macula_trust_store (macula v0.20.5)
Macula Certificate Trust Store
ETS-based storage for trusted realm certificates. Manages trust decisions for self-sovereign certificates.
Trust Model:
- Realm certificates are added to the trust store explicitly
- Instance certificates are verified against their realm's certificate
- Trust-on-first-use (TOFU) can be enabled for automatic trust
Example usage:
%% Start the trust store
{ok, Pid} = macula_trust_store:start_link(),
%% Add a trusted realm certificate
ok = macula_trust_store:add_trusted_realm(RealmDID, RealmCert),
%% Check if a realm is trusted
true = macula_trust_store:is_trusted(RealmDID),
%% Get the certificate for verification
{ok, RealmCert} = macula_trust_store:get_realm_cert(RealmDID),
%% Verify an instance certificate
ok = macula_trust_store:verify_instance_cert(InstanceCert).
Summary
Functions
Add a realm certificate to the trust store
Add a realm certificate with optional notes
Clear all trusted realms (use with caution!)
Get the count of trusted realms
Get the certificate for a trusted realm
Check if a realm DID is in the trust store
List all trusted realm DIDs
Remove a realm from the trust store
Start the trust store with default options
Start the trust store with custom options
Verify an instance certificate against the trust store. Looks up the issuer's realm certificate and verifies the chain.
Types
-type macula_cert() ::
    #macula_cert{subject_did :: binary(),
                 subject_cn :: binary(),
                 issuer_did :: binary(),
                 issuer_cn :: binary(),
                 not_before :: non_neg_integer(),
                 not_after :: non_neg_integer(),
                 public_key :: binary(),
                 signature :: binary(),
                 serial :: binary(),
                 version :: pos_integer(),
                 extensions :: map()}.
Functions
-spec add_trusted_realm(RealmDID :: binary(), Cert :: macula_cert()) -> ok | {error, term()}.
Add a realm certificate to the trust store
-spec add_trusted_realm(RealmDID :: binary(), Cert :: macula_cert(), Notes :: binary()) -> ok | {error, term()}.
Add a realm certificate with optional notes
-spec clear_all() -> ok.
Clear all trusted realms (use with caution!)
-spec count() -> non_neg_integer().
Get the count of trusted realms
-spec get_realm_cert(RealmDID :: binary()) -> {ok, macula_cert()} | {error, not_found}.
Get the certificate for a trusted realm
Check if a realm DID is in the trust store
-spec list_trusted() -> [binary()].
List all trusted realm DIDs
-spec remove_trusted_realm(RealmDID :: binary()) -> ok | {error, not_found}.
Remove a realm from the trust store
Start the trust store with default options
Start the trust store with custom options
-spec verify_instance_cert(Cert :: macula_cert()) -> ok | {error, term()}.
Verify an instance certificate against the trust store. Looks up the issuer's realm certificate and verifies the chain.
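The following stand-alone module is an added example, not code from the macula project, that models the trust rules described on this page (explicit realm trust, instance certificates checked against their realm's certificate, optional TOFU) and the chain check behind verify_instance_cert. The record fields mirror the macula_cert() type above; everything else is an assumption made for the example: the module and function names, the ETS layout, the use of term_to_binary as the signed encoding, Ed25519 keys from OTP crypto, and the constructed DIDs. It also adds a key-pinning check that this page does not describe, so that a second realm certificate under an already-trusted DID with a different key is refused whether TOFU is on or off.

```erlang
%% Added example (not macula code): minimal model of the realm/instance trust chain.
-module(trust_store_demo).
-export([main/0, start/1, add_trusted_realm/2, present_realm_cert/1, verify_instance_cert/2]).

%% Fields follow the macula_cert() type on the doc page.
-record(macula_cert, {subject_did, subject_cn, issuer_did, issuer_cn,
                      not_before, not_after, public_key, signature,
                      serial, version = 1, extensions = #{}}).
-define(TAB, trust_store_demo_tab).   % assumed ETS table name

%% Bytes under the signature: every field except the signature itself
%% (term_to_binary is an assumed encoding, not the project's).
to_be_signed(C) -> term_to_binary(C#macula_cert{signature = undefined}).

sign(C, Priv) ->
    C#macula_cert{signature = crypto:sign(eddsa, none, to_be_signed(C), [Priv, ed25519])}.

verify_sig(C, Pub) ->
    crypto:verify(eddsa, none, to_be_signed(C), C#macula_cert.signature, [Pub, ed25519]).

%% Unsigned certificate skeleton valid for Ttl seconds from Now.
cert(SubjDID, SubjCN, IssDID, IssCN, Pub, Now, Ttl) ->
    #macula_cert{subject_did = SubjDID, subject_cn = SubjCN, issuer_did = IssDID,
                 issuer_cn = IssCN, not_before = Now, not_after = Now + Ttl,
                 public_key = Pub, serial = crypto:strong_rand_bytes(8)}.

%% Trust store: one ETS table keyed by {realm, DID}, plus the TOFU option.
start(Opts) ->
    ets:new(?TAB, [named_table, set, public]),
    ets:insert(?TAB, {{opt, tofu}, maps:get(tofu, Opts, false)}),
    ok.

tofu() -> [{_, V}] = ets:lookup(?TAB, {opt, tofu}), V.

%% Explicit trust: the realm cert must be self-signed and, if the realm is
%% already known, carry the same key (pinning: a changed key is an error).
add_trusted_realm(DID, #macula_cert{subject_did = DID, issuer_did = DID, public_key = Pub} = C) ->
    case verify_sig(C, Pub) of
        false -> {error, bad_signature};
        true ->
            case ets:lookup(?TAB, {realm, DID}) of
                [{_, #macula_cert{public_key = Pub}}] -> ok;   % same key: idempotent
                [{_, _}] -> {error, key_mismatch};
                [] -> ets:insert(?TAB, {{realm, DID}, C}), ok
            end
    end;
add_trusted_realm(_, _) -> {error, not_self_signed}.

%% A peer presents its realm cert: accepted only if already trusted or TOFU is on.
present_realm_cert(#macula_cert{subject_did = DID} = C) ->
    case {ets:lookup(?TAB, {realm, DID}), tofu()} of
        {[], false} -> {error, {untrusted_realm, DID}};
        _ -> add_trusted_realm(DID, C)   % first use, or pin check on later uses
    end.

in_window(#macula_cert{not_before = NB, not_after = NA}, Now) -> Now >= NB andalso Now =< NA.

%% Chain check: issuer must be a trusted realm, both certs inside their
%% validity windows, and the instance signature must verify with the realm key.
verify_instance_cert(#macula_cert{issuer_did = Issuer} = C, Now) ->
    case ets:lookup(?TAB, {realm, Issuer}) of
        [] -> {error, {untrusted_realm, Issuer}};
        [{_, Realm}] ->
            case {in_window(Realm, Now), in_window(C, Now),
                  verify_sig(C, Realm#macula_cert.public_key)} of
                {false, _, _} -> {error, realm_cert_expired};
                {_, false, _} -> {error, expired};
                {_, _, false} -> {error, bad_signature};
                {true, true, true} -> ok
            end
    end.

main() ->
    Now = erlang:system_time(second),
    {RPub, RPriv} = crypto:generate_key(eddsa, ed25519),   % realm key
    {IPub, _} = crypto:generate_key(eddsa, ed25519),       % instance key
    {APub, APriv} = crypto:generate_key(eddsa, ed25519),   % key the realm never issued
    RealmDID = <<"did:example:realm-a">>,                  % constructed DID
    Realm = sign(cert(RealmDID, <<"Realm A">>, RealmDID, <<"Realm A">>, RPub, Now, 30 * 86400), RPriv),
    Inst = sign(cert(<<"did:example:node-1">>, <<"node-1">>, RealmDID, <<"Realm A">>, IPub, Now, 86400), RPriv),
    ok = start(#{tofu => false}),
    {error, {untrusted_realm, RealmDID}} = verify_instance_cert(Inst, Now),
    ok = add_trusted_realm(RealmDID, Realm),
    ok = verify_instance_cert(Inst, Now),
    %% Names the realm as issuer but is signed with a key the realm does not hold.
    Forged = sign(cert(<<"did:example:node-2">>, <<"node-2">>, RealmDID, <<"Realm A">>, APub, Now, 86400), APriv),
    {error, bad_signature} = verify_instance_cert(Forged, Now),
    %% Validity window is enforced even for a genuine instance cert.
    {error, expired} = verify_instance_cert(Inst, Now + 2 * 86400),
    %% A second self-signed "Realm A" cert with a different key is refused: the first key stays pinned.
    Rogue = sign(cert(RealmDID, <<"Realm A">>, RealmDID, <<"Realm A">>, APub, Now, 30 * 86400), APriv),
    {error, key_mismatch} = present_realm_cert(Rogue),
    %% With TOFU on, an unknown realm is trusted at first sight and then pinned the same way.
    ets:delete(?TAB), ok = start(#{tofu => true}),
    ok = present_realm_cert(Realm),
    {error, key_mismatch} = present_realm_cert(Rogue),
    io:format("all trust-store checks behaved as expected~n").
```

Compile and run with `erlc trust_store_demo.erl && erl -noshell -s trust_store_demo main -s init stop`; each `=` match in main/0 fails loudly if a check returns something other than the expected value. The point to take from the TOFU branch is that first-use trust only bounds the window in which an impostor realm can be accepted; once a key is stored, later presentations of the same DID are compared against it, which is what makes a TOFU store safe to operate after the first contact.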