diff options
Diffstat (limited to '')
-rw-r--r-- | modules/tls/tls_cert.h | 211 |
1 files changed, 211 insertions, 0 deletions
diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h new file mode 100644 index 0000000..6ab3f48 --- /dev/null +++ b/modules/tls/tls_cert.h @@ -0,0 +1,211 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef tls_cert_h +#define tls_cert_h + +#include "tls_util.h" + +/** + * The PEM data of a certificate and its key. + */ +typedef struct { + tls_data_t cert_pem; + tls_data_t pkey_pem; +} tls_cert_pem_t; + +/** + * Specify a certificate via files or PEM data. + */ +typedef struct { + const char *cert_file; /* file path, relative to ap_root */ + const char *pkey_file; /* file path, relative to ap_root */ + const char *cert_pem; /* NUL-terminated PEM string */ + const char *pkey_pem; /* NUL-terminated PEM string */ +} tls_cert_spec_t; + +/** + * Load the PEM data for a certificate file and key file as given in `cert`. + */ +apr_status_t tls_cert_load_pem( + apr_pool_t *p, const tls_cert_spec_t *cert, tls_cert_pem_t **ppem); + +apr_status_t tls_cert_to_pem(const char **ppem, apr_pool_t *p, const rustls_certificate *cert); + +/** + * Load a rustls certified key from a certificate specification. + * The returned `rustls_certified_key` is owned by the caller. + * @param p the memory pool to use + * @param spec the specification for the certificate (file or PEM data) + * @param cert_pem return the PEM data used for loading the certificates, optional + * @param pckey the loaded certified key on return + */ +apr_status_t tls_cert_load_cert_key( + apr_pool_t *p, const tls_cert_spec_t *spec, + const char **pcert_pem, const rustls_certified_key **pckey); + +/** + * A registry of rustls_certified_key* by identifier. + */ +typedef struct tls_cert_reg_t tls_cert_reg_t; +struct tls_cert_reg_t{ + apr_pool_t *pool; + apr_hash_t *id2entry; + apr_hash_t *key2entry; +}; + +/** + * Create a new registry with lifetime based on the memory pool. + * The registry will take care of its memory and allocated keys when + * the pool is destroyed. + */ +tls_cert_reg_t *tls_cert_reg_make(apr_pool_t *p); + +/** + * Return the number of certified keys in the registry. + */ +apr_size_t tls_cert_reg_count(tls_cert_reg_t *reg); + +/** + * Get a the `rustls_certified_key` identified by `spec` from the registry. + * This will load the key the first time it is requested. + * The returned `rustls_certified_key` is owned by the registry. + * @param reg the certified key registry + * @param s the server_rec this is loaded into, useful for error logging + * @param spec the specification of the certified key + * @param pckey the certified key instance on return + */ +apr_status_t tls_cert_reg_get_certified_key( + tls_cert_reg_t *reg, server_rec *s, const tls_cert_spec_t *spec, const rustls_certified_key **pckey); + +/** + * Visit all certified keys in the registry. + * The callback may return 0 to abort the iteration. + * @param userdata supplied by the visit invocation + * @param s the server_rec the certified was load into first + * @param id internal identifier of the certified key + * @param cert_pem the PEM data of the certificate and its chain + * @param certified_key the key instance itself + */ +typedef int tls_cert_reg_visitor( + void *userdata, server_rec *s, + const char *id, const char *cert_pem, const rustls_certified_key *certified_key); + +/** + * Visit all certified_key entries in the registry. + * @param visitor callback invoked on each entry until it returns 0. + * @param userdata passed to callback + * @param reg the registry to iterate over + */ +void tls_cert_reg_do( + tls_cert_reg_visitor *visitor, void *userdata, tls_cert_reg_t *reg); + +/** + * Get the identity assigned to a loaded, certified key. Returns NULL, if the + * key is not part of the registry. The returned bytes are owned by the registry + * entry. + * @param reg the registry to look in. + * @param certified_key the key to get the identifier for + */ +const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key *certified_key); + +/** + * Load all root certificates from a PEM file into a rustls_root_cert_store. + * @param p the memory pool to use + * @param store_file the (server relative) path of the PEM file + * @param pstore the loaded root store on success + */ +apr_status_t tls_cert_load_root_store( + apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore); + +typedef struct tls_cert_root_stores_t tls_cert_root_stores_t; +struct tls_cert_root_stores_t { + apr_pool_t *pool; + apr_hash_t *file2store; +}; + +/** + * Create a new root stores registry with lifetime based on the memory pool. + * The registry will take care of its memory and allocated stores when + * the pool is destroyed. + */ +tls_cert_root_stores_t *tls_cert_root_stores_make(apr_pool_t *p); + +/** + * Clear the root stores registry, freeing all stores. + */ +void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores); + +/** + * Load all root certificates from a PEM file into a rustls_root_cert_store. + * @param p the memory pool to use + * @param store_file the (server relative) path of the PEM file + * @param pstore the loaded root store on success + */ +apr_status_t tls_cert_root_stores_get( + tls_cert_root_stores_t *stores, + const char *store_file, + rustls_root_cert_store **pstore); + +typedef struct tls_cert_verifiers_t tls_cert_verifiers_t; +struct tls_cert_verifiers_t { + apr_pool_t *pool; + tls_cert_root_stores_t *stores; + apr_hash_t *file2verifier; +}; + +/** + * Create a new registry for certificate verifiers with lifetime based on the memory pool. + * The registry will take care of its memory and allocated verifiers when + * the pool is destroyed. + * @param p the memory pool to use + * @param stores the store registry for lookups + */ +tls_cert_verifiers_t *tls_cert_verifiers_make( + apr_pool_t *p, tls_cert_root_stores_t *stores); + +/** + * Clear the verifiers registry, freeing all verifiers. + */ +void tls_cert_verifiers_clear( + tls_cert_verifiers_t *verifiers); + +/** + * Get the mandatory client certificate verifier for the + * root certificate store in `store_file`. Will create + * the verifier if not already known. + * @param verifiers the registry of certificate verifiers + * @param store_file the (server relative) path of the PEM file with certificates + * @param pverifiers the verifier on success + */ +apr_status_t tls_cert_client_verifiers_get( + tls_cert_verifiers_t *verifiers, + const char *store_file, + const rustls_client_cert_verifier **pverifier); + +/** + * Get the optional client certificate verifier for the + * root certificate store in `store_file`. Will create + * the verifier if not already known. + * @param verifiers the registry of certificate verifiers + * @param store_file the (server relative) path of the PEM file with certificates + * @param pverifiers the verifier on success + */ +apr_status_t tls_cert_client_verifiers_get_optional( + tls_cert_verifiers_t *verifiers, + const char *store_file, + const rustls_client_cert_verifier_optional **pverifier); + +#endif /* tls_cert_h */
\ No newline at end of file |