211 lines
7.3 KiB
C
211 lines
7.3 KiB
C
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership.
|
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
* (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
#ifndef tls_cert_h
|
|
#define tls_cert_h
|
|
|
|
#include "tls_util.h"
|
|
|
|
/**
|
|
* The PEM data of a certificate and its key.
|
|
*/
|
|
typedef struct {
|
|
tls_data_t cert_pem;
|
|
tls_data_t pkey_pem;
|
|
} tls_cert_pem_t;
|
|
|
|
/**
|
|
* Specify a certificate via files or PEM data.
|
|
*/
|
|
typedef struct {
|
|
const char *cert_file; /* file path, relative to ap_root */
|
|
const char *pkey_file; /* file path, relative to ap_root */
|
|
const char *cert_pem; /* NUL-terminated PEM string */
|
|
const char *pkey_pem; /* NUL-terminated PEM string */
|
|
} tls_cert_spec_t;
|
|
|
|
/**
|
|
* Load the PEM data for a certificate file and key file as given in `cert`.
|
|
*/
|
|
apr_status_t tls_cert_load_pem(
|
|
apr_pool_t *p, const tls_cert_spec_t *cert, tls_cert_pem_t **ppem);
|
|
|
|
apr_status_t tls_cert_to_pem(const char **ppem, apr_pool_t *p, const rustls_certificate *cert);
|
|
|
|
/**
|
|
* Load a rustls certified key from a certificate specification.
|
|
* The returned `rustls_certified_key` is owned by the caller.
|
|
* @param p the memory pool to use
|
|
* @param spec the specification for the certificate (file or PEM data)
|
|
* @param cert_pem return the PEM data used for loading the certificates, optional
|
|
* @param pckey the loaded certified key on return
|
|
*/
|
|
apr_status_t tls_cert_load_cert_key(
|
|
apr_pool_t *p, const tls_cert_spec_t *spec,
|
|
const char **pcert_pem, const rustls_certified_key **pckey);
|
|
|
|
/**
|
|
* A registry of rustls_certified_key* by identifier.
|
|
*/
|
|
typedef struct tls_cert_reg_t tls_cert_reg_t;
|
|
struct tls_cert_reg_t{
|
|
apr_pool_t *pool;
|
|
apr_hash_t *id2entry;
|
|
apr_hash_t *key2entry;
|
|
};
|
|
|
|
/**
|
|
* Create a new registry with lifetime based on the memory pool.
|
|
* The registry will take care of its memory and allocated keys when
|
|
* the pool is destroyed.
|
|
*/
|
|
tls_cert_reg_t *tls_cert_reg_make(apr_pool_t *p);
|
|
|
|
/**
|
|
* Return the number of certified keys in the registry.
|
|
*/
|
|
apr_size_t tls_cert_reg_count(tls_cert_reg_t *reg);
|
|
|
|
/**
|
|
* Get a the `rustls_certified_key` identified by `spec` from the registry.
|
|
* This will load the key the first time it is requested.
|
|
* The returned `rustls_certified_key` is owned by the registry.
|
|
* @param reg the certified key registry
|
|
* @param s the server_rec this is loaded into, useful for error logging
|
|
* @param spec the specification of the certified key
|
|
* @param pckey the certified key instance on return
|
|
*/
|
|
apr_status_t tls_cert_reg_get_certified_key(
|
|
tls_cert_reg_t *reg, server_rec *s, const tls_cert_spec_t *spec, const rustls_certified_key **pckey);
|
|
|
|
/**
|
|
* Visit all certified keys in the registry.
|
|
* The callback may return 0 to abort the iteration.
|
|
* @param userdata supplied by the visit invocation
|
|
* @param s the server_rec the certified was load into first
|
|
* @param id internal identifier of the certified key
|
|
* @param cert_pem the PEM data of the certificate and its chain
|
|
* @param certified_key the key instance itself
|
|
*/
|
|
typedef int tls_cert_reg_visitor(
|
|
void *userdata, server_rec *s,
|
|
const char *id, const char *cert_pem, const rustls_certified_key *certified_key);
|
|
|
|
/**
|
|
* Visit all certified_key entries in the registry.
|
|
* @param visitor callback invoked on each entry until it returns 0.
