1OCSP_RESP_FIND_STATUS(3ossl)        OpenSSL       OCSP_RESP_FIND_STATUS(3ossl)
2
3
4

NAME

6       OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
7       OCSP_single_get0_status, OCSP_resp_get0_produced_at,
8       OCSP_resp_get0_signature, OCSP_resp_get0_tbs_sigalg,
9       OCSP_resp_get0_respdata, OCSP_resp_get0_certs, OCSP_resp_get0_signer,
10       OCSP_resp_get0_id, OCSP_resp_get1_id, OCSP_check_validity,
11       OCSP_basic_verify - OCSP response utility functions
12

SYNOPSIS

14        #include <openssl/ocsp.h>
15
16        int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
17                                  int *reason,
18                                  ASN1_GENERALIZEDTIME **revtime,
19                                  ASN1_GENERALIZEDTIME **thisupd,
20                                  ASN1_GENERALIZEDTIME **nextupd);
21
22        int OCSP_resp_count(OCSP_BASICRESP *bs);
23        OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
24        int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
25        int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
26                                    ASN1_GENERALIZEDTIME **revtime,
27                                    ASN1_GENERALIZEDTIME **thisupd,
28                                    ASN1_GENERALIZEDTIME **nextupd);
29
30        const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
31                                    const OCSP_BASICRESP* single);
32
33        const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
34        const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
35        const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
36        const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
37
38        int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
39                                  STACK_OF(X509) *extra_certs);
40
41        int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
42                              const ASN1_OCTET_STRING **pid,
43                              const X509_NAME **pname);
44        int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
45                              ASN1_OCTET_STRING **pid,
46                              X509_NAME **pname);
47
48        int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
49                                ASN1_GENERALIZEDTIME *nextupd,
50                                long sec, long maxsec);
51
52        int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
53                             X509_STORE *st, unsigned long flags);
54

DESCRIPTION

56       OCSP_resp_find_status() searches bs for an OCSP response for id. If it
57       is successful the fields of the response are returned in *status,
58       *reason, *revtime, *thisupd and *nextupd.  The *status value will be
59       one of V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED or
60       V_OCSP_CERTSTATUS_UNKNOWN. The *reason and *revtime fields are only set
61       if the status is V_OCSP_CERTSTATUS_REVOKED. If set the *reason field
62       will be set to the revocation reason which will be one of
63       OCSP_REVOKED_STATUS_NOSTATUS, OCSP_REVOKED_STATUS_UNSPECIFIED,
64       OCSP_REVOKED_STATUS_KEYCOMPROMISE, OCSP_REVOKED_STATUS_CACOMPROMISE,
65       OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, OCSP_REVOKED_STATUS_SUPERSEDED,
66       OCSP_REVOKED_STATUS_CESSATIONOFOPERATION,
67       OCSP_REVOKED_STATUS_CERTIFICATEHOLD or
68       OCSP_REVOKED_STATUS_REMOVEFROMCRL.
69
70       OCSP_resp_count() returns the number of OCSP_SINGLERESP structures in
71       bs.
72
73       OCSP_resp_get0() returns the OCSP_SINGLERESP structure in bs
74       corresponding to index idx, where idx runs from 0 to
75       OCSP_resp_count(bs) - 1.
76
77       OCSP_resp_find() searches bs for id and returns the index of the first
78       matching entry after last or starting from the beginning if last is -1.
79
80       OCSP_single_get0_status() extracts the fields of single in *reason,
81       *revtime, *thisupd and *nextupd.
82
83       OCSP_resp_get0_produced_at() extracts the producedAt field from the
84       single response bs.
85
86       OCSP_resp_get0_signature() returns the signature from bs.
87
88       OCSP_resp_get0_tbs_sigalg() returns the signatureAlgorithm from bs.
89
90       OCSP_resp_get0_respdata() returns the tbsResponseData from bs.
91
92       OCSP_resp_get0_certs() returns any certificates included in bs.
93
94       OCSP_resp_get0_signer() attempts to retrieve the certificate that
95       directly signed bs.  The OCSP protocol does not require that this
96       certificate is included in the certs field of the response, so
97       additional certificates can be supplied via the extra_certs if the
98       certificates that may have signed the response are known via some out-
99       of-band mechanism.
100
101       OCSP_resp_get0_id() gets the responder id of bs. If the responder ID is
102       a name then <*pname> is set to the name and *pid is set to NULL. If the
103       responder ID is by key ID then *pid is set to the key ID and *pname is
104       set to NULL.
105
106       OCSP_resp_get1_id() is the same as OCSP_resp_get0_id() but leaves
107       ownership of *pid and *pname with the caller, who is responsible for
108       freeing them unless the function returns 0.
109
110       OCSP_check_validity() checks the validity of its thisupd and nextupd
111       arguments, which will be typically obtained from
112       OCSP_resp_find_status() or OCSP_single_get0_status(). If sec is nonzero
113       it indicates how many seconds leeway should be allowed in the check. If
114       maxsec is positive it indicates the maximum age of thisupd in seconds.
115
116       OCSP_basic_verify() checks that the basic response message bs is
117       correctly signed and that the signer certificate can be validated. It
118       takes st as the trusted store and certs as a set of untrusted
119       intermediate certificates.  The function first tries to find the signer
120       certificate of the response in certs. It then searches the certificates
121       the responder may have included in bs unless flags contains
122       OCSP_NOINTERN.  It fails if the signer certificate cannot be found.
123       Next, unless flags contains OCSP_NOSIGS, the function checks the
124       signature of bs and fails on error. Then the function already returns
125       success if flags contains OCSP_NOVERIFY or if the signer certificate
126       was found in certs and flags contains OCSP_TRUSTOTHER.  Otherwise the
127       function continues by validating the signer certificate.  If flags
128       contains OCSP_PARTIAL_CHAIN it takes intermediate CA certificates in st
129       as trust anchors.  For more details, see the description of
130       X509_V_FLAG_PARTIAL_CHAIN in "VERIFICATION FLAGS" in
131       X509_VERIFY_PARAM_set_flags(3).  If flags contains OCSP_NOCHAIN it
132       ignores all certificates in certs and in bs, else it takes them as
133       untrusted intermediate CA certificates and uses them for constructing
134       the validation path for the signer certificate.  Certicate revocation
135       status checks using CRLs is disabled during path validation if the
136       signer certificate contains the id-pkix-ocsp-no-check extension.  After
137       successful path validation the function returns success if the
138       OCSP_NOCHECKS flag is set.  Otherwise it verifies that the signer
139       certificate meets the OCSP issuer criteria including potential
140       delegation. If this does not succeed and the OCSP_NOEXPLICIT flag is
141       not set the function checks for explicit trust for OCSP signing in the
142       root CA certificate.
143

