ocsp.h
The following constants are the OCSP reason codes that identify why a certificate was revoked.
CRLReason ::= ENUMERATED {
    unspecified          (0),
    keyCompromise        (1),
    cACompromise         (2),
    affiliationChanged   (3),
    superseded           (4),
    cessationOfOperation (5),
    -- value 7 is not used
    certificateHold      (6),
    removeFromCRL        (8),
    privilegeWithdrawn   (9),
    aACompromise         (10) }
Reason Code RFC: https://www.rfc-editor.org/rfc/rfc5280#section-5.3.1
Note: OCSP_REVOKED_STATUS_NOSTATUS is defined by OpenSSL and is not defined within the RFC.
#define OCSP_REVOKED_STATUS_NOSTATUS -1
#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
#define OCSP_REVOKED_STATUS_SUPERSEDED 4
#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
#define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN 9
#define OCSP_REVOKED_STATUS_AACOMPROMISE 10
OCSP_NOCERTS is for OCSP_request_sign and OCSP_basic_sign. Setting this excludes certificates from the request/response and ignores the certs parameter. Certificates are optional.
#define OCSP_NOCERTS 0x1
OCSP_NOINTERN is for OCSP_basic_verify and OCSP_request_verify. By default, certificates included within bs or req are included in the search for the signing certificate; setting OCSP_NOINTERN excludes them. Locating the signer this way does not by itself establish trust in it; whether the signer certificate is then validated is governed by the other flags below.
#define OCSP_NOINTERN 0x2
OCSP_NOCHAIN is for OCSP_basic_verify and OCSP_request_verify. For OCSP_basic_verify, certificates in both certs and in bs are considered as certificates for the construction of the validation path for the signer certificate by default, unless OCSP_NOCHAIN is set. For OCSP_request_verify, certificates in req are considered as certificates for the construction of the validation path for the signer certificate by default, unless OCSP_NOCHAIN is set.
#define OCSP_NOCHAIN 0x8
OCSP_NOVERIFY is for OCSP_basic_verify and OCSP_request_verify. When this flag is set, the signature on the OCSP response/request is still verified, but verification of the signer certificate itself is skipped, so the caller must establish trust in the signer by other means.
#define OCSP_NOVERIFY 0x10
OCSP_NOEXPLICIT is for OCSP_basic_verify. By default, the root CA certificate is checked for explicit trust for OCSP signing; this check is skipped when flags contains OCSP_NOEXPLICIT.
#define OCSP_NOEXPLICIT 0x20
OCSP_TRUSTOTHER is for OCSP_basic_verify and OCSP_request_verify. When set, all certificates within certs are implicitly trusted, so certs should only contain certificates the caller has already verified.
#define OCSP_TRUSTOTHER 0x200
OCSP_RESPID_KEY is for OCSP_basic_sign. By default, the OCSP responder is identified by name and included in the response. Setting this changes the identifier to the hash of the signer's public key instead (see OCSP_basic_sign).
#define OCSP_RESPID_KEY 0x400
OCSP_NOTIME is for OCSP_basic_sign. Setting this suppresses the default behavior of setting the producedAt time field in resp to the current time, leaving the field empty.
#define OCSP_NOTIME 0x800
// Opaque OCSP types. Only the struct tags are forward-declared here; the
// struct definitions are not part of this header, so callers must go
// through the accessor functions declared below.
typedef struct ocsp_cert_id_st OCSP_CERTID;
typedef struct ocsp_one_request_st OCSP_ONEREQ;
typedef struct ocsp_req_info_st OCSP_REQINFO;
typedef struct ocsp_signature_st OCSP_SIGNATURE;
typedef struct ocsp_request_st OCSP_REQUEST;
typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
typedef struct ocsp_cert_status_st OCSP_CERTSTATUS;
typedef struct ocsp_single_response_st OCSP_SINGLERESP;
typedef struct ocsp_response_data_st OCSP_RESPDATA;
typedef struct ocsp_response_st OCSP_RESPONSE;
typedef struct ocsp_responder_id_st OCSP_RESPID;
typedef struct ocsp_basic_response_st OCSP_BASICRESP;

// STACK_OF(...) container types for the OCSP types used in lists.
