uts-server/README.md

# uts-server

[![Build Status](https://travis-ci.org/kakwa/uts-server.svg?branch=master)](https://travis-ci.org/kakwa/uts-server)

Micro timestamp server (RFC 3161) written in C

## Status

Alpha

## Dependencies

* OpenSSL (https://github.com/openssl/openssl)
* civetweb (https://github.com/civetweb/civetweb)

## License

Released under the MIT Public License

## Usage

```bash
$ ./uts-server --help
Usage: uts-server [OPTION...] -c CONFFILE [-d] [-D] [-p <pidfile>]

UTS micro timestamp server (RFC 3161)

  -c, --conffile=CONFFILE    Path to configuration file
  -d, --daemonize            Launch as a daemon
  -D, --debug                STDOUT debugging
  -p, --pidfile=PIDFILE      Path to pid file
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Report bugs to Pierre-Francois Carpentier <carpentier.pf@gmail.com>.
```

## Configuration

### tsa

Section defining which TSA section to use.

* ```default_tsa```: Name of the TSA section to use as default.

### main

Main configuration section (mostly http configuration).

* ```enable_keep_alive```: Allows clients to reuse TCP connection for subsequent
  HTTP requests, which improves performance.
* ```num_threads```: Number of worker threads.
* ```ssl_ca_path```: Name of a directory containing trusted CA certificates.
* ```throttle```: Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
  - *            -> limit speed for all connections
  - x.x.x.x/mask ->  limit speed for specified subnet
  The value is a floating-point number of bytes per second, optionally followed by a k or m character
  meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate.
  Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
* ```ssl_verify_peer```: Enable client's certificate verification by the server.
* ```ssl_certificate```: Path to the SSL certificate file (PEM format containing private key and certificate).
* ```tcp_nodelay```: Enable TCP_NODELAY socket option on client connections.
* ```ssl_verify_depth```: Sets maximum depth of certificate chain.
  If client's certificate chain is longer than the depth set here connection is refused.
* ```ssl_short_trust```: Enables the use of short lived certificates
* ```request_timeout_ms```: Timeout for network read and network write operations, in milliseconds.
* ```ssl_protocol_version```: Sets the minimal accepted version of SSL/TLS protocol according to the table:
  SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2  0
  SSL3+TLS1.0+TLS1.1+TLS1.2       1
  TLS1.0+TLS1.1+TLS1.2            2
  TLS1.1+TLS1.2                   3
  TLS1.2                          4
* ```ssl_ca_file```: Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
* ```ssl_default_verify_paths```: Loads default trusted certificates locations set at openssl compile time.
* ```access_control_allow_origin```: Comma separated list of IP subnets to accept/deny
  Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow 192.168.0.0/16 subnet)
* ```log_level```: Loglevel (debug, info, notice, warn, err, emerg, crit)
* ```ssl_cipher_list```: See https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
* ```listening_ports```: Comma-separated list of ips:ports to listen on.
  If the port is SSL, a letter s must be appended.
  Ex: listening_ports = 80,443s
* ```run_as_user```: Switch to given user credentials after startup.
  Required to run on privileged ports and not be run as root.

### tsa_config1

Example of timestamp section configuration.

* ```clock_precision_digits```: Number of decimals for timestamp. (optional)
* ```tsa_name```: Must the TSA name be included in the reply? (optional, default: no)
* ```signer_key```: The TSA private key. (optional)
* ```signer_cert```: The TSA signing certificat. (optional)
* ```ordering```: Is ordering defined for timestamps? (optional, default: no)
* ```certs```: Certificate chain to include in reply. (optional)
* ```default_policy```: Policy if request did not specify it. (optional)
* ```other_policies```: Acceptable policies. (optional)
* ```crypto_device```: OpenSSL engine to use for signing.
* ```ess_cert_id_chain```: Must the ESS cert id chain be included? (optional, default: no)
* ```digests```: Acceptable message digests. (mandatory)
* ```dir```: TSA root directory.
* ```accuracy```: Timestamp accuracy. (optional)

### oids

Section for declaring OID mapping. Just add <name> = <OID> pairs.


## Building

```bash
$ cmake .
$ make -j 2
```

## Playing with it

```bash
# building with civetweb embedded (will recover civetweb from github)
$ cmake . -DBUNDLE_CIVETWEB=ON
$ make

# create some test certificates
$ ./tests/cfg/pki/create_tsa_certs

# launching the timestamp server with test configuration in debug mode
$ ./uts-server -c tests/cfg/uts-server.cnf -D

# in another shell, launching a timestamp script on the README.md file
$ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert";
```
Initial commit 2015-12-16 22:13:06 +01:00			`# uts-server`
better README file 2016-09-06 09:02:50 +02:00
adding travis badge 2016-09-07 21:19:27 +02:00			`[![Build Status](https://travis-ci.org/kakwa/uts-server.svg?branch=master)](https://travis-ci.org/kakwa/uts-server)`

better README file 2016-09-06 09:02:50 +02:00			`Micro timestamp server (RFC 3161) written in C`

			`## Status`

			`Alpha`

			`## Dependencies`

fix link to openssl project 2016-09-06 09:03:54 +02:00			`* OpenSSL (https://github.com/openssl/openssl)`
better README file 2016-09-06 09:02:50 +02:00			`* civetweb (https://github.com/civetweb/civetweb)`

