From b1a1c1d95059e2fefd7b5671eb110ab690409a84 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 25 May 2024 06:41:28 +0200
Subject: Merging upstream version 2.4.59.
Signed-off-by: Daniel Baumann
---
 modules/md/md_acme_acct.h | 103 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 101 insertions(+), 2 deletions(-)
(limited to 'modules/md/md_acme_acct.h')
diff --git a/modules/md/md_acme_acct.h b/modules/md/md_acme_acct.h
index e200da3..b5bba63 100644
--- a/modules/md/md_acme_acct.h
+++ b/modules/md/md_acme_acct.h
@@ -21,22 +21,32 @@ struct md_acme_req;
 struct md_json_t;
 struct md_pkey_t;
+#include "md_store.h"
 /**
 * An ACME account at an ACME server.
 */
 typedef struct md_acme_acct_t md_acme_acct_t;
+typedef enum {
+ MD_ACME_ACCT_ST_UNKNOWN,
+ MD_ACME_ACCT_ST_VALID,
+ MD_ACME_ACCT_ST_DEACTIVATED,
+ MD_ACME_ACCT_ST_REVOKED,
+} md_acme_acct_st;
+
 struct md_acme_acct_t {
 const char *id; /* short, unique id for the account */
 const char *url; /* url of the account, once registered */
 const char *ca_url; /* url of the ACME protocol endpoint */
+ md_acme_acct_st status; /* status of this account */
 apr_array_header_t *contacts; /* list of contact uris, e.g. mailto:xxx */
 const char *tos_required; /* terms of service asked for by CA */
 const char *agreement; /* terms of service agreed to by user */
-
+ const char *orders; /* URL where certificate orders are found (ACMEv2) */
+ const char *eab_kid; /* external account binding keyid used or NULL */
+ const char *eab_hmac; /* external account binding hmac used or NULL */
 struct md_json_t *registration; /* data from server registration */
- int disabled;
 };
 #define MD_FN_ACCOUNT "account.json"
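Review bot: The new `eab_hmac` member holds the External Account Binding MAC key, which RFC 8555 §7.3.4 treats as a shared secret between CA and client, yet its comment documents it like any other string; `md_acme_acct_to_json` (declared later in this file) and any logging of the account struct presumably get a copy of it, so the declaration should mark it as sensitive, e.g. `const char *eab_hmac; /* external account binding hmac key (secret: never log, persist only in the protected store) or NULL */`. Replacing `int disabled` with the `status` enum also changes what is persisted in `MD_FN_ACCOUNT`; unless `md_acme_acct_from_json` maps a legacy `disabled` flag to `MD_ACME_ACCT_ST_DEACTIVATED`, accounts stored by older versions presumably reload as `MD_ACME_ACCT_ST_UNKNOWN`, so the enum deserves a comment saying whether `UNKNOWN` must be treated as unusable until `md_acme_acct_validate` has refreshed it. Minor style point: the `#include "md_store.h"` lands between forward declarations and the struct comment; grouping it with the header's other includes (outside this hunk) would be tidier.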
@@ -46,4 +56,93 @@ struct md_acme_acct_t {
 * are expected to live long, better err on the safe side.
 */
 #define MD_ACME_ACCT_PKEY_BITS 3072
+#define MD_ACME_ACCT_STAGED "staged"
+
+/**
+ * Convert an ACME account form/to JSON.
+ */
+struct md_json_t *md_acme_acct_to_json(md_acme_acct_t *acct, apr_pool_t *p);
+apr_status_t md_acme_acct_from_json(md_acme_acct_t **pacct, struct md_json_t *json, apr_pool_t *p);
+
+/**
+ * Update the account from the ACME server.
+ * - Will update acme->acct structure from server on success
+ * - Will return error status when request failed or account is not known.
+ */
+apr_status_t md_acme_acct_update(md_acme_t *acme);
+
+/**
+ * Update the account and persist changes in the store, if given (and not NULL).
+ */
+apr_status_t md_acme_acct_validate(md_acme_t *acme, md_store_t *store, apr_pool_t *p);
+
+/**
+ * Agree to the given Terms-of-Service url for the current account.
+ */
+apr_status_t md_acme_agree(md_acme_t *acme, apr_pool_t *p, const char *tos);
+
+/**
+ * Confirm with the server that the current account agrees to the Terms-of-Service
+ * given in the agreement url.
+ * If the known agreement is equal to this, nothing is done.
+ * If it differs, the account is re-validated in the hope that the server
+ * announces the Tos URL it wants. If this is equal to the agreement specified,
+ * the server is notified of this. If the server requires a ToS that the account
+ * thinks it has already given, it is resend.
+ *
+ * If an agreement is required, different from the current one, APR_INCOMPLETE is
+ * returned and the agreement url is returned in the parameter.
+ */
+apr_status_t md_acme_check_agreement(md_acme_t *acme, apr_pool_t *p,
+ const char *agreement, const char **prequired);
+
+/**
+ * Get the ToS agreement for current account.
+ */
+const char *md_acme_get_agreement(md_acme_t *acme);
+
+
+/**
+ * Find an existing account in the local store. On APR_SUCCESS, the acme
+ * instance will have a current, validated account to use.
+ */
+apr_status_t md_acme_find_acct_for_md(md_acme_t *acme, md_store_t *store, const md_t *md);
+
+/**
+ * Find the account id for a given md.
+ */
+apr_status_t md_acme_acct_id_for_md(const char **pid, md_store_t *store,
+ md_store_group_t group, const md_t *md, apr_pool_t *p);
+
+/**
+ * Create a new account at the ACME server for an MD. The
+ * new account is the one used by the acme instance afterwards, on success.
+ */
+apr_status_t md_acme_acct_register(md_acme_t *acme, md_store_t *store,
+ const md_t *md, apr_pool_t *p);
+
+apr_status_t md_acme_acct_save(md_store_t *store, apr_pool_t *p, md_acme_t *acme,
+ const char **pid, struct md_acme_acct_t *acct,
+ struct md_pkey_t *acct_key);
+
+/**
+ * Deactivate the current account at the ACME server.
+ */
+apr_status_t md_acme_acct_deactivate(md_acme_t *acme, apr_pool_t *p);
+
+apr_status_t md_acme_acct_load(struct md_acme_acct_t **pacct, struct md_pkey_t **ppkey,
+ md_store_t *store, md_store_group_t group,
+ const char *name, apr_pool_t *p);
+
+/*
+ * Return != 0 iff the account can be used for the ACME url.
+ */
+int md_acme_acct_matches_url(md_acme_acct_t *acct, const char *url);
+
+/*
+ * Return != 0 iff the account can be used for the MD, including
+ * its CA url and EAB settings.
+ */
+int md_acme_acct_matches_md(md_acme_acct_t *acct, const md_t *md);
+
 #endif /* md_acme_acct_h */
-- cgit v1.2.3
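Review bot: `md_acme_acct_save` and `md_acme_acct_load` are the two declarations in this hunk that carry the account's private key (`acct_key`, `ppkey`), and they are the only new prototypes without a comment; their contract matters more than the others' because the key is the credential that authorizes every ACME request for the account. I would add a `/** ... */` block above each stating what `pid` receives and how `acme` relates to `acct` for save, and for load that the key comes back allocated from `p` (to be confirmed in the implementation), is NULL or an error when the account has no key, and must never be logged or copied outside the store. `md_acme_acct_deactivate` deserves one more sentence: deactivation is irreversible at the CA (RFC 8555 §7.3.6), and the comment should say whether the local `status` is set to `MD_ACME_ACCT_ST_DEACTIVATED` on success. Wording in the new comments: "form/to JSON" should read "from/to JSON", "it is resend" should read "it is resent", and "Tos URL" should match the "ToS" spelling used two lines later.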