vendor/openssl-src/openssl/doc/man3/OCSP_resp_find_status.pod - toolchain/rustc - Git at Google

 =pod

 =head1 NAME

 OCSP_resp_get0_certs,
 OCSP_resp_get0_signer,
 OCSP_resp_get0_id,
 OCSP_resp_get1_id,
 OCSP_resp_get0_produced_at,
 OCSP_resp_get0_signature,
 OCSP_resp_get0_tbs_sigalg,
 OCSP_resp_get0_respdata,
 OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
 OCSP_single_get0_status, OCSP_check_validity,
 OCSP_basic_verify
 - OCSP response utility functions

 =head1 SYNOPSIS

  #include <openssl/ocsp.h>

  int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                            int *reason,
                            ASN1_GENERALIZEDTIME **revtime,
                            ASN1_GENERALIZEDTIME **thisupd,
                            ASN1_GENERALIZEDTIME **nextupd);

  int OCSP_resp_count(OCSP_BASICRESP *bs);
  OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
  int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
  int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                              ASN1_GENERALIZEDTIME **revtime,
                              ASN1_GENERALIZEDTIME **thisupd,
                              ASN1_GENERALIZEDTIME **nextupd);

  const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
                              const OCSP_BASICRESP* single);

  const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
  const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
  const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
  const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);

  int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
                            STACK_OF(X509) *extra_certs);

  int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
                        const ASN1_OCTET_STRING **pid,
                        const X509_NAME **pname);
  int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
                        ASN1_OCTET_STRING **pid,
                        X509_NAME **pname);

  int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                          ASN1_GENERALIZEDTIME *nextupd,
                          long sec, long maxsec);

  int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                       X509_STORE *st, unsigned long flags);

 =head1 DESCRIPTION

 OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is
 successful the fields of the response are returned in B<*status>, B<*reason>,
 B<*revtime>, B<*thisupd> and B<*nextupd>.  The B<*status> value will be one of
 B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
 B<V_OCSP_CERTSTATUS_UNKNOWN>. The B<*reason> and B<*revtime> fields are only
 set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the B<*reason> field
 will be set to the revocation reason which will be one of
 B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
 B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
 B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
 B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
 B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.

 OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in B<bs>.

 OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in B<bs>
 corresponding to index B<idx>. Where B<idx> runs from 0 to
 OCSP_resp_count(bs) - 1.

 OCSP_resp_find() searches B<bs> for B<id> and returns the index of the first
 matching entry after B<last> or starting from the beginning if B<last> is -1.

 OCSP_single_get0_status() extracts the fields of B<single> in B<*reason>,
 B<*revtime>, B<*thisupd> and B<*nextupd>.

 OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
 single response B<bs>.

 OCSP_resp_get0_signature() returns the signature from B<bs>.

 OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> from B<bs>.

 OCSP_resp_get0_respdata() returns the B<tbsResponseData> from B<bs>.

 OCSP_resp_get0_certs() returns any certificates included in B<bs>.

 OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
 signed B<bs>.  The OCSP protocol does not require that this certificate
 is included in the B<certs> field of the response, so additional certificates
 can be supplied in B<extra_certs> if the certificates that may have
 signed the response are known via some out-of-band mechanism.

 OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is
 a name then <*pname> is set to the name and B<*pid> is set to NULL. If the
 responder ID is by key ID then B<*pid> is set to the key ID and B<*pname>
 is set to NULL. OCSP_resp_get1_id() leaves ownership of B<*pid> and B<*pname>
 with the caller, who is responsible for freeing them. Both functions return 1
 in case of success and 0 in case of failure. If OCSP_resp_get1_id() returns 0,
 no freeing of the results is necessary.

 OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
 which will be typically obtained from OCSP_resp_find_status() or
 OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
 leeway should be allowed in the check. If B<maxsec> is positive it indicates
 the maximum age of B<thisupd> in seconds.

 OCSP_basic_verify() checks that the basic response message B<bs> is correctly
 signed and that the signer certificate can be validated. It takes B<st> as
 the trusted store and B<certs> as a set of untrusted intermediate certificates.
 The function first tries to find the signer certificate of the response
 in <certs>. It also searches the certificates the responder may have included
 in B<bs> unless the B<flags> contain B<OCSP_NOINTERN>.
 It fails if the signer certificate cannot be found.
 Next, the function checks the signature of B<bs> and fails on error
 unless the B<flags> contain B<OCSP_NOSIGS>. Then the function already returns
 success if the B<flags> contain B<OCSP_NOVERIFY> or if the signer certificate
 was found in B<certs> and the B<flags> contain B<OCSP_TRUSTOTHER>.
 Otherwise the function continues by validating the signer certificate.
 To this end, all certificates in B<cert> and in B<bs> are considered as
 untrusted certificates for the construction of the validation path for the
 signer certificate unless the B<OCSP_NOCHAIN> flag is set. After successful path
 validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
 Otherwise it verifies that the signer certificate meets the OCSP issuer
 criteria including potential delegation. If this does not succeed and the
 B<flags> do not contain B<OCSP_NOEXPLICIT> the function checks for explicit
 trust for OCSP signing in the root CA certificate.

