1OCSP_RESP_FIND_STATUS(3ossl) OpenSSL OCSP_RESP_FIND_STATUS(3ossl)
2
3
4
6 OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
7 OCSP_single_get0_status, OCSP_resp_get0_produced_at,
8 OCSP_resp_get0_signature, OCSP_resp_get0_tbs_sigalg,
9 OCSP_resp_get0_respdata, OCSP_resp_get0_certs, OCSP_resp_get0_signer,
10 OCSP_resp_get0_id, OCSP_resp_get1_id, OCSP_check_validity,
11 OCSP_basic_verify - OCSP response utility functions
12
14 #include <openssl/ocsp.h>
15
16 int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
17 int *reason,
18 ASN1_GENERALIZEDTIME **revtime,
19 ASN1_GENERALIZEDTIME **thisupd,
20 ASN1_GENERALIZEDTIME **nextupd);
21
22 int OCSP_resp_count(OCSP_BASICRESP *bs);
23 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
24 int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
25 int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
26 ASN1_GENERALIZEDTIME **revtime,
27 ASN1_GENERALIZEDTIME **thisupd,
28 ASN1_GENERALIZEDTIME **nextupd);
29
30 const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
31 const OCSP_BASICRESP* single);
32
33 const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
34 const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
35 const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
36 const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
37
38 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
39 STACK_OF(X509) *extra_certs);
40
41 int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
42 const ASN1_OCTET_STRING **pid,
43 const X509_NAME **pname);
44 int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
45 ASN1_OCTET_STRING **pid,
46 X509_NAME **pname);
47
48 int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
49 ASN1_GENERALIZEDTIME *nextupd,
50 long sec, long maxsec);
51
52 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
53 X509_STORE *st, unsigned long flags);
54
56 OCSP_resp_find_status() searches bs for an OCSP response for id. If it
57 is successful the fields of the response are returned in *status,
58 *reason, *revtime, *thisupd and *nextupd. The *status value will be
59 one of V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED or
60 V_OCSP_CERTSTATUS_UNKNOWN. The *reason and *revtime fields are only set
61 if the status is V_OCSP_CERTSTATUS_REVOKED. If set the *reason field
62 will be set to the revocation reason which will be one of
63 OCSP_REVOKED_STATUS_NOSTATUS, OCSP_REVOKED_STATUS_UNSPECIFIED,
64 OCSP_REVOKED_STATUS_KEYCOMPROMISE, OCSP_REVOKED_STATUS_CACOMPROMISE,
65 OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, OCSP_REVOKED_STATUS_SUPERSEDED,
66 OCSP_REVOKED_STATUS_CESSATIONOFOPERATION,
67 OCSP_REVOKED_STATUS_CERTIFICATEHOLD or
68 OCSP_REVOKED_STATUS_REMOVEFROMCRL.
69
70 OCSP_resp_count() returns the number of OCSP_SINGLERESP structures in
71 bs.
72
73 OCSP_resp_get0() returns the OCSP_SINGLERESP structure in bs
74 corresponding to index idx, where idx runs from 0 to
75 OCSP_resp_count(bs) - 1.
76
77 OCSP_resp_find() searches bs for id and returns the index of the first
78 matching entry after last or starting from the beginning if last is -1.
79
80 OCSP_single_get0_status() extracts the fields of single in *reason,
81 *revtime, *thisupd and *nextupd.
82
83 OCSP_resp_get0_produced_at() extracts the producedAt field from the
84 single response bs.
85
86 OCSP_resp_get0_signature() returns the signature from bs.
87
88 OCSP_resp_get0_tbs_sigalg() returns the signatureAlgorithm from bs.
89
90 OCSP_resp_get0_respdata() returns the tbsResponseData from bs.
91
92 OCSP_resp_get0_certs() returns any certificates included in bs.
93
94 OCSP_resp_get0_signer() attempts to retrieve the certificate that
95 directly signed bs. The OCSP protocol does not require that this
96 certificate is included in the certs field of the response, so
97 additional certificates can be supplied via the extra_certs if the
98 certificates that may have signed the response are known via some out-
99 of-band mechanism.
100
101 OCSP_resp_get0_id() gets the responder id of bs. If the responder ID is
102 a name then <*pname> is set to the name and *pid is set to NULL. If the
103 responder ID is by key ID then *pid is set to the key ID and *pname is
104 set to NULL.
105
106 OCSP_resp_get1_id() is the same as OCSP_resp_get0_id() but leaves
107 ownership of *pid and *pname with the caller, who is responsible for
108 freeing them unless the function returns 0.
109
110 OCSP_check_validity() checks the validity of its thisupd and nextupd
111 arguments, which will be typically obtained from
112 OCSP_resp_find_status() or OCSP_single_get0_status(). If sec is nonzero
113 it indicates how many seconds leeway should be allowed in the check. If
114 maxsec is positive it indicates the maximum age of thisupd in seconds.
