2014-06-22 03:13:37 +08:00
|
|
|
=pod
|
|
|
|
|
2016-05-22 02:49:33 +08:00
|
|
|
=head1 NAME
|
|
|
|
|
2016-07-29 05:00:05 +08:00
|
|
|
OCSP_resp_get0_certs,
|
2017-10-19 04:29:18 +08:00
|
|
|
OCSP_resp_get0_signer,
|
2016-07-29 05:00:05 +08:00
|
|
|
OCSP_resp_get0_id,
|
2016-11-08 17:16:45 +08:00
|
|
|
OCSP_resp_get1_id,
|
2016-06-21 19:03:34 +08:00
|
|
|
OCSP_resp_get0_produced_at,
|
2018-09-01 22:50:28 +08:00
|
|
|
OCSP_resp_get0_signature,
|
2018-09-01 12:05:55 +08:00
|
|
|
OCSP_resp_get0_tbs_sigalg,
|
|
|
|
OCSP_resp_get0_respdata,
|
2016-06-21 19:03:34 +08:00
|
|
|
OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
|
2018-02-10 22:45:11 +08:00
|
|
|
OCSP_single_get0_status, OCSP_check_validity,
|
|
|
|
OCSP_basic_verify
|
2016-06-21 19:03:34 +08:00
|
|
|
- OCSP response utility functions
|
2014-06-22 03:13:37 +08:00
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
#include <openssl/ocsp.h>
|
|
|
|
|
|
|
|
int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
|
|
|
|
int *reason,
|
|
|
|
ASN1_GENERALIZEDTIME **revtime,
|
|
|
|
ASN1_GENERALIZEDTIME **thisupd,
|
|
|
|
ASN1_GENERALIZEDTIME **nextupd);
|
|
|
|
|
|
|
|
int OCSP_resp_count(OCSP_BASICRESP *bs);
|
|
|
|
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
|
|
|
|
int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
|
|
|
|
int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
|
|
|
|
ASN1_GENERALIZEDTIME **revtime,
|
|
|
|
ASN1_GENERALIZEDTIME **thisupd,
|
|
|
|
ASN1_GENERALIZEDTIME **nextupd);
|
|
|
|
|
2016-08-13 04:37:55 +08:00
|
|
|
const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
|
|
|
|
const OCSP_BASICRESP* single);
|
2016-01-18 03:39:57 +08:00
|
|
|
|
2018-09-01 22:50:28 +08:00
|
|
|
const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
|
2018-09-01 12:05:55 +08:00
|
|
|
const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
|
|
|
|
const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
|
2016-07-13 21:20:15 +08:00
|
|
|
const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
|
|
|
|
|
2017-11-13 08:32:52 +08:00
|
|
|
int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
|
2017-10-19 04:29:18 +08:00
|
|
|
STACK_OF(X509) *extra_certs);
|
|
|
|
|
2016-07-13 21:20:15 +08:00
|
|
|
int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
|
|
|
|
const ASN1_OCTET_STRING **pid,
|
|
|
|
const X509_NAME **pname);
|
2016-11-08 17:16:45 +08:00
|
|
|
int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
|
|
|
|
ASN1_OCTET_STRING **pid,
|
|
|
|
X509_NAME **pname);
|
2016-07-13 21:20:15 +08:00
|
|
|
|
2014-06-22 03:13:37 +08:00
|
|
|
int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
|
|
|
|
ASN1_GENERALIZEDTIME *nextupd,
|
|
|
|
long sec, long maxsec);
|
|
|
|
|
2018-02-10 22:45:11 +08:00
|
|
|
int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
|
|
|
|
X509_STORE *st, unsigned long flags);
|
|
|
|
|
2014-06-22 03:13:37 +08:00
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_find_status() searches I<bs> for an OCSP response for I<id>. If it is
|
|
|
|
successful the fields of the response are returned in I<*status>, I<*reason>,
|
|
|
|
I<*revtime>, I<*thisupd> and I<*nextupd>. The I<*status> value will be one of
|
2014-06-22 03:13:37 +08:00
|
|
|
B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
|
2020-09-22 14:18:31 +08:00
|
|
|
B<V_OCSP_CERTSTATUS_UNKNOWN>. The I<*reason> and I<*revtime> fields are only
|
|
|
|
set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the I<*reason> field
|
2014-06-22 03:13:37 +08:00
|
|
|
will be set to the revocation reason which will be one of
|
|
|
|
B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
|
|
|
|
B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
|
|
|
|
B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
|
|
|
|
B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
|
|
|
|
B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.
|
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in I<bs>.
