X509 v0.5.1 X509.CRL

Module for generating and parsing Certificate Revocation Lists (CRLs).

The corresponding ASN.1 data type, used in Erlang’s :public_key module, is called :CertificateList.

Please note that maintaining a CRL typically requires keeping state: the list of revoked certificates, along with their revocation date and expiry date (when they can be removed from the CRL), as well as the CRL’s sequence number and the date/time of the next update. This module offers a purely functional interface for generating CRLs based on state kept by the caller.

Delta CRLs are not currently supported.

Summary

Types

t()

:CertificateList record, as used in Erlang’s :public_key module

Functions

extension(crl, extension_id)

Looks up the value of a specific extension in a CRL

extensions(arg)

Returns the list of extensions included in a CRL

from_der!(der)

Attempts to parse a CRL in DER (binary) format. Raises in case of failure

from_der(der)

Parses a CRL in DER (binary) format

from_pem!(pem)

Attempts to parse a CRL in PEM format. Raises in case of failure

from_pem(pem)

Parses a CRL in PEM format

issuer(arg)

Returns the Issuer field of the CRL

list(arg)

Returns the list of CRL entries included in a CRL

new(revoked, issuer, issuer_key, opts \\ [])

Returns a new :CertificateList record for the specified CRL entries

next_update(arg)

Returns the date and time when the next CRL update is expected

this_update(arg)

Returns the date and time when the CRL was issued

to_der(crl)

Converts a CRL to DER (binary) format

to_pem(crl)

Converts a CRL to PEM format

valid?(crl, issuer)

Verifies whether a CRL matches the given issuer certificate and has a valid signature

Types

:CertificateList record, as used in Erlang’s :public_key module

Functions

extension(crl, extension_id) (since 0.5.0)

Looks up the value of a specific extension in a CRL.

The desired extension can be specified as an atom or an OID value. Returns nil if the specified extension is not present in the CRL.

extensions(arg) (since 0.5.0)
extensions(t()) :: [X509.CRL.Extension.t()]

Returns the list of extensions included in a CRL.

from_der!(der) (since 0.5.0)
from_der!(binary()) :: t() | no_return()

Attempts to parse a CRL in DER (binary) format. Raises in case of failure.

from_der(der) (since 0.5.0)
from_der(binary()) :: {:ok, t()} | {:error, :malformed}

Parses a CRL in DER (binary) format.

Returns an :ok tuple in case of success, or an :error tuple in case of failure. Possible error reasons are:

  • :malformed - the data could not be decoded as a CRL

from_pem!(pem) (since 0.5.0)
from_pem!(String.t()) :: t() | no_return()

Attempts to parse a CRL in PEM format. Raises in case of failure.

Processes the first PEM entry of type X509 CRL found in the input.

from_pem(pem) (since 0.5.0)
from_pem(String.t()) :: {:ok, t()} | {:error, :malformed | :not_found}

Parses a CRL in PEM format.

Processes the first PEM entry of type X509 CRL found in the input. Returns an :ok tuple in case of success, or an :error tuple in case of failure. Possible error reasons are:

  • :not_found - no PEM entry of type X509 CRL was found
  • :malformed - the entry could not be decoded as a CRL

issuer(arg) (since 0.5.0)
issuer(t()) :: X509.RDNSequence.t()

Returns the Issuer field of the CRL.

list(arg) (since 0.5.0)
list(t()) :: [X509.CRL.Entry.t()]

Returns the list of CRL entries included in a CRL.

new(revoked, issuer, issuer_key, opts \\ []) (since 0.5.0)

Returns a new :CertificateList record for the specified CRL entries.

The first argument is a (possibly empty) list of CRL entries. Use X509.CRL.Entry.new/3 to create a CRL entry for a given certificate.

The second and third arguments are the issuing certificate and its private key. The certificate must include the :cRLSign key usage.

Options:

  • :hash - the hashing algorithm to use when signing the CRL (default: :sha256)
  • :this_update - a DateTime struct specifying the timestamp of the CRL update (default: the current time)
  • :next_update - a DateTime struct specifying the timestamp of the next scheduled CRL update (default: see :next_update_in_days)
  • :next_update_in_days - if no :next_update timestamp is specified, the number of days in the future at which the next CRL update is expected (default: 30)
  • :extensions - a keyword list of extension names and values. By default the authority_key_identifier extension is included, with a value derived from the issuer’s subject_key_identifier (if present); to omit it, specify authority_key_identifier: false. All other extension values are included in the CRL as-is.

next_update(arg) (since 0.5.0)
next_update(t()) :: DateTime.t()

Returns the date and time when the next CRL update is expected.

this_update(arg) (since 0.5.0)
this_update(t()) :: DateTime.t()

Returns the date and time when the CRL was issued.

to_der(crl) (since 0.5.0)
to_der(t()) :: binary()

Converts a CRL to DER (binary) format.

to_pem(crl) (since 0.5.0)
to_pem(t()) :: String.t()

Converts a CRL to PEM format.

valid?(crl, issuer) (since 0.5.0)
valid?(t(), X509.Certificate.t()) :: boolean()

Verifies whether a CRL matches the given issuer certificate and has a valid signature. This covers only the issuer match and the signature: whether the CRL is still current is left to the caller, who should compare next_update/1 against the current time before relying on it.
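The following script is an added example, not code from the x509 library or its documentation. It ties together the caller-kept state described in the module docs, the new/4 options, and the valid?/2 check: a throwaway CA keeps revoked serials (with revocation time and certificate expiry) in a struct, regenerates the CRL from that state with a bumped CRL number, and a relying party parses the PEM, verifies it against the issuer, checks freshness against next_update/1 and then looks the serial up. It assumes the x509 package (0.5.x) is available; X509.CRL.Entry.new/3, X509.CRL.Entry.serial/1, X509.CRL.Extension.crl_number/1 and the X509.Certificate / X509.PrivateKey / X509.PublicKey calls are library functions not documented on this page, and CrlDemo itself is hypothetical.

```elixir
# Added example (not part of the x509 library). Assumes the `x509` package is
# available; X509.CRL.Entry.serial/1 and X509.CRL.Extension.crl_number/1 are
# library functions not documented on the X509.CRL page.
defmodule CrlDemo do
  # Caller-side CRL state: revoked serial => {revoked_at, expires_at}, plus the
  # CRL sequence number. X509.CRL itself is purely functional.
  defstruct revoked: %{}, crl_number: 0

  @day 24 * 60 * 60

  # Throwaway CA. The :root_ca template includes the cRLSign key usage that
  # X509.CRL.new/4 requires of the issuing certificate.
  def setup do
    ca_key = X509.PrivateKey.new_ec(:secp256r1)
    ca_cert = X509.Certificate.self_signed(ca_key, "/CN=Demo Root CA", template: :root_ca)

    leaf_key = X509.PrivateKey.new_ec(:secp256r1)
    leaf_pub = X509.PublicKey.derive(leaf_key)
    leaf = X509.Certificate.new(leaf_pub, "/CN=leaf.example", ca_cert, ca_key, template: :server)

    {ca_cert, ca_key, leaf}
  end

  # Record a revocation. `expires_at` is the certificate's notAfter; the entry
  # may be dropped from future CRLs once that time has passed.
  def revoke(%__MODULE__{} = state, cert, revoked_at, expires_at) do
    serial = X509.Certificate.serial(cert)
    %{state | revoked: Map.put(state.revoked, serial, {revoked_at, expires_at})}
  end

  # Produce the next CRL as PEM: prune expired entries, bump the CRL number,
  # sign with the CA key. Returns {pem, updated_state}.
  def issue(%__MODULE__{} = state, ca_cert, ca_key, now) do
    live =
      state.revoked
      |> Enum.reject(fn {_serial, {_at, expires_at}} -> DateTime.compare(expires_at, now) != :gt end)
      |> Enum.into(%{})

    entries = for {serial, {revoked_at, _}} <- live, do: X509.CRL.Entry.new(serial, revoked_at, [])
    number = state.crl_number + 1

    crl =
      X509.CRL.new(entries, ca_cert, ca_key,
        this_update: now,
        next_update_in_days: 7,
        extensions: [crl_number: X509.CRL.Extension.crl_number(number)]
      )

    {X509.CRL.to_pem(crl), %{state | revoked: live, crl_number: number}}
  end

  # Relying-party check. X509.CRL.valid?/2 only ties the CRL to the issuer and
  # verifies the signature; freshness and the serial lookup are done here.
  def status(crl_pem, ca_cert, cert, now) do
    with {:ok, crl} <- X509.CRL.from_pem(crl_pem),
         :ok <- check_signature(crl, ca_cert),
         :ok <- check_freshness(crl, now) do
      serial = X509.Certificate.serial(cert)

      if Enum.any?(X509.CRL.list(crl), &(X509.CRL.Entry.serial(&1) == serial)),
        do: {:ok, :revoked},
        else: {:ok, :good}
    end
  end

  defp check_signature(crl, ca_cert) do
    if X509.CRL.valid?(crl, ca_cert), do: :ok, else: {:error, :bad_signature}
  end

  # A CRL past its nextUpdate is not evidence that a certificate is good; the
  # caller should fetch a fresh one instead of failing open.
  defp check_freshness(crl, now) do
    if DateTime.compare(X509.CRL.next_update(crl), now) == :gt, do: :ok, else: {:error, :stale_crl}
  end

  def run do
    {ca_cert, ca_key, leaf} = setup()
    now = DateTime.utc_now() |> DateTime.truncate(:second)
    state = %__MODULE__{}

    # Empty CRL: the leaf is not listed.
    {crl0, state} = issue(state, ca_cert, ca_key, now)
    {:ok, :good} = status(crl0, ca_cert, leaf, now)

    # Revoke the leaf and reissue: it now appears in the list.
    state = revoke(state, leaf, now, DateTime.add(now, 365 * @day, :second))
    {crl1, state} = issue(state, ca_cert, ca_key, now)
    {:ok, :revoked} = status(crl1, ca_cert, leaf, now)

    # The same CRL eight days later is past nextUpdate and is rejected.
    {:error, :stale_crl} = status(crl1, ca_cert, leaf, DateTime.add(now, 8 * @day, :second))

    # Once the certificate itself has expired, its entry is pruned on reissue.
    {crl2, _state} = issue(state, ca_cert, ca_key, DateTime.add(now, 366 * @day, :second))
    {:ok, crl} = X509.CRL.from_pem(crl2)
    [] = X509.CRL.list(crl)
    :ok
  end
end

CrlDemo.run()
```

Run it as a script in a project that depends on x509 (for example `mix run crl_demo.exs`). The stale-CRL branch is the one worth keeping in production code: a verifier that treats "serial not in the list" as "good" without checking next_update/1 will keep accepting a revoked certificate for as long as an attacker can keep serving it the old CRL.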