From a99b7ff68aa194c260134ab2461af1a14a03e697 Mon Sep 17 00:00:00 2001 From: tmanevik Date: Thu, 23 Apr 2015 15:06:05 +0200 Subject: Editorial changes --- lib/public_key/doc/src/public_key.xml | 505 +++++++++++++++++++--------------- 1 file changed, 283 insertions(+), 222 deletions(-) (limited to 'lib/public_key/doc/src/public_key.xml') diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml index b86d0fe0ab..ddaa8c2530 100644 --- a/lib/public_key/doc/src/public_key.xml +++ b/lib/public_key/doc/src/public_key.xml @@ -31,11 +31,11 @@ public_key - API module for public key infrastructure. + API module for public-key infrastructure. -

This module provides functions to handle public key infrastructure. It can - encode/decode different file formats (PEM, openssh), sign and verify digital signatures and validate - certificate paths and certificate revocation lists. +

This module provides functions to handle public-key infrastructure. It can + encode/decode different file formats (PEM, OpenSSH), sign and verify digital signatures, + and validate certificate paths and certificate revocation lists.

@@ -43,94 +43,152 @@ public_key - public_key requires the crypto and asn1 applications, the latter since R16 (hopefully the runtime dependency on asn1 will - be removed again in the future). + public_key requires the crypto and ASN.1 applications, + the latter as OTP R16 (hopefully the runtime dependency on ASN.1 will + be removed again in the future). Supports RFC 5280 - - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile - Supports PKCS-1 - RSA Cryptography Standard - Supports DSS- Digital Signature Standard (DSA - Digital Signature Algorithm) - Supports PKCS-3 - Diffie-Hellman Key Agreement Standard - Supports PKCS-5 - Password-Based Cryptography Standard - Supports PKCS-8 - Private-Key Information Syntax Standard - Supports PKCS-10 - Certification Request Syntax Standard + Internet X.509 Public-Key Infrastructure Certificate and Certificate Revocation List + (CRL) Profile + Supports PKCS-1 - + RSA Cryptography Standard + Supports DSS - + Digital Signature Standard (DSA - Digital Signature Algorithm) + Supports + PKCS-3 - + Diffie-Hellman Key Agreement Standard + Supports PKCS-5 - + Password-Based Cryptography Standard + Supports PKCS-8 - + Private-Key Information Syntax Standard + Supports PKCS-10 - + Certification Request Syntax Standard
- COMMON DATA TYPES + DATA TYPES -

All records used in this manual +

All records used in this Reference Manual are generated from ASN.1 specifications and are documented in the User's Guide. See Public key records and X.509 Certificate records. + marker="public_key_records">Public-key Records and X.509 Certificate Records.

Use the following include directive to get access to the - records and constant macros described here and in the User's Guide.

+ records and constant macros described here and in the User's Guide:

-include_lib("public_key/include/public_key.hrl"). -

Data Types

- -

oid() - Object Identifier, a tuple of integers as generated by the ASN1 compiler.

- -

boolean() = true | false

- -

string() = [bytes()]

- -

der_encoded() = binary()

- -

pki_asn1_type() = 'Certificate' | 'RSAPrivateKey'| 'RSAPublicKey' | - 'DSAPrivateKey' | 'DSAPublicKey' | 'DHParameter' | - 'SubjectPublicKeyInfo' | 'PrivateKeyInfo' | - 'CertificationRequest' | 'ECPrivateKey' | 'EcpkParameters'

- -

pem_entry () = {pki_asn1_type(), binary(), %% DER or encrypted DER - not_encrypted | cipher_info()}

- -

cipher_info() = {"RC2-CBC | "DES-CBC" | "DES-EDE3-CBC", - crypto:rand_bytes(8) | {#'PBEParameter{}, digest_type()} |#'PBES2-params'{}}

- -

public_key() = rsa_public_key() | dsa_public_key() | ec_public_key()

-

private_key() = rsa_private_key() | dsa_private_key() | ec_private_key()

-

rsa_public_key() = #'RSAPublicKey'{}

- -

rsa_private_key() = #'RSAPrivateKey'{}

- -

dsa_public_key() = {integer(), #'Dss-Parms'{}}

- -

dsa_private_key() = #'DSAPrivateKey'{}

- -

ec_public_key() = {#'ECPoint'{}, #'EcpkParameters'{} | - {namedCurve, oid()}}

- -

ec_private_key() = #'ECPrivateKey'{}

- -

public_crypt_options() = [{rsa_pad, rsa_padding()}].

