version bump

add documentation explaining the requirement for the timestamp signer
certificate

.travis.yml

@@ -1,9 +1,6 @@
-matrix:
+os: linux
-  include:
+dist: trusty
-    - os: linux
+
-      dist: trusty
-    - os: linux
-      dist: precise
 
 sudo: false
 

CMakeLists.txt

@@ -2,13 +2,67 @@ cmake_minimum_required (VERSION 2.6)
 project (uts-server)
 include(ExternalProject)
 
+if (CMAKE_VERSION VERSION_LESS "3.1")
+  if (CMAKE_C_COMPILER_ID STREQUAL "GNU")
+    set (CMAKE_C_FLAGS "--std=gnu99 ${CMAKE_C_FLAGS}")
+  endif ()
+else ()
+  set (CMAKE_C_STANDARD 99)
+endif ()
 
-set(VERSION 0.1.4)
+set(VERSION 0.2.1)
 
-option(DEBUG     "compile with debug symbol"    OFF)
+option(DEBUG              "compile with debug symbol"    OFF)
-option(BUNDLE_CIVETWEB     "bundle civetweb with uts-server"    OFF)
+option(BUNDLE_CIVETWEB    "bundle civetweb with uts-server"    OFF)
+option(STATIC             "static linked binary" OFF)
+option(LINK_DL            "link dl" OFF)
+option(LINK_GCC_S         "link gcc_s" OFF)
+option(CIVETWEB_CUST_ARGS "Custom args for civetweb (if civetweb is bundled)" "")
+option(LINK_PTHREAD       "link pthread" OFF)
 
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99 -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=700")
+IF("$ENV{CIVETWEB_GITURL}" STREQUAL "")
+    set(CIVETWEB_GITURL    "https://github.com/civetweb/civetweb")
+ELSE()
+    set(CIVETWEB_GITURL    "$ENV{CIVETWEB_GITURL}")
+ENDIF()
+
+IF("$ENV{CIVETWEB_GITTAG}" STREQUAL "")
+    set(CIVETWEB_GITTAG    "v1.11")
+ELSE()
+    set(CIVETWEB_GITTAG    "$ENV{CIVETWEB_GITTAG}")
+ENDIF()
+
+
+
+IF(STATIC)
+    set(CMAKE_FIND_LIBRARY_SUFFIXES ".a")
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -static")
+    set(OPENSSL_USE_STATIC_LIBS ON)
+    set(ARGP_USE_STATIC_LIBS ON)
+    set(CIVETWEB_USE_STATIC_LIBS ON)
+ENDIF(STATIC)
+
+IF(BUNDLE_CIVETWEB)
+    IF(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+        set(DL_LIBRARIES 'dl')
+    ENDIF(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+ENDIF(BUNDLE_CIVETWEB)
+
+IF(LINK_DL)
+    set(DL_LIBRARIES 'dl')
+ENDIF(LINK_DL)
+
+IF(LINK_GCC_S)
+    set(GCC_S_LIBRARIES 'gcc_s')
+ENDIF(LINK_GCC_S)
+
+IF(LINK_PTHREAD)
+    set(PTHREAD_LIBRARIES 'pthread')
+ENDIF(LINK_PTHREAD)
+
+set (CMAKE_C_STANDARD 11)
+
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=700")
 
 if(DEBUG)
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O0 -g")
@@ -26,29 +80,46 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DUTS_VERSION='\"${VERSION}\"'")
 set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${CMAKE_CURRENT_SOURCE_DIR}/cmake/")
 
 find_package(OpenSSL REQUIRED)
+find_package(LibreSSL)
+
 MESSAGE(STATUS "OpenSSL include dir: ${OPENSSL_INCLUDE_DIR}")
 MESSAGE(STATUS "OpenSSL libraries: ${OPENSSL_LIBRARIES}")
 MESSAGE(STATUS "OpenSSL version: ${OPENSSL_VERSION}")
+MESSAGE(STATUS "LibreSSL Detected: ${IS_LIBRESSL}")
+MESSAGE(STATUS "OS Detected: ${CMAKE_SYSTEM_NAME}")
 
-if(${OPENSSL_VERSION} VERSION_GREATER 1.0.99)
+
-    set(OPENSSL_API_1_1 ON)
+if(NOT(DEFINED OPENSSL_API_1_1))
-else()
+    if(${OPENSSL_VERSION} VERSION_GREATER 1.0.99 AND NOT(IS_LIBRESSL))
-    set(OPENSSL_API_1_1 OFF)
+        set(OPENSSL_API_1_1 ON)
+    else()
+        set(OPENSSL_API_1_1 OFF)
+    endif()
 endif()
 
+
 IF(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
     set(SED_FREEBSD "*.c.bak")
     find_package(argp REQUIRED)
     add_definitions(-DBSD)
 ENDIF(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
 
+IF(${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD")
+    find_package(argp REQUIRED)
+    add_definitions(-DBSD)
+ENDIF(${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD")
+
+
 if(BUNDLE_CIVETWEB)
+    MESSAGE(STATUS "Building Civetweb From: ${CIVETWEB_GITURL}")
     ExternalProject_Add( civetweb
-       GIT_REPOSITORY https://github.com/kakwa/civetweb
+       GIT_REPOSITORY ${CIVETWEB_GITURL}
+       GIT_TAG ${CIVETWEB_GITTAG}
        PATCH_COMMAND sed -i ${SED_FREEBSD} s/__DATE__/"110973"/ src/main.c src/civetweb.c
        INSTALL_DIR /usr/local
        CMAKE_ARGS .. -DCMAKE_INSTALL_PREFIX=/usr
-        -DCIVETWEB_DISABLE_CGI=ON
+        -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
+        -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
         -DCIVETWEB_ENABLE_CXX=OFF
         -DBUILD_SHARED_LIBS=OFF
         -DCIVETWEB_DISABLE_CGI=ON
@@ -56,13 +127,21 @@ if(BUNDLE_CIVETWEB)
         -DCIVETWEB_ENABLE_IPV6=ON
         -DCIVETWEB_DISABLE_CACHING=ON
         -DBUILD_TESTING=OFF
+        -DCIVETWEB_BUILD_TESTING=OFF
         -DCIVETWEB_SSL_OPENSSL_API_1_1=${OPENSSL_API_1_1}
-        -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=OFF
+        -DOPENSSL_USE_STATIC_LIBS=${OPENSSL_USE_STATIC_LIBS}
+        -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=ON
+        -DCIVETWEB_ALLOW_WARNINGS=ON
+        ${CIVETWEB_CUST_ARGS}
        INSTALL_COMMAND make install DESTDIR=${CMAKE_CURRENT_SOURCE_DIR}/vendor/
     )
     set(LIBCIVETWEB_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/vendor/usr/include")
     set(LIBCIVETWEB_LIBRARIES "${CMAKE_CURRENT_SOURCE_DIR}/vendor/usr/lib/libcivetweb.a")
-    set (CMAKE_C_LINK_EXECUTABLE "${CMAKE_CXX_LINK_EXECUTABLE} -lpthread -lrt")
+    IF(${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD")
+        set (CMAKE_C_LINK_EXECUTABLE "${CMAKE_CXX_LINK_EXECUTABLE} -lpthread")
+    ELSE(${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD")
+        set (CMAKE_C_LINK_EXECUTABLE "${CMAKE_CXX_LINK_EXECUTABLE} -lpthread -lrt")
+    ENDIF(${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD")
 else(BUNDLE_CIVETWEB)
     find_package(libcivetweb REQUIRED)
 endif(BUNDLE_CIVETWEB)
@@ -87,13 +166,15 @@ target_link_libraries(uts-server
     ${OPENSSL_LIBRARIES}
     ${LIBCIVETWEB_LIBRARIES}
     ${ARGP_LIBRARIES}
+    ${DL_LIBRARIES}
+    ${GCC_S_LIBRARIES}
+    ${PTHREAD_LIBRARIES}
 )
 
 INSTALL(TARGETS uts-server
     RUNTIME DESTINATION bin
 )
 
-
 if(BUNDLE_CIVETWEB)
     add_dependencies(uts-server civetweb)
 endif(BUNDLE_CIVETWEB)

