summaryrefslogtreecommitdiffstats
path: root/doc/ocsp-api.texi
diff options
context:
space:
mode:
Diffstat (limited to 'doc/ocsp-api.texi')
-rw-r--r--doc/ocsp-api.texi758
1 files changed, 758 insertions, 0 deletions
diff --git a/doc/ocsp-api.texi b/doc/ocsp-api.texi
new file mode 100644
index 0000000..f3183ed
--- /dev/null
+++ b/doc/ocsp-api.texi
@@ -0,0 +1,758 @@
+
+@subheading gnutls_ocsp_req_add_cert
+@anchor{gnutls_ocsp_req_add_cert}
+@deftypefun {int} {gnutls_ocsp_req_add_cert} (gnutls_ocsp_req_t @var{req}, gnutls_digest_algorithm_t @var{digest}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_crt_t @var{cert})
+@var{req}: should contain a @code{gnutls_ocsp_req_t} type
+
+@var{digest}: hash algorithm, a @code{gnutls_digest_algorithm_t} value
+
+@var{issuer}: issuer of @code{subject} certificate
+
+@var{cert}: certificate to request status for
+
+This function will add another request to the OCSP request for a
+particular certificate. The issuer name hash, issuer key hash, and
+serial number fields is populated as follows. The issuer name and
+the serial number is taken from @code{cert} . The issuer key is taken
+from @code{issuer} . The hashed values will be hashed using the @code{digest} algorithm, normally @code{GNUTLS_DIG_SHA1} .
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_add_cert_id
+@anchor{gnutls_ocsp_req_add_cert_id}
+@deftypefun {int} {gnutls_ocsp_req_add_cert_id} (gnutls_ocsp_req_t @var{req}, gnutls_digest_algorithm_t @var{digest}, const gnutls_datum_t * @var{issuer_name_hash}, const gnutls_datum_t * @var{issuer_key_hash}, const gnutls_datum_t * @var{serial_number})
+@var{req}: should contain a @code{gnutls_ocsp_req_t} type
+
+@var{digest}: hash algorithm, a @code{gnutls_digest_algorithm_t} value
+
+@var{issuer_name_hash}: hash of issuer's DN
+
+@var{issuer_key_hash}: hash of issuer's public key
+
+@var{serial_number}: serial number of certificate to check
+
+This function will add another request to the OCSP request for a
+particular certificate having the issuer name hash of
+ @code{issuer_name_hash} and issuer key hash of @code{issuer_key_hash} (both
+hashed using @code{digest} ) and serial number @code{serial_number} .
+
+The information needed corresponds to the CertID structure:
+
+<informalexample><programlisting>
+CertID ::= SEQUENCE @{
+hashAlgorithm AlgorithmIdentifier,
+issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+issuerKeyHash OCTET STRING, -- Hash of Issuers public key
+serialNumber CertificateSerialNumber @}
+</programlisting></informalexample>
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_deinit
+@anchor{gnutls_ocsp_req_deinit}
+@deftypefun {void} {gnutls_ocsp_req_deinit} (gnutls_ocsp_req_t @var{req})
+@var{req}: The data to be deinitialized
+
+This function will deinitialize a OCSP request structure.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_export
+@anchor{gnutls_ocsp_req_export}
+@deftypefun {int} {gnutls_ocsp_req_export} (gnutls_ocsp_req_const_t @var{req}, gnutls_datum_t * @var{data})
+@var{req}: Holds the OCSP request
+
+@var{data}: newly allocate buffer holding DER encoded OCSP request
+
+This function will export the OCSP request to DER format.
+
+@strong{Returns:} In case of failure a negative error code will be
+returned, and 0 on success.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_get_cert_id
+@anchor{gnutls_ocsp_req_get_cert_id}
+@deftypefun {int} {gnutls_ocsp_req_get_cert_id} (gnutls_ocsp_req_const_t @var{req}, unsigned @var{indx}, gnutls_digest_algorithm_t * @var{digest}, gnutls_datum_t * @var{issuer_name_hash}, gnutls_datum_t * @var{issuer_key_hash}, gnutls_datum_t * @var{serial_number})
+@var{req}: should contain a @code{gnutls_ocsp_req_t} type
+
+@var{indx}: Specifies which extension OID to get. Use (0) to get the first one.
