Commit
Showing 99 changed files with 1,348 additions and 22 deletions.
@@ -0,0 +1,31 @@ | ||
<!DOCTYPE html> | ||
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Dns_certify (dns-certify.Dns_certify)</title><meta charset="utf-8"/><link rel="stylesheet" href="../../odoc.support/odoc.css"/><meta name="generator" content="odoc 2.4.2"/><meta name="viewport" content="width=device-width,initial-scale=1.0"/><script src="../../odoc.support/highlight.pack.js"></script><script>hljs.initHighlightingOnLoad();</script></head><body class="odoc"><nav class="odoc-nav"><a href="../index.html">Up</a> – <a href="../index.html">dns-certify</a> » Dns_certify</nav><header class="odoc-preamble"><h1>Module <code><span>Dns_certify</span></code></h1></header><div class="odoc-content"><div class="odoc-spec"><div class="spec value anchored" id="val-signing_request"><a href="#val-signing_request" class="anchor"></a><code><span><span class="keyword">val</span> signing_request : | ||
<span><span><span>[ `host ]</span> <span class="xref-unresolved">Domain_name</span>.t</span> <span class="arrow">-></span></span> | ||
<span><span class="optlabel">?more_hostnames</span>:<span><span><span>[ `raw ]</span> <span class="xref-unresolved">Domain_name</span>.t</span> list</span> <span class="arrow">-></span></span> | ||
<span><span class="xref-unresolved">X509</span>.Private_key.t <span class="arrow">-></span></span> | ||
<span><span>(<span class="xref-unresolved">X509</span>.Signing_request.t, <span>[> <span>`Msg of string</span> ]</span>)</span> <span class="xref-unresolved">Stdlib</span>.result</span></span></code></div><div class="spec-doc"><p><code>signing_request name ~more_hostnames key</code> creates a X509 signing request where <code>name</code> will be the common name in its subject, and if <code>more_hostnames</code> is provided and non-empty, <code>name :: more_hostnames</code> will be the value of a subjectAlternativeName extension.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-letsencrypt_name"><a href="#val-letsencrypt_name" class="anchor"></a><code><span><span class="keyword">val</span> letsencrypt_name : | ||
<span><span><span class="type-var">'a</span> <span class="xref-unresolved">Domain_name</span>.t</span> <span class="arrow">-></span></span> | ||
<span><span>(<span><span>[ `raw ]</span> <span class="xref-unresolved">Domain_name</span>.t</span>, <span>[> <span>`Msg of string</span> ]</span>)</span> <span class="xref-unresolved">Stdlib</span>.result</span></span></code></div><div class="spec-doc"><p><code>letsencrypt_name host</code> is the service name at which we store let's encrypt certificates for the <code>host</code>.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-is_csr"><a href="#val-is_csr" class="anchor"></a><code><span><span class="keyword">val</span> is_csr : <span><a href="../../dns/Dns/Tlsa/index.html#type-t">Dns.Tlsa.t</a> <span class="arrow">-></span></span> bool</span></code></div><div class="spec-doc"><p><code>is_csr tlsa</code> is true if <code>tlsa</code> is a certificate signing request (cert_usage is Domain_issued_certificate, selector is Private, and matching_type is No_hash).</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-csr"><a href="#val-csr" class="anchor"></a><code><span><span class="keyword">val</span> csr : <span><span class="xref-unresolved">X509</span>.Signing_request.t <span class="arrow">-></span></span> <a href="../../dns/Dns/Tlsa/index.html#type-t">Dns.Tlsa.t</a></span></code></div><div class="spec-doc"><p><code>csr req</code> is the signing request <code>req</code> encoded as TLSA record.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-is_certificate"><a href="#val-is_certificate" class="anchor"></a><code><span><span class="keyword">val</span> is_certificate : <span><a href="../../dns/Dns/Tlsa/index.html#type-t">Dns.Tlsa.t</a> <span class="arrow">-></span></span> bool</span></code></div><div class="spec-doc"><p><code>is_certificate tlsa</code> is true if <code>tlsa</code> is a certificate (cert_usage is Domain_issued_certificate, selector is Full_certificate, and matching_type is No_hash).</p></div></div><div class="odoc-spec"><div class="spec value anchored" 
id="val-certificate"><a href="#val-certificate" class="anchor"></a><code><span><span class="keyword">val</span> certificate : <span><span class="xref-unresolved">X509</span>.Certificate.t <span class="arrow">-></span></span> <a href="../../dns/Dns/Tlsa/index.html#type-t">Dns.Tlsa.t</a></span></code></div><div class="spec-doc"><p><code>certificate crt</code> is the certificate <code>crt</code> encoded as TLSA record.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-is_ca_certificate"><a href="#val-is_ca_certificate" class="anchor"></a><code><span><span class="keyword">val</span> is_ca_certificate : <span><a href="../../dns/Dns/Tlsa/index.html#type-t">Dns.Tlsa.t</a> <span class="arrow">-></span></span> bool</span></code></div><div class="spec-doc"><p><code>is_ca_certificate tlsa</code> is true if <code>tlsa</code> is a CA certificate (cert_usage is CA_constraint, selector is Full_certificate, and matching_type is No_hash).</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-ca_certificate"><a href="#val-ca_certificate" class="anchor"></a><code><span><span class="keyword">val</span> ca_certificate : <span>string <span class="arrow">-></span></span> <a href="../../dns/Dns/Tlsa/index.html#type-t">Dns.Tlsa.t</a></span></code></div><div class="spec-doc"><p><code>ca_certificate data</code> is the CA certificate <code>data</code> encoded as TLSA record.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-is_name"><a href="#val-is_name" class="anchor"></a><code><span><span class="keyword">val</span> is_name : <span><span><span class="type-var">'a</span> <span class="xref-unresolved">Domain_name</span>.t</span> <span class="arrow">-></span></span> bool</span></code></div><div class="spec-doc"><p><code>is_name domain_name</code> is true if it contains the prefix used in this library ("_letsencrypt._tcp").</p></div></div><div class="odoc-spec"><div class="spec type anchored" id="type-u_err"><a 
href="#type-u_err" class="anchor"></a><code><span><span class="keyword">type</span> u_err</span><span> = </span><span>[ </span></code><ol><li id="type-u_err.Tsig" class="def variant constructor anchored"><a href="#type-u_err.Tsig" class="anchor"></a><code><span>| </span><span>`Tsig <span class="keyword">of</span> <a href="../../dns-tsig/Dns_tsig/index.html#type-e">Dns_tsig.e</a></span></code></li><li id="type-u_err.Bad_reply" class="def variant constructor anchored"><a href="#type-u_err.Bad_reply" class="anchor"></a><code><span>| </span><span>`Bad_reply <span class="keyword">of</span> <a href="../../dns/Dns/Packet/index.html#type-mismatch">Dns.Packet.mismatch</a> * <a href="../../dns/Dns/Packet/index.html#type-t">Dns.Packet.t</a></span></code></li><li id="type-u_err.Unexpected_reply" class="def variant constructor anchored"><a href="#type-u_err.Unexpected_reply" class="anchor"></a><code><span>| </span><span>`Unexpected_reply <span class="keyword">of</span> <a href="../../dns/Dns/Packet/index.html#type-reply">Dns.Packet.reply</a></span></code></li></ol><code><span> ]</span></code></div><div class="spec-doc"><p>The type of update errors.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-pp_u_err"><a href="#val-pp_u_err" class="anchor"></a><code><span><span class="keyword">val</span> pp_u_err : <span><a href="#type-u_err">u_err</a> <span class="xref-unresolved">Fmt</span>.t</span></span></code></div><div class="spec-doc"><p><code>pp_u_err ppf u</code> pretty-prints <code>u</code> on <code>ppf</code>.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-nsupdate"><a href="#val-nsupdate" class="anchor"></a><code><span><span class="keyword">val</span> nsupdate : | ||
<span><span>(<span>int <span class="arrow">-></span></span> string)</span> <span class="arrow">-></span></span> | ||
<span><span>(<span>unit <span class="arrow">-></span></span> <span class="xref-unresolved">Ptime</span>.t)</span> <span class="arrow">-></span></span> | ||
<span><span class="label">host</span>:<span><span>[ `host ]</span> <span class="xref-unresolved">Domain_name</span>.t</span> <span class="arrow">-></span></span> | ||
<span><span class="label">keyname</span>:<span><span class="type-var">'b</span> <span class="xref-unresolved">Domain_name</span>.t</span> <span class="arrow">-></span></span> | ||
<span><span class="label">zone</span>:<span><span>[ `host ]</span> <span class="xref-unresolved">Domain_name</span>.t</span> <span class="arrow">-></span></span> | ||
<span><a href="../../dns/Dns/Dnskey/index.html#type-t">Dns.Dnskey.t</a> <span class="arrow">-></span></span> | ||
<span><span class="xref-unresolved">X509</span>.Signing_request.t <span class="arrow">-></span></span> | ||
<span><span>(string * <span>(<span>string <span class="arrow">-></span></span> <span><span>(unit, <span>[> <a href="#type-u_err">u_err</a> ]</span>)</span> <span class="xref-unresolved">Stdlib</span>.result</span>)</span>, <span>[> <span>`Msg of string</span> ]</span>)</span> | ||
<span class="xref-unresolved">Stdlib</span>.result</span></span></code></div><div class="spec-doc"><p><code>nsupdate rng now ~host ~keyname ~zone dnskey csr</code> is a buffer with a DNS update that removes all TLSA records from the given <code>host</code>, and adds a single TLSA record containing the certificate signing request. It also returns a function which decodes a given answer, checks it to be a valid reply, and returns either unit or an error. The outgoing packet is signed with the provided <code>dnskey</code>, the answer is checked to be signed by the same key. If the sign operation fails, <code>nsupdate</code> returns an error.</p></div></div><div class="odoc-spec"><div class="spec type anchored" id="type-q_err"><a href="#type-q_err" class="anchor"></a><code><span><span class="keyword">type</span> q_err</span><span> = </span><span>[ </span></code><ol><li id="type-q_err.Decode" class="def variant constructor anchored"><a href="#type-q_err.Decode" class="anchor"></a><code><span>| </span><span>`Decode <span class="keyword">of</span> <a href="../../dns/Dns/Packet/index.html#type-err">Dns.Packet.err</a></span></code></li><li id="type-q_err.Bad_reply" class="def variant constructor anchored"><a href="#type-q_err.Bad_reply" class="anchor"></a><code><span>| </span><span>`Bad_reply <span class="keyword">of</span> <a href="../../dns/Dns/Packet/index.html#type-mismatch">Dns.Packet.mismatch</a> * <a href="../../dns/Dns/Packet/index.html#type-t">Dns.Packet.t</a></span></code></li><li id="type-q_err.Unexpected_reply" class="def variant constructor anchored"><a href="#type-q_err.Unexpected_reply" class="anchor"></a><code><span>| </span><span>`Unexpected_reply <span class="keyword">of</span> <a href="../../dns/Dns/Packet/index.html#type-reply">Dns.Packet.reply</a></span></code></li><li id="type-q_err.No_tlsa" class="def variant constructor anchored"><a href="#type-q_err.No_tlsa" class="anchor"></a><code><span>| </span><span>`No_tlsa</span></code></li></ol><code><span> 
]</span></code></div><div class="spec-doc"><p>The type for query errors.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-pp_q_err"><a href="#val-pp_q_err" class="anchor"></a><code><span><span class="keyword">val</span> pp_q_err : <span><a href="#type-q_err">q_err</a> <span class="xref-unresolved">Fmt</span>.t</span></span></code></div><div class="spec-doc"><p><code>pp_q_err ppf q</code> pretty-prints <code>q</code> on <code>ppf</code>.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-cert_matches_csr"><a href="#val-cert_matches_csr" class="anchor"></a><code><span><span class="keyword">val</span> cert_matches_csr : | ||
<span><span class="optlabel">?until</span>:<span class="xref-unresolved">Ptime</span>.t <span class="arrow">-></span></span> | ||
<span><span class="xref-unresolved">Ptime</span>.t <span class="arrow">-></span></span> | ||
<span><span class="xref-unresolved">X509</span>.Signing_request.t <span class="arrow">-></span></span> | ||
<span><span class="xref-unresolved">X509</span>.Certificate.t <span class="arrow">-></span></span> | ||
bool</span></code></div><div class="spec-doc"><p><code>cert_matches_csr ~until now csr cert</code> is <code>true</code> if <code>cert</code> matches the signing request <code>csr</code>, and is valid from <code>now</code> until <code>until</code> (defaults to <code>now</code>). The matching is <code>true</code> if the public key matches, and the set of hostnames in <code>csr</code> and <code>cert</code> are equal. A log message on the info level is emitted if the return value if <code>false</code>.</p></div></div><div class="odoc-spec"><div class="spec value anchored" id="val-query"><a href="#val-query" class="anchor"></a><code><span><span class="keyword">val</span> query : | ||
<span><span>(<span>int <span class="arrow">-></span></span> string)</span> <span class="arrow">-></span></span> | ||
<span><span class="xref-unresolved">Ptime</span>.t <span class="arrow">-></span></span> | ||
<span><span><span>[ `host ]</span> <span class="xref-unresolved">Domain_name</span>.t</span> <span class="arrow">-></span></span> | ||
<span><span class="xref-unresolved">X509</span>.Signing_request.t <span class="arrow">-></span></span> | ||
<span><span>(string | ||
* <span>(<span>string <span class="arrow">-></span></span> | ||
<span><span>(<span class="xref-unresolved">X509</span>.Certificate.t * <span><span class="xref-unresolved">X509</span>.Certificate.t list</span>, <span>[> <a href="#type-q_err">q_err</a> ]</span>)</span> <span class="xref-unresolved">Stdlib</span>.result</span>)</span>, | ||
<span>[> <span>`Msg of string</span> ]</span>)</span> | ||
<span class="xref-unresolved">Stdlib</span>.result</span></span></code></div><div class="spec-doc"><p><code>query rng now csr</code> is a <code>buffer</code> with a DNS TLSA query for the name of <code>csr</code>, and a function that decodes a given answer, either returning a X.509 certificate valid <code>now</code> and matching <code>csr</code>, and a CA chain, or an error.</p></div></div></div></body></html> |
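Review bot: The `cert_matches_csr` doc text in this hunk has a typo, "A log message on the info level is emitted if the return value if `false`", which should read "is `false`", and `signing_request` says "creates a X509 signing request" where "an X.509 signing request" is the usual form; since this file is odoc 2.4.2 output (see the `generator` meta tag), the fix belongs in the source `.mli` doc comments with the HTML regenerated, not in this file. Two further points worth a look: the `u_err` update-error type carries a `` `Tsig of Dns_tsig.e `` variant and the `nsupdate` doc states that the answer is checked to be signed by the same key, whereas `q_err` (`` `Decode ``, `` `Bad_reply ``, `` `Unexpected_reply ``, `` `No_tlsa ``) has no TSIG variant and the `query` doc says only that the returned certificate is "valid `now` and matching `csr`"; the doc should state plainly that the TLSA query answer is not TSIG-verified and that trust in the returned certificate and CA chain rests on the public-key match against the CSR. Also, nearly every type from `Domain_name`, `X509`, `Ptime`, `Fmt` and `Stdlib` is emitted as `xref-unresolved`, so the dependency docs were not on the odoc include path when this was generated; regenerating with them present would restore the cross-reference links.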
@@ -0,0 +1,16 @@ | ||
<!DOCTYPE html> | ||
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Make (dns-certify.Dns_certify_mirage.Make)</title><meta charset="utf-8"/><link rel="stylesheet" href="../../../odoc.support/odoc.css"/><meta name="generator" content="odoc 2.4.2"/><meta name="viewport" content="width=device-width,initial-scale=1.0"/><script src="../../../odoc.support/highlight.pack.js"></script><script>hljs.initHighlightingOnLoad();</script></head><body class="odoc"><nav class="odoc-nav"><a href="../index.html">Up</a> – <a href="../../index.html">dns-certify</a> » <a href="../index.html">Dns_certify_mirage</a> » Make</nav><header class="odoc-preamble"><h1>Module <code><span>Dns_certify_mirage.Make</span></code></h1></header><nav class="odoc-toc"><ul><li><a href="#parameters">Parameters</a></li><li><a href="#signature">Signature</a></li></ul></nav><div class="odoc-content"><h2 id="parameters"><a href="#parameters" class="anchor"></a>Parameters</h2><div class="odoc-spec"><div class="spec parameter anchored" id="argument-1-R"><a href="#argument-1-R" class="anchor"></a><code><span><span class="keyword">module</span> </span><span>R</span><span> : <span class="xref-unresolved">Mirage_crypto_rng_mirage</span>.S</span></code></div></div><div class="odoc-spec"><div class="spec parameter anchored" id="argument-2-P"><a href="#argument-2-P" class="anchor"></a><code><span><span class="keyword">module</span> </span><span>P</span><span> : <span class="xref-unresolved">Mirage_clock</span>.PCLOCK</span></code></div></div><div class="odoc-spec"><div class="spec parameter anchored" id="argument-3-T"><a href="#argument-3-T" class="anchor"></a><code><span><span class="keyword">module</span> </span><span>T</span><span> : <span class="xref-unresolved">Mirage_time</span>.S</span></code></div></div><div class="odoc-spec"><div class="spec parameter anchored" id="argument-4-S"><a href="#argument-4-S" class="anchor"></a><code><span><span class="keyword">module</span> </span><span>S</span><span> : <span 
class="xref-unresolved">Tcpip</span>.Stack.V4V6</span></code></div></div><h2 id="signature"><a href="#signature" class="anchor"></a>Signature</h2><div class="odoc-spec"><div class="spec value anchored" id="val-retrieve_certificate"><a href="#val-retrieve_certificate" class="anchor"></a><code><span><span class="keyword">val</span> retrieve_certificate : | ||
<span><span class="xref-unresolved">S</span>.t <span class="arrow">-></span></span> | ||
<span><span class="label">dns_key_name</span>:<span><span>[ `raw ]</span> <span class="xref-unresolved">Domain_name</span>.t</span> <span class="arrow">-></span></span> | ||
<span><a href="../../../dns/Dns/Dnskey/index.html#type-t">Dns.Dnskey.t</a> <span class="arrow">-></span></span> | ||
<span><span class="label">hostname</span>:<span><span>[ `host ]</span> <span class="xref-unresolved">Domain_name</span>.t</span> <span class="arrow">-></span></span> | ||
<span><span class="optlabel">?additional_hostnames</span>:<span><span><span>[ `raw ]</span> <span class="xref-unresolved">Domain_name</span>.t</span> list</span> <span class="arrow">-></span></span> | ||
<span><span class="optlabel">?key_type</span>:<span class="xref-unresolved">X509</span>.Key_type.t <span class="arrow">-></span></span> | ||
<span><span class="optlabel">?key_data</span>:string <span class="arrow">-></span></span> | ||
<span><span class="optlabel">?key_seed</span>:string <span class="arrow">-></span></span> | ||
<span><span class="optlabel">?bits</span>:int <span class="arrow">-></span></span> | ||
<span><span class="xref-unresolved">S</span>.TCP.ipaddr <span class="arrow">-></span></span> | ||
<span>int <span class="arrow">-></span></span> | ||
<span><span><span>(<span><span class="xref-unresolved">X509</span>.Certificate.t list</span> * <span class="xref-unresolved">X509</span>.Private_key.t, <span>[ <span>`Msg of string</span> ]</span>)</span> | ||
<span class="xref-unresolved">Stdlib</span>.result</span> | ||
<span class="xref-unresolved">Lwt</span>.t</span></span></code></div><div class="spec-doc"><p><code>retrieve_certificate stack ~dns_key_name dns_key ~hostname ~key_type ~key_data ~key_seed ~bits server_ip port</code> generates a private key (using <code>key_type</code>, <code>key_data</code>, <code>key_seed</code>, and <code>bits</code>), a certificate signing request for the given <code>hostname</code> and <code>additional_hostnames</code>, and sends <code>server_ip</code> an nsupdate (DNS-TSIG with <code>dns_key_name</code> and <code>dns_key</code>) with the csr as TLSA record, awaiting for a matching certificate as TLSA record. Requires a service that interacts with let's encrypt to transform the CSR into a signed certificate. If something fails, an exception (via <code>Lwt.fail</code>) is raised. This is meant for unikernels that require a valid TLS certificate before they can start their service (i.e. most web servers, mail servers).</p></div></div></div></body></html> |
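Review bot: The `retrieve_certificate` doc text contradicts its own signature: the return type is `(X509.Certificate.t list * X509.Private_key.t, [ `Msg of string ]) Stdlib.result Lwt.t`, yet the prose says "If something fails, an exception (via `Lwt.fail`) is raised"; the doc should state which failures surface as `Error (`Msg _)` and which, if any, still reject the promise, so callers know whether matching on the result is sufficient. The synopsis line also lists `~key_type ~key_data ~key_seed ~bits` as if required while the signature marks them `?key_type`, `?key_data`, `?key_seed`, `?bits`, and it omits `?additional_hostnames`; and the doc does not say how `key_data` and `key_seed` interact or which takes precedence when both are given. Minor wording: "awaiting for a matching certificate" should be "awaiting a matching certificate", and "let's encrypt" should be "Let's Encrypt". As with the sibling file, this is generated odoc output, so the edits go in the source doc comment.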