This file is indexed.

/usr/lib/ocaml/netstring/netx509.mli is in libocamlnet-ocaml-dev 4.1.2-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
(* $Id$ *)

(** X.509 certificates *)

(** This module defines a parser for X.509 certificates in Internet
    context (RFC 5280). The basic structure is implemented, and there
    are also parsers for the most needed extensions.

    There are several involved formats:
     - [ASN.1] is the language in which the certificate format is described.
       When we refer here to ASN.1 we mean tagged values as defined by
       {!Netasn1.Value.value}.
     - [DER] is the common binary encoding for ASN.1 values in this context.
       [DER] is a subset of [BER] (which is implemented by
       {!Netasn1.decode_ber}). The encoding of ASN.1 values in [BER] is
       ambiguous, and [DER] specifies the variant to use in order to get
       a "distinguished" encoding (that's what the "D" stands for), which
       is needed to get unique digital signatures.
     - [PEM] is a set of standards for "privacy enhanced mail". The
       "PEM encoding" of certificates is simply BASE-64 of [DER].
 *)

type oid = Netoid.t
  (** OIDs are just integer sequences *)

(** Directory names are also known as distinguished names. These are
    the o=foo,ou=foounit,c=country strings that are used to name
    certificates.
 *)
class type directory_name =
object
  method name : (oid * Netasn1.Value.value) list list
    (** This is the raw version of the DN: a sequence of relative DNs,
        and a relative DN is a set of (type,value) pairs. The types are
        things like cn, country, organization, ...
     *)
  method eq_name : (oid * Netasn1.Value.value) list list
    (** The name normalized for equality comparisons. In particular,
        PrintableString values are converted to uppercase, as well
        as emailAddress attributes. Also, the inner list is sorted by
        [oid].
     *)
  method string : string
    (** The DN as string (RFC 4514) *)
  method eq_string : string
    (** The [eq_name] converted to string *)
end


(** An X.509 certificate in decoded form. The is only the public part, i.e.
    it includes only the various descriptive fields, the public key, and
    the signature by the issuer.
 *)
class type x509_certificate =
object
  method subject : directory_name
    (** The DN of the subject *)
  method subject_unique_id : Netasn1.Value.bitstring_value option
    (** The unique ID of the subject *)
  method issuer : directory_name
    (** The DN of the issuer *)
  method issuer_unique_id : Netasn1.Value.bitstring_value option
    (** The unique ID of the issuer *)
  method version : int
    (** The "version" field, 1 to 3 *)
  method serial_number : string
    (** The "serialNumber" field *)
  method valid_not_before : float
    (** Activation time as seconds since the epoch ("notBefore" field) *)
  method valid_not_after : float
    (** Expiration time as seconds since the epoch ("notAfter" field) *)
  method signature : Netasn1.Value.bitstring_value
    (** The signature *)
  method signature_algorithm : oid * Netasn1.Value.value option
    (** The algorithm of the signature (OID, and algorithm-specific parameters)
     *)
  method public_key : Netasn1.Value.bitstring_value
    (** The subject's public key *)
  method public_key_algorithm : oid  * Netasn1.Value.value option
    (** The algorithm of the public key (OID, and algorithm-specific
         parameters)
     *)
  method extensions : (oid * string * bool) list
    (** Extensions (version 3 certificates) as triples [(oid, data, critical)].
        OIDs can occur several times.
     *)
end

(** {2 OIDs for DN attribute types} *)

module DN_attributes : sig
  (** Object identifiers used in distinguished names *)

  (** This module is an implementation of {!Netdn.AT_LOOKUP}, and can be
      used with the parser/printer in {!Netdn}.
   *)

  (** Attibute types *)

  val at_name : oid
  val at_surname : oid
  val at_givenName : oid
  val at_initials : oid
  val at_generationQualifier : oid
  val at_commonName : oid
  val at_localityName : oid
  val at_stateOrProvinceName : oid
  val at_organizationName : oid
  val at_organizationalUnitName : oid
  val at_title : oid
  val at_dnQualifier : oid
  val at_countryName : oid
  val at_serialNumber : oid
  val at_pseudonym : oid
  val at_domainComponent : oid
  val at_emailAddress : oid
  val at_uid : oid

  val attribute_types : (oid * string * string list) list
    (** The above types in the format [(oid, full_name, short_names)] *)

  val lookup_attribute_type_by_oid : oid -> string * string list
    (** Looks the OID up, and returns [(full_name, short_names)].
        May raise [Not_found].
     *)

  val lookup_attribute_type_by_name : string -> oid * string * string list
    (** Looks the name up, which can either be a full name or a short name.
        Returns the whole triple [(oid, full_name, short_names)], or
        raises [Not_found].
     *)
end


(** {2 Distinguished names} *)

module X509_DN_string : Netdn.DN_string
  (** Parser/printer for distnguished names as they may occur in X.509
      certificates
   *)
 
val lookup_dn_ava : directory_name -> oid -> Netasn1.Value.value
  (** Find the first relative DN setting this OID (or [Not_found]) *)

val lookup_dn_ava_utf8 : directory_name -> oid -> string
  (** Same as [lookup_dn_ava], but additionally converts the value to UTF-8 *)


(** {2 Parsers} *)

class x509_dn_from_ASN1 : Netasn1.Value.value -> directory_name
  (** Returns the DN object for a [Name] entity *)

class x509_dn_from_string : string -> directory_name
  (** Returns the DN object for an RFC 4514-encoded string *)

class x509_certificate_from_ASN1 : Netasn1.Value.value -> x509_certificate
  (** Parses the passed ASN.1 value and returns the certificate object *)

class x509_certificate_from_DER : string -> x509_certificate
  (** Parses the passed DER string and returns the certificate object *)


(** {2 Extensions} *)

(** Extensions are identified by an OID (found in the following [CE]
    module), and the value is a DER-encoded ASN.1 value. The parse_*
    functions take this DER-encoded value and decode them. E.g. get
    the "authority key identifier":

 {[
  let _, aki_der, _ = 
    List.find
      (fun (oid,_,_) -> oid = CE.ce_authority_key_identifier) 
      cert#extensions in
  let aki =
    parse_authority_key_identifier aki_der
 ]}

   Or use [find_extension], as defined below.

   Note that we don't have parsers for all extensions.
 *)

module CE : sig
  (** The OIDs of the extensions in RFC 5280 *)

  val ce_authority_key_identifier : oid
  val ce_subject_key_identifier : oid
  val ce_key_usage : oid
  val ce_certificate_policies : oid
  val ce_any_policy : oid
  val ce_policy_mappings : oid
  val ce_subject_alt_name : oid
  val ce_issuer_alt_name : oid
  val ce_subject_directory_attributes : oid
  val ce_basic_constraints : oid
  val ce_name_constraints : oid
  val ce_policy_constraints : oid
  val ce_ext_key_usage : oid
  val ce_crl_distribution_points : oid
  val ce_inhibit_any_policy : oid
  val ce_freshest_crl : oid
  val ce_authority_info_access : oid
  val ce_subject_info_access : oid

  val certificate_extensions : (oid * string) list
   (** All the above listed OIDs with their string names (useful for
       displaying extension types)
    *)
 end


exception Extension_not_found of oid


val find_extension :
       oid ->
       (oid * string * bool) list ->
         string * bool
  (** [find_extension] is designed to be applied to the result of the
      [extensions] method of {!Netx509.x509_certificate}:

      {[
  let (data, critical) =
    find_extension CE.ce:authority_key_identifier cert#extensions
      ]}

      It returns the undecoded data string, and the critical flag.

      Raises [Extension_not_found] if there is no such extension.
   *)

val check_critical_exts :
      oid list ->
      (oid * string * bool) list ->
        bool
  (** [check_critical_exts list exts]: When an extension is flagged
      as critical, it must be processed by the communication endpoint.
      If there is a critical extension that cannot be processed, this is
      an error. This function checks whether there are any critical
      extensions in [exts] beyond those in [list], and returns [true]
      in this case.

