(*
Copyright © 2011 MLstate

This file is part of OPA.

OPA is free software: you can redistribute it and/or modify it under the
terms of the GNU Affero General Public License, version 3, as published by
the Free Software Foundation.

OPA is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for
more details.

You should have received a copy of the GNU Affero General Public License
along with OPA. If not, see <http://www.gnu.org/licenses/>.
*)

(** Raised when a certificate supplied to this module is invalid.
    None of the values declared in this interface carries a [@raise] tag
    naming it, so the exact conditions under which it escapes to callers
    are only visible in the implementation -- check there before relying on
    catching it. *)
exception InvalidCertificate

(** Certificate to present to the peer.
    When an entity (client or server) asks for a certificate, this is the
    one that is provided. The type is abstract: values are built with
    {!make_ssl_certificate} only.
    - the certificate file and the private key file are given separately
      (see [certfile] and [privkey] of {!make_ssl_certificate})
    - the password is only used if the private key file is password
      protected, and only if it is not the empty string
    - if the peer asks for intermediate CAs, give them in [certfile] first,
      then in the CA location. NOTE(review): the original text says
      "certpath" here, which is not a parameter of {!make_ssl_certificate};
      presumably [capath] is meant -- confirm against the implementation.
    @see <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html> for the certificate
    @see <http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html> for the CA locations *)
type ssl_certificate

(** Rules used to verify a certificate presented by the peer.
    When an entity (client or server) provides a certificate, it is checked
    against these rules, built with {!make_ssl_verify_params}:
    - [cafile]: the certificate must be signed by this CA
    - [capath]: the certificate must be signed by one of the CAs in this
      directory
    - [certpath]: the certificate must be contained in this directory
    - [accept_fun]: the function to call if the certificate is unknown or
      invalid
    The verifications are made in this order:
    + CA check (see http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
      and http://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html)
    + cert check: whether the certificate is in the [certpath] directory
    + [accept_fun], if a cert path is defined and the certificate is not in
      that directory
    [accept_fun] returns a [bool] and is consulted only after the automatic
    checks have not accepted the certificate, so an [accept_fun] that
    unconditionally returns [true] presumably accepts every certificate the
    previous steps rejected -- confirm in the implementation before using it
    as anything other than an interactive confirmation hook. *)
type ssl_verify_params

(** Security configuration of one side of a connection: the certificate to
    present to the peer, if any, and the rules for verifying the peer's
    certificate, if any. Taken by {!get_listen_callback}; {!connect} takes
    the same pair written out. NOTE(review): presumably [(None, None)]
    yields a connection that is not secured at all (cf. [UnsecuredRes]) --
    confirm in the implementation. *)
type secure_type = ssl_certificate option * ssl_verify_params option

(** Outcome of verifying a certificate against {!ssl_verify_params}: meant
    to be [true] when the certificate passed the checks. Carried by
    [SecuredRes]. *)
type is_valid_cert = bool

(** What the callback given to {!get_listen_callback} is told about a new
    connection. As far as this interface shows, a [SecuredRes (false, _)] is
    delivered to the callback rather than refused beforehand, so the
    callback is expected to act on the flag itself. *)
type secure_response =
  | UnsecuredRes
      (** The connection was not secured. *)
  | SecuredRes of is_valid_cert * (Ssl.certificate option * ssl_verify_params option)
      (** The connection is secured. Carries whether the certificate was
          found valid, the certificate when one was received (presumably
          the peer's), and the verification rules that were applied, if
          any. *)

(**
[make_ssl_certificate ?cafile ?capath certfile privkey password] constructs
an SSL certificate, i.e. something that will be sent to a third party to
ensure confidence.

The three positional [string] arguments carry no labels in this signature;
going by the [@param] list below they are, in order, [certfile], [privkey]
and [password] -- take care not to swap them, the type checker cannot tell
them apart.

@param cafile The name of the file containing the server CA certificate
@param capath The name of a directory containing more CAs
@param certfile Complete path to the certificate file, in PEM format
@param privkey The name of the file containing the private key
@param password The password to use if the private key is protected; the
  empty string means that no password is used (see {!ssl_certificate})
*)
val make_ssl_certificate :
  ?cafile:string ->
  ?capath:string ->
  string -> string -> string ->
  ssl_certificate

(**
[make_ssl_verify_params ?client_ca_file ?accept_fun ?always cafile capath certpath]
constructs an SSL verifier, i.e. something that will decide whether to
accept a third-party certificate (see {!ssl_verify_params} for the order in
which the checks are applied).

The three positional [string] arguments carry no labels in this signature;
going by the [@param] list below they are, in order, [cafile], [capath] and
[certpath] -- take care not to swap them.

