gnutls_ocsp_resp_verify — API function

Synopsis

#include <gnutls/ocsp.h>

int gnutls_ocsp_resp_verify(gnutls_ocsp_resp_t resp, gnutls_x509_trust_list_t trustlist, unsigned int * verify, unsigned int flags);

Arguments

gnutls_ocsp_resp_t resp

should contain a gnutls_ocsp_resp_t type

gnutls_x509_trust_list_t trustlist

trust anchors as a gnutls_x509_trust_list_t type

unsigned int * verify

output variable with verification status, an gnutls_ocsp_verify_reason_t

unsigned int flags

verification flags from gnutls_certificate_verify_flags

Description

Verify signature of the Basic OCSP Response against the public key in the certificate of a trusted signer.  The  trustlist should be populated with trust anchors.  The function will extract the signer certificate from the Basic OCSP Response and will verify it against the  trustlist .  A trusted signer is a certificate that is either in  trustlist , or it is signed directly by a certificate in
trustlist and has the id-ad-ocspSigning Extended Key Usage bit set.

The output  verify variable will hold verification status codes (e.g., GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND, GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM) which are only valid if the function returned GNUTLS_E_SUCCESS.

Note that the function returns GNUTLS_E_SUCCESS even when verification failed.  The caller must always inspect the  verify variable to find out the verification status.

The  flags variable should be 0 for now.

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Reporting Bugs

Report bugs to <bugs@gnutls.org>.
Home page: https://www.gnutls.org

See Also

The full documentation for gnutls is maintained as a Texinfo manual. If the /usr/share/doc/gnutls/ directory does not contain the HTML form visit

https://www.gnutls.org/manual/

Info

3.6.9 gnutls