Merge pull request #11 from bwesterb/lvalenta/mtcd

Add http module and mtcd server

Author: bwesterb

README.md

@@ -42,7 +42,7 @@ for improvement.
 To play around with MTC, you can install the `mtc` commandline tool:
 
 ```
-$ go install github.com/bwesterb/mtc/cmd/mtc@v0.1.1
+$ go install github.com/bwesterb/mtc/cmd/mtc@v0.1.2
 ```
 
 ### Assertions
@@ -386,3 +386,54 @@ authentication path
 
 This is indeed the root of the `0`th batch, and so this certificate is valid.
 
+### Spin up an HTTP server with `mtcd`
+
+Run an HTTP server in the background to serve static files, accept queue
+requests, periodically issue new batches of certificate, and serve issued
+certificates.
+
+```
+$ go install github.com/bwesterb/mtc/cmd/mtcd@v0.1.2
+```
+
+Start the server.
+```
+$ mtcd --listen-addr 8080 --ca-path .
+```
+
+Get and inspect CA parameters.
+```
+$ curl -X GET "http://localhost:8080/static/mtc/v1/ca-params" -o ca-params
+$ mtc inspect ca-params ca-params
+issuer         123.4.5
+start_time       1739593848 2025-02-14 23:30:48 -0500 EST
+batch_duration     300    5m0s
+life_time       3600    1h0m0s
+storage_window_size  24     2h0m0s
+validity_window_size  12
+http_server      localhost:8080
+public_key fingerprint ml-dsa-87:be1903a366b462b7b4e0010120d4b38279bbf4e350559b95e93671dbc4b821fc
+```
+
+Queue up the assertion created in above.
+```
+$ curl -X POST "http://localhost:8080/ca/queue" --data-binary "@my-assertion" -w "%{http_code}"
+200
+```
+
+Wait 5 minutes for the next batch and retrieve the certificate from the CA server.
+```
+$ curl -X POST "http://localhost:8080/ca/cert" --data-binary "@my-assertion" -o my-cert
+$ mtc inspect -ca-params ca-params cert my-cert
+subject_type   TLS
+signature_scheme p256
+public_key_hash f3ee2efd8bc3dd01ab924d12ee0bc5661866a4b147fcdc6881b5455c9084c973
+dns       [example.com]
+ip4       [198.51.100.60]
+proof_type   merkle_tree_sha256
+CA OID     123.4.5
+Batch number  991
+index      0
+recomputed root 27a893fa1f864f97b2c2073f784bfd6bbcd1b2deb3d8aafbdd18b09ac10bc430
+authentication path
+```

ca/ca.go

@@ -946,7 +946,7 @@ func (h *Handle) issueBatchTo(dir string, batch mtc.Batch, empty bool) error {
 
 	defer treeW.Close()
 
-	err = tree.WriteTo(treeW)
+	_, err = tree.WriteTo(treeW)
 	if err != nil {
 		return fmt.Errorf("writing out %s: %w", treePath, err)
 	}

cmd/mtc/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"errors"
+
 	"github.com/bwesterb/mtc"
 	"github.com/bwesterb/mtc/ca"
 	"github.com/urfave/cli/v2"
@@ -126,7 +127,7 @@ func assertionFromFlagsUnchecked(cc *cli.Context) (*ca.QueuedAssertion, error) {
 	if cc.String("checksum") != "" {
 		checksum, err = hex.DecodeString(cc.String("checksum"))
 		if err != nil {
-			fmt.Errorf("Parsing checksum: %w", err)
+			return nil, fmt.Errorf("parsing checksum: %w", err)
 		}
 	}
 

