X509.Authenticator
Certificate chain authenticators
type t =
?ip:Ipaddr.t ->
host:[ `host ] Domain_name.t option ->
Certificate.t list ->
Validation.r
An authenticator t
is a function type which takes optionally an IP address, a hostname and a certificate stack to an authentication decision Validation.r
. If ip
is specified, it needs to be present in the SubjectAlternativeName extension of the server certificate.
val chain_of_trust :
time:(unit -> Ptime.t option) ->
?crls:CRL.t list ->
?allowed_hashes:Digestif.hash' list ->
Certificate.t list ->
t
chain_of_trust ~time ~crls ~allowed_hashes trust_anchors
is authenticator
, which uses the given time
and list of trust_anchors
to verify the certificate chain. All signatures must use a hash algorithm specified in allowed_hashes
, defaults to SHA-2. Signatures on revocation lists crls
must also use a hash algorithm in allowed_hashes
. This is an implementation of the algorithm described in RFC 5280, using Validation.verify_chain_of_trust
. The given trust anchors are not validated, you can filter them with Validation.valid_cas
if desired.
val key_fingerprint :
time:(unit -> Ptime.t option) ->
hash:Digestif.hash' ->
fingerprint:string ->
t
key_fingerprint ~time hash fingerprint
is an authenticator
that uses the given time
and fingerprint
to verify that the fingerprint of the first element of the certificate chain matches the given fingerprint, using Validation.trust_key_fingerprint
.
val cert_fingerprint :
time:(unit -> Ptime.t option) ->
hash:Digestif.hash' ->
fingerprint:string ->
t
cert_fingerprint ~time hash fingerprint
is an authenticator
that uses the given time
and fingerprint
to verify the first element of the certificate chain, using Validation.trust_cert_fingerprint
. Note that public key pinning has advantages over certificate pinning.
val of_string :
string ->
((unit -> Ptime.t option) -> t, [> `Msg of string ]) Stdlib.result
of_string str
tries to parse the given str
to an Authenticator.t
. The format of it is:
none
no authentication,key-fp(:<hash>?):<base64-encoded fingerprint>
to authenticate a peer via its key fingerprint (hash is optional and defaults to SHA256),cert-fp(:<hash>?):<base64-encoded fingerprint>
to authenticate a peer via its certificate fingerprint (hash is optional and defaults to SHA256),trust-anchor(:<base64-encoded DER certificate>)+
to authenticate a peer from a list of certificates (certificate must be in PEM format without header and footer (----BEGIN CERTIFICATE-----) and without newlines).If decoding is successful, the returned value expects a function which outputs the current timestamp (unit -> Ptime.t option
) and is then an authenticator. If decoding fails, and error is returned.