Next: PKCS 12 API, Previous: PKCS 7 API, Up: API reference [Contents][Index]
The following functions are for OCSP certificate status checking. Their prototypes lie in gnutls/ocsp.h.
req: should contain a gnutls_ocsp_req_t type
digest: hash algorithm, a gnutls_digest_algorithm_t value
issuer: issuer of subject certificate
cert: certificate to request status for
This function will add another request to the OCSP request for a
particular certificate. The issuer name hash, issuer key hash, and
serial number fields is populated as follows. The issuer name and
the serial number is taken from cert . The issuer key is taken
from issuer . The hashed values will be hashed using the digest algorithm, normally GNUTLS_DIG_SHA1 .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned.
req: should contain a gnutls_ocsp_req_t type
digest: hash algorithm, a gnutls_digest_algorithm_t value
issuer_name_hash: hash of issuer’s DN
issuer_key_hash: hash of issuer’s public key
serial_number: serial number of certificate to check
This function will add another request to the OCSP request for a
particular certificate having the issuer name hash of
issuer_name_hash and issuer key hash of issuer_key_hash (both
hashed using digest ) and serial number serial_number .
The information needed corresponds to the CertID structure:
<informalexample><programlisting> CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, – Hash of Issuer’s DN issuerKeyHash OCTET STRING, – Hash of Issuers public key serialNumber CertificateSerialNumber } </programlisting></informalexample>
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned.
req: The data to be deinitialized
This function will deinitialize a OCSP request structure.
req: Holds the OCSP request
data: newly allocate buffer holding DER encoded OCSP request
This function will export the OCSP request to DER format.
Returns: In case of failure a negative error code will be returned, and 0 on success.
req: should contain a gnutls_ocsp_req_t type
indx: Specifies which extension OID to get. Use (0) to get the first one.
digest: output variable with gnutls_digest_algorithm_t hash algorithm
issuer_name_hash: output buffer with hash of issuer’s DN
issuer_key_hash: output buffer with hash of issuer’s public key
serial_number: output buffer with serial number of certificate to check
This function will return the certificate information of the
indx ’ed request in the OCSP request. The information returned
corresponds to the CertID structure:
<informalexample><programlisting> CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, – Hash of Issuer’s DN issuerKeyHash OCTET STRING, – Hash of Issuers public key serialNumber CertificateSerialNumber } </programlisting></informalexample>
Each of the pointers to output variables may be NULL to indicate that the caller is not interested in that value.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned. If you have reached the last
CertID available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
returned.
req: should contain a gnutls_ocsp_req_t type
indx: Specifies which extension OID to get. Use (0) to get the first one.
oid: will hold newly allocated buffer with OID of extension, may be NULL
critical: output variable with critical flag, may be NULL.
data: will hold newly allocated buffer with extension data, may be NULL
This function will return all information about the requested
extension in the OCSP request. The information returned is the
OID, the critical flag, and the data itself. The extension OID
will be stored as a string. Any of oid , critical , and data may
be NULL which means that the caller is not interested in getting
that information back.
The caller needs to deallocate memory by calling gnutls_free() on
oid ->data and data ->data.
Since 3.7.0 oid ->size does not account for the terminating null byte.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned. If you have reached the last
extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
be returned.
req: should contain a gnutls_ocsp_req_t type
critical: whether nonce extension is marked critical, or NULL
nonce: will hold newly allocated buffer with nonce data
This function will return the OCSP request nonce extension data.
The caller needs to deallocate memory by calling gnutls_free() on
nonce ->data.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned.
req: should contain a gnutls_ocsp_req_t type
This function will return the version of the OCSP request. Typically this is always 1 indicating version 1.
Returns: version of OCSP request, or a negative error code on error.
req: The data to store the parsed request.
data: DER encoded OCSP request.
This function will convert the given DER encoded OCSP request to
the native gnutls_ocsp_req_t format. The output will be stored in
req .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
req: A pointer to the type to be initialized
This function will initialize an OCSP request structure.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
req: The data to be printed
format: Indicate the format to use
out: Newly allocated datum with (0) terminated string.
This function will pretty print a OCSP request, suitable for display to a human.
If the format is GNUTLS_OCSP_PRINT_FULL then all fields of the
request will be output, on multiple lines.
The output out ->data needs to be deallocate using gnutls_free() .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
req: should contain a gnutls_ocsp_req_t type
This function will add or update an nonce extension to the OCSP request with a newly generated random value.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned.
req: should contain a gnutls_ocsp_req_t type
oid: buffer with OID of extension as a string.
critical: critical flag, normally false.
data: the extension data
This function will add an extension to the OCSP request. Calling this function multiple times for the same OID will overwrite values from earlier calls.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned.
req: should contain a gnutls_ocsp_req_t type
critical: critical flag, normally false.
nonce: the nonce data
This function will add an nonce extension to the OCSP request. Calling this function multiple times will overwrite values from earlier calls.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned.
resp: should contain a gnutls_ocsp_resp_t type
indx: Specifies response number to get. Use (0) to get the first one.
crt: The certificate to check
This function will check whether the OCSP response is about the provided certificate.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned.
