| /* Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| #include <assert.h> |
| #include <apr_lib.h> |
| #include <apr_strings.h> |
| |
| #include <httpd.h> |
| #include <http_connection.h> |
| #include <http_core.h> |
| #include <http_log.h> |
| #include <http_ssl.h> |
| |
| #include <rustls.h> |
| |
| #include "tls_cert.h" |
| #include "tls_conf.h" |
| #include "tls_core.h" |
| #include "tls_proto.h" |
| #include "tls_ocsp.h" |
| |
| extern module AP_MODULE_DECLARE_DATA tls_module; |
| APLOG_USE_MODULE(tls); |
| |
| |
| static int prime_cert( |
| void *userdata, server_rec *s, const char *cert_id, const char *cert_pem, |
| const rustls_certified_key *certified_key) |
| { |
| apr_pool_t *p = userdata; |
| apr_status_t rv; |
| |
| (void)certified_key; |
| rv = ap_ssl_ocsp_prime(s, p, cert_id, strlen(cert_id), cert_pem); |
| ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s, "ocsp prime of cert [%s] from %s", |
| cert_id, s->server_hostname); |
| return 1; |
| } |
| |
| apr_status_t tls_ocsp_prime_certs(tls_conf_global_t *gc, apr_pool_t *p, server_rec *s) |
| { |
| ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "ocsp priming of %d certs", |
| (int)tls_cert_reg_count(gc->cert_reg)); |
| tls_cert_reg_do(prime_cert, p, gc->cert_reg); |
| return APR_SUCCESS; |
| } |
| |
| typedef struct { |
| conn_rec *c; |
| const rustls_certified_key *key_in; |
| const rustls_certified_key *key_out; |
| } ocsp_copy_ctx_t; |
| |
| static void ocsp_clone_key(const unsigned char *der, apr_size_t der_len, void *userdata) |
| { |
| ocsp_copy_ctx_t *ctx = userdata; |
| rustls_slice_bytes rslice; |
| rustls_result rr; |
| |
| rslice.data = der; |
| rslice.len = der_len; |
| |
| rr = rustls_certified_key_clone_with_ocsp(ctx->key_in, der_len? &rslice : NULL, &ctx->key_out); |
| if (RUSTLS_RESULT_OK != rr) { |
| const char *err_descr = NULL; |
| apr_status_t rv = tls_util_rustls_error(ctx->c->pool, rr, &err_descr); |
| ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctx->c, APLOGNO(10362) |
| "Failed add OCSP data to certificate: [%d] %s", (int)rr, err_descr); |
| } |
| else { |
| ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctx->c, |
| "provided %ld bytes of ocsp response DER data to key.", (long)der_len); |
| } |
| } |
| |
| apr_status_t tls_ocsp_update_key( |
| conn_rec *c, const rustls_certified_key *certified_key, |
| const rustls_certified_key **pkey_out) |
| { |
| tls_conf_conn_t *cc = tls_conf_conn_get(c); |
| tls_conf_server_t *sc; |
| const char *key_id; |
| apr_status_t rv = APR_SUCCESS; |
| ocsp_copy_ctx_t ctx; |
| |
| assert(cc); |
| assert(cc->server); |
| sc = tls_conf_server_get(cc->server); |
| key_id = tls_cert_reg_get_id(sc->global->cert_reg, certified_key); |
| if (!key_id) { |
| rv = APR_ENOENT; |
| ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, c, "certified key not registered"); |
| goto cleanup; |
| } |
| |
| ctx.c = c; |
| ctx.key_in = certified_key; |
| ctx.key_out = NULL; |
| rv = ap_ssl_ocsp_get_resp(cc->server, c, key_id, strlen(key_id), ocsp_clone_key, &ctx); |
| if (APR_SUCCESS != rv) { |
| ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, c, |
| "ocsp response not available for cert %s", key_id); |
| } |
| |
| cleanup: |
| *pkey_out = (APR_SUCCESS == rv)? ctx.key_out : NULL; |
| return rv; |
| } |