.TH public_key 3erl "public_key 1.3" "Ericsson AB" "Erlang Module Definition" .SH NAME public_key \- API module for public-key infrastructure. .SH DESCRIPTION .LP Provides functions to handle public-key infrastructure, for details see \fBpublic_key(7)\fR\&\&. .SH "DATA TYPES" .LP .RS -4 .B Note: .RE All records used in this Reference Manual are generated from ASN\&.1 specifications and are documented in the User\&'s Guide\&. See \fBPublic-key Records\fR\&\&. .LP Use the following include directive to get access to the records and constant macros described here and in the User\&'s Guide: .LP .nf -include_lib("public_key/include/public_key.hrl"). .fi .LP The following data types are used in the functions for \fIpublic_key\fR\&: .RS 2 .TP 2 .B \fIoid()\fR\&: Object identifier, a tuple of integers as generated by the \fIASN\&.1\fR\& compiler\&. .TP 2 .B \fIboolean() =\fR\&: \fItrue | false\fR\& .TP 2 .B \fIstring() =\fR\&: \fI[bytes()]\fR\& .TP 2 .B \fIder_encoded() =\fR\&: \fIbinary()\fR\& .TP 2 .B \fIpki_asn1_type() =\fR\&: \fI\&'Certificate\&'\fR\& .RS 2 .LP \fI| \&'RSAPrivateKey\&'\fR\& .RE .RS 2 .LP \fI| \&'RSAPublicKey\&'\fR\& .RE .RS 2 .LP \fI| \&'DSAPrivateKey\&'\fR\& .RE .RS 2 .LP \fI| \&'DSAPublicKey\&'\fR\& .RE .RS 2 .LP \fI| \&'DHParameter\&'\fR\& .RE .RS 2 .LP \fI| \&'SubjectPublicKeyInfo\&'\fR\& .RE .RS 2 .LP \fI| \&'PrivateKeyInfo\&'\fR\& .RE .RS 2 .LP \fI| \&'CertificationRequest\&'\fR\& .RE .RS 2 .LP \fI| \&'CertificateList\&'\fR\& .RE .RS 2 .LP \fI| \&'ECPrivateKey\&'\fR\& .RE .RS 2 .LP \fI| \&'EcpkParameters\&'\fR\& .RE .TP 2 .B \fIpem_entry () =\fR\&: \fI{pki_asn1_type(), binary(), %% DER or encrypted DER\fR\& .RS 2 .LP \fI not_encrypted | cipher_info()}\fR\& .RE .TP 2 .B \fIcipher_info() = \fR\&: \fI{"RC2-CBC" | "DES-CBC" | "DES-EDE3-CBC", crypto:strong_rand_bytes(8)\fR\& .RS 2 .LP \fI| {#\&'PBEParameter{}, digest_type()} | #\&'PBES2-params\&'{}}\fR\& .RE .TP 2 .B \fIpublic_key() =\fR\&: \fIrsa_public_key() | dsa_public_key() | ec_public_key()\fR\& .TP 2 .B \fIprivate_key() =\fR\&: \fIrsa_private_key() | dsa_private_key() | ec_private_key()\fR\& .TP 2 .B \fIrsa_public_key() =\fR\&: \fI#\&'RSAPublicKey\&'{}\fR\& .TP 2 .B \fIrsa_private_key() =\fR\&: \fI#\&'RSAPrivateKey\&'{}\fR\& .TP 2 .B \fIdsa_public_key() =\fR\&: \fI{integer(), #\&'Dss-Parms\&'{}}\fR\& .TP 2 .B \fIdsa_private_key() =\fR\&: \fI#\&'DSAPrivateKey\&'{}\fR\& .TP 2 .B \fIec_public_key()\fR\&: = \fI{#\&'ECPoint\&'{}, #\&'ECParameters\&'{} | {namedCurve, oid()}}\fR\& .TP 2 .B \fIec_private_key() =\fR\&: \fI#\&'ECPrivateKey\&'{}\fR\& .TP 2 .B \fIpublic_crypt_options() =\fR\&: \fI[{rsa_pad, rsa_padding()}]\fR\& .TP 2 .B \fIrsa_padding() =\fR\&: \fI\&'rsa_pkcs1_padding\&'\fR\& .RS 2 .LP \fI| \&'rsa_pkcs1_oaep_padding\&'\fR\& .RE .RS 2 .LP \fI| \&'rsa_no_padding\&'\fR\& .RE .TP 2 .B \fIdigest_type() = \fR\&: Union of \fIrsa_digest_type()\fR\&, \fIdss_digest_type()\fR\&, and \fIecdsa_digest_type()\fR\&\&. .TP 2 .B \fIrsa_digest_type() = \fR\&: \fI\&'md5\&' | \&'sha\&' | \&'sha224\&' | \&'sha256\&' | \&'sha384\&' | \&'sha512\&'\fR\& .TP 2 .B \fIdss_digest_type() = \fR\&: \fI\&'sha\&'\fR\& .TP 2 .B \fIecdsa_digest_type() = \fR\&: \fI\&'sha\&'| \&'sha224\&' | \&'sha256\&' | \&'sha384\&' | \&'sha512\&'\fR\& .TP 2 .B \fIcrl_reason() = \fR\&: \fIunspecified\fR\& .RS 2 .LP \fI| keyCompromise\fR\& .RE .RS 2 .LP \fI| cACompromise\fR\& .RE .RS 2 .LP \fI| affiliationChanged\fR\& .RE .RS 2 .LP \fI| superseded\fR\& .RE .RS 2 .LP \fI| cessationOfOperation\fR\& .RE .RS 2 .LP \fI| certificateHold\fR\& .RE .RS 2 .LP \fI| privilegeWithdrawn\fR\& .RE .RS 2 .LP \fI| aACompromise\fR\& .RE .TP 2 .B \fIissuer_name() =\fR\&: \fI{rdnSequence,[#\&'AttributeTypeAndValue\&'{}]}\fR\& .TP 2 .B \fIssh_file() =\fR\&: \fIopenssh_public_key\fR\& .RS 2 .LP \fI| rfc4716_public_key\fR\& .RE .RS 2 .LP \fI| known_hosts\fR\& .RE .RS 2 .LP \fI| auth_keys\fR\& .RE .RE .SH EXPORTS .LP .B compute_key(OthersKey, MyKey)-> .br .B compute_key(OthersKey, MyKey, Params)-> .br .RS .LP Types: .RS 3 OthersKey = #\&'ECPoint\&'{} | binary(), MyKey = #\&'ECPrivateKey\&'{} | binary() .br Params = #\&'DHParameter\&'{} .br .RE .RE .RS .LP Computes shared secret\&. .RE .LP .B decrypt_private(CipherText, Key) -> binary() .br .B decrypt_private(CipherText, Key, Options) -> binary() .br .RS .LP Types: .RS 3 CipherText = binary() .br Key = rsa_private_key() .br Options = public_crypt_options() .br .RE .RE .RS .LP Public-key decryption using the private key\&. See also \fBcrypto:private_decrypt/4\fR\& .RE .LP .B decrypt_public(CipherText, Key) - > binary() .br .B decrypt_public(CipherText, Key, Options) - > binary() .br .RS .LP Types: .RS 3 CipherText = binary() .br Key = rsa_public_key() .br Options = public_crypt_options() .br .RE .RE .RS .LP Public-key decryption using the public key\&. See also \fBcrypto:public_decrypt/4\fR\& .RE .LP .B der_decode(Asn1type, Der) -> term() .br .RS .LP Types: .RS 3 Asn1Type = atom() .br .RS 2 ASN\&.1 type present in the Public Key applications ASN\&.1 specifications\&. .RE Der = der_encoded() .br .RE .RE .RS .LP Decodes a public-key ASN\&.1 DER encoded entity\&. .RE .LP .B der_encode(Asn1Type, Entity) -> der_encoded() .br .RS .LP Types: .RS 3 Asn1Type = atom() .br .RS 2 ASN\&.1 type present in the Public Key applications ASN\&.1 specifications\&. .RE Entity = term() .br .RS 2 Erlang representation of \fIAsn1Type\fR\& .RE .RE .RE .RS .LP Encodes a public-key entity with ASN\&.1 DER encoding\&. .RE .LP .B dh_gex_group(MinSize, SuggestedSize, MaxSize, Groups) -> {ok, {Size,Group}} | {error,Error} .br .RS .LP Types: .RS 3 MinSize = positive_integer() .br SuggestedSize = positive_integer() .br MaxSize = positive_integer() .br Groups = undefined | [{Size,[{G,P}]}] .br Size = positive_integer() .br Group = {G,P} .br G = positive_integer() .br P = positive_integer() .br .RE .RE .RS .LP Selects a group for Diffie-Hellman key exchange with the key size in the range \fIMinSize\&.\&.