package x509

Certificate chain authenticators

type t = ?ip:Ipaddr.t -> host:[ `host ] Domain_name.t option -> Certificate.t list -> Validation.r

An authenticator t is a function which takes an optional IP address, an optional hostname and a certificate chain (the server certificate first) and returns an authentication decision Validation.r. If ip is specified, it must be present in the SubjectAlternativeName extension of the server certificate.

val chain_of_trust : time:(unit -> Ptime.t option) -> ?crls:CRL.t list -> ?allowed_hashes:Mirage_crypto.Hash.hash list -> Certificate.t list -> t

chain_of_trust ~time ~crls ~allowed_hashes trust_anchors is an authenticator which uses the given time and the list of trust_anchors to verify the certificate chain. All signatures must use a hash algorithm listed in allowed_hashes, which defaults to the SHA-2 family. Signatures on the revocation lists crls must also use a hash algorithm in allowed_hashes. This is an implementation of the algorithm described in RFC 5280, using Validation.verify_chain_of_trust. The given trust anchors are not validated; you can filter them with Validation.valid_cas if desired.

val server_key_fingerprint : time:(unit -> Ptime.t option) -> hash:Mirage_crypto.Hash.hash -> fingerprint:Cstruct.t -> t

server_key_fingerprint ~time ~hash ~fingerprint is an authenticator that uses the given time and fingerprint to verify that the hash of the public key of the first element of the certificate chain matches the given fingerprint, using Validation.trust_key_fingerprint.

val server_cert_fingerprint : time:(unit -> Ptime.t option) -> hash:Mirage_crypto.Hash.hash -> fingerprint:Cstruct.t -> t

server_cert_fingerprint ~time ~hash ~fingerprint is an authenticator that uses the given time and fingerprint to verify that the hash of the first element of the certificate chain matches the given fingerprint, using Validation.trust_cert_fingerprint. Note that public key pinning has advantages over certificate pinning: a renewed certificate for the same key keeps validating.
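An added example (not part of the library's documentation) wiring the pieces above together: it loads a CA bundle, filters it with Validation.valid_cas, builds a chain_of_trust authenticator with a real clock, and checks a server chain against a hostname. It assumes the x509, ptime.clock.os and domain-name libraries are available; the file paths and hostname are placeholders.

```ocaml
(* Read a whole file into a Cstruct.t (assumed helper, not from x509). *)
let read_file path =
  let ic = open_in_bin path in
  let s = really_input_string ic (in_channel_length ic) in
  close_in ic;
  Cstruct.of_string s

let ( let* ) = Result.bind

(* Verify the PEM-encoded chain in [chain_path] (server certificate first)
   against the trust anchors in [ca_path] for [hostname]. *)
let authenticate ~ca_path ~chain_path ~hostname =
  let* anchors = X509.Certificate.decode_pem_multiple (read_file ca_path) in
  let now = Ptime_clock.now () in
  (* chain_of_trust does not validate anchors itself: drop expired or non-CA ones. *)
  let anchors = X509.Validation.valid_cas ~time:now anchors in
  (* The authenticator asks for the time on every call, not only at construction. *)
  let time () = Some (Ptime_clock.now ()) in
  let authenticator = X509.Authenticator.chain_of_trust ~time anchors in
  let* chain = X509.Certificate.decode_pem_multiple (read_file chain_path) in
  let host = Domain_name.(host_exn (of_string_exn hostname)) in
  (* No ~ip here; passing ~ip would additionally require it in the SAN. *)
  match authenticator ~host:(Some host) chain with
  | Ok (Some (validated_chain, anchor)) ->
    Ok (List.length validated_chain, X509.Certificate.subject anchor)
  | Ok None ->
    Error (`Msg "authenticator accepted the connection without a validated chain")
  | Error err ->
    Error (`Msg (Format.asprintf "%a" X509.Validation.pp_validation_error err))

let () =
  match
    authenticate ~ca_path:"/path/to/ca-bundle.pem"        (* placeholder *)
      ~chain_path:"/path/to/server-chain.pem"              (* placeholder *)
      ~hostname:"server.example"                           (* placeholder *)
  with
  | Ok (len, anchor_dn) ->
    Format.printf "valid chain of %d certificate(s), anchored at %a@."
      len X509.Distinguished_name.pp anchor_dn
  | Error (`Msg m) -> Format.printf "rejected: %s@." m
```

Hostname and anchor filtering are the two checks most often skipped in practice; both are explicit above so that an unrelated valid chain or an expired anchor is rejected rather than silently accepted.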
