Diffstat (limited to 'lib/public_key/doc/src')
-rw-r--r-- | lib/public_key/doc/src/notes.xml | 55 |
-rw-r--r-- | lib/public_key/doc/src/public_key.xml | 46 |
2 files changed, 94 insertions, 7 deletions
diff --git a/lib/public_key/doc/src/notes.xml b/lib/public_key/doc/src/notes.xml index 87db5bd9f4..8eb56f7354 100644 --- a/lib/public_key/doc/src/notes.xml +++ b/lib/public_key/doc/src/notes.xml @@ -35,6 +35,61 @@ <file>notes.xml</file> </header> +<section><title>Public_Key 1.1</title> + + <section><title>Improvements and New Features</title> + <list> + <item> + <p> + The 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384' and + 'ecdsa-sha2-nistp521' signature algorithms for ssh are + implemented. See RFC 5656.</p> + <p> + Own Id: OTP-12936</p> + </item> + <item> + <p> + There is now a file (public_key/priv/moduli) which lists + size-generator-modulus triples. The purpose is to give + servers the possibility to select the crypto primes + randomly among a list of pregenerated triples. This + reduces the risk for some attacks on diffie-hellman + negotiation.</p> + <p> + See the reference manual for public_key:dh_gex_group/4 + where the handling of this is described.</p> + <p> + The ssh server (ssh:daemon) uses this.</p> + <p> + Own Id: OTP-13054 Aux Id: OTP-13052 </p> + </item> + <item> + <p> + Add different upper bounds for diffrent string types as + suggested by comment in PKIX1Explicit88.</p> + <p> + Own Id: OTP-13132</p> + </item> + </list> + </section> + +</section> + +<section><title>Public_Key 1.0.1</title> + + <section><title>Improvements and New Features</title> + <list> + <item> + <p> + Document enhancements</p> + <p> + Own Id: OTP-12986</p> + </item> + </list> + </section> + +</section> + <section><title>Public_Key 1.0</title> <section><title>Improvements and New Features</title> diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml index 394fe54428..258e7cd1b9 100644 --- a/lib/public_key/doc/src/public_key.xml +++ b/lib/public_key/doc/src/public_key.xml 
@@ -108,8 +108,9 @@ <p><c>| 'SubjectPublicKeyInfo'</c></p> <p><c>| 'PrivateKeyInfo'</c></p> <p><c>| 'CertificationRequest'</c></p> + <p><c>| 'CertificateList'</c></p> <p><c>| 'ECPrivateKey'</c></p> - <p><c>| 'EcpkParameters'</c></p> + <p><c>| 'EcpkParameters'</c></p> </item> <tag><c>pem_entry () =</c></tag> @@ -298,6 +299,37 @@ </desc> </func> + <func> + <name>dh_gex_group(MinSize, SuggestedSize, MaxSize, Groups) -> {ok, {Size,Group}} | {error,Error}</name> + <fsummary>Selects a group for Diffie-Hellman key exchange</fsummary> + <type> + <v>MinSize = positive_integer()</v> + <v>SuggestedSize = positive_integer()</v> + <v>MaxSize = positive_integer()</v> + <v>Groups = undefined | [{Size,[{G,P}]}]</v> + <v>Size = positive_integer()</v> + <v>Group = {G,P}</v> + <v>G = positive_integer()</v> + <v>P = positive_integer()</v> + </type> + <desc> + <p>Selects a group for Diffie-Hellman key exchange with the key size in the range <c>MinSize...MaxSize</c> + and as close to <c>SuggestedSize</c> as possible. If <c>Groups == undefined</c> a default set will be + used, otherwise the group is selected from <c>Groups</c>.</p> + <p>First a size, as close as possible to SuggestedSize, is selected. Then one group with that key size + is randomly selected from the specified set of groups. If no size within the limits of <c>MinSize</c> + and <c>MaxSize</c> is available, <c>{error,no_group_found}</c> is returned.</p> + <p>The default set of groups is listed in <c>lib/public_key/priv/moduli</c>. This file may be regenerated like this:</p> + <pre> + $> cd $ERL_TOP/lib/public_key/priv/ + $> generate + ---- wait until all background jobs has finished. It may take several days ! + $> cat moduli-* > moduli + $> cd ..; make + </pre> + </desc> + </func> + <func> <name>encrypt_private(PlainText, Key) -> binary()</name> <fsummary>Public-key encryption using the private key.</fsummary> 
@@ -433,7 +465,7 @@ <name>pkix_is_issuer(Cert, IssuerCert) -> boolean()</name> <fsummary>Checks if <c>IssuerCert</c> issued <c>Cert</c>.</fsummary> <type> - <v>Cert = der_encoded() | #'OTPCertificate'{}</v> + <v>Cert = der_encoded() | #'OTPCertificate'{} | #'CertificateList'{}</v> <v>IssuerCert = der_encoded() | #'OTPCertificate'{}</v> </type> <desc> @@ -497,13 +529,13 @@ <name>pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, {PublicKeyInfo, PolicyTree}} | {error, {bad_cert, Reason}} </name> <fsummary>Performs a basic path validation according to RFC 5280.</fsummary> <type> - <v>TrustedCert = #'OTPCertificate'{} | der_encode() | atom()</v> + <v>TrustedCert = #'OTPCertificate'{} | der_encoded() | atom()</v> <d>Normally a trusted certificate, but it can also be a path-validation error that can be discovered while constructing the input to this function and that is to be run through the <c>verify_fun</c>. Examples are <c>unknown_ca</c> and <c>selfsigned_peer.</c> </d> - <v>CertChain = [der_encode()]</v> + <v>CertChain = [der_encoded()]</v> <d>A list of DER-encoded certificates in trust order ending with the peer certificate.</d> <v>Options = proplists:proplist()</v> <v>PublicKeyInfo = {?'rsaEncryption' | ?'id-dsa', @@ -698,7 +730,7 @@ fun(#'DistributionPoint'{}, #'CertificateList'{}, <name>pkix_sign(#'OTPTBSCertificate'{}, Key) -> der_encoded()</name> <fsummary>Signs certificate.</fsummary> <type> - <v>Key = rsa_public_key() | dsa_public_key()</v> + <v>Key = rsa_private_key() | dsa_private_key()</v> </type> <desc> <p>Signs an 'OTPTBSCertificate'. Returns the corresponding 
@@ -713,7 +745,7 @@ fun(#'DistributionPoint'{}, #'CertificateList'{}, <v>AlgorithmId = oid()</v> <d>Signature OID from a certificate or a certificate revocation list.</d> <v>DigestType = rsa_digest_type() | dss_digest_type()</v> - <v>SignatureType = rsa | dsa</v> + <v>SignatureType = rsa | dsa | ecdsa</v> </type> <desc> <p>Translates signature algorithm OID to Erlang digest and signature types. @@ -726,7 +758,7 @@ fun(#'DistributionPoint'{}, #'CertificateList'{}, <fsummary>Verifies PKIX x.509 certificate signature.</fsummary> <type> <v>Cert = der_encoded()</v> - <v>Key = rsa_public_key() | dsa_public_key()</v> + <v>Key = rsa_public_key() | dsa_public_key() | ec_public_key()</v> </type> <desc> <p>Verifies PKIX x.509 certificate signature.</p> |
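Review bot: In the notes.xml hunk (@@ -35,6 +35,61), the OTP-13132 item misspells "different" as "diffrent" in "upper bounds for diffrent string types", and the OTP-13054 item says the moduli file "reduces the risk for some attacks on diffie-hellman negotiation" without saying what the risk is. Fix the typo, capitalise Diffie-Hellman, and add one clause stating the concern the random selection addresses, so an operator can decide whether regenerating the file matters for them. The same item gives the path as public_key/priv/moduli while the public_key.xml text in this patch writes lib/public_key/priv/moduli; use one form in both places.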
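Review bot: In the public_key.xml hunk at @@ -108,8 +108,9, the removed and added 'EcpkParameters' lines differ only in whitespace, which adds noise next to the one substantive change, the new 'CertificateList' entry. Drop the whitespace edit from this commit or move it to a separate cleanup commit so that the type change is the only thing a reader of the diff has to check.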
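Review bot: The new dh_gex_group/4 entry (hunk @@ -298,6 +299,37 of public_key.xml) does not say whether a caller-supplied Groups list is checked in any way, only that "the group is selected from Groups". Since these values become the Diffie-Hellman parameters, state explicitly whether Size is expected to be the bit length of P and whether G and P are used as given, so callers know that validating them is their responsibility if the function does not do it. Three smaller points in the same hunk: the name line returns {error,Error} but the type list has no entry for Error and the description mentions only no_group_found; the text does not say which size wins when two available sizes are equally close to SuggestedSize; and "wait until all background jobs has finished" should read "have finished".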
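Review bot: In the pkix_is_issuer hunk (@@ -433,7 +465,7), Cert now also admits #'CertificateList'{}, but the fsummary in the context lines still reads "Checks if IssuerCert issued Cert" and the parameter is still called Cert. Update the summary and description to say that the first argument may be a certificate revocation list, otherwise the widened type looks like a mistake to anyone reading the rendered manual.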
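Review bot: In the pkix_sign hunk (@@ -698,7 +730,7), the corrected Key type lists only rsa_private_key() | dsa_private_key(), while the same patch adds ecdsa to SignatureType in pkix_sign_types and ec_public_key() to Key in pkix_verify. If pkix_sign accepts EC private keys, add the EC private key type here as well; if it does not, say so in the description, because the asymmetry between the sign and verify entries is otherwise unexplained.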
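Review bot: In the pkix_sign_types hunk (@@ -713,7 +745,7), SignatureType gains ecdsa but the unchanged line above it still reads "DigestType = rsa_digest_type() | dss_digest_type()", so the documented return type has no digest type for the ECDSA case. Extend DigestType to cover the digests that can be returned together with ecdsa, or note which of the two existing types applies.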