• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1=pod
2
3=head1 NAME
4
5OCSP_resp_find_status, OCSP_resp_count,
6OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status,
7OCSP_resp_get0_produced_at, OCSP_resp_get0_signature,
8OCSP_resp_get0_tbs_sigalg, OCSP_resp_get0_respdata,
9OCSP_resp_get0_certs, OCSP_resp_get0_signer,
10OCSP_resp_get0_id, OCSP_resp_get1_id,
11OCSP_check_validity, OCSP_basic_verify
12- OCSP response utility functions
13
14=head1 SYNOPSIS
15
16 #include <openssl/ocsp.h>
17
18 int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
19                           int *reason,
20                           ASN1_GENERALIZEDTIME **revtime,
21                           ASN1_GENERALIZEDTIME **thisupd,
22                           ASN1_GENERALIZEDTIME **nextupd);
23
24 int OCSP_resp_count(OCSP_BASICRESP *bs);
25 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
26 int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
27 int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
28                             ASN1_GENERALIZEDTIME **revtime,
29                             ASN1_GENERALIZEDTIME **thisupd,
30                             ASN1_GENERALIZEDTIME **nextupd);
31
32 const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
33                             const OCSP_BASICRESP* single);
34
35 const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
36 const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
37 const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
38 const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
39
40 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
41                           STACK_OF(X509) *extra_certs);
42
43 int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
44                       const ASN1_OCTET_STRING **pid,
45                       const X509_NAME **pname);
46 int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
47                       ASN1_OCTET_STRING **pid,
48                       X509_NAME **pname);
49
50 int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
51                         ASN1_GENERALIZEDTIME *nextupd,
52                         long sec, long maxsec);
53
54 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
55                      X509_STORE *st, unsigned long flags);
56
57=head1 DESCRIPTION
58
59OCSP_resp_find_status() searches I<bs> for an OCSP response for I<id>. If it is
60successful the fields of the response are returned in I<*status>, I<*reason>,
61I<*revtime>, I<*thisupd> and I<*nextupd>.  The I<*status> value will be one of
62B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
63B<V_OCSP_CERTSTATUS_UNKNOWN>. The I<*reason> and I<*revtime> fields are only
64set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the I<*reason> field
65will be set to the revocation reason which will be one of
66B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
67B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
68B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
69B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
70B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.
71
72OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in I<bs>.
73
74OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in I<bs> corresponding
75to index I<idx>, where I<idx> runs from 0 to OCSP_resp_count(bs) - 1.
76
77OCSP_resp_find() searches I<bs> for I<id> and returns the index of the first
78matching entry after I<last> or starting from the beginning if I<last> is -1.
79
80OCSP_single_get0_status() extracts the fields of I<single> in I<*reason>,
81I<*revtime>, I<*thisupd> and I<*nextupd>.
82
83OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
84single response I<bs>.
85
86OCSP_resp_get0_signature() returns the signature from I<bs>.
87
88OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> from I<bs>.
89
90OCSP_resp_get0_respdata() returns the B<tbsResponseData> from I<bs>.
91
92OCSP_resp_get0_certs() returns any certificates included in I<bs>.
93
94OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
95signed I<bs>.  The OCSP protocol does not require that this certificate
96is included in the B<certs> field of the response, so additional certificates
97can be supplied via the I<extra_certs> if the certificates that may have
98signed the response are known via some out-of-band mechanism.
99
100OCSP_resp_get0_id() gets the responder id of I<bs>. If the responder ID is
101a name then <*pname> is set to the name and I<*pid> is set to NULL. If the
102responder ID is by key ID then I<*pid> is set to the key ID and I<*pname>
103is set to NULL.
104
105OCSP_resp_get1_id() is the same as OCSP_resp_get0_id()
106but leaves ownership of I<*pid> and I<*pname> with the caller,
107who is responsible for freeing them unless the function returns 0.
108
109OCSP_check_validity() checks the validity of its I<thisupd> and I<nextupd>
110arguments, which will be typically obtained from OCSP_resp_find_status() or
111OCSP_single_get0_status(). If I<sec> is nonzero it indicates how many seconds
112leeway should be allowed in the check. If I<maxsec> is positive it indicates
113the maximum age of I<thisupd> in seconds.
