From 5a5e4d2d68601eb9308b4f060a29076aa6852fce Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Mon, 13 Apr 2015 20:22:08 +0200 Subject: catlfish-0.6.0. --- NEWS.md | 27 ++++++++++++++------- README.md | 4 ++-- doc/minimalsystem.txt | 43 ++++++++++++++++++---------------- ebin/catlfish.app | 4 ++-- packaging/docker/catlfish-dev/start.sh | 2 +- reltool.config | 8 +------ verifycert.erl | 2 +- 7 files changed, 49 insertions(+), 41 deletions(-) diff --git a/NEWS.md b/NEWS.md index 3faccab..f8373bd 100644 --- a/NEWS.md +++ b/NEWS.md @@ -1,15 +1,26 @@ -# Changes in version 0.6.0-dev +# Changes in version 0.6.0 - 2015-04-13 ## Features -- Implement pre-cert handling and get-entry-and-proof. Now fully +- Pre-cert handling and get-entry-and-proof implemented. Now fully RFC6962 protocol compliant. -- Add tools for merging, submitting certs and verifying - SCT's. Separate code base from catlfish and plop. - -## Bugfixes - -- Deliver valid SCT's. +- Submitted X.509 certificates and their chains are now validated. +- Application split into frontend, storage, signing and merge nodes. + Docker packaging added for running them. +- Tools for merging, submitting certs and verifying SCT's added. This + is a separate code base from catlfish and plop. +- A config compiler was added making it possible to generate Erlang + syntax configuration for a complex system from simpler yaml files. +- SCT caching added, not enabled by default. + +## Internal bigger changes + +- Add Erlang release management and a more controlled start process. +- Use mochiweb for serving httpd (replacing inets) and json encoding + and decoding (replacing jiffy). +- Add system and unit tests. +- catlfish/plop interface clean up. +- Use lager for logging and hackney for http client. # Changes in version 0.1.1 - 2014-09-20 diff --git a/README.md b/README.md index 5d3363f..4aaca34 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ use the rebar from lager by adding "REBAR=../lager/rebar" to the make command line, or install rebar yourself. In order to perform merge operations, the following software packages -are needed: python-ecdsa, python-yaml +are needed: python-ecdsa, python-yaml. # Compile @@ -45,7 +45,7 @@ To submit a test cert and verify the resulting SCT: # Logs and traces -Logs can be found in log/. +Logs can be found in catlfish/log/. The amount of log sent to the console can be adjusted at runtime using diff --git a/doc/minimalsystem.txt b/doc/minimalsystem.txt index 9a097e5..061b6cc 100644 --- a/doc/minimalsystem.txt +++ b/doc/minimalsystem.txt @@ -25,7 +25,7 @@ Setting up the environment This will configure the servers to run on 127.0.0.1 port 8080, 8081, and 8082. If you want to change that, change the configuration files -in `test/config`. +`test/*.cfg`. Starting the servers -------------------- @@ -35,47 +35,50 @@ Starting the servers Submitting certificates ----------------------- - tools/submitcert.py --store tools/testcerts/cert1.txt --check-sct --sct-file=/tmp/cert1-sct https://127.0.0.1:8080/ + tools/submitcert.py --store tools/testcerts/cert1.txt \ + --check-sct --sct-file=/tmp/cert1-sct https://127.0.0.1:8080/ This submits the certificate (in PEM format) in the file -`tools/testcerts/cert1.txt` and appends the SCT to the file +`tools/testcerts/cert1.txt` and appends the resulting SCT to the file `/tmp/cert1-sct`. It also checks the signature of the SCT. -If you want to submit all the files in a -directory, use the directory name with a `/` at the end, for example -`tools/testcerts/`. +If you want to submit all the files in a directory, name directory +with a `/` at the end, for example `tools/testcerts/`. -Running merge -------------- +Running merge once +------------------ - tools/merge.py --baseurl https://127.0.0.1:8080/ \ - --frontend https://127.0.0.1:8082/ \ - --storage https://127.0.0.1:8081/ \ - --mergedb rel/mergedb \ - --keyfile rel/test/eckey.pem \ - --own-keyname merge-1 \ - --own-keyfile rel/privatekeys/merge-1-private.pem + tools/merge.py --config test/catlfish-test.cfg + --localconfig test/catlfish-test-local-merge.cfg This will read the submitted certificates from the storage node, decide the order, and publish the certificates to the frontend server. If you want to run the system continuously, run the merge command in -cron or in a while loop. +cron or in a while loop. See `packaging/docker/catlfish-dev/merge.sh` +for an example of the latter. Verifying SCT:s --------------- - tools/verifysct.py --sct-file /tmp/cert1-sct https://127.0.0.1:8080/ + tools/verifysct.py --sct-file /tmp/cert1-sct \ + --publickey=tests/keys/logkey.pem \ + --cafile tests/httpsca/demoCA/cacert.pem \ + https://127.0.0.1:8080/ -This verifies that all the SCT:s in the file `/tmp/cert1-sct` are -actually in the log. +This verifies that all the certs corresponding to the SCT:s in the +file `/tmp/cert1-sct` are actually present in the log. Running a monitor ----------------- An easy way to run a monitor is: - while true; do ./fetchallcerts.py --store /tmp/testcert1 --write-sth https://127.0.0.1:8080/ ; sleep 10; done + while true; do + ./fetchallcerts.py --store /tmp/testcert1 \ + --write-sth https://127.0.0.1:8080/; + sleep 10 + done This will fetch all the certificates in a log, verify the consistency proof between the old and new versions, and save the new STH. diff --git a/ebin/catlfish.app b/ebin/catlfish.app index 2101a24..2b63b4d 100644 --- a/ebin/catlfish.app +++ b/ebin/catlfish.app @@ -1,11 +1,11 @@ -%%% Copyright (c) 2014, NORDUnet A/S. +%%% Copyright (c) 2014-2015, NORDUnet A/S. %%% See LICENSE for licensing information. %% Application resource file for catlfish. {application, catlfish, [{description, "catlfish -- Certificate Transparency Log Server"}, - {vsn, "0.6.0-dev"}, + {vsn, "0.6.0"}, {modules, [catlfish, catlfish_app, catlfish_sup, catlfish_web, v1, x509]}, {applications, [kernel, stdlib, plop, lager, mochiweb, idna, asn1, crypto]}, {mod, {catlfish_app, []}}]}. diff --git a/packaging/docker/catlfish-dev/start.sh b/packaging/docker/catlfish-dev/start.sh index 8b3697d..d39205c 100755 --- a/packaging/docker/catlfish-dev/start.sh +++ b/packaging/docker/catlfish-dev/start.sh @@ -12,7 +12,7 @@ case $role in "exec $erlbase/bin/erl -config catlfish" ;; merge) - ERL_LIBS=$erlbase/lib/catlfish-0.6.0-dev.ez/catlfish-0.6.0-dev + ERL_LIBS=$erlbase/lib/catlfish-0.6.0.ez/catlfish-0.6.0 ERL_LIBS=$ERL_LIBS:$erlbase/lib/lager-2.1.1.ez/lager-2.1.1 export ERL_LIBS $erlbase/merge.sh 60 3600 $database > merge_log/stdout 2> merge_log/stderr diff --git a/reltool.config b/reltool.config index 07f8ded..97b7444 100644 --- a/reltool.config +++ b/reltool.config @@ -2,13 +2,7 @@ {sys, [ {erts, [{mod_cond, derived}, {app_file, strip}]}, {app_file, strip}, - {rel, "catlfish", "0.6.0-dev", - [ - kernel, - stdlib, - sasl, - catlfish - ]}, + {rel, "catlfish", "0.6.0", [kernel, stdlib, sasl, catlfish]}, {boot_rel, "catlfish"}, {profile, standalone}, {incl_sys_filters, ["^bin/", "^erts-.*/", "^lib"]}, diff --git a/verifycert.erl b/verifycert.erl index d364adf..1aad2a6 100755 --- a/verifycert.erl +++ b/verifycert.erl @@ -1,6 +1,6 @@ #!/usr/bin/env escript %% -*- erlang -*- -%%! -pa lib/catlfish-0.6.0-dev.ez/catlfish-0.6.0-dev/ebin -pa lib/lager-2.1.1.ez/lager-2.1.1/ebin +%%! -pa lib/catlfish-0.6.0.ez/catlfish-0.6.0/ebin -pa lib/lager-2.1.1.ez/lager-2.1.1/ebin write_reply(Bin) -> Length = size(Bin), -- cgit v1.1