ChangeLog.rst

@@ -1,14 +1,65 @@
 Changelogs
 ==========
 
-dev
+0.2.1
----
+-----
 
-* [impr] add support for FreeBSD
+* [fix ] fix compilation for newer GCC (>10.2) (global variable definition issue 
+
+0.2.0
+-----
+
+* [fix ] disable buffering when logging to stdout (it was causing issues when running in docker)
+* [impr] make the stdout logger an official logger (previously, it was only for debugging)
+* [impr] the 'log_to_syslog' and 'log_to_stdout' parameters to enable/disable logging to syslog/stdout
+* [impr] serve the CA and the signer certificate
+* [impr] better landing page with download links for the previous 2 files and some instructions
+
+0.1.10
+------
+
+* [fix ] point to upstream civetweb (forked civetweb now removed)
+* [fix ] using dynamic openssl loading for civetweb when bundling 
+* [impr] add possibility to specify which tag used for civetweb bundling
+* [impr] use same compiler for uts-server and civetweb when bundling
+
+0.1.9
+-----
+
+* [fix ] add explicit C standard (C99), fixes compilation with olders gcc/cmake
+
+0.1.8
+-----
+
+* [impr] add OpenBSD support
+* [impr] add LibreSSL support
+
+0.1.7
+-----
+
+* [doc ] add warnings to explicitely state the BUNDLE_CIVETWEB option as test/dev only
+* [impr] add option for easily linking lib pthread (mainly for static linking)
+
+0.1.6
+-----
+
+* [fix ] option declaration for LINK_GCC_S
+
+0.1.5
+-----
+
+* [impr] add support for a static build
+
+0.1.4
+-----
+
+* [impr] more portable code
 
 0.1.3
 -----
 
+* [impr] add support for FreeBSD
+
 0.1.2
 -----
 

Jenkinsfile

@@ -0,0 +1,67 @@
+pipeline {
+  agent none
+  stages {
+    stage('Compile') {
+      steps {
+        parallel(
+          "OpenBSD 6.1": {
+            node(label: 'openbsd-6.1') {
+              sh 'git config --global user.name "jenkins@kakwa.fr"'
+              sh 'git config --global user.email "jenkins@kakwa.fr"'
+              git(url: 'https://github.com/kakwa/uts-server', poll: true, changelog: true)
+              sh 'git clean -fdx'
+              sh 'export GIT_SSL_NO_VERIFY=true; CIVETWEB_GITURL=https://gogs.kakwa.fr/kakwa/civetweb/; export CC=/usr/local/bin/egcc;export CXX=/usr/local/bin/ec++; cmake . -DBUNDLE_CIVETWEB=ON'
+              sh 'export GIT_SSL_NO_VERIFY=true; CIVETWEB_GITURL=https://gogs.kakwa.fr/kakwa/civetweb/; export CC=/usr/local/bin/egcc;export CXX=/usr/local/bin/ec++; make -j4'
+              sh './tests/cfg/pki/create_tsa_certs'
+              sh './tests/external_test.sh'
+            }
+            
+            
+          },
+          "FreeBSD 11": {
+            node(label: 'freebsd-11') {
+              sh 'git config --global user.email "jenkins@kakwa.fr"'
+              sh 'git config --global user.name "jenkins@kakwa.fr"'
+              git(url: 'https://github.com/kakwa/uts-server', poll: true, changelog: true)
+              sh 'export GIT_SSL_NO_VERIFY=true; CIVETWEB_GITURL=https://gogs.kakwa.fr/kakwa/civetweb/;git clean -fdx'
+              sh 'export GIT_SSL_NO_VERIFY=true; CIVETWEB_GITURL=https://gogs.kakwa.fr/kakwa/civetweb/;cmake . -DBUNDLE_CIVETWEB=ON'
+              sh 'make -j4'
+              sh './tests/cfg/pki/create_tsa_certs'
+              sh './tests/external_test.sh'
+            }
+            
+            
+          },
+          "CentOS 7": {
+            node(label: 'centos-7') {
+              sh 'git config --global user.email "jenkins@kakwa.fr"'
+              sh 'git config --global user.name "jenkins@kakwa.fr"'
+              git(url: 'https://github.com/kakwa/uts-server', poll: true, changelog: true)
+              sh 'git clean -fdx'
+              sh 'export GIT_SSL_NO_VERIFY=true; CIVETWEB_GITURL=https://gogs.kakwa.fr/kakwa/civetweb/; export CXX=/usr/bin/clang++; export CC=/usr/bin/clang; cmake . -DBUNDLE_CIVETWEB=ON'
+              sh 'export GIT_SSL_NO_VERIFY=true; CIVETWEB_GITURL=https://gogs.kakwa.fr/kakwa/civetweb/; export CXX=/usr/bin/clang++; export CC=/usr/bin/clang; make -j4'
+              sh './tests/cfg/pki/create_tsa_certs'
+              sh './tests/external_test.sh'
+            }
+            
+            
+          },
+          "Debian 8": {
+            node(label: 'debian-8') {
+              sh 'git config --global user.email "jenkins@kakwa.fr"'
+              sh 'git config --global user.name "jenkins@kakwa.fr"'
+              git(url: 'https://github.com/kakwa/uts-server', poll: true, changelog: true)
+              sh 'git clean -fdx'
+              sh 'export GIT_SSL_NO_VERIFY=true; CIVETWEB_GITURL=https://gogs.kakwa.fr/kakwa/civetweb/; cmake . -DBUNDLE_CIVETWEB=ON'
+              sh 'export GIT_SSL_NO_VERIFY=true; CIVETWEB_GITURL=https://gogs.kakwa.fr/kakwa/civetweb/; make -j4'
+              sh './tests/cfg/pki/create_tsa_certs'
+              sh './tests/external_test.sh'
+            }
+            
+            
+          }
+        )
+      }
+    }
+  }
+}

README.rst

@@ -12,6 +12,10 @@ uts-server
     :target: http://uts-server.readthedocs.org/en/latest/?badge=latest
     :alt: Documentation Status
 
+.. image:: https://jenkins.kakwalab.ovh/buildStatus/icon?job=kakwa/uts-server/master
+    :target: https://jenkins.kakwalab.ovh/blue/organizations/jenkins/kakwa%2Futs-server/branches/
+    :alt: Jenkins Status
+
 Micro `RFC 3161 Time-Stamp <https://www.ietf.org/rfc/rfc3161.txt>`_ server written in C.
 
 ----
@@ -19,10 +23,15 @@ Micro `RFC 3161 Time-Stamp <https://www.ietf.org/rfc/rfc3161.txt>`_ server writt
 :Doc:    `Uts-Server documentation on ReadTheDoc <http://uts-server.readthedocs.org/en/latest/>`_
 :Dev:    `Uts-Server source code on GitHub <https://github.com/kakwa/uts-server>`_
 :License: MIT
-:Author:  Pierre-Francois Carpentier - copyright © 2016
+:Author:  Pierre-Francois Carpentier - copyright © 2019
 
 ----
 
+Demo
+----
+
+A demo is accessible here: https://uts-server.kakwalab.ovh/
+
 License
 -------
 
@@ -41,19 +50,24 @@ Roughly, it works as follow:
 
 Then a client can verify the piece of data with the time-stamp using the Certificate Authority of the time-stamp key pair (X509 certificates).
 
-It gives a cryptographic proof of a piece of data content, like a file, at a given time.
+It gives a cryptographic proof of a piece of data content, for example a file, at a given time.
 
 Some use cases:
 
 * time-stamp log files at rotation time.
 * time-stamp file at upload to prove it was delivered in due time or not.
 
-Quick Start
+Quick (and dirty) Testing
------------
+-------------------------
+
+Here a few steps to quickly try out uts-server, for production setup, please compile civetweb externally and create proper CA and certificates:
 
 .. sourcecode:: bash
 
     # Building with civetweb embedded (will recover civetweb from github).
+    # Note: the BUNDLE_CIVETWEB option is only here for fast testing purpose
+    # The recommended way to deploy uts-server in production is to build civetweb
+    # separatly and to link against it.
     $ cmake . -DBUNDLE_CIVETWEB=ON
     $ make
     

