1public_key(3) Erlang Module Definition public_key(3)
2
6 public_key - API module for public-key infrastructure.
7
9 Provides functions to handle public-key infrastructure, for details see
10 public_key(6).
11
13 Note:
14 All records used in this Reference Manual are generated from ASN.1
15 specifications and are documented in the User's Guide. See Public-key
16 Records.
17 Use the following include directive to get access to the records and
20 constant macros described here and in the User's Guide:
21 -include_lib("public_key/include/public_key.hrl").
23 The following data types are used in the functions for public_key:
25 oid():
27 Object identifier, a tuple of integers as generated by the ASN.1
28 compiler.
29 boolean() =:
31 true | false
32 string() =:
34 [bytes()]
35 der_encoded() =:
37 binary()
38 pki_asn1_type() =:
40 'Certificate'
41 | 'RSAPrivateKey'
43 | 'RSAPublicKey'
45 | 'DSAPrivateKey'
47 | 'DSAPublicKey'
49 | 'DHParameter'
51 | 'SubjectPublicKeyInfo'
53 | 'PrivateKeyInfo'
55 | 'CertificationRequest'
57 | 'CertificateList'
59 | 'ECPrivateKey'
61 | 'EcpkParameters'
63 pem_entry () =:
65 {pki_asn1_type(), binary(), %% DER or encrypted DER
66 not_encrypted | cipher_info()}
68 cipher_info() = :
70 {"RC2-CBC" | "DES-CBC" | "DES-EDE3-CBC",
71 crypto:strong_rand_bytes(8)
72 | {#'PBEParameter{}, digest_type()} | #'PBES2-params'{}}
74 public_key() =:
76 rsa_public_key() | dsa_public_key() | ec_public_key()
77 private_key() =:
79 rsa_private_key() | dsa_private_key() | ec_private_key()
80 rsa_public_key() =:
82 #'RSAPublicKey'{}
83 rsa_private_key() =:
85 #'RSAPrivateKey'{}
86 dsa_public_key() =:
88 {integer(), #'Dss-Parms'{}}
89 dsa_private_key() =:
91 #'DSAPrivateKey'{}
92 ec_public_key():
94 = {#'ECPoint'{}, #'ECParameters'{} | {namedCurve, oid()}}
95 ec_private_key() =:
97 #'ECPrivateKey'{}
98 key_params() =:
100 #'DHParameter'{} | {namedCurve, oid()} | #'ECParameters'{} | {rsa,
101 Size::integer(), PubExp::integer()}
102 public_crypt_options() =:
104 [{rsa_pad, rsa_padding()}]
105 rsa_padding() =:
107 'rsa_pkcs1_padding'
108 | 'rsa_pkcs1_oaep_padding'
110 | 'rsa_no_padding'
112 public_sign_options() =:
114 [{rsa_pad, rsa_sign_padding()} | {rsa_pss_saltlen, integer()}]
115 rsa_sign_padding() =:
117 'rsa_pkcs1_padding'
118 | 'rsa_pkcs1_pss_padding'
120 digest_type() = :
122 Union of rsa_digest_type(), dss_digest_type(), and
123 ecdsa_digest_type().
124 rsa_digest_type() = :
126 'md5' | 'ripemd160' | 'sha' | 'sha224' | 'sha256' | 'sha384' |
127 'sha512'
128 dss_digest_type() = :
130 'sha' | 'sha224' | 'sha256' | 'sha384' | 'sha512'
131 Note that the actual supported dss_digest_type depends on the
133 underlying crypto library. In OpenSSL version >= 1.0.1 the listed
134 digest are supported, while in 1.0.0 only sha, sha224 and sha256
135 are supported. In version 0.9.8 only sha is supported.
136 ecdsa_digest_type() = :
138 'sha' | 'sha224' | 'sha256' | 'sha384' | 'sha512'
139 crl_reason() = :
141 unspecified
142 | keyCompromise
144 | cACompromise
146 | affiliationChanged
148 | superseded
150 | cessationOfOperation
152 | certificateHold
154 | privilegeWithdrawn
156 | aACompromise
158 issuer_name() =:
160 {rdnSequence,[#'AttributeTypeAndValue'{}]}
161 ssh_file() =:
163 openssh_public_key
164 | rfc4716_public_key
166 | known_hosts
168 | auth_keys
170
172 compute_key(OthersKey, MyKey)->
173 compute_key(OthersKey, MyKey, Params)->
174 Types:
176 OthersKey = #'ECPoint'{} | binary(), MyKey = #'ECPri‐
178 vateKey'{} | binary()
