Apache2
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
md.h
Go to the documentation of this file.
1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2  * contributor license agreements. See the NOTICE file distributed with
3  * this work for additional information regarding copyright ownership.
4  * The ASF licenses this file to You under the Apache License, Version 2.0
5  * (the "License"); you may not use this file except in compliance with
6  * the License. You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef mod_md_md_h
18 #define mod_md_md_h
19 
20 #include "md_time.h"
21 #include "md_version.h"
22 
23 struct apr_array_header_t;
24 struct apr_hash_t;
25 struct md_json_t;
26 struct md_cert_t;
27 struct md_job_t;
28 struct md_pkey_t;
29 struct md_result_t;
30 struct md_store_t;
31 struct md_srv_conf_t;
32 struct md_pkey_spec_t;
33 
34 #define MD_PKEY_RSA_BITS_MIN 2048
35 #define MD_PKEY_RSA_BITS_DEF 2048
36 
37 /* Minimum age for the HSTS header (RFC 6797), considered appropriate by Mozilla Security */
38 #define MD_HSTS_HEADER "Strict-Transport-Security"
39 #define MD_HSTS_MAX_AGE_DEFAULT 15768000
40 
41 #define PROTO_ACME_TLS_1 "acme-tls/1"
42 
43 #define MD_TIME_LIFE_NORM (apr_time_from_sec(100 * MD_SECS_PER_DAY))
44 #define MD_TIME_RENEW_WINDOW_DEF (apr_time_from_sec(33 * MD_SECS_PER_DAY))
45 #define MD_TIME_WARN_WINDOW_DEF (apr_time_from_sec(10 * MD_SECS_PER_DAY))
46 #define MD_TIME_OCSP_KEEP_NORM (apr_time_from_sec(7 * MD_SECS_PER_DAY))
47 
48 #define MD_OTHER "other"
49 
50 typedef enum {
51  MD_S_UNKNOWN = 0, /* MD has not been analysed yet */
52  MD_S_INCOMPLETE = 1, /* MD is missing necessary information, cannot go live */
53  MD_S_COMPLETE = 2, /* MD has all necessary information, can go live */
54  MD_S_EXPIRED_DEPRECATED = 3, /* deprecated */
55  MD_S_ERROR = 4, /* MD data is flawed, unable to be processed as is */
56  MD_S_MISSING_INFORMATION = 5, /* User has not agreed to ToS */
57 } md_state_t;
58 
59 typedef enum {
64 } md_require_t;
65 
66 typedef enum {
67  MD_RENEW_DEFAULT = -1, /* default value */
68  MD_RENEW_MANUAL, /* manually triggered renewal of certificate */
69  MD_RENEW_AUTO, /* automatic process performed by httpd */
70  MD_RENEW_ALWAYS, /* always renewed by httpd, even if not necessary */
72 
73 typedef struct md_t md_t;
74 struct md_t {
75  const char *name; /* unique name of this MD */
76  struct apr_array_header_t *domains; /* all DNS names this MD includes */
77  struct apr_array_header_t *contacts; /* list of contact uris, e.g. mailto:xxx */
78 
79  int transitive; /* != 0 iff VirtualHost names/aliases are auto-added */
80  md_require_t require_https; /* Iff https: is required for this MD */
81 
82  int renew_mode; /* mode of obtaining credentials */
83  struct md_pkey_spec_t *pkey_spec;/* specification for generating new private keys */
84  int must_staple; /* certificates should set the OCSP Must Staple extension */
85  md_timeslice_t *renew_window; /* time before expiration that starts renewal */
86  md_timeslice_t *warn_window; /* time before expiration that warnings are sent out */
87 
88  const char *ca_url; /* url of CA certificate service */
89  const char *ca_proto; /* protocol used vs CA (e.g. ACME) */
90  const char *ca_account; /* account used at CA */
91  const char *ca_agreement; /* accepted agreement uri between CA and user */
92  struct apr_array_header_t *ca_challenges; /* challenge types configured for this MD */