DEFINE_STACK_OF(OCSP_CERTID)
DEFINE_STACK_OF(OCSP_ONEREQ)
DEFINE_STACK_OF(OCSP_RESPID)
DEFINE_STACK_OF(OCSP_SINGLERESP)

// Standard ASN.1 new/free/d2i/i2d function declarations for each type.
DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
d2i_OCSP_REQUEST_bio parses a DER-encoded OCSP request from bp, converts it into an OCSP_REQUEST, and writes the result in preq.
OPENSSL_EXPORT OCSP_REQUEST *d2i_OCSP_REQUEST_bio(BIO *bp, OCSP_REQUEST **preq);
d2i_OCSP_RESPONSE_bio parses a DER-encoded OCSP response from bp, converts it into an OCSP_RESPONSE, and writes the result in presp.
OPENSSL_EXPORT OCSP_RESPONSE *d2i_OCSP_RESPONSE_bio(BIO *bp,
OCSP_RESPONSE **presp);
i2d_OCSP_RESPONSE_bio marshals presp as a DER-encoded OCSP response and writes the result to bp.
OPENSSL_EXPORT int i2d_OCSP_RESPONSE_bio(BIO *bp, OCSP_RESPONSE *presp);
i2d_OCSP_REQUEST_bio marshals preq as a DER-encoded OCSP request and writes the result to bp.
OPENSSL_EXPORT int i2d_OCSP_REQUEST_bio(BIO *bp, OCSP_REQUEST *preq);
OCSP_CERTID_dup allocates a new OCSP_CERTID initialized as a copy of id. It returns the new OCSP_CERTID or NULL on error.
OPENSSL_EXPORT OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
OCSP_sendreq_bio is a blocking OCSP request handler built on the non-blocking API. It combines OCSP_sendreq_new with as many calls to OCSP_sendreq_nbio as needed, followed by OCSP_REQ_CTX_free, using a response header maximum line length of 4k. It waits indefinitely for a response as long as BIO_should_retry is true and the BIO persists.
WARNING: This is retained only for compatibility. It does not support setting a timeout or adding your own HTTP headers, so a responder that never answers can block the caller indefinitely. Use OCSP_sendreq_nbio and handle the timeout according to the BIO type. You can also use OCSP_REQ_CTX_add1_header to add your own HTTP headers.
OPENSSL_EXPORT OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path,
OCSP_REQUEST *req);
OCSP_sendreq_new returns an OCSP_REQ_CTX structure using the responder io, the URL path, the OCSP_REQUEST req to be sent, and with a response header maximum line length of maxline. If maxline is zero or less, a default value of 4k is used. The OCSP_REQUEST req may be set to NULL and provided later if required.
OPENSSL_EXPORT OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
OCSP_REQUEST *req, int maxline);
OCSP_sendreq_nbio attempts to send the request prepared in rctx and to gather the response via HTTP, using the BIO io and path that were given when calling OCSP_sendreq_new.
OPENSSL_EXPORT int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
OCSP_REQ_CTX_new creates a new OCSP_REQ_CTX. OCSP_REQ_CTX is used to contain the information to send the OCSP request and gather the response over HTTP.
OPENSSL_EXPORT OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline);
OCSP_REQ_CTX_free frees the memory allocated by OCSP_REQ_CTX.
OPENSSL_EXPORT void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
OCSP_set_max_response_length sets the maximum response length for an OCSP request over HTTP to len. If a custom maximum response length is needed, it must be set before the request in rctx is sent out to retrieve the OCSP response.
OPENSSL_EXPORT void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx,
unsigned long len);
OCSP_REQ_CTX_http adds the HTTP request line to the context.
OPENSSL_EXPORT int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op,
const char *path);
OCSP_REQ_CTX_set1_req finalizes the HTTP request context. It is required when an ASN.1-encoded request is to be sent.
OPENSSL_EXPORT int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
OCSP_REQ_CTX_add1_header adds header name with value value to the context rctx. It can be called more than once to add multiple header lines.
