Provided by: erlang-manpages_25.2.3+dfsg-1_all bug

NAME

       public_key - API module for public-key infrastructure.

DESCRIPTION

       Provides functions to handle public-key infrastructure, for details see public_key(7).

COMMON RECORDS AND ASN.1 TYPES

   Note:
       All  records used in this Reference Manual are generated from ASN.1 specifications and are
       documented in the User's Guide. See Public-key Records.

       Use the following include directive to get access  to  the  records  and  constant  macros
       described here and in the User's Guide:

        -include_lib("public_key/include/public_key.hrl").

DATA TYPES

       oid() = tuple()

              Object identifier, a tuple of integers as generated by the ASN.1 compiler.

       key_oid_name() =
           rsaEncryption | 'id-RSASSA-PSS' | 'id-ecPublicKey' |
           'id-Ed25519' | 'id-Ed448' | 'id-dsa'

              Macro names for key object identifiers used by prefixing with ?

       der_encoded() = binary()

       pki_asn1_type() =
           'Certificate' | 'RSAPrivateKey' | 'RSAPublicKey' |
           'SubjectPublicKeyInfo' | 'DSAPrivateKey' | 'DHParameter' |
           'PrivateKeyInfo' | 'CertificationRequest' | 'ContentInfo' |
           'CertificateList' | 'ECPrivateKey' | 'OneAsymmetricKey' |
           'EcpkParameters'

       asn1_type() = atom()

              ASN.1 type present in the Public Key applications ASN.1 specifications.

       pem_entry() =
           {pki_asn1_type(),
            der_or_encrypted_der(),
            not_encrypted | cipher_info()}

       der_or_encrypted_der() = binary()

       cipher_info() = {cipher(), cipher_info_params()}

       cipher() = string()

       salt() = binary()

       cipher_info_params() =
           salt() |
           {#'PBEParameter'{}, digest_type()} |
           #'PBES2-params'{}

              Cipher = "RC2-CBC" | "DES-CBC" | "DES-EDE3-CBC"

              Salt could be generated with crypto:strong_rand_bytes(8).

       public_key() =
           rsa_public_key() |
           rsa_pss_public_key() |
           dsa_public_key() |
           ec_public_key() |
           ed_public_key()

       rsa_public_key() = #'RSAPublicKey'{}

       dss_public_key() = integer()

       rsa_pss_public_key() =
           {rsa_pss_public_key(), #'RSASSA-PSS-params'{}}

       dsa_public_key() = {dss_public_key(), #'Dss-Parms'{}}

       ec_public_key() = {#'ECPoint'{}, ecpk_parameters_api()}

       public_key_params() =
           'NULL' |
           #'RSASSA-PSS-params'{} |
           {namedCurve, oid()} |
           #'ECParameters'{} |
           #'Dss-Parms'{}

       ecpk_parameters() =
           {ecParameters, #'ECParameters'{}} |
           {namedCurve, Oid :: tuple()}

       ecpk_parameters_api() =
           ecpk_parameters() |
           #'ECParameters'{} |
           {namedCurve, Name :: crypto:ec_named_curve()}

       public_key_info() =
           {key_oid_name(),
            rsa_public_key() | #'ECPoint'{} | dss_public_key(),
            public_key_params()}

       ed_public_key() = {#'ECPoint'{}, ed_params()}

       ed_params() = {namedCurve, ed_oid_name()}

       private_key() =
           rsa_private_key() |
           rsa_pss_private_key() |
           dsa_private_key() |
           ec_private_key() |
           ed_private_key()

       rsa_private_key() = #'RSAPrivateKey'{}

       rsa_pss_private_key() =
           {#'RSAPrivateKey'{}, #'RSASSA-PSS-params'{}}

       dsa_private_key() = #'DSAPrivateKey'{}

       ec_private_key() = #'ECPrivateKey'{}

       ed_private_key() = #'ECPrivateKey'{parameters = ed_params()}

       ed_oid_name() = 'id-Ed25519' | 'id-Ed448'

              Macro names for object identifiers for EDDSA curves used by prefixing with ?

