Apache2
md_crypt.h
Go to the documentation of this file.
1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2  * contributor license agreements. See the NOTICE file distributed with
3  * this work for additional information regarding copyright ownership.
4  * The ASF licenses this file to You under the Apache License, Version 2.0
5  * (the "License"); you may not use this file except in compliance with
6  * the License. You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef mod_md_md_crypt_h
18 #define mod_md_md_crypt_h
19 
20 #include <apr_file_io.h>
21 
22 struct apr_array_header_t;
23 struct md_t;
24 struct md_http_response_t;
25 struct md_cert_t;
26 struct md_pkey_t;
27 struct md_data_t;
28 struct md_timeperiod_t;
29 
30 /**************************************************************************************************/
31 /* random */
32 
33 apr_status_t md_rand_bytes(unsigned char *buf, apr_size_t len, apr_pool_t *p);
34 
35 apr_time_t md_asn1_generalized_time_get(void *ASN1_GENERALIZEDTIME);
36 
37 /**************************************************************************************************/
38 /* digests */
39 apr_status_t md_crypt_sha256_digest64(const char **pdigest64, apr_pool_t *p,
40  const struct md_data_t *data);
41 apr_status_t md_crypt_sha256_digest_hex(const char **pdigesthex, apr_pool_t *p,
42  const struct md_data_t *data);
43 
44 /**************************************************************************************************/
45 /* private keys */
46 
47 typedef struct md_pkey_t md_pkey_t;
48 
49 typedef enum {
50  MD_PKEY_TYPE_DEFAULT,
51  MD_PKEY_TYPE_RSA,
52  MD_PKEY_TYPE_EC,
53 } md_pkey_type_t;
54 
55 typedef struct md_pkey_rsa_params_t {
56  apr_uint32_t bits;
57 } md_pkey_rsa_params_t;
58 
59 typedef struct md_pkey_ec_params_t {
60  const char *curve;
61 } md_pkey_ec_params_t;
62 
63 typedef struct md_pkey_spec_t {
64  md_pkey_type_t type;
65  union {
66  md_pkey_rsa_params_t rsa;
67  md_pkey_ec_params_t ec;
68  } params;
69 } md_pkey_spec_t;
70 
71 typedef struct md_pkeys_spec_t {
72  apr_pool_t *p;
73  struct apr_array_header_t *specs;
74 } md_pkeys_spec_t;
75 
76 apr_status_t md_crypt_init(apr_pool_t *pool);
77 
78 const char *md_pkey_spec_name(const md_pkey_spec_t *spec);
79 
80 md_pkeys_spec_t *md_pkeys_spec_make(apr_pool_t *p);
81 void md_pkeys_spec_add_default(md_pkeys_spec_t *pks);
82 int md_pkeys_spec_contains_rsa(md_pkeys_spec_t *pks);
83 void md_pkeys_spec_add_rsa(md_pkeys_spec_t *pks, unsigned int bits);
84 int md_pkeys_spec_contains_ec(md_pkeys_spec_t *pks, const char *curve);
85 void md_pkeys_spec_add_ec(md_pkeys_spec_t *pks, const char *curve);
86 int md_pkeys_spec_eq(md_pkeys_spec_t *pks1, md_pkeys_spec_t *pks2);
87 md_pkeys_spec_t *md_pkeys_spec_clone(apr_pool_t *p, const md_pkeys_spec_t *pks);
88 int md_pkeys_spec_is_empty(const md_pkeys_spec_t *pks);
89 md_pkey_spec_t *md_pkeys_spec_get(const md_pkeys_spec_t *pks, int index);
90 int md_pkeys_spec_count(const md_pkeys_spec_t *pks);
91 void md_pkeys_spec_add(md_pkeys_spec_t *pks, md_pkey_spec_t *spec);