114
115OCSP_basic_verify() checks that the basic response message I<bs> is correctly
116signed and that the signer certificate can be validated. It takes I<st> as
117the trusted store and I<certs> as a set of untrusted intermediate certificates.
118The function first tries to find the signer certificate of the response
119in I<certs>. It then searches the certificates the responder may have included
120in I<bs> unless I<flags> contains B<OCSP_NOINTERN>.
121It fails if the signer certificate cannot be found.
122Next, unless I<flags> contains B<OCSP_NOSIGS>, the function checks
123the signature of I<bs> and fails on error. Then the function already returns
124success if I<flags> contains B<OCSP_NOVERIFY> or if the signer certificate
125was found in I<certs> and I<flags> contains B<OCSP_TRUSTOTHER>.
126Otherwise the function continues by validating the signer certificate.
127If I<flags> contains B<OCSP_PARTIAL_CHAIN> it takes intermediate CA
128certificates in I<st> as trust anchors.
129For more details, see the description of B<X509_V_FLAG_PARTIAL_CHAIN>
130in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
131If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
132and in I<bs>, else it takes them as untrusted intermediate CA certificates
133and uses them for constructing the validation path for the signer certificate.
134Certicate revocation status checks using CRLs is disabled during path validation
135if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
136After successful path
137validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
138Otherwise it verifies that the signer certificate meets the OCSP issuer
139criteria including potential delegation. If this does not succeed and the
140B<OCSP_NOEXPLICIT> flag is not set the function checks for explicit
141trust for OCSP signing in the root CA certificate.
142
143=head1 RETURN VALUES
144
145OCSP_resp_find_status() returns 1 if I<id> is found in I<bs> and 0 otherwise.
146
147OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in I<bs>
148or -1 on error.
149
150OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
151NULL on error, such as I<idx> being out of range.
152
153OCSP_resp_find() returns the index of I<id> in I<bs> (which may be 0)
154or -1 on error, such as when I<id> was not found.
155
156OCSP_single_get0_status() returns the status of I<single> or -1 if an error
157occurred.
158
159OCSP_resp_get0_produced_at() returns the B<producedAt> field from I<bs>.
160
161OCSP_resp_get0_signature() returns the signature from I<bs>.
162
163OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> field from I<bs>.
164
165OCSP_resp_get0_respdata() returns the B<tbsResponseData> field from I<bs>.
166
167OCSP_resp_get0_certs() returns any certificates included in I<bs>.
168
169OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
170or 0 if not found or on error.
171
172OCSP_resp_get0_id() and OCSP_resp_get1_id() return 1 on success, 0 on failure.
173
174OCSP_check_validity() returns 1 if I<thisupd> and I<nextupd> are valid time
175values and the current time + I<sec> is not before I<thisupd> and,
176if I<maxsec> >= 0, the current time - I<maxsec> is not past I<nextupd>.
177Otherwise it returns 0 to indicate an error.
178
179OCSP_basic_verify() returns 1 on success, 0 on verification not successful,
180or -1 on a fatal error such as malloc failure.
181
182=head1 NOTES
183
184Applications will typically call OCSP_resp_find_status() using the certificate
185ID of interest and then check its validity using OCSP_check_validity(). They
186can then take appropriate action based on the status of the certificate.
187
188An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
189fields. Normally the current time should be between these two values. To
190account for clock skew the I<maxsec> field can be set to nonzero in
191OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
192would otherwise mean an ancient response would be considered valid: the
193I<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
194age of responses.
195
196The values written to I<*revtime>, I<*thisupd> and I<*nextupd> by
197OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
198which MUST NOT be freed up by the calling application. Any or all of these
199parameters can be set to NULL if their value is not required.
200
201=head1 SEE ALSO
202
203L<crypto(7)>,
204L<OCSP_cert_to_id(3)>,
205L<OCSP_request_add1_nonce(3)>,
206L<OCSP_REQUEST_new(3)>,
207L<OCSP_response_status(3)>,
208L<OCSP_sendreq_new(3)>,
209L<X509_VERIFY_PARAM_set_flags(3)>
210
211=head1 COPYRIGHT
212
213Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
214
215Licensed under the Apache License 2.0 (the "License").  You may not use
216this file except in compliance with the License.  You can obtain a copy
217in the file LICENSE in the source distribution or at
218L<https://www.openssl.org/source/license.html>.
219
220=cut
221