quic_cert (quic v1.7.0)

View Source

Summary

Functions

Validate a client's certificate chain (mutual TLS, RFC 8446 §4.4.2.4).

Validate a server's certificate chain and identity.

Functions

validate_client(Leaf, Intermediates, CaCerts)

-spec validate_client(binary() | undefined, [binary()], [binary()] | undefined) -> ok | {error, term()}.

Validate a client's certificate chain (mutual TLS, RFC 8446 §4.4.2.4).

Same trust-anchor chain validation as validate_server/4, but with no identity/hostname check: a client certificate is not bound to a server name, and the peer's application identity is established separately (e.g. from the certificate subject plus an out-of-band token). Leaf is the client's end-entity certificate (DER), Intermediates the rest of the chain in wire (leaf-to-root) order, and CaCerts the trust anchors (DER list, or undefined for the OS trust store).

validate_server(Leaf, Intermediates, CaCerts, ServerName)

-spec validate_server(binary() | undefined, [binary()], [binary()] | undefined, binary() | undefined) ->
                         ok | {error, term()}.

Validate a server's certificate chain and identity.

Leaf is the server's end-entity certificate (DER). Intermediates are the remaining certificates sent by the peer (DER), in the leaf-to-root order they arrive on the wire. CaCerts are the trust anchors as a DER list, or undefined to use the OS trust store. ServerName is the expected identity (binary hostname or IP literal), or undefined to skip the hostname check.