author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-09-22 08:31:17 +0200
committer: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-09-26 14:03:23 +0200
commit: 37326895b75297071560eb09d167f3ac90af71b4 (patch)
tree: a56242dacddb868e3b89e4414fd6b3f4ed7b682b /doc
parent: 7d5ea3fecbfb12cdbcfce32cc4ea00b96ee4218d (diff)
OCSP_resp_find_status.pod: Slightly improve the documentation of various flags
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12947)
Diffstat (limited to 'doc')
-rw-r--r-- doc/man3/OCSP_resp_find_status.pod | 21
1 file changed, 11 insertions, 10 deletions
diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index 00b14c7052..708bbd1765 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -121,24 +121,25 @@ signed and that the signer certificate can be validated. It takes I<st> as
the trusted store and I<certs> as a set of untrusted intermediate certificates.
The function first tries to find the signer certificate of the response
in I<certs>. It then searches the certificates the responder may have included
-in I<bs> unless the I<flags> contain B<OCSP_NOINTERN>.
+in I<bs> unless I<flags> contains B<OCSP_NOINTERN>.
It fails if the signer certificate cannot be found.
-Next, unless the I<flags> contain B<OCSP_NOSIGS>, the function checks
+Next, unless I<flags> contains B<OCSP_NOSIGS>, the function checks
the signature of I<bs> and fails on error. Then the function already returns
-success if the I<flags> contain B<OCSP_NOVERIFY> or if the signer certificate
-was found in I<certs> and the I<flags> contain B<OCSP_TRUSTOTHER>.
+success if I<flags> contains B<OCSP_NOVERIFY> or if the signer certificate
+was found in I<certs> and I<flags> contains B<OCSP_TRUSTOTHER>.
Otherwise the function continues by validating the signer certificate.
-If I<flags> contains B<OCSP_PARTIAL_CHAIN>, intermediate CA certificates
-in I<st> are trust anchors.
+If I<flags> contains B<OCSP_PARTIAL_CHAIN> it takes intermediate CA
+certificates in I<st> as trust anchors.
For more details, see the description of B<X509_V_FLAG_PARTIAL_CHAIN>
in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
-To this end, all certificates in I<cert> and in I<bs> are considered as
-untrusted certificates for the construction of the validation path for the
-signer certificate unless the B<OCSP_NOCHAIN> flag is set. After successful path
+If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
+and in I<bs>, else it takes them as untrusted intermediate CA certificates
+and uses them for constructing the validation path for the signer certificate.
+After successful path
validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
Otherwise it verifies that the signer certificate meets the OCSP issuer
criteria including potential delegation. If this does not succeed and the
-I<flags> do not contain B<OCSP_NOEXPLICIT> the function checks for explicit
+B<OCSP_NOEXPLICIT> flag is not set the function checks for explicit
trust for OCSP signing in the root CA certificate.
=head1 RETURN VALUES
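Review bot: The flag wording is still inconsistent after this rewrite: most sentences now say "I<flags> contains B<...>", but the new line "B<OCSP_NOEXPLICIT> flag is not set" and the unchanged "if the B<OCSP_NOCHECKS> flag is set" use a different form; consider "unless I<flags> contains B<OCSP_NOEXPLICIT>" and, since that context line is in this hunk anyway, "if I<flags> contains B<OCSP_NOCHECKS>". The two new conditionals also read better with a comma and an explicit subject, e.g. "If I<flags> contains B<OCSP_PARTIAL_CHAIN>, the function takes intermediate CA certificates in I<st> as trust anchors." and "If I<flags> contains B<OCSP_NOCHAIN>, the function ignores all certificates in I<certs> and in I<bs>; otherwise it takes them as untrusted intermediate CA certificates ...", which also avoids the bare "else" and the orphaned "After successful path" line break. The I<cert> to I<certs> correction is good. Given that the text now states plainly that B<OCSP_NOVERIFY> and B<OCSP_TRUSTOTHER> make the function return success before the signer certificate is validated and that B<OCSP_NOCHECKS> skips the OCSP issuer criteria check, one short sentence noting that these flags weaken the verification performed and should only be set when the caller establishes that trust by other means would make the security implications clear to readers of this page.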