提交 797a89a1 编写于 作者: D Dr. Stephen Henson

Add some OCSP documentation.

Reviewed-by: NMatt Caswell <matt@openssl.org>
上级 431f458d
=pod
OCSP_REQUEST_new, OCSP_REQUEST_free, OCSP_request_add0_id, OCSP_request_sign,
OCSP_request_add1_cert, OCSP_request_onereq_count,
OCSP_request_onereq_get0 - OCSP request functions.
=head1 SYNOPSIS
#include <openssl/ocsp.h>
OCSP_REQUEST *OCSP_REQUEST_new(void);
void OCSP_REQUEST_free(OCSP_REQUEST *req);
OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
int OCSP_request_sign(OCSP_REQUEST *req,
X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
STACK_OF(X509) *certs, unsigned long flags);
int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
int OCSP_request_onereq_count(OCSP_REQUEST *req);
OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
=head1 DESCRIPTION
OCSP_REQUEST_new() allocates and returns an empty B<OCSP_REQUEST> structure.
OCSP_REQUEST_free() frees up the request structure B<req>.
OCSP_request_add0_id() adds certificate ID B<cid> to B<req>. It returns
the B<OCSP_ONEREQ> structure added so an application can add additional
extensions to the request. The B<id> parameter B<MUST NOT> be freed up after
the operation.
OCSP_request_sign() signs OCSP request B<req> using certificate
B<signer>, private key B<key>, digest B<dgst> and additional certificates
B<certs>. If the B<flags> option B<OCSP_NOCERTS> is set then no certificates
will be included in the request.
OCSP_request_add1_cert() adds certificate B<cert> to request B<req>. The
application is responsible for freeing up B<cert> after use.
OCSP_request_onereq_count() returns the total number of B<OCSP_ONEREQ>
structures in B<req>.
OCSP_request_onereq_get0() returns an internal pointer to the B<OCSP_ONEREQ>
contained in B<req> of index B<i>. The index value B<i> runs from 0 to
OCSP_request_onereq_count(req) - 1.
=head1 RETURN VALUES
OCSP_REQUEST_new() returns an empty B<OCSP_REQUEST> structure or B<NULL> if
an error occurred.
OCSP_request_add0_id() returns the B<OCSP_ONEREQ> structure containing B<cid>
or B<NULL> if an error occurred.
OCSP_request_sign() and OCSP_request_add1_cert() return 1 for success and 0
for failure.
OCSP_request_onereq_count() returns the total number of B<OCSP_ONEREQ>
structures in B<req>.
OCSP_request_onereq_get0() returns a pointer to an B<OCSP_ONEREQ> structure
or B<NULL> if the index value is out or range.
=head1 NOTES
An OCSP request structure contains one or more B<OCSP_ONEREQ> structures
corresponding to each certificate.
OCSP_request_onereq_count() and OCSP_request_onereq_get0() are mainly used by
OCSP responders.
=head1 EXAMPLE
Create an B<OCSP_REQUEST> structure for certificate B<cert> with issuer
B<issuer>:
OCSP_REQUEST *req;
OCSP_ID *cid;
req = OCSP_REQUEST_new();
if (req == NULL)
/* error */
cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
if (cid == NULL)
/* error */
if (OCSP_REQUEST_add0_id(req, cid) == NULL)
/* error */
/* Do something with req, e.g. query responder */
OCSP_REQUEST_free(req);
=head1 SEE ALSO
L<crypto(3)|crypto(3)>,
L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>,
L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>,
L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>,
L<OCSP_response_status(3)|OCSP_response_status(3)>,
L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
=cut
=pod
OCSP_cert_to_id, OCSP_cert_id_new, OCSP_CERTID_free, OCSP_id_issuer_cmp,
OCSP_id_cmp, OCSP_id_get0_info - OCSP certificate ID utility functions.
=head1 SYNOPSIS
#include <openssl/ocsp.h>
OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst,
X509 *subject, X509 *issuer);
OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
X509_NAME *issuerName,
ASN1_BIT_STRING *issuerKey,
ASN1_INTEGER *serialNumber);
void OCSP_CERTID_free(OCSP_CERTID *id);
int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
ASN1_OCTET_STRING **pikeyHash,
ASN1_INTEGER **pserial, OCSP_CERTID *cid);
=head1 DESCRIPTION
OCSP_cert_to_id() creates and returns a new B<OCSP_CERTID> structure using
message digest B<dgst> for certificate B<subject> with issuer B<issuer>. If
B<dgst> is B<NULL> then SHA1 is used.