179 Params = #'DHParameter'{}
180 Computes shared secret.
182 decrypt_private(CipherText, Key) -> binary()
184 decrypt_private(CipherText, Key, Options) -> binary()
185 Types:
187 CipherText = binary()
189 Key = rsa_private_key()
190 Options = public_crypt_options()
191 Public-key decryption using the private key. See also
193 crypto:private_decrypt/4
194 decrypt_public(CipherText, Key) - > binary()
196 decrypt_public(CipherText, Key, Options) - > binary()
197 Types:
199 CipherText = binary()
201 Key = rsa_public_key()
202 Options = public_crypt_options()
203 Public-key decryption using the public key. See also crypto:pub‐
205 lic_decrypt/4
206 der_decode(Asn1type, Der) -> term()
208 Types:
210 Asn1Type = atom()
212 ASN.1 type present in the Public Key applications ASN.1
213 specifications.
214 Der = der_encoded()
215 Decodes a public-key ASN.1 DER encoded entity.
217 der_encode(Asn1Type, Entity) -> der_encoded()
219 Types:
221 Asn1Type = atom()
223 ASN.1 type present in the Public Key applications ASN.1
224 specifications.
225 Entity = term()
226 Erlang representation of Asn1Type
227 Encodes a public-key entity with ASN.1 DER encoding.
229 dh_gex_group(MinSize, SuggestedSize, MaxSize, Groups) -> {ok,
231 {Size,Group}} | {error,Error}
232 Types:
234 MinSize = positive_integer()
236 SuggestedSize = positive_integer()
237 MaxSize = positive_integer()
238 Groups = undefined | [{Size,[{G,P}]}]
239 Size = positive_integer()
240 Group = {G,P}
241 G = positive_integer()
242 P = positive_integer()
243 Selects a group for Diffie-Hellman key exchange with the key
245 size in the range MinSize...MaxSize and as close to Suggested‐
246 Size as possible. If Groups == undefined a default set will be
247 used, otherwise the group is selected from Groups.
248 First a size, as close as possible to SuggestedSize, is
250 selected. Then one group with that key size is randomly selected
251 from the specified set of groups. If no size within the limits
252 of MinSize and MaxSize is available, {error,no_group_found} is
253 returned.
254 The default set of groups is listed in lib/public_key/priv/mod‐
256 uli. This file may be regenerated like this:
257 $> cd $ERL_TOP/lib/public_key/priv/
259 $> generate
260 ---- wait until all background jobs has finished. It may take several days !
261 $> cat moduli-* > moduli
262 $> cd ..; make
263 encrypt_private(PlainText, Key) -> binary()
266 Types:
268 PlainText = binary()
270 Key = rsa_private_key()
271 Public-key encryption using the private key. See also
273 crypto:private_encrypt/4.
274 encrypt_public(PlainText, Key) -> binary()
276 Types:
278 PlainText = binary()
280 Key = rsa_public_key()
281 Public-key encryption using the public key. See also crypto:pub‐
283 lic_encrypt/4.
284 generate_key(Params) -> {Public::binary(), Private::binary()} |
286 #'ECPrivateKey'{} | #'RSAPrivateKey'{}
287 Types:
289 Params = key_params()
291 Generates a new keypair. Note that except for Diffie-Hellman the
293 public key is included in the private key structure. See also
294 crypto:generate_key/2
295 pem_decode(PemBin) -> [pem_entry()]
297 Types:
299 PemBin = binary()
301 Example {ok, PemBin} = file:read_file("cert.pem").
302 Decodes PEM binary data and returns entries as ASN.1 DER encoded
304 entities.
305 pem_encode(PemEntries) -> binary()
307 Types:
309 PemEntries = [pem_entry()]
311 Creates a PEM binary.
313 pem_entry_decode(PemEntry) -> term()
315 pem_entry_decode(PemEntry, Password) -> term()
316 Types:
318 PemEntry = pem_entry()
320 Password = string()
321 Decodes a PEM entry. pem_decode/1 returns a list of PEM entries.
323 Notice that if the PEM entry is of type 'SubjectPublickeyInfo',
324 it is further decoded to an rsa_public_key() or dsa_pub‐
325 lic_key().