92 
93 struct md_json_t *md_pkey_spec_to_json(const md_pkey_spec_t *spec, apr_pool_t *p);
94 md_pkey_spec_t *md_pkey_spec_from_json(struct md_json_t *json, apr_pool_t *p);
95 struct md_json_t *md_pkeys_spec_to_json(const md_pkeys_spec_t *pks, apr_pool_t *p);
96 md_pkeys_spec_t *md_pkeys_spec_from_json(struct md_json_t *json, apr_pool_t *p);
97 
98 
99 apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t *p, md_pkey_spec_t *key_props);
100 void md_pkey_free(md_pkey_t *pkey);
101 
102 const char *md_pkey_get_rsa_e64(md_pkey_t *pkey, apr_pool_t *p);
103 const char *md_pkey_get_rsa_n64(md_pkey_t *pkey, apr_pool_t *p);
104 
105 apr_status_t md_pkey_fload(md_pkey_t **ppkey, apr_pool_t *p,
106  const char *pass_phrase, apr_size_t pass_len,
107  const char *fname);
108 apr_status_t md_pkey_fsave(md_pkey_t *pkey, apr_pool_t *p,
109  const char *pass_phrase, apr_size_t pass_len,
110  const char *fname, apr_fileperms_t perms);
111 
112 apr_status_t md_crypt_sign64(const char **psign64, md_pkey_t *pkey, apr_pool_t *p,
113  const char *d, size_t dlen);
114 
115 void *md_pkey_get_EVP_PKEY(struct md_pkey_t *pkey);
116 
117 apr_status_t md_crypt_hmac64(const char **pmac64, const struct md_data_t *hmac_key,
118  apr_pool_t *p, const char *d, size_t dlen);
119 
123 apr_status_t md_pkey_read_http(md_pkey_t **ppkey, apr_pool_t *pool,
124  const struct md_http_response_t *res);
125 
126 /**************************************************************************************************/
127 /* X509 certificates */
128 
129 typedef struct md_cert_t md_cert_t;
130 
131 typedef enum {
132  MD_CERT_UNKNOWN,
133  MD_CERT_VALID,
134  MD_CERT_EXPIRED
135 } md_cert_state_t;
136 
141 md_cert_t *md_cert_make(apr_pool_t *p, void *x509);
142 
147 md_cert_t *md_cert_wrap(apr_pool_t *p, void *x509);
148 
149 void *md_cert_get_X509(const md_cert_t *cert);
150 
151 apr_status_t md_cert_fload(md_cert_t **pcert, apr_pool_t *p, const char *fname);
152 apr_status_t md_cert_fsave(md_cert_t *cert, apr_pool_t *p,
153  const char *fname, apr_fileperms_t perms);
154 
160 apr_status_t md_cert_read_http(md_cert_t **pcert, apr_pool_t *pool,
161  const struct md_http_response_t *res);
162 
166 apr_status_t md_cert_read_chain(apr_array_header_t *chain, apr_pool_t *p,
167  const char *pem, apr_size_t pem_len);
168 
175 apr_status_t md_cert_chain_read_http(struct apr_array_header_t *chain,
176  apr_pool_t *pool, const struct md_http_response_t *res);
177 
178 md_cert_state_t md_cert_state_get(const md_cert_t *cert);
179 int md_cert_is_valid_now(const md_cert_t *cert);
180 int md_cert_has_expired(const md_cert_t *cert);
181 int md_cert_covers_domain(md_cert_t *cert, const char *domain_name);
182 int md_cert_covers_md(md_cert_t *cert, const struct md_t *md);
183 int md_cert_must_staple(const md_cert_t *cert);
184 apr_time_t md_cert_get_not_after(const md_cert_t *cert);
185 apr_time_t md_cert_get_not_before(const md_cert_t *cert);
186 struct md_timeperiod_t md_cert_get_valid(const md_cert_t *cert);
187 
191 int md_certs_are_equal(const md_cert_t *a, const md_cert_t *b);
