doc/man3/OCSP_resp_find_status.pod - third_party/openssl - Git at Google

 =pod

 =head1 NAME

 OCSP_resp_find_status, OCSP_resp_count,
 OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status,
 OCSP_resp_get0_produced_at, OCSP_resp_get0_signature,
 OCSP_resp_get0_tbs_sigalg, OCSP_resp_get0_respdata,
 OCSP_resp_get0_certs, OCSP_resp_get0_signer,
 OCSP_resp_get0_id, OCSP_resp_get1_id,
 OCSP_check_validity, OCSP_basic_verify
 - OCSP response utility functions

 =head1 SYNOPSIS

  #include <openssl/ocsp.h>

  int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                            int *reason,
                            ASN1_GENERALIZEDTIME **revtime,
                            ASN1_GENERALIZEDTIME **thisupd,
                            ASN1_GENERALIZEDTIME **nextupd);

  int OCSP_resp_count(OCSP_BASICRESP *bs);
  OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
  int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
  int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                              ASN1_GENERALIZEDTIME **revtime,
                              ASN1_GENERALIZEDTIME **thisupd,
                              ASN1_GENERALIZEDTIME **nextupd);

  const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
                              const OCSP_BASICRESP* single);

  const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
  const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
  const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
  const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);

  int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
                            STACK_OF(X509) *extra_certs);

  int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
                        const ASN1_OCTET_STRING **pid,
                        const X509_NAME **pname);
  int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
                        ASN1_OCTET_STRING **pid,
                        X509_NAME **pname);

  int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                          ASN1_GENERALIZEDTIME *nextupd,
                          long sec, long maxsec);

  int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                       X509_STORE *st, unsigned long flags);

 =head1 DESCRIPTION

 OCSP_resp_find_status() searches I<bs> for an OCSP response for I<id>. If it is
 successful the fields of the response are returned in I<*status>, I<*reason>,
 I<*revtime>, I<*thisupd> and I<*nextupd>.  The I<*status> value will be one of
 B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
 B<V_OCSP_CERTSTATUS_UNKNOWN>. The I<*reason> and I<*revtime> fields are only
 set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the I<*reason> field
 will be set to the revocation reason which will be one of
 B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
 B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
 B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
 B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
 B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.

 OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in I<bs>.

 OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in I<bs> corresponding
 to index I<idx>, where I<idx> runs from 0 to OCSP_resp_count(bs) - 1.

 OCSP_resp_find() searches I<bs> for I<id> and returns the index of the first
 matching entry after I<last> or starting from the beginning if I<last> is -1.

 OCSP_single_get0_status() extracts the fields of I<single> in I<*reason>,
 I<*revtime>, I<*thisupd> and I<*nextupd>.

 OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
 single response I<bs>.

 OCSP_resp_get0_signature() returns the signature from I<bs>.

 OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> from I<bs>.

 OCSP_resp_get0_respdata() returns the B<tbsResponseData> from I<bs>.

 OCSP_resp_get0_certs() returns any certificates included in I<bs>.

 OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
 signed I<bs>.  The OCSP protocol does not require that this certificate
 is included in the B<certs> field of the response, so additional certificates
 can be supplied via the I<extra_certs> if the certificates that may have
 signed the response are known via some out-of-band mechanism.

 OCSP_resp_get0_id() gets the responder id of I<bs>. If the responder ID is
 a name then <*pname> is set to the name and I<*pid> is set to NULL. If the
 responder ID is by key ID then I<*pid> is set to the key ID and I<*pname>
 is set to NULL.

 OCSP_resp_get1_id() is the same as OCSP_resp_get0_id()
 but leaves ownership of I<*pid> and I<*pname> with the caller,
 who is responsible for freeing them unless the function returns 0.

 OCSP_check_validity() checks the validity of its I<thisupd> and I<nextupd>
 arguments, which will be typically obtained from OCSP_resp_find_status() or
 OCSP_single_get0_status(). If I<sec> is nonzero it indicates how many seconds
 leeway should be allowed in the check. If I<maxsec> is positive it indicates
 the maximum age of I<thisupd> in seconds.