OPENSSL_EXPORT int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
const char *name,
const char *value);
OCSP_REQ_CTX_i2d DER-encodes val, an ASN.1 value of type it, and adds the encoding to rctx.
int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it, ASN1_VALUE *val);
OCSP_request_add0_id adds cid to req. It returns the new OCSP_ONEREQ, which has been pushed onto the STACK_OF(OCSP_ONEREQ) inside req. This is useful if we want to add extensions. WARNING: This allocates a new OCSP_ONEREQ and assigns the pointer cid to it, then adds the newly allocated OCSP_ONEREQ to the stack within req. req now owns cid (do not free it separately after a successful call) and also owns the returned OCSP_ONEREQ.
OPENSSL_EXPORT OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req,
OCSP_CERTID *cid);
OCSP_onereq_get0_id returns the certificate identifier associated with the single request one.
OPENSSL_EXPORT OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
OCSP_request_add1_nonce adds a nonce of value val and length len to req. If val is NULL, a random nonce is generated and used. If len is zero or negative, a default length of 16 bytes is used. If val is non-NULL, len must equal the length of val. This differs from OpenSSL, which allows a default length to be used for len even when val is non-NULL. Misuse of that default could result in a read overflow, so we disallow it.
OPENSSL_EXPORT int OCSP_request_add1_nonce(OCSP_REQUEST *req,
unsigned char *val, int len);
OCSP_basic_add1_nonce is identical to OCSP_request_add1_nonce, but adds the nonce to resp instead (the response).
OPENSSL_EXPORT int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp,
unsigned char *val, int len);
OCSP_check_nonce checks nonce existence and equality in req and bs. If there is a parsing issue with req or bs, the nonce is treated as absent from req or bs.
Return value reflects the result: OCSP_NONCE_EQUAL (1: nonces present and equal.) OCSP_NONCE_BOTH_ABSENT (2: nonces both absent.) OCSP_NONCE_RESPONSE_ONLY (3: nonce present in bs only.) OCSP_NONCE_NOT_EQUAL (0: parameters are NULL, or nonces are both present but not equal.) OCSP_NONCE_REQUEST_ONLY (-1: nonce in req only.)
For most responders, clients can check "return > 0". If an OCSP responder doesn't handle nonces, "return != 0" may be necessary; note that accepting -1 means the response is not bound to this request by a nonce, so freshness then rests on OCSP_check_validity alone. "return == 0" is always an error: either a NULL parameter was passed, or the nonces are both present but not equal.
OPENSSL_EXPORT int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
OCSP_copy_nonce copies the nonce value (if any) from req to resp. It returns 1 on success and 0 on failure. If req has no nonce, it returns 2 instead.
Note: OCSP_copy_nonce allows multiple OCSP nonces to exist and appends the new nonce to the end of the extension list. This causes issues with OCSP_check_nonce, which only looks at the first nonce in the list. Any existing nonce extension should be deleted before calling OCSP_copy_nonce.
OPENSSL_EXPORT int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
OCSP_request_set1_name sets requestorName from an X509_NAME structure.
OPENSSL_EXPORT int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
OCSP_request_add1_cert adds a certificate to an OCSP_REQUEST.
OPENSSL_EXPORT int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
OCSP_request_is_signed checks if the optional signature exists for req.
OPENSSL_EXPORT int OCSP_request_is_signed(OCSP_REQUEST *req);
OCSP_request_onereq_count returns the number of OCSP_ONEREQs in req.
OPENSSL_EXPORT int OCSP_request_onereq_count(OCSP_REQUEST *req);
OCSP_request_onereq_get0 returns the OCSP_ONEREQ in req at index i or NULL if i is out of bounds.
OPENSSL_EXPORT OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
OCSP_request_sign signs the OCSP request req using key and dgst. key MUST be the private key of signer. One or more optional certificates can be added to req with certs. This function fails if req already contains a signature.
Note: 1. The OCSP requester is identified by the subject name of signer and included in req. 2. All certificates in certs are added to req by default. Setting OCSP_NOCERTS excludes certificates from being added to req and ignores the certs parameter.
OPENSSL_EXPORT int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer,
EVP_PKEY *key, const EVP_MD *dgst,
STACK_OF(X509) *certs,
unsigned long flags);
OCSP_response_status returns response status from OCSP_RESPONSE.
OPENSSL_EXPORT int OCSP_response_status(OCSP_RESPONSE *resp);
OCSP_response_get1_basic returns OCSP_BASICRESP from OCSP_RESPONSE.
