|
4 | 4 | **CipherMQ** is a high-performance, secure message broker designed to transmit encrypted messages between senders and receivers using a push-based architecture. It ensures **zero message loss** and **exactly-once delivery** through robust acknowledgment mechanisms, with messages temporarily held in memory (except for logs and receiver output). The system leverages **hybrid encryption** (RSA + AES-GCM) for message confidentiality and authenticity and **Transport Layer Security (TLS)** for secure client-server communication. |
5 | 5 |
|
6 | 6 | This version introduces TLS support, enhancing transport-layer security, as implemented in `connection.rs` and `main.rs`, with configuration via `config.toml`. The project consists of: |
7 | | -- **Server** (`main.rs`): A Rust-based message broker for routing and delivering messages over TLS or TCP. |
| 7 | +- **Server** (`main.rs`): A Rust-based message broker for routing and delivering messages over TLS. |
8 | 8 | - **Sender** (`Sender.py`): A Python script that encrypts and sends messages in batches with retry logic. |
9 | 9 | - **Receiver** (`Receiver.py`): A Python script that receives, decrypts, deduplicates, and stores messages. |
10 | 10 |
|
11 | 11 | This document provides a comprehensive overview of the architecture, covering server, clients, TLS, encryption, and acknowledgment mechanisms. |
12 | 12 |
|
13 | 13 | ## 2. Architecture Overview |
14 | | -CipherMQ operates as a message broker with **queues** and **exchanges**, supporting both TLS and TCP connections via a text-based protocol. Key features include: |
| 14 | +CipherMQ operates as a message broker with **queues** and **exchanges**, supporting both TLS connections via a text-based protocol. Key features include: |
15 | 15 | - **TLS Support**: Secures client-server communication using `tokio-rustls` (server) and Python’s `ssl` module (clients), configurable via `config.toml`. |
16 | 16 | - **Hybrid Encryption**: Combines RSA for session key encryption and AES-GCM for message encryption and authentication. |
17 | 17 | - **Zero Message Loss**: Sender and server retries with acknowledgments ensure reliable delivery. |
@@ -61,32 +61,17 @@ The server is the core of CipherMQ, managing message routing, delivery, and secu |
61 | 61 | - **reset_stats**: Clears `message_status` and `request_times`. |
62 | 62 |
|
63 | 63 | #### 3.1.3. Connection Management (`connection.rs`, `main.rs`) |
64 | | -- **Protocol**: Text-based protocol over TLS or TCP (e.g., `publish <exchange> <routing_key> <message_json>`). |
| 64 | +- **Protocol**: Text-based protocol over TLS (e.g., `publish <exchange> <routing_key> <message_json>`). |
65 | 65 | - **TLS Support**: |
66 | 66 | - Uses `tokio-rustls` for TLS connections via `TlsConnection` and `TlsAcceptor`. |
67 | 67 | - Loads certificates and keys via `load_tls_config` using `rustls-pemfile`. |
68 | 68 | - Configured in `config.toml` with `connection_type`, `cert_path`, and `key_path`. |
69 | | -- **TCP Support**: Fallback for non-TLS connections using `TcpStream`. |
70 | 69 | - **Asynchronous Handling**: Tokio’s `TcpListener` and `tokio::select!` manage concurrent connections. |
71 | 70 | - **Acknowledgment**: |
72 | 71 | - Sends `ACK <message_id>` to sender after queuing. |
73 | 72 | - Sends `ACK_CONFIRMED <message_id>` to receiver after acknowledgment. |
74 | 73 | - **Error Handling**: Logs errors via `tracing` (e.g., `TLS handshake failed`) and sends error messages to clients. |
75 | 74 |
|
76 | | -#### 3.1.4. Architectural Features |
77 | | -- **Reliability**: Retries unacknowledged messages and checks for duplicates. |
78 | | -- **Concurrency**: `DashMap` and `RwLock` ensure thread-safe operations. |
79 | | -- **Flexibility**: Supports TLS or TCP via `config.toml`. |
80 | | -- **Logging**: Detailed logs for connection, message, and ACK events. |
81 | | - |
82 | | -#### 3.1.5. Configuration (`config.rs`) |
83 | | -- **Config Struct**: |
84 | | - - `connection_type: String`: `tls` or `tcp`. |
85 | | - - `address: String`: Listening address (e.g., `127.0.0.1:5672`). |
86 | | - - `cert_path: Option<String>`: Path to `server.crt` (TLS only). |
87 | | - - `key_path: Option<String>`: Path to `server.key` (TLS only). |
88 | | -- **Loading**: Reads `config.toml` using `toml::from_str`. |
89 | | - |
90 | 75 | ### 3.2. Sender (`Sender.py`) |
91 | 76 | The sender encrypts and sends messages in batches with retry logic. |
92 | 77 |
|
@@ -148,19 +133,6 @@ The receiver retrieves, decrypts, and stores messages. |
148 | 133 | 2. Message is encrypted with AES-GCM, producing `ciphertext`, `nonce`, and `tag`. |
149 | 134 | 3. Receiver decrypts session key with private key (`receiver_private.pem`) and message with AES-GCM, verifying `tag`. |
150 | 135 |
|
151 | | -### 3.5. TLS Implementation |
152 | | -- **Server-Side** (`connection.rs`, `main.rs`): |
153 | | - - Uses `tokio-rustls` to establish TLS connections via `TlsAcceptor`. |
154 | | - - Loads `server.crt` and `server.key` with `load_tls_config` using `rustls-pemfile`. |
155 | | - - Configured via `config.toml` (`connection_type="tls"`, `cert_path`, `key_path`). |
156 | | - - Falls back to `TcpStream` for `connection_type="tcp"`. |
157 | | -- **Client-Side** (`Sender.py`, `Receiver.py`): |
158 | | - - Uses `ssl.SSLContext` with `PROTOCOL_TLS_CLIENT` and `verify_mode=ssl.CERT_REQUIRED`. |
159 | | - - Loads `server.crt` from `server_cert_path` in `config.json`. |
160 | | - - Disables hostname verification for self-signed certificates (`check_hostname=False`, `server_hostname="localhost"`). |
161 | | -- **Security**: Encrypts transport layer, complementing hybrid encryption for messages. |
162 | | -- **Configuration**: Dynamic switching between TLS and TCP via `config.toml`. |
163 | | - |
164 | 136 | ## 4. Component Interactions |
165 | 137 | 1. **Key and Certificate Generation**: |
166 | 138 | - `RSA.py` or OpenSSL generates `receiver_public.pem` and `receiver_private.pem` for hybrid encryption. |
|
0 commit comments