Since: 3.1.3
resp: The data to be deinitialized
This function will deinitialize a OCSP response structure.
resp: Holds the OCSP response
data: newly allocate buffer holding DER encoded OCSP response
This function will export the OCSP response to DER format.
Returns: In case of failure a negative error code will be returned, and 0 on success.
resp: Holds the OCSP response
data: newly allocate buffer holding DER or PEM encoded OCSP response
fmt: DER or PEM
This function will export the OCSP response to DER or PEM format.
Returns: In case of failure a negative error code will be returned, and 0 on success.
Since: 3.6.3
resp: should contain a gnutls_ocsp_resp_t type
certs: newly allocated array with gnutls_x509_crt_t certificates
ncerts: output variable with number of allocated certs.
This function will extract the X.509 certificates found in the
Basic OCSP Response. The certs output variable will hold a newly
allocated zero-terminated array with X.509 certificates.
Every certificate in the array needs to be de-allocated with
gnutls_x509_crt_deinit() and the array itself must be freed using
gnutls_free() .
Both the certs and ncerts variables may be NULL. Then the
function will work as normal but will not return the NULL:d
information. This can be used to get the number of certificates
only, or to just get the certificate array without its size.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
resp: should contain a gnutls_ocsp_resp_t type
indx: Specifies which extension OID to get. Use (0) to get the first one.
oid: will hold newly allocated buffer with OID of extension, may be NULL
critical: output variable with critical flag, may be NULL.
data: will hold newly allocated buffer with extension data, may be NULL
This function will return all information about the requested
extension in the OCSP response. The information returned is the
OID, the critical flag, and the data itself. The extension OID
will be stored as a string. Any of oid , critical , and data may
be NULL which means that the caller is not interested in getting
that information back.
The caller needs to deallocate memory by calling gnutls_free() on
oid ->data and data ->data.
Since 3.7.0 oid ->size does not account for the terminating null byte.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned. If you have reached the last
extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
be returned.
resp: should contain a gnutls_ocsp_resp_t type
critical: whether nonce extension is marked critical
nonce: will hold newly allocated buffer with nonce data
This function will return the Basic OCSP Response nonce extension data.
The caller needs to deallocate memory by calling gnutls_free() on
nonce ->data.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned.
resp: should contain a gnutls_ocsp_resp_t type
This function will return the time when the OCSP response was signed.
Returns: signing time, or (time_t)-1 on error.
resp: should contain a gnutls_ocsp_resp_t type
dn: newly allocated buffer with name
This function will extract the name of the Basic OCSP Response in the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.
If the responder ID is not a name but a hash, this function
will return zero and the dn elements will be set to NULL .
The caller needs to deallocate memory by calling gnutls_free() on
dn ->data.
This function does not output a fully RFC4514 compliant string, if
that is required see gnutls_ocsp_resp_get_responder2() .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned. When no data exist it will
return success and set dn elements to zero.
resp: should contain a gnutls_ocsp_resp_t type
dn: newly allocated buffer with name
flags: zero or GNUTLS_X509_DN_FLAG_COMPAT
This function will extract the name of the Basic OCSP Response in the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.
If the responder ID is not a name but a hash, this function
will return zero and the dn elements will be set to NULL .
The caller needs to deallocate memory by calling gnutls_free() on
dn ->data.
When the flag GNUTLS_X509_DN_FLAG_COMPAT is specified, the output
format will match the format output by previous to 3.5.6 versions of GnuTLS
which was not not fully RFC4514-compliant.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned. When no data exist it will return
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE .
resp: should contain a gnutls_ocsp_resp_t type
type: should be GNUTLS_OCSP_RESP_ID_KEY or GNUTLS_OCSP_RESP_ID_DN
raw: newly allocated buffer with the raw ID
This function will extract the raw key (or DN) ID of the Basic OCSP Response in
the provided buffer. If the responder ID is not a key ID then
this function will return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE .
The caller needs to deallocate memory by calling gnutls_free() on
dn ->data.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned.
resp: should contain a gnutls_ocsp_resp_t type
response_type_oid: newly allocated output buffer with response type OID
response: newly allocated output buffer with DER encoded response
This function will extract the response type OID in and the
response data from an OCSP response. Normally the
response_type_oid is always "1.3.6.1.5.5.7.48.1.1" which means the
response should be decoded as a Basic OCSP Response, but
technically other response types could be used.
This function is typically only useful when you want to extract the
response type OID of an response for diagnostic purposes.
Otherwise gnutls_ocsp_resp_import() will decode the basic OCSP
response part and the caller need not worry about that aspect.
Since 3.7.0 response_type_oid ->size does not account for the terminating
null byte.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
resp: should contain a gnutls_ocsp_resp_t type
sig: newly allocated output buffer with signature data
This function will extract the signature field of a OCSP response.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
resp: should contain a gnutls_ocsp_resp_t type
This function will return a value of the gnutls_sign_algorithm_t
enumeration that is the signature algorithm that has been used to
sign the OCSP response.
