View Source X509.Certificate.Extension (X509 v0.8.9)
Convenience functions for creating :Extension
records for use in
certificates.
Link to this section Summary
Types
Supported values in the key usage extension
An entry for use in the subject alternate name extension. Strings are mapped
to DNSName values, tuples must contain values supported by Erlang's
:public_key
module
:Extension
record, as used in Erlang's :public_key
module
Functions
The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears.
The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate.
The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.
The CRL distribution points extension identifies how CRL information is obtained.
This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.
Looks up the value of a specific extension in a list.
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
The OCSP Nocheck extension indicates that the OCSP client can trust this OCSP responder certificate for the lifetime of the certificate, and no revocation checks are needed.
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).
The subject key identifier extension provides a means of identifying certificates that contain a particular public key.
Link to this section Types
@type aia_access_method() :: :ocsp | :ca_issuers | :time_stamping | :ca_repository
@type extension_id() ::
:basic_constraints
| :key_usage
| :ext_key_usage
| :subject_key_identifier
| :authority_key_identifier
| :subject_alt_name
| :crl_distribution_point
| :authority_information_access
| :ocsp_nocheck
@type key_usage_value() ::
:digitalSignature
| :nonRepudiation
| :keyEncipherment
| :dataEncipherment
| :keyAgreement
| :keyCertSign
| :cRLSign
| :encipherOnly
| :decipherOnly
Supported values in the key usage extension
An entry for use in the subject alternate name extension. Strings are mapped
to DNSName values, tuples must contain values supported by Erlang's
:public_key
module
@type t() :: X509.ASN1.record(:extension)
:Extension
record, as used in Erlang's :public_key
module
Link to this section Functions
@spec authority_info_access([{aia_access_method(), String.t()}]) :: t()
The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears.
Information and services may include on-line validation services and CA policy data. This extension may be included in end entity or CA certificates.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.authority_info_access(
...> ocsp: "http://ocsp.example.net/"
...> )
{:Extension, {1, 3, 6, 1, 5, 5, 7, 1, 1}, false,
[
{:AccessDescription, {1, 3, 6, 1, 5, 5, 7, 48, 1},
{:uniformResourceIdentifier, "http://ocsp.example.net/"}}
]}
@spec authority_key_identifier(X509.PublicKey.t() | binary()) :: t()
The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate.
The value should be a public key record. It is possible to pass a pre-calculated SHA-1 value, though it is preferred to let the function calculate the correct value over the original public key.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.authority_key_identifier({:RSAPublicKey, 55, 3})
{:Extension, {2, 5, 29, 35}, false,
{:AuthorityKeyIdentifier,
<<187, 230, 143, 92, 27, 37, 166, 93, 176, 137, 154, 111, 62, 152,
215, 114, 3, 214, 71, 170>>, :asn1_NOVALUE, :asn1_NOVALUE}}
The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.
This extension is always marked as critical for CA certificates, and non-critical when CA is set to false.
Examples:
iex> X509.Certificate.Extension.basic_constraints(false)
{:Extension, {2, 5, 29, 19}, false,
{:BasicConstraints, false, :asn1_NOVALUE}}
iex> X509.Certificate.Extension.basic_constraints(true)
{:Extension, {2, 5, 29, 19}, true, {:BasicConstraints, true, :asn1_NOVALUE}}
iex> X509.Certificate.Extension.basic_constraints(true, 0)
{:Extension, {2, 5, 29, 19}, true, {:BasicConstraints, true, 0}}
The CRL distribution points extension identifies how CRL information is obtained.
The list of distribution points must be specified as a list of strings containing HTTP, FTP and/or LDAP URIs. Other types of distribution points are defined in RFC 5280, but are not supported by this function at this time.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.crl_distribution_points(["http://crl.example.org/root.crl"])
{:Extension, {2, 5, 29, 31}, false,
[
{:DistributionPoint,
{:fullName, [uniformResourceIdentifier: ~c"http://crl.example.org/root.crl"]},
:asn1_NOVALUE, :asn1_NOVALUE}
]}
@spec ext_key_usage([atom() | :public_key.oid()]) :: t()
This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.
Each of the values in the list must be an OID, either in raw tuple format or as an atom representing a well-known OID. Typical examples include:
:serverAuth
- TLS WWW server authentication:clientAuth
- TLS WWW client authentication:codeSigning
- Signing of downloadable executable code:emailProtection
- Email protection:timeStamping
- Binding the hash of an object to a time:ocspSigning
- Signing OCSP responses
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.ext_key_usage([:serverAuth, :clientAuth])
{:Extension, {2, 5, 29, 37}, false,
[{1, 3, 6, 1, 5, 5, 7, 3, 1}, {1, 3, 6, 1, 5, 5, 7, 3, 2}]}
@spec find([t()], extension_id() | :public_key.oid()) :: t() | nil
Looks up the value of a specific extension in a list.
The desired extension can be specified as an atom or an OID value. Returns
nil
if the specified extension is not present in the certificate.
@spec key_usage([key_usage_value()]) :: t()
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.
Each of the key usage values must be one of the atoms recognized by Erlang's
:public_key
module, though this is not verified by this function.
This extension is always marked as critical.
Example:
iex> X509.Certificate.Extension.key_usage([:digitalSignature, :keyEncipherment])
{:Extension, {2, 5, 29, 15}, true, [:digitalSignature, :keyEncipherment]}
@spec ocsp_nocheck() :: t()
The OCSP Nocheck extension indicates that the OCSP client can trust this OCSP responder certificate for the lifetime of the certificate, and no revocation checks are needed.
This extension has no value, it acts as a flag simply by being present in a certificate's extension list.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.ocsp_nocheck()
{:Extension, {1, 3, 6, 1, 5, 5, 7, 48, 1, 5}, false, <<5, 0>>}
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).
Typically the subject alternative name extension is used to define the
DNS domains or hostnames for which a certificate is valid, so this
function maps string values to DNSName entries. Values of other types
can be passed in a type/value tuples as supported by Erlang's :public_key
module, if required. Note that Erlang will typically require the value
to be a character list.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.subject_alt_name(["www.example.com", "example.com"])
{:Extension, {2, 5, 29, 17}, false,
[dNSName: ~c"www.example.com", dNSName: ~c"example.com"]}
iex> X509.Certificate.Extension.subject_alt_name(emailAddress: ~c"user@example.com")
{:Extension, {2, 5, 29, 17}, false,
[emailAddress: ~c"user@example.com"]}
@spec subject_key_identifier(X509.PublicKey.t() | binary()) :: t()
The subject key identifier extension provides a means of identifying certificates that contain a particular public key.
The value should be a public key record or a pre-calculated binary SHA-1 value.
This extension is marked as non-critical.
Example:
iex> X509.Certificate.Extension.subject_key_identifier({:RSAPublicKey, 55, 3})
{:Extension, {2, 5, 29, 14}, false,
<<187, 230, 143, 92, 27, 37, 166, 93, 176, 137, 154, 111, 62, 152,
215, 114, 3, 214, 71, 170>>}