security-and-privacy/uts-server
security-and-privacy
/
uts-server
mirror of https://github.com/kakwa/uts-server
1
0
Fork 0
Code Issues Releases Wiki Activity

switching to rst 

* rename README
* more cleaning in the configuration
* build real tables for configuration parameters
This commit is contained in:
kakwa 2016-09-10 03:10:21 +02:00
parent f09c4fc034
commit e6d637f7ea
4 changed files with 293 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

134
README.md
View File

@ -1,134 +0,0 @@
# uts-server
[![Build Status](https://travis-ci.org/kakwa/uts-server.svg?branch=master)](https://travis-ci.org/kakwa/uts-server)
Micro timestamp server (RFC 3161) written in C
## Status
Alpha
## Dependencies
* OpenSSL (https://github.com/openssl/openssl)
* civetweb (https://github.com/civetweb/civetweb)
## License
Released under the MIT Public License
## Usage
```bash
$ ./uts-server --help
Usage: uts-server [OPTION...] -c CONFFILE [-d] [-D] [-p <pidfile>]
UTS micro timestamp server (RFC 3161)
-c, --conffile=CONFFILE Path to configuration file
-d, --daemonize Launch as a daemon
-D, --debug STDOUT debugging
-p, --pidfile=PIDFILE Path to pid file
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.
Report bugs to Pierre-Francois Carpentier <carpentier.pf@gmail.com>.
```
## Configuration
### tsa
Section defining which TSA section to use.
* ```default_tsa```: Name of the TSA section to use as default.
### main
Main configuration section (mostly http configuration).
* ```enable_keep_alive```: Allows clients to reuse TCP connection for subsequent
HTTP requests, which improves performance.
* ```num_threads```: Number of worker threads.
* ```ssl_ca_path```: Name of a directory containing trusted CA certificates.
* ```throttle```: Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
- * -> limit speed for all connections
- x.x.x.x/mask -> limit speed for specified subnet
The value is a floating-point number of bytes per second, optionally followed by a k or m character
meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate.
Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
* ```ssl_verify_peer```: Enable client's certificate verification by the server.
* ```ssl_certificate```: Path to the SSL certificate file (PEM format containing private key and certificate).
* ```tcp_nodelay```: Enable TCP_NODELAY socket option on client connections.
* ```ssl_verify_depth```: Sets maximum depth of certificate chain.
If client's certificate chain is longer than the depth set here connection is refused.
* ```ssl_short_trust```: Enables the use of short lived certificates
* ```request_timeout_ms```: Timeout for network read and network write operations, in milliseconds.
* ```ssl_protocol_version```: Sets the minimal accepted version of SSL/TLS protocol according to the table:
SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0
SSL3+TLS1.0+TLS1.1+TLS1.2 1
TLS1.0+TLS1.1+TLS1.2 2
TLS1.1+TLS1.2 3
TLS1.2 4
* ```ssl_ca_file```: Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
* ```ssl_default_verify_paths```: Loads default trusted certificates locations set at openssl compile time.
* ```access_control_allow_origin```: Comma separated list of IP subnets to accept/deny
Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow 192.168.0.0/16 subnet)
* ```log_level```: Loglevel (debug, info, notice, warn, err, emerg, crit)
* ```ssl_cipher_list```: See https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
* ```listening_ports```: Comma-separated list of ips:ports to listen on.
If the port is SSL, a letter s must be appended.
Ex: listening_ports = 80,443s
* ```run_as_user```: Switch to given user credentials after startup.
Required to run on privileged ports and not be run as root.
### tsa_config1
Example of timestamp section configuration.
* ```clock_precision_digits```: Number of decimals for timestamp. (optional)
* ```tsa_name```: Must the TSA name be included in the reply? (optional, default: no)
* ```signer_key```: The TSA private key. (optional)
* ```signer_cert```: The TSA signing certificat. (optional)
* ```ordering```: Is ordering defined for timestamps? (optional, default: no)
* ```certs```: Certificate chain to include in reply. (optional)
* ```default_policy```: Policy if request did not specify it. (optional)
* ```other_policies```: Acceptable policies. (optional)
* ```crypto_device```: OpenSSL engine to use for signing.
* ```ess_cert_id_chain```: Must the ESS cert id chain be included? (optional, default: no)
* ```digests```: Acceptable message digests. (mandatory)
* ```dir```: TSA root directory.
* ```accuracy```: Timestamp accuracy. (optional)
### oids
Section for declaring OID mapping. Just add <name> = <OID> pairs.
## Building
```bash
$ cmake .
$ make -j 2
```
## Playing with it
```bash
# building with civetweb embedded (will recover civetweb from github)
$ cmake . -DBUNDLE_CIVETWEB=ON
$ make
# create some test certificates
$ ./tests/cfg/pki/create_tsa_certs
# launching the timestamp server with test configuration in debug mode
$ ./uts-server -c tests/cfg/uts-server.cnf -D
# in another shell, launching a timestamp script on the README.md file
$ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert";
```

