modules/md/md.h - httpd - Git at Google

 /* Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #ifndef mod_md_md_h
 #define mod_md_md_h

 #include <apr_time.h>

 #include "md_time.h"
 #include "md_version.h"

 struct apr_array_header_t;
 struct apr_hash_t;
 struct md_json_t;
 struct md_cert_t;
 struct md_job_t;
 struct md_pkey_t;
 struct md_result_t;
 struct md_store_t;
 struct md_srv_conf_t;
 struct md_pkey_spec_t;

 #define MD_PKEY_RSA_BITS_MIN       2048
 #define MD_PKEY_RSA_BITS_DEF       2048

 /* Minimum age for the HSTS header (RFC 6797), considered appropriate by Mozilla Security */
 #define MD_HSTS_HEADER             "Strict-Transport-Security"
 #define MD_HSTS_MAX_AGE_DEFAULT    15768000

 #define PROTO_ACME_TLS_1        "acme-tls/1"

 #define MD_TIME_LIFE_NORM           (apr_time_from_sec(100 * MD_SECS_PER_DAY))
 #define MD_TIME_RENEW_WINDOW_DEF    (apr_time_from_sec(33 * MD_SECS_PER_DAY))
 #define MD_TIME_WARN_WINDOW_DEF     (apr_time_from_sec(10 * MD_SECS_PER_DAY))
 #define MD_TIME_OCSP_KEEP_NORM      (apr_time_from_sec(7 * MD_SECS_PER_DAY))

 #define MD_OTHER                "other"

 typedef enum {
     MD_S_UNKNOWN = 0,               /* MD has not been analysed yet */
     MD_S_INCOMPLETE = 1,            /* MD is missing necessary information, cannot go live */
     MD_S_COMPLETE = 2,              /* MD has all necessary information, can go live */
     MD_S_EXPIRED_DEPRECATED = 3,    /* deprecated */
     MD_S_ERROR = 4,                 /* MD data is flawed, unable to be processed as is */
     MD_S_MISSING_INFORMATION = 5,     /* User has not agreed to ToS */
 } md_state_t;

 typedef enum {
     MD_REQUIRE_UNSET = -1,
     MD_REQUIRE_OFF,
     MD_REQUIRE_TEMPORARY,
     MD_REQUIRE_PERMANENT,
 } md_require_t;

 typedef enum {
     MD_RENEW_DEFAULT = -1,          /* default value */
     MD_RENEW_MANUAL,                /* manually triggered renewal of certificate */
     MD_RENEW_AUTO,                  /* automatic process performed by httpd */
     MD_RENEW_ALWAYS,                /* always renewed by httpd, even if not necessary */
 } md_renew_mode_t;

 typedef struct md_t md_t;
 struct md_t {
     const char *name;               /* unique name of this MD */
     struct apr_array_header_t *domains; /* all DNS names this MD includes */
     struct apr_array_header_t *contacts;   /* list of contact uris, e.g. mailto:xxx */

     int transitive;                 /* != 0 iff VirtualHost names/aliases are auto-added */
     md_require_t require_https;     /* Iff https: is required for this MD */

     int renew_mode;                 /* mode of obtaining credentials */
     struct md_pkeys_spec_t *pks;    /* specification for generating private keys */
     int must_staple;                /* certificates should set the OCSP Must Staple extension */
     md_timeslice_t *renew_window;   /* time before expiration that starts renewal */
     md_timeslice_t *warn_window;    /* time before expiration that warnings are sent out */

     const char *ca_proto;           /* protocol used vs CA (e.g. ACME) */
     struct apr_array_header_t *ca_urls; /* urls of CAs */
     const char *ca_effective;       /* url of CA used */
     const char *ca_account;         /* account used at CA */
     const char *ca_agreement;       /* accepted agreement uri between CA and user */
     struct apr_array_header_t *ca_challenges; /* challenge types configured for this MD */
     struct apr_array_header_t *cert_files; /* != NULL iff pubcerts explicitly configured */
     struct apr_array_header_t *pkey_files; /* != NULL iff privkeys explicitly configured */
     const char *ca_eab_kid;         /* optional KEYID for external account binding */
     const char *ca_eab_hmac;        /* optional HMAC for external account binding */

