Encoding and decoding in ASN.1 DER format
encode_der crl is buffer, the ASN.1 DER encoding of the given certificate revocation list.
val decode_der : Cstruct.t -> (t, [> Rresult.R.msg ]) Rresult.resultdecode_der buffer is crl, the certificate revocation list of the ASN.1 encoded buffer.
Operations on CRLs
val issuer : t -> Distinguished_name.tissuer c is the issuer of the revocation list.
next_update t is either None or Some ts, the timestamp of the next update.
The type of a revoked certificate, which consists of a serial number, the revocation date, and possibly extensions. See RFC 5280 section 5.3 for allowed extensions (not enforced).
val reason : revoked_cert -> Extension.reason optionreason revoked extracts the Reason extension from revoked if present.
val revoked_certificates : t -> revoked_cert listrevoked_certificates t is the list of revoked certificates of the revocation list.
val extensions : t -> Extension.textensions t is the list of extensions, see RFC 5280 section 5.2 for possible values.
val crl_number : t -> int optioncrl_number t is the number of the CRL.
val signature_algorithm : t -> ([ `RSA | `ECDSA ] * Mirage_crypto.Hash.hash) optionsignature_algorithm t is the algorithm used for the signature.
Validation and verification of CRLs
val validate : t -> ?hash_whitelist:Mirage_crypto.Hash.hash list -> Public_key.t -> (unit, [> Validation.signature_error ]) Rresult.resultvalidate t ~hash_whitelist pk validates the digital signature of the revocation list. The hash_whitelist defaults to SHA-2.
type verification_error = [ | Validation.signature_error |
| `Issuer_subject_mismatch of Distinguished_name.t * Distinguished_name.t |
| `Not_yet_valid of Distinguished_name.t * Ptime.t * Ptime.t |
| `Next_update_scheduled of Distinguished_name.t * Ptime.t * Ptime.t |
]The type of CRL verification errors.
val pp_verification_error : verification_error Fmt.tpp_validation_error ppf vere pretty-prints the CRL verification error vere on ppf.
val verify : t -> ?hash_whitelist:Mirage_crypto.Hash.hash list -> ?time:Ptime.t -> Certificate.t -> (unit, [> verification_error ]) Rresult.resultverify t ~hash_whitelist ~time cert verifies that the issuer of t matches the subject of cert, and validates the digital signature of the revocation list. The used hash algorithm must be in the hash_whitelist (defaults to SHA-2). If time is provided, it must be after this_update and before next_update of t.
val is_revoked : t list -> ?hash_whitelist:Mirage_crypto.Hash.hash list -> issuer:Certificate.t -> cert:Certificate.t -> boolis_revoked crls ~hash_whitelist ~issuer ~cert is true if there exists a revocation of cert in crls which is signed by the issuer. The subject of issuer must match the issuer of the crl. The hash algorithm used for signing must be in the hash_whitelist (defaults to SHA-2).
Construction and signing of CRLs
val revoke : ?digest:Mirage_crypto.Hash.hash -> issuer:Distinguished_name.t -> this_update:Ptime.t -> ?next_update:Ptime.t -> ?extensions:Extension.t -> revoked_cert list -> Private_key.t -> trevoked ~digest ~issuer ~this_update ~next_update ~extensions certs priv constructs a revocation list with the given parameters.
val revoke_certificate : revoked_cert -> this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> trevoke_certificate cert ~this_update ~next_update t priv adds cert to the revocation list, increments its counter, adjusts this_update and next_update timestamps, and digitally signs it using priv.
val revoke_certificates : revoked_cert list -> this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> trevoke_certificates certs ~this_update ~next_update t priv adds certs to the revocation list, increments its counter, adjusts this_update and next_update timestamps, and digitally signs it using priv.