OpenBSD manual page server

Manual Page Search Parameters

OCSP_RESP_FIND_STATUS(3) Library Functions Manual OCSP_RESP_FIND_STATUS(3)

OCSP_SINGLERESP_new, OCSP_SINGLERESP_free, OCSP_CERTSTATUS_new, OCSP_CERTSTATUS_free, OCSP_REVOKEDINFO_new, OCSP_REVOKEDINFO_free, OCSP_resp_find_status, OCSP_cert_status_str, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_SINGLERESP_get0_id, OCSP_single_get0_status, OCSP_check_validity, OCSP_basic_verifyOCSP response utility functions

#include <openssl/ocsp.h>

OCSP_SINGLERESP *
OCSP_SINGLERESP_new(void);

void
OCSP_SINGLERESP_free(OCSP_SINGLERESP *single);

OCSP_CERTSTATUS *
OCSP_CERTSTATUS_new(void);

void
OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *certstatus);

OCSP_REVOKEDINFO *
OCSP_REVOKEDINFO_new(void);

void
OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *revokedinfo);

int
OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);

const char *
OCSP_cert_status_str(long status);

int
OCSP_resp_count(OCSP_BASICRESP *bs);

OCSP_SINGLERESP *
OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);

int
OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);

const OCSP_CERTID *
OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single);

int
OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);

int
OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);

int
OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);

() allocates and initializes an empty OCSP_SINGLERESP object, representing an ASN.1 SingleResponse structure defined in RFC 6960. Each such object can store the server's answer regarding the validity of one individual certificate. Such objects are used inside the OCSP_RESPDATA of OCSP_BASICRESP objects, which are described in OCSP_BASICRESP_new(3). () frees single.

() allocates and initializes an empty OCSP_CERTSTATUS object, representing an ASN.1 CertStatus structure defined in RFC 6960. Such an object is used inside OCSP_SINGLERESP. () frees certstatus.

() allocates and initializes an empty OCSP_REVOKEDINFO object, representing an ASN.1 RevokedInfo structure defined in RFC 6960. Such an object is used inside OCSP_CERTSTATUS. () frees revokedinfo.

() searches bs for an OCSP response for id. If it is successful, the fields of the response are returned in *status, *reason, *revtime, *thisupd and *nextupd. The *status value will be one of V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED, or V_OCSP_CERTSTATUS_UNKNOWN. The *reason and *revtime fields are only set if the status is V_OCSP_CERTSTATUS_REVOKED. If set, the *reason field will be set to the revocation reason which will be one of OCSP_REVOKED_STATUS_NOSTATUS, OCSP_REVOKED_STATUS_UNSPECIFIED, OCSP_REVOKED_STATUS_KEYCOMPROMISE, OCSP_REVOKED_STATUS_CACOMPROMISE, OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, OCSP_REVOKED_STATUS_SUPERSEDED, OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, OCSP_REVOKED_STATUS_CERTIFICATEHOLD or OCSP_REVOKED_STATUS_REMOVEFROMCRL.

() converts one of the status codes retrieved by OCSP_resp_find_status() to a string consisting of one word.

() returns the number of OCSP_SINGLERESP structures in bs.

() returns the OCSP_SINGLERESP structure in bs corresponding to index idx, where idx runs from 0 to OCSP_resp_count(bs) - 1.

() searches bs for id and returns the index of the first matching entry after last or starting from the beginning if last is -1.

() extracts the fields of single in *reason, *revtime, *thisupd, and *nextupd.

() checks the validity of thisupd and nextupd values which will be typically obtained from OCSP_resp_find_status() or OCSP_single_get0_status(). If sec is non-zero it indicates how many seconds leeway should be allowed in the check. If maxsec is positive it indicates the maximum age of thisupd in seconds.

Applications will typically call () using the certificate ID of interest and then check its validity using OCSP_check_validity(). They can then take appropriate action based on the status of the certificate.

An OCSP response for a certificate contains and nextUpdate fields. Normally the current time should be between these two values. To account for clock skew, the maxsec field can be set to non-zero in (). Some responders do not set the nextUpdate field. This would otherwise mean an ancient response would be considered valid: the maxsec parameter to OCSP_check_validity() can be used to limit the permitted age of responses.

The values written to *revtime, *thisupd, and *nextupd by () and OCSP_single_get0_status() are internal pointers which must not be freed up by the calling application. Any or all of these parameters can be set to NULL if their value is not required.

() checks that the basic response message bs is correctly signed and that the signer certificate can be validated. It takes st as the trusted store and certs as a set of untrusted intermediate certificates. The function first tries to find the signer certificate of the response in certs. It also searches the certificates the responder may have included in bs unless the flags contain OCSP_NOINTERN. It fails if the signer certificate cannot be found. Next, the function checks the signature of bs and fails on error unless the flags contain OCSP_NOSIGS. Then the function already returns success if the flags contain OCSP_NOVERIFY or if the signer certificate was found in certs and the flags contain OCSP_TRUSTOTHER. Otherwise the function continues by validating the signer certificate. To this end, all certificates in certs and in bs are considered as untrusted certificates for the construction of the validation path for the signer certificate unless the OCSP_NOCHAIN flag is set. After successful path validation, the function returns success if the OCSP_NOCHECKS flag is set. Otherwise it verifies that the signer certificate meets the OCSP issuer criteria including potential delegation. If this does not succeed and the flags do not contain OCSP_NOEXPLICIT, the function checks for explicit trust for OCSP signing in the root CA certificate.

OCSP_SINGLERESP_new(), OCSP_CERTSTATUS_new(), and OCSP_REVOKEDINFO_new() return a pointer to an empty OCSP_SINGLERESP, OCSP_CERTSTATUS, or OCSP_REVOKEDINFO object, respectively, or NULL if an error occurred.

OCSP_resp_find_status() returns 1 if id is found in bs or 0 otherwise.

OCSP_cert_status_str() returns a pointer to a static string.

OCSP_resp_count() returns the total number of OCSP_SINGLERESP fields in bs.

OCSP_resp_get0() returns a pointer to an OCSP_SINGLERESP structure or NULL if idx is out of range.

OCSP_resp_find() returns the index of id in bs (which may be 0) or -1 if id was not found.

OCSP_SINGLERESP_get0_id() returns an internal pointer to the certificate ID object used by single; the returned pointer should not be freed by the caller.

OCSP_single_get0_status() returns the status of single or -1 if an error occurred.

OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such as malloc failure.

OCSP_cert_to_id(3), OCSP_CRLID_new(3), OCSP_request_add1_nonce(3), OCSP_REQUEST_new(3), OCSP_response_status(3), OCSP_sendreq_new(3)

RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.2: Response Syntax

OCSP_SINGLERESP_new(), OCSP_SINGLERESP_free(), OCSP_CERTSTATUS_new(), OCSP_CERTSTATUS_free(), OCSP_REVOKEDINFO_new(), OCSP_REVOKEDINFO_free(), OCSP_resp_find_status(), OCSP_cert_status_str(), OCSP_resp_count(), OCSP_resp_get0(), OCSP_resp_find(), OCSP_single_get0_status(), and OCSP_check_validity() first appeared in OpenSSL 0.9.7 and have been available since OpenBSD 3.2.

OCSP_SINGLERESP_get0_id() first appeared in OpenSSL 1.1.0 and has been available since OpenBSD 6.3.

August 27, 2019 OpenBSD-6.7