From ead4a921a06e852a55b89efef89b48f1a4d1e3d3 Mon Sep 17 00:00:00 2001 From: schwarze <> Date: Sun, 27 Nov 2016 20:40:07 +0000 Subject: Import OCSP documentation from OpenSSL, leaving out some stuff that we don't have, fixing some bugs and tweaking some parts for readability. P.S. Why did some people write a HTTP client implementation and then decide that the best place to publish it might be a crypto(3) library? Oh never mind, to go easy on my sanity, i should probably stop asking such questions and just document what i find. --- src/lib/libcrypto/man/Makefile | 8 +- src/lib/libcrypto/man/OCSP_REQUEST_new.3 | 241 ++++++++++++++++++++ src/lib/libcrypto/man/OCSP_cert_to_id.3 | 187 ++++++++++++++++ src/lib/libcrypto/man/OCSP_request_add1_nonce.3 | 160 +++++++++++++ src/lib/libcrypto/man/OCSP_resp_find_status.3 | 285 ++++++++++++++++++++++++ src/lib/libcrypto/man/OCSP_response_status.3 | 134 +++++++++++ src/lib/libcrypto/man/OCSP_sendreq_new.3 | 245 ++++++++++++++++++++ 7 files changed, 1259 insertions(+), 1 deletion(-) create mode 100644 src/lib/libcrypto/man/OCSP_REQUEST_new.3 create mode 100644 src/lib/libcrypto/man/OCSP_cert_to_id.3 create mode 100644 src/lib/libcrypto/man/OCSP_request_add1_nonce.3 create mode 100644 src/lib/libcrypto/man/OCSP_resp_find_status.3 create mode 100644 src/lib/libcrypto/man/OCSP_response_status.3 create mode 100644 src/lib/libcrypto/man/OCSP_sendreq_new.3 (limited to 'src') diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index 447c7d23c3..a1cc37cb35 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.55 2016/11/26 18:09:35 schwarze Exp $ +# $OpenBSD: Makefile,v 1.56 2016/11/27 20:40:07 schwarze Exp $ .include @@ -122,6 +122,12 @@ MAN= \ HMAC.3 \ MD5.3 \ OBJ_nid2obj.3 \ + OCSP_REQUEST_new.3 \ + OCSP_cert_to_id.3 \ + OCSP_request_add1_nonce.3 \ + OCSP_resp_find_status.3 \ + OCSP_response_status.3 \ + OCSP_sendreq_new.3 \ OPENSSL_VERSION_NUMBER.3 \ OPENSSL_config.3 \ OPENSSL_load_builtin_modules.3 \ diff --git a/src/lib/libcrypto/man/OCSP_REQUEST_new.3 b/src/lib/libcrypto/man/OCSP_REQUEST_new.3 new file mode 100644 index 0000000000..dd08b7c2ca --- /dev/null +++ b/src/lib/libcrypto/man/OCSP_REQUEST_new.3 @@ -0,0 +1,241 @@ +.\" $OpenBSD: OCSP_REQUEST_new.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $ +.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" +.\" This file was written by Dr. Stephen Henson . +.\" Copyright (c) 2014, 2016 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: November 27 2016 $ +.Dt OCSP_REQUEST_NEW 3 +.Os +.Sh NAME +.Nm OCSP_REQUEST_new , +.Nm OCSP_REQUEST_free , +.Nm OCSP_request_add0_id , +.Nm OCSP_request_sign , +.Nm OCSP_request_add1_cert , +.Nm OCSP_request_onereq_count , +.Nm OCSP_request_onereq_get0 , +.Nd OCSP request functions +.Sh SYNOPSIS +.In openssl/ocsp.h +.Ft OCSP_REQUEST * +.Fn OCSP_REQUEST_new void +.Ft void +.Fo OCSP_REQUEST_free +.Fa "OCSP_REQUEST *req" +.Fc +.Ft OCSP_ONEREQ * +.Fo OCSP_request_add0_id +.Fa "OCSP_REQUEST *req" +.Fa "OCSP_CERTID *cid" +.Fc +.Ft int +.Fo OCSP_request_sign +.Fa "OCSP_REQUEST *req" +.Fa "X509 *signer" +.Fa "EVP_PKEY *key" +.Fa "const EVP_MD *dgst" +.Fa "STACK_OF(X509) *certs" +.Fa "unsigned long flags" +.Fc +.Ft int +.Fo OCSP_request_add1_cert +.Fa "OCSP_REQUEST *req" +.Fa "X509 *cert" +.Fc +.Ft int +.Fo OCSP_request_onereq_count +.Fa "OCSP_REQUEST *req" +.Fc +.Ft OCSP_ONEREQ * +.Fo OCSP_request_onereq_get0 +.Fa "OCSP_REQUEST *req" +.Fa "int i" +.Fc +.Sh DESCRIPTION +.Fn OCSP_REQUEST_new +allocates and returns an empty +.Vt OCSP_REQUEST +structure. +.Pp +.Fn OCSP_REQUEST_free +frees up the request structure +.Fa req . +.Pp +.Fn OCSP_request_add0_id +adds certificate ID +.Fa cid +to +.Fa req . +It returns the +.Vt OCSP_ONEREQ +structure added so an application can add additional extensions to the +request. +The +.Fa cid +parameter must not be freed up after the operation. +.Pp +.Fn OCSP_request_sign +signs OCSP request +.Fa req +using certificate +.Fa signer , +private key +.Fa key , +digest +.Fa dgst , +and additional certificates +.Fa certs . +If the +.Fa flags +option +.Dv OCSP_NOCERTS +is set, then no certificates will be included in the request. +.Pp +.Fn OCSP_request_add1_cert +adds certificate +.Fa cert +to request +.Fa req . +The application is responsible for freeing up +.Fa cert +after use. +.Pp +.Fn OCSP_request_onereq_count +returns the total number of +.Vt OCSP_ONEREQ +structures in +.Fa req . +.Pp +.Fn OCSP_request_onereq_get0 +returns an internal pointer to the +.Vt OCSP_ONEREQ +contained in +.Fa req +of index +.Fa i . +The index value +.Fa i +runs from 0 to +.Fn OCSP_request_onereq_count req No - 1 . +.Pp +An +.Vt OCSP_REQUEST +structure contains one or more +.Vt OCSP_ONEREQ +structures corresponding to each certificate. +.Pp +.Fn OCSP_request_onereq_count +and +.Fn OCSP_request_onereq_get0 +are mainly used by OCSP responders. +.Sh RETURN VALUES +.Fn OCSP_REQUEST_new +returns an empty +.Vt OCSP_REQUEST +structure or +.Dv NULL +if an error occurred. +.Pp +.Fn OCSP_request_add0_id +returns the +.Vt OCSP_ONEREQ +structure containing +.Fa cid +or +.Dv NULL +if an error occurred. +.Pp +.Fn OCSP_request_sign +and +.Fn OCSP_request_add1_cert +return 1 for success or 0 for failure. +.Pp +.Fn OCSP_request_onereq_count +returns the total number of +.Vt OCSP_ONEREQ +structures in +.Fa req . +.Pp +.Fn OCSP_request_onereq_get0 +returns a pointer to an +.Vt OCSP_ONEREQ +structure or +.Dv NULL +if the index value is out or range. +.Sh EXAMPLE +Create an +.Vt OCSP_REQUEST +structure for certificate +.Fa cert +with issuer +.Fa issuer : +.Bd -literal -offset indent +OCSP_REQUEST *req; +OCSP_ID *cid; + +req = OCSP_REQUEST_new(); +if (req == NULL) + /* error */ +cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer); +if (cid == NULL) + /* error */ + +if (OCSP_REQUEST_add0_id(req, cid) == NULL) + /* error */ + + /* Do something with req, e.g. query responder */ + +OCSP_REQUEST_free(req); +.Ed +.Sh SEE ALSO +.Xr crypto 3 , +.Xr OCSP_cert_to_id 3 , +.Xr OCSP_request_add1_nonce 3 , +.Xr OCSP_resp_find_status 3 , +.Xr OCSP_response_status 3 , +.Xr OCSP_sendreq_new 3 diff --git a/src/lib/libcrypto/man/OCSP_cert_to_id.3 b/src/lib/libcrypto/man/OCSP_cert_to_id.3 new file mode 100644 index 0000000000..6742e45415 --- /dev/null +++ b/src/lib/libcrypto/man/OCSP_cert_to_id.3 @@ -0,0 +1,187 @@ +.