upstream: github.com/mirage/ca-certs

No cstruct (#32)

* remove cstruct
* Add a constraint about x509
* Lose support for 4.11 and 4.12 (due to x509) on our CI
* win: ignore bad certificates (i.e. serial < 0)
* add ohex dependency

---------

Co-authored-by: Hannes Mehnert <hannes@mehnert.org>

authored by

Calascibetta Romain
Hannes Mehnert
and committed by
GitHub
193cd2d1 9e7b6f39

+40 -36
+1 -1
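--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,7 +9,7 @@
 fail-fast: false
 matrix:
 os: [macos-latest, ubuntu-latest, windows-latest]
-ocaml-compiler: ["4.14", "4.13", "4.12", "4.11"]
+ocaml-compiler: ["4.14", "4.13"]
 exclude:
 - os: macos-latest
 ocaml-compiler: "4.11"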
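Review bot: The `exclude` entry kept as context right after the changed line still names `ocaml-compiler: "4.11"` for `macos-latest`, a version the matrix no longer contains, so it now matches nothing and should be dropped. The `exclude` list continues past the end of this hunk, so any further entries for 4.11 or 4.12 there would be stale too. Relatedly, `ca-certs.opam` and `dune-project` keep `ocaml >= 4.08.0` while CI now covers only 4.13 and 4.14; if the new x509 bound really rules out older compilers, raising that lower bound would make the package metadata match what is tested.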
+1 -1
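--- a/.ocamlformat
+++ b/.ocamlformat
@@ -1,2 +1,2 @@
-version = 0.25.1
+version = 0.26.2
 profile=conventional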
+4 -2
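--- a/ca-certs.opam
+++ b/ca-certs.opam
@@ -20,9 +20,11 @@
 "fpath"
 "ptime"
 "logs"
-"mirage-crypto" {< "1.0.0"}
-"x509" {>= "0.13.0" & < "1.0.0"}
+"digestif" {>= "1.2.0"}
+"mirage-crypto" {>= "1.0.0"}
+"x509" {>= "1.0.0"}
 "ocaml" {>= "4.08.0"}
+"ohex" {>= "0.2.0"}
 "alcotest" {with-test}
 "fmt" {with-test & >= "0.8.7"}
 ]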
+4 -2
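--- a/dune-project
+++ b/dune-project
@@ -12,9 +12,11 @@
 (name ca-certs)
 (depends
 bos fpath ptime logs
-(mirage-crypto (< 1.0.0))
-(x509 (and (>= 0.13.0) (< 1.0.0)))
+(digestif (>= 1.2.0))
+(mirage-crypto (>= 1.0.0))
+(x509 (>= 1.0.0))
 (ocaml (>= 4.08.0))
+(ohex (>= 0.2.0))
 (alcotest :with-test)
 (fmt (and :with-test (>= 0.8.7))))
 (conflicts (result (< 1.5)))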
+15 -15
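--- a/lib/ca_certs.ml
+++ b/lib/ca_certs.ml
@@ -53,30 +53,30 @@
 
 let get_anchors () =
 let der_list = ref [] in
-match
-iter_on_anchors (fun der_cert ->
-der_list := Cstruct.of_string der_cert :: !der_list)
-with
+match iter_on_anchors (fun der_cert -> der_list := der_cert :: !der_list) with
 | () -> Ok !der_list
 | exception Failure msg -> Error (`Msg msg)
 
 let ( let* ) = Result.bind
 
-let rec map_m f l =
-match l with
-| [] -> Ok []
-| x :: xs ->
-let* y = f x in
-let* ys = map_m f xs in
-Ok (y :: ys)
-
 (** Load certificates from Windows' ["ROOT"] system certificate store.
 The C API returns a list of DER-encoded certificates. These are decoded and
 reencoded as a single PEM certificate. *)
 let windows_trust_anchors () =
 let* anchors = get_anchors () in
-let* cert_list = map_m X509.Certificate.decode_der anchors in
-Ok (X509.Certificate.encode_pem_multiple cert_list |> Cstruct.to_string)
+let cert_list =
+List.fold_left
+(fun acc cert ->
+match X509.Certificate.decode_der cert with
+| Ok cert -> cert :: acc
+| Error (`Msg msg) ->
+Log.warn (fun m -> m "Failed to decode a trust anchor: %s" msg);
+Log.debug (fun m ->
+m "Full certificate:@.%a" (Ohex.pp_hexdump ()) cert);
+acc)
+[] anchors
+in
+Ok (X509.Certificate.encode_pem_multiple cert_list)
 
 let trust_anchors () =
 if Sys.win32 then windows_trust_anchors ()
@@ -134,7 +134,7 @@
 when String.length line >= len_end
 && String.(equal (sub line 0 len_end) end_of_cert) -> (
 let data = String.concat "\n" (List.rev (line :: lines)) in
-match X509.Certificate.decode_pem (Cstruct.of_string data) with
+match X509.Certificate.decode_pem data with
 | Ok ca -> (None, ca :: cas)
 | Error (`Msg msg) ->
 Log.warn (fun m -> m "Failed to decode a trust anchor %s." msg);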
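Review bot: `windows_trust_anchors` now returns `Ok` even when every store entry fails `X509.Certificate.decode_der`, so a fully undecodable store yields an empty PEM string instead of an error. Whether the caller rejects an empty anchor set is not visible in this hunk. Consider returning an `Error` when `cert_list` is empty, or at least logging one summary line with the number of anchors skipped versus loaded, since a dropped root otherwise surfaces only as verification failures for hosts chained to it. The fold also skips on any decode error, not only the negative-serial case named in the commit message, and the doc comment above the function still describes plain decode-and-reencode. Adding a sentence such as `Entries that fail to decode are logged and skipped.` would record the new contract.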
+1 -1
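--- a/lib/ca_certs.mli
+++ b/lib/ca_certs.mli
@@ -1,6 +1,6 @@
 val authenticator :
 ?crls:X509.CRL.t list ->
-?allowed_hashes:Mirage_crypto.Hash.hash list ->
+?allowed_hashes:Digestif.hash' list ->
 unit ->
 (X509.Authenticator.t, [> `Msg of string ]) result
 (** [authenticator ~crls ~allowed_hashes ()] detects the root CAs (trust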
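Review bot: Changing `?allowed_hashes` from `Mirage_crypto.Hash.hash list` to `Digestif.hash' list` alters the public signature of `authenticator`, yet no changelog file is among the files this commit touches. Downstream code that names the old type in an annotation will stop compiling, so a release note is warranted. The docstring that begins on the last line of the hunk continues outside it, so I cannot see whether it says which hashes are accepted when the argument is omitted. If it does not, a sentence stating that default would help callers avoid passing a list that admits weak signature hashes.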
+1 -1
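--- a/lib/dune
+++ b/lib/dune
@@ -1,7 +1,7 @@
 (library
 (name ca_certs)
 (public_name ca-certs)
-(libraries mirage-crypto x509 bos fpath logs ptime.clock.os)
+(libraries mirage-crypto x509 bos fpath logs ptime.clock.os digestif ohex)
 (foreign_stubs
 (language c)
 (names ca_certs_stubs))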
+1 -1
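--- a/test/dune
+++ b/test/dune
@@ -1,3 +1,3 @@
 (test
 (name tests)
-(libraries ca-certs fmt alcotest))
+(libraries ca-certs fmt alcotest logs.fmt))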
+12 -12
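--- a/test/tests.ml
+++ b/test/tests.ml
@@ -971,10 +971,7 @@
 List.map
 (fun (name, data, time) ->
 let host = Domain_name.(of_string_exn name |> host_exn)
-and chain =
-Result.get_ok
-(X509.Certificate.decode_pem_multiple (Cstruct.of_string data))
-in
+and chain = Result.get_ok (X509.Certificate.decode_pem_multiple data) in
 ( name,
 `Quick,
 test_one ?time tas (Ok (Some (chain, List.hd chain))) host chain ))
@@ -982,10 +979,7 @@
 @ List.map
 (fun (name, result, data, time) ->
 let host = Domain_name.(of_string_exn name |> host_exn)
-and chain =
-Result.get_ok
-(X509.Certificate.decode_pem_multiple (Cstruct.of_string data))
-in
+and chain = Result.get_ok (X509.Certificate.decode_pem_multiple data) in
 (name, `Quick, test_one ?time tas (Error (result host chain)) host chain))
 err_tests
 
@@ -1013,7 +1007,7 @@
 when String.length line >= len_end
 && String.(equal (sub line 0 len_end) end_of_cert) -> (
 let data = String.concat "\n" (List.rev (line :: lines)) in
-match X509.Certificate.decode_pem (Cstruct.of_string data) with
+match X509.Certificate.decode_pem data with
 | Ok ca -> (None, ca :: cas)
 | Error (`Msg _) -> (None, cas))
 | Some lines -> (Some (line :: lines), cas))
@@ -1022,6 +1016,12 @@
 Ok (List.rev cas))
 
 let () =
-let tas = Result.get_ok (ta ()) in
-Alcotest.run "verification tests"
-[ ("X509 certificate validation", tests tas) ]
+Logs.set_reporter (Logs_fmt.reporter ());
+Logs.set_level ~all:true (Some Logs.Debug);
+match ta () with
+| Ok tas ->
+Alcotest.run "verification tests"
+[ ("X509 certificate validation", tests tas) ]
+| Error (`Msg msg) ->
+Logs.err (fun m -> m "error %s in ta()" msg);
+exit 1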