diff options
author | Matt Caswell <matt@openssl.org> | 2020-03-20 14:54:55 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-03-27 11:20:39 +0000 |
commit | be6aeda6474a77e97b344f300334f5fe3612e4b4 (patch) | |
tree | 9a6c33e8298c4dd87e7ec7f2ec8cdb0c99c3b034 /doc | |
parent | 5fcb97c61e6796b20c8ee1b0daab25151bf65bd0 (diff) |
Add OCSP_RESPID_set_by_key_ex() and OCSP_RESPID_match_ex()
OCSP_RESPID_set_by_key() calculates a SHA1 hash of the supplied
certificate. We need to be able to specify which libctx and property
query string is used to fetch that algorithm so we introduce
OCSP_RESPID_set_by_key_ex() which does the same thing but enables you to
speicfy the library context and propery query string explicitly.
OCSP_RESPID_match() matches with certificates based on the SHA1 hash.
Therefore for the same reason we introduce OCSP_RESPID_match_ex().
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11407)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/OCSP_response_status.pod | 72 |
1 files changed, 44 insertions, 28 deletions
diff --git a/doc/man3/OCSP_response_status.pod b/doc/man3/OCSP_response_status.pod index c1de86b199..6c02b55fa1 100644 --- a/doc/man3/OCSP_response_status.pod +++ b/doc/man3/OCSP_response_status.pod @@ -4,8 +4,9 @@ OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create, OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, -OCSP_RESPID_set_by_key, OCSP_RESPID_match, -OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions +OCSP_RESPID_set_by_key_ex, OCSP_RESPID_set_by_key, OCSP_RESPID_match_ex, +OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx +- OCSP response functions =head1 SYNOPSIS @@ -17,7 +18,11 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions void OCSP_RESPONSE_free(OCSP_RESPONSE *resp); int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert); + int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, + OPENSSL_CTX *libctx, const char *propq); int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert); + int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OPENSSL_CTX *libctx, + const char *propq); int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert); int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, @@ -28,49 +33,60 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions =head1 DESCRIPTION -OCSP_response_status() returns the OCSP response status of B<resp>. It returns -one of the values: B<OCSP_RESPONSE_STATUS_SUCCESSFUL>, -B<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>, -B<OCSP_RESPONSE_STATUS_INTERNALERROR>, B<OCSP_RESPONSE_STATUS_TRYLATER> -B<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or B<OCSP_RESPONSE_STATUS_UNAUTHORIZED>. +OCSP_response_status() returns the OCSP response status of I<resp>. It returns +one of the values: I<OCSP_RESPONSE_STATUS_SUCCESSFUL>, +I<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>, +I<OCSP_RESPONSE_STATUS_INTERNALERROR>, I<OCSP_RESPONSE_STATUS_TRYLATER> +I<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or I<OCSP_RESPONSE_STATUS_UNAUTHORIZED>. -OCSP_response_get1_basic() decodes and returns the B<OCSP_BASICRESP> structure -contained in B<resp>. +OCSP_response_get1_basic() decodes and returns the I<OCSP_BASICRESP> structure +contained in I<resp>. -OCSP_response_create() creates and returns an B<OCSP_RESPONSE> structure for -B<status> and optionally including basic response B<bs>. +OCSP_response_create() creates and returns an I<OCSP_RESPONSE> structure for +I<status> and optionally including basic response I<bs>. -OCSP_RESPONSE_free() frees up OCSP response B<resp>. +OCSP_RESPONSE_free() frees up OCSP response I<resp>. OCSP_RESPID_set_by_name() sets the name of the OCSP_RESPID to be the same as the -subject name in the supplied X509 certificate B<cert> for the OCSP responder. +subject name in the supplied X509 certificate I<cert> for the OCSP responder. -OCSP_RESPID_set_by_key() sets the key of the OCSP_RESPID to be the same as the -key in the supplied X509 certificate B<cert> for the OCSP responder. The key is -stored as a SHA1 hash. +OCSP_RESPID_set_by_key_ex() sets the key of the OCSP_RESPID to be the same as the +key in the supplied X509 certificate I<cert> for the OCSP responder. The key is +stored as a SHA1 hash. To calculate the hash the SHA1 algorithm is fetched using +the library ctx I<libctx> and the property query string I<propq> (see +L<provider(7)/Fetching algorithms> for further information). + +OCSP_RESPID_set_by_key() does the same as OCSP_RESPID_set_by_key_ex() except +that the default library context is used with an empty property query string. Note that an OCSP_RESPID can only have one of the name, or the key set. Calling OCSP_RESPID_set_by_name() or OCSP_RESPID_set_by_key() will clear any existing setting. -OCSP_RESPID_match() tests whether the OCSP_RESPID given in B<respid> matches -with the X509 certificate B<cert>. +OCSP_RESPID_match_ex() tests whether the OCSP_RESPID given in I<respid> matches +with the X509 certificate I<cert> based on the SHA1 hash. To calculate the hash +the SHA1 algorithm is fetched using the library ctx I<libctx> and the property +query string I<propq> (see L<provider(7)/Fetching algorithms> for further +information). + +OCSP_RESPID_match() does the same as OCSP_RESPID_match_ex() except that the +default library context is used with an empty property query string. -OCSP_basic_sign() signs OCSP response B<brsp> using certificate B<signer>, private key -B<key>, digest B<dgst> and additional certificates B<certs>. If the B<flags> option -B<OCSP_NOCERTS> is set then no certificates will be included in the response. If the -B<flags> option B<OCSP_RESPID_KEY> is set then the responder is identified by key ID -rather than by name. OCSP_basic_sign_ctx() also signs OCSP response B<brsp> but -uses the parameters contained in digest context B<ctx>. +OCSP_basic_sign() signs OCSP response I<brsp> using certificate I<signer>, private key +I<key>, digest I<dgst> and additional certificates I<certs>. If the I<flags> option +I<OCSP_NOCERTS> is set then no certificates will be included in the response. If the +I<flags> option I<OCSP_RESPID_KEY> is set then the responder is identified by key ID +rather than by name. OCSP_basic_sign_ctx() also signs OCSP response I<brsp> but +uses the parameters contained in digest context I<ctx>. =head1 RETURN VALUES OCSP_RESPONSE_status() returns a status value. -OCSP_response_get1_basic() returns an B<OCSP_BASICRESP> structure pointer or -B<NULL> if an error occurred. +OCSP_response_get1_basic() returns an I<OCSP_BASICRESP> structure pointer or +I<NULL> if an error occurred. -OCSP_response_create() returns an B<OCSP_RESPONSE> structure pointer or B<NULL> +OCSP_response_create() returns an I<OCSP_RESPONSE> structure pointer or I<NULL> if an error occurred. OCSP_RESPONSE_free() does not return a value. @@ -85,7 +101,7 @@ or 0 otherwise. =head1 NOTES OCSP_response_get1_basic() is only called if the status of a response is -B<OCSP_RESPONSE_STATUS_SUCCESSFUL>. +I<OCSP_RESPONSE_STATUS_SUCCESSFUL>. =head1 SEE ALSO |