OCSP_cert_id_new() creates and returns a new B<OCSP_CERTID> using B<dgst> and
issuer name B<issuerName>, issuer key hash B<issuerKey> and serial number
B<serialNumber>.
OCSP_CERTID_free() frees up B<id>.
OCSP_id_cmp() compares B<OCSP_CERTID> B<a> and B<b>.
OCSP_id_issuer_cmp() compares only the issuer name of B<OCSP_CERTID> B<a> and B<b>.
OCSP_id_get0_info() returns the issuer name hash, hash OID, issuer key hash and
serial number contained in B<cid>. If any of the values are not required the
corresponding parameter can be set to B<NULL>.
=head1 RETURN VALUES
OCSP_cert_to_id() and OCSP_cert_id_new() return either a pointer to a valid
B<OCSP_CERTID> structure or B<NULL> if an error occurred.
OCSP_id_cmp() and OCSP_id_issuer_cmp() returns zero for a match and non-zero
otherwise.
OCSP_CERTID_free() does not return a value.
OCSP_id_get0_info() returns 1 for sucess and 0 for failure.
=head1 NOTES
OCSP clients will typically only use OCSP_cert_to_id() or OCSP_cert_id_new():
the other functions are used by responder applications.
The values returned by OCSP_id_get0_info() are internal pointers and B<MUST
NOT> be freed up by an application: they will be freed when the corresponding
B<OCSP_CERTID> structure is freed.
=head1 SEE ALSO
L<crypto(3)|crypto(3)>,
L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>,
L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>,
L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>,
L<OCSP_response_status(3)|OCSP_response_status(3)>,
L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
=cut
=pod
OCSP_request_add1_nonce, OCSP_basic_add1_nonce, OCSP_check_nonce, OCSP_copy_nonce - OCSP nonce functions.
=head1 SYNOPSIS
#include <openssl/ocsp.h>
int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *resp);
=head1 DESCRIPTION
OCSP_request_add1_nonce() adds a nonce of value B<val> and length B<len> to
OCSP request B<req>. If B<val> is B<NULL> a random nonce is used. If B<len>
is zero or negative a default length will be used (currently 16 bytes).
OCSP_basic_add1_nonce() is identical to OCSP_request_add1_nonce() except
it adds a nonce to OCSP basic response B<resp>.
OCSP_check_nonce() compares the nonce value in B<req> and B<resp>.
OCSP_copy_nonce() copys any nonce value present in B<req> to B<resp>.
=head1 RETURN VALUES
OCSP_request_add1_nonce() and OCSP_basic_add1_nonce() return 1 for success
and 0 for failure.
OCSP_copy_nonce() returns 1 if a nonce was successfully copied, 2 if no nonce
was present in B<req> and 0 if an error occurred.
OCSP_check_nonce() returns the result of the nonce comparison between B<req>
and B<resp>. The return value indicates the result of the comparison. If
nonces are present and equal 1 is returned. If the nonces are absent 2 is
returned. If a nonce is present in the response only 3 is returned. If nonces
are present and unequal 0 is returned. If the nonce is present in the request
only then -1 is returned.
=head1 NOTES
For most purposes the nonce value in a request is set to a random value so
the B<val> parameter in OCSP_request_add1_nonce() is usually NULL.
An OCSP nonce is typically added to an OCSP request to thwart replay attacks
by checking the same nonce value appears in the response.
Some responders may include a nonce in all responses even if one is not
supplied.
Some responders cache OCSP responses and do not sign each response for
performance reasons. As a result they do not support nonces.
The return values of OCSP_check_nonce() can be checked to cover each case. A
positive return value effectively indicates success: nonces are both present
and match, both absent or present in the response only. A non-zero return
additionally covers the case where the nonce is present in the request only:
this will happen if the responder doesn't support nonces. A zero return value
indicates present and mismatched nonces: this should be treated as an error
condition.
=head1 SEE ALSO
L<crypto(3)|crypto(3)>,
L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>,
L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>,
L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>,
L<OCSP_response_status(3)|OCSP_response_status(3)>,
L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
=cut
=pod
OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status, OCSP_check_validity - OCSP reponse utility functions.
