1public_key(3) Erlang Module Definition public_key(3)
2
3
4
6 public_key - API module for public-key infrastructure.
7
9 Provides functions to handle public-key infrastructure, for details see
10 public_key(6).
11
13 Note:
14 All records used in this Reference Manual are generated from ASN.1
15 specifications and are documented in the User's Guide. See Public-key
16 Records.
17
18
19 Use the following include directive to get access to the records and
20 constant macros described here and in the User's Guide:
21
22 -include_lib("public_key/include/public_key.hrl").
23
24 The following data types are used in the functions for public_key:
25
26 oid():
27 Object identifier, a tuple of integers as generated by the ASN.1
28 compiler.
29
30 boolean() =:
31 true | false
32
33 string() =:
34 [bytes()]
35
36 der_encoded() =:
37 binary()
38
39 pki_asn1_type() =:
40 'Certificate'
41
42 | 'RSAPrivateKey'
43
44 | 'RSAPublicKey'
45
46 | 'DSAPrivateKey'
47
48 | 'DSAPublicKey'
49
50 | 'DHParameter'
51
52 | 'SubjectPublicKeyInfo'
53
54 | 'PrivateKeyInfo'
55
56 | 'CertificationRequest'
57
58 | 'CertificateList'
59
60 | 'ECPrivateKey'
61
62 | 'EcpkParameters'
63
64 pem_entry () =:
65 {pki_asn1_type(), binary(), %% DER or encrypted DER
66
67 not_encrypted | cipher_info()}
68
69 cipher_info() = :
70 {"RC2-CBC" | "DES-CBC" | "DES-EDE3-CBC",
71 crypto:strong_rand_bytes(8)
72
73 | {#'PBEParameter{}, digest_type()} | #'PBES2-params'{}}
74
75 public_key() =:
76 rsa_public_key() | dsa_public_key() | ec_public_key()
77
78 private_key() =:
79 rsa_private_key() | dsa_private_key() | ec_private_key()
80
81 rsa_public_key() =:
82 #'RSAPublicKey'{}
83
84 rsa_private_key() =:
85 #'RSAPrivateKey'{}
86
87 dsa_public_key() =:
88 {integer(), #'Dss-Parms'{}}
89
90 dsa_private_key() =:
91 #'DSAPrivateKey'{}
92
93 ec_public_key():
94 = {#'ECPoint'{}, #'ECParameters'{} | {namedCurve, oid()}}
95
96 ec_private_key() =:
97 #'ECPrivateKey'{}
98
99 key_params() =:
100 #'DHParameter'{} | {namedCurve, oid()} | #'ECParameters'{} | {rsa,
101 Size::integer(), PubExp::integer()}
102
103 public_crypt_options() =:
104 [{rsa_pad, rsa_padding()}]
105
106 rsa_padding() =:
107 'rsa_pkcs1_padding'
108
109 | 'rsa_pkcs1_oaep_padding'
110
111 | 'rsa_no_padding'
112
113 public_sign_options() =:
114 [{rsa_pad, rsa_sign_padding()} | {rsa_pss_saltlen, integer()}]
115
116 rsa_sign_padding() =:
117 'rsa_pkcs1_padding'
118
119 | 'rsa_pkcs1_pss_padding'
120
121 digest_type() = :
122 Union of rsa_digest_type(), dss_digest_type(), and
123 ecdsa_digest_type().
124
125 rsa_digest_type() = :
126 'md5' | 'ripemd160' | 'sha' | 'sha224' | 'sha256' | 'sha384' |
127 'sha512'
128
129 dss_digest_type() = :
130 'sha' | 'sha224' | 'sha256' | 'sha384' | 'sha512'
131
132 Note that the actual supported dss_digest_type depends on the
133 underlying crypto library. In OpenSSL version >= 1.0.1 the listed
134 digest are supported, while in 1.0.0 only sha, sha224 and sha256
135 are supported. In version 0.9.8 only sha is supported.
