1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
|
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef mod_md_md_h
#define mod_md_md_h
#include "md_version.h"
struct apr_array_header_t;
struct apr_hash_t;
struct md_json_t;
struct md_cert_t;
struct md_pkey_t;
struct md_store_t;
struct md_srv_conf_t;
struct md_pkey_spec_t;
#define MD_TLSSNI01_DNS_SUFFIX ".acme.invalid"
#define MD_PKEY_RSA_BITS_MIN 2048
#define MD_PKEY_RSA_BITS_DEF 2048
/* Minimum age for the HSTS header (RFC 6797), considered appropriate by Mozilla Security */
#define MD_HSTS_HEADER "Strict-Transport-Security"
#define MD_HSTS_MAX_AGE_DEFAULT 15768000
typedef enum {
MD_S_UNKNOWN, /* MD has not been analysed yet */
MD_S_INCOMPLETE, /* MD is missing necessary information, cannot go live */
MD_S_COMPLETE, /* MD has all necessary information, can go live */
MD_S_EXPIRED, /* MD is complete, but credentials have expired */
MD_S_ERROR, /* MD data is flawed, unable to be processed as is */
MD_S_MISSING, /* MD is missing config information, cannot proceed */
} md_state_t;
typedef enum {
MD_REQUIRE_UNSET = -1,
MD_REQUIRE_OFF,
MD_REQUIRE_TEMPORARY,
MD_REQUIRE_PERMANENT,
} md_require_t;
typedef enum {
MD_SV_TEXT,
MD_SV_JSON,
MD_SV_CERT,
MD_SV_PKEY,
MD_SV_CHAIN,
} md_store_vtype_t;
typedef enum {
MD_SG_NONE,
MD_SG_ACCOUNTS,
MD_SG_CHALLENGES,
MD_SG_DOMAINS,
MD_SG_STAGING,
MD_SG_ARCHIVE,
MD_SG_TMP,
MD_SG_COUNT,
} md_store_group_t;
typedef enum {
MD_DRIVE_DEFAULT = -1, /* default value */
MD_DRIVE_MANUAL, /* manually triggered transmission of credentials */
MD_DRIVE_AUTO, /* automatic process performed by httpd */
MD_DRIVE_ALWAYS, /* always driven by httpd, even if not used in any vhost */
} md_drive_mode_t;
typedef struct md_t md_t;
struct md_t {
const char *name; /* unique name of this MD */
struct apr_array_header_t *domains; /* all DNS names this MD includes */
struct apr_array_header_t *contacts; /* list of contact uris, e.g. mailto:xxx */
int transitive; /* != 0 iff VirtualHost names/aliases are auto-added */
md_require_t require_https; /* Iff https: is required for this MD */
int drive_mode; /* mode of obtaining credentials */
struct md_pkey_spec_t *pkey_spec;/* specification for generating new private keys */
int must_staple; /* certificates should set the OCSP Must Staple extension */
apr_interval_time_t renew_norm; /* if > 0, normalized cert lifetime */
apr_interval_time_t renew_window;/* time before expiration that starts renewal */
const char *ca_url; /* url of CA certificate service */
const char *ca_proto; /* protocol used vs CA (e.g. ACME) */
const char *ca_account; /* account used at CA */
const char *ca_agreement; /* accepted agreement uri between CA and user */
struct apr_array_header_t *ca_challenges; /* challenge types configured for this MD */
md_state_t state; /* state of this MD */
apr_time_t valid_from; /* When the credentials start to be valid. 0 if unknown */
apr_time_t expires; /* When the credentials expire. 0 if unknown */
const char *cert_url; /* url where cert has been created, remember during drive */
const struct md_srv_conf_t *sc; /* server config where it was defined or NULL */
const char *defn_name; /* config file this MD was defined */
unsigned defn_line_number; /* line number of definition */
};
#define MD_KEY_ACCOUNT "account"
#define MD_KEY_AGREEMENT "agreement"
#define MD_KEY_BITS "bits"
#define MD_KEY_CA "ca"
#define MD_KEY_CA_URL "ca-url"
#define MD_KEY_CERT "cert"
#define MD_KEY_CHALLENGES "challenges"
#define MD_KEY_CONTACT "contact"
#define MD_KEY_CONTACTS "contacts"
#define MD_KEY_CSR "csr"
#define MD_KEY_DETAIL "detail"
#define MD_KEY_DISABLED "disabled"
#define MD_KEY_DIR "dir"
#define MD_KEY_DOMAIN "domain"
#define MD_KEY_DOMAINS "domains"
#define MD_KEY_DRIVE_MODE "drive-mode"
#define MD_KEY_ERRORS "errors"
#define MD_KEY_EXPIRES "expires"
#define MD_KEY_HTTP "http"
#define MD_KEY_HTTPS "https"
#define MD_KEY_ID "id"
#define MD_KEY_IDENTIFIER "identifier"
#define MD_KEY_KEY "key"
#define MD_KEY_KEYAUTHZ "keyAuthorization"
#define MD_KEY_LOCATION "location"
#define MD_KEY_MUST_STAPLE "must-staple"
#define MD_KEY_NAME "name"
#define MD_KEY_PERMANENT "permanent"
#define MD_KEY_PKEY "privkey"
#define MD_KEY_PROCESSED "processed"
#define MD_KEY_PROTO "proto"
#define MD_KEY_REGISTRATION "registration"
