Google Git
Sign in
apache / serf / 89fd64fb15adbf5af2d7c1a21fbe04f8fe727499 / . / buckets / bucket_private.h
blob: b77608da4cbd8f493fea5d05cfea8f91d7346069 [file] [log] [blame]
/* Copyright 2013 Justin Erenkrantz and Greg Stein
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef _BUCKET_PRIVATE_H_
#define _BUCKET_PRIVATE_H_
typedef struct serf_ssl_bucket_type_t serf_ssl_bucket_type_t;
struct serf_ssl_bucket_type_t {
void * (*decrypt_create)(serf_bucket_t *bucket,
serf_bucket_t *stream,
void *impl_ctx,
serf_bucket_alloc_t *allocator);
void * (*decrypt_context_get)(serf_bucket_t *bucket);
void * (*encrypt_create)(serf_bucket_t *bucket,
serf_bucket_t *stream,
void *impl_ctx,
serf_bucket_alloc_t *allocator);
void * (*encrypt_context_get)(serf_bucket_t *bucket);
/**
* Allow SNI indicators to be sent to the server.
*/
apr_status_t (*set_hostname)(void *impl_ctx, const char *hostname);
void (*client_cert_provider_set)(void *impl_ctx,
serf_ssl_need_client_cert_t callback,
void *data,
void *cache_pool);
void (*identity_provider_set)(void *impl_ctx,
serf_ssl_need_identity_t callback,
void *data,
void *cache_pool);
void (*client_cert_password_set)(void *impl_ctx,
serf_ssl_need_cert_password_t callback,
void *data,
void *cache_pool);
/**
* Set a callback to override the default SSL server certificate validation
* algorithm.
*/
void (*server_cert_callback_set)(void *impl_ctx,
serf_ssl_need_server_cert_t callback,
void *data);
/**
* Set callbacks to override the default SSL server certificate validation
* algorithm for the current certificate or the entire certificate chain.
*/
void (*server_cert_chain_callback_set)(void *impl_ctx,
serf_ssl_need_server_cert_t cert_callback,
serf_ssl_server_cert_chain_cb_t cert_chain_callback,
void *data);
/**
* Use the default root CA certificates as included with the OpenSSL library.
* TODO: fix comment!
*/
apr_status_t (*use_default_certificates)(void *impl_ctx);
/**
* Load a CA certificate file from a path @a file_path. If the file was
* loaded and parsed correctly, a certificate @a cert will be created and
* returned.
* This certificate object will be alloced in @a pool.
*/
apr_status_t (*load_CA_cert_from_file)(serf_ssl_certificate_t **cert,
const char *file_path,
apr_pool_t *pool);
apr_status_t (*load_identity_from_file)(void *impl_ctx,
const serf_ssl_identity_t **identity,
const char *file_path,
apr_pool_t *pool);
/**
* Adds the certificate @a cert to the list of trusted certificates in
* @a ssl_ctx that will be used for verification.
* See also @a serf_ssl_load_cert_file.
*/
apr_status_t (*trust_cert)(void *impl_ctx,
serf_ssl_certificate_t *cert);
/**
* Extract the fields of the issuer in a table with keys (E, CN, OU, O, L,
* ST and C). The returned table will be allocated in @a pool.
*/
apr_hash_t * (*cert_issuer)(const serf_ssl_certificate_t *cert,
apr_pool_t *pool);
/**
* Extract the fields of the subject in a table with keys (E, CN, OU, O, L,
* ST and C). The returned table will be allocated in @a pool.
*/
apr_hash_t * (*cert_subject)(const serf_ssl_certificate_t *cert,
apr_pool_t *pool);
/**
* Extract the fields of the certificate in a table with keys (sha1,
* notBefore, notAfter, array of subjectAltName's). The returned table will
* be allocated in @a pool.
*/
apr_hash_t * (*cert_certificate)(const serf_ssl_certificate_t *cert,
apr_pool_t *pool);
/**
* Export a certificate to base64-encoded, zero-terminated string.
* The returned string is allocated in @a pool. Returns NULL on failure.
*/
const char * (*cert_export)(const serf_ssl_certificate_t *cert,
apr_pool_t *pool);
/**
* Enable or disable SSL compression on a SSL session.
