Skip to content

Commit

Permalink
tls.GenerateTLS
Browse files Browse the repository at this point in the history
  • Loading branch information
@metachris
metachris committed Nov 20, 2024
1 parent 4f09e55 commit 8a61408
Showing 1 changed file with 83 additions and 0 deletions.
83 changes: 83 additions & 0 deletions tls/tls_generate.go
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
package proxy

Check failure on line 1 in tls/tls_generate.go

View workflow job for this annotation

GitHub Actions / Lint 

at least one file in a package should have a package comment (ST1000)

import (
"bytes"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"net"
"time"
)

// GenerateTLS generated a TLS certificate and key.
// based on https://go.dev/src/crypto/tls/generate_cert.go
// - `hosts`: a list of ip / dns names to include in the certificate
func GenerateTLS(validFor time.Duration, hosts []string) (cert, key []byte, err error) {
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, err
}
keyUsage := x509.KeyUsageDigitalSignature

notBefore := time.Now()
notAfter := notBefore.Add(validFor)

serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return nil, nil, err
}

template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Acme"},
},
NotBefore: notBefore,
NotAfter: notAfter,

KeyUsage: keyUsage,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}

for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}

// certificate is its own CA
template.IsCA = true
template.KeyUsage |= x509.KeyUsageCertSign

derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return nil, nil, err
}

var certOut bytes.Buffer
if err = pem.Encode(&certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
return nil, nil, err
}
cert = certOut.Bytes()

privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
if err != nil {
return nil, nil, err
}

var keyOut bytes.Buffer
err = pem.Encode(&keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
if err != nil {
return nil, nil, err
}
key = keyOut.Bytes()
return cert, key, nil
}

0 comments on commit 8a61408

Please sign in to comment.