+
+@var{digest}: output variable with @code{gnutls_digest_algorithm_t} hash algorithm
+
+@var{issuer_name_hash}: output buffer with hash of issuer's DN
+
+@var{issuer_key_hash}: output buffer with hash of issuer's public key
+
+@var{serial_number}: output buffer with serial number of certificate to check
+
+This function will return the certificate information of the
+ @code{indx} 'ed request in the OCSP request. The information returned
+corresponds to the CertID structure:
+
+<informalexample><programlisting>
+CertID ::= SEQUENCE @{
+hashAlgorithm AlgorithmIdentifier,
+issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+issuerKeyHash OCTET STRING, -- Hash of Issuers public key
+serialNumber CertificateSerialNumber @}
+</programlisting></informalexample>
+
+Each of the pointers to output variables may be NULL to indicate
+that the caller is not interested in that value.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned. If you have reached the last
+CertID available @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} will be
+returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_get_extension
+@anchor{gnutls_ocsp_req_get_extension}
+@deftypefun {int} {gnutls_ocsp_req_get_extension} (gnutls_ocsp_req_const_t @var{req}, unsigned @var{indx}, gnutls_datum_t * @var{oid}, unsigned int * @var{critical}, gnutls_datum_t * @var{data})
+@var{req}: should contain a @code{gnutls_ocsp_req_t} type
+
+@var{indx}: Specifies which extension OID to get. Use (0) to get the first one.
+
+@var{oid}: will hold newly allocated buffer with OID of extension, may be NULL
+
+@var{critical}: output variable with critical flag, may be NULL.
+
+@var{data}: will hold newly allocated buffer with extension data, may be NULL
+
+This function will return all information about the requested
+extension in the OCSP request. The information returned is the
+OID, the critical flag, and the data itself. The extension OID
+will be stored as a string. Any of @code{oid} , @code{critical} , and @code{data} may
+be NULL which means that the caller is not interested in getting
+that information back.
+
+The caller needs to deallocate memory by calling @code{gnutls_free()} on
+ @code{oid} ->data and @code{data} ->data.
+
+Since 3.7.0 @code{oid} ->size does not account for the terminating null byte.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned. If you have reached the last
+extension available @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} will
+be returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_get_nonce
+@anchor{gnutls_ocsp_req_get_nonce}
+@deftypefun {int} {gnutls_ocsp_req_get_nonce} (gnutls_ocsp_req_const_t @var{req}, unsigned int * @var{critical}, gnutls_datum_t * @var{nonce})
+@var{req}: should contain a @code{gnutls_ocsp_req_t} type
+
+@var{critical}: whether nonce extension is marked critical, or NULL
+
+@var{nonce}: will hold newly allocated buffer with nonce data
+
+This function will return the OCSP request nonce extension data.
+
+The caller needs to deallocate memory by calling @code{gnutls_free()} on
+ @code{nonce} ->data.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_get_version
+@anchor{gnutls_ocsp_req_get_version}
+@deftypefun {int} {gnutls_ocsp_req_get_version} (gnutls_ocsp_req_const_t @var{req})
+@var{req}: should contain a @code{gnutls_ocsp_req_t} type
+
+This function will return the version of the OCSP request.
+Typically this is always 1 indicating version 1.
+
+@strong{Returns:} version of OCSP request, or a negative error code on error.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_import
+@anchor{gnutls_ocsp_req_import}
+@deftypefun {int} {gnutls_ocsp_req_import} (gnutls_ocsp_req_t @var{req}, const gnutls_datum_t * @var{data})
+@var{req}: The data to store the parsed request.
+
+@var{data}: DER encoded OCSP request.
+
+This function will convert the given DER encoded OCSP request to
+the native @code{gnutls_ocsp_req_t} format. The output will be stored in
+ @code{req} .