       key_params() =
           #'DHParameter'{} |
           {namedCurve, oid()} |
           #'ECParameters'{} |
           {rsa, Size :: integer(), PubExp :: integer()}

       digest_type() =
           none | sha1 |
           crypto:rsa_digest_type() |
           crypto:dss_digest_type() |
           crypto:ecdsa_digest_type()

       issuer_name() = {rdnSequence, [[#'AttributeTypeAndValue'{}]]}

       referenceIDs() = [referenceID()]

       referenceID() =
           {uri_id | dns_id | ip | srv_id | atom() | oid(), string()} |
           {ip, inet:ip_address() | string()}

       cert_id() = {SerialNr :: integer(), issuer_name()}

       cert() = der_cert() | otp_cert()

       otp_cert() = #'OTPCertificate'{}

       der_cert() = der_encoded()

       combined_cert() =
           #cert{der = public_key:der_encoded(),
                 otp = #'OTPCertificate'{}}

       bad_cert_reason() =
           cert_expired | invalid_issuer | invalid_signature |
           name_not_permitted | missing_basic_constraint |
           invalid_key_usage |
           {revoked, crl_reason()} |
           atom()

       crl_reason() =
           unspecified | keyCompromise | cACompromise |
           affiliationChanged | superseded | cessationOfOperation |
           certificateHold | privilegeWithdrawn | aACompromise

       chain_opts() =
           #{chain_end() := [cert_opt()],
             intermediates => [[cert_opt()]]}

       chain_end() = root | peer

       cert_opt() =
           {digest, public_key:digest_type()} |
           {key, public_key:key_params() | public_key:private_key()} |
           {validity,
            {From :: erlang:timestamp(), To :: erlang:timestamp()}} |
           {extensions, [#'Extension'{}]}

       test_root_cert() =
           #{cert := der_encoded(), key := public_key:private_key()}

       test_config() =
           #{server_config := [conf_opt()],
             client_config := [conf_opt()]}

       conf_opt() =
           {cert, public_key:der_encoded()} |
           {key, public_key:private_key()} |
           {cacerts, [public_key:der_encoded()]}

EXPORTS

       cacerts_clear() -> boolean()

              Clears any loaded CA certificates, returns true if any was loaded.

       cacerts_get() -> [combined_cert()]

              Returns   the   trusted   CA   certificates  if  any  are  loaded,  otherwise  uses
              cacerts_load/0 to load them. The function fails if no cacerts could be loaded.

       cacerts_load() -> ok | {error, Reason :: term()}

              Loads the OS supplied trusted CA certificates.

       cacerts_load(File :: file:filename_all()) ->
                       ok | {error, Reason :: term()}

              Loads the trusted CA certificates from a file.

       compute_key(OthersECDHkey, MyECDHkey) -> SharedSecret

              Types:

                 OthersECDHkey = #'ECPoint'{}
                 MyECDHkey = #'ECPrivateKey'{}
                 SharedSecret = binary()

              Computes shared secret.

       compute_key(OthersDHkey, MyDHkey, DHparms) -> SharedSecret

              Types:

                 OthersDHkey = crypto:dh_public()
                 MyDHkey = crypto:dh_private()
                 DHparms = #'DHParameter'{}
                 SharedSecret = binary()

              Computes shared secret.

       decrypt_private(CipherText, Key) -> PlainText

       decrypt_private(CipherText, Key, Options) -> PlainText

              Types:

                 CipherText = binary()
                 Key = rsa_private_key()
                 Options = crypto:pk_encrypt_decrypt_opts()
                 PlainText = binary()

              Public-key decryption using the private key. See also crypto:private_decrypt/4

       decrypt_public(CipherText, Key) -> PlainText

       decrypt_public(CipherText, Key, Options) -> PlainText

              Types:

                 CipherText = binary()
                 Key = rsa_public_key()
                 Options = crypto:pk_encrypt_decrypt_opts()
                 PlainText = binary()

              Public-key decryption using the public key. See also crypto:public_decrypt/4

       der_decode(Asn1Type, Der) -> Entity

              Types:

                 Asn1Type = asn1_type()
                 Der = der_encoded()
                 Entity = term()

              Decodes a public-key ASN.1 DER encoded entity.

       der_encode(Asn1Type, Entity) -> Der

              Types:

                 Asn1Type = asn1_type()
                 Entity = term()
                 Der = binary()

              Encodes a public-key entity with ASN.1 DER encoding.

       dh_gex_group(MinSize, SuggestedSize, MaxSize, Groups) ->
                       {ok, {Size, Group}} | {error, term()}

              Types:

                 MinSize = SuggestedSize = MaxSize = integer() >= 1
                 Groups = undefined | [{Size, [Group]}]
                 Size = integer() >= 1
                 Group = {G, P}
                 G = P = integer() >= 1

              Selects a group for Diffie-Hellman key exchange with the  key  size  in  the  range
              MinSize...MaxSize and as close to SuggestedSize as possible. If Groups == undefined
              a default set will be used, otherwise the group is selected from Groups.

