From 8fbd0e8dd05ba1f76f2d02a2e4c16e7973adfd4c Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Tue, 16 Feb 2016 15:09:07 +0000 Subject: Add issuer arg to ssl_crl_cache_api lookup callback Change the ssl_crl_cache_api callback specification, passing the certificate issuer name as an argument to the lookup callback function. Support the previous API too, for the time being. The purpose of this change is to accommodate CRL cache modules that index CRLs by issuer name, not by distribution point URL. While in most cases such lookups could be performed using the select/2 callback function, that doesn't work when the CRL in question contains an Issuing Distribution Point (IDP) extension, since RFC 5280 specifies different processing rules for CRLs specified in a distribution point (DP) and other CRLs. For the latter, a DP is assumed that most likely will not match the IDP of the CRL. In order to accommodate cache modules that index CRLs by issuer name, let's pass them the issuer as well. --- lib/ssl/doc/src/ssl_crl_cache_api.xml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/ssl_crl_cache_api.xml b/lib/ssl/doc/src/ssl_crl_cache_api.xml index 03ac010bfe..7440b6ef04 100644 --- a/lib/ssl/doc/src/ssl_crl_cache_api.xml +++ b/lib/ssl/doc/src/ssl_crl_cache_api.xml @@ -76,10 +76,13 @@ + lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs lookup(DistributionPoint, DbHandle) -> not_available | CRLs DistributionPoint = dist_point() + Issuer = public_key:issuer_name() DbHandle = cache_ref() CRLs = [public_key:der_encoded()] @@ -87,6 +90,18 @@

Lookup the CRLs belonging to the distribution point Distributionpoint. This function may choose to only look in the cache or to follow distribution point links depending on how the cache is administrated.

+ +

The Issuer argument contains the issuer name of the + certificate to be checked. Normally the returned CRL should + be issued by this issuer, except if the cRLIssuer field + of DistributionPoint has a value, in which case that + value should be used instead.

+ +

In an earlier version of this API, the lookup + function received two arguments, omitting Issuer. For + compatibility, this is still supported: if there is no + lookup/3 function in the callback module, + lookup/2 is called instead.
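Review bot: in the first hunk (@@ -76,10 +76,13 @@) the two signature lines `lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs` and `lookup(DistributionPoint, DbHandle) -> not_available | CRLs` are listed as equals, so a reader of the signature block alone cannot tell that lookup/2 is the legacy arity that is only consulted when lookup/3 is not exported. Suggest annotating the lookup/2 line in the listing itself (for example "lookup/2 is only called if lookup/3 is not defined; new modules should implement lookup/3") rather than leaving that information solely in the description paragraph further down.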
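Review bot: in the second hunk (@@ -87,6 +90,18 @@) the sentence "Normally the returned CRL should be issued by this issuer, except if the cRLIssuer field of DistributionPoint has a value" reads as advice to the implementer rather than as a contract, and it does not say what happens if a cache module returns a CRL from some other issuer. Since the crl_check option in ssl.xml documents that the returned CRLs go through public_key:pkix_crls_validate/3, suggest stating here that ssl still verifies the CRLs it gets back, so a CRL issued by the wrong CA leads to a validation failure (or to not_available semantics) rather than being trusted because the cache handed it out. The compatibility paragraph should also say what the module sees when lookup/3 is missing: is the Issuer simply dropped, and is the check for lookup/3 made per call or once when the callback module is configured?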

-- cgit v1.2.3 From 1a5ef986efb0461b3b87dc836036d661def4c4b5 Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Thu, 4 Feb 2016 18:28:16 +0000 Subject: Improve formatting for crl_{check,cache} options --- lib/ssl/doc/src/ssl.xml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 82bede69d0..a1fba5fbff 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -331,31 +331,36 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid {crl_check, boolean() | peer | best_effort } - Perform CRL (Certificate Revocation List) verification +

Perform CRL (Certificate Revocation List) verification (public_key:pkix_crls_validate/3) on all the certificates during the path validation (public_key:pkix_path_validation/3) - of the certificate chain. Defaults to false. + of the certificate chain. Defaults to false.

-

peer - check is only performed on - the peer certificate.

+ + peer + check is only performed on the peer certificate. -

best_effort - if certificate revocation status can not be determined - it will be accepted as valid.

+ best_effort + if certificate revocation status can not be determined + it will be accepted as valid. +

The CA certificates specified for the connection will be used to construct the certificate chain validating the CRLs.

-

The CRLs will be fetched from a local or external cache see +

The CRLs will be fetched from a local or external cache. See ssl_crl_cache_api(3).

{crl_cache, {Module :: atom(), {DbHandle :: internal | term(), Args :: list()}}} -

Module defaults to ssl_crl_cache with DbHandle internal and an - empty argument list. The following arguments may be specified for the internal cache.

+

Specify how to perform lookup and caching of certificate revocation lists. + Module defaults to ssl_crl_cache + with DbHandle being internal and an + empty argument list. The following arguments may be specified for the internal cache:

{http, timeout()}
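Review bot: the best_effort item, "if certificate revocation status can not be determined / it will be accepted as valid", should read "cannot" and should spell out that this is a fail-open mode: a certificate whose CRL cannot be fetched or is not in the cache is treated as not revoked, so best_effort must not be relied on where revocation is the security control. The new `peer` item should likewise say that with this value the CA certificates in the chain are not checked for revocation at all, which is the consequence of "check is only performed on the peer certificate". Otherwise the reflow into a taglist is fine and consistent with the rest of the option descriptions.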

-- cgit v1.2.3 From b219dbd698c74cf3c904445d13bb3453be6e1ac8 Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Tue, 8 Dec 2015 18:23:42 +0000 Subject: Add ssl_crl_hash_dir module This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process. --- lib/ssl/doc/src/ssl.xml | 60 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 52 insertions(+), 8 deletions(-) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index a1fba5fbff..31f88f3285 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -360,15 +360,59 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid

Specify how to perform lookup and caching of certificate revocation lists. Module defaults to ssl_crl_cache with DbHandle being internal and an - empty argument list. The following arguments may be specified for the internal cache:

+ empty argument list.

+ +

There are two implementations available:

+ - {http, timeout()} -

- Enables fetching of CRLs specified as http URIs in X509 certificate extensions. - Requires the OTP inets application.

-
-
+ ssl_crl_cache + +

This module maintains a cache of CRLs. CRLs can be + added to the cache using the function ssl_crl_cache:insert/1, + and optionally automatically fetched through HTTP if the + following argument is specified:

+ + + {http, timeout()} +

+ Enables fetching of CRLs specified as http URIs inX509 certificate extensions. + Requires the OTP inets application.

+
+
+
+ + ssl_crl_hash_dir + +

This module makes use of a directory where CRLs are + stored in files named by the hash of the issuer name.

+ +

The file names consist of eight hexadecimal digits + followed by .rN, where N is an integer, + e.g. 1a2b3c4d.r0. For the first version of the + CRL, N starts at zero, and for each new version, + N is incremented by one. The OpenSSL utility + c_rehash creates symlinks according to this + pattern.

+ +

For a given hash value, this module finds all + consecutive .r* files starting from zero, and those + files taken together make up the revocation list. CRL + files whose nextUpdate fields are in the past, or + that are issued by a different CA that happens to have the + same name hash, are excluded.

+ +

The following argument is required:

+ + + {dir, string()} +

Specifies the directory in which the CRLs can be found.

+
+ +
+
+
{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | -- cgit v1.2.3
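Review bot: "files named by the hash of the issuer name" does not say which hash, and OpenSSL changed the subject/issuer name hash algorithm in 1.0.0 (the `-subject_hash` output differs from `-subject_hash_old`), so a directory rehashed with a different OpenSSL version than the one ssl_crl_hash_dir mimics will silently yield no CRL for any issuer; suggest stating the exact hash computed (and that c_rehash output from a matching OpenSSL version is required). Two smaller points in the same hunk: the moved {http, timeout()} text now reads "http URIs inX509 certificate extensions" (missing space before X509), and the paragraph on excluding CRLs "whose nextUpdate fields are in the past" should say whether lookup then returns not_available, so readers can predict how this interacts with crl_check true versus best_effort.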