From dd19915c91e753d660b780d0f6161f76be2968c3 Mon Sep 17 00:00:00 2001 From: Pierre-Francois Carpentier Date: Fri, 12 Apr 2019 14:26:21 +0200 Subject: [PATCH] dl for the signer cert + fix example + css tweaks * add a DL button + serve the signer certificate file (the one used to timestamp) * fix the verification instruction (add -untrusted tsa_cert.pem) * few CSS tweaks to improve page layout --- goodies/index.html | 43 ++++++++++++++++++++--------------- inc/context.h | 1 + inc/http.h | 56 ++++++++++++++++++++++++++-------------------- src/lib/http.c | 42 +++++++++++++++++++++++++++++++--- src/lib/utils.c | 5 +++++ 5 files changed, 102 insertions(+), 45 deletions(-) diff --git a/goodies/index.html b/goodies/index.html index fef0ab8..d80fa52 100644 --- a/goodies/index.html +++ b/goodies/index.html @@ -1,7 +1,7 @@ - + uts-server @@ -71,20 +75,23 @@ body { uts-server, a simple RFC 3161 timestamp server
- For timestamping a file with OpenSSL and curl, run the following commands - (setting the $UTS_SERVER_URL, $FILE and $FILE_TIMESTAMP variables): -
- openssl ts -query -data "$FILE" -out "ts_req.ts";
- curl "$UTS_SERVER_URL" -H "Content-Type: application/timestamp-query" \
- -f -g --data-binary "@ts_req.ts" -o "$FILE_TIMESTAMP" -
- For verifying the timestamp with OpenSSL, download the CA, and run the following command: -
- openssl ts -verify -in "$FILE_TIMESTAMP" -data "$FILE" -CAfile ca.pem -
-
- -
+ For timestamping a file with OpenSSL and curl, run the following commands + (setting the $UTS_SERVER_URL, $FILE and $FILE_TIMESTAMP variables): +
+ openssl ts -query -data "$FILE" -out "ts_req.ts";
+ curl "$UTS_SERVER_URL" \
+      -H "Content-Type: application/timestamp-query" \
+      -f -g --data-binary "@ts_req.ts" -o "$FILE_TIMESTAMP" +
+ For verifying the timestamp with OpenSSL, download the CA and the signer cert, and run the following command: +
+ openssl ts -verify -in "$FILE_TIMESTAMP" \
+      -data "$FILE" -CAfile ca.pem -untrusted tsa_cert.pem +
+
+ + +
diff --git a/inc/context.h b/inc/context.h index aee62c0..b189ca2 100644 --- a/inc/context.h +++ b/inc/context.h @@ -47,6 +47,7 @@ typedef struct { CONF *conf; char *cust_conf[20]; char *ca_file; + char *cert_file; } rfc3161_context; // definition of structure to describe diff --git a/inc/http.h b/inc/http.h index 4221f35..ed2c7bd 100644 --- a/inc/http.h +++ b/inc/http.h @@ -10,12 +10,12 @@ int http_server_start(char *conffile, char *conf_wd, bool stdout_dbg); #define STATIC_PAGE \ "HTTP/1.1 200 OK\r\n" \ "Content-Type: text/html\r\n" \ - "Content-Length: 2509\r\n" \ + "Content-Length: 2774\r\n" \ "\r\n" \ "" \ "" \ " " \ - " " \ + " uts-server" \ " " \ " " \ "" \ "" \ "" \ @@ -87,28 +91,32 @@ int http_server_start(char *conffile, char *conf_wd, bool stdout_dbg); " uts-server, a simple RFC 3161 timestamp server" \ "
" \ "
" \ - " For timestamping a file with OpenSSL and curl, run the following " \ + " For timestamping a file with OpenSSL and curl, run the following " \ "commands" \ - " (setting the $UTS_SERVER_URL, $FILE and $FILE_TIMESTAMP variables):" \ - "
" \ - " openssl ts -query -data \"$FILE\" -out " \ + " (setting the $UTS_SERVER_URL, $FILE and $FILE_TIMESTAMP variables):" \ + "
" \ + " openssl ts -query -data \"$FILE\" -out " \ "\"ts_req.ts\";
" \ - " curl \"$UTS_SERVER_URL\" -H " \ - "\"Content-Type: application/timestamp-query\" \\
" \ - " -f -g --data-binary \"@ts_req.ts\" -o \"$FILE_TIMESTAMP\"" \ - "
" \ - " For verifying the timestamp with OpenSSL, download the CA, and run " \ - "the following command:" \ - "
" \ - " openssl ts -verify -in \"$FILE_TIMESTAMP\" -data \"$FILE\" -CAfile ca.pem" \ - "
" \ - "
" \ - "