_config.yml

@@ -0,0 +1 @@
+theme: jekyll-theme-hacker

cmake/FindLibreSSL.cmake

@@ -0,0 +1,57 @@
+#.rst
+# FindLibreSSL
+# ------------
+#
+# Detect if OpenSSL is in fact LibreSSL, and recovers LibreSSL version.
+# 
+# Requires running FindOpenSSL previously
+#
+# Result Variables
+# ^^^^^^^^^^^^^^^^
+#
+# ``LIBRESSL_VERSION``
+# This is set to ``$major.$minor.$revision$patch`` (e.g. ``2.3.1f``).
+#
+# ``IS_LIBRESSL``
+# Boolean, set to TRUE if LibreSSL, FALSE otherwise
+#
+
+# just copy/pasted from OpenSSL module with a few substitutions
+if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h")
+  file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" libressl_version_str
+       REGEX "^#[\t ]*define[\t ]+LIBRESSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*")
+
+  if(libressl_version_str)
+    # The version number is encoded as 0xMNNFFPPS: major minor fix patch status
+    # The status gives if this is a developer or prerelease and is ignored here.
+    # Major, minor, and fix directly translate into the version numbers shown in
+    # the string. The patch field translates to the single character suffix that
+    # indicates the bug fix state, which 00 -> nothing, 01 -> a, 02 -> b and so
+    # on.
+
+    string(REGEX REPLACE "^.*LIBRESSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])([0-9a-fA-F][0-9a-fA-F])([0-9a-fA-F][0-9a-fA-F])([0-9a-fA-F][0-9a-fA-F])([0-9a-fA-F]).*$"
+           "\\1;\\2;\\3;\\4;\\5" LIBRESSL_VERSION_LIST "${libressl_version_str}")
+    list(GET LIBRESSL_VERSION_LIST 0 LIBRESSL_VERSION_MAJOR)
+    list(GET LIBRESSL_VERSION_LIST 1 LIBRESSL_VERSION_MINOR)
+    from_hex("${LIBRESSL_VERSION_MINOR}" LIBRESSL_VERSION_MINOR)
+    list(GET LIBRESSL_VERSION_LIST 2 LIBRESSL_VERSION_FIX)
+    from_hex("${LIBRESSL_VERSION_FIX}" LIBRESSL_VERSION_FIX)
+    list(GET LIBRESSL_VERSION_LIST 3 LIBRESSL_VERSION_PATCH)
+
+    if (NOT LIBRESSL_VERSION_PATCH STREQUAL "00")
+      from_hex("${LIBRESSL_VERSION_PATCH}" _tmp)
+      # 96 is the ASCII code of 'a' minus 1
+      math(EXPR LIBRESSL_VERSION_PATCH_ASCII "${_tmp} + 96")
+      unset(_tmp)
+      # Once anyone knows how OpenSSL would call the patch versions beyond 'z'
+      # this should be updated to handle that, too. This has not happened yet
+      # so it is simply ignored here for now.
+      string(ASCII "${LIBRESSL_VERSION_PATCH_ASCII}" LIBRESSL_VERSION_PATCH_STRING)
+    endif ()
+
+    set(LIBRESSL_VERSION "${LIBRESSL_VERSION_MAJOR}.${LIBRESSL_VERSION_MINOR}.${LIBRESSL_VERSION_FIX}${LIBRESSL_VERSION_PATCH_STRING}")
+    set(IS_LIBRESSL TRUE)
+  else ()
+    set(IS_LIBRESSL FALSE)
+  endif ()
+endif ()

cmake/Findargp.cmake

@@ -34,7 +34,11 @@ if (ARGP_IN_LIBC)
 elseif (NOT ARGP_IN_LIBC)
 	unset(ARGP_IN_LIBC CACHE)
 
-	find_library(ARGP_LIB "argp")
+	if(ARGP_USE_STATIC_LIBS)
+	  find_library(ARGP_LIB "libargp.a")
+	else(ARGP_USE_STATIC_LIBS)
+	  find_library(ARGP_LIB "argp")
+	endif(ARGP_USE_STATIC_LIBS)
 	find_path(ARGP_INCLUDE_DIR argp.h PATH_SUFFIXES include)
 	mark_as_advanced(ARGP_LIB)
 	if (ARGP_LIB)

cmake/Findlibcivetweb.cmake

@@ -2,6 +2,10 @@ if (NOT LIBCIVETWEB_LIBRARIES)
     find_path(LIBCIVETWEB_INCLUDE_DIR civetweb.h ${_LIBCIVETWEB_PATHS} PATH_SUFFIXES include include/civetweb/)
 endif ()
 
-if (NOT LIBCIVETWEB_LIBRARIES)
+if (NOT LIBCIVETWE[DB_LIBRARIES)
-    find_library(LIBCIVETWEB_LIBRARIES NAMES civetweb ${_LIBCIVETWEB_PATHS} PATH_SUFFIXES lib)
+    if(LIBCIVETWEB_USE_STATIC_LIBS)
+        find_library(LIBCIVETWEB_LIBRARIES NAMES libcivetweb.a ${_LIBCIVETWEB_PATHS} PATH_SUFFIXES lib)
+    else(LIBCIVETWEB_USE_STATIC_LIBS)
+        find_library(LIBCIVETWEB_LIBRARIES NAMES civetweb ${_LIBCIVETWEB_PATHS} PATH_SUFFIXES lib)
+    endif(LIBCIVETWEB_USE_STATIC_LIBS)
 endif ()

conf/uts-server.cnf

@@ -103,6 +103,12 @@ tcp_nodelay = 0
 # Loglevel (debug, info, notice, warn, err, emerg, crit)
 log_level = info
 
+# Enable logging to syslog (default: yes)
+log_to_syslog = yes
+
+# Enable logging to stdout (default: no)
+#log_to_stdout = no
+
 # TSA configuration parameters.
 [ tsa ]
 

docs/conf.py

@@ -185,6 +185,31 @@ Configuration Parameters
 """
 
     foot = """
+.. warning::
+
+  The TSA signing certificate must have exactly one extended key usage assigned to it: **timeStamping**.
+
+  The extended key usage must also be **critical**, otherwise the certificate is going to be refused.
+
+  Here is a sample openssl.cfg configuration for creating such certificate:
+
+  .. sourcecode:: ini
+
+    [ tsa_cert ]
+
+    # TSA server cert is not a CA cert, disabling CA role
+    basicConstraints=CA:FALSE
+
+    # The following key usage flags are mandatory for TSA server certificates.
+    # This parameters set the main specificities of a TSA certificate
+    keyUsage = nonRepudiation, digitalSignature
+    extendedKeyUsage = critical,timeStamping
+
+    # PKIX recommendations harmless if included in all certificates.
+    subjectKeyIdentifier=hash
+    authorityKeyIdentifier=keyid,issuer:always
+
+
 Full Configuration File
 =======================
 

docs/install.rst

@@ -8,14 +8,15 @@ List of dependencies uts-server relies on to run:
 
 * `OpenSSL <https://github.com/openssl/openssl>`_.
 * `civetweb <https://github.com/civetweb/civetweb>`_.
+* on none GNU LibC, `argp-standalone <https://www.lysator.liu.se/~nisse/misc/argp-standalone-1.3.tar.gz>`_
 
 Build dependencies
 ------------------
 
-List of dependencies needed to build civetweb:
+List of dependencies needed to build uts-server:
 
-* cmake
+* `CMake <https://cmake.org/>`_
-* either gcc or clang
+* either `gcc <https://gcc.gnu.org/>`_ or `clang <https://clang.llvm.org/>`_
 
 Compilation
 ===========
@@ -28,11 +29,90 @@ uts-server is compiled using cmake:
     $ cmake .
     $ make
 
-    # If civetweb is not present
+    # If civetweb is not present.
-    # this will get the proper tag of civetweb from upstream and compile it
+    # this will get the master branch of civetweb from upstream and compile it.
+    # Only for developpment/testing purposes
     $ cmake . -DBUNDLE_CIVETWEB=ON
     $ make
 
     # Compile with debug flags
+    # Only for developpment/testing purposes
     $ cmake . -DDEBUG=ON
     $ make
+
+    # Compile statically
+    # (in some cases, it might be necessary to still
+    # link some libraries like dl or gcc_s or pthread, if necessary,
+    # add -DLINK_DL=ON and/or -DLINK_GCC_S=ON and/or -DLINK_PTHREAD=ON)
+    $ cmake . -DSTATIC=ON  # -DLINK_DL=ON -DLINK_GCC_S=ON -DLINK_PTHREAD=ON
+    $ make
+
+.. warning::
+
+    The BUNDLE_CIVETWEB exists only for developpment/testing purposes.
+
+    Please compile civetweb externally for building a production binary.
+
+    Using this option outside of developpment/testing is a bad idea for the
+    following reasons:
+
+    * having an external download in a build process is a bad idea
+    * recovering the master branch ensures that the build may break randomly
+    * a build proccess should be reproductible which is not the case with this option
+
+OS specific tips
+================
+
+Debian
+------
+
+The installation requires installing the following packages:
+
+.. sourcecode:: bash
+
+    # build dependencies
+    $ apt-get install libssl-dev cmake clang
+
+CentOS/RHEL
+-----------
+
+The installation requires installing the following packages:
+
+.. sourcecode:: bash
+
+    # build dependencies
+    $ yum insall cmake gcc gcc-c++ openssl-devel
+
+FreeBSD
+-------
+
+The installation requires installing the following packages:
+
+.. sourcecode:: bash
+
+    # build dependencies
+    $ pkg add argp-standalone cmake
+
+OpenBSD
+-------
+
+The installation requires installing the following packages:
+
+.. sourcecode:: bash
+
+    # build dependencies
+    $ pkg_add gcc g++ argp-standalone cmake
+
+    # for the test scripts
+    $ pkg_add python curl
+
+To build you must egcc and eg++ (not the old 4.2 gcc in the base system)
+
+.. sourcecode:: bash
+
+    # set compilers
+    $ export CC=/usr/local/bin/egcc
+    $ export CXX=/usr/local/bin/ec++
+
+    # then build normally
+    $ cmake . -DBUNDLE_CIVETWEB=ON && make