              First a size, as close as possible to SuggestedSize, is selected.  Then  one  group
              with  that  key  size  is randomly selected from the specified set of groups. If no
              size within the limits of MinSize and MaxSize is available,  {error,no_group_found}
              is returned.

              The default set of groups is listed in lib/public_key/priv/moduli. This file may be
              regenerated like this:

                   $> cd $ERL_TOP/lib/public_key/priv/
                   $> generate
                       ---- wait until all background jobs has finished. It may take several days !
                   $> cat moduli-* > moduli
                   $> cd ..; make

       encrypt_private(PlainText, Key) -> CipherText

       encrypt_private(PlainText, Key, Options) -> CipherText

              Types:

                 PlainText = binary()
                 Key = rsa_private_key()
                 Options = crypto:pk_encrypt_decrypt_opts()
                 CipherText = binary()

              Public-key encryption using the private key. See also crypto:private_encrypt/4.

       encrypt_public(PlainText, Key) -> CipherText

       encrypt_public(PlainText, Key, Options) -> CipherText

              Types:

                 PlainText = binary()
                 Key = rsa_public_key()
                 Options = crypto:pk_encrypt_decrypt_opts()
                 CipherText = binary()

              Public-key encryption using the public key. See also crypto:public_encrypt/4.

       generate_key(Params :: DHparams | ECparams | RSAparams) ->
                       DHkeys | ECkey | RSAkey

              Types:

                 DHparams = #'DHParameter'{}
                 DHkeys = {PublicDH :: binary(), PrivateDH :: binary()}
                 ECparams = ecpk_parameters_api()
                 ECkey = #'ECPrivateKey'{}
                 RSAparams = {rsa, Size, PubExp}
                 Size = PubExp = integer() >= 1
                 RSAkey = #'RSAPrivateKey'{}

              Generates a new key pair. Note that except for Diffie-Hellman  the  public  key  is
              included in the private key structure. See also crypto:generate_key/2

       pem_decode(PemBin :: binary()) -> [pem_entry()]

              Decodes PEM binary data and returns entries as ASN.1 DER encoded entities.

              Example     {ok,     PemBin}    =    file:read_file("cert.pem").    PemEntries    =
              public_key:pem_decode(PemBin).

       pem_encode(PemEntries :: [pem_entry()]) -> binary()

              Creates a PEM binary.

       pem_entry_decode(PemEntry) -> term()

       pem_entry_decode(PemEntry, Password) -> term()

              Types:

                 PemEntry = pem_entry()
                 Password = iodata() | fun(() -> iodata())

              Decodes a PEM entry. pem_decode/1 returns a list of PEM entries. Notice that if the
              PEM  entry  is  of  type  'SubjectPublickeyInfo',  it  is  further  decoded  to  an
              rsa_public_key() or dsa_public_key().

              Password can be either an octet string or function which returns same type.

       pem_entry_encode(Asn1Type, Entity) -> pem_entry()

       pem_entry_encode(Asn1Type, Entity, InfoPwd) -> pem_entry()

              Types:

                 Asn1Type = pki_asn1_type()
                 Entity = term()
                 InfoPwd = {CipherInfo, Password}
                 CipherInfo = cipher_info()
                 Password = iodata()

              Creates a PEM entry that can be feed to pem_encode/1.

              If Asn1Type is 'SubjectPublicKeyInfo', Entity must be either  an  rsa_public_key(),
              dsa_public_key()  or  an  ec_public_key() and this function creates the appropriate
              'SubjectPublicKeyInfo' entry.

       pkix_decode_cert(Cert, Type) -> #'Certificate'{} | otp_cert()

              Types:

                 Cert = der_cert()
                 Type = plain | otp

              Decodes an ASN.1 DER-encoded PKIX certificate. Option otp uses the customized ASN.1
              specification  OTP-PKIX.asn1  for  decoding and also recursively decode most of the
              standard parts.

       pkix_encode(Asn1Type, Entity, Type) -> Der

              Types:

                 Asn1Type = asn1_type()
                 Entity = term()
                 Type = otp | plain
                 Der = der_encoded()

              DER encodes a PKIX x509 certificate or part of such a  certificate.  This  function
              must  be  used  for  encoding  certificates  or  parts  of  certificates  that  are
              decoded/created in the otp format, whereas  for  the  plain  format  this  function
              directly calls der_encode/2.

