TLS_OCSP_PROCESS_RESPONSE(3) FreeBSD Library Functions Manual
NAME
tls_ocsp_process_response, tls_peer_ocsp_url,
tls_peer_ocsp_response_status, tls_peer_ocsp_cert_status,
tls_peer_ocsp_crl_reason, tls_peer_ocsp_result,
tls_peer_ocsp_revocation_time, tls_peer_ocsp_this_update,
tls_peer_ocsp_next_update - inspect an OCSP response
SYNOPSIS
#include <tls.h>
int
tls_ocsp_process_response(struct tls *ctx, const unsigned char *response,
size_t size);
const char *
tls_peer_ocsp_url(struct tls *ctx);
int
tls_peer_ocsp_response_status(struct tls *ctx);
int
tls_peer_ocsp_cert_status(struct tls *ctx);
int
tls_peer_ocsp_crl_reason(struct tls *ctx);
const char *
tls_peer_ocsp_result(struct tls *ctx);
time_t
tls_peer_ocsp_revocation_time(struct tls *ctx);
time_t
tls_peer_ocsp_this_update(struct tls *ctx);
time_t
tls_peer_ocsp_next_update(struct tls *ctx);
DESCRIPTION
tls_ocsp_process_response() parses and verifies the raw (DER-encoded)
OCSP response of size bytes held in response, checking the revocation
status of the peer certificate from ctx. A return value of 0 indicates
that the response verified and that the certificate has not been
revoked; any other outcome, including a revoked certificate, is reported
as an error. The results of the check are afterwards available through
the tls_peer_ocsp_*() functions described below.
tls_peer_ocsp_url() returns the OCSP responder URL named in the peer
certificate from ctx (its Authority Information Access extension, RFC
5280 section 4.2.2.1), or NULL if the certificate carries none.
The following functions return information about the peer certificate
from ctx that was obtained by validating a stapled OCSP response during
the handshake, or via a previous call to tls_ocsp_process_response().
tls_peer_ocsp_response_status() returns the OCSP response status as per
RFC 6960 section 2.3.
tls_peer_ocsp_cert_status() returns the OCSP certificate status code as
per RFC 6960 section 2.2.
tls_peer_ocsp_crl_reason() returns the OCSP certificate revocation reason
status code as per RFC 5280 section 5.3.1.
tls_peer_ocsp_result() returns a textual representation of the OCSP
status code returned by one of the previous three functions. If the OCSP
response was valid and the certificate was not revoked, the string
indicates the OCSP certificate status. Otherwise, the string indicates
the OCSP certificate revocation reason or the OCSP error.
tls_peer_ocsp_revocation_time() returns the OCSP revocation time. It is
only meaningful when the certificate status is TLS_OCSP_CERT_REVOKED.
tls_peer_ocsp_this_update() returns the thisUpdate time of the response,
the time at which the reported status was known to be correct.
tls_peer_ocsp_next_update() returns the nextUpdate time of the response,
the time at or before which newer status information will be available.
A response whose nextUpdate time has passed should be treated as stale.
RETURN VALUES
tls_ocsp_process_response() returns 0 on success or -1 on error.
tls_peer_ocsp_url() and tls_peer_ocsp_result() return NULL on error or an
out of memory condition.
The tls_peer_ocsp_response_status() function returns one of
TLS_OCSP_RESPONSE_SUCCESSFUL, TLS_OCSP_RESPONSE_MALFORMED,
TLS_OCSP_RESPONSE_INTERNALERROR, TLS_OCSP_RESPONSE_TRYLATER,
TLS_OCSP_RESPONSE_SIGREQUIRED, or TLS_OCSP_RESPONSE_UNAUTHORIZED on
success or -1 on error.
The tls_peer_ocsp_cert_status() function returns one of
TLS_OCSP_CERT_GOOD, TLS_OCSP_CERT_REVOKED, or TLS_OCSP_CERT_UNKNOWN on
success, and -1 on error.
The tls_peer_ocsp_crl_reason() function returns one of
TLS_CRL_REASON_UNSPECIFIED, TLS_CRL_REASON_KEY_COMPROMISE,
TLS_CRL_REASON_CA_COMPROMISE, TLS_CRL_REASON_AFFILIATION_CHANGED,
TLS_CRL_REASON_SUPERSEDED, TLS_CRL_REASON_CESSATION_OF_OPERATION,
TLS_CRL_REASON_CERTIFICATE_HOLD, TLS_CRL_REASON_REMOVE_FROM_CRL,
TLS_CRL_REASON_PRIVILEGE_WITHDRAWN, or TLS_CRL_REASON_AA_COMPROMISE on
success or -1 on error.
tls_peer_ocsp_revocation_time(), tls_peer_ocsp_this_update(), and
tls_peer_ocsp_next_update() return a time in epoch-seconds on success or
-1 on error.
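EXAMPLES
The following program is an added illustration and is not part of the
libtls manual or the libtls source. It applies a local acceptance policy
to the values that the tls_peer_ocsp_*() accessors report after a
handshake with a stapled response, or after a successful call to
tls_ocsp_process_response(). It treats -1 from every accessor as "no OCSP
information", which is not the same as a good status, and it is stricter
than "not revoked": a TLS_OCSP_CERT_UNKNOWN status, a non-successful
response status, and a response that is stale or not yet valid are all
rejected. The names ocsp_view, ocsp_policy(), check_peer_ocsp(), the
HAVE_LIBTLS macro and the skew and maximum-age limits are assumptions of
this example. When built without HAVE_LIBTLS, the stand-in constants are
constructed so the policy compiles alone; their numeric values are not
claimed to match <tls.h>, and the policy only compares them by name.

```c
/*
 * Added example, not libtls code: local OCSP acceptance policy over the
 * values returned by the tls_peer_ocsp_*() functions.
 * Build with libtls:  cc -DHAVE_LIBTLS example.c -ltls
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

#ifdef HAVE_LIBTLS
#include <tls.h>
#else
/* Constructed stand-ins so the policy compiles without <tls.h>. */
#define TLS_OCSP_RESPONSE_SUCCESSFUL	0
#define TLS_OCSP_CERT_GOOD		0
#define TLS_OCSP_CERT_REVOKED		1
#define TLS_OCSP_CERT_UNKNOWN		2
#define TLS_CRL_REASON_CERTIFICATE_HOLD	6
#endif

/* Snapshot of what libtls reports; -1 in a field means "no data". */
struct ocsp_view {
	int	response_status;	/* tls_peer_ocsp_response_status() */
	int	cert_status;		/* tls_peer_ocsp_cert_status() */
	int	crl_reason;		/* tls_peer_ocsp_crl_reason() */
	time_t	this_update;		/* tls_peer_ocsp_this_update() */
	time_t	next_update;		/* tls_peer_ocsp_next_update() */
};

/* Assumed policy limits: tolerated clock skew, and the oldest thisUpdate
 * accepted when the responder supplied no nextUpdate. */
#define OCSP_SKEW_SEC	(5 * 60)
#define OCSP_MAXAGE_SEC	(7 * 24 * 60 * 60)

enum ocsp_verdict { OCSP_ACCEPT = 0, OCSP_REJECT = 1, OCSP_NO_DATA = 2 };

/* Decide whether the peer may be trusted on the basis of OCSP data.
 * 'why' receives a short reason for the verdict. */
enum ocsp_verdict
ocsp_policy(const struct ocsp_view *v, time_t now, char *why, size_t whylen)
{
	/* -1 from the status accessors: no staple and no processed response. */
	if (v->response_status == -1 && v->cert_status == -1) {
		snprintf(why, whylen, "no OCSP information for peer");
		return OCSP_NO_DATA;
	}
	if (v->response_status != TLS_OCSP_RESPONSE_SUCCESSFUL) {
		snprintf(why, whylen, "OCSP responder error status %d",
		    v->response_status);
		return OCSP_REJECT;
	}
	/* thisUpdate must be present and not (beyond skew) in the future. */
	if (v->this_update == -1 || v->this_update > now + OCSP_SKEW_SEC) {
		snprintf(why, whylen, "OCSP thisUpdate missing or in the future");
		return OCSP_REJECT;
	}
	/* Freshness: honour nextUpdate when given, else cap the age. */
	if (v->next_update != -1) {
		if (v->next_update + OCSP_SKEW_SEC < now) {
			snprintf(why, whylen, "OCSP response expired (nextUpdate passed)");
			return OCSP_REJECT;
		}
	} else if (v->this_update + OCSP_MAXAGE_SEC < now) {
		snprintf(why, whylen, "OCSP response older than %d seconds",
		    OCSP_MAXAGE_SEC);
		return OCSP_REJECT;
	}
	switch (v->cert_status) {
	case TLS_OCSP_CERT_GOOD:
		snprintf(why, whylen, "certificate status good");
		return OCSP_ACCEPT;
	case TLS_OCSP_CERT_REVOKED:
		/* certificateHold is still revoked for our purposes; name it. */
		snprintf(why, whylen, "certificate revoked (reason %d%s)",
		    v->crl_reason,
		    v->crl_reason == TLS_CRL_REASON_CERTIFICATE_HOLD ?
		    ", on hold" : "");
		return OCSP_REJECT;
	default:
		/* TLS_OCSP_CERT_UNKNOWN or -1: responder cannot vouch for it. */
		snprintf(why, whylen, "certificate status unknown to responder");
		return OCSP_REJECT;
	}
}

#ifdef HAVE_LIBTLS
/* Gather the view from a connected context, after tls_handshake() or
 * tls_ocsp_process_response() has succeeded. */
enum ocsp_verdict
check_peer_ocsp(struct tls *ctx, char *why, size_t whylen)
{
	struct ocsp_view v = {
		.response_status = tls_peer_ocsp_response_status(ctx),
		.cert_status = tls_peer_ocsp_cert_status(ctx),
		.crl_reason = tls_peer_ocsp_crl_reason(ctx),
		.this_update = tls_peer_ocsp_this_update(ctx),
		.next_update = tls_peer_ocsp_next_update(ctx),
	};
	return ocsp_policy(&v, time(NULL), why, whylen);
}
#endif
```

A caller that wants hard-fail semantics should treat OCSP_NO_DATA as a
failure as well, or use tls_config_ocsp_require_stapling(3) so that the
handshake itself fails when no staple arrives. tls_peer_ocsp_result()
can be logged alongside the verdict to record libtls's own description
of the status.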
SEE ALSO
tls_client(3), tls_config_ocsp_require_stapling(3), tls_conn_version(3),
tls_connect(3), tls_handshake(3), tls_init(3)
HISTORY
These functions appeared in OpenBSD 6.1.
AUTHORS
Bob Beck <beck@openbsd.org>
Marko Kreen <markokr@gmail.com>
FreeBSD 14.1-RELEASE-p8 July 24, 2018 FreeBSD 14.1-RELEASE-p8