hans/racket-self-signed-cert
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
70d6c49b63ca47daf3c16fa3c21d30a08b3503c4
racket-self-signed-cert/scribblings/self-signed-cert.scrbl
Hans Dijkema 0985a85d5b -
2026-03-07 01:50:03 +01:00

204 lines
4.9 KiB
Racket
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#lang scribble/manual
@(require scribble/example
(for-label racket/base
racket/contract
openssl))
@title{Self-Signed Certificate Utilities}
@author[@author+email["Hans Dijkema" "hans@dijkewijk.nl"]]
@defmodule[racket-self-signed-cert]
This module provides utilities for generating a self-signed X.509 certificate
together with a corresponding private key.
The implementation uses the @racketmodname[openssl] bindings that are
distributed with Racket. In other words, the module relies on the
OpenSSL library that ships with Racket and accesses it via Rackets
FFI interface.
The generated certificate and key are returned in PEM format and can
be used directly with Racket networking libraries such as
@racketmodname[openssl] or TLS-enabled servers.
@section{OpenSSL Integration}
The module dynamically integrates with the OpenSSL library that is
present in the running Racket installation.
During initialization the module performs the following steps:
@itemlist[
@item{
It detects the major version of the OpenSSL library available through
Rackets @racketmodname[openssl] bindings.
}
@item{
If OpenSSL version 3 is detected, the module raises an error because
the required FFI bindings currently support only the OpenSSL 1.x API.
}
@item{
The module determines which native OpenSSL library must be loaded for
FFI access. This allows the implementation to bind directly to the
required cryptographic primitives.
}
@item{
Platform-specific loading of the native OpenSSL library is performed
at runtime.
}
]
The implementation has been tested on the following platforms:
@itemlist[
@item{Windows}
@item{Linux}
]
Other platforms may work provided that a compatible OpenSSL library is
available through Racket.
@section{Data Structures}
@defstruct[self-signed-cert ([private-key string?]
[certificate string?])]{
Represents a generated self-signed certificate together with its
private key.
Both fields contain PEM encoded text.
@itemlist[
@item{@racket[private-key] the RSA private key in PEM format.}
@item{@racket[certificate] the X.509 certificate in PEM format.}
]
Instances of this structure are returned by
@racket[generate-self-signed-cert].
}
@defproc[(self-signed-cert? [v any/c]) boolean?]{
Returns @racket[#t] if @racket[v] is a
@racket[self-signed-cert] structure.
}
@section{Accessors}
@defproc[(private-key [ssc self-signed-cert?]) string?]{
Returns the private key stored in @racket[ssc].
The value is a PEM encoded RSA private key suitable for use with
TLS libraries or for writing to disk.
}
@defproc[(certificate [ssc self-signed-cert?]) string?]{
Returns the X.509 certificate stored in @racket[ssc].
The value is a PEM encoded certificate.
}
@defthing[x509-cert (-> self-signed-cert? string?)]{
Alias for @racket[certificate].
This name is provided for situations where the API user prefers the
term “X.509 certificate”.
}
@section{Certificate Generation}
@defproc[(generate-self-signed-cert
[bits integer?]
[duration-in-days integer?]
[hosts (or/c is-ip? is-dns? list-of-hosts?)]
[country string?]
[company string?])
self-signed-cert?]{
Generates a new self-signed RSA certificate and private key.
The implementation uses the OpenSSL functionality provided through
Rackets @racketmodname[openssl] library.
@subsection{Arguments}
@itemlist[
@item{@racket[bits] size of the RSA key in bits (for example
@racket[2048] or @racket[4096]).}
@item{@racket[duration-in-days] number of days for which the
certificate remains valid.}
@item{@racket[hosts] a host name, IP address, or a list of such
values. These values are written into the certificates
@italic{Subject Alternative Name} extension.}
@item{@racket[country] value for the certificate subjects
@tt{C} (country) attribute.}
@item{@racket[company] value for the certificate subjects
@tt{O} (organization) attribute.}
]
The first host in the list is used as the certificates
Common Name (CN).
@subsection{Result}
Returns a @racket[self-signed-cert] structure containing:
@itemlist[
@item{the private RSA key}
@item{the corresponding self-signed X.509 certificate}
]
Both values are returned as PEM encoded strings.
@subsection{Example}
@#reader scribble/comment-reader
[racketblock
(define cert
(generate-self-signed-cert
2048
365
'("localhost" "127.0.0.1")
"NL"
"Example Company"))
(private-key cert)
(certificate cert)
]
The returned values can be written to files or supplied directly
to TLS-enabled servers.
}
@section{Notes}
@itemlist[
@item{
This module relies on the OpenSSL library distributed with Racket and
accessed through the @racketmodname[openssl] package.
}
@item{
Certificates are generated entirely in memory and returned as PEM
strings.
}
@item{
The Subject Alternative Name (SAN) extension is automatically populated
from the provided host names and IP addresses.
}
]
Reference in New Issue View Git Blame Copy Permalink