93  const char *cert_file; /* != NULL iff pubcert file explicitly configured */
94  const char *pkey_file; /* != NULL iff privkey file explicitly configured */
95 
96  md_state_t state; /* state of this MD */
97 
98  struct apr_array_header_t *acme_tls_1_domains; /* domains supporting "acme-tls/1" protocol */
99  int stapling; /* if OCSP stapling is enabled */
100 
101  int watched; /* if certificate is supervised (renew or expiration warning) */
102  const struct md_srv_conf_t *sc; /* server config where it was defined or NULL */
103  const char *defn_name; /* config file this MD was defined */
104  unsigned defn_line_number; /* line number of definition */
105 
106  const char *configured_name; /* name this MD was configured with, if different */
107 };
108 
109 #define MD_KEY_ACCOUNT "account"
110 #define MD_KEY_ACME_TLS_1 "acme-tls/1"
111 #define MD_KEY_ACTIVATION_DELAY "activation-delay"
112 #define MD_KEY_ACTIVITY "activity"
113 #define MD_KEY_AGREEMENT "agreement"
114 #define MD_KEY_AUTHORIZATIONS "authorizations"
115 #define MD_KEY_BITS "bits"
116 #define MD_KEY_CA "ca"
117 #define MD_KEY_CA_URL "ca-url"
118 #define MD_KEY_CERT "cert"
119 #define MD_KEY_CERT_FILE "cert-file"
120 #define MD_KEY_CERTIFICATE "certificate"
121 #define MD_KEY_CHALLENGE "challenge"
122 #define MD_KEY_CHALLENGES "challenges"
123 #define MD_KEY_CMD_DNS01 "cmd-dns-01"
124 #define MD_KEY_COMPLETE "complete"
125 #define MD_KEY_CONTACT "contact"
126 #define MD_KEY_CONTACTS "contacts"
127 #define MD_KEY_CSR "csr"
128 #define MD_KEY_DETAIL "detail"
129 #define MD_KEY_DISABLED "disabled"
130 #define MD_KEY_DIR "dir"
131 #define MD_KEY_DOMAIN "domain"
132 #define MD_KEY_DOMAINS "domains"
133 #define MD_KEY_ENTRIES "entries"
134 #define MD_KEY_ERRORED "errored"
135 #define MD_KEY_ERROR "error"
136 #define MD_KEY_ERRORS "errors"
137 #define MD_KEY_EXPIRES "expires"
138 #define MD_KEY_FINALIZE "finalize"
139 #define MD_KEY_FINISHED "finished"
140 #define MD_KEY_FROM "from"
141 #define MD_KEY_GOOD "good"
142 #define MD_KEY_HTTP "http"
143 #define MD_KEY_HTTPS "https"
144 #define MD_KEY_ID "id"
145 #define MD_KEY_IDENTIFIER "identifier"
146 #define MD_KEY_KEY "key"
147 #define MD_KEY_KEYAUTHZ "keyAuthorization"
148 #define MD_KEY_LAST "last"
149 #define MD_KEY_LAST_RUN "last-run"
150 #define MD_KEY_LOCATION "location"
151 #define MD_KEY_LOG "log"
152 #define MD_KEY_MDS "managed-domains"
153 #define MD_KEY_MESSAGE "message"
154 #define MD_KEY_MUST_STAPLE "must-staple"
155 #define MD_KEY_NAME "name"
156 #define MD_KEY_NEXT_RUN "next-run"
157 #define MD_KEY_NOTIFIED "notified"
158 #define MD_KEY_OCSP "ocsp"
159 #define MD_KEY_OCSPS "ocsps"
160 #define MD_KEY_ORDERS "orders"
161 #define MD_KEY_PERMANENT "permanent"
162 #define MD_KEY_PKEY "privkey"
163 #define MD_KEY_PKEY_FILE "pkey-file"
164 #define MD_KEY_PROBLEM "problem"
165 #define MD_KEY_PROTO "proto"
166 #define MD_KEY_READY "ready"
167 #define MD_KEY_REGISTRATION "registration"
168 #define MD_KEY_RENEW "renew"
169 #define MD_KEY_RENEW_AT "renew-at"
170 #define MD_KEY_RENEW_MODE "renew-mode"
171 #define MD_KEY_RENEWAL "renewal"
172 #define MD_KEY_RENEWING "renewing"
173 #define MD_KEY_RENEW_WINDOW "renew-window"
174 #define MD_KEY_REQUIRE_HTTPS "require-https"
175 #define MD_KEY_RESOURCE "resource"
176 #define MD_KEY_RESPONSE "response"
177 #define MD_KEY_REVOKED "revoked"
178 #define MD_KEY_SERIAL "serial"
179 #define MD_KEY_SHA256_FINGERPRINT "sha256-fingerprint"
