1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE erlref SYSTEM "erlref.dtd">
<erlref>
<header>
<copyright>
<year>2015</year><year>2022</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
</legalnotice>
<title>ssl_crl_cache_api</title>
<file>ssl_crl_cache_api.xml</file>
</header>
<module since="OTP 18.0">ssl_crl_cache_api</module>
<modulesummary>API for a TLS CRL (Certificate Revocation List) cache.</modulesummary>
<description>
<p>
When TLS performs certificate path validation according to
<url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280 </url>
it should also perform CRL validation checks. To enable the CRL
checks the application needs access to CRLs. A database of CRLs
can be set up in many different ways. This module provides the
behavior of the API needed to integrate an arbitrary CRL cache
with the erlang ssl application. It is also used by the
application itself to provide a simple default implementation of
a CRL cache.
</p>
</description>
<!--
================================================================
= Data types =
================================================================
-->
<datatypes>
<datatype>
<name name="crl_cache_ref"/>
<desc>
<p>Reference to the CRL cache.</p>
</desc>
</datatype>
<datatype>
<name name="dist_point"/>
<desc>
<p>For description see <seeguide
marker="public_key:public_key_records"> X509 certificates records</seeguide></p>
</desc>
</datatype>
<datatype>
<name name="logger_info"/>
<desc>
<p>Information for ssl applications use of <seeerl
marker="kernel:logger"> Logger(3)</seeerl></p>
</desc>
</datatype>
</datatypes>
<funcs>
<func>
<name since="OTP 22.2">Module:fresh_crl(DistributionPoint, CRL) -> FreshCRL </name>
<name since="OTP 18.0">Module:fresh_crl(DistributionPoint, CRL) -> FreshCRL | {LoggerInfo, FreshCRL}</name>
<fsummary> <c>fun fresh_crl/2 </c> will be used as input option <c>update_crl</c> to
public_key:pkix_crls_validate/3 </fsummary>
<type>
<v> DistributionPoint = <seetype marker="#dist_point"> dist_point() </seetype> </v>
<v> CRL = [<seetype
marker="public_key:public_key#der_encoded">public_key:der_encoded()</seetype>] </v>
<v> FreshCRL = [<seetype
marker="public_key:public_key#der_encoded">public_key:der_encoded()</seetype>] </v>
<v> LoggerInfo = {logger, <seetype marker="#logger_info"> logger_info() </seetype>}} </v>
</type>
<desc>
<p> <c>fun fresh_crl/2 </c> will be used as input option <c>update_crl</c> to
<seemfa marker="public_key:public_key#pkix_crls_validate/3">public_key:pkix_crls_validate/3 </seemfa> </p>
<p>It is possible to return logger info that will be used by the TLS connection
to produce log events.
</p>
</desc>
</func>
<func>
<name since="OTP 22.2">Module:lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs |
{LoggerInfo, CRLs} </name>
<name since="OTP 19.0">Module:lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs </name>
<name since="OTP 18.0">Module:lookup(DistributionPoint, DbHandle) -> not_available | CRLs </name>
<fsummary> </fsummary>
<type>
<v> DistributionPoint = <seetype marker="#dist_point"> dist_point() </seetype> </v>
<v> Issuer = <seetype
marker="public_key:public_key#issuer_name">public_key:issuer_name()</seetype> </v>
<v> DbHandle = <seetype marker="#crl_cache_ref"> crl_cache_ref() </seetype></v>
<v> CRLs = [<seetype
marker="public_key:public_key#der_encoded">public_key:der_encoded()</seetype>]</v>
<v> LoggerInfo = {logger, <seetype marker="#logger_info"> logger_info() </seetype>}} </v>
</type>
<desc> <p>Lookup the CRLs belonging to the distribution point <c> Distributionpoint</c>.
This function may choose to only look in the cache or to follow distribution point
links depending on how the cache is administrated. </p>
<p>The <c>Issuer</c> argument contains the issuer name of the
certificate to be checked. Normally the returned CRL should
be issued by this issuer, except if the <c>cRLIssuer</c> field
of <c>DistributionPoint</c> has a value, in which case that
value should be used instead.</p>
<p>In an earlier version of this API, the <c>lookup</c>
function received two arguments, omitting <c>Issuer</c>. For
compatibility, this is still supported: if there is no
<c>lookup/3</c> function in the callback module,
<c>lookup/2</c> is called instead.</p>
<p>It is possible to return logger info that will be used by the TLS connection
to produce log events.
</p>
</desc>
</func>
<func>
<name since="OTP 22.2">Module:select(Issuer, DbHandle) -> CRLs | {LoggerInfo, CRLs} </name>
<name since="OTP 18.0">Module:select(Issuer, DbHandle) -> CRLs </name>
<fsummary>Select the CRLs in the cache that are issued by <c>Issuer</c></fsummary>
<type>
<v> Issuer = <seetype
marker="public_key:public_key#issuer_name">public_key:issuer_name()</seetype> | list() </v>
<v> DbHandle = <seetype marker="#crl_cache_ref"> cache_ref() </seetype></v>
<v> LoggerInfo = {logger, <seetype marker="#logger_info"> logger_info() </seetype>} </v>
</type>
<desc>
<p>Select the CRLs in the cache that are issued by <c>Issuer</c> unless
the value is a list of so called general names, see <seeguide
marker="public_key:public_key_records"> X509 certificates records</seeguide>,
originating form <c>#'DistributionPoint'.cRLissuer</c> and
representing different mechanism to obtain the CRLs. The cache
callback needs to use the appropriate entry to retrieve the CRLs or
return an empty list if it does not exist.
</p>
<p>It is possible to return logger info that will be used by the TLS connection
to produce log events.</p>
</desc>
</func>
</funcs>
</erlref>
|