115
116 OCSP_basic_verify() checks that the basic response message bs is
117 correctly signed and that the signer certificate can be validated. It
118 takes st as the trusted store and certs as a set of untrusted
119 intermediate certificates. The function first tries to find the signer
120 certificate of the response in certs. It then searches the certificates
121 the responder may have included in bs unless flags contains
122 OCSP_NOINTERN. It fails if the signer certificate cannot be found.
123 Next, unless flags contains OCSP_NOSIGS, the function checks the
124 signature of bs and fails on error. Then the function already returns
125 success if flags contains OCSP_NOVERIFY or if the signer certificate
126 was found in certs and flags contains OCSP_TRUSTOTHER. Otherwise the
127 function continues by validating the signer certificate. If flags
128 contains OCSP_PARTIAL_CHAIN it takes intermediate CA certificates in st
129 as trust anchors. For more details, see the description of
130 X509_V_FLAG_PARTIAL_CHAIN in "VERIFICATION FLAGS" in
131 X509_VERIFY_PARAM_set_flags(3). If flags contains OCSP_NOCHAIN it
132 ignores all certificates in certs and in bs, else it takes them as
133 untrusted intermediate CA certificates and uses them for constructing
134 the validation path for the signer certificate. Certicate revocation
135 status checks using CRLs is disabled during path validation if the
136 signer certificate contains the id-pkix-ocsp-no-check extension. After
137 successful path validation the function returns success if the
138 OCSP_NOCHECKS flag is set. Otherwise it verifies that the signer
139 certificate meets the OCSP issuer criteria including potential
140 delegation. If this does not succeed and the OCSP_NOEXPLICIT flag is
141 not set the function checks for explicit trust for OCSP signing in the
142 root CA certificate.
143
145 OCSP_resp_find_status() returns 1 if id is found in bs and 0 otherwise.
146
147 OCSP_resp_count() returns the total number of OCSP_SINGLERESP fields in
148 bs or -1 on error.
149
150 OCSP_resp_get0() returns a pointer to an OCSP_SINGLERESP structure or
151 NULL on error, such as idx being out of range.
152
153 OCSP_resp_find() returns the index of id in bs (which may be 0) or -1
154 on error, such as when id was not found.
155
156 OCSP_single_get0_status() returns the status of single or -1 if an
157 error occurred.
158
159 OCSP_resp_get0_produced_at() returns the producedAt field from bs.
160
161 OCSP_resp_get0_signature() returns the signature from bs.
162
163 OCSP_resp_get0_tbs_sigalg() returns the signatureAlgorithm field from
164 bs.
165
166 OCSP_resp_get0_respdata() returns the tbsResponseData field from bs.
167
168 OCSP_resp_get0_certs() returns any certificates included in bs.
169
170 OCSP_resp_get0_signer() returns 1 if the signing certificate was
171 located, or 0 if not found or on error.
172
173 OCSP_resp_get0_id() and OCSP_resp_get1_id() return 1 on success, 0 on
174 failure.
175
176 OCSP_check_validity() returns 1 if thisupd and nextupd are valid time
177 values and the current time + sec is not before thisupd and, if maxsec
178 >= 0, the current time - maxsec is not past nextupd. Otherwise it
179 returns 0 to indicate an error.
180
181 OCSP_basic_verify() returns 1 on success, 0 on verification not
182 successful, or -1 on a fatal error such as malloc failure.
183
185 Applications will typically call OCSP_resp_find_status() using the
186 certificate ID of interest and then check its validity using
187 OCSP_check_validity(). They can then take appropriate action based on
188 the status of the certificate.
189
190 An OCSP response for a certificate contains thisUpdate and nextUpdate
191 fields. Normally the current time should be between these two values.
192 To account for clock skew the maxsec field can be set to nonzero in
193 OCSP_check_validity(). Some responders do not set the nextUpdate field,
194 this would otherwise mean an ancient response would be considered
195 valid: the maxsec parameter to OCSP_check_validity() can be used to
196 limit the permitted age of responses.
197
198 The values written to *revtime, *thisupd and *nextupd by
199 OCSP_resp_find_status() and OCSP_single_get0_status() are internal
200 pointers which MUST NOT be freed up by the calling application. Any or
201 all of these parameters can be set to NULL if their value is not
202 required.
203
205 crypto(7), OCSP_cert_to_id(3), OCSP_request_add1_nonce(3),
206 OCSP_REQUEST_new(3), OCSP_response_status(3), OCSP_sendreq_new(3),
207 X509_VERIFY_PARAM_set_flags(3)
208
210 Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
211
212 Licensed under the Apache License 2.0 (the "License"). You may not use
213 this file except in compliance with the License. You can obtain a copy
214 in the file LICENSE in the source distribution or at
215 <https://www.openssl.org/source/license.html>.
216
217
218
2193.0.5 2022-11-01 OCSP_RESP_FIND_STATUS(3ossl)