gnutls_ocsp_resp_verify - Man Page

API function


#include <gnutls/ocsp.h>

int gnutls_ocsp_resp_verify(gnutls_ocsp_resp_const_t resp, gnutls_x509_trust_list_t trustlist, unsigned int * verify, unsigned int flags);


gnutls_ocsp_resp_const_t resp

should contain a gnutls_ocsp_resp_t type

gnutls_x509_trust_list_t trustlist

trust anchors as a gnutls_x509_trust_list_t type

unsigned int * verify

output variable with verification status, a gnutls_ocsp_verify_reason_t

unsigned int flags

verification flags from gnutls_certificate_verify_flags


Verify signature of the Basic OCSP Response against the public key in the certificate of a trusted signer. The trustlist should be populated with trust anchors. The function will extract the signer certificate from the Basic OCSP Response and will verify it against the trustlist. A trusted signer is a certificate that is either in trustlist, or it is signed directly by a certificate in trustlist and has the id-ad-ocspSigning Extended Key Usage bit set.

The output verify variable will hold verification status codes (e.g., GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND, GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM) which are only valid if the function returned GNUTLS_E_SUCCESS.

Note that the function returns GNUTLS_E_SUCCESS even when verification failed. The caller must always inspect the verify variable to find out the verification status.

The flags variable should be 0 for now.


On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
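
The following is an added example, not part of the GnuTLS documentation or source. It shows a caller that treats the response as trusted only when the return value is GNUTLS_E_SUCCESS and verify is 0. The names ocsp_sig_classify, check_ocsp_signature and the WITH_GNUTLS build macro are hypothetical.

```c
/* Added example, not GnuTLS project code. Build the wrapper with
 * cc -DWITH_GNUTLS file.c -lgnutls (WITH_GNUTLS is a hypothetical macro). */
enum ocsp_sig_verdict {
    OCSP_SIG_TRUSTED = 0,   /* call succeeded and no failure bit is set */
    OCSP_SIG_REJECTED = 1,  /* call succeeded, but verify reports a failure */
    OCSP_SIG_ERROR = 2      /* call failed; verify must not be interpreted */
};

/* Combine the return code and the verify output as the man page requires.
 * ret: return value of gnutls_ocsp_resp_verify(); 0 is GNUTLS_E_SUCCESS.
 * verify: bitmask of gnutls_ocsp_verify_reason_t values. */
enum ocsp_sig_verdict ocsp_sig_classify(int ret, unsigned int verify)
{
    if (ret != 0)
        return OCSP_SIG_ERROR;      /* negative error: verify is not valid */
    if (verify != 0)
        return OCSP_SIG_REJECTED;   /* success return, failed verification */
    return OCSP_SIG_TRUSTED;
}

#ifdef WITH_GNUTLS
#include <stdio.h>
#include <gnutls/gnutls.h>
#include <gnutls/ocsp.h>

/* Returns 1 only if the response signature chains to trustlist. */
int check_ocsp_signature(gnutls_ocsp_resp_const_t resp,
                         gnutls_x509_trust_list_t trustlist)
{
    unsigned int verify = ~0u;  /* fail closed if the call leaves it unset */
    int ret = gnutls_ocsp_resp_verify(resp, trustlist, &verify, 0);

    switch (ocsp_sig_classify(ret, verify)) {
    case OCSP_SIG_TRUSTED:
        return 1;
    case OCSP_SIG_REJECTED:
        if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
            fprintf(stderr, "OCSP: signer not found\n");
        if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
            fprintf(stderr, "OCSP: insecure algorithm\n");
        fprintf(stderr, "OCSP: verify status 0x%x\n", verify);
        return 0;
    default:
        fprintf(stderr, "OCSP: %s\n", gnutls_strerror(ret));
        return 0;
    }
}
#endif
```

This covers only the signature on the response; the certificate status and the freshness of the response are separate checks.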

Reporting Bugs

Report bugs to <>.
Home page:

See Also

The full documentation for gnutls is maintained as a Texinfo manual. If the /usr/share/doc/gnutls/ directory does not contain the HTML form visit


3.8.0 gnutls