1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <apr_lib.h>
#include <apr_strings.h>
#include <httpd.h>
#include <http_connection.h>
#include <http_core.h>
#include <http_log.h>
#include <http_ssl.h>
#include <rustls.h>
#include "tls_cert.h"
#include "tls_conf.h"
#include "tls_core.h"
#include "tls_proto.h"
#include "tls_ocsp.h"
extern module AP_MODULE_DECLARE_DATA tls_module;
APLOG_USE_MODULE(tls);
static int prime_cert(
void *userdata, server_rec *s, const char *cert_id, const char *cert_pem,
const rustls_certified_key *certified_key)
{
apr_pool_t *p = userdata;
apr_status_t rv;
(void)certified_key;
rv = ap_ssl_ocsp_prime(s, p, cert_id, strlen(cert_id), cert_pem);
ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s, "ocsp prime of cert [%s] from %s",
cert_id, s->server_hostname);
return 1;
}
apr_status_t tls_ocsp_prime_certs(tls_conf_global_t *gc, apr_pool_t *p, server_rec *s)
{
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "ocsp priming of %d certs",
(int)tls_cert_reg_count(gc->cert_reg));
tls_cert_reg_do(prime_cert, p, gc->cert_reg);
return APR_SUCCESS;
}
typedef struct {
conn_rec *c;
const rustls_certified_key *key_in;
const rustls_certified_key *key_out;
} ocsp_copy_ctx_t;
static void ocsp_clone_key(const unsigned char *der, apr_size_t der_len, void *userdata)
{
ocsp_copy_ctx_t *ctx = userdata;
rustls_slice_bytes rslice;
rustls_result rr;
rslice.data = der;
rslice.len = der_len;
rr = rustls_certified_key_clone_with_ocsp(ctx->key_in, der_len? &rslice : NULL, &ctx->key_out);
if (RUSTLS_RESULT_OK != rr) {
const char *err_descr = NULL;
apr_status_t rv = tls_util_rustls_error(ctx->c->pool, rr, &err_descr);
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctx->c, APLOGNO(10362)
"Failed add OCSP data to certificate: [%d] %s", (int)rr, err_descr);
}
else {
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctx->c,
"provided %ld bytes of ocsp response DER data to key.", (long)der_len);
}
}
apr_status_t tls_ocsp_update_key(
conn_rec *c, const rustls_certified_key *certified_key,
const rustls_certified_key **pkey_out)
{
tls_conf_conn_t *cc = tls_conf_conn_get(c);
tls_conf_server_t *sc;
const char *key_id;
apr_status_t rv = APR_SUCCESS;
ocsp_copy_ctx_t ctx;
assert(cc);
assert(cc->server);
sc = tls_conf_server_get(cc->server);
key_id = tls_cert_reg_get_id(sc->global->cert_reg, certified_key);
if (!key_id) {
rv = APR_ENOENT;
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, c, "certified key not registered");
goto cleanup;
}
ctx.c = c;
ctx.key_in = certified_key;
ctx.key_out = NULL;
rv = ap_ssl_ocsp_get_resp(cc->server, c, key_id, strlen(key_id), ocsp_clone_key, &ctx);
if (APR_SUCCESS != rv) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, c,
"ocsp response not available for cert %s", key_id);
}
cleanup:
*pkey_out = (APR_SUCCESS == rv)? ctx.key_out : NULL;
return rv;
}
|