136
137 ecdsa_digest_type() = :
138 'sha' | 'sha224' | 'sha256' | 'sha384' | 'sha512'
139
140 crl_reason() = :
141 unspecified
142
143 | keyCompromise
144
145 | cACompromise
146
147 | affiliationChanged
148
149 | superseded
150
151 | cessationOfOperation
152
153 | certificateHold
154
155 | privilegeWithdrawn
156
157 | aACompromise
158
159 issuer_name() =:
160 {rdnSequence,[#'AttributeTypeAndValue'{}]}
161
162 ssh_file() =:
163 openssh_public_key
164
165 | rfc4716_public_key
166
167 | known_hosts
168
169 | auth_keys
170
172 compute_key(OthersKey, MyKey)->
173 compute_key(OthersKey, MyKey, Params)->
174
175 Types:
176
177 OthersKey = #'ECPoint'{} | binary(), MyKey = #'ECPri‐
178 vateKey'{} | binary()
179 Params = #'DHParameter'{}
180
181 Computes shared secret.
182
183 decrypt_private(CipherText, Key) -> binary()
184 decrypt_private(CipherText, Key, Options) -> binary()
185
186 Types:
187
188 CipherText = binary()
189 Key = rsa_private_key()
190 Options = public_crypt_options()
191
192 Public-key decryption using the private key. See also
193 crypto:private_decrypt/4
194
195 decrypt_public(CipherText, Key) - > binary()
196 decrypt_public(CipherText, Key, Options) - > binary()
197
198 Types:
199
200 CipherText = binary()
201 Key = rsa_public_key()
202 Options = public_crypt_options()
203
204 Public-key decryption using the public key. See also crypto:pub‐
205 lic_decrypt/4
206
207 der_decode(Asn1type, Der) -> term()
208
209 Types:
210
211 Asn1Type = atom()
212 ASN.1 type present in the Public Key applications ASN.1
213 specifications.
214 Der = der_encoded()
215
216 Decodes a public-key ASN.1 DER encoded entity.
217
218 der_encode(Asn1Type, Entity) -> der_encoded()
219
220 Types:
221
222 Asn1Type = atom()
223 ASN.1 type present in the Public Key applications ASN.1
224 specifications.
225 Entity = term()
226 Erlang representation of Asn1Type
227
228 Encodes a public-key entity with ASN.1 DER encoding.
229
230 dh_gex_group(MinSize, SuggestedSize, MaxSize, Groups) -> {ok,
231 {Size,Group}} | {error,Error}
232
233 Types:
234
235 MinSize = positive_integer()
236 SuggestedSize = positive_integer()
237 MaxSize = positive_integer()
238 Groups = undefined | [{Size,[{G,P}]}]
239 Size = positive_integer()
240 Group = {G,P}
241 G = positive_integer()
242 P = positive_integer()
243
244 Selects a group for Diffie-Hellman key exchange with the key
245 size in the range MinSize...MaxSize and as close to Suggested‐
246 Size as possible. If Groups == undefined a default set will be
247 used, otherwise the group is selected from Groups.
248
249 First a size, as close as possible to SuggestedSize, is
250 selected. Then one group with that key size is randomly selected
251 from the specified set of groups. If no size within the limits
252 of MinSize and MaxSize is available, {error,no_group_found} is
253 returned.
254
255 The default set of groups is listed in lib/public_key/priv/mod‐
256 uli. This file may be regenerated like this:
257
258 $> cd $ERL_TOP/lib/public_key/priv/
259 $> generate
260 ---- wait until all background jobs has finished. It may take several days !
261 $> cat moduli-* > moduli
262 $> cd ..; make
263
264
265 encrypt_private(PlainText, Key) -> binary()
266
267 Types:
268
269 PlainText = binary()
270 Key = rsa_private_key()
271
272 Public-key encryption using the private key. See also
273 crypto:private_encrypt/4.
274
275 encrypt_public(PlainText, Key) -> binary()
276
277 Types:
278
279 PlainText = binary()
280 Key = rsa_public_key()
281
282 Public-key encryption using the public key. See also crypto:pub‐
283 lic_encrypt/4.