          Note:
              Subtle  ASN-1  encoding  errors in certificates may be worked around when decoding,
              this may have the affect that the encoding a certificate back to DER  may  generate
              different bytes then the supplied original.

       pkix_is_issuer(CertorCRL, IssuerCert) -> boolean()

              Types:

                 CertorCRL = cert() | #'CertificateList'{}
                 IssuerCert = cert()

              Checks if IssuerCert issued Cert.

       pkix_is_fixed_dh_cert(Cert) -> boolean()

              Types:

                 Cert = cert()

              Checks if a certificate is a fixed Diffie-Hellman certificate.

       pkix_is_self_signed(Cert) -> boolean()

              Types:

                 Cert = cert()

              Checks if a certificate is self-signed.

       pkix_issuer_id(Cert, IssuedBy) ->
                         {ok, ID :: cert_id()} | {error, Reason}

              Types:

                 Cert = cert()
                 IssuedBy = self | other
                 Reason = term()

              Returns the x509 certificate issuer id, if it can be determined.

       pkix_normalize_name(Issuer) -> Normalized

              Types:

                 Issuer = issuer_name() | der_encoded()
                 Normalized = issuer_name()

              Normalizes an issuer name so that it can be easily compared to another issuer name.

       pkix_path_validation(Cert, CertChain, Options) ->
                               {ok, {PublicKeyInfo, PolicyTree}} |
                               {error,
                                {bad_cert, Reason :: bad_cert_reason()}}

              Types:

                 Cert = cert() | atom()
                 CertChain = [cert() | combined_cert()]
                 Options =
                     [{max_path_length, integer()} |
                      {verify_fun, {function(), term()}}]
                 PublicKeyInfo = public_key_info()
                 PolicyTree = list()

              Performs  a basic path validation according to RFC 5280. However, CRL validation is
              done separately by pkix_crls_validate/3  and is to  be  called  from  the  supplied
              verify_fun.  The  optional  policy  tree  check is currently not implemented but an
              empty place holder list is returned instead.

              Available options:

                {verify_fun, {fun(), InitialUserState::term()}:
                  The fun must be defined as:

                fun(OtpCert :: #'OTPCertificate'{},
                    Event :: {bad_cert, Reason :: atom() | {revoked, atom()}} |
                             {extension, #'Extension'{}},
                    InitialUserState :: term()) ->
                     {valid, UserState :: term()} |
                     {valid_peer, UserState :: term()} |
                     {fail, Reason :: term()} |
                     {unknown, UserState :: term()}.

                  If the verify callback fun returns {fail, Reason}, the verification process  is
                  immediately stopped. If the verify callback fun returns {valid, UserState}, the
                  verification process is continued. This can be used  to  accept  specific  path
                  validation  errors,  such as selfsigned_peer, as well as verifying application-
                  specific  extensions.  If  called  with  an  extension  unknown  to  the   user
                  application, the return value {unknown, UserState} is to be used.

            Warning:
                Note that user defined custom verify_fun may alter original path validation error
                (e.g selfsigned_peer). Use with caution.

                {max_path_length, integer()}:
                   The max_path_length is the  maximum  number  of  non-self-issued  intermediate
                  certificates  that  can  follow  the  peer certificate in a valid certification
                  path. So, if max_path_length is 0, the PEER must be signed by the trusted ROOT-
                  CA  directly,  if  it  is 1, the path can be PEER, CA, ROOT-CA, if it is 2, the
                  path can be PEER, CA, CA, ROOT-CA, and so on.