* @a enabled = 1 to enable compression, 0 to disable compression.
* Default = disabled.
*/
apr_status_t (*use_compression)(void *impl_ctx,
int enabled);
/**
* Exports @a session to continous memory block.
*/
apr_status_t (*session_export)(void **data,
apr_size_t *len,
const serf_ssl_session_t *session,
apr_pool_t *pool);
/**
* Restores previously saved session from continuous memory block @a data
* with @a len length.
*/
apr_status_t (*session_import)(const serf_ssl_session_t **session,
void *data,
apr_size_t len,
apr_pool_t *pool);
/**
* TODO: comment
*/
void (*new_session_callback_set)(void *impl_ctx,
serf_ssl_new_session_t new_session_cb,
void *baton);
/* Configure @a ssl_ctx to attempt resume exisiting @a ssl_session. */
apr_status_t (*resume_session)(void *impl_ctx,
const serf_ssl_session_t *ssl_session,
apr_pool_t *pool);
};
/* Implementation independent certificate object. */
struct serf_ssl_certificate_t {
/** bucket implementation that can parse this certificate. */
const serf_ssl_bucket_type_t *type;
/** implementation specific certificate data */
/* Note: non-const, as required by OpenSSL. */
void *impl_cert;
/** Depth in the chain where an error was found. */
int depth_of_error;
};
/* Loads a certificate from a memory buffer.
Defined here so it can be used by the test suite. */
apr_status_t
load_CA_cert_from_buffer(serf_ssl_certificate_t **cert,
const char *buf,
apr_size_t len,
apr_pool_t *pool);
/* Creates a serf_ssl_certificate_t object, caller takes ownership. */
serf_ssl_certificate_t *
serf__create_certificate(serf_bucket_alloc_t *allocator,
const serf_ssl_bucket_type_t *type,
void *impl_cert,
int depth);
/* Implementation independent identity object. An identity is a combination
of a certificate and a private key, typically stored in a .p12 file. */
struct serf_ssl_identity_t {
/** bucket implementation that can parse this identity. */
const serf_ssl_bucket_type_t *type;
/** implementation specific client certificate */
void *impl_cert;
/** implementation specific private key */
void *impl_pkey;
};
/* Creates a serf_ssl_identity_t object, caller takes ownership. */
serf_ssl_identity_t *
serf__create_identity(const serf_ssl_bucket_type_t *type,
void *impl_cert,
void *impl_pkey,
apr_pool_t *pool);
void *serf__ssl_get_impl_context(serf_ssl_context_t *ssl_ctx);
/* Implementation independent serialized SSL session object */
struct serf_ssl_session_t {
#if 0
/* Not needed as long as each API takes a serf_ssl_context_t. */
/** bucket implementation that can parse this session object. */
const serf_ssl_bucket_type_t *type;
#endif
/** implementation specific serialized SSL session object. */
void *impl_session_obj;
};
/* macosxssl_bucket internal functions */
#ifdef SERF_HAVE_MACOSXSSL
#include <Security/SecCertificate.h>
/* macosxssl_bucket private certificate structure. Wrapper around the
SecCertificateRef ptr, with content the cached parsed information from the
certificate. */
typedef struct macosxssl_certificate_t {
SecCertificateRef certref;
apr_hash_t *content;
} macosxssl_certificate_t;
apr_status_t
serf__macosxssl_read_X509_DER_DN(apr_hash_t **o, CFDataRef ptr,
apr_pool_t *pool);
apr_status_t
serf__macosxssl_read_X509_DER_certificate(apr_hash_t **o,
const macosxssl_certificate_t *cert,
apr_pool_t *pool);
#endif
/* ==================================================================== */
#ifdef SERF_HAVE_OPENSSL
extern const serf_ssl_bucket_type_t serf_ssl_bucket_type_openssl;
#endif /* SERF_HAVE_OPENSSL */
/* ==================================================================== */
#if SERF_HAVE_MACOSXSSL
extern const serf_ssl_bucket_type_t serf_ssl_bucket_type_macosxssl;
#endif /* SERF_HAVE_MACOSXSSL */
/* ==================================================================== */
#endif