goodies/index.html

@@ -0,0 +1,103 @@
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>uts-server</title>
+  <meta name="author" content="Pierre-Francois Carpentier">
+  <meta name="description" content="uts-server">
+<style>
+.rcorners {
+  border-radius: 10px;
+  border: 2px solid #0080ff;
+  margin: 20px;
+  padding: 10px;
+  box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2), 0 6px 20px 0 rgba(0, 0, 0, 0.19);
+  margin-left: auto;
+  margin-right: auto;
+  width: 40%;
+}
+body {
+  margin: 0px;
+}
+.code {
+  border-radius: 3px;
+  border: 2px solid #000000;
+  margin: 20px;
+  padding: 10px;
+  width: 90%;
+  background: #404040;
+  color: #e6e6e6;
+  margin-left: auto;
+  margin-right: auto;
+}
+.button {
+  background-color: #3366ff;
+  border: none;
+  color: white;
+  text-align: center;
+  text-decoration: none;
+  display: inline-block;
+  font-size: 14px;
+  margin: 4px 2px;
+  cursor: pointer;
+  border-radius: 2px;
+  padding: 10px 24px;
+  margin: 0 auto;
+  display: inline;
+  box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2), 0 6px 20px 0 rgba(0, 0, 0, 0.19);
+  margin: 0 auto;
+}
+.desc {
+  text-decoration: underline;
+  text-align: center;
+  font-size: 20px;
+  margin-top: 20px
+}
+.center {
+  text-align: center;
+}
+.footer {
+  position: fixed;
+  bottom: 0px;
+  padding-top: 5px;
+  border-top: 1px solid gray;
+  width: 100%;
+  background-color: #f5f5f5;
+  font-size: 14px;
+  text-align: center;
+}
+.var {
+  color: #99ccff;
+}
+</style>
+</head>
+<body>
+<div class="desc">
+  uts-server, a simple RFC 3161 timestamp server
+</div>
+<div class="rcorners">
+  For timestamping a file with OpenSSL and curl, run the following commands
+  (setting the $UTS_SERVER_URL, $FILE and $FILE_TIMESTAMP variables):
+  <div class="code">
+   openssl ts -query -data "<span class="var">$FILE</span>" -out "ts_req.ts";<br/>
+   curl "<span class="var">$UTS_SERVER_URL</span>" \<br/>
+   &nbsp;&nbsp;&nbsp;&nbsp; -H "Content-Type: application/timestamp-query" \<br/>
+   &nbsp;&nbsp;&nbsp;&nbsp; -f -g --data-binary "@ts_req.ts" -o "<span class="var">$FILE_TIMESTAMP</span>"
+  </div>
+  For verifying the timestamp with OpenSSL, download the CA and the signer cert, and run the following command:
+  <div class="code">
+    openssl ts -verify -in "<span class="var">$FILE_TIMESTAMP</span>" \<br/>
+    &nbsp;&nbsp;&nbsp;&nbsp; -data "<span class="var">$FILE</span>" -CAfile ca.pem -untrusted tsa_cert.pem
+  </div>
+  <div class="center">
+    <a href="./ca.pem" download><button class="button">Dowload CA file</button></a>
+    <a href="./tsa_cert.pem" download><button class="button">Dowload tsa cert file</button></a>
+  </div>
+</div>
+<div class="footer">
+  <div class="container">
+    <a href="http://uts-server.readthedocs.org" target="_blank">uts-server</a>
+    • © 2019 • Pierre-François Carpentier • Released under the MIT License
+  </div>
+</div>
+</body>
+</html>

goodies/rhel/uts-server.conf

@@ -1 +1 @@
-d /run/ldapcherryd 0755 ldapcherry ldapcherry -
+d /run/uts-server 0755 uts-server uts-server -

inc/context.h

@@ -9,9 +9,14 @@
 
 #define HTTP_OPTIONS 1
 #define LOGLEVEL_OPTIONS 2
-#define TSA_OPTIONS 3
+#define LOGHANDLER_OPTIONS 3
-#define PATH_HTTP_OPTIONS 4
+#define TSA_OPTIONS 4
+#define PATH_HTTP_OPTIONS 5
+
+/* name of the configuration file section */
 #define MAIN_CONF_SECTION "main"
+#define OID_SECTION "oids"
+#define TSA_SECTION "tsa"
 
 #define RFC3161_OPTIONS_LEN                                                    \
     sizeof(rfc3161_options) / sizeof(struct rfc3161_option)
@@ -26,6 +31,10 @@ typedef struct {
     uint64_t query_counter;
     // flag for debugging
     bool stdout_dbg;
+    // flag for logging to stdout
+    bool stdout_logging;
+    // flag for logging to stdout
+    bool syslog_logging;
     // log level
     int loglevel;
     // number of threads
@@ -37,6 +46,8 @@ typedef struct {
     // just to track for freeing later
     CONF *conf;
     char *cust_conf[20];
+    char *ca_file;
+    char *cert_file;
 } rfc3161_context;
 
 // definition of structure to describe
@@ -64,6 +75,8 @@ static struct rfc3161_option rfc3161_options[] = {
     {"access_control_allow_origin", HTTP_OPTIONS, "*"},
     {"tcp_nodelay", HTTP_OPTIONS, "0"},
     {"log_level", LOGLEVEL_OPTIONS, "info"},
+    {"log_to_syslog", LOGHANDLER_OPTIONS, "yes"},
+    {"log_to_stdout", LOGHANDLER_OPTIONS, "no"},
     {"ssl_certificate", PATH_HTTP_OPTIONS, NULL},
     {"ssl_ca_path", PATH_HTTP_OPTIONS, NULL},
     {"ssl_ca_file", PATH_HTTP_OPTIONS, NULL},

inc/http.h

@@ -6,3 +6,125 @@ struct tuser_data {
 };
 