192 
193 apr_status_t md_cert_get_issuers_uri(const char **puri, const md_cert_t *cert, apr_pool_t *p);
194 apr_status_t md_cert_get_alt_names(apr_array_header_t **pnames, const md_cert_t *cert, apr_pool_t *p);
195 
196 apr_status_t md_cert_to_base64url(const char **ps64, const md_cert_t *cert, apr_pool_t *p);
197 apr_status_t md_cert_from_base64url(md_cert_t **pcert, const char *s64, apr_pool_t *p);
198 
199 apr_status_t md_cert_to_sha256_digest(struct md_data_t **pdigest, const md_cert_t *cert, apr_pool_t *p);
200 apr_status_t md_cert_to_sha256_fingerprint(const char **pfinger, const md_cert_t *cert, apr_pool_t *p);
201 
202 const char *md_cert_get_serial_number(const md_cert_t *cert, apr_pool_t *p);
203 
204 apr_status_t md_chain_fload(struct apr_array_header_t **pcerts,
205  apr_pool_t *p, const char *fname);
206 apr_status_t md_chain_fsave(struct apr_array_header_t *certs,
207  apr_pool_t *p, const char *fname, apr_fileperms_t perms);
208 apr_status_t md_chain_fappend(struct apr_array_header_t *certs,
209  apr_pool_t *p, const char *fname);
210 
211 apr_status_t md_cert_req_create(const char **pcsr_der_64, const char *name,
212  apr_array_header_t *domains, int must_staple,
213  md_pkey_t *pkey, apr_pool_t *p);
214 
219 apr_status_t md_cert_self_sign(md_cert_t **pcert, const char *cn,
220  struct apr_array_header_t *domains, md_pkey_t *pkey,
221  apr_interval_time_t valid_for, apr_pool_t *p);
222 
227 apr_status_t md_cert_make_tls_alpn_01(md_cert_t **pcert, const char *domain,
228  const char *acme_id, md_pkey_t *pkey,
229  apr_interval_time_t valid_for, apr_pool_t *p);
230 
231 apr_status_t md_cert_get_ct_scts(apr_array_header_t *scts, apr_pool_t *p, const md_cert_t *cert);
232 
233 apr_status_t md_cert_get_ocsp_responder_url(const char **purl, apr_pool_t *p, const md_cert_t *cert);
234 
235 apr_status_t md_check_cert_and_pkey(struct apr_array_header_t *certs, md_pkey_t *pkey);
236 
237 
238 /**************************************************************************************************/
239 /* X509 certificate transparency */
240 
241 const char *md_nid_get_sname(int nid);
242 const char *md_nid_get_lname(int nid);
243 
244 typedef struct md_sct md_sct;
245 struct md_sct {
246  int version;
247  apr_time_t timestamp;
248  struct md_data_t *logid;
249  int signature_type_nid;
250  struct md_data_t *signature;
251 };
252 
253 #endif /* md_crypt_h */
apr_file_io.h
APR File I/O Handling.
pool
apr_bucket_brigade request_rec apr_pool_t * pool
Definition: mod_dav.h:557
name
const char * name
Definition: mod_dav.h:805
dlen
const char apr_size_t dlen
Definition: mod_proxy.h:707
apr_status_t
int apr_status_t
Definition: apr_errno.h:44
apr_fileperms_t
apr_int32_t apr_fileperms_t
Definition: apr_file_info.h:125
apr_uint32_t
unsigned int apr_uint32_t
Definition: apr.h:348
apr_size_t
size_t apr_size_t
Definition: apr.h:394
apr_pool_t
struct apr_pool_t apr_pool_t
Definition: apr_pools.h:60
apr_interval_time_t
apr_int64_t apr_interval_time_t
Definition: apr_time.h:55
apr_time_t
