packages feed

tls-extra 0.4.2 → 0.4.2.1

raw patch · 2 files changed

+30/−21 lines, 2 files

Files

Network/TLS/Extra/Certificate.hs view
@@ -50,30 +50,16 @@  {- on windows and OSX, the trusted certificates are not yet accessible,  - for now, print a big fat warning (better than nothing) and returns true  -}-certificateVerifyChain :: [X509] -> IO TLSCertificateUsage-certificateVerifyChain _ = do+certificateVerifyChain_ :: [X509] -> IO TLSCertificateUsage+certificateVerifyChain_ _ = do 	putStrLn "****************** certificate verify chain doesn't yet work on your platform **********************" 	putStrLn "please consider contributing to the certificate package to fix this issue" 	return CertificateUsageAccept  #else--- | verify a certificates chain using the system certificates available.------ each certificate of the list is verified against the next certificate, until--- it can be verified against a system certificate (system certificates are assumed as trusted)------ This helper only check that the chain of certificate is valid, which means that each items--- received are signed by the next one, or by a system certificate. Some extra checks need to--- be done at the user level so that the certificate chain received make sense in the context.------ for example for HTTP, the user should typically verify the certificate subject match the URL--- of connection.------ TODO: verify validity, check revocation list if any, add optional user output to know--- the rejection reason.-certificateVerifyChain :: [X509] -> IO TLSCertificateUsage-certificateVerifyChain []     = return $ CertificateUsageReject (CertificateRejectOther "empty chain / no certificates")-certificateVerifyChain (x:xs) = do+certificateVerifyChain_ :: [X509] -> IO TLSCertificateUsage+certificateVerifyChain_ []     = return $ CertificateUsageReject (CertificateRejectOther "empty chain / no certificates")+certificateVerifyChain_ (x:xs) = do 	-- find a matching certificate that we trust (== installed on the system) 	foundCert <- SysCert.findCertificate (certMatchDN x) 	case foundCert of@@ -87,9 +73,32 @@ 			_  -> do 				validChain <- certificateVerifyAgainst x (head xs) 				if validChain-					then certificateVerifyChain xs+					then certificateVerifyChain_ xs 					else return $ CertificateUsageReject (CertificateRejectOther "chain doesn't match each other") #endif++-- | verify a certificates chain using the system certificates available.+--+-- each certificate of the list is verified against the next certificate, until+-- it can be verified against a system certificate (system certificates are assumed as trusted)+--+-- This helper only check that the chain of certificate is valid, which means that each items+-- received are signed by the next one, or by a system certificate. Some extra checks need to+-- be done at the user level so that the certificate chain received make sense in the context.+--+-- for example for HTTP, the user should typically verify the certificate subject match the URL+-- of connection.+--+-- TODO: verify validity, check revocation list if any, add optional user output to know+-- the rejection reason.+certificateVerifyChain :: [X509] -> IO TLSCertificateUsage+certificateVerifyChain = certificateVerifyChain_ . reorderList+	where+		reorderList []     = []+		reorderList (x:xs) =+			case find (certMatchDN x) xs of+				Nothing    -> x : reorderList xs+				Just found -> x : found : reorderList (filter (/= found) xs)  -- | verify a certificate against another one. -- the first certificate need to be signed by the second one for this function to succeed.
tls-extra.cabal view
@@ -1,5 +1,5 @@ Name:                tls-extra-Version:             0.4.2+Version:             0.4.2.1 Description:    a set of extra definitions, default values and helpers for tls. License:             BSD3