[thirdparty/openssl.git] / doc / man3 / OCSP_resp_find_status.pod

=pod

=head1 NAME

OCSP_resp_get0_certs,
OCSP_resp_get0_signer,
OCSP_resp_get0_id,
OCSP_resp_get1_id,
OCSP_resp_get0_produced_at,
OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
OCSP_single_get0_status, OCSP_check_validity
- OCSP response utility functions

=head1 SYNOPSIS

 #include <openssl/ocsp.h>

 int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                           int *reason,
                           ASN1_GENERALIZEDTIME **revtime,
                           ASN1_GENERALIZEDTIME **thisupd,
                           ASN1_GENERALIZEDTIME **nextupd);

 int OCSP_resp_count(OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
 int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
 int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                             ASN1_GENERALIZEDTIME **revtime,
                             ASN1_GENERALIZEDTIME **thisupd,
                             ASN1_GENERALIZEDTIME **nextupd);

 const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
                             const OCSP_BASICRESP* single);

 const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);

 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
                           STACK_OF(X509) *extra_certs);

 int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
                       const ASN1_OCTET_STRING **pid,
                       const X509_NAME **pname);
 int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
                       ASN1_OCTET_STRING **pid,
                       X509_NAME **pname);

 int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                         ASN1_GENERALIZEDTIME *nextupd,
                         long sec, long maxsec);

=head1 DESCRIPTION

OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is
successful the fields of the response are returned in B<*status>, B<*reason>,
B<*revtime>, B<*thisupd> and B<*nextupd>.  The B<*status> value will be one of
B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
B<V_OCSP_CERTSTATUS_UNKNOWN>. The B<*reason> and B<*revtime> fields are only
set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the B<*reason> field
will be set to the revocation reason which will be one of
B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.

OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in B<bs>.

OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in B<bs>
corresponding to index B<idx>. Where B<idx> runs from 0 to
OCSP_resp_count(bs) - 1.

OCSP_resp_find() searches B<bs> for B<id> and returns the index of the first
matching entry after B<last> or starting from the beginning if B<last> is -1.

OCSP_single_get0_status() extracts the fields of B<single> in B<*reason>,
B<*revtime>, B<*thisupd> and B<*nextupd>.

OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
single response B<bs>.

OCSP_resp_get0_certs() returns any certificates included in B<bs>.

OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
signed B<bs>.  The OCSP protocol does not require that this certificate
is included in the B<certs> field of the response, so additional certificates
can be supplied in B<extra_certs> if the certificates that may have
signed the response are known via some out-of-band mechanism.

OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is
a name then <*pname> is set to the name and B<*pid> is set to NULL. If the
responder ID is by key ID then B<*pid> is set to the key ID and B<*pname>
is set to NULL. OCSP_resp_get1_id() leaves ownership of B<*pid> and B<*pname>
with the caller, who is responsible for freeing them. Both functions return 1
in case of success and 0 in case of failure. If OCSP_resp_get1_id() returns 0,
no freeing of the results is necessary.

OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
which will be typically obtained from OCSP_resp_find_status() or
OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
leeway should be allowed in the check. If B<maxsec> is positive it indicates
the maximum age of B<thisupd> in seconds.

=head1 RETURN VALUES

OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise.

OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
B<bs>.

OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
B<NULL> if B<idx> is out of range.

OCSP_resp_find() returns the index of B<id> in B<bs> (which may be 0) or -1 if
B<id> was not found.

OCSP_single_get0_status() returns the status of B<single> or -1 if an error
occurred.

OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
or 0 on error.

=head1 NOTES

Applications will typically call OCSP_resp_find_status() using the certificate
ID of interest and then check its validity using OCSP_check_validity(). They
can then take appropriate action based on the status of the certificate.

An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
fields. Normally the current time should be between these two values. To
account for clock skew the B<maxsec> field can be set to non-zero in
OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
would otherwise mean an ancient response would be considered valid: the
B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
age of responses.

The values written to B<*revtime>, B<*thisupd> and B<*nextupd> by
OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
which B<MUST NOT> be freed up by the calling application. Any or all of these
parameters can be set to NULL if their value is not required.

=head1 SEE ALSO

L<crypto(7)>,
L<OCSP_cert_to_id(3)>,
L<OCSP_request_add1_nonce(3)>,
L<OCSP_REQUEST_new(3)>,
L<OCSP_response_status(3)>,
L<OCSP_sendreq_new(3)>

