View Source X509.CRL (X509 v0.8.7)
Module for generating and parsing Certificate Revocation Lists (CRLs).
The corresponding ASN.1 data type, used in Erlang's :public_key
module, is
called :CertificateList
.
Please note that maintaining a CRL typically requires keeping state: the list of revoked certificates, along with their revocation date and expiry date (when they can be removed from the CRL), as well as the CRLs sequence number and the date/time of the next update. This module offers a purely functional interface for generating CRLs based on state kept by the caller.
Delta CRLs are not currently supported.
Link to this section Summary
Functions
Looks up the value of a specific extension in a CRL.
Returns the list of extensions included in a CRL.
Parses a CRL in DER (binary) format.
Attempts to parse a CRL in DER (binary) format. Raises in case of failure.
Parses a CRL in PEM format.
Attempts to parse a CRL in PEM format. Raises in case of failure.
Returns the Issuer field of the CRL.
Returns the list of CRL entries included in a CRL.
Returns a new :CertificateList
record for the specified CRL entries.
Returns the date and time when the next CRL update is expected.
Returns the date and time when the CRL was issued.
Converts a CRL to DER (binary) format.
Converts a CRL to PEM format.
Verifies whether a CRL matches the given issuer certificate and has a valid signature.
Link to this section Types
@opaque t()
:CertificateList
record, as used in Erlang's :public_key
module
Link to this section Functions
@spec extension( t(), X509.CRL.Extension.extension_id() | :public_key.oid() ) :: X509.CRL.Extension.t() | nil
Looks up the value of a specific extension in a CRL.
The desired extension can be specified as an atom or an OID value. Returns
nil
if the specified extension is not present in the CRL.
@spec extensions(t()) :: [X509.CRL.Extension.t()]
Returns the list of extensions included in a CRL.
Parses a CRL in DER (binary) format.
Returns an :ok
tuple in case of success, or an :error
tuple in case of
failure. Possible error reasons are:
:malformed
- the data could not be decoded as a CRL
Attempts to parse a CRL in DER (binary) format. Raises in case of failure.
Parses a CRL in PEM format.
Processes the first PEM entry of type X509 CRL found in the input. Returns an
:ok
tuple in case of success, or an :error
tuple in case of failure.
Possible error reasons are:
:not_found
- no PEM entry of type X509 CRL was found:malformed
- the entry could not be decoded as a CRL
Attempts to parse a CRL in PEM format. Raises in case of failure.
Processes the first PEM entry of type X509 CRL found in the input.
@spec issuer(t()) :: X509.RDNSequence.t()
Returns the Issuer field of the CRL.
@spec list(t()) :: [X509.CRL.Entry.t()]
Returns the list of CRL entries included in a CRL.
@spec new( [X509.CRL.Entry.t()], X509.Certificate.t(), X509.PrivateKey.t(), Keyword.t() ) :: t()
Returns a new :CertificateList
record for the specified CRL entries.
The first argument is a, possibly empty, list of CRL entries. Use
X509.CRL.Entry.new/3
to create a CRL entry for a given certificate.
The second and third argument are the issuing certificate and the associated
private key. The certificate must include the :cRLSign
key usage.
options
Options:
:hash
- the hashing algorithm to use when signing the CRL (default::sha256
):this_update
- aDateTime
struct specifying the timestamp of the CRL update (default: the current time):next_update
- aDateTime
struct specifying the timestamp of next scheduled CRL update (default: see:next_update_in_days
):next_update_in_days
- if no:next_update
timestamp is specified, this parameter defines the number of days in the future the next CRL update is expected (default: 30):extensions
- a keyword list of extension names and values; by default theauthority_key_identifier
extension will be included, with a value derived from the issuer'ssubject_key_identifier
(if present); to disable this extension, specifyauthority_key_identifier: false
; other extension values will be included in the CRL as-is
@spec next_update(t()) :: DateTime.t()
Returns the date and time when the next CRL update is expected.
@spec this_update(t()) :: DateTime.t()
Returns the date and time when the CRL was issued.
Converts a CRL to DER (binary) format.
Converts a CRL to PEM format.
@spec valid?(t(), X509.Certificate.t()) :: boolean()
Verifies whether a CRL matches the given issuer certificate and has a valid signature.