121
117
<!-- that would satisfy this policy in the certificate x+1. </item> -->
122
118
<!-- </taglist> -->
127
<name>decode_private_key(KeyInfo) -> </name>
128
<name>decode_private_key(KeyInfo, Password) -> {ok, PrivateKey} | {error, Reason}</name>
129
<fsummary> Decodes an asn1 der encoded private key.</fsummary>
131
<v> KeyInfo = {KeyType, der_bin(), ChipherInfo} </v>
132
<d> As returned from pem_to_der/1 for private keys</d>
133
<v> KeyType = rsa_private_key | dsa_private_key </v>
134
<v> ChipherInfo = opaque() | no_encryption </v>
135
<d> ChipherInfo may contain encryption parameters if the private key is password
136
protected, these are opaque to the user just pass the value returned by pem_to_der/1
137
to this function.</d>
138
<v> Password = string() </v>
139
<d>Must be specified if CipherInfo =/= no_encryption</d>
140
<v> PrivateKey = private_key() </v>
141
<v> Reason = term() </v>
144
<p>Decodes an asn1 der encoded private key.</p>
149
<name>pem_to_der(File) -> {ok, [Entry]}</name>
150
<fsummary>Reads a PEM file and translates it into its asn1 der
151
encoded parts.</fsummary>
154
<v>Password = string()</v>
155
<v>Entry = {entry_type(), der_bin(), CipherInfo}</v>
156
<v> ChipherInfo = opaque() | no_encryption </v>
157
<d> ChipherInfo may contain encryption parameters if the private key is password
158
protected, these will be handled by the function decode_private_key/2. </d>
159
<v>entry_type() = cert | cert_req | rsa_private_key | dsa_private_key |
163
<p>Reads a PEM file and translates it into its asn1 der
169
<name>pkix_decode_cert(Cert, Type) -> {ok, DecodedCert} | {error, Reason}</name>
170
<fsummary> Decodes an asn1 der encoded pkix certificate. </fsummary>
172
<v>Cert = asn1_der_encoded() </v>
173
<v>Type = plain | otp</v>
174
<v>DecodeCert = x509_certificate() </v>
175
<d>When type is specified as otp the asn1 spec OTP-PKIX.asn1 is used to decode known
176
extensions and enhance the signature field in
177
#'Certificate'{} and '#TBSCertificate'{}. This is currently used by the new ssl
178
implementation but not documented and supported for the public_key application.</d>
179
<v>Reason = term() </v>
182
<p> Decodes an asn1 encoded pkix certificate.</p>
187
<!-- <name> pkix_encode_cert(Cert) -> {ok, EncodedCert} | {error, Reason}</name> -->
188
<!-- <fsummary>Encodes a certificate record using asn1. </fsummary> -->
190
<!-- <v>Cert = x509_certificate() </v> -->
191
<!-- <v>EncodedCert = asn1_der_encoded() </v> -->
192
<!-- <v>Reason = term() </v> -->
195
<!-- <p> Encodes a certificate record using asn1.</p> -->
200
<!-- <name>pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, Result} | {error, Reason}</name> -->
202
<!-- <fsummary>Performs a basic path validation according to RFC 3280</fsummary> -->
204
<!-- <v>TrustedCert = asn1_der_encoded()</v> -->
205
<!-- <v>CertChain = [asn1_der_encoded()]</v> -->
206
<!-- <v>Options = [{Option, Value}]</v> -->
207
<!-- <v>Result = {{algorithm(), public_key(), -->
208
<!-- public_key_params()}, policy_tree()}</v> -->
212
<!-- <p>Available options are: </p> -->
214
<!-- <tag>{validate_extension_fun, fun()}</tag> -->
215
<!-- <item> A fun behaving according to the following outline: -->
218
<!-- ValidateExtensionFun = fun(Extensions, UserState) -> -->
219
<!-- validate_extensions(Extensions, UserState, []) -->
223
<!-- validate_extensions([], UserState, UnknowExtension) -> -->
224
<!-- {UserState, UnknowExtension}; -->
225
<!-- validate_extensions([#'Extension'{} = Ext | Rest], UserState, UnknowExtension) -> -->
226
<!-- case valid_extension(Ext) of -->
227
<!-- {true, NewUserState} -> -->
