source: mod_gnutls/src/gnutls_ocsp.h @ 47a909e

debian/masterdebian/stretch-backportsupstream
Last change on this file since 47a909e was a372379, checked in by Thomas Klute <thomas2.klute@…>, 3 years ago

Store server certificate fingerprint in OCSP config

It's not like it's going to change without a server reload, so just
calculate the fingerprint once instead of for every connection that
uses OCSP stapling.

  • Property mode set to 100644
File size: 2.9 KB
Line 
1/**
2 *  Copyright 2016 Thomas Klute
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 */
16
17#ifndef __MOD_GNUTLS_OCSP_H__
18#define __MOD_GNUTLS_OCSP_H__
19
20#include "gnutls/gnutls.h"
21#include "gnutls/x509.h"
22#include "httpd.h"
23#include "http_config.h"
24
25#define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
26
27/**
28 * Vhost specific OCSP data structure
29 */
30struct mgs_ocsp_data {
31    /* OCSP URI extracted from the server certificate. NULL if
32     * unset. */
33    apr_uri_t *uri;
34    /* Trust list to verify OCSP responses for stapling. Should
35     * usually only contain the CA that signed the server
36     * certificate. */
37    gnutls_x509_trust_list_t *trust;
38    /* Server certificate fingerprint, used as cache key for the OCSP
39     * response */
40    gnutls_datum_t fingerprint;
41};
42
43const char *mgs_store_ocsp_response_path(cmd_parms * parms,
44                                         void *dummy __attribute__((unused)),
45                                         const char *arg);
46
47/*
48 * Create a trust list from a certificate chain (one or more
49 * certificates).
50 *
51 * tl: This trust list will be initialized and filled with the
52 * specified certificate(s)
53 *
54 * chain: certificate chain, must contain at least num certifictes
55 *
56 * num: number of certificates to load from chain
57 *
58 * Chain is supposed to be static (the trust chain of the server
59 * certificate), so when gnutls_x509_trust_list_deinit() is called on
60 * tl later, the "all" parameter should be zero.
61 *
62 * Returns GNUTLS_E_SUCCESS or a GnuTLS error code. In case of error
63 * tl will be uninitialized.
64 */
65int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
66                               const gnutls_x509_crt_t *chain,
67                               const int num);
68
69/**
70 * Pool cleanup function that deinits the trust list without
71 * deinitializing certificates.
72 */
73apr_status_t mgs_cleanup_trust_list(void *data);
74
75/**
76 * Initialize server config for OCSP, supposed to be called in the
77 * post_config hook for each server where OCSP stapling is enabled,
78 * after certificates have been loaded.
79 *
80 * @return OK or DECLINED on success, any other value on error (like
81 * the post_config hook itself)
82 */
83int mgs_ocsp_post_config_server(apr_pool_t *pconf, apr_pool_t *ptemp,
84                                server_rec *server);
85
86int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
87                          gnutls_datum_t *ocsp_response);
88
89#endif /* __MOD_GNUTLS_OCSP_H__ */
Note: See TracBrowser for help on using the repository browser.