6 files changed, 109 insertions, 82 deletions
diff --git a/lib/public_key/doc/src/Makefile b/lib/public_key/doc/src/Makefile
index 5bdc5d4159..f5157fe87a 100644
--- a/lib/public_key/doc/src/Makefile
+++ b/lib/public_key/doc/src/Makefile
@@ -1,7 +1,7 @@
 #
 # %CopyrightBegin%
 #
-# Copyright Ericsson AB 2008-2016. All Rights Reserved.
+# Copyright Ericsson AB 2008-2017. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -40,7 +40,7 @@ XML_APPLICATION_FILES = ref_man.xml
 XML_REF3_FILES = public_key.xml
 XML_REF6_FILES = public_key_app.xml
 
-XML_PART_FILES = part.xml part_notes.xml
+XML_PART_FILES = part.xml
 XML_CHAPTER_FILES = \
 	introduction.xml \
         public_key_records.xml \
@@ -50,9 +50,9 @@ XML_CHAPTER_FILES = \
 BOOK_FILES = book.xml
 
 XML_FILES = $(BOOK_FILES) $(XML_APPLICATION_FILES) $(XML_REF3_FILES) \
-             $(XML_REF6_FILES) $(XML_PART_FILES) $(XML_CHAPTER_FILES) 
+             $(XML_REF6_FILES) $(XML_PART_FILES) $(XML_CHAPTER_FILES)
 
-GIF_FILES = note.gif
+GIF_FILES =
 
 # ----------------------------------------------------
 
diff --git a/lib/public_key/doc/src/fascicules.xml b/lib/public_key/doc/src/fascicules.xml
deleted file mode 100644
index 25e7008537..0000000000
--- a/lib/public_key/doc/src/fascicules.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE fascicules SYSTEM "fascicules.dtd">
-
-<fascicules>
-  <fascicule file="usersguide" href="part_frame.html" entry="no">
-    User's Guide
-  </fascicule>
-  <fascicule file="ref_man" href="ref_man_frame.html" entry="yes">
-    Reference  Manual
-  </fascicule>
-  <fascicule file="release_notes" href="part_notes_frame.html" entry="no">
-    Release Notes
-  </fascicule>
-  <fascicule file="" href="../../../../doc/print.html" entry="no">
-    Off-Print
-  </fascicule>
-</fascicules>
-
-
diff --git a/lib/public_key/doc/src/note.gif b/lib/public_key/doc/src/note.gif
deleted file mode 100644
index 6fffe30419..0000000000
--- a/lib/public_key/doc/src/note.gif
+++ /dev/null
diff --git a/lib/public_key/doc/src/part_notes.xml b/lib/public_key/doc/src/part_notes.xml
deleted file mode 100644
index 17f06d14f5..0000000000
--- a/lib/public_key/doc/src/part_notes.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE part SYSTEM "part.dtd">
-
-<part xmlns:xi="http://www.w3.org/2001/XInclude">
-  <header>
-    <copyright>
-      <year>2008</year>
-      <year>2016</year>
-      <holder>Ericsson AB, All Rights Reserved</holder>
-    </copyright>
-    <legalnotice>
-  Licensed under the Apache License, Version 2.0 (the "License");
-  you may not use this file except in compliance with the License.
-  You may obtain a copy of the License at
- 
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
-
-  The Initial Developer of the Original Code is Ericsson AB.
-    </legalnotice>
-
-    <title>public_key Release Notes</title>
-    <prepared>Ingela Anderton Andin</prepared>
-    <docno></docno>
-    <date>2008-01-22</date>
-    <rev></rev>
-  </header>
-  <description>
-    <p></p>
-  </description>
-  <xi:include href="notes.xml"/>
-</part>
-
-
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 3040f2db0d..dea35bc390 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -774,6 +774,7 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
 
   <func>
     <name>pkix_test_data(Options) -> Config </name>
+    <name>pkix_test_data([chain_opts()]) -> [conf_opt()]</name>
     <fsummary>Creates certificate test data.</fsummary>
     <type>
       <v>Options = #{chain_type() := chain_opts()} </v>
@@ -781,30 +782,83 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
       
