t***@apache.org
2014-10-10 00:16:05 UTC
Author: trawick
Date: Fri Oct 10 00:16:05 2014
New Revision: 1630624
URL: http://svn.apache.org/r1630624
Log:
mod_ssl_ct: Work with current Certificate Transparency tools
(e.g., as of certificate-transparency commit
3f03188fe89974d45345fddee64a8227bd2ec26a)
The interface to the "ct" tool now requires the log's URL and
public key, resulting in a bit of refactoring in the module.
Modified:
httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c
httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c?rev=1630624&r1=1630623&r2=1630624&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c Fri Oct 10 00:16:05 2014
@@ -491,8 +491,8 @@ static const char *url_to_fn(apr_pool_t
}
static apr_status_t submission(server_rec *s, apr_pool_t *p, const char *ct_exe,
- const apr_uri_t *log_url, const char *cert_file,
- const char *sct_fn)
+ const ct_log_config *log_cfg,
+ const char *cert_file, const char *sct_fn)
{
apr_status_t rv;
const char *args[8];
@@ -500,11 +500,11 @@ static apr_status_t submission(server_re
i = 0;
args[i++] = ct_exe;
- args[i++] = apr_pstrcat(p, "--ct_server=", log_url->hostinfo, NULL);
- args[i++] = "--http_log";
- args[i++] = "--logtostderr";
+ args[i++] = apr_pstrcat(p, "--ct_server=", log_cfg->url, NULL);
+ args[i++] = "--logtostderr=true";
args[i++] = apr_pstrcat(p, "--ct_server_submission=", cert_file, NULL);
args[i++] = apr_pstrcat(p, "--ct_server_response_out=", sct_fn, NULL);
+ args[i++] = apr_pstrcat(p, "--ct_server_public_key=", log_cfg->public_key_pem, NULL);
args[i++] = "upload";
args[i++] = NULL;
ap_assert(i == sizeof args / sizeof args[0]);
@@ -517,7 +517,7 @@ static apr_status_t submission(server_re
static apr_status_t fetch_sct(server_rec *s, apr_pool_t *p,
const char *cert_file,
const char *cert_sct_dir,
- const apr_uri_t *log_url,
+ const ct_log_config *log_cfg,
const char *ct_exe, apr_time_t max_sct_age)
{
apr_status_t rv;
@@ -525,7 +525,7 @@ static apr_status_t fetch_sct(server_rec
apr_finfo_t finfo;
const char *log_url_basename;
- log_url_basename = url_to_fn(p, log_url);
+ log_url_basename = url_to_fn(p, &log_cfg->uri);
rv = ctutil_path_join(&sct_fn, cert_sct_dir, log_url_basename, p, s);
if (rv != APR_SUCCESS) {
@@ -558,7 +558,7 @@ static apr_status_t fetch_sct(server_rec
cert_file, sct_fn);
}
- rv = submission(s, p, ct_exe, log_url, cert_file, sct_fn);
+ rv = submission(s, p, ct_exe, log_cfg, cert_file, sct_fn);
return rv;
}
@@ -584,7 +584,7 @@ static apr_status_t record_log_urls(serv
config_elts = (ct_log_config **)log_config->elts;
for (i = 0; i < log_config->nelts; i++) {
- if (!config_elts[i]->uri_str) {
+ if (!log_configured_for_fetching_sct(config_elts[i])) {
continue;
}
if (!log_valid_for_sent_sct(config_elts[i])) {
@@ -620,7 +620,7 @@ static int uri_in_config(const char *nee
elts = (ct_log_config **)haystack->elts;
for (i = 0; i < haystack->nelts; i++) {
- if (!elts[i]->uri_str) {
+ if (!log_configured_for_fetching_sct(elts[i])) {
continue;
}
if (!log_valid_for_sent_sct(elts[i])) {
@@ -778,7 +778,7 @@ static apr_status_t refresh_scts_for_cer
}
for (i = 0; i < log_config->nelts; i++) {
- if (!config_elts[i]->url) {
+ if (!log_configured_for_fetching_sct(config_elts[i])) {
continue;
}
if (!log_valid_for_sent_sct(config_elts[i])) {
@@ -786,7 +786,7 @@ static apr_status_t refresh_scts_for_cer
}
rv = fetch_sct(s, p, cert_fn,
cert_sct_dir,
- &config_elts[i]->uri,
+ config_elts[i],
ct_exe,
max_sct_age);
if (rv != APR_SUCCESS) {
Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c?rev=1630624&r1=1630623&r2=1630624&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c Fri Oct 10 00:16:05 2014
@@ -422,3 +422,11 @@ int log_valid_for_sent_sct(const ct_log_
*/
return log_valid_for_received_sct(l, apr_time_now());
}
+
+int log_configured_for_fetching_sct(const ct_log_config *l)
+{
+ /* must have a url and a public key configured in order to obtain
+ * an SCT from the log
+ */
+ return l->url != NULL && l->public_key != NULL;
+}
Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h?rev=1630624&r1=1630623&r2=1630624&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h Fri Oct 10 00:16:05 2014
@@ -54,4 +54,6 @@ int log_valid_for_sent_sct(const ct_log_
int log_valid_for_received_sct(const ct_log_config *l, apr_time_t to_check);
+int log_configured_for_fetching_sct(const ct_log_config *l);
+
#endif /* SSL_CT_LOG_CONFIG_H */
Date: Fri Oct 10 00:16:05 2014
New Revision: 1630624
URL: http://svn.apache.org/r1630624
Log:
mod_ssl_ct: Work with current Certificate Transparency tools
(e.g., as of certificate-transparency commit
3f03188fe89974d45345fddee64a8227bd2ec26a)
The interface to the "ct" tool now requires the log's URL and
public key, resulting in a bit of refactoring in the module.
