From 0549b425cb46bc85ee05aedd10a45c0b1afff436 Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Wed, 17 Jan 2024 14:15:35 +0100
Subject: [PATCH] - Update test server generation scripts to libOQS 0.9.2 &
nginx 1.25.3 - Dockerfile provides option to re-use root CA if it already
exists, adds note in README about this - Adds HSTS to server config - Adds
note about * designator in test server html
---
nginx/fulltest/Dockerfile | 16 ++++++++++++++--
nginx/fulltest/README.md | 1 +
nginx/fulltest/build_ubuntu.sh | 7 +++++--
nginx/fulltest/genconfig.py | 4 ++--
nginx/fulltest/index-template | 2 ++
5 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/nginx/fulltest/Dockerfile b/nginx/fulltest/Dockerfile
index a4fc5f3a..3258ebce 100644
--- a/nginx/fulltest/Dockerfile
+++ b/nginx/fulltest/Dockerfile
@@ -3,7 +3,7 @@
# First: global build arguments:
# liboqs build type variant; maximum portability of image:
-ARG LIBOQS_VERSION=0.9.0
+ARG LIBOQS_VERSION=0.9.2
ARG OPENSSL_VERSION=master
@@ -26,15 +26,19 @@ ARG SIG_ALG="dilithium3"
ARG DEFAULT_GROUPS=x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024
# define the nginx version to include
-ARG NGINX_VERSION=1.25.2
+ARG NGINX_VERSION=1.25.3
# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing
ARG MAKE_DEFINES="-j"
+# Root CA directory
+ARG CAROOTDIR="/rootca"
+
FROM ubuntu:focal-20230412 as intermediate
# Take in global args
ARG BASEDIR
ARG CONFIGDIR
+ARG CAROOTDIR
ARG LIBOQS_VERSION
ARG OPENSSL_VERSION
ARG OQS_PROVIDER_VERSION
@@ -100,6 +104,8 @@ COPY index-template ${CONFIGDIR}
#COPY chromium-template ${CONFIGDIR}
COPY success.htm ${CONFIGDIR}
COPY OsslAlgParser.scala ${CONFIGDIR}
+# copy existing rootca directory if it exists
+COPY rootc[a] ${CAROOTDIR}
RUN for i in 128 192 256; do echo "seclevel:$i"; OPENSSL_MODULES=${OSSLDIR}/lib64/ossl-modules /opt/openssl/apps/openssl list -provider oqsprovider -propquery oqsprovider.security_bits=$i -kem-algorithms; done | scala -nobootcp -nc OsslAlgParser.scala key_exchanges >> oqsprovider_alglist.py
RUN for i in 128 192 256; do echo "seclevel:$i"; OPENSSL_MODULES=${OSSLDIR}/lib64/ossl-modules /opt/openssl/apps/openssl list -provider oqsprovider -propquery oqsprovider.security_bits=$i -signature-algorithms; done | scala -nobootcp -nc OsslAlgParser.scala signatures >> oqsprovider_alglist.py
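Review bot: `COPY rootc[a] ${CAROOTDIR}` writes the root CA private key from `rootca/CA.key` into an image layer of the intermediate stage, and the `COPY --from=intermediate ${CAROOTDIR}` plus the `tar czvf oqs-testserver-rootca-…` step in the last Dockerfile hunk repeat this in the final stage, so anyone who can pull or `docker save` the `oqs-nginx-fulltest-provider` image obtains the signing key regardless of the file permissions on the build host. If the image is only ever used locally as a carrier for the `docker cp` step this may be acceptable, but it should be stated next to the COPY, e.g. `# NOTE: this bakes CA.key into image layers - never push this image to a registry`; a BuildKit `RUN --mount=type=secret,...` for the step that consumes the key together with a `docker build --output` export of the generated artefacts would keep the key out of layers entirely. The `rootc[a]` pattern also deserves a comment, since its purpose is not obvious: `# glob trick: matches nothing (and does not fail) when ./rootca is absent, so the build falls back to generating a new CA`. Whether a later step creates ${CAROOTDIR} when the directory is absent is outside this hunk; if it does not, the `COPY --from=intermediate ${CAROOTDIR} ${CAROOTDIR}` in the final stage will fail on a fresh checkout.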
@@ -130,6 +136,7 @@ FROM ubuntu:focal-20230412
ARG LIBOQS_BUILD_DEFINES
ARG LIBOQS_VERSION
ARG INSTALLDIR
+ARG CAROOTDIR
ARG SIG_ALG
ARG BASEDIR
ARG OSSLDIR=${BASEDIR}/openssl/.openssl
@@ -143,5 +150,10 @@ RUN apt update && apt install -y libpcre3 libpcre3-dev
# Only retain the ${*_PATH} contents in the final image
COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR}
COPY --from=intermediate ${OSSLDIR} ${OSSLDIR}
+COPY --from=intermediate ${CAROOTDIR} ${CAROOTDIR}
+# Package for deployment
RUN tar czvf oqs-nginx-${LIBOQS_VERSION}.tgz ${BASEDIR}
+
+# Package for root CA cert and key
+RUN tar czvf oqs-testserver-rootca-${LIBOQS_VERSION}.tgz ${CAROOTDIR}
\ No newline at end of file
diff --git a/nginx/fulltest/README.md b/nginx/fulltest/README.md
index 9b824436..6366bc5a 100644
--- a/nginx/fulltest/README.md
+++ b/nginx/fulltest/README.md
@@ -7,6 +7,7 @@ This folder contains all scripts to [build a QSC-enabled nginx server running on
- presence of oqs-openssl common definitions file `common.py` (as stored at https://raw.githubusercontent.com/open-quantum-safe/oqs-provider/main/scripts/common.py).
- presence of Docker on the build machine to run the build process, the guest OS needs to be able to mount host directories for Docker (i.e. on Linux, SELinux permissions might be needed).
- presence on the target deploy server (i.e., at the machine designated at TESTFQDN) of a properly deployed [LetsEncrypt server certificate](https://letsencrypt.org/getting-started).
+- (optional) presence of a root CA certificate and key in `rootca/CA.crt` and `rootca/CA.key`, respectively. If the directory `rootca` is not present on the build machine, a new root CA will be generated by the build script.
By default, the server is built to a specific set of versions of `liboqs`, `openssl`, `oqs-provider` and `nginx`. These versions are encoded in `build-ubuntu.sh` and may be changed/upgraded there.
diff --git a/nginx/fulltest/build_ubuntu.sh b/nginx/fulltest/build_ubuntu.sh
index 5a7585fb..07b106ce 100755
--- a/nginx/fulltest/build_ubuntu.sh
+++ b/nginx/fulltest/build_ubuntu.sh
@@ -8,5 +8,8 @@
# Build package
docker build --no-cache -t oqs-nginx-fulltest-provider .
-# Copy tar from image
-docker cp $(docker create oqs-nginx-fulltest-provider:latest):oqs-nginx-0.9.0.tgz .
+# Copy deployment tar from image
+docker cp $(docker create oqs-nginx-fulltest-provider:latest):oqs-nginx-0.9.2.tgz .
+
+# Copy root ca tar from image
+docker cp $(docker create oqs-nginx-fulltest-provider:latest):oqs-testserver-rootca-0.9.2.tgz .
\ No newline at end of file
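Review bot: Each of the two `docker cp $(docker create …)` lines creates a throw-away container that is never removed, so every run of the script now leaks two stopped containers (the pre-existing line leaked one); create the container once, copy both archives from it, and remove it afterwards. The literal `0.9.2` in both archive names duplicates `ARG LIBOQS_VERSION` from the Dockerfile and will silently break the copy on the next bump, so passing the version from a single variable via `--build-arg`, or matching the archive name with a glob, would remove the duplication. The extracted `oqs-testserver-rootca-0.9.2.tgz` contains the CA private key, which the comment should say, e.g. `# Copy root CA tar (contains CA.key - keep private) from image`.

```shell
# … unchanged: docker build … step …
# Copy deployment and root CA tars from one throw-away container, then remove it
CID=$(docker create oqs-nginx-fulltest-provider:latest)
docker cp "$CID":oqs-nginx-0.9.2.tgz .
# root CA tar contains CA.key - keep private
docker cp "$CID":oqs-testserver-rootca-0.9.2.tgz .
docker rm "$CID" >/dev/null
```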
diff --git a/nginx/fulltest/genconfig.py b/nginx/fulltest/genconfig.py
index 200edb91..a91ea446 100644
--- a/nginx/fulltest/genconfig.py
+++ b/nginx/fulltest/genconfig.py
@@ -182,12 +182,12 @@ def gen_conf(filename, indexbasefilename, chromiumfilename):
f.write(" access_log /opt/nginx/logs/80-access.log;\n")
f.write(" error_log /opt/nginx/logs/80-error.log;\n\n")
f.write(" location / {\n")
- f.write(" root html;\n")
- f.write(" index "+indexbasefilename+";\n")
+ f.write(" return 301 https://$host$request_uri;\n")
f.write(" }\n")
f.write("}\n")
f.write("server {\n")
f.write(" listen 443 ssl;\n")
+ f.write(" add_header Strict-Transport-Security \"max-age=2592000\" always;\n")
f.write(" server_name "+TESTFQDN+";\n")
f.write(" access_log /opt/nginx/logs/443-access.log;\n")
f.write(" error_log /opt/nginx/logs/443-error.log;\n\n")
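Review bot: The added `add_header Strict-Transport-Security \"max-age=2592000\" always;` line carries a magic number with no explanation of why this lifetime was chosen; suggest a comment above it, `# HSTS for 30 days (2592000 s): short enough that the test host can be taken back to plain HTTP without a long client lockout`. nginx inherits `add_header` into a `location` block only when that block declares no `add_header` of its own, so if any location inside this 443 server (outside the hunk) adds headers, the HSTS header would have to be repeated there; the remainder of gen_conf should be checked for that. Browsers apply HSTS to the whole host name, so clients that have seen this header will presumably also upgrade http:// requests on the other per-algorithm test ports of TESTFQDN; that is fine only if every one of them serves TLS, which is worth confirming. gen_conf begins and continues outside this hunk.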
diff --git a/nginx/fulltest/index-template b/nginx/fulltest/index-template
index 1a61e65c..a357c049 100644
--- a/nginx/fulltest/index-template
+++ b/nginx/fulltest/index-template
@@ -82,6 +82,8 @@ tr:nth-child(even) {
For automated testing, a JSON file encoding all available SIG/KEM combinations and the respective ports where they can be found is available for download here. We explicitly want to warn that algorithm/port combinations are subject to change. Be sure to download the most current JSON file before testing.
+Note: The designator "*" below for key exchange algorithms should not be understood that the port referenced supports any possible KEM, but only all those KEMs configured into the underlying nginx server as default groups. This can be set when building the server via the DEFAULT_GROUPS configuration option. The default algorithm list is:
x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024.
+