View Source X509.CRL (X509 v0.8.7)

Module for generating and parsing Certificate Revocation Lists (CRLs).

The corresponding ASN.1 data type, used in Erlang's :public_key module, is called :CertificateList.

Please note that maintaining a CRL typically requires keeping state: the list of revoked certificates, along with their revocation date and expiry date (when they can be removed from the CRL), as well as the CRLs sequence number and the date/time of the next update. This module offers a purely functional interface for generating CRLs based on state kept by the caller.

Delta CRLs are not currently supported.

Link to this section Summary

Types

t()

:CertificateList record, as used in Erlang's :public_key module

Functions

Looks up the value of a specific extension in a CRL.

Returns the list of extensions included in a CRL.

Parses a CRL in DER (binary) format.

Attempts to parse a CRL in DER (binary) format. Raises in case of failure.

Parses a CRL in PEM format.

Attempts to parse a CRL in PEM format. Raises in case of failure.

Returns the Issuer field of the CRL.

Returns the list of CRL entries included in a CRL.

Returns a new :CertificateList record for the specified CRL entries.

Returns the date and time when the next CRL update is expected.

Returns the date and time when the CRL was issued.

Converts a CRL to DER (binary) format.

Converts a CRL to PEM format.

Verifies whether a CRL matches the given issuer certificate and has a valid signature.

Link to this section Types

@opaque t()

:CertificateList record, as used in Erlang's :public_key module

Link to this section Functions

Link to this function

extension(crl, extension_id)

View Source

Looks up the value of a specific extension in a CRL.

The desired extension can be specified as an atom or an OID value. Returns nil if the specified extension is not present in the CRL.

@spec extensions(t()) :: [X509.CRL.Extension.t()]

Returns the list of extensions included in a CRL.

@spec from_der(binary()) :: {:ok, t()} | {:error, :malformed}

Parses a CRL in DER (binary) format.

Returns an :ok tuple in case of success, or an :error tuple in case of failure. Possible error reasons are:

  • :malformed - the data could not be decoded as a CRL
@spec from_der!(binary()) :: t() | no_return()

Attempts to parse a CRL in DER (binary) format. Raises in case of failure.

@spec from_pem(String.t()) :: {:ok, t()} | {:error, :malformed | :not_found}

Parses a CRL in PEM format.

Processes the first PEM entry of type X509 CRL found in the input. Returns an :ok tuple in case of success, or an :error tuple in case of failure. Possible error reasons are:

  • :not_found - no PEM entry of type X509 CRL was found
  • :malformed - the entry could not be decoded as a CRL
@spec from_pem!(String.t()) :: t() | no_return()

Attempts to parse a CRL in PEM format. Raises in case of failure.

Processes the first PEM entry of type X509 CRL found in the input.

@spec issuer(t()) :: X509.RDNSequence.t()

Returns the Issuer field of the CRL.

@spec list(t()) :: [X509.CRL.Entry.t()]

Returns the list of CRL entries included in a CRL.

Link to this function

new(revoked, issuer, issuer_key, opts \\ [])

View Source

Returns a new :CertificateList record for the specified CRL entries.

The first argument is a, possibly empty, list of CRL entries. Use X509.CRL.Entry.new/3 to create a CRL entry for a given certificate.

The second and third argument are the issuing certificate and the associated private key. The certificate must include the :cRLSign key usage.

options

Options:

  • :hash - the hashing algorithm to use when signing the CRL (default: :sha256)
  • :this_update - a DateTime struct specifying the timestamp of the CRL update (default: the current time)
  • :next_update - a DateTime struct specifying the timestamp of next scheduled CRL update (default: see :next_update_in_days)
  • :next_update_in_days - if no :next_update timestamp is specified, this parameter defines the number of days in the future the next CRL update is expected (default: 30)
  • :extensions - a keyword list of extension names and values; by default the authority_key_identifier extension will be included, with a value derived from the issuer's subject_key_identifier (if present); to disable this extension, specify authority_key_identifier: false; other extension values will be included in the CRL as-is
@spec next_update(t()) :: DateTime.t()

Returns the date and time when the next CRL update is expected.

@spec this_update(t()) :: DateTime.t()

Returns the date and time when the CRL was issued.

@spec to_der(t()) :: binary()

Converts a CRL to DER (binary) format.

@spec to_pem(t()) :: String.t()

Converts a CRL to PEM format.

@spec valid?(t(), X509.Certificate.t()) :: boolean()

Verifies whether a CRL matches the given issuer certificate and has a valid signature.