 OCSP_basic_verify() checks that the basic response message I<bs> is correctly
 signed and that the signer certificate can be validated. It takes I<st> as
 the trusted store and I<certs> as a set of untrusted intermediate certificates.
 The function first tries to find the signer certificate of the response
 in I<certs>. It then searches the certificates the responder may have included
 in I<bs> unless I<flags> contains B<OCSP_NOINTERN>.
 It fails if the signer certificate cannot be found.
 Next, unless I<flags> contains B<OCSP_NOSIGS>, the function checks
 the signature of I<bs> and fails on error. Then the function already returns
 success if I<flags> contains B<OCSP_NOVERIFY> or if the signer certificate
 was found in I<certs> and I<flags> contains B<OCSP_TRUSTOTHER>.
 Otherwise the function continues by validating the signer certificate.
 If I<flags> contains B<OCSP_PARTIAL_CHAIN> it takes intermediate CA
 certificates in I<st> as trust anchors.
 For more details, see the description of B<X509_V_FLAG_PARTIAL_CHAIN>
 in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
 If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
 and in I<bs>, else it takes them as untrusted intermediate CA certificates
 and uses them for constructing the validation path for the signer certificate.
 Certificate revocation status checks using CRLs is disabled during path validation
 if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
 After successful path
 validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
 Otherwise it verifies that the signer certificate meets the OCSP issuer
 criteria including potential delegation. If this does not succeed and the
 B<OCSP_NOEXPLICIT> flag is not set the function checks for explicit
 trust for OCSP signing in the root CA certificate.

 =head1 RETURN VALUES

 OCSP_resp_find_status() returns 1 if I<id> is found in I<bs> and 0 otherwise.

 OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in I<bs>
 or -1 on error.

 OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
 NULL on error, such as I<idx> being out of range.

 OCSP_resp_find() returns the index of I<id> in I<bs> (which may be 0)
 or -1 on error, such as when I<id> was not found.

 OCSP_single_get0_status() returns the status of I<single> or -1 if an error
 occurred.

 OCSP_resp_get0_produced_at() returns the B<producedAt> field from I<bs>.

 OCSP_resp_get0_signature() returns the signature from I<bs>.

 OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> field from I<bs>.

 OCSP_resp_get0_respdata() returns the B<tbsResponseData> field from I<bs>.

 OCSP_resp_get0_certs() returns any certificates included in I<bs>.

 OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
 or 0 if not found or on error.

 OCSP_resp_get0_id() and OCSP_resp_get1_id() return 1 on success, 0 on failure.

 OCSP_check_validity() returns 1 if I<thisupd> and I<nextupd> are valid time
 values and the current time + I<sec> is not before I<thisupd> and,
 if I<maxsec> >= 0, the current time - I<maxsec> is not past I<nextupd>.
 Otherwise it returns 0 to indicate an error.

 OCSP_basic_verify() returns 1 on success, 0 on verification not successful,
 or -1 on a fatal error such as malloc failure.

 =head1 NOTES

 Applications will typically call OCSP_resp_find_status() using the certificate
 ID of interest and then check its validity using OCSP_check_validity(). They
 can then take appropriate action based on the status of the certificate.

 An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
 fields. Normally the current time should be between these two values. To
 account for clock skew the I<maxsec> field can be set to nonzero in
 OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
 would otherwise mean an ancient response would be considered valid: the
 I<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
 age of responses.

 The values written to I<*revtime>, I<*thisupd> and I<*nextupd> by
 OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
 which MUST NOT be freed up by the calling application. Any or all of these
 parameters can be set to NULL if their value is not required.

 =head1 SEE ALSO

 L<crypto(7)>,
 L<OCSP_cert_to_id(3)>,
 L<OCSP_request_add1_nonce(3)>,
 L<OCSP_REQUEST_new(3)>,
 L<OCSP_response_status(3)>,
 L<OCSP_sendreq_new(3)>,
 L<X509_VERIFY_PARAM_set_flags(3)>

 =head1 COPYRIGHT

 Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.

 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
 in the file LICENSE in the source distribution or at
 L<https://www.openssl.org/source/license.html>.