 int http_server_start(char *conffile, char *conf_wd, bool stdout_dbg);
+
+#define STATIC_PAGE                                                               \
+    "HTTP/1.1 200 OK\r\n"                                                         \
+    "Content-Type: text/html\r\n"                                                 \
+    "Content-Length: 2774\r\n"                                                    \
+    "\r\n"                                                                        \
+    "<html>"                                                                      \
+    "<head>"                                                                      \
+    "  <meta charset=\"utf-8\">"                                                  \
+    "  <title>uts-server</title>"                                                 \
+    "  <meta name=\"author\" content=\"Pierre-Francois Carpentier\">"             \
+    "  <meta name=\"description\" content=\"uts-server\">"                        \
+    "<style>"                                                                     \
+    ".rcorners {"                                                                 \
+    "  border-radius: 10px;"                                                      \
+    "  border: 2px solid #0080ff;"                                                \
+    "  margin: 20px;"                                                             \
+    "  padding: 10px;"                                                            \
+    "  box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2), 0 6px 20px 0 rgba(0, 0, "      \
+    "0, 0.19);"                                                                   \
+    "  margin-left: auto;"                                                        \
+    "  margin-right: auto;"                                                       \
+    "  width: 40%;"                                                               \
+    "}"                                                                           \
+    "body {"                                                                      \
+    "  margin: 0px;"                                                              \
+    "}"                                                                           \
+    ".code {"                                                                     \
+    "  border-radius: 3px;"                                                       \
+    "  border: 2px solid #000000;"                                                \
+    "  margin: 20px;"                                                             \
+    "  padding: 10px;"                                                            \
+    "  width: 90%;"                                                               \
+    "  background: #404040;"                                                      \
+    "  color: #e6e6e6;"                                                           \
+    "  margin-left: auto;"                                                        \
+    "  margin-right: auto;"                                                       \
+    "}"                                                                           \
+    ".button {"                                                                   \
+    "  background-color: #3366ff;"                                                \
+    "  border: none;"                                                             \
+    "  color: white;"                                                             \
+    "  text-align: center;"                                                       \
+    "  text-decoration: none;"                                                    \
+    "  display: inline-block;"                                                    \
+    "  font-size: 14px;"                                                          \
+    "  margin: 4px 2px;"                                                          \
+    "  cursor: pointer;"                                                          \
+    "  border-radius: 2px;"                                                       \
+    "  padding: 10px 24px;"                                                       \
+    "  margin: 0 auto;"                                                           \
+    "  display: inline;"                                                          \
+    "  box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2), 0 6px 20px 0 rgba(0, 0, "      \
+    "0, 0.19);"                                                                   \
+    "  margin: 0 auto;"                                                           \
+    "}"                                                                           \
+    ".desc {"                                                                     \
+    "  text-decoration: underline;"                                               \
+    "  text-align: center;"                                                       \
+    "  font-size: 20px;"                                                          \
+    "  margin-top: 20px"                                                          \
+    "}"                                                                           \
+    ".center {"                                                                   \
+    "  text-align: center;"                                                       \
+    "}"                                                                           \
+    ".footer {"                                                                   \
+    "  position: fixed;"                                                          \
+    "  bottom: 0px;"                                                              \
+    "  padding-top: 5px;"                                                         \
+    "  border-top: 1px solid gray;"                                               \
+    "  width: 100%;"                                                              \
+    "  background-color: #f5f5f5;"                                                \
+    "  font-size: 14px;"                                                          \
+    "  text-align: center;"                                                       \
+    "}"                                                                           \
+    ".var {"                                                                      \
+    "  color: #99ccff;"                                                           \
+    "}"                                                                           \
+    "</style>"                                                                    \
+    "</head>"                                                                     \
+    "<body>"                                                                      \
+    "<div class=\"desc\">"                                                        \
+    "  uts-server, a simple RFC 3161 timestamp server"                            \
+    "</div>"                                                                      \
+    "<div class=\"rcorners\">"                                                    \
+    "  For timestamping a file with OpenSSL and curl, run the following "         \
+    "commands"                                                                    \
+    "  (setting the $UTS_SERVER_URL, $FILE and $FILE_TIMESTAMP variables):"       \
+    "  <div class=\"code\">"                                                      \
+    "   openssl ts -query -data \"<span class=\"var\">$FILE</span>\" -out "       \
+    "\"ts_req.ts\";<br/>"                                                         \
+    "   curl \"<span class=\"var\">$UTS_SERVER_URL</span>\" \\<br/>"              \
+    "   &nbsp;&nbsp;&nbsp;&nbsp; -H \"Content-Type: "                             \
+    "application/timestamp-query\" \\<br/>"                                       \
+    "   &nbsp;&nbsp;&nbsp;&nbsp; -f -g --data-binary \"@ts_req.ts\" -o "          \
+    "\"<span class=\"var\">$FILE_TIMESTAMP</span>\""                              \
+    "  </div>"                                                                    \
+    "  For verifying the timestamp with OpenSSL, download the CA and the "        \
+    "signer cert, and run the following command:"                                 \
+    "  <div class=\"code\">"                                                      \
+    "    openssl ts -verify -in \"<span "                                         \
+    "class=\"var\">$FILE_TIMESTAMP</span>\" \\<br/>"                              \
+    "    &nbsp;&nbsp;&nbsp;&nbsp; -data \"<span class=\"var\">$FILE</span>\" "    \
+    "-CAfile ca.pem -untrusted tsa_cert.pem"                                      \
+    "  </div>"                                                                    \
+    "  <div class=\"center\">"                                                    \
+    "    <a href=\"./ca.pem\" download><button class=\"button\">Dowload CA "      \
+    "file</button></a>"                                                           \
+    "    <a href=\"./tsa_cert.pem\" download><button "                            \
+    "class=\"button\">Dowload tsa cert file</button></a>"                         \
+    "  </div>"                                                                    \
+    "</div>"                                                                      \
+    "<div class=\"footer\">"                                                      \
+    "  <div class=\"container\">"                                                 \
+    "    <a href=\"http://uts-server.readthedocs.org\" "                          \
+    "target=\"_blank\">uts-server</a>"                                            \
+    "    • © 2019 • Pierre-François Carpentier • Released under the MIT " \
+    "License"                                                                     \
+    "  </div>"                                                                    \
+    "</div>"                                                                      \
+    "</body>"                                                                     \
+    "</html>"

inc/rfc3161.h

@@ -16,6 +16,20 @@
 #if OPENSSL_VERSION_NUMBER < 0x10000000L
 #error OpenSSL version too old
 #endif
+
+/* LibreSSL is really annoying
+ * the OPENSSL_VERSION_NUMBER #define in opensslv.h
+ * is 0x20000000L but the API is that of openssl 1.0.
+ * That breaks version matching to determine which API
+ * to use.
+ * So, special case here for LibreSSL...
+ * (why didn't you just keep 0x100000L LibreSSL?)
+ */
+#ifdef LIBRESSL_VERSION_NUMBER
+// for now, LibreSSL is 1.0 API only
+#define OPENSSL_API_1_0
+#else
+// for OpenSSL, we must differenciate between 1.0 and 1.1
 #if OPENSSL_VERSION_NUMBER < 0x10100000L &&                                    \
     OPENSSL_VERSION_NUMBER >= 0x10000000L
 #define OPENSSL_API_1_0
@@ -23,10 +37,7 @@
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 #define OPENSSL_API_1_1
 #endif
-
+#endif
-/* Name of config entry that defines the OID file. */
-#define OID_SECTION "oids"
-#define TSA_SECTION "tsa"
 
 // number of char we get to log for the serial
 #define SERIAL_ID_SIZE 8

inc/utils.h

@@ -7,6 +7,7 @@ typedef struct _code {
 
 static void signal_handler_general(int sig_num);
 static void signal_handler_up(int sig_num);
+void set_sig_handler();
 void skeleton_daemon();
 int init_pid(char *pidfile_path);
 int write_pid(char *pidfile_path);
@@ -16,7 +17,4 @@ void log_hex(rfc3161_context *ct, int priority, char *id,
 int set_params(rfc3161_context *ct, char *conf_file, char *conf_wd);
 static char *rand_string(char *str, size_t size);
 void free_uts_context(rfc3161_context *ct);
-
+const char *null_undef(const char *in);
-// some global variable to handle signals
-int g_uts_sig_up;
-int g_uts_sig;

src/cmd/uts-server.c

@@ -101,6 +101,8 @@ int main(int argc, char **argv) {
 
     if (args.daemonize)
         skeleton_daemon();
+    else
+        set_sig_handler();
 
     syslog(LOG_NOTICE,
            "uts-server daemon starting with conf '%s' from working dir '%s'",
@@ -119,7 +121,6 @@ int main(int argc, char **argv) {
     }
 
     syslog(LOG_NOTICE, "uts-server daemon terminated.");
-    free(conf_wd);
     free(tmp_wd);
     closelog();
 

src/lib/http.c

@@ -2,15 +2,16 @@
 #include <civetweb.h>
 #include <stdbool.h>
 #include <stdio.h>
-#include <stdio.h>
-#include <stdlib.h>
 #include <stdlib.h>
 #include <string.h>
-#include <string.h>
+#include <strings.h>
 #include <sys/syslog.h>
 #include <time.h>
 #include <unistd.h>
 
+extern int g_uts_sig_up;
+extern int g_uts_sig;
+
 static char *rand_string(char *str, size_t size) {
     const char charset[] = "1234567890ABCDEF";
     if (size) {
@@ -54,20 +55,20 @@ void log_request_debug(const struct mg_request_info *request_info,
     for (int i = 0; i < request_info->num_headers; i++) {
         uts_logger(context, LOG_DEBUG, "Request[%s], Header[%s]: %s",
                    request_id, request_info->http_headers[i].name,
-                   request_info->http_headers[i].value);
+                   null_undef(request_info->http_headers[i].value));
     }
     uts_logger(context, LOG_DEBUG, "Request[%s], request_method: %s",
-               request_id, request_info->request_method);
+               request_id, null_undef(request_info->request_method));
     uts_logger(context, LOG_DEBUG, "Request[%s], request_uri: %s", request_id,
-               request_info->request_uri);
+               null_undef(request_info->request_uri));
     uts_logger(context, LOG_DEBUG, "Request[%s], local_uri: %s", request_id,
-               request_info->local_uri);
+               null_undef(request_info->local_uri));
     uts_logger(context, LOG_DEBUG, "Request[%s], http_version: %s", request_id,
-               request_info->http_version);
+               null_undef(request_info->http_version));
     uts_logger(context, LOG_DEBUG, "Request[%s], query_string: %s", request_id,
-               request_info->query_string);
+               null_undef(request_info->query_string));
     uts_logger(context, LOG_DEBUG, "Request[%s], remote_addr: %s", request_id,
-               request_info->remote_addr);
+               null_undef(request_info->remote_addr));
     uts_logger(context, LOG_DEBUG, "Request[%s], is_ssl: %d", request_id,
                request_info->is_ssl);
     uts_logger(context, LOG_DEBUG, "Request[%s], content_length: %d",
@@ -94,28 +95,14 @@ void log_request(const struct mg_request_info *request_info, char *request_id,
         }
     }
 
