| OCSP_SERVICELOC_NEW(3) | Library Functions Manual | OCSP_SERVICELOC_NEW(3) |
NAME
OCSP_SERVICELOC_new, OCSP_SERVICELOC_free, OCSP_url_svcloc_new — OCSP service locator extension
SYNOPSIS
#include <openssl/ocsp.h>
OCSP_SERVICELOC *
OCSP_SERVICELOC_new(void);
void
OCSP_SERVICELOC_free(OCSP_SERVICELOC *sloc);
X509_EXTENSION *
OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls);
DESCRIPTION
Due to restrictions of network routing, a client may be unable to directly contact the authoritative OCSP server for a certificate that needs to be checked. In that case, the request can be sent via a proxy server. An ASN.1 ServiceLocator structure is included in the singleRequestExtensions field of the Request structure to indicate where to forward the request. The ServiceLocator is represented by an OCSP_SERVICELOC object, which will be stored inside the OCSP_ONEREQ object documented in OCSP_ONEREQ_new(3).
OCSP_SERVICELOC_new() allocates and initializes an empty OCSP_SERVICELOC object.
OCSP_SERVICELOC_free() frees sloc.
OCSP_url_svcloc_new() requires an issuer name and optionally accepts an array of urls. If urls or its first element is NULL, the locator field is omitted from the ServiceLocator structure and only the issuer is included. The resulting ServiceLocator structure is encoded in ASN.1 using X509V3_EXT_i2d(3) with criticality 0.
RETURN VALUES
OCSP_SERVICELOC_new() returns a new OCSP_SERVICELOC object or NULL if an error occurred.
OCSP_url_svcloc_new() returns a new X509_EXTENSION object or NULL if an error occurred.
SEE ALSO
OCSP_REQUEST_new(3), X509_EXTENSION_new(3), X509_get1_ocsp(3), X509_get_issuer_name(3), X509_NAME_new(3)
STANDARDS
RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.4.6: Service Locator
HISTORY
OCSP_SERVICELOC_new(), OCSP_SERVICELOC_free(), and OCSP_url_svcloc_new() first appeared in OpenSSL 0.9.7 and have been available since OpenBSD 3.2.
| August 23, 2019 | Linux 6.14.1-1-default |