228
<!-- validate_extensions(Rest, NewUserState, UnknowExtension); -->
230
<!-- validate_extensions(Rest, UserState, [Ext | UnknowExtension]); -->
231
<!-- {false, Reason} -> -->
232
<!-- throw(bad_cert, Reason) -->
238
<!-- <tag>{policy_set, [oid()]}</tag> -->
239
<!-- <item>A set of certificate policy -->
240
<!-- identifiers naming the policies that are acceptable to the -->
241
<!-- certificate user. If the user is not concerned about -->
242
<!-- certificate policy there is no need -->
243
<!-- to set this option. Defaults to the -->
244
<!-- special value [?anyPolicy]. -->
247
<!-- <tag>{policy_mapping, boolean()}</tag> -->
248
<!-- <item>Indicates if policy -->
249
<!-- mapping, initially, is allowed in the certification path. -->
250
<!-- Defaults to false. -->
253
<!-- <tag> {explicit_policy, boolean()}</tag> -->
254
<!-- <item>Indicates if the path, initially, must be -->
255
<!-- valid for at least one of the certificate policies in the user -->
256
<!-- specified policy set. -->
257
<!-- Defaults to false. -->
260
<!-- <tag>{inhibit_any_policy, boolean()}</tag> -->
261
<!-- <item>Indicates whether the anyPolicy OID, initially, should -->
262
<!-- be processed if it is included in a certificate. -->
263
<!-- Defaults to false. -->
268
<!-- <p>Performs a basic path validation according to RFC 3280, -->
269
<!-- e.i. signature validation, time validation, issuer validation, -->
270
<!-- alternative subject name validation, CRL validation, policy -->
271
<!-- validation and checks that no unknown extensions -->
272
<!-- are marked as critical. The option <c>validate_extension_fun</c> -->
273
<!-- may be used to validate application specific extensions. If -->
274
<!-- a validation criteria is found to be invalid the validation process -->
275
<!-- will immediately be stopped and this functions will return -->
276
<!-- {error, Reason}. -->
282
<!-- <name>sign(DigestOrTBSCert, Key) -> </name> -->
283
<!-- <name>sign(DigestOrTBSCert, Key, KeyParams) -> {ok, SignatureOrDerCert} | {error, Reason}</name> -->
284
<!-- <fsummary>Signs Digest/Certificate using Key.</fsummary> -->
286
<!-- <v>DigestOrTBSCert = binary() | x509_tbs_certificate()</v> -->
287
<!-- <v>Key = private_key()</v> -->
288
<!-- <v>SignatureORDerCert = binary() | der_bin() </v> -->
289
<!-- <v>Reason = term() </v> -->
292
<!-- <p> Signs Digest/Certificate using Key, in the later -->
293
<!-- case a der encoded x509_certificate() will be returned. </p> -->
298
<!-- <name>verify_signature(Digest, Signature, Key) -> </name> -->
299
<!-- <name>verify_signature(DerCert, Key, KeyParams) -> </name> -->
300
<!-- <name>verify_signature(Digest, Signature, Key, Params) -> Verified </name> -->
301
<!-- <fsummary> Verifies the signature. </fsummary> -->
303
<!-- <v>Digest = binary() </v> -->
304
<!-- <v>DerCert = der_bin() </v> -->
305
<!-- <v>Signature = binary() </v> -->
306
<!-- <v>Key = public_key() </v> -->
307
<!-- <v>Params = key_params()</v> -->
308
<!-- <v>Verified = boolean()</v> -->
311
<!-- <p> Verifies the signature Signature. If the key is an rsa-key no -->
312
<!-- paramters are neeed.</p> -->
124
<name>decrypt_private(CipherText, Key [, Options]) -> binary()</name>
125
<fsummary>Public key decryption.</fsummary>
127
<v>CipherText = binary()</v>
128
<v>Key = rsa_private_key()</v>
129
<v>Options = public_crypt_options()</v>
132
<p>Public key decryption using the private key.</p>
137
<name>decrypt_public(CipherText, Key [, Options]) - > binary()</name>
138
<fsummary></fsummary>
140
<v>CipherText = binary()</v>
141
<v>Key = rsa_public_key()</v>
142