- -

rsa_padding() = 'rsa_pkcs1_padding' | 'rsa_pkcs1_oaep_padding' | - 'rsa_no_padding'

+

The following data types are used in the functions for public_key:

-

digest_type() - Union of below digest types

+ + oid() +

Object identifier, a tuple of integers as generated by the ASN.1 compiler.

 + + boolean() +

= true | false

 + + string() +

= [bytes()]

 + + der_encoded() +

= binary()

 + + pki_asn1_type() + =

'Certificate'

+

| 'RSAPrivateKey'

+

| 'RSAPublicKey'

+

| 'DSAPrivateKey'

+

| 'DSAPublicKey'

+

| 'DHParameter'

+

| 'SubjectPublicKeyInfo'

+

| 'PrivateKeyInfo'

+

| 'CertificationRequest'

+

| 'ECPrivateKey'

+

| 'EcpkParameters'

 + + pem_entry () +

= {pki_asn1_type(), binary(), %% DER or encrypted DER not_encrypted

+

| cipher_info()}

 + + cipher_info() +

= {"RC2-CBC" | "DES-CBC" | "DES-EDE3-CBC", crypto:rand_bytes(8)

+

| {#'PBEParameter{}, digest_type()} | #'PBES2-params'{}}

+ + + public_key() +

= rsa_public_key() | dsa_public_key() | ec_public_key()

 + + private_key() +

= rsa_private_key() | dsa_private_key() | ec_private_key()

 + + rsa_public_key() +

= #'RSAPublicKey'{}

 + + rsa_private_key() +

= #'RSAPrivateKey'{}

 + + dsa_public_key() +

= {integer(), #'Dss-Parms'{}}

 + + dsa_private_key() +

= #'DSAPrivateKey'{}

 + + ec_public_key() +

= {#'ECPoint'{}, #'EcpkParameters'{} | {namedCurve, oid()}}

 + + ec_private_key() +

= #'ECPrivateKey'{}

 + + public_crypt_options() +

= [{rsa_pad, rsa_padding()}]

 + + rsa_padding() +

= 'rsa_pkcs1_padding'

+

| 'rsa_pkcs1_oaep_padding'

+

| 'rsa_no_padding'

+ + + digest_type() +

Union of rsa_digest_type(), dss_digest_type(), + and ecdsa_digest_type().

 + + rsa_digest_type() +

= 'md5' | 'sha' | 'sha224' | 'sha256' | 'sha384' | 'sha512'

 + + dss_digest_type() +

= 'sha'

 + + ecdsa_digest_type() +

= 'sha'| 'sha224' | 'sha256' | 'sha384' | 'sha512'

 + + crl_reason() +

= unspecified

+

| keyCompromise

+

| cACompromise

+

| affiliationChanged

+

| superseded

+

| cessationOfOperation

+

| certificateHold

+

| privilegeWithdrawn

+

| aACompromise

+ + + issuer_name() +

= {rdnSequence,[#'AttributeTypeAndValue'{}]}

+ + + ssh_file() +

= openssh_public_key

+

| rfc4716_public_key

+

| known_hosts

+

| auth_keys

+ + -

rsa_digest_type() = 'md5' | 'sha' | 'sha224' | 'sha256' | 'sha384' | - 'sha512'

- -

dss_digest_type() = 'sha'

- -

ecdsa_digest_type() = 'sha'| 'sha224' | 'sha256' | 'sha384' | 'sha512'

- -

crl_reason() = unspecified | keyCompromise | cACompromise | - affiliationChanged | superseded | cessationOfOperation | - certificateHold | privilegeWithdrawn | aACompromise

