package conex

Establishing trust in community repositories


Sources

conex-v0.11.0.tbz
sha256=9b64ab189a68ebb37daed618ce0c201f082469f4b4efa8cc9099442a169d924b
sha512=30caad9a0a8d45d24933652733349e251c0e8decb6ac4c7de18fc4ae8a621865f8af5b2d02a5c9fcca0cc122e6a443ba91f2f7a350f729633923f9c1b5cf913d

doc/src/conex/conex_verify.ml.html

Source file conex_verify.ml

open Conex_utils
open Conex_resource

(** Per-signature verification failures. Every case carries the [identifier]
    the failure is attributed to. *)
type error = [
  | `UnknownKey of identifier (* no key is bound to this identifier in the key map given to [verify] *)
  | `InvalidBase64Encoding of identifier (* presumably reported by the backend when the signature does not decode; confirm against the [S_RSA_BACK] implementation *)
  | `InvalidSignature of identifier (* presumably reported by the backend when the signature does not match; confirm *)
  | `InvalidPublicKey of identifier (* presumably reported by the backend when the key cannot be used; confirm *)
]

(*BISECT-IGNORE-BEGIN*)
(** [pp_error ppf err] prints a one-line, human-readable description of [err]
    on [ppf]; the signer identifier is rendered with [pp_id]. *)
let pp_error ppf err =
  (* Every message has exactly one [%a] hole, filled by the identifier. *)
  let emit fmt id = Format.fprintf ppf fmt pp_id id in
  match err with
  | `UnknownKey id -> emit "unknown public key %a" id
  | `InvalidBase64Encoding id ->
    emit "signature %a: no valid base64 encoding" id
  | `InvalidSignature id -> emit "invalid signature %a" id
  | `InvalidPublicKey id -> emit "invalid public key %a" id
(*BISECT-IGNORE-END*)

(** Cryptographic primitives that [Make] is parameterised over. The verifier
    in this file performs no cryptography itself; it delegates to these two
    functions. *)
module type S_RSA_BACK = sig
  (** [verify_rsa_pss ~key ~data ~signature id] checks [signature] over [data]
      with [key]. [Ok ()] means the backend accepted the signature; otherwise
      an [error] is returned ([id] is presumably what that error is tagged
      with; confirm against the implementation).
      NOTE(review): the textual encoding expected for [key] and [signature]
      is not visible here; confirm against the backend. *)
  val verify_rsa_pss : key:string -> data:string -> signature:string -> identifier -> (unit, [> error ]) result

  (** [sha256 s] is the hash of [s] that [Make.raw_digest] tags as [`SHA256].
      NOTE(review): whether the result is raw bytes or an encoded string is
      not visible here; confirm. *)
  val sha256 : string -> string
end

(** Interface of a signature verifier, as produced by [Make]. *)
module type S = sig
  (** [raw_digest s] is the digest of the string [s]. *)
  val raw_digest : string -> Digest.t

  (** [digest w] is the digest of the wire value [w]; in [Make] this is
      [raw_digest] applied to [Wire.to_string w]. *)
  val digest : Wire.t -> Digest.t

  (** [verify data keys sigs] checks every signature in [sigs] over [data]
      against the keys in [keys]. The result pairs a map from key digest to
      signer identifier with the list of failures. In [Make], an entry is
      added to the map only for a signature that verified, and no quorum or
      threshold is applied: an empty [sigs] gives an empty map together with
      an empty error list, so callers should decide on the contents of the
      map, not on the absence of errors. *)
  val verify : Wire.t -> Key.t M.t -> Signature.t M.t ->
    identifier Digest_map.t * error list
end

(** Instantiation: builds a verifier on top of the RSA-PSS and SHA-256
    primitives supplied by [C]. *)
module Make (C : S_RSA_BACK) = struct

  (** [raw_digest data] hashes [data] with the backend and tags the result
      with [`SHA256]. *)
  let raw_digest data =
    let hashed = C.sha256 data in
    (`SHA256, hashed)

  (** [digest data] is [raw_digest] of the string form of the wire value
      [data]. *)
  let digest data =
    let serialised = Wire.to_string data in
    raw_digest serialised

  (** [verify_signature data key sig] checks one signature tuple
      [(id, created, alg, signature)] with [key]. The bytes handed to the
      backend are not [data] alone but the string form of
      [to_be_signed data created id alg], so [created], [id] and [alg] are
      inputs to what is verified. Only [`RSA_PSS_SHA256] signatures with
      [`RSA] keys are matched. *)
  let verify_signature data key (id, created, alg, signature) =
    match alg, key with
    | `RSA_PSS_SHA256, (_, _, `RSA, key) ->
      let payload = to_be_signed data created id alg in
      let data = Wire.to_string payload in
      C.verify_rsa_pss ~key ~data ~signature id

  (** [verify data keys sigs] folds over [sigs] and returns [(ok, err)].

      [ok] is keyed by [Key.keyid raw_digest key], not by signer identifier,
      so that one public key is counted once even if several identifiers
      present it (this relies on [Digest_map.add] keeping a single binding
      per digest; confirm against [Digest_map]). [err] collects
      [`UnknownKey id] for signers with no entry in [keys], plus whatever
      error the backend returned for a signature that did not verify.

      No threshold is enforced here. With an empty [sigs] the result is
      [(Digest_map.empty, [])], so an empty error list alone says nothing
      about whether any valid signature exists. *)
  let verify data keys sigs =
    let check _ (id, created, alg, s) (ok, err) =
      match M.find id keys with
      | None -> (ok, `UnknownKey id :: err)
      | Some key ->
        (match verify_signature data key (id, created, alg, s) with
         | Error e -> (ok, e :: err)
         | Ok () ->
           (* Index by key digest so a repeated key is not counted twice. *)
           (Digest_map.add (Key.keyid raw_digest key) id ok, err))
    in
    M.fold check sigs (Digest_map.empty, [])
end