ssl_crl_cache

20152016 Ericsson AB. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ssl_crl_cache_api ssl_crl_cache_api.xml

ssl_crl_cache_api API for a SSL/TLS CRL (Certificate Revocation List) cache.

When SSL/TLS performs certificate path validation according to RFC 5280 it should also perform CRL validation checks. To enable the CRL checks the application needs access to CRLs. A database of CRLs can be set up in many different ways. This module provides the behavior of the API needed to integrate an arbitrary CRL cache with the erlang ssl application. It is also used by the application itself to provide a simple default implementation of a CRL cache.

DATA TYPES

The following data types are used in the functions below:

cache_ref() = opaque() dist_point() =

#'DistributionPoint'{} see X509 certificates records

fresh_crl(DistributionPoint, CRL) -> FreshCRL fun fresh_crl/2 will be used as input option update_crl to public_key:pkix_crls_validate/3 DistributionPoint = dist_point() CRL = [public_key:der_encoded()] FreshCRL = [public_key:der_encoded()]

fun fresh_crl/2 will be used as input option update_crl to public_key:pkix_crls_validate/3

lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs lookup(DistributionPoint, DbHandle) -> not_available | CRLs DistributionPoint = dist_point() Issuer = public_key:issuer_name() DbHandle = cache_ref() CRLs = [public_key:der_encoded()]

Lookup the CRLs belonging to the distribution point Distributionpoint. This function may choose to only look in the cache or to follow distribution point links depending on how the cache is administrated.

The Issuer argument contains the issuer name of the certificate to be checked. Normally the returned CRL should be issued by this issuer, except if the cRLIssuer field of DistributionPoint has a value, in which case that value should be used instead.

In an earlier version of this API, the lookup function received two arguments, omitting Issuer. For compatibility, this is still supported: if there is no lookup/3 function in the callback module, lookup/2 is called instead.

select(Issuer, DbHandle) -> CRLs Select the CRLs in the cache that are issued by Issuer Issuer = public_key:issuer_name() DbHandle = cache_ref()

Select the CRLs in the cache that are issued by Issuer