X509 Certificate

Index

  • x509-cert/allowed-ext-usage
  • x509-cert/allowed-usage
  • x509-cert/authority-key-id
  • x509-cert/create-self-signed
  • x509-cert/dup
  • x509-cert/fingerprint
  • x509-cert/hostname-match
  • x509-cert/is-ca
  • x509-cert/issue
  • x509-cert/issuer-dn
  • x509-cert/load
  • x509-cert/load-file
  • x509-cert/not-after
  • x509-cert/not-before
  • x509-cert/san
  • x509-cert/serial-number
  • x509-cert/subject-dn
  • x509-cert/subject-key-id
  • x509-cert/subject-public-key
  • x509-cert/subject-public-key-bits
  • x509-cert/to-der
  • x509-cert/to-pem
  • x509-cert/to-string
  • x509-cert/validation-status
  • x509-cert/verify

Reference

(x509-cert/allowed-ext-usage cert-obj oid)

Check if the certificate allows the specified extended usage OID. The `oid` parameter can be either a canonical OID string or identifiers like "PKIX.ServerAuth", "PKIX.ClientAuth", "PKIX.CodeSigning", "PKIX.OCSPSigning". Returns true if the certificate allows the usage.

(x509-cert/allowed-usage cert-obj cert-usage)

Test if the certificate is allowed for a particular usage. The cert-usage argument should be one of the following keywords:

  • :NO-CONSTRAINTS
  • :DIGITAL-SIGNATURE
  • :NON-REPUDIATION
  • :KEY-ENCIPHERMENT
  • :DATA-ENCIPHERMENT
  • :KEY-AGREEMENT
  • :KEY-CERT-SIGN
  • :CRL-SIGN
  • :ENCIPHER-ONLY
  • :DECIPHER-ONLY

Returns true if the given X.509 certificate `cert-obj` is allowed for the specified cert-usage.

(x509-cert/authority-key-id cert-obj)

Return the authority key ID set in the certificate, which may be empty.

(x509-cert/create-self-signed key &keys {:rng rng :hash hash :expire-time expire-time :is-ca is-ca :CN cn :C c :O o :OU ou :ST st :L l :email email :dns dns :ip ip :uri uri :serial-number serial-number :key-usage key-usage :ext-key-usage ext-key-usage})

Create a self-signed X.509 certificate.

  • `key` - A private key object.
  • `:rng` - A random number generator object. Default is system RNG.
  • `:hash` - Hash algorithm name, e.g. "SHA-256". Default is "SHA-256".
  • `:expire-time` - Expiration time in seconds from now. Default is 365 days.
  • `:is-ca` - If true, mark certificate as a CA certificate. Default is false.
  • `:CN` - Common Name.
  • `:C` - Country.
  • `:O` - Organization.
  • `:OU` - Organizational Unit. Can be a tuple/array of strings for multiple values.
  • `:ST` - State or Province.
  • `:L` - Locality.
  • `:email` - Email address.
  • `:dns` - DNS name for Subject Alternative Name. Can be a tuple/array of strings for multiple values.
  • `:ip` - IP address for Subject Alternative Name.
  • `:uri` - URI for Subject Alternative Name.
  • `:serial-number` - Serial number field of the DN.
  • `:key-usage` - KeyUsage constraint. A keyword or tuple/array of keywords. Possible values: :DIGITAL-SIGNATURE, :NON-REPUDIATION, :KEY-ENCIPHERMENT, :DATA-ENCIPHERMENT, :KEY-AGREEMENT, :KEY-CERT-SIGN, :CRL-SIGN, :ENCIPHER-ONLY, :DECIPHER-ONLY.
  • `:ext-key-usage` - ExtendedKeyUsage constraint. A string or tuple/array of strings. e.g. "PKIX.ServerAuth", "PKIX.ClientAuth", "PKIX.CodeSigning", "PKIX.EmailProtection", "PKIX.TimeStamping", "PKIX.OCSPSigning".

(x509-cert/dup cert-obj)

Create a new object that refers to the same certificate.

(x509-cert/fingerprint cert-obj &opt hash-algo)

Return a fingerprint for the certificate: a hash of its binary contents. Normally "SHA-1" or "SHA-256" is used, but any hash function is allowed. If `hash-algo` is omitted, "SHA-256" is used.

(x509-cert/hostname-match cert-obj hostname)

Return true if the certificate matches the given `hostname`. If SAN DNS entries are present, only those are checked; otherwise it falls back to the Common Name (CN). Supports wildcard matching.

(x509-cert/is-ca cert-obj)

Return true if the certificate is a CA certificate.

(x509-cert/issue subject-key ca-cert ca-key not-before not-after &keys {:rng rng :hash hash :is-ca is-ca :CN cn :C c :O o :OU ou :ST st :L l :email email :dns dns :ip ip :uri uri :serial-number serial-number :key-usage key-usage :ext-key-usage ext-key-usage})

Issue a new X.509 certificate signed by a CA.

  • `subject-key` - The subject's private key object.
  • `ca-cert` - The CA's certificate object.
  • `ca-key` - The CA's private key object.
  • `not-before` - Certificate validity start time, as seconds since epoch.
  • `not-after` - Certificate validity end time, as seconds since epoch.
  • `:rng` - A random number generator object. Default is system RNG.
  • `:hash` - Hash algorithm name, e.g. "SHA-256". Default is "SHA-256".
  • `:is-ca` - If true, mark certificate as a CA certificate. Default is false.
  • `:CN` - Common Name.
  • `:C` - Country.
  • `:O` - Organization.
  • `:OU` - Organizational Unit. Can be a tuple/array of strings for multiple values.
  • `:ST` - State or Province.
  • `:L` - Locality.
  • `:email` - Email address.
  • `:dns` - DNS name for Subject Alternative Name. Can be a tuple/array of strings for multiple values.
  • `:ip` - IP address for Subject Alternative Name.
  • `:uri` - URI for Subject Alternative Name.
  • `:serial-number` - Serial number field of the DN.
  • `:key-usage` - KeyUsage constraint. A keyword or tuple/array of keywords. Possible values: :DIGITAL-SIGNATURE, :NON-REPUDIATION, :KEY-ENCIPHERMENT, :DATA-ENCIPHERMENT, :KEY-AGREEMENT, :KEY-CERT-SIGN, :CRL-SIGN, :ENCIPHER-ONLY, :DECIPHER-ONLY.
  • `:ext-key-usage` - ExtendedKeyUsage constraint. A string or tuple/array of strings. e.g. "PKIX.ServerAuth", "PKIX.ClientAuth", "PKIX.CodeSigning", "PKIX.EmailProtection", "PKIX.TimeStamping", "PKIX.OCSPSigning".

(x509-cert/issuer-dn cert-obj key &opt index)

Get a value from the issuer DN field. `key` is one of :CN, :C, :O, :OU, :ST, :L, :serial-number. If `index` is given, returns the value at that zero-based index. If omitted, returns a tuple of all values for that field.

(x509-cert/load cert)

Load an X.509 certificate from its DER or PEM representation.

(x509-cert/load-file file-name)

Load an X.509 certificate from a file.

(x509-cert/not-after cert-obj)

Return the time the certificate expires, as seconds since epoch.

(x509-cert/not-before cert-obj)

Return the time the certificate becomes valid, as seconds since epoch.

(x509-cert/san cert-obj type &opt index)

Get a value from the Subject Alternative Name extension. `type` is one of :dns, :email, :uri, :ip. If `index` is given, returns the value at that zero-based index (nil if not found). If omitted, returns a tuple of all values for that type.

(x509-cert/serial-number cert-obj)

Return the serial number of the certificate.

(x509-cert/subject-dn cert-obj key &opt index)

Get a value from the subject DN field. `key` is one of :CN, :C, :O, :OU, :ST, :L, :serial-number. If `index` is given, returns the value at that zero-based index. If omitted, returns a tuple of all values for that field.
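The inspection functions above combine naturally into a lint pass over a server certificate: hostname against SAN (falling back to CN), CA flag, KeyUsage and ExtendedKeyUsage, and the validity window. This is an added example, not code from the page or the library; the `(import botan :prefix "")` form is an assumption about how the binding is loaded.

```janet
(import botan :prefix "")  # assumed: this import form exposes x509-cert/* unprefixed

(defn lint-server-cert
  "Load a certificate file and collect the problems a TLS server cert must not have."
  [path hostname]
  (def cert (x509-cert/load-file path))
  (def now (os/time))
  (def problems @[])
  # hostname-match prefers SAN dNSName entries and only falls back to the CN
  (unless (x509-cert/hostname-match cert hostname)
    (array/push problems
                (string "no match for " hostname "; SAN DNS = "
                        (string/join (x509-cert/san cert :dns) ", "))))
  # a leaf presented by a server must not carry the CA flag
  (when (x509-cert/is-ca cert)
    (array/push problems "server certificate is marked as a CA"))
  # key usage and extended key usage must permit TLS server authentication
  (unless (x509-cert/allowed-ext-usage cert "PKIX.ServerAuth")
    (array/push problems "EKU does not permit PKIX.ServerAuth"))
  (unless (x509-cert/allowed-usage cert :DIGITAL-SIGNATURE)
    (array/push problems "KeyUsage does not permit digital signatures"))
  # validity window, with an early warning 30 days before expiry
  (def not-after (x509-cert/not-after cert))
  (cond
    (< now (x509-cert/not-before cert)) (array/push problems "not yet valid")
    (> now not-after) (array/push problems "expired")
    (< (- not-after now) (* 30 86400)) (array/push problems "expires within 30 days"))
  {:subject-cn (x509-cert/subject-dn cert :CN)
   :issuer-cn (x509-cert/issuer-dn cert :CN)
   :sha256 (x509-cert/fingerprint cert "SHA-256")
   :problems problems})

(defn main [& args]
  # usage: janet lint-cert.janet server.pem www.example.com
  (def [_ path hostname] args)
  (def report (lint-server-cert path hostname))
  (printf "subject CN: %q" (report :subject-cn))
  (printf "issuer CN:  %q" (report :issuer-cn))
  (printf "SHA-256:    %s" (report :sha256))
  (if (empty? (report :problems))
    (print "OK")
    (each p (report :problems) (print "PROBLEM: " p))))
```

Note that this is a local lint of one certificate, not chain validation; signature, trust anchor and revocation checks are what `x509-cert/verify` does.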

(x509-cert/subject-key-id cert-obj)

Return the subject key ID set in the certificate, which may be empty.

(x509-cert/subject-public-key cert-obj)

Get the public key included in this certificate as a `pubkey` object.

(x509-cert/subject-public-key-bits cert-obj)

Get the serialized representation of the public key included in this certificate.

(x509-cert/to-der cert)

Encode the certificate as DER binary data.

(x509-cert/to-pem cert)

Encode the certificate as a PEM string.

(x509-cert/to-string cert-obj)

Return a free-form string representation of this certificate.

(x509-cert/validation-status error-code)

Return an informative string explaining the verification return code.

(x509-cert/verify cert-obj &keys {:intermediates intermediates :trusted trusted :trusted-path trusted-path :required-strength required-strength :hostname hostname :reference-time reference-time :crl crls})

Verify a certificate. Returns 0 if validation was successful, or a positive error code if validation was unsuccessful.

  • :intermediates - A tuple of untrusted subauthorities.
  • :trusted - A tuple of trusted root CAs.
  • :trusted-path - A path to a directory where one or more trusted CA certificates are stored.
  • :required-strength - The minimum key and hash strength that is allowed. For instance, setting it to 80 allows 1024-bit RSA and SHA-1; setting it to 110 requires 2048-bit RSA and SHA-256 or higher. Set to zero to accept the default. The default value is 0 if omitted.
  • :hostname - Check against the certificate's CN field.
  • :reference-time - Time value which the certificate chain is validated against. Use zero (the default) to use the current system clock.
  • :crl - A tuple of CRLs issued by either trusted or untrusted authorities.
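The create-self-signed, issue and verify functions together form the full issuance-and-validation round trip. The following is an added example, not code from the page or the library: it builds a constructed root CA and a 90-day server certificate, then shows how each `x509-cert/verify` option turns a single bad input into a non-zero code that `x509-cert/validation-status` explains. The `(import botan :prefix "")` form and the `privkey/new` key-generation call are assumptions; substitute the binding's actual key constructor.

```janet
(import botan :prefix "")  # assumed import form

# Assumed: privkey/new creates a fresh private key; its name and argument shape
# are not documented on this page.
(def ca-key (privkey/new "RSA" 3072))
(def leaf-key (privkey/new "RSA" 2048))

(def day 86400)
(def now (os/time))

# Root: self-signed, CA flag set, key usage limited to signing certificates and CRLs.
(def ca-cert
  (x509-cert/create-self-signed ca-key
    :CN "Constructed Test Root CA" :O "Example Org" :C "US"
    :is-ca true
    :expire-time (* 10 365 day)
    :key-usage [:KEY-CERT-SIGN :CRL-SIGN]))

# Leaf: 90-day server certificate, hostnames in the SAN, usage restricted to TLS server auth.
(def leaf-cert
  (x509-cert/issue leaf-key ca-cert ca-key now (+ now (* 90 day))
    :CN "www.example.com" :O "Example Org"
    :dns ["www.example.com" "example.com"]
    :key-usage [:DIGITAL-SIGNATURE :KEY-ENCIPHERMENT]
    :ext-key-usage "PKIX.ServerAuth"))

(defn check
  "Run x509-cert/verify with the given options and print the decoded result code."
  [label cert & opts]
  (def code (x509-cert/verify cert ;opts))
  (printf "%s: %d (%s)" label code (x509-cert/validation-status code))
  code)

# Expected 0: trusted root, hostname in SAN, 2048-bit RSA / SHA-256 satisfy strength 110.
(assert (= 0 (check "valid chain" leaf-cert
                    :trusted [ca-cert] :hostname "www.example.com" :required-strength 110)))

# Each call below changes exactly one input, so the non-zero code names the failing check.
(assert (not= 0 (check "hostname not in SAN" leaf-cert
                       :trusted [ca-cert] :hostname "other.example.net")))
(assert (not= 0 (check "no trust anchor given" leaf-cert
                       :hostname "www.example.com")))
(assert (not= 0 (check "reference time after expiry" leaf-cert
                       :trusted [ca-cert] :reference-time (+ now (* 91 day)))))

# The leaf was issued without :is-ca, so it cannot be used to sign further certificates.
(assert (not (x509-cert/is-ca leaf-cert)))
(assert (x509-cert/is-ca ca-cert))
```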