221
README.rst Normal file
View File

@ -0,0 +1,221 @@
uts-server
==========
.. image:: https://travis-ci.org/kakwa/uts-server.svg?branch=master
:target: https://travis-ci.org/kakwa/uts-server
Micro timestamp server (RFC 3161) written in C
Status
------
Alpha
Dependencies
------------
Runtime dependencies
~~~~~~~~~~~~~~~~~~~~
* OpenSSL (https://github.com/openssl/openssl)
* civetweb (https://github.com/civetweb/civetweb)
Build dependencies
~~~~~~~~~~~~~~~~~~
* cmake
* either gcc or clang
License
-------
Released under the MIT Public License
Usage
-----
.. sourcecode:: bash
$ ./uts-server --help
Usage: uts-server [OPTION...] -c CONFFILE [-d] [-D] [-p <pidfile>]
UTS micro timestamp server (RFC 3161)
-c, --conffile=CONFFILE Path to configuration file
-d, --daemonize Launch as a daemon
-D, --debug STDOUT debugging
-p, --pidfile=PIDFILE Path to pid file
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.
Report bugs to Pierre-Francois Carpentier <carpentier.pf@gmail.com>.
Configuration
-------------
main
~~~~
Main configuration section (mostly http configuration).
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| param | description | example value |
+=============================+=====================================================================+======================================+
| access_control_allow_origin | Comma separated list of IP subnets to accept/deny | -0.0.0.0/0,+192.168/16 |
| | | |
| | Ex: -0.0.0.0/0,+192.168.0.0/16 | |
| | (deny all accesses, only allow 192.168.0.0/16 subnet) | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| enable_keep_alive | Allows clients to reuse TCP connection for subsequent | no |
| | HTTP requests, which improves performance. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| listening_ports | Comma-separated list of ips:ports to listen on. | 127.0.0.1:2020 |
| | If the port is SSL, a letter s must be appended. | |
| | Ex: listening_ports = 80,443s | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| log_level | Loglevel (debug, info, notice, warn, err, emerg, crit) | info |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| num_threads | Number of worker threads. | 50 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| request_timeout_ms | Timeout for network read and network write operations. | 30000 |
| | In milliseconds. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| run_as_user | Switch to given user credentials after startup. | uts-server |
| | Required to run on privileged ports as non root user. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ssl_ca_file | Path to a .pem file containing trusted certificates. | /etc/uts-server/ca.pem |
| | The file may contain more than one certificate. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ssl_ca_path | Name of a directory containing trusted CA certificates. | /etc/ssl/ca/ |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ssl_certificate | Path to the SSL certificate file . | /etc/uts-server/cert.pem |
| | PEM format must contain private key and certificate. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ssl_cipher_list | See https://www.openssl.org/docs/manmaster/apps/ciphers.html | ALL:!eNULL |
| | for more detailed | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ssl_default_verify_paths | Loads default trusted certificates | yes |
| | locations set at openssl compile time. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ssl_protocol_version | Sets the minimal accepted version of SSL/TLS protocol | 3 |
| | according to the table: | |
| | | |
| | SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0 | |
| | SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1 | |
| | TLS1.0+TLS1.1+TLS1.2 -> 2 | |
| | TLS1.1+TLS1.2 -> 3 | |
| | TLS1.2 -> 4 | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ssl_short_trust | Enables the use of short lived certificates | no |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ssl_verify_depth | Sets maximum depth of certificate chain. | 9 |
| | If client's certificate chain is longer | |
| | than the depth set here connection is refused. | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ssl_verify_peer | Enable client's certificate verification by the server. | yes |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| tcp_nodelay | Enable TCP_NODELAY socket option on client connections. | 0 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| throttle | Limit download speed for clients. | \*=0 |