<v>Options = public_crypt_options()</v>
145
<p> Public key decryption using the public key.</p>
150
<name>der_decode(Asn1type, Der) -> term()</name>
151
<fsummary> Decodes a public key asn1 der encoded entity.</fsummary>
153
<v>Asn1Type = atom() -</v>
154
<d> Asn1 type present in the public_key applications
155
asn1 specifications.</d>
156
<v>Der = der_encoded()</v>
159
<p> Decodes a public key asn1 der encoded entity.</p>
164
<name>der_encode(Asn1Type, Entity) -> der_encoded()</name>
165
<fsummary> Encodes a public key entity with asn1 DER encoding.</fsummary>
167
<v>Asn1Type = atom()</v>
168
<d> Asn1 type present in the public_key applications
169
asn1 specifications.</d>
170
<v>Entity = term() - The erlang representation of <c> Asn1Type</c></v>
173
<p> Encodes a public key entity with asn1 DER encoding.</p>
178
<name>pem_decode(PemBin) -> [pem_entry()]</name>
179
<fsummary>Decode PEM binary data and return
180
entries as asn1 der encoded entities. </fsummary>
182
<v>PemBin = binary()</v>
183
<d>Example {ok, PemBin} = file:read_file("cert.pem").</d>
186
<p>Decode PEM binary data and return
187
entries as asn1 der encoded entities.</p>
192
<name>pem_encode(PemEntries) -> binary()</name>
193
<fsummary>Creates a PEM binary</fsummary>
195
<v> PemEntries = [pem_entry()] </v>
198
<p>Creates a PEM binary</p>
203
<name>pem_entry_decode(PemEntry [, Password]) -> term()</name>
204
<fsummary>Decodes a pem entry.</fsummary>
206
<v> PemEntry = pem_entry() </v>
207
<v> Password = string() </v>
210
<p>Decodes a pem entry. pem_decode/1 returns a list of pem
211
entries. Note that if the pem entry is of type
212
'SubjectPublickeyInfo' it will be further decoded to an
213
rsa_public_key() or dsa_public_key().</p>
218
<name>pem_entry_encode(Asn1Type, Entity [,{CipherInfo, Password}]) -> pem_entry()</name>
219
<fsummary> Creates a pem entry that can be fed to pem_encode/1.</fsummary>
221
<v>Asn1Type = pki_asn1_type()</v>
222
<v>Entity = term() - The Erlang representation of
223
<c>Asn1Type</c>. If <c>Asn1Type</c> is 'SubjectPublicKeyInfo'
224
then <c>Entity</c> must be either an rsa_public_key() or a
225
dsa_public_key() and this function will create the appropriate
226
'SubjectPublicKeyInfo' entry.
228
<v>CipherInfo = {"DES-CBC" | "DES-EDE3-CBC", crypto:rand_bytes(8)}</v>
229
<v>Password = string()</v>
232
<p> Creates a pem entry that can be feed to pem_encode/1.</p>
237
<name>encrypt_private(PlainText, Key) -> binary()</name>
238
<fsummary> Public key encryption using the private key.</fsummary>
240
<v>PlainText = binary()</v>
241
<v>Key = rsa_private_key()</v>
244
<p> Public key encryption using the private key.</p>
249
<name>encrypt_public(PlainText, Key) -> binary()</name>
250
<fsummary> Public key encryption using the public key.</fsummary>
252
<v>PlainText = binary()</v>
253
<v>Key = rsa_public_key()</v>
256
<p> Public key encryption using the public key.</p>
261
<name>pkix_decode_cert(Cert, otp|plain) -> #'Certificate'{} | #'OTPCertificate'{}</name>
262
<fsummary> Decodes an asn1 der encoded pkix x509 certificate.</fsummary>
264
<v>Cert = der_encoded()</v>
267
<p>Decodes an asn1 der encoded pkix certificate. The otp option
268
will use the customized asn1 specification OTP-PKIX.asn1 for
269
decoding and also recursively decode most of the standard
275
<name>pkix_encode(Asn1Type, Entity, otp | plain) -> der_encoded()</name>
276
<fsummary>Der encodes a pkix x509 certificate or part of such a
277
certificate.</fsummary>
279
<v>Asn1Type = atom()</v>
280
<d>The asn1 type can be 'Certificate', 'OTPCertificate' or a subtype of either .</d>
283
<p>Der encodes a pkix x509 certificate or part of such a
