Legend:
Library
Module
Module type
Parameter
Class
Class type
Library
Module
Module type
Parameter
Class
Class type
package tls-async
X.509 Certificate Revocation Lists.
type t = X509.CRL.tThe type of a revocation list, kept abstract.
Encoding and decoding in ASN.1 DER format
val encode_der : t -> stringencode_der crl is buffer, the ASN.1 DER encoding of the given certificate revocation list.
Operations on CRLs
val issuer : t -> X509.Distinguished_name.tissuer c is the issuer of the revocation list.
val this_update : t -> Ptime.tthis_update t is the timestamp of the revocation list.
val next_update : t -> Ptime.t optionnext_update t is either None or Some ts, the timestamp of the next update.
type revoked_cert = X509.CRL.revoked_cert = {serial : string;date : Ptime.t;extensions : X509.Extension.t;
}The type of a revoked certificate, which consists of a serial number, the revocation date, and possibly extensions. See RFC 5280 section 5.3 for allowed extensions (not enforced).
val reason : revoked_cert -> X509.Extension.reason optionreason revoked extracts the Reason extension from revoked if present.
val revoked_certificates : t -> revoked_cert listrevoked_certificates t is the list of revoked certificates of the revocation list.
val extensions : t -> X509.Extension.textensions t is the list of extensions, see RFC 5280 section 5.2 for possible values.
val crl_number : t -> int optioncrl_number t is the number of the CRL.
val signature_algorithm :
t ->
(X509.Key_type.signature_scheme * Digestif.hash') optionsignature_algorithm t is the algorithm used for the signature.
Validation and verification of CRLs
val validate :
t ->
?allowed_hashes:Digestif.hash' list ->
X509.Public_key.t ->
(unit, [> X509.Validation.signature_error ]) Stdlib.resultvalidate t ~allowed_hashes pk validates the digital signature of the revocation list. The allowed_hashes defaults to SHA-2.
type verification_error = [ | X509.Validation.signature_error| `Issuer_subject_mismatch of X509.Distinguished_name.t * X509.Distinguished_name.t| `Not_yet_valid of X509.Distinguished_name.t * Ptime.t * Ptime.t| `Next_update_scheduled of X509.Distinguished_name.t * Ptime.t * Ptime.t
]The type of CRL verification errors.
val pp_verification_error : verification_error Fmt.tpp_verification_error ppf vere pretty-prints the CRL verification error vere on ppf.
val verify :
t ->
?allowed_hashes:Digestif.hash' list ->
?time:Ptime.t ->
X509.Certificate.t ->
(unit, [> verification_error ]) Stdlib.resultverify t ~allowed_hashes ~time cert verifies that the issuer of t matches the subject of cert, and validates the digital signature of the revocation list. The used hash algorithm must be in the allowed_hashes (defaults to SHA-2). If time is provided, it must be after this_update and before next_update of t.
val is_revoked :
?allowed_hashes:Digestif.hash' list ->
issuer:X509.Certificate.t ->
cert:X509.Certificate.t ->
t list ->
boolis_revoked ~allowed_hashes ~issuer ~cert crls is true if there exists a revocation of cert in crls which is signed by the issuer. The subject of issuer must match the issuer of the crl. The hash algorithm used for signing must be in the allowed_hashes (defaults to SHA-2).
Construction and signing of CRLs
val decode_der : contents:string -> t Core.Or_error.tval revoke :
?digest:Digestif.hash' ->
issuer:Distinguished_name.t ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
?extensions:Extension.t ->
revoked_cert list ->
Private_key.t ->
t Core.Or_error.tval revoke_certificate :
revoked_cert ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
t ->
Private_key.t ->
t Core.Or_error.tval revoke_certificates :
revoked_cert list ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
t ->
Private_key.t ->
t Core.Or_error.tval of_pem_dir : directory:Core.Filename.t -> t list Async.Deferred.Or_error.t