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_init
+@anchor{gnutls_ocsp_req_init}
+@deftypefun {int} {gnutls_ocsp_req_init} (gnutls_ocsp_req_t * @var{req})
+@var{req}: A pointer to the type to be initialized
+
+This function will initialize an OCSP request structure.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_print
+@anchor{gnutls_ocsp_req_print}
+@deftypefun {int} {gnutls_ocsp_req_print} (gnutls_ocsp_req_const_t @var{req}, gnutls_ocsp_print_formats_t @var{format}, gnutls_datum_t * @var{out})
+@var{req}: The data to be printed
+
+@var{format}: Indicate the format to use
+
+@var{out}: Newly allocated datum with (0) terminated string.
+
+This function will pretty print a OCSP request, suitable for
+display to a human.
+
+If the format is @code{GNUTLS_OCSP_PRINT_FULL} then all fields of the
+request will be output, on multiple lines.
+
+The output @code{out} ->data needs to be deallocate using @code{gnutls_free()} .
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_randomize_nonce
+@anchor{gnutls_ocsp_req_randomize_nonce}
+@deftypefun {int} {gnutls_ocsp_req_randomize_nonce} (gnutls_ocsp_req_t @var{req})
+@var{req}: should contain a @code{gnutls_ocsp_req_t} type
+
+This function will add or update an nonce extension to the OCSP
+request with a newly generated random value.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_set_extension
+@anchor{gnutls_ocsp_req_set_extension}
+@deftypefun {int} {gnutls_ocsp_req_set_extension} (gnutls_ocsp_req_t @var{req}, const char * @var{oid}, unsigned int @var{critical}, const gnutls_datum_t * @var{data})
+@var{req}: should contain a @code{gnutls_ocsp_req_t} type
+
+@var{oid}: buffer with OID of extension as a string.
+
+@var{critical}: critical flag, normally false.
+
+@var{data}: the extension data
+
+This function will add an extension to the OCSP request. Calling
+this function multiple times for the same OID will overwrite values
+from earlier calls.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_req_set_nonce
+@anchor{gnutls_ocsp_req_set_nonce}
+@deftypefun {int} {gnutls_ocsp_req_set_nonce} (gnutls_ocsp_req_t @var{req}, unsigned int @var{critical}, const gnutls_datum_t * @var{nonce})
+@var{req}: should contain a @code{gnutls_ocsp_req_t} type
+
+@var{critical}: critical flag, normally false.
+
+@var{nonce}: the nonce data
+
+This function will add an nonce extension to the OCSP request.
+Calling this function multiple times will overwrite values from
+earlier calls.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_check_crt
+@anchor{gnutls_ocsp_resp_check_crt}
+@deftypefun {int} {gnutls_ocsp_resp_check_crt} (gnutls_ocsp_resp_const_t @var{resp}, unsigned int @var{indx}, gnutls_x509_crt_t @var{crt})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{indx}: Specifies response number to get. Use (0) to get the first one.
+
+@var{crt}: The certificate to check
+
+This function will check whether the OCSP response
+is about the provided certificate.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned.
+
+@strong{Since:} 3.1.3
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_deinit
+@anchor{gnutls_ocsp_resp_deinit}
+@deftypefun {void} {gnutls_ocsp_resp_deinit} (gnutls_ocsp_resp_t @var{resp})
+@var{resp}: The data to be deinitialized
+
+This function will deinitialize a OCSP response structure.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_export
+@anchor{gnutls_ocsp_resp_export}
+@deftypefun {int} {gnutls_ocsp_resp_export} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_datum_t * @var{data})
+@var{resp}: Holds the OCSP response
+
+@var{data}: newly allocate buffer holding DER encoded OCSP response
+
+This function will export the OCSP response to DER format.
+
+@strong{Returns:} In case of failure a negative error code will be
+returned, and 0 on success.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_export2
+@anchor{gnutls_ocsp_resp_export2}
+@deftypefun {int} {gnutls_ocsp_resp_export2} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{fmt})
+@var{resp}: Holds the OCSP response
+
+@var{data}: newly allocate buffer holding DER or PEM encoded OCSP response
+
+@var{fmt}: DER or PEM
+
+This function will export the OCSP response to DER or PEM format.
