1OCSP_RESP_FIND_STATUS(3)            OpenSSL           OCSP_RESP_FIND_STATUS(3)
2
3
4

NAME

6       OCSP_resp_get0_certs, OCSP_resp_get0_signer, OCSP_resp_get0_id,
7       OCSP_resp_get1_id, OCSP_resp_get0_produced_at,
8       OCSP_resp_get0_signature, OCSP_resp_get0_tbs_sigalg,
9       OCSP_resp_get0_respdata, OCSP_resp_find_status, OCSP_resp_count,
10       OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status,
11       OCSP_check_validity, OCSP_basic_verify - OCSP response utility
12       functions
13

SYNOPSIS

15        #include <openssl/ocsp.h>
16
17        int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
18                                  int *reason,
19                                  ASN1_GENERALIZEDTIME **revtime,
20                                  ASN1_GENERALIZEDTIME **thisupd,
21                                  ASN1_GENERALIZEDTIME **nextupd);
22
23        int OCSP_resp_count(OCSP_BASICRESP *bs);
24        OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
25        int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
26        int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
27                                    ASN1_GENERALIZEDTIME **revtime,
28                                    ASN1_GENERALIZEDTIME **thisupd,
29                                    ASN1_GENERALIZEDTIME **nextupd);
30
31        const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
32                                    const OCSP_BASICRESP* single);
33
34        const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
35        const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
36        const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
37        const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
38
39        int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
40                                  STACK_OF(X509) *extra_certs);
41
42        int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
43                              const ASN1_OCTET_STRING **pid,
44                              const X509_NAME **pname);
45        int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
46                              ASN1_OCTET_STRING **pid,
47                              X509_NAME **pname);
48
49        int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
50                                ASN1_GENERALIZEDTIME *nextupd,
51                                long sec, long maxsec);
52
53        int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
54                             X509_STORE *st, unsigned long flags);
55

DESCRIPTION

57       OCSP_resp_find_status() searches bs for an OCSP response for id. If it
58       is successful the fields of the response are returned in *status,
59       *reason, *revtime, *thisupd and *nextupd.  The *status value will be
60       one of V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED or
61       V_OCSP_CERTSTATUS_UNKNOWN. The *reason and *revtime fields are only set
62       if the status is V_OCSP_CERTSTATUS_REVOKED. If set the *reason field
63       will be set to the revocation reason which will be one of
64       OCSP_REVOKED_STATUS_NOSTATUS, OCSP_REVOKED_STATUS_UNSPECIFIED,
65       OCSP_REVOKED_STATUS_KEYCOMPROMISE, OCSP_REVOKED_STATUS_CACOMPROMISE,
66       OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, OCSP_REVOKED_STATUS_SUPERSEDED,
67       OCSP_REVOKED_STATUS_CESSATIONOFOPERATION,
68       OCSP_REVOKED_STATUS_CERTIFICATEHOLD or
69       OCSP_REVOKED_STATUS_REMOVEFROMCRL.
70
71       OCSP_resp_count() returns the number of OCSP_SINGLERESP structures in
72       bs.
73
74       OCSP_resp_get0() returns the OCSP_SINGLERESP structure in bs
75       corresponding to index idx. Where idx runs from 0 to
76       OCSP_resp_count(bs) - 1.
77
78       OCSP_resp_find() searches bs for id and returns the index of the first
79       matching entry after last or starting from the beginning if last is -1.
80
81       OCSP_single_get0_status() extracts the fields of single in *reason,
82       *revtime, *thisupd and *nextupd.
83
84       OCSP_resp_get0_produced_at() extracts the producedAt field from the
85       single response bs.
86
87       OCSP_resp_get0_signature() returns the signature from bs.
88
89       OCSP_resp_get0_tbs_sigalg() returns the signatureAlgorithm from bs.
90
91       OCSP_resp_get0_respdata() returns the tbsResponseData from bs.
92
93       OCSP_resp_get0_certs() returns any certificates included in bs.
94
95       OCSP_resp_get0_signer() attempts to retrieve the certificate that
96       directly signed bs.  The OCSP protocol does not require that this
97       certificate is included in the certs field of the response, so
98       additional certificates can be supplied in extra_certs if the
99       certificates that may have signed the response are known via some out-
100       of-band mechanism.
101
102       OCSP_resp_get0_id() gets the responder id of bs. If the responder ID is
103       a name then <*pname> is set to the name and *pid is set to NULL. If the
104       responder ID is by key ID then *pid is set to the key ID and *pname is
105       set to NULL. OCSP_resp_get1_id() leaves ownership of *pid and *pname
106       with the caller, who is responsible for freeing them. Both functions
107       return 1 in case of success and 0 in case of failure. If
108       OCSP_resp_get1_id() returns 0, no freeing of the results is necessary.
109
110       OCSP_check_validity() checks the validity of thisupd and nextupd values
111       which will be typically obtained from OCSP_resp_find_status() or
112       OCSP_single_get0_status(). If sec is nonzero it indicates how many
113       seconds leeway should be allowed in the check. If maxsec is positive it
114       indicates the maximum age of thisupd in seconds.
115
116       OCSP_basic_verify() checks that the basic response message bs is
117       correctly signed and that the signer certificate can be validated. It
118       takes st as the trusted store and certs as a set of untrusted
119       intermediate certificates.  The function first tries to find the signer
120       certificate of the response in <certs>. It also searches the
121       certificates the responder may have included in bs unless the flags
122       contain OCSP_NOINTERN.  It fails if the signer certificate cannot be
123       found.  Next, the function checks the signature of bs and fails on
124       error unless the flags contain OCSP_NOSIGS. Then the function already
125       returns success if the flags contain OCSP_NOVERIFY or if the signer
126       certificate was found in certs and the flags contain OCSP_TRUSTOTHER.
127       Otherwise the function continues by validating the signer certificate.
128       To this end, all certificates in cert and in bs are considered as
129       untrusted certificates for the construction of the validation path for
130       the signer certificate unless the OCSP_NOCHAIN flag is set. After
131       successful path validation the function returns success if the
132       OCSP_NOCHECKS flag is set.  Otherwise it verifies that the signer
133       certificate meets the OCSP issuer criteria including potential
134       delegation. If this does not succeed and the flags do not contain
135       OCSP_NOEXPLICIT the function checks for explicit trust for OCSP signing
136       in the root CA certificate.
137

