Provided by: libtls-dev_3.8.1-2.1build2_amd64 bug

NAME

     tls_ocsp_process_response, tls_peer_ocsp_url, tls_peer_ocsp_response_status,
     tls_peer_ocsp_cert_status, tls_peer_ocsp_crl_reason, tls_peer_ocsp_result,
     tls_peer_ocsp_revocation_time, tls_peer_ocsp_this_update, tls_peer_ocsp_next_update —
     inspect an OCSP response

SYNOPSIS

     #include <tls.h>

     int
     tls_ocsp_process_response(struct tls *ctx, const unsigned char *response, size_t size);

     const char *
     tls_peer_ocsp_url(struct tls *ctx);

     int
     tls_peer_ocsp_response_status(struct tls *ctx);

     int
     tls_peer_ocsp_cert_status(struct tls *ctx);

     int
     tls_peer_ocsp_crl_reason(struct tls *ctx);

     const char *
     tls_peer_ocsp_result(struct tls *ctx);

     time_t
     tls_peer_ocsp_revocation_time(struct tls *ctx);

     time_t
     tls_peer_ocsp_this_update(struct tls *ctx);

     time_t
     tls_peer_ocsp_next_update(struct tls *ctx);

DESCRIPTION

     tls_ocsp_process_response() processes a raw OCSP response in response of size size to check
     the revocation status of the peer certificate from ctx.  A successful return code of 0
     indicates that the certificate has not been revoked.

     tls_peer_ocsp_url() returns the URL for OCSP validation of the peer certificate from ctx.

     The following functions return information about the peer certificate from ctx that was
     obtained by validating a stapled OCSP response during the handshake, or via a previous call
     to tls_ocsp_process_response().

     tls_peer_ocsp_response_status() returns the OCSP response status as per RFC 6960 section
     2.3.

     tls_peer_ocsp_cert_status() returns the OCSP certificate status code as per RFC 6960 section
     2.2.

     tls_peer_ocsp_crl_reason() returns the OCSP certificate revocation reason status code as per
     RFC 5280 section 5.3.1.

     tls_peer_ocsp_result() returns a textual representation of the OCSP status code returned by
     one of the previous three functions.  If the OCSP response was valid and the certificate was
     not revoked, the string indicates the OCSP certificate status.  Otherwise, the string
     indicates the OCSP certificate revocation reason or the OCSP error.

     tls_peer_ocsp_revocation_time() returns the OCSP revocation time.

     tls_peer_ocsp_this_update() returns the OCSP this update time.

     tls_peer_ocsp_next_update() returns the OCSP next update time.

RETURN VALUES

     tls_ocsp_process_response() returns 0 on success or -1 on error.

     tls_peer_ocsp_url() and tls_peer_ocsp_result() return NULL on error or an out of memory
     condition.

     The tls_peer_ocsp_response_status() function returns one of TLS_OCSP_RESPONSE_SUCCESSFUL,
     TLS_OCSP_RESPONSE_MALFORMED, TLS_OCSP_RESPONSE_INTERNALERROR, TLS_OCSP_RESPONSE_TRYLATER,
     TLS_OCSP_RESPONSE_SIGREQUIRED, or TLS_OCSP_RESPONSE_UNAUTHORIZED on success or -1 on error.

     The tls_peer_ocsp_cert_status() function returns one of TLS_OCSP_CERT_GOOD,
     TLS_OCSP_CERT_REVOKED, or TLS_OCSP_CERT_UNKNOWN on success, and -1 on error.

     The tls_peer_ocsp_crl_reason() function returns one of TLS_CRL_REASON_UNSPECIFIED,
     TLS_CRL_REASON_KEY_COMPROMISE, TLS_CRL_REASON_CA_COMPROMISE,
     TLS_CRL_REASON_AFFILIATION_CHANGED, TLS_CRL_REASON_SUPERSEDED,
     TLS_CRL_REASON_CESSATION_OF_OPERATION, TLS_CRL_REASON_CERTIFICATE_HOLD,
     TLS_CRL_REASON_REMOVE_FROM_CRL, TLS_CRL_REASON_PRIVILEGE_WITHDRAWN, or
     TLS_CRL_REASON_AA_COMPROMISE on success or -1 on error.

     tls_peer_ocsp_revocation_time(), tls_peer_ocsp_this_update(), and
     tls_peer_ocsp_next_update() return a time in epoch-seconds on success or -1 on error.

SEE ALSO

     tls_client(3), tls_config_ocsp_require_stapling(3), tls_conn_version(3), tls_connect(3),
     tls_handshake(3), tls_init(3)

HISTORY

     These functions appeared in OpenBSD 6.1.

AUTHORS

     Bob Beck <beck@openbsd.org>
     Marko Kreen <markokr@gmail.com>