Library
Module
Module type
Parameter
Class
Class type
X.509 Certificate Revocation Lists.
A certificate revocation list is a signed structure consisting of an issuer, a timestamp, possibly a timestamp when to expect the next update, and a list of revoked certificates (represented by a serial, a revocation date, and extensions (e.g. reason) - see RFC 5280 section 5.2 for a list of available extensions (not enforced)). It also may contain any extensions, e.g. a CRL number and whether it is partial or complete.
val encode_der : t -> Cstruct.t
encode_der crl
is buffer
, the ASN.1 DER encoding of the given certificate revocation list.
val decode_der : Cstruct.t -> (t, [> Rresult.R.msg ]) Rresult.result
decode_der buffer
is crl
, the certificate revocation list of the ASN.1 encoded buffer.
val issuer : t -> Distinguished_name.t
issuer c
is the issuer of the revocation list.
val this_update : t -> Ptime.t
this_update t
is the timestamp of the revocation list.
val next_update : t -> Ptime.t option
next_update t
is either None
or Some ts
, the timestamp of the next update.
The type of a revoked certificate, which consists of a serial number, the revocation date, and possibly extensions. See RFC 5280 section 5.3 for allowed extensions (not enforced).
val reason : revoked_cert -> Extension.reason option
reason revoked
extracts the Reason
extension from revoked
if present.
val revoked_certificates : t -> revoked_cert list
revoked_certificates t
is the list of revoked certificates of the revocation list.
val extensions : t -> Extension.t
extensions t
is the list of extensions, see RFC 5280 section 5.2 for possible values.
val crl_number : t -> int option
crl_number t
is the number of the CRL.
val validate : t -> Public_key.t -> bool
validate t pk
validates the digital signature of the revocation list.
val verify : t -> ?time:Ptime.t -> Certificate.t -> bool
verify t ~time cert
verifies that the issuer of t
matches the subject of cert
, and validates the digital signature of the revocation list. If time
is provided, it must be after this_update
and before next_update
of t
.
val is_revoked : t list -> issuer:Certificate.t -> cert:Certificate.t -> bool
is_revoked crls ~issuer ~cert
is true
if there exists a revocation of cert
in crls
which is signed by the issuer
. The subject of issuer
must match the issuer of the crl.
val revoke :
?digest:Nocrypto.Hash.hash ->
issuer:Distinguished_name.t ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
?extensions:Extension.t ->
revoked_cert list ->
Private_key.t ->
t
revoked ~digest ~issuer ~this_update ~next_update ~extensions certs priv
constructs a revocation list with the given parameters.
val revoke_certificate :
revoked_cert ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
t ->
Private_key.t ->
t
revoke_certificate cert ~this_update ~next_update t priv
adds cert
to the revocation list, increments its counter, adjusts this_update
and next_update
timestamps, and digitally signs it using priv
.
val revoke_certificates :
revoked_cert list ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
t ->
Private_key.t ->
t
revoke_certificates certs ~this_update ~next_update t priv
adds certs
to the revocation list, increments its counter, adjusts this_update
and next_update
timestamps, and digitally signs it using priv
.