       <v>chain_type() = server_chain | client_chain </v>
 
-      <v>chain_opts() = #{chain_end() := [cert_opt()],
-          intermediates => [[cert_opt()]]}</v>
-      <d>A valid chain must have at least a ROOT and a peer cert</d>
-
-      <v>chain_end() = root | peer </v>
-
+      <v>chain_opts() = #{root := [cert_opt()] | root_cert(),
+      peer := [cert_opt()],
+      intermediates => [[cert_opt()]]}</v>
+      <d>
+	A valid chain must have at least a ROOT and a peer cert.
+	The root cert can be given either as a cert pre-generated by
+	<seealso marker="#pkix_test_root_cert-2">
+	  pkix_test_root_cert/2
+	</seealso>, or as root cert generation options.
+      </d>
+      <v>root_cert() = #{cert := der_encoded(), key := Key}</v>
+      <d>
+	A root certificate generated by
+	<seealso marker="#pkix_test_root_cert-2">
+	  pkix_test_root_cert/2
+	</seealso>.
+      </d>
       <v>cert_opt() = {Key, Value}</v>
       <d>For available options see <seealso marker="#cert_opt"> cert_opt()</seealso> below.</d>
 
       <v>Config = #{server_config := [conf_opt()],
       client_config := [conf_opt()]}</v>
 
-      <v>conf_opt() = {cert, der_encoded()} | {key, der_encoded()} |{cacerts, [der_encoded()]}</v>
-      <d>This is a subset of the type <seealso marker="ssl:ssl#type-ssloption"> ssl:ssl_option()</seealso> </d>
+      <v>conf_opt() = {cert, der_encoded()} | {key, PrivateKey} |{cacerts, [der_encoded()]}</v>
+      <d>
+	This is a subset of the type
+	<seealso marker="ssl:ssl#type-ssloption"> ssl:ssl_option()</seealso>.
+	<c>PrivateKey</c> is what
+	<seealso marker="#generate_key-1">generate_key/1</seealso>
+	returns.
+      </d>
     </type>
     
     <desc>
-      <p>Creates certificate test data to facilitate automated testing
-      of applications using X509-certificates often through
-      SSL/TLS. The test data can be used when you have control
-      over both the client and the server in a test scenario.
+      <p>
+	Creates certificate configuration(s) consisting of certificate
+	and its private key plus CA certificate bundle, for a client
+	and a server, intended to facilitate automated testing
+	of applications using X509-certificates,
+	often through SSL/TLS. The test data can be used
+	when you have control over both the client and the server
+	in a test scenario.
+      </p>
+      <p>
+	When this function is called with a map containing
+	client and server chain specifications;
+	it generates both a client and a server certificate chain
+	where the <c>cacerts</c>
+	returned for the server contains the root cert the server
+	should trust and the intermediate certificates the server
+	should present to connecting clients.
+	The root cert the server should trust is the one used
+	as root of the client certificate chain.
+	Vice versa applies to the <c>cacerts</c> returned for the client.
+	The root cert(s) can either be pre-generated with
+	<seealso marker="#pkix_test_root_cert-2">
+	  pkix_test_root_cert/2
+	</seealso>, or if options are specified; it is (they are)
+	 generated.
+      </p>
+      <p>
+	When this function is called with a list of certificate options;
+	it generates a configuration with just one node certificate
+	where <c>cacerts</c> contains the root cert
+	and the intermediate certs that should be presented to a peer.
+	In this case the same root cert must be used for all peers.
+	This is useful in for example an Erlang distributed cluster
+	where any node,	towards another node, acts either
+	as a server or as a client depending on who connects to whom.
+	The generated certificate contains a subject altname,
+	which is not needed in a client certificate,
+	but makes the certificate useful for both roles.
+      </p>
+      <p>
+	The <marker id="cert_opt"/><c>cert_opt()</c>
+	type consists of the following options:
       </p>
-      
-      <p> The <marker id="cert_opt"/> cert_opt() type consists of the following options: </p>
       <taglist>
 	<tag> {digest, digest_type()}</tag>
 	<item><p>Hash algorithm to be used for
@@ -851,6 +905,36 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
     </desc>
   </func>
   
