OpenBSD manual page server

NAME

tls_ocsp_process_response, tls_peer_ocsp_cert_status, tls_peer_ocsp_crl_reason, tls_peer_ocsp_next_update, tls_peer_ocsp_response_status, tls_peer_ocsp_result_msg, tls_peer_ocsp_revocation_time, tls_peer_ocsp_this_update, tls_peer_ocsp_url — inspect an OCSP response

SYNOPSIS

#include <tls.h>

int
tls_ocsp_process_response(struct tls *ctx, const unsigned char *response, size_t size);

int
tls_peer_ocsp_cert_status(struct tls *ctx);

int
tls_peer_ocsp_crl_reason(struct tls *ctx);

time_t
tls_peer_ocsp_next_update(struct tls *ctx);

int
tls_peer_ocsp_response_status(struct tls *ctx);

const char *
tls_peer_ocsp_result_msg(struct tls *ctx);

time_t
tls_peer_ocsp_revocation_time(struct tls *ctx);

time_t
tls_peer_ocsp_this_update(struct tls *ctx);

const char *
tls_peer_ocsp_url(struct tls *ctx);

DESCRIPTION

tls_ocsp_process_response() processes a raw OCSP response in response of size size to check the revocation status of the peer certificate from ctx. A successful return code of 0 indicates that the certificate has not been revoked.

tls_peer_ocsp_url() returns the URL for OCSP validation of the peer certificate from ctx.

The following functions return information about the peer certificate from ctx that was obtained by validating a stapled OCSP response during the handshake, or via a previous call to tls_ocsp_process_response().

tls_peer_ocsp_cert_status() returns the OCSP certificate status code as per RFC 6960 section 2.2.

tls_peer_ocsp_crl_reason() returns the OCSP certificate revocation reason status code as per RFC 5280 section 5.3.1.

tls_peer_ocsp_next_update() returns the OCSP next update time.

tls_peer_ocsp_response_status() returns the OCSP response status as per RFC 6960 section 2.3.

tls_peer_ocsp_revocation_time() returns the OCSP revocation time.

tls_peer_ocsp_this_update() returns the OCSP this update time.

RETURN VALUES

tls_ocsp_process_response() returns 0 on success or -1 on error.

The tls_peer_ocsp_response_status() function returns one of TLS_OCSP_RESPONSE_SUCCESSFUL, TLS_OCSP_RESPONSE_MALFORMED, TLS_OCSP_RESPONSE_INTERNALERROR, TLS_OCSP_RESPONSE_TRYLATER, TLS_OCSP_RESPONSE_SIGREQUIRED, or TLS_OCSP_RESPONSE_UNAUTHORIZED on success or -1 on error.

The tls_peer_ocsp_cert_status() function returns one of TLS_OCSP_CERT_GOOD, TLS_OCSP_CERT_REVOKED, or TLS_OCSP_CERT_UNKNOWN on success, and -1 on error.

The tls_peer_ocsp_crl_reason() function returns one of TLS_CRL_REASON_UNSPECIFIED, TLS_CRL_REASON_KEY_COMPROMISE, TLS_CRL_REASON_CA_COMPROMISE, TLS_CRL_REASON_AFFILIATION_CHANGED, TLS_CRL_REASON_SUPERSEDED, TLS_CRL_REASON_CESSATION_OF_OPERATION, TLS_CRL_REASON_CERTIFICATE_HOLD, TLS_CRL_REASON_REMOVE_FROM_CRL, TLS_CRL_REASON_PRIVILEGE_WITHDRAWN, or TLS_CRL_REASON_AA_COMPROMISE on success or -1 on error.

tls_peer_ocsp_next_update(), tls_peer_ocsp_revocation_time(), and tls_peer_ocsp_this_update() return a time in epoch-seconds on success or -1 on error.

tls_peer_ocsp_result_msg() and tls_peer_ocsp_url() return NULL on error or an out of memory condition.

SEE ALSO

tls_client(3), tls_config_ocsp_require_stapling(3), tls_conn_version(3), tls_connect(3), tls_handshake(3), tls_init(3)

HISTORY

These functions appeared in OpenBSD 6.1.

AUTHORS

Bob Beck <beck@openbsd.org>
Marko Kreen <markokr@gmail.com>