      Use this in software as:
  {[
  let unprocessed_critical =
    check_critical_exts
       [ CE.ce_basic_constraints ]
       cert#extensions
  ]}

     and pass the list of all extension OIDs you actually process. 
     You should raise an error if [unprocessed_critical] is true.
   *)


type general_name =
  [ `Other_name of oid * Netasn1.Value.value
  | `Rfc822_name of string
  | `DNS_name of string
  | `X400_address of Netasn1.Value.value
  | `Directory_name of directory_name
  | `Edi_party_name of string option * string
  | `Uniform_resource_identifier of string 
  | `IP_address of Unix.socket_domain * Unix.inet_addr * Unix.inet_addr
  | `Registered_ID of oid
  ]
  (** General names:
      - [`Other_name(oid, value)]: the [oid] determines the extension name
        format
      - [`Rfc822_name n]: an email address [n] (ASCII encoded)
      - [`DNS_name n]: an Internet domain [n] (ASCII encoded - no
        internationalization)
      - [`X400_address v]: an X.400 address, which is not decoded here and
        just given as unparsed ASN.1 value [v]
      - [`Directory_name n]: a directory name [n] (i.e. a name using the
        syntax of distinguished names)
      - [`Edi_party_name(assigner,party)], both names as UTF-8
      - [`Uniform_resource_identifier uri]: this [uri] (ASCII-encoded,
        no internationalization)
      - [`IP_address(dom,addr,mask)]: the address with mask
      - [`Registered oid]: a symbolical pre-registered name known under [oid]
   *)

type authority_key_identifier =
    { aki_key_identifier : string option;
      aki_authority_cert_issuer : general_name list;
      aki_authority_cert_serial_number : string option;
    }

val parse_authority_key_identifier : string -> authority_key_identifier

val parse_subject_key_identifier : string -> string
  (** Returns the key identifier directly *)

type key_usage_flag =
  [ `Digital_signature
  | `Non_repudiation
  | `Key_encipherment
  | `Data_encipherment
  | `Key_agreement
  | `Key_cert_sign
  | `Crl_sign
  | `Encipher_only
  | `Decipher_only
  ]

val parse_key_usage : string -> key_usage_flag list

val parse_subject_alt_name : string -> general_name list

val parse_issuer_alt_name : string -> general_name list

val parse_subject_directory_attributes : string -> 
                                         (oid * Netasn1.Value.value list) list

val parse_basic_constraints : string -> bool * int option

type ext_key_usage_flag =
    [ `Server_auth
    | `Client_auth
    | `Code_signing
    | `Email_protection
    | `Time_stamping
    | `OCSP_signing
    | `Unknown
    ]
val parse_ext_key_usage : string -> (oid * ext_key_usage_flag) list
  (** Returns the OID as array, and as decoded flag *)

(** Key purpose IDs as returned by [parse_ext_key_usage] *)
module KP : sig
  val kp_server_auth : oid
  val kp_client_auth : oid
  val kp_code_signing : oid
  val kp_email_protection : oid
  val kp_time_stamping : oid
  val kp_ocsp_signing : oid

  val ext_key_purposes : (oid * ext_key_usage_flag * string) list
end

type authority_access_description_flag =
  [ `CA_issuers
  | `OCSP
  | `Unknown
  ]

type subject_access_description_flag =
  [ `CA_repository
  | `Time_stamping
  | `Unknown
  ]

type access_description_flag =
  [ authority_access_description_flag | subject_access_description_flag ]

val parse_authority_info_access : string -> 
                (oid * authority_access_description_flag * general_name) list
val parse_subject_info_access : string -> 
                (oid * subject_access_description_flag * general_name) list

module AD : sig
  val ad_ca_issuers : oid
  val ad_ocsp : oid
  val ad_ca_repository : oid
  val ad_time_stamping : oid

  val access_descriptions : (oid * access_description_flag * string) list
end


(** Generic parsers *)

val general_name_from_ASN1 : Netasn1.Value.value -> general_name
  (** Parses the general_name structure *)

val general_names_from_ASN1 : Netasn1.Value.value -> general_name list
  (** Parse a sequence of general names *)

val directory_string_from_ASN1 : Netasn1.Value.value -> string
  (** Returns the directory_string as UTF-8 *)

val attribute_from_ASN1 : Netasn1.Value.value -> oid * Netasn1.Value.value list
  (** Parses an attribute *)

val attributes_from_ASN1 : Netasn1.Value.value -> 
                             (oid * Netasn1.Value.value list) list
  (** Parses a sequence of attributes *)