1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #ifndef mod_md_md_crypt_h
18 #define mod_md_md_crypt_h
20 #include <apr_file_io.h>
22 struct apr_array_header_t;
24 struct md_http_response_t;
30 /**************************************************************************************************/
33 apr_status_t md_rand_bytes(unsigned char *buf, apr_size_t len, apr_pool_t *p);
35 /**************************************************************************************************/
37 apr_status_t md_crypt_sha256_digest64(const char **pdigest64, apr_pool_t *p,
38 const struct md_data *data);
39 apr_status_t md_crypt_sha256_digest_hex(const char **pdigesthex, apr_pool_t *p,
40 const struct md_data *data);
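/* Point (d)->data at the NUL-terminated string (s) and record its length in
 * (d)->len.  No copy is made: (d)->data aliases (s), so the caller keeps
 * ownership of the string and must keep it alive as long as (d) is used.
 * (s) is evaluated exactly once -- the length is taken from (d)->data -- so an
 * argument with side effects (e.g. a function call or `p++`) is safe here. */
#define MD_DATA_SET_STR(d, s) do { (d)->data = (s); (d)->len = strlen((d)->data); } while(0)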
44 /**************************************************************************************************/
47 typedef struct md_pkey_t md_pkey_t;
54 typedef struct md_pkey_rsa_spec_t {
58 typedef struct md_pkey_spec_t {
61 md_pkey_rsa_spec_t rsa;
65 apr_status_t md_crypt_init(apr_pool_t *pool);
67 apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t *p, md_pkey_spec_t *spec);
68 void md_pkey_free(md_pkey_t *pkey);
70 const char *md_pkey_get_rsa_e64(md_pkey_t *pkey, apr_pool_t *p);
71 const char *md_pkey_get_rsa_n64(md_pkey_t *pkey, apr_pool_t *p);
73 apr_status_t md_pkey_fload(md_pkey_t **ppkey, apr_pool_t *p,
74 const char *pass_phrase, apr_size_t pass_len,
/**
 * Write the key @p pkey to the file @p fname.  The key is the one used for
 * signing (see md_crypt_sign64), so the written file contains private material.
 * @param pass_phrase, pass_len  passphrase protecting the stored key
 *        (NOTE(review): how a NULL or zero-length passphrase is treated -- e.g.
 *        whether the key is then written unencrypted -- is decided by the
 *        implementation, not this header; confirm there)
 * @param perms  apr_fileperms_t applied to the created file; because of the
 *        private material, callers should pass owner-only permissions
 *        (not enforced by this declaration -- verify at the call sites)
 * @return APR_SUCCESS or an APR error status
 */
76 apr_status_t md_pkey_fsave(md_pkey_t *pkey, apr_pool_t *p,
77 const char *pass_phrase, apr_size_t pass_len,
78 const char *fname, apr_fileperms_t perms);
80 apr_status_t md_crypt_sign64(const char **psign64, md_pkey_t *pkey, apr_pool_t *p,
81 const char *d, size_t dlen);
83 void *md_pkey_get_EVP_PKEY(struct md_pkey_t *pkey);
85 struct md_json_t *md_pkey_spec_to_json(const md_pkey_spec_t *spec, apr_pool_t *p);
86 md_pkey_spec_t *md_pkey_spec_from_json(struct md_json_t *json, apr_pool_t *p);
87 int md_pkey_spec_eq(md_pkey_spec_t *spec1, md_pkey_spec_t *spec2);
89 /**************************************************************************************************/
90 /* X509 certificates */
92 typedef struct md_cert_t md_cert_t;
100 void md_cert_free(md_cert_t *cert);
101 void *md_cert_get_X509(const md_cert_t *cert);
103 apr_status_t md_cert_fload(md_cert_t **pcert, apr_pool_t *p, const char *fname);
104 apr_status_t md_cert_fsave(md_cert_t *cert, apr_pool_t *p,
105 const char *fname, apr_fileperms_t perms);
108 * Read an X509 certificate from an HTTP response.
109 * Returns APR_ENOENT if the content-type is not recognized (currently
110 * only "application/pkix-cert" is supported).
112 apr_status_t md_cert_read_http(md_cert_t **pcert, apr_pool_t *pool,
113 const struct md_http_response_t *res);
116 * Read one certificate, or a whole chain of certificates, from an HTTP response.
117 * Returns APR_ENOENT if the content-type is not recognized (currently
118 * only "application/pem-certificate-chain" and "application/pkix-cert" are supported).
119 * @param chain must be non-NULL; the retrieved certificates will be added to it.
121 apr_status_t md_cert_chain_read_http(struct apr_array_header_t *chain,
122 apr_pool_t *pool, const struct md_http_response_t *res);
124 md_cert_state_t md_cert_state_get(const md_cert_t *cert);
125 int md_cert_is_valid_now(const md_cert_t *cert);
126 int md_cert_has_expired(const md_cert_t *cert);
127 int md_cert_covers_domain(md_cert_t *cert, const char *domain_name);
128 int md_cert_covers_md(md_cert_t *cert, const struct md_t *md);
129 int md_cert_must_staple(const md_cert_t *cert);
130 apr_time_t md_cert_get_not_after(const md_cert_t *cert);
131 apr_time_t md_cert_get_not_before(const md_cert_t *cert);
133 apr_status_t md_cert_get_issuers_uri(const char **puri, const md_cert_t *cert, apr_pool_t *p);
134 apr_status_t md_cert_get_alt_names(apr_array_header_t **pnames, const md_cert_t *cert, apr_pool_t *p);
136 apr_status_t md_cert_to_base64url(const char **ps64, const md_cert_t *cert, apr_pool_t *p);
137 apr_status_t md_cert_from_base64url(md_cert_t **pcert, const char *s64, apr_pool_t *p);
139 apr_status_t md_cert_to_sha256_digest(struct md_data **pdigest, const md_cert_t *cert, apr_pool_t *p);
140 apr_status_t md_cert_to_sha256_fingerprint(const char **pfinger, const md_cert_t *cert, apr_pool_t *p);
142 const char *md_cert_get_serial_number(const md_cert_t *cert, apr_pool_t *p);
144 apr_status_t md_chain_fload(struct apr_array_header_t **pcerts,
145 apr_pool_t *p, const char *fname);
146 apr_status_t md_chain_fsave(struct apr_array_header_t *certs,
147 apr_pool_t *p, const char *fname, apr_fileperms_t perms);
148 apr_status_t md_chain_fappend(struct apr_array_header_t *certs,
149 apr_pool_t *p, const char *fname);
151 apr_status_t md_cert_req_create(const char **pcsr_der_64, const char *name,
152 apr_array_header_t *domains, int must_staple,
153 md_pkey_t *pkey, apr_pool_t *p);
156 * Create a self-signed certificate with the given cn, key and list
157 * of alternate domain names.
159 apr_status_t md_cert_self_sign(md_cert_t **pcert, const char *cn,
160 struct apr_array_header_t *domains, md_pkey_t *pkey,
161 apr_interval_time_t valid_for, apr_pool_t *p);
164 * Create a certificate for answering "tls-alpn-01" ACME challenges
165 * (see <https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01>).
167 apr_status_t md_cert_make_tls_alpn_01(md_cert_t **pcert, const char *domain,
168 const char *acme_id, md_pkey_t *pkey,
169 apr_interval_time_t valid_for, apr_pool_t *p);
171 apr_status_t md_cert_get_ct_scts(apr_array_header_t *scts, apr_pool_t *p, const md_cert_t *cert);
174 /**************************************************************************************************/
175 /* X509 certificate transparency */
177 const char *md_nid_get_sname(int nid);
178 const char *md_nid_get_lname(int nid);
180 typedef struct md_sct md_sct;
183 apr_time_t timestamp;
184 struct md_data *logid;
185 int signature_type_nid;
186 struct md_data *signature;
189 #endif /* mod_md_md_crypt_h */