mirror of https://github.com/0xERR0R/blocky.git
Change self-signed cert to ECDSA (#639)
Co-authored-by: Dimitri Herzog <dimitri.herzog@gmail.com>
This commit is contained in:
parent
a0769e566c
commit
89927aa929
|
@ -2,12 +2,14 @@ package server
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/elliptic"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/rsa"
|
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"math"
|
||||||
"math/big"
|
"math/big"
|
||||||
mrand "math/rand"
|
mrand "math/rand"
|
||||||
"net"
|
"net"
|
||||||
|
@ -36,7 +38,6 @@ const (
|
||||||
maxUDPBufferSize = 65535
|
maxUDPBufferSize = 65535
|
||||||
caExpiryYears = 10
|
caExpiryYears = 10
|
||||||
certExpiryYears = 5
|
certExpiryYears = 5
|
||||||
certRSAsize = 4096
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// Server controls the endpoints for DNS and HTTP
|
// Server controls the endpoints for DNS and HTTP
|
||||||
|
@ -295,7 +296,7 @@ func createUDPServer(address string) (*dns.Server, error) {
|
||||||
func createSelfSignedCert() (tls.Certificate, error) {
|
func createSelfSignedCert() (tls.Certificate, error) {
|
||||||
// Create CA
|
// Create CA
|
||||||
ca := &x509.Certificate{
|
ca := &x509.Certificate{
|
||||||
SerialNumber: big.NewInt(int64(mrand.Intn(certRSAsize))), //nolint:gosec
|
SerialNumber: big.NewInt(int64(mrand.Intn(math.MaxInt))), //nolint:gosec
|
||||||
NotBefore: time.Now(),
|
NotBefore: time.Now(),
|
||||||
NotAfter: time.Now().AddDate(caExpiryYears, 0, 0),
|
NotAfter: time.Now().AddDate(caExpiryYears, 0, 0),
|
||||||
IsCA: true,
|
IsCA: true,
|
||||||
|
@ -304,7 +305,7 @@ func createSelfSignedCert() (tls.Certificate, error) {
|
||||||
BasicConstraintsValid: true,
|
BasicConstraintsValid: true,
|
||||||
}
|
}
|
||||||
|
|
||||||
caPrivKey, err := rsa.GenerateKey(rand.Reader, certRSAsize)
|
caPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return tls.Certificate{}, err
|
return tls.Certificate{}, err
|
||||||
}
|
}
|
||||||
|
@ -323,16 +324,22 @@ func createSelfSignedCert() (tls.Certificate, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
caPrivKeyPEM := new(bytes.Buffer)
|
caPrivKeyPEM := new(bytes.Buffer)
|
||||||
|
|
||||||
|
b, err := x509.MarshalECPrivateKey(caPrivKey)
|
||||||
|
if err != nil {
|
||||||
|
return tls.Certificate{}, err
|
||||||
|
}
|
||||||
|
|
||||||
if err = pem.Encode(caPrivKeyPEM, &pem.Block{
|
if err = pem.Encode(caPrivKeyPEM, &pem.Block{
|
||||||
Type: "RSA PRIVATE KEY",
|
Type: "EC PRIVATE KEY",
|
||||||
Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey),
|
Bytes: b,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return tls.Certificate{}, err
|
return tls.Certificate{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create certificate
|
// Create certificate
|
||||||
cert := &x509.Certificate{
|
cert := &x509.Certificate{
|
||||||
SerialNumber: big.NewInt(int64(mrand.Intn(certRSAsize))), //nolint:gosec
|
SerialNumber: big.NewInt(int64(mrand.Intn(math.MaxInt))), //nolint:gosec
|
||||||
DNSNames: []string{"*"},
|
DNSNames: []string{"*"},
|
||||||
NotBefore: time.Now(),
|
NotBefore: time.Now(),
|
||||||
NotAfter: time.Now().AddDate(certExpiryYears, 0, 0),
|
NotAfter: time.Now().AddDate(certExpiryYears, 0, 0),
|
||||||
|
@ -341,7 +348,7 @@ func createSelfSignedCert() (tls.Certificate, error) {
|
||||||
KeyUsage: x509.KeyUsageDigitalSignature,
|
KeyUsage: x509.KeyUsageDigitalSignature,
|
||||||
}
|
}
|
||||||
|
|
||||||
certPrivKey, err := rsa.GenerateKey(rand.Reader, certRSAsize)
|
certPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return tls.Certificate{}, err
|
return tls.Certificate{}, err
|
||||||
}
|
}
|
||||||
|
@ -360,9 +367,15 @@ func createSelfSignedCert() (tls.Certificate, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
certPrivKeyPEM := new(bytes.Buffer)
|
certPrivKeyPEM := new(bytes.Buffer)
|
||||||
|
|
||||||
|
b, err = x509.MarshalECPrivateKey(certPrivKey)
|
||||||
|
if err != nil {
|
||||||
|
return tls.Certificate{}, err
|
||||||
|
}
|
||||||
|
|
||||||
if err = pem.Encode(certPrivKeyPEM, &pem.Block{
|
if err = pem.Encode(certPrivKeyPEM, &pem.Block{
|
||||||
Type: "RSA PRIVATE KEY",
|
Type: "EC PRIVATE KEY",
|
||||||
Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
|
Bytes: b,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return tls.Certificate{}, err
|
return tls.Certificate{}, err
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue