/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License.
#include <assert.h>
#include <stdlib.h>
#include <apr_lib.h>
#include <apr_strings.h>
#include <apr_buckets.h>
#include <apr_hash.h>
#include <apr_uri.h>
#include "md.h"
#include "md_crypt.h"
#include "md_json.h"
#include "md_jws.h"
#include "md_http.h"
#include "md_log.h"
#include "md_store.h"
#include "md_result.h"
#include "md_util.h"
#include "md_version.h"
#include "md_acme.h"
#include "md_acme_acct.h"
static const char *base_product=
"-" ;
typedef struct acme_problem_status_t acme_problem_status_t;
struct acme_problem_status_t {
const char *type;
/* the ACME error string */
apr_status_t rv;
/* what Apache status code we give it */
int input_related;
/* if error indicates wrong input value */
};
static acme_problem_status_t Problems[] = {
{
"acme:error:badCSR" , APR_EINVAL, 1 },
{
"acme:error:badNonce" , APR_EAGAIN, 0 },
{
"acme:error:badSignatureAlgorithm" , APR_EINVAL, 1 },
{
"acme:error:externalAccountRequired" , APR_EINVAL, 1 },
{
"acme:error:invalidContact" , APR_BADARG, 1 },
{
"acme:error:unsupportedContact" , APR_EGENERAL, 1 },
{
"acme:error:malformed" , APR_EINVAL, 1 },
{
"acme:error:rateLimited" , APR_BADARG, 0 },
{
"acme:error:rejectedIdentifier" , APR_BADARG, 1 },
{
"acme:error:serverInternal" , APR_EGENERAL, 0 },
{
"acme:error:unauthorized" , APR_EACCES, 0 },
{
"acme:error:unsupportedIdentifier" , APR_BADARG, 1 },
{
"acme:error:userActionRequired" , APR_EAGAIN, 0 },
{
"acme:error:badRevocationReason" , APR_EINVAL, 1 },
{
"acme:error:caa" , APR_EGENERAL, 0 },
{
"acme:error:dns" , APR_EGENERAL, 0 },
{
"acme:error:connection" , APR_EGENERAL, 0 },
{
"acme:error:tls" , APR_EGENERAL, 0 },
{
"acme:error:incorrectResponse" , APR_EGENERAL, 0 },
};
static apr_status_t problem_status_get(
const char *type) {
size_t i;
if (strstr(type,
"urn:ietf:params:" ) == type) {
type += strlen(
"urn:ietf:params:" );
}
else if (strstr(type,
"urn:" ) == type) {
type += strlen(
"urn:" );
}
for (i = 0; i < (
sizeof (Problems)/
sizeof (Problems[0])); ++i) {
if (!apr_strnatcasecmp(type, Problems[i].type)) {
return Problems[i].rv;
}
}
return APR_EGENERAL;
}
int md_acme_problem_is_input_related(
const char *problem) {
size_t i;
if (!problem)
return 0;
if (strstr(problem,
"urn:ietf:params:" ) == problem) {
problem += strlen(
"urn:ietf:params:" );
}
else if (strstr(problem,
"urn:" ) == problem) {
problem += strlen(
"urn:" );
}
for (i = 0; i < (
sizeof (Problems)/
sizeof (Problems[0])); ++i) {
if (!apr_strnatcasecmp(problem, Problems[i].type)) {
return Problems[i].input_related;
}
}
return 0;
}
/**************************************************************************************************/
/* acme requests */
static void req_update_nonce(md_acme_t *acme, apr_table_t *hdrs)
{
if (hdrs) {
const char *nonce = apr_table_get(hdrs,
"Replay-Nonce" );
if (nonce) {
acme->nonce = apr_pstrdup(acme->p, nonce);
}
}
}
static apr_status_t http_update_nonce(
const md_http_response_t *res,
void *data)
{
req_update_nonce(data, res->headers);
return APR_SUCCESS;
}
static md_acme_req_t *md_acme_req_create(md_acme_t *acme,
const char *method,
const char *url)if (rv != APR_SUCCESS) {return NULL;"md_acme_req" );sizeof (*req));if (!req) {return NULL;return req;static apr_status_t acmev2_new_nonce(md_acme_t *acme)return md_http_HEAD_perform(acme->http, acme->api.v2.new_nonce, NULL, http_update_nonce, acme);const char *base, int init_ssl)return init_ssl? md_crypt_init(p) : APR_SUCCESS;static apr_status_t inspect_problem(md_acme_req_t *req, const md_http_response_t *res)const char *ctype;"content-type" );if (ctype && !strcmp(ctype, "application/problem+json" )) {/* RFC 7807 */ if (rv == APR_SUCCESS && problem) {const char *ptype, *pdetail;if (APR_STATUS_IS_EAGAIN(req->rv)) {"acme reports %s: %s" , ptype, pdetail);else {"acme problem %s: %s" , ptype, pdetail);return req->rv;switch (res->status) {case 400:return APR_EINVAL;case 401: /* sectigo returns this instead of 403 */ case 403:return APR_EACCES;case 404:return APR_ENOENT;default :"acme problem unknown: http status %d" , res->status);"unexpected http status: %d" ,return req->result->status;return APR_SUCCESS;/**************************************************************************************************/ /* ACME requests with nonce handling */ static apr_status_t acmev2_req_init(md_acme_req_t *req, md_json_t *jpayload)if (!req->acme->acct) {return APR_EINVAL;if (jpayload) {if (!payload.data) {return APR_EINVAL;else {"" ;"acme payload(len=%" APR_SIZE_T_FMT "): %s" , payload.len, payload.data);return md_jws_sign(&req->req_json, req->p, &payload,return req->acme->req_init_fn(req, payload);static apr_status_t md_acme_req_done(md_acme_req_t *req, apr_status_t rv)if (req->result->status != APR_SUCCESS) {if (req->on_err) {/* An error in rv superceeds the result->status */ if (APR_SUCCESS != rv) req->result->status = rv;/* transfer results into the acme's central result for longer life and later inspection */ if (req->p) {return rv;static apr_status_t on_response(const md_http_response_t *res, void *data)"response: %d" , res->status);if (res->status >= 200 && res->status < 300) {int processed = 0;if (req->on_json) {if (APR_SUCCESS == rv) {if (md_log_is_level(req->p, MD_LOG_TRACE2)) {const char *s;"response: %s" ,"" );else if (APR_STATUS_IS_ENOENT(rv)) {/* not JSON content, fall through */ else {"parsing JSON body" );if (!processed && req->on_res) {if (!processed) {"unable to process the response: " "http-status=%d, content-type=%s" , "Content-Type" ));else if (APR_EAGAIN == (rv = inspect_problem(req, res))) {/* leave req alive */ return rv;return rv;static apr_status_t acmev2_GET_as_POST_init(md_acme_req_t *req, void *baton)void )baton;return md_acme_req_body_init(req, NULL);static apr_status_t md_acme_req_send(md_acme_req_t *req)"sending req: %s %s" , req->method, req->url);/* Whom are we talking to? */ if (acme->version == MD_ACME_VERSION_UNKNOWN) {if (APR_SUCCESS != rv) goto leave;if (!strcmp("GET" , req->method) && !req->on_init && !req->req_json) {/* See <https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.6.3 > * and <https://mailarchive.ietf.org/arch/msg/acme/sotffSQ0OWV-qQJodLwWYWcEVKI > * and <https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380 > * We implement this change in ACMEv2 and higher as keeping the md_acme_GET() methods, * but switching them to POSTs with a empty, JWS signed, body when we call "POST" ;/*req->max_retries = 0; don't do retries on these "GET"s */ /* Besides GET/HEAD, we always need a fresh nonce */ if (strcmp("GET" , req->method) && strcmp("HEAD" , req->method)) {if (acme->version == MD_ACME_VERSION_UNKNOWN) {if (APR_SUCCESS != rv) goto leave;if (!acme->nonce && (APR_SUCCESS != (rv = acme->new_nonce_fn(acme)))) {"error retrieving new nonce from ACME server" );goto leave;"nonce" , NULL);"url" , NULL);if (APR_SUCCESS != rv) goto leave;if (req->req_json) {sizeof (*body));"sending JSON body: %s" , body->data);if (body && md_log_is_level(req->p, MD_LOG_TRACE4)) {"req: %s %s, body:\n%s" , req->method, req->url, body->data);else {"req: %s %s" , req->method, req->url);if (!strcmp("GET" , req->method)) {else if (!strcmp("POST" , req->method)) {"application/jose+json" , else if (!strcmp("HEAD" , req->method)) {else {"HTTP method %s against: %s" , req->method, req->url);"req sent" );if (APR_EAGAIN == rv && req->max_retries > 0) {if (req) md_acme_req_done(req, rv);return rv;const char *url,void *baton)"add acme POST: %s" , url);"POST" , url);return md_acme_req_send(req);const char *url,void *baton)"add acme GET: %s" , url);"GET" , url);return md_acme_req_send(req);void md_acme_report_result(md_acme_t *acme, apr_status_t rv, struct md_result_t *result)if (acme->last->status == APR_SUCCESS) {else {/**************************************************************************************************/ /* GET JSON */ typedef struct {static apr_status_t on_got_json(md_acme_t *acme, apr_pool_t *p, const apr_table_t *headers, void *baton)void )acme;void )p;void )headers;return APR_SUCCESS;struct md_json_t **pjson, md_acme_t *acme, const char *url, apr_pool_t *p)return rv;/**************************************************************************************************/ /* Generic ACME operations */ void md_acme_clear_acct(md_acme_t *acme)const char *md_acme_acct_id_get(md_acme_t *acme)return acme->acct_id;const char *md_acme_acct_url_get(md_acme_t *acme)return acme->acct? acme->acct->url : NULL;const char *acct_id)if (APR_SUCCESS == (rv = md_acme_acct_load(&acct, &pkey,if (md_acme_acct_matches_url(acct, acme->url)) {else {/* account is from another server or, more likely, from another return rv;struct md_store_t *store,const char *acct_id,const md_t *md)if (APR_SUCCESS == (rv = md_acme_acct_load(&acct, &pkey,if (md_acme_acct_matches_md(acct, md)) {else {/* account is from another server or, more likely, from another return rv;return md_acme_acct_save(store, p, acme, &acme->acct_id, acme->acct, acme->acct_key);static apr_status_t acmev2_POST_new_account(md_acme_t *acme,void *baton)return md_acme_POST(acme, acme->api.v2.new_account, on_init, on_json, on_res, on_err, baton);void *baton)return acme->post_new_account_fn(acme, on_init, on_json, on_res, on_err, baton);/**************************************************************************************************/ /* ACME setup */ const char *url,const char *proxy_url, const char *ca_file)const char *err = NULL;if (!url) {"create ACME without url" );return APR_EINVAL;if (APR_SUCCESS != (rv = md_util_abs_uri_check(p, url, &err))) {"invalid ACME uri (%s): %s" , err, url);return rv;sizeof (*acme));"%s mod_md/%s" , if (APR_SUCCESS != (rv = apr_uri_parse(p, url, &uri_parsed))) {"parsing ACME uri: %s" , url);return APR_EINVAL;);return rv;typedef struct {static int collect_profiles(void *baton, const char * key, md_json_t *json)void )json;const char *) =return 1;static apr_status_t update_directory(const md_http_response_t *res, void *data)const char *s;"directory lookup response: %d" , res->status);if (res->status == 503) {"The ACME server at <%s> reports that Service is Unavailable (503). This " "may happen during maintenance for short periods of time." , acme->url); goto leave;else if (res->status < 200 || res->status >= 300) {"The ACME server at <%s> responded with HTTP status %d. This " "is unusual. Please verify that the URL is correct and that you can indeed " "make request from the server to it by other means, e.g. invoking curl/wget." , goto leave;if (APR_SUCCESS != rv) {"reading JSON body" );goto leave;if (md_log_is_level(acme->p, MD_LOG_TRACE2)) {"response: %s" , s ? s : "" );/* What have we got? */ if ((s = md_json_dups(acme->p, json, "newAccount" , NULL))) {"newOrder" , NULL);"revokeCert" , NULL);"keyChange" , NULL);"newNonce" , NULL);/* RFC 8555 only requires "directory" and "newNonce" resources. * mod_md uses "newAccount" and "newOrder" so check for them. * But mod_md does not use the "revokeCert" or "keyChange" * resources, so tolerate the absence of those keys. In the * future if mod_md implements revocation or key rollover then * the use of those features should be predicated on the if (acme->api.v2.new_account"meta" , MD_KEY_TOS, NULL);"meta" , MD_KEY_EAB_REQUIRED, NULL);if (md_json_has_key(json, "meta" , "profiles" , NULL)) {sizeof (const char *));"meta" , "profiles" , NULL);"found %d profiles in ACME directory meta" ,else {"no profiles in ACME directory meta" );else if ((s = md_json_dups(acme->p, json, "new-authz" , NULL))) {"new-cert" , NULL);"new-reg" , NULL);"revoke-cert" , NULL);if (acme->api.v1.new_authz && acme->api.v1.new_cert"meta" , "terms-of-service" , NULL);/* we init that far, but will not use the v1 api */ if (MD_ACME_VERSION_UNKNOWN == acme->version) {"Unable to understand ACME server response from <%s>. " "Wrong ACME protocol version or link?" , acme->url); return rv;if (!acme->http && APR_SUCCESS != (rv = md_http_create(&acme->http, acme->p,return rv;/* TODO: maybe this should be configurable. Let's take some reasonable "get directory from %s" , acme->url);if (APR_SUCCESS != rv && APR_SUCCESS == result->status) {/* If the result reports no error, we never got a response from the server */ "Unsuccessful in contacting ACME server at <%s>. If this problem persists, " "please check your network connectivity from your Apache server to the " "ACME server. Also, older servers might have trouble verifying the certificates " "of the ACME server. You can check if you are able to contact it manually via the " "curl command. Sometimes, the ACME server might be down for maintenance, " "so failing to contact it is not an immediate problem. Apache will " "continue retrying this." , acme->url);return rv; Messung V0.5 C=94 H=98 G=95
¤ Dauer der Verarbeitung: 0.8 Sekunden
¤ *© Formatika GbR, Deutschland
