gnutls_ocsp_resp_verify man page

gnutls_ocsp_resp_verify — API function

Synopsis

#include <gnutls/ocsp.h>

int gnutls_ocsp_resp_verify(gnutls_ocsp_resp_t resp, gnutls_x509_trust_list_t trustlist, unsigned int * verify, unsigned int flags);

Arguments

gnutls_ocsp_resp_t resp
should contain a gnutls_ocsp_resp_t type
gnutls_x509_trust_list_t trustlist
trust anchors as a gnutls_x509_trust_list_t type
unsigned int * verify
output variable with verification status, an gnutls_ocsp_verify_reason_t
unsigned int flags
verification flags, 0 for now.

Description

Verify signature of the Basic OCSP Response against the public key in the certificate of a trusted signer. The trustlist should be populated with trust anchors. The function will extract the signer certificate from the Basic OCSP Response and will verify it against the trustlist . A trusted signer is a certificate that is either in trustlist , or it is signed directly by a certificate in
trustlist and has the id-ad-ocspSigning Extended Key Usage bit set.

The output verify variable will hold verification status codes (e.g., GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND, GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM) which are only valid if the function returned GNUTLS_E_SUCCESS.

Note that the function returns GNUTLS_E_SUCCESS even when verification failed. The caller must always inspect the verify variable to find out the verification status.

The flags variable should be 0 for now.

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Reporting Bugs

Report bugs to <bugs@gnutls.org>.
Home page: http://www.gnutls.org

See Also

The full documentation for gnutls is maintained as a Texinfo manual. If the /usr/share/doc/gnutls/ directory does not contain the HTML form visit

http://www.gnutls.org/manual/

Info

3.5.6 gnutls gnutls