              Explanations of reasons for a bad certificate:

                cert_expired:
                  Certificate is no longer valid as its expiration date has passed.

                invalid_issuer:
                  Certificate issuer name does not match the name of the  issuer  certificate  in
                  the chain.

                invalid_signature:
                  Certificate was not signed by its issuer certificate in the chain.

                name_not_permitted:
                  Invalid Subject Alternative Name extension.

                missing_basic_constraint:
                  Certificate,  required to have the basic constraints extension, does not have a
                  basic constraints extension.

                invalid_key_usage:
                  Certificate key is used in an invalid way according to the key-usage extension.

                {revoked, crl_reason()}:
                  Certificate has been revoked.

                atom():
                  Application-specific error reason that is to be checked by the verify_fun.

       pkix_crl_issuer(CRL) -> Issuer

              Types:

                 CRL = der_encoded() | #'CertificateList'{}
                 Issuer = issuer_name()

              Returns the issuer of the CRL.

       pkix_crls_validate(OTPcertificate, DPandCRLs, Options) ->
                             CRLstatus

              Types:

                 OTPcertificate = #'OTPCertificate'{}
                 DPandCRLs = [DPandCRL]
                 DPandCRL = {DP, {DerCRL, CRL}}
                 DP = #'DistributionPoint'{}
                 DerCRL = der_encoded()
                 CRL = #'CertificateList'{}
                 Options = [{atom(), term()}]
                 CRLstatus = valid | {bad_cert, BadCertReason}
                 BadCertReason =
                     revocation_status_undetermined |
                     {revocation_status_undetermined, Reason :: term()} |
                     {revoked, crl_reason()}

              Performs CRL validation. It is intended  to  be  called  from  the  verify  fun  of
              pkix_path_validation/3 .

              Available options:

                {update_crl, fun()}:
                  The fun has the following type specification:

                 fun(#'DistributionPoint'{}, #'CertificateList'{}) ->
                        #'CertificateList'{}

                  The  fun  uses  the  information in the distribution point to access the latest
                  possible version of the CRL. If this fun is not specified, Public Key uses  the
                  default implementation:

                 fun(_DP, CRL) -> CRL end

                {issuer_fun, fun()}:
                  The fun has the following type specification:

                fun(#'DistributionPoint'{}, #'CertificateList'{},
                    {rdnSequence,[#'AttributeTypeAndValue'{}]}, term()) ->
                     {ok, #'OTPCertificate'{}, [der_encoded]}

                  The  fun returns the root certificate and certificate chain that has signed the
                  CRL.

                 fun(DP, CRL, Issuer, UserState) -> {ok, RootCert, CertChain}

                {undetermined_details, boolean()}:
                  Defaults to false. When revocation status cannot be determined, and this option
                  is  set  to  true,  details  of  why no CRLs where accepted are included in the
                  return value.

       pkix_crl_verify(CRL, Cert) -> boolean()

              Types:

                 CRL = der_encoded() | #'CertificateList'{}
                 Cert = cert()

              Verify that Cert is the CRL signer.

       pkix_dist_point(Cert) -> DistPoint

              Types:

                 Cert = cert()
                 DistPoint = #'DistributionPoint'{}

              Creates a distribution point for CRLs issued by the same issuer  as  Cert.  Can  be
              used as input to pkix_crls_validate/3

       pkix_dist_points(Cert) -> DistPoints

              Types:

                 Cert = cert()
                 DistPoints = [#'DistributionPoint'{}]

              Extracts distribution points from the certificates extensions.

       pkix_hash_type(HashOid :: oid()) ->
                         DigestType ::
                             md5 | crypto:sha1() | crypto:sha2()

              Translates OID to Erlang digest type

       pkix_match_dist_point(CRL, DistPoint) -> boolean()

              Types:

                 CRL = der_encoded() | #'CertificateList'{}
                 DistPoint = #'DistributionPoint'{}

              Checks  whether the given distribution point matches the Issuing Distribution Point
              of the CRL, as  described  in  RFC  5280.  If  the  CRL  doesn't  have  an  Issuing
              Distribution Point extension, the distribution point always matches.

       pkix_sign(Cert, Key) -> Der

              Types:

                 Cert = #'OTPTBSCertificate'{}
                 Key = private_key()
                 Der = der_encoded()

              Signs an 'OTPTBSCertificate'. Returns the corresponding DER-encoded certificate.

       pkix_sign_types(AlgorithmId) -> {DigestType, SignatureType}

              Types:

                 AlgorithmId = oid()
                 DigestType = crypto:rsa_digest_type() | none
                 SignatureType = rsa | dsa | ecdsa | eddsa

              Translates signature algorithm OID to Erlang digest and signature types.