     md_state_t state;               /* state of this MD */
     const char *state_descr;        /* description of state of NULL */

     struct apr_array_header_t *acme_tls_1_domains; /* domains supporting "acme-tls/1" protocol */
     int stapling;                   /* if OCSP stapling is enabled */

     int watched;               /* if certificate is supervised (renew or expiration warning) */
     const struct md_srv_conf_t *sc; /* server config where it was defined or NULL */
     const char *defn_name;          /* config file this MD was defined */
     unsigned defn_line_number;      /* line number of definition */

     const char *configured_name;    /* name this MD was configured with, if different */
 };

 #define MD_KEY_ACCOUNT          "account"
 #define MD_KEY_ACME_TLS_1       "acme-tls/1"
 #define MD_KEY_ACTIVATION_DELAY "activation-delay"
 #define MD_KEY_ACTIVITY         "activity"
 #define MD_KEY_AGREEMENT        "agreement"
 #define MD_KEY_AUTHORIZATIONS   "authorizations"
 #define MD_KEY_BITS             "bits"
 #define MD_KEY_CA               "ca"
 #define MD_KEY_CA_URL           "ca-url"
 #define MD_KEY_CERT             "cert"
 #define MD_KEY_CERT_FILES       "cert-files"
 #define MD_KEY_CERTIFICATE      "certificate"
 #define MD_KEY_CHALLENGE        "challenge"
 #define MD_KEY_CHALLENGES       "challenges"
 #define MD_KEY_CMD_DNS01        "cmd-dns-01"
 #define MD_KEY_COMPLETE         "complete"
 #define MD_KEY_CONTACT          "contact"
 #define MD_KEY_CONTACTS         "contacts"
 #define MD_KEY_CSR              "csr"
 #define MD_KEY_CURVE            "curve"
 #define MD_KEY_DETAIL           "detail"
 #define MD_KEY_DISABLED         "disabled"
 #define MD_KEY_DIR              "dir"
 #define MD_KEY_DOMAIN           "domain"
 #define MD_KEY_DOMAINS          "domains"
 #define MD_KEY_EAB              "eab"
 #define MD_KEY_EAB_REQUIRED     "externalAccountRequired"
 #define MD_KEY_ENTRIES          "entries"
 #define MD_KEY_ERRORED          "errored"
 #define MD_KEY_ERROR            "error"
 #define MD_KEY_ERRORS           "errors"
 #define MD_KEY_EXPIRES          "expires"
 #define MD_KEY_FINALIZE         "finalize"
 #define MD_KEY_FINISHED         "finished"
 #define MD_KEY_FROM             "from"
 #define MD_KEY_GOOD             "good"
 #define MD_KEY_HMAC             "hmac"
 #define MD_KEY_HTTP             "http"
 #define MD_KEY_HTTPS            "https"
 #define MD_KEY_ID               "id"
 #define MD_KEY_IDENTIFIER       "identifier"
 #define MD_KEY_KEY              "key"
 #define MD_KEY_KID              "kid"
 #define MD_KEY_KEYAUTHZ         "keyAuthorization"
 #define MD_KEY_LAST             "last"
 #define MD_KEY_LAST_RUN         "last-run"
 #define MD_KEY_LOCATION         "location"
 #define MD_KEY_LOG              "log"
 #define MD_KEY_MDS              "managed-domains"
 #define MD_KEY_MESSAGE          "message"
 #define MD_KEY_MUST_STAPLE      "must-staple"
 #define MD_KEY_NAME             "name"
 #define MD_KEY_NEXT_RUN         "next-run"
 #define MD_KEY_NOTIFIED         "notified"
 #define MD_KEY_NOTIFIED_RENEWED "notified-renewed"
 #define MD_KEY_OCSP             "ocsp"
 #define MD_KEY_OCSPS            "ocsps"
 #define MD_KEY_ORDERS           "orders"
 #define MD_KEY_PERMANENT        "permanent"
 #define MD_KEY_PKEY             "privkey"
 #define MD_KEY_PKEY_FILES       "pkey-files"
 #define MD_KEY_PROBLEM          "problem"
 #define MD_KEY_PROTO            "proto"
 #define MD_KEY_READY            "ready"
 #define MD_KEY_REGISTRATION     "registration"
 #define MD_KEY_RENEW            "renew"
 #define MD_KEY_RENEW_AT         "renew-at"
 #define MD_KEY_RENEW_MODE       "renew-mode"
 #define MD_KEY_RENEWAL          "renewal"
 #define MD_KEY_RENEWING         "renewing"
 #define MD_KEY_RENEW_WINDOW     "renew-window"
 #define MD_KEY_REQUIRE_HTTPS    "require-https"
 #define MD_KEY_RESOURCE         "resource"
 #define MD_KEY_RESPONSE         "response"
 #define MD_KEY_REVOKED          "revoked"
 #define MD_KEY_SERIAL           "serial"
 #define MD_KEY_SHA256_FINGERPRINT  "sha256-fingerprint"
 #define MD_KEY_STAPLING         "stapling"
 #define MD_KEY_STATE            "state"
 #define MD_KEY_STATE_DESCR      "state-descr"
 #define MD_KEY_STATUS           "status"
 #define MD_KEY_STORE            "store"
 #define MD_KEY_SUBPROBLEMS      "subproblems"
 #define MD_KEY_TEMPORARY        "temporary"
 #define MD_KEY_TOS              "termsOfService"
 #define MD_KEY_TOKEN            "token"
 #define MD_KEY_TOTAL            "total"
 #define MD_KEY_TRANSITIVE       "transitive"
 #define MD_KEY_TYPE             "type"
 #define MD_KEY_UNKNOWN          "unknown"
 #define MD_KEY_UNTIL            "until"
 #define MD_KEY_URL              "url"
 #define MD_KEY_URLS             "urls"
 #define MD_KEY_URI              "uri"
 #define MD_KEY_VALID            "valid"
 #define MD_KEY_VALID_FROM       "valid-from"
 #define MD_KEY_VALUE            "value"
 #define MD_KEY_VERSION          "version"
 #define MD_KEY_WATCHED          "watched"
 #define MD_KEY_WHEN             "when"
 #define MD_KEY_WARN_WINDOW      "warn-window"