=head1 SYNOPSIS
#include <openssl/ocsp.h>
int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
int *reason,
ASN1_GENERALIZEDTIME **revtime,
ASN1_GENERALIZEDTIME **thisupd,
ASN1_GENERALIZEDTIME **nextupd);
int OCSP_resp_count(OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
ASN1_GENERALIZEDTIME **revtime,
ASN1_GENERALIZEDTIME **thisupd,
ASN1_GENERALIZEDTIME **nextupd);
int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
ASN1_GENERALIZEDTIME *nextupd,
long sec, long maxsec);
=head1 DESCRIPTION
OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is
successful the fields of the response are returned in B<*status>, B<*reason>,
B<*revtime>, B<*thisupd> and B<*nextupd>. The B<*status> value will be one of
B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
B<V_OCSP_CERTSTATUS_UNKNOWN>. The B<*reason> and B<*revtime> fields are only
set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the B<*reason> field
will be set to the revocation reason which will be one of
B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.
OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in B<bs>.
OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in B<bs>
corresponding to index B<idx>. Where B<idx> runs from 0 to
OCSP_resp_count(bs) - 1.
OCSP_resp_find() searches B<bs> for B<id> and returns the index of the first
matching entry after B<last> or starting from the beginning if B<last> is -1.
OCSP_single_get0_status() extracts the fields of B<single> in B<*reason>,
B<*revtime>, B<*thisupd> and B<*nextupd>.
OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
which will be typically obtained from OCSP_resp_find_status() or
OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
leeway should be allowed in the check. If B<maxsec> is positive it indicates
the maximum age of B<thisupd> in seconds.
=head1 RETURN VALUES
OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise.
OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
B<bs>.
OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
B<NULL> if B<idx> is out of range.
OCSP_resp_find() returns the index of B<id> in B<bs> (which may be 0) or -1 if
B<id> was not found.
OCSP_single_get0_status() returns the status of B<single> or -1 if an error
occurred.
=head1 NOTES
Applications will typically call OCSP_resp_find_status() using the certificate
ID of interest and then check its validity using OCSP_check_validity(). They
can then take appropriate action based on the status of the certificate.
An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
fields. Normally the current time should be between these two values. To
account for clock skew the B<maxsec> field can be set to non-zero in
OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
would otherwise mean an ancient response would be considered valid: the
B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
age of responses.
The values written to B<*revtime>, B<*thisupd> and B<*nextupd> by
OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
which B<MUST NOT> be freed up by the calling application. Any or all of these
parameters can be set to NULL if their value is not required.
=head1 SEE ALSO
L<crypto(3)|crypto(3)>,
L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>,
L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>,
L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>,
L<OCSP_response_status(3)|OCSP_response_status(3)>,
L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
=cut
=pod
OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create,
OCSP_RESPONSE_free - OCSP response functions.
=head1 SYNOPSIS
#include <openssl/ocsp.h>
int OCSP_response_status(OCSP_RESPONSE *resp);
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
void OCSP_RESPONSE_free(OCSP_RESPONSE *resp);
=head1 DESCRIPTION
OCSP_response_status() returns the OCSP response status of B<resp>. It returns
one of the values: B<OCSP_RESPONSE_STATUS_SUCCESSFUL>,
B<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>,
B<OCSP_RESPONSE_STATUS_INTERNALERROR>, B<OCSP_RESPONSE_STATUS_TRYLATER>
B<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or B<OCSP_RESPONSE_STATUS_UNAUTHORIZED>.
OCSP_response_get1_basic() decodes and returns the B<OCSP_BASICRESP> structure
contained in B<resp>.
OCSP_response_create() creates and returns an B<OCSP_RESPONSE> structure for
B<status> and optionally including basic response B<bs>.
OCSP_RESPONSE_free() frees up OCSP reponse B<resp>.
=head1 RETURN VALUES
OCSP_RESPONSE_status() returns a status value.
OCSP_response_get1_basic() returns an B<OCSP_BASICRESP> structure pointer or
B<NULL> if an error occurred.
OCSP_response_create() returns an B<OCSP_RESPONSE> structure pointer or B<NULL>
if an error occurred.
OCSP_RESPONSE_free() does not return a value.
