Inputs: [keystore :- KeyStore alias :- schema/Str cert :- X509Certificate]
Returns: KeyStore

Add a certificate to a keystore.  Arguments:

`keystore`: the `KeyStore` to add the certificate to
`alias`:    a String alias to associate with the certificate
`cert`:     an `X509Certificate` to add to the keystore

Alias for `assoc-certs-from-reader!` for backwards compatibility.

Inputs: [keystore :- KeyStore prefix :- schema/Str pem :- Readerable]
Returns: KeyStore

Add all certificates from a PEM file to a keystore.  Arguments:

`keystore`: the `KeyStore` to add certificates to
`prefix`:   an alias to associate with the certificates. each
            certificate will have a numeric index appended to
            its alias, starting with '-0'
`pem`:      the path to a PEM file containing the certificate
            (or some other object supported by clojure's `reader`)

Inputs: [keystore :- KeyStore alias :- schema/Str private-key :- PrivateKey pw :- schema/Str certs :- (schema/maybe (schema/cond-pre [X509Certificate] X509Certificate))]
Returns: KeyStore

Add a private key to a keystore.  Arguments:

`keystore`:    the `KeyStore` to add the private key to
`alias`:       a String alias to associate with the private key
`private-key`: the `PrivateKey` to add to the keystore
`pw`:          a password to use to protect the key in the keystore
`certs`:       the `X509Certificate` or a list of `X509Certificate`s for the
               private key; a private key cannot be added to a keystore
               without at least one signed certificate.

Alias for `assoc-private-key-from-reader!` for backwards compatibility.

Inputs: [keystore :- KeyStore alias :- schema/Str pem-private-key :- Readerable pw :- schema/Str pem-cert :- Readerable]
Returns: KeyStore

Add a private key to a keystore.  Arguments:

`keystore`:        the `KeyStore` to add the private key to
`alias`:           a String alias to associate with the private key
`pem-private-key`: the path to a PEM file containing the private key to add to
                   the keystore (or some other object supported by clojure's `reader`)
`pw`:              a password to use to protect the key in the keystore
`pem-cert`:        the path to a PEM file (or some other object supported by clojure's `reader`)
                   containing the certificate for the private key; a private key cannot be added
                   to a keystore without a signed certificate.

AuthorityKeyIdentifier OID 2.5.29.35

Inputs: ([cert] [public-key critical] [issuer-dn serial critical] [public-key :- PublicKey issuer-dn :- ValidX500Name serial :- schema/Int critical :- Object])
Returns: SSLExtension

Create an `Authority Key Identifier` extension from a `PublicKey` object or
 copy the existing `SubjectKeyIdentifier` from a certificate. This function is
 intended to be passed into `sign-certificate` and `generate-certificate-request`.

 PublicKey details:
 A type 1 identifier will be computed from the public key.

 Certificate details:
 An `X509Certificate` can be used instead of a `PublicKey`. The
 `SubjectKeyIdentifier`of the certificate is copied and used for the
 `AuthorityKeyIdentifier` for the certificate about to be signed. When a
 certificate is used, no hash computation takes place.

Inputs: ([] [max-path-len :- schema/Int])
Returns: SSLExtension

Create a `Basic Constraints` extension for a CA certificate.  `max-path-len`
refers to the maximum number of non-self-issued intermediate certificates that
may follow the CA certificate in a valid certification path.  If `max-path-len`
is not specified, no limit will be imposed.

Inputs: [critical :- Object]
Returns: SSLExtension

Create a `Basic Constraints` extension for a non-CA certificate.

Inputs: [ca-cert :- Readerable crls :- Readerable]
Returns: SSLContext

Given a pem for a CA certificate and one or more CRLs, creates an in-memory
SSLContext initialized with a TrustStore generated from the input CA cert
and enabled for revocation checking against the CRLs.

`ca-cert` must be an object suitable for use with clojure's `reader` and
reference a PEM that contains the CA cert.

`crls` must be an object suitable for use with clojure's `reader` and
reference a PEM that contains one or more CRLs.