 /* Check if a string member of a new MD (n) has
  * a value and if it differs from the old MD o
  */
 #define MD_VAL_UPDATE(n,o,s)    ((n)->s != (o)->s)
 #define MD_SVAL_UPDATE(n,o,s)   ((n)->s && (!(o)->s || strcmp((n)->s, (o)->s)))

 /**
  * Determine if the Managed Domain contains a specific domain name.
  */
 int md_contains(const md_t *md, const char *domain, int case_sensitive);

 /**
  * Determine if the names of the two managed domains overlap.
  */
 int md_domains_overlap(const md_t *md1, const md_t *md2);

 /**
  * Determine if the domain names are equal.
  */
 int md_equal_domains(const md_t *md1, const md_t *md2, int case_sensitive);

 /**
  * Determine if the domains in md1 contain all domains of md2.
  */
 int md_contains_domains(const md_t *md1, const md_t *md2);

 /**
  * Get one common domain name of the two managed domains or NULL.
  */
 const char *md_common_name(const md_t *md1, const md_t *md2);

 /**
  * Get the number of common domains.
  */
 apr_size_t md_common_name_count(const md_t *md1, const md_t *md2);

 /**
  * Look up a managed domain by its name.
  */
 md_t *md_get_by_name(struct apr_array_header_t *mds, const char *name);

 /**
  * Look up a managed domain by a DNS name it contains.
  */
 md_t *md_get_by_domain(struct apr_array_header_t *mds, const char *domain);