326 pem_entry_encode(Asn1Type, Entity) -> pem_entry()
328 pem_entry_encode(Asn1Type, Entity, {CipherInfo, Password}) ->
329 pem_entry()
330 Types:
332 Asn1Type = pki_asn1_type()
334 Entity = term()
335 Erlang representation of Asn1Type. If Asn1Type is 'Subject‐
336 PublicKeyInfo', Entity must be either an rsa_public_key(),
337 dsa_public_key() or an ec_public_key() and this function
338 creates the appropriate 'SubjectPublicKeyInfo' entry.
339 CipherInfo = cipher_info()
340 Password = string()
341 Creates a PEM entry that can be feed to pem_encode/1.
343 pkix_decode_cert(Cert, otp|plain) -> #'Certificate'{} | #'OTPCertifi‐
345 cate'{}
346 Types:
348 Cert = der_encoded()
350 Decodes an ASN.1 DER-encoded PKIX certificate. Option otp uses
352 the customized ASN.1 specification OTP-PKIX.asn1 for decoding
353 and also recursively decode most of the standard parts.
354 pkix_encode(Asn1Type, Entity, otp | plain) -> der_encoded()
356 Types:
358 Asn1Type = atom()
360 The ASN.1 type can be 'Certificate', 'OTPCertificate' or a
361 subtype of either.
362 Entity = #'Certificate'{} | #'OTPCertificate'{} | a valid
363 subtype
364 DER encodes a PKIX x509 certificate or part of such a certifi‐
366 cate. This function must be used for encoding certificates or
367 parts of certificates that are decoded/created in the otp for‐
368 mat, whereas for the plain format this function directly calls
369 der_encode/2.
370 pkix_is_issuer(Cert, IssuerCert) -> boolean()
372 Types:
374 Cert = der_encoded() | #'OTPCertificate'{} | #'Certifi‐
376 cateList'{}
377 IssuerCert = der_encoded() | #'OTPCertificate'{}
378 Checks if IssuerCert issued Cert.
380 pkix_is_fixed_dh_cert(Cert) -> boolean()
382 Types:
384 Cert = der_encoded() | #'OTPCertificate'{}
386 Checks if a certificate is a fixed Diffie-Hellman certificate.
388 pkix_is_self_signed(Cert) -> boolean()
390 Types:
392 Cert = der_encoded() | #'OTPCertificate'{}
394 Checks if a certificate is self-signed.
396 pkix_issuer_id(Cert, IssuedBy) -> {ok, IssuerID} | {error, Reason}
398 Types:
400 Cert = der_encoded() | #'OTPCertificate'{}
402 IssuedBy = self | other
403 IssuerID = {integer(), issuer_name()}
404 The issuer id consists of the serial number and the issuers
405 name.
406 Reason = term()
407 Returns the issuer id.
409 pkix_normalize_name(Issuer) -> Normalized
411 Types:
413 Issuer = issuer_name()
415 Normalized = issuer_name()
416 Normalizes an issuer name so that it can be easily compared to
418 another issuer name.
419 pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, {PublicK‐
421 eyInfo, PolicyTree}} | {error, {bad_cert, Reason}}
422 Types:
424 TrustedCert = #'OTPCertificate'{} | der_encoded() | atom()
426 Normally a trusted certificate, but it can also be a path-
427 validation error that can be discovered while constructing
428 the input to this function and that is to be run through
429 the verify_fun. Examples are unknown_ca and self‐
430 signed_peer.
431 CertChain = [der_encoded()]
432 A list of DER-encoded certificates in trust order ending
433 with the peer certificate.
434 Options = proplists:proplist()
435 PublicKeyInfo = {?'rsaEncryption' | ?'id-dsa', rsa_pub‐
436 lic_key() | integer(), 'NULL' | 'Dss-Parms'{}}
437 PolicyTree = term()
438 At the moment this is always an empty list as policies are
439 not currently supported.
440 Reason = cert_expired | invalid_issuer | invalid_signature |
441 name_not_permitted | missing_basic_constraint |
442 invalid_key_usage | {revoked, crl_reason()} | atom()
443 Performs a basic path validation according to RFC 5280. However,
445 CRL validation is done separately by pkix_crls_validate/3 and
446 is to be called from the supplied verify_fun.