apr_int64_t apr_time_t
Definition: apr_time.h:45
md_cert_chain_read_http
apr_status_t md_cert_chain_read_http(struct apr_array_header_t *chain, apr_pool_t *pool, const struct md_http_response_t *res)
md_pkey_get_rsa_n64
const char * md_pkey_get_rsa_n64(md_pkey_t *pkey, apr_pool_t *p)
md_cert_get_valid
struct md_timeperiod_t md_cert_get_valid(const md_cert_t *cert)
md_certs_are_equal
int md_certs_are_equal(const md_cert_t *a, const md_cert_t *b)
md_rand_bytes
apr_status_t md_rand_bytes(unsigned char *buf, apr_size_t len, apr_pool_t *p)
md_pkey_free
void md_pkey_free(md_pkey_t *pkey)
md_pkey_t
struct md_pkey_t md_pkey_t
Definition: md_crypt.h:47
md_chain_fload
apr_status_t md_chain_fload(struct apr_array_header_t **pcerts, apr_pool_t *p, const char *fname)
md_chain_fappend
apr_status_t md_chain_fappend(struct apr_array_header_t *certs, apr_pool_t *p, const char *fname)
md_cert_fload
apr_status_t md_cert_fload(md_cert_t **pcert, apr_pool_t *p, const char *fname)
md_cert_t
struct md_cert_t md_cert_t
Definition: md_crypt.h:129
md_pkey_read_http
apr_status_t md_pkey_read_http(md_pkey_t **ppkey, apr_pool_t *pool, const struct md_http_response_t *res)
md_cert_to_sha256_fingerprint
apr_status_t md_cert_to_sha256_fingerprint(const char **pfinger, const md_cert_t *cert, apr_pool_t *p)
md_pkey_fload
apr_status_t md_pkey_fload(md_pkey_t **ppkey, apr_pool_t *p, const char *pass_phrase, apr_size_t pass_len, const char *fname)
md_cert_read_chain
apr_status_t md_cert_read_chain(apr_array_header_t *chain, apr_pool_t *p, const char *pem, apr_size_t pem_len)
md_cert_make
md_cert_t * md_cert_make(apr_pool_t *p, void *x509)
md_pkeys_spec_t
struct md_pkeys_spec_t md_pkeys_spec_t
md_cert_get_issuers_uri
apr_status_t md_cert_get_issuers_uri(const char **puri, const md_cert_t *cert, apr_pool_t *p)
md_pkey_spec_name
const char * md_pkey_spec_name(const md_pkey_spec_t *spec)
md_pkey_spec_t
struct md_pkey_spec_t md_pkey_spec_t
md_cert_get_ocsp_responder_url
apr_status_t md_cert_get_ocsp_responder_url(const char **purl, apr_pool_t *p, const md_cert_t *cert)
md_cert_must_staple
int md_cert_must_staple(const md_cert_t *cert)
md_pkeys_spec_get
md_pkey_spec_t * md_pkeys_spec_get(const md_pkeys_spec_t *pks, int index)
md_cert_get_X509
void * md_cert_get_X509(const md_cert_t *cert)
md_cert_get_serial_number
const char * md_cert_get_serial_number(const md_cert_t *cert, apr_pool_t *p)
md_pkey_get_EVP_PKEY
void * md_pkey_get_EVP_PKEY(struct md_pkey_t *pkey)
md_asn1_generalized_time_get
apr_time_t md_asn1_generalized_time_get(void *ASN1_GENERALIZEDTIME)
md_pkey_type_t
md_pkey_type_t
Definition: md_crypt.h:49
MD_PKEY_TYPE_RSA
@ MD_PKEY_TYPE_RSA
Definition: md_crypt.h:51
MD_PKEY_TYPE_EC
@ MD_PKEY_TYPE_EC
Definition: md_crypt.h:52
MD_PKEY_TYPE_DEFAULT
@ MD_PKEY_TYPE_DEFAULT
Definition: md_crypt.h:50
md_pkey_get_rsa_e64
const char * md_pkey_get_rsa_e64(md_pkey_t *pkey, apr_pool_t *p)
md_cert_self_sign
apr_status_t md_cert_self_sign(md_cert_t **pcert, const char *cn, struct apr_array_header_t *domains, md_pkey_t *pkey, apr_interval_time_t valid_for, apr_pool_t *p)
