X.509 Certificate Revocation Lists.
type t = X509.CRL.t
  The type of a revocation list, kept abstract.

val encode_der : t -> Cstruct.t
  encode_der crl is buffer, the ASN.1 DER encoding of the given certificate revocation list.

val issuer : t -> X509.Distinguished_name.t
  issuer c is the issuer of the revocation list.

val this_update : t -> Ptime.t
  this_update t is the timestamp of the revocation list.

val next_update : t -> Ptime.t option
  next_update t is either None or Some ts, the timestamp of the next update.

type revoked_cert = X509.CRL.revoked_cert = {
  serial : Z.t;
  date : Ptime.t;
  extensions : X509.Extension.t;
}
  The type of a revoked certificate, which consists of a serial number, the revocation date, and possibly extensions. See RFC 5280 section 5.3 for allowed extensions (not enforced).

val reason : revoked_cert -> X509.Extension.reason option
  reason revoked extracts the Reason extension from revoked if present.

val revoked_certificates : t -> revoked_cert list
  revoked_certificates t is the list of revoked certificates of the revocation list.

val extensions : t -> X509.Extension.t
  extensions t is the list of extensions; see RFC 5280 section 5.2 for possible values.

val crl_number : t -> int option
  crl_number t is the number of the CRL.

val signature_algorithm : t -> (X509.Key_type.signature_scheme * Mirage_crypto.Hash.hash) option
  signature_algorithm t is the algorithm used for the signature.

val validate : t -> ?allowed_hashes:Mirage_crypto.Hash.hash list -> X509.Public_key.t -> (unit, [> X509.Validation.signature_error ]) Rresult.result
  validate t ~allowed_hashes pk validates the digital signature of the revocation list. allowed_hashes defaults to SHA-2.

type verification_error = [
  | X509.Validation.signature_error
  | `Issuer_subject_mismatch of X509.Distinguished_name.t * X509.Distinguished_name.t
  | `Not_yet_valid of X509.Distinguished_name.t * Ptime.t * Ptime.t
  | `Next_update_scheduled of X509.Distinguished_name.t * Ptime.t * Ptime.t
]
  The type of CRL verification errors.

val pp_verification_error : verification_error Fmt.t
  pp_verification_error ppf vere pretty-prints the CRL verification error vere on ppf.

val verify : t -> ?allowed_hashes:Mirage_crypto.Hash.hash list -> ?time:Ptime.t -> X509.Certificate.t -> (unit, [> verification_error ]) Rresult.result
  verify t ~allowed_hashes ~time cert verifies that the issuer of t matches the subject of cert, and validates the digital signature of the revocation list. The hash algorithm used must be in allowed_hashes (defaults to SHA-2). If time is provided, it must be after this_update and before next_update of t.

val is_revoked : ?allowed_hashes:Mirage_crypto.Hash.hash list -> issuer:X509.Certificate.t -> cert:X509.Certificate.t -> t list -> bool
  is_revoked ~allowed_hashes ~issuer ~cert crls is true if there exists a revocation of cert in crls which is signed by issuer. The subject of issuer must match the issuer of the CRL. The hash algorithm used for signing must be in allowed_hashes (defaults to SHA-2).
val decode_der : contents:string -> t Core.Or_error.t

val revoke : ?digest:Mirage_crypto.Hash.hash -> issuer:Distinguished_name.t -> this_update:Ptime.t -> ?next_update:Ptime.t -> ?extensions:Extension.t -> revoked_cert list -> Private_key.t -> t Core.Or_error.t

val revoke_certificate : revoked_cert -> this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> t Core.Or_error.t

val revoke_certificates : revoked_cert list -> this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> t Core.Or_error.t

val of_pem_dir : directory:Core.Filename.t -> t list Async.Deferred.Or_error.t
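An added usage example, not part of the library's own documentation: it loads CRLs from a directory with of_pem_dir, keeps only those that verify against the issuer at the current time, and then asks is_revoked about a leaf certificate. It assumes this module is in scope as Crl, that Ptime_clock (from ptime.clock.os) is available, and that issuer and leaf are already decoded X509.Certificate.t values.

```ocaml
(* Added example, not from the library docs. Assumptions: this module is
   bound as [Crl]; Ptime_clock (ptime.clock.os) supplies the current time;
   [issuer] and [leaf] are already-decoded X509.Certificate.t values. *)
open Core
open Async

type status = [ `Revoked | `Not_revoked ]

(* Verify every CRL found in [crl_dir] against [issuer] at the current time
   and discard any that fail (issuer/subject mismatch, bad signature, not yet
   valid, or past its next_update). Only the surviving CRLs are consulted, so
   a stale or foreign CRL is never taken as evidence that [leaf] is still
   good. If no usable CRL remains, fail closed instead of answering
   "not revoked". *)
let check_revocation ~crl_dir ~(issuer : X509.Certificate.t)
    ~(leaf : X509.Certificate.t) : status Deferred.Or_error.t =
  Deferred.Or_error.bind (Crl.of_pem_dir ~directory:crl_dir) ~f:(fun crls ->
      let now = Ptime_clock.now () in
      let usable, rejected =
        List.partition_map crls ~f:(fun crl ->
            match Crl.verify crl ~time:now issuer with
            | Ok () -> Either.First crl
            | Error e ->
              Either.Second (Fmt.str "%a" Crl.pp_verification_error e))
      in
      (* Surface rejected CRLs for the operator; they are not used below. *)
      List.iter rejected ~f:(fun why -> eprintf "rejected CRL: %s\n" why);
      if List.is_empty usable then
        Deferred.Or_error.error_string
          "no current CRL signed by the issuer was found; failing closed"
      else if Crl.is_revoked ~issuer ~cert:leaf usable then
        Deferred.Or_error.return `Revoked
      else Deferred.Or_error.return `Not_revoked)
```

is_revoked already checks the signature and the issuer/subject match, but not the validity window; the explicit verify pass with ~time is what rejects a CRL whose next_update has passed.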