|
| 1 | +# Copyright The Notary Project Authors. |
| 2 | +# Licensed under the Apache License, Version 2.0 (the "License"); |
| 3 | +# you may not use this file except in compliance with the License. |
| 4 | +# You may obtain a copy of the License at |
| 5 | +# |
| 6 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 7 | +# |
| 8 | +# Unless required by applicable law or agreed to in writing, software |
| 9 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 10 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 11 | +# See the License for the specific language governing permissions and |
| 12 | +# limitations under the License. |
| 13 | + |
| 14 | +import os |
| 15 | +import argparse |
| 16 | +import subprocess |
| 17 | +import threading |
| 18 | +from http.server import BaseHTTPRequestHandler |
| 19 | +from socketserver import TCPServer |
| 20 | + |
| 21 | +# Global variable to hold the OCSP server process |
| 22 | +ocsp_process = None |
| 23 | +ocsp_lock = threading.Lock() |
| 24 | + |
| 25 | +def start_ocsp_server(config_dir): |
| 26 | + global ocsp_process |
| 27 | + # Start OCSP server in background in config_dir |
| 28 | + cmd = [ |
| 29 | + "openssl", "ocsp", |
| 30 | + "-port", "10087", |
| 31 | + "-index", "demoCA/index.txt", |
| 32 | + "-CA", "root.crt", |
| 33 | + "-rkey", "ocsp.key", |
| 34 | + "-rsigner", "ocsp.crt", |
| 35 | + "-nmin", "5", |
| 36 | + "-text", |
| 37 | + ] |
| 38 | + ocsp_process = subprocess.Popen(cmd, cwd=config_dir) |
| 39 | + print("OCSP server started with PID:", ocsp_process.pid) |
| 40 | + |
| 41 | +def stop_ocsp_server(): |
| 42 | + global ocsp_process |
| 43 | + if ocsp_process: |
| 44 | + ocsp_process.terminate() |
| 45 | + ocsp_process.wait() |
| 46 | + print("OCSP server with PID", ocsp_process.pid, "terminated") |
| 47 | + ocsp_process = None |
| 48 | + |
| 49 | +def restart_ocsp_server(config_dir): |
| 50 | + with ocsp_lock: |
| 51 | + stop_ocsp_server() |
| 52 | + start_ocsp_server(config_dir) |
| 53 | + |
| 54 | +def update_index_file(config_dir, new_content): |
| 55 | + index_path = os.path.join(config_dir, "demoCA", "index.txt") |
| 56 | + with open(index_path, "w") as f: |
| 57 | + f.write(new_content + "\n") |
| 58 | + print("Updated", index_path) |
| 59 | + |
| 60 | +class OCSPRequestHandler(BaseHTTPRequestHandler): |
| 61 | + def do_POST(self): |
| 62 | + response = "" |
| 63 | + # Ensure path is processed without query parameters. |
| 64 | + path = self.path.split("?")[0] |
| 65 | + if path == "/revoke": |
| 66 | + # Revoke: update index.txt with revoked entry |
| 67 | + revoke_content = ("R 21250121012109Z 250214013720Z 520D9B1364D98367711DA2B6A0A0F34B23E3D02A unknown /C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=LeafCert") |
| 68 | + update_index_file(self.server.config_dir, revoke_content) |
| 69 | + restart_ocsp_server(self.server.config_dir) |
| 70 | + response = "OCSP server restarted with index updated (revoke)." |
| 71 | + elif path == "/unrevoke": |
| 72 | + # Unrevoke: update index.txt with valid entry |
| 73 | + unrevoke_content = ("V 21250121012109Z 250214013720Z 520D9B1364D98367711DA2B6A0A0F34B23E3D02A unknown /C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=LeafCert") |
| 74 | + update_index_file(self.server.config_dir, unrevoke_content) |
| 75 | + restart_ocsp_server(self.server.config_dir) |
| 76 | + response = "OCSP server restarted with index updated (unrevoke)." |
| 77 | + elif path == "/unknown": |
| 78 | + # Unknown endpoint |
| 79 | + empty_content = "" |
| 80 | + update_index_file(self.server.config_dir, empty_content) |
| 81 | + restart_ocsp_server(self.server.config_dir) |
| 82 | + response = "OCSP server restarted with empty index." |
| 83 | + else: |
| 84 | + response = "Invalid endpoint. Use /revoke or /unrevoke." |
| 85 | + |
| 86 | + self.send_response(200) |
| 87 | + self.send_header("Content-type", "text/plain") |
| 88 | + self.end_headers() |
| 89 | + self.wfile.write(response.encode("utf-8")) |
| 90 | + |
| 91 | +class ReusableTCPServer(TCPServer): |
| 92 | + allow_reuse_address = True |
| 93 | + |
| 94 | +def run_server(config_dir, host="localhost", port=10088): |
| 95 | + server_address = (host, port) |
| 96 | + httpd = ReusableTCPServer(server_address, OCSPRequestHandler) |
| 97 | + httpd.config_dir = config_dir # attach config directory to server instance |
| 98 | + print(f"HTTP control server running on {host}:{port}") |
| 99 | + httpd.serve_forever() |
| 100 | + |
| 101 | +if __name__ == "__main__": |
| 102 | + parser = argparse.ArgumentParser( |
| 103 | + description="Start OCSP server control HTTP server." |
| 104 | + ) |
| 105 | + parser.add_argument( |
| 106 | + "--config-dir", |
| 107 | + required=True, |
| 108 | + help="Path to OCSP configuration folder." |
| 109 | + ) |
| 110 | + args = parser.parse_args() |
| 111 | + config_dir = os.path.abspath(args.config_dir) |
| 112 | + # Change to config_dir to ensure all commands run there (optional) |
| 113 | + os.chdir(config_dir) |
| 114 | + # Start the OCSP server in background |
| 115 | + start_ocsp_server(config_dir) |
| 116 | + # Run HTTP control server on port 10088 |
| 117 | + run_server(config_dir) |
0 commit comments