modules/tls/tls_ocsp.c - httpd - Git at Google

 /* Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 #include <assert.h>
 #include <apr_lib.h>
 #include <apr_strings.h>

 #include <httpd.h>
 #include <http_connection.h>
 #include <http_core.h>
 #include <http_log.h>
 #include <http_ssl.h>

 #include <rustls.h>

 #include "tls_cert.h"
 #include "tls_conf.h"
 #include "tls_core.h"
 #include "tls_proto.h"
 #include "tls_ocsp.h"

 extern module AP_MODULE_DECLARE_DATA tls_module;
 APLOG_USE_MODULE(tls);


 static int prime_cert(
     void *userdata, server_rec *s, const char *cert_id, const char *cert_pem,
     const rustls_certified_key *certified_key)
 {
     apr_pool_t *p = userdata;
     apr_status_t rv;

     (void)certified_key;
     rv = ap_ssl_ocsp_prime(s, p, cert_id, strlen(cert_id), cert_pem);
     ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s, "ocsp prime of cert [%s] from %s",
                  cert_id, s->server_hostname);
     return 1;
 }

 apr_status_t tls_ocsp_prime_certs(tls_conf_global_t *gc, apr_pool_t *p, server_rec *s)
 {
     ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "ocsp priming of %d certs",
                  (int)tls_cert_reg_count(gc->cert_reg));
     tls_cert_reg_do(prime_cert, p, gc->cert_reg);
     return APR_SUCCESS;
 }

 typedef struct {
     conn_rec *c;
     const rustls_certified_key *key_in;
     const rustls_certified_key *key_out;
 } ocsp_copy_ctx_t;

 static void ocsp_clone_key(const unsigned char *der, apr_size_t der_len, void *userdata)
 {
     ocsp_copy_ctx_t *ctx = userdata;
     rustls_slice_bytes rslice;
     rustls_result rr;

     rslice.data = der;
     rslice.len = der_len;

     rr = rustls_certified_key_clone_with_ocsp(ctx->key_in, der_len? &rslice : NULL, &ctx->key_out);
     if (RUSTLS_RESULT_OK != rr) {
         const char *err_descr = NULL;
         apr_status_t rv = tls_util_rustls_error(ctx->c->pool, rr, &err_descr);
         ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctx->c, APLOGNO(10362)
                      "Failed add OCSP data to certificate: [%d] %s", (int)rr, err_descr);
     }
     else {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctx->c,
             "provided %ld bytes of ocsp response DER data to key.", (long)der_len);
     }
 }

 apr_status_t tls_ocsp_update_key(
     conn_rec *c, const rustls_certified_key *certified_key,
     const rustls_certified_key **pkey_out)
 {
     tls_conf_conn_t *cc = tls_conf_conn_get(c);
     tls_conf_server_t *sc;
     const char *key_id;
     apr_status_t rv = APR_SUCCESS;
     ocsp_copy_ctx_t ctx;

     assert(cc);
     assert(cc->server);
     sc = tls_conf_server_get(cc->server);
     key_id = tls_cert_reg_get_id(sc->global->cert_reg, certified_key);
     if (!key_id) {
         rv = APR_ENOENT;
         ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, c, "certified key not registered");
         goto cleanup;
     }

     ctx.c = c;
     ctx.key_in = certified_key;
     ctx.key_out = NULL;
     rv = ap_ssl_ocsp_get_resp(cc->server, c, key_id, strlen(key_id), ocsp_clone_key, &ctx);
     if (APR_SUCCESS != rv) {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, c,
             "ocsp response not available for cert %s", key_id);
     }

 cleanup:
     *pkey_out = (APR_SUCCESS == rv)? ctx.key_out : NULL;
     return rv;
 }
	/* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	#include <assert.h>
	#include <apr_lib.h>
	#include <apr_strings.h>

	#include <httpd.h>
	#include <http_connection.h>
	#include <http_core.h>
	#include <http_log.h>
	#include <http_ssl.h>

	#include <rustls.h>

	#include "tls_cert.h"
	#include "tls_conf.h"
	#include "tls_core.h"
	#include "tls_proto.h"
	#include "tls_ocsp.h"

	extern module AP_MODULE_DECLARE_DATA tls_module;
	APLOG_USE_MODULE(tls);


	static int prime_cert(
	void userdata, server_rec s, const char cert_id, const char cert_pem,
	const rustls_certified_key *certified_key)
	{
	apr_pool_t *p = userdata;
	apr_status_t rv;

	(void)certified_key;
	rv = ap_ssl_ocsp_prime(s, p, cert_id, strlen(cert_id), cert_pem);
	ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s, "ocsp prime of cert [%s] from %s",
	cert_id, s->server_hostname);
	return 1;
	}

	apr_status_t tls_ocsp_prime_certs(tls_conf_global_t gc, apr_pool_t p, server_rec *s)
	{
	ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "ocsp priming of %d certs",
	(int)tls_cert_reg_count(gc->cert_reg));
	tls_cert_reg_do(prime_cert, p, gc->cert_reg);
	return APR_SUCCESS;
	}

	typedef struct {
	conn_rec *c;
	const rustls_certified_key *key_in;
	const rustls_certified_key *key_out;
	} ocsp_copy_ctx_t;

	static void ocsp_clone_key(const unsigned char der, apr_size_t der_len, void userdata)
	{
	ocsp_copy_ctx_t *ctx = userdata;
	rustls_slice_bytes rslice;
	rustls_result rr;

	rslice.data = der;
	rslice.len = der_len;

	rr = rustls_certified_key_clone_with_ocsp(ctx->key_in, der_len? &rslice : NULL, &ctx->key_out);
	if (RUSTLS_RESULT_OK != rr) {
	const char *err_descr = NULL;
	apr_status_t rv = tls_util_rustls_error(ctx->c->pool, rr, &err_descr);
	ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctx->c, APLOGNO(10362)
	"Failed add OCSP data to certificate: [%d] %s", (int)rr, err_descr);
	}
	else {
	ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctx->c,
	"provided %ld bytes of ocsp response DER data to key.", (long)der_len);
	}
	}

	apr_status_t tls_ocsp_update_key(
	conn_rec c, const rustls_certified_key certified_key,
	const rustls_certified_key **pkey_out)
	{
	tls_conf_conn_t *cc = tls_conf_conn_get(c);
	tls_conf_server_t *sc;
	const char *key_id;
	apr_status_t rv = APR_SUCCESS;
	ocsp_copy_ctx_t ctx;

	assert(cc);
	assert(cc->server);
	sc = tls_conf_server_get(cc->server);
	key_id = tls_cert_reg_get_id(sc->global->cert_reg, certified_key);
	if (!key_id) {
	rv = APR_ENOENT;
	ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, c, "certified key not registered");
	goto cleanup;
	}

	ctx.c = c;
	ctx.key_in = certified_key;
	ctx.key_out = NULL;
	rv = ap_ssl_ocsp_get_resp(cc->server, c, key_id, strlen(key_id), ocsp_clone_key, &ctx);
	if (APR_SUCCESS != rv) {
	ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, c,
	"ocsp response not available for cert %s", key_id);
	}

	cleanup:
	*pkey_out = (APR_SUCCESS == rv)? ctx.key_out : NULL;
	return rv;
	}