package x509

You can search for identifiers within the package.

in-package search v0.2.0

Public Key Infrastructure (RFC 5280, PKCS) purely in OCaml

Install

sha256=237c2a5e6d7490f5d14510188c6f47b257e6368d91516580931c7994d3108e12

sha512=b8cabf3b0a6d4f6e6c6b22e401207fe12666d01a266132c0929453c11bbd6a82d4726b809ef8c3a5b47cb8da54e8e74942e33872a6e09df01ea35f4c868b238b

major restructuring, it is unlikely any pre-0.7.0 users will work with 0.7.0+
remove sexp de&encoders
provide pretty-printers for validation errors (and types) instead of to_string functions
use result type and Rresult instead of custom result types and control monad
use a GADT map for certificate & csr extensions, distinguished names, general names (avoiding multiple extensions with the same OID, uses the gmap library)
use domain-name library for hostname validation (instead of custom string matching)
use ipaddr library for IPs in SubjectAlternativeName extension
remove Encoding module, provide {en,de}code_{der,pem} in the respective modules (which decoders return (_, [> `Msg of string ]) result, no exceptions raised)
fix DistributionPoint extension: the CRLissuer is a GeneralName, not a DistinguishedName
remove Extension.reason_code (Extension.reason was there before, and is now used)
remove bindings from toplevel, t is now Certificate.t, public_key is now Public_key.t
use alcotest instead of oUnit

provide X509.Encoding.distinguished_name_of_cs -- similar to #87 which provided distinguished_name_to_cs
provide X509.Encoding.{public_key_of_cstruct,public_key_to_cstruct}, as requested by @dinosaure
support of cstruct 4.0.0, which split up the sexp de&encoders
removes result dependency (now requires >= 4.04.2)
upgrades opam file to version 2.0
build system is now dune

avoid dependency on sexplib.syntax (#55)
document how to combine extensions and a CSR into a certificate (@reynir, #63 #64)
expose fingerprint : t -> hash -> Cstruct.t, the hash of the certificate (@cfcs, #66)
trust_fingerprint / server_fingerprint are renamed to trust_cert_fingerprint / server_cert_fingerprint (now deprecated!)
fingerprint public keys (rather than certificates): trust_key_fingerprint / server_key_fingerprint
build certificate paths from the received set (RFC 4158) instead of requiring a strict chain (#74)
the given trust anchors to Authenticator.chain_of_trust are not validated (to contain KeyUsage / BasicConstraint extensions) anymore, users can use valid_ca and valid_cas to filter CAs upfront

certificate signing request support (PKCS10)
basic CA functionality (in CA module): create and sign certificate signing requests
PEM encoding of X.509 certificates, RSA public and private keys, and certificate signing requests
new module Extension contains X509v3 extensions as polymorphic variants
expose distinguished_name as polymorphic variant
type pubkey is now public_key
function cert_pubkey is now public_key
functions supports_usage, supports_extended_usage are now in Extension module
types key_usage, extended_key_usage are now in Extension module
Encoding.Pem.Cert has been renamed to Encoding.Pem.Certificate
Encoding.Pem.PK has been renamed to Encoding.Pem.Private_key (now uses type private_key instead of Nocrypto.Rsa.priv)

more detailed error messages (type certificate_failure modified)
no longer Printf.printf debug messages
error reporting: Ok of certificate option | Fail of certificate_failure
fingerprint verification can work with None as host (useful for client authentication where host is not known upfront)
API reshape: X509 is the only public module, X509.t is the abstract certificate

server_fingerprint authenticator which validates the server certificate based on a hash algorithm and (server_name * fingerprint) list instead of a set of trust anchors
whitelist CAcert certificates (which do not include mandatory X.509v3 KeyUsage extension)

expose Certificate.cert_hostnames, wildcard_matches
Certificate.verify_chain_of_trust and X509.authenticate both return now [ Ok of certificate | Fail of certificate_failure ], where [certificate] is the trust anchor