upstream: github.com/mirage/ca-certs

Use fold decode pem (#34)

* use X509.Certificate.fold_decode_pem_multiple

---------

Co-authored-by: ArthurW <arthur@tarides.com>

authored by

Hannes Mehnert
ArthurW
and committed by
GitHub
6ac7ef85 193cd2d1

+11 -40
+11 -40
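--- a/lib/ca_certs.ml
+++ b/lib/ca_certs.ml
@@ -70,7 +70,7 @@
     match X509.Certificate.decode_der cert with
     | Ok cert -> cert :: acc
     | Error (`Msg msg) ->
-        Log.warn (fun m -> m "Failed to decode a trust anchor: %s" msg);
+        Log.warn (fun m -> m "Ignoring undecodable trust anchor: %s." msg);
         Log.debug (fun m ->
             m "Full certificate:@.%a" (Ohex.pp_hexdump ()) cert);
         acc)
@@ -107,48 +107,19 @@
       Bos.OS.Cmd.(run_out cmd |> out_string |> success)
   | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue)))
 
+let decode_pem_multiple data =
+  X509.Certificate.fold_decode_pem_multiple
+    (fun acc -> function
+      | Ok t -> t :: acc
+      | Error (`Msg msg) ->
+          Log.warn (fun m -> m "Ignoring undecodable trust anchor: %s." msg);
+          acc)
+    [] data
+
 let authenticator ?crls ?allowed_hashes () =
   let* data = trust_anchors () in
   let time () = Some (Ptime_clock.now ()) in
-  (* we cannot use decode_pem_multiple since this fails on the first
-     undecodable certificate - while we'd like to stay operational, and ignore
-     some certificates *)
-  let d = "-----" in
-  let new_cert = d ^ "BEGIN CERTIFICATE" ^ d
-  and end_of_cert = d ^ "END CERTIFICATE" ^ d in
-  let len_new = String.length new_cert
-  and len_end = String.length end_of_cert in
-  let lines = String.split_on_char '\n' data in
-  let it, cas =
-    List.fold_left
-      (fun (acc, cas) line ->
-        match acc with
-        | None
-          when String.length line >= len_new
-               && String.(equal (sub line 0 len_new) new_cert) ->
-            (Some [ line ], cas)
-        | None ->
-            Log.debug (fun m -> m "ignoring line %s" line);
-            (None, cas)
-        | Some lines
-          when String.length line >= len_end
-               && String.(equal (sub line 0 len_end) end_of_cert) -> (
-            let data = String.concat "\n" (List.rev (line :: lines)) in
-            match X509.Certificate.decode_pem data with
-            | Ok ca -> (None, ca :: cas)
-            | Error (`Msg msg) ->
-                Log.warn (fun m -> m "Failed to decode a trust anchor %s." msg);
-                Log.debug (fun m -> m "Full certificate:@.%s" data);
-                (None, cas))
-        | Some lines -> (Some (line :: lines), cas))
-      (None, []) lines
-  in
-  (match it with
-  | None -> ()
-  | Some lines ->
-      Log.debug (fun m ->
-          m "ignoring leftover data: %s" (String.concat "\n" (List.rev lines))));
-  let cas = List.rev cas in
+  let cas = decode_pem_multiple data in
   match cas with
   | [] -> Error (`Msg ("ca-certs: empty trust anchors.\n" ^ issue))
   | _ -> Ok (X509.Authenticator.chain_of_trust ?crls ?allowed_hashes ~time cas)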
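Review bot: The new `decode_pem_multiple` in the second hunk silently changes two observable behaviours of the replaced code: the `Error` branch no longer emits the debug dump of the offending certificate text (the old `Log.debug (fun m -> m "Full certificate:@.%s" data)`), so an operator investigating a warning has only the message, unlike the DER path in the first hunk which keeps its hexdump; and the accumulator is built with `t :: acc` but never reversed, whereas the old code ended with `let cas = List.rev cas in`, so the anchors handed to `chain_of_trust` now appear in reverse document order (presumably harmless for a trust set, but worth confirming in the library). The removed comment explaining why undecodable entries are skipped rather than failing the whole store was the only record of that decision; I would put it back on the new helper, e.g. `(* Decode every PEM certificate in [data]; undecodable entries are logged and skipped so that one bad anchor does not disable the whole trust store. *)`. If the fold's error value carries no certificate text, a one-line comment saying the full dump is not available here would spare the next reader from looking for it.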