package x509


Module for encoding and decoding OCSP responses.

type status = [
  | `InternalError
  | `MalformedRequest
  | `SigRequired
  | `Successful
  | `TryLater
  | `Unauthorized
]

The type for OCSPResponseStatus.

val pp_status : status Fmt.t

pp_status ppf status pretty prints status

type cert_status = [
  | `Good
  | `Revoked of Ptime.t * Extension.reason option
  | `Unknown
]

The type for CertStatus.

val pp_cert_status : cert_status Fmt.t

pp_cert_status ppf status pretty prints cert status

type single_response

The type for SingleResponse.

val create_single_response : ?next_update:Ptime.t -> ?single_extensions:Extension.t -> cert_id -> cert_status -> Ptime.t -> single_response

create_single_response ~next_update ~single_extensions cert_id cert_status this_update creates the response info for one certificate; this_update should be the current time.

val pp_single_response : single_response Fmt.t

pp_single_response ppf response pretty prints single response

val single_response_cert_id : single_response -> cert_id

single_response_cert_id response is cert_id in this single response

val single_response_status : single_response -> cert_status

single_response_status response is the cert_status in this single response

type responder_id = [
  | `ByKey of Cstruct.t
  | `ByName of Distinguished_name.t
]

The type for ResponderID.

val create_responder_id : Public_key.t -> responder_id

create_responder_id pubkey creates a responderID identified by this key. Note: the Cstruct in `ByKey contains the SHA-1 hash of the public key, not the key itself; this is the KeyHash identifier prescribed by the OCSP format (RFC 6960), where SHA-1 serves only as a key identifier rather than as a security-relevant digest.

val pp_responder_id : responder_id Fmt.t

pp_responder_id ppf responderID pretty prints responderID

type t

The type for OCSPResponse.

val create_success : ?digest:Mirage_crypto.Hash.hash -> ?certs:Certificate.t list -> ?response_extensions:Extension.t -> Private_key.t -> responder_id -> Ptime.t -> single_response list -> (t, [> `Msg of string ]) Stdlib.result

create_success ~digest ~certs ~response_extensions priv_key responderID producedAt responses creates a response and signs it with priv_key. producedAt should be the current timestamp.

val create : [ `MalformedRequest | `InternalError | `TryLater | `SigRequired | `Unauthorized ] -> t

create status creates an error response. The `Successful status is not allowed here because it requires responseBytes (the signed response body produced by create_success).

val pp : t Fmt.t

pp ppf response pretty prints response

val status : t -> status

status response is the response status

val responder_id : t -> (responder_id, [> `Msg of string ]) Stdlib.result

responder_id response is the responder id from the response

val responses : t -> (single_response list, [> `Msg of string ]) Stdlib.result

responses response is a list of responses (status per certificate).

val decode_der : Cstruct.t -> (t, Asn.error) Stdlib.result

decode_der buffer decodes the response in buffer

val encode_der : t -> Cstruct.t

encode_der response encodes the response into a buffer

val validate : t -> ?allowed_hashes:Mirage_crypto.Hash.hash list -> ?now:Ptime.t -> Public_key.t -> (unit, [> Validation.signature_error | `No_signature | `Time_invalid ]) Stdlib.result

validate response ~allowed_hashes ~now key validates the signature of response with the public key. allowed_hashes constrains which hash algorithms are accepted in the signature, and now is the reference time for the validity checks that yield `Time_invalid; a response that carries no signature yields `No_signature.