 =cut
	=pod

	=head1 NAME

	OCSP_resp_find_status, OCSP_resp_count,
	OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status,
	OCSP_resp_get0_produced_at, OCSP_resp_get0_signature,
	OCSP_resp_get0_tbs_sigalg, OCSP_resp_get0_respdata,
	OCSP_resp_get0_certs, OCSP_resp_get0_signer,
	OCSP_resp_get0_id, OCSP_resp_get1_id,
	OCSP_check_validity, OCSP_basic_verify
	- OCSP response utility functions

	=head1 SYNOPSIS

	#include <openssl/ocsp.h>

	int OCSP_resp_find_status(OCSP_BASICRESP bs, OCSP_CERTID id, int *status,
	int *reason,
	ASN1_GENERALIZEDTIME **revtime,
	ASN1_GENERALIZEDTIME **thisupd,
	ASN1_GENERALIZEDTIME **nextupd);

	int OCSP_resp_count(OCSP_BASICRESP *bs);
	OCSP_SINGLERESP OCSP_resp_get0(OCSP_BASICRESP bs, int idx);
	int OCSP_resp_find(OCSP_BASICRESP bs, OCSP_CERTID id, int last);
	int OCSP_single_get0_status(OCSP_SINGLERESP single, int reason,
	ASN1_GENERALIZEDTIME **revtime,
	ASN1_GENERALIZEDTIME **thisupd,
	ASN1_GENERALIZEDTIME **nextupd);

	const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
	const OCSP_BASICRESP* single);

	const ASN1_OCTET_STRING OCSP_resp_get0_signature(const OCSP_BASICRESP bs);
	const X509_ALGOR OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP bs);
	const OCSP_RESPDATA OCSP_resp_get0_respdata(const OCSP_BASICRESP bs);
	const STACK_OF(X509) OCSP_resp_get0_certs(const OCSP_BASICRESP bs);

	int OCSP_resp_get0_signer(OCSP_BASICRESP bs, X509 *signer,
	STACK_OF(X509) *extra_certs);

	int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
	const ASN1_OCTET_STRING **pid,
	const X509_NAME **pname);
	int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
	ASN1_OCTET_STRING **pid,
	X509_NAME **pname);

	int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
	ASN1_GENERALIZEDTIME *nextupd,
	long sec, long maxsec);

	int OCSP_basic_verify(OCSP_BASICRESP bs, STACK_OF(X509) certs,
	X509_STORE *st, unsigned long flags);

	=head1 DESCRIPTION

	OCSP_resp_find_status() searches I<bs> for an OCSP response for I<id>. If it is
	successful the fields of the response are returned in I<status>, I<reason>,
	I<revtime>, I<thisupd> and I<nextupd>. The I<status> value will be one of
	B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
	B<V_OCSP_CERTSTATUS_UNKNOWN>. The I<reason> and I<revtime> fields are only
	set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the I<*reason> field
	will be set to the revocation reason which will be one of
	B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
	B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
	B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
	B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
	B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.

	OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in I<bs>.

	OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in I<bs> corresponding
	to index I<idx>, where I<idx> runs from 0 to OCSP_resp_count(bs) - 1.

	OCSP_resp_find() searches I<bs> for I<id> and returns the index of the first
	matching entry after I<last> or starting from the beginning if I<last> is -1.

	OCSP_single_get0_status() extracts the fields of I<single> in I<*reason>,
	I<revtime>, I<thisupd> and I<*nextupd>.

	OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
	single response I<bs>.

	OCSP_resp_get0_signature() returns the signature from I<bs>.

	OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> from I<bs>.

	OCSP_resp_get0_respdata() returns the B<tbsResponseData> from I<bs>.

	OCSP_resp_get0_certs() returns any certificates included in I<bs>.

	OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
	signed I<bs>. The OCSP protocol does not require that this certificate
	is included in the B<certs> field of the response, so additional certificates
	can be supplied via the I<extra_certs> if the certificates that may have
	signed the response are known via some out-of-band mechanism.

	OCSP_resp_get0_id() gets the responder id of I<bs>. If the responder ID is
	a name then <pname> is set to the name and I<pid> is set to NULL. If the
	responder ID is by key ID then I<pid> is set to the key ID and I<pname>
	is set to NULL.

	OCSP_resp_get1_id() is the same as OCSP_resp_get0_id()
	but leaves ownership of I<pid> and I<pname> with the caller,
	who is responsible for freeing them unless the function returns 0.

	OCSP_check_validity() checks the validity of its I<thisupd> and I<nextupd>
	arguments, which will be typically obtained from OCSP_resp_find_status() or
	OCSP_single_get0_status(). If I<sec> is nonzero it indicates how many seconds
	leeway should be allowed in the check. If I<maxsec> is positive it indicates
	the maximum age of I<thisupd> in seconds.

