diff options
Diffstat (limited to 'modules/md/md_core.c')
-rw-r--r-- | modules/md/md_core.c | 462 |
1 files changed, 462 insertions, 0 deletions
diff --git a/modules/md/md_core.c b/modules/md/md_core.c new file mode 100644 index 0000000..7aacff0 --- /dev/null +++ b/modules/md/md_core.c @@ -0,0 +1,462 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <assert.h> +#include <stdlib.h> + +#include <apr_lib.h> +#include <apr_strings.h> +#include <apr_uri.h> +#include <apr_tables.h> +#include <apr_time.h> +#include <apr_date.h> + +#include "md_json.h" +#include "md.h" +#include "md_crypt.h" +#include "md_log.h" +#include "md_store.h" +#include "md_util.h" + + +int md_contains(const md_t *md, const char *domain, int case_sensitive) +{ + if (md_array_str_index(md->domains, domain, 0, case_sensitive) >= 0) { + return 1; + } + return md_dns_domains_match(md->domains, domain); +} + +const char *md_common_name(const md_t *md1, const md_t *md2) +{ + int i; + + if (md1 == NULL || md1->domains == NULL + || md2 == NULL || md2->domains == NULL) { + return NULL; + } + + for (i = 0; i < md1->domains->nelts; ++i) { + const char *name1 = APR_ARRAY_IDX(md1->domains, i, const char*); + if (md_contains(md2, name1, 0)) { + return name1; + } + } + return NULL; +} + +int md_domains_overlap(const md_t *md1, const md_t *md2) +{ + return md_common_name(md1, md2) != NULL; +} + +apr_size_t md_common_name_count(const md_t *md1, const md_t *md2) +{ + int i; + apr_size_t hits; + + if (md1 == NULL || md1->domains == NULL + || md2 == NULL || md2->domains == NULL) { + return 0; + } + + hits = 0; + for (i = 0; i < md1->domains->nelts; ++i) { + const char *name1 = APR_ARRAY_IDX(md1->domains, i, const char*); + if (md_contains(md2, name1, 0)) { + ++hits; + } + } + return hits; +} + +int md_is_covered_by_alt_names(const md_t *md, const struct apr_array_header_t* alt_names) +{ + const char *name; + int i; + + if (alt_names) { + for (i = 0; i < md->domains->nelts; ++i) { + name = APR_ARRAY_IDX(md->domains, i, const char *); + if (!md_dns_domains_match(alt_names, name)) { + return 0; + } + } + return 1; + } + return 0; +} + +md_t *md_create_empty(apr_pool_t *p) +{ + md_t *md = apr_pcalloc(p, sizeof(*md)); + if (md) { + md->domains = apr_array_make(p, 5, sizeof(const char *)); + md->contacts = apr_array_make(p, 5, sizeof(const char *)); + md->renew_mode = MD_RENEW_DEFAULT; + md->require_https = MD_REQUIRE_UNSET; + md->must_staple = -1; + md->transitive = -1; + md->acme_tls_1_domains = apr_array_make(p, 5, sizeof(const char *)); + md->stapling = -1; + md->defn_name = "unknown"; + md->defn_line_number = 0; + } + return md; +} + +int md_equal_domains(const md_t *md1, const md_t *md2, int case_sensitive) +{ + int i; + if (md1->domains->nelts == md2->domains->nelts) { + for (i = 0; i < md1->domains->nelts; ++i) { + const char *name1 = APR_ARRAY_IDX(md1->domains, i, const char*); + if (!md_contains(md2, name1, case_sensitive)) { + return 0; + } + } + return 1; + } + return 0; +} + +int md_contains_domains(const md_t *md1, const md_t *md2) +{ + int i; + if (md1->domains->nelts >= md2->domains->nelts) { + for (i = 0; i < md2->domains->nelts; ++i) { + const char *name2 = APR_ARRAY_IDX(md2->domains, i, const char*); + if (!md_contains(md1, name2, 0)) { + return 0; + } + } + return 1; + } + return 0; +} + +md_t *md_get_by_name(struct apr_array_header_t *mds, const char *name) +{ + int i; + for (i = 0; i < mds->nelts; ++i) { + md_t *md = APR_ARRAY_IDX(mds, i, md_t *); + if (!strcmp(name, md->name)) { + return md; + } + } + return NULL; +} + +md_t *md_get_by_domain(struct apr_array_header_t *mds, const char *domain) +{ + int i; + for (i = 0; i < mds->nelts; ++i) { + md_t *md = APR_ARRAY_IDX(mds, i, md_t *); + if (md_contains(md, domain, 0)) { + return md; + } + } + return NULL; +} + +md_t *md_get_by_dns_overlap(struct apr_array_header_t *mds, const md_t *md) +{ + int i; + for (i = 0; i < mds->nelts; ++i) { + md_t *o = APR_ARRAY_IDX(mds, i, md_t *); + if (strcmp(o->name, md->name) && md_common_name(o, md)) { + return o; + } + } + return NULL; +} + +int md_cert_count(const md_t *md) +{ + /* cert are defined as a list of static files or a list of private key specs */ + if (md->cert_files && md->cert_files->nelts) { + return md->cert_files->nelts; + } + return md_pkeys_spec_count(md->pks); +} + +md_t *md_create(apr_pool_t *p, apr_array_header_t *domains) +{ + md_t *md; + + md = md_create_empty(p); + md->domains = md_array_str_compact(p, domains, 0); + md->name = APR_ARRAY_IDX(md->domains, 0, const char *); + + return md; +} + +/**************************************************************************************************/ +/* lifetime */ + +md_t *md_copy(apr_pool_t *p, const md_t *src) +{ + md_t *md; + + md = apr_pcalloc(p, sizeof(*md)); + if (md) { + memcpy(md, src, sizeof(*md)); + md->domains = apr_array_copy(p, src->domains); + md->contacts = apr_array_copy(p, src->contacts); + if (src->ca_challenges) { + md->ca_challenges = apr_array_copy(p, src->ca_challenges); + } + md->acme_tls_1_domains = apr_array_copy(p, src->acme_tls_1_domains); + md->pks = md_pkeys_spec_clone(p, src->pks); + } + return md; +} + +md_t *md_clone(apr_pool_t *p, const md_t *src) +{ + md_t *md; + + md = apr_pcalloc(p, sizeof(*md)); + if (md) { + md->state = src->state; + md->name = apr_pstrdup(p, src->name); + md->require_https = src->require_https; + md->must_staple = src->must_staple; + md->renew_mode = src->renew_mode; + md->domains = md_array_str_compact(p, src->domains, 0); + md->pks = md_pkeys_spec_clone(p, src->pks); + md->renew_window = src->renew_window; + md->warn_window = src->warn_window; + md->contacts = md_array_str_clone(p, src->contacts); + if (src->ca_proto) md->ca_proto = apr_pstrdup(p, src->ca_proto); + if (src->ca_urls) { + md->ca_urls = md_array_str_clone(p, src->ca_urls); + } + if (src->ca_effective) md->ca_effective = apr_pstrdup(p, src->ca_effective); + if (src->ca_account) md->ca_account = apr_pstrdup(p, src->ca_account); + if (src->ca_agreement) md->ca_agreement = apr_pstrdup(p, src->ca_agreement); + if (src->defn_name) md->defn_name = apr_pstrdup(p, src->defn_name); + md->defn_line_number = src->defn_line_number; + if (src->ca_challenges) { + md->ca_challenges = md_array_str_clone(p, src->ca_challenges); + } + md->acme_tls_1_domains = md_array_str_compact(p, src->acme_tls_1_domains, 0); + md->stapling = src->stapling; + if (src->dns01_cmd) md->dns01_cmd = apr_pstrdup(p, src->dns01_cmd); + if (src->cert_files) md->cert_files = md_array_str_clone(p, src->cert_files); + if (src->pkey_files) md->pkey_files = md_array_str_clone(p, src->pkey_files); + } + return md; +} + +/**************************************************************************************************/ +/* format conversion */ + +md_json_t *md_to_json(const md_t *md, apr_pool_t *p) +{ + md_json_t *json = md_json_create(p); + if (json) { + apr_array_header_t *domains = md_array_str_compact(p, md->domains, 0); + md_json_sets(md->name, json, MD_KEY_NAME, NULL); + md_json_setsa(domains, json, MD_KEY_DOMAINS, NULL); + md_json_setsa(md->contacts, json, MD_KEY_CONTACTS, NULL); + md_json_setl(md->transitive, json, MD_KEY_TRANSITIVE, NULL); + md_json_sets(md->ca_account, json, MD_KEY_CA, MD_KEY_ACCOUNT, NULL); + md_json_sets(md->ca_proto, json, MD_KEY_CA, MD_KEY_PROTO, NULL); + md_json_sets(md->ca_effective, json, MD_KEY_CA, MD_KEY_URL, NULL); + if (md->ca_urls && !apr_is_empty_array(md->ca_urls)) { + md_json_setsa(md->ca_urls, json, MD_KEY_CA, MD_KEY_URLS, NULL); + } + md_json_sets(md->ca_agreement, json, MD_KEY_CA, MD_KEY_AGREEMENT, NULL); + if (!md_pkeys_spec_is_empty(md->pks)) { + md_json_setj(md_pkeys_spec_to_json(md->pks, p), json, MD_KEY_PKEY, NULL); + } + md_json_setl(md->state, json, MD_KEY_STATE, NULL); + if (md->state_descr) + md_json_sets(md->state_descr, json, MD_KEY_STATE_DESCR, NULL); + md_json_setl(md->renew_mode, json, MD_KEY_RENEW_MODE, NULL); + if (md->renew_window) + md_json_sets(md_timeslice_format(md->renew_window, p), json, MD_KEY_RENEW_WINDOW, NULL); + if (md->warn_window) + md_json_sets(md_timeslice_format(md->warn_window, p), json, MD_KEY_WARN_WINDOW, NULL); + if (md->ca_challenges && md->ca_challenges->nelts > 0) { + apr_array_header_t *na; + na = md_array_str_compact(p, md->ca_challenges, 0); + md_json_setsa(na, json, MD_KEY_CA, MD_KEY_CHALLENGES, NULL); + } + switch (md->require_https) { + case MD_REQUIRE_TEMPORARY: + md_json_sets(MD_KEY_TEMPORARY, json, MD_KEY_REQUIRE_HTTPS, NULL); + break; + case MD_REQUIRE_PERMANENT: + md_json_sets(MD_KEY_PERMANENT, json, MD_KEY_REQUIRE_HTTPS, NULL); + break; + default: + break; + } + md_json_setb(md->must_staple > 