Merge pull request #10 from hannesm/no-temp-file

avoid temporary file creation on macos, revise interface
mirage · Oct 12, 2020 · e53e8f1 · e53e8f1
2 parents d4ae3e9 + cb60f7c
commit e53e8f1
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 23 deletions.
diff --git a/ca-certs.opam b/ca-certs.opam
@@ -23,6 +23,7 @@ depends: [
   "ocaml" {>= "4.07.0"}
   "alcotest" {with-test}
 ]
+dev-repo: "git+https://github.com/mirage/ca-certs.git"
 build: [
   ["dune" "subst"] {pinned}
   [
@@ -33,11 +34,10 @@ build: [
     "-j"
     jobs
     "@install"
-    "@runtest" {with-test}
+    "@runtest" {with-test & os != "macos"} # the opam sandbox on macos leads to test failures (ocaml/opam#4389)
     "@doc" {with-doc}
   ]
 ]
-dev-repo: "git+https://github.com/mirage/ca-certs.git"
 tags: ["org:mirage"]
 depexts: [
   ["ca_root_nss"] {os = "freebsd"}

diff --git a/ca-certs.opam.template b/ca-certs.opam.template
@@ -1,3 +1,17 @@
+build: [
+  ["dune" "subst"] {pinned}
+  [
+    "dune"
+    "build"
+    "-p"
+    name
+    "-j"
+    jobs
+    "@install"
+    "@runtest" {with-test & os != "macos"} # the opam sandbox on macos leads to test failures (ocaml/opam#4389)
+    "@doc" {with-doc}
+  ]
+]
 tags: ["org:mirage"]
 depexts: [
   ["ca_root_nss"] {os = "freebsd"}

diff --git a/lib/ca_certs.ml b/lib/ca_certs.ml
@@ -8,7 +8,7 @@ let issue =
 let detect_one path =
   let path' = Fpath.v path in
   match Bos.OS.Path.exists path' with
-  | Ok true -> Ok path'
+  | Ok true -> Bos.OS.File.read path'
   | _ ->
       Error
         (`Msg
@@ -23,7 +23,7 @@ let detect_list paths =
             ( "ca-certs: no trust anchor file found, looked into "
             ^ String.concat ", " paths ^ ".\n" ^ issue ))
     | path :: paths -> (
-        match detect_one path with Ok path -> Ok path | Error _ -> one paths )
+        match detect_one path with Ok data -> Ok data | Error _ -> one paths )
   in
   one paths
 
@@ -46,7 +46,7 @@ let freebsd_location = "/usr/local/share/certs/ca-root-nss.crt"
 let macos_keychain_location =
   "/System/Library/Keychains/SystemRootCertificates.keychain"
 
-let ta_file_raw () =
+let trust_anchors () =
   let open Rresult.R.Infix in
   if Sys.win32 then
     Error (`Msg "ca-certs: windows is not supported at the moment")
@@ -62,19 +62,12 @@ let ta_file_raw () =
             v "security" % "find-certificate" % "-a" % "-p"
             % macos_keychain_location)
         in
-        let tmpfile = Fpath.v (Filename.temp_file "cacert" "pem") in
-        Bos.OS.Cmd.(run_out cmd |> out_file tmpfile |> success) >>| fun () ->
-        tmpfile
+        Bos.OS.Cmd.(run_out cmd |> out_string |> success)
     | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue))
 
-let trust_anchor_filename () =
+let authenticator ?crls ?hash_whitelist () =
   let open Rresult.R.Infix in
-  ta_file_raw () >>| Fpath.to_string
-
-let trust_anchor ?crls ?hash_whitelist () =
-  let open Rresult.R.Infix in
-  ta_file_raw () >>= fun file ->
-  Bos.OS.File.read file >>= fun data ->
-  X509.Certificate.decode_pem_multiple (Cstruct.of_string data) >>| fun cas ->
+  trust_anchors () >>= fun data ->
   let time () = Some (Ptime_clock.now ()) in
+  X509.Certificate.decode_pem_multiple (Cstruct.of_string data) >>| fun cas ->
   X509.Authenticator.chain_of_trust ?crls ?hash_whitelist ~time cas
diff --git a/lib/ca_certs.mli b/lib/ca_certs.mli
@@ -1,10 +1,16 @@
-val trust_anchor_filename : unit -> (string, [> `Msg of string ]) result
-(** Attempts to discover the trust anchor file on this host system. *)
-
-val trust_anchor :
+val authenticator :
   ?crls:X509.CRL.t list ->
   ?hash_whitelist:Mirage_crypto.Hash.hash list ->
   unit ->
   (X509.Authenticator.t, [> `Msg of string ]) result
-(** Detects root CAs in the operating system's trust store.
+(** [authenticator ~crls ~hash_whitelist ()] detects the root CAs (trust
+    anchors) in the operating system's trust store using {!trust_anchors}. It
+    constructs an authenticator with the current timestamp {!Ptime_clock.now},
+    and the provided [~crls] and [~hash_whitelist] arguments, to be used for
+    {!Tls.Config.client}.
     Returns [Error `Msg msg] if detection did not succeed. *)
+
+val trust_anchors : unit -> (string, [> `Msg of string ]) result
+(** [trust_anchors ()] detects the root CAs (trust anchors) in the operating
+    system's trust store.
+    The successful result is a list of pem-encoded X509 certificates. *)
diff --git a/test/tests.ml b/test/tests.ml
@@ -957,8 +957,7 @@ let tests tas =
 
 let ta () =
   let open Rresult.R.Infix in
-  Ca_certs.trust_anchor_filename () >>= fun file ->
-  Bos.OS.File.read (Fpath.v file) >>= fun data ->
+  Ca_certs.trust_anchors () >>= fun data ->
   X509.Certificate.decode_pem_multiple (Cstruct.of_string data)
 
 let () =