|
|
* @param userdata passed to callback
|
|
* @param reg the registry to iterate over
|
|
*/
|
|
void tls_cert_reg_do(
|
|
tls_cert_reg_visitor *visitor, void *userdata, tls_cert_reg_t *reg);
|
|
|
|
/**
|
|
* Get the identity assigned to a loaded, certified key. Returns NULL, if the
|
|
* key is not part of the registry. The returned bytes are owned by the registry
|
|
* entry.
|
|
* @param reg the registry to look in.
|
|
* @param certified_key the key to get the identifier for
|
|
*/
|
|
const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key *certified_key);
|
|
|
|
/**
|
|
* Load all root certificates from a PEM file into a rustls_root_cert_store.
|
|
* @param p the memory pool to use
|
|
* @param store_file the (server relative) path of the PEM file
|
|
* @param pstore the loaded root store on success
|
|
*/
|
|
apr_status_t tls_cert_load_root_store(
|
|
apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
|
|
|
|
typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
|
|
struct tls_cert_root_stores_t {
|
|
apr_pool_t *pool;
|
|
apr_hash_t *file2store;
|
|
};
|
|
|
|
/**
|
|
* Create a new root stores registry with lifetime based on the memory pool.
|
|
* The registry will take care of its memory and allocated stores when
|
|
* the pool is destroyed.
|
|
*/
|
|
tls_cert_root_stores_t *tls_cert_root_stores_make(apr_pool_t *p);
|
|
|
|
/**
|
|
* Clear the root stores registry, freeing all stores.
|
|
*/
|
|
void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
|
|
|
|
/**
|
|
* Load all root certificates from a PEM file into a rustls_root_cert_store.
|
|
* @param p the memory pool to use
|
|
* @param store_file the (server relative) path of the PEM file
|
|
* @param pstore the loaded root store on success
|
|
*/
|
|
apr_status_t tls_cert_root_stores_get(
|
|
tls_cert_root_stores_t *stores,
|
|
const char *store_file,
|
|
rustls_root_cert_store **pstore);
|
|
|
|
typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
|
|
struct tls_cert_verifiers_t {
|
|
apr_pool_t *pool;
|
|
tls_cert_root_stores_t *stores;
|
|
apr_hash_t *file2verifier;
|
|
};
|
|
|
|
/**
|
|
* Create a new registry for certificate verifiers with lifetime based on the memory pool.
|
|
* The registry will take care of its memory and allocated verifiers when
|
|
* the pool is destroyed.
|
|
* @param p the memory pool to use
|
|
* @param stores the store registry for lookups
|
|
*/
|
|
tls_cert_verifiers_t *tls_cert_verifiers_make(
|
|
apr_pool_t *p, tls_cert_root_stores_t *stores);
|
|
|
|
/**
|
|
* Clear the verifiers registry, freeing all verifiers.
|
|
*/
|
|
void tls_cert_verifiers_clear(
|
|
tls_cert_verifiers_t *verifiers);
|
|
|
|
/**
|
|
* Get the mandatory client certificate verifier for the
|
|
* root certificate store in `store_file`. Will create
|
|
* the verifier if not already known.
|
|
* @param verifiers the registry of certificate verifiers
|
|
* @param store_file the (server relative) path of the PEM file with certificates
|
|
* @param pverifiers the verifier on success
|
|
*/
|
|
apr_status_t tls_cert_client_verifiers_get(
|
|
tls_cert_verifiers_t *verifiers,
|
|
const char *store_file,
|
|
const rustls_client_cert_verifier **pverifier);
|
|
|
|
/**
|
|
* Get the optional client certificate verifier for the
|
|
* root certificate store in `store_file`. Will create
|
|
* the verifier if not already known.
|
|
* @param verifiers the registry of certificate verifiers
|
|
* @param store_file the (server relative) path of the PEM file with certificates
|
|
* @param pverifiers the verifier on success
|
|
*/
|
|
apr_status_t tls_cert_client_verifiers_get_optional(
|
|
tls_cert_verifiers_t *verifiers,
|
|
const char *store_file,
|
|
const rustls_client_cert_verifier_optional **pverifier);
|
|
|
|
#endif /* tls_cert_h */ |