447 Available options:
449 {verify_fun, fun()}:
451 The fun must be defined as:
452 fun(OtpCert :: #'OTPCertificate'{},
454 Event :: {bad_cert, Reason :: atom() | {revoked, atom()}} |
455 {extension, #'Extension'{}},
456 InitialUserState :: term()) ->
457 {valid, UserState :: term()} |
458 {valid_peer, UserState :: term()} |
459 {fail, Reason :: term()} |
460 {unknown, UserState :: term()}.
461 If the verify callback fun returns {fail, Reason}, the veri‐
464 fication process is immediately stopped. If the verify call‐
465 back fun returns {valid, UserState}, the verification
466 process is continued. This can be used to accept specific
467 path validation errors, such as selfsigned_peer, as well as
468 verifying application-specific extensions. If called with an
469 extension unknown to the user application, the return value
470 {unknown, UserState} is to be used.
471 {max_path_length, integer()}:
473 The max_path_length is the maximum number of non-self-
474 issued intermediate certificates that can follow the peer
475 certificate in a valid certification path. So, if
476 max_path_length is 0, the PEER must be signed by the trusted
477 ROOT-CA directly, if it is 1, the path can be PEER, CA,
478 ROOT-CA, if it is 2, the path can be PEER, CA, CA, ROOT-CA,
479 and so on.
480 Possible reasons for a bad certificate:
482 cert_expired:
484 Certificate is no longer valid as its expiration date has
485 passed.
486 invalid_issuer:
488 Certificate issuer name does not match the name of the
489 issuer certificate in the chain.
490 invalid_signature:
492 Certificate was not signed by its issuer certificate in the
493 chain.
494 name_not_permitted:
496 Invalid Subject Alternative Name extension.
497 missing_basic_constraint:
499 Certificate, required to have the basic constraints exten‐
500 sion, does not have a basic constraints extension.
501 invalid_key_usage:
503 Certificate key is used in an invalid way according to the
504 key-usage extension.
505 {revoked, crl_reason()}:
507 Certificate has been revoked.
508 atom():
510 Application-specific error reason that is to be checked by
511 the verify_fun.
512 pkix_crl_issuer(CRL) -> issuer_name()
514 Types:
516 CRL = der_encoded() | #'CertificateList'{}
518 Returns the issuer of the CRL.
520 pkix_crls_validate(OTPCertificate, DPAndCRLs, Options) -> CRLStatus()
522 Types:
524 OTPCertificate = #'OTPCertificate'{}
526 DPAndCRLs = [{DP::#'DistributionPoint'{}, {Der‐
527 CRL::der_encoded(), CRL::#'CertificateList'{}}}]
528 Options = proplists:proplist()
529 CRLStatus() = valid | {bad_cert, revocation_status_undeter‐
530 mined} | {bad_cert, {revocation_status_undetermined,
531 {bad_crls, Details::term()}}} | {bad_cert, {revoked, crl_rea‐
532 son()}}
533 Performs CRL validation. It is intended to be called from the
535 verify fun of pkix_path_validation/3 .
536 Available options:
538 {update_crl, fun()}:
540 The fun has the following type specification:
541 fun(#'DistributionPoint'{}, #'CertificateList'{}) ->
543 #'CertificateList'{}
544 The fun uses the information in the distribution point to
546 access the latest possible version of the CRL. If this fun
547 is not specified, Public Key uses the default implementa‐
548 tion:
549 fun(_DP, CRL) -> CRL end
551 {issuer_fun, fun()}:
553 The fun has the following type specification:
554 fun(#'DistributionPoint'{}, #'CertificateList'{},
556 {rdnSequence,[#'AttributeTypeAndValue'{}]}, term()) ->
557 {ok, #'OTPCertificate'{}, [der_encoded]}
558 The fun returns the root certificate and certificate chain
560 that has signed the CRL.