=head1 NOTES
OCSP_response_get1_basic() is only called if the status of a response is
B<OCSP_RESPONSE_STATUS_SUCCESSFUL>.
=head1 SEE ALSO
L<crypto(3)|crypto(3)>
L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>
L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>
L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>
L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>
L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
=cut
=pod
=head1 NAME
OCSP_sendreq_new, OCSP_sendreq_nbio, OCSP_REQ_CTX_free,
OCSP_set_max_response_length, OCSP_REQ_CTX_add1_header,
OCSP_REQ_CTX_set1_req, OCSP_sendreq_bio - OCSP responder query functions
=head1 SYNOPSIS
#include <openssl/ocsp.h>
OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
int maxline);
int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len);
int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
const char *name, const char *value);
int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
OCSP_RESPONSE *OCSP_sendreq_bio(BIO *io, const char *path, OCSP_REQUEST *req,
int maxline);
=head1 DESCRIPTION
The function OCSP_sendreq_new() returns an B<OCSP_CTX> structure using the
responder B<io>, the URL path B<path>, the OCSP request B<req> and with a
response header maximum line length of B<maxline>. If B<maxline> is zero a
default value of 4k is used. The OCSP request B<req> may be set to B<NULL>
and provided later if required.
OCSP_sendreq_nbio() performs non-blocking I/O on the OCSP request context
B<rctx>. When the operation is complete it returns the response in B<*presp>.
OCSP_REQ_CTX_free() frees up the OCSP context B<rctx>.
OCSP_set_max_response_length() sets the maximum reponse length for B<rctx>
to B<len>. If the response exceeds this length an error occurs. If not
set a default value of 100k is used.
OCSP_REQ_CTX_add1_header() adds header B<name> with value B<value> to the
context B<rctx>. It can be called more than once to add multiple headers.
It B<MUST> be called before any calls to OCSP_sendreq_nbio(). The B<req>
parameter in the initial to OCSP_sendreq_new() call MUST be set to B<NULL> if
additional headers are set.
OCSP_REQ_CTX_set1_req() sets the OCSP request in B<rctx> to B<req>. This
function should be called after any calls to OCSP_REQ_CTX_add1_header().
OCSP_sendreq_bio() performs an OCSP request using the responder B<io>, the URL
path B<path>, the OCSP request B<req> and with a response header maximum line
length of B<maxline>. If B<maxline> is zero a default value of 4k is used.
=head1 RETURN VALUES
OCSP_sendreq_new() returns a valid B<OCSP_REQ_CTX> structure or B<NULL> if
an error occurred.
OCSP_sendreq_nbio() returns B<1> if the operation was completed successfully,
B<-1> if the operation should be retried and B<0> if an error occurred.
OCSP_REQ_CTX_add1_header() and OCSP_REQ_CTX_set1_req() return B<1> for success
and B<0> for failure.
OCSP_sendreq_bio() returns the B<OCSP_RESPONSE> structure sent by the
responder or B<NULL> if an error occurred.
OCSP_REQ_CTX_free() and OCSP_set_max_response_length() do not return values.
=head1 NOTES
These functions only perform a minimal HTTP query to a responder. If an
application wishes to support more advanced features it should use an
alternative more complete HTTP library.
Currently only HTTP POST queries to responders are supported.
The arguments to OCSP_sendreq_new() correspond to the components of the URL.
For example if the responder URL is B<http://ocsp.com/ocspreq> the BIO
B<io> should be connected to host B<ocsp.com> on port 80 and B<path>
should be set to B<"/ocspreq">
The headers added with OCSP_REQ_CTX_add1_header() are of the form
"B<name>: B<value>" or just "B<name>" if B<value> is B<NULL>. So to add
a Host header for B<ocsp.com> you would call:
OCSP_REQ_CTX_add1_header(ctx, "Host", "ocsp.com");
If OCSP_sendreq_nbio() indicates an operation should be retried the
corresponding BIO can be examined to determine which operation (read or
write) should be retried and appropriate action taken (for example a select()
call on the underlying socket).
OCSP_sendreq_bio() does not support retries and so cannot handle non-blocking
I/O efficiently. It is retained for compatibility and its use in new
applications is not recommended.
=head1 SEE ALSO
L<crypto(3)|crypto(3)>,
L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>,
L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>,
L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>,
L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>,
L<OCSP_response_status(3)|OCSP_response_status(3)>
=cut
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册