-    uts_logger(context, LOG_INFO, "Request[%s], remote_addr[%s] ssl[%d] "
+    uts_logger(context, LOG_INFO,
-                                  "uri[%s] http_resp_code[%d] duration[%d us] "
+               "Request[%s], remote_addr[%s] ssl[%d] "
-                                  "user-agent[%s] content-type[%s]",
+               "uri[%s] http_resp_code[%d] duration[%d us] "
-               request_id, request_info->remote_addr, request_info->is_ssl,
+               "user-agent[%s] content-type[%s]",
-               request_info->local_uri, response_code, timer, user_agent,
+               request_id, null_undef(request_info->remote_addr),
-               content_type);
+               request_info->is_ssl, null_undef(request_info->local_uri),
-}
+               response_code, timer, null_undef(user_agent),
-
+               null_undef(content_type));
-// This function will be called by civetweb on every new request.
-static int begin_request_handler(struct mg_connection *conn) {
-    const struct mg_request_info *request_info = mg_get_request_info(conn);
-
-    mg_printf(conn,
-              "HTTP/1.1 200 OK\r\n"
-              "Content-Type: text/plain\r\n"
-              "Content-Length: 46\r\n" // Always set Content-Length
-              "\r\n"
-              "uts-server, a simple RFC 3161 timestamp server");
-
-    // Returning non-zero tells civetweb that our function has replied to
-    // the client, and civetweb should not send client any more data.
-    return 1;
 }
 
 int rfc3161_handler(struct mg_connection *conn, void *context) {
@@ -179,10 +166,11 @@ int rfc3161_handler(struct mg_connection *conn, void *context) {
         // respond according to create_response return code
         switch (resp_code) {
         case 200:
-            mg_printf(conn, "HTTP/1.1 200 OK\r\n"
+            mg_printf(conn,
-                            "Content-Type: application/timestamp-reply\r\n"
+                      "HTTP/1.1 200 OK\r\n"
-                            "Content-Length: %d\r\n"
+                      "Content-Type: application/timestamp-reply\r\n"
-                            "\r\n",
+                      "Content-Length: %d\r\n"
+                      "\r\n",
                       (int)content_length);
             mg_write(conn, content, content_length);
             log_hex(ct, LOG_DEBUG, "response hexdump content", content,
@@ -207,11 +195,7 @@ int rfc3161_handler(struct mg_connection *conn, void *context) {
     } else {
         // default reply if we don't have a time-stamp request
         resp_code = 200;
-        mg_printf(conn, "HTTP/1.1 200 OK\r\n"
+        mg_printf(conn, STATIC_PAGE);
-                        "Content-Type: text/plain\r\n"
-                        "Content-Length: 46\r\n"
-                        "\r\n"
-                        "uts-server, a simple RFC 3161 timestamp server");
     }
     // initialize a serial_id if not created by create_response
     if (serial_id == NULL) {
@@ -230,6 +214,71 @@ int rfc3161_handler(struct mg_connection *conn, void *context) {
     return 1;
 }
 
+int ca_serve_handler(struct mg_connection *conn, void *context) {
+    /* In this handler, we ignore the req_info and send the file "filename". */
+    const struct mg_request_info *request_info = mg_get_request_info(conn);
+    clock_t start = clock(), diff;
+    rfc3161_context *ct = (rfc3161_context *)context;
+    const char *filename = ct->ca_file;
+    if (strlen(filename) == 0) {
+        uts_logger(context, LOG_NOTICE,
+                   "'certs' param in '[ tsa ]' section not filed");
+        mg_send_http_error(conn, 404, "CA file not available");
+        diff = clock() - start;
+        log_request(request_info, "CA_DL  ", ct, 404,
+                    (diff * 1000000 / CLOCKS_PER_SEC));
+        return 1;
+    }
+    if (access(filename, F_OK) != -1) {
+        mg_send_file(conn, filename);
+        const struct mg_response_info *ri = mg_get_response_info(conn);
+        diff = clock() - start;
+        log_request(request_info, "CA_DL  ", ct, 200,
+                    (diff * 1000000 / CLOCKS_PER_SEC));
+
+    } else {
+        uts_logger(context, LOG_NOTICE, "CA file '%s' not available", filename);
+        mg_send_http_error(conn, 404, "CA file not available");
+        diff = clock() - start;
+        log_request(request_info, "CA_DL  ", ct, 404,
+                    (diff * 1000000 / CLOCKS_PER_SEC));
+    }
+    return 1;
+}
+
+int cert_serve_handler(struct mg_connection *conn, void *context) {
+    /* In this handler, we ignore the req_info and send the file "filename". */
+    const struct mg_request_info *request_info = mg_get_request_info(conn);
+    clock_t start = clock(), diff;
+    rfc3161_context *ct = (rfc3161_context *)context;
+    const char *filename = ct->cert_file;
+    if (strlen(filename) == 0) {
+        uts_logger(context, LOG_NOTICE,
+                   "'signer_cert' param in '[ tsa ]' section not filed");
+        mg_send_http_error(conn, 404, "CA file not available");
+        diff = clock() - start;
+        log_request(request_info, "CERT_DL", ct, 404,
+                    (diff * 1000000 / CLOCKS_PER_SEC));
+        return 1;
+    }
+    if (access(filename, F_OK) != -1) {
+        mg_send_file(conn, filename);
+        const struct mg_response_info *ri = mg_get_response_info(conn);
+        diff = clock() - start;
+        log_request(request_info, "CERT_DL", ct, 200,
+                    (diff * 1000000 / CLOCKS_PER_SEC));
+
+    } else {
+        uts_logger(context, LOG_NOTICE,
+                   "signer certificate file '%s' not available", filename);
+        mg_send_http_error(conn, 404, "CA file not available");
+        diff = clock() - start;
+        log_request(request_info, "CERT_DL", ct, 404,
+                    (diff * 1000000 / CLOCKS_PER_SEC));
+    }
+    return 1;
+}
+
 int http_server_start(char *conffile, char *conf_wd, bool stdout_dbg) {
     struct mg_context *ctx;
     struct mg_callbacks callbacks;
@@ -242,10 +291,13 @@ int http_server_start(char *conffile, char *conf_wd, bool stdout_dbg) {
     if (!set_params(ct, conffile, conf_wd))
         return EXIT_FAILURE;
 
+    // Disable stdout buffering if logging to stdout
+    if (ct->stdout_logging || ct->stdout_dbg)
+        setbuf(stdout, NULL);
+
     // Prepare callbacks structure. We have only one callback, the rest are
     // NULL.
     memset(&callbacks, 0, sizeof(callbacks));
-
     memset(&user_data, 0, sizeof(user_data));
     callbacks.log_message = &log_civetweb;
 
@@ -253,12 +305,14 @@ int http_server_start(char *conffile, char *conf_wd, bool stdout_dbg) {
     ctx = mg_start(&callbacks, &user_data, ct->http_options);
     if (ctx != NULL) {
         mg_set_request_handler(ctx, "/", rfc3161_handler, (void *)ct);
+        mg_set_request_handler(ctx, "/ca.pem", ca_serve_handler, (void *)ct);
+        mg_set_request_handler(ctx, "/tsa_cert.pem", cert_serve_handler,
+                               (void *)ct);
 
         // Wait until some signals are received
         while (g_uts_sig == 0) {
             sleep(1);
         }
-        // getchar();
     } else {
         uts_logger(ct, LOG_ERR, "Failed to start uts-server: %s",
                    ((user_data.first_message == NULL)

src/lib/rfc3161.c

@@ -15,10 +15,7 @@
 #include <openssl/ts.h>
 #include <stdbool.h>
 #include <stdio.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <stdlib.h>
-#include <string.h>
 #include <string.h>
 #include <sys/syslog.h>
 #include <syslog.h>
@@ -272,7 +269,7 @@ end:
         BN_free(serial_bn);
     } else {
         serial_hex = calloc(SERIAL_ID_SIZE, sizeof(char));
-        strncpy(serial_hex, " NO ID   ", SERIAL_ID_SIZE + 2);
+        strncpy(serial_hex, " NO ID   ", SERIAL_ID_SIZE + 4);
     }
 #endif
 #ifdef OPENSSL_API_1_0
@@ -322,8 +319,9 @@ end:
         ret = 200;
         break;
     case TS_STATUS_GRANTED_WITH_MODS:
-        uts_logger(ct, LOG_NOTICE, "timestamp request granted with "
+        uts_logger(ct, LOG_NOTICE,
-                                   "modification",
+                   "timestamp request granted with "
+                   "modification",
                    *serial_id);
         ret = 200;
         break;

src/lib/utils.c

@@ -8,12 +8,14 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
-#include <sys/stat.h>
 #include <sys/types.h>
 #include <syslog.h>
-#include <syslog.h>
 #include <unistd.h>
 
