Merge pull request #185 from tlhackque/master

[WIP] Fixes & issues for 2.3.0
icing · Mar 7, 2020 · 406c13c · 406c13c
2 parents a394ccc + 09bd5a1
commit 406c13c
Show file tree

Hide file tree

Showing 7 changed files with 276 additions and 194 deletions.
diff --git a/.gitignore b/.gitignore
@@ -38,6 +38,7 @@ mod_md-*.tar.gz
 m4
 .cache
 src/a2md
+a2md.1
 
 # Automake test-suite artifacts
 /test-driver

diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,10 @@
+V2.3.next
+----------------------------------------------------------------------------------------------------
+ * Fix lowercasing of filenames
+ * Improved format of Managed Certificate Status
+ * Provide fallback certificates for all key types requested in MDPrivateKeys
+ * Update /.httpd/certificate-status to correctly handle multiple keys
+
 v2.3.0 (BETA)
 ----------------------------------------------------------------------------------------------------
  * MDPrivateKeys checks for duplicate key specifications. There can only be one RSA key

diff --git a/README.md b/README.md
@@ -934,10 +934,17 @@ upcoming certificates on a domain. You invoke it like this:
 ```
 > curl https://eissing.org/.httpd/certificate-status
 {
-  "valid-from": "Mon, 01 Apr 2019 06:47:43 GMT",
-  "valid-until": "Sun, 30 Jun 2019 06:47:43 GMT",
+  "rsa": {
+    "valid": {
+      "from": "Mon, 01 Apr 2019 06:47:43 GMT",
+      "until": "Sun, 30 Jun 2019 06:47:43 GMT"
+  },
   "serial": "03D02EDA041CB95BF23B030C308FDE0B35B7",
   "sha256-fingerprint" : "xx:yy:zz:..."
+  },
+  "P-256": {
+    ...
+  }
 }
 ```
 
@@ -949,16 +956,29 @@ When a new certificate has been obtained, but is not activated yet, this will sh
 
 ```
 {
-  "valid-from": "Mon, 01 Apr 2019 06:47:43 GMT",
-  "valid-until": "Sun, 30 Jun 2019 06:47:43 GMT",
-  "serial": "03D02EDA041CB95BF23B030C308FDE0B35B7"
+  "rsa": {
+    "valid": {
+      "from": "Mon, 01 Apr 2019 06:47:43 GMT",
+      "until": "Sun, 30 Jun 2019 06:47:43 GMT"
+  },
+  "serial": "03D02EDA041CB95BF23B030C308FDE0B35B7",
   "sha256-fingerprint" : "xx:yy:zz:..."
   "renewal": {
-    "valid-from": "Tue, 21 May 2019 11:53:59 GMT",
-    "valid-until": "Mon, 19 Aug 2019 11:53:59 GMT",
-    "serial": "FFC16E5FEFBE90805AC153D70EF9E8D3873A",
-    "sha256-fingerprint" : "aa:bb:cc:..."
+	"name": "example.net",
+        "finished": true,
+        "notified": false,
+        "last-run": "Thu, 02 May 2019 21:54:22 GMT",
+        "errors": 0,
+        "last": {
+          "status": 0,
+          "detail": "certificate status is GOOD, status valid Mon, 01 Apr 2019 06:47:43 GMT - Sun, 30 Jun 2019 06:47:43 GMT",
+          "activity": "status of certid xxyyzzqq, reading response"
+    }
+  },
+  "P-256": {
+    ...
   }
+}
 ```
 with `renewal` giving the properties of the new certificate, once it has been obtained. This can
 be exposed publicly as well, since - once the server is reloaded, it is part of every TLS connection.

diff --git a/src/md_store.c b/src/md_store.c
@@ -256,14 +256,15 @@ typedef struct {
 
 static const char *pk_filename(const char *keyname, const char *base, apr_pool_t *p)
 {
-    char *s;
+    char *s, *t;
     /* We also run on various filesystems with difference upper/lower preserve matching
      * rules. Normalize the names we use, since private key specifications are basically
      * user input. */
     s = (keyname && apr_strnatcasecmp("rsa", keyname))?
         apr_pstrcat(p, base, ".", keyname, ".pem", NULL)
         : apr_pstrcat(p, base, ".pem", NULL);
-    apr_tolower(s);
+    for (t = s; *t; t++ )
+        *t = apr_tolower(*t);
     return s;
 }
 

diff --git a/src/md_store.h b/src/md_store.h
@@ -78,8 +78,8 @@ typedef enum {
 #define MD_FN_CERT              "cert.pem"
 #define MD_FN_HTTPD_JSON        "httpd.json"
 
-#define MD_FN_FALLBACK_PKEY     "fallback-privkey.pem"
-#define MD_FN_FALLBACK_CERT     "fallback-cert.pem"
+#define MD_FN_FALLBACK_PKEY     "fallback-%s"
+#define MD_FN_FALLBACK_CERT     "fallback-%s"
 
 /**
  * Load the JSON value at key "group/name/aspect", allocated from pool p.