md_cert_get_not_before
apr_time_t md_cert_get_not_before(const md_cert_t *cert)
md_cert_covers_md
int md_cert_covers_md(md_cert_t *cert, const struct md_t *md)
md_cert_to_sha256_digest
apr_status_t md_cert_to_sha256_digest(struct md_data_t **pdigest, const md_cert_t *cert, apr_pool_t *p)
md_crypt_sha256_digest64
apr_status_t md_crypt_sha256_digest64(const char **pdigest64, apr_pool_t *p, const struct md_data_t *data)
md_crypt_sign64
apr_status_t md_crypt_sign64(const char **psign64, md_pkey_t *pkey, apr_pool_t *p, const char *d, size_t dlen)
md_cert_req_create
apr_status_t md_cert_req_create(const char **pcsr_der_64, const char *name, apr_array_header_t *domains, int must_staple, md_pkey_t *pkey, apr_pool_t *p)
md_pkeys_spec_count
int md_pkeys_spec_count(const md_pkeys_spec_t *pks)
md_cert_is_valid_now
int md_cert_is_valid_now(const md_cert_t *cert)
md_crypt_init
apr_status_t md_crypt_init(apr_pool_t *pool)
md_pkey_spec_to_json
struct md_json_t * md_pkey_spec_to_json(const md_pkey_spec_t *spec, apr_pool_t *p)
md_pkeys_spec_from_json
md_pkeys_spec_t * md_pkeys_spec_from_json(struct md_json_t *json, apr_pool_t *p)
md_cert_wrap
md_cert_t * md_cert_wrap(apr_pool_t *p, void *x509)
md_pkey_spec_from_json
md_pkey_spec_t * md_pkey_spec_from_json(struct md_json_t *json, apr_pool_t *p)
md_cert_get_alt_names
apr_status_t md_cert_get_alt_names(apr_array_header_t **pnames, const md_cert_t *cert, apr_pool_t *p)
md_pkeys_spec_contains_rsa
int md_pkeys_spec_contains_rsa(md_pkeys_spec_t *pks)
md_cert_from_base64url
apr_status_t md_cert_from_base64url(md_cert_t **pcert, const char *s64, apr_pool_t *p)
md_cert_state_t
md_cert_state_t
Definition: md_crypt.h:131
MD_CERT_VALID
@ MD_CERT_VALID
Definition: md_crypt.h:133
MD_CERT_EXPIRED
@ MD_CERT_EXPIRED
Definition: md_crypt.h:134
MD_CERT_UNKNOWN
@ MD_CERT_UNKNOWN
Definition: md_crypt.h:132
md_pkey_fsave
apr_status_t md_pkey_fsave(md_pkey_t *pkey, apr_pool_t *p, const char *pass_phrase, apr_size_t pass_len, const char *fname, apr_fileperms_t perms)
md_pkeys_spec_clone
md_pkeys_spec_t * md_pkeys_spec_clone(apr_pool_t *p, const md_pkeys_spec_t *pks)
md_cert_has_expired
int md_cert_has_expired(const md_cert_t *cert)
md_cert_make_tls_alpn_01
apr_status_t md_cert_make_tls_alpn_01(md_cert_t **pcert, const char *domain, const char *acme_id, md_pkey_t *pkey, apr_interval_time_t valid_for, apr_pool_t *p)
md_cert_get_ct_scts
apr_status_t md_cert_get_ct_scts(apr_array_header_t *scts, apr_pool_t *p, const md_cert_t *cert)
md_cert_read_http
apr_status_t md_cert_read_http(md_cert_t **pcert, apr_pool_t *pool, const struct md_http_response_t *res)
md_crypt_hmac64
apr_status_t md_crypt_hmac64(const char **pmac64, const struct md_data_t *hmac_key, apr_pool_t *p, const char *d, size_t dlen)
md_pkeys_spec_eq
int md_pkeys_spec_eq(md_pkeys_spec_t *pks1, md_pkeys_spec_t *pks2)
md_pkey_ec_params_t
struct md_pkey_ec_params_t md_pkey_ec_params_t
md_pkeys_spec_make
md_pkeys_spec_t * md_pkeys_spec_make(apr_pool_t *p)
md_pkey_gen
apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t *p, md_pkey_spec_t *key_props)
