ssl_crl_cache_api

MODULE

ssl_crl_cache_api

MODULE SUMMARY

API for a SSL/TLS CRL (Certificate Revocation List) cache.

DESCRIPTION

When SSL/TLS performs certificate path validation according to RFC 5280 it should also perform CRL validation checks. To enable the CRL checks the application needs access to CRLs. A database of CRLs can be set up in many different ways. This module provides the behavior of the API needed to integrate an arbitrary CRL cache with the erlang ssl application. It is also used by the application itself to provide a simple default implementation of a CRL cache.

DATA TYPES

The following data types are used in the functions below:

cache_ref() =: opaque()
dist_point() =: #'DistributionPoint'{} see X509 certificates records

EXPORTS

fresh_crl(DistributionPoint, CRL) -> FreshCRL

Types:

DistributionPoint = dist_point()

CRL = [public_key:der_encoded()]

FreshCRL = [public_key:der_encoded()]

fun fresh_crl/2 will be used as input option update_crl to public_key:pkix_crls_validate/3

lookup(DistributionPoint, DbHandle) -> not_available | CRLs

Types:

DistributionPoint = dist_point()

DbHandle = cache_ref()

CRLs = [public_key:der_encoded()]

Lookup the CRLs belonging to the distribution point Distributionpoint. This function may choose to only look in the cache or to follow distribution point links depending on how the cache is administrated.

select(Issuer, DbHandle) -> CRLs

Types:

Issuer = public_key:issuer_name()

DbHandle = cache_ref()

Select the CRLs in the cache that are issued by Issuer