From 3358156b5be633b10a59c99403083624c51f4ce5 Mon Sep 17 00:00:00 2001
From: Raimo Niskanen
Date: Thu, 9 Nov 2017 16:47:13 +0100
Subject: Facilitate test certs with common root
---
lib/public_key/doc/src/public_key.xml | 112 +++++++++++++++++++++++++++++-----
1 file changed, 98 insertions(+), 14 deletions(-)
(limited to 'lib/public_key/doc')
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 5230cef496..dea35bc390 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -774,6 +774,7 @@ fun(#'DistributionPoint'{}, #'CertificateList'{}, pkix_test_data(Options) -> Config + pkix_test_data([chain_opts()]) -> [conf_opt()] Creates certificate test data. Options = #{chain_type() := chain_opts()}

Creates certificate test data to facilitate automated testing - of applications using X509-certificates often through - SSL/TLS. The test data can be used when you have control - over both the client and the server in a test scenario. +

+ Creates certificate configuration(s) consisting of certificate + and its private key plus CA certificate bundle, for a client + and a server, intended to facilitate automated testing + of applications using X509-certificates, + often through SSL/TLS. The test data can be used + when you have control over both the client and the server + in a test scenario. +

+

+ When this function is called with a map containing + client and server chain specifications; + it generates both a client and a server certificate chain + where the cacerts + returned for the server contains the root cert the server + should trust and the intermediate certificates the server + should present to connecting clients. + The root cert the server should trust is the one used + as root of the client certificate chain. + Vice versa applies to the cacerts returned for the client. + The root cert(s) can either be pre-generated with + + pkix_test_root_cert/2 + , or if options are specified; it is (they are) + generated. +

+

+ When this function is called with a list of certificate options; + it generates a configuration with just one node certificate + where cacerts contains the root cert + and the intermediate certs that should be presented to a peer. + In this case the same root cert must be used for all peers. + This is useful in for example an Erlang distributed cluster + where any node, towards another node, acts either + as a server or as a client depending on who connects to whom. + The generated certificate contains a subject altname, + which is not needed in a client certificate, + but makes the certificate useful for both roles. +

+

+ The cert_opt() + type consists of the following options:

- -

The cert_opt() type consists of the following options:

{digest, digest_type()}

Hash algorithm to be used for
@@ -851,6 +905,36 @@ fun(#'DistributionPoint'{}, #'CertificateList'{}, + + pkix_test_root_cert(Name, Options) -> RootCert + Generates a test data root cert. + + Name = string() + The root certificate name. + Options = [cert_opt()] + + For available options see + cert_opt() + under + pkix_test_data/1. + + RootCert = #{cert := der_encoded(), key := Key} + + A root certificate and key. The Key is generated by + generate_key/1. + + + +

+ Generates a root certificate that can be used + in multiple calls to + pkix_test_data/1 + when you want the same root certificate for + several generated certificates. +

+
+
+ pkix_verify(Cert, Key) -> boolean() Verifies PKIX x.509 certificate signature. -- cgit v1.2.3