 /**
  * Find a managed domain, different from the given one, that has overlaps
  * in the domain list.
  */
 md_t *md_get_by_dns_overlap(struct apr_array_header_t *mds, const md_t *md);

 /**
  * Create and empty md record, structures initialized.
  */
 md_t *md_create_empty(apr_pool_t *p);

 /**
  * Create a managed domain, given a list of domain names.
  */
 md_t *md_create(apr_pool_t *p, struct apr_array_header_t *domains);

 /**
  * Deep copy an md record into another pool.
  */
 md_t *md_clone(apr_pool_t *p, const md_t *src);

 /**
  * Shallow copy an md record into another pool.
  */
 md_t *md_copy(apr_pool_t *p, const md_t *src);

 /**
  * Convert the managed domain into a JSON representation and vice versa.
  *
  * This reads and writes the following information: name, domains, ca_url, ca_proto and state.
  */
 struct md_json_t *md_to_json(const md_t *md, apr_pool_t *p);
 md_t *md_from_json(struct md_json_t *json, apr_pool_t *p);

 /**
  * Same as md_to_json(), but with sensitive fields stripped.
  */
 struct md_json_t *md_to_public_json(const md_t *md, apr_pool_t *p);

 int md_is_covered_by_alt_names(const md_t *md, const struct apr_array_header_t* alt_names);

 /* how many certificates this domain has/will eventually have. */
 int md_cert_count(const md_t *md);

 const char *md_get_ca_name_from_url(apr_pool_t *p, const char *url);
 apr_status_t md_get_ca_url_from_name(const char **purl, apr_pool_t *p, const char *name);

 /**************************************************************************************************/
 /* notifications */

 typedef apr_status_t md_job_notify_cb(struct md_job_t *job, const char *reason,
                                       struct md_result_t *result, apr_pool_t *p, void *baton);

 /**************************************************************************************************/
 /* domain credentials */

 typedef struct md_pubcert_t md_pubcert_t;
 struct md_pubcert_t {
     struct apr_array_header_t *certs;     /* chain of const md_cert*, leaf cert first */
     struct apr_array_header_t *alt_names; /* alt-names of leaf cert */
     const char *cert_file;                /* file path of chain */
     const char *key_file;                 /* file path of key for leaf cert */
 };

 #define MD_OK(c)                    (APR_SUCCESS == (rv = c))

 #endif /* mod_md_md_h */
	/* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#ifndef mod_md_md_h
	#define mod_md_md_h

	#include <apr_time.h>

	#include "md_time.h"
	#include "md_version.h"

	struct apr_array_header_t;
	struct apr_hash_t;
	struct md_json_t;
	struct md_cert_t;
	struct md_job_t;
	struct md_pkey_t;
	struct md_result_t;
	struct md_store_t;
	struct md_srv_conf_t;
	struct md_pkey_spec_t;

	#define MD_PKEY_RSA_BITS_MIN 2048
	#define MD_PKEY_RSA_BITS_DEF 2048

	/* Minimum age for the HSTS header (RFC 6797), considered appropriate by Mozilla Security */
	#define MD_HSTS_HEADER "Strict-Transport-Security"
	#define MD_HSTS_MAX_AGE_DEFAULT 15768000

	#define PROTO_ACME_TLS_1 "acme-tls/1"

	#define MD_TIME_LIFE_NORM (apr_time_from_sec(100 * MD_SECS_PER_DAY))
	#define MD_TIME_RENEW_WINDOW_DEF (apr_time_from_sec(33 * MD_SECS_PER_DAY))
	#define MD_TIME_WARN_WINDOW_DEF (apr_time_from_sec(10 * MD_SECS_PER_DAY))
	#define MD_TIME_OCSP_KEEP_NORM (apr_time_from_sec(7 * MD_SECS_PER_DAY))

