field | value
---|---
author | Benjamin Kaduk <bkaduk@akamai.com>, 2017-10-18 22:29:18 +0200
committer | Ben Kaduk <kaduk@mit.edu>, 2017-11-12 03:03:49 +0100
commit | ce5886dda80b6f60fb30762381506d5c6f2d995c
tree | edaba1bdce2192f8665da3d2c77bf83acaaca6cf /doc
parent | Typo fix
download | openssl-ce5886dda80b6f60fb30762381506d5c6f2d995c.tar.xz, openssl-ce5886dda80b6f60fb30762381506d5c6f2d995c.zip
Add an API to get the signer of an OCSP response
Add a new function OCSP_resp_get0_signer() that looks in the
certs bundled with the response as well as in additional certificates
provided as a function argument, returning the certificate that signed
the given response (if present).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)
Diffstat (limited to 'doc')

mode | file | changes
---|---|---
-rw-r--r-- | doc/man3/OCSP_resp_find_status.pod | 15

1 file changed, 14 insertions, 1 deletion
diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod index e1442eb97e..a3695090dc 100644 --- a/doc/man3/OCSP_resp_find_status.pod +++ b/doc/man3/OCSP_resp_find_status.pod @@ -3,6 +3,7 @@ =head1 NAME OCSP_resp_get0_certs, +OCSP_resp_get0_signer, OCSP_resp_get0_id, OCSP_resp_get1_id, OCSP_resp_get0_produced_at, @@ -33,6 +34,9 @@ OCSP_single_get0_status, OCSP_check_validity const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); + int OCSP_resp get0_signer(OCSP_BASICRESP *bs, X509 **signer, + STACK_OF(X509) *extra_certs); + int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, const ASN1_OCTET_STRING **pid, const X509_NAME **pname); @@ -76,7 +80,13 @@ single response B<bs>. OCSP_resp_get0_certs() returns any certificates included in B<bs>. -OCSP_resp_get0_id() gets the responder id of <bs>. If the responder ID is +OCSP_resp_get0_signer() attempts to retrive the certificate that directly +signed B<bs>. The OCSP protocol does not require that this certificate +is included in the B<certs> field of the response, so additional certificates +can be supplied in B<extra_certs> if the certificates that may have +signed the response are known via some out-of-band mechanism. + +OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is a name then <*pname> is set to the name and B<*pid> is set to NULL. If the responder ID is by key ID then B<*pid> is set to the key ID and B<*pname> is set to NULL. OCSP_resp_get1_id() leaves ownership of B<*pid> and B<*pname> @@ -106,6 +116,9 @@ B<id> was not found. OCSP_single_get0_status() returns the status of B<single> or -1 if an error occurred. +OCSP_resp_get0_signer() returns 1 if the signing certificate was located, +or 0 on error. + =head1 NOTES Applications will typically call OCSP_resp_find_status() using the certificate |
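Review bot: the SYNOPSIS hunk misspells the new function as `OCSP_resp get0_signer` (a space where the underscore belongs), so the prototype does not match the NAME and DESCRIPTION sections; it should read `int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,`. In the same hunk, the surrounding prototypes take `const OCSP_BASICRESP *bs`; if the new function only reads from the response it should take `const` too, and if it genuinely needs a mutable pointer the reason deserves a sentence in DESCRIPTION.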
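Review bot: in the DESCRIPTION hunk, "retrive" should be "retrieve". The paragraph also leaves two things a caller needs unstated: ownership of the result (this is a get0 function, so say that `*signer` points into `bs` or `extra_certs` and must not be freed by the caller), and whether "the certificate that directly signed B<bs>" is established by verifying the response signature against the candidate or only by matching the responder ID, since a caller who assumes the former may skip a separate verification step.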
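Review bot: the RETURN VALUES hunk says OCSP_resp_get0_signer() "returns 1 if the signing certificate was located, or 0 on error", but the DESCRIPTION just explained that the signer may legitimately be absent from both the response's certs and `extra_certs`, which is a miss rather than an error. Spell out that 0 also covers the no-matching-certificate case and what `*signer` holds then (presumably NULL), so callers do not treat an ordinary miss as a failed call.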