0, json, MD_KEY_MUST_STAPLE, NULL); + md_json_setsa(md->acme_tls_1_domains, json, MD_KEY_PROTO, MD_KEY_ACME_TLS_1, NULL); + if (md->cert_files) md_json_setsa(md->cert_files, json, MD_KEY_CERT_FILES, NULL); + if (md->pkey_files) md_json_setsa(md->pkey_files, json, MD_KEY_PKEY_FILES, NULL); + md_json_setb(md->stapling > 0, json, MD_KEY_STAPLING, NULL); + if (md->dns01_cmd) md_json_sets(md->dns01_cmd, json, MD_KEY_CMD_DNS01, NULL); + if (md->ca_eab_kid && strcmp("none", md->ca_eab_kid)) { + md_json_sets(md->ca_eab_kid, json, MD_KEY_EAB, MD_KEY_KID, NULL); + if (md->ca_eab_hmac) md_json_sets(md->ca_eab_hmac, json, MD_KEY_EAB, MD_KEY_HMAC, NULL); + } + return json; + } + return NULL; +} + +md_t *md_from_json(md_json_t *json, apr_pool_t *p) +{ + const char *s; + md_t *md = md_create_empty(p); + if (md) { + md->name = md_json_dups(p, json, MD_KEY_NAME, NULL); + md_json_dupsa(md->domains, p, json, MD_KEY_DOMAINS, NULL); + md_json_dupsa(md->contacts, p, json, MD_KEY_CONTACTS, NULL); + md->ca_account = md_json_dups(p, json, MD_KEY_CA, MD_KEY_ACCOUNT, NULL); + md->ca_proto = md_json_dups(p, json, MD_KEY_CA, MD_KEY_PROTO, NULL); + md->ca_effective = md_json_dups(p, json, MD_KEY_CA, MD_KEY_URL, NULL); + if (md_json_has_key(json, MD_KEY_CA, MD_KEY_URLS, NULL)) { + md->ca_urls = apr_array_make(p, 5, sizeof(const char*)); + md_json_dupsa(md->ca_urls, p, json, MD_KEY_CA, MD_KEY_URLS, NULL); + } + else if (md->ca_effective) { + /* compat for old format where we had only a single url */ + md->ca_urls = apr_array_make(p, 5, sizeof(const char*)); + APR_ARRAY_PUSH(md->ca_urls, const char*) = md->ca_effective; + } + md->ca_agreement = md_json_dups(p, json, MD_KEY_CA, MD_KEY_AGREEMENT, NULL); + if (md_json_has_key(json, MD_KEY_PKEY, NULL)) { + md->pks = md_pkeys_spec_from_json(md_json_getj(json, MD_KEY_PKEY, NULL), p); + } + md->state = (md_state_t)md_json_getl(json, MD_KEY_STATE, NULL); + md->state_descr = md_json_dups(p, json, MD_KEY_STATE_DESCR, NULL); + if (MD_S_EXPIRED_DEPRECATED == md->state) md->state = MD_S_COMPLETE; + md->renew_mode = (int)md_json_getl(json, MD_KEY_RENEW_MODE, NULL); + md->domains = md_array_str_compact(p, md->domains, 0); + md->transitive = (int)md_json_getl(json, MD_KEY_TRANSITIVE, NULL); + s = md_json_gets(json, MD_KEY_RENEW_WINDOW, NULL); + md_timeslice_parse(&md->renew_window, p, s, MD_TIME_LIFE_NORM); + s = md_json_gets(json, MD_KEY_WARN_WINDOW, NULL); + md_timeslice_parse(&md->warn_window, p, s, MD_TIME_LIFE_NORM); + if (md_json_has_key(json, MD_KEY_CA, MD_KEY_CHALLENGES, NULL)) { + md->ca_challenges = apr_array_make(p, 5, sizeof(const char*)); + md_json_dupsa(md->ca_challenges, p, json, MD_KEY_CA, MD_KEY_CHALLENGES, NULL); + } + md->require_https = MD_REQUIRE_OFF; + s = md_json_gets(json, MD_KEY_REQUIRE_HTTPS, NULL); + if (s && !strcmp(MD_KEY_TEMPORARY, s)) { + md->require_https = MD_REQUIRE_TEMPORARY; + } + else if (s && !strcmp(MD_KEY_PERMANENT, s)) { + md->require_https = MD_REQUIRE_PERMANENT; + } + md->must_staple = (int)md_json_getb(json, MD_KEY_MUST_STAPLE, NULL); + md_json_dupsa(md->acme_tls_1_domains, p, json, MD_KEY_PROTO, MD_KEY_ACME_TLS_1, NULL); + + if (md_json_has_key(json, MD_KEY_CERT_FILES, NULL)) { + md->cert_files = apr_array_make(p, 3, sizeof(char*)); + md->pkey_files = apr_array_make(p, 3, sizeof(char*)); + md_json_dupsa(md->cert_files, p, json, MD_KEY_CERT_FILES, NULL); + md_json_dupsa(md->pkey_files, p, json, MD_KEY_PKEY_FILES, NULL); + } + md->stapling = (int)md_json_getb(json, MD_KEY_STAPLING, NULL); + md->dns01_cmd = md_json_dups(p, json, MD_KEY_CMD_DNS01, NULL); + if (md_json_has_key(json, MD_KEY_EAB, NULL)) { + md->ca_eab_kid = md_json_dups(p, json, MD_KEY_EAB, MD_KEY_KID, NULL); + md->ca_eab_hmac = md_json_dups(p, json, MD_KEY_EAB, MD_KEY_HMAC, NULL); + } + return md; + } + return NULL; +} + +md_json_t *md_to_public_json(const md_t *md, apr_pool_t *p) +{ + md_json_t *json = md_to_json(md, p); + if (md_json_has_key(json, MD_KEY_EAB, MD_KEY_HMAC, NULL)) { + md_json_sets("***", json, MD_KEY_EAB, MD_KEY_HMAC, NULL); + } + return json; +} + +typedef struct { + const char *name; + const char *url; +} md_ca_t; + +#define LE_ACMEv2_PROD "https://acme-v02.api.letsencrypt.org/directory" +#define LE_ACMEv2_STAGING "https://acme-staging-v02.api.letsencrypt.org/directory" +#define BUYPASS_ACME "https://api.buypass.com/acme/directory" +#define BUYPASS_ACME_TEST "https://api.test4.buypass.no/acme/directory" + +static md_ca_t KNOWN_CAs[] = { + { "LetsEncrypt", LE_ACMEv2_PROD }, + { "LetsEncrypt-Test", LE_ACMEv2_STAGING }, + { "Buypass", BUYPASS_ACME }, + { "Buypass-Test", BUYPASS_ACME_TEST }, +}; + +const char *md_get_ca_name_from_url(apr_pool_t *p, const char *url) +{ + apr_uri_t uri_parsed; + unsigned int i; + + for (i = 0; i < sizeof(KNOWN_CAs)/sizeof(KNOWN_CAs[0]); ++i) { + if (!apr_strnatcasecmp(KNOWN_CAs[i].url, url)) { + return KNOWN_CAs[i].name; + } + } + if (APR_SUCCESS == apr_uri_parse(p, url, &uri_parsed)) { + return uri_parsed.hostname; + } + return apr_pstrdup(p, url); +} + +apr_status_t md_get_ca_url_from_name(const char **purl, apr_pool_t *p, const char *name) +{ + const char *err; + unsigned int i; + apr_status_t rv = APR_SUCCESS; + + *purl = NULL; + for (i = 0; i < sizeof(KNOWN_CAs)/sizeof(KNOWN_CAs[0]); ++i) { + if (!apr_strnatcasecmp(KNOWN_CAs[i].name, name)) { + *purl = KNOWN_CAs[i].url; + goto leave; + } + } + *purl = name; + rv = md_util_abs_uri_check(p, name, &err); + if (APR_SUCCESS != rv) { + apr_array_header_t *names; + + names = apr_array_make(p, 10, sizeof(const char*)); + for (i = 0; i < sizeof(KNOWN_CAs)/sizeof(KNOWN_CAs[0]); ++i) { + APR_ARRAY_PUSH(names, const char *) = KNOWN_CAs[i].name; + } + *purl = apr_psprintf(p, + "The CA name '%s' is not known and it is not a URL either (%s). " + "Known CA names are: %s.", + name, err, apr_array_pstrcat(p, names, ' ')); + } +leave: + return rv; +} |