284
285 generate_key(Params) -> {Public::binary(), Private::binary()} |
286 #'ECPrivateKey'{} | #'RSAPrivateKey'{}
287
288 Types:
289
290 Params = key_params()
291
292 Generates a new keypair. Note that except for Diffie-Hellman the
293 public key is included in the private key structure. See also
294 crypto:generate_key/2
295
296 pem_decode(PemBin) -> [pem_entry()]
297
298 Types:
299
300 PemBin = binary()
301 Example {ok, PemBin} = file:read_file("cert.pem").
302
303 Decodes PEM binary data and returns entries as ASN.1 DER encoded
304 entities.
305
306 pem_encode(PemEntries) -> binary()
307
308 Types:
309
310 PemEntries = [pem_entry()]
311
312 Creates a PEM binary.
313
314 pem_entry_decode(PemEntry) -> term()
315 pem_entry_decode(PemEntry, Password) -> term()
316
317 Types:
318
319 PemEntry = pem_entry()
320 Password = string()
321
322 Decodes a PEM entry. pem_decode/1 returns a list of PEM entries.
323 Notice that if the PEM entry is of type 'SubjectPublickeyInfo',
324 it is further decoded to an rsa_public_key() or dsa_pub‐
325 lic_key().
326
327 pem_entry_encode(Asn1Type, Entity) -> pem_entry()
328 pem_entry_encode(Asn1Type, Entity, {CipherInfo, Password}) ->
329 pem_entry()
330
331 Types:
332
333 Asn1Type = pki_asn1_type()
334 Entity = term()
335 Erlang representation of Asn1Type. If Asn1Type is 'Subject‐
336 PublicKeyInfo', Entity must be either an rsa_public_key(),
337 dsa_public_key() or an ec_public_key() and this function
338 creates the appropriate 'SubjectPublicKeyInfo' entry.
339 CipherInfo = cipher_info()
340 Password = string()
341
342 Creates a PEM entry that can be feed to pem_encode/1.
343
344 pkix_decode_cert(Cert, otp|plain) -> #'Certificate'{} | #'OTPCertifi‐
345 cate'{}
346
347 Types:
348
349 Cert = der_encoded()
350
351 Decodes an ASN.1 DER-encoded PKIX certificate. Option otp uses
352 the customized ASN.1 specification OTP-PKIX.asn1 for decoding
353 and also recursively decode most of the standard parts.
354
355 pkix_encode(Asn1Type, Entity, otp | plain) -> der_encoded()
356
357 Types:
358
359 Asn1Type = atom()
360 The ASN.1 type can be 'Certificate', 'OTPCertificate' or a
361 subtype of either.
362 Entity = #'Certificate'{} | #'OTPCertificate'{} | a valid
363 subtype
364
365 DER encodes a PKIX x509 certificate or part of such a certifi‐
366 cate. This function must be used for encoding certificates or
367 parts of certificates that are decoded/created in the otp for‐
368 mat, whereas for the plain format this function directly calls
369 der_encode/2.
370
371 pkix_is_issuer(Cert, IssuerCert) -> boolean()
372
373 Types:
374
375 Cert = der_encoded() | #'OTPCertificate'{} | #'Certifi‐
376 cateList'{}
377 IssuerCert = der_encoded() | #'OTPCertificate'{}
378
379 Checks if IssuerCert issued Cert.
380
381 pkix_is_fixed_dh_cert(Cert) -> boolean()
382
383 Types:
384
385 Cert = der_encoded() | #'OTPCertificate'{}
386
387 Checks if a certificate is a fixed Diffie-Hellman certificate.
388
389 pkix_is_self_signed(Cert) -> boolean()
390
391 Types:
392
393 Cert = der_encoded() | #'OTPCertificate'{}
394
395 Checks if a certificate is self-signed.
396
397 pkix_issuer_id(Cert, IssuedBy) -> {ok, IssuerID} | {error, Reason}
398
399 Types:
400
401 Cert = der_encoded() | #'OTPCertificate'{}
402 IssuedBy = self | other
403 IssuerID = {integer(), issuer_name()}
404 The issuer id consists of the serial number and the issuers
405 name.