180 #define MD_KEY_STAPLING "stapling"
181 #define MD_KEY_STATE "state"
182 #define MD_KEY_STATUS "status"
183 #define MD_KEY_STORE "store"
184 #define MD_KEY_SUBPROBLEMS "subproblems"
185 #define MD_KEY_TEMPORARY "temporary"
186 #define MD_KEY_TOKEN "token"
187 #define MD_KEY_TOTAL "total"
188 #define MD_KEY_TRANSITIVE "transitive"
189 #define MD_KEY_TYPE "type"
190 #define MD_KEY_UNKNOWN "unknown"
191 #define MD_KEY_UNTIL "until"
192 #define MD_KEY_URL "url"
193 #define MD_KEY_URI "uri"
194 #define MD_KEY_VALID "valid"
195 #define MD_KEY_VALID_FROM "valid-from"
196 #define MD_KEY_VALUE "value"
197 #define MD_KEY_VERSION "version"
198 #define MD_KEY_WATCHED "watched"
199 #define MD_KEY_WHEN "when"
200 #define MD_KEY_WARN_WINDOW "warn-window"
201 
202 /* Check if a string member of a new MD (n) has
203  * a value and if it differs from the old MD o
204  */
205 #define MD_VAL_UPDATE(n,o,s) ((n)->s != (o)->s)
206 #define MD_SVAL_UPDATE(n,o,s) ((n)->s && (!(o)->s || strcmp((n)->s, (o)->s)))
207 
211 int md_contains(const md_t *md, const char *domain, int case_sensitive);
212 
216 int md_domains_overlap(const md_t *md1, const md_t *md2);
217 
221 int md_equal_domains(const md_t *md1, const md_t *md2, int case_sensitive);
222 
226 int md_contains_domains(const md_t *md1, const md_t *md2);
227 
231 const char *md_common_name(const md_t *md1, const md_t *md2);
232 
236 apr_size_t md_common_name_count(const md_t *md1, const md_t *md2);
237 
241 md_t *md_get_by_name(struct apr_array_header_t *mds, const char *name);
242 
246 md_t *md_get_by_domain(struct apr_array_header_t *mds, const char *domain);
247 
252 md_t *md_get_by_dns_overlap(struct apr_array_header_t *mds, const md_t *md);
253 
258 
262 md_t *md_create(apr_pool_t *p, struct apr_array_header_t *domains);
263 
267 md_t *md_clone(apr_pool_t *p, const md_t *src);
268 
272 md_t *md_copy(apr_pool_t *p, const md_t *src);
273 
279 struct md_json_t *md_to_json (const md_t *md, apr_pool_t *p);
280 md_t *md_from_json(struct md_json_t *json, apr_pool_t *p);
281 
282 int md_is_covered_by_alt_names(const md_t *md, const struct apr_array_header_t* alt_names);
283 
284 #define LE_ACMEv1_PROD "https://acme-v01.api.letsencrypt.org/directory"
285 #define LE_ACMEv1_STAGING "https://acme-staging.api.letsencrypt.org/directory"
286 
287 #define LE_ACMEv2_PROD "https://acme-v02.api.letsencrypt.org/directory"
288 #define LE_ACMEv2_STAGING "https://acme-staging-v02.api.letsencrypt.org/directory"
289 
290 
291 /**************************************************************************************************/
292 /* notifications */
293 
294 typedef apr_status_t md_job_notify_cb(struct md_job_t *job, const char *reason,
295  struct md_result_t *result, apr_pool_t *p, void *baton);
296 
297 /**************************************************************************************************/
298 /* domain credentials */
299 
300 typedef struct md_pubcert_t md_pubcert_t;
301 struct md_pubcert_t {
302  struct apr_array_header_t *certs; /* chain of const md_cert*, leaf cert first */
303  struct apr_array_header_t *alt_names; /* alt-names of leaf cert */
304  const char *cert_file; /* file path of chain */
305  const char *key_file; /* file path of key for leaf cert */
306 };
307 
308 #define MD_OK(c) (APR_SUCCESS == (rv = c))
309 
310 #endif /* mod_md_md_h */
Definition: mod_md_config.h:75
size_t apr_size_t
Definition: apr.h:397
Definition: md.h:52
struct md_cert_t md_cert_t
