Sortix 1.1dev nightly manual
This manual documents Sortix 1.1dev nightly, a development build that has not been officially released. You can instead view this document in the latest official manual.
| TLS_OCSP_PROCESS_RESPONSE(3) | Library Functions Manual | TLS_OCSP_PROCESS_RESPONSE(3) |
NAME
tls_ocsp_process_response,
tls_peer_ocsp_url,
tls_peer_ocsp_response_status,
tls_peer_ocsp_cert_status,
tls_peer_ocsp_crl_reason,
tls_peer_ocsp_result,
tls_peer_ocsp_revocation_time,
tls_peer_ocsp_this_update,
tls_peer_ocsp_next_update —
inspect an OCSP response
SYNOPSIS
#include
<tls.h>
int
tls_ocsp_process_response(struct
tls *ctx, const unsigned char
*response, size_t size);
const char *
tls_peer_ocsp_url(struct
tls *ctx);
int
tls_peer_ocsp_response_status(struct
tls *ctx);
int
tls_peer_ocsp_cert_status(struct
tls *ctx);
int
tls_peer_ocsp_crl_reason(struct
tls *ctx);
const char *
tls_peer_ocsp_result(struct
tls *ctx);
time_t
tls_peer_ocsp_revocation_time(struct
tls *ctx);
time_t
tls_peer_ocsp_this_update(struct
tls *ctx);
time_t
tls_peer_ocsp_next_update(struct
tls *ctx);
DESCRIPTION
tls_ocsp_process_response() processes a raw
OCSP response in response of size
size to check the revocation status of the
peer certificate from ctx. A successful
return code of 0 indicates that the certificate has not been revoked.
tls_peer_ocsp_url() returns the URL for OCSP
validation of the peer certificate from ctx.
The following functions return information about the peer certificate from
ctx that was obtained by validating a stapled
OCSP response during the handshake, or via a previous call to
tls_ocsp_process_response().
tls_peer_ocsp_response_status() returns the
OCSP response status as per RFC 6960 section 2.3.
tls_peer_ocsp_cert_status() returns the OCSP
certificate status code as per RFC 6960 section 2.2.
tls_peer_ocsp_crl_reason() returns the OCSP
certificate revocation reason status code as per RFC 5280 section 5.3.1.
tls_peer_ocsp_result() returns a textual
representation of the OCSP status code returned by one of the previous three
functions. If the OCSP response was valid and the certificate was not revoked,
the string indicates the OCSP certificate status. Otherwise, the string
indicates the OCSP certificate revocation reason or the OCSP error.
tls_peer_ocsp_revocation_time() returns the
OCSP revocation time.
tls_peer_ocsp_this_update() returns the OCSP
this update time.
tls_peer_ocsp_next_update() returns the OCSP
next update time.
RETURN VALUES
tls_ocsp_process_response() returns 0 on
success or -1 on error.
tls_peer_ocsp_url() and
tls_peer_ocsp_result() return
NULL on error or an out of memory
condition.
The tls_peer_ocsp_response_status() function
returns one of
TLS_OCSP_RESPONSE_SUCCESSFUL,
TLS_OCSP_RESPONSE_MALFORMED,
TLS_OCSP_RESPONSE_INTERNALERROR,
TLS_OCSP_RESPONSE_TRYLATER,
TLS_OCSP_RESPONSE_SIGREQUIRED, or
TLS_OCSP_RESPONSE_UNAUTHORIZED on success
or -1 on error.
The tls_peer_ocsp_cert_status() function
returns one of TLS_OCSP_CERT_GOOD,
TLS_OCSP_CERT_REVOKED, or
TLS_OCSP_CERT_UNKNOWN on success, and -1 on
error.
The tls_peer_ocsp_crl_reason() function
returns one of TLS_CRL_REASON_UNSPECIFIED,
TLS_CRL_REASON_KEY_COMPROMISE,
TLS_CRL_REASON_CA_COMPROMISE,
TLS_CRL_REASON_AFFILIATION_CHANGED,
TLS_CRL_REASON_SUPERSEDED,
TLS_CRL_REASON_CESSATION_OF_OPERATION,
TLS_CRL_REASON_CERTIFICATE_HOLD,
TLS_CRL_REASON_REMOVE_FROM_CRL,
TLS_CRL_REASON_PRIVILEGE_WITHDRAWN, or
TLS_CRL_REASON_AA_COMPROMISE on success or
-1 on error.
tls_peer_ocsp_revocation_time(),
tls_peer_ocsp_this_update(), and
tls_peer_ocsp_next_update() return a time
in epoch-seconds on success or -1 on error.
SEE ALSO
tls_client(3), tls_config_ocsp_require_stapling(3), tls_conn_version(3), tls_connect(3), tls_handshake(3), tls_init(3)HISTORY
These functions appeared in OpenBSD 6.1.AUTHORS
Bob Beck <beck@openbsd.org>Marko Kreen <markokr@gmail.com>
| July 24, 2018 | Debian |