406 Reason = term()
407
408 Returns the issuer id.
409
410 pkix_normalize_name(Issuer) -> Normalized
411
412 Types:
413
414 Issuer = issuer_name()
415 Normalized = issuer_name()
416
417 Normalizes an issuer name so that it can be easily compared to
418 another issuer name.
419
420 pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, {PublicK‐
421 eyInfo, PolicyTree}} | {error, {bad_cert, Reason}}
422
423 Types:
424
425 TrustedCert = #'OTPCertificate'{} | der_encoded() | atom()
426 Normally a trusted certificate, but it can also be a path-
427 validation error that can be discovered while constructing
428 the input to this function and that is to be run through
429 the verify_fun. Examples are unknown_ca and self‐
430 signed_peer.
431 CertChain = [der_encoded()]
432 A list of DER-encoded certificates in trust order ending
433 with the peer certificate.
434 Options = proplists:proplist()
435 PublicKeyInfo = {?'rsaEncryption' | ?'id-dsa', rsa_pub‐
436 lic_key() | integer(), 'NULL' | 'Dss-Parms'{}}
437 PolicyTree = term()
438 At the moment this is always an empty list as policies are
439 not currently supported.
440 Reason = cert_expired | invalid_issuer | invalid_signature |
441 name_not_permitted | missing_basic_constraint |
442 invalid_key_usage | {revoked, crl_reason()} | atom()
443
444 Performs a basic path validation according to RFC 5280. However,
445 CRL validation is done separately by pkix_crls_validate/3 and
446 is to be called from the supplied verify_fun.
447
448 Available options:
449
450 {verify_fun, fun()}:
451 The fun must be defined as:
452
453 fun(OtpCert :: #'OTPCertificate'{},
454 Event :: {bad_cert, Reason :: atom() | {revoked, atom()}} |
455 {extension, #'Extension'{}},
456 InitialUserState :: term()) ->
457 {valid, UserState :: term()} |
458 {valid_peer, UserState :: term()} |
459 {fail, Reason :: term()} |
460 {unknown, UserState :: term()}.
461
462
463 If the verify callback fun returns {fail, Reason}, the veri‐
464 fication process is immediately stopped. If the verify call‐
465 back fun returns {valid, UserState}, the verification
466 process is continued. This can be used to accept specific
467 path validation errors, such as selfsigned_peer, as well as
468 verifying application-specific extensions. If called with an
469 extension unknown to the user application, the return value
470 {unknown, UserState} is to be used.
471
472 {max_path_length, integer()}:
473 The max_path_length is the maximum number of non-self-
474 issued intermediate certificates that can follow the peer
475 certificate in a valid certification path. So, if
476 max_path_length is 0, the PEER must be signed by the trusted
477 ROOT-CA directly, if it is 1, the path can be PEER, CA,
478 ROOT-CA, if it is 2, the path can be PEER, CA, CA, ROOT-CA,
479 and so on.
480
481 Possible reasons for a bad certificate:
482
483 cert_expired:
484 Certificate is no longer valid as its expiration date has
485 passed.
486
487 invalid_issuer:
488 Certificate issuer name does not match the name of the
489 issuer certificate in the chain.
490
491 invalid_signature:
492 Certificate was not signed by its issuer certificate in the
493 chain.
494
495 name_not_permitted:
496 Invalid Subject Alternative Name extension.
497
498 missing_basic_constraint:
499 Certificate, required to have the basic constraints exten‐
500 sion, does not have a basic constraints extension.
501
502 invalid_key_usage:
503 Certificate key is used in an invalid way according to the
504 key-usage extension.
505
506 {revoked, crl_reason()}:
507 Certificate has been revoked.
508
509 atom():
510 Application-specific error reason that is to be checked by
511 the verify_fun.