	OCSP_basic_verify() checks that the basic response message I<bs> is correctly
	signed and that the signer certificate can be validated. It takes I<st> as
	the trusted store and I<certs> as a set of untrusted intermediate certificates.
	The function first tries to find the signer certificate of the response
	in I<certs>. It then searches the certificates the responder may have included
	in I<bs> unless I<flags> contains B<OCSP_NOINTERN>.
	It fails if the signer certificate cannot be found.
	Next, unless I<flags> contains B<OCSP_NOSIGS>, the function checks
	the signature of I<bs> and fails on error. Then the function already returns
	success if I<flags> contains B<OCSP_NOVERIFY> or if the signer certificate
	was found in I<certs> and I<flags> contains B<OCSP_TRUSTOTHER>.
	Otherwise the function continues by validating the signer certificate.
	If I<flags> contains B<OCSP_PARTIAL_CHAIN> it takes intermediate CA
	certificates in I<st> as trust anchors.
	For more details, see the description of B<X509_V_FLAG_PARTIAL_CHAIN>
	in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
	If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
	and in I<bs>, else it takes them as untrusted intermediate CA certificates
	and uses them for constructing the validation path for the signer certificate.
	Certificate revocation status checks using CRLs is disabled during path validation
	if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
	After successful path
	validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
	Otherwise it verifies that the signer certificate meets the OCSP issuer
	criteria including potential delegation. If this does not succeed and the
	B<OCSP_NOEXPLICIT> flag is not set the function checks for explicit
	trust for OCSP signing in the root CA certificate.

	=head1 RETURN VALUES

	OCSP_resp_find_status() returns 1 if I<id> is found in I<bs> and 0 otherwise.

	OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in I<bs>
	or -1 on error.

	OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
	NULL on error, such as I<idx> being out of range.

	OCSP_resp_find() returns the index of I<id> in I<bs> (which may be 0)
	or -1 on error, such as when I<id> was not found.

	OCSP_single_get0_status() returns the status of I<single> or -1 if an error
	occurred.

	OCSP_resp_get0_produced_at() returns the B<producedAt> field from I<bs>.

	OCSP_resp_get0_signature() returns the signature from I<bs>.

	OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> field from I<bs>.

	OCSP_resp_get0_respdata() returns the B<tbsResponseData> field from I<bs>.

	OCSP_resp_get0_certs() returns any certificates included in I<bs>.

	OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
	or 0 if not found or on error.

	OCSP_resp_get0_id() and OCSP_resp_get1_id() return 1 on success, 0 on failure.

	OCSP_check_validity() returns 1 if I<thisupd> and I<nextupd> are valid time
	values and the current time + I<sec> is not before I<thisupd> and,
	if I<maxsec> >= 0, the current time - I<maxsec> is not past I<nextupd>.
	Otherwise it returns 0 to indicate an error.

	OCSP_basic_verify() returns 1 on success, 0 on verification not successful,
	or -1 on a fatal error such as malloc failure.

	=head1 NOTES

	Applications will typically call OCSP_resp_find_status() using the certificate
	ID of interest and then check its validity using OCSP_check_validity(). They
	can then take appropriate action based on the status of the certificate.

	An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
	fields. Normally the current time should be between these two values. To
	account for clock skew the I<maxsec> field can be set to nonzero in
	OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
	would otherwise mean an ancient response would be considered valid: the
	I<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
	age of responses.

	The values written to I<revtime>, I<thisupd> and I<*nextupd> by
	OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
	which MUST NOT be freed up by the calling application. Any or all of these
	parameters can be set to NULL if their value is not required.

	=head1 SEE ALSO

	L<crypto(7)>,
	L<OCSP_cert_to_id(3)>,
	L<OCSP_request_add1_nonce(3)>,
	L<OCSP_REQUEST_new(3)>,
	L<OCSP_response_status(3)>,
	L<OCSP_sendreq_new(3)>,
	L<X509_VERIFY_PARAM_set_flags(3)>

	=head1 COPYRIGHT

	Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.

	Licensed under the Apache License 2.0 (the "License"). You may not use
	this file except in compliance with the License. You can obtain a copy
	in the file LICENSE in the source distribution or at
	L<https://www.openssl.org/source/license.html>.

	=cut