Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow custom X509_lwt.authenticator types #229

Closed
cfcs opened this issue Jan 22, 2015 · 6 comments
Closed

Allow custom X509_lwt.authenticator types #229

cfcs opened this issue Jan 22, 2015 · 6 comments

Comments

@cfcs
Copy link
Contributor

cfcs commented Jan 22, 2015

It'd be useful to have the ability to implement custom authenticator types here:
https://github.com/mirleft/ocaml-tls/blame/master/lwt/x509_lwt.ml#L83

For example by allowing a callback to be supplied for "authenticate" here
https://github.com/mirleft/ocaml-x509/blob/master/lib/x509.mli#L47

Alternatively something similar could be accomplished by exposing the Certificate.stack to the client application in the thrown exn so the application can catch the exception and "re-authenticate" using `No_authentication_I'M_STUPID after manually verifying the certificate.
@dsheets
Copy link

dsheets commented Jan 22, 2015

Related: mirleft/ocaml-x509#31.

@hannesm
Copy link
Member

hannesm commented Jan 22, 2015

the actual authenticator implementation is there https://github.com/mirleft/ocaml-x509/blob/master/lib/x509.mli#L39 - and as @dsheets points out in the mentioned issue, currently side effects are not allowed (but should be at a future point in time)..

@cfcs
Copy link
Contributor Author

cfcs commented Jan 22, 2015

What do you think about the alternative suggestion in the bottom of my post? The x509 module already does exactly that in

X509.Authenticator.res:
type res = [ `Ok of Certificate.certificate | `Fail of Certificate.certificate_failure ]

Where most of the Certificate.certificate_failures return the failing certificate:

(** possible failures while validating a certificate chain *)
type certificate_failure =
  | InvalidSignature of certificate * certificate
  | CertificateExpired of certificate
  | InvalidExtensions of certificate
  | InvalidVersion of certificate
  | InvalidPathlen of certificate
  | SelfSigned of certificate
  | NoTrustAnchor
  | InvalidServerExtensions of certificate
  | InvalidServerName of certificate
  | InvalidCA of certificate
  | IssuerSubjectMismatch of certificate * certificate
  | AuthorityKeyIdSubjectKeyIdMismatch of certificate * certificate
  | NoServerName
  | ServerNameNotPresent
  | InvalidFingerprint of certificate

Unfortunately this fine-grained error reporting is eaten by ocaml-tls and turned into an error code. Side-effects in the authenticator are of less immediate interest to me if I can obtain a Certificate.certificate or Certificate.stack from the exception (or before calling the authenticator).

@cfcs
Copy link
Contributor Author

cfcs commented Jan 22, 2015

By the way, for other desperate souls looking to do this: I found a way to accomplish what I wanted to by supplying a ?tracer and grabbing the certificates manually by parsing the Sexp callback arguments, but that doesn't really feel like the cleanest way to do it.

@hannesm
Copy link
Member

hannesm commented Jan 22, 2015

yes, error reporting of tls is not yet finished - working on it

@hannesm
Copy link
Member

hannesm commented Feb 6, 2015

the authenticator type in X.509 has been made available mirleft/ocaml-x509@88c5c16 -- thus implementing your own authenticator is possible (although it may not use side effects)

Error reporting within the TLS library is proposed in a pul request: #246 - please discuss further details there

@hannesm hannesm closed this as completed Feb 6, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dsheets @hannesm @cfcs