|
2014-06-22 03:13:37 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in I<bs>
|
|
|
|
corresponding to index I<idx>. Where I<idx> runs from 0 to
|
2014-06-22 03:13:37 +08:00
|
|
|
OCSP_resp_count(bs) - 1.
|
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_find() searches I<bs> for I<id> and returns the index of the first
|
|
|
|
matching entry after I<last> or starting from the beginning if I<last> is -1.
|
2014-06-22 03:13:37 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_single_get0_status() extracts the fields of I<single> in I<*reason>,
|
|
|
|
I<*revtime>, I<*thisupd> and I<*nextupd>.
|
2014-06-22 03:13:37 +08:00
|
|
|
|
2016-01-18 03:39:57 +08:00
|
|
|
OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
|
2020-09-22 14:18:31 +08:00
|
|
|
single response I<bs>.
|
2016-01-18 03:39:57 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_get0_signature() returns the signature from I<bs>.
|
2018-09-01 22:50:28 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> from I<bs>.
|
2018-09-01 12:05:55 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_get0_respdata() returns the B<tbsResponseData> from I<bs>.
|
2018-09-01 12:05:55 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_get0_certs() returns any certificates included in I<bs>.
|
2016-07-13 21:20:15 +08:00
|
|
|
|
2017-12-13 01:41:26 +08:00
|
|
|
OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
|
2020-09-22 14:18:31 +08:00
|
|
|
signed I<bs>. The OCSP protocol does not require that this certificate
|
2017-10-19 04:29:18 +08:00
|
|
|
is included in the B<certs> field of the response, so additional certificates
|
2020-09-22 14:18:31 +08:00
|
|
|
can be supplied via the I<extra_certs> if the certificates that may have
|
2017-10-19 04:29:18 +08:00
|
|
|
signed the response are known via some out-of-band mechanism.
|
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_get0_id() gets the responder id of I<bs>. If the responder ID is
|
|
|
|
a name then <*pname> is set to the name and I<*pid> is set to NULL. If the
|
|
|
|
responder ID is by key ID then I<*pid> is set to the key ID and I<*pname>
|
|
|
|
is set to NULL. OCSP_resp_get1_id() leaves ownership of I<*pid> and I<*pname>
|
2016-11-08 17:16:45 +08:00
|
|
|
with the caller, who is responsible for freeing them. Both functions return 1
|
|
|
|
in case of success and 0 in case of failure. If OCSP_resp_get1_id() returns 0,
|
|
|
|
no freeing of the results is necessary.
|
2016-07-13 21:20:15 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_check_validity() checks the validity of its I<thisupd> and I<nextupd>
|
|
|
|
arguments, which will be typically obtained from OCSP_resp_find_status() or
|
|
|
|
OCSP_single_get0_status(). If I<sec> is nonzero it indicates how many seconds
|
|
|
|
leeway should be allowed in the check. If I<maxsec> is positive it indicates
|
|
|
|
the maximum age of I<thisupd> in seconds.
|
2014-06-22 03:13:37 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_basic_verify() checks that the basic response message I<bs> is correctly
|
|
|
|
signed and that the signer certificate can be validated. It takes I<st> as
|
|
|
|
the trusted store and I<certs> as a set of untrusted intermediate certificates.
|
2018-02-10 22:45:11 +08:00
|
|
|
The function first tries to find the signer certificate of the response
|
2020-09-22 14:18:31 +08:00
|
|
|
in I<certs>. It then searches the certificates the responder may have included
|
2020-09-22 14:31:17 +08:00
|
|
|
in I<bs> unless I<flags> contains B<OCSP_NOINTERN>.
|
2018-02-10 22:45:11 +08:00
|
|
|
It fails if the signer certificate cannot be found.
|
2020-09-22 14:31:17 +08:00
|
|
|
Next, unless I<flags> contains B<OCSP_NOSIGS>, the function checks
|
2020-09-22 14:18:31 +08:00
|
|
|
the signature of I<bs> and fails on error. Then the function already returns
|
2020-09-22 14:31:17 +08:00
|
|
|
success if I<flags> contains B<OCSP_NOVERIFY> or if the signer certificate
|
|
|
|
was found in I<certs> and I<flags> contains B<OCSP_TRUSTOTHER>.
|
2018-02-10 22:45:11 +08:00
|
|
|
Otherwise the function continues by validating the signer certificate.
|
2020-09-22 14:31:17 +08:00
|
|
|
If I<flags> contains B<OCSP_PARTIAL_CHAIN> it takes intermediate CA
|
|
|
|
certificates in I<st> as trust anchors.
