lib/ssl/doc/src/ssl_crl_cache_api.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE erlref SYSTEM "erlref.dtd">

<erlref>
  <header>
    <copyright>
      <year>2015</year><year>2022</year>
      <holder>Ericsson AB. All Rights Reserved.</holder>
    </copyright>
    <legalnotice>
      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at
 
          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    </legalnotice>
    <title>ssl_crl_cache_api</title>
    <file>ssl_crl_cache_api.xml</file>
  </header>
  
  <module since="OTP 18.0">ssl_crl_cache_api</module>
  <modulesummary>API for a TLS CRL (Certificate Revocation List) cache.</modulesummary>
  <description>
    <p>
      When TLS performs certificate path validation according to
      <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280 </url>
      it should also perform CRL validation checks. To enable the CRL
      checks the application needs access to CRLs. A database of CRLs
      can be set up in many different ways. This module provides the
      behavior of the API needed to integrate an arbitrary CRL cache
      with the erlang ssl application. It is also used by the
      application itself to provide a simple default implementation of
      a CRL cache.
    </p>
  </description>


  <!--
      ================================================================
      =  Data types                                                  =
      ================================================================
  -->

  <datatypes>
    
     <datatype>
	<name name="crl_cache_ref"/>
	<desc>
	  <p>Reference to the CRL cache.</p>
	</desc>
      </datatype>

     <datatype>
	<name name="dist_point"/>
	<desc>
	  <p>For description see <seeguide 
	  marker="public_key:public_key_records"> X509 certificates records</seeguide></p>
	</desc>
     </datatype>

     <datatype>
     	<name name="logger_info"/>
	<desc>
	  <p>Information for ssl applications use of <seeerl 
	  marker="kernel:logger"> Logger(3)</seeerl></p>
	</desc>
     </datatype>

     
   </datatypes>
  
  <funcs>
    <func>
      <name since="OTP 22.2">Module:fresh_crl(DistributionPoint, CRL) -> FreshCRL </name>
      <name since="OTP 18.0">Module:fresh_crl(DistributionPoint, CRL) -> FreshCRL |   {LoggerInfo, FreshCRL}</name>
      <fsummary> <c>fun fresh_crl/2 </c> will be used as input option <c>update_crl</c> to
      public_key:pkix_crls_validate/3 </fsummary>
      <type>
	<v> DistributionPoint = <seetype marker="#dist_point"> dist_point() </seetype> </v>
	<v> CRL = [<seetype
	marker="public_key:public_key#der_encoded">public_key:der_encoded()</seetype>] </v>
	<v> FreshCRL = [<seetype
	marker="public_key:public_key#der_encoded">public_key:der_encoded()</seetype>] </v>
	<v> LoggerInfo = {logger,  <seetype marker="#logger_info"> logger_info() </seetype>}} </v>
      </type>
      <desc>
	<p> <c>fun fresh_crl/2 </c> will be used as input option <c>update_crl</c> to
	<seemfa marker="public_key:public_key#pkix_crls_validate/3">public_key:pkix_crls_validate/3 </seemfa> </p>
	
	<p>It is possible to return logger info that will be used by the TLS connection
	to produce log events.
	</p>
      </desc>
    </func>
    
    <func>
      <name since="OTP 22.2">Module:lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs |
      {LoggerInfo, CRLs} </name>
      <name since="OTP 19.0">Module:lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs </name>
      <name since="OTP 18.0">Module:lookup(DistributionPoint, DbHandle) -> not_available | CRLs </name>
      <fsummary> </fsummary>
      <type>
	<v> DistributionPoint = <seetype marker="#dist_point"> dist_point() </seetype> </v>
        <v> Issuer = <seetype
	marker="public_key:public_key#issuer_name">public_key:issuer_name()</seetype> </v>
	<v> DbHandle = <seetype marker="#crl_cache_ref"> crl_cache_ref() </seetype></v>
	<v> CRLs = [<seetype
	marker="public_key:public_key#der_encoded">public_key:der_encoded()</seetype>]</v>
	<v> LoggerInfo = {logger,  <seetype marker="#logger_info"> logger_info() </seetype>}} </v>
	</type>
	<desc> <p>Lookup the CRLs belonging to the distribution point <c> Distributionpoint</c>.
	This function may choose to only look in the cache or to follow distribution point
	links depending on how the cache is administrated. </p>

	<p>The <c>Issuer</c> argument contains the issuer name of the
	certificate to be checked.  Normally the returned CRL should
	be issued by this issuer, except if the <c>cRLIssuer</c> field
	of <c>DistributionPoint</c> has a value, in which case that
	value should be used instead.</p>

	<p>In an earlier version of this API, the <c>lookup</c>
	function received two arguments, omitting <c>Issuer</c>.  For
	compatibility, this is still supported: if there is no
	<c>lookup/3</c> function in the callback module,
	<c>lookup/2</c> is called instead.</p>

	<p>It is possible to return logger info that will be used by the TLS connection
	to produce log events.
	</p>
	</desc>
    </func>
    
    <func>
      <name since="OTP 22.2">Module:select(Issuer, DbHandle) -> CRLs | {LoggerInfo, CRLs} </name>
      <name since="OTP 18.0">Module:select(Issuer, DbHandle) -> CRLs </name>
      <fsummary>Select the CRLs in the cache that are issued by <c>Issuer</c></fsummary>
      <type>
	<v> Issuer = <seetype
	marker="public_key:public_key#issuer_name">public_key:issuer_name()</seetype> | list() </v>
	<v> DbHandle = <seetype marker="#crl_cache_ref"> cache_ref() </seetype></v>
	<v> LoggerInfo = {logger, <seetype marker="#logger_info"> logger_info() </seetype>} </v>
      </type>
	<desc>
	  <p>Select the CRLs in the cache that are issued by <c>Issuer</c> unless
	  the value is a list of so called general names, see <seeguide 
	  marker="public_key:public_key_records"> X509 certificates records</seeguide>,
	  originating form <c>#'DistributionPoint'.cRLissuer</c> and  
	  representing different mechanism to obtain the CRLs. The cache
	  callback needs to use the appropriate entry to retrieve the CRLs or
	  return an empty list if it does not exist.
	  </p>

	  <p>It is possible to return logger info that will be used by the TLS connection
	  to produce log events.</p>
	</desc>
    </func>
  </funcs>
</erlref>