Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
大约 1 年 前同步成功

通知 9
Star 18
Fork 1
T
Third Party Openssl

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
OCSP_response_find_status.pod 4.5 KB
Newer Older
D
Add some OCSP documentation.  
Dr. Stephen Henson 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 
=pod

OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status, OCSP_check_validity - OCSP reponse utility functions.

=head1 SYNOPSIS

 #include <openssl/ocsp.h>

 int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                           int *reason,
                           ASN1_GENERALIZEDTIME **revtime,
                           ASN1_GENERALIZEDTIME **thisupd,
                           ASN1_GENERALIZEDTIME **nextupd);

 int OCSP_resp_count(OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
 int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
 int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                             ASN1_GENERALIZEDTIME **revtime,
                             ASN1_GENERALIZEDTIME **thisupd,
                             ASN1_GENERALIZEDTIME **nextupd);

 int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                         ASN1_GENERALIZEDTIME *nextupd,
                         long sec, long maxsec);

=head1 DESCRIPTION

OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is
successful the fields of the response are returned in B<*status>, B<*reason>,
B<*revtime>, B<*thisupd> and B<*nextupd>.  The B<*status> value will be one of
B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
B<V_OCSP_CERTSTATUS_UNKNOWN>. The B<*reason> and B<*revtime> fields are only
set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the B<*reason> field
will be set to the revocation reason which will be one of
B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.

OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in B<bs>.

OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in B<bs>
corresponding to index B<idx>. Where B<idx> runs from 0 to
OCSP_resp_count(bs) - 1.

OCSP_resp_find() searches B<bs> for B<id> and returns the index of the first
matching entry after B<last> or starting from the beginning if B<last> is -1.

OCSP_single_get0_status() extracts the fields of B<single> in B<*reason>,
B<*revtime>, B<*thisupd> and B<*nextupd>.

OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
which will be typically obtained from OCSP_resp_find_status() or
OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
leeway should be allowed in the check. If B<maxsec> is positive it indicates
the maximum age of B<thisupd> in seconds.

=head1 RETURN VALUES

OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise.

OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
B<bs>.

OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
B<NULL> if B<idx> is out of range.

OCSP_resp_find() returns the index of B<id> in B<bs> (which may be 0) or -1 if
B<id> was not found.

OCSP_single_get0_status() returns the status of B<single> or -1 if an error
occurred.

=head1 NOTES

Applications will typically call OCSP_resp_find_status() using the certificate
ID of interest and then check its validity using OCSP_check_validity(). They
can then take appropriate action based on the status of the certificate.

An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
fields. Normally the current time should be between these two values. To
account for clock skew the B<maxsec> field can be set to non-zero in
OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
would otherwise mean an ancient response would be considered valid: the
B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
age of responses.

The values written to B<*revtime>, B<*thisupd> and B<*nextupd> by
OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
which B<MUST NOT> be freed up by the calling application. Any or all of these
parameters can be set to NULL if their value is not required.

=head1 SEE ALSO

L<crypto(3)|crypto(3)>,
L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>,
L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>,
L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>,
L<OCSP_response_status(3)|OCSP_response_status(3)>,
L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>

=cut