Module X509.Authenticator

module Authenticator: sig .. end

Authenticators of certificate chains


Authenticators

type a = ?host:X509.host -> X509.t list -> X509.Validation.result 

An authenticator a is a function type that maps an optional hostname and a certificate chain (the server certificate first) to an authentication decision X509.Validation.result.

val chain_of_trust : ?time:Ptime.t -> ?crls:X509.CRL.c list -> X509.t list -> a

chain_of_trust ?time ?crls trust_anchors is an authenticator which uses the given time, the optional certificate revocation lists crls, and the list of trust_anchors to verify the certificate chain. This is an implementation of the algorithm described in RFC 5280, using X509.Validation.verify_chain_of_trust. The given trust anchors are not checked to be valid trust anchors any further (you have to do this manually with X509.Validation.valid_ca or X509.Validation.valid_cas)!

val server_key_fingerprint : ?time:Ptime.t -> hash:Nocrypto.Hash.hash -> fingerprints:(string * Cstruct.t) list -> a

server_key_fingerprint ?time ~hash ~fingerprints is an authenticator which uses the given time and list of fingerprints to verify that the fingerprint (computed with hash) of the public key of the first element of the certificate chain matches the given fingerprint, using X509.Validation.trust_key_fingerprint.
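The following is an added example for the chain_of_trust and server_key_fingerprint entries above; it is not code from the X509 library. It assumes X509.Encoding.Pem.Certificate.of_pem_cstruct for loading PEM bundles, X509.common_name_to_string and X509.Validation.validation_error_to_string for messages, Ptime_clock.now for the current time, the host type constructor `Strict, and that the string in each fingerprints pair is the host name the pin applies to. The file paths and the pin value are placeholders.

```ocaml
(* Added example, not part of the X509 library.  Assumed names (not on the
   documentation page): X509.Encoding.Pem.Certificate.of_pem_cstruct,
   X509.common_name_to_string, X509.Validation.validation_error_to_string,
   Ptime_clock.now, and the `Strict host constructor. *)

(* Read a whole file into a Cstruct.t. *)
let read_file path =
  let ic = open_in_bin path in
  let s = really_input_string ic (in_channel_length ic) in
  close_in ic;
  Cstruct.of_string s

(* Decode "aa:bb:..." or "aabb..." into a Cstruct.t so a fingerprint can be
   pasted in the form most tools print it. *)
let cstruct_of_hex hex =
  let hex = String.concat "" (String.split_on_char ':' hex) in
  let n = String.length hex / 2 in
  let buf = Cstruct.create n in
  for i = 0 to n - 1 do
    Cstruct.set_uint8 buf i (int_of_string ("0x" ^ String.sub hex (2 * i) 2))
  done;
  buf

(* 1. PKI-style authenticator: trust anchors from a PEM bundle.  The
   candidates go through valid_cas first, as the documentation requires,
   because chain_of_trust trusts whatever list it is given. *)
let pki_authenticator ~time bundle_path =
  let candidates =
    X509.Encoding.Pem.Certificate.of_pem_cstruct (read_file bundle_path) in
  match X509.Validation.valid_cas ~time candidates with
  | [] -> failwith ("no usable trust anchors in " ^ bundle_path)
  | anchors -> X509.Authenticator.chain_of_trust ~time anchors

(* 2. Pinning authenticator: only the SHA-256 fingerprint of the server's
   public key is checked; the rest of the chain is irrelevant.  Pinning the
   key rather than the certificate lets the server renew its certificate
   without breaking the pin, which is why server_cert_fingerprint is
   deprecated. *)
let pinning_authenticator ~time =
  let fingerprints = [
    (* constructed placeholder value: replace with the real pin *)
    "example.com",
    cstruct_of_hex
      "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:\
       00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff";
  ] in
  X509.Authenticator.server_key_fingerprint ~time ~hash:`SHA256 ~fingerprints

(* Shared result handling: an authenticator is just a function, so both
   kinds are applied the same way.  The chain is expected leaf first. *)
let accept ~host (auth : X509.Authenticator.a) (chain : X509.t list) =
  match auth ~host chain with
  | `Ok (Some anchor) ->
    Printf.printf "accepted; trust anchor: %s\n"
      (X509.common_name_to_string anchor);
    true
  | `Ok None ->
    print_endline "accepted (no trust anchor, e.g. fingerprint match)";
    true
  | `Fail err ->
    Printf.printf "rejected: %s\n"
      (X509.Validation.validation_error_to_string err);
    false

let () =
  let time = Ptime_clock.now () in
  let host = `Strict "example.com" in
  (* the chain a TLS client received from its peer, leaf first *)
  let chain =
    X509.Encoding.Pem.Certificate.of_pem_cstruct (read_file "peer-chain.pem") in
  let by_pki = accept ~host (pki_authenticator ~time "ca-bundle.pem") chain in
  let by_pin = accept ~host (pinning_authenticator ~time) chain in
  (* require both decisions when the pin is used as extra hardening on top
     of normal chain validation *)
  if not (by_pki && by_pin) then exit 1
```

Both authenticators have the same type a, so the code that consumes the decision does not care which policy produced it; the difference is only in what is trusted up front (a list of CAs versus a single public key per host), and a `Ok None result is what a fingerprint match looks like, since no trust anchor is involved.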

val server_cert_fingerprint : ?time:Ptime.t -> hash:Nocrypto.Hash.hash -> fingerprints:(string * Cstruct.t) list -> a

Deprecated: "Pin public keys, not certificates (use X509.Authenticator.server_key_fingerprint instead)."

server_cert_fingerprint ?time ~hash ~fingerprints is an authenticator which uses the given time and list of fingerprints to verify the first element of the certificate chain, using X509.Validation.trust_cert_fingerprint.

val null : a

null is an authenticator which always returns `Ok without inspecting the chain. (Useful for testing purposes only.)

val a_of_sexp : Sexplib.Sexp.t -> a

a_of_sexp sexp is the authenticator unmarshalled from sexp. Note: only X509.Authenticator.null is supported.

val sexp_of_a : a -> Sexplib.Sexp.t

sexp_of_a authenticator is the sexp marshalled from authenticator. Note: always emits X509.Authenticator.null.