+3

.gitignore

reviewed

··· 1 1 + _build 2 2 + _opam 3 3 + .merlin

+1

.ocamlformat

reviewed

··· 1 1 + profile=conventional

+15

LICENSE.md

reviewed

··· 1 1 + ## ISC License 2 2 + 3 3 + Copyright (c) 2019, The MirageOS contributors 4 4 + 5 5 + Permission to use, copy, modify, and/or distribute this software for any 6 6 + purpose with or without fee is hereby granted, provided that the above 7 7 + copyright notice and this permission notice appear in all copies. 8 8 + 9 9 + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 10 + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 11 + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 12 + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 13 + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 14 + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 15 + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

+7

README.md

reviewed

··· 1 1 + ## ca-certs - detect root CA certificates from the operating system 2 2 + 3 3 + TLS requires a set of root anchors (Certificate Authorities) to authenticate 4 4 + servers. This library exposes this list so that it can be registered with 5 5 + [ocaml-tls]. 6 6 + 7 7 + [ocaml-tls]: https://github.com/mirleft/ocaml-tls

+33

ca-certs.opam

reviewed

··· 1 1 + # This file is generated by dune, edit dune-project instead 2 2 + opam-version: "2.0" 3 3 + synopsis: "Detect root CA certificates from the operating system" 4 4 + description: """ 5 5 + TLS requires a set of root anchors (Certificate Authorities) to 6 6 + authenticate servers. This library exposes this list so that it can be 7 7 + registered with ocaml-tls. 8 8 + """ 9 9 + maintainer: ["Etienne Millon <me@emillon.org>"] 10 10 + authors: ["Etienne Millon <me@emillon.org>"] 11 11 + license: "ISC" 12 12 + homepage: "https://github.com/mirage/ca-certs" 13 13 + doc: "https://mirage.github.io/ca-certs/doc" 14 14 + bug-reports: "https://github.com/mirage/ca-certs/issues" 15 15 + depends: [ 16 16 + "dune" {>= "1.11"} 17 17 + ] 18 18 + build: [ 19 19 + ["dune" "subst"] {pinned} 20 20 + [ 21 21 + "dune" 22 22 + "build" 23 23 + "-p" 24 24 + name 25 25 + "-j" 26 26 + jobs 27 27 + "@install" 28 28 + "@runtest" {with-test} 29 29 + "@doc" {with-doc} 30 30 + ] 31 31 + ] 32 32 + dev-repo: "git+https://github.com/mirage/ca-certs.git" 33 33 + tags: ["org:mirage"]

+1

ca-certs.opam.template

reviewed

··· 1 1 + tags: ["org:mirage"]

+22

dune-project

reviewed

··· 1 1 + (lang dune 1.11) 2 2 + (name ca-certs) 3 3 + 4 4 + (generate_opam_files true) 5 5 + (source (github mirage/ca-certs)) 6 6 + (documentation "https://mirage.github.io/ca-certs/doc") 7 7 + (license ISC) 8 8 + (maintainers "Etienne Millon <me@emillon.org>") 9 9 + (authors "Etienne Millon <me@emillon.org>") 10 10 + 11 11 + (package 12 12 + (name ca-certs) 13 13 + (depends) 14 14 + (synopsis "Detect root CA certificates from the operating system") 15 15 + (description 16 16 + "\> TLS requires a set of root anchors (Certificate Authorities) to 17 17 + "\> authenticate servers. This library exposes this list so that it can be 18 18 + "\> registered with ocaml-tls. 19 19 + ) 20 20 + ; tags are not included before (lang dune 2.0) 21 21 + ; so an opam template is necessary until then 22 22 + (tags (org:mirage)))

+24

lib/ca_certs.ml

reviewed

··· 1 1 + (* 2 2 + "/etc/ssl/certs/ca-certificates.crt" (* Debian/Ubuntu/Gentoo etc.*); 3 3 + (* "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6*) 4 4 + (* "/etc/ssl/ca-bundle.pem", // OpenSUSE*) 5 5 + (* "/etc/pki/tls/cacert.pem", // OpenELEC*) 6 6 + "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" (* CentOS/RHEL 7*); 7 7 + (* "/etc/ssl/cert.pem", // Alpine Linux*) 8 8 + *) 9 9 + 10 10 + let rec detect_list = 11 11 + let open Lwt in 12 12 + function 13 13 + | [] -> return_none 14 14 + | path :: paths -> 15 15 + Lwt_unix.file_exists path >>= fun exists -> 16 16 + if exists then return_some (`Ca_file path) else detect_list paths 17 17 + 18 18 + let locations = 19 19 + [ 20 20 + "/etc/ssl/certs/ca-certificates.crt"; 21 21 + "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"; 22 22 + ] 23 23 + 24 24 + let detect () = detect_list locations