\" $OpenBSD: OCSP_cert_to_id.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $ +.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" +.\" This file was written by Dr. Stephen Henson . +.\" Copyright (c) 2014, 2016 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: November 27 2016 $ +.Dt OCSP_CERT_TO_ID 3 +.Os +.Sh NAME +.Nm OCSP_cert_to_id , +.Nm OCSP_cert_id_new , +.Nm OCSP_CERTID_free , +.Nm OCSP_id_issuer_cmp , +.Nm OCSP_id_cmp , +.Nm OCSP_id_get0_info +.Nd OCSP certificate ID utility functions +.Sh SYNOPSIS +.In openssl/ocsp.h +.Ft OCSP_CERTID * +.Fo OCSP_cert_to_id +.Fa "const EVP_MD *dgst" +.Fa "X509 *subject" +.Fa "X509 *issuer" +.Fc +.Ft OCSP_CERTID * +.Fo OCSP_cert_id_new +.Fa "const EVP_MD *dgst" +.Fa "X509_NAME *issuerName" +.Fa "ASN1_BIT_STRING *issuerKey" +.Fa "ASN1_INTEGER *serialNumber" +.Fc +.Ft void +.Fo OCSP_CERTID_free +.Fa "OCSP_CERTID *id" +.Fc +.Ft int +.Fo OCSP_id_issuer_cmp +.Fa "OCSP_CERTID *a" +.Fa "OCSP_CERTID *b" +.Fc +.Ft int +.Fo OCSP_id_cmp +.Fa "OCSP_CERTID *a" +.Fa "OCSP_CERTID *b" +.Fc +.Ft int +.Fo OCSP_id_get0_info +.Fa "ASN1_OCTET_STRING **piNameHash" +.Fa "ASN1_OBJECT **pmd" +.Fa "ASN1_OCTET_STRING **pikeyHash" +.Fa "ASN1_INTEGER **pserial" +.Fa "OCSP_CERTID *cid" +.Fc +.Sh DESCRIPTION +.Fn OCSP_cert_to_id +creates and returns a new +.Vt OCSP_CERTID +structure using message digest +.Fa dgst +for certificate +.Fa subject +with issuer +.Fa issuer . +If +.Fa dgst +is +.Dv NULL +then SHA1 is used. +.Pp +.Fn OCSP_cert_id_new +creates and returns a new +.Vt OCSP_CERTID +using +.Fa dgst +and issuer name +.Fa issuerName , +issuer key hash +.Fa issuerKey +and serial number +.Fa serialNumber . +.Pp +.Fn OCSP_CERTID_free +frees up +.Fa id . +.Pp +.Fn OCSP_id_cmp +compares +.Vt OCSP_CERTID +.Fa a +and +.Fa b . +.Pp +.Fn OCSP_id_issuer_cmp +compares only the issuer name of +.Vt OCSP_CERTID +.Fa a +and +.Fa b . +.Pp +.Fn OCSP_id_get0_info +returns the issuer name hash, hash OID, issuer key hash and serial +number contained in +.Fa cid . +If any of the values are not required the corresponding parameter can be +set to +.Dv NULL . +The values returned by +.Fn OCSP_id_get0_info +are internal pointers and must not be freed up by an application: +they will be freed when the corresponding +.Vt OCSP_CERTID +structure is freed. +.Pp +OCSP clients will typically only use +.Fn OCSP_cert_to_id +or +.Fn OCSP_cert_id_new : +the other functions are used by responder applications. +.Sh RETURN VALUES +.Fn OCSP_cert_to_id +and +.Fn OCSP_cert_id_new +return either a pointer to a valid +.Vt OCSP_CERTID +structure or +.Dv NULL +if an error occurred. +.Pp +.Fn OCSP_id_cmp +and +.Fn OCSP_id_issuer_cmp +returns 0 for a match or non-zero otherwise. +.Pp +.Fn OCSP_id_get0_info +returns 1 for success or 0 for failure. +.Sh SEE ALSO +.Xr crypto 3 , +.Xr OCSP_request_add1_nonce 3 , +.Xr OCSP_REQUEST_new 3 , +.Xr OCSP_resp_find_status 3 , +.Xr OCSP_response_status 3 , +.Xr OCSP_sendreq_new 3 diff --git a/src/lib/libcrypto/man/OCSP_request_add1_nonce.3 b/src/lib/libcrypto/man/OCSP_request_add1_nonce.3 new file mode 100644 index 0000000000..8de58d2731 --- /dev/null +++ b/src/lib/libcrypto/man/OCSP_request_add1_nonce.3 @@ -0,0 +1,160 @@ +.