=head1 COPYRIGHT

Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
797a89a1 DSH	1	=pod
797a89a1 DSH	2
aec3ecd0 RL	3	=head1 NAME
aec3ecd0 RL	4
1a627771	5	OCSP_resp_get0_certs,
ce5886dd	6	OCSP_resp_get0_signer,
1a627771	7	OCSP_resp_get0_id,
db17e43d	8	OCSP_resp_get1_id,
c952780c RS	9	OCSP_resp_get0_produced_at,
	10	OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
	11	OCSP_single_get0_status, OCSP_check_validity
	12	- OCSP response utility functions
797a89a1 DSH	13
	14	=head1 SYNOPSIS
	15
	16	#include <openssl/ocsp.h>
	17
	18	int OCSP_resp_find_status(OCSP_BASICRESP bs, OCSP_CERTID id, int *status,
	19	int *reason,
	20	ASN1_GENERALIZEDTIME **revtime,
	21	ASN1_GENERALIZEDTIME **thisupd,
	22	ASN1_GENERALIZEDTIME **nextupd);
	23
	24	int OCSP_resp_count(OCSP_BASICRESP *bs);
	25	OCSP_SINGLERESP OCSP_resp_get0(OCSP_BASICRESP bs, int idx);
	26	int OCSP_resp_find(OCSP_BASICRESP bs, OCSP_CERTID id, int last);
	27	int OCSP_single_get0_status(OCSP_SINGLERESP single, int reason,
	28	ASN1_GENERALIZEDTIME **revtime,
	29	ASN1_GENERALIZEDTIME **thisupd,
	30	ASN1_GENERALIZEDTIME **nextupd);
	31
79613ea8 MC	32	const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
79613ea8 MC	33	const OCSP_BASICRESP* single);
213f60bf	34
02fb7cfe DSH	35	const STACK_OF(X509) OCSP_resp_get0_certs(const OCSP_BASICRESP bs);
02fb7cfe DSH	36
b741fcd2	37	int OCSP_resp_get0_signer(OCSP_BASICRESP bs, X509 *signer,
ce5886dd BK	38	STACK_OF(X509) *extra_certs);
ce5886dd BK	39
02fb7cfe DSH	40	int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
	41	const ASN1_OCTET_STRING **pid,
	42	const X509_NAME **pname);
db17e43d SS	43	int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
	44	ASN1_OCTET_STRING **pid,
	45	X509_NAME **pname);
02fb7cfe	46
797a89a1 DSH	47	int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
	48	ASN1_GENERALIZEDTIME *nextupd,
	49	long sec, long maxsec);
	50
	51	=head1 DESCRIPTION
	52
	53	OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is
	54	successful the fields of the response are returned in B<status>, B<reason>,
	55	B<revtime>, B<thisupd> and B<nextupd>. The B<status> value will be one of
	56	B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
	57	B<V_OCSP_CERTSTATUS_UNKNOWN>. The B<reason> and B<revtime> fields are only
	58	set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the B<*reason> field
	59	will be set to the revocation reason which will be one of
	60	B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
	61	B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
	62	B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
	63	B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
	64	B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.
	65
	66	OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in B<bs>.
	67
	68	OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in B<bs>
	69	corresponding to index B<idx>. Where B<idx> runs from 0 to
	70	OCSP_resp_count(bs) - 1.
	71
	72	OCSP_resp_find() searches B<bs> for B<id> and returns the index of the first
	73	matching entry after B<last> or starting from the beginning if B<last> is -1.
	74
	75	OCSP_single_get0_status() extracts the fields of B<single> in B<*reason>,
	76	B<revtime>, B<thisupd> and B<*nextupd>.
	77
213f60bf RS	78	OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
	79	single response B<bs>.
	80
02fb7cfe DSH	81	OCSP_resp_get0_certs() returns any certificates included in B<bs>.
02fb7cfe DSH	82
eb48052e	83	OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
ce5886dd BK	84	signed B<bs>. The OCSP protocol does not require that this certificate
	85	is included in the B<certs> field of the response, so additional certificates
	86	can be supplied in B<extra_certs> if the certificates that may have
	87	signed the response are known via some out-of-band mechanism.
	88
	89	OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is
02fb7cfe DSH	90	a name then <pname> is set to the name and B<pid> is set to NULL. If the
02fb7cfe DSH	91	responder ID is by key ID then B<pid> is set to the key ID and B<pname>
db17e43d SS	92	is set to NULL. OCSP_resp_get1_id() leaves ownership of B<pid> and B<pname>
	93	with the caller, who is responsible for freeing them. Both functions return 1
	94	in case of success and 0 in case of failure. If OCSP_resp_get1_id() returns 0,
	95	no freeing of the results is necessary.
02fb7cfe	96
797a89a1 DSH	97	OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
	98	which will be typically obtained from OCSP_resp_find_status() or
	99	OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
	100	leeway should be allowed in the check. If B<maxsec> is positive it indicates
	101	the maximum age of B<thisupd> in seconds.
	102
	103	=head1 RETURN VALUES
	104
	105	OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise.
	106
	107	OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
	108	B<bs>.
	109
	110	OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
	111	B<NULL> if B<idx> is out of range.
	112
	113	OCSP_resp_find() returns the index of B<id> in B<bs> (which may be 0) or -1 if
	114	B<id> was not found.
	115
	116	OCSP_single_get0_status() returns the status of B<single> or -1 if an error
	117	occurred.
	118
ce5886dd BK	119	OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
	120	or 0 on error.
	121
797a89a1 DSH	122	=head1 NOTES
	123
	124	Applications will typically call OCSP_resp_find_status() using the certificate
	125	ID of interest and then check its validity using OCSP_check_validity(). They
	126	can then take appropriate action based on the status of the certificate.
	127
	128	An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
	129	fields. Normally the current time should be between these two values. To
	130	account for clock skew the B<maxsec> field can be set to non-zero in
	131	OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
	132	would otherwise mean an ancient response would be considered valid: the
	133	B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
	134	age of responses.
	135
	136	The values written to B<revtime>, B<thisupd> and B<*nextupd> by
	137	OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
	138	which B<MUST NOT> be freed up by the calling application. Any or all of these
	139	parameters can be set to NULL if their value is not required.
	140
	141	=head1 SEE ALSO
	142
b97fdb57	143	L<crypto(7)>,
9b86974e RS	144	L<OCSP_cert_to_id(3)>,
	145	L<OCSP_request_add1_nonce(3)>,
	146	L<OCSP_REQUEST_new(3)>,
	147	L<OCSP_response_status(3)>,
	148	L<OCSP_sendreq_new(3)>
797a89a1	149
e2f92610 RS	150	=head1 COPYRIGHT
	151
	152	Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
	153
	154	Licensed under the OpenSSL license (the "License"). You may not use
	155	this file except in compliance with the License. You can obtain a copy
	156	in the file LICENSE in the source distribution or at
	157	L<https://www.openssl.org/source/license.html>.
	158
	159	=cut