Library
Module
Module type
Parameter
Class
Class type
X.509 Certificate Revocation Lists.
A certificate revocation list is a signed structure consisting of an issuer, a timestamp, possibly a timestamp when to expect the next update, and a list of revoked certificates (represented by a serial, a revocation date, and extensions (e.g. reason) - see RFC 5280 section 5.2 for a list of available extensions (not enforced)). It also may contain any extensions, e.g. a CRL number and whether it is partial or complete.
val encode_der : t -> Cstruct.t
encode_der crl
is buffer
, the ASN.1 DER encoding of the given certificate revocation list.
val decode_der : Cstruct.t -> (t, [> Rresult.R.msg ]) Rresult.result
decode_der buffer
is crl
, the certificate revocation list of the ASN.1 encoded buffer.
val issuer : t -> Distinguished_name.t
issuer c
is the issuer of the revocation list.
val this_update : t -> Ptime.t
this_update t
is the timestamp of the revocation list.
val next_update : t -> Ptime.t option
next_update t
is either None
or Some ts
, the timestamp of the next update.
The type of a revoked certificate, which consists of a serial number, the revocation date, and possibly extensions. See RFC 5280 section 5.3 for allowed extensions (not enforced).
val reason : revoked_cert -> Extension.reason option
reason revoked
extracts the Reason
extension from revoked
if present.
val revoked_certificates : t -> revoked_cert list
revoked_certificates t
is the list of revoked certificates of the revocation list.
val extensions : t -> Extension.t
extensions t
is the list of extensions, see RFC 5280 section 5.2 for possible values.
val crl_number : t -> int option
crl_number t
is the number of the CRL.
val signature_algorithm :
t ->
(Key_type.signature_scheme * Mirage_crypto.Hash.hash) option
signature_algorithm t
is the algorithm used for the signature.
val validate :
t ->
?allowed_hashes:Mirage_crypto.Hash.hash list ->
Public_key.t ->
(unit, [> Validation.signature_error ]) Rresult.result
validate t ~allowed_hashes pk
validates the digital signature of the revocation list. The allowed_hashes
defaults to SHA-2.
type verification_error = [
| Validation.signature_error
| `Issuer_subject_mismatch of Distinguished_name.t * Distinguished_name.t
| `Not_yet_valid of Distinguished_name.t * Ptime.t * Ptime.t
| `Next_update_scheduled of Distinguished_name.t * Ptime.t * Ptime.t
]
The type of CRL verification errors.
val pp_verification_error : verification_error Fmt.t
pp_verification_error ppf vere
pretty-prints the CRL verification error vere
on ppf
.
val verify :
t ->
?allowed_hashes:Mirage_crypto.Hash.hash list ->
?time:Ptime.t ->
Certificate.t ->
(unit, [> verification_error ]) Rresult.result
verify t ~allowed_hashes ~time cert
verifies that the issuer of t
matches the subject of cert
, and validates the digital signature of the revocation list. The used hash algorithm must be in the allowed_hashes
(defaults to SHA-2). If time
is provided, it must be after this_update
and before next_update
of t
.
val is_revoked :
?allowed_hashes:Mirage_crypto.Hash.hash list ->
issuer:Certificate.t ->
cert:Certificate.t ->
t list ->
bool
is_revoked ~allowed_hashes ~issuer ~cert crls
is true
if there exists a revocation of cert
in crls
which is signed by the issuer
. The subject of issuer
must match the issuer of the crl. The hash algorithm used for signing must be in the allowed_hashes
(defaults to SHA-2).
val revoke :
?digest:Mirage_crypto.Hash.hash ->
issuer:Distinguished_name.t ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
?extensions:Extension.t ->
revoked_cert list ->
Private_key.t ->
(t, [> Rresult.R.msg ]) Rresult.result
revoked ~digest ~issuer ~this_update ~next_update ~extensions certs priv
constructs a revocation list with the given parameters.
val revoke_certificate :
revoked_cert ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
t ->
Private_key.t ->
(t, [> Rresult.R.msg ]) Rresult.result
revoke_certificate cert ~this_update ~next_update t priv
adds cert
to the revocation list, increments its counter, adjusts this_update
and next_update
timestamps, and digitally signs it using priv
.
val revoke_certificates :
revoked_cert list ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
t ->
Private_key.t ->
(t, [> Rresult.R.msg ]) Rresult.result
revoke_certificates certs ~this_update ~next_update t priv
adds certs
to the revocation list, increments its counter, adjusts this_update
and next_update
timestamps, and digitally signs it using priv
.