\" $OpenBSD: OCSP_request_add1_nonce.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $ +.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" +.\" This file was written by Dr. Stephen Henson . +.\" Copyright (c) 2014, 2016 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: November 27 2016 $ +.Dt OCSP_REQUEST_ADD1_NONCE 3 +.Os +.Sh NAME +.Nm OCSP_request_add1_nonce , +.Nm OCSP_basic_add1_nonce , +.Nm OCSP_check_nonce , +.Nm OCSP_copy_nonce +.Nd OCSP nonce functions +.Sh SYNOPSIS +.In openssl/ocsp.h +.Ft int +.Fo OCSP_request_add1_nonce +.Fa "OCSP_REQUEST *req" +.Fa "unsigned char *val" +.Fa "int len" +.Fc +.Ft int +.Fo OCSP_basic_add1_nonce +.Fa "OCSP_BASICRESP *resp" +.Fa "unsigned char *val" +.Fa "int len" +.Fc +.Ft int +.Fo OCSP_copy_nonce +.Fa "OCSP_BASICRESP *resp" +.Fa "OCSP_REQUEST *req" +.Fc +.Ft int +.Fo OCSP_check_nonce +.Fa "OCSP_REQUEST *req" +.Fa "OCSP_BASICRESP *resp" +.Fc +.Sh DESCRIPTION +An OCSP nonce is typically added to an OCSP request to thwart replay +attacks by checking the same nonce value appears in the response. +.Pp +.Fn OCSP_request_add1_nonce +adds a nonce of value +.Fa val +and length +.Fa len +to OCSP request +.Fa req . +If +.Fa val +is +.Dv NULL , +a random nonce is used. +If +.Fa len +is zero or negative, a default length will be used (currently 16 bytes). +For most purposes the nonce value in a request is set to a random value +so the +.Fa val +parameter in +.Fn OCSP_request_add1_nonce +is usually NULL. +.Pp +.Fn OCSP_basic_add1_nonce +is identical to +.Fn OCSP_request_add1_nonce +except it adds a nonce to OCSP basic response +.Fa resp . +.Pp +.Fn OCSP_check_nonce +compares the nonce value in +.Fa req +and +.Fa resp . +.Pp +.Fn OCSP_copy_nonce +copies any nonce value present in +.Fa req +to +.Fa resp . +.Pp +Some responders may include a nonce in all responses even if one is not +supplied. +.Pp +Some responders cache OCSP responses and do not sign each response for +performance reasons. +As a result they do not support nonces. +.Sh RETURN VALUES +.Fn OCSP_request_add1_nonce +and +.Fn OCSP_basic_add1_nonce +return 1 for success or 0 for failure. +.Pp +.Fn OCSP_copy_nonce +returns 1 if a nonce was successfully copied, 2 if no nonce was +present in +.Fa req , +or 0 if an error occurred. +.Pp +.Fn OCSP_check_nonce +returns positive values for success: 1 if nonces are present and +equal, 2 if both nonces are absent, or 3 if a nonce is present in +the response only. +A zero return value indicates that both nonces are present but +mismatch: this should be treated as an error condition. +A return value of -1 indicates that a nonce is present in the request +only: this will happen if the responder doesn't support nonces. +.Sh SEE ALSO +.Xr crypto 3 , +.Xr OCSP_cert_to_id 3 , +.Xr OCSP_REQUEST_new 3 , +.Xr OCSP_resp_find_status 3 , +.Xr OCSP_response_status 3 , +.Xr OCSP_sendreq_new 3 diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3 new file mode 100644 index 0000000000..603b155455 --- /dev/null +++ b/src/lib/libcrypto/man/OCSP_resp_find_status.3 @@ -0,0 +1,285 @@ +.