+// some global variable to handle signals
+int g_uts_sig_up;
+int g_uts_sig;
+
 static void signal_handler_general(int sig_num) {
     g_uts_sig = sig_num;
 }
@@ -69,6 +71,17 @@ int write_pid(char *pidfile_path) {
     return 1;
 }
 
+void set_sig_handler() {
+    g_uts_sig_up = 0;
+    g_uts_sig = 0;
+    /* Catch, ignore and handle signals */
+    // TODO: Implement a working signal handler */
+    signal(SIGTERM, signal_handler_general);
+    signal(SIGINT, signal_handler_general);
+    signal(SIGHUP, signal_handler_up);
+    signal(SIGCHLD, SIG_IGN);
+}
+
 void skeleton_daemon() {
     pid_t pid;
 
@@ -87,14 +100,7 @@ void skeleton_daemon() {
     if (setsid() < 0)
         exit(EXIT_FAILURE);
 
-    g_uts_sig_up = 0;
+    set_sig_handler();
-    g_uts_sig = 0;
-    /* Catch, ignore and handle signals */
-    // TODO: Implement a working signal handler */
-    signal(SIGTERM, signal_handler_general);
-    signal(SIGINT, signal_handler_general);
-    signal(SIGHUP, signal_handler_up);
-    signal(SIGCHLD, SIG_IGN);
 
     /* Fork off for the second time*/
     pid = fork();
@@ -163,7 +169,7 @@ void uts_logger(rfc3161_context *ct, int priority, char *fmt, ...) {
     fclose(stream);
 
     // if in debugging mode, also log to stdout
-    if (ct->stdout_dbg) {
+    if (ct->stdout_logging || ct->stdout_dbg) {
         switch (priority) {
         case LOG_EMERG:
             printf("LOG_EMER   : %s\n", out);
@@ -198,10 +204,17 @@ void uts_logger(rfc3161_context *ct, int priority, char *fmt, ...) {
             ;
         }
     }
-    syslog(priority, "%s", out);
+    if (ct->syslog_logging)
+        syslog(priority, "%s", out);
     free(out);
 }
 
+const char *null_undef(const char *in) {
+    if (in == NULL)
+        return "<undef>";
+    return in;
+}
+
 // OpenSSL file openner (use for opening the configuration file
 static BIO *bio_open_default(rfc3161_context *ct, const char *filename,
                              int format) {
@@ -281,7 +294,7 @@ int set_params(rfc3161_context *ct, char *conf_file, char *conf_wd) {
         if (value == NULL) {
             uts_logger(ct, LOG_NOTICE,
                        "configuration param['%s'] not set, using default: '%s'",
-                       name, default_value);
+                       name, null_undef(default_value));
             value = default_value;
         }
         switch (type) {
@@ -296,6 +309,21 @@ int set_params(rfc3161_context *ct, char *conf_file, char *conf_wd) {
             }
             break;
             ;
+        case LOGHANDLER_OPTIONS:
+            if (strcmp(name, "log_to_syslog") == 0) {
+                if (strcmp(value, "yes"))
+                    ct->syslog_logging = 0;
+                else
+                    ct->syslog_logging = 1;
+            }
+            if (strcmp(name, "log_to_stdout") == 0) {
+                if (strcmp(value, "yes"))
+                    ct->stdout_logging = 0;
+                else
+                    ct->stdout_logging = 1;
+            }
+            break;
+            ;
         }
     }
     // parse the options to get the civetweb options and a few other things
@@ -307,14 +335,14 @@ int set_params(rfc3161_context *ct, char *conf_file, char *conf_wd) {
         if (value == NULL) {
             uts_logger(ct, LOG_NOTICE,
                        "configuration param['%s'] not set, using default: '%s'",
-                       name, default_value);
+                       name, null_undef(default_value));
             value = default_value;
         }
         uts_logger(ct, LOG_DEBUG, "configuration param['%s'] = '%s'", name,
-                   value);
+                   null_undef(value));
         switch (type) {
-        // if it's an http (civetweb) option, put it in the http_options buffer
+        // if it's an http (civetweb) option, put it in the http_options
-        // like civetweb is expected it.
+        // buffer like civetweb is expected it.
         case HTTP_OPTIONS:
             if (value != NULL) {
                 ct->http_options[http_counter] = name;
@@ -363,6 +391,13 @@ int set_params(rfc3161_context *ct, char *conf_file, char *conf_wd) {
             break;
         }
     }
+
+    ct->ca_file = calloc(PATH_MAX, sizeof(char));
+    realpath(NCONF_get_string(ct->conf, TSA_SECTION, "certs"), ct->ca_file);
+    ct->cert_file = calloc(PATH_MAX, sizeof(char));
+    realpath(NCONF_get_string(ct->conf, TSA_SECTION, "signer_cert"),
+             ct->cert_file);
+
     // like any good daemon, return to '/' once the configuration is loaded
     chdir("/");
     return ret;
@@ -381,6 +416,8 @@ void free_uts_context(rfc3161_context *ct) {
         free(ct->cust_conf[i]);
     }
     free(ct->ts_ctx_pool);
+    free(ct->ca_file);
+    free(ct->cert_file);
     NCONF_free(ct->conf);
     free(ct);
 }

tests/cfg/pki/CAtsa.cnf

@@ -1,86 +1,20 @@
-
-#
-# This config is used by the Time Stamp Authority tests.
-#
-
-RANDFILE		= ./.rnd
-
-# Extra OBJECT IDENTIFIER info:
-oid_section		= new_oids
-
-TSDNSECT		= ts_cert_dn
-INDEX			= 1
-
-[ new_oids ]
-
-# Policies used by the TSA tests.
-tsa_policy1 = 1.2.3.4.1
-tsa_policy2 = 1.2.3.4.5.6
-tsa_policy3 = 1.2.3.4.5.7
-
 #----------------------------------------------------------------------
-[ ca ]
+#
-default_ca	= CA_default		# The default ca section
+# Properties needed for a Time-Stamp Authority (TSA) certificates
-
+#
-[ CA_default ]
-
-dir		= ./demoCA
-certs		= $dir/certs		# Where the issued certs are kept
-database	= $dir/index.txt	# database index file.
-new_certs_dir	= $dir/newcerts		# default place for new certs.
-
-certificate	= $dir/cacert.pem 	# The CA certificate
-serial		= $dir/serial 		# The current serial number
-private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
-
-default_days	= 365			# how long to certify for
-default_md	= sha1			# which md to use.
-preserve	= no			# keep passed DN ordering
-
-policy		= policy_match
-
-# For the CA policy
-[ policy_match ]
-countryName		= supplied
-stateOrProvinceName	= supplied
-organizationName	= supplied
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-
 #----------------------------------------------------------------------
-[ req ]
-default_bits		= 4096
-default_md		= sha1
-distinguished_name	= $ENV::TSDNSECT
-encrypt_rsa_key		= no
-prompt 			= no
-# attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
-string_mask = nombstr
+DN_SECTION=dn_ca
-
+CN=DEFAULT
-[ ts_ca_dn ]
-countryName			= FR
-stateOrProvinceName		= Paris
-localityName			= Paris
-organizationName		= UTS-SERVER test
-commonName			= ca1
-
-[ ts_cert_dn ]
-countryName			= FR
-stateOrProvinceName		= Paris
-localityName			= Paris
-organizationName		= UTS-SERVER test
-commonName			= tsa$ENV::INDEX
 
+# Extensions required to a TSA certificate
 [ tsa_cert ]
 
-# TSA server cert is not a CA cert.
+# TSA server cert is not a CA cert, disabling CA role
 basicConstraints=CA:FALSE
 
-# The following key usage flags are needed for TSA server certificates.
+# The following key usage flags are mandatory for TSA server certificates.
+# This parameters set the main specificities of a TSA certificate
 keyUsage = nonRepudiation, digitalSignature
 extendedKeyUsage = critical,timeStamping
 
@@ -88,76 +22,43 @@ extendedKeyUsage = critical,timeStamping
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
 
-[ non_tsa_cert ]
 
-# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
+#----------------------------------------------------------------------
-basicConstraints=CA:FALSE
+#
+# Other Properties for the CA and non-tsa certificates
+#
+#----------------------------------------------------------------------
 