| | | |
| | throttle is a comma-separated list of key=value pairs: | |
| | - * -> limit speed for all connections | |
| | - x.x.x.x/mask -> limit speed for specified subnet | |
| | | |
| | The value is a floating-point number of bytes per second, | |
| | optionally followed by a k or m character | |
| | meaning kilobytes and megabytes respectively. | |
| | A limit of 0 means unlimited rate. | |
| | Ex: throttle = \*=1k,10.10.0.0/16=10m,10.20.0.0/16=0 | |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
oids
~~~~
Section for declarinG OID mapping. Just add <name> = <OID> pairs.
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| param | description | example value |
+=============================+=====================================================================+======================================+
| tsa_policy1 | | 1.2.3.4.1 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| tsa_policy2 | | 1.2.3.4.5.6 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| tsa_policy3 | | 1.2.3.4.5.7 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
tsa
~~~
Section defining which TSA section to use.
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| param | description | example value |
+=============================+=====================================================================+======================================+
| default_tsa | Name of the TSA section to use as default. | tsa_config1 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
tsa_config1
~~~~~~~~~~~
Example of timestamp section configuration.
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| param | description | example value |
+=============================+=====================================================================+======================================+
| accuracy | Timestamp accuracy. (optional) | secs:1, millisecs:500, microsecs:100 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| certs | Certificate chain to include in reply. (optional) | $dir/cacert.pem |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| clock_precision_digits | Number of decimals for timestamp. (optional) | 0 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| crypto_device | OpenSSL engine to use for signing. | builtin |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| default_policy | Policy if request did not specify it. (optional) | tsa_policy1 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| digests | Acceptable message digests. (mandatory) | md5, sha1 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| dir | TSA root directory. | /etc/uts-server/pki |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ess_cert_id_chain | Must the ESS cert id chain be included? (optional, default: no) | no |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| ordering | Is ordering defined for timestamps? (optional, default: no) | yes |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| other_policies | Acceptable policies. (optional) | tsa_policy2, tsa_policy3 |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| signer_cert | The TSA signing certificat. (optional) | $dir/tsacert.pem |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| signer_key | The TSA private key. (optional) | $dir/private/tsakey.pem |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
| tsa_name | Must the TSA name be included in the reply? (optional, default: no) | yes |
+-----------------------------+---------------------------------------------------------------------+--------------------------------------+
Building
--------
.. sourcecode:: bash
$ cmake .
$ make -j 2
Playing with it
---------------
.. sourcecode:: bash
# building with civetweb embedded (will recover civetweb from github)
$ cmake . -DBUNDLE_CIVETWEB=ON
$ make
# create some test certificates
$ ./tests/cfg/pki/create_tsa_certs
# launching the timestamp server with test configuration in debug mode
$ ./uts-server -c tests/cfg/uts-server.cnf -D
# in another shell, launching a timestamp script on the README.md file
$ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert";

