diff --git a/.gitignore b/.gitignore index 32972c8..8fe7d07 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ src/main_*.rs config.toml cache/ src/test.py +Rocket.toml diff --git a/Cargo.lock b/Cargo.lock index 1fd2752..1024104 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4,9 +4,9 @@ version = 3 [[package]] name = "addr2line" -version = "0.24.1" +version = "0.24.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f5fb1d8e4442bd405fdfd1dacb42792696b0cf9cb15882e5d097b742a676d375" +checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1" dependencies = [ "gimli", ] @@ -100,9 +100,9 @@ checksum = "155a5a185e42c6b77ac7b88a15143d930a9e9727a5b7b77eed417404ab15c247" [[package]] name = "async-stream" -version = "0.3.5" +version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd56dd203fef61ac097dd65721a419ddccb106b2d2b70ba60a6b529f03961a51" +checksum = "0b5a71a6f37880a80d1d7f19efd781e4b5de42c88f0722cc13bcb6cc2cfe8476" dependencies = [ "async-stream-impl", "futures-core", @@ -111,9 +111,9 @@ dependencies = [ [[package]] name = "async-stream-impl" -version = "0.3.5" +version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "16e62a023e7c117e27523144c5d2459f4397fcc3cab0085af8e2224f643a0193" +checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d" dependencies = [ "proc-macro2", "quote", @@ -122,9 +122,9 @@ dependencies = [ [[package]] name = "async-trait" -version = "0.1.82" +version = "0.1.83" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a27b8a3a6e1a44fa4c8baf1f653e4172e81486d4941f2237e20dc2d0cf4ddff1" +checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd" dependencies = [ "proc-macro2", "quote", 
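Review bot: Rocket.toml is added to .gitignore, but nothing in the visible README hunks tells a fresh checkout that the file is expected or what it should contain, so a new deployment has no template to start from. Rocket 0.5 reads settings such as `secret_key` and TLS options from that file, which is presumably why it is being kept out of the repository; the usual pattern is to commit a `Rocket.toml.example` with placeholder values and mention it next to the config.toml keys in the README. The ignore entry itself is correct.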
@@ -148,9 +148,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.3.0" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" +checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" [[package]] name = "backtrace" @@ -238,9 +238,9 @@ checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c" [[package]] name = "bytemuck" -version = "1.18.0" +version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94bbb0ad554ad961ddc5da507a12a29b14e4ae5bda06b19f575a3e6079d2e2ae" +checksum = "8334215b81e418a0a7bdb8ef0849474f40bb10c8b71f1c4ed315cff49f32494d" [[package]] name = "byteorder" @@ -250,15 +250,15 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" [[package]] name = "bytes" -version = "1.7.2" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "428d9aa8fbc0670b7b8d6030a7fadd0f86151cae55e4dbbece15f3780a3dfaf3" +checksum = "9ac0150caa2ae65ca5bd83f25c7de183dea78d4d366469f148435e2acfbad0da" [[package]] name = "cc" -version = "1.1.21" +version = "1.1.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0" +checksum = "67b9470d453346108f93a59222a9a1a5724db32d0a4727b7ab7ace4b4d822dc9" dependencies = [ "shlex", ] @@ -526,9 +526,9 @@ checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0" [[package]] name = "encoding_rs" -version = "0.8.34" +version = "0.8.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b45de904aa0b010bce2ab45264d0631681847fa7b6f2eaa7dab7619943bc4f59" +checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3" dependencies = [ "cfg-if", ] 
@@ -571,9 +571,9 @@ dependencies = [ [[package]] name = "flate2" -version = "1.0.33" +version = "1.0.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "324a1be68054ef05ad64b861cc9eaf1d623d2d8cb25b4bf2cb9cdd902b4bf253" +checksum = "a1b589b4dc103969ad3cf85c950899926ec64300a1a46d76c03a6072957036f0" dependencies = [ "crc32fast", "libz-sys", @@ -603,9 +603,9 @@ checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c" [[package]] name = "futures" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "645c6916888f6cb6350d2550b80fb63e734897a8498abe35cfb732b6487804b0" +checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876" dependencies = [ "futures-channel", "futures-core", @@ -617,9 +617,9 @@ dependencies = [ [[package]] name = "futures-channel" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78" +checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10" dependencies = [ "futures-core", "futures-sink", 
@@ -627,33 +627,33 @@ dependencies = [ [[package]] name = "futures-core" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d" +checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e" [[package]] name = "futures-io" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a44623e20b9681a318efdd71c299b6b222ed6f231972bfe2f224ebad6311f0c1" +checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6" [[package]] name = "futures-sink" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5" +checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7" [[package]] name = "futures-task" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004" +checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988" [[package]] name = "futures-util" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48" +checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81" dependencies = [ "futures-channel", "futures-core", @@ -702,9 +702,9 @@ dependencies = [ [[package]] name = "gimli" -version = "0.31.0" +version = "0.31.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32085ea23f3234fc7846555e85283ba4de91e21016dc0455a16286d87a292d64" +checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f" [[package]] name = "glob" 
@@ -742,9 +742,9 @@ dependencies = [ [[package]] name = "hashbrown" -version = "0.14.5" +version = "0.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" +checksum = "1e087f84d4f86bf4b218b927129862374b72199ae7d8657835f1e89000eea4fb" [[package]] name = "hermit-abi" @@ -799,9 +799,9 @@ dependencies = [ [[package]] name = "httparse" -version = "1.9.4" +version = "1.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fcc0b4a115bf80b728eb8ea024ad5bd707b615bfed49e0665b6e0f86fd082d9" +checksum = "7d71d3574edd2771538b901e6549113b4006ece66150fb69c0fb6d9a2adae946" [[package]] name = "httpdate" @@ -811,9 +811,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" [[package]] name = "hyper" -version = "0.14.30" +version = "0.14.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a152ddd61dfaec7273fe8419ab357f33aee0d914c5f4efbf0d96fa749eea5ec9" +checksum = "8c08302e8fa335b151b788c775ff56e7a03ae64ff85c548ee820fecb70356e85" dependencies = [ "bytes", "futures-channel", 
@@ -856,24 +856,153 @@ dependencies = [ "cc", ] +[[package]] +name = "icu_collections" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526" +dependencies = [ + "displaydoc", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_locid" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637" +dependencies = [ + "displaydoc", + "litemap", + "tinystr", + "writeable", + "zerovec", +] + +[[package]] +name = "icu_locid_transform" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e" +dependencies = [ + "displaydoc", + "icu_locid", + "icu_locid_transform_data", + "icu_provider", + "tinystr", + "zerovec", +] + +[[package]] +name = "icu_locid_transform_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e" + +[[package]] +name = "icu_normalizer" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f" +dependencies = [ + "displaydoc", + "icu_collections", + "icu_normalizer_data", + "icu_properties", + "icu_provider", + "smallvec", + "utf16_iter", + "utf8_iter", + "write16", + "zerovec", +] + +[[package]] +name = "icu_normalizer_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516" + +[[package]] +name = "icu_properties" +version = "1.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5" +dependencies = [ + 
"displaydoc", + "icu_collections", + "icu_locid_transform", + "icu_properties_data", + "icu_provider", + "tinystr", + "zerovec", +] + +[[package]] +name = "icu_properties_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569" + +[[package]] +name = "icu_provider" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9" +dependencies = [ + "displaydoc", + "icu_locid", + "icu_provider_macros", + "stable_deref_trait", + "tinystr", + "writeable", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_provider_macros" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "idna" -version = "0.5.0" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6" +checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e" dependencies = [ - "unicode-bidi", - "unicode-normalization", + "idna_adapter", + "smallvec", + "utf8_iter", +] + +[[package]] +name = "idna_adapter" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71" +dependencies = [ + "icu_normalizer", + "icu_properties", ] [[package]] name = "indexmap" -version = "2.5.0" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68b900aa2f7301e21c36462b170ee99994de34dff39a4a6a528e80e7376d07e5" +checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da" dependencies = [ "equivalent", - "hashbrown 0.14.5", + "hashbrown 
0.15.0", "serde", ] @@ -920,9 +1049,9 @@ checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" [[package]] name = "js-sys" -version = "0.3.70" +version = "0.3.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1868808506b929d7b0cfa8f75951347aa71bb21144b7791bae35d9bccfcfe37a" +checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9" dependencies = [ "wasm-bindgen", ] @@ -1008,9 +1137,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.158" +version = "0.2.161" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" +checksum = "8e9489c2807c139ffd9c1794f4af0ebe86a828db53ecdc7fea2111d0fed085d1" [[package]] name = "libloading" @@ -1039,6 +1168,12 @@ version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" +[[package]] +name = "litemap" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "643cb0b8d4fcc284004d5fd0d67ccf61dfffadb7f75e1e71bc420f4688a3a704" + [[package]] name = "lock_api" version = "0.4.12" @@ -1279,9 +1414,9 @@ dependencies = [ [[package]] name = "object" -version = "0.36.4" +version = "0.36.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "084f1a5821ac4c651660a94a7153d27ac9d8a53736203f58b31945ded098070a" +checksum = "aedf0a2d09c573ed1d8d85b30c119153926a2b36dce0ab28322c09a117a4683e" dependencies = [ "memchr", ] @@ -1289,8 +1424,7 @@ dependencies = [ [[package]] name = "ocsp" version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aef2010711f55f8ed2627630936202af42741336bc1ceaf1b0b256e02e821f18" +source = "git+https://github.com/DorianCoding/ocsp-rs.git?tag=1.0.0#04c47f3dc91eebd4655e7c78ff21d1f18aeadcaf" dependencies = [ "asn1_der", "chrono", 
@@ -1299,17 +1433,19 @@ dependencies = [ "thiserror", "tracing", "tracing-futures", + "yasna", ] [[package]] name = "ocsp-server" -version = "0.2.0" +version = "0.3.0" dependencies = [ "chrono", "config-file", "hex", "mysql", "ocsp", + "pem-parser", "ring", "rocket", "serde", @@ -1328,9 +1464,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.19.0" +version = "1.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" [[package]] name = "overload" @@ -1394,6 +1530,15 @@ dependencies = [ "serde", ] +[[package]] +name = "pem-parser" +version = "0.1.0" +source = "git+https://github.com/yberreby/pem-parser-rs.git#5a3c3d840631e7a61605c2ed151e3fee759928df" +dependencies = [ + "regex", + "rustc-serialize", +] + [[package]] name = "percent-encoding" version = "2.3.1" @@ -1402,18 +1547,18 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" [[package]] name = "pin-project" -version = "1.1.5" +version = "1.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6bf43b791c5b9e34c3d182969b4abb522f9343702850a2e57f460d00d09b4b3" +checksum = "be57f64e946e500c8ee36ef6331845d40a93055567ec57e8fae13efd33759b95" dependencies = [ "pin-project-internal", ] [[package]] name = "pin-project-internal" -version = "1.1.5" +version = "1.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f38a4412a78282e09a2cf38d195ea5420d15ba0602cb375210efbc877243965" +checksum = "3c0f5fad0874fc7abcd4d750e76917eaebbecaa2c20bde22e1dbeeba8beb758c" dependencies = [ "proc-macro2", "quote", 
@@ -1422,9 +1567,9 @@ dependencies = [ [[package]] name = "pin-project-lite" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02" +checksum = "915a1e146535de9163f3987b8944ed8cf49a18bb0056bcebcdcece385cece4ff" [[package]] name = "pin-utils" @@ -1434,9 +1579,9 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" [[package]] name = "pkg-config" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" +checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" [[package]] name = "powerfmt" @@ -1455,9 +1600,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.86" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" +checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" dependencies = [ "unicode-ident", ] @@ -1522,9 +1667,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.5.4" +version = "0.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0884ad60e090bf1345b93da0a5de8923c93884cd03f40dfcfddd3b4bee661853" +checksum = "9b6dfecf2c74bce2466cabf93f6664d6998a69eb21e39f4207930065b27b771f" dependencies = [ "bitflags", ] 
@@ -1551,14 +1696,14 @@ dependencies = [ [[package]] name = "regex" -version = "1.10.6" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619" +checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191" dependencies = [ "aho-corasick", "memchr", - "regex-automata 0.4.7", - "regex-syntax 0.8.4", + "regex-automata 0.4.8", + "regex-syntax 0.8.5", ] [[package]] @@ -1572,13 +1717,13 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.7" +version = "0.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df" +checksum = "368758f23274712b504848e9d5a6f010445cc8b87a7cdb4d7cbee666c1288da3" dependencies = [ "aho-corasick", "memchr", - "regex-syntax 0.8.4", + "regex-syntax 0.8.5", ] [[package]] @@ -1589,9 +1734,9 @@ checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" [[package]] name = "regex-syntax" -version = "0.8.4" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b" +checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" [[package]] name = "ring" @@ -1701,6 +1846,12 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" +[[package]] +name = "rustc-serialize" +version = "0.3.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fe834bc780604f4674073badbad26d7219cadfb4a2275802db12cbae17498401" + [[package]] name = "rusticata-macros" version = "4.1.0" 
@@ -1712,9 +1863,9 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.37" +version = "0.38.38" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8acb788b847c24f28525660c4d7758620a7210875711f79e7f663cc152726811" +checksum = "aa260229e6538e52293eeb577aabd09945a09d6d9cc0fc550ed7529056c2e32a" dependencies = [ "bitflags", "errno", @@ -1725,9 +1876,9 @@ dependencies = [ [[package]] name = "rustversion" -version = "1.0.17" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "955d28af4278de8121b7ebeb796b6a45735dc01436d898801014aced2773a3d6" +checksum = "0e819f2bc632f285be6d7cd36e25940d45b2391dd6d9b939e79de557f7014248" [[package]] name = "ryu" @@ -1755,18 +1906,18 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "serde" -version = "1.0.210" +version = "1.0.214" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" +checksum = "f55c3193aca71c12ad7890f1785d2b73e1b9f63a0bbc353c08ef26fe03fc56b5" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.210" +version = "1.0.214" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" +checksum = "de523f781f095e28fa605cdce0f8307e451cc0fd14e2eb4cd2e98a355b147766" dependencies = [ "proc-macro2", "quote", @@ -1775,9 +1926,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.128" +version = "1.0.132" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8" +checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" dependencies = [ "itoa", "memchr", 
@@ -1787,9 +1938,9 @@ dependencies = [ [[package]] name = "serde_spanned" -version = "0.6.7" +version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb5b1b31579f3811bf615c144393417496f152e12ac8b7663bf664f4a815306d" +checksum = "87607cb1398ed59d48732e575a4c28a7a8ebf2454b964fe3f224f2afc07909e1" dependencies = [ "serde", ] @@ -1880,6 +2031,12 @@ dependencies = [ "memchr", ] +[[package]] +name = "stable_deref_trait" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3" + [[package]] name = "state" version = "0.6.0" @@ -1907,9 +2064,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.77" +version = "2.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" +checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" dependencies = [ "proc-macro2", "quote", @@ -1935,9 +2092,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" [[package]] name = "tempfile" -version = "3.12.0" +version = "3.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "04cbcdd0c794ebb0d4cf35e88edd2f7d2c4c3e9a5a6dab322839b321c6a87a64" +checksum = "f0f2c9fc62d0beef6951ccffd757e241266a2c833136efbe35af6cd2567dca5b" dependencies = [ "cfg-if", "fastrand", 
@@ -1948,18 +2105,18 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.63" +version = "1.0.68" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0342370b38b6a11b6cc11d6a805569958d54cfa061a29969c3b5ce2ea405724" +checksum = "02dd99dc800bbb97186339685293e1cc5d9df1f8fae2d0aecd9ff1c77efea892" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.63" +version = "1.0.68" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4558b58466b9ad7ca0f102865eccc95938dca1a74a856f2b57b6629050da261" +checksum = "a7c61ec9a6f64d2793d8a45faba21efbe3ced62a886d44c36a009b2b519b4c7e" dependencies = [ "proc-macro2", "quote", @@ -2008,25 +2165,20 @@ dependencies = [ ] [[package]] -name = "tinyvec" -version = "1.8.0" +name = "tinystr" +version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "445e881f4f6d382d5f27c034e25eb92edd7c784ceab92a0937db7f2e9471b938" +checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f" dependencies = [ - "tinyvec_macros", + "displaydoc", + "zerovec", ] -[[package]] -name = "tinyvec_macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" - [[package]] name = "tokio" -version = "1.40.0" +version = "1.41.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2b070231665d27ad9ec9b8df639893f46727666c6767db40317fbe920a5d998" +checksum = "145f3413504347a2be84393cc8a7d2fb4d863b375909ea59f2158261aa258bbb" dependencies = [ "backtrace", "bytes", 
@@ -2106,9 +2258,9 @@ dependencies = [ [[package]] name = "toml_edit" -version = "0.22.21" +version = "0.22.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b072cee73c449a636ffd6f32bd8de3a9f7119139aff882f44943ce2986dc5cf" +checksum = "4ae48d6208a266e853d946088ed816055e556cc6028c5e8e2b84d9fa5dd7c7f5" dependencies = [ "indexmap", "serde", @@ -2236,27 +2388,12 @@ dependencies = [ "version_check", ] -[[package]] -name = "unicode-bidi" -version = "0.3.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08f95100a766bf4f8f28f90d77e0a5461bbdb219042e7679bebe79004fed8d75" - [[package]] name = "unicode-ident" version = "1.0.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe" -[[package]] -name = "unicode-normalization" -version = "0.1.24" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5033c97c4262335cded6d6fc3e5c18ab755e1a3dc96376350f3d8e9f009ad956" -dependencies = [ - "tinyvec", -] - [[package]] name = "unicode-xid" version = "0.2.6" 
@@ -2271,20 +2408,32 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "url" -version = "2.5.2" +version = "2.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22784dbdf76fdde8af1aeda5622b546b422b6fc585325248a2bf9f5e41e94d6c" +checksum = "8d157f1b96d14500ffdc1f10ba712e780825526c03d9a49b4d0324b0d9113ada" dependencies = [ "form_urlencoded", "idna", "percent-encoding", ] +[[package]] +name = "utf16_iter" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246" + +[[package]] +name = "utf8_iter" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" + [[package]] name = "uuid" -version = "1.10.0" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81dfa00651efa65069b0b6b651f4aaa31ba9e3c3ce0137aaad053604ee7e0314" +checksum = "f8c5f0a0af699448548ad1a2fbf920fb4bee257eae39953ba95cb84891a0446a" [[package]] name = "valuable" @@ -2321,9 +2470,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasm-bindgen" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a82edfc16a6c469f5f44dc7b571814045d60404b55a0ee849f9bcfa2e63dd9b5" +checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e" dependencies = [ "cfg-if", "once_cell", @@ -2332,9 +2481,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9de396da306523044d3302746f1208fa71d7532227f15e347e2d93e4145dd77b" +checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358" dependencies = [ "bumpalo", "log", 
@@ -2347,9 +2496,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "585c4c91a46b072c92e908d99cb1dcdf95c5218eeb6f3bf1efa991ee7a68cccf" +checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -2357,9 +2506,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" +checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" dependencies = [ "proc-macro2", "quote", @@ -2370,9 +2519,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c62a0a307cb4a311d3a07867860911ca130c3494e8c2719593806c08bc5d0484" +checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d" [[package]] name = "winapi" 
@@ -2555,13 +2704,25 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "0.6.18" +version = "0.6.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68a9bda4691f099d435ad181000724da8e5899daa10713c2d432552b9ccd3a6f" +checksum = "36c1fec1a2bb5866f07c25f68c26e565c4c200aebb96d7e55710c19d3e8ac49b" dependencies = [ "memchr", ] +[[package]] +name = "write16" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936" + +[[package]] +name = "writeable" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51" + [[package]] name = "wyz" version = "0.5.1" @@ -2597,6 +2758,36 @@ dependencies = [ "is-terminal", ] +[[package]] +name = "yasna" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" + +[[package]] +name = "yoke" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c5b1314b079b0930c31e3af543d8ee1757b1951ae1e1565ec704403a7240ca5" +dependencies = [ + "serde", + "stable_deref_trait", + "yoke-derive", + "zerofrom", +] + +[[package]] +name = "yoke-derive" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28cc31741b18cb6f1d5ff12f5b7523e3d6eb0852bbbad19d73905511d9849b95" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + [[package]] name = "zerocopy" version = "0.7.35" 
@@ -2618,6 +2809,27 @@ dependencies = [ "syn", ] +[[package]] +name = "zerofrom" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91ec111ce797d0e0784a1116d0ddcdbea84322cd79e5d5ad173daeba4f93ab55" +dependencies = [ + "zerofrom-derive", +] + +[[package]] +name = "zerofrom-derive" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ea7b4a3637ea8669cedf0f1fd5c286a17f3de97b8dd5a70a6c167a1730e63a5" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + [[package]] name = "zeroize" version = "1.7.0" @@ -2637,3 +2849,25 @@ dependencies = [ "quote", "syn", ] + +[[package]] +name = "zerovec" +version = "0.10.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079" +dependencies = [ + "yoke", + "zerofrom", + "zerovec-derive", +] + +[[package]] +name = "zerovec-derive" +version = "0.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] diff --git a/Cargo.toml b/Cargo.toml index af55336..d92b2e2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -2,7 +2,7 @@ name = "ocsp-server" authors = ["DorianCoding"] description = "OCSP server, listening for requests to give responses." -version = "0.2.0" +version = "0.3.0" edition = "2021" license = "GPL-3.0-only" repository = "https://github.com/DorianCoding/OCSP_server" 
@@ -18,12 +18,14 @@ chrono = { version = "~0.4.31", default-features = false, features = ["std"]}
 config-file = "~0.2.3"
 hex = "~0.4.3"
 mysql = { version = "~24.0.0", default-features = false, features = ["minimal"]}
-ocsp = "~0.4.0"
+ocsp = {git = "https://github.com/DorianCoding/ocsp-rs.git", tag="1.0.0" }
+#ocsp = {git = "https://github.com/maicallist/ocsp-rs.git" }
+pem-parser = {git = "https://github.com/yberreby/pem-parser-rs.git" }
 #openssl-sys = { version = "~0.9.103", features = ["vendored" ]}
 ring = "0.17.8"
 rocket = "~0.5.0"
 serde = "~1.0.193"
-x509-parser = "0.16.0"
+x509-parser = "~0.16.0"
 zeroize = { version = "~1.7.0", features = ["std", "zeroize_derive"] }
 [profile.release]
 strip = "symbols"
diff --git a/README.md b/README.md
index 038c961..4cf0931 100644
--- a/README.md
+++ b/README.md
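Review bot: The two new git dependencies are pinned only by a mutable reference: `ocsp` by `tag="1.0.0"` and `pem-parser` by nothing at all, so the signer's ASN.1/OCSP code and the key-file parser can silently change on the next `cargo update` or if the tag is moved, with only Cargo.lock standing in the way. Cargo accepts a single `rev` in place of the tag, and the commits are already recorded in the lockfile, so I would write `ocsp = { git = "https://github.com/DorianCoding/ocsp-rs.git", rev = "04c47f3dc91eebd4655e7c78ff21d1f18aeadcaf" }` and `pem-parser = { git = "https://github.com/yberreby/pem-parser-rs.git", rev = "5a3c3d840631e7a61605c2ed151e3fee759928df" }`. The lockfile also shows `pem-parser` pulling in `rustc-serialize 0.3.25`, a long-unmaintained crate, which is a lot of surface for decoding one PEM file and worth weighing against a small in-tree base64/PEM decode. The commented-out `#ocsp = {git = "https://github.com/maicallist/ocsp-rs.git" }` line is dead configuration and should be dropped rather than left beside the real entry.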
@@ -35,15 +35,17 @@ port = 9000 #Port to listen to, from 1 to 65535. Cannot use a port already used dbname = "certs" #Name to connect to MySql data dbpassword = "certdata" #Password to connect to cert data cachefolder = "cache/" #Folder to cache data (relative or absolute, will be created if not present) -itcert = "/var/public_files/it_cert.crt" #Path to intermediate certificate -itkey = "/var/private_files/it_privkey.pem" #Path to intermediate private key, keep it secret +itcert = "/var/public_files/it_cert.crt" #Path to intermediate certificate as PEM format +revocextended = true //Optional, if you want to enable EXTENDED_REVOCATION +caching = true //Optional, enable caching or enable nonce response. +itkey = "/var/private_files/it_privkey.pem" #Path to intermediate private key, keep it secret (PKCS#8 format, only RSA keys supported so far) ``` > [!CAUTION] > Config.toml should be read-only for the script and inaccessible for others because it contains dbpassword. -> Intermediate certificate key should be held secret, must be read-only for the script and inaccessible to anyone else. The intermediate certificate should be world-readonly, including to the script. +> Intermediate/Signer certificate key should be held secret, must be read-only for the script and inaccessible to anyone else. The intermediate/Signer certificate should be world-readonly, including to the script. > As a service, the script will use a brand-new user called pycert. This ensures system integrity and protection. All the filesystem is locked by systemd except the cache folder. -> The responder will reply to any certificate that are present in the database, whatever they are currently expired or not. +> The responder will reply to any certificate that are present in the database, *whatever they are currently expired or not*. ## How to implement? 
@@ -65,12 +67,11 @@ CREATE TABLE `list_certs` ( `cert_num` varchar(50) NOT NULL, `revocation_time` datetime DEFAULT NULL, `revocation_reason` enum('unspecified','key_compromise','ca_compromise','affiliation_changed','superseded','cessation_of_operation','certificate_hold','privilege_withdrawn','aa_compromise') DEFAULT NULL, - `cert` blob NOT NULL, `status` enum('Valid','Revoked') NOT NULL DEFAULT 'Valid', PRIMARY KEY (`cert_num`), ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ``` -- The certificate number **must be unique** and start with 0x (like a hex number). Cert must contain the certificate in PEM format. Revocaition_time must be in UTC timezone. +- The certificate number **must be unique** and start with 0x (like a hex number). Revocation_time must be in UTC timezone. - When the certificate is valid, status must be "Valid" and revocation_time and reason must be NULL. On the opposite, upon revocation, status must be "Revoked" and revocation_time and reason must be set. ## Script test and timeline ### Test integration diff --git a/binaries/linux-x86_64_ocsp_server b/binaries/linux-x86_64_ocsp_server index 0e415d5..2c9f042 100755 Binary files a/binaries/linux-x86_64_ocsp_server and b/binaries/linux-x86_64_ocsp_server differ diff --git a/service.sh b/service.sh index 1b30ee7..5fa0ee8 100755 --- a/service.sh +++ b/service.sh 
@@ -5,14 +5,19 @@ if [ "$EUID" -ne 0 ] fi if [ ! -f config.toml ]; then echo "Put the config.toml file in the main directory" + exit +fi +if [ ! -f target/release/ocsp-server ]; then + echo "Please execute cargo build --release before." + exit fi echo "Creating pycert user and group" -adduser --system pycert +adduser --system pycert --group if [ $? -ne 0 ] then echo "Error while creating the user, exiting" exit fi -echo -n "Cancel the script now if you did not edit config.toml and change it now, else the script won't work" +echo -n "Cancel the script by Ctrl+C now if you did not edit config.toml and change it now, else the script won't work" read -t 10 echo "Creating cache directory" mkdir -p /var/ocsp/cache @@ -21,14 +26,9 @@ if [ $? -ne 0 ] exit fi echo "Creating binaries" -if [ `getconf LONG_BIT` = "64" ] -then - cp binaries/linux-x86_64_ocsp_server /var/ocsp/ocsp_server && cp config.toml /var/ocsp/ -else - cp binaries/linux-x32_ocsp_server /var/ocsp/ocsp_server && cp config.toml /var/ocsp/ -fi +cp target/release/ocsp-server /var/ocsp/ocsp_server && cp config.toml /var/ocsp/ if [ $? -ne 0 ] - then echo "Error copying files, exiting" + then echo "Error copying files, exiting. Please execute cargo build --release before." exit fi cd /var/ocsp diff --git a/src/main.rs b/src/main.rs index 09d8928..a6b1ca7 100644 --- a/src/main.rs +++ b/src/main.rs @@ -5,6 +5,8 @@ use chrono::{DateTime, Datelike, FixedOffset}; use config_file::FromConfigFile; use mysql::prelude::Queryable; use mysql::*; +use ocsp::common::asn1::Bytes; +use ocsp::common::ocsp::{OcspExt, OcspExtI}; use ocsp::request::OcspRequest; use ocsp::{ common::asn1::{CertId, GeneralizedTime, Oid}, @@ -17,10 +19,7 @@ use ocsp::{ }, }; use ring::digest::SHA1_FOR_LEGACY_USE_ONLY; -use ring::{ - rand, - signature, -}; +use ring::{rand, signature}; use rocket::http::ContentType; use rocket::State; use rocket::{data::ToByteUnit, Data}; 
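Review bot: The two `exit` lines added in the first hunk, after `echo "Put the config.toml file in the main directory"` and `echo "Please execute cargo build --release before."`, exit with the status of the preceding `echo`, i.e. 0, so a wrapper or package script sees the aborted install as success; use `exit 1` on both, and the same applies to the `exit` kept in the second hunk after `echo "Error copying files, exiting. Please execute cargo build --release before."`. Since every error path in this script has the same shape, `set -e` near the top (or a small `die() { echo "$1" >&2; exit 1; }` helper) would cover all of them at once. The check after `adduser --system pycert --group` still only guards the adduser call, which is fine, but note that `adduser` failing because the user already exists from a previous run also aborts the install.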
@@ -31,16 +30,22 @@ use std::io; use std::net::SocketAddr; use std::path::Path; use std::time::Duration; +use x509_parser::oid_registry::OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER; +use x509_parser::prelude::ParsedExtension; use zeroize::Zeroize; const CACHEFORMAT: &str = "%Y-%m-%d-%H-%M-%S"; // In a real application, this would likely be more complex. #[derive(Debug)] struct Config { - issuer_hash: Vec, + issuer_hash: (Vec, Vec,bool), + cert: Bytes, + revocextended: bool, + time: u8, //issuer_name_hash: u32, rsakey: ring::signature::RsaKeyPair, cachedays: u16, - dbip: String, + caching: bool, + dbip: Option, dbuser: String, dbpassword: String, dbname: String, @@ -57,8 +62,11 @@ impl Drop for Config { #[derive(Deserialize)] struct Fileconfig { cachedays: u16, - dbip: String, + caching: Option, + revocextended: Option, + dbip: Option, port: u32, + timeout: u8, dbuser: String, dbpassword: String, dbname: String, @@ -71,13 +79,12 @@ struct Certinfo { status: String, revocation_time: Option, revocation_reason: Option, - cert: String, } #[test] fn testresponse() { use ring::rand::SecureRandom; - use std::time::Instant; use ring::signature::KeyPair; + use std::time::Instant; println!("Generating key, may take a while..."); let rng = rand::SystemRandom::new(); let pkcs8_bytes = signature::Ed25519KeyPair::generate_pkcs8(&rng).unwrap(); @@ -116,10 +123,12 @@ fn signresponse( issuer_hash: &[u8], private_key: &ring::rsa::KeyPair, response: Vec, + extensions: Option>, + cert: Option> ) -> Result> { let id = ResponderId::new_key_hash(issuer_hash); // responding by id let produce = GeneralizedTime::now(); - let data = ResponseData::new(id, produce, response, None); + let data = ResponseData::new(id, produce, response, extensions); let oid = Oid::new_from_dot(ALGO_SHA256_WITH_RSA_ENCRYPTION_DOT)?; let rng = rand::SystemRandom::new(); let tosign = &data.to_der()?; 
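Review bot: `Fileconfig` gains a mandatory `timeout: u8` field, so every existing `config.toml` without it now fails to deserialize at startup, and the README sample changed in this commit documents `revocextended` and `caching` but not `timeout`; either make it an `Option` with a default like the other two new fields or add it to the README block. The `issuer_hash` tuple in `Config` is read positionally as `.0`/`.1`/`.2` in `upload`; a small named struct (signer public-key hash, authority key identifier, has-OCSP-signing-EKU) with a doc comment per field would make those comparisons readable. `signresponse`'s two new parameters deserve a line each in its doc comment, e.g. `/// extensions: response-level extensions (nonce echo, extended revocation); cert: signer certificate to embed when the responder is a delegated signer, None when it is the issuer itself`. `signresponse` continues past the hunk.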
@@ -128,7 +137,7 @@ fn signresponse( .sign(&signature::RSA_PKCS1_SHA256, &rng, tosign, &mut signature) .unwrap(); assert_ne!(&signature, tosign); - let basic = BasicResponse::new(data, oid, signature, None); + let basic = BasicResponse::new(data, oid, signature, cert); // equivalent to // let resp_type = Oid::new_from_dot("1.3.6.1.5.5.7.48.1.1").await?; let resp_type = Oid::new_from_dot(OCSP_RESPONSE_BASIC_DOT)?; 
@@ -143,32 +152,38 @@ fn signnonvalidresponse(motif: OcspRespStatus) -> Result, OcspError> { let ocsp = OcspResponse::new_non_success(motif)?; ocsp.to_der() } -fn checkcert(config: &State, certnum: &str) -> Result { +fn checkcert(config: &State, certnum: &str, revoked: bool) -> Result { // Let's select payments from database. Type inference should do the trick here. let opts = OptsBuilder::new() .user(Some(config.dbuser.as_str())) - .prefer_socket(true) - //.socket(Some("/run/mysqld/mysqld.sock")) - .ip_or_hostname(Some(config.dbip.as_str())) - .read_timeout(Some(Duration::new(5, 0))) + .read_timeout(Some(Duration::new(config.time as u64, 0))) .db_name(Some(config.dbname.as_str())) .pass(Some(config.dbpassword.as_str())); + let opts = match &config.dbip { + Some(string) => opts.ip_or_hostname(Some(string)), + None => opts + .prefer_socket(true) + .socket(Some("/run/mysqld/mysqld.sock")), + }; let mut conn = Conn::new(opts)?; - let selected_payments = conn.exec_map( - "SELECT status, revocation_time, revocation_reason, cert FROM list_certs WHERE cert_num=?", + let status = conn.exec_map( + "SELECT status, revocation_time, revocation_reason FROM list_certs WHERE cert_num=?", (String::from(certnum).into_bytes(),), - |(status, revocation_time, revocation_reason, cert)| Certinfo { + |(status, revocation_time, revocation_reason)| Certinfo { status, revocation_time, revocation_reason, - cert, }, )?; - if selected_payments.is_empty() { + if status.is_empty() { warn!("Entry not found for cert {}", certnum); - Ok(OcspCertStatus::new(CertStatusCode::Unknown, None)) + if !revoked { + Ok(OcspCertStatus::new(CertStatusCode::Unknown, None)) + } else { + Ok(OcspCertStatus::new(CertStatusCode::Revoked, Some(RevokedInfo::new(GeneralizedTime::new(1970, 1, 1, 0, 0, 0).unwrap(), Some(CrlReason::OcspRevokeCertHold))))) + } } else { - let statut = selected_payments[0].clone(); + let statut = status[0].clone(); debug!("Entry found for cert {}, status {}", certnum, statut.status); if 
statut.status == "Revoked" { let time = GeneralizedTime::now(); @@ -253,7 +268,7 @@ fn checkcache(state: &State, certname: &str) -> io::Result = filename.split(&certname).collect(); if elem.len() != 2 { - warn!("Invalid filename to check cache: {}",filename); + warn!("Invalid filename to check cache: {}", filename); continue; } let datetime = NaiveDateTime::parse_from_str(elem[1], CACHEFORMAT); @@ -318,7 +333,10 @@ async fn upload<'a>( let string = stream.into_bytes().await?; let vec = string.into_inner(); let ocsp_request = match OcspRequest::parse(&vec) { - Ok(r) => r, + Ok(r) => { + trace!("Got a request from {}",address.ip()); + r + }, Err(e) => { warn!("Unable to parse ocsp request from {}", address.ip()); debug!("Unable to parse ocsp request, due to {e}."); @@ -328,11 +346,32 @@ async fn upload<'a>( )); } }; + + match ocsp_request.tbs_request.request_ext.clone().and_then(|p| { + p.iter() + .filter_map(|o| match &o.ext { + ocsp::common::ocsp::OcspExt::Nonce { nonce } => Some(nonce.len()), + _ => None, + }) + .last() + }) { + Some(1..128) | None => (), + _ => { + info!("Nonce is invalid on request by {}. Rejected.",address.ip()); + return Ok(( + custom, + signnonvalidresponse(OcspRespStatus::MalformedReq).unwrap(), + )); + } + } // get CertId from request + let tbs = ocsp_request.tbs_request.request_ext.clone(); let cid_list = ocsp_request.extract_certid_owned(); let mut responses: Vec = Vec::new(); let mut num = String::new(); - let possible = cid_list.len() <= 1; + let possible = cid_list.len() <= 1 && state.caching; + let mut extensions = Vec::with_capacity(cid_list.len()); + let mut needthecert = false; for cert in cid_list { num = match hex::encode(&cert.serial_num).starts_with("0x") { true => hex::encode(&cert.serial_num), 
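Review bot: `read_timeout(Some(Duration::new(config.time as u64, 0)))` accepts `timeout = 0` from the config, and if the `mysql` crate forwards that to the socket's `set_read_timeout` (which rejects a zero `Duration`), every lookup would fail into the `TryLater` path; validate the value at startup or map 0 to `None`. The `.socket(Some("/run/mysqld/mysqld.sock"))` fallback is now the live default whenever `dbip` is absent, so it deserves a config key or at least a README line. The extended-revoked branch hard-codes `GeneralizedTime::new(1970, 1, 1, 0, 0, 0)` and `CrlReason::OcspRevokeCertHold`; a comment such as `// RFC 6960 §4.4.8: "revoked" for unknown certs uses revocationTime 1970-01-01 and reason certificateHold` would explain why those constants are intentional, and renaming the parameter `revoked` to something like `extended_revocation` would say what it actually switches. `checkcert` continues past the hunk.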
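Review bot: The nonce check `Some(1..128) | None => ()` only inspects `.last()` of the Nonce extensions and uses an exclusive upper bound, so a 128-octet nonce is rejected while RFC 9654 allows 1–128 octets (RFC 8954 capped it at 32), and a request carrying two Nonce extensions passes here and then, in the next hunk, gets a nonce-less response instead of `MalformedReq`. Count the Nonce extensions instead of taking the last one and reject on `count != 1` or a length outside `1..=128`, with a comment naming the RFC the limit follows. `ocsp_request.tbs_request.request_ext.clone()` here and `let tbs = ocsp_request.tbs_request.request_ext.clone();` a few lines later copy the extension list twice; cloning once into `tbs` before the check and iterating `tbs.as_deref()` would do. `upload` starts and ends outside this hunk.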
@@ -347,25 +386,90 @@ async fn upload<'a>( } } } - let mut status = CertStatus::new(CertStatusCode::Unknown, None); - /* let mut opensslshorthash: [u8;4] = [0;4]; - opensslshorthash.clone_from_slice(&cert.issuer_name_hash[..4]); - let opensslshorthash=u32::from_le_bytes(opensslshorthash); TODO: Implement */ - //if opensslshorthash != state.issuer_name_hash - if cert.issuer_key_hash != state.issuer_hash { - warn!("Certificate {} is not known. Hash is not okay. Expected: {}. Got {}", hex::encode(&cert.serial_num), hex::encode(&cert.issuer_key_hash),hex::encode(&state.issuer_hash)); - } else { - status = match checkcert(state, &num) { - Ok(status) => status, - Err(default) => { - error!("Cannot connect to database: {}", default.to_string()); - return Ok(( - custom, - signnonvalidresponse(OcspRespStatus::TryLater).unwrap(), - )); - } - }; + let nonce = match state.caching { + true => None, + false => { + let nonce = tbs.clone().map_or_else( + || None, + |f| { + let mut vec: Vec> = f + .iter() + .filter_map(|p| { + if let OcspExt::Nonce { nonce: d } = p.ext.clone() { + Some(d) + } else { + None + } + }) + .collect(); + if vec.len() != 1 { + None + } else { + Some(vec.pop().unwrap()) + } + }, + ); + nonce.map(|d| { + OcspExtI { + id: 0, + ext: ocsp::common::ocsp::OcspExt::Nonce { nonce: d.to_vec() }, + } + }) + } + }; + if let Some(nonce) = nonce { + extensions.push(nonce); } + if state.revocextended { + let revoked = OcspExtI { + id: 8, + ext: ocsp::common::ocsp::OcspExt::ExtendedRevocation + }; + extensions.push(revoked); + }; + //Compare that signing certificate is signed by the issuer or the issuer itself https://www.rfc-editor.org/rfc/rfc6960 + let status = match (cert.issuer_key_hash == state.issuer_hash.0,state.issuer_hash.1 == cert.issuer_key_hash, state.issuer_hash.2) { + (true,..) | (..,true, true) => { + if state.issuer_hash.1 == cert.issuer_key_hash && state.issuer_hash.2 { + trace!("Certificate is matching issuer. 
Providing certificate."); + needthecert = true; + } else { + trace!("Certificate is the issuer."); + } + match checkcert(state, &num, state.revocextended) { + Ok(status) => status, + Err(default) => { + error!("Cannot connect to database: {}", default.to_string()); + return Ok(( + custom, + signnonvalidresponse(OcspRespStatus::TryLater).unwrap(), + )); + } + } + }, + (..,true,false) if !state.issuer_hash.2 => { + error!("Certificate used has not OCSP signing extended key usage and cannot sign OCSP!"); + return Ok(( + custom, + signnonvalidresponse(OcspRespStatus::TryLater).unwrap(), + )); + } + _ => { + warn!( + "Certificate {} is not known. Hash is not okay. Got: {}. Expected one of {}/{}", + hex::encode(&cert.serial_num), + hex::encode(&cert.issuer_key_hash), + hex::encode(&state.issuer_hash.0), + hex::encode(&state.issuer_hash.1) + ); + CertStatus::new(CertStatusCode::Unknown, None) + } + }; + /* let mut extension = OcspExtI { + id: i2b_oid(ocsp::common::asn1::Oid::new_from_dot(OCSP_EXT_EXTENDED_REVOKE_DOT)), + ext: ocsp::common::ocsp::OcspExt::CrlRef { url: None, num: Some(OCSP_EXT_EXTENDED_REVOKE_HEX.to_vec()), time: None } + }; + let resp = createocspresponse(cert, status, Some(state.cachedays), None, None, Some(vec![extension])); */ let resp = createocspresponse(cert, status, Some(state.cachedays), None, None, None); if resp.is_err() { error!("Error creating OCSP response."); @@ -382,7 +486,9 @@ async fn upload<'a>( responses.push(resp); } let certnum = num; - let result = signresponse(&state.issuer_hash, &state.rsakey, responses); + let extensions = if extensions.is_empty() { None } else { Some(extensions)}; + let needthecert: Option> = if needthecert { Some(vec!(state.cert.clone())) } else {None}; + let result = signresponse(&state.issuer_hash.0, &state.rsakey, responses, extensions, needthecert); if result.is_err() { warn!( "Unable to parse ocsp request, due to {:?}.", 
@@ -396,6 +502,7 @@ async fn upload<'a>( let result = result.unwrap(); let response = signvalidresponse(result); if response.is_err() { + error!("Cannot sign the response."); return Ok(( custom, signnonvalidresponse(OcspRespStatus::MalformedReq).unwrap(), 
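Review bot: The added `error!("Cannot sign the response.")` records a server-side failure, but the line below still answers the client with `OcspRespStatus::MalformedReq`, which tells it to fix its request; RFC 6960 §2.3 reserves `internalError` for this case, and if the `ocsp` crate exposes that status it should be returned here (the crate's variant names are not visible in this diff). `upload` continues outside the hunk.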
@@ -414,41 +521,82 @@ async fn upload<'a>( } } } - info!("Send response for certificate {}",&certnum); + info!("Send response for {} to {}", &certnum,address.ip()); Ok((custom, response)) } -fn getprivatekey(data: T) -> Result where T: AsRef<[u8]> { +fn getprivatekey(data: T) -> Result +where + T: AsRef<[u8]>, +{ ring::rsa::KeyPair::from_pkcs8(data.as_ref()) } #[launch] fn rocket() -> _ { - let config = Fileconfig::from_config_file("config.toml").unwrap(); - let file = fs::read_to_string(config.itcert).unwrap(); - let certpem = x509_parser::pem::parse_x509_pem(file.as_bytes()).unwrap().1; - let certpem = certpem.parse_x509().unwrap(); - /* let parsed = certpem.get_extension_unique(&OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER).unwrap().unwrap().parsed_extension(); + let config = Fileconfig::from_config_file("config.toml").expect("No config file found."); + let file = fs::read_to_string(config.itcert).expect("Intermediate cert is not found"); + let file2 = pem_parser::pem_to_der(&file); + let certpem = x509_parser::pem::parse_x509_pem(file.as_bytes()).expect("Invalid intermediate certificate.").1; + let certpem = certpem.parse_x509().expect("Invalid intermediate certificate."); + /* let parsed = certpem + .get_extension_unique(&OID_X509_EXT_SUBJECT_KEY_IDENTIFIER) + .unwrap() + .unwrap() + .parsed_extension(); let issuerkey = match parsed { - ParsedExtension::AuthorityKeyIdentifier(a) => a, + ParsedExtension::SubjectKeyIdentifier(a) => a, + _ => { + panic!("Error getting key"); + } + }; */ + let isocsp = certpem + .extended_key_usage() + .unwrap() + .map_or(false, |f| f.value.ocsp_signing || f.value.any); + if !isocsp { + eprintln!("Your certificate does not have OCSP signing extended key usage. 
If it is not the issuer, the application won't sign the response.") + } + //let subjectkey = format!("{:x}", issuerkey).to_uppercase().replace(":", ""); + let parsed = certpem + .get_extension_unique(&OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER) + .unwrap() + .unwrap() + .parsed_extension(); + let issuerkey = match parsed { + ParsedExtension::AuthorityKeyIdentifier(a) => a.key_identifier.as_ref().unwrap(), _ => { panic!("Error getting key"); } }; - //TODO: Marche pas - let issuerkey = &issuerkey.key_identifier; - let issuerkey = issuerkey.as_ref().unwrap().0; - println!("Data is {}/{}",hex::encode(issuerkey), hex::encode(issuerkey)); */ + //For an unknown reason, subject key identifier is not equal to SHA1 hash key so it is used instead. + let authoritykey = format!("{:x}", issuerkey).to_uppercase().replace(":", ""); let certpempublickey = &certpem.public_key().subject_public_key.data; let sha1key = ring::digest::digest(&SHA1_FOR_LEGACY_USE_ONLY, certpempublickey); //let issuer_name_hash = certpem.subject_name_hash(); let mut key = fs::read(config.itkey).unwrap(); let rsakey = getprivatekey(&key).unwrap(); key.zeroize(); - let port: u16 = u16::try_from(config.port).unwrap(); + let port: u16 = match u16::try_from(config.port) { + Ok(n @ 1..=65535) => { + n + }, + _ => { + panic!("Invalid port number.") + } + }; let config = Config { - issuer_hash: sha1key.as_ref().to_vec(), + issuer_hash: ( + sha1key.as_ref().to_vec(), + //hex::decode(subjectkey).unwrap(), + hex::decode(authoritykey).unwrap(), + isocsp + ), + revocextended: config.revocextended.unwrap_or(false), + cert: file2, + time: config.timeout, //issuer_name_hash, rsakey, cachefolder: config.cachefolder, + caching: config.caching.unwrap_or(true), cachedays: config.cachedays, dbip: config.dbip, dbuser: config.dbuser, 
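Review bot: The chain `.get_extension_unique(&OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER).unwrap().unwrap().parsed_extension()` together with `a.key_identifier.as_ref().unwrap()` panics without a message whenever the signer certificate has no Authority Key Identifier or carries only the issuer/serial form, while the surrounding startup code now uses `expect("…")`; `expect("Signer certificate needs an Authority Key Identifier with a keyIdentifier")` keeps the fail-fast behaviour but names the cause. `isocsp` also accepts `f.value.any`, whereas RFC 6960 §4.2.2.2 designates delegation by the presence of id-kp-OCSPSigning itself, so clients that check the EKU strictly may reject responses from a signer that only has anyExtendedKeyUsage; drop `|| f.value.any` or comment why it is accepted, and the `eprintln!` could become a hard error since `upload` answers every delegated request with `TryLater` in that state anyway. `pem_parser::pem_to_der(&file)` re-parses the PEM that `parse_x509_pem` decodes on the next line; the `Pem` value from `x509_parser` (the `.1` of that tuple) exposes the DER bytes in its `contents` field, which would remove the new git dependency altogether. `rocket()` continues past the hunk.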
@@ -457,7 +605,7 @@ fn rocket() -> _ { }; let path = Path::new(config.cachefolder.as_str()); if !path.exists() { - fs::create_dir_all(path).unwrap(); + fs::create_dir_all(path).expect("Cannot create cache folder"); } rocket::build() .configure(rocket::Config::figment().merge(("port", port)))