              The AlgorithmId is the signature OID from a certificate or a certificate revocation
              list.

       pkix_test_data(ChainConf) -> TestConf

              Types:

                 ChainConf =
                     #{server_chain := chain_opts(), client_chain := chain_opts()} |
                     chain_opts()
                 TestConf = test_config() | [conf_opt()]

              Creates certificate configuration(s) consisting of certificate and its private  key
              plus  CA  certificate  bundle,  for  a  client and a server, intended to facilitate
              automated testing of applications using X509-certificates, often  through  SSL/TLS.
              The test data can be used when you have control over both the client and the server
              in a test scenario.

              When this function is  called  with  a  map  containing  client  and  server  chain
              specifications; it generates both a client and a server certificate chain where the
              cacerts returned for the server contains the root cert the server should trust  and
              the  intermediate certificates the server should present to connecting clients. The
              root cert the server should trust is the one used as root of the client certificate
              chain.  Vice versa applies to the cacerts returned for the client. The root cert(s)
              can either be  pre-generated  with   pkix_test_root_cert/2  ,  or  if  options  are
              specified; it is (they are) generated.

              When  this  function  is  called with a list of certificate options; it generates a
              configuration with just one node certificate where cacerts contains the  root  cert
              and  the  intermediate  certs  that should be presented to a peer. In this case the
              same root cert must be used for all peers. This is useful in for example an  Erlang
              distributed  cluster  where any node, towards another node, acts either as a server
              or as a client depending  on  who  connects  to  whom.  The  generated  certificate
              contains  a subject altname, which is not needed in a client certificate, but makes
              the certificate useful for both roles.

              Explanation of the options used to customize certificates in the generated chains:

                 {digest, digest_type()}:
                  Hash algorithm to be used for signing the certificate  together  with  the  key
                  option. Defaults to sha that is sha1.

                 {key, key_params() | private_key()}:
                  Parameters  to be used to call public_key:generate_key/1, to generate a key, or
                  an existing key. Defaults to generating an ECDSA key. Note this could  fail  if
                  Erlang/OTP is compiled with a very old cryptolib.

                 {validity, {From::erlang:timestamp(), To::erlang:timestamp()}} :
                  The validity period of the certificate.

                 {extensions, [#'Extension'{}]}:
                  Extensions to include in the certificate.

                  Default extensions included in CA certificates if not otherwise specified are:

                [#'Extension'{extnID = ?'id-ce-keyUsage',
                              extnValue = [keyCertSign, cRLSign],
                              critical = false},
                #'Extension'{extnID = ?'id-ce-basicConstraints',
                             extnValue = #'BasicConstraints'{cA = true},
                             critical = true}]

                  Default  extensions included in the server peer cert if not otherwise specified
                  are:

                [#'Extension'{extnID = ?'id-ce-keyUsage',
                              extnValue = [digitalSignature, keyAgreement],
                              critical = false},
                #'Extension'{extnID = ?'id-ce-subjectAltName',
                             extnValue = [{dNSName, Hostname}],
                             critical = false}]

                  Hostname is the result of calling net_adm:localhost() in the Erlang node  where
                  this function is called.

          Note:
              Note  that  the generated certificates and keys does not provide a formally correct
              PKIX-trust-chain and they cannot be used to achieve real security. This function is
              provided for testing purposes only.

       pkix_test_root_cert(Name, Options) -> RootCert

              Types:

                 Name = string()
                 Options = [cert_opt()]
                 RootCert = test_root_cert()

              Generates a root certificate that can be used in multiple calls to pkix_test_data/1
              when you want the same root certificate for several generated certificates.

       pkix_subject_id(Cert) -> ID

              Types:

                 Cert = cert()
                 ID = cert_id()

              Returns the X509 certificate subject id.

       pkix_verify(Cert, Key) -> boolean()

              Types:

                 Cert = der_cert()
                 Key = public_key()

              Verifies PKIX x.509 certificate signature.

       pkix_verify_hostname(Cert, ReferenceIDs) -> boolean()

       pkix_verify_hostname(Cert, ReferenceIDs, Options) -> boolean()

              Types:

                 Cert = cert()
                 ReferenceIDs = referenceIDs()
                 Options = [{match_fun | fail_callback | fqdn_fun, function()}]

              This function checks that the  Presented  Identifier   (e.g  hostname)  in  a  peer
              certificate is in agreement with at least one of the Reference Identifier  that the
              client expects to be connected to. The function is intended to be added as an extra
              client      check      of      the     peer     certificate     when     performing
              public_key:pkix_path_validation/3

              See RFC 6125 for detailed information about hostname verification. The User's Guide
              and code examples describes this function more detailed.

