Legend:
Library
Module
Module type
Parameter
Class
Class type
Library
Module
Module type
Parameter
Class
Class type
Certificate chain authenticators
type t =
?ip:Ipaddr.t ->
host:[ `host ] Domain_name.t option ->
Certificate.t list ->
Validation.r
An authenticator t
is a function type which takes optionally an IP address, a hostname and a certificate stack to an authentication decision Validation.r
. If ip
is specified, it needs to be present in the SubjectAlternativeName extension of the server certificate.
val chain_of_trust :
time:(unit -> Ptime.t option) ->
?crls:CRL.t list ->
?allowed_hashes:Mirage_crypto.Hash.hash list ->
Certificate.t list ->
t
chain_of_trust ~time ~crls ~allowed_hashes trust_anchors
is authenticator
, which uses the given time
and list of trust_anchors
to verify the certificate chain. All signatures must use a hash algorithm specified in allowed_hashes
, defaults to SHA-2. Signatures on revocation lists crls
must also use a hash algorithm in allowed_hashes
. This is an implementation of the algorithm described in RFC 5280, using Validation.verify_chain_of_trust
. The given trust anchors are not validated, you can filter them with Validation.valid_cas
if desired.
val server_key_fingerprint :
time:(unit -> Ptime.t option) ->
hash:Mirage_crypto.Hash.hash ->
fingerprint:Cstruct.t ->
t
server_key_fingerprint ~time hash fingerprint
is an authenticator
that uses the given time
and fingerprint
to verify that the fingerprint of the first element of the certificate chain matches the given fingerprint, using Validation.trust_key_fingerprint
.
val server_cert_fingerprint :
time:(unit -> Ptime.t option) ->
hash:Mirage_crypto.Hash.hash ->
fingerprint:Cstruct.t ->
t
server_cert_fingerprint ~time hash fingerprint
is an authenticator
that uses the given time
and fingerprint
to verify the first element of the certificate chain, using Validation.trust_cert_fingerprint
. Note that public key pinning has advantages over certificate pinning.