- -

issuer_name() = {rdnSequence,[#'AttributeTypeAndValue'{}]}

- -

ssh_file() = openssh_public_key | rfc4716_public_key | known_hosts | - auth_keys

@@ -138,12 +196,12 @@ - + - + @@ -151,13 +209,13 @@ - + - + - - + +
@@ -166,27 +224,27 @@ compute_key(OthersKey, MyKey)-> compute_key(OthersKey, MyKey, Params)-> - Compute shared secret + Computes shared secret. OthersKey = #'ECPoint'{} | binary(), MyKey = #'ECPrivateKey'{} | binary() Params = #'DHParameter'{} -

Compute shared secret

+

Computes shared secret.

 decrypt_private(CipherText, Key) -> binary() decrypt_private(CipherText, Key, Options) -> binary() - Public key decryption. + Public-key decryption. CipherText = binary() Key = rsa_private_key() Options = public_crypt_options() -

Public key decryption using the private key. See also Public-key decryption using the private key. See also crypto:private_decrypt/4

 @@ -194,156 +252,156 @@ decrypt_public(CipherText, Key) - > binary() decrypt_public(CipherText, Key, Options) - > binary() - + Public-key decryption. CipherText = binary() Key = rsa_public_key() Options = public_crypt_options() -

Public key decryption using the public key. See also Public-key decryption using the public key. See also crypto:public_decrypt/4

 der_decode(Asn1type, Der) -> term() - Decodes a public key ASN.1 DER encoded entity. + Decodes a public-key ASN.1 DER encoded entity. Asn1Type = atom() - ASN.1 type present in the public_key applications - asn1 specifications. + ASN.1 type present in the public_key applications + ASN.1 specifications. Der = der_encoded() -

Decodes a public key ASN.1 DER encoded entity.

+

Decodes a public-key ASN.1 DER encoded entity.

 der_encode(Asn1Type, Entity) -> der_encoded() - Encodes a public key entity with asn1 DER encoding. + Encodes a public-key entity with ASN.1 DER encoding. Asn1Type = atom() - Asn1 type present in the public_key applications + ASN.1 type present in the public_key applications ASN.1 specifications. Entity = term() - The erlang representation of Asn1Type + Erlang representation of Asn1Type -

Encodes a public key entity with ASN.1 DER encoding.

+

Encodes a public-key entity with ASN.1 DER encoding.

 generate_key(Params) -> {Public::binary(), Private::binary()} | #'ECPrivateKey'{} - Generates a new keypair + Generates a new keypair. - Params = #'DHParameter'{} | {namedCurve, oid()} | #'ECParameters'{} + Params = #'DHParameter'{} | {namedCurve, oid()} | #'ECParameters'{} -

Generates a new keypair

+

Generates a new keypair.

 pem_decode(PemBin) -> [pem_entry()] - Decode PEM binary data and return - entries as ASN.1 DER encoded entities. + Decodes PEM binary data and returns + entries as ASN.1 DER encoded entities. PemBin = binary() Example {ok, PemBin} = file:read_file("cert.pem"). -

Decode PEM binary data and return +

Decodes PEM binary data and returns entries as ASN.1 DER encoded entities.

 pem_encode(PemEntries) -> binary() - Creates a PEM binary + Creates a PEM binary. PemEntries = [pem_entry()] -

Creates a PEM binary

+

Creates a PEM binary.

 pem_entry_decode(PemEntry) -> term() pem_entry_decode(PemEntry, Password) -> term() - Decodes a pem entry. + Decodes a PEM entry. - PemEntry = pem_entry() - Password = string() + PemEntry = pem_entry() + Password = string() -

Decodes a PEM entry. pem_decode/1 returns a list of PEM - entries. Note that if the PEM entry is of type - 'SubjectPublickeyInfo' it will be further decoded to an - rsa_public_key() or dsa_public_key().