\" $OpenBSD: OCSP_resp_find_status.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $ +.\" OpenSSL c952780c Jun 21 07:03:34 2016 -0400 +.\" +.\" This file was written by Dr. Stephen Henson . +.\" Copyright (c) 2014 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: November 27 2016 $ +.Dt OCSP_RESP_FIND_STATUS 3 +.Os +.Sh NAME +.Nm OCSP_resp_find_status , +.Nm OCSP_resp_count , +.Nm OCSP_resp_get0 , +.Nm OCSP_resp_find , +.Nm OCSP_single_get0_status , +.Nm OCSP_check_validity +.Nd OCSP response utility functions +.Sh SYNOPSIS +.In openssl/ocsp.h +.Ft int +.Fo OCSP_resp_find_status +.Fa "OCSP_BASICRESP *bs" +.Fa "OCSP_CERTID *id" +.Fa "int *status" +.Fa "int *reason" +.Fa "ASN1_GENERALIZEDTIME **revtime" +.Fa "ASN1_GENERALIZEDTIME **thisupd" +.Fa "ASN1_GENERALIZEDTIME **nextupd" +.Fc +.Ft int +.Fo OCSP_resp_count +.Fa "OCSP_BASICRESP *bs" +.Fc +.Ft OCSP_SINGLERESP * +.Fo OCSP_resp_get0 +.Fa "OCSP_BASICRESP *bs" +.Fa "int idx" +.Fc +.Ft int +.Fo OCSP_resp_find +.Fa "OCSP_BASICRESP *bs" +.Fa "OCSP_CERTID *id" +.Fa "int last" +.Fc +.Ft int +.Fo OCSP_single_get0_status +.Fa "OCSP_SINGLERESP *single" +.Fa "int *reason" +.Fa "ASN1_GENERALIZEDTIME **revtime" +.Fa "ASN1_GENERALIZEDTIME **thisupd" +.Fa "ASN1_GENERALIZEDTIME **nextupd" +.Fc +.Ft int +.Fo OCSP_check_validity +.Fa "ASN1_GENERALIZEDTIME *thisupd" +.Fa "ASN1_GENERALIZEDTIME *nextupd" +.Fa "long sec" +.Fa "long maxsec" +.Fc +.Sh DESCRIPTION +.Fn OCSP_resp_find_status +searches +.Fa bs +for an OCSP response for +.Fa id . +If it is successful, the fields of the response are returned in +.Pf * Fa status , +.Pf * Fa reason , +.Pf * Fa revtime , +.Pf * Fa thisupd +and +.Pf * Fa nextupd . +The +.Pf * Fa status +value will be one of +.Dv V_OCSP_CERTSTATUS_GOOD , +.Dv V_OCSP_CERTSTATUS_REVOKED , +or +.Dv V_OCSP_CERTSTATUS_UNKNOWN . +The +.Pf * Fa reason +and +.Pf * Fa revtime +fields are only set if the status is +.Dv V_OCSP_CERTSTATUS_REVOKED . +If set, the +.Pf * Fa reason +field will be set to the revocation reason which will be one of +.Dv OCSP_REVOKED_STATUS_NOSTATUS , +.Dv OCSP_REVOKED_STATUS_UNSPECIFIED , +.Dv OCSP_REVOKED_STATUS_KEYCOMPROMISE , +.Dv OCSP_REVOKED_STATUS_CACOMPROMISE , +.Dv OCSP_REVOKED_STATUS_AFFILIATIONCHANGED , +.Dv OCSP_REVOKED_STATUS_SUPERSEDED , +.Dv OCSP_REVOKED_STATUS_CESSATIONOFOPERATION , +.Dv OCSP_REVOKED_STATUS_CERTIFICATEHOLD +or +.Dv OCSP_REVOKED_STATUS_REMOVEFROMCRL . +.Pp +.Fn OCSP_resp_count +returns the number of +.Vt OCSP_SINGLERESP +structures in +.Fa bs . +.Pp +.Fn OCSP_resp_get0 +returns the +.Vt OCSP_SINGLERESP +structure in +.Fa bs +corresponding to index +.Fa idx , +where +.Fa idx +runs from 0 to +.Fn OCSP_resp_count bs No - 1 . +.Pp +.Fn OCSP_resp_find +searches +.Fa bs +for +.Fa id +and returns the index of the first matching entry after +.Fa last +or starting from the beginning if +.Fa last +is -1. +.Pp +.Fn OCSP_single_get0_status +extracts the fields of +.Fa single +in +.Pf * Fa reason , +.Pf * Fa revtime , +.Pf * Fa thisupd , +and +.Pf * Fa nextupd . +.Pp +.Fn OCSP_check_validity +checks the validity of +.Fa thisupd +and +.Fa nextupd +values which will be typically obtained from +.Fn OCSP_resp_find_status +or +.Fn OCSP_single_get0_status . +If +.Fa sec +is non-zero it indicates how many seconds leeway should be allowed in +the check. +If +.Fa maxsec +is positive it indicates the maximum age of +.Fa thisupd +in seconds. +.Pp +Applications will typically call +.Fn OCSP_resp_find_status +using the certificate ID of interest and then check its validity using +.Fn OCSP_check_validity . +They can then take appropriate action based on the status of the +certificate. +.Pp +An OCSP response for a certificate contains +.Sy thisUpdate +and +.Sy nextUpdate +fields. +Normally the current time should be between these two values. +To account for clock skew, the +.Fa maxsec +field can be set to non-zero in +.Fn OCSP_check_validity . +Some responders do not set the +.Sy nextUpdate +field. +This would otherwise mean an ancient response would be considered +valid: the +.Fa maxsec +parameter to +.Fn OCSP_check_validity +can be used to limit the permitted age of responses. +.Pp +The values written to +.Pf * Fa revtime , +.Pf * Fa thisupd , +and +.Pf * Fa nextupd +by +.Fn OCSP_resp_find_status +and +.Fn OCSP_single_get0_status +are internal pointers which must not be freed up by the calling +application. +Any or all of these parameters can be set to +.Dv NULL +if their value is not required. +.Sh RETURN VALUES +.Fn OCSP_resp_find_status +returns 1 if +.Fa id +is found in +.Fa bs +or 0 otherwise. +.Pp +.Fn OCSP_resp_count +returns the total number of +.Vt OCSP_SINGLERESP +fields in +.Fa bs . +.Pp +.Fn OCSP_resp_get0 +returns a pointer to an +.Vt OCSP_SINGLERESP +structure or +.Dv NULL +if +.Fa idx +is out of range. +.Pp +.Fn OCSP_resp_find +returns the index of +.Fa id +in +.Fa bs +(which may be 0) or -1 if +.Fa id +was not found. +.Pp +.Fn OCSP_single_get0_status +returns the status of +.Fa single +or -1 if an error occurred. +.Sh SEE ALSO +.Xr crypto 3 , +.Xr OCSP_cert_to_id 3 , +.Xr OCSP_request_add1_nonce 3 , +.Xr OCSP_REQUEST_new 3 , +.Xr OCSP_response_status 3 , +.Xr OCSP_sendreq_new 3 diff --git a/src/lib/libcrypto/man/OCSP_response_status.3 b/src/lib/libcrypto/man/OCSP_response_status.3 new file mode 100644 index 0000000000..c6fef0dc2e --- /dev/null +++ b/src/lib/libcrypto/man/OCSP_response_status.3 @@ -0,0 +1,134 @@ +.\" $OpenBSD: OCSP_response_status.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $ +.\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 +.\" +.\" This file was written by Dr. Stephen Henson . +.