+
+@strong{Returns:} In case of failure a negative error code will be
+returned, and 0 on success.
+
+@strong{Since:} 3.6.3
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_certs
+@anchor{gnutls_ocsp_resp_get_certs}
+@deftypefun {int} {gnutls_ocsp_resp_get_certs} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_x509_crt_t ** @var{certs}, size_t * @var{ncerts})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{certs}: newly allocated array with @code{gnutls_x509_crt_t} certificates
+
+@var{ncerts}: output variable with number of allocated certs.
+
+This function will extract the X.509 certificates found in the
+Basic OCSP Response. The @code{certs} output variable will hold a newly
+allocated zero-terminated array with X.509 certificates.
+
+Every certificate in the array needs to be de-allocated with
+@code{gnutls_x509_crt_deinit()} and the array itself must be freed using
+@code{gnutls_free()} .
+
+Both the @code{certs} and @code{ncerts} variables may be NULL. Then the
+function will work as normal but will not return the NULL:d
+information. This can be used to get the number of certificates
+only, or to just get the certificate array without its size.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_extension
+@anchor{gnutls_ocsp_resp_get_extension}
+@deftypefun {int} {gnutls_ocsp_resp_get_extension} (gnutls_ocsp_resp_const_t @var{resp}, unsigned @var{indx}, gnutls_datum_t * @var{oid}, unsigned int * @var{critical}, gnutls_datum_t * @var{data})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{indx}: Specifies which extension OID to get. Use (0) to get the first one.
+
+@var{oid}: will hold newly allocated buffer with OID of extension, may be NULL
+
+@var{critical}: output variable with critical flag, may be NULL.
+
+@var{data}: will hold newly allocated buffer with extension data, may be NULL
+
+This function will return all information about the requested
+extension in the OCSP response. The information returned is the
+OID, the critical flag, and the data itself. The extension OID
+will be stored as a string. Any of @code{oid} , @code{critical} , and @code{data} may
+be NULL which means that the caller is not interested in getting
+that information back.
+
+The caller needs to deallocate memory by calling @code{gnutls_free()} on
+ @code{oid} ->data and @code{data} ->data.
+
+Since 3.7.0 @code{oid} ->size does not account for the terminating null byte.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned. If you have reached the last
+extension available @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} will
+be returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_nonce
+@anchor{gnutls_ocsp_resp_get_nonce}
+@deftypefun {int} {gnutls_ocsp_resp_get_nonce} (gnutls_ocsp_resp_const_t @var{resp}, unsigned int * @var{critical}, gnutls_datum_t * @var{nonce})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{critical}: whether nonce extension is marked critical
+
+@var{nonce}: will hold newly allocated buffer with nonce data
+
+This function will return the Basic OCSP Response nonce extension
+data.
+
+The caller needs to deallocate memory by calling @code{gnutls_free()} on
+ @code{nonce} ->data.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_produced
+@anchor{gnutls_ocsp_resp_get_produced}
+@deftypefun {time_t} {gnutls_ocsp_resp_get_produced} (gnutls_ocsp_resp_const_t @var{resp})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+This function will return the time when the OCSP response was
+signed.
+
+@strong{Returns:} signing time, or (time_t)-1 on error.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_responder
+@anchor{gnutls_ocsp_resp_get_responder}
+@deftypefun {int} {gnutls_ocsp_resp_get_responder} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_datum_t * @var{dn})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{dn}: newly allocated buffer with name
+
+This function will extract the name of the Basic OCSP Response in
+the provided buffer. The name will be in the form
+"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
+will be ASCII or UTF-8 encoded, depending on the certificate data.
+
+If the responder ID is not a name but a hash, this function
+will return zero and the @code{dn} elements will be set to @code{NULL} .
+
+The caller needs to deallocate memory by calling @code{gnutls_free()} on
+ @code{dn} ->data.
+
+This function does not output a fully RFC4514 compliant string, if
+that is required see @code{gnutls_ocsp_resp_get_responder2()} .
