handle failures creating csrs

src/csr.ml

@@ -17,12 +17,14 @@ let csr org cn bits certfile keyfile =
       Relative_distinguished_name.(singleton (O org)) ;
     ]
   in
-  let csr = X509.Signing_request.create dn privkey in
-  let csr_pem = X509.Signing_request.encode_pem csr in
-  let key_pem = X509.Private_key.encode_pem privkey in
-  match (write_pem certfile csr_pem, write_pem keyfile key_pem) with
-  | Ok (), Ok () -> Ok ()
-  | Error str, _ | _, Error str -> Error str
+  match X509.Signing_request.create dn privkey with
+  | Error _ as e -> e
+  | Ok csr ->
+    let csr_pem = X509.Signing_request.encode_pem csr in
+    let key_pem = X509.Private_key.encode_pem privkey in
+    match (write_pem certfile csr_pem, write_pem keyfile key_pem) with
+    | Ok (), Ok () -> Ok ()
+    | Error str, _ | _, Error str -> Error str
 
 let csr_t = Term.(term_result (pure csr $ org $ common_name $ length $ certfile $ keyfile))
 

src/selfsign.ml

@@ -7,17 +7,19 @@ let selfsign name bits days is_ca certfile keyfile =
   and issuer =
     [ X509.Distinguished_name.(Relative_distinguished_name.singleton (CN name)) ]
   in
-  let csr = X509.Signing_request.create issuer (`RSA privkey) in
-  let ent = if is_ca then `CA else `Server in
-  match Common.sign days (`RSA privkey) (`RSA (Mirage_crypto_pk.Rsa.pub_of_priv privkey)) issuer csr [] ent with
-  | Ok cert ->
-     let cert_pem = X509.Certificate.encode_pem cert in
-     let key_pem = X509.Private_key.encode_pem (`RSA privkey) in
-     (match write_pem certfile cert_pem, write_pem keyfile key_pem with
-      | Ok (), Ok () -> Ok ()
-      | Error str, _
-      | _, Error str -> Error str)
-  | Error str -> Error str
+  match X509.Signing_request.create issuer (`RSA privkey) with
+  | Error _ as e -> e
+  | Ok csr ->
+    let ent = if is_ca then `CA else `Server in
+    match Common.sign days (`RSA privkey) (`RSA (Mirage_crypto_pk.Rsa.pub_of_priv privkey)) issuer csr [] ent with
+    | Error _ as e -> e
+    | Ok cert ->
+      let cert_pem = X509.Certificate.encode_pem cert in
+      let key_pem = X509.Private_key.encode_pem (`RSA privkey) in
+      (match write_pem certfile cert_pem, write_pem keyfile key_pem with
+       | Ok (), Ok () -> Ok ()
+       | Error str, _
+       | _, Error str -> Error str)
 
 let certfile =
   let doc = "Filename to which to save the completed certificate." in