512
513 pkix_crl_issuer(CRL) -> issuer_name()
514
515 Types:
516
517 CRL = der_encoded() | #'CertificateList'{}
518
519 Returns the issuer of the CRL.
520
521 pkix_crls_validate(OTPCertificate, DPAndCRLs, Options) -> CRLStatus()
522
523 Types:
524
525 OTPCertificate = #'OTPCertificate'{}
526 DPAndCRLs = [{DP::#'DistributionPoint'{}, {Der‐
527 CRL::der_encoded(), CRL::#'CertificateList'{}}}]
528 Options = proplists:proplist()
529 CRLStatus() = valid | {bad_cert, revocation_status_undeter‐
530 mined} | {bad_cert, {revocation_status_undetermined,
531 {bad_crls, Details::term()}}} | {bad_cert, {revoked, crl_rea‐
532 son()}}
533
534 Performs CRL validation. It is intended to be called from the
535 verify fun of pkix_path_validation/3 .
536
537 Available options:
538
539 {update_crl, fun()}:
540 The fun has the following type specification:
541
542 fun(#'DistributionPoint'{}, #'CertificateList'{}) ->
543 #'CertificateList'{}
544
545 The fun uses the information in the distribution point to
546 access the latest possible version of the CRL. If this fun
547 is not specified, Public Key uses the default implementa‐
548 tion:
549
550 fun(_DP, CRL) -> CRL end
551
552 {issuer_fun, fun()}:
553 The fun has the following type specification:
554
555 fun(#'DistributionPoint'{}, #'CertificateList'{},
556 {rdnSequence,[#'AttributeTypeAndValue'{}]}, term()) ->
557 {ok, #'OTPCertificate'{}, [der_encoded]}
558
559 The fun returns the root certificate and certificate chain
560 that has signed the CRL.
561
562 fun(DP, CRL, Issuer, UserState) -> {ok, RootCert, CertChain}
563
564 {undetermined_details, boolean()}:
565 Defaults to false. When revocation status can not be deter‐
566 mined, and this option is set to true, details of why no
567 CRLs where accepted are included in the return value.
568
569 pkix_crl_verify(CRL, Cert) -> boolean()
570
571 Types:
572
573 CRL = der_encoded() | #'CertificateList'{}
574 Cert = der_encoded() | #'OTPCertificate'{}
575
576 Verify that Cert is the CRL signer.
577
578 pkix_dist_point(Cert) -> DistPoint
579
580 Types:
581
582 Cert = der_encoded() | #'OTPCertificate'{}
583 DistPoint = #'DistributionPoint'{}
584
585 Creates a distribution point for CRLs issued by the same issuer
586 as Cert. Can be used as input to pkix_crls_validate/3
587
588 pkix_dist_points(Cert) -> DistPoints
589
590 Types:
591
592 Cert = der_encoded() | #'OTPCertificate'{}
593 DistPoints = [#'DistributionPoint'{}]
594
595 Extracts distribution points from the certificates extensions.
596
597 pkix_match_dist_point(CRL, DistPoint) -> boolean()
598
599 Types:
600
601 CRL = der_encoded() | #'CertificateList'{}
602 DistPoint = #'DistributionPoint'{}
603
604 Checks whether the given distribution point matches the Issuing
605 Distribution Point of the CRL, as described in RFC 5280. If the
606 CRL doesn't have an Issuing Distribution Point extension, the
607 distribution point always matches.
608
609 pkix_sign(#'OTPTBSCertificate'{}, Key) -> der_encoded()
610
611 Types:
612
613 Key = rsa_private_key() | dsa_private_key()
614
615 Signs an 'OTPTBSCertificate'. Returns the corresponding DER-
616 encoded certificate.
617
618 pkix_sign_types(AlgorithmId) -> {DigestType, SignatureType}
619
620 Types:
621
622 AlgorithmId = oid()
623 Signature OID from a certificate or a certificate revoca‐
624 tion list.