cmd/mtcd/main.go

@@ -0,0 +1,121 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log/slog"
+	"os"
+	"os/signal"
+	gopath "path"
+	"syscall"
+	"time"
+
+	"github.com/bwesterb/mtc"
+	"github.com/bwesterb/mtc/ca"
+	"github.com/bwesterb/mtc/http"
+	"golang.org/x/sync/errgroup"
+)
+
+func main() {
+	var path, listenAddr string
+
+	flag.StringVar(&path, "ca-path", ".", "the path to the CA state. Defaults to the current directory.")
+	flag.StringVar(&listenAddr, "listen-addr", "", "the TCP address for the server to listen on, in the form 'host:port'.")
+	flag.Parse()
+
+	if listenAddr == "" {
+		var p mtc.CAParams
+		buf, err := os.ReadFile(gopath.Join(path, "www", "mtc", "v1", "ca-params"))
+		if err != nil {
+			slog.Error("failed to read ca-params", slog.Any("err", err))
+			os.Exit(1)
+		}
+		if err := p.UnmarshalBinary(buf); err != nil {
+			slog.Error("failed to unmarshal ca-params", slog.Any("err", err))
+			os.Exit(1)
+		}
+		listenAddr = p.HttpServer
+	}
+
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill, syscall.SIGQUIT, syscall.SIGTERM)
+	defer cancel()
+
+	srv := http.NewServer(path, listenAddr)
+
+	slog.Info("starting mtcd")
+
+	g, ctx := errgroup.WithContext(ctx)
+
+	g.Go(func() error {
+		<-ctx.Done()
+		slog.Info("context done, preparing to exit")
+		if err := srv.Shutdown(ctx); err != nil {
+			slog.Error("could not gracefully close server", slog.Any("err", err))
+		}
+		return nil
+	})
+
+	g.Go(func() error {
+		if err := srv.ListenAndServe(); err != nil {
+			return fmt.Errorf("could not start server: %w", err)
+		}
+		return nil
+	})
+
+	g.Go(func() error {
+		h, err := ca.Open(path)
+		if err != nil {
+			slog.Error("could not start issuance loop", slog.Any("err", err))
+			return nil
+		}
+		h.Close()
+		if err := issue(path, ctx); err != nil {
+			return fmt.Errorf("could not start issuance loop: %w", err)
+		}
+		return nil
+	})
+
+	if err := g.Wait(); err != nil {
+		slog.Info("unexpected errgroup error, exiting", slog.Any("err", err))
+		os.Exit(1)
+	}
+}
+
+func issue(path string, ctx context.Context) error {
+	h, err := ca.Open(path)
+	if err != nil {
+		return err
+	}
+	params := h.Params()
+	err = h.Issue()
+	if err != nil {
+		return err
+	}
+	h.Close()
+	for {
+		batchTime := params.NextBatchAt(time.Now())
+		now := time.Now()
+		if batchTime.After(now) {
+			slog.Info("Sleeping until next batch", slog.Any("at", batchTime.UTC()))
+			select {
+			case <-ctx.Done():
+				return nil
+			case <-time.After(time.Until(batchTime)):
+			}
+		}
+
+		if err = issueOnce(path); err != nil {
+			return err
+		}
+	}
+}
+
+func issueOnce(path string) error {
+	h, err := ca.Open(path)
+	if err != nil {
+		return err
+	}
+	defer h.Close()
+	return h.Issue()
+}

go.mod

@@ -14,5 +14,6 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	golang.org/x/sync v0.11.0
 	golang.org/x/sys v0.30.0 // indirect
 )

go.sum

@@ -1,7 +1,3 @@
-github.com/cloudflare/circl v1.3.9 h1:QFrlgFYf2Qpi8bSpVPK1HBvWpx16v/1TZivyo7pGuBE=
-github.com/cloudflare/circl v1.3.9/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
-github.com/cloudflare/circl v1.5.0 h1:hxIWksrX6XN5a1L2TI/h53AGPhNHoUBo+TD1ms9+pys=
-github.com/cloudflare/circl v1.5.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
 github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
@@ -14,13 +10,11 @@ github.com/urfave/cli/v2 v2.27.1 h1:8xSQ6szndafKVRmfyeUMxkNUJQMjL1F2zmsZ+qHpfho=
 github.com/urfave/cli/v2 v2.27.1/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ=
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
 golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA=
 golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
-golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
-golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

