diff options
| author | schwarze <> | 2019-03-15 11:15:33 +0000 |
|---|---|---|
| committer | schwarze <> | 2019-03-15 11:15:33 +0000 |
| commit | 1ae659b659e875d4fce992845cb9c2c6b6151155 (patch) | |
| tree | 3c6596efe97667a800532d8c6d63f7d14c864d67 /src | |
| parent | e44d7af88579ebe18a2d8ef57242b067993706b1 (diff) | |
| download | openbsd-1ae659b659e875d4fce992845cb9c2c6b6151155.tar.gz openbsd-1ae659b659e875d4fce992845cb9c2c6b6151155.tar.bz2 openbsd-1ae659b659e875d4fce992845cb9c2c6b6151155.zip | |
Document OCSP_basic_verify(3).
From David dot von dot Oheimb at siemens dot com
via OpenSSL commit b8c32081 Feb 10 15:45:11 2018 +0100, which is still
under a free license because it is before the 1.1.1 branch point.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/man/OCSP_resp_find_status.3 | 80 |
1 files changed, 75 insertions, 5 deletions
diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3 index 1c4da4e99e..a32019c4d6 100644 --- a/src/lib/libcrypto/man/OCSP_resp_find_status.3 +++ b/src/lib/libcrypto/man/OCSP_resp_find_status.3 | |||
| @@ -1,5 +1,6 @@ | |||
| 1 | .\" $OpenBSD: OCSP_resp_find_status.3,v 1.8 2018/03/23 23:18:17 schwarze Exp $ | 1 | .\" $OpenBSD: OCSP_resp_find_status.3,v 1.9 2019/03/15 11:15:33 schwarze Exp $ |
| 2 | .\" full merge up to: OpenSSL c952780c Jun 21 07:03:34 2016 -0400 | 2 | .\" full merge up to: OpenSSL c952780c Jun 21 07:03:34 2016 -0400 |
| 3 | .\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100 | ||
| 3 | .\" | 4 | .\" |
| 4 | .\" This file is a derived work. | 5 | .\" This file is a derived work. |
| 5 | .\" The changes are covered by the following Copyright and license: | 6 | .\" The changes are covered by the following Copyright and license: |
| @@ -18,8 +19,9 @@ | |||
| 18 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | 19 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 19 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 20 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 20 | .\" | 21 | .\" |
| 21 | .\" The original file was written by Dr. Stephen Henson <steve@openssl.org>. | 22 | .\" The original file was written by Dr. Stephen Henson <steve@openssl.org> |
| 22 | .\" Copyright (c) 2014 The OpenSSL Project. All rights reserved. | 23 | .\" and David von Oheimb <David.von.Oheimb@siemens.com>. |
| 24 | .\" Copyright (c) 2014, 2018 The OpenSSL Project. All rights reserved. | ||
| 23 | .\" | 25 | .\" |
| 24 | .\" Redistribution and use in source and binary forms, with or without | 26 | .\" Redistribution and use in source and binary forms, with or without |
| 25 | .\" modification, are permitted provided that the following conditions | 27 | .\" modification, are permitted provided that the following conditions |
| @@ -65,7 +67,7 @@ | |||
| 65 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | 67 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 66 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. | 68 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. |
| 67 | .\" | 69 | .\" |
| 68 | .Dd $Mdocdate: March 23 2018 $ | 70 | .Dd $Mdocdate: March 15 2019 $ |
| 69 | .Dt OCSP_RESP_FIND_STATUS 3 | 71 | .Dt OCSP_RESP_FIND_STATUS 3 |
| 70 | .Os | 72 | .Os |
| 71 | .Sh NAME | 73 | .Sh NAME |
| @@ -81,7 +83,8 @@ | |||
| 81 | .Nm OCSP_resp_find , | 83 | .Nm OCSP_resp_find , |
| 82 | .Nm OCSP_SINGLERESP_get0_id , | 84 | .Nm OCSP_SINGLERESP_get0_id , |
| 83 | .Nm OCSP_single_get0_status , | 85 | .Nm OCSP_single_get0_status , |
| 84 | .Nm OCSP_check_validity | 86 | .Nm OCSP_check_validity , |
| 87 | .Nm OCSP_basic_verify | ||
| 85 | .Nd OCSP response utility functions | 88 | .Nd OCSP response utility functions |
| 86 | .Sh SYNOPSIS | 89 | .Sh SYNOPSIS |
| 87 | .In openssl/ocsp.h | 90 | .In openssl/ocsp.h |
| @@ -141,6 +144,13 @@ | |||