Returns the SSLContext instance.

Inputs: [ca-cert :- Readerable]
Returns: SSLContext

Given a pem for a CA certificate, creates an in-memory SSLContext initialized
with a TrustStore generated from the input CA cert.

`ca-cert` must be an object suitable for use with clojure's `reader`, and
reference a PEM that contains the CA cert.

Returns the SSLContext instance.

Inputs: [cert :- X509Certificate pem :- Writerable]

Encodes a certificate to PEM format, and writes it to a file (or other stream).
 Arguments:

 `cert`: the `X509Certificate` to encode and write
 `pem`: the file path to write the PEM output to
        (or some other object supported by clojure's `writer`)

Returns true if the given data structure is a list that contains
certificates.

Returns true if x is an instance of `PKCS10CertificationRequest` (see `generate-certificate-request`).

Returns true if x is an instance of `X509CRL` (see `generate-crl`).

Returns true if x is an instance of `X509Certificate` (see `sign-certificate-request`).

Convert a Java data structure returned from a Java utility method into a
Clojure data structure.

Inputs: [common-name :- schema/Str]
Returns: ValidX500Name

Given a common name, generate an X.500 RDN from it

Inputs: ([issuer-public-key :- (schema/pred public-key?) ca-public-key :- (schema/pred public-key?)] [ca-name :- (schema/pred valid-x500-name?) ca-serial :- (schema/pred number?) ca-public-key :- (schema/pred public-key?)])
Returns: (schema/pred extension-list?)

Create a list of extensions to be added to the CA certificate.

Inputs: [crl :- X509CRL pem :- Writerable]

Encodes a CRL to PEM format, and writes it to a file (or other stream).
 Arguments:

 `crl`: the `X509CRL` to encode
 `pem`: the file path to write the PEM output to
        (or some other object supported by clojure's `writer`)

Inputs: [crl :- X509CRL cert :- X509Certificate]
Returns: schema/Bool

Given a CRL and a certificate, determine whether the CRL was issued by the
certificate.

Inputs: [number :- schema/Int]
Returns: SSLExtension

Create a `CRL Number` extension

CRLNumber OID 2.5.29.20

The default key length to use when generating a keypair.

Inputs: [base-crl-number :- BigInteger]
Returns: SSLExtension

Create a `Delta CRL Indicator` extension.

DeltaCRLIndicator OID 2.5.29.27

Inputs: [crl :- X509CRL]
Returns: schema/Bool

Inputs: [rdns :- (schema/pred (fn* [p1__4820#] (and (sequential? p1__4820#) (even? (count p1__4820#)) (not-empty p1__4820#))))]
Returns: ValidX500Name

Given a sequence of attribute names and value pairs, generate an X.500 DN
string. For example, [:cn "common" :o "org"] would return
"CN=common,O=org"

Inputs: [oid-list :- [schema/Str] critical :- Object]
Returns: SSLExtension

Create an `Extended Key Usages` extensions from a list of OIDs.

Returns true if the given data structure is a list that contains extensions.

Returns true if the given map contains all the fields required to define an
extension.

A schema for all the things that can hold an SSL extension.

Inputs: [c :- CertOrCSR digest :- schema/Str]
Returns: schema/Str

Given a certificate or CSR, hash the object using the digest algorithm and
 return it as a hex string. The digest algorithm is expected to be one of
 SHA-1, SHA-256, or SHA-512.

Inputs: ([keypair subject-dn] [keypair :- KeyPair subject-dn :- ValidX500Name extensions :- SSLExtensionList])
Returns: PKCS10CertificationRequest

Given the subject's keypair and name, create and return a certificate signing request (CSR).
Arguments:

`keypair`:      subject's public & private keys
`subject-name`: subject's X500 distinguished name
`extensions`: an optional collection of `Extension` objects to add to the certificate request

See `sign-certificate-request`, `obj->pem!`, and `pem->csr` to sign & read/write CSRs.

