package x509

X.509 Certificate Revocation Lists.

A certificate revocation list is a signed structure consisting of an issuer, a timestamp, optionally a timestamp for when to expect the next update, and a list of revoked certificates. Each revoked certificate is represented by a serial, a revocation date, and extensions (e.g. reason); see RFC 5280 section 5.2 for a list of available extensions (not enforced). The list itself may also contain extensions, e.g. a CRL number and whether it is partial or complete.

type t

The type of a revocation list, kept abstract.

Encoding and decoding in ASN.1 DER format

val encode_der : t -> Cstruct.t

encode_der crl is buffer, the ASN.1 DER encoding of the given certificate revocation list.

val decode_der : Cstruct.t -> (t, [> Rresult.R.msg ]) Rresult.result

decode_der buffer is crl, the certificate revocation list of the ASN.1 encoded buffer.

Operations on CRLs

val issuer : t -> Distinguished_name.t

issuer c is the issuer of the revocation list.

val this_update : t -> Ptime.t

this_update t is the timestamp of the revocation list.

val next_update : t -> Ptime.t option

next_update t is either None or Some ts, the timestamp of the next update.

type revoked_cert = {
  serial : Z.t;
  date : Ptime.t;
  extensions : Extension.t;
}

The type of a revoked certificate, which consists of a serial number, the revocation date, and possibly extensions. See RFC 5280 section 5.3 for allowed extensions (not enforced).

val reason : revoked_cert -> Extension.reason option

reason revoked extracts the Reason extension from revoked if present.

val revoked_certificates : t -> revoked_cert list

revoked_certificates t is the list of revoked certificates of the revocation list.

val extensions : t -> Extension.t

extensions t is the list of extensions, see RFC 5280 section 5.2 for possible values.

val crl_number : t -> int option

crl_number t is the number of the CRL.

Validation and verification of CRLs

val validate : t -> Public_key.t -> bool

validate t pk validates the digital signature of the revocation list.

val verify : t -> ?time:Ptime.t -> Certificate.t -> bool

verify t ~time cert verifies that the issuer of t matches the subject of cert, and validates the digital signature of the revocation list. If time is provided, it must be after this_update and before next_update of t.

val is_revoked : t list -> issuer:Certificate.t -> cert:Certificate.t -> bool

is_revoked crls ~issuer ~cert is true if there exists a revocation of cert in crls which is signed by the issuer. The subject of issuer must match the issuer of the crl.
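The following is an added example, not part of the library or its documentation: a revocation check that fails closed. Since is_revoked takes no time argument, the sketch first runs verify with an explicit ~time so that a stale or unsigned CRL is never consulted. It assumes this module is reachable as X509.CRL and Certificate.t as X509.Certificate.t; the status type, the check_revocation helper and the policy of rejecting a CRL without next_update are hypothetical choices made for the example.

```ocaml
(* Added example. Assumptions: the module documented on this page is
   reachable as X509.CRL, and Certificate.t is X509.Certificate.t. *)

type status =
  | Good
  | Revoked
  | Unknown of string (* no trustworthy CRL: the caller should fail closed *)

(* Hypothetical helper. [buf] is one DER-encoded CRL, [issuer] the CA
   certificate expected to have signed it, [cert] the certificate being
   checked, and [now] the current time supplied by the caller. *)
let check_revocation ~(now : Ptime.t) ~(issuer : X509.Certificate.t)
    ~(cert : X509.Certificate.t) (buf : Cstruct.t) : status =
  match X509.CRL.decode_der buf with
  | Error (`Msg m) -> Unknown ("CRL does not parse: " ^ m)
  | Ok crl ->
    (match X509.CRL.next_update crl with
     | None ->
       (* Example policy: without next_update the age of the list
          cannot be bounded, so it is not trusted. *)
       Unknown "CRL has no next_update"
     | Some _ ->
       (* verify checks issuer/subject match, signature and, because
          ~time is passed, the this_update/next_update window. *)
       if not (X509.CRL.verify crl ~time:now issuer) then
         Unknown "CRL failed issuer, signature or validity-window check"
       else if X509.CRL.is_revoked [ crl ] ~issuer ~cert then Revoked
       else Good)
```

A caller would map Unknown to rejection rather than to Good, so that a missing, expired or forged CRL cannot make a revoked certificate pass.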

Construction and signing of CRLs

val revoke : ?digest:Nocrypto.Hash.hash -> issuer:Distinguished_name.t -> this_update:Ptime.t -> ?next_update:Ptime.t -> ?extensions:Extension.t -> revoked_cert list -> Private_key.t -> t

revoke ~digest ~issuer ~this_update ~next_update ~extensions certs priv constructs a revocation list with the given parameters.

val revoke_certificate : revoked_cert -> this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> t

revoke_certificate cert ~this_update ~next_update t priv adds cert to the revocation list, increments its counter, adjusts this_update and next_update timestamps, and digitally signs it using priv.

val revoke_certificates : revoked_cert list -> this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> t

revoke_certificates certs ~this_update ~next_update t priv adds certs to the revocation list, increments its counter, adjusts this_update and next_update timestamps, and digitally signs it using priv.