NAME

OCSP_sendreq_new, OCSP_sendreq_nbio, OCSP_REQ_CTX_free, OCSP_REQ_CTX_add1_header, OCSP_REQ_CTX_set1_req, OCSP_parse_url, OCSP_sendreq_bio — OCSP responder query functions

SYNOPSIS

#include <openssl/ocsp.h> OCSP_REQ_CTX *
OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, int maxline); int
OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); void
OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); int
OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, const char *value); int
OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); int
OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, int *pssl); OCSP_RESPONSE *
OCSP_sendreq_bio(BIO *io, const char *path, OCSP_REQUEST *req);

DESCRIPTION

The function OCSP_sendreq_new() returns an OCSP_REQ_CTX structure using the responder io, the URI path path, the OCSP request req and with a response header maximum line length of maxline. If maxline is zero, a default value of 4k is used. The OCSP request req may be set to NULL and provided later if required. The arguments to OCSP_sendreq_new() correspond to the components of the URI. For example, if the responder URI is http://ocsp.com/ocspreq, the BIO io should be connected to host ocsp.com on port 80 and path should be set to “/ocspreq”. OCSP_sendreq_nbio() performs non-blocking I/O on the OCSP request context rctx. When the operation is complete it returns the response in *presp. If OCSP_sendreq_nbio() indicates an operation should be retried, the corresponding BIO can be examined to determine which operation (read or write) should be retried and appropriate action can be taken, for example a select(2) call on the underlying socket. OCSP_REQ_CTX_free() frees up the OCSP context rctx. OCSP_REQ_CTX_add1_header() adds header name with value value to the context rctx. The added headers are of the form “name: value” or just “name” if value is NULL. OCSP_REQ_CTX_add1_header() can be called more than once to add multiple headers. It must be called before any calls to OCSP_sendreq_nbio(). The req parameter in the initial to OCSP_sendreq_new() call must be set to NULL if additional headers are set. OCSP_REQ_CTX_set1_req() sets the OCSP request in rctx to req. This function should be called after any calls to OCSP_REQ_CTX_add1_header(). OCSP_parse_url() is a utility function to parse a url of the form http [s]://host[:port][/path] and store pointers to newly allocated copies of the strings host, port, and path in *phost, *pport, and *ppath, respectively. By default, *ppath is set to “/” and *pport to “443” for https or “80” for http. For https, *pssl is set to 1; otherwise, to 0. OCSP_sendreq_bio() performs an OCSP request using the responder io, the URI path path, the OCSP request req. It does not support retries and so cannot handle non-blocking I/O efficiently. It is retained for compatibility and its use in new applications is not recommended.

RETURN VALUES

OCSP_sendreq_new() returns a valid OCSP_REQ_CTX structure or NULL if an error occurred. OCSP_sendreq_nbio() returns 1 if the operation was completed successfully, -1 if the operation should be retried, or 0 if an error occurred. OCSP_REQ_CTX_add1_header(), OCSP_REQ_CTX_set1_req(), and OCSP_parse_url() return 1 for success or 0 for failure. OCSP_sendreq_bio() returns the OCSP_RESPONSE structure sent by the responder or NULL if an error occurred.

EXAMPLES

Add a Host header for ocsp.com:

SEE ALSO

OCSP_cert_to_id(3), OCSP_request_add1_nonce(3), OCSP_REQUEST_new(3), OCSP_resp_find_status(3), OCSP_response_status(3), X509_get1_ocsp(3)

HISTORY

OCSP_parse_url() and OCSP_sendreq_bio() first appeared in OpenSSL 0.9.7 and have been available since OpenBSD 3.2. OCSP_sendreq_new(), OCSP_sendreq_nbio(), and OCSP_REQ_CTX_free() first appeared in OpenSSL 0.9.8h and have been available since OpenBSD 4.5. OCSP_REQ_CTX_add1_header() and OCSP_REQ_CTX_set1_req() first appeared in OpenSSL 1.0.0 and have been available since OpenBSD 4.9.

CAVEATS

These functions only perform a minimal HTTP query to a responder. If an application wishes to support more advanced features, it should use an alternative, more complete, HTTP library. Currently only HTTP POST queries to responders are supported.