TLS_OCSP_PROCESS_RESPONSE(3)     Library Functions Manual     TLS_OCSP_PROCESS_RESPONSE(3)

NAME
       tls_ocsp_process_response, tls_peer_ocsp_url,
       tls_peer_ocsp_response_status, tls_peer_ocsp_cert_status,
       tls_peer_ocsp_crl_reason, tls_peer_ocsp_result,
       tls_peer_ocsp_revocation_time, tls_peer_ocsp_this_update,
       tls_peer_ocsp_next_update -- inspect an OCSP response

SYNOPSIS
       #include <tls.h>

       int
       tls_ocsp_process_response(struct tls *ctx,
           const unsigned char *response, size_t size);

       const char *
       tls_peer_ocsp_url(struct tls *ctx);

       int
       tls_peer_ocsp_response_status(struct tls *ctx);

       int
       tls_peer_ocsp_cert_status(struct tls *ctx);

       int
       tls_peer_ocsp_crl_reason(struct tls *ctx);

       const char *
       tls_peer_ocsp_result(struct tls *ctx);

       time_t
       tls_peer_ocsp_revocation_time(struct tls *ctx);

       time_t
       tls_peer_ocsp_this_update(struct tls *ctx);

       time_t
       tls_peer_ocsp_next_update(struct tls *ctx);

DESCRIPTION
       tls_ocsp_process_response() processes the raw OCSP response held in
       response (size bytes) to check the revocation status of the peer
       certificate from ctx.  A successful return code of 0 indicates that
       the certificate has not been revoked.

       tls_peer_ocsp_url() returns the URL for OCSP validation of the peer
       certificate from ctx.

       The following functions return information about the peer certificate
       from ctx that was obtained by validating a stapled OCSP response during
       the handshake, or via a previous call to tls_ocsp_process_response().

       tls_peer_ocsp_response_status() returns the OCSP response status as per
       RFC 6960 section 2.3.

       tls_peer_ocsp_cert_status() returns the OCSP certificate status code as
       per RFC 6960 section 2.2.

       tls_peer_ocsp_crl_reason() returns the OCSP certificate revocation
       reason status code as per RFC 5280 section 5.3.1.

       tls_peer_ocsp_result() returns a textual representation of the OCSP
       status code returned by one of the previous three functions.  If the
       OCSP response was valid and the certificate was not revoked, the string
       indicates the OCSP certificate status.  Otherwise, the string indicates
       the OCSP certificate revocation reason or the OCSP error.

       tls_peer_ocsp_revocation_time() returns the OCSP revocation time.

       tls_peer_ocsp_this_update() returns the thisUpdate time of the OCSP
       response.

       tls_peer_ocsp_next_update() returns the nextUpdate time of the OCSP
       response.

RETURN VALUES
       tls_ocsp_process_response() returns 0 on success or -1 on error.

       tls_peer_ocsp_url() and tls_peer_ocsp_result() return NULL on error or
       an out of memory condition.

       The tls_peer_ocsp_response_status() function returns one of
       TLS_OCSP_RESPONSE_SUCCESSFUL, TLS_OCSP_RESPONSE_MALFORMED,
       TLS_OCSP_RESPONSE_INTERNALERROR, TLS_OCSP_RESPONSE_TRYLATER,
       TLS_OCSP_RESPONSE_SIGREQUIRED, or TLS_OCSP_RESPONSE_UNAUTHORIZED on
       success or -1 on error.

       The tls_peer_ocsp_cert_status() function returns one of
       TLS_OCSP_CERT_GOOD, TLS_OCSP_CERT_REVOKED, or TLS_OCSP_CERT_UNKNOWN on
       success, and -1 on error.

       The tls_peer_ocsp_crl_reason() function returns one of
       TLS_CRL_REASON_UNSPECIFIED, TLS_CRL_REASON_KEY_COMPROMISE,
       TLS_CRL_REASON_CA_COMPROMISE, TLS_CRL_REASON_AFFILIATION_CHANGED,
       TLS_CRL_REASON_SUPERSEDED, TLS_CRL_REASON_CESSATION_OF_OPERATION,
       TLS_CRL_REASON_CERTIFICATE_HOLD, TLS_CRL_REASON_REMOVE_FROM_CRL,
       TLS_CRL_REASON_PRIVILEGE_WITHDRAWN, or TLS_CRL_REASON_AA_COMPROMISE on
       success or -1 on error.

       tls_peer_ocsp_revocation_time(), tls_peer_ocsp_this_update(), and
       tls_peer_ocsp_next_update() return a time in epoch-seconds on success
       or -1 on error.
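       Added example (not from this manual page or from libtls): a policy
       helper that turns the raw return values listed above into an
       accept/reject/soft-fail decision, treating -1 and any non-successful
       response status as "no usable verdict" rather than as "good".  It
       builds against the real <tls.h> when libtls is installed and otherwise
       against placeholder constant values (assumed; only their distinctness
       matters); ocsp_verdict, ocsp_verdict_from_ctx, HAVE_TLS_H and the
       verdict enum are names chosen here.

```c
#include <time.h>

/* Real <tls.h> if available; otherwise placeholder values (assumed) so the
 * pure helper below still builds and can be tested without libtls. */
#ifdef __has_include
#if __has_include(<tls.h>)
#include <tls.h>
#define HAVE_TLS_H 1
#endif
#endif
#ifndef HAVE_TLS_H
#define TLS_OCSP_RESPONSE_SUCCESSFUL 0
#define TLS_OCSP_CERT_GOOD 0
#define TLS_OCSP_CERT_REVOKED 1
#endif

enum ocsp_verdict { OCSP_ACCEPT, OCSP_REJECT, OCSP_SOFT_FAIL };

/* Arguments are the raw return values of tls_peer_ocsp_response_status(),
 * tls_peer_ocsp_cert_status(), tls_peer_ocsp_this_update() and
 * tls_peer_ocsp_next_update(); -1 means error or no OCSP data at all. */
enum ocsp_verdict
ocsp_verdict(int resp, int cert, time_t this_update, time_t next_update,
    time_t now)
{
	if (resp == -1 || cert == -1)
		return OCSP_SOFT_FAIL;	/* nothing to judge: never treat as GOOD */
	if (resp != TLS_OCSP_RESPONSE_SUCCESSFUL)
		return OCSP_SOFT_FAIL;	/* responder error, not a verdict on the cert */
	if (cert == TLS_OCSP_CERT_REVOKED)
		return OCSP_REJECT;	/* covers CERTIFICATE_HOLD too: still revoked */
	if (cert != TLS_OCSP_CERT_GOOD)
		return OCSP_SOFT_FAIL;	/* TLS_OCSP_CERT_UNKNOWN */
	/* GOOD counts only while the response window covers "now";
	 * a nextUpdate of -1 is taken here to mean "no expiry given". */
	if (this_update > now || (next_update != -1 && next_update < now))
		return OCSP_SOFT_FAIL;
	return OCSP_ACCEPT;
}

#ifdef HAVE_TLS_H
/* Use after tls_handshake() validated a stapled response, or after
 * tls_ocsp_process_response() returned 0 for a fetched response. */
static enum ocsp_verdict
ocsp_verdict_from_ctx(struct tls *ctx)
{
	return ocsp_verdict(tls_peer_ocsp_response_status(ctx),
	    tls_peer_ocsp_cert_status(ctx), tls_peer_ocsp_this_update(ctx),
	    tls_peer_ocsp_next_update(ctx), time(NULL));
}
#endif
```

       Whether OCSP_SOFT_FAIL closes the connection is a deployment choice;
       pairing it with tls_config_ocsp_require_stapling(3) makes a missing
       response a hard failure instead.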

SEE ALSO
       tls_client(3), tls_config_ocsp_require_stapling(3),
       tls_conn_version(3), tls_connect(3), tls_handshake(3), tls_init(3)

HISTORY
       These functions appeared in OpenBSD 6.1.

AUTHORS
       Bob Beck <beck@openbsd.org>
       Marko Kreen <markokr@gmail.com>

FreeBSD Ports 14.quarterly        July 24, 2018        TLS_OCSP_PROCESS_RESPONSE(3)