\" Copyright (c) 2014, 2016 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: November 27 2016 $ +.Dt OCSP_RESPONSE_STATUS 3 +.Os +.Sh NAME +.Nm OCSP_response_status , +.Nm OCSP_response_get1_basic , +.Nm OCSP_response_create , +.Nm OCSP_RESPONSE_free +.Nd OCSP response functions +.Sh SYNOPSIS +.In openssl/ocsp.h +.Ft int +.Fo OCSP_response_status +.Fa "OCSP_RESPONSE *resp" +.Fc +.Ft OCSP_BASICRESP * +.Fo OCSP_response_get1_basic +.Fa "OCSP_RESPONSE *resp" +.Fc +.Ft OCSP_RESPONSE * +.Fo OCSP_response_create +.Fa "int status" +.Fa "OCSP_BASICRESP *bs" +.Fc +.Ft void +.Fo OCSP_RESPONSE_free +.Fa "OCSP_RESPONSE *resp" +.Fc +.Sh DESCRIPTION +.Fn OCSP_response_status +returns the OCSP response status of +.Fa resp . +It returns one of the values: +.Dv OCSP_RESPONSE_STATUS_SUCCESSFUL , +.Dv OCSP_RESPONSE_STATUS_MALFORMEDREQUEST , +.Dv OCSP_RESPONSE_STATUS_INTERNALERROR , +.Dv OCSP_RESPONSE_STATUS_TRYLATER , +.Dv OCSP_RESPONSE_STATUS_SIGREQUIRED , +or +.Dv OCSP_RESPONSE_STATUS_UNAUTHORIZED . +.Pp +.Fn OCSP_response_get1_basic +decodes and returns the +.Vt OCSP_BASICRESP +structure contained in +.Fa resp . +It is only called if the status of a response is +.Dv OCSP_RESPONSE_STATUS_SUCCESSFUL . +.Pp +.Fn OCSP_response_create +creates and returns an +.Vt OCSP_RESPONSE +structure for +.Fa status +and optionally including basic response +.Fa bs . +.Pp +.Fn OCSP_RESPONSE_free +frees up OCSP response +.Fa resp . +.Sh RETURN VALUES +.Fn OCSP_response_status +returns a status value. +.Pp +.Fn OCSP_response_get1_basic +returns an +.Vt OCSP_BASICRESP +structure pointer or +.Dv NULL +if an error occurred. +.Pp +.Fn OCSP_response_create +returns an +.Vt OCSP_RESPONSE +structure pointer or +.Dv NULL +if an error occurred. +.Sh SEE ALSO +.Xr crypto 3 , +.Xr OCSP_cert_to_id 3 , +.Xr OCSP_request_add1_nonce 3 , +.Xr OCSP_REQUEST_new 3 , +.Xr OCSP_resp_find_status 3 , +.Xr OCSP_sendreq_new 3 diff --git a/src/lib/libcrypto/man/OCSP_sendreq_new.3 b/src/lib/libcrypto/man/OCSP_sendreq_new.3 new file mode 100644 index 0000000000..994ce9cc2a --- /dev/null +++ b/src/lib/libcrypto/man/OCSP_sendreq_new.3 @@ -0,0 +1,245 @@ +.\" $OpenBSD: OCSP_sendreq_new.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $ +.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" +.\" This file was written by Dr. Stephen Henson . +.\" Copyright (c) 2014, 2016 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: November 27 2016 $ +.Dt OCSP_SENDREQ_NEW 3 +.Os +.Sh NAME +.Nm OCSP_sendreq_new , +.Nm OCSP_sendreq_nbio , +.Nm OCSP_REQ_CTX_free , +.Nm OCSP_REQ_CTX_add1_header , +.Nm OCSP_REQ_CTX_set1_req , +.Nm OCSP_sendreq_bio +.Nd OCSP responder query functions +.Sh SYNOPSIS +.In openssl/ocsp.h +.Ft OCSP_REQ_CTX * +.Fo OCSP_sendreq_new +.Fa "BIO *io" +.Fa "const char *path" +.Fa "OCSP_REQUEST *req" +.Fa "int maxline" +.Fc +.Ft int +.Fo OCSP_sendreq_nbio +.Fa "OCSP_RESPONSE **presp" +.Fa "OCSP_REQ_CTX *rctx" +.Fc +.Ft void +.Fo OCSP_REQ_CTX_free +.Fa "OCSP_REQ_CTX *rctx" +.Fc +.Ft int +.Fo OCSP_REQ_CTX_add1_header +.Fa "OCSP_REQ_CTX *rctx" +.Fa "const char *name" +.Fa "const char *value" +.Fc +.Ft int +.Fo OCSP_REQ_CTX_set1_req +.Fa "OCSP_REQ_CTX *rctx" +.Fa "OCSP_REQUEST *req" +.Fc +.Ft OCSP_RESPONSE * +.Fo OCSP_sendreq_bio +.Fa "BIO *io" +.Fa "const char *path" +.Fa "OCSP_REQUEST *req" +.Fc +.Sh DESCRIPTION +The function +.Fn OCSP_sendreq_new +returns an +.Vt OCSP_REQ_CTX +structure using the responder +.Fa io , +the URI path +.Fa path , +the OCSP