 =head1 RETURN VALUES

 OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise.

 OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
 B<bs>.

 OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
 B<NULL> if B<idx> is out of range.

 OCSP_resp_find() returns the index of B<id> in B<bs> (which may be 0) or -1 if
 B<id> was not found.

 OCSP_single_get0_status() returns the status of B<single> or -1 if an error
 occurred.

 OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
 or 0 on error.

 OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such
 as malloc failure.

 =head1 NOTES

 Applications will typically call OCSP_resp_find_status() using the certificate
 ID of interest and then check its validity using OCSP_check_validity(). They
 can then take appropriate action based on the status of the certificate.

 An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
 fields. Normally the current time should be between these two values. To
 account for clock skew the B<maxsec> field can be set to non-zero in
 OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
 would otherwise mean an ancient response would be considered valid: the
 B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
 age of responses.

 The values written to B<*revtime>, B<*thisupd> and B<*nextupd> by
 OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
 which B<MUST NOT> be freed up by the calling application. Any or all of these
 parameters can be set to NULL if their value is not required.

 =head1 SEE ALSO

 L<crypto(7)>,
 L<OCSP_cert_to_id(3)>,
 L<OCSP_request_add1_nonce(3)>,
 L<OCSP_REQUEST_new(3)>,
 L<OCSP_response_status(3)>,
 L<OCSP_sendreq_new(3)>

 =head1 COPYRIGHT

 Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.

 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
 in the file LICENSE in the source distribution or at
 L<https://www.openssl.org/source/license.html>.

 =cut
	=pod

	=head1 NAME

	OCSP_resp_get0_certs,
	OCSP_resp_get0_signer,
	OCSP_resp_get0_id,
	OCSP_resp_get1_id,
	OCSP_resp_get0_produced_at,
	OCSP_resp_get0_signature,
	OCSP_resp_get0_tbs_sigalg,
	OCSP_resp_get0_respdata,
	OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
	OCSP_single_get0_status, OCSP_check_validity,
	OCSP_basic_verify
	- OCSP response utility functions

	=head1 SYNOPSIS

	#include <openssl/ocsp.h>

	int OCSP_resp_find_status(OCSP_BASICRESP bs, OCSP_CERTID id, int *status,
	int *reason,
	ASN1_GENERALIZEDTIME **revtime,
	ASN1_GENERALIZEDTIME **thisupd,
	ASN1_GENERALIZEDTIME **nextupd);

	int OCSP_resp_count(OCSP_BASICRESP *bs);
	OCSP_SINGLERESP OCSP_resp_get0(OCSP_BASICRESP bs, int idx);
	int OCSP_resp_find(OCSP_BASICRESP bs, OCSP_CERTID id, int last);
	int OCSP_single_get0_status(OCSP_SINGLERESP single, int reason,
	ASN1_GENERALIZEDTIME **revtime,
	ASN1_GENERALIZEDTIME **thisupd,
	ASN1_GENERALIZEDTIME **nextupd);

	const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
	const OCSP_BASICRESP* single);

	const ASN1_OCTET_STRING OCSP_resp_get0_signature(const OCSP_BASICRESP bs);
	const X509_ALGOR OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP bs);
	const OCSP_RESPDATA OCSP_resp_get0_respdata(const OCSP_BASICRESP bs);
	const STACK_OF(X509) OCSP_resp_get0_certs(const OCSP_BASICRESP bs);

	int OCSP_resp_get0_signer(OCSP_BASICRESP bs, X509 *signer,
	STACK_OF(X509) *extra_certs);

	int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
	const ASN1_OCTET_STRING **pid,
	const X509_NAME **pname);
	int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
	ASN1_OCTET_STRING **pid,
	X509_NAME **pname);

	int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
	ASN1_GENERALIZEDTIME *nextupd,
	long sec, long maxsec);

	int OCSP_basic_verify(OCSP_BASICRESP bs, STACK_OF(X509) certs,
	X509_STORE *st, unsigned long flags);

	=head1 DESCRIPTION

	OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is
	successful the fields of the response are returned in B<status>, B<reason>,
	B<revtime>, B<thisupd> and B<nextupd>. The B<status> value will be one of
	B<V_OCSP_CERTSTATUS_GOOD>, B<V_OCSP_CERTSTATUS_REVOKED> or
	B<V_OCSP_CERTSTATUS_UNKNOWN>. The B<reason> and B<revtime> fields are only
	set if the status is B<V_OCSP_CERTSTATUS_REVOKED>. If set the B<*reason> field
	will be set to the revocation reason which will be one of
	B<OCSP_REVOKED_STATUS_NOSTATUS>, B<OCSP_REVOKED_STATUS_UNSPECIFIED>,
	B<OCSP_REVOKED_STATUS_KEYCOMPROMISE>, B<OCSP_REVOKED_STATUS_CACOMPROMISE>,
	B<OCSP_REVOKED_STATUS_AFFILIATIONCHANGED>, B<OCSP_REVOKED_STATUS_SUPERSEDED>,
	B<OCSP_REVOKED_STATUS_CESSATIONOFOPERATION>,
	B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.

	OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in B<bs>.

	OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in B<bs>
	corresponding to index B<idx>. Where B<idx> runs from 0 to
	OCSP_resp_count(bs) - 1.

	OCSP_resp_find() searches B<bs> for B<id> and returns the index of the first
	matching entry after B<last> or starting from the beginning if B<last> is -1.

	OCSP_single_get0_status() extracts the fields of B<single> in B<*reason>,
	B<revtime>, B<thisupd> and B<*nextupd>.

	OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
	single response B<bs>.

	OCSP_resp_get0_signature() returns the signature from B<bs>.

	OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> from B<bs>.

	OCSP_resp_get0_respdata() returns the B<tbsResponseData> from B<bs>.

	OCSP_resp_get0_certs() returns any certificates included in B<bs>.

	OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
	signed B<bs>. The OCSP protocol does not require that this certificate
	is included in the B<certs> field of the response, so additional certificates
	can be supplied in B<extra_certs> if the certificates that may have
	signed the response are known via some out-of-band mechanism.

	OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is
	a name then <pname> is set to the name and B<pid> is set to NULL. If the
	responder ID is by key ID then B<pid> is set to the key ID and B<pname>
	is set to NULL. OCSP_resp_get1_id() leaves ownership of B<pid> and B<pname>
	with the caller, who is responsible for freeing them. Both functions return 1
	in case of success and 0 in case of failure. If OCSP_resp_get1_id() returns 0,
	no freeing of the results is necessary.

	OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
	which will be typically obtained from OCSP_resp_find_status() or
	OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
	leeway should be allowed in the check. If B<maxsec> is positive it indicates
	the maximum age of B<thisupd> in seconds.

	OCSP_basic_verify() checks that the basic response message B<bs> is correctly
	signed and that the signer certificate can be validated. It takes B<st> as
	the trusted store and B<certs> as a set of untrusted intermediate certificates.
	The function first tries to find the signer certificate of the response
	in <certs>. It also searches the certificates the responder may have included
	in B<bs> unless the B<flags> contain B<OCSP_NOINTERN>.
	It fails if the signer certificate cannot be found.
	Next, the function checks the signature of B<bs> and fails on error
	unless the B<flags> contain B<OCSP_NOSIGS>. Then the function already returns
	success if the B<flags> contain B<OCSP_NOVERIFY> or if the signer certificate
	was found in B<certs> and the B<flags> contain B<OCSP_TRUSTOTHER>.
	Otherwise the function continues by validating the signer certificate.
	To this end, all certificates in B<cert> and in B<bs> are considered as
	untrusted certificates for the construction of the validation path for the
	signer certificate unless the B<OCSP_NOCHAIN> flag is set. After successful path
	validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
	Otherwise it verifies that the signer certificate meets the OCSP issuer
	criteria including potential delegation. If this does not succeed and the
	B<flags> do not contain B<OCSP_NOEXPLICIT> the function checks for explicit
	trust for OCSP signing in the root CA certificate.

	=head1 RETURN VALUES

	OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise.

	OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
	B<bs>.

	OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
	B<NULL> if B<idx> is out of range.

	OCSP_resp_find() returns the index of B<id> in B<bs> (which may be 0) or -1 if
	B<id> was not found.

	OCSP_single_get0_status() returns the status of B<single> or -1 if an error
	occurred.

	OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
	or 0 on error.

	OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such
	as malloc failure.

	=head1 NOTES

	Applications will typically call OCSP_resp_find_status() using the certificate
	ID of interest and then check its validity using OCSP_check_validity(). They
	can then take appropriate action based on the status of the certificate.

	An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
	fields. Normally the current time should be between these two values. To
	account for clock skew the B<maxsec> field can be set to non-zero in
	OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
	would otherwise mean an ancient response would be considered valid: the
	B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
	age of responses.

	The values written to B<revtime>, B<thisupd> and B<*nextupd> by
	OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers
	which B<MUST NOT> be freed up by the calling application. Any or all of these
	parameters can be set to NULL if their value is not required.

	=head1 SEE ALSO

	L<crypto(7)>,
	L<OCSP_cert_to_id(3)>,
	L<OCSP_request_add1_nonce(3)>,
	L<OCSP_REQUEST_new(3)>,
	L<OCSP_response_status(3)>,
	L<OCSP_sendreq_new(3)>

	=head1 COPYRIGHT

	Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.

	Licensed under the OpenSSL license (the "License"). You may not use
	this file except in compliance with the License. You can obtain a copy
	in the file LICENSE in the source distribution or at
	L<https://www.openssl.org/source/license.html>.

	=cut