Definition: md_crypt.h:94
struct md_json_t * md_to_json(const md_t *md, apr_pool_t *p)
Definition: md.h:74
Definition: md_store.h:278
struct md_json_t md_json_t
Definition: md_json.h:29
Definition: md.h:60
Definition: md.h:51
md_state_t state
Definition: md.h:96
Definition: apr_tables.h:62
struct apr_array_header_t * acme_tls_1_domains
Definition: md.h:98
Definition: md.h:56
int must_staple
Definition: md.h:84
Definition: md.h:68
apr_size_t md_common_name_count(const md_t *md1, const md_t *md2)
int renew_mode
Definition: md.h:82
md_t * md_clone(apr_pool_t *p, const md_t *src)
Definition: md.h:62
const struct md_srv_conf_t * sc
Definition: md.h:102
int transitive
Definition: md.h:79
unsigned defn_line_number
Definition: md.h:104
struct apr_array_header_t * ca_challenges
Definition: md.h:92
md_require_t
Definition: md.h:59
const char * key_file
Definition: md.h:305
int md_equal_domains(const md_t *md1, const md_t *md2, int case_sensitive)
const char * configured_name
Definition: md.h:106
md_t * md_copy(apr_pool_t *p, const md_t *src)
apr_status_t md_job_notify_cb(struct md_job_t *job, const char *reason, struct md_result_t *result, apr_pool_t *p, void *baton)
Definition: md.h:294
Definition: md.h:63
md_require_t require_https
Definition: md.h:80
md_state_t
Definition: md.h:50
Definition: md_status.h:52
struct apr_array_header_t * contacts
Definition: md.h:77
int md_domains_overlap(const md_t *md1, const md_t *md2)
int md_contains_domains(const md_t *md1, const md_t *md2)
md_t * md_create(apr_pool_t *p, struct apr_array_header_t *domains)
md_t * md_get_by_dns_overlap(struct apr_array_header_t *mds, const md_t *md)
const char * cert_file
Definition: md.h:93
const char * ca_proto
Definition: md.h:89
const char * cert_file
Definition: md.h:304
struct apr_array_header_t * certs
Definition: md.h:302
dav_error * src
Definition: mod_dav.h:186
md_t * md_get_by_name(struct apr_array_header_t *mds, const char *name)
const char * defn_name
Definition: md.h:103
int watched
Definition: md.h:101
md_t * md_get_by_domain(struct apr_array_header_t *mds, const char *domain)
md_timeslice_t * warn_window
Definition: md.h:86
Definition: md.h:55
struct apr_hash_t apr_hash_t
Definition: apr_hash.h:52
Definition: md_time.h:55
int stapling
Definition: md.h:99
Definition: md_result.h:27
const char * ca_account
Definition: md.h:90
apr_pool_t * p
Definition: md.h:69
md_renew_mode_t
Definition: md.h:66
const char * pkey_file
Definition: md.h:94
struct apr_array_header_t * alt_names
Definition: md.h:303
Definition: md.h:301
Definition: md.h:70
md_t * md_create_empty(apr_pool_t *p)
struct apr_array_header_t * domains
Definition: md.h:76
md_t * md_from_json(struct md_json_t *json, apr_pool_t *p)
const char * name
Definition: mod_dav.h:805
struct apr_pool_t apr_pool_t
Definition: apr_pools.h:60
const char * md_common_name(const md_t *md1, const md_t *md2)
Definition: md.h:53
int apr_status_t
Definition: apr_errno.h:44
Definition: md.h:54
const char * name
Definition: md.h:75
int md_contains(const md_t *md, const char *domain, int case_sensitive)
Definition: md.h:61
const char * ca_agreement
Definition: md.h:91
const char * ca_url
Definition: md.h:88
struct md_pkey_t md_pkey_t
Definition: md_crypt.h:49
int md_is_covered_by_alt_names(const md_t *md, const struct apr_array_header_t *alt_names)
Definition: md.h:67
Definition: md_crypt.h:60
md_timeslice_t * renew_window
Definition: md.h:85
struct md_pkey_spec_t * pkey_spec
Definition: md.h:83