From 4e0a5e36b38e3f15ed8f7d700d26f2424a47111c Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Wed, 11 Feb 2015 14:53:10 +0100 Subject: ssl: Integrate public_key CRL verification with the ssl application --- lib/ssl/doc/src/ssl_crl_cache_api.xml | 97 +++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 lib/ssl/doc/src/ssl_crl_cache_api.xml (limited to 'lib/ssl/doc/src/ssl_crl_cache_api.xml') diff --git a/lib/ssl/doc/src/ssl_crl_cache_api.xml b/lib/ssl/doc/src/ssl_crl_cache_api.xml new file mode 100644 index 0000000000..24365c9f59 --- /dev/null +++ b/lib/ssl/doc/src/ssl_crl_cache_api.xml @@ -0,0 +1,97 @@ + + + + +
+ + 20152015 + Ericsson AB. All Rights Reserved. + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + ssl_crl_cache_api + ssl_crl_cache_api.xml +
+ + ssl_crl_cache_api + API for a SSL/TLS CRL (Certificate Revocation List) cache. + +

+ When SSL/TLS performs certificate path validation according to + RFC 5280 it should + also perform CRL validation checks. To enable the CRL checks the application + needs access to CRLs. A database of CRLs can be set up in many different ways. + This module provides an API to integrate an arbitrary CRL cache with the erlang + ssl application. It is also used by the application itself to provide a simple + default implementation of a CRL cache. +

+
+ +
+ Common Data Types + +

The following data types are used in the functions below: +

+ +

cache_ref() = opaque()

+

dist_point() = #'DistributionPoint'{} see X509 certificates records

+
+ + + + lookup(DistributionPoint, DbHandle) -> not_available | CRLs + + + DistributionPoint = dist_point() + DbHandle = cache_ref() + CRLs = [public_key:der_encoded()] + +

Lookup the CRLs belonging to the distribution point Distributionpoint

. + This function may choose to only look in the cache or to follow distribution point + links depending on how the cache is administrated. +
+
+ + + select(Issuer, DbHandle) -> CRLs + Select the CRLs in the cache that are issued by Issuer + + Issuer = public_key:issuer_name() + DbHandle = cache_ref() + + +

Select the CRLs in the cache that are issued by Issuer

+
+
+ + + fresh_crl(DistributionPoint, CRL) -> FreshCRL + fun fresh_crl/2 will be used as input option update_crl to + public_key:pkix_crls_validate/3 + + DistributionPoint = dist_point() + CRL = [public_key:der_encoded()] + FreshCRL = [public_key:der_encoded()] + + +

fun fresh_crl/2 will be used as input option update_crl to + public_key:pkix_crls_validate/3

+
+
+
+
\ No newline at end of file -- cgit v1.2.3
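Review bot: the `lookup/2` entry in this hunk declares the return type `not_available | CRLs` but never says what `not_available` means for the handshake; the description should state whether a cache that returns `not_available` makes path validation fail or lets it proceed without a revocation check, since those two outcomes differ in security and an implementer of this API needs to know which one they are choosing. The `select/2` and `fresh_crl/2` entries repeat their summary line verbatim as the description, which adds nothing; `fresh_crl/2` in particular should explain what a "fresh" CRL is expected to be (for example, one re-fetched from `DistributionPoint` when the cached copy is out of date) and what the callback should return when it cannot obtain one. Minor wording: "Lookup the CRLs belonging to the distribution point Distributionpoint" has a stray line break before its period and should read "Look up the CRLs belonging to the distribution point DistributionPoint." (capitalised to match the argument name), and "API for a SSL/TLS CRL" should be "API for an SSL/TLS CRL".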