-# The following key usage flags are needed for TSA server certificates.
+# OpenSSL parameters for certificate requests generation
-keyUsage = nonRepudiation, digitalSignature
+[ req ]
-# timeStamping is not supported by this certificate
+default_bits		= 4096
-# extendedKeyUsage = critical,timeStamping
+default_md		= sha512
+distinguished_name	= $ENV::DN_SECTION
+encrypt_rsa_key		= no
+prompt 			= no
+# The extentions to add to the self signed cert
+x509_extensions	= v3_ca
 
-# PKIX recommendations harmless if included in all certificates.
+# Common properties of the CA
-subjectKeyIdentifier=hash
+[ dn_ca ]
-authorityKeyIdentifier=keyid,issuer:always
+countryName			= FR
-
+stateOrProvinceName		= Paris
-[ v3_req ]
+localityName			= Paris
-
+organizationName		= UTS-SERVER CA
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature
-
-[ v3_ca ]
 
 # Extensions for a typical CA
+[ v3_ca ]
 
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = critical,CA:true
 keyUsage = cRLSign, keyCertSign
 
-#----------------------------------------------------------------------
+# Common properties of all the certificates (CN, OU, etc...)
-[ tsa ]
+[ dn_cert ]
-
+countryName			= FR
-default_tsa = tsa_config1	# the default TSA section
+stateOrProvinceName		= Paris
-
+localityName			= Paris
-[ tsa_config1 ]
+organizationName		= UTS-SERVER test
-
+# CN is passed through environment variable "CN"
-# These are used by the TSA reply generation only.
+commonName			= $ENV::CN
-dir		= .			# TSA root directory
-serial		= $dir/tsa_serial	# The current serial number (mandatory)
-signer_cert	= $dir/tsa_cert1.pem 	# The TSA signing certificate
-					# (optional)
-certs		= $dir/tsaca.pem	# Certificate chain to include in reply
-					# (optional)
-signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)
-
-default_policy	= tsa_policy1		# Policy if request did not specify it
-					# (optional)
-other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
-accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
-ordering		= yes	# Is ordering defined for timestamps?
-				# (optional, default: no)
-tsa_name		= yes	# Must the TSA name be included in the reply?
-				# (optional, default: no)
-ess_cert_id_chain	= yes	# Must the ESS cert id chain be included?
-				# (optional, default: no)
-
-[ tsa_config2 ]
-
-# This configuration uses a certificate which doesn't have timeStamping usage.
-# These are used by the TSA reply generation only.
-dir		= .			# TSA root directory
-serial		= $dir/tsa_serial	# The current serial number (mandatory)
-signer_cert	= $dir/tsa_cert2.pem 	# The TSA signing certificate
-					# (optional)
-certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
-					# (optional)
-signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)
-
-default_policy	= tsa_policy1		# Policy if request did not specify it
-					# (optional)
-other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)

tests/cfg/pki/create_tsa_certs

@@ -6,34 +6,33 @@ export OPENSSL_CONF="./CAtsa.cnf"
 cd `dirname $0`
 
 error () {
-
     echo "TSA test failed!" >&2
     exit 1
 }
 
 
 create_ca () {
-
     echo "Creating a new CA for the TSA tests..."
-    TSDNSECT=ts_ca_dn
+    CN="UTS-SERVER CA"
-    export TSDNSECT   
+    DN_SECTION="dn_ca"
+    export CN
+    export DN_SECTION
     openssl req -new -x509 -nodes \
         -out tsaca.pem -keyout tsacakey.pem
     test $? != 0 && error
 }
 
 create_tsa_cert () {
-
+    EXT=$3
-    INDEX=$1
+    INDEX=$2
-    export INDEX
+    CN=$1; export CN
-    EXT=$2
+    DN_SECTION="dn_cert";export DN_SECTION
-    TSDNSECT=ts_cert_dn
-    export TSDNSECT
 
     openssl req -new \
         -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
     test $? != 0 && error
-echo Using extension $EXT
+
+    echo Using extension $EXT
     openssl x509 -req \
         -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
         -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
@@ -43,10 +42,9 @@ echo Using extension $EXT
 
 create_cert () {
 
-    INDEX=$1
+    INDEX=$2
     export INDEX
-    TSDNSECT=ts_cert_dn
+    DN_SECTION="dn_cert";export DN_SECTION
-    export TSDNSECT
 
     openssl req -new \
         -out tsa_req${INDEX}.pem -keyout ssl_key${INDEX}.pem
@@ -63,12 +61,12 @@ echo "Creating CA for TSA tests..."
 create_ca
 
 echo "Creating tsa_cert1.pem TSA server cert..."
-create_tsa_cert 1 tsa_cert
+create_tsa_cert "TSA CERT 1" 1 tsa_cert
 
 echo "Creating tsa_cert2.pem TSA server cert..."
-create_tsa_cert 2 tsa_cert
+create_tsa_cert "TSA CERT 2" 2 tsa_cert
 
 echo "Creating ssl_keycerts1.pem for ssl"
-create_cert 1
+create_cert "uts-server.example.org" 1
 
 exit 0

tests/cfg/uts-server-ssl.cnf

@@ -78,6 +78,12 @@ tcp_nodelay = 0
 # debug, info, notice, warn, err, emerg, crit
 log_level = info
 
+# Enable logging to syslog (default: yes)
+log_to_syslog = no
+
+# Enable logging to stdout (default: no)
+#log_to_stdout = yes
+
 ####################################################################
 [ tsa ]
 

tests/cfg/uts-server.cnf

@@ -78,6 +78,12 @@ tcp_nodelay = 0
 # debug, info, notice, warn, err, emerg, crit
 log_level = info
 
+# Enable logging to syslog (default: yes)
+log_to_syslog = no
+
+# Enable logging to stdout (default: no)
+#log_to_stdout = yes
+
 ####################################################################
 [ tsa ]
 

tests/external_test.sh

@@ -1,21 +1,46 @@
 #!/bin/sh
 
-timeout 120 ./uts-server -c tests/cfg/uts-server.cnf -D -p ./uts-server.pid &
+PORT=`awk -v min=10000 -v max=20000 'BEGIN{srand(); print int(min+rand()*(max-min+1))}'`
+
+if which timeout >/dev/null 2>&1
+then
+    TO="timeout 120"
+else
+    TO=""
+fi
+
+export TMPDIR='./tests/cfg/'
+CFG=`mktemp`
+
+clean_exit(){
+    rm -- "$CFG"
+    kill `cat ./uts-server.pid` >/dev/null 2>&1
+    rm -- "./uts-server.pid"
+    exit $1
+}
+
+sed "s/2020/$PORT/" tests/cfg/uts-server.cnf >$CFG
+
+$TO ./uts-server -c $CFG -D -p ./uts-server.pid &
 
 sleep 1
-./goodies/timestamp-file.sh -i README.rst -u http://localhost:2020 -r -O "-cert" || exit 1
+./goodies/timestamp-file.sh -i README.rst -u http://localhost:$PORT -r -O "-cert" || clean_exit 1
-./goodies/timestamp-file.sh -i README.rst -u http://localhost:2020 -r -O "-cert" || exit 1
+./goodies/timestamp-file.sh -i README.rst -u http://localhost:$PORT -r -O "-cert" || clean_exit 1
-./goodies/timestamp-file.sh -i README.rst -u http://localhost:2020 -r -O "-cert" || exit 1
+./goodies/timestamp-file.sh -i README.rst -u http://localhost:$PORT -r -O "-cert" || clean_exit 1
 
 kill `cat ./uts-server.pid`
 
-
+sed "s/2020/$PORT/" tests/cfg/uts-server-ssl.cnf >$CFG
-timeout 120 ./uts-server -c tests/cfg/uts-server-ssl.cnf -D -p ./uts-server.pid &
 
 sleep 1
-./goodies/timestamp-file.sh -i README.rst -u https://localhost:2020 -r -O "-cert" -C '-k' || exit 1
+
-./goodies/timestamp-file.sh -i README.rst -u https://localhost:2020 -r -O "-cert" -C '-k' || exit 1
+$TO ./uts-server -c $CFG -D -p ./uts-server.pid &
-./goodies/timestamp-file.sh -i README.rst -u https://localhost:2020 -r -O "-cert" -C '-k' || exit 1
+
+sleep 1
+./goodies/timestamp-file.sh -i README.rst -u https://localhost:$PORT -r -O "-cert" -C '-k' || clean_exit 1
+./goodies/timestamp-file.sh -i README.rst -u https://localhost:$PORT -r -O "-cert" -C '-k' || clean_exit 1
+./goodies/timestamp-file.sh -i README.rst -u https://localhost:$PORT -r -O "-cert" -C '-k' || clean_exit 1
 
 kill `cat ./uts-server.pid`
 
+clean_exit 0