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned. When no data exist it will
+return success and set @code{dn} elements to zero.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_responder2
+@anchor{gnutls_ocsp_resp_get_responder2}
+@deftypefun {int} {gnutls_ocsp_resp_get_responder2} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_datum_t * @var{dn}, unsigned @var{flags})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{dn}: newly allocated buffer with name
+
+@var{flags}: zero or @code{GNUTLS_X509_DN_FLAG_COMPAT}
+
+This function will extract the name of the Basic OCSP Response in
+the provided buffer. The name will be in the form
+"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
+will be ASCII or UTF-8 encoded, depending on the certificate data.
+
+If the responder ID is not a name but a hash, this function
+will return zero and the @code{dn} elements will be set to @code{NULL} .
+
+The caller needs to deallocate memory by calling @code{gnutls_free()} on
+ @code{dn} ->data.
+
+When the flag @code{GNUTLS_X509_DN_FLAG_COMPAT} is specified, the output
+format will match the format output by previous to 3.5.6 versions of GnuTLS
+which was not not fully RFC4514-compliant.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned. When no data exist it will return
+@code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} .
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_responder_raw_id
+@anchor{gnutls_ocsp_resp_get_responder_raw_id}
+@deftypefun {int} {gnutls_ocsp_resp_get_responder_raw_id} (gnutls_ocsp_resp_const_t @var{resp}, unsigned @var{type}, gnutls_datum_t * @var{raw})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{type}: should be @code{GNUTLS_OCSP_RESP_ID_KEY} or @code{GNUTLS_OCSP_RESP_ID_DN}
+
+@var{raw}: newly allocated buffer with the raw ID
+
+This function will extract the raw key (or DN) ID of the Basic OCSP Response in
+the provided buffer. If the responder ID is not a key ID then
+this function will return @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} .
+
+The caller needs to deallocate memory by calling @code{gnutls_free()} on
+ @code{dn} ->data.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_response
+@anchor{gnutls_ocsp_resp_get_response}
+@deftypefun {int} {gnutls_ocsp_resp_get_response} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_datum_t * @var{response_type_oid}, gnutls_datum_t * @var{response})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{response_type_oid}: newly allocated output buffer with response type OID
+
+@var{response}: newly allocated output buffer with DER encoded response
+
+This function will extract the response type OID in and the
+response data from an OCSP response. Normally the
+ @code{response_type_oid} is always "1.3.6.1.5.5.7.48.1.1" which means the
+ @code{response} should be decoded as a Basic OCSP Response, but
+technically other response types could be used.
+
+This function is typically only useful when you want to extract the
+response type OID of an response for diagnostic purposes.
+Otherwise @code{gnutls_ocsp_resp_import()} will decode the basic OCSP
+response part and the caller need not worry about that aspect.
+
+Since 3.7.0 @code{response_type_oid} ->size does not account for the terminating
+null byte.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_signature
+@anchor{gnutls_ocsp_resp_get_signature}
+@deftypefun {int} {gnutls_ocsp_resp_get_signature} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_datum_t * @var{sig})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{sig}: newly allocated output buffer with signature data
+
+This function will extract the signature field of a OCSP response.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_signature_algorithm
+@anchor{gnutls_ocsp_resp_get_signature_algorithm}
+@deftypefun {int} {gnutls_ocsp_resp_get_signature_algorithm} (gnutls_ocsp_resp_const_t @var{resp})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+This function will return a value of the @code{gnutls_sign_algorithm_t}
+enumeration that is the signature algorithm that has been used to
+sign the OCSP response.
+
+@strong{Returns:} a @code{gnutls_sign_algorithm_t} value, or a negative error code
+on error.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_single
+@anchor{gnutls_ocsp_resp_get_single}
+@deftypefun {int} {gnutls_ocsp_resp_get_single} (gnutls_ocsp_resp_const_t @var{resp}, unsigned @var{indx}, gnutls_digest_algorithm_t * @var{digest}, gnutls_datum_t * @var{issuer_name_hash}, gnutls_datum_t * @var{issuer_key_hash}, gnutls_datum_t * @var{serial_number}, unsigned int * @var{cert_status}, time_t * @var{this_update}, time_t * @var{next_update}, time_t * @var{revocation_time}, unsigned int * @var{revocation_reason})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{indx}: Specifies response number to get. Use (0) to get the first one.