OPENSSL_EXPORT OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
OCSP_resp_count returns the number of OCSP_SINGLERESP responses present in bs.
OPENSSL_EXPORT int OCSP_resp_count(OCSP_BASICRESP *bs);
OCSP_resp_get0 returns the OCSP_SINGLERESP at the idx within bs.
OPENSSL_EXPORT OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, size_t idx);
OCSP_single_get0_status returns the status of single.
Note: 1. reason may be NULL. 2. The time values passed to the function may be NULL if the corresponding certificate fields are empty. 3. revtime and reason are only set if the certificate status is revoked.
OPENSSL_EXPORT int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
ASN1_GENERALIZEDTIME **revtime,
ASN1_GENERALIZEDTIME **thisupd,
ASN1_GENERALIZEDTIME **nextupd);
OCSP_resp_find returns the index of the OCSP_SINGLERESP in bs that matches id, or -1 if none is found. The search starts after index last; pass -1 for last to search from the beginning.
OPENSSL_EXPORT int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id,
int last);
OCSP_resp_find_status looks up the cert id and, if found, extracts the update times and revocation status of the certificate as returned by the OCSP responder. It returns 1 on success.
Note: 1. The revocation status code is written to *status. It is not written if status is NULL.
OPENSSL_EXPORT int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id,
int *status, int *reason,
ASN1_GENERALIZEDTIME **revtime,
ASN1_GENERALIZEDTIME **thisupd,
ASN1_GENERALIZEDTIME **nextupd);
OCSP_check_validity checks the validity of thisUpdate and nextUpdate fields from an OCSP_SINGLERESP.
Note: 1. It is possible that the request takes a few seconds to process and/or that the local system time isn't exactly the same as the OCSP responder's time. Therefore, to avoid rejecting otherwise valid times, we allow the times to be within drift_num_seconds of the current time. 2. Also, to avoid accepting very old responses without a nextUpdate field, the optional max_age_seconds parameter specifies the maximum age of the thisUpdate field. max_age_seconds is the number of seconds relative to thisUpdate. Set max_age_seconds to -1 if the maximum age should not be checked. 3. thisUpdate should be within the range: (current time - max_age_seconds) < thisUpdate < (current time + drift_num_seconds). nextUpdate should be in the future: (current time - drift_num_seconds) < nextUpdate is the lenient reading; the check as documented here is (current time + drift_num_seconds) < nextUpdate. 4. thisUpdate and nextUpdate are defined in the RFC: https://datatracker.ietf.org/doc/html/rfc6960#section-2.4
OPENSSL_EXPORT int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisUpdate,
ASN1_GENERALIZEDTIME *nextUpdate,
long drift_num_seconds,
long max_age_seconds);
OCSP_basic_verify verifies a basic response message. It checks that bs is correctly signed and that the signer certificate can be validated. It returns 1 if the response is valid, 0 if the signature cannot be verified, or -1 on fatal errors such as malloc failure.
Note: 1. A return of 1 only means the OCSP response is authentic; it implies nothing about the corresponding certificate's revocation status. 2. OCSP_resp_find_status should be used to check whether the OCSP response's cert status is V_OCSP_CERTSTATUS_GOOD, and OCSP_check_validity should also be used to validate that the OCSP response's timestamps are acceptable.
OPENSSL_EXPORT int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags);
OCSP_request_verify verifies the OCSP request message req against st. OCSP request signatures are optional according to RFC 6960, but if a signature exists this checks that req is correctly signed and that the signer certificate can be validated. It returns 1 if req is valid, or 0 if req's signature is absent or cannot be verified.
OPENSSL_EXPORT int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags);
OCSP_cert_id_new creates and returns a new OCSP_CERTID using dgst, issuerName, issuerKey, and serialNumber as its contents.
OPENSSL_EXPORT OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
const X509_NAME *issuerName,
const ASN1_BIT_STRING *issuerKey,
const ASN1_INTEGER *serialNumber);
OCSP_cert_to_id returns a OCSP_CERTID converted from a certificate and its issuer.
