1ssl_crl_cache_api(3)       Erlang Module Definition       ssl_crl_cache_api(3)
2
3
4

NAME

6       ssl_crl_cache_api  -  API  for  a TLS CRL (Certificate Revocation List)
7       cache.
8

DESCRIPTION

10       When TLS performs certificate path validation according to RFC 5280  it
11       should also perform CRL validation checks. To enable the CRL checks the
12       application needs access to CRLs. A database of CRLs can be set  up  in
13       many  different  ways.  This  module  provides  the behavior of the API
14       needed to integrate an arbitrary CRL cache with the erlang ssl applica‐
15       tion. It is also used by the application itself to provide a simple de‐
16       fault implementation of a CRL cache.
17

DATA TYPES

19       crl_cache_ref() = any()
20
21              Reference to the CRL cache.
22
23       dist_point() = #'DistributionPoint'{}
24
25              For description see  X509 certificates records
26
27       logger_info() =
28           {logger:level(),
29            Report :: #{description => string(), reason => term()},
30            logger:metadata()}
31
32              Information for ssl applications use of  Logger(3)
33

EXPORTS

35       Module:fresh_crl(DistributionPoint, CRL) -> FreshCRL
36       Module:fresh_crl(DistributionPoint, CRL)  ->  FreshCRL  |  {LoggerInfo,
37       FreshCRL}
38
39              Types:
40
41                  DistributionPoint =  dist_point()
42                  CRL = [public_key:der_encoded()]
43                  FreshCRL = [public_key:der_encoded()]
44                  LoggerInfo = {logger,  logger_info() }}
45
46              fun fresh_crl/2  will be used as input option update_crl to pub‐
47              lic_key:pkix_crls_validate/3
48
49              It is possible to return logger info that will be  used  by  the
50              TLS connection to produce log events.
51
52       Module:lookup(DistributionPoint,  Issuer,  DbHandle) -> not_available |
53       CRLs | {LoggerInfo, CRLs}
54       Module:lookup(DistributionPoint, Issuer, DbHandle) ->  not_available  |
55       CRLs
56       Module:lookup(DistributionPoint, DbHandle) -> not_available | CRLs
57
58              Types:
59
60                  DistributionPoint =  dist_point()
61                  Issuer = public_key:issuer_name()
62                  DbHandle =  crl_cache_ref()
63                  CRLs = [public_key:der_encoded()]
64                  LoggerInfo = {logger,  logger_info() }}
65
66              Lookup  the  CRLs belonging to the distribution point  Distribu‐
67              tionpoint. This function may choose to only look in the cache or
68              to follow distribution point links depending on how the cache is
69              administrated.
70
71              The Issuer argument contains the issuer name of the  certificate
72              to  be  checked.  Normally  the returned CRL should be issued by
73              this issuer, except if the cRLIssuer field of  DistributionPoint
74              has a value, in which case that value should be used instead.
75
76              In  an earlier version of this API, the lookup function received
77              two arguments, omitting Issuer. For compatibility, this is still
78              supported: if there is no lookup/3 function in the callback mod‐
79              ule, lookup/2 is called instead.
80
81              It is possible to return logger info that will be  used  by  the
82              TLS connection to produce log events.
83
84       Module:select(Issuer, DbHandle) -> CRLs | {LoggerInfo, CRLs}
85       Module:select(Issuer, DbHandle) -> CRLs
86
87              Types:
88
89                  Issuer = public_key:issuer_name() | list()
90                  DbHandle =  cache_ref()
91                  LoggerInfo = {logger,  logger_info() }
92
93              Select  the  CRLs  in the cache that are issued by Issuer unless
94              the value is a list of so called general names, see   X509  cer‐
95              tificates  records, originating form #'DistributionPoint'.cRLis‐
96              suer and representing different mechanism to  obtain  the  CRLs.
97              The cache callback needs to use the appropriate entry to retrive
98              the CRLs or return an empty list if it does not exist.
99
100              It is possible to return logger info that will be  used  by  the
101              TLS connection to produce log events.
102
103
104
105Ericsson AB                       ssl 10.5.3              ssl_crl_cache_api(3)
Impressum