···11+build: [
22+ ["dune" "subst"] {pinned}
33+ [
44+ "dune"
55+ "build"
66+ "-p"
77+ name
88+ "-j"
99+ jobs
1010+ "@install"
1111+ "@runtest" {with-test & os != "macos"} # the opam sandbox on macos leads to test failures (ocaml/opam#4389)
1212+ "@doc" {with-doc}
1313+ ]
1414+]
115tags: ["org:mirage"]
216depexts: [
317 ["ca_root_nss"] {os = "freebsd"}
+7-14
lib/ca_certs.ml
···88let detect_one path =
99 let path' = Fpath.v path in
1010 match Bos.OS.Path.exists path' with
1111- | Ok true -> Ok path'
1111+ | Ok true -> Bos.OS.File.read path'
1212 | _ ->
1313 Error
1414 (`Msg
···2323 ( "ca-certs: no trust anchor file found, looked into "
2424 ^ String.concat ", " paths ^ ".\n" ^ issue ))
2525 | path :: paths -> (
2626- match detect_one path with Ok path -> Ok path | Error _ -> one paths )
2626+ match detect_one path with Ok data -> Ok data | Error _ -> one paths )
2727 in
2828 one paths
2929···4646let macos_keychain_location =
4747 "/System/Library/Keychains/SystemRootCertificates.keychain"
48484949-let ta_file_raw () =
4949+let trust_anchors () =
5050 let open Rresult.R.Infix in
5151 if Sys.win32 then
5252 Error (`Msg "ca-certs: windows is not supported at the moment")
···6262 v "security" % "find-certificate" % "-a" % "-p"
6363 % macos_keychain_location)
6464 in
6565- let tmpfile = Fpath.v (Filename.temp_file "cacert" "pem") in
6666- Bos.OS.Cmd.(run_out cmd |> out_file tmpfile |> success) >>| fun () ->
6767- tmpfile
6565+ Bos.OS.Cmd.(run_out cmd |> out_string |> success)
6866 | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue))
69677070-let trust_anchor_filename () =
7171- let open Rresult.R.Infix in
7272- ta_file_raw () >>| Fpath.to_string
7373-7474-let trust_anchor ?crls ?hash_whitelist () =
6868+let authenticator ?crls ?hash_whitelist () =
7569 let open Rresult.R.Infix in
7676- ta_file_raw () >>= fun file ->
7777- Bos.OS.File.read file >>= fun data ->
7070+ trust_anchors () >>= fun data ->
7171+ let time () = Some (Ptime_clock.now ()) in
7872 X509.Certificate.decode_pem_multiple (Cstruct.of_string data) >>| fun cas ->
7979- let time () = Some (Ptime_clock.now ()) in
8073 X509.Authenticator.chain_of_trust ?crls ?hash_whitelist ~time cas
+11-5
lib/ca_certs.mli
···11-val trust_anchor_filename : unit -> (string, [> `Msg of string ]) result
22-(** Attempts to discover the trust anchor file on this host system. *)
33-44-val trust_anchor :
11+val authenticator :
52 ?crls:X509.CRL.t list ->
63 ?hash_whitelist:Mirage_crypto.Hash.hash list ->
74 unit ->
85 (X509.Authenticator.t, [> `Msg of string ]) result
99-(** Detects root CAs in the operating system's trust store.
66+(** [authenticator ~crls ~hash_whitelist ()] detects the root CAs (trust
77+ anchors) in the operating system's trust store using {!trust_anchors}. It
88+ constructs an authenticator with the current timestamp {!Ptime_clock.now},
99+ and the provided [~crls] and [~hash_whitelist] arguments, to be used for
1010+ {!Tls.Config.client}.
1011 Returns [Error `Msg msg] if detection did not succeed. *)
1212+1313+val trust_anchors : unit -> (string, [> `Msg of string ]) result
1414+(** [trust_anchors ()] detects the root CAs (trust anchors) in the operating
1515+ system's trust store.
1616+ The successful result is a list of pem-encoded X509 certificates. *)
+1-2
test/tests.ml
···957957958958let ta () =
959959 let open Rresult.R.Infix in
960960- Ca_certs.trust_anchor_filename () >>= fun file ->
961961- Bos.OS.File.read (Fpath.v file) >>= fun data ->
960960+ Ca_certs.trust_anchors () >>= fun data ->
962961 X509.Certificate.decode_pem_multiple (Cstruct.of_string data)
963962964963let () =