OpenBSD manual page server

Manual Page Search Parameters

OCSP_RESP_FIND_STATUS(3) Library Functions Manual OCSP_RESP_FIND_STATUS(3)

OCSP_SINGLERESP_new, OCSP_SINGLERESP_free, OCSP_CERTSTATUS_new, OCSP_CERTSTATUS_free, OCSP_REVOKEDINFO_new, OCSP_REVOKEDINFO_free, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_SINGLERESP_get0_id, OCSP_single_get0_status, OCSP_check_validityOCSP response utility functions

#include <openssl/ocsp.h>

OCSP_SINGLERESP *
OCSP_SINGLERESP_new(void);

void
OCSP_SINGLERESP_free(OCSP_SINGLERESP *single);

OCSP_CERTSTATUS *
OCSP_CERTSTATUS_new(void);

void
OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *certstatus);

OCSP_REVOKEDINFO *
OCSP_REVOKEDINFO_new(void);

void
OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *revokedinfo);

int
OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);

int
OCSP_resp_count(OCSP_BASICRESP *bs);

OCSP_SINGLERESP *
OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);

int
OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);

const OCSP_CERTID *
OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single);

int
OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);

int
OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);

() allocates and initializes an empty OCSP_SINGLERESP object, representing an ASN.1 SingleResponse structure defined in RFC 6960. Each such object can store the server's answer regarding the validity of one individual certificate. Such objects are used inside the OCSP_RESPDATA of OCSP_BASICRESP objects, which are described in OCSP_BASICRESP_new(3). () frees single.

() allocates and initializes an empty OCSP_CERTSTATUS object, representing an ASN.1 CertStatus structure defined in RFC 6960. Such an object is used inside OCSP_SINGLERESP. () frees certstatus.

() allocates and initializes an empty OCSP_REVOKEDINFO object, representing an ASN.1 RevokedInfo structure defined in RFC 6960. Such an object is used inside OCSP_CERTSTATUS. () frees revokedinfo.

() searches bs for an OCSP response for id. If it is successful, the fields of the response are returned in *status, *reason, *revtime, *thisupd and *nextupd. The *status value will be one of V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED, or V_OCSP_CERTSTATUS_UNKNOWN. The *reason and *revtime fields are only set if the status is V_OCSP_CERTSTATUS_REVOKED. If set, the *reason field will be set to the revocation reason which will be one of OCSP_REVOKED_STATUS_NOSTATUS, OCSP_REVOKED_STATUS_UNSPECIFIED, OCSP_REVOKED_STATUS_KEYCOMPROMISE, OCSP_REVOKED_STATUS_CACOMPROMISE, OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, OCSP_REVOKED_STATUS_SUPERSEDED, OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, OCSP_REVOKED_STATUS_CERTIFICATEHOLD or OCSP_REVOKED_STATUS_REMOVEFROMCRL.

() returns the number of OCSP_SINGLERESP structures in bs.

() returns the OCSP_SINGLERESP structure in bs corresponding to index idx, where idx runs from 0 to OCSP_resp_count(bs) - 1.

() searches bs for id and returns the index of the first matching entry after last or starting from the beginning if last is -1.

() extracts the fields of single in *reason, *revtime, *thisupd, and *nextupd.

() checks the validity of thisupd and nextupd values which will be typically obtained from OCSP_resp_find_status() or OCSP_single_get0_status(). If sec is non-zero it indicates how many seconds leeway should be allowed in the check. If maxsec is positive it indicates the maximum age of thisupd in seconds.

Applications will typically call () using the certificate ID of interest and then check its validity using OCSP_check_validity(). They can then take appropriate action based on the status of the certificate.

An OCSP response for a certificate contains and nextUpdate fields. Normally the current time should be between these two values. To account for clock skew, the maxsec field can be set to non-zero in (). Some responders do not set the nextUpdate field. This would otherwise mean an ancient response would be considered valid: the maxsec parameter to OCSP_check_validity() can be used to limit the permitted age of responses.

The values written to *revtime, *thisupd, and *nextupd by () and OCSP_single_get0_status() are internal pointers which must not be freed up by the calling application. Any or all of these parameters can be set to NULL if their value is not required.

OCSP_SINGLERESP_new(), OCSP_CERTSTATUS_new(), and OCSP_REVOKEDINFO_new() return a pointer to an empty OCSP_SINGLERESP, OCSP_CERTSTATUS, or OCSP_REVOKEDINFO object, respectively, or NULL if an error occurred.

OCSP_resp_find_status() returns 1 if id is found in bs or 0 otherwise.

OCSP_resp_count() returns the total number of OCSP_SINGLERESP fields in bs.

OCSP_resp_get0() returns a pointer to an OCSP_SINGLERESP structure or NULL if idx is out of range.

OCSP_resp_find() returns the index of id in bs (which may be 0) or -1 if id was not found.

OCSP_SINGLERESP_get0_id() returns an internal pointer to the certificate ID object used by single; the returned pointer should not be freed by the caller.

OCSP_single_get0_status() returns the status of single or -1 if an error occurred.

OCSP_cert_to_id(3), OCSP_CRLID_new(3), OCSP_request_add1_nonce(3), OCSP_REQUEST_new(3), OCSP_response_status(3), OCSP_sendreq_new(3)

RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.2: Response Syntax

OCSP_SINGLERESP_new(), OCSP_SINGLERESP_free(), OCSP_CERTSTATUS_new(), OCSP_CERTSTATUS_free(), OCSP_REVOKEDINFO_new(), OCSP_REVOKEDINFO_free(), OCSP_resp_find_status(), OCSP_resp_count(), OCSP_resp_get0(), OCSP_resp_find(), OCSP_single_get0_status(), and OCSP_check_validity() first appeared in OpenSSL 0.9.7 and have been available since OpenBSD 3.2.

OCSP_SINGLERESP_get0_id() first appeared in OpenSSL 1.1.0 and has been available since OpenBSD 6.3.

March 23, 2018 OpenBSD-6.4