RETURN VALUES

145       OCSP_resp_find_status() returns 1 if id is found in bs and 0 otherwise.
146
147       OCSP_resp_count() returns the total number of OCSP_SINGLERESP fields in
148       bs or -1 on error.
149
150       OCSP_resp_get0() returns a pointer to an OCSP_SINGLERESP structure or
151       NULL on error, such as idx being out of range.
152
153       OCSP_resp_find() returns the index of id in bs (which may be 0) or -1
154       on error, such as when id was not found.
155
156       OCSP_single_get0_status() returns the status of single or -1 if an
157       error occurred.
158
159       OCSP_resp_get0_produced_at() returns the producedAt field from bs.
160
161       OCSP_resp_get0_signature() returns the signature from bs.
162
163       OCSP_resp_get0_tbs_sigalg() returns the signatureAlgorithm field from
164       bs.
165
166       OCSP_resp_get0_respdata() returns the tbsResponseData field from bs.
167
168       OCSP_resp_get0_certs() returns any certificates included in bs.
169
170       OCSP_resp_get0_signer() returns 1 if the signing certificate was
171       located, or 0 if not found or on error.
172
173       OCSP_resp_get0_id() and OCSP_resp_get1_id() return 1 on success, 0 on
174       failure.
175
176       OCSP_check_validity() returns 1 if thisupd and nextupd are valid time
177       values and the current time + sec is not before thisupd and, if maxsec
178       >= 0, the current time - maxsec is not past nextupd.  Otherwise it
179       returns 0 to indicate an error.
180
181       OCSP_basic_verify() returns 1 on success, 0 on verification not
182       successful, or -1 on a fatal error such as malloc failure.
183

NOTES

185       Applications will typically call OCSP_resp_find_status() using the
186       certificate ID of interest and then check its validity using
187       OCSP_check_validity(). They can then take appropriate action based on
188       the status of the certificate.
189
190       An OCSP response for a certificate contains thisUpdate and nextUpdate
191       fields. Normally the current time should be between these two values.
192       To account for clock skew the maxsec field can be set to nonzero in
193       OCSP_check_validity(). Some responders do not set the nextUpdate field,
194       this would otherwise mean an ancient response would be considered
195       valid: the maxsec parameter to OCSP_check_validity() can be used to
196       limit the permitted age of responses.
197
198       The values written to *revtime, *thisupd and *nextupd by
199       OCSP_resp_find_status() and OCSP_single_get0_status() are internal
200       pointers which MUST NOT be freed up by the calling application. Any or
201       all of these parameters can be set to NULL if their value is not
202       required.
203

SEE ALSO

205       crypto(7), OCSP_cert_to_id(3), OCSP_request_add1_nonce(3),
206       OCSP_REQUEST_new(3), OCSP_response_status(3), OCSP_sendreq_new(3),
207       X509_VERIFY_PARAM_set_flags(3)
208
210       Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
211
212       Licensed under the Apache License 2.0 (the "License").  You may not use
213       this file except in compliance with the License.  You can obtain a copy
214       in the file LICENSE in the source distribution or at
215       <https://www.openssl.org/source/license.html>.
216
217
218
2193.0.5                             2022-07-05      OCSP_RESP_FIND_STATUS(3ossl)
Impressum