http/server.go

@@ -0,0 +1,154 @@
+package http
+
+import (
+	"context"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"path"
+	"time"
+
+	"github.com/bwesterb/mtc"
+	"github.com/bwesterb/mtc/ca"
+)
+
+type Server struct {
+	server *http.Server
+}
+
+func NewServer(caPath string, listenAddr string) *Server {
+
+	mux := http.NewServeMux()
+	mux.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir(path.Join(caPath, "www")))))
+	mux.HandleFunc("/ca/queue", handleCaQueue(caPath))
+	mux.HandleFunc("/ca/cert", handleCaCert(caPath))
+
+	return &Server{
+		server: &http.Server{
+			Handler:      mux,
+			Addr:         listenAddr,
+			WriteTimeout: 15 * time.Second,
+			ReadTimeout:  15 * time.Second,
+		}}
+}
+
+func (s *Server) ListenAndServe() error {
+	if err := s.server.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
+		return err
+	}
+	return nil
+}
+
+func (s *Server) Shutdown(ctx context.Context) error {
+	return s.server.Shutdown(ctx)
+}
+
+func assertionFromRequestUnchecked(r *http.Request) (*ca.QueuedAssertion, error) {
+
+	var (
+		checksum []byte
+		err      error
+	)
+
+	checksumParam := r.URL.Query().Get("checksum")
+	if checksumParam != "" {
+		checksum, err = hex.DecodeString(checksumParam)
+		if err != nil {
+			return nil, err
+		}
+	}
+	var a mtc.Assertion
+	switch r.Method {
+	case http.MethodPost:
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			return nil, err
+		}
+		defer r.Body.Close()
+
+		err = a.UnmarshalBinary(body)
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, fmt.Errorf("unsupported HTTP method: %v", r.Method)
+	}
+
+	return &ca.QueuedAssertion{
+		Assertion: a,
+		Checksum:  checksum,
+	}, nil
+}
+
+func assertionFromRequest(r *http.Request) (*ca.QueuedAssertion, error) {
+	qa, err := assertionFromRequestUnchecked(r)
+	if err != nil {
+		return nil, err
+	}
+
+	err = qa.Check()
+	if err != nil {
+		return nil, err
+	}
+
+	return qa, nil
+}
+
+func handleCaQueue(path string) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		h, err := ca.Open(path)
+		if err != nil {
+			http.Error(w, "failed to open CA", http.StatusInternalServerError)
+			return
+		}
+		defer h.Close()
+		qa, err := assertionFromRequest(r)
+		if err != nil {
+			http.Error(w, "invalid assertion", http.StatusBadRequest)
+			return
+		}
+
+		err = h.Queue(qa.Assertion, qa.Checksum)
+		if err != nil {
+			http.Error(w, "failed to queue assertion", http.StatusInternalServerError)
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+	}
+}
+
+func handleCaCert(path string) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		h, err := ca.Open(path)
+		if err != nil {
+			http.Error(w, "failed to open CA", http.StatusInternalServerError)
+			return
+		}
+		defer h.Close()
+		qa, err := assertionFromRequest(r)
+		if err != nil {
+			http.Error(w, "invalid assertion", http.StatusBadRequest)
+			return
+		}
+
+		cert, err := h.CertificateFor(qa.Assertion)
+		if err != nil {
+			http.Error(w, "failed to get certificate for assertion", http.StatusBadRequest)
+			return
+		}
+
+		buf, err := cert.MarshalBinary()
+		if err != nil {
+			http.Error(w, "failed to marshal certificate", http.StatusInternalServerError)
+			return
+		}
+
+		_, err = w.Write(buf)
+		if err != nil {
+			http.Error(w, "failed to write response", http.StatusInternalServerError)
+			return
+		}
+	}
+}