xref: /openssl/doc/man3/OCSP_response_status.pod (revision 981d129a)
=pod

=head1 NAME

OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create,
OCSP_RESPONSE_free, OCSP_RESPID_set_by_name,
OCSP_RESPID_set_by_key_ex, OCSP_RESPID_set_by_key, OCSP_RESPID_match_ex,
OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx
- OCSP response functions

=head1 SYNOPSIS

 #include <openssl/ocsp.h>

 int OCSP_response_status(OCSP_RESPONSE *resp);
 OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
 OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
 void OCSP_RESPONSE_free(OCSP_RESPONSE *resp);

 int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);
 int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
                               OSSL_LIB_CTX *libctx, const char *propq);
 int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);
 int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
                          const char *propq);
 int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);

 int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
                     const EVP_MD *dgst, STACK_OF(X509) *certs,
                     unsigned long flags);
 int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx,
                         STACK_OF(X509) *certs, unsigned long flags);

=head1 DESCRIPTION

OCSP_response_status() returns the OCSP response status of I<resp>. It returns
one of the values: I<OCSP_RESPONSE_STATUS_SUCCESSFUL>,
I<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>,
I<OCSP_RESPONSE_STATUS_INTERNALERROR>, I<OCSP_RESPONSE_STATUS_TRYLATER>,
I<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or I<OCSP_RESPONSE_STATUS_UNAUTHORIZED>.

OCSP_response_get1_basic() decodes and returns the I<OCSP_BASICRESP> structure
contained in I<resp>.

OCSP_response_create() creates and returns an I<OCSP_RESPONSE> structure for
I<status>, optionally including the basic response I<bs>.

OCSP_RESPONSE_free() frees the OCSP response I<resp>.
If the argument is NULL, nothing is done.

OCSP_RESPID_set_by_name() sets the name of the OCSP_RESPID to be the same as the
subject name in the supplied X509 certificate I<cert> for the OCSP responder.

OCSP_RESPID_set_by_key_ex() sets the key of the OCSP_RESPID to be the same as the
key in the supplied X509 certificate I<cert> for the OCSP responder. The key is
stored as a SHA1 hash. To calculate the hash, the SHA1 algorithm is fetched using
the library ctx I<libctx> and the property query string I<propq> (see
L<crypto(7)/ALGORITHM FETCHING> for further information).

OCSP_RESPID_set_by_key() does the same as OCSP_RESPID_set_by_key_ex() except
that the default library context is used with an empty property query string.

Note that an OCSP_RESPID can have only one of the name or the key set. Calling
OCSP_RESPID_set_by_name() or OCSP_RESPID_set_by_key() will clear any existing
setting.

OCSP_RESPID_match_ex() tests whether the OCSP_RESPID given in I<respid> matches
the X509 certificate I<cert> based on the SHA1 hash. To calculate the hash,
the SHA1 algorithm is fetched using the library ctx I<libctx> and the property
query string I<propq> (see L<crypto(7)/ALGORITHM FETCHING> for further
information).

OCSP_RESPID_match() does the same as OCSP_RESPID_match_ex() except that the
default library context is used with an empty property query string.

OCSP_basic_sign() signs OCSP response I<brsp> using certificate I<signer>, private key
I<key>, digest I<dgst> and additional certificates I<certs>. If the I<flags> option
I<OCSP_NOCERTS> is set then no certificates will be included in the response. If the
I<flags> option I<OCSP_RESPID_KEY> is set then the responder is identified by key ID
rather than by name. OCSP_basic_sign_ctx() also signs OCSP response I<brsp> but
uses the parameters contained in digest context I<ctx>.

=head1 RETURN VALUES

OCSP_response_status() returns a status value.

OCSP_response_get1_basic() returns an I<OCSP_BASICRESP> structure pointer or
I<NULL> if an error occurred.

OCSP_response_create() returns an I<OCSP_RESPONSE> structure pointer or I<NULL>
if an error occurred.

OCSP_RESPONSE_free() does not return a value.

OCSP_RESPID_set_by_name(), OCSP_RESPID_set_by_key(), OCSP_basic_sign(), and
OCSP_basic_sign_ctx() return 1 on success or 0 on failure.

OCSP_RESPID_match() returns 1 if the OCSP_RESPID and the X509 certificate match
or 0 otherwise.

=head1 NOTES

OCSP_response_get1_basic() is only called if the status of a response is
I<OCSP_RESPONSE_STATUS_SUCCESSFUL>.

=head1 SEE ALSO

L<crypto(7)>,
L<OCSP_cert_to_id(3)>,
L<OCSP_request_add1_nonce(3)>,
L<OCSP_REQUEST_new(3)>,
L<OCSP_resp_find_status(3)>,
L<OCSP_sendreq_new(3)>,
L<OCSP_RESPID_new(3)>,
L<OCSP_RESPID_free(3)>

=head1 HISTORY

The OCSP_RESPID_set_by_name(), OCSP_RESPID_set_by_key() and OCSP_RESPID_match()
functions were added in OpenSSL 1.1.0a.

The OCSP_basic_sign_ctx() function was added in OpenSSL 1.1.1.

=head1 COPYRIGHT

Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
