mirrors
/
blocky
mirror of https://github.com/0xERR0R/blocky.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Change self-signed cert to ECDSA (#639) 

Co-authored-by: Dimitri Herzog <dimitri.herzog@gmail.com>
This commit is contained in:
FileGo 2022-09-03 21:24:29 +01:00 committed by GitHub
parent a0769e566c
commit 89927aa929
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
server/server.go
View File

@ -2,12 +2,14 @@ package server
import ( import (
"bytes" "bytes"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/rsa"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"math"
"math/big" "math/big"
mrand "math/rand" mrand "math/rand"
"net" "net"
@ -36,7 +38,6 @@ const (
maxUDPBufferSize = 65535 maxUDPBufferSize = 65535
caExpiryYears = 10 caExpiryYears = 10
certExpiryYears = 5 certExpiryYears = 5
certRSAsize = 4096
) )
// Server controls the endpoints for DNS and HTTP // Server controls the endpoints for DNS and HTTP
@ -295,7 +296,7 @@ func createUDPServer(address string) (*dns.Server, error) {
func createSelfSignedCert() (tls.