625 DigestType = rsa_digest_type() | dss_digest_type()
626 SignatureType = rsa | dsa | ecdsa
627
628 Translates signature algorithm OID to Erlang digest and signa‐
629 ture types.
630
631 pkix_test_data(Options) -> Config
632 pkix_test_data([chain_opts()]) -> [conf_opt()]
633
634 Types:
635
636 Options = #{chain_type() := chain_opts()}
637 Options for ROOT, Intermediate and Peer certs
638 chain_type() = server_chain | client_chain
639 chain_opts() = #{root := [cert_opt()] | root_cert(), peer :=
640 [cert_opt()], intermediates => [[cert_opt()]]}
641 A valid chain must have at least a ROOT and a peer cert.
642 The root cert can be given either as a cert pre-generated
643 by pkix_test_root_cert/2 , or as root cert generation
644 options.
645 root_cert() = #{cert := der_encoded(), key := Key}
646 A root certificate generated by pkix_test_root_cert/2 .
647 cert_opt() = {Key, Value}
648 For available options see cert_opt() below.
649 Config = #{server_config := [conf_opt()], client_config :=
650 [conf_opt()]}
651 conf_opt() = {cert, der_encoded()} | {key, PrivateKey} |{cac‐
652 erts, [der_encoded()]}
653 This is a subset of the type ssl:ssl_option(). PrivateKey
654 is what generate_key/1 returns.
655
656 Creates certificate configuration(s) consisting of certificate
657 and its private key plus CA certificate bundle, for a client and
658 a server, intended to facilitate automated testing of applica‐
659 tions using X509-certificates, often through SSL/TLS. The test
660 data can be used when you have control over both the client and
661 the server in a test scenario.
662
663 When this function is called with a map containing client and
664 server chain specifications; it generates both a client and a
665 server certificate chain where the cacerts returned for the
666 server contains the root cert the server should trust and the
667 intermediate certificates the server should present to connect‐
668 ing clients. The root cert the server should trust is the one
669 used as root of the client certificate chain. Vice versa applies
670 to the cacerts returned for the client. The root cert(s) can
671 either be pre-generated with pkix_test_root_cert/2 , or if
672 options are specified; it is (they are) generated.
673
674 When this function is called with a list of certificate options;
675 it generates a configuration with just one node certificate
676 where cacerts contains the root cert and the intermediate certs
677 that should be presented to a peer. In this case the same root
678 cert must be used for all peers. This is useful in for example
679 an Erlang distributed cluster where any node, towards another
680 node, acts either as a server or as a client depending on who
681 connects to whom. The generated certificate contains a subject
682 altname, which is not needed in a client certificate, but makes
683 the certificate useful for both roles.
684
685 The cert_opt() type consists of the following options:
686
687 {digest, digest_type()}:
688 Hash algorithm to be used for signing the certificate
689 together with the key option. Defaults to sha that is sha1.
690
691 {key, key_params() | private_key()}:
692 Parameters to be used to call public_key:generate_key/1, to
693 generate a key, or an existing key. Defaults to generating
694 an ECDSA key. Note this could fail if Erlang/OTP is compiled
695 with a very old cryptolib.
696
697 {validity, {From::erlang:timestamp(), To::erlang:time‐
698 stamp()}} :
699 The validity period of the certificate.
700
701 {extensions, [#'Extension'{}]}:
702 Extensions to include in the certificate.
703
704 Default extensions included in CA certificates if not other‐
705 wise specified are:
706
707 [#'Extension'{extnID = ?'id-ce-keyUsage',
708 extnValue = [keyCertSign, cRLSign],
709 critical = false},
710 #'Extension'{extnID = ?'id-ce-basicConstraints',
711 extnValue = #'BasicConstraints'{cA = true},
712 critical = true}]
713
714
715 Default extensions included in the server peer cert if not
716 otherwise specified are:
717
718 [#'Extension'{extnID = ?'id-ce-keyUsage',
719 extnValue = [digitalSignature, keyAgreement],
720 critical = false},
721 #'Extension'{extnID = ?'id-ce-subjectAltName',
722 extnValue = [{dNSName, Hostname}],
723 critical = false}]
724
725
726 Hostname is the result of calling net_adm:localhost() in the
727 Erlang node where this funcion is called.
728
729 Note:
730 Note that the generated certificates and keys does not provide a
731 formally correct PKIX-trust-chain and they can not be used to
732 achieve real security. This function is provided for testing
733 purposes only.