\&.MaxSize\fR\& and as close to \fISuggestedSize\fR\& as possible\&. If \fIGroups == undefined\fR\& a default set will be used, otherwise the group is selected from \fIGroups\fR\&\&. .LP First a size, as close as possible to SuggestedSize, is selected\&. Then one group with that key size is randomly selected from the specified set of groups\&. If no size within the limits of \fIMinSize\fR\& and \fIMaxSize\fR\& is available, \fI{error,no_group_found}\fR\& is returned\&. .LP The default set of groups is listed in \fIlib/public_key/priv/moduli\fR\&\&. This file may be regenerated like this: .LP .nf $> cd $ERL_TOP/lib/public_key/priv/ $> generate ---- wait until all background jobs has finished. It may take several days ! $> cat moduli-* > moduli $> cd ..; make .fi .RE .LP .B encrypt_private(PlainText, Key) -> binary() .br .RS .LP Types: .RS 3 PlainText = binary() .br Key = rsa_private_key() .br .RE .RE .RS .LP Public-key encryption using the private key\&. See also \fBcrypto:private_encrypt/4\fR\&\&. .RE .LP .B encrypt_public(PlainText, Key) -> binary() .br .RS .LP Types: .RS 3 PlainText = binary() .br Key = rsa_public_key() .br .RE .RE .RS .LP Public-key encryption using the public key\&. See also \fBcrypto:public_encrypt/4\fR\&\&. .RE .LP .B generate_key(Params) -> {Public::binary(), Private::binary()} | #\&'ECPrivateKey\&'{} .br .RS .LP Types: .RS 3 Params = #\&'DHParameter\&'{} | {namedCurve, oid()} | #\&'ECParameters\&'{} .br .RE .RE .RS .LP Generates a new keypair\&. .RE .LP .B pem_decode(PemBin) -> [pem_entry()] .br .RS .LP Types: .RS 3 PemBin = binary() .br .RS 2 Example {ok, PemBin} = file:read_file("cert\&.pem")\&. .RE .RE .RE .RS .LP Decodes PEM binary data and returns entries as ASN\&.1 DER encoded entities\&. .RE .LP .B pem_encode(PemEntries) -> binary() .br .RS .LP Types: .RS 3 PemEntries = [pem_entry()] .br .RE .RE .RS .LP Creates a PEM binary\&. .RE .LP .B pem_entry_decode(PemEntry) -> term() .br .B pem_entry_decode(PemEntry, Password) -> term() .br .RS .LP Types: .RS 3 PemEntry = pem_entry() .br Password = string() .br .RE .RE .RS .LP Decodes a PEM entry\&. \fIpem_decode/1\fR\& returns a list of PEM entries\&. Notice that if the PEM entry is of type \&'SubjectPublickeyInfo\&', it is further decoded to an \fIrsa_public_key()\fR\& or \fIdsa_public_key()\fR\&\&. .RE .LP .B pem_entry_encode(Asn1Type, Entity) -> pem_entry() .br .B pem_entry_encode(Asn1Type, Entity, {CipherInfo, Password}) -> pem_entry() .br .RS .LP Types: .RS 3 Asn1Type = pki_asn1_type() .br Entity = term() .br .RS 2 Erlang representation of \fIAsn1Type\fR\&\&. If \fIAsn1Type\fR\& is \&'SubjectPublicKeyInfo\&', \fIEntity\fR\& must be either an \fIrsa_public_key()\fR\&, \fIdsa_public_key()\fR\& or an \fIec_public_key()\fR\& and this function creates the appropriate \&'SubjectPublicKeyInfo\&' entry\&. .RE CipherInfo = cipher_info() .br Password = string() .br .RE .RE .RS .LP Creates a PEM entry that can be feed to \fIpem_encode/1\fR\&\&. .RE .LP .B pkix_decode_cert(Cert, otp|plain) -> #\&'Certificate\&'{} | #\&'OTPCertificate\&'{} .br .RS .LP Types: .RS 3 Cert = der_encoded() .br .RE .RE .RS .LP Decodes an ASN\&.1 DER-encoded PKIX certificate\&. Option \fIotp\fR\& uses the customized ASN\&.1 specification OTP-PKIX\&.asn1 for decoding and also recursively decode most of the standard parts\&. .RE .LP .B pkix_encode(Asn1Type, Entity, otp | plain) -> der_encoded() .br .RS .LP Types: .RS 3 Asn1Type = atom() .br .RS 2 The ASN\&.1 type can be \&'Certificate\&', \&'OTPCertificate\&' or a subtype of either\&. .RE Entity = #\&'Certificate\&'{} | #\&'OTPCertificate\&'{} | a valid subtype .br .RE .RE .RS .LP DER encodes a PKIX x509 certificate or part of such a certificate\&. This function must be used for encoding certificates or parts of certificates that are decoded/created in the \fIotp\fR\& format, whereas for the plain format this function directly calls \fIder_encode/2\fR\&\&. .RE .LP .B pkix_is_issuer(Cert, IssuerCert) -> boolean() .br .RS .LP Types: .RS 3 Cert = der_encoded() | #\&'OTPCertificate\&'{} | #\&'CertificateList\&'{} .br IssuerCert = der_encoded() | #\&'OTPCertificate\&'{} .br .RE .RE .RS .LP Checks if \fIIssuerCert\fR\& issued \fICert\fR\&\&. .RE .LP .B pkix_is_fixed_dh_cert(Cert) -> boolean() .br .RS .LP Types: .RS 3 Cert = der_encoded() | #\&'OTPCertificate\&'{} .br .RE .RE .RS .LP Checks if a certificate is a fixed Diffie-Hellman certificate\&. .RE .LP .B pkix_is_self_signed(Cert) -> boolean() .br .RS .LP Types: .RS 3 Cert = der_encoded() | #\&'OTPCertificate\&'{} .br .RE .RE .RS .LP Checks if a certificate is self-signed\&. .RE .LP .B pkix_issuer_id(Cert, IssuedBy) -> {ok, IssuerID} | {error, Reason} .br .RS .LP Types: .RS 3 Cert = der_encoded() | #\&'OTPCertificate\&'{} .br IssuedBy = self | other .br IssuerID = {integer(), issuer_name()} .br .RS 2 The issuer id consists of the serial number and the issuers name\&. .RE Reason = term() .br .RE .RE .RS .LP Returns the issuer id\&. .RE .LP .B pkix_normalize_name(Issuer) -> Normalized .br .RS .LP Types: .RS 3 Issuer = issuer_name() .br Normalized = issuer_name() .br .RE .RE .RS .LP Normalizes an issuer name so that it can be easily compared to another issuer name\&. .RE .LP .B pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, {PublicKeyInfo, PolicyTree}} | {error, {bad_cert, Reason}} .br .RS .LP Types: .RS 3 TrustedCert = #\&'OTPCertificate\&'{} | der_encoded() | atom() .br .RS 2 Normally a trusted certificate, but it can also be a path-validation error that can be discovered while constructing the input to this function and that is to be run through the \fIverify_fun\fR\&\&. Examples are \fIunknown_ca\fR\& and \fIselfsigned_peer\&.\fR\& .RE CertChain = [der_encoded()] .br .RS 2 A list of DER-encoded certificates in trust order ending with the peer certificate\&. .RE Options = proplists:proplist() .br PublicKeyInfo = {?\&'rsaEncryption\&' | ?\&'id-dsa\&', rsa_public_key() | integer(), \&'NULL\&' | \&'Dss-Parms\&'{}} .br PolicyTree = term() .br .RS 2 At the moment this is always an empty list as policies are not currently supported\&. .RE Reason = cert_expired | invalid_issuer | invalid_signature | name_not_permitted | missing_basic_constraint | invalid_key_usage | {revoked, crl_reason()} | atom() .br .RE .RE .RS .LP Performs a basic path validation according to RFC 5280\&. However, CRL validation is done separately by \fBpkix_crls_validate/3 \fR\& and is to be called from the supplied \fIverify_fun\fR\&\&. .LP Available options: .RS 2 .TP 2 .B {verify_fun, fun()}: The fun must be defined as: .LP .nf fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revoked, atom()}} | {extension, #'Extension'{}}, InitialUserState :: term()) -> {valid, UserState :: term()} | {valid_peer, UserState :: term()} | {fail, Reason :: term()} | {unknown, UserState :: term()}. .fi .RS 2 .LP If the verify callback fun returns \fI{fail, Reason}\fR\&, the verification process is immediately stopped\&. If the verify callback fun returns \fI{valid, UserState}\fR\&, the verification process is continued\&. This can be used to accept specific path validation errors, such as \fIselfsigned_peer\fR\&, as well as verifying application-specific extensions\&. If called with an extension unknown to the user application, the return value \fI{unknown, UserState}\fR\& is to be used\&. .RE .TP 2 .B {max_path_length, integer()}: The \fImax_path_length\fR\& is the maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path\&. So, if \fImax_path_length\fR\& is 0, the PEER must be signed by the trusted ROOT-CA directly, if it is 1, the path can be PEER, CA, ROOT-CA, if it is 2, the path can be PEER, CA, CA, ROOT-CA, and so on\&. .RE .LP Possible reasons for a bad certificate: .RS 2 .TP 2 .B cert_expired: Certificate is no longer valid as its expiration date has passed\&. .TP 2 .B invalid_issuer: Certificate issuer name does not match the name of the issuer certificate in the chain\&. .TP 2 .B invalid_signature: Certificate was not signed by its issuer certificate in the chain\&. .TP 2 .B name_not_permitted: Invalid Subject Alternative Name extension\&. .TP 2 .B missing_basic_constraint: Certificate, required to have the basic constraints extension, does not have a basic constraints extension\&. .TP 2 .B invalid_key_usage: Certificate key is used in an invalid way according to the key-usage extension\&. .TP 2 .B {revoked, crl_reason()}: Certificate has been revoked\&. .TP 2 .B atom(): Application-specific error reason that is to be checked by the \fIverify_fun\fR\&\&. .RE .RE .LP .B pkix_crl_issuer(CRL) -> issuer_name() .br .RS .LP Types: .RS 3 CRL = der_encoded() | #\&'CertificateList\&'{} .br .RE .RE .RS .LP Returns the issuer of the \fICRL\fR\&\&. .RE .LP .B pkix_crls_validate(OTPCertificate, DPAndCRLs, Options) -> CRLStatus() .br .RS .LP Types: .RS 3 OTPCertificate = #\&'OTPCertificate\&'{} .br DPAndCRLs = [{DP::#\&'DistributionPoint\&'{}, {DerCRL::der_encoded(), CRL::#\&'CertificateList\&'{}}}] .br Options = proplists:proplist() .br CRLStatus() = valid | {bad_cert, revocation_status_undetermined} | {bad_cert, {revoked, crl_reason()}} .br .RE .RE .RS .LP Performs CRL validation\&. It is intended to be called from the verify fun of \fB pkix_path_validation/3 \fR\&\&. .LP Available options: .RS 2 .TP 2 .B {update_crl, fun()}: The fun has the following type specification: .LP .nf fun(#'DistributionPoint'{}, #'CertificateList'{}) -> #'CertificateList'{} .fi .RS 2 .LP The fun uses the information in the distribution point to access the latest possible version of the CRL\&. If this fun is not specified, Public Key uses the default implementation: .RE .LP .nf fun(_DP, CRL) -> CRL end .fi .TP 2 .B {issuer_fun, fun()}: The fun has the following type specification: .LP .nf fun(#'DistributionPoint'{}, #'CertificateList'{}, {rdnSequence,[#'AttributeTypeAndValue'{}]}, term()) -> {ok, #'OTPCertificate'{}, [der_encoded]} .fi .RS 2 .LP The fun returns the root certificate and certificate chain that has signed the CRL\&. .RE .LP .nf fun(DP, CRL, Issuer, UserState) -> {ok, RootCert, CertChain} .fi .RE .RE .LP .B pkix_crl_verify(CRL, Cert) -> boolean() .br .RS .LP Types: .RS 3 CRL = der_encoded() | #\&'CertificateList\&'{} .br Cert = der_encoded() | #\&'OTPCertificate\&'{} .br .RE .RE .RS .LP Verify that \fICert\fR\& is the \fICRL\fR\& signer\&. .RE .LP .B pkix_dist_point(Cert) -> DistPoint .br .RS .LP Types: .RS 3 Cert = der_encoded() | #\&'OTPCertificate\&'{} .br DistPoint = #\&'DistributionPoint\&'{} .br .RE .RE .RS .LP Creates a distribution point for CRLs issued by the same issuer as \fICert\fR\&\&. Can be used as input to \fBpkix_crls_validate/3 \fR\& .RE .LP .B pkix_dist_points(Cert) -> DistPoints .br .RS .LP Types: .RS 3 Cert = der_encoded() | #\&'OTPCertificate\&'{} .br DistPoints = [#\&'DistributionPoint\&'{}] .br .RE .RE .RS .LP Extracts distribution points from the certificates extensions\&. .RE .LP .B pkix_match_dist_point(CRL, DistPoint) -> boolean() .br .RS .LP Types: .RS 3 CRL = der_encoded() | #\&'CertificateList\&'{} .br DistPoint = #\&'DistributionPoint\&'{} .br .RE .RE .RS .LP Checks whether the given distribution point matches the Issuing Distribution Point of the CRL, as described in RFC 5280\&. If the CRL doesn\&'t have an Issuing Distribution Point extension, the distribution point always matches\&. .RE .LP .B pkix_sign(#\&'OTPTBSCertificate\&'{}, Key) -> der_encoded() .br .RS .LP Types: .RS 3 Key = rsa_private_key() | dsa_private_key() .br .RE .RE .RS .LP Signs an \&'OTPTBSCertificate\&'\&. Returns the corresponding DER-encoded certificate\&. .RE .LP .B pkix_sign_types(AlgorithmId) -> {DigestType, SignatureType} .br .RS .LP Types: .RS 3 AlgorithmId = oid() .br .RS 2 Signature OID from a certificate or a certificate revocation list\&. .RE DigestType = rsa_digest_type() | dss_digest_type() .br SignatureType = rsa | dsa | ecdsa .br .RE .RE .RS .LP Translates signature algorithm OID to Erlang digest and signature types\&. .RE .LP .B pkix_verify(Cert, Key) -> boolean() .br .RS .LP Types: .RS 3 Cert = der_encoded() .br Key = rsa_public_key() | dsa_public_key() | ec_public_key() .br .RE .RE .RS .LP Verifies PKIX x\&.509 certificate signature\&. .RE .LP .B sign(Msg, DigestType, Key) -> binary() .br .RS .LP Types: .RS 3 Msg = binary() | {digest,binary()} .br .RS 2 The \fIMsg\fR\& is either the binary "plain text" data to be signed or it is the hashed value of "plain text", that is, the digest\&. .RE DigestType = rsa_digest_type() | dss_digest_type() | ecdsa_digest_type() .br Key = rsa_private_key() | dsa_private_key() | ec_private_key() .br .RE .RE .RS .LP Creates a digital signature\&. .RE .LP .B ssh_decode(SshBin, Type) -> [{public_key(), Attributes::list()}] .br .RS .LP Types: .RS 3 SshBin = binary() .br .RS 2 Example \fI{ok, SshBin} = file:read_file("known_hosts")\fR\&\&. .RE Type = public_key | ssh_file() .br .RS 2 If \fIType\fR\& is \fIpublic_key\fR\& the binary can be either an RFC4716 public key or an OpenSSH public key\&. .RE .RE .RE .RS .LP Decodes an SSH file-binary\&. In the case of \fIknown_hosts\fR\& or \fIauth_keys\fR\&, the binary can include one or more lines of the file\&. Returns a list of public keys and their attributes, possible attribute values depends on the file type represented by the binary\&. .RS 2 .TP 2 .B RFC4716 attributes - see RFC 4716\&.: {headers, [{string(), utf8_string()}]} .TP 2 .B auth_key attributes - see manual page for sshd\&.: {comment, string()}{options, [string()]}{bits, integer()} - In SSH version 1 files\&. .TP 2 .B known_host attributes - see manual page for sshd\&.: {hostnames, [string()]}{comment, string()}{bits, integer()} - In SSH version 1 files\&. .RE .RE .LP .B ssh_encode([{Key, Attributes}], Type) -> binary() .br .RS .LP Types: .RS 3 Key = public_key() .br Attributes = list() .br Type = ssh_file() .br .RE .RE .RS .LP Encodes a list of SSH file entries (public keys and attributes) to a binary\&. Possible attributes depend on the file type, see \fB ssh_decode/2 \fR\&\&. .RE .LP .B ssh_hostkey_fingerprint(HostKey) -> string() .br .B ssh_hostkey_fingerprint(DigestType, HostKey) -> string() .br .RS .LP Types: .RS 3 Key = public_key() .br DigestType = digest_type() .br .RE .RE .RS .LP Calculates a ssh fingerprint from a public host key as openssh does\&. .LP The algorithm in \fIssh_hostkey_fingerprint/1\fR\& is md5 to be compatible with older ssh-keygen commands\&. The string from the second variant is prepended by the algorithm name in uppercase as in newer ssh-keygen commands\&. .LP Examples: .LP .nf 2> public_key:ssh_hostkey_fingerprint(Key). "f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84" 3> public_key:ssh_hostkey_fingerprint(md5,Key). "MD5:f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84" 4> public_key:ssh_hostkey_fingerprint(sha,Key). "SHA1:bSLY/C4QXLDL/Iwmhyg0PGW9UbY" 5> public_key:ssh_hostkey_fingerprint(sha256,Key). "SHA256:aZGXhabfbf4oxglxltItWeHU7ub3Dc31NcNw2cMJePQ" .fi .RE .LP .B verify(Msg, DigestType, Signature, Key) -> boolean() .br .RS .LP Types: .RS 3 Msg = binary() | {digest,binary()} .br .RS 2 The \fIMsg\fR\& is either the binary "plain text" data or it is the hashed value of "plain text", that is, the digest\&. .RE DigestType = rsa_digest_type() | dss_digest_type() | ecdsa_digest_type() .br Signature = binary() .br Key = rsa_public_key() | dsa_public_key() | ec_public_key() .br .RE .RE .RS .LP Verifies a digital signature\&. .RE .LP .B short_name_hash(Name) -> string() .br .RS .LP Types: .RS 3 Name = issuer_name() .br .RE .RE .RS .LP Generates a short hash of an issuer name\&. The hash is returned as a string containing eight hexadecimal digits\&. .LP The return value of this function is the same as the result of the commands \fIopenssl crl -hash\fR\& and \fIopenssl x509 -issuer_hash\fR\&, when passed the issuer name of a CRL or a certificate, respectively\&. This hash is used by the \fIc_rehash\fR\& tool to maintain a directory of symlinks to CRL files, in order to facilitate looking up a CRL by its issuer name\&. .RE