284
certificate. This function must be used for encoding certificates or parts of certificates
285
that are decoded/created on the otp format, whereas for the plain format this
286
function will directly call der_encode/2. </p>
291
<name>pkix_is_issuer(Cert, IssuerCert) -> boolean()</name>
292
<fsummary> Checks if <c>IssuerCert</c> issued <c>Cert</c> </fsummary>
294
<v>Cert = der_encode() | #'OTPCertificate'{}</v>
295
<v>IssuerCert = der_encode() | #'OTPCertificate'{}</v>
298
<p> Checks if <c>IssuerCert</c> issued <c>Cert</c> </p>
303
<name>pkix_is_fixed_dh_cert(Cert) -> boolean()</name>
304
<fsummary> Checks if a Certificate is a fixed Diffie-Hellman Cert.</fsummary>
306
<v>Cert = der_encode() | #'OTPCertificate'{}</v>
309
<p> Checks if a Certificate is a fixed Diffie-Hellman Cert.</p>
314
<name>pkix_is_self_signed(Cert) -> boolean()</name>
315
<fsummary> Checks if a Certificate is self signed.</fsummary>
317
<v>Cert = der_encode() | #'OTPCertificate'{}</v>
320
<p> Checks if a Certificate is self signed.</p>
325
<name>pkix_issuer_id(Cert, IssuedBy) -> {ok, IssuerID} | {error, Reason}</name>
326
<fsummary> Returns the issuer id.</fsummary>
328
<v>Cert = der_encode() | #'OTPCertificate'{}</v>
329
<v>IssuedBy = self | other</v>
330
<v>IssuerID = {integer(), {rdnSequence, [#'AttributeTypeAndValue'{}]}}</v>
331
<d>The issuer id consists of the serial number and the issuers name.</d>
332
<v>Reason = term()</v>
335
<p> Returns the issuer id.</p>
340
<name>pkix_normalize_name(Issuer) -> Normalized</name>
341
<fsummary>Normalizes a issuer name so that it can be easily
342
compared to another issuer name. </fsummary>
344
<v>Issuer = {rdnSequence,[#'AttributeTypeAndValue'{}]}</v>
345
<v>Normalized = {rdnSequence, [#'AttributeTypeAndValue'{}]}</v>
348
<p>Normalizes a issuer name so that it can be easily
349
compared to another issuer name.</p>
354
<!-- <name>pkix_path_validation()</name> -->
355
<!-- <fsummary> Performs a basic path validation according to RFC 5280.</fsummary> -->
360
<!-- <p> Performs a basic path validation according to RFC 5280.</p> -->
366
<name>pkix_sign(#'OTPTBSCertificate'{}, Key) -> der_encode()</name>
367
<fsummary>Signs certificate.</fsummary>
369
<v>Key = rsa_public_key() | dsa_public_key()</v>
372
<p>Signs a 'OTPTBSCertificate'. Returns the corresponding
373
der encoded certificate.</p>
378
<name>pkix_verify(Cert, Key) -> boolean()</name>
379
<fsummary> Verify pkix x.509 certificate signature.</fsummary>
381
<v>Cert = der_encode()</v>
382
<v>Key = rsa_public_key() | dsa_public_key()</v>
385
<p> Verify pkix x.509 certificate signature.</p>
390
<name>sign(Msg, DigestType, Key) -> binary()</name>
391
<fsummary> Create digital signature.</fsummary>
393
<v>Msg = binary()</v>
394
<d>The msg is either the binary "plain text" data to be
395
signed or in the case that digest type is <c>none</c>
396
it is the hashed value of "plain text" i.e. the digest.</d>
397
<v>DigestType = rsa_digest_type() | dsa_digest_type()</v>
398
<v>Key = rsa_public_key() | dsa_public_key()</v>
401
<p> Creates a digital signature.</p>
406
<name>verify(Msg, DigestType, Signature, Key) -> boolean()</name>
407
<fsummary>Verifies a digital signature.</fsummary>
409
<v>Msg = binary()</v>
410
<d>The msg is either the binary "plain text" data
411
or in the case that digest type is <c>none</c>
412
it is the hashed value of "plain text" i.e. the digest.</d>
413
<v>DigestType = rsa_digest_type() | dsa_digest_type()</v>
414
<v>Signature = binary()</v>
415
<v>Key = rsa_public_key() | dsa_public_key()</v>
418
<p>Verifies a digital signature</p>