···7070 match X509.Certificate.decode_der cert with
7171 | Ok cert -> cert :: acc
7272 | Error (`Msg msg) ->
7373- Log.warn (fun m -> m "Failed to decode a trust anchor: %s" msg);
7373+ Log.warn (fun m -> m "Ignoring undecodable trust anchor: %s." msg);
7474 Log.debug (fun m ->
7575 m "Full certificate:@.%a" (Ohex.pp_hexdump ()) cert);
7676 acc)
···107107 Bos.OS.Cmd.(run_out cmd |> out_string |> success)
108108 | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue)))
109109110110+let decode_pem_multiple data =
111111+ X509.Certificate.fold_decode_pem_multiple
112112+ (fun acc -> function
113113+ | Ok t -> t :: acc
114114+ | Error (`Msg msg) ->
115115+ Log.warn (fun m -> m "Ignoring undecodable trust anchor: %s." msg);
116116+ acc)
117117+ [] data
118118+110119let authenticator ?crls ?allowed_hashes () =
111120 let* data = trust_anchors () in
112121 let time () = Some (Ptime_clock.now ()) in
113113- (* we cannot use decode_pem_multiple since this fails on the first
114114- undecodable certificate - while we'd like to stay operational, and ignore
115115- some certificates *)
116116- let d = "-----" in
117117- let new_cert = d ^ "BEGIN CERTIFICATE" ^ d
118118- and end_of_cert = d ^ "END CERTIFICATE" ^ d in
119119- let len_new = String.length new_cert
120120- and len_end = String.length end_of_cert in
121121- let lines = String.split_on_char '\n' data in
122122- let it, cas =
123123- List.fold_left
124124- (fun (acc, cas) line ->
125125- match acc with
126126- | None
127127- when String.length line >= len_new
128128- && String.(equal (sub line 0 len_new) new_cert) ->
129129- (Some [ line ], cas)
130130- | None ->
131131- Log.debug (fun m -> m "ignoring line %s" line);
132132- (None, cas)
133133- | Some lines
134134- when String.length line >= len_end
135135- && String.(equal (sub line 0 len_end) end_of_cert) -> (
136136- let data = String.concat "\n" (List.rev (line :: lines)) in
137137- match X509.Certificate.decode_pem data with
138138- | Ok ca -> (None, ca :: cas)
139139- | Error (`Msg msg) ->
140140- Log.warn (fun m -> m "Failed to decode a trust anchor %s." msg);
141141- Log.debug (fun m -> m "Full certificate:@.%s" data);
142142- (None, cas))
143143- | Some lines -> (Some (line :: lines), cas))
144144- (None, []) lines
145145- in
146146- (match it with
147147- | None -> ()
148148- | Some lines ->
149149- Log.debug (fun m ->
150150- m "ignoring leftover data: %s" (String.concat "\n" (List.rev lines))));
151151- let cas = List.rev cas in
122122+ let cas = decode_pem_multiple data in
152123 match cas with
153124 | [] -> Error (`Msg ("ca-certs: empty trust anchors.\n" ^ issue))
154125 | _ -> Ok (X509.Authenticator.chain_of_trust ?crls ?allowed_hashes ~time cas)
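Review bot: `decode_pem_multiple` hands back the anchors in reverse order of appearance — every `Ok t` is consed onto `acc` and the list is never reversed — whereas the removed code did `let cas = List.rev cas` before calling `X509.Authenticator.chain_of_trust`. Trust anchors are presumably matched as a set so validation should not change, but I would either restore the old order (`[] data |> List.rev`) or state in a doc comment that order is not preserved, so nobody later relies on it. The PEM error branch also no longer dumps the offending block at debug level, which the DER path still does (`m "Full certificate:@.%a" ...`) and which is what an operator needs to locate the broken anchor in a system bundle; if the fold does not expose the raw block, a count of skipped anchors in a single summary warning would serve the same purpose. The new function carries no doc comment; I would add `(** [decode_pem_multiple data] decodes every certificate in the PEM bundle [data], logging a warning for and skipping any that fail to decode so that one broken system anchor does not make the authenticator unusable. Returns [[]] when nothing decodes; [authenticator] treats that as an error. *)`.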