mirror of https://github.com/kakwa/uts-server synced 2024-12-04 23:15:54 +01:00

uts-server

Micro timestamp server (RFC 3161) written in C

Status

Alpha

Dependencies

License

Released under the MIT Public License

Usage

$ ./uts-server --help
Usage: uts-server [OPTION...] -c CONFFILE [-d] [-D] [-p <pidfile>]

UTS micro timestamp server (RFC 3161)

  -c, --conffile=CONFFILE    Path to configuration file
  -d, --daemonize            Launch as a daemon
  -D, --debug                STDOUT debugging
  -p, --pidfile=PIDFILE      Path to pid file
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Report bugs to Pierre-Francois Carpentier <carpentier.pf@gmail.com>.

Configuration

tsa

Section defining which TSA section to use.

  • default_tsa: Name of the TSA section to use as default.

main

Main configuration section (mostly http configuration).

  • enable_keep_alive: Allows clients to reuse a TCP connection for subsequent HTTP requests, which improves performance.
  • num_threads: Number of worker threads.
  • ssl_ca_path: Name of a directory containing trusted CA certificates.
  • throttle: Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
      • * -> limit speed for all connections
      • x.x.x.x/mask -> limit speed for the specified subnet
    The value is a floating-point number of bytes per second, optionally followed by a k or m character meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate. Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
  • ssl_verify_peer: Enable client's certificate verification by the server.
  • ssl_certificate: Path to the SSL certificate file (PEM format containing private key and certificate).
  • tcp_nodelay: Enable TCP_NODELAY socket option on client connections.
  • ssl_verify_depth: Sets maximum depth of certificate chain. If client's certificate chain is longer than the depth set here connection is refused.
  • ssl_short_trust: Enables the use of short lived certificates
  • request_timeout_ms: Timeout for network read and network write operations, in milliseconds.
  • ssl_protocol_version: Sets the minimal accepted version of the SSL/TLS protocol (only relevant for ports flagged s in listening_ports) according to the table:
      • 0 -> SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2
      • 1 -> SSL3+TLS1.0+TLS1.1+TLS1.2
      • 2 -> TLS1.0+TLS1.1+TLS1.2
      • 3 -> TLS1.1+TLS1.2
      • 4 -> TLS1.2
    SSLv2 and SSLv3 are broken and TLS 1.0/1.1 are deprecated (RFC 8996), so use 4 (3 at the very least) for a timestamp server reachable by clients you do not control.
  • ssl_ca_file: Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
  • ssl_default_verify_paths: Loads default trusted certificates locations set at openssl compile time.
  • access_control_allow_origin: Comma separated list of IP subnets to accept/deny. Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow the 192.168.0.0/16 subnet). Note that this description matches civetweb's access_control_list option, whereas in civetweb access_control_allow_origin sets the CORS Access-Control-Allow-Origin header; check which key your build actually honours before relying on it to restrict who can reach the server.
  • log_level: Loglevel (debug, info, notice, warn, err, emerg, crit)
  • ssl_cipher_list: OpenSSL cipher list string. See https://www.openssl.org/docs/manmaster/apps/ciphers.html for the syntax and the available ciphers.
  • listening_ports: Comma-separated list of ip:port entries to listen on. If the port is SSL, the letter s must be appended. Ex: listening_ports = 80,443s
  • run_as_user: Switch to the given user after startup. This lets the server bind privileged ports at start and then drop root privileges instead of running as root.

tsa_config1

Example of timestamp section configuration.

  • clock_precision_digits: Number of decimal digits for the seconds field of the timestamp (genTime). (optional)
  • tsa_name: Must the TSA name be included in the reply? (optional, default: no)
  • signer_key: The TSA private key. (optional)
  • signer_cert: The TSA signing certificate. (optional)
  • ordering: Is ordering defined for timestamps? (optional, default: no)
  • certs: Certificate chain to include in reply. (optional)
  • default_policy: Policy if request did not specify it. (optional)
  • other_policies: Acceptable policies. (optional)
  • crypto_device: OpenSSL engine to use for signing.
  • ess_cert_id_chain: Must the ESS cert id chain be included? (optional, default: no)
  • digests: Acceptable message digests. (mandatory)
  • dir: TSA root directory.
  • accuracy: Timestamp accuracy. (optional)

oids

Section for declaring OID mappings. Just add key = value pairs, one per OID mapping.

Building

$ cmake .
$ make -j 2

Playing with it

# building with civetweb embedded (will recover civetweb from github)
$ cmake . -DBUNDLE_CIVETWEB=ON
$ make

# create some test certificates
$ ./tests/cfg/pki/create_tsa_certs

# launching the timestamp server with test configuration in debug mode
$ ./uts-server -c tests/cfg/uts-server.cnf -D

# in another shell, launching a timestamp script on the README.md file
$ ./goodies/timestamp-file.sh -i README.md -u http://localhost:2020 -r -O "-cert";
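The exchange that goodies/timestamp-file.sh drives with openssl and curl, done by hand so the RFC 3161 messages are visible. This is an added example, not code from uts-server: it builds a TimeStampReq (SHA-256 messageImprint, random nonce, certReq) with the Python standard library only, POSTs it as application/timestamp-query, and checks that the reply is granted and bound to the request by comparing the messageImprint and nonce inside the TSTInfo. The server URL (http://localhost:2020, the port of the README's test configuration) and the script name tsclient.py are assumptions; the CMS signature and the TSA certificate chain are not verified here and still need openssl ts -verify.

```python
# RFC 3161 client-side handling for a uts-server instance. Added example, not
# part of uts-server: builds a TimeStampReq with the standard library only,
# POSTs it, and checks the reply is bound to the request (status, imprint,
# nonce). Signature verification of the token is left to `openssl ts -verify`.
import hashlib, os, sys
import urllib.request

SHA256_OID = (2, 16, 840, 1, 101, 3, 4, 2, 1)
TSA_URL = os.environ.get("TSA_URL", "http://localhost:2020")  # assumed: README test port

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):  # non-negative INTEGER, minimal two's-complement encoding
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_oid(arcs):
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def message_imprint(digest):  # SEQUENCE { AlgorithmIdentifier sha256, OCTET STRING }
    return tlv(0x30, tlv(0x30, der_oid(SHA256_OID) + b"\x05\x00") + tlv(0x04, digest))

def build_tsq(digest, nonce, cert_req=True):
    # TimeStampReq ::= SEQUENCE { version 1, messageImprint, nonce, certReq BOOLEAN }
    body = der_int(1) + message_imprint(digest) + der_int(nonce)
    return tlv(0x30, body + (b"\x01\x01\xff" if cert_req else b""))

def read_tlv(buf, pos=0):  # -> (tag, value, offset after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(buf):  # iterate over the TLVs inside a constructed value
    p = 0
    while p < len(buf):
        tag, val, p = read_tlv(buf, p)
        yield tag, val

def parse_tsr(resp):
    # TimeStampResp ::= SEQUENCE { PKIStatusInfo, TimeStampToken OPTIONAL }
    _, body, _ = read_tlv(resp)
    _, info, end = read_tlv(body)
    fields = list(children(info))  # status INTEGER, PKIFreeText?, failInfo BIT STRING?
    status = int.from_bytes(fields[0][1], "big")
    text = [s.decode() for t, v in fields[1:] if t == 0x30 for _, s in children(v)]
    # RFC 3161 2.4.2: a token is present only for granted(0) / grantedWithMods(1)
    token = body[end:] if status in (0, 1) and end < len(body) else None
    return {"status": status, "text": text, "token": token}

def tstinfo_from_token(token):
    # ContentInfo { OID, [0] SignedData { version, digestAlgs, EncapContentInfo { OID, [0] OCTET STRING } } }
    ci = read_tlv(token)[1]
    sd = read_tlv(list(children(ci))[1][1])[1]        # [0] EXPLICIT -> SignedData body
    eci = list(children(sd))[2][1]                    # EncapsulatedContentInfo body
    tst_der = read_tlv(list(children(eci))[1][1])[1]  # [0] EXPLICIT -> OCTET STRING value
    f = list(children(read_tlv(tst_der)[1]))          # TSTInfo: version, policy, imprint, serial, genTime, ...
    digest = list(children(f[2][1]))[1][1]            # messageImprint.hashedMessage
    nonce = next((int.from_bytes(v, "big", signed=True) for t, v in f[5:] if t == 0x02), None)
    return {"digest": digest, "serial": int.from_bytes(f[3][1], "big"),
            "gen_time": f[4][1].decode(), "nonce": nonce}

def check_reply(resp, digest, nonce):
    # (ok, detail); ok only means the token answers *our* request. The CMS signature
    # and the TSA certificate chain still have to be verified (openssl ts -verify).
    r = parse_tsr(resp)
    if r["token"] is None:
        return False, "status %d: %s" % (r["status"], " ".join(r["text"]))
    t = tstinfo_from_token(r["token"])
    if t["digest"] != digest:
        return False, "messageImprint mismatch"
    if t["nonce"] != nonce:
        return False, "nonce mismatch (stale or replayed reply)"
    return True, t["gen_time"]

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "README.md"
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).digest()
    nonce = int.from_bytes(os.urandom(8), "big")
    req = urllib.request.Request(TSA_URL, data=build_tsq(digest, nonce),
                                 headers={"Content-Type": "application/timestamp-query"})
    with urllib.request.urlopen(req) as fh:
        resp = fh.read()
    ok, detail = check_reply(resp, digest, nonce)
    print("OK" if ok else "FAILED", detail)
    if ok:
        with open(path + ".tsr", "wb") as fh:
            fh.write(resp)
```

Run it as python3 tsclient.py README.md with the test server from the previous step up. A passing result only means the token answers this request; finish with openssl ts -verify -in README.md.tsr -data README.md -CAfile <the TSA CA certificate> to check the signature and chain. The nonce comparison is the part worth keeping in any client: without it, a reply captured earlier for the same digest can be replayed and the client cannot tell it from a fresh one.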