Note: 1. If subject is NULL, the subject name is taken from the issuer and the serial number is set to NULL. 2. OpenSSL's legacy OCSP code made SHA-1 the default hash algorithm when dgst is NULL. We keep this for backwards compatibility, but strongly advise setting a digest when using this function. Even though the hash is not used cryptographically here, a response could be returned with a forced issuer name when using SHA-1 (assuming a preimage attack, which is beyond the scope of how SHA-1 is currently vulnerable).
OPENSSL_EXPORT OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst,
const X509 *subject,
const X509 *issuer);
OCSP_parse_url parses an OCSP responder URL and returns its component parts. url must be a NUL-terminated string containing the URL to be parsed. The remaining arguments are pointers to variables that receive the parsed components. When OCSP_parse_url returns 1, each string out-parameter points to newly allocated memory holding a copy of the value; it is the caller's responsibility to free them.
phost: A pointer to a char pointer that will be set to the host component of the URL. If the URL does not contain a host component, this will be set to an empty string. pport: A pointer to a char pointer that will be set to the port number specified in the URL (as a string), or to the default port (80 for HTTP, 443 for HTTPS) if no port number is specified. ppath: A pointer to a char pointer that will be set to the path component of the URL. If the URL does not contain a path component, this will be set to "/". pssl: A pointer to an int that will be set to 1 if the URL specifies the HTTPS protocol, or 0 for HTTP.
Note: OCSP_parse_url does not perform any validation of the URL or its components beyond basic parsing. It is the caller's responsibility to ensure that the URL is well-formed and that its components are acceptable before using them, particularly when the URL comes from an untrusted source.
OPENSSL_EXPORT int OCSP_parse_url(const char *url, char **phost, char **pport,
char **ppath, int *pssl);
OCSP_id_issuer_cmp compares the issuer name hash and issuer key hash of a and b. It returns 0 if they are equal.
OPENSSL_EXPORT int OCSP_id_issuer_cmp(const OCSP_CERTID *a,
const OCSP_CERTID *b);
OCSP_id_cmp calls OCSP_id_issuer_cmp and additionally compares the serialNumber of a and b. It returns 0 if they are equal.
OPENSSL_EXPORT int OCSP_id_cmp(const OCSP_CERTID *a, const OCSP_CERTID *b);
OCSP_id_get0_info returns the issuer name hash, hash OID, issuer key hash, and the serial number contained in cid. If any of the values are not required, the corresponding parameter can be set to NULL.
OPENSSL_EXPORT int OCSP_id_get0_info(ASN1_OCTET_STRING **nameHash,
ASN1_OBJECT **algor,
ASN1_OCTET_STRING **keyHash,
ASN1_INTEGER **serial, OCSP_CERTID *cid);
OCSP_basic_add1_cert adds cert to the resp.
OPENSSL_EXPORT int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
OCSP_basic_add1_status creates and returns an OCSP_SINGLERESP with cid, status, this_update and next_update. The newly created OCSP_SINGLERESP is pushed onto the internal OCSP_SINGLERESP stack in resp. status must be one of the V_OCSP_CERTSTATUS_* values.
- If status is V_OCSP_CERTSTATUS_REVOKED, revoked_reason must be a valid OCSP_REVOKED_STATUS_* value and revoked_time must not be empty.
- If status is V_OCSP_CERTSTATUS_GOOD or V_OCSP_CERTSTATUS_UNKNOWN, revoked_reason and revoked_time are ignored.
OPENSSL_EXPORT OCSP_SINGLERESP *OCSP_basic_add1_status(
OCSP_BASICRESP *resp, OCSP_CERTID *cid, int status, int revoked_reason,
ASN1_TIME *revoked_time, ASN1_TIME *this_update, ASN1_TIME *next_update);
OCSP_basic_sign signs the OCSP response resp using key and dgst. key MUST be the private key of signer. One or more optional certificates can be added to resp with certs.
Note: 1. By default, the OCSP responder is identified by the subject name of signer and included in resp. Set OCSP_RESPID_KEY in flags to identify the responder by the hash of signer's public key instead. 2. All certificates in certs are added to resp by default. Setting OCSP_NOCERTS excludes certificates from being added to resp and ignores the certs parameter. 3. The producedAt time field is set to the current time by default. Setting OCSP_NOTIME leaves the producedAt field in resp empty.
