(*
Copyright © 2011 MLstate

This file is part of OPA.

OPA is free software: you can redistribute it and/or modify it under the
terms of the GNU Affero General Public License, version 3, as published by
the Free Software Foundation.

OPA is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for
more details.

You should have received a copy of the GNU Affero General Public License
along with OPA. If not, see <http://www.gnu.org/licenses/>.
*)
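(* NOTE(review): this interface does not say which functions raise this
   exception, nor whether it is delivered through an [err_cont]
   continuation -- confirm in the implementation before relying on it to
   reject a peer. *)
(** Raised when the certificate provided is invalid. *)
exception InvalidCertificate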
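(* NOTE(review): "certpath" below may mean the [capath] argument of
   [make_ssl_certificate], which has no certpath parameter -- confirm. *)
(** The certificate this endpoint presents.

    When the peer (client or server) asks for a certificate, this is the
    certificate provided.

    The password field is only used if the private key file is password
    protected and the password is not the empty string.

    If the peer asks for intermediate CAs, give those in certfile, then in
    certpath.

    The type is abstract in this interface, so its fields, including the
    password, cannot be read back through it.

    @see <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html> for certificate
    @see <http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html> for CA *)
type ssl_certificate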
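(* NOTE(review): the two descriptions of accept_fun below differ (called for
   any unknown/invalid certificate vs. only when a cert path is defined and
   the certificate is not in it), and the outcome when no accept_fun is given
   is not stated here -- confirm both in the implementation. *)
(** Certificate verification rules.

    When the peer (client or server) provides a certificate, verify that the
    certificate is valid:
    - cafile: checks that the certificate is signed by this CA
    - capath: checks that the certificate is signed by one of the CAs in the
      CA path
    - certpath: checks that the certificate is contained in the cert path
    - accept_fun: the function to call if the certificate is unknown/invalid

    The verifications are made in this order:
    - CA check (see
      http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html and
      http://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html)
    - cert check, if it is in the cert path directory
    - accept_fun, if a cert path is defined and the certificate is not in
      this directory

    accept_fun is consulted for a certificate that the automatic checks did
    not accept and answers with a [bool]. A function that always returns
    [true] would presumably accept any such certificate, so it should reject
    by default. *)
type ssl_verify_params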
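(** Security settings of an endpoint: the certificate to present, if any,
    and the rules used to verify the certificate of the peer, if any. *)
type secure_type = ssl_certificate option * ssl_verify_params option

(** Outcome of a certificate check; going by the name, [true] stands for a
    valid certificate. *)
type is_valid_cert = bool

(* NOTE(review): [SecuredRes] carries a validity flag instead of the
   connection being refused, which suggests a handler can be called with
   [false]. A handler that authenticates the peer by certificate should
   match on the flag rather than on the constructor alone -- confirm in the
   implementation. The [Ssl.certificate option] is presumably the
   certificate received from the peer -- confirm. *)
(** Security status passed to the handler given to [get_listen_callback].

    - [UnsecuredRes]: no secured status is reported.
    - [SecuredRes (valid, (cert, verify_params))]: [valid] is the result of
      the certificate check. *)
type secure_response =
  | UnsecuredRes
  | SecuredRes of
      is_valid_cert * (Ssl.certificate option * ssl_verify_params option)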
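(* NOTE(review): the three positional arguments are unlabelled strings. They
   are presumably certfile, privkey and password, in the order the @param
   tags list them -- confirm against the implementation, because passing
   them in another order still type-checks. *)
(** Construct an SSL certificate, i.e. something that will be sent to a
    third party to ensure confidence.

    @param cafile The name of the file containing the server CA certificate
    @param capath The name of a directory containing more CAs
    @param certfile Complete path to the certificate file, in PEM format
    @param privkey The name of the file containing the private key
    @param password The password to use if the private key is password
    protected. According to the description of [ssl_certificate], it is
    not used when it is the empty string. *)
val make_ssl_certificate :
  ?cafile:string ->
  ?capath:string ->
  string ->
  string ->
  string ->
  ssl_certificate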
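(* NOTE(review): the three positional arguments are unlabelled strings,
   presumably cafile, capath and certpath in the order the @param tags list
   them -- confirm against the implementation, because passing them in
   another order still type-checks. The defaults of [accept_fun] and
   [always] are not stated in this interface -- confirm that an omitted
   [accept_fun] rejects. *)
(** Construct an SSL verifier, i.e. something that will decide whether to
    accept a third-party certificate.

    @param client_ca_file A list of CAs sent to the client when requesting a
    client certificate
    @param accept_fun A fallback function, called when a certificate cannot
    be checked automatically (e.g. to prompt the user to check the
    certificate manually). Its [bool] result is the decision for a
    certificate the automatic checks did not accept, so it should return
    [false] unless the certificate was positively identified.
    @param always Always verify the presence of a certificate
    @param cafile A file containing CA certificates in PEM format, used for
    verification
    @param capath A directory containing CA certificates in PEM format, used
    for verification
    @param certpath A directory containing client certificates in PEM
    format *)
val make_ssl_verify_params :
  ?client_ca_file:string ->
  ?accept_fun:(Ssl.certificate -> bool) ->
  ?always:bool ->
  string ->
  string ->
  string ->
  ssl_verify_params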
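(* NOTE(review): this interface does not say when the handler receives
   [UnsecuredRes], nor whether it is still called after a failed certificate
   check -- confirm in the implementation. *)
(** [get_listen_callback sched secure_type handler] returns a callback to
    handle a new client over a secure connection.

    [handler] is given a [secure_response] and the connection information.
    The type of [secure_response] allows both [UnsecuredRes] and a
    [SecuredRes] whose validity flag is [false], so a handler that relies on
    the certificate of the client has to check for both.

    @return a callback taking the [Scheduler.connection_info] of the new
    client *)
val get_listen_callback :
  Scheduler.t ->
  secure_type ->
  (secure_response -> Scheduler.connection_info -> unit) ->
  Scheduler.connection_info ->
  unit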
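(* NOTE(review): presumably the success callback is not called when the
   handshake or the certificate check fails -- confirm in the
   implementation. *)
(** Secured connect on a socket. Once it is done, your callback is called
    with a [Scheduler.connection_info] containing a secured socket.

    The pair argument holds the certificate to present, if any, and the
    rules used to verify the certificate of the peer, if any.

    @param err_cont Continuation called with the exception on error. The
    default one logs any exception as a warning and returns, so with the
    default a failed connection is visible only in the logs; pass an
    explicit [err_cont] when the caller has to react to the failure. *)
val connect :
  Scheduler.t ->
  Scheduler.connection_info ->
  ssl_certificate option * ssl_verify_params option ->
  ?err_cont:(exn -> unit) ->
  (Scheduler.connection_info -> unit) ->
  unit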
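(* NOTE(review): set_verify is not declared in this interface (presumably it
   belongs to the Ssl library), and the defaults of [timeout], [retry] and
   [err_cont] are not stated here -- confirm. Renegotiation is not part of
   TLS 1.3, so also confirm how a peer that refuses it is reported. *)
(** Renegotiate a connection from the server side; basically, it performs
    two handshakes again with the client.

    If you need to change the connection options, do so before calling this
    function, for example by calling set_verify first.

    @param timeout Time limit for the renegotiation
    @param retry Number of retries
    @param err_cont Continuation called with the exception on error *)
val renegotiate :
  Scheduler.t ->
  Scheduler.connection_info ->
  ?timeout:Time.t ->
  ?retry:int ->
  Ssl.socket ->
  ?err_cont:(exn -> unit) ->
  (unit -> unit) ->
  unit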
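(* NOTE(review): set_verify is not declared in this interface (presumably it
   belongs to the Ssl library), and the defaults of [timeout], [retry] and
   [err_cont] are not stated here -- confirm. Renegotiation is not part of
   TLS 1.3, so also confirm how a server that refuses it is reported. *)
(** Renegotiate a connection from the client side; basically, it performs
    one handshake with the server.

    If you need to change the connection options, do so before calling this
    function, for example by calling set_verify first.

    @param timeout Time limit for the renegotiation
    @param retry Number of retries
    @param err_cont Continuation called with the exception on error *)
val renegotiate_client :
  Scheduler.t ->
  Scheduler.connection_info ->
  ?timeout:Time.t ->
  ?retry:int ->
  Ssl.socket ->
  ?err_cont:(exn -> unit) ->
  (unit -> unit) ->
  unit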
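(* NOTE(review): nothing in this interface closes the connection when the
   result is [false]; the continuation is presumably expected to refuse the
   peer itself -- confirm. The defaults of [timeout], [retry] and [err_cont]
   are not stated here either. *)
(** Try to get a certificate and verify its validity.

    If no certificate is available, try to renegotiate with the client to
    get one. The validity of the certificate (a boolean) is then passed to
    the continuation.

    @param timeout Time limit, presumably for the renegotiation
    @param retry Number of retries, presumably for the renegotiation
    @param err_cont Continuation called with the exception on error *)
val get_valid_certificate :
  Scheduler.t ->
  Scheduler.connection_info ->
  ?timeout:Time.t ->
  ?retry:int ->
  Ssl.socket ->
  ssl_verify_params ->
  ?err_cont:(exn -> unit) ->
  (bool -> unit) ->
  unit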
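(** Reload all authorized certificates into the certs ref stringmap.

    By default, only ".pem" files are read. The certificates must be in PEM
    format.

    Current connections are not invalidated: a connection accepted under a
    certificate that has since been removed from the directory stays open
    until it is closed by other means.

    @param extensions File extensions to read; presumably replaces the
    ".pem" default
    @return [true] if everything went OK. Failure to read some certificates
    is not considered a real error, so [true] does not mean that every file
    was loaded. *)
val reload_certs : ?extensions:string list -> ssl_verify_params -> bool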
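(* NOTE(review): the encoding of the returned string (hex or raw bytes,
   separators, letter case) is not stated here -- confirm before comparing
   it with stored fingerprints. *)
(** Compute the fingerprint of a certificate (SHA256). *)
val compute_fingerprint : Ssl.certificate -> string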