diff --git a/README.md b/README.md deleted file mode 100644 index c4b629e..0000000 --- a/README.md +++ /dev/null 
@@ -1,134 +0,0 @@ -# uts-server - -[![Build Status](https://travis-ci.org/kakwa/uts-server.svg?branch=master)](https://travis-ci.org/kakwa/uts-server) - -Micro timestamp server (RFC 3161) written in C - -## Status - -Alpha - -## Dependencies - -* OpenSSL (https://github.com/openssl/openssl) -* civetweb (https://github.com/civetweb/civetweb) - -## License - -Released under the MIT Public License - -## Usage - -```bash -$ ./uts-server --help -Usage: uts-server [OPTION...] -c CONFFILE [-d] [-D] [-p ] - -UTS micro timestamp server (RFC 3161) - - -c, --conffile=CONFFILE Path to configuration file - -d, --daemonize Launch as a daemon - -D, --debug STDOUT debugging - -p, --pidfile=PIDFILE Path to pid file - -?, --help Give this help list - --usage Give a short usage message - -V, --version Print program version - -Mandatory or optional arguments to long options are also mandatory or optional -for any corresponding short options. - -Report bugs to Pierre-Francois Carpentier . -``` - -## Configuration - -### tsa - -Section defining which TSA section to use. - -* ```default_tsa```: Name of the TSA section to use as default. - -### main - -Main configuration section (mostly http configuration). - -* ```enable_keep_alive```: Allows clients to reuse TCP connection for subsequent - HTTP requests, which improves performance. -* ```num_threads```: Number of worker threads. -* ```ssl_ca_path```: Name of a directory containing trusted CA certificates. -* ```throttle```: Limit download speed for clients. throttle is a comma-separated list of key=value pairs: - - * -> limit speed for all connections - - x.x.x.x/mask -> limit speed for specified subnet - The value is a floating-point number of bytes per second, optionally followed by a k or m character - meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate. - Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0 -* ```ssl_verify_peer```: Enable client's certificate verification by the server. 
-* ```ssl_certificate```: Path to the SSL certificate file (PEM format containing private key and certificate). -* ```tcp_nodelay```: Enable TCP_NODELAY socket option on client connections. -* ```ssl_verify_depth```: Sets maximum depth of certificate chain. - If client's certificate chain is longer than the depth set here connection is refused. -* ```ssl_short_trust```: Enables the use of short lived certificates -* ```request_timeout_ms```: Timeout for network read and network write operations, in milliseconds. -* ```ssl_protocol_version```: Sets the minimal accepted version of SSL/TLS protocol according to the table: - SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0 - SSL3+TLS1.0+TLS1.1+TLS1.2 1 - TLS1.0+TLS1.1+TLS1.2 2 - TLS1.1+TLS1.2 3 - TLS1.2 4 -* ```ssl_ca_file```: Path to a .pem file containing trusted certificates. The file may contain more than one certificate. -* ```ssl_default_verify_paths```: Loads default trusted certificates locations set at openssl compile time. -* ```access_control_allow_origin```: Comma separated list of IP subnets to accept/deny - Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow 192.168.0.0/16 subnet) -* ```log_level```: Loglevel (debug, info, notice, warn, err, emerg, crit) -* ```ssl_cipher_list```: See https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed -* ```listening_ports```: Comma-separated list of ips:ports to listen on. - If the port is SSL, a letter s must be appended. - Ex: listening_ports = 80,443s -* ```run_as_user```: Switch to given user credentials after startup. - Required to run on privileged ports and not be run as root. - -### tsa_config1 - -Example of timestamp section configuration. - -* ```clock_precision_digits```: Number of decimals for timestamp. (optional) -* ```tsa_name```: Must the TSA name be included in the reply? (optional, default: no) -* ```signer_key```: The TSA private key. (optional) -* ```signer_cert```: The TSA signing certificat. 
(optional) -* ```ordering```: Is ordering defined for timestamps? (optional, default: no) -* ```certs```: Certificate chain to include in reply. (optional) -* ```default_policy```: Policy if request did not specify it. (optional) -* ```other_policies```: Acceptable policies. (optional) -* ```crypto_device```: OpenSSL engine to use for signing. -* ```ess_cert_id_chain```: Must the ESS cert id chain be included? (optional, default: no) -* ```digests```: Acceptable message digests. (mandatory) -* ```dir```: TSA root directory. -* ```accuracy```: Timestamp accuracy. (optional) - -### oids - -Section for declaring OID mapping. Just add = pairs. - - -## Building - -```bash -$ cmake . -$ make -j 2 -``` - -## Playing with it - -```bash -# building with civetweb embedded (will recover civetweb from github) -$ cmake . -DBUNDLE_CIVETWEB=ON -$ make - -# create some test certificates -$ ./tests/cfg/pki/create_tsa_certs - -# launching the timestamp server with test configuration in debug mode -$ ./uts-server -c tests/cfg/uts-server.cnf -D - -# in another shell, launching a timestamp script on the README.md file -$ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert"; -``` diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..13ec68a --- /dev/null +++ b/README.rst 
@@ -0,0 +1,221 @@ +uts-server +========== + +.. image:: https://travis-ci.org/kakwa/uts-server.svg?branch=master + :target: https://travis-ci.org/kakwa/uts-server + +Micro timestamp server (RFC 3161) written in C + +Status +------ + +Alpha + +Dependencies +------------ + +Runtime dependencies +~~~~~~~~~~~~~~~~~~~~ + +* OpenSSL (https://github.com/openssl/openssl) +* civetweb (https://github.com/civetweb/civetweb) + +Build dependencies +~~~~~~~~~~~~~~~~~~ + +* cmake +* either gcc or clang + +License +------- + +Released under the MIT Public License + +Usage +----- + +.. sourcecode:: bash + + $ ./uts-server --help + Usage: uts-server [OPTION...] -c CONFFILE [-d] [-D] [-p ] + + UTS micro timestamp server (RFC 3161) + + -c, --conffile=CONFFILE Path to configuration file + -d, --daemonize Launch as a daemon + -D, --debug STDOUT debugging + -p, --pidfile=PIDFILE Path to pid file + -?, --help Give this help list + --usage Give a short usage message + -V, --version Print program version + + Mandatory or optional arguments to long options are also mandatory or optional + for any corresponding short options. + + Report bugs to Pierre-Francois Carpentier . + +Configuration +------------- + +main +~~~~ + +Main configuration section (mostly http configuration). 
+ ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| param | description | example value | ++=============================+=====================================================================+======================================+ +| access_control_allow_origin | Comma separated list of IP subnets to accept/deny | -0.0.0.0/0,+192.168/16 | +| | | | +| | Ex: -0.0.0.0/0,+192.168.0.0/16 | | +| | (deny all accesses, only allow 192.168.0.0/16 subnet) | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| enable_keep_alive | Allows clients to reuse TCP connection for subsequent | no | +| | HTTP requests, which improves performance. | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| listening_ports | Comma-separated list of ips:ports to listen on. | 127.0.0.1:2020 | +| | If the port is SSL, a letter s must be appended. | | +| | Ex: listening_ports = 80,443s | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| log_level | Loglevel (debug, info, notice, warn, err, emerg, crit) | info | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| num_threads | Number of worker threads. | 50 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| request_timeout_ms | Timeout for network read and network write operations. | 30000 | +| | In milliseconds. 
| | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| run_as_user | Switch to given user credentials after startup. | uts-server | +| | Required to run on privileged ports as non root user. | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ssl_ca_file | Path to a .pem file containing trusted certificates. | /etc/uts-server/ca.pem | +| | The file may contain more than one certificate. | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ssl_ca_path | Name of a directory containing trusted CA certificates. | /etc/ssl/ca/ | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ssl_certificate | Path to the SSL certificate file . | /etc/uts-server/cert.pem | +| | PEM format must contain private key and certificate. | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ssl_cipher_list | See https://www.openssl.org/docs/manmaster/apps/ciphers.html | ALL:!eNULL | +| | for more detailed | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ssl_default_verify_paths | Loads default trusted certificates | yes | +| | locations set at openssl compile time. 
| | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ssl_protocol_version | Sets the minimal accepted version of SSL/TLS protocol | 3 | +| | according to the table: | | +| | | | +| | SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0 | | +| | SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1 | | +| | TLS1.0+TLS1.1+TLS1.2 -> 2 | | +| | TLS1.1+TLS1.2 -> 3 | | +| | TLS1.2 -> 4 | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ssl_short_trust | Enables the use of short lived certificates | no | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ssl_verify_depth | Sets maximum depth of certificate chain. | 9 | +| | If client's certificate chain is longer | | +| | than the depth set here connection is refused. | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ssl_verify_peer | Enable client's certificate verification by the server. | yes | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| tcp_nodelay | Enable TCP_NODELAY socket option on client connections. | 0 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| throttle | Limit download speed for clients. | \*=0 | +| | | | +| | throttle is a comma-separated list of key=value pairs: | | +| | - * -> limit speed for all connections | | +| | - x.x.x.x/mask -> limit speed for specified subnet | | +| | | | +| | The value is a floating-point number of bytes per second, | | +| | optionally followed by a k or m character | | +| | meaning kilobytes and megabytes respectively. 
| | +| | A limit of 0 means unlimited rate. | | +| | Ex: throttle = \*=1k,10.10.0.0/16=10m,10.20.0.0/16=0 | | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ + +oids +~~~~ + +Section for declarinG OID mapping. Just add = pairs. + ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| param | description | example value | ++=============================+=====================================================================+======================================+ +| tsa_policy1 | | 1.2.3.4.1 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| tsa_policy2 | | 1.2.3.4.5.6 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| tsa_policy3 | | 1.2.3.4.5.7 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ + +tsa +~~~ + +Section defining which TSA section to use. + ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| param | description | example value | ++=============================+=====================================================================+======================================+ +| default_tsa | Name of the TSA section to use as default. | tsa_config1 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ + +tsa_config1 +~~~~~~~~~~~ + +Example of timestamp section configuration. 
+ ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| param | description | example value | ++=============================+=====================================================================+======================================+ +| accuracy | Timestamp accuracy. (optional) | secs:1, millisecs:500, microsecs:100 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| certs | Certificate chain to include in reply. (optional) | $dir/cacert.pem | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| clock_precision_digits | Number of decimals for timestamp. (optional) | 0 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| crypto_device | OpenSSL engine to use for signing. | builtin | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| default_policy | Policy if request did not specify it. (optional) | tsa_policy1 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| digests | Acceptable message digests. (mandatory) | md5, sha1 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| dir | TSA root directory. | /etc/uts-server/pki | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ess_cert_id_chain | Must the ESS cert id chain be included? 
(optional, default: no) | no | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| ordering | Is ordering defined for timestamps? (optional, default: no) | yes | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| other_policies | Acceptable policies. (optional) | tsa_policy2, tsa_policy3 | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| signer_cert | The TSA signing certificat. (optional) | $dir/tsacert.pem | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| signer_key | The TSA private key. (optional) | $dir/private/tsakey.pem | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ +| tsa_name | Must the TSA name be included in the reply? (optional, default: no) | yes | ++-----------------------------+---------------------------------------------------------------------+--------------------------------------+ + +Building +-------- + +.. sourcecode:: bash + + $ cmake . + $ make -j 2 + +Playing with it +--------------- + +.. sourcecode:: bash + + # building with civetweb embedded (will recover civetweb from github) + $ cmake . -DBUNDLE_CIVETWEB=ON + $ make + + # create some test certificates + $ ./tests/cfg/pki/create_tsa_certs + + # launching the timestamp server with test configuration in debug mode + $ ./uts-server -c tests/cfg/uts-server.cnf -D + + # in another shell, launching a timestamp script on the README.md file + $ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert"; diff --git a/conf/uts-server.cnf b/conf/uts-server.cnf index 67f2fdd..ddcb922 100644 
--- a/conf/uts-server.cnf +++ b/conf/uts-server.cnf @@ -21,22 +21,28 @@ enable_keep_alive = no num_threads = 50 # Switch to given user credentials after startup. -# Required to run on privileged ports and not be run as root. +# Required to run on privileged ports as non root user. #run_as_user = uts-server -# Limit download speed for clients. throttle is a comma-separated list of key=value pairs: +# Limit download speed for clients. +# +# throttle is a comma-separated list of key=value pairs: # - * -> limit speed for all connections # - x.x.x.x/mask -> limit speed for specified subnet # -# The value is a floating-point number of bytes per second, optionally followed by a k or m character -# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate. +# The value is a floating-point number of bytes per second, +# optionally followed by a k or m character +# meaning kilobytes and megabytes respectively. +# A limit of 0 means unlimited rate. # Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0 throttle = *=0 -# Timeout for network read and network write operations, in milliseconds. +# Timeout for network read and network write operations. +# In milliseconds. request_timeout_ms = 30000 -# Path to the SSL certificate file (PEM format containing private key and certificate). +# Path to the SSL certificate file . +# PEM format must contain private key and certificate. #ssl_certificate = /etc/uts-server/cert.pem # Enable client's certificate verification by the server. 
@@ -45,25 +51,31 @@ request_timeout_ms = 30000 # Name of a directory containing trusted CA certificates. #ssl_ca_path = /etc/ssl/ca/ -# Path to a .pem file containing trusted certificates. The file may contain more than one certificate. +# Path to a .pem file containing trusted certificates. +# The file may contain more than one certificate. #ssl_ca_file = /etc/uts-server/ca.pem # Sets maximum depth of certificate chain. -# If client's certificate chain is longer than the depth set here connection is refused. +# If client's certificate chain is longer +# than the depth set here connection is refused. #ssl_verify_depth = 9 -# Loads default trusted certificates locations set at openssl compile time. +# Loads default trusted certificates +# locations set at openssl compile time. #ssl_default_verify_paths = yes -# See https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed +# See https://www.openssl.org/docs/manmaster/apps/ciphers.html +# for more detailed #ssl_cipher_list = ALL:!eNULL -# Sets the minimal accepted version of SSL/TLS protocol according to the table: -# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0 -# SSL3+TLS1.0+TLS1.1+TLS1.2 1 -# TLS1.0+TLS1.1+TLS1.2 2 -# TLS1.1+TLS1.2 3 -# TLS1.2 4 +# Sets the minimal accepted version of SSL/TLS protocol +# according to the table: +# +# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 -> 0 +# SSL3+TLS1.0+TLS1.1+TLS1.2 -> 1 +# TLS1.0+TLS1.1+TLS1.2 -> 2 +# TLS1.1+TLS1.2 -> 3 +# TLS1.2 -> 4 #ssl_protocol_version = 3 # Enables the use of short lived certificates @@ -71,7 +83,8 @@ request_timeout_ms = 30000 # Comma separated list of IP subnets to accept/deny # -# Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow 192.168.0.0/16 subnet) +# Ex: -0.0.0.0/0,+192.168.0.0/16 +# (deny all accesses, only allow 192.168.0.0/16 subnet) #access_control_allow_origin = -0.0.0.0/0,+192.168/16 # Enable TCP_NODELAY socket option on client connections. 
diff --git a/goodies/build_param_table.py b/goodies/build_param_table.py index 3653ac7..f742da2 100755 --- a/goodies/build_param_table.py +++ b/goodies/build_param_table.py @@ -12,6 +12,8 @@ docs = {} text_buf = "" cur_section = "" + + with open(tsq_path) as f: for line in f.readlines(): m = re.search('\[ (\w+) \]', line) 
@@ -21,26 +23,60 @@ with open(tsq_path) as f: cur_section = section text_buf = "" - m = re.search('^#[\t ](.*)', line) + m = re.search('^#[\s](.*)', line) if m: text = m.group(1) if text_buf: text_buf += '\n ' text_buf += text - m = re.search('^#?([^\s]*)\s*=.*', line) + m = re.search('^#?([^\s]*)\s*=\s*(.*)', line) if m: var = m.group(1) - docs[cur_section]['vars'][var] = text_buf + ex_val = m.group(2) + docs[cur_section]['vars'][var] = {'desc': text_buf, 'val': ex_val} text_buf = "" #print docs +max_var = 0 +max_desc = 0 +max_val = 0 +max_section = 0 + for section in docs: - print('### ' + section) + max_section = max(len(docs[section]['text']), max_section) + for var in docs[section]['vars']: + if docs[section]['vars'][var]: + max_var = max(len(var), max_var) + for line in docs[section]['vars'][var]['desc'].split('\n'): + max_desc = max(len(line), max_desc) + max_val = max(len(docs[section]['vars'][var]['val']), max_val) + +def print_line(var, desc, val): + print(\ + '| ' + var + ' ' * (max_var - len(var)) + \ + ' | ' + desc + ' ' * (max_desc - len(desc)) + \ + ' | ' + val + ' ' * (max_val - len(val)) + \ + ' |') + + +for section in sorted(docs): + print(section) + print('~' * len(section)) print('') print(docs[section]['text']) print('') - for var in docs[section]['vars']: + print('+-' + '-' * max_var + '-+-' + '-' * max_desc + '-+-' + '-' * max_val + '-+') + print_line('param', 'description', 'example value') + print('+=' + '=' * max_var + '=+=' + '=' * max_desc + '=+=' + '=' * max_val + '=+') + for var in sorted(docs[section]['vars']): if docs[section]['vars'][var]: - print('* ```' + var + '```: ' + docs[section]['vars'][var]) + first = True + for line in docs[section]['vars'][var]['desc'].split('\n'): + if first: + first = False + print_line(var, line, docs[section]['vars'][var]['val']) + else: + print_line('', line, '') + print('+-' + '-' * max_var + '-+-' + '-' * max_desc + '-+-' + '-' * max_val + '-+') print('')
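Review bot: the new README.rst still walks the reader through timestamping README.md (`# in another shell, launching a timestamp script on the README.md file` followed by `$ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert";`) while this same commit deletes README.md, so the "Playing with it" steps fail on a fresh checkout; point the example at README.rst or another file that still exists. Wording issues in the same hunk: "declarinG OID mapping", "The TSA signing certificat.", the dangling "for more detailed" after the ciphers URL, and "Path to the SSL certificate file ." with a space before the full stop. The access_control_allow_origin row documents `+192.168.0.0/16` in its description but shows `+192.168/16` in the example column; use one form. On the example column, which readers tend to copy: `digests` lists `md5, sha1`, both digests with published collision attacks, as the acceptable set for a timestamp authority; `ssl_cipher_list` shows `ALL:!eNULL`, which still admits anonymous (aNULL) suites; and `ssl_protocol_version` shows `3`, which per the table accepts TLS1.1. Consider SHA-2 digests, a cipher string that also excludes aNULL, and protocol version 4 as the documented examples.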
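Review bot: the rewrap of the ssl_certificate comment in the first conf/uts-server.cnf hunk introduces a stray space before the period in `+# Path to the SSL certificate file .`; drop the space (the same text is then copied into README.rst by the table generator). The rest of the hunk is comment re-wrapping only, and `throttle = *=0` and `request_timeout_ms = 30000` keep their values.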
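Review bot: in the second conf/uts-server.cnf hunk the ssl_cipher_list comment is rewrapped but the sentence is still unfinished (`+# See https://www.openssl.org/docs/manmaster/apps/ciphers.html` / `+# for more detailed`); finish it, e.g. "for the cipher list syntax". While touching these lines, the commented example `#ssl_cipher_list = ALL:!eNULL` only removes null-encryption suites and still allows anonymous (aNULL) suites, and `#ssl_protocol_version = 3` maps to TLS1.1+TLS1.2 in the table just above it; since commented examples get uncommented verbatim, an example that also excludes aNULL and a version of 4 would be safer defaults to document.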
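Review bot: in the third conf/uts-server.cnf hunk the rewrapped comment gives `+# Ex: -0.0.0.0/0,+192.168.0.0/16` while the setting directly below it reads `#access_control_allow_origin = -0.0.0.0/0,+192.168/16`; the two spellings of the same subnet should match so a reader can tell which form the parser expects.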
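Review bot: in the second goodies/build_param_table.py hunk, the column widths are computed only from the parsed variables (`max_var`, `max_desc`, `max_val` start at 0), but `print_line('param', 'description', 'example value')` is printed with the same widths; if every description is shorter than "description" or every value shorter than "example value", the header row overflows and the RST grid table is invalid. Seed the maxima with the header lengths, e.g. `max_var = len('param')`, `max_desc = len('description')`, `max_val = len('example value')`. Related points in the same hunk: `max_section` is computed and never used; `if docs[section]['vars'][var]:` is now always true because the value is a non-empty dict, so either drop the check or test `['desc']` if empty descriptions were meant to be skipped; `'^#[\s](.*)'` puts a single class inside brackets for no reason and, like the other patterns, should be a raw string so `\s` and `\[` are not interpreted as string escapes; the backslash continuations inside `print(\` are unnecessary within parentheses; and nothing escapes RST markup characters in values, yet README.rst in this commit contains `\*=0` and `\*=1k,...`, which means the generated output had to be hand-edited before being committed.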