2
0

OCSP_resp_find_status.pod 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159
  1. =pod
  2. =head1 NAME
  3. OCSP_resp_get0_certs,
  4. OCSP_resp_get0_signer,
  5. OCSP_resp_get0_id,
  6. OCSP_resp_get1_id,
  7. OCSP_resp_get0_produced_at,
  8. OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
  9. OCSP_single_get0_status, OCSP_check_validity
  10. - OCSP response utility functions
  11. =head1 SYNOPSIS
  12. #include <openssl/ocsp.h>
  13. int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
  14. int *reason,
  15. ASN1_GENERALIZEDTIME **revtime,
  16. ASN1_GENERALIZEDTIME **thisupd,
  17. ASN1_GENERALIZEDTIME **nextupd);
  18. int OCSP_resp_count(OCSP_BASICRESP *bs);
  19. OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
  20. int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
  21. int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
  22. ASN1_GENERALIZEDTIME **revtime,
  23. ASN1_GENERALIZEDTIME **thisupd,
  24. ASN1_GENERALIZEDTIME **nextupd);
  25. const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
  26. const OCSP_BASICRESP* single);
  27. const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
  28. int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
  29. STACK_OF(X509) *extra_certs);
  30. int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
  31. const ASN1_OCTET_STRING **pid,
  32. const X509_NAME **pname);
  33. int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
  34. ASN1_OCTET_STRING **pid,
  35. X509_NAME **pname);
  36. int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
  37. ASN1_GENERALIZEDTIME *nextupd,
  38. long sec, long maxsec);
  39. =head1 DESCRIPTION
  40. OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is
  41. successful the fields of the response are returned in B<*status>, B<*reason>,
  42. B<*revtime>, B<*thisupd> and B<*nextupd>. The B<*status> value will be one of
  43. B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
  44. B<V_OCSP_CERTSTATUS_UNKNOWN>. The B<*reason> and B<*revtime> fields are only
  45. set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the B<*reason> field
  46. will be set to the revocation reason which will be one of
  47. B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
  48. B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
  49. B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
  50. B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
  51. B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.
  52. OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in B<bs>.
  53. OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in B<bs>
  54. corresponding to index B<idx>. Where B<idx> runs from 0 to
  55. OCSP_resp_count(bs) - 1.
  56. OCSP_resp_find() searches B<bs> for B<id> and returns the index of the first
  57. matching entry after B<last> or starting from the beginning if B<last> is -1.
  58. OCSP_single_get0_status() extracts the fields of B<single> in B<*reason>,
  59. B<*revtime>, B<*thisupd> and B<*nextupd>.
  60. OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
  61. single response B<bs>.
  62. OCSP_resp_get0_certs() returns any certificates included in B<bs>.
  63. OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
  64. signed B<bs>. The OCSP protocol does not require that this certificate
  65. is included in the B<certs> field of the response, so additional certificates
  66. can be supplied in B<extra_certs> if the certificates that may have
  67. signed the response are known via some out-of-band mechanism.
  68. OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is
  69. a name then <*pname> is set to the name and B<*pid> is set to NULL. If the
  70. responder ID is by key ID then B<*pid> is set to the key ID and B<*pname>
  71. is set to NULL. OCSP_resp_get1_id() leaves ownership of B<*pid> and B<*pname>
  72. with the caller, who is responsible for freeing them. Both functions return 1
  73. in case of success and 0 in case of failure. If OCSP_resp_get1_id() returns 0,
  74. no freeing of the results is necessary.
  75. OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
  76. which will be typically obtained from OCSP_resp_find_status() or
  77. OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
  78. leeway should be allowed in the check. If B<maxsec> is positive it indicates
  79. the maximum age of B<thisupd> in seconds.
  80. =head1 RETURN VALUES
  81. OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise.
  82. OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
  83. B<bs>.
  84. OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
  85. B<NULL> if B<idx> is out of range.
  86. OCSP_resp_find() returns the index of B<id> in B<bs> (which may be 0) or -1 if
  87. B<id> was not found.
  88. OCSP_single_get0_status() returns the status of B<single> or -1 if an error
  89. occurred.
  90. OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
  91. or 0 on error.
  92. =head1 NOTES
  93. Applications will typically call OCSP_resp_find_status() using the certificate
  94. ID of interest and then check its validity using OCSP_check_validity(). They
  95. can then take appropriate action based on the status of the certificate.
  96. An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
  97. fields. Normally the current time should be between these two values. To
  98. account for clock skew the B<maxsec> field can be set to non-zero in
  99. OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
  100. would otherwise mean an ancient response would be considered valid: the
  101. B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
  102. age of responses.
  103. The values written to B<*revtime>, B<*thisupd> and B<*nextupd> by
  104. OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
  105. which B<MUST NOT> be freed up by the calling application. Any or all of these
  106. parameters can be set to NULL if their value is not required.
  107. =head1 SEE ALSO
  108. L<crypto(7)>,
  109. L<OCSP_cert_to_id(3)>,
  110. L<OCSP_request_add1_nonce(3)>,
  111. L<OCSP_REQUEST_new(3)>,
  112. L<OCSP_response_status(3)>,
  113. L<OCSP_sendreq_new(3)>
  114. =head1 COPYRIGHT
  115. Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
  116. Licensed under the OpenSSL license (the "License"). You may not use
  117. this file except in compliance with the License. You can obtain a copy
  118. in the file LICENSE in the source distribution or at
  119. L<https://www.openssl.org/source/license.html>.
  120. =cut