DragonFly On-Line Manual Pages
OCSP_RESP_FIND_STA... DragonFly Library Functions Manual OCSP_RESP_FIND_STA...
NAME
OCSP_SINGLERESP_new, OCSP_SINGLERESP_free, OCSP_CERTSTATUS_new,
OCSP_CERTSTATUS_free, OCSP_REVOKEDINFO_new, OCSP_REVOKEDINFO_free,
OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
OCSP_SINGLERESP_get0_id, OCSP_single_get0_status, OCSP_check_validity --
OCSP response utility functions
SYNOPSIS
#include <openssl/ocsp.h>
OCSP_SINGLERESP *
OCSP_SINGLERESP_new(void);
void
OCSP_SINGLERESP_free(OCSP_SINGLERESP *single);
OCSP_CERTSTATUS *
OCSP_CERTSTATUS_new(void);
void
OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *certstatus);
OCSP_REVOKEDINFO *
OCSP_REVOKEDINFO_new(void);
void
OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *revokedinfo);
int
OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
int *reason, ASN1_GENERALIZEDTIME **revtime,
ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);
int
OCSP_resp_count(OCSP_BASICRESP *bs);
OCSP_SINGLERESP *
OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
int
OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
const OCSP_CERTID *
OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single);
int
OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
ASN1_GENERALIZEDTIME **nextupd);
int
OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);
DESCRIPTION
OCSP_SINGLERESP_new() allocates and initializes an empty OCSP_SINGLERESP
object, representing an ASN.1 SingleResponse structure defined in RFC
6960. Each such object can store the server's answer regarding the
validity of one individual certificate. Such objects are used inside the
OCSP_RESPDATA of OCSP_BASICRESP objects, which are described in
OCSP_BASICRESP_new(3). OCSP_SINGLERESP_free() frees single.
OCSP_CERTSTATUS_new() allocates and initializes an empty OCSP_CERTSTATUS
object, representing an ASN.1 CertStatus structure defined in RFC 6960.
Such an object is used inside OCSP_SINGLERESP. OCSP_CERTSTATUS_free()
frees certstatus.
OCSP_REVOKEDINFO_new() allocates and initializes an empty
OCSP_REVOKEDINFO object, representing an ASN.1 RevokedInfo structure
defined in RFC 6960. Such an object is used inside OCSP_CERTSTATUS.
OCSP_REVOKEDINFO_free() frees revokedinfo.
OCSP_resp_find_status() searches bs for an OCSP response for id. If it
is successful, the fields of the response are returned in *status,
*reason, *revtime, *thisupd and *nextupd. The *status value will be one
of V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED, or
V_OCSP_CERTSTATUS_UNKNOWN. The *reason and *revtime fields are only set
if the status is V_OCSP_CERTSTATUS_REVOKED. If set, the *reason field
will be set to the revocation reason which will be one of
OCSP_REVOKED_STATUS_NOSTATUS, OCSP_REVOKED_STATUS_UNSPECIFIED,
OCSP_REVOKED_STATUS_KEYCOMPROMISE, OCSP_REVOKED_STATUS_CACOMPROMISE,
OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, OCSP_REVOKED_STATUS_SUPERSEDED,
OCSP_REVOKED_STATUS_CESSATIONOFOPERATION,
OCSP_REVOKED_STATUS_CERTIFICATEHOLD or OCSP_REVOKED_STATUS_REMOVEFROMCRL.
OCSP_resp_count() returns the number of OCSP_SINGLERESP structures in bs.
OCSP_resp_get0() returns the OCSP_SINGLERESP structure in bs correspond-
ing to index idx, where idx runs from 0 to OCSP_resp_count(bs) - 1.
OCSP_resp_find() searches bs for id and returns the index of the first
matching entry after last or starting from the beginning if last is -1.
OCSP_single_get0_status() extracts the fields of single in *reason,
*revtime, *thisupd, and *nextupd.
OCSP_check_validity() checks the validity of thisupd and nextupd values
which will be typically obtained from OCSP_resp_find_status() or
OCSP_single_get0_status(). If sec is non-zero it indicates how many sec-
onds leeway should be allowed in the check. If maxsec is positive it
indicates the maximum age of thisupd in seconds.
Applications will typically call OCSP_resp_find_status() using the cer-
tificate ID of interest and then check its validity using
OCSP_check_validity(). They can then take appropriate action based on
the status of the certificate.
An OCSP response for a certificate contains thisUpdate and nextUpdate
fields. Normally the current time should be between these two values.
To account for clock skew, the maxsec field can be set to non-zero in
OCSP_check_validity(). Some responders do not set the nextUpdate field.
This would otherwise mean an ancient response would be considered valid:
the maxsec parameter to OCSP_check_validity() can be used to limit the
permitted age of responses.
The values written to *revtime, *thisupd, and *nextupd by
OCSP_resp_find_status() and OCSP_single_get0_status() are internal point-
ers which must not be freed up by the calling application. Any or all of
these parameters can be set to NULL if their value is not required.
RETURN VALUES
OCSP_SINGLERESP_new(), OCSP_CERTSTATUS_new(), and OCSP_REVOKEDINFO_new()
return a pointer to an empty OCSP_SINGLERESP, OCSP_CERTSTATUS, or
OCSP_REVOKEDINFO object, respectively, or NULL if an error occurred.
OCSP_resp_find_status() returns 1 if id is found in bs or 0 otherwise.
OCSP_resp_count() returns the total number of OCSP_SINGLERESP fields in
bs.
OCSP_resp_get0() returns a pointer to an OCSP_SINGLERESP structure or
NULL if idx is out of range.
OCSP_resp_find() returns the index of id in bs (which may be 0) or -1 if
id was not found.
OCSP_SINGLERESP_get0_id() returns an internal pointer to the certificate
ID object used by single; the returned pointer should not be freed by the
caller.
OCSP_single_get0_status() returns the status of single or -1 if an error
occurred.
SEE ALSO
OCSP_cert_to_id(3), OCSP_CRLID_new(3), OCSP_request_add1_nonce(3),
OCSP_REQUEST_new(3), OCSP_response_status(3), OCSP_sendreq_new(3)
STANDARDS
RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
Status Protocol, section 4.2: Response Syntax
HISTORY
OCSP_SINGLERESP_new(), OCSP_SINGLERESP_free(), OCSP_CERTSTATUS_new(),
OCSP_CERTSTATUS_free(), OCSP_REVOKEDINFO_new(), OCSP_REVOKEDINFO_free(),
OCSP_resp_find_status(), OCSP_resp_count(), OCSP_resp_get0(),
OCSP_resp_find(), OCSP_single_get0_status(), and OCSP_check_validity()
first appeared in OpenSSL 0.9.7 and have been available since
OpenBSD 3.2.
OCSP_SINGLERESP_get0_id() first appeared in OpenSSL 1.1.0 and has been
available since OpenBSD 6.3.
DragonFly 5.5 March 23, 2018 DragonFly 5.5