@param client_ca_file A file listing the CAs sent to the client when
  requesting a client certificate
@param accept_fun A fallback function, called when a certificate cannot be
  checked automatically (e.g. to prompt the user to check the certificate
  manually). Its [bool] result presumably decides acceptance, so it should
  not return [true] unconditionally unless that is really intended.
@param always Always verify the presence of a certificate (presumably:
  require the peer to present one, rather than only checking one when it
  is offered). Its default is not stated in this interface.
@param cafile A file containing CA certificates in PEM format, used for
  verification
@param capath A directory containing CA certificates in PEM format, used
  for verification
@param certpath A directory containing client certificates in PEM format
*)
val make_ssl_verify_params:
  ?client_ca_file:string ->
  ?accept_fun:(Ssl.certificate -> bool) ->
  ?always:bool ->
  string -> string -> string ->
  ssl_verify_params

(** [get_listen_callback sched secure callback] returns a callback that
    handles a new client over a secure connection: for each new client it
    invokes [callback] with a {!secure_response} describing whether and how
    the connection was secured, followed by the connection itself.
    [secure] gives the certificate to present and the verification rules
    (see {!secure_type}).
    NOTE(review): nothing in this interface says that a client whose
    certificate failed verification is refused before [callback] runs;
    [callback] should inspect the [is_valid_cert] flag of [SecuredRes]. *)
val get_listen_callback :
  Scheduler.t ->
  secure_type ->
  (secure_response -> Scheduler.connection_info -> unit) ->
  (Scheduler.connection_info -> unit)

(** [connect sched conn (cert, verify) ?err_cont k] performs a secured
    connect on a socket. Once it is done, [k] is called with a
    [Scheduler.connection_info] containing a secured socket.
    [cert] is the certificate to present to the server (if any) and
    [verify] the rules for checking the server's certificate (if any); see
    {!secure_type}.
    @param err_cont Error handler. The default continuation logs any
      exception as a warning and returns; since it only logs, callers that
      need to react to a failed connect (e.g. not proceed as if the
      connection were established) should pass their own [err_cont]. *)
val connect :
  Scheduler.t ->
  Scheduler.connection_info ->
  ssl_certificate option * ssl_verify_params option ->
  ?err_cont:(exn -> unit) ->
  (Scheduler.connection_info -> unit) ->
  unit


(** [renegotiate sched conn ?timeout ?retry sock ?err_cont k] renegotiates a
    connection from the server side; basically it does two handshakes again
    with the client, then calls [k].
    If you need to change the connection options, first call [set_verify]
    for example (that function is not declared in this interface).
    @param timeout Presumably the deadline for the renegotiation; its unit
      and default are not documented here
    @param retry Presumably the number of attempts; its default is not
      documented here
    @param err_cont Error handler; see {!connect} for the behaviour of the
      default, which this interface does not restate for [renegotiate] *)
val renegotiate :
  Scheduler.t ->
  Scheduler.connection_info ->
  ?timeout:Time.t ->
  ?retry:int ->
  Ssl.socket ->
  ?err_cont:(exn -> unit) ->
  (unit -> unit) ->
  unit

(** [renegotiate_client sched conn ?timeout ?retry sock ?err_cont k]
    renegotiates a connection from the client side; basically it does one
    handshake with the server, then calls [k].
    If you need to change the connection options, first call [set_verify]
    for example (that function is not declared in this interface).
    @param timeout Presumably the deadline for the handshake; its unit and
      default are not documented here
    @param retry Presumably the number of attempts; its default is not
      documented here
    @param err_cont Error handler; the behaviour of the default is not
      stated here (compare {!connect}) *)
val renegotiate_client :
  Scheduler.t ->
  Scheduler.connection_info ->
  ?timeout:Time.t ->
  ?retry:int ->
  Ssl.socket ->
  ?err_cont:(exn -> unit) ->
  (unit -> unit) ->
  unit

(** [get_valid_certificate sched conn ?timeout ?retry sock verify ?err_cont k]
    tries to get a certificate from the client and verifies its validity
    against [verify]. If no certificate is available, it tries to
    renegotiate with the client to obtain one (see {!renegotiate}).
    The certificate's validity is then passed to [k] as a [bool].
    Nothing in this interface says that the connection is closed when the
    result is [false]; [k] is expected to reject the client itself in that
    case.
    @param timeout As in {!renegotiate}
    @param retry As in {!renegotiate}
    @param err_cont Error handler, called instead of [k] on failure
      (presumably -- the interface does not state whether [k] still runs
      after an error) *)
val get_valid_certificate :
  Scheduler.t ->
  Scheduler.connection_info ->
  ?timeout:Time.t ->
  ?retry:int ->
  Ssl.socket ->
  ssl_verify_params ->
  ?err_cont:(exn -> unit) ->
  (bool -> unit) ->
  unit

(** [reload_certs ?extensions verify] reloads all authorized certificates
    (presumably those in the [certpath] directory of [verify]) into the
    certificate store kept by the implementation -- a string map held in a
    reference, which callers never see directly.
    By default, only ".pem" files are read; [extensions] presumably replaces
    the list of accepted file extensions. The certificates must be in PEM
    format.
    Does not invalidate current connections.
    @return [true] if everything went OK. The failure to read some
      certificate is not considered a real error, so [true] does not mean
      that every file in the directory was loaded: a certificate that could
      not be read is presumably simply absent from the authorized set until
      a later reload succeeds, and the caller is not told which one. *)
val reload_certs :
  ?extensions:string list ->
  ssl_verify_params ->
  bool

(** [compute_fingerprint cert] computes the SHA256 fingerprint of [cert].
    The encoding of the returned string (raw digest bytes, or hex, and with
    which case and separators) is not stated in this interface -- check the
    implementation before comparing the result with fingerprints produced
    by other tools. *)
val compute_fingerprint :
  Ssl.certificate -> string