.TH ssl_crl_cache_api 3erl "ssl 10.9.1.3" "Ericsson AB" "Erlang Module Definition" .SH NAME ssl_crl_cache_api \- API for a TLS CRL (Certificate Revocation List) cache. .SH DESCRIPTION .LP When TLS performs certificate path validation according to RFC 5280 it should also perform CRL validation checks\&. To enable the CRL checks the application needs access to CRLs\&. A database of CRLs can be set up in many different ways\&. This module provides the behavior of the API needed to integrate an arbitrary CRL cache with the erlang ssl application\&. It is also used by the application itself to provide a simple default implementation of a CRL cache\&. .SH DATA TYPES .nf \fBcrl_cache_ref()\fR\& = any() .br .fi .RS .LP Reference to the CRL cache\&. .RE .nf \fBdist_point()\fR\& = #\&'DistributionPoint\&'{} .br .fi .RS .LP For description see X509 certificates records .RE .nf \fBlogger_info()\fR\& = .br {logger:level(), .br Report :: #{description => string(), reason => term()}, .br logger:metadata()} .br .fi .RS .LP Information for ssl applications use of Logger(3erl) .RE .SH EXPORTS .LP .B Module:fresh_crl(DistributionPoint, CRL) -> FreshCRL .br .B Module:fresh_crl(DistributionPoint, CRL) -> FreshCRL | {LoggerInfo, FreshCRL} .br .RS .LP Types: .RS 3 DistributionPoint = dist_point() .br CRL = [public_key:der_encoded()] .br FreshCRL = [public_key:der_encoded()] .br LoggerInfo = {logger, logger_info() }} .br .RE .RE .RS .LP \fIfun fresh_crl/2 \fR\& will be used as input option \fIupdate_crl\fR\& to public_key:pkix_crls_validate/3 .LP It is possible to return logger info that will be used by the TLS connection to produce log events\&. .RE .LP .B Module:lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs | {LoggerInfo, CRLs} .br .B Module:lookup(DistributionPoint, Issuer, DbHandle) -> not_available | CRLs .br .B Module:lookup(DistributionPoint, DbHandle) -> not_available | CRLs .br .RS .LP Types: .RS 3 DistributionPoint = dist_point() .br Issuer = public_key:issuer_name() .br DbHandle = crl_cache_ref() .br CRLs = [public_key:der_encoded()] .br LoggerInfo = {logger, logger_info() }} .br .RE .RE .RS .LP Lookup the CRLs belonging to the distribution point \fI Distributionpoint\fR\&\&. This function may choose to only look in the cache or to follow distribution point links depending on how the cache is administrated\&. .LP The \fIIssuer\fR\& argument contains the issuer name of the certificate to be checked\&. Normally the returned CRL should be issued by this issuer, except if the \fIcRLIssuer\fR\& field of \fIDistributionPoint\fR\& has a value, in which case that value should be used instead\&. .LP In an earlier version of this API, the \fIlookup\fR\& function received two arguments, omitting \fIIssuer\fR\&\&. For compatibility, this is still supported: if there is no \fIlookup/3\fR\& function in the callback module, \fIlookup/2\fR\& is called instead\&. .LP It is possible to return logger info that will be used by the TLS connection to produce log events\&. .RE .LP .B Module:select(Issuer, DbHandle) -> CRLs | {LoggerInfo, CRLs} .br .B Module:select(Issuer, DbHandle) -> CRLs .br .RS .LP Types: .RS 3 Issuer = public_key:issuer_name() | list() .br DbHandle = cache_ref() .br LoggerInfo = {logger, logger_info() } .br .RE .RE .RS .LP Select the CRLs in the cache that are issued by \fIIssuer\fR\& unless the value is a list of so called general names, see X509 certificates records, originating form \fI#\&'DistributionPoint\&'\&.cRLissuer\fR\& and representing different mechanism to obtain the CRLs\&. The cache callback needs to use the appropriate entry to retrieve the CRLs or return an empty list if it does not exist\&. .LP It is possible to return logger info that will be used by the TLS connection to produce log events\&. .RE