5 OCSP_resp_get0_produced_at,
6 OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
7 OCSP_single_get0_status, OCSP_check_validity
8 - OCSP response utility functions
12 #include <openssl/ocsp.h>
14 int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
16 ASN1_GENERALIZEDTIME **revtime,
17 ASN1_GENERALIZEDTIME **thisupd,
18 ASN1_GENERALIZEDTIME **nextupd);
20 int OCSP_resp_count(OCSP_BASICRESP *bs);
21 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
22 int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
23 int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
24 ASN1_GENERALIZEDTIME **revtime,
25 ASN1_GENERALIZEDTIME **thisupd,
26 ASN1_GENERALIZEDTIME **nextupd);
28 ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(OCSP_BASICRESP* single);
30 int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
31 ASN1_GENERALIZEDTIME *nextupd,
32 long sec, long maxsec);
36 OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is
37 successful the fields of the response are returned in B<*status>, B<*reason>,
38 B<*revtime>, B<*thisupd> and B<*nextupd>. The B<*status> value will be one of
39 B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
40 B<V_OCSP_CERTSTATUS_UNKNOWN>. The B<*reason> and B<*revtime> fields are only
41 set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the B<*reason> field
42 will be set to the revocation reason which will be one of
43 B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
44 B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
45 B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
46 B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
47 B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.
49 OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in B<bs>.
51 OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in B<bs>
52 corresponding to index B<idx>. Where B<idx> runs from 0 to
53 OCSP_resp_count(bs) - 1.
55 OCSP_resp_find() searches B<bs> for B<id> and returns the index of the first
56 matching entry after B<last> or starting from the beginning if B<last> is -1.
58 OCSP_single_get0_status() extracts the fields of B<single> in B<*reason>,
59 B<*revtime>, B<*thisupd> and B<*nextupd>.
61 OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
62 single response B<bs>.
64 OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
65 which will be typically obtained from OCSP_resp_find_status() or
66 OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
67 leeway should be allowed in the check. If B<maxsec> is positive it indicates
68 the maximum age of B<thisupd> in seconds.
72 OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise.
74 OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
77 OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
78 B<NULL> if B<idx> is out of range.
80 OCSP_resp_find() returns the index of B<id> in B<bs> (which may be 0) or -1 if
83 OCSP_single_get0_status() returns the status of B<single> or -1 if an error
88 Applications will typically call OCSP_resp_find_status() using the certificate
89 ID of interest and then check its validity using OCSP_check_validity(). They
90 can then take appropriate action based on the status of the certificate.
92 An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
93 fields. Normally the current time should be between these two values. To
94 account for clock skew the B<maxsec> field can be set to non-zero in
95 OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
96 would otherwise mean an ancient response would be considered valid: the
97 B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
100 The values written to B<*revtime>, B<*thisupd> and B<*nextupd> by
101 OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
102 which B<MUST NOT> be freed up by the calling application. Any or all of these
103 parameters can be set to NULL if their value is not required.
108 L<OCSP_cert_to_id(3)>,
109 L<OCSP_request_add1_nonce(3)>,
110 L<OCSP_REQUEST_new(3)>,
111 L<OCSP_response_status(3)>,
112 L<OCSP_sendreq_new(3)>
116 Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
118 Licensed under the OpenSSL license (the "License"). You may not use
119 this file except in compliance with the License. You can obtain a copy
120 in the file LICENSE in the source distribution or at
121 L<https://www.openssl.org/source/license.html>.