RETURN VALUES

139       OCSP_resp_find_status() returns 1 if id is found in bs and 0 otherwise.
140
141       OCSP_resp_count() returns the total number of OCSP_SINGLERESP fields in
142       bs.
143
144       OCSP_resp_get0() returns a pointer to an OCSP_SINGLERESP structure or
145       NULL if idx is out of range.
146
147       OCSP_resp_find() returns the index of id in bs (which may be 0) or -1
148       if id was not found.
149
150       OCSP_single_get0_status() returns the status of single or -1 if an
151       error occurred.
152
153       OCSP_resp_get0_signer() returns 1 if the signing certificate was
154       located, or 0 on error.
155
156       OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal
157       error such as malloc failure.
158

NOTES

160       Applications will typically call OCSP_resp_find_status() using the
161       certificate ID of interest and then check its validity using
162       OCSP_check_validity(). They can then take appropriate action based on
163       the status of the certificate.
164
165       An OCSP response for a certificate contains thisUpdate and nextUpdate
166       fields. Normally the current time should be between these two values.
167       To account for clock skew the maxsec field can be set to nonzero in
168       OCSP_check_validity(). Some responders do not set the nextUpdate field,
169       this would otherwise mean an ancient response would be considered
170       valid: the maxsec parameter to OCSP_check_validity() can be used to
171       limit the permitted age of responses.
172
173       The values written to *revtime, *thisupd and *nextupd by
174       OCSP_resp_find_status() and OCSP_single_get0_status() are internal
175       pointers which MUST NOT be freed up by the calling application. Any or
176       all of these parameters can be set to NULL if their value is not
177       required.
178

SEE ALSO

180       crypto(7), OCSP_cert_to_id(3), OCSP_request_add1_nonce(3),
181       OCSP_REQUEST_new(3), OCSP_response_status(3), OCSP_sendreq_new(3)
182
184       Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
185
186       Licensed under the OpenSSL license (the "License").  You may not use
187       this file except in compliance with the License.  You can obtain a copy
188       in the file LICENSE in the source distribution or at
189       <https://www.openssl.org/source/license.html>.
190
191
192
1931.1.1q                            2022-07-21          OCSP_RESP_FIND_STATUS(3)
Impressum