              The option funs are described here:

                match_fun:

                fun(ReferenceId::ReferenceId() | FQDN::string(),
                    PresentedId::{dNSName,string()} | {uniformResourceIdentifier,string() |
                                 {iPAddress,list(byte())} | {OtherId::atom()|oid(),term()}})

                fun(....) -> true;   % My special case
                   (_, _) -> default % all others falls back to the inherit tests
                end

                See pkix_verify_hostname_match_fun/1 for a function that takes a protocol name as
                argument and returns a fun/2 suitable for this option and Re-defining  the  match
                operation in the User's Guide for an example.

            Note:
                Reference  Id  values  given  as  binaries  will  be converted to strings, and ip
                references may be given in string format that is "10.0.1.1" or  "1234::5678:9012"
                as well as on the format inet:ip_address()

                fail_callback:
                  If  a  matching fails, there could be circumstances when the certificate should
                  be accepted anyway. Think for example of a web  browser  where  you  choose  to
                  accept  an  outdated certificate. This option enables implementation of such an
                  exception but for hostnames. This fun/1 is called when no ReferenceID  matches.
                  The  return value of the fun (a boolean()) decides the outcome. If true the the
                  certificate is accepted otherwise it is rejected. See "Pinning"  a  Certificate
                  in the User's Guide.

                fqdn_fun:
                  This  option  augments  the  host name extraction from URIs and other Reference
                  IDs. It could for example be a very special URI that is not  standardised.  The
                  fun takes a Reference ID as argument and returns one of:

                  * the hostname

                  * the atom default: the default host name extract function will be used

                  * the   atom   undefined:   a   host   name   could   not   be  extracted.  The
                    pkix_verify_hostname/3 will return false.

                For an example, see Hostname extraction in the User's Guide.

       pkix_verify_hostname_match_fun(Protocol) -> Result

              Types:

                 Protocol = https
                 Result = function()

              The return value of calling this function is intended to be used in  the  match_fun
              option in pkix_verify_hostname/3.

              The  returned  fun  augments the verify hostname matching according to the specific
              rules for the protocol in the argument.

          Note:
              Currently supported https fun will allow wildcard certificate matching as specified
              by  the HTTP standard. Note that for instance LDAP have a different set of wildcard
              matching rules. If you do not want to allow wildcard certificates (recommended from
              a security perspective) or otherwise customize the hostname match the default match
              function used by ssl application will be sufficient.

       sign(Msg, DigestType, Key) -> Signature

       sign(Msg, DigestType, Key, Options) -> Signature

              Types:

                 Msg = binary() | {digest, binary()}
                 DigestType = digest_type()
                 Key = private_key()
                 Options = crypto:pk_sign_verify_opts()
                 Signature = binary()

              Creates a digital signature.

              The Msg is either the binary "plain text" data to be signed or  it  is  the  hashed
              value of "plain text", that is, the digest.

       verify(Msg, DigestType, Signature, Key) -> boolean()

       verify(Msg, DigestType, Signature, Key, Options) -> boolean()

              Types:

                 Msg = binary() | {digest, binary()}
                 DigestType = digest_type()
                 Signature = binary()
                 Key = public_key()
                 Options = crypto:pk_sign_verify_opts()

              Verifies a digital signature.

              The  Msg is either the binary "plain text" data or it is the hashed value of "plain
              text", that is, the digest.

       short_name_hash(Name) -> string()

              Types:

                 Name = issuer_name()

              Generates a short hash of an  issuer  name.  The  hash  is  returned  as  a  string
              containing eight hexadecimal digits.

              The return value of this function is the same as the result of the commands openssl
              crl -hash and openssl x509 -issuer_hash, when passed the issuer name of a CRL or  a
              certificate,  respectively.  This  hash  is used by the c_rehash tool to maintain a
              directory of symlinks to CRL files, in order to facilitate looking up a CRL by  its
              issuer name.