| /* Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #ifndef mod_md_md_crypt_h |
| #define mod_md_md_crypt_h |
| |
| #include <apr_file_io.h> |
| |
| struct apr_array_header_t; |
| struct md_t; |
| struct md_http_response_t; |
| struct md_cert_t; |
| struct md_pkey_t; |
| struct md_data_t; |
| |
| |
| /**************************************************************************************************/ |
| /* random */ |
| |
| apr_status_t md_rand_bytes(unsigned char *buf, apr_size_t len, apr_pool_t *p); |
| |
| apr_time_t md_asn1_generalized_time_get(void *ASN1_GENERALIZEDTIME); |
| |
| /**************************************************************************************************/ |
| /* digests */ |
| apr_status_t md_crypt_sha256_digest64(const char **pdigest64, apr_pool_t *p, |
| const struct md_data_t *data); |
| apr_status_t md_crypt_sha256_digest_hex(const char **pdigesthex, apr_pool_t *p, |
| const struct md_data_t *data); |
| |
| #define MD_DATA_SET_STR(d, s) do { (d)->data = (s); (d)->len = strlen(s); } while(0) |
| |
| /**************************************************************************************************/ |
| /* private keys */ |
| |
| typedef struct md_pkey_t md_pkey_t; |
| |
| typedef enum { |
| MD_PKEY_TYPE_DEFAULT, |
| MD_PKEY_TYPE_RSA, |
| } md_pkey_type_t; |
| |
| typedef struct md_pkey_rsa_spec_t { |
| apr_uint32_t bits; |
| } md_pkey_rsa_spec_t; |
| |
| typedef struct md_pkey_spec_t { |
| md_pkey_type_t type; |
| union { |
| md_pkey_rsa_spec_t rsa; |
| } params; |
| } md_pkey_spec_t; |
| |
| apr_status_t md_crypt_init(apr_pool_t *pool); |
| |
| apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t *p, md_pkey_spec_t *spec); |
| void md_pkey_free(md_pkey_t *pkey); |
| |
| const char *md_pkey_get_rsa_e64(md_pkey_t *pkey, apr_pool_t *p); |
| const char *md_pkey_get_rsa_n64(md_pkey_t *pkey, apr_pool_t *p); |
| |
| apr_status_t md_pkey_fload(md_pkey_t **ppkey, apr_pool_t *p, |
| const char *pass_phrase, apr_size_t pass_len, |
| const char *fname); |
| apr_status_t md_pkey_fsave(md_pkey_t *pkey, apr_pool_t *p, |
| const char *pass_phrase, apr_size_t pass_len, |
| const char *fname, apr_fileperms_t perms); |
| |
| apr_status_t md_crypt_sign64(const char **psign64, md_pkey_t *pkey, apr_pool_t *p, |
| const char *d, size_t dlen); |
| |
| void *md_pkey_get_EVP_PKEY(struct md_pkey_t *pkey); |
| |
| struct md_json_t *md_pkey_spec_to_json(const md_pkey_spec_t *spec, apr_pool_t *p); |
| md_pkey_spec_t *md_pkey_spec_from_json(struct md_json_t *json, apr_pool_t *p); |
| int md_pkey_spec_eq(md_pkey_spec_t *spec1, md_pkey_spec_t *spec2); |
| |
| /**************************************************************************************************/ |
| /* X509 certificates */ |
| |
| typedef struct md_cert_t md_cert_t; |
| |
| typedef enum { |
| MD_CERT_UNKNOWN, |
| MD_CERT_VALID, |
| MD_CERT_EXPIRED |
| } md_cert_state_t; |
| |
| /** |
| * Create a holder of the certificate that will free its memory when the |
| * pool is destroyed. |
| */ |
| md_cert_t *md_cert_make(apr_pool_t *p, void *x509); |
| |
| /** |
| * Wrap a x509 certificate into our own structure, without taking ownership |
| * of its memory. The caller remains responsible. |
| */ |
| md_cert_t *md_cert_wrap(apr_pool_t *p, void *x509); |
| |
| void *md_cert_get_X509(const md_cert_t *cert); |
| |
| apr_status_t md_cert_fload(md_cert_t **pcert, apr_pool_t *p, const char *fname); |
| apr_status_t md_cert_fsave(md_cert_t *cert, apr_pool_t *p, |
| const char *fname, apr_fileperms_t perms); |
| |
| /** |
| * Read a x509 certificate from a http response. |