561 fun(DP, CRL, Issuer, UserState) -> {ok, RootCert, CertChain}
563 {undetermined_details, boolean()}:
565 Defaults to false. When revocation status can not be deter‐
566 mined, and this option is set to true, details of why no
567 CRLs where accepted are included in the return value.
568 pkix_crl_verify(CRL, Cert) -> boolean()
570 Types:
572 CRL = der_encoded() | #'CertificateList'{}
574 Cert = der_encoded() | #'OTPCertificate'{}
575 Verify that Cert is the CRL signer.
577 pkix_dist_point(Cert) -> DistPoint
579 Types:
581 Cert = der_encoded() | #'OTPCertificate'{}
583 DistPoint = #'DistributionPoint'{}
584 Creates a distribution point for CRLs issued by the same issuer
586 as Cert. Can be used as input to pkix_crls_validate/3
587 pkix_dist_points(Cert) -> DistPoints
589 Types:
591 Cert = der_encoded() | #'OTPCertificate'{}
593 DistPoints = [#'DistributionPoint'{}]
594 Extracts distribution points from the certificates extensions.
596 pkix_match_dist_point(CRL, DistPoint) -> boolean()
598 Types:
600 CRL = der_encoded() | #'CertificateList'{}
602 DistPoint = #'DistributionPoint'{}
603 Checks whether the given distribution point matches the Issuing
605 Distribution Point of the CRL, as described in RFC 5280. If the
606 CRL doesn't have an Issuing Distribution Point extension, the
607 distribution point always matches.
608 pkix_sign(#'OTPTBSCertificate'{}, Key) -> der_encoded()
610 Types:
612 Key = rsa_private_key() | dsa_private_key()
614 Signs an 'OTPTBSCertificate'. Returns the corresponding DER-
616 encoded certificate.
617 pkix_sign_types(AlgorithmId) -> {DigestType, SignatureType}
619 Types:
621 AlgorithmId = oid()
623 Signature OID from a certificate or a certificate revoca‐
624 tion list.
625 DigestType = rsa_digest_type() | dss_digest_type()
626 SignatureType = rsa | dsa | ecdsa
627 Translates signature algorithm OID to Erlang digest and signa‐
629 ture types.
630 pkix_test_data(Options) -> Config
632 pkix_test_data([chain_opts()]) -> [conf_opt()]
633 Types:
635 Options = #{chain_type() := chain_opts()}
637 Options for ROOT, Intermediate and Peer certs
638 chain_type() = server_chain | client_chain
639 chain_opts() = #{root := [cert_opt()] | root_cert(), peer :=
640 [cert_opt()], intermediates => [[cert_opt()]]}
641 A valid chain must have at least a ROOT and a peer cert.
642 The root cert can be given either as a cert pre-generated
643 by pkix_test_root_cert/2 , or as root cert generation
644 options.
645 root_cert() = #{cert := der_encoded(), key := Key}
646 A root certificate generated by pkix_test_root_cert/2 .
647 cert_opt() = {Key, Value}
648 For available options see cert_opt() below.
649 Config = #{server_config := [conf_opt()], client_config :=
650 [conf_opt()]}
651 conf_opt() = {cert, der_encoded()} | {key, PrivateKey} |{cac‐
652 erts, [der_encoded()]}
653 This is a subset of the type ssl:ssl_option(). PrivateKey
654 is what generate_key/1 returns.
655 Creates certificate configuration(s) consisting of certificate
657 and its private key plus CA certificate bundle, for a client and
658 a server, intended to facilitate automated testing of applica‐
659 tions using X509-certificates, often through SSL/TLS. The test
660 data can be used when you have control over both the client and
661 the server in a test scenario.
662 When this function is called with a map containing client and
664 server chain specifications; it generates both a client and a
665 server certificate chain where the cacerts returned for the
666 server contains the root cert the server should trust and the
667 intermediate certificates the server should present to connect‐
668 ing clients. The root cert the server should trust is the one
669 used as root of the client certificate chain. Vice versa applies
670 to the cacerts returned for the client. The root cert(s) can
671 either be pre-generated with pkix_test_root_cert/2 , or if
672 options are specified; it is (they are) generated.
673 When this function is called with a list of certificate options;
675 it generates a configuration with just one node certificate
676 where cacerts contains the root cert and the intermediate certs
677 that should be presented to a peer. In this case the same root
678 cert must be used for all peers. This is useful in for example
679 an Erlang distributed cluster where any node, towards another
680 node, acts either as a server or as a client depending on who
681 connects to whom. The generated certificate contains a subject
682 altname, which is not needed in a client certificate, but makes
683 the certificate useful for both roles.
684 The cert_opt() type consists of the following options:
686 {digest, digest_type()}:
688 Hash algorithm to be used for signing the certificate
689 together with the key option. Defaults to sha that is sha1.
