package x509

  1. Overview
  2. Docs

Certificate chain authenticators

type t = ?host:Certificate.host -> Certificate.t list -> Validation.r

An authenticator a is a function type which takes a hostname and a certificate stack to an authentication decision Validation.r.

val chain_of_trust : ?time:Ptime.t -> ?crls:CRL.t list -> Certificate.t list -> t

chain_of_trust ?time trust_anchors is authenticator, which uses the given time and list of trust_anchors to verify the certificate chain. This is an implementation of the algorithm described in RFC 5280, using Validation.verify_chain_of_trust. The given trust anchors are not checked to be valid trust anchors any further (you have to do this manually with Validation.valid_ca or Validation.valid_cas)!

val server_key_fingerprint : ?time:Ptime.t -> hash:Nocrypto.Hash.hash -> fingerprints:('a Domain_name.t * Cstruct.t) list -> t

server_key_fingerprint ~time hash fingerprints is an authenticator that uses the given time and list of fingerprints to verify that the fingerprint of the first element of the certificate chain matches the given fingerprint, using Validation.trust_key_fingerprint.

val server_cert_fingerprint : ?time:Ptime.t -> hash:Nocrypto.Hash.hash -> fingerprints:('a Domain_name.t * Cstruct.t) list -> t

server_cert_fingerprint ~time hash fingerprints is an authenticator that uses the given time and list of fingerprints to verify the first element of the certificate chain, using Validation.trust_cert_fingerprint.

  • deprecated Pin public keys (use server_key_fingerprint) instead of certificates.
val null : t

null is authenticator, which always returns Ok (). (Useful for testing purposes only.)

OCaml

Innovation. Community. Security.