NAME
     tls_ocsp_process_response, tls_peer_ocsp_cert_status,
     tls_peer_ocsp_crl_reason, tls_peer_ocsp_next_update,
     tls_peer_ocsp_response_status, tls_peer_ocsp_result_msg,
     tls_peer_ocsp_revocation_time, tls_peer_ocsp_this_update,
     tls_peer_ocsp_url — inspect an OCSP response

SYNOPSIS
     #include <tls.h>

     int
     tls_ocsp_process_response(struct tls *ctx, const unsigned char *response,
         size_t size);

     int
     tls_peer_ocsp_cert_status(struct tls *ctx);

     int
     tls_peer_ocsp_crl_reason(struct tls *ctx);

     time_t
     tls_peer_ocsp_next_update(struct tls *ctx);

     int
     tls_peer_ocsp_response_status(struct tls *ctx);

     const char *
     tls_peer_ocsp_result_msg(struct tls *ctx);

     time_t
     tls_peer_ocsp_revocation_time(struct tls *ctx);

     time_t
     tls_peer_ocsp_this_update(struct tls *ctx);

     const char *
     tls_peer_ocsp_url(struct tls *ctx);

DESCRIPTION
     tls_ocsp_process_response() processes a raw OCSP response in response of
     size size to check the revocation status of the peer certificate from
     ctx.  A successful return code of 0 indicates that the certificate has
     not been revoked.

     tls_peer_ocsp_url() returns the URL for OCSP validation of the peer
     certificate from ctx.

     The following functions return information about the peer certificate
     from ctx that was obtained by validating a stapled OCSP response during
     the handshake, or via a previous call to tls_ocsp_process_response().

     tls_peer_ocsp_cert_status() returns the OCSP certificate status code as
     per RFC 6960 section 2.2.

     tls_peer_ocsp_crl_reason() returns the OCSP certificate revocation reason
     status code as per RFC 5280 section 5.3.1.

     tls_peer_ocsp_next_update() returns the OCSP next update time.

     tls_peer_ocsp_response_status() returns the OCSP response status as per
     RFC 6960 section 2.3.

     tls_peer_ocsp_revocation_time() returns the OCSP revocation time.

     tls_peer_ocsp_this_update() returns the OCSP this update time.
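     As an added example (not part of this manual page or of libtls itself),
     the following C code turns the accessor values described above into a
     fail-closed accept/reject decision for the peer certificate.
     ocsp_verdict(), check_peer_ocsp(), the verdict enum and the fallback
     constant values are assumptions of the example, and check_peer_ocsp()
     assumes a struct tls *ctx on which tls_handshake(3) has already
     completed.

```c
/* Added example, not libtls code: fail-closed acceptance of the peer
 * certificate's OCSP data. ocsp_verdict() takes the raw values the
 * tls_peer_ocsp_*() accessors return (-1 = no OCSP information). */
#include <time.h>
#ifdef __has_include
#if __has_include(<tls.h>)
#include <tls.h>
#define HAVE_TLS_H 1
#endif
#endif
#ifndef TLS_OCSP_RESPONSE_SUCCESSFUL
/* Assumed fallback values, used only when <tls.h> is not installed. */
#define TLS_OCSP_RESPONSE_SUCCESSFUL 0
#define TLS_OCSP_CERT_GOOD 0
#define TLS_OCSP_CERT_REVOKED 1
#define TLS_OCSP_CERT_UNKNOWN 2
#endif
enum ocsp_verdict { OCSP_ACCEPT, OCSP_REJECT_REVOKED, OCSP_REJECT_STALE,
    OCSP_REJECT_NO_INFO, OCSP_REJECT_RESPONDER_ERROR };

enum ocsp_verdict
ocsp_verdict(int response_status, int cert_status,
    time_t this_update, time_t next_update, time_t now)
{
	if (response_status == -1)
		return OCSP_REJECT_NO_INFO;	/* nothing stapled or processed */
	if (response_status != TLS_OCSP_RESPONSE_SUCCESSFUL)
		return OCSP_REJECT_RESPONDER_ERROR;	/* carries no cert status */
	if (cert_status == TLS_OCSP_CERT_REVOKED)
		return OCSP_REJECT_REVOKED;
	if (cert_status != TLS_OCSP_CERT_GOOD)
		return OCSP_REJECT_NO_INFO;	/* TLS_OCSP_CERT_UNKNOWN or -1 */
	/* thisUpdate must not be in the future; a positive nextUpdate must not
	 * have passed (a non-positive value is assumed to mean "not set"). */
	if (this_update == -1 || this_update > now)
		return OCSP_REJECT_STALE;
	if (next_update > 0 && next_update < now)
		return OCSP_REJECT_STALE;
	return OCSP_ACCEPT;
}
#ifdef HAVE_TLS_H
/* Apply the policy to a connection once tls_handshake(3) has completed. */
enum ocsp_verdict
check_peer_ocsp(struct tls *ctx)
{
	return ocsp_verdict(tls_peer_ocsp_response_status(ctx),
	    tls_peer_ocsp_cert_status(ctx), tls_peer_ocsp_this_update(ctx),
	    tls_peer_ocsp_next_update(ctx), time(NULL));
}
#endif
```

     A connection for which every accessor returns -1 (no stapled response
     and no call to tls_ocsp_process_response()) is rejected rather than
     silently accepted.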
RETURN VALUES
     tls_ocsp_process_response() returns 0 on success or -1 on error.

     The tls_peer_ocsp_response_status() function returns one of
     TLS_OCSP_RESPONSE_SUCCESSFUL, TLS_OCSP_RESPONSE_MALFORMED,
     TLS_OCSP_RESPONSE_INTERNALERROR, TLS_OCSP_RESPONSE_TRYLATER,
     TLS_OCSP_RESPONSE_SIGREQUIRED, or TLS_OCSP_RESPONSE_UNAUTHORIZED on
     success or -1 on error.

     The tls_peer_ocsp_cert_status() function returns one of
     TLS_OCSP_CERT_GOOD, TLS_OCSP_CERT_REVOKED, or TLS_OCSP_CERT_UNKNOWN on
     success, and -1 on error.

     The tls_peer_ocsp_crl_reason() function returns one of
     TLS_CRL_REASON_UNSPECIFIED, TLS_CRL_REASON_KEY_COMPROMISE,
     TLS_CRL_REASON_CA_COMPROMISE, TLS_CRL_REASON_AFFILIATION_CHANGED,
     TLS_CRL_REASON_SUPERSEDED, TLS_CRL_REASON_CESSATION_OF_OPERATION,
     TLS_CRL_REASON_CERTIFICATE_HOLD, TLS_CRL_REASON_REMOVE_FROM_CRL,
     TLS_CRL_REASON_PRIVILEGE_WITHDRAWN, or TLS_CRL_REASON_AA_COMPROMISE on
     success or -1 on error.

     tls_peer_ocsp_next_update(), tls_peer_ocsp_revocation_time(), and
     tls_peer_ocsp_this_update() return a time in epoch-seconds on success or
     -1 on error.

     tls_peer_ocsp_result_msg() and tls_peer_ocsp_url() return NULL on error
     or an out of memory condition.

SEE ALSO
     tls_client(3), tls_config_ocsp_require_stapling(3), tls_conn_version(3),
     tls_connect(3), tls_handshake(3), tls_init(3)

HISTORY
     These functions appeared in OpenBSD 6.1.

AUTHORS
     Bob Beck <beck@openbsd.org>
     Marko Kreen <markokr@gmail.com>