TLS_OCSP_PROCESS_RESP... BSD Library Functions Manual TLS_OCSP_PROCESS_RESP...


NAME

     tls_ocsp_process_response, tls_peer_ocsp_url,
     tls_peer_ocsp_response_status, tls_peer_ocsp_cert_status,
     tls_peer_ocsp_crl_reason, tls_peer_ocsp_result,
     tls_peer_ocsp_revocation_time, tls_peer_ocsp_this_update,
     tls_peer_ocsp_next_update — inspect an OCSP response


SYNOPSIS

     #include <tls.h>

     int
     tls_ocsp_process_response(struct tls *ctx, const unsigned char *response,
         size_t size);

     const char *
     tls_peer_ocsp_url(struct tls *ctx);

     int
     tls_peer_ocsp_response_status(struct tls *ctx);

     int
     tls_peer_ocsp_cert_status(struct tls *ctx);

     int
     tls_peer_ocsp_crl_reason(struct tls *ctx);

     const char *
     tls_peer_ocsp_result(struct tls *ctx);

     time_t
     tls_peer_ocsp_revocation_time(struct tls *ctx);

     time_t
     tls_peer_ocsp_this_update(struct tls *ctx);

     time_t
     tls_peer_ocsp_next_update(struct tls *ctx);


DESCRIPTION

     tls_ocsp_process_response() processes a raw (DER-encoded) OCSP response
     in response of size size to check the revocation status of the peer
     certificate from ctx.  It can only be used once the handshake has
     completed.  A return code of 0 indicates that the response verified
     against the peer certificate and reports it as not revoked; on failure
     the cause can be retrieved with tls_error(3).

     tls_peer_ocsp_url() returns the OCSP responder URL carried in the
     Authority Information Access extension of the peer certificate from ctx.
     An application that did not receive a stapled response can fetch one
     from this URL itself and hand it to tls_ocsp_process_response().

     The following functions return information about the peer certificate
     from ctx that was obtained by validating a stapled OCSP response during
     the handshake, or via a previous call to tls_ocsp_process_response().
     A stapled response is only guaranteed to be present if
     tls_config_ocsp_require_stapling(3) was set; otherwise the handshake
     also succeeds without one, and until a response has been processed
     these functions fail as described under RETURN VALUES.

     tls_peer_ocsp_response_status() returns the OCSP response status as per
     RFC 6960 section 2.3.

     tls_peer_ocsp_cert_status() returns the OCSP certificate status code as
     per RFC 6960 section 2.2.

     tls_peer_ocsp_crl_reason() returns the OCSP certificate revocation reason
     status code as per RFC 5280 section 5.3.1.  It is only meaningful when
     tls_peer_ocsp_cert_status() reports TLS_OCSP_CERT_REVOKED.

     tls_peer_ocsp_result() returns a textual representation of the OCSP
     status code returned by one of the previous three functions.  If the
     OCSP response was valid and the certificate was not revoked, the string
     indicates the OCSP certificate status.  Otherwise, the string indicates
     the OCSP certificate revocation reason or the OCSP error.

     tls_peer_ocsp_revocation_time() returns the revocationTime from the OCSP
     response, which is only present for a revoked certificate.

     tls_peer_ocsp_this_update() returns the thisUpdate time of the OCSP
     response, the most recent time at which the responder knew the reported
     status to be correct.

     tls_peer_ocsp_next_update() returns the nextUpdate time of the OCSP
     response, the time at or before which newer status information is
     expected to be available.  nextUpdate is optional in OCSP responses
     (RFC 6960 section 4.2.2.1).


RETURN VALUES

     tls_ocsp_process_response() returns 0 on success or -1 on error.

     tls_peer_ocsp_url() and tls_peer_ocsp_result() return NULL on error or an
     out of memory condition.

     The tls_peer_ocsp_response_status() function returns one of
     TLS_OCSP_RESPONSE_SUCCESSFUL, TLS_OCSP_RESPONSE_MALFORMED,
     TLS_OCSP_RESPONSE_INTERNALERROR, TLS_OCSP_RESPONSE_TRYLATER,
     TLS_OCSP_RESPONSE_SIGREQUIRED, or TLS_OCSP_RESPONSE_UNAUTHORIZED on
     success or -1 on error.

     The tls_peer_ocsp_cert_status() function returns one of
     TLS_OCSP_CERT_GOOD, TLS_OCSP_CERT_REVOKED, or TLS_OCSP_CERT_UNKNOWN on
     success, and -1 on error.

     The tls_peer_ocsp_crl_reason() function returns one of
     TLS_CRL_REASON_UNSPECIFIED, TLS_CRL_REASON_KEY_COMPROMISE,
     TLS_CRL_REASON_CA_COMPROMISE, TLS_CRL_REASON_AFFILIATION_CHANGED,
     TLS_CRL_REASON_SUPERSEDED, TLS_CRL_REASON_CESSATION_OF_OPERATION,
     TLS_CRL_REASON_CERTIFICATE_HOLD, TLS_CRL_REASON_REMOVE_FROM_CRL,
     TLS_CRL_REASON_PRIVILEGE_WITHDRAWN, or TLS_CRL_REASON_AA_COMPROMISE on
     success or -1 on error.

     tls_peer_ocsp_revocation_time(), tls_peer_ocsp_this_update(), and
     tls_peer_ocsp_next_update() return a time in epoch-seconds on success or
     -1 on error.

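EXAMPLES

     The following program is an added illustration and is not part of
     libtls or of this manual.  After tls_handshake(3) it snapshots the
     values of the tls_peer_ocsp_*() accessors and applies a local policy
     to them before trusting the connection: a successful response with
     certificate status good that is still current (tolerating some clock
     skew, and capping the age of thisUpdate when no nextUpdate was given)
     is trusted; a revoked or unknown status, or a stale response, is
     rejected; no response at all, or a responder error status, is reported
     separately together with the URL from tls_peer_ocsp_url(), so that the
     caller can fail closed or fetch a response itself and pass it to
     tls_ocsp_process_response().  The host name argument, port 443, the
     skew of 300 seconds and the maximum age of 7 days are assumptions of
     the example.  When tls.h is not installed, the program falls back to
     the status code values from tls.h so that the policy function alone can
     still be compiled and exercised.

```c
/* Added example, not libtls code: apply a local policy to what libtls
 * learned about the peer certificate from OCSP. */
#include <stdio.h>
#include <time.h>

#if defined(__has_include)
#if __has_include(<tls.h>)
#include <tls.h>
#define HAVE_LIBTLS 1
#endif
#endif
#ifndef HAVE_LIBTLS
/* libtls not installed: assume the status code values from tls.h (RFC 6960
 * numbering) so that ocsp_evaluate() still builds and runs stand-alone. */
#define TLS_OCSP_RESPONSE_SUCCESSFUL	0
#define TLS_OCSP_CERT_GOOD		0
#define TLS_OCSP_CERT_REVOKED		1
#endif

/* Snapshot of the tls_peer_ocsp_*() accessors; -1 means "not available". */
struct ocsp_info {
	int	response_status, cert_status;
	time_t	this_update, next_update;
};

enum ocsp_verdict { OCSP_TRUST, OCSP_REJECT, OCSP_NO_INFO };

/* Trust only a successful response that says "good" and is current at now.
 * skew tolerates responder clock drift; max_age caps the age of thisUpdate
 * when no nextUpdate was given.  A missing response or a responder error is
 * OCSP_NO_INFO: the caller fails closed or fetches a response from
 * tls_peer_ocsp_url() and passes it to tls_ocsp_process_response(). */
enum ocsp_verdict
ocsp_evaluate(const struct ocsp_info *oi, time_t now, time_t skew,
    time_t max_age, const char **why)
{
	if (oi->response_status == -1) {
		*why = "no OCSP response available";
		return OCSP_NO_INFO;
	}
	if (oi->response_status != TLS_OCSP_RESPONSE_SUCCESSFUL) {
		*why = "responder returned an error status";
		return OCSP_NO_INFO;
	}
	if (oi->cert_status == TLS_OCSP_CERT_REVOKED) {
		*why = "certificate revoked";
		return OCSP_REJECT;
	}
	if (oi->cert_status != TLS_OCSP_CERT_GOOD) {
		*why = "responder does not vouch for this certificate";
		return OCSP_REJECT;
	}
	if (oi->this_update == -1 || oi->this_update > now + skew) {
		*why = "thisUpdate missing or in the future";
		return OCSP_REJECT;
	}
	/* Past nextUpdate, or (no nextUpdate) thisUpdate older than max_age. */
	if (oi->next_update != -1 ? now > oi->next_update + skew :
	    now - oi->this_update > max_age) {
		*why = "response is stale";
		return OCSP_REJECT;
	}
	*why = "good";
	return OCSP_TRUST;
}

#ifdef HAVE_LIBTLS
/* Connect to the host given as first argument (assumed) on port 443 and
 * report the verdict on the stapled response that libtls verified. */
int
main(int argc, char **argv)
{
	const char *host = argc > 1 ? argv[1] : "example.com", *why, *s;
	struct tls_config *cfg;
	struct tls *ctx;
	struct ocsp_info oi;
	enum ocsp_verdict v;

	if (tls_init() == -1 || (cfg = tls_config_new()) == NULL ||
	    (ctx = tls_client()) == NULL)
		return 1;
	if (tls_configure(ctx, cfg) == -1 ||
	    tls_connect(ctx, host, "443") == -1 || tls_handshake(ctx) == -1) {
		fprintf(stderr, "%s: %s\n", host, tls_error(ctx));
		return 1;
	}
	oi.response_status = tls_peer_ocsp_response_status(ctx);
	oi.cert_status = tls_peer_ocsp_cert_status(ctx);
	oi.this_update = tls_peer_ocsp_this_update(ctx);
	oi.next_update = tls_peer_ocsp_next_update(ctx);
	/* 300 s of skew and a 7 day cap are assumed policy values. */
	v = ocsp_evaluate(&oi, time(NULL), 300, 7 * 24 * 3600, &why);
	/* Without information, show where a response could be fetched from. */
	s = v == OCSP_NO_INFO ? tls_peer_ocsp_url(ctx) : tls_peer_ocsp_result(ctx);
	printf("%s: %s (%s)\n", host, why, s != NULL ? s : "-");
	tls_close(ctx);
	tls_free(ctx);
	tls_config_free(cfg);
	return v == OCSP_TRUST ? 0 : 2;
}
#endif
```

     Build with cc -o ocsp_check ocsp_check.c -ltls (the file name is
     assumed) and run it with a host name; the exit status is 0 only when
     the policy returns OCSP_TRUST.  Note that libtls itself already rejects
     a stapled response that does not verify, so the handshake fails before
     this policy runs; the policy adds the application's own freshness rules,
     which matter for example on long-lived connections.
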

SEE ALSO

     tls_client(3), tls_config_ocsp_require_stapling(3), tls_conn_version(3),
     tls_connect(3), tls_error(3), tls_handshake(3), tls_init(3)


HISTORY

     These functions appeared in OpenBSD 6.1.


AUTHORS

     Bob Beck <beck@openbsd.org>
     Marko Kreen <markokr@gmail.com>

BSD                              July 24, 2018                             BSD