+

Decodes a PEM entry. pem_decode/1 returns a list of PEM + entries. Notice that if the PEM entry is of type + 'SubjectPublickeyInfo', it is further decoded to an + rsa_public_key() or dsa_public_key().

 pem_entry_encode(Asn1Type, Entity) -> pem_entry() pem_entry_encode(Asn1Type, Entity, {CipherInfo, Password}) -> pem_entry() - Creates a PEM entry that can be fed to pem_encode/1. + Creates a PEM entry that can be fed to pem_encode/1. Asn1Type = pki_asn1_type() Entity = term() - The Erlang representation of - Asn1Type. If Asn1Type is 'SubjectPublicKeyInfo' - then Entity must be either an rsa_public_key() or a - dsa_public_key() and this function will create the appropriate + Erlang representation of + Asn1Type. If Asn1Type is 'SubjectPublicKeyInfo', + Entity must be either an rsa_public_key() or a + dsa_public_key() and this function creates the appropriate 'SubjectPublicKeyInfo' entry. CipherInfo = cipher_info() Password = string() -

Creates a PEM entry that can be feed to pem_encode/1.

+

Creates a PEM entry that can be feed to pem_encode/1.

 encrypt_private(PlainText, Key) -> binary() - Public key encryption using the private key. + Public-key encryption using the private key. PlainText = binary() Key = rsa_private_key() -

Public key encryption using the private key. +

Public-key encryption using the private key. See also crypto:private_encrypt/4

+ marker="crypto:crypto#private_encrypt/4">crypto:private_encrypt/4.

 encrypt_public(PlainText, Key) -> binary() - Public key encryption using the public key. + Public-key encryption using the public key. PlainText = binary() Key = rsa_public_key() -

Public key encryption using the public key. See also crypto:public_encrypt/4

+

Public-key encryption using the public key. See also crypto:public_encrypt/4.

 pkix_decode_cert(Cert, otp|plain) -> #'Certificate'{} | #'OTPCertificate'{} - Decodes an ASN.1 DER encoded PKIX x509 certificate. + Decodes an ASN.1 DER-encoded PKIX x509 certificate. Cert = der_encoded() -

Decodes an ASN.1 DER encoded PKIX certificate. The otp option - will use the customized ASN.1 specification OTP-PKIX.asn1 for +

Decodes an ASN.1 DER-encoded PKIX certificate. Option otp + uses the customized ASN.1 specification OTP-PKIX.asn1 for decoding and also recursively decode most of the standard parts.

 @@ -355,54 +413,54 @@ certificate. Asn1Type = atom() - The ASN.1 type can be 'Certificate', 'OTPCertificate' or a subtype of either . + The ASN.1 type can be 'Certificate', 'OTPCertificate' or a subtype of either. Entity = #'Certificate'{} | #'OTPCertificate'{} | a valid subtype

DER encodes a PKIX x509 certificate or part of such a certificate. This function must be used for encoding certificates or parts of certificates - that are decoded/created in the otp format, whereas for the plain format this - function will directly call der_encode/2.

+ that are decoded/created in the otp format, whereas for the plain format this + function directly calls der_encode/2.

 pkix_is_issuer(Cert, IssuerCert) -> boolean() - Checks if IssuerCert issued Cert + Checks if IssuerCert issued Cert. Cert = der_encoded() | #'OTPCertificate'{} IssuerCert = der_encoded() | #'OTPCertificate'{} -

Checks if IssuerCert issued Cert

+

Checks if IssuerCert issued Cert.

 pkix_is_fixed_dh_cert(Cert) -> boolean() - Checks if a Certificate is a fixed Diffie-Hellman Cert. + Checks if a certificate is a fixed Diffie-Hellman certificate. Cert = der_encoded() | #'OTPCertificate'{} -

Checks if a Certificate is a fixed Diffie-Hellman Cert.

+

Checks if a certificate is a fixed Diffie-Hellman certificate.

 pkix_is_self_signed(Cert) -> boolean() - Checks if a Certificate is self signed. + Checks if a certificate is self-signed. Cert = der_encoded() | #'OTPCertificate'{} -

Checks if a Certificate is self signed.