| 141 | .Fa "long sec" | 144 | .Fa "long sec" |
| 142 | .Fa "long maxsec" | 145 | .Fa "long maxsec" |
| 143 | .Fc | 146 | .Fc |
| 147 | .Ft int | ||
| 148 | .Fo OCSP_basic_verify | ||
| 149 | .Fa "OCSP_BASICRESP *bs" | ||
| 150 | .Fa "STACK_OF(X509) *certs" | ||
| 151 | .Fa "X509_STORE *st" | ||
| 152 | .Fa "unsigned long flags" | ||
| 153 | .Fc | ||
| 144 | .Sh DESCRIPTION | 154 | .Sh DESCRIPTION |
| 145 | .Fn OCSP_SINGLERESP_new | 155 | .Fn OCSP_SINGLERESP_new |
| 146 | allocates and initializes an empty | 156 | allocates and initializes an empty |
| @@ -322,6 +332,63 @@ application. | |||
| 322 | Any or all of these parameters can be set to | 332 | Any or all of these parameters can be set to |
| 323 | .Dv NULL | 333 | .Dv NULL |
| 324 | if their value is not required. | 334 | if their value is not required. |
| 335 | .Pp | ||
| 336 | .Fn OCSP_basic_verify | ||
| 337 | checks that the basic response message | ||
| 338 | .Fa bs | ||
| 339 | is correctly signed and that the signer certificate can be validated. | ||
| 340 | It takes | ||
| 341 | .Fa st | ||
| 342 | as the trusted store and | ||
| 343 | .Fa certs | ||
| 344 | as a set of untrusted intermediate certificates. | ||
| 345 | The function first tries to find the signer certificate of the response in | ||
| 346 | .Fa certs . | ||
| 347 | It also searches the certificates the responder may have included in | ||
| 348 | .Fa bs | ||
| 349 | unless the | ||
| 350 | .Fa flags | ||
| 351 | contain | ||
| 352 | .Dv OCSP_NOINTERN . | ||
| 353 | It fails if the signer certificate cannot be found. | ||
| 354 | Next, the function checks the signature of | ||
| 355 | .Fa bs | ||
| 356 | and fails on error unless the | ||
| 357 | .Fa flags | ||
| 358 | contain | ||
| 359 | .Dv OCSP_NOSIGS . | ||
| 360 | Then the function already returns | ||
| 361 | success if the | ||
| 362 | .Fa flags | ||
| 363 | contain | ||
| 364 | .Dv OCSP_NOVERIFY | ||
| 365 | or if the signer certificate was found in | ||
| 366 | .Fa certs | ||
| 367 | and the | ||
| 368 | .Fa flags | ||
| 369 | contain | ||
| 370 | .Dv OCSP_TRUSTOTHER . | ||
| 371 | Otherwise the function continues by validating the signer certificate. | ||
| 372 | To this end, all certificates in | ||
| 373 | .Fa certs | ||
| 374 | and in | ||
| 375 | .Fa bs | ||
| 376 | are considered as untrusted certificates for the construction of | ||
| 377 | the validation path for the signer certificate unless the | ||
| 378 | .Dv OCSP_NOCHAIN | ||
| 379 | flag is set. | ||
| 380 | After successful path | ||
| 381 | validation, the function returns success if the | ||
| 382 | .Dv OCSP_NOCHECKS | ||
| 383 | flag is set. | ||
| 384 | Otherwise it verifies that the signer certificate meets the OCSP issuer | ||
| 385 | criteria including potential delegation. | ||
| 386 | If this does not succeed and the | ||
| 387 | .Fa flags | ||
| 388 | do not contain | ||
| 389 | .Dv OCSP_NOEXPLICIT , | ||
| 390 | the function checks for explicit trust for OCSP signing | ||
| 391 | in the root CA certificate. | ||
| 325 | .Sh RETURN VALUES | 392 | .Sh RETURN VALUES |
| 326 | .Fn OCSP_SINGLERESP_new , | 393 | .Fn OCSP_SINGLERESP_new , |
| 327 | .Fn OCSP_CERTSTATUS_new , | 394 | .Fn OCSP_CERTSTATUS_new , |
| @@ -376,6 +443,9 @@ the returned pointer should not be freed by the caller. | |||
| 376 | returns the status of | 443 | returns the status of |
| 377 | .Fa single | 444 | .Fa single |
| 378 | or -1 if an error occurred. | 445 | or -1 if an error occurred. |
| 446 | .Pp | ||
| 447 | .Fn OCSP_basic_verify | ||
| 448 | returns 1 on success, 0 on error, or -1 on fatal error such as malloc failure. | ||
| 379 | .Sh SEE ALSO | 449 | .Sh SEE ALSO |
| 380 | .Xr OCSP_cert_to_id 3 , | 450 | .Xr OCSP_cert_to_id 3 , |
| 381 | .Xr OCSP_CRLID_new 3 , | 451 | .Xr OCSP_CRLID_new 3 , |