	#define MD_OTHER "other"

	typedef enum {
	MD_S_UNKNOWN = 0, /* MD has not been analysed yet */
	MD_S_INCOMPLETE = 1, /* MD is missing necessary information, cannot go live */
	MD_S_COMPLETE = 2, /* MD has all necessary information, can go live */
	MD_S_EXPIRED_DEPRECATED = 3, /* deprecated */
	MD_S_ERROR = 4, /* MD data is flawed, unable to be processed as is */
	MD_S_MISSING_INFORMATION = 5, /* User has not agreed to ToS */
	} md_state_t;

	typedef enum {
	MD_REQUIRE_UNSET = -1,
	MD_REQUIRE_OFF,
	MD_REQUIRE_TEMPORARY,
	MD_REQUIRE_PERMANENT,
	} md_require_t;

	typedef enum {
	MD_RENEW_DEFAULT = -1, /* default value */
	MD_RENEW_MANUAL, /* manually triggered renewal of certificate */
	MD_RENEW_AUTO, /* automatic process performed by httpd */
	MD_RENEW_ALWAYS, /* always renewed by httpd, even if not necessary */
	} md_renew_mode_t;

	typedef struct md_t md_t;
	struct md_t {
	const char name; / unique name of this MD */
	struct apr_array_header_t domains; / all DNS names this MD includes */
	struct apr_array_header_t contacts; / list of contact uris, e.g. mailto:xxx */

	int transitive; /* != 0 iff VirtualHost names/aliases are auto-added */
	md_require_t require_https; /* Iff https: is required for this MD */

	int renew_mode; /* mode of obtaining credentials */
	struct md_pkeys_spec_t pks; / specification for generating private keys */
	int must_staple; /* certificates should set the OCSP Must Staple extension */
	md_timeslice_t renew_window; / time before expiration that starts renewal */
	md_timeslice_t warn_window; / time before expiration that warnings are sent out */

	const char ca_proto; / protocol used vs CA (e.g. ACME) */
	struct apr_array_header_t ca_urls; / urls of CAs */
	const char ca_effective; / url of CA used */
	const char ca_account; / account used at CA */
	const char ca_agreement; / accepted agreement uri between CA and user */
	struct apr_array_header_t ca_challenges; / challenge types configured for this MD */
	struct apr_array_header_t cert_files; / != NULL iff pubcerts explicitly configured */
	struct apr_array_header_t pkey_files; / != NULL iff privkeys explicitly configured */
	const char ca_eab_kid; / optional KEYID for external account binding */
	const char ca_eab_hmac; / optional HMAC for external account binding */

	md_state_t state; /* state of this MD */
	const char state_descr; / description of state of NULL */

	struct apr_array_header_t acme_tls_1_domains; / domains supporting "acme-tls/1" protocol */
	int stapling; /* if OCSP stapling is enabled */

	int watched; /* if certificate is supervised (renew or expiration warning) */
	const struct md_srv_conf_t sc; / server config where it was defined or NULL */
	const char defn_name; / config file this MD was defined */
	unsigned defn_line_number; /* line number of definition */

	const char configured_name; / name this MD was configured with, if different */
	};

