67. OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> from I<bs>.
  68. OCSP_resp_get0_respdata() returns the B<tbsResponseData> from I<bs>.
  69. OCSP_resp_get0_certs() returns any certificates included in I<bs>.
  70. OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
  71. signed I<bs>. The OCSP protocol does not require that this certificate
  72. is included in the B<certs> field of the response, so additional certificates
  73. can be supplied via the I<extra_certs> if the certificates that may have
  74. signed the response are known via some out-of-band mechanism.
  75. OCSP_resp_get0_id() gets the responder id of I<bs>. If the responder ID is
  76. a name then <*pname> is set to the name and I<*pid> is set to NULL. If the
  77. responder ID is by key ID then I<*pid> is set to the key ID and I<*pname>
  78. is set to NULL.
  79. OCSP_resp_get1_id() is the same as OCSP_resp_get0_id()
  80. but leaves ownership of I<*pid> and I<*pname> with the caller,
  81. who is responsible for freeing them unless the function returns 0.
  82. OCSP_check_validity() checks the validity of its I<thisupd> and I<nextupd>
  83. arguments, which will be typically obtained from OCSP_resp_find_status() or
  84. OCSP_single_get0_status(). If I<sec> is nonzero it indicates how many seconds
  85. leeway should be allowed in the check. If I<maxsec> is positive it indicates
  86. the maximum age of I<thisupd> in seconds.
  87. OCSP_basic_verify() checks that the basic response message I<bs> is correctly
  88. signed and that the signer certificate can be validated. It takes I<st> as
  89. the trusted store and I<certs> as a set of untrusted intermediate certificates.
  90. The function first tries to find the signer certificate of the response
  91. in I<certs>. It then searches the certificates the responder may have included
  92. in I<bs> unless I<flags> contains B<OCSP_NOINTERN>.
  93. It fails if the signer certificate cannot be found.
  94. Next, unless I<flags> contains B<OCSP_NOSIGS>, the function checks
  95. the signature of I<bs> and fails on error. Then the function already returns
  96. success if I<flags> contains B<OCSP_NOVERIFY> or if the signer certificate
  97. was found in I<certs> and I<flags> contains B<OCSP_TRUSTOTHER>.
  98. Otherwise the function continues by validating the signer certificate.
  99. If I<flags> contains B<OCSP_PARTIAL_CHAIN> it takes intermediate CA
  100. certificates in I<st> as trust anchors.
  101. For more details, see the description of B<X509_V_FLAG_PARTIAL_CHAIN>
  102. in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
  103. If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
  104. and in I<bs>, else it takes them as untrusted intermediate CA certificates
  105. and uses them for constructing the validation path for the signer certificate.
  106. Certificate revocation status checks using CRLs is disabled during path validation
  107. if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
  108. After successful path
  109. validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
  110. Otherwise it verifies that the signer certificate meets the OCSP issuer
  111. criteria including potential delegation. If this does not succeed and the
  112. B<OCSP_NOEXPLICIT> flag is not set the function checks for explicit
  113. trust for OCSP signing in the root CA certificate.
  114. =head1 RETURN VALUES
  115. OCSP_resp_find_status() returns 1 if I<id> is found in I<bs> and 0 otherwise.
  116. OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in I<bs>
  117. or -1 on error.
  118. OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
  119. NULL on error, such as I<idx> being out of range.
  120. OCSP_resp_find() returns the index of I<id> in I<bs> (which may be 0)
  121. or -1 on error, such as when I<id> was not found.
  122. OCSP_single_get0_status() returns the status of I<single> or -1 if an error
  123. occurred.
  124. OCSP_resp_get0_produced_at() returns the B<producedAt> field from I<bs>.
  125. OCSP_resp_get0_signature() returns the signature from I<bs>.
  126. OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> field from I<bs>.
  127. OCSP_resp_get0_respdata() returns the B<tbsResponseData> field from I<bs>.
  128. OCSP_resp_get0_certs() returns any certificates included in I<bs>.
  129. OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
  130. or 0 if not found or on error.
  131. OCSP_resp_get0_id() and OCSP_resp_get1_id() return 1 on success, 0 on failure.
  132. OCSP_check_validity() returns 1 if I<thisupd> and I<nextupd> are valid time
  133. values and the current time + I<sec> is not before I<thisupd> and,
  134. if I<maxsec> >= 0, the current time - I<maxsec> is not past I<nextupd>.
  135. Otherwise it returns 0 to indicate an error.
  136. OCSP_basic_verify() returns 1 on success, 0 on verification not successful,
  137. or -1 on a fatal error such as malloc failure.
  138. =head1 NOTES
  139. Applications will typically call OCSP_resp_find_status() using the certificate
  140. ID of interest and then check its validity using OCSP_check_validity(). They
  141. can then take appropriate action based on the status of the certificate.
  142. An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
  143. fields. Normally the current time should be between these two values. To
  144. account for clock skew the I<maxsec> field can be set to nonzero in
  145. OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
  146. would otherwise mean an ancient response would be considered valid: the
  147. I<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
  148. age of responses.
  149. The values written to I<*revtime>, I<*thisupd> and I<*nextupd> by
  150. OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
  151. which MUST NOT be freed up by the calling application. Any or all of these
  152. parameters can be set to NULL if their value is not required.
  153. =head1 SEE ALSO
  154. L<crypto(7)>,
  155. L<OCSP_cert_to_id(3)>,
  156. L<OCSP_request_add1_nonce(3)>,
  157. L<OCSP_REQUEST_new(3)>,
  158. L<OCSP_response_status(3)>,
  159. L<OCSP_sendreq_new(3)>,
  160. L<X509_VERIFY_PARAM_set_flags(3)>
  161. =head1 COPYRIGHT
  162. Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
  163. Licensed under the Apache License 2.0 (the "License"). You may not use
  164. this file except in compliance with the License. You can obtain a copy
  165. in the file LICENSE in the source distribution or at
  166. L<https://www.openssl.org/source/license.html>.
  167. =cut