Inputs: ([issuer :- X500Principal issuer-private-key :- PrivateKey issuer-public-key :- PublicKey] [issuer :- X500Principal issuer-private-key :- PrivateKey issuer-public-key :- PublicKey this-update :- Date next-update :- Date crl-number :- BigInteger extensions :- SSLExtensionList])
Returns: X509CRL

Given the certificate authority's principal identifier and private & public
 keys, create and return a `X509CRL` certificate revocation list (CRL).
 The CRL will have an AuthorityKeyIdentifier and CRLNumber extensions. Typical
 usage of this will be with the 3 argument arity; the fuller arity is exposed
 here for testing purposes.

 Arguments:
 `issuer`:             the issuer's `X500Principal`
 `issuer-private-key`: the issuer's `PrivateKey`
 `issuer-public-key`:  the issuer's `PublicKey`
 `this-update`:        date for when this crl is created
 `next-update`:        when to fetch the rcl next
 `crl-number`:         number to start revocation count at
 `extensions`:         any extensions to sign onto the crl

Inputs: ([] [key-length :- schema/Int])
Returns: KeyPair

Given a key length (defaults to 4096), generate a new public & private key pair.

Inputs: [options :- SSLContextOptions]
Returns: (schema/maybe SSLContext)

Given a map of options, extracts the SSL Options and attempts to create an SSLContext.

 This function grabs five keys from a map, all of which are optional: :ssl-context, :ssl-key,
 :ssl-ca-cert, :ssl-cert, and :ssl-ca-crl. The value stored at :ssl-context, if present, should
 be an instance of an SSLContext object. The other keys should be objects suitable for use with
 clojure's `reader` and reference PEMs that contain the proper cert/key/crl list.

 If the :ssl-context key is present, returns the value stored at that key.

 Otherwise, if the :ssl-cert, :ssl-key, and :ssl-ca-cert keys are all present, returns an
 SSLContext constructed from those pems.

 Otherwise, if the :ssl-ca-cert and :ssl-ca-crl keys are present, returns an SSLContext
 constructed from those pems.

 Otherwise, if the :ssl-ca-cert key is present, returns an SSLContext constructed from the
 ca-cert pem.

 If none of the :ssl-cert, :ssl-key, :ssl-ca-cert, :ssl-ca-crl, or :ssl-context keys are present,
 returns nil.

 If the :ssl-context and :ssl-ca-cert keys are both missing, an exception will be thrown.

Inputs: [x500-principal :- X500Principal]
Returns: schema/Str

Given an X500Principal object, retrieve the common name (CN).

Inputs: [x509-certificate :- X509Certificate]
Returns: schema/Str

Given an X509Certificate object, retrieve its common name (CN).

Inputs: [crl :- X509CRL]
Returns: (schema/maybe BigInteger)

Given a CRL, return the value of the CRL Number extension, or nil if the
extension is not present.

Inputs: [ext-container :- ExtensionContainer oid :- schema/Str]
Returns: SSLExtension

Given a X509 certificate object, CRL, CSR, or a list of extensions
returned by `get-extensions`, return a map describing the value and
criticality of the extension described by its OID.

Inputs: [ext-container :- ExtensionContainer oid :- schema/Str]
Returns: schema/Any

Given a X509 certificate object, CRL, CSR or a list of extensions returned by
`get-extensions`, return the value of an extension by its OID. If the OID
doesn't exist on the provided object, then nil is returned.

Inputs: [ext-container :- (schema/cond-pre X509Certificate PKCS10CertificationRequest X509CRL)]
Returns: SSLExtensionList

Given an object containing X509 extensions, retrieve a list of maps of all
extensions. Each map in the list contains the following keys:

`oid`      : The OID of the extension
`value`    : The value of the extensions
`critical` : True if this is a critical extensions, false if it is not.

Inputs: [{:keys [keystore keystore-pw]} :- {:keystore KeyStore, :keystore-pw schema/Str}]
Returns: KeyManagerFactory

Given a map containing a KeyStore and keystore password (e.g. as generated by
pems->key-and-trust-stores), return a KeyManagerFactory that contains the
KeyStore.

