package tls-async

  1. Overview
  2. Docs

X.509 Certificate Revocation Lists.

type t = X509.CRL.t

The type of a revocation list, kept abstract.

Encoding and decoding in ASN.1 DER format

val encode_der : t -> Cstruct.t

encode_der crl is buffer, the ASN.1 DER encoding of the given certificate revocation list.

Operations on CRLs

issuer c is the issuer of the revocation list.

val this_update : t -> Ptime.t

this_update t is the timestamp of the revocation list.

val next_update : t -> Ptime.t option

next_update t is either None or Some ts, the timestamp of the next update.

type revoked_cert = X509.CRL.revoked_cert = {
  1. serial : Z.t;
  2. date : Ptime.t;
  3. extensions : X509.Extension.t;
}

The type of a revoked certificate, which consists of a serial number, the revocation date, and possibly extensions. See RFC 5280 section 5.3 for allowed extensions (not enforced).

val reason : revoked_cert -> X509.Extension.reason option

reason revoked extracts the Reason extension from revoked if present.

val revoked_certificates : t -> revoked_cert list

revoked_certificates t is the list of revoked certificates of the revocation list.

val extensions : t -> X509.Extension.t

extensions t is the list of extensions, see RFC 5280 section 5.2 for possible values.

val crl_number : t -> int option

crl_number t is the number of the CRL.

val signature_algorithm : t -> (X509.Key_type.signature_scheme * Mirage_crypto.Hash.hash) option

signature_algorithm t is the algorithm used for the signature.

Validation and verification of CRLs

val validate : t -> ?allowed_hashes:Mirage_crypto.Hash.hash list -> X509.Public_key.t -> (unit, [> X509.Validation.signature_error ]) result

validate t ~allowed_hashes pk validates the digital signature of the revocation list. The allowed_hashes defaults to SHA-2.

type verification_error = [
  1. | X509.Validation.signature_error
  2. | `Issuer_subject_mismatch of X509.Distinguished_name.t * X509.Distinguished_name.t
  3. | `Not_yet_valid of X509.Distinguished_name.t * Ptime.t * Ptime.t
  4. | `Next_update_scheduled of X509.Distinguished_name.t * Ptime.t * Ptime.t
]

The type of CRL verification errors.

val pp_verification_error : verification_error Fmt.t

pp_verification_error ppf vere pretty-prints the CRL verification error vere on ppf.

val verify : t -> ?allowed_hashes:Mirage_crypto.Hash.hash list -> ?time:Ptime.t -> X509.Certificate.t -> (unit, [> verification_error ]) result

verify t ~allowed_hashes ~time cert verifies that the issuer of t matches the subject of cert, and validates the digital signature of the revocation list. The used hash algorithm must be in the allowed_hashes (defaults to SHA-2). If time is provided, it must be after this_update and before next_update of t.

val is_revoked : ?allowed_hashes:Mirage_crypto.Hash.hash list -> issuer:X509.Certificate.t -> cert:X509.Certificate.t -> t list -> bool

is_revoked ~allowed_hashes ~issuer ~cert crls is true if there exists a revocation of cert in crls which is signed by the issuer. The subject of issuer must match the issuer of the crl. The hash algorithm used for signing must be in the allowed_hashes (defaults to SHA-2).

Construction and signing of CRLs

val decode_der : contents:string -> t Core.Or_error.t
val revoke : ?digest:Mirage_crypto.Hash.hash -> issuer:Distinguished_name.t -> this_update:Ptime.t -> ?next_update:Ptime.t -> ?extensions:Extension.t -> revoked_cert list -> Private_key.t -> t Core.Or_error.t
val revoke_certificate : revoked_cert -> this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> t Core.Or_error.t
val revoke_certificates : revoked_cert list -> this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> t Core.Or_error.t
val of_pem_dir : directory:Core.Filename.t -> t list Async.Deferred.Or_error.t