+
+@var{digest}: output variable with @code{gnutls_digest_algorithm_t} hash algorithm
+
+@var{issuer_name_hash}: output buffer with hash of issuer's DN
+
+@var{issuer_key_hash}: output buffer with hash of issuer's public key
+
+@var{serial_number}: output buffer with serial number of certificate to check
+
+@var{cert_status}: a certificate status, a @code{gnutls_ocsp_cert_status_t} enum.
+
+@var{this_update}: time at which the status is known to be correct.
+
+@var{next_update}: when newer information will be available, or (time_t)-1 if unspecified
+
+@var{revocation_time}: when @code{cert_status} is @code{GNUTLS_OCSP_CERT_REVOKED} , holds time of revocation.
+
+@var{revocation_reason}: revocation reason, a @code{gnutls_x509_crl_reason_t} enum.
+
+This function will return the certificate information of the
+ @code{indx} 'ed response in the Basic OCSP Response @code{resp} . The
+information returned corresponds to the OCSP SingleResponse structure
+except the final singleExtensions.
+
+Each of the pointers to output variables may be NULL to indicate
+that the caller is not interested in that value.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error code is returned. If you have reached the last
+CertID available @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} will be
+returned.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_status
+@anchor{gnutls_ocsp_resp_get_status}
+@deftypefun {int} {gnutls_ocsp_resp_get_status} (gnutls_ocsp_resp_const_t @var{resp})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+This function will return the status of a OCSP response, an
+@code{gnutls_ocsp_resp_status_t} enumeration.
+
+@strong{Returns:} status of OCSP request as a @code{gnutls_ocsp_resp_status_t} , or
+a negative error code on error.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_get_version
+@anchor{gnutls_ocsp_resp_get_version}
+@deftypefun {int} {gnutls_ocsp_resp_get_version} (gnutls_ocsp_resp_const_t @var{resp})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+This function will return the version of the Basic OCSP Response.
+Typically this is always 1 indicating version 1.
+
+@strong{Returns:} version of Basic OCSP response, or a negative error code
+on error.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_import
+@anchor{gnutls_ocsp_resp_import}
+@deftypefun {int} {gnutls_ocsp_resp_import} (gnutls_ocsp_resp_t @var{resp}, const gnutls_datum_t * @var{data})
+@var{resp}: The data to store the parsed response.
+
+@var{data}: DER encoded OCSP response.
+
+This function will convert the given DER encoded OCSP response to
+the native @code{gnutls_ocsp_resp_t} format. It also decodes the Basic
+OCSP Response part, if any. The output will be stored in @code{resp} .
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_import2
+@anchor{gnutls_ocsp_resp_import2}
+@deftypefun {int} {gnutls_ocsp_resp_import2} (gnutls_ocsp_resp_t @var{resp}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{fmt})
+@var{resp}: The data to store the parsed response.
+
+@var{data}: DER or PEM encoded OCSP response.
+
+@var{fmt}: DER or PEM
+
+This function will convert the given OCSP response to
+the native @code{gnutls_ocsp_resp_t} format. It also decodes the Basic
+OCSP Response part, if any. The output will be stored in @code{resp} .
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+
+@strong{Since:} 3.6.3
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_init
+@anchor{gnutls_ocsp_resp_init}
+@deftypefun {int} {gnutls_ocsp_resp_init} (gnutls_ocsp_resp_t * @var{resp})
+@var{resp}: A pointer to the type to be initialized
+
+This function will initialize an OCSP response structure.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_list_import2
+@anchor{gnutls_ocsp_resp_list_import2}
+@deftypefun {int} {gnutls_ocsp_resp_list_import2} (gnutls_ocsp_resp_t ** @var{ocsps}, unsigned int * @var{size}, const gnutls_datum_t * @var{resp_data}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags})
+@var{ocsps}: Will hold the parsed OCSP response list.
+
+@var{size}: It will contain the size of the list.
+
+@var{resp_data}: The PEM encoded OCSP list.