+

Checks if a certificate is self-signed.

 pkix_issuer_id(Cert, IssuedBy) -> {ok, IssuerID} | {error, Reason} - Returns the issuer id. + Returns the issuer id. Cert = der_encoded() | #'OTPCertificate'{} IssuedBy = self | other @@ -411,43 +469,43 @@ Reason = term() -

Returns the issuer id.

+

Returns the issuer id.

 pkix_normalize_name(Issuer) -> Normalized - Normalizes a issuer name so that it can be easily - compared to another issuer name. + Normalizes an issuer name so that it can be easily + compared to another issuer name. Issuer = issuer_name() Normalized = issuer_name() -

Normalizes a issuer name so that it can be easily +

Normalizes an issuer name so that it can be easily compared to another issuer name.

 pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, {PublicKeyInfo, PolicyTree}} | {error, {bad_cert, Reason}} - Performs a basic path validation according to RFC 5280. + Performs a basic path validation according to RFC 5280. - TrustedCert = #'OTPCertificate'{} | der_encoded() | atom() - Normally a trusted certificate but it can also be a path validation + TrustedCert = #'OTPCertificate'{} | der_encode() | atom() + Normally a trusted certificate, but it can also be a path-validation error that can be discovered while - constructing the input to this function and that should be run through the verify_fun. - For example unknown_ca or selfsigned_peer + constructing the input to this function and that is to be run through the verify_fun. + Examples are unknown_ca and selfsigned_peer. - CertChain = [der_encoded()] - A list of DER encoded certificates in trust order ending with the peer certificate. - Options = proplists:proplist() + CertChain = [der_encode()] + A list of DER-encoded certificates in trust order ending with the peer certificate. + Options = proplists:proplist() PublicKeyInfo = {?'rsaEncryption' | ?'id-dsa', rsa_public_key() | integer(), 'NULL' | 'Dss-Parms'{}} - PolicyTree = term() - At the moment this will always be an empty list as Policies are not currently supported - Reason = cert_expired | invalid_issuer | invalid_signature | name_not_permitted | + PolicyTree = term() + At the moment this is always an empty list as policies are not currently supported. + Reason = cert_expired | invalid_issuer | invalid_signature | name_not_permitted | missing_basic_constraint | invalid_key_usage | {revoked, crl_reason()} | atom() @@ -455,17 +513,17 @@

Performs a basic path validation according to RFC 5280. - However CRL validation is done separately by pkix_crls_validate/3 and should be called - from the supplied verify_fun + However, CRL validation is done separately by pkix_crls_validate/3 and is to be called + from the supplied verify_fun.

- -

Available options are:

+

Available options:

+ {verify_fun, fun()} -

The fun should be defined as:

+

The fun must be defined as:

fun(OtpCert :: #'OTPCertificate'{}, @@ -478,53 +536,53 @@ fun(OtpCert :: #'OTPCertificate'{}, {unknown, UserState :: term()}. -

If the verify callback fun returns {fail, Reason}, the +

If the verify callback fun returns {fail, Reason}, the verification process is immediately stopped. If the verify - callback fun returns {valid, UserState}, the verification - process is continued, this can be used to accept specific path - validation errors such as selfsigned_peer as well as - verifying application specific extensions. If called with an - extension unknown to the user application the return value - {unknown, UserState} should be used.

+ callback fun returns {valid, UserState}, the verification + process is continued. This can be used to accept specific path + validation errors, such as selfsigned_peer, as well as + verifying application-specific extensions. If called with an + extension unknown to the user application, the return value + {unknown, UserState} is to be used.

