summaryrefslogtreecommitdiffstats
path: root/modules/tls/tls_cert.h
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/tls/tls_cert.h211
1 files changed, 211 insertions, 0 deletions
diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
new file mode 100644
index 0000000..6ab3f48
--- /dev/null
+++ b/modules/tls/tls_cert.h
@@ -0,0 +1,211 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef tls_cert_h
+#define tls_cert_h
+
+#include "tls_util.h"
+
+/**
+ * The PEM data of a certificate and its key.
+ */
+typedef struct {
+ tls_data_t cert_pem;
+ tls_data_t pkey_pem;
+} tls_cert_pem_t;
+
+/**
+ * Specify a certificate via files or PEM data.
+ */
+typedef struct {
+ const char *cert_file; /* file path, relative to ap_root */
+ const char *pkey_file; /* file path, relative to ap_root */
+ const char *cert_pem; /* NUL-terminated PEM string */
+ const char *pkey_pem; /* NUL-terminated PEM string */
+} tls_cert_spec_t;
+
+/**
+ * Load the PEM data for a certificate file and key file as given in `cert`.
+ */
+apr_status_t tls_cert_load_pem(
+ apr_pool_t *p, const tls_cert_spec_t *cert, tls_cert_pem_t **ppem);
+
+apr_status_t tls_cert_to_pem(const char **ppem, apr_pool_t *p, const rustls_certificate *cert);
+
+/**
+ * Load a rustls certified key from a certificate specification.
+ * The returned `rustls_certified_key` is owned by the caller.
+ * @param p the memory pool to use
+ * @param spec the specification for the certificate (file or PEM data)
+ * @param cert_pem return the PEM data used for loading the certificates, optional
+ * @param pckey the loaded certified key on return
+ */
+apr_status_t tls_cert_load_cert_key(
+ apr_pool_t *p, const tls_cert_spec_t *spec,
+ const char **pcert_pem, const rustls_certified_key **pckey);
+
+/**
+ * A registry of rustls_certified_key* by identifier.
+ */
+typedef struct tls_cert_reg_t tls_cert_reg_t;
+struct tls_cert_reg_t{
+ apr_pool_t *pool;
+ apr_hash_t *id2entry;
+ apr_hash_t *key2entry;
+};
+
+/**
+ * Create a new registry with lifetime based on the memory pool.
+ * The registry will take care of its memory and allocated keys when
+ * the pool is destroyed.
+ */
+tls_cert_reg_t *tls_cert_reg_make(apr_pool_t *p);
+
+/**
+ * Return the number of certified keys in the registry.
+ */
+apr_size_t tls_cert_reg_count(tls_cert_reg_t *reg);
+
+/**
+ * Get a the `rustls_certified_key` identified by `spec` from the registry.
+ * This will load the key the first time it is requested.
+ * The returned `rustls_certified_key` is owned by the registry.
+ * @param reg the certified key registry
+ * @param s the server_rec this is loaded into, useful for error logging
+ * @param spec the specification of the certified key
+ * @param pckey the certified key instance on return
+ */
+apr_status_t tls_cert_reg_get_certified_key(
+ tls_cert_reg_t *reg, server_rec *s, const tls_cert_spec_t *spec, const rustls_certified_key **pckey);
+
+/**
+ * Visit all certified keys in the registry.
+ * The callback may return 0 to abort the iteration.
+ * @param userdata supplied by the visit invocation
+ * @param s the server_rec the certified was load into first
+ * @param id internal identifier of the certified key
+ * @param cert_pem the PEM data of the certificate and its chain
+ * @param certified_key the key instance itself
+ */
+typedef int tls_cert_reg_visitor(
+ void *userdata, server_rec *s,
+ const char *id, const char *cert_pem, const rustls_certified_key *certified_key);
+
+/**
+ * Visit all certified_key entries in the registry.
+ * @param visitor callback invoked on each entry until it returns 0.
+ * @param userdata passed to callback
+ * @param reg the registry to iterate over
+ */
+void tls_cert_reg_do(
+ tls_cert_reg_visitor *visitor, void *userdata, tls_cert_reg_t *reg);
+
+/**
+ * Get the identity assigned to a loaded, certified key. Returns NULL, if the
+ * key is not part of the registry. The returned bytes are owned by the registry
+ * entry.
+ * @param reg the registry to look in.
+ * @param certified_key the key to get the identifier for
+ */
+const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key *certified_key);
+
+/**
+ * Load all root certificates from a PEM file into a rustls_root_cert_store.
+ * @param p the memory pool to use
+ * @param store_file the (server relative) path of the PEM file
+ * @param pstore the loaded root store on success
+ */
+apr_status_t tls_cert_load_root_store(
+ apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
+
+typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
+struct tls_cert_root_stores_t {
+ apr_pool_t *pool;
+ apr_hash_t *file2store;
+};
+
+/**
+ * Create a new root stores registry with lifetime based on the memory pool.
+ * The registry will take care of its memory and allocated stores when
+ * the pool is destroyed.
+ */
+tls_cert_root_stores_t *tls_cert_root_stores_make(apr_pool_t *p);
+
+/**
+ * Clear the root stores registry, freeing all stores.
+ */
+void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
+
+/**
+ * Load all root certificates from a PEM file into a rustls_root_cert_store.
+ * @param p the memory pool to use
+ * @param store_file the (server relative) path of the PEM file
+ * @param pstore the loaded root store on success
+ */
+apr_status_t tls_cert_root_stores_get(
+ tls_cert_root_stores_t *stores,
+ const char *store_file,
+ rustls_root_cert_store **pstore);
+
+typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
+struct tls_cert_verifiers_t {
+ apr_pool_t *pool;
+ tls_cert_root_stores_t *stores;
+ apr_hash_t *file2verifier;
+};
+
+/**
+ * Create a new registry for certificate verifiers with lifetime based on the memory pool.
+ * The registry will take care of its memory and allocated verifiers when
+ * the pool is destroyed.
+ * @param p the memory pool to use
+ * @param stores the store registry for lookups
+ */
+tls_cert_verifiers_t *tls_cert_verifiers_make(
+ apr_pool_t *p, tls_cert_root_stores_t *stores);
+
+/**
+ * Clear the verifiers registry, freeing all verifiers.
+ */
+void tls_cert_verifiers_clear(
+ tls_cert_verifiers_t *verifiers);
+
+/**
+ * Get the mandatory client certificate verifier for the
+ * root certificate store in `store_file`. Will create
+ * the verifier if not already known.
+ * @param verifiers the registry of certificate verifiers
+ * @param store_file the (server relative) path of the PEM file with certificates
+ * @param pverifiers the verifier on success
+ */
+apr_status_t tls_cert_client_verifiers_get(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+ const rustls_client_cert_verifier **pverifier);
+
+/**
+ * Get the optional client certificate verifier for the
+ * root certificate store in `store_file`. Will create
+ * the verifier if not already known.
+ * @param verifiers the registry of certificate verifiers
+ * @param store_file the (server relative) path of the PEM file with certificates
+ * @param pverifiers the verifier on success
+ */
+apr_status_t tls_cert_client_verifiers_get_optional(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+ const rustls_client_cert_verifier_optional **pverifier);
+
+#endif /* tls_cert_h */ \ No newline at end of file