|
2020-08-18 03:31:42 +08:00
|
|
|
For more details, see the description of B<X509_V_FLAG_PARTIAL_CHAIN>
|
|
|
|
in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
|
2020-09-22 14:31:17 +08:00
|
|
|
If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
|
|
|
|
and in I<bs>, else it takes them as untrusted intermediate CA certificates
|
|
|
|
and uses them for constructing the validation path for the signer certificate.
|
|
|
|
After successful path
|
2018-02-10 22:45:11 +08:00
|
|
|
validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
|
|
|
|
Otherwise it verifies that the signer certificate meets the OCSP issuer
|
|
|
|
criteria including potential delegation. If this does not succeed and the
|
2020-09-22 14:31:17 +08:00
|
|
|
B<OCSP_NOEXPLICIT> flag is not set the function checks for explicit
|
2018-02-10 22:45:11 +08:00
|
|
|
trust for OCSP signing in the root CA certificate.
|
|
|
|
|
2014-06-22 03:13:37 +08:00
|
|
|
=head1 RETURN VALUES
|
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_find_status() returns 1 if I<id> is found in I<bs> and 0 otherwise.
|
2014-06-22 03:13:37 +08:00
|
|
|
|
|
|
|
OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
|
2020-09-22 14:18:31 +08:00
|
|
|
I<bs>.
|
2014-06-22 03:13:37 +08:00
|
|
|
|
|
|
|
OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
|
2020-09-22 14:18:31 +08:00
|
|
|
NULL if I<idx> is out of range.
|
2014-06-22 03:13:37 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_resp_find() returns the index of I<id> in I<bs> (which may be 0) or -1 if
|
|
|
|
I<id> was not found.
|
2014-06-22 03:13:37 +08:00
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
OCSP_single_get0_status() returns the status of I<single> or -1 if an error
|
2014-06-22 03:13:37 +08:00
|
|
|
occurred.
|
|
|
|
|
2017-10-19 04:29:18 +08:00
|
|
|
OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
|
|
|
|
or 0 on error.
|
|
|
|
|
2018-02-10 22:45:11 +08:00
|
|
|
OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such
|
|
|
|
as malloc failure.
|
|
|
|
|
2014-06-22 03:13:37 +08:00
|
|
|
=head1 NOTES
|
|
|
|
|
|
|
|
Applications will typically call OCSP_resp_find_status() using the certificate
|
|
|
|
ID of interest and then check its validity using OCSP_check_validity(). They
|
|
|
|
can then take appropriate action based on the status of the certificate.
|
|
|
|
|
|
|
|
An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
|
|
|
|
fields. Normally the current time should be between these two values. To
|
2020-09-22 14:18:31 +08:00
|
|
|
account for clock skew the I<maxsec> field can be set to nonzero in
|
2014-06-22 03:13:37 +08:00
|
|
|
OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
|
|
|
|
would otherwise mean an ancient response would be considered valid: the
|
2020-09-22 14:18:31 +08:00
|
|
|
I<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
|
2014-06-22 03:13:37 +08:00
|
|
|
age of responses.
|
|
|
|
|
2020-09-22 14:18:31 +08:00
|
|
|
The values written to I<*revtime>, I<*thisupd> and I<*nextupd> by
|
2014-06-22 03:13:37 +08:00
|
|
|
OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
|
2020-09-22 14:18:31 +08:00
|
|
|
which MUST NOT be freed up by the calling application. Any or all of these
|
2014-06-22 03:13:37 +08:00
|
|
|
parameters can be set to NULL if their value is not required.
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
2016-11-11 16:33:09 +08:00
|
|
|
L<crypto(7)>,
|
2015-08-18 03:21:33 +08:00
|
|
|
L<OCSP_cert_to_id(3)>,
|
|
|
|
L<OCSP_request_add1_nonce(3)>,
|
|
|
|
L<OCSP_REQUEST_new(3)>,
|
|
|
|
L<OCSP_response_status(3)>,
|
2020-08-18 03:31:42 +08:00
|
|
|
L<OCSP_sendreq_new(3)>,
|
|
|
|
L<X509_VERIFY_PARAM_set_flags(3)>
|
2014-06-22 03:13:37 +08:00
|
|
|
|
2016-05-18 23:44:05 +08:00
|
|
|
=head1 COPYRIGHT
|
|
|
|
|
2018-09-11 20:22:14 +08:00
|
|
|
Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
2016-05-18 23:44:05 +08:00
|
|
|
|
2018-12-06 21:04:44 +08:00
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-18 23:44:05 +08:00
|
|
|
this file except in compliance with the License. You can obtain a copy
|
|
|
|
in the file LICENSE in the source distribution or at
|
|
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
|
|
|
|
=cut
|