lib/ssl/doc/src/ssl_crl_cache_api.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE erlref SYSTEM "erlref.dtd">

<erlref>
  <header>
    <copyright>
      <year>2015</year><year>2015</year>
      <holder>Ericsson AB. All Rights Reserved.</holder>
    </copyright>
    <legalnotice>
      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at
 
          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    </legalnotice>
    <title>ssl_crl_cache_api</title>
    <file>ssl_crl_cache_api.xml</file>
  </header>
  
  <module>ssl_crl_cache_api</module>
  <modulesummary>API for a SSL/TLS CRL (Certificate Revocation List) cache.</modulesummary>
  <description>
    <p>
      When SSL/TLS performs certificate path validation according to
      <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280 </url>
      it should also perform CRL validation checks. To enable the CRL
      checks the application needs access to CRLs. A database of CRLs
      can be set up in many different ways. This module provides the
      behavior of the API needed to integrate an arbitrary CRL cache
      with the erlang ssl application. It is also used by the
      application itself to provide a simple default implementation of
      a CRL cache.
    </p>
  </description>
  
  <section>
    <title>DATA TYPES</title>
    
    <p>The following data types are used in the functions below:
    </p>
    
    <taglist>
      
    <tag><c>cache_ref() =</c></tag> 
    <item>opaque()</item>
    <tag><c>dist_point() =</c></tag>
    <item><p>#'DistributionPoint'{} see <seealso
    marker="public_key:public_key_records"> X509 certificates records</seealso></p></item>
    
    </taglist>
    
  </section>
  <funcs>
      <func>
      <name>fresh_crl(DistributionPoint, CRL) -> FreshCRL</name>
      <fsummary> <c>fun fresh_crl/2 </c> will be used as input option <c>update_crl</c> to
      public_key:pkix_crls_validate/3 </fsummary>
      <type>
	<v> DistributionPoint = dist_point() </v>
	<v> CRL = [<seealso
	marker="public_key:public_key">public_key:der_encoded()</seealso>] </v>
	<v> FreshCRL = [<seealso
	marker="public_key:public_key">public_key:der_encoded()</seealso>] </v>
      </type>
      <desc>
	<p> <c>fun fresh_crl/2 </c> will be used as input option <c>update_crl</c> to
	<seealso marker="public_key:public_key#pkix_crls_validate-3">public_key:pkix_crls_validate/3 </seealso> </p>
      </desc>
    </func>
    
    <func>
      <name>lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs </name>
      <name>lookup(DistributionPoint, DbHandle) -> not_available | CRLs </name>
      <fsummary> </fsummary>
      <type>
        <v> DistributionPoint = dist_point() </v>
        <v> Issuer = <seealso
	marker="public_key:public_key">public_key:issuer_name()</seealso> </v>
	<v> DbHandle  = cache_ref() </v>
	<v> CRLs = [<seealso
	   marker="public_key:public_key">public_key:der_encoded()</seealso>] </v>
	</type>
	<desc> <p>Lookup the CRLs belonging to the distribution point <c> Distributionpoint</c>.
	This function may choose to only look in the cache or to follow distribution point
	links depending on how the cache is administrated. </p>

	<p>The <c>Issuer</c> argument contains the issuer name of the
	certificate to be checked.  Normally the returned CRL should
	be issued by this issuer, except if the <c>cRLIssuer</c> field
	of <c>DistributionPoint</c> has a value, in which case that
	value should be used instead.</p>

	<p>In an earlier version of this API, the <c>lookup</c>
	function received two arguments, omitting <c>Issuer</c>.  For
	compatibility, this is still supported: if there is no
	<c>lookup/3</c> function in the callback module,
	<c>lookup/2</c> is called instead.</p>
	</desc>
    </func>
    
    <func>
      <name>select(Issuer, DbHandle) -> CRLs </name>
      <fsummary>Select the CRLs in the cache that are issued by <c>Issuer</c></fsummary>
      <type>
	<v> Issuer = <seealso
	marker="public_key:public_key">public_key:issuer_name()</seealso></v>
	<v> DbHandle  = cache_ref() </v>
	</type>
	<desc>
	  <p>Select the CRLs in the cache that are issued by <c>Issuer</c> </p>
	</desc>
    </func>
  </funcs>
</erlref>