package x509

  1. Overview
  2. Docs

X.509 Certificate Revocation Lists.

A certificate revocation list is a signed structure consisting of an issuer, a timestamp, possibly a timestamp when to expect the next update, and a list of revoked certificates (represented by a serial, a revocation date, and extensions (e.g. reason) - see RFC 5280 section 5.2 for a list of available extensions (not enforced)). It also may contain any extensions, e.g. a CRL number and whether it is partial or complete.

type c

The type of a revocation list, kept abstract.

val issuer : c -> distinguished_name

issuer c is the issuer of the revocation list.

val this_update : c -> Ptime.t

this_update t is the timestamp of the revocation list.

val next_update : c -> Ptime.t option

next_update t is either None or Some ts, the timestamp of the next update.

type revoked_cert = {
  1. serial : Z.t;
  2. date : Ptime.t;
  3. extensions : (bool * Extension.t) list;
}

The type of a revoked certificate, which consists of a serial number, the revocation date, and possibly extensions. See RFC 5280 setion 5.3 for allowed extensions (not enforced).

val reason : revoked_cert -> Extension.reason_code option

reason revoked extracts the Reason extension from revoked if present.

val revoked_certificates : c -> revoked_cert list

revoked_certificates t is the list of revoked certificates of the revocation list.

val extensions : c -> (bool * Extension.t) list

extensions t is the list of extensions, see RFC 5280 section 5.2 for possible values.

val crl_number : c -> int option

crl_number t is the number of the CRL.

val validate : c -> public_key -> bool

validate t pk validates the digital signature of the revocation list.

val verify : c -> ?time:Ptime.t -> t -> bool

verify t ~time cert verifies that the issuer of t matches the subject of cert, and validates the digital signature of the revocation list. If time is provided, it must be after this_update and before next_update of t.

val is_revoked : c list -> issuer:t -> cert:t -> bool

is_revoked crls ~issuer ~cert is true if there exists a revocation of cert in crls which is signed by the issuer. The subject of issuer must match the issuer of the crl.

val revoke : ?digest:Nocrypto.Hash.hash -> issuer:distinguished_name -> this_update:Ptime.t -> ?next_update:Ptime.t -> ?extensions:(bool * Extension.t) list -> revoked_cert list -> private_key -> c

revoked ~digest ~issuer ~this_update ~next_update ~extensions certs priv constructs a revocation list with the given parameters.

val revoke_certificate : revoked_cert -> this_update:Ptime.t -> ?next_update:Ptime.t -> c -> private_key -> c

revoke_certificate cert ~this_update ~next_update t priv adds cert to the revocation list, increments its counter, adjusts this_update and next_update timestamps, and digitally signs it using priv.

val revoke_certificates : revoked_cert list -> this_update:Ptime.t -> ?next_update:Ptime.t -> c -> private_key -> c

revoke_certificates certs ~this_update ~next_update t priv adds certs to the revocation list, increments its counter, adjusts this_update and next_update timestamps, and digitally signs it using priv.