From a33cb04b5d79feef4b1e66981cbb7f9a6005ec89 Mon Sep 17 00:00:00 2001
From: Chris Hager <chris@linuxuser.at>
Date: Wed, 20 Nov 2024 14:24:09 +0100
Subject: [PATCH] tls.GenerateTLS (#34)

---
 tls/tls_generate.go | 84 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 tls/tls_generate.go

diff --git a/tls/tls_generate.go b/tls/tls_generate.go
new file mode 100644
index 0000000..88550b4
--- /dev/null
+++ b/tls/tls_generate.go
@@ -0,0 +1,84 @@
+// Package tls provides utilities for generating self-signed TLS certificates.
+package tls
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"time"
+)
+
+// GenerateTLS generated a TLS certificate and key.
+// based on https://go.dev/src/crypto/tls/generate_cert.go
+// - `hosts`: a list of ip / dns names to include in the certificate
+func GenerateTLS(validFor time.Duration, hosts []string) (cert, key []byte, err error) {
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	keyUsage := x509.KeyUsageDigitalSignature
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(validFor)
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"Acme"},
+		},
+		NotBefore: notBefore,
+		NotAfter:  notAfter,
+
+		KeyUsage:              keyUsage,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	for _, h := range hosts {
+		if ip := net.ParseIP(h); ip != nil {
+			template.IPAddresses = append(template.IPAddresses, ip)
+		} else {
+			template.DNSNames = append(template.DNSNames, h)
+		}
+	}
+
+	// certificate is its own CA
+	template.IsCA = true
+	template.KeyUsage |= x509.KeyUsageCertSign
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var certOut bytes.Buffer
+	if err = pem.Encode(&certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+		return nil, nil, err
+	}
+	cert = certOut.Bytes()
+
+	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var keyOut bytes.Buffer
+	err = pem.Encode(&keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
+	if err != nil {
+		return nil, nil, err
+	}
+	key = keyOut.Bytes()
+	return cert, key, nil
+}