compatibility with x509 0.9.0

This commit is contained in:
Hannes Mehnert 2020-02-16 16:33:19 +01:00
parent 56aa5545f8
commit ff59f05660
3 changed files with 30 additions and 30 deletions

View file

@ -20,7 +20,7 @@ depends: [
"fmt" "fmt"
"astring" "astring"
"jsonm" "jsonm"
"x509" {>= "0.8.0"} "x509" {>= "0.9.0"}
"tls" {>= "0.9.0"} "tls" {>= "0.9.0"}
"nocrypto" "nocrypto"
"asn1-combinators" {>= "0.2.0"} "asn1-combinators" {>= "0.2.0"}

View file

@ -63,35 +63,35 @@ let handle (host, port) cert key ca id (cmd : Vmm_commands.t) =
let extensions = Signing_request.Ext.(singleton Extensions extensions) in let extensions = Signing_request.Ext.(singleton Extensions extensions) in
Signing_request.create name ~extensions (`RSA tmpkey) Signing_request.create name ~extensions (`RSA tmpkey)
in in
let mycert = let valid_from, valid_until = timestamps 300 in
let valid_from, valid_until = timestamps 300 in let extensions =
let extensions = let capub = match key with `RSA key -> Nocrypto.Rsa.pub_of_priv key in
let capub = match key with `RSA key -> Nocrypto.Rsa.pub_of_priv key in key_ids extensions Signing_request.((info csr).public_key) (`RSA capub)
key_ids extensions Signing_request.((info csr).public_key) (`RSA capub)
in
let issuer = Certificate.subject cert in
Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer
in in
let certificates = `Single ([ mycert ; cert ], tmpkey) in let issuer = Certificate.subject cert in
X509_lwt.authenticator (`Ca_file ca) >>= fun authenticator -> match Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer with
Lwt_unix.gethostbyname host >>= fun host_entry -> | Error _ as e -> Lwt.return e
let host_inet_addr = Array.get host_entry.Lwt_unix.h_addr_list 0 in | Ok mycert ->
let sockaddr = Lwt_unix.ADDR_INET (host_inet_addr, port) in let certificates = `Single ([ mycert ; cert ], tmpkey) in
Vmm_lwt.connect host_entry.h_addrtype sockaddr >>= function X509_lwt.authenticator (`Ca_file ca) >>= fun authenticator ->
| None -> Lwt_unix.gethostbyname host >>= fun host_entry ->
let err = let host_inet_addr = Array.get host_entry.Lwt_unix.h_addr_list 0 in
Rresult.R.error_msgf "connection failed to %a" Vmm_lwt.pp_sockaddr sockaddr let sockaddr = Lwt_unix.ADDR_INET (host_inet_addr, port) in
in Vmm_lwt.connect host_entry.h_addrtype sockaddr >>= function
Lwt.return err | None ->
| Some fd -> let err =
Logs.debug (fun m -> m "connecting to remote host") ; Rresult.R.error_msgf "connection failed to %a" Vmm_lwt.pp_sockaddr sockaddr
(* reneg true to allow re-negotiation over the server-authenticated TLS in
channel (to transport client certificate encrypted), once TLS 1.3 is in Lwt.return err
(and required) be removed! *) | Some fd ->
let client = Tls.Config.client ~reneg:true ~certificates ~authenticator () in Logs.debug (fun m -> m "connecting to remote host") ;
Tls_lwt.Unix.client_of_fd client (* TODO ~host *) fd >>= fun t -> (* reneg true to allow re-negotiation over the server-authenticated TLS
Logs.debug (fun m -> m "finished tls handshake") ; channel (to transport client certificate encrypted), once TLS 1.3 is in
read t (and required) be removed! *)
let client = Tls.Config.client ~reneg:true ~certificates ~authenticator () in
Tls_lwt.Unix.client_of_fd client (* TODO ~host *) fd >>= fun t ->
Logs.debug (fun m -> m "finished tls handshake") ;
read t
let jump endp cert key ca name cmd = let jump endp cert key ca name cmd =
Lwt_main.run (handle endp cert key ca name cmd) Lwt_main.run (handle endp cert key ca name cmd)

View file

@ -52,7 +52,7 @@ let sign ?dbname ?certname extensions issuer key csr delta =
let capub = `RSA (Nocrypto.Rsa.pub_of_priv priv) in let capub = `RSA (Nocrypto.Rsa.pub_of_priv priv) in
key_ids extensions X509.Signing_request.((info csr).public_key) capub key_ids extensions X509.Signing_request.((info csr).public_key) capub
in in
let cert = X509.Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer in X509.Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer >>= fun cert ->
(match dbname with (match dbname with
| None -> Ok () (* no DB! *) | None -> Ok () (* no DB! *)
| Some dbname -> | Some dbname ->