aboutsummaryrefslogtreecommitdiffstats
path: root/lib/public_key/doc
diff options
context:
space:
mode:
Diffstat (limited to 'lib/public_key/doc')
-rw-r--r--lib/public_key/doc/src/notes.xml55
-rw-r--r--lib/public_key/doc/src/public_key.xml46
2 files changed, 94 insertions, 7 deletions
diff --git a/lib/public_key/doc/src/notes.xml b/lib/public_key/doc/src/notes.xml
index 87db5bd9f4..8eb56f7354 100644
--- a/lib/public_key/doc/src/notes.xml
+++ b/lib/public_key/doc/src/notes.xml
@@ -35,6 +35,61 @@
<file>notes.xml</file>
</header>
+<section><title>Public_Key 1.1</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ The 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384' and
+ 'ecdsa-sha2-nistp521' signature algorithms for ssh are
+ implemented. See RFC 5656.</p>
+ <p>
+ Own Id: OTP-12936</p>
+ </item>
+ <item>
+ <p>
+ There is now a file (public_key/priv/moduli) which lists
+ size-generator-modulus triples. The purpose is to give
+ servers the possibility to select the crypto primes
+ randomly among a list of pregenerated triples. This
+ reduces the risk for some attacks on diffie-hellman
+ negotiation.</p>
+ <p>
+ See the reference manual for public_key:dh_gex_group/4
+ where the handling of this is described.</p>
+ <p>
+ The ssh server (ssh:daemon) uses this.</p>
+ <p>
+ Own Id: OTP-13054 Aux Id: OTP-13052 </p>
+ </item>
+ <item>
+ <p>
+ Add different upper bounds for diffrent string types as
+ suggested by comment in PKIX1Explicit88.</p>
+ <p>
+ Own Id: OTP-13132</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Public_Key 1.0.1</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Document enhancements</p>
+ <p>
+ Own Id: OTP-12986</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>Public_Key 1.0</title>
<section><title>Improvements and New Features</title>
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 394fe54428..258e7cd1b9 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -108,8 +108,9 @@
<p><c>| 'SubjectPublicKeyInfo'</c></p>
<p><c>| 'PrivateKeyInfo'</c></p>
<p><c>| 'CertificationRequest'</c></p>
+ <p><c>| 'CertificateList'</c></p>
<p><c>| 'ECPrivateKey'</c></p>
- <p><c>| 'EcpkParameters'</c></p>
+ <p><c>| 'EcpkParameters'</c></p>
</item>
<tag><c>pem_entry () =</c></tag>
@@ -298,6 +299,37 @@
</desc>
</func>
+ <func>
+ <name>dh_gex_group(MinSize, SuggestedSize, MaxSize, Groups) -> {ok, {Size,Group}} | {error,Error}</name>
+ <fsummary>Selects a group for Diffie-Hellman key exchange</fsummary>
+ <type>
+ <v>MinSize = positive_integer()</v>
+ <v>SuggestedSize = positive_integer()</v>
+ <v>MaxSize = positive_integer()</v>
+ <v>Groups = undefined | [{Size,[{G,P}]}]</v>
+ <v>Size = positive_integer()</v>
+ <v>Group = {G,P}</v>
+ <v>G = positive_integer()</v>
+ <v>P = positive_integer()</v>
+ </type>
+ <desc>
+ <p>Selects a group for Diffie-Hellman key exchange with the key size in the range <c>MinSize...MaxSize</c>
+ and as close to <c>SuggestedSize</c> as possible. If <c>Groups == undefined</c> a default set will be
+ used, otherwise the group is selected from <c>Groups</c>.</p>
+ <p>First a size, as close as possible to SuggestedSize, is selected. Then one group with that key size
+ is randomly selected from the specified set of groups. If no size within the limits of <c>MinSize</c>
+ and <c>MaxSize</c> is available, <c>{error,no_group_found}</c> is returned.</p>
+ <p>The default set of groups is listed in <c>lib/public_key/priv/moduli</c>. This file may be regenerated like this:</p>
+ <pre>
+ $> cd $ERL_TOP/lib/public_key/priv/
+ $> generate
+ ---- wait until all background jobs has finished. It may take several days !
+ $> cat moduli-* > moduli
+ $> cd ..; make
+ </pre>
+ </desc>
+ </func>
+
<func>
<name>encrypt_private(PlainText, Key) -> binary()</name>
<fsummary>Public-key encryption using the private key.</fsummary>
@@ -433,7 +465,7 @@
<name>pkix_is_issuer(Cert, IssuerCert) -> boolean()</name>
<fsummary>Checks if <c>IssuerCert</c> issued <c>Cert</c>.</fsummary>
<type>
- <v>Cert = der_encoded() | #'OTPCertificate'{}</v>
+ <v>Cert = der_encoded() | #'OTPCertificate'{} | #'CertificateList'{}</v>
<v>IssuerCert = der_encoded() | #'OTPCertificate'{}</v>
</type>
<desc>
@@ -497,13 +529,13 @@
<name>pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, {PublicKeyInfo, PolicyTree}} | {error, {bad_cert, Reason}} </name>
<fsummary>Performs a basic path validation according to RFC 5280.</fsummary>
<type>
- <v>TrustedCert = #'OTPCertificate'{} | der_encode() | atom()</v>
+ <v>TrustedCert = #'OTPCertificate'{} | der_encoded() | atom()</v>
<d>Normally a trusted certificate, but it can also be a path-validation
error that can be discovered while
constructing the input to this function and that is to be run through the <c>verify_fun</c>.
Examples are <c>unknown_ca</c> and <c>selfsigned_peer.</c>
</d>
- <v>CertChain = [der_encode()]</v>
+ <v>CertChain = [der_encoded()]</v>
<d>A list of DER-encoded certificates in trust order ending with the peer certificate.</d>
<v>Options = proplists:proplist()</v>
<v>PublicKeyInfo = {?'rsaEncryption' | ?'id-dsa',
@@ -698,7 +730,7 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
<name>pkix_sign(#'OTPTBSCertificate'{}, Key) -> der_encoded()</name>
<fsummary>Signs certificate.</fsummary>
<type>
- <v>Key = rsa_public_key() | dsa_public_key()</v>
+ <v>Key = rsa_private_key() | dsa_private_key()</v>
</type>
<desc>
<p>Signs an 'OTPTBSCertificate'. Returns the corresponding
@@ -713,7 +745,7 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
<v>AlgorithmId = oid()</v>
<d>Signature OID from a certificate or a certificate revocation list.</d>
<v>DigestType = rsa_digest_type() | dss_digest_type()</v>
- <v>SignatureType = rsa | dsa</v>
+ <v>SignatureType = rsa | dsa | ecdsa</v>
</type>
<desc>
<p>Translates signature algorithm OID to Erlang digest and signature types.
@@ -726,7 +758,7 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
<fsummary>Verifies PKIX x.509 certificate signature.</fsummary>
<type>
<v>Cert = der_encoded()</v>
- <v>Key = rsa_public_key() | dsa_public_key()</v>
+ <v>Key = rsa_public_key() | dsa_public_key() | ec_public_key()</v>
</type>
<desc>
<p>Verifies PKIX x.509 certificate signature.</p>