Inputs: [key-object :- KeyPair]
Returns: PrivateKey

Given an object which contains a private key, extract and return it.

Inputs: [key-object :- (schema/cond-pre KeyPair PKCS10CertificationRequest)]
Returns: PublicKey

Given an object which contains a public key, extract the public key
and return it.

Inputs: [cert :- X509Certificate]
Returns: BigInteger

Given an X509 certificate, return the serial number from it.

Inputs: [cert-or-csr :- CertOrCSR]
Returns: (schema/maybe [schema/Str])

Given a certificate or CSR, return the list of DNS alternative names on the
 Subject Alternative Names extension, or nil if the extension is not present.

Inputs: [x509-certificate :- X509Certificate]
Returns: schema/Str

Given an X509Certificate object, retrieve its subject.

Inputs: [cert-or-csr :- CertOrCSR]
Returns: (schema/maybe [schema/Str])

Given a certificate or CSR, return the list of IP alternative names on the
Subject Alternative Names extension, or nil if the extension is not present.

Inputs: [{:keys [truststore]} :- {:truststore KeyStore}]
Returns: TrustManagerFactory

Given a map containing a trust store (e.g. as generated by
pems->key-and-trust-stores), return a TrustManagerFactory that contains the
trust store.

Convert a Clojure data structure passed into a function by a user into a Java
data structure suitable for passing into a Java utility method.

Inputs: [key :- Key pem :- Writerable]

Encodes a public or private key to PEM format, and writes it to a file (or other
stream).  Arguments:

`key`: the key to encode and write; usually an instance of `PrivateKey` or `PublicKey`
`pem`: the file path to write the PEM output to (or some other object supported by clojure's `writer`)

Inputs: [flag-set :- #{Object} critical :- Object]
Returns: SSLExtension

Create a `Key Usage` extension from a set of flags to enable. See the
README.md for the keys supported.

Inputs: [key :- PublicOrPrivateKey]
Returns: schema/Int

Given a key, return the length key length that was used when generating it.

Returns true if x is a keypair (see `generate-key-pair`).

Inputs: []
Returns: KeyStore

Create an empty in-memory Java KeyStore object.

Inputs: [comment :- schema/Str]
Returns: SSLExtension

Create a `Netscape Certificate Comment` extension.

Inputs: [obj :- Object pem :- Writerable]

Encodes an object in PEM format, and writes it to a file (or other stream).  Arguments:

`obj`: the object to encode and write.  Must be of a type that can be encoded
       to PEM; usually this is limited to certain types from the `java.security`
       packages.

`pem`: the file path to write the PEM output to (or some other object supported by clojure's `writer`)

Inputs: [obj :- Object]
Returns: PrivateKey

Decodes the given object (read from a .pem via `pem->objs`) into an instance of `PrivateKey`.

Inputs: [objs :- [Object] buf :- Writerable]

Adds one or more cert related objects, PEM encoded, to the supplied writer

Inputs: [cert-chain-pem :- Readerable key-or-keypair-pem :- Readerable]
Returns: X509Certificate

Given a CA certificate chain and key pair, extract and verify the certificate
matching the key pair.

Inputs: [crl-chain :- Readerable ca-cert :- X509Certificate]
Returns: X509CRL

Given a CRL chain and CA certificate, extract the CRL issued by the
certificate

Inputs: [pem :- Readerable]
Returns: X509Certificate

Given the path to a PEM file (or some other object supported by clojure's `reader`),
decodes the contents into an `X509Certificate`.

Inputs: [pem :- Readerable]
Returns: [X509Certificate]

Given the path to a PEM file (or some other object supported by clojure's `reader`),
decodes the contents into a collection of `X509Certificate` instances.

Inputs: [pem :- Readerable]
Returns: X509CRL

Given the path to a PEM file (or some other object supported by clojure's `reader`),
 decode the contents into a `X509CRL`.

 See `crl->pem!` to PEM-encode a certificate revocation list.

Inputs: [pem :- Readerable]
Returns: [X509CRL]

Given the path to a PEM file (or some other object supported by clojure's
`reader`), decode the contents into a collection of `X509CRL` instances.