690 {key, key_params() | private_key()}:
692 Parameters to be used to call public_key:generate_key/1, to
693 generate a key, or an existing key. Defaults to generating
694 an ECDSA key. Note this could fail if Erlang/OTP is compiled
695 with a very old cryptolib.
696 {validity, {From::erlang:timestamp(), To::erlang:time‐
698 stamp()}} :
699 The validity period of the certificate.
700 {extensions, [#'Extension'{}]}:
702 Extensions to include in the certificate.
703 Default extensions included in CA certificates if not other‐
705 wise specified are:
706 [#'Extension'{extnID = ?'id-ce-keyUsage',
708 extnValue = [keyCertSign, cRLSign],
709 critical = false},
710 #'Extension'{extnID = ?'id-ce-basicConstraints',
711 extnValue = #'BasicConstraints'{cA = true},
712 critical = true}]
713 Default extensions included in the server peer cert if not
716 otherwise specified are:
717 [#'Extension'{extnID = ?'id-ce-keyUsage',
719 extnValue = [digitalSignature, keyAgreement],
720 critical = false},
721 #'Extension'{extnID = ?'id-ce-subjectAltName',
722 extnValue = [{dNSName, Hostname}],
723 critical = false}]
724 Hostname is the result of calling net_adm:localhost() in the
727 Erlang node where this funcion is called.
728 Note:
730 Note that the generated certificates and keys does not provide a
731 formally correct PKIX-trust-chain and they can not be used to
732 achieve real security. This function is provided for testing
733 purposes only.
734 pkix_test_root_cert(Name, Options) -> RootCert
737 Types:
739 Name = string()
741 The root certificate name.
742 Options = [cert_opt()]
743 For available options see cert_opt() under
744 pkix_test_data/1.
745 RootCert = #{cert := der_encoded(), key := Key}
746 A root certificate and key. The Key is generated by gener‐
747 ate_key/1.
748 Generates a root certificate that can be used in multiple calls
750 to pkix_test_data/1 when you want the same root certificate for
751 several generated certificates.
752 pkix_verify(Cert, Key) -> boolean()
754 Types:
756 Cert = der_encoded()
758 Key = rsa_public_key() | dsa_public_key() | ec_public_key()
759 Verifies PKIX x.509 certificate signature.
761 pkix_verify_hostname(Cert, ReferenceIDs) -> boolean()
763 pkix_verify_hostname(Cert, ReferenceIDs, Opts) -> boolean()
764 Types:
766 Cert = der_encoded() | #'OTPCertificate'{}
768 ReferenceIDs = [ RefID ]
769 RefID = {dns_id,string()} | {srv_id,string()} |
770 {uri_id,string()} | {ip,inet:ip_address()|string()} | {Other‐
771 RefID,term()}}
772 OtherRefID = atom()
773 Opts = [ PvhOpt() ]
774 PvhOpt = [MatchOpt | FailCallBackOpt | FqdnExtractOpt]
775 MatchOpt = {match_fun, fun(RefId | FQDN::string(), Presente‐
776 dID) -> boolean() | default}
777 PresentedID = {dNSName,string()} | {uniformResourceIdenti‐
778 fier,string() | {iPAddress,list(byte())} | {Other‐
779 PresId,term()}}
780 OtherPresID = atom()
781 FailCallBackOpt = {fail_callback, fun(#'OTPCertificate'{}) ->
782 boolean()}
783 FqdnExtractOpt = {fqdn_fun, fun(RefID) -> FQDN::string() |
784 default | undefined}
785 This function checks that the Presented Identifier (e.g host‐
787 name) in a peer certificate is in agreement with the Reference
788 Identifier that the client expects to be connected to. The
789 function is intended to be added as an extra client check of the
790 peer certificate when performing public_key:pkix_path_valida‐
791 tion/3
792 See RFC 6125 for detailed information about hostname verifica‐
794 tion. The User's Manual and code examples describes this func‐
795 tion more detailed.
796 The {OtherRefId,term()} is defined by the user and is passed to
798 the match_fun, if defined. If that term is a binary, it will be
799 converted to a string.
800 The ip Reference ID takes an inet:ip_address() or an ip address
802 in string format (E.g "10.0.1.1" or "1234::5678:9012") as second
803 element.
804 sign(Msg, DigestType, Key) -> binary()
806 sign(Msg, DigestType, Key, Options) -> binary()
807 Types:
809 Msg = binary() | {digest,binary()}
811 The Msg is either the binary "plain text" data to be signed
812 or it is the hashed value of "plain text", that is, the
813 digest.