Modified:
httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c
httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c?rev=1630624&r1=1630623&r2=1630624&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c Fri Oct 10 00:16:05 2014
@@ -491,8 +491,8 @@ static const char *url_to_fn(apr_pool_t
}
static apr_status_t submission(server_rec *s, apr_pool_t *p, const char *ct_exe,
- const apr_uri_t *log_url, const char *cert_file,
- const char *sct_fn)
+ const ct_log_config *log_cfg,
+ const char *cert_file, const char *sct_fn)
{
apr_status_t rv;
const char *args[8];
@@ -500,11 +500,11 @@ static apr_status_t submission(server_re
i = 0;
args[i++] = ct_exe;
- args[i++] = apr_pstrcat(p, "--ct_server=", log_url->hostinfo, NULL);
- args[i++] = "--http_log";
- args[i++] = "--logtostderr";
+ args[i++] = apr_pstrcat(p, "--ct_server=", log_cfg->url, NULL);
+ args[i++] = "--logtostderr=true";
args[i++] = apr_pstrcat(p, "--ct_server_submission=", cert_file, NULL);
args[i++] = apr_pstrcat(p, "--ct_server_response_out=", sct_fn, NULL);
+ args[i++] = apr_pstrcat(p, "--ct_server_public_key=", log_cfg->public_key_pem, NULL);
args[i++] = "upload";
args[i++] = NULL;
ap_assert(i == sizeof args / sizeof args[0]);
@@ -517,7 +517,7 @@ static apr_status_t submission(server_re
static apr_status_t fetch_sct(server_rec *s, apr_pool_t *p,
const char *cert_file,
const char *cert_sct_dir,
- const apr_uri_t *log_url,
+ const ct_log_config *log_cfg,
const char *ct_exe, apr_time_t max_sct_age)
{
apr_status_t rv;
@@ -525,7 +525,7 @@ static apr_status_t fetch_sct(server_rec
apr_finfo_t finfo;
const char *log_url_basename;
- log_url_basename = url_to_fn(p, log_url);
+ log_url_basename = url_to_fn(p, &log_cfg->uri);
rv = ctutil_path_join(&sct_fn, cert_sct_dir, log_url_basename, p, s);
if (rv != APR_SUCCESS) {
@@ -558,7 +558,7 @@ static apr_status_t fetch_sct(server_rec
cert_file, sct_fn);
}
- rv = submission(s, p, ct_exe, log_url, cert_file, sct_fn);
+ rv = submission(s, p, ct_exe, log_cfg, cert_file, sct_fn);
return rv;
}
@@ -584,7 +584,7 @@ static apr_status_t record_log_urls(serv
config_elts = (ct_log_config **)log_config->elts;
for (i = 0; i < log_config->nelts; i++) {
- if (!config_elts[i]->uri_str) {
+ if (!log_configured_for_fetching_sct(config_elts[i])) {
continue;
}
if (!log_valid_for_sent_sct(config_elts[i])) {
@@ -620,7 +620,7 @@ static int uri_in_config(const char *nee
elts = (ct_log_config **)haystack->elts;
for (i = 0; i < haystack->nelts; i++) {
- if (!elts[i]->uri_str) {
+ if (!log_configured_for_fetching_sct(elts[i])) {
continue;
}
if (!log_valid_for_sent_sct(elts[i])) {
@@ -778,7 +778,7 @@ static apr_status_t refresh_scts_for_cer
}
for (i = 0; i < log_config->nelts; i++) {
- if (!config_elts[i]->url) {
+ if (!log_configured_for_fetching_sct(config_elts[i])) {
continue;
}
if (!log_valid_for_sent_sct(config_elts[i])) {
@@ -786,7 +786,7 @@ static apr_status_t refresh_scts_for_cer
}
rv = fetch_sct(s, p, cert_fn,
cert_sct_dir,
- &config_elts[i]->uri,
+ config_elts[i],
ct_exe,
max_sct_age);
if (rv != APR_SUCCESS) {
Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c?rev=1630624&r1=1630623&r2=1630624&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.c Fri Oct 10 00:16:05 2014
@@ -422,3 +422,11 @@ int log_valid_for_sent_sct(const ct_log_
*/
return log_valid_for_received_sct(l, apr_time_now());
}
+
+int log_configured_for_fetching_sct(const ct_log_config *l)
+{
+ /* must have a url and a public key configured in order to obtain
+ * an SCT from the log
+ */
+ return l->url != NULL && l->public_key != NULL;
+}
Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h?rev=1630624&r1=1630623&r2=1630624&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_log_config.h Fri Oct 10 00:16:05 2014
@@ -54,4 +54,6 @@ int log_valid_for_sent_sct(const ct_log_
int log_valid_for_received_sct(const ct_log_config *l, apr_time_t to_check);
+int log_configured_for_fetching_sct(const ct_log_config *l);
+
#endif /* SSL_CT_LOG_CONFIG_H */