734
735
736 pkix_test_root_cert(Name, Options) -> RootCert
737
738 Types:
739
740 Name = string()
741 The root certificate name.
742 Options = [cert_opt()]
743 For available options see cert_opt() under
744 pkix_test_data/1.
745 RootCert = #{cert := der_encoded(), key := Key}
746 A root certificate and key. The Key is generated by gener‐
747 ate_key/1.
748
749 Generates a root certificate that can be used in multiple calls
750 to pkix_test_data/1 when you want the same root certificate for
751 several generated certificates.
752
753 pkix_verify(Cert, Key) -> boolean()
754
755 Types:
756
757 Cert = der_encoded()
758 Key = rsa_public_key() | dsa_public_key() | ec_public_key()
759
760 Verifies PKIX x.509 certificate signature.
761
762 pkix_verify_hostname(Cert, ReferenceIDs) -> boolean()
763 pkix_verify_hostname(Cert, ReferenceIDs, Opts) -> boolean()
764
765 Types:
766
767 Cert = der_encoded() | #'OTPCertificate'{}
768 ReferenceIDs = [ RefID ]
769 RefID = {dns_id,string()} | {srv_id,string()} |
770 {uri_id,string()} | {ip,inet:ip_address()|string()} | {Other‐
771 RefID,term()}}
772 OtherRefID = atom()
773 Opts = [ PvhOpt() ]
774 PvhOpt = [MatchOpt | FailCallBackOpt | FqdnExtractOpt]
775 MatchOpt = {match_fun, fun(RefId | FQDN::string(), Presente‐
776 dID) -> boolean() | default}
777 PresentedID = {dNSName,string()} | {uniformResourceIdenti‐
778 fier,string() | {iPAddress,list(byte())} | {Other‐
779 PresId,term()}}
780 OtherPresID = atom()
781 FailCallBackOpt = {fail_callback, fun(#'OTPCertificate'{}) ->
782 boolean()}
783 FqdnExtractOpt = {fqdn_fun, fun(RefID) -> FQDN::string() |
784 default | undefined}
785
786 This function checks that the Presented Identifier (e.g host‐
787 name) in a peer certificate is in agreement with the Reference
788 Identifier that the client expects to be connected to. The
789 function is intended to be added as an extra client check of the
790 peer certificate when performing public_key:pkix_path_valida‐
791 tion/3
792
793 See RFC 6125 for detailed information about hostname verifica‐
794 tion. The User's Manual and code examples describes this func‐
795 tion more detailed.
796
797 The {OtherRefId,term()} is defined by the user and is passed to
798 the match_fun, if defined. If that term is a binary, it will be
799 converted to a string.
800
801 The ip Reference ID takes an inet:ip_address() or an ip address
802 in string format (E.g "10.0.1.1" or "1234::5678:9012") as second
803 element.
804
805 sign(Msg, DigestType, Key) -> binary()
806 sign(Msg, DigestType, Key, Options) -> binary()
807
808 Types:
809
810 Msg = binary() | {digest,binary()}
811 The Msg is either the binary "plain text" data to be signed
812 or it is the hashed value of "plain text", that is, the
813 digest.
814 DigestType = rsa_digest_type() | dss_digest_type() |
815 ecdsa_digest_type()
816 Key = rsa_private_key() | dsa_private_key() | ec_pri‐
817 vate_key()
818 Options = public_sign_options()
819
820 Creates a digital signature.
821
822 ssh_decode(SshBin, Type) -> [{public_key(), Attributes::list()}]
823
824 Types:
825
826 SshBin = binary()
827 Example {ok, SshBin} = file:read_file("known_hosts").
828 Type = public_key | ssh_file()
829 If Type is public_key the binary can be either an RFC4716
830 public key or an OpenSSH public key.