814 DigestType = rsa_digest_type() | dss_digest_type() |
815 ecdsa_digest_type()
816 Key = rsa_private_key() | dsa_private_key() | ec_pri‐
817 vate_key()
818 Options = public_sign_options()
819 Creates a digital signature.
821 ssh_decode(SshBin, Type) -> [{public_key(), Attributes::list()}]
823 Types:
825 SshBin = binary()
827 Example {ok, SshBin} = file:read_file("known_hosts").
828 Type = public_key | ssh_file()
829 If Type is public_key the binary can be either an RFC4716
830 public key or an OpenSSH public key.
831 Decodes an SSH file-binary. In the case of known_hosts or
833 auth_keys, the binary can include one or more lines of the file.
834 Returns a list of public keys and their attributes, possible
835 attribute values depends on the file type represented by the
836 binary.
837 RFC4716 attributes - see RFC 4716.:
839 {headers, [{string(), utf8_string()}]}
840 auth_key attributes - see manual page for sshd.:
842 {comment, string()}{options, [string()]}{bits, integer()} -
843 In SSH version 1 files.
844 known_host attributes - see manual page for sshd.:
846 {hostnames, [string()]}{comment, string()}{bits, integer()}
847 - In SSH version 1 files.
848 ssh_encode([{Key, Attributes}], Type) -> binary()
850 Types:
852 Key = public_key()
854 Attributes = list()
855 Type = ssh_file()
856 Encodes a list of SSH file entries (public keys and attributes)
858 to a binary. Possible attributes depend on the file type, see
859 ssh_decode/2 .
860 ssh_hostkey_fingerprint(HostKey) -> string()
862 ssh_hostkey_fingerprint(DigestType, HostKey) -> string()
863 ssh_hostkey_fingerprint([DigestType], HostKey) -> [string()]
864 Types:
866 Key = public_key()
868 DigestType = digest_type()
869 Calculates a ssh fingerprint from a public host key as openssh
871 does.
872 The algorithm in ssh_hostkey_fingerprint/1 is md5 to be compati‐
874 ble with older ssh-keygen commands. The string from the second
875 variant is prepended by the algorithm name in uppercase as in
876 newer ssh-keygen commands.
877 Examples:
879 2> public_key:ssh_hostkey_fingerprint(Key).
881 "f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84"
882 3> public_key:ssh_hostkey_fingerprint(md5,Key).
884 "MD5:f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84"
885 4> public_key:ssh_hostkey_fingerprint(sha,Key).
887 "SHA1:bSLY/C4QXLDL/Iwmhyg0PGW9UbY"
888 5> public_key:ssh_hostkey_fingerprint(sha256,Key).
890 "SHA256:aZGXhabfbf4oxglxltItWeHU7ub3Dc31NcNw2cMJePQ"
891 6> public_key:ssh_hostkey_fingerprint([sha,sha256],Key).
893 ["SHA1:bSLY/C4QXLDL/Iwmhyg0PGW9UbY",
894 "SHA256:aZGXhabfbf4oxglxltItWeHU7ub3Dc31NcNw2cMJePQ"]
895 verify(Msg, DigestType, Signature, Key) -> boolean()
898 verify(Msg, DigestType, Signature, Key, Options) -> boolean()
899 Types:
901 Msg = binary() | {digest,binary()}
903 The Msg is either the binary "plain text" data or it is the
904 hashed value of "plain text", that is, the digest.
905 DigestType = rsa_digest_type() | dss_digest_type() |
906 ecdsa_digest_type()
907 Signature = binary()
908 Key = rsa_public_key() | dsa_public_key() | ec_public_key()
909 Options = public_sign_options()
910 Verifies a digital signature.
912 short_name_hash(Name) -> string()
914 Types:
916 Name = issuer_name()
918 Generates a short hash of an issuer name. The hash is returned
920 as a string containing eight hexadecimal digits.
921 The return value of this function is the same as the result of
923 the commands openssl crl -hash and openssl x509 -issuer_hash,
924 when passed the issuer name of a CRL or a certificate, respec‐
925 tively. This hash is used by the c_rehash tool to maintain a
926 directory of symlinks to CRL files, in order to facilitate look‐
927 ing up a CRL by its issuer name.
928Ericsson AB public_key 1.5.2 public_key(3)