Legend:
Library
Module
Module type
Parameter
Class
Class type
Library
Module
Module type
Parameter
Class
Class type
X.509 Certificate Revocation Lists.
A certificate revocation list is a signed structure consisting of an issuer, a timestamp, possibly a timestamp when to expect the next update, and a list of revoked certificates (represented by a serial, a revocation date, and extensions (e.g. reason) - see RFC 5280 section 5.2 for a list of available extensions (not enforced)). It also may contain any extensions, e.g. a CRL number and whether it is partial or complete.
val issuer : c -> distinguished_name
issuer c
is the issuer of the revocation list.
val this_update : c -> Ptime.t
this_update t
is the timestamp of the revocation list.
val next_update : c -> Ptime.t option
next_update t
is either None
or Some ts
, the timestamp of the next update.
The type of a revoked certificate, which consists of a serial number, the revocation date, and possibly extensions. See RFC 5280 setion 5.3 for allowed extensions (not enforced).
val reason : revoked_cert -> Extension.reason_code option
reason revoked
extracts the Reason
extension from revoked
if present.
val revoked_certificates : c -> revoked_cert list
revoked_certificates t
is the list of revoked certificates of the revocation list.
val extensions : c -> (bool * Extension.t) list
extensions t
is the list of extensions, see RFC 5280 section 5.2 for possible values.
val crl_number : c -> int option
crl_number t
is the number of the CRL.
val validate : c -> public_key -> bool
validate t pk
validates the digital signature of the revocation list.
verify t ~time cert
verifies that the issuer of t
matches the subject of cert
, and validates the digital signature of the revocation list. If time
is provided, it must be after this_update
and before next_update
of t
.
is_revoked crls ~issuer ~cert
is true
if there exists a revocation of cert
in crls
which is signed by the issuer
. The subject of issuer
must match the issuer of the crl.
val revoke :
?digest:Nocrypto.Hash.hash ->
issuer:distinguished_name ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
?extensions:(bool * Extension.t) list ->
revoked_cert list ->
private_key ->
c
revoked ~digest ~issuer ~this_update ~next_update ~extensions certs priv
constructs a revocation list with the given parameters.
val revoke_certificate :
revoked_cert ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
c ->
private_key ->
c
revoke_certificate cert ~this_update ~next_update t priv
adds cert
to the revocation list, increments its counter, adjusts this_update
and next_update
timestamps, and digitally signs it using priv
.
val revoke_certificates :
revoked_cert list ->
this_update:Ptime.t ->
?next_update:Ptime.t ->
c ->
private_key ->
c
revoke_certificates certs ~this_update ~next_update t priv
adds certs
to the revocation list, increments its counter, adjusts this_update
and next_update
timestamps, and digitally signs it using priv
.