1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef mod_md_md_acme_acct_h
#define mod_md_md_acme_acct_h
struct md_acme_req;
struct md_json_t;
struct md_pkey_t;
#include "md_store.h"
/**
* An ACME account at an ACME server.
*/
typedef struct md_acme_acct_t md_acme_acct_t;
typedef enum {
MD_ACME_ACCT_ST_UNKNOWN,
MD_ACME_ACCT_ST_VALID,
MD_ACME_ACCT_ST_DEACTIVATED,
MD_ACME_ACCT_ST_REVOKED,
} md_acme_acct_st;
struct md_acme_acct_t {
const char *id; /* short, unique id for the account */
const char *url; /* url of the account, once registered */
const char *ca_url; /* url of the ACME protocol endpoint */
md_acme_acct_st status; /* status of this account */
apr_array_header_t *contacts; /* list of contact uris, e.g. mailto:xxx */
const char *tos_required; /* terms of service asked for by CA */
const char *agreement; /* terms of service agreed to by user */
const char *orders; /* URL where certificate orders are found (ACMEv2) */
const char *eab_kid; /* external account binding keyid used or NULL */
const char *eab_hmac; /* external account binding hmac used or NULL */
struct md_json_t *registration; /* data from server registration */
};
#define MD_FN_ACCOUNT "account.json"
#define MD_FN_ACCT_KEY "account.pem"
/* ACME account private keys are always RSA and have that many bits. Since accounts
* are expected to live long, better err on the safe side. */
#define MD_ACME_ACCT_PKEY_BITS 3072
#define MD_ACME_ACCT_STAGED "staged"
/**
* Convert an ACME account form/to JSON.
*/
struct md_json_t *md_acme_acct_to_json(md_acme_acct_t *acct, apr_pool_t *p);
apr_status_t md_acme_acct_from_json(md_acme_acct_t **pacct, struct md_json_t *json, apr_pool_t *p);
/**
* Update the account from the ACME server.
* - Will update acme->acct structure from server on success
* - Will return error status when request failed or account is not known.
*/
apr_status_t md_acme_acct_update(md_acme_t *acme);
/**
* Update the account and persist changes in the store, if given (and not NULL).
*/
apr_status_t md_acme_acct_validate(md_acme_t *acme, md_store_t *store, apr_pool_t *p);
/**
* Agree to the given Terms-of-Service url for the current account.
*/
apr_status_t md_acme_agree(md_acme_t *acme, apr_pool_t *p, const char *tos);
/**
* Confirm with the server that the current account agrees to the Terms-of-Service
* given in the agreement url.
* If the known agreement is equal to this, nothing is done.
* If it differs, the account is re-validated in the hope that the server
* announces the Tos URL it wants. If this is equal to the agreement specified,
* the server is notified of this. If the server requires a ToS that the account
* thinks it has already given, it is resend.
*
* If an agreement is required, different from the current one, APR_INCOMPLETE is
* returned and the agreement url is returned in the parameter.
*/
apr_status_t md_acme_check_agreement(md_acme_t *acme, apr_pool_t *p,
const char *agreement, const char **prequired);
/**
* Get the ToS agreement for current account.
*/
const char *md_acme_get_agreement(md_acme_t *acme);
/**
* Find an existing account in the local store. On APR_SUCCESS, the acme
* instance will have a current, validated account to use.
*/
apr_status_t md_acme_find_acct_for_md(md_acme_t *acme, md_store_t *store, const md_t *md);
/**
* Find the account id for a given md.
*/
apr_status_t md_acme_acct_id_for_md(const char **pid, md_store_t *store,
md_store_group_t group, const md_t *md, apr_pool_t *p);
/**
* Create a new account at the ACME server for an MD. The
* new account is the one used by the acme instance afterwards, on success.
*/
apr_status_t md_acme_acct_register(md_acme_t *acme, md_store_t *store,
const md_t *md, apr_pool_t *p);
apr_status_t md_acme_acct_save(md_store_t *store, apr_pool_t *p, md_acme_t *acme,
const char **pid, struct md_acme_acct_t *acct,
struct md_pkey_t *acct_key);
/**
* Deactivate the current account at the ACME server.
*/
apr_status_t md_acme_acct_deactivate(md_acme_t *acme, apr_pool_t *p);
apr_status_t md_acme_acct_load(struct md_acme_acct_t **pacct, struct md_pkey_t **ppkey,
md_store_t *store, md_store_group_t group,
const char *name, apr_pool_t *p);
/*
* Return != 0 iff the account can be used for the ACME url.
*/
int md_acme_acct_matches_url(md_acme_acct_t *acct, const char *url);
/*
* Return != 0 iff the account can be used for the MD, including
* its CA url and EAB settings.
*/
int md_acme_acct_matches_md(md_acme_acct_t *acct, const md_t *md);
#endif /* md_acme_acct_h */
|