Inputs: [pem :- Readerable]
Returns: PKCS10CertificationRequest

Given the path to a PEM file (or some other object supported by clojure's `reader`),
decode the contents into a `PKCS10CertificationRequest`.

See `obj->pem!` to PEM-encode a certificate signing request.

Inputs: [pem :- Readerable]
Returns: [Object]

Given a file path (or some other object supported by clojure's `reader`), reads
PEM-encoded objects and returns a collection of objects of the corresponding
type from `java.security`.

Inputs: [pem :- Readerable]
Returns: PrivateKey

Given the path to a PEM file (or some other object supported by clojure's `reader`),
decode the contents into a `PrivateKey` instance. Throws an exception if multiple keys
are found in the PEM.
See `key->pem!` and `pem->private-keys` to write/read keys.

Inputs: [pem :- Readerable]
Returns: [PrivateKey]

Given the path to a PEM file (or some other object supported by clojure's `reader`),
decodes the contents into a collection of `PrivateKey` instances.

Inputs: [pem :- Readerable]
Returns: PublicKey

Given the path to a PEM file (or some other object supported by clojure's `reader`),
 decode the contents into a `PublicKey` instance. Throws an exception if multiple
 keys are found in the PEM.
 See `key->pem!` to write public keys.

Inputs: [cert :- Readerable private-key :- Readerable ca-cert :- Readerable]
Returns: KeyAndTrustStore

Given pems for a certificate, private key, and CA certificate, creates an
in-memory KeyStore and TrustStore.

Argument should be a map containing the keys `:cert`, `:key`, and `:ca-cert`.
Each value must be an object suitable for use with clojure's `reader`, and
reference a PEM that contains the appropriate cert/key.

Returns a map containing the following keys:

`:keystore`    - an instance of KeyStore initialized with the cert and private key
`:keystore-pw` - a string containing a dynamically generated password for the KeyStore
`:truststore`  - an instance of KeyStore containing the CA cert.

Inputs: ([cert private-key ca-cert] [cert :- Readerable private-key :- Readerable ca-cert :- Readerable crls :- (schema/maybe Readerable)])
Returns: SSLContext

Given pems for a certificate, private key, and CA certificate, creates an
in-memory SSLContext initialized with a KeyStore/TrustStore generated from
the input certs/key.  If an optional argument containing CRLs is provided,
the SSLContext is also enabled for revocation checking against the CRLs.

Each argument must be an object suitable for use with clojure's `reader`, and
reference a PEM that contains the appropriate cert/key/crl list.

Returns the SSLContext instance.

Returns true if x is a private key (see `generate-key-pair`).

Returns true if x is a public key (see `generate-key-pair`).

Inputs: [name :- schema/Str critical :- Object]
Returns: SSLExtension

Create a `Puppet Node Image Name` extension.

Inputs: [id :- schema/Str critical :- Object]
Returns: SSLExtension

Create a `Puppet Node Instance ID` extension.

Inputs: [key :- schema/Str critical :- Object]
Returns: SSLExtension

Create a `Puppet Node Preshared Key` extension.

Inputs: [uid :- schema/Str critical :- Object]
Returns: SSLExtension

Create a `Puppet Node UID` extension.

Schema for anything that can be handed off to clojure's reader function.

Inputs: [crl :- X509CRL issuer-private-key :- PrivateKey issuer-public-key :- PublicKey cert-serial :- schema/Int]
Returns: X509CRL

Given a certificate revocation list and certificate serial number,
 revoke the certificate by adding its serial number to the list and
 return the updated CRL. The issuer keys should be the same ones
 that were used when generating the CRL.

 The CRLNumber extension on the CRL will be incremented by 1,
 or the extension will be added if it doesn't already exist.

 The AuthorityKeyIdentifier extension will be added to the CRL
 if it doesn't already exist.