OPENSSL_EXPORT int OCSP_basic_sign(OCSP_BASICRESP *resp, X509 *signer,
EVP_PKEY *key, const EVP_MD *dgst,
STACK_OF(X509) *certs, unsigned long flags);
OCSP_response_create creates an OCSP_RESPONSE and encodes an optional bs within it.
OPENSSL_EXPORT OCSP_RESPONSE *OCSP_response_create(int status,
OCSP_BASICRESP *bs);
OCSP_SINGLERESP_get0_id returns the OCSP_CERTID within x.
OPENSSL_EXPORT const OCSP_CERTID *OCSP_SINGLERESP_get0_id(
const OCSP_SINGLERESP *x);
OCSP_response_status_str returns a string describing the OCSP response status status_code.
OPENSSL_EXPORT const char *OCSP_response_status_str(long status_code);
OCSP_cert_status_str returns a string describing the OCSP certificate status status_code.
OPENSSL_EXPORT const char *OCSP_cert_status_str(long status_code);
OCSP_crl_reason_str returns a string describing the CRL reason code status_code. OCSP_resp_find_status can be used to retrieve the reason code when an OCSP response reports the certificate as revoked.
OPENSSL_EXPORT const char *OCSP_crl_reason_str(long status_code);
OCSP_REQUEST_print prints the contents of an OCSP request to bp. flags is used to configure printing of the req's extensions (See X509V3_extensions_print for more information). This is typically used for debugging or diagnostic purposes.
OPENSSL_EXPORT int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *req,
unsigned long flags);
OCSP_RESPONSE_print prints the contents of an OCSP response to bp. flags is used to configure printing of the resp's extensions (See X509V3_extensions_print for more information). This is typically used for debugging or diagnostic purposes.
OPENSSL_EXPORT int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *resp,
unsigned long flags);
OCSP_BASICRESP_get_ext_by_NID returns the index of the extension in bs whose NID is nid, searching from lastpos + 1 (pass -1 to search from the beginning). It returns -1 if none is found.
OPENSSL_EXPORT int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *bs, int nid,
int lastpos);
OCSP_BASICRESP_get_ext returns the X509_EXTENSION in bs at index loc, or NULL if loc is out of bounds.
OPENSSL_EXPORT X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *bs,
int loc);
OCSP X509_EXTENSION Functions
OCSP_BASICRESP_delete_ext removes the extension in x at index loc and returns the removed extension, or NULL if loc was out of bounds. If an extension was returned, the caller must release it with X509_EXTENSION_free.
OPENSSL_EXPORT X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x,
int loc);
OCSP_SINGLERESP_add_ext adds a copy of ex to the extension list in *sresp. It returns 1 on success and 0 on error. The new extension is inserted at index loc, shifting extensions to the right. If loc is -1 or out of bounds, the new extension is appended to the list.
OPENSSL_EXPORT int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *sresp,
X509_EXTENSION *ex, int loc);
OCSP_SINGLERESP_get_ext_count returns the number of X509_EXTENSIONs in sresp.
OPENSSL_EXPORT int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *sresp);
OCSP_SINGLERESP_get_ext returns the X509_EXTENSION in sresp at index loc, or NULL if loc is out of bounds.
OPENSSL_EXPORT X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *sresp,
int loc);
OCSP no-op flags [Deprecated].
OCSP_NOSIGS does nothing. In OpenSSL, this skips signature verification in OCSP_basic_verify and OCSP_request_verify; here its value is 0, so passing it has no effect and signatures are always verified.
#define OCSP_NOSIGS 0
OCSP_NOCASIGN does nothing. It's a legacy OCSP flag deprecated since OpenSSL 1.0.1g.
#define OCSP_NOCASIGN 0
OCSP_NODELEGATED does nothing. It's a legacy OCSP flag deprecated since OpenSSL 1.0.1g.
#define OCSP_NODELEGATED 0
OCSP_NOCHECKS does nothing. In OpenSSL, this disables verifying that the signer certificate meets the OCSP issuer criteria or any delegation in OCSP_basic_verify; here its value is 0, so passing it has no effect and those checks are always performed.
#define OCSP_NOCHECKS 0
Various OCSP flags and values