X509 v0.5.4 X509.Certificate.Extension View Source
Convenience functions for creating :Extension
records for use in
certificates.
Link to this section Summary
Types
Supported values in the key usage extension
An entry for use in the subject alternate name extension. Strings are mapped
to DNSName values, tuples must contain values supported by Erlang’s
:public_key
module
:Extension
record, as used in Erlang’s :public_key
module
Functions
The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate
The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate
The CRL distribution points extension identifies how CRL information is obtained
This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates
Looks up the value of a specific extension in a list
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI)
The subject key identifier extension provides a means of identifying certificates that contain a particular public key
Link to this section Types
extension_id() :: :basic_constraints | :key_usage | :ext_key_usage | :subject_key_identifier | :authority_key_identifier | :subject_alt_name | :crl_distribution_point
key_usage_value() :: :digitalSignature | :nonRepudiation | :keyEncipherment | :dataEncipherment | :keyAgreement | :keyCertSign | :cRLSign | :encipherOnly | :decipherOnly
Supported values in the key usage extension
An entry for use in the subject alternate name extension. Strings are mapped
to DNSName values, tuples must contain values supported by Erlang’s
:public_key
module
:Extension
record, as used in Erlang’s :public_key
module
Link to this section Functions
authority_key_identifier(X509.PublicKey.t() | binary()) :: t()
The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate.
The value should be a public key record. It is possible to pass a pre-calculated SHA-1 value, though it is preferred to let the function calculate the correct value over the original public key.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.authority_key_identifier({:RSAPublicKey, 55, 3})
{:Extension, {2, 5, 29, 35}, false,
{:AuthorityKeyIdentifier,
<<187, 230, 143, 92, 27, 37, 166, 93, 176, 137, 154, 111, 62, 152,
215, 114, 3, 214, 71, 170>>, :asn1_NOVALUE, :asn1_NOVALUE}}
The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.
This extension is always marked as critical for CA certificates, and non-criticial when CA is set to false.
Examples:
iex> X509.Certificate.Extension.basic_constraints(false)
{:Extension, {2, 5, 29, 19}, false,
{:BasicConstraints, false, :asn1_NOVALUE}}
iex> X509.Certificate.Extension.basic_constraints(true)
{:Extension, {2, 5, 29, 19}, true, {:BasicConstraints, true, :asn1_NOVALUE}}
iex> X509.Certificate.Extension.basic_constraints(true, 0)
{:Extension, {2, 5, 29, 19}, true, {:BasicConstraints, true, 0}}
The CRL distribution points extension identifies how CRL information is obtained.
The list of distribution points must be specified as a list of strings containing HTTP, FTP and/or LDAP URIs. Other types of distribution points are defined in RFC 5280, but are not supported by this function at this time.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.crl_distribution_points(["http://crl.example.org/root.crl"])
{:Extension, {2, 5, 29, 31}, false,
[
{:DistributionPoint,
{:fullName, [uniformResourceIdentifier: 'http://crl.example.org/root.crl']},
:asn1_NOVALUE, :asn1_NOVALUE}
]}
ext_key_usage([atom() | :public_key.oid()]) :: t()
This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.
Each of the values in the list must be an OID, either in raw tuple format or as an atom representing a well-known OID. Typical examples include:
:serverAuth
- TLS WWW server authentication:clientAuth
- TLS WWW client authentication:codeSigning
- Signing of downloadable executable code:emailProtection
- Email protection:timeStamping
- Binding the hash of an object to a time:ocspSigning
- Signing OCSP responses
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.ext_key_usage([:serverAuth, :clientAuth])
{:Extension, {2, 5, 29, 37}, false,
[{1, 3, 6, 1, 5, 5, 7, 3, 1}, {1, 3, 6, 1, 5, 5, 7, 3, 2}]}
find([t()], extension_id() | :public_key.oid()) :: t() | nil
Looks up the value of a specific extension in a list.
The desired extension can be specified as an atom or an OID value. Returns
nil
if the specified extension is not present in the certificate.
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Each of the key usage values must be one of the atoms recognized by Erlang’s
:public_key
module, though this is not verified by this function.
This extension is always marked as critical.
Example:
iex> X509.Certificate.Extension.key_usage([:digitalSignature, :keyEncipherment])
{:Extension, {2, 5, 29, 15}, true, [:digitalSignature, :keyEncipherment]}
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).
Typically the subject alternative name extension is used to define the
DNS domains or hostnames for which a certificate is valid, so this
function maps string values to DNSName entries. Values of other types
can be passed in a type/value tuples as supported by Erlang’s :public_key
module, if required. Note that Erlang will typically require the value
to be a character list.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.subject_alt_name(["www.example.com", "example.com"])
{:Extension, {2, 5, 29, 17}, false,
[dNSName: 'www.example.com', dNSName: 'example.com']}
iex> X509.Certificate.Extension.subject_alt_name(emailAddress: 'user@example.com')
{:Extension, {2, 5, 29, 17}, false,
[emailAddress: 'user@example.com']}
subject_key_identifier(X509.PublicKey.t() | binary()) :: t()
The subject key identifier extension provides a means of identifying certificates that contain a particular public key.
The value should be a public key record or a pre-calculated binary SHA-1 value.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.subject_key_identifier({:RSAPublicKey, 55, 3})
{:Extension, {2, 5, 29, 14}, false,
<<187, 230, 143, 92, 27, 37, 166, 93, 176, 137, 154, 111, 62, 152,
215, 114, 3, 214, 71, 170>>}