md_cert_fsave
apr_status_t md_cert_fsave(md_cert_t *cert, apr_pool_t *p, const char *fname, apr_fileperms_t perms)
md_cert_state_get
md_cert_state_t md_cert_state_get(const md_cert_t *cert)
md_check_cert_and_pkey
apr_status_t md_check_cert_and_pkey(struct apr_array_header_t *certs, md_pkey_t *pkey)
md_pkeys_spec_add_default
void md_pkeys_spec_add_default(md_pkeys_spec_t *pks)
md_pkeys_spec_to_json
struct md_json_t * md_pkeys_spec_to_json(const md_pkeys_spec_t *pks, apr_pool_t *p)
md_pkey_rsa_params_t
struct md_pkey_rsa_params_t md_pkey_rsa_params_t
md_pkeys_spec_add
void md_pkeys_spec_add(md_pkeys_spec_t *pks, md_pkey_spec_t *spec)
md_cert_covers_domain
int md_cert_covers_domain(md_cert_t *cert, const char *domain_name)
md_pkeys_spec_add_ec
void md_pkeys_spec_add_ec(md_pkeys_spec_t *pks, const char *curve)
md_pkeys_spec_is_empty
int md_pkeys_spec_is_empty(const md_pkeys_spec_t *pks)
md_cert_get_not_after
apr_time_t md_cert_get_not_after(const md_cert_t *cert)
md_pkeys_spec_add_rsa
void md_pkeys_spec_add_rsa(md_pkeys_spec_t *pks, unsigned int bits)
md_nid_get_lname
const char * md_nid_get_lname(int nid)
md_cert_to_base64url
apr_status_t md_cert_to_base64url(const char **ps64, const md_cert_t *cert, apr_pool_t *p)
md_chain_fsave
apr_status_t md_chain_fsave(struct apr_array_header_t *certs, apr_pool_t *p, const char *fname, apr_fileperms_t perms)
md_nid_get_sname
const char * md_nid_get_sname(int nid)
md_pkeys_spec_contains_ec
int md_pkeys_spec_contains_ec(md_pkeys_spec_t *pks, const char *curve)
md_crypt_sha256_digest_hex
apr_status_t md_crypt_sha256_digest_hex(const char **pdigesthex, apr_pool_t *p, const struct md_data_t *data)
md_json_t
struct md_json_t md_json_t
Definition: md_json.h:29
apr_array_header_t
Definition: apr_tables.h:62
md_data_t
Definition: md_util.h:41
md_http_response_t
Definition: md_http.h:78
md_pkey_ec_params_t
Definition: md_crypt.h:59
md_pkey_ec_params_t::curve
const char * curve
Definition: md_crypt.h:60
md_pkey_rsa_params_t
Definition: md_crypt.h:55
md_pkey_rsa_params_t::bits
apr_uint32_t bits
Definition: md_crypt.h:56
md_pkey_spec_t
Definition: md_crypt.h:63
md_pkey_spec_t::type
md_pkey_type_t type
Definition: md_crypt.h:64
md_pkey_spec_t::params
union md_pkey_spec_t::@7 params
md_pkey_spec_t::ec
md_pkey_ec_params_t ec
Definition: md_crypt.h:67
md_pkey_spec_t::rsa
md_pkey_rsa_params_t rsa
Definition: md_crypt.h:66
md_pkeys_spec_t
Definition: md_crypt.h:71
md_pkeys_spec_t::p
apr_pool_t * p
Definition: md_crypt.h:72
md_pkeys_spec_t::specs
struct apr_array_header_t * specs
Definition: md_crypt.h:73
md_sct
Definition: md_crypt.h:245
md_sct::version
int version
Definition: md_crypt.h:246
md_sct::timestamp
apr_time_t timestamp
Definition: md_crypt.h:247
md_sct::signature_type_nid
int signature_type_nid
Definition: md_crypt.h:249
md_sct::signature
struct md_data_t * signature
Definition: md_crypt.h:250
md_sct::logid
struct md_data_t * logid
Definition: md_crypt.h:248
md_t
Definition: md.h:76
md_timeperiod_t
Definition: md_time.h:27
p
apr_pool_t * p