From: David von Oheimb Date: Sat, 10 Feb 2018 14:45:11 +0000 (+0100) Subject: add documentation for OCSP_basic_verify() X-Git-Tag: OpenSSL_1_1_1-pre9~260 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=b8c32081e02b7008a90d878eccce46da256dfe86;p=oweals%2Fopenssl.git add documentation for OCSP_basic_verify() Reviewed-by: Rich Salz Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6227) --- diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod index af7fb1dea6..1bbc4e324c 100644 --- a/doc/man3/OCSP_resp_find_status.pod +++ b/doc/man3/OCSP_resp_find_status.pod @@ -8,7 +8,8 @@ OCSP_resp_get0_id, OCSP_resp_get1_id, OCSP_resp_get0_produced_at, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, -OCSP_single_get0_status, OCSP_check_validity +OCSP_single_get0_status, OCSP_check_validity, +OCSP_basic_verify - OCSP response utility functions =head1 SYNOPSIS @@ -48,6 +49,9 @@ OCSP_single_get0_status, OCSP_check_validity ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); + int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + X509_STORE *st, unsigned long flags); + =head1 DESCRIPTION OCSP_resp_find_status() searches B for an OCSP response for B. If it is @@ -100,6 +104,27 @@ OCSP_single_get0_status(). If B is non-zero it indicates how many seconds leeway should be allowed in the check. If B is positive it indicates the maximum age of B in seconds. +OCSP_basic_verify() checks that the basic response message B is correctly +signed and that the signer certificate can be validated. It takes B as +the trusted store and B as a set of untrusted intermediate certificates. +The function first tries to find the signer certificate of the response +in . It also searches the certificates the responder may have included +in B unless the B contain B. +It fails if the signer certificate cannot be found. +Next, the function checks the signature of B and fails on error +unless the B contain B. Then the function already returns +success if the B contain B or if the signer certificate +was found in B and the B contain B. +Otherwise the function continues by validating the signer certificate. +To this end, all certificates in B and in B are considered as +untrusted certificates for the construction of the validation path for the +signer certificate unless the B flag is set. After successful path +validation the function returns success if the B flag is set. +Otherwise it verifies that the signer certificate meets the OCSP issuer +criteria including potential delegation. If this does not succeed and the +B do not contain B the function checks for explicit +trust for OCSP signing in the root CA certificate. + =head1 RETURN VALUES OCSP_resp_find_status() returns 1 if B is found in B and 0 otherwise. @@ -119,6 +144,9 @@ occurred. OCSP_resp_get0_signer() returns 1 if the signing certificate was located, or 0 on error. +OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such +as malloc failure. + =head1 NOTES Applications will typically call OCSP_resp_find_status() using the certificate