" \ + " For verifying the timestamp with OpenSSL, download the CA and the " \ + "signer cert, and run the following command:" \ + "
" \ + " openssl ts -verify -in \"$FILE_TIMESTAMP\" \\
" \ + "      -data \"$FILE\" " \ + "-CAfile ca.pem -untrusted tsa_cert.pem" \ + "
" \ + "
" \ + " " \ - "
" \ + " " \ + "
" \ "
" \ "
" \ "
" \ diff --git a/src/lib/http.c b/src/lib/http.c index 88786bf..60c2915 100644 --- a/src/lib/http.c +++ b/src/lib/http.c @@ -217,13 +217,14 @@ int ca_serve_handler(struct mg_connection *conn, void *context) { clock_t start = clock(), diff; rfc3161_context *ct = (rfc3161_context *)context; const char *filename = ct->ca_file; - if (strlen(filename) == 0){ - uts_logger(context, LOG_NOTICE, "'certs' param in '[ tsa ]' section not filed"); + if (strlen(filename) == 0) { + uts_logger(context, LOG_NOTICE, + "'certs' param in '[ tsa ]' section not filed"); mg_send_http_error(conn, 404, "CA file not available"); diff = clock() - start; log_request(request_info, "CA_DL ", ct, 404, (diff * 1000000 / CLOCKS_PER_SEC)); - return 1; + return 1; } if (access(filename, F_OK) != -1) { mg_send_file(conn, filename); @@ -242,6 +243,39 @@ int ca_serve_handler(struct mg_connection *conn, void *context) { return 1; } +int cert_serve_handler(struct mg_connection *conn, void *context) { + /* In this handler, we ignore the req_info and send the file "filename". */ + const struct mg_request_info *request_info = mg_get_request_info(conn); + clock_t start = clock(), diff; + rfc3161_context *ct = (rfc3161_context *)context; + const char *filename = ct->cert_file; + if (strlen(filename) == 0) { + uts_logger(context, LOG_NOTICE, + "'signer_cert' param in '[ tsa ]' section not filed"); + mg_send_http_error(conn, 404, "CA file not available"); + diff = clock() - start; + log_request(request_info, "CERT_DL", ct, 404, + (diff * 1000000 / CLOCKS_PER_SEC)); + return 1; + } + if (access(filename, F_OK) != -1) { + mg_send_file(conn, filename); + const struct mg_response_info *ri = mg_get_response_info(conn); + diff = clock() - start; + log_request(request_info, "CERT_DL", ct, 200, + (diff * 1000000 / CLOCKS_PER_SEC)); + + } else { + uts_logger(context, LOG_NOTICE, + "signer certificate file '%s' not available", filename); + mg_send_http_error(conn, 404, "CA file not available"); + diff = clock() - start; + log_request(request_info, "CERT_DL", ct, 404, + (diff * 1000000 / CLOCKS_PER_SEC)); + } + return 1; +} + int http_server_start(char *conffile, char *conf_wd, bool stdout_dbg) { struct mg_context *ctx; struct mg_callbacks callbacks; @@ -269,6 +303,8 @@ int http_server_start(char *conffile, char *conf_wd, bool stdout_dbg) { if (ctx != NULL) { mg_set_request_handler(ctx, "/", rfc3161_handler, (void *)ct); mg_set_request_handler(ctx, "/ca.pem", ca_serve_handler, (void *)ct); + mg_set_request_handler(ctx, "/tsa_cert.pem", cert_serve_handler, + (void *)ct); // Wait until some signals are received while (g_uts_sig == 0) { diff --git a/src/lib/utils.c b/src/lib/utils.c index d7c5c93..cb18d66 100644 --- a/src/lib/utils.c +++ b/src/lib/utils.c @@ -390,6 +390,10 @@ int set_params(rfc3161_context *ct, char *conf_file, char *conf_wd) { ct->ca_file = calloc(PATH_MAX, sizeof(char)); realpath(NCONF_get_string(ct->conf, TSA_SECTION, "certs"), ct->ca_file); + ct->cert_file = calloc(PATH_MAX, sizeof(char)); + realpath(NCONF_get_string(ct->conf, TSA_SECTION, "signer_cert"), + ct->cert_file); + // like any good daemon, return to '/' once the configuration is loaded chdir("/"); return ret; @@ -409,6 +413,7 @@ void free_uts_context(rfc3161_context *ct) { } free(ct->ts_ctx_pool); free(ct->ca_file); + free(ct->cert_file); NCONF_free(ct->conf); free(ct); }