 {max_path_length, integer()} The max_path_length is the maximum number of non-self-issued - intermediate certificates that may follow the peer certificate - in a valid certification path. So if max_path_length is 0 the PEER must - be signed by the trusted ROOT-CA directly, if 1 the path can - be PEER, CA, ROOT-CA, if it is 2 PEER, CA, CA, ROOT-CA and so - on. + intermediate certificates that can follow the peer certificate + in a valid certification path. So, if max_path_length is 0, the PEER must + be signed by the trusted ROOT-CA directly, if it is 1, the path can + be PEER, CA, ROOT-CA, if it is 2, the path can + be PEER, CA, CA, ROOT-CA, and so on. -

Possible reasons for a bad certificate are:

+

Possible reasons for a bad certificate:

cert_expired - The certificate is no longer valid as its expiration date has passed. +

Certificate is no longer valid as its expiration date has passed.

 invalid_issuer - The certificate issuer name does not match the name of the issuer certificate in the chain. +

Certificate issuer name does not match the name of the issuer certificate in the chain.

 invalid_signature - The certificate was not signed by its issuer certificate in the chain. +

Certificate was not signed by its issuer certificate in the chain.

 name_not_permitted - Invalid Subject Alternative Name extension. +

Invalid Subject Alternative Name extension.

 missing_basic_constraint - Certificate, required to have the basic constraints extension, does not have - a basic constraints extension. +

Certificate, required to have the basic constraints extension, does not have + a basic constraints extension.

 invalid_key_usage - Certificate key is used in an invalid way according to the key usage extension. +

Certificate key is used in an invalid way according to the key-usage extension.

 {revoked, crl_reason()} - Certificate has been revoked. +

Certificate has been revoked.

 atom() - Application specific error reason that should be checked by the verify_fun +

Application-specific error reason that is to be checked by the verify_fun.

 @@ -543,44 +601,47 @@ fun(OtpCert :: #'OTPCertificate'{}, pkix_crls_validate(OTPCertificate, DPAndCRLs, Options) -> CRLStatus() - Performs CRL validation. + Performs CRL validation. - OTPCertificate = #'OTPCertificate'{} - DPAndCRLs = [{DP::#'DistributionPoint'{}, {DerCRL::der_encoded(), CRL::#'CertificateList'{}}}] - Options = proplists:proplist() - CRLStatus() = valid | {bad_cert, revocation_status_undetermined} | + OTPCertificate = #'OTPCertificate'{} + DPAndCRLs = [{DP::#'DistributionPoint'{}, {DerCRL::der_encoded(), CRL::#'CertificateList'{}}}] + Options = proplists:proplist() + CRLStatus() = valid | {bad_cert, revocation_status_undetermined} | {bad_cert, {revoked, crl_reason()}} -

Performs CRL validation. It is intended to be called from +

Performs CRL validation. It is intended to be called from the verify fun of pkix_path_validation/3 -

+ .

+ +

Available options:

+ -

Available options are:

+ {update_crl, fun()} -

The fun has the following type spec:

+

The fun has the following type specification:

fun(#'DistributionPoint'{}, #'CertificateList'{}) -> #'CertificateList'{} -

The fun should use the information in the distribution point to acesses - the lates possible version of the CRL. If this fun is not specified - public_key will use the default implementation: +

The fun uses the information in the distribution point to access + the latest possible version of the CRL. If this fun is not specified, + public_key uses the default implementation:

fun(_DP, CRL) -> CRL end {issuer_fun, fun()} -

The fun has the following type spec:

+

The fun has the following type specification:

fun(#'DistributionPoint'{}, #'CertificateList'{}, {rdnSequence,[#'AttributeTypeAndValue'{}]}, term()) -> {ok, #'OTPCertificate'{}, [der_encoded]} -

The fun should return the root certificate and certificate chain +

The fun returns the root certificate and certificate chain that has signed the CRL.

fun(DP, CRL, Issuer, UserState) -> {ok, RootCert, CertChain} @@ -635,83 +696,83 @@ fun(#'DistributionPoint'{}, #'CertificateList'{}, Key = rsa_public_key() | dsa_public_key() -

Signs a 'OTPTBSCertificate'. Returns the corresponding - der encoded certificate.