+  <func>
+    <name>pkix_test_root_cert(Name, Options) -> RootCert</name>
+    <fsummary>Generates a test data root cert.</fsummary>
+    <type>
+      <v>Name = string()</v>
+      <d>The root certificate name.</d>
+      <v>Options = [cert_opt()]</v>
+      <d>
+	For available options see
+	<seealso marker="#cert_opt">cert_opt()</seealso>
+	under
+	<seealso marker="#pkix_test_data-1">pkix_test_data/1</seealso>.
+      </d>
+      <v>RootCert = #{cert := der_encoded(), key := Key}</v>
+      <d>
+	A root certificate and key.  The <c>Key</c> is generated by
+	<seealso marker="#generate_key-1">generate_key/1</seealso>.
+      </d>
+    </type>
+    <desc>
+      <p>
+	Generates a root certificate that can be used
+	in multiple calls to
+	<seealso marker="#pkix_test_data-1">pkix_test_data/1</seealso>
+	when you want the same root certificate for
+	several generated certificates.
+      </p>
+    </desc>
+  </func>
+
   <func>  
     <name>pkix_verify(Cert, Key) -> boolean()</name>
     <fsummary>Verifies PKIX x.509 certificate signature.</fsummary>
@@ -883,8 +967,8 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
     </type>
     <desc>
       <p>This function checks that the <i>Presented Identifier</i> (e.g hostname) in a peer certificate
-      conforms with the Expected Identifier that the client wants to connect to.
-      This functions is intended to be added as an extra client check to the peer certificate when performing
+      is in agreement with the <i>Reference Identifier</i> that the client expects to be connected to.
+      The function is intended to be added as an extra client check of the peer certificate when performing
       <seealso marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_validation/3</seealso>
       </p>
       <p>See <url href="https://tools.ietf.org/html/rfc6125">RFC 6125</url>
@@ -897,7 +981,8 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
       <p>The <c>{OtherRefId,term()}</c> is defined by the user and is passed to the <c>match_fun</c>, if defined.
       If that term is a binary, it will be converted to a string.
       </p>
-      <p>The <c>ip</c> takes a 4-tuple or a 
+      <p>The <c>ip</c> Reference ID takes an <seealso marker="inet:inet#type-ip_address">inet:ip_address()</seealso>
+      or an ip address in string format (E.g "10.0.1.1" or "1234::5678:9012") as second element.
       </p>
     </desc>
   </func>
diff --git a/lib/public_key/doc/src/public_key_records.xml b/lib/public_key/doc/src/public_key_records.xml
index 739310c88b..9ebdbb244d 100644
--- a/lib/public_key/doc/src/public_key_records.xml
+++ b/lib/public_key/doc/src/public_key_records.xml
@@ -70,10 +70,10 @@
       <p><c>| {dNSName, string()}</c></p>
       <p><c>| {x400Address, string()}</c></p>
       <p><c>| {directoryName, {rdnSequence, [#AttributeTypeAndValue'{}]}}</c></p>
-      <p><c>| {eidPartyName, special_string()}</c></p>
-      <p><c>| {eidPartyName, special_string(), special_string()}</c></p>
+      <p><c>| {ediPartyName, special_string()}</c></p>
+      <p><c>| {ediPartyName, special_string(), special_string()}</c></p>
       <p><c>| {uniformResourceIdentifier, string()}</c></p>
-      <p><c>| {ipAddress, string()}</c></p>
+      <p><c>| {iPAddress, string()}</c></p>
       <p><c>| {registeredId, oid()}</c></p>
       <p><c>| {otherName, term()}</c></p>
       </item>