Module `X509.Authenticator`

Authenticators of certificate chains

Authenticators

type a = ?host:host -> t list -> Validation.result

An authenticator a is a function type which takes a hostname and a certificate stack to an authentication decision Validation.result.

val chain_of_trust : ?time:Ptime.t -> ?crls:CRL.c list -> t list -> a

chain_of_trust ?time trust_anchors is authenticator, which uses the given time and list of trust_anchors to verify the certificate chain. This is an implementation of the algorithm described in RFC 5280, using Validation.verify_chain_of_trust. The given trust anchors are not checked to be valid trust anchors any further (you have to do this manually with Validation.valid_ca or Validation.valid_cas)!

val server_key_fingerprint : 
  ?time:Ptime.t ->
  hash:Nocrypto.Hash.hash ->
  fingerprints:(string * Cstruct.t) list ->
  a

server_key_fingerprint ~time hash fingerprints is an authenticator which uses the given time and list of fingerprints to verify that the fingerprint of the first element of the certificate chain matches the given fingerprint, using Validation.trust_key_fingerprint.

val server_cert_fingerprint : 
  ?time:Ptime.t ->
  hash:Nocrypto.Hash.hash ->
  fingerprints:(string * Cstruct.t) list ->
  a

server_cert_fingerprint ~time hash fingerprints is an authenticator which uses the given time and list of fingerprints to verify the first element of the certificate chain, using Validation.trust_cert_fingerprint.

deprecated
"Pin public keys, not certificates (use server_key_fingerprint instead)."

val null : a

null is authenticator, which always returns `Ok. (Useful for testing purposes only.)

val a_of_sexp : Sexplib.Sexp.t -> a

a_of_sexp sexp is authenticator, the unmarshalled sexp. Note: only null is supported.

val sexp_of_a : a -> Sexplib.Sexp.t

sexp_of_a authenticator is sexp, the marshalled authenticator. Note: always emits null.

package x509

Module X509.Authenticator

Authenticators

Module `X509.Authenticator`