Inputs: [crl :- X509CRL issuer-private-key :- PrivateKey issuer-public-key :- PublicKey cert-serials :- [schema/Int]]
Returns: X509CRL

Given a certificate revocation list and a list of certificate
 serial numbers, revoke the certificates by adding their serial
 numbers to the list and returning the updated CRL. The issuer
 keys should be the same ones that were used when generating
 the CRL.

 The CRLNumber extension on the CRL will be incremented by 1,
 or the extension will be added if it doesn't already exist.

 The AuthorityKeyIdentifier extension will be added to the CRL
 if it doesn't already exist.

Inputs: [crl :- X509CRL certificate :- X509Certificate]
Returns: schema/Bool

Given a certificate revocation list and certificate, test if the
 certificate has been revoked.

 Note that if the certificate and CRL have different issuers, false
 will be returned even if the certificate's serial number is on the
 CRL (i.e. previously revoked).

Inputs: ([issuer-dn issuer-priv-key serial not-before not-after subject-dn subject-pub-key] [issuer-dn :- ValidX500Name issuer-priv-key :- PrivateKey serial :- schema/Int not-before :- Date not-after :- Date subject-dn :- ValidX500Name subject-pub-key :- PublicKey extensions :- SSLExtensionList])
Returns: X509Certificate

Given a subject, certificate authority information and other certificate info,
return a signed  `X509Certificate` object.

Arguments:

`issuer-dn`:          a string containing the issuer's DN.
`issuer-priv-key`:    the issuer's private key.
`serial`:             an arbitrary serial number integer.
`not-before`:         the certificate's 'not before' date.
`not-after`:          the certificate's 'not after' date.
`subject-dn`:         the subject's DN
`subject-pub-key`:    the subject's public key
`extensions`:         an optional list of X509 extensions, each of which is
                      a map with an `oid`, `value` and `critical` flag. The
                      value format is dependent upon the oid.

Inputs: [csr :- PKCS10CertificationRequest]
Returns: schema/Bool

Does the given CSR have a valid signature on it?  i.e., was it signed by the
private key corresponding to the public key included in the CSR?

Schema for the options map that generate-ssl-context requires.

A map containing all the fields required to define an extension. This is not
the actual SSL Extension itself but the required oid, critical boolean, and
value for the Extension. Use the optional :options to to modify how the
extension is created in ExtensionsUtils.

SubjectAlternativeName OID 2.5.29.17

Inputs: [alt-names-hashmap :- #:schema{Keyword [schema/Str]} critical :- Object]
Returns: SSLExtension

Create a Subject Alternative Names extensions (OID=2.5.29.17) which contains
a list of DNS and/maybe IP names as alternative names. The `critical` argument sets the
criticality flag of this extension.

Inputs: [alt-names-list :- [schema/Str] critical :- Object]
Returns: SSLExtension

Create a Subject Alternative Names extensions (OID=2.5.29.17) which contains
a list of DNS names as alternative names. The `critical` argument sets the
criticality flag of this extension.

Inputs: [public-key :- PublicKey critical :- Object]
Returns: SSLExtension

Create a `Subject Key Identifier` extension from a `PublicKey` object. The
extension created by this function is intended to be passed into
`sign-certificate` and `generate-certificate-request`, at which time the key's
hash will be computed and stored in the resulting object.

SubjectKeyIdentifier OID 2.5.29.14

Inputs: [parent-oid :- schema/Str oid :- schema/Str]
Returns: schema/Bool

Given an OID and a a parent tree OID return true if the OID is within
the subtree of the parent OID.

Returns true if x is a valid X500 name string.

Inputs: [cert-chain :- [X509Certificate] crl-chain :- [X509CRL]]

Given a list of certificates and a list of CRLs, validate the certificate
 chain, i.e. ensure that none of the certs have been revoked by checking the
 appropriate CRL, which must be present and currently valid.
 Returns nil if successful.

Schema for anything that can be handed off to clojure's writer function.

Inputs: [x500-name :- ValidX500Name]
Returns: schema/Str

Given an X500 name, return the common name from it.

Returns true if x is an instance of 'X500Principal'.

Returns true if the given object contains X509 extensions, this generally
refers to `X509Certificate` and `X509CRL` objects.