47
conf/uts-server.cnf
View File

@ -21,22 +21,28 @@ enable_keep_alive = no
num_threads = 50
# Switch to given user credentials after startup.
# Required to run on privileged ports and not be run as root.
# Required to run on privileged ports as non root user.
#run_as_user = uts-server
# Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
# Limit download speed for clients.
#
# throttle is a comma-separated list of key=value pairs:
# - * -> limit speed for all connections
# - x.x.x.x/mask -> limit speed for specified subnet
#
# The value is a floating-point number of bytes per second, optionally followed by a k or m character
# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate.
# The value is a floating-point number of bytes per second,
# optionally followed by a k or m character
# meaning kilobytes and megabytes respectively.
# A limit of 0 means unlimited rate.
# Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
throttle = *=0
# Timeout for network read and network write operations, in milliseconds.
# Timeout for network read and network write operations.
# In milliseconds.
request_timeout_ms = 30000
# Path to the SSL certificate file (PEM format containing private key and certificate).
# Path to the SSL certificate file .
# PEM format must contain private key and certificate.
#ssl_certificate = /etc/uts-server/cert.pem
# Enable client's certificate verification by the server.
@ -45,25 +51,31 @@ request_timeout_ms = 30000
# Name of a directory containing trusted CA certificates.
#ssl_ca_path = /etc/ssl/ca/
# Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
# Path to a .pem file containing trusted certificates.
# The file may contain more than one certificate.
#ssl_ca_file = /etc/uts-server/ca.pem
# Sets maximum depth of certificate chain.
# If client's certificate chain is longer than the depth set here connection is refused.
# If client's certificate chain is longer
# than the depth set here connection is refused.
#ssl_verify_depth = 9
# Loads default trusted certificates locations set at openssl compile time.
# Loads default trusted certificates
# locations set at openssl compile time.
#ssl_default_verify_paths = yes
# See https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
# See https://www.openssl.org/docs/manmaster/apps/ciphers.html
# for more detailed
#ssl_cipher_list = ALL:!eNULL
# Sets the minimal accepted version of SSL/TLS protocol according to the table:
# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0
# SSL3+TLS1.0+TLS1.1+TLS1.2 1
# TLS1.0+TLS1.1+TLS1.2 2
# TLS1.1+TLS1.2 3
# TLS1.2 4
# Sets the minimal accepted version of SSL/TLS protocol
# according to the table:
#
# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0
# SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1
# TLS1.0+TLS1.1+TLS1.2 -> 2
# TLS1.1+TLS1.2 -> 3
# TLS1.2 -> 4
#ssl_protocol_version = 3
# Enables the use of short lived certificates
@ -71,7 +83,8 @@ request_timeout_ms = 30000
# Comma separated list of IP subnets to accept/deny
#
# Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow 192.168.0.0/16 subnet)
# Ex: -0.0.0.0/0,+192.168.0.0/16
# (deny all accesses, only allow 192.168.0.0/16 subnet)
#access_control_allow_origin = -0.0.0.0/0,+192.168/16
# Enable TCP_NODELAY socket option on client connections.

48
goodies/build_param_table.py
View File

@ -12,6 +12,8 @@ docs = {}
text_buf = ""
cur_section = ""
with open(tsq_path) as f:
for line in f.readlines():
m = re.search('\[ (\w+) \]', line)
@ -21,26 +23,60 @@ with open(tsq_path) as f:
cur_section = section
text_buf = ""
m = re.search('^#[\t ](.*)', line)
m = re.search('^#[\s](.*)', line)
if m:
text = m.group(1)
if text_buf:
text_buf += '\n '
text_buf += text
m = re.search('^#?([^\s]*)\s*=.*', line)
m = re.search('^#?([^\s]*)\s*=\s*(.*)', line)
if m:
var = m.group(1)
docs[cur_section]['vars'][var] = text_buf
ex_val = m.group(2)
docs[cur_section]['vars'][var] = {'desc': text_buf, 'val': ex_val}
text_buf = ""
#print docs
max_var = 0
max_desc = 0
max_val = 0
max_section = 0
for section in docs:
print('### ' + section)
max_section = max(len(docs[section]['text']), max_section)
for var in docs[section]['vars']:
if docs[section]['vars'][var]:
max_var = max(len(var), max_var)
for line in docs[section]['vars'][var]['desc'].split('\n'):
max_desc = max(len(line), max_desc)
max_val = max(len(docs[section]['vars'][var]['val']), max_val)
def print_line(var, desc, val):
print(\
'| ' + var + ' ' * (max_var - len(var)) + \
' | ' + desc + ' ' * (max_desc - len(desc)) + \
' | ' + val + ' ' * (max_val - len(val)) + \
' |')
for section in sorted(docs):
print(section)
print('~' * len(section))
print('')
print(docs[section]['text'])
print('')
for var in docs[section]['vars']:
print('+-' + '-' * max_var + '-+-' + '-' * max_desc + '-+-' + '-' * max_val + '-+')
print_line('param', 'description', 'example value')
print('+=' + '=' * max_var + '=+=' + '=' * max_desc + '=+=' + '=' * max_val + '=+')
for var in sorted(docs[section]['vars']):
if docs[section]['vars'][var]:
print('* ```' + var + '```: ' + docs[section]['vars'][var])
first = True
for line in docs[section]['vars'][var]['desc'].split('\n'):
if first:
first = False
print_line(var, line, docs[section]['vars'][var]['val'])
else:
print_line('', line, '')
print('+-' + '-' * max_var + '-+-' + '-' * max_desc + '-+-' + '-' * max_val + '-+')
print('')