| * Will return APR_ENOENT if content-type is not recognized (currently |
| * only "application/pkix-cert" is supported). |
| */ |
| apr_status_t md_cert_read_http(md_cert_t **pcert, apr_pool_t *pool, |
| const struct md_http_response_t *res); |
| |
| /** |
| * Read one or even a chain of certificates from a http response. |
| * Will return APR_ENOENT if content-type is not recognized (currently |
| * supports only "application/pem-certificate-chain" and "application/pkix-cert"). |
| * @param chain must be non-NULL, retrieved certificates will be added. |
| */ |
| apr_status_t md_cert_chain_read_http(struct apr_array_header_t *chain, |
| apr_pool_t *pool, const struct md_http_response_t *res); |
| |
| md_cert_state_t md_cert_state_get(const md_cert_t *cert); |
| int md_cert_is_valid_now(const md_cert_t *cert); |
| int md_cert_has_expired(const md_cert_t *cert); |
| int md_cert_covers_domain(md_cert_t *cert, const char *domain_name); |
| int md_cert_covers_md(md_cert_t *cert, const struct md_t *md); |
| int md_cert_must_staple(const md_cert_t *cert); |
| apr_time_t md_cert_get_not_after(const md_cert_t *cert); |
| apr_time_t md_cert_get_not_before(const md_cert_t *cert); |
| |
| apr_status_t md_cert_get_issuers_uri(const char **puri, const md_cert_t *cert, apr_pool_t *p); |
| apr_status_t md_cert_get_alt_names(apr_array_header_t **pnames, const md_cert_t *cert, apr_pool_t *p); |
| |
| apr_status_t md_cert_to_base64url(const char **ps64, const md_cert_t *cert, apr_pool_t *p); |
| apr_status_t md_cert_from_base64url(md_cert_t **pcert, const char *s64, apr_pool_t *p); |
| |
| apr_status_t md_cert_to_sha256_digest(struct md_data_t **pdigest, const md_cert_t *cert, apr_pool_t *p); |
| apr_status_t md_cert_to_sha256_fingerprint(const char **pfinger, const md_cert_t *cert, apr_pool_t *p); |
| |
| const char *md_cert_get_serial_number(const md_cert_t *cert, apr_pool_t *p); |
| |
| apr_status_t md_chain_fload(struct apr_array_header_t **pcerts, |
| apr_pool_t *p, const char *fname); |
| apr_status_t md_chain_fsave(struct apr_array_header_t *certs, |
| apr_pool_t *p, const char *fname, apr_fileperms_t perms); |
| apr_status_t md_chain_fappend(struct apr_array_header_t *certs, |
| apr_pool_t *p, const char *fname); |
| |
| apr_status_t md_cert_req_create(const char **pcsr_der_64, const char *name, |
| apr_array_header_t *domains, int must_staple, |
| md_pkey_t *pkey, apr_pool_t *p); |
| |
| /** |
| * Create a self-signed cerftificate with the given cn, key and list |
| * of alternate domain names. |
| */ |
| apr_status_t md_cert_self_sign(md_cert_t **pcert, const char *cn, |
| struct apr_array_header_t *domains, md_pkey_t *pkey, |
| apr_interval_time_t valid_for, apr_pool_t *p); |
| |
| /** |
| * Create a certificate for answering "tls-alpn-01" ACME challenges |
| * (see <https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01>). |
| */ |
| apr_status_t md_cert_make_tls_alpn_01(md_cert_t **pcert, const char *domain, |
| const char *acme_id, md_pkey_t *pkey, |
| apr_interval_time_t valid_for, apr_pool_t *p); |
| |
| apr_status_t md_cert_get_ct_scts(apr_array_header_t *scts, apr_pool_t *p, const md_cert_t *cert); |
| |
| |
| /**************************************************************************************************/ |
| /* X509 certificate transparency */ |
| |
| const char *md_nid_get_sname(int nid); |
| const char *md_nid_get_lname(int nid); |
| |
| typedef struct md_sct md_sct; |
| struct md_sct { |
| int version; |
| apr_time_t timestamp; |
| struct md_data_t *logid; |
| int signature_type_nid; |
| struct md_data_t *signature; |
| }; |
| |
| #endif /* md_crypt_h */ |