upstream: github.com/mirage/ca-certs

Merge pull request #10 from hannesm/no-temp-file

avoid temporary file creation on macos, revise interface

authored by

Hannes Mehnert and committed by
GitHub
3d3b54a0 d338049a

+35 -23
+2 -2
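--- a/ca-certs.opam
+++ b/ca-certs.opam
@@ -23,6 +23,7 @@
 "ocaml" {>= "4.07.0"}
 "alcotest" {with-test}
 ]
+dev-repo: "git+https://github.com/mirage/ca-certs.git"
 build: [
 ["dune" "subst"] {pinned}
 [
@@ -33,11 +34,10 @@
 "-j"
 jobs
 "@install"
-"@runtest" {with-test}
+"@runtest" {with-test & os != "macos"} # the opam sandbox on macos leads to test failures (ocaml/opam#4389)
 "@doc" {with-doc}
 ]
 ]
-dev-repo: "git+https://github.com/mirage/ca-certs.git"
 tags: ["org:mirage"]
 depexts: [
 ["ca_root_nss"] {os = "freebsd"}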
+14
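--- a/ca-certs.opam.template
+++ b/ca-certs.opam.template
@@ -1,3 +1,17 @@
+build: [
+["dune" "subst"] {pinned}
+[
+"dune"
+"build"
+"-p"
+name
+"-j"
+jobs
+"@install"
+"@runtest" {with-test & os != "macos"} # the opam sandbox on macos leads to test failures (ocaml/opam#4389)
+"@doc" {with-doc}
+]
+]
 tags: ["org:mirage"]
 depexts: [
 ["ca_root_nss"] {os = "freebsd"}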
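Review bot: The `os != "macos"` filter on `"@runtest"` switches the test suite off on the one platform where, in this same commit, `trust_anchors` takes its data from the `security` command, so the rewritten macOS branch is no longer exercised by opam builds. The inline comment attributes the failures to the opam sandbox (ocaml/opam#4389); if that is the only cause, the tests should still be run on macOS outside the sandbox, for instance with `dune runtest` in CI. I would also extend the comment so the filter reads as temporary, e.g. `# remove once ocaml/opam#4389 is fixed`. The same filter appears in `ca-certs.opam`.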
+7 -14
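--- a/lib/ca_certs.ml
+++ b/lib/ca_certs.ml
@@ -8,7 +8,7 @@
 let detect_one path =
 let path' = Fpath.v path in
 match Bos.OS.Path.exists path' with
-| Ok true -> Ok path'
+| Ok true -> Bos.OS.File.read path'
 | _ ->
 Error
 (`Msg
@@ -23,7 +23,7 @@
 ( "ca-certs: no trust anchor file found, looked into "
 ^ String.concat ", " paths ^ ".\n" ^ issue ))
 | path :: paths -> (
-match detect_one path with Ok path -> Ok path | Error _ -> one paths )
+match detect_one path with Ok data -> Ok data | Error _ -> one paths )
 in
 one paths
 
@@ -46,7 +46,7 @@
 let macos_keychain_location =
 "/System/Library/Keychains/SystemRootCertificates.keychain"
 
-let ta_file_raw () =
+let trust_anchors () =
 let open Rresult.R.Infix in
 if Sys.win32 then
 Error (`Msg "ca-certs: windows is not supported at the moment")
@@ -62,19 +62,12 @@
 v "security" % "find-certificate" % "-a" % "-p"
 % macos_keychain_location)
 in
-let tmpfile = Fpath.v (Filename.temp_file "cacert" "pem") in
-Bos.OS.Cmd.(run_out cmd |> out_file tmpfile |> success) >>| fun () ->
-tmpfile
+Bos.OS.Cmd.(run_out cmd |> out_string |> success)
 | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue))
 
-let trust_anchor_filename () =
-let open Rresult.R.Infix in
-ta_file_raw () >>| Fpath.to_string
-
-let trust_anchor ?crls ?hash_whitelist () =
+let authenticator ?crls ?hash_whitelist () =
 let open Rresult.R.Infix in
-ta_file_raw () >>= fun file ->
-Bos.OS.File.read file >>= fun data ->
+trust_anchors () >>= fun data ->
+let time () = Some (Ptime_clock.now ()) in
 X509.Certificate.decode_pem_multiple (Cstruct.of_string data) >>| fun cas ->
-let time () = Some (Ptime_clock.now ()) in
 X509.Authenticator.chain_of_trust ?crls ?hash_whitelist ~time cas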
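Review bot: In the last hunk `authenticator` hands the output of `trust_anchors ()` to `decode_pem_multiple` and builds the authenticator from whatever list comes back, with no check that any certificate was found. If the bundle file or the `security` output is empty (and assuming `decode_pem_multiple` yields `Ok []` for input without PEM blocks, which should be confirmed), the call succeeds and the problem only shows up later as every server certificate being rejected. I would match on `cas` after decoding and return an `Error` carrying a `ca-certs:` message when it is `[]`. Separately, `v "security"` names the tool without a directory, so which binary supplies the trust anchors appears to depend on the process's PATH; `v "/usr/bin/security"` would pin it. The middle of `trust_anchors` lies outside the visible hunks.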
+11 -5
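--- a/lib/ca_certs.mli
+++ b/lib/ca_certs.mli
@@ -1,10 +1,16 @@
-val trust_anchor_filename : unit -> (string, [> `Msg of string ]) result
-(** Attempts to discover the trust anchor file on this host system. *)
-
-val trust_anchor :
+val authenticator :
 ?crls:X509.CRL.t list ->
 ?hash_whitelist:Mirage_crypto.Hash.hash list ->
 unit ->
 (X509.Authenticator.t, [> `Msg of string ]) result
-(** Detects root CAs in the operating system's trust store.
+(** [authenticator ~crls ~hash_whitelist ()] detects the root CAs (trust
+anchors) in the operating system's trust store using {!trust_anchors}. It
+constructs an authenticator with the current timestamp {!Ptime_clock.now},
+and the provided [~crls] and [~hash_whitelist] arguments, to be used for
+{!Tls.Config.client}.
 Returns [Error `Msg msg] if detection did not succeed. *)
+
+val trust_anchors : unit -> (string, [> `Msg of string ]) result
+(** [trust_anchors ()] detects the root CAs (trust anchors) in the operating
+system's trust store.
+The successful result is a list of pem-encoded X509 certificates. *)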
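Review bot: The doc comment on `trust_anchors` promises "a list of pem-encoded X509 certificates", but the signature returns a single `string`, so a caller reading only the interface cannot tell that decoding is still needed. I would reword the last sentence to `The successful result is a string holding the concatenated PEM-encoded X509 certificates, to be decoded with {!X509.Certificate.decode_pem_multiple}.` The comment on `authenticator` also reads as if one timestamp were fixed at construction, whereas lib/ca_certs.ml passes `time` as a function that calls `Ptime_clock.now ()`; if `chain_of_trust` invokes it per verification (inferred, not visible here), the comment should say the clock is read at verification time.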
+1 -2
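--- a/test/tests.ml
+++ b/test/tests.ml
@@ -957,8 +957,7 @@
 
 let ta () =
 let open Rresult.R.Infix in
-Ca_certs.trust_anchor_filename () >>= fun file ->
-Bos.OS.File.read (Fpath.v file) >>= fun data ->
+Ca_certs.trust_anchors () >>= fun data ->
 X509.Certificate.decode_pem_multiple (Cstruct.of_string data)
 
 let () =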