831
832 Decodes an SSH file-binary. In the case of known_hosts or
833 auth_keys, the binary can include one or more lines of the file.
834 Returns a list of public keys and their attributes, possible
835 attribute values depends on the file type represented by the
836 binary.
837
838 RFC4716 attributes - see RFC 4716.:
839 {headers, [{string(), utf8_string()}]}
840
841 auth_key attributes - see manual page for sshd.:
842 {comment, string()}{options, [string()]}{bits, integer()} -
843 In SSH version 1 files.
844
845 known_host attributes - see manual page for sshd.:
846 {hostnames, [string()]}{comment, string()}{bits, integer()}
847 - In SSH version 1 files.
848
849 ssh_encode([{Key, Attributes}], Type) -> binary()
850
851 Types:
852
853 Key = public_key()
854 Attributes = list()
855 Type = ssh_file()
856
857 Encodes a list of SSH file entries (public keys and attributes)
858 to a binary. Possible attributes depend on the file type, see
859 ssh_decode/2 .
860
861 ssh_hostkey_fingerprint(HostKey) -> string()
862 ssh_hostkey_fingerprint(DigestType, HostKey) -> string()
863 ssh_hostkey_fingerprint([DigestType], HostKey) -> [string()]
864
865 Types:
866
867 Key = public_key()
868 DigestType = digest_type()
869
870 Calculates a ssh fingerprint from a public host key as openssh
871 does.
872
873 The algorithm in ssh_hostkey_fingerprint/1 is md5 to be compati‐
874 ble with older ssh-keygen commands. The string from the second
875 variant is prepended by the algorithm name in uppercase as in
876 newer ssh-keygen commands.
877
878 Examples:
879
880 2> public_key:ssh_hostkey_fingerprint(Key).
881 "f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84"
882
883 3> public_key:ssh_hostkey_fingerprint(md5,Key).
884 "MD5:f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84"
885
886 4> public_key:ssh_hostkey_fingerprint(sha,Key).
887 "SHA1:bSLY/C4QXLDL/Iwmhyg0PGW9UbY"
888
889 5> public_key:ssh_hostkey_fingerprint(sha256,Key).
890 "SHA256:aZGXhabfbf4oxglxltItWeHU7ub3Dc31NcNw2cMJePQ"
891
892 6> public_key:ssh_hostkey_fingerprint([sha,sha256],Key).
893 ["SHA1:bSLY/C4QXLDL/Iwmhyg0PGW9UbY",
894 "SHA256:aZGXhabfbf4oxglxltItWeHU7ub3Dc31NcNw2cMJePQ"]
895
896
897 verify(Msg, DigestType, Signature, Key) -> boolean()
898 verify(Msg, DigestType, Signature, Key, Options) -> boolean()
899
900 Types:
901
902 Msg = binary() | {digest,binary()}
903 The Msg is either the binary "plain text" data or it is the
904 hashed value of "plain text", that is, the digest.
905 DigestType = rsa_digest_type() | dss_digest_type() |
906 ecdsa_digest_type()
907 Signature = binary()
908 Key = rsa_public_key() | dsa_public_key() | ec_public_key()
909 Options = public_sign_options()
910
911 Verifies a digital signature.
912
913 short_name_hash(Name) -> string()
914
915 Types:
916
917 Name = issuer_name()
918
919 Generates a short hash of an issuer name. The hash is returned
920 as a string containing eight hexadecimal digits.
921
922 The return value of this function is the same as the result of
923 the commands openssl crl -hash and openssl x509 -issuer_hash,
924 when passed the issuer name of a CRL or a certificate, respec‐
925 tively. This hash is used by the c_rehash tool to maintain a
926 directory of symlinks to CRL files, in order to facilitate look‐
927 ing up a CRL by its issuer name.
928
929
930
931Ericsson AB public_key 1.5.2 public_key(3)