#define MD_KEY_RENEW "renew"
#define MD_KEY_RENEW_WINDOW "renew-window"
#define MD_KEY_REQUIRE_HTTPS "require-https"
#define MD_KEY_RESOURCE "resource"
#define MD_KEY_STATE "state"
#define MD_KEY_STATUS "status"
#define MD_KEY_STORE "store"
#define MD_KEY_TEMPORARY "temporary"
#define MD_KEY_TOKEN "token"
#define MD_KEY_TRANSITIVE "transitive"
#define MD_KEY_TYPE "type"
#define MD_KEY_URL "url"
#define MD_KEY_URI "uri"
#define MD_KEY_VALID_FROM "validFrom"
#define MD_KEY_VALUE "value"
#define MD_KEY_VERSION "version"
#define MD_FN_MD "md.json"
#define MD_FN_JOB "job.json"
#define MD_FN_PRIVKEY "privkey.pem"
#define MD_FN_PUBCERT "pubcert.pem"
#define MD_FN_CERT "cert.pem"
#define MD_FN_CHAIN "chain.pem"
#define MD_FN_HTTPD_JSON "httpd.json"
#define MD_FN_FALLBACK_PKEY "fallback-privkey.pem"
#define MD_FN_FALLBACK_CERT "fallback-cert.pem"
/* Check if a string member of a new MD (n) has
* a value and if it differs from the old MD o
*/
#define MD_VAL_UPDATE(n,o,s) ((n)->s != (o)->s)
#define MD_SVAL_UPDATE(n,o,s) ((n)->s && (!(o)->s || strcmp((n)->s, (o)->s)))
/**
* Determine if the Managed Domain contains a specific domain name.
*/
int md_contains(const md_t *md, const char *domain, int case_sensitive);
/**
* Determine if the names of the two managed domains overlap.
*/
int md_domains_overlap(const md_t *md1, const md_t *md2);
/**
* Determine if the domain names are equal.
*/
int md_equal_domains(const md_t *md1, const md_t *md2, int case_sensitive);
/**
* Determine if the domains in md1 contain all domains of md2.
*/
int md_contains_domains(const md_t *md1, const md_t *md2);
/**
* Get one common domain name of the two managed domains or NULL.
*/
const char *md_common_name(const md_t *md1, const md_t *md2);
/**
* Get the number of common domains.
*/
apr_size_t md_common_name_count(const md_t *md1, const md_t *md2);
/**
* Look up a managed domain by its name.
*/
md_t *md_get_by_name(struct apr_array_header_t *mds, const char *name);
/**
* Look up a managed domain by a DNS name it contains.
*/
md_t *md_get_by_domain(struct apr_array_header_t *mds, const char *domain);
/**
* Find a managed domain, different from the given one, that has overlaps
* in the domain list.
*/
md_t *md_get_by_dns_overlap(struct apr_array_header_t *mds, const md_t *md);
/**
* Find the managed domain in the list that, for the given md,
* has the same name, or the most number of overlaps in domains
*/
md_t *md_find_closest_match(apr_array_header_t *mds, const md_t *md);
/**
* Create and empty md record, structures initialized.
*/
md_t *md_create_empty(apr_pool_t *p);
/**
* Create a managed domain, given a list of domain names.
*/
md_t *md_create(apr_pool_t *p, struct apr_array_header_t *domains);
/**
* Deep copy an md record into another pool.
*/
md_t *md_clone(apr_pool_t *p, const md_t *src);
/**
* Shallow copy an md record into another pool.
*/
md_t *md_copy(apr_pool_t *p, const md_t *src);
/**
* Create a merged md with the settings of add overlaying the ones from base.
*/
md_t *md_merge(apr_pool_t *p, const md_t *add, const md_t *base);
/**
* Convert the managed domain into a JSON representation and vice versa.
*
* This reads and writes the following information: name, domains, ca_url, ca_proto and state.
*/
struct md_json_t *md_to_json (const md_t *md, apr_pool_t *p);
md_t *md_from_json(struct md_json_t *json, apr_pool_t *p);
/**
* Determine if MD should renew its cert (if it has one)
*/
int md_should_renew(const md_t *md);
/**************************************************************************************************/
/* domain credentials */
typedef struct md_creds_t md_creds_t;
struct md_creds_t {
struct md_pkey_t *privkey;
struct apr_array_header_t *pubcert; /* complete md_cert* chain */
struct md_cert_t *cert;
int expired;
};
/* TODO: not sure this is a good idea, testing some readability and debuggabiltiy of
* cascaded apr_status_t checks. */
#define MD_CHK_VARS const char *md_chk_
#define MD_LAST_CHK md_chk_
#define MD_CHK_STEP(c, status, s) (md_chk_ = s, (void)md_chk_, status == (rv = (c)))
#define MD_CHK(c, status) MD_CHK_STEP(c, status, #c)
#define MD_IS_ERR(c, err) (md_chk_ = #c, APR_STATUS_IS_##err((rv = (c))))
#define MD_CHK_SUCCESS(c) MD_CHK(c, APR_SUCCESS)
#define MD_OK(c) MD_CHK_SUCCESS(c)
#endif /* mod_md_md_h */
|