	#define MD_KEY_ACCOUNT "account"
	#define MD_KEY_ACME_TLS_1 "acme-tls/1"
	#define MD_KEY_ACTIVATION_DELAY "activation-delay"
	#define MD_KEY_ACTIVITY "activity"
	#define MD_KEY_AGREEMENT "agreement"
	#define MD_KEY_AUTHORIZATIONS "authorizations"
	#define MD_KEY_BITS "bits"
	#define MD_KEY_CA "ca"
	#define MD_KEY_CA_URL "ca-url"
	#define MD_KEY_CERT "cert"
	#define MD_KEY_CERT_FILES "cert-files"
	#define MD_KEY_CERTIFICATE "certificate"
	#define MD_KEY_CHALLENGE "challenge"
	#define MD_KEY_CHALLENGES "challenges"
	#define MD_KEY_CMD_DNS01 "cmd-dns-01"
	#define MD_KEY_COMPLETE "complete"
	#define MD_KEY_CONTACT "contact"
	#define MD_KEY_CONTACTS "contacts"
	#define MD_KEY_CSR "csr"
	#define MD_KEY_CURVE "curve"
	#define MD_KEY_DETAIL "detail"
	#define MD_KEY_DISABLED "disabled"
	#define MD_KEY_DIR "dir"
	#define MD_KEY_DOMAIN "domain"
	#define MD_KEY_DOMAINS "domains"
	#define MD_KEY_EAB "eab"
	#define MD_KEY_EAB_REQUIRED "externalAccountRequired"
	#define MD_KEY_ENTRIES "entries"
	#define MD_KEY_ERRORED "errored"
	#define MD_KEY_ERROR "error"
	#define MD_KEY_ERRORS "errors"
	#define MD_KEY_EXPIRES "expires"
	#define MD_KEY_FINALIZE "finalize"
	#define MD_KEY_FINISHED "finished"
	#define MD_KEY_FROM "from"
	#define MD_KEY_GOOD "good"
	#define MD_KEY_HMAC "hmac"
	#define MD_KEY_HTTP "http"
	#define MD_KEY_HTTPS "https"
	#define MD_KEY_ID "id"
	#define MD_KEY_IDENTIFIER "identifier"
	#define MD_KEY_KEY "key"
	#define MD_KEY_KID "kid"
	#define MD_KEY_KEYAUTHZ "keyAuthorization"
	#define MD_KEY_LAST "last"
	#define MD_KEY_LAST_RUN "last-run"
	#define MD_KEY_LOCATION "location"
	#define MD_KEY_LOG "log"
	#define MD_KEY_MDS "managed-domains"
	#define MD_KEY_MESSAGE "message"
	#define MD_KEY_MUST_STAPLE "must-staple"
	#define MD_KEY_NAME "name"
	#define MD_KEY_NEXT_RUN "next-run"
	#define MD_KEY_NOTIFIED "notified"
	#define MD_KEY_NOTIFIED_RENEWED "notified-renewed"
	#define MD_KEY_OCSP "ocsp"
	#define MD_KEY_OCSPS "ocsps"
	#define MD_KEY_ORDERS "orders"
	#define MD_KEY_PERMANENT "permanent"
	#define MD_KEY_PKEY "privkey"
	#define MD_KEY_PKEY_FILES "pkey-files"
	#define MD_KEY_PROBLEM "problem"
	#define MD_KEY_PROTO "proto"
	#define MD_KEY_READY "ready"
	#define MD_KEY_REGISTRATION "registration"
	#define MD_KEY_RENEW "renew"
	#define MD_KEY_RENEW_AT "renew-at"
	#define MD_KEY_RENEW_MODE "renew-mode"
	#define MD_KEY_RENEWAL "renewal"
	#define MD_KEY_RENEWING "renewing"
	#define MD_KEY_RENEW_WINDOW "renew-window"
	#define MD_KEY_REQUIRE_HTTPS "require-https"
	#define MD_KEY_RESOURCE "resource"
	#define MD_KEY_RESPONSE "response"
	#define MD_KEY_REVOKED "revoked"
	#define MD_KEY_SERIAL "serial"
	#define MD_KEY_SHA256_FINGERPRINT "sha256-fingerprint"
	#define MD_KEY_STAPLING "stapling"
	#define MD_KEY_STATE "state"
	#define MD_KEY_STATE_DESCR "state-descr"
	#define MD_KEY_STATUS "status"
	#define MD_KEY_STORE "store"
	#define MD_KEY_SUBPROBLEMS "subproblems"
	#define MD_KEY_TEMPORARY "temporary"
	#define MD_KEY_TOS "termsOfService"
	#define MD_KEY_TOKEN "token"
	#define MD_KEY_TOTAL "total"
	#define MD_KEY_TRANSITIVE "transitive"
	#define MD_KEY_TYPE "type"
	#define MD_KEY_UNKNOWN "unknown"
	#define MD_KEY_UNTIL "until"
	#define MD_KEY_URL "url"
	#define MD_KEY_URLS "urls"
	#define MD_KEY_URI "uri"
	#define MD_KEY_VALID "valid"
	#define MD_KEY_VALID_FROM "valid-from"
	#define MD_KEY_VALUE "value"
	#define MD_KEY_VERSION "version"
	#define MD_KEY_WATCHED "watched"
	#define MD_KEY_WHEN "when"
	#define MD_KEY_WARN_WINDOW "warn-window"

