1ssl_crl_cache_api(3) Erlang Module Definition ssl_crl_cache_api(3)
2
3
4
6 ssl_crl_cache_api - API for a TLS CRL (Certificate Revocation List)
7 cache.
8
10 When TLS performs certificate path validation according to RFC 5280 it
11 should also perform CRL validation checks. To enable the CRL checks the
12 application needs access to CRLs. A database of CRLs can be set up in
13 many different ways. This module provides the behavior of the API
14 needed to integrate an arbitrary CRL cache with the erlang ssl applica‐
15 tion. It is also used by the application itself to provide a simple
16 default implementation of a CRL cache.
17
19 crl_cache_ref() = any()
20
21 Reference to the CRL cache.
22
23 dist_point() = #'DistributionPoint'{}
24
25 For description see X509 certificates records
26
27 logger_info() =
28 {logger:level(),
29 Report :: #{description => string(), reason => term()},
30 logger:metadata()}
31
32 Information for ssl applications use of Logger(3)
33
35 Module:fresh_crl(DistributionPoint, CRL) -> FreshCRL
36 Module:fresh_crl(DistributionPoint, CRL) -> FreshCRL | {LoggerInfo,
37 FreshCRL}
38
39 Types:
40
41 DistributionPoint = dist_point()
42 CRL = [public_key:der_encoded()]
43 FreshCRL = [public_key:der_encoded()]
44 LoggerInfo = {logger, logger_info() }}
45
46 fun fresh_crl/2 will be used as input option update_crl to pub‐
47 lic_key:pkix_crls_validate/3
48
49 It is possible to return logger info that will be used by the
50 TLS connection to produce log events.
51
52 Module:lookup(DistributionPoint, Issuer, DbHandle) -> not_available |
53 CRLs | {LoggerInfo, CRLs}
54 Module:lookup(DistributionPoint, Issuer, DbHandle) -> not_available |
55 CRLs
56 Module:lookup(DistributionPoint, DbHandle) -> not_available | CRLs
57
58 Types:
59
60 DistributionPoint = dist_point()
61 Issuer = public_key:issuer_name()
62 DbHandle = crl_cache_ref()
63 CRLs = [public_key:der_encoded()]
64 LoggerInfo = {logger, logger_info() }}
65
66 Lookup the CRLs belonging to the distribution point Distribu‐
67 tionpoint. This function may choose to only look in the cache or
68 to follow distribution point links depending on how the cache is
69 administrated.
70
71 The Issuer argument contains the issuer name of the certificate
72 to be checked. Normally the returned CRL should be issued by
73 this issuer, except if the cRLIssuer field of DistributionPoint
74 has a value, in which case that value should be used instead.
75
76 In an earlier version of this API, the lookup function received
77 two arguments, omitting Issuer. For compatibility, this is still
78 supported: if there is no lookup/3 function in the callback mod‐
79 ule, lookup/2 is called instead.
80
81 It is possible to return logger info that will be used by the
82 TLS connection to produce log events.
83
84 Module:select(Issuer, DbHandle) -> CRLs | {LoggerInfo, CRLs}
85 Module:select(Issuer, DbHandle) -> CRLs
86
87 Types:
88
89 Issuer = public_key:issuer_name() | list()
90 DbHandle = cache_ref()
91 LoggerInfo = {logger, logger_info() }
92
93 Select the CRLs in the cache that are issued by Issuer unless
94 the value is a list of so called general names, see X509 cer‐
95 tificates records, originating form #'DistributionPoint'.cRLis‐
96 suer and representing different mechanism to obtain the CRLs.
97 The cache callback needs to use the appropriate entry to retrive
98 the CRLs or return an empty list if it does not exist.
99
100 It is possible to return logger info that will be used by the
101 TLS connection to produce log events.
102
103
104
105Ericsson AB ssl 10.3 ssl_crl_cache_api(3)