+4

lib/ca_certs.mli

reviewed

··· 1 1 + val detect : unit -> [> `Ca_file of Lwt_io.file_name ] option Lwt.t 2 2 + (** Detect root CAs in the operating system's trust store. 3 3 + Returns [None] if detection did not succeed. The variants correspond to the 4 4 + ones used in [X509_lwt] in [ocaml-tls]. *)

+4

lib/dune

reviewed

··· 1 1 + (library 2 2 + (name ca_certs) 3 3 + (public_name ca-certs) 4 4 + (libraries lwt.unix))

+17

test/e2e/dune

reviewed

··· 1 1 + (executable 2 2 + (name test_e2e) 3 3 + (libraries ca_certs tls.lwt lwt.unix)) 4 4 + 5 5 + (alias 6 6 + (name runtest) 7 7 + (deps ./test_e2e.exe)) 8 8 + 9 9 + (alias 10 10 + (name runtest-e2e) 11 11 + (action 12 12 + (diff test_e2e.expected test_e2e.output))) 13 13 + 14 14 + (rule 15 15 + (with-stdout-to 16 16 + test_e2e.output 17 17 + (run ./test_e2e.exe)))

+6

test/e2e/test_e2e.expected

reviewed

··· 1 1 + google.com -> Accepted 2 2 + self-signed.badssl.com -> Authentication failure: invalid certificate chain 3 3 + expired.badssl.com -> Authentication failure (leaf: expired) 4 4 + untrusted-root.badssl.com -> Authentication failure: invalid certificate chain 5 5 + revoked.badssl.com -> Authentication failure (leaf: expired) 6 6 + extended-validation.badssl.com -> Accepted

+64

test/e2e/test_e2e.ml

reviewed

··· 1 1 + type result = 2 2 + | Accepted 3 3 + | Unknown_exception of exn 4 4 + | Authentication_failure of X509.Validation.validation_error 5 5 + 6 6 + let pp_leaf_validation_error ppf = function 7 7 + | `LeafCertificateExpired _ -> Format.fprintf ppf "expired" 8 8 + | `LeafInvalidName _ -> Format.fprintf ppf "invalid name" 9 9 + | `LeafInvalidVersion _ -> Format.fprintf ppf "invalid version" 10 10 + | `LeafInvalidExtensions _ -> Format.fprintf ppf "invalid extensions" 11 11 + 12 12 + let pp_result ppf = function 13 13 + | Accepted -> Format.pp_print_string ppf "Accepted" 14 14 + | Unknown_exception e -> 15 15 + Format.fprintf ppf "Unknown_exception: %s" (Printexc.to_string e) 16 16 + | Authentication_failure (`Leaf e) -> 17 17 + Format.fprintf ppf "Authentication failure (leaf: %a)" 18 18 + pp_leaf_validation_error e 19 19 + | Authentication_failure e -> 20 20 + Format.fprintf ppf "Authentication failure: %a" 21 21 + X509.Validation.pp_validation_error e 22 22 + 23 23 + let to_authenticator_param = function 24 24 + | Some x -> x 25 25 + | None -> 26 26 + print_endline "defaulting to null auth"; 27 27 + `No_authentication_I'M_STUPID 28 28 + 29 29 + let make_client () = 30 30 + let open Lwt in 31 31 + Ca_certs.detect () >>= fun r -> 32 32 + to_authenticator_param r |> X509_lwt.authenticator >|= fun authenticator -> 33 33 + Tls.Config.client ~authenticator () 34 34 + 35 35 + let connect client host = 36 36 + let open Lwt in 37 37 + let create () = Tls_lwt.Unix.connect client (host, 443) in 38 38 + let act tls = Tls_lwt.Unix.close tls >|= fun () -> Accepted in 39 39 + let on_exn = function 40 40 + | Tls_lwt.Tls_failure (`Error (`AuthenticationFailure f)) -> 41 41 + return (Authentication_failure f) 42 42 + | e -> return (Unknown_exception e) 43 43 + in 44 44 + Lwt.try_bind create act on_exn 45 45 + 46 46 + let test client host = 47 47 + let open Lwt in 48 48 + connect client host >|= fun result -> 49 49 + Format.printf "%s -> %a\n" host pp_result result 50 50 + 51 51 + let main () = 52 52 + let open Lwt in 53 53 + make_client () >>= fun client -> 54 54 + Lwt_list.iter_s (test client) 55 55 + [ 56 56 + "google.com"; 57 57 + "self-signed.badssl.com"; 58 58 + "expired.badssl.com"; 59 59 + "untrusted-root.badssl.com"; 60 60 + "revoked.badssl.com"; 61 61 + "extended-validation.badssl.com"; 62 62 + ] 63 63 + 64 64 + let () = Lwt_main.run (main ())

test/e2e/test_e2e.mli

reviewed

This is a binary file and will not be displayed.