			`## License`

			`Released under the MIT Public License`

			`## Usage`

			```bash
			`$ ./uts-server --help`
			`Usage: uts-server [OPTION...] -c CONFFILE [-d] [-D] [-p <pidfile>]`

			`UTS micro timestamp server (RFC 3161)`

			`-c, --conffile=CONFFILE Path to configuration file`
			`-d, --daemonize Launch as a daemon`
			`-D, --debug STDOUT debugging`
			`-p, --pidfile=PIDFILE Path to pid file`
			`-?, --help Give this help list`
			`--usage Give a short usage message`
			`-V, --version Print program version`

			`Mandatory or optional arguments to long options are also mandatory or optional`
			`for any corresponding short options.`

			`Report bugs to Pierre-Francois Carpentier <carpentier.pf@gmail.com>.`
			```
adding a few sections 2016-09-06 09:05:55 +02:00
			`## Configuration`

adding documentation for each conf file parameters 2016-09-10 00:55:19 +02:00			`### tsa`

			`Section defining which TSA section to use.`

			* ```default_tsa```: Name of the TSA section to use as default.

			`### main`

			`Main configuration section (mostly http configuration).`

			* ```enable_keep_alive```: Allows clients to reuse TCP connection for subsequent
			`HTTP requests, which improves performance.`
			* ```num_threads```: Number of worker threads.
			* ```ssl_ca_path```: Name of a directory containing trusted CA certificates.
			* ```throttle```: Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
			`- * -> limit speed for all connections`
			`- x.x.x.x/mask -> limit speed for specified subnet`
			`The value is a floating-point number of bytes per second, optionally followed by a k or m character`
			`meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate.`
			`Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0`
			* ```ssl_verify_peer```: Enable client's certificate verification by the server.
			* ```ssl_certificate```: Path to the SSL certificate file (PEM format containing private key and certificate).
			* ```tcp_nodelay```: Enable TCP_NODELAY socket option on client connections.
			* ```ssl_verify_depth```: Sets maximum depth of certificate chain.
			`If client's certificate chain is longer than the depth set here connection is refused.`
			* ```ssl_short_trust```: Enables the use of short lived certificates
			* ```request_timeout_ms```: Timeout for network read and network write operations, in milliseconds.
			* ```ssl_protocol_version```: Sets the minimal accepted version of SSL/TLS protocol according to the table:
			`SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0`
			`SSL3+TLS1.0+TLS1.1+TLS1.2 1`
			`TLS1.0+TLS1.1+TLS1.2 2`
			`TLS1.1+TLS1.2 3`
			`TLS1.2 4`
			* ```ssl_ca_file```: Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
			* ```ssl_default_verify_paths```: Loads default trusted certificates locations set at openssl compile time.
			* ```access_control_allow_origin```: Comma separated list of IP subnets to accept/deny
			`Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow 192.168.0.0/16 subnet)`
			* ```log_level```: Loglevel (debug, info, notice, warn, err, emerg, crit)
			* ```ssl_cipher_list```: See https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
			* ```listening_ports```: Comma-separated list of ips:ports to listen on.
			`If the port is SSL, a letter s must be appended.`
			`Ex: listening_ports = 80,443s`
			* ```run_as_user```: Switch to given user credentials after startup.
			`Required to run on privileged ports and not be run as root.`

			`### tsa_config1`

			`Example of timestamp section configuration.`

			* ```clock_precision_digits```: Number of decimals for timestamp. (optional)
			* ```tsa_name```: Must the TSA name be included in the reply? (optional, default: no)
			* ```signer_key```: The TSA private key. (optional)
			* ```signer_cert```: The TSA signing certificat. (optional)
			* ```ordering```: Is ordering defined for timestamps? (optional, default: no)
			* ```certs```: Certificate chain to include in reply. (optional)
			* ```default_policy```: Policy if request did not specify it. (optional)
			* ```other_policies```: Acceptable policies. (optional)
			* ```crypto_device```: OpenSSL engine to use for signing.
			* ```ess_cert_id_chain```: Must the ESS cert id chain be included? (optional, default: no)
			* ```digests```: Acceptable message digests. (mandatory)
			* ```dir```: TSA root directory.
			* ```accuracy```: Timestamp accuracy. (optional)

			`### oids`

			`Section for declaring OID mapping. Just add <name> = <OID> pairs.`


adding a few sections 2016-09-06 09:05:55 +02:00			`## Building`

			```bash
			`$ cmake .`
			`$ make -j 2`
			```
documenting the civetweb bundleling 2016-09-07 21:14:12 +02:00
			`## Playing with it`

			```bash
			`# building with civetweb embedded (will recover civetweb from github)`
			`$ cmake . -DBUNDLE_CIVETWEB=ON`
			`$ make`

			`# create some test certificates`
			`$ ./tests/cfg/pki/create_tsa_certs`

			`# launching the timestamp server with test configuration in debug mode`
			`$ ./uts-server -c tests/cfg/uts-server.cnf -D`

			`# in another shell, launching a timestamp script on the README.md file`
			`$ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert";`
			```