Returns: a gnutls_sign_algorithm_t value, or a negative error code
on error.
resp: should contain a gnutls_ocsp_resp_t type
indx: Specifies response number to get. Use (0) to get the first one.
digest: output variable with gnutls_digest_algorithm_t hash algorithm
issuer_name_hash: output buffer with hash of issuer’s DN
issuer_key_hash: output buffer with hash of issuer’s public key
serial_number: output buffer with serial number of certificate to check
cert_status: a certificate status, a gnutls_ocsp_cert_status_t enum.
this_update: time at which the status is known to be correct.
next_update: when newer information will be available, or (time_t)-1 if unspecified
revocation_time: when cert_status is GNUTLS_OCSP_CERT_REVOKED , holds time of revocation.
revocation_reason: revocation reason, a gnutls_x509_crl_reason_t enum.
This function will return the certificate information of the
indx ’ed response in the Basic OCSP Response resp . The
information returned corresponds to the OCSP SingleResponse structure
except the final singleExtensions.
Each of the pointers to output variables may be NULL to indicate that the caller is not interested in that value.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error code is returned. If you have reached the last
CertID available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
returned.
resp: should contain a gnutls_ocsp_resp_t type
This function will return the status of a OCSP response, an
gnutls_ocsp_resp_status_t enumeration.
Returns: status of OCSP request as a gnutls_ocsp_resp_status_t , or
a negative error code on error.
resp: should contain a gnutls_ocsp_resp_t type
This function will return the version of the Basic OCSP Response. Typically this is always 1 indicating version 1.
Returns: version of Basic OCSP response, or a negative error code on error.
resp: The data to store the parsed response.
data: DER encoded OCSP response.
This function will convert the given DER encoded OCSP response to
the native gnutls_ocsp_resp_t format. It also decodes the Basic
OCSP Response part, if any. The output will be stored in resp .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
resp: The data to store the parsed response.
data: DER or PEM encoded OCSP response.
fmt: DER or PEM
This function will convert the given OCSP response to
the native gnutls_ocsp_resp_t format. It also decodes the Basic
OCSP Response part, if any. The output will be stored in resp .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.6.3
resp: A pointer to the type to be initialized
This function will initialize an OCSP response structure.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
ocsps: Will hold the parsed OCSP response list.
size: It will contain the size of the list.
resp_data: The PEM encoded OCSP list.
format: One of GNUTLS_X509_FMT_PEM or GNUTLS_X509_FMT_DER
flags: must be (0) or an OR’d sequence of gnutls_certificate_import_flags.
This function will convert the given PEM encoded OCSP response list
to the native gnutls_ocsp_resp_t format. The output will be stored
in ocsps which will be allocated and initialized.
The OCSP responses should have a header of "OCSP RESPONSE".
To deinitialize responses, you need to deinitialize each gnutls_ocsp_resp_t
structure independently, and use gnutls_free() at ocsps .
In PEM files, when no OCSP responses are detected
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
Returns: the number of responses read or a negative error value.
Since: 3.6.3
resp: The data to be printed
format: Indicate the format to use
out: Newly allocated datum with (0) terminated string.
This function will pretty print a OCSP response, suitable for display to a human.
If the format is GNUTLS_OCSP_PRINT_FULL then all fields of the
response will be output, on multiple lines.
The output out ->data needs to be deallocate using gnutls_free() .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
resp: should contain a gnutls_ocsp_resp_t type
trustlist: trust anchors as a gnutls_x509_trust_list_t type
verify: output variable with verification status, an gnutls_ocsp_verify_reason_t
flags: verification flags from gnutls_certificate_verify_flags
Verify signature of the Basic OCSP Response against the public key
in the certificate of a trusted signer. The trustlist should be
populated with trust anchors. The function will extract the signer
certificate from the Basic OCSP Response and will verify it against
the trustlist . A trusted signer is a certificate that is either
in trustlist , or it is signed directly by a certificate in
trustlist and has the id-ad-ocspSigning Extended Key Usage bit
set.
The output verify variable will hold verification status codes
(e.g., GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND ,
GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM ) which are only valid if the
function returned GNUTLS_E_SUCCESS .
Note that the function returns GNUTLS_E_SUCCESS even when
verification failed. The caller must always inspect the verify variable to find out the verification status.
The flags variable should be 0 for now.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
resp: should contain a gnutls_ocsp_resp_t type
issuer: certificate believed to have signed the response
verify: output variable with verification status, an gnutls_ocsp_verify_reason_t
flags: verification flags from gnutls_certificate_verify_flags
Verify signature of the Basic OCSP Response against the public key
in the issuer certificate.
The output verify variable will hold verification status codes
(e.g., GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND ,
GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM ) which are only valid if the
function returned GNUTLS_E_SUCCESS .
Note that the function returns GNUTLS_E_SUCCESS even when
verification failed. The caller must always inspect the verify variable to find out the verification status.
The flags variable should be 0 for now.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Next: PKCS 12 API, Previous: PKCS 7 API, Up: API reference [Contents][Index]