+
+@var{format}: One of @code{GNUTLS_X509_FMT_PEM} or @code{GNUTLS_X509_FMT_DER}
+
+@var{flags}: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
+
+This function will convert the given PEM encoded OCSP response list
+to the native gnutls_ocsp_resp_t format. The output will be stored
+in @code{ocsps} which will be allocated and initialized.
+
+The OCSP responses should have a header of "OCSP RESPONSE".
+
+To deinitialize responses, you need to deinitialize each @code{gnutls_ocsp_resp_t}
+structure independently, and use @code{gnutls_free()} at @code{ocsps} .
+
+In PEM files, when no OCSP responses are detected
+@code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} will be returned.
+
+@strong{Returns:} the number of responses read or a negative error value.
+
+@strong{Since:} 3.6.3
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_print
+@anchor{gnutls_ocsp_resp_print}
+@deftypefun {int} {gnutls_ocsp_resp_print} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_ocsp_print_formats_t @var{format}, gnutls_datum_t * @var{out})
+@var{resp}: The data to be printed
+
+@var{format}: Indicate the format to use
+
+@var{out}: Newly allocated datum with (0) terminated string.
+
+This function will pretty print a OCSP response, suitable for
+display to a human.
+
+If the format is @code{GNUTLS_OCSP_PRINT_FULL} then all fields of the
+response will be output, on multiple lines.
+
+The output @code{out} ->data needs to be deallocate using @code{gnutls_free()} .
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_verify
+@anchor{gnutls_ocsp_resp_verify}
+@deftypefun {int} {gnutls_ocsp_resp_verify} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_x509_trust_list_t @var{trustlist}, unsigned int * @var{verify}, unsigned int @var{flags})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{trustlist}: trust anchors as a @code{gnutls_x509_trust_list_t} type
+
+@var{verify}: output variable with verification status, an @code{gnutls_ocsp_verify_reason_t}
+
+@var{flags}: verification flags from @code{gnutls_certificate_verify_flags}
+
+Verify signature of the Basic OCSP Response against the public key
+in the certificate of a trusted signer. The @code{trustlist} should be
+populated with trust anchors. The function will extract the signer
+certificate from the Basic OCSP Response and will verify it against
+the @code{trustlist} . A trusted signer is a certificate that is either
+in @code{trustlist} , or it is signed directly by a certificate in
+ @code{trustlist} and has the id-ad-ocspSigning Extended Key Usage bit
+set.
+
+The output @code{verify} variable will hold verification status codes
+(e.g., @code{GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND} ,
+@code{GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM} ) which are only valid if the
+function returned @code{GNUTLS_E_SUCCESS} .
+
+Note that the function returns @code{GNUTLS_E_SUCCESS} even when
+verification failed. The caller must always inspect the @code{verify} variable to find out the verification status.
+
+The @code{flags} variable should be 0 for now.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+
+@subheading gnutls_ocsp_resp_verify_direct
+@anchor{gnutls_ocsp_resp_verify_direct}
+@deftypefun {int} {gnutls_ocsp_resp_verify_direct} (gnutls_ocsp_resp_const_t @var{resp}, gnutls_x509_crt_t @var{issuer}, unsigned int * @var{verify}, unsigned int @var{flags})
+@var{resp}: should contain a @code{gnutls_ocsp_resp_t} type
+
+@var{issuer}: certificate believed to have signed the response
+
+@var{verify}: output variable with verification status, an @code{gnutls_ocsp_verify_reason_t}
+
+@var{flags}: verification flags from @code{gnutls_certificate_verify_flags}
+
+Verify signature of the Basic OCSP Response against the public key
+in the @code{issuer} certificate.
+
+The output @code{verify} variable will hold verification status codes
+(e.g., @code{GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND} ,
+@code{GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM} ) which are only valid if the
+function returned @code{GNUTLS_E_SUCCESS} .
+
+Note that the function returns @code{GNUTLS_E_SUCCESS} even when
+verification failed. The caller must always inspect the @code{verify} variable to find out the verification status.
+
+The @code{flags} variable should be 0 for now.
+
+@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
+negative error value.
+@end deftypefun
+