request +.Fa req +and with a response header maximum line length of +.Fa maxline . +If +.Fa maxline +is zero, a default value of 4k is used. +The OCSP request +.Fa req +may be set to +.Dv NULL +and provided later if required. +.Pp +The arguments to +.Fn OCSP_sendreq_new +correspond to the components of the URI. +For example, if the responder URI is +.Pa http://ocsp.com/ocspreq , +the BIO +.Fa io +should be connected to host +.Pa ocsp.com +on port 80 and +.Fa path +should be set to +.Qq /ocspreq . +.Pp +.Fn OCSP_sendreq_nbio +performs non-blocking I/O on the OCSP request context +.Fa rctx . +When the operation is complete it returns the response in +.Pf * Fa presp . +If +.Fn OCSP_sendreq_nbio +indicates an operation should be retried, the corresponding BIO can +be examined to determine which operation (read or write) should be +retried and appropriate action can be taken, for example a +.Xr select 3 +call on the underlying socket. +.Pp +.Fn OCSP_REQ_CTX_free +frees up the OCSP context +.Fa rctx . +.Pp +.Fn OCSP_REQ_CTX_add1_header +adds header +.Fa name +with value +.Fa value +to the context +.Fa rctx . +The added headers are of the form +.Qq Fa name : value +or just +.Qq Fa name +if +.Fa value +is +.Dv NULL . +.Fn OCSP_REQ_CTX_add1_header +can be called more than once to add multiple headers. +It must be called before any calls to +.Fn OCSP_sendreq_nbio . +The +.Fa req +parameter in the initial to +.Fn OCSP_sendreq_new +call must be set to +.Dv NULL +if additional headers are set. +.Pp +.Fn OCSP_REQ_CTX_set1_req +sets the OCSP request in +.Fa rctx +to +.Fa req . +This function should be called after any calls to +.Fn OCSP_REQ_CTX_add1_header . +.Pp +.Fn OCSP_sendreq_bio +performs an OCSP request using the responder +.Fa io , +the URI path +.Fa path , +the OCSP request +.Fa req . +It does not support retries and so cannot handle non-blocking I/O +efficiently. +It is retained for compatibility and its use in new applications +is not recommended. +.Sh RETURN VALUES +.Fn OCSP_sendreq_new +returns a valid +.Vt OCSP_REQ_CTX +structure or +.Dv NULL +if an error occurred. +.Pp +.Fn OCSP_sendreq_nbio +returns +.Sy 1 +if the operation was completed successfully, +.Sy -1 +if the operation should be retried, or +.Sy 0 +if an error occurred. +.Pp +.Fn OCSP_REQ_CTX_add1_header +and +.Fn OCSP_REQ_CTX_set1_req +return +.Sy 1 +for success or +.Sy 0 +for failure. +.Pp +.Fn OCSP_sendreq_bio +returns the +.Vt OCSP_RESPONSE +structure sent by the responder or +.Dv NULL +if an error occurred. +.Sh EXAMPLES +Add a Host header for +.Pa ocsp.com : +.Pp +.Dl OCSP_REQ_CTX_add1_header(ctx, "Host", "ocsp.com"); +.Sh SEE ALSO +.Xr crypto 3 , +.Xr OCSP_cert_to_id 3 , +.Xr OCSP_request_add1_nonce 3 , +.Xr OCSP_REQUEST_new 3 , +.Xr OCSP_resp_find_status 3 , +.Xr OCSP_response_status 3 +.Sh CAVEATS +These functions only perform a minimal HTTP query to a responder. +If an application wishes to support more advanced features, it +should use an alternative more complete HTTP library. +.Pp +Currently only HTTP POST queries to responders are supported. -- cgit v1.2.3-55-g6feb