+

Signs an 'OTPTBSCertificate'. Returns the corresponding + DER-encoded certificate.

 pkix_sign_types(AlgorithmId) -> {DigestType, SignatureType} - Translates signature algorithm oid to erlang digest and signature algorithm types. + Translates signature algorithm OID to Erlang digest and signature algorithm types. AlgorithmId = oid() - Signature oid from a certificate or a certificate revocation list - DigestType = rsa_digest_type() | dss_digest_type() + Signature OID from a certificate or a certificate revocation list. + DigestType = rsa_digest_type() | dss_digest_type() SignatureType = rsa | dsa -

Translates signature algorithm oid to erlang digest and signature types. +

Translates signature algorithm OID to Erlang digest and signature types.

pkix_verify(Cert, Key) -> boolean() - Verify pkix x.509 certificate signature. + Verifies PKIX x.509 certificate signature. Cert = der_encoded() Key = rsa_public_key() | dsa_public_key() -

Verify PKIX x.509 certificate signature.

+

Verifies PKIX x.509 certificate signature.

 sign(Msg, DigestType, Key) -> binary() - Create digital signature. + Creates a digital signature. Msg = binary() | {digest,binary()} - The msg is either the binary "plain text" data to be - signed or it is the hashed value of "plain text" i.e. the + The Msg is either the binary "plain text" data to be + signed or it is the hashed value of "plain text", that is, the digest. DigestType = rsa_digest_type() | dss_digest_type() | ecdsa_digest_type() Key = rsa_private_key() | dsa_private_key() | ec_private_key() -

Creates a digital signature.

+

Creates a digital signature.

 ssh_decode(SshBin, Type) -> [{public_key(), Attributes::list()}] - Decodes a ssh file-binary. + Decodes an SSH file-binary. SshBin = binary() Example {ok, SshBin} = file:read_file("known_hosts"). - Type = public_key | ssh_file() - If Type is public_key the binary may be either - a rfc4716 public key or a openssh public key. + Type = public_key | ssh_file() + If Type is public_key the binary can be either + an RFC4716 public key or an OpenSSH public key. -

Decodes a ssh file-binary. In the case of know_hosts or - auth_keys the binary may include one or more lines of the +

Decodes an SSH file-binary. In the case of know_hosts or + auth_keys, the binary can include one or more lines of the file. Returns a list of public keys and their attributes, possible attribute values depends on the file type represented by the binary.

- rfc4716 attributes - see RFC 4716 - {headers, [{string(), utf8_string()}]} - auth_key attributes - see man sshd + RFC4716 attributes - see RFC 4716. +

{headers, [{string(), utf8_string()}]}

 + auth_key attributes - see manual page for sshd. {comment, string()} {options, [string()]} - {bits, integer()} - In ssh version 1 files - known_host attributes - see man sshd +

{bits, integer()} - In SSH version 1 files.

 + known_host attributes - see manual page for sshd. {hostnames, [string()]} {comment, string()} - {bits, integer()} - In ssh version 1 files +

{bits, integer()} - In SSH version 1 files.

 @@ -719,16 +780,16 @@ fun(#'DistributionPoint'{}, #'CertificateList'{}, ssh_encode([{Key, Attributes}], Type) -> binary() - Encodes a list of ssh file entries to a binary. + Encodes a list of SSH file entries to a binary. Key = public_key() Attributes = list() Type = ssh_file() -

Encodes a list of ssh file entries (public keys and attributes) to a binary. Possible - attributes depends on the file type, see ssh_decode/2

+

Encodes a list of SSH file entries (public keys and attributes) to a binary. Possible + attributes depend on the file type, see ssh_decode/2 .

 @@ -737,14 +798,14 @@ fun(#'DistributionPoint'{}, #'CertificateList'{}, Verifies a digital signature. Msg = binary() | {digest,binary()} - The msg is either the binary "plain text" data - or it is the hashed value of "plain text" i.e. the digest. + The Msg is either the binary "plain text" data + or it is the hashed value of "plain text", that is, the digest. DigestType = rsa_digest_type() | dss_digest_type() | ecdsa_digest_type() Signature = binary() Key = rsa_public_key() | dsa_public_key() | ec_public_key() -

Verifies a digital signature

+

Veryfies a digital signature.

 -- cgit v1.2.3