	/* Check if a string member of a new MD (n) has
	* a value and if it differs from the old MD o
	*/
	#define MD_VAL_UPDATE(n,o,s) ((n)->s != (o)->s)
	#define MD_SVAL_UPDATE(n,o,s) ((n)->s && (!(o)->s \|\| strcmp((n)->s, (o)->s)))

	/**
	* Determine if the Managed Domain contains a specific domain name.
	*/
	int md_contains(const md_t md, const char domain, int case_sensitive);

	/**
	* Determine if the names of the two managed domains overlap.
	*/
	int md_domains_overlap(const md_t md1, const md_t md2);

	/**
	* Determine if the domain names are equal.
	*/
	int md_equal_domains(const md_t md1, const md_t md2, int case_sensitive);

	/**
	* Determine if the domains in md1 contain all domains of md2.
	*/
	int md_contains_domains(const md_t md1, const md_t md2);

	/**
	* Get one common domain name of the two managed domains or NULL.
	*/
	const char md_common_name(const md_t md1, const md_t *md2);

	/**
	* Get the number of common domains.
	*/
	apr_size_t md_common_name_count(const md_t md1, const md_t md2);

	/**
	* Look up a managed domain by its name.
	*/
	md_t md_get_by_name(struct apr_array_header_t mds, const char *name);

	/**
	* Look up a managed domain by a DNS name it contains.
	*/
	md_t md_get_by_domain(struct apr_array_header_t mds, const char *domain);

	/**
	* Find a managed domain, different from the given one, that has overlaps
	* in the domain list.
	*/
	md_t md_get_by_dns_overlap(struct apr_array_header_t mds, const md_t *md);

	/**
	* Create and empty md record, structures initialized.
	*/
	md_t md_create_empty(apr_pool_t p);

	/**
	* Create a managed domain, given a list of domain names.
	*/
	md_t md_create(apr_pool_t p, struct apr_array_header_t *domains);

	/**
	* Deep copy an md record into another pool.
	*/
	md_t md_clone(apr_pool_t p, const md_t *src);

	/**
	* Shallow copy an md record into another pool.
	*/
	md_t md_copy(apr_pool_t p, const md_t *src);

	/**
	* Convert the managed domain into a JSON representation and vice versa.
	*
	* This reads and writes the following information: name, domains, ca_url, ca_proto and state.
	*/
	struct md_json_t md_to_json(const md_t md, apr_pool_t *p);
	md_t md_from_json(struct md_json_t json, apr_pool_t *p);

	/**
	* Same as md_to_json(), but with sensitive fields stripped.
	*/
	struct md_json_t md_to_public_json(const md_t md, apr_pool_t *p);

	int md_is_covered_by_alt_names(const md_t md, const struct apr_array_header_t alt_names);

	/* how many certificates this domain has/will eventually have. */
	int md_cert_count(const md_t *md);

	const char md_get_ca_name_from_url(apr_pool_t p, const char *url);
	apr_status_t md_get_ca_url_from_name(const char *purl, apr_pool_t p, const char *name);

	/**************************************************************************************************/
	/* notifications */

	typedef apr_status_t md_job_notify_cb(struct md_job_t job, const char reason,
	struct md_result_t result, apr_pool_t p, void *baton);

	/**************************************************************************************************/
	/* domain credentials */

	typedef struct md_pubcert_t md_pubcert_t;
	struct md_pubcert_t {
	struct apr_array_header_t certs; / chain of const md_cert, leaf cert first /
	struct apr_array_header_t alt_names; / alt-names of leaf cert */
	const char cert_file; / file path of chain */
	const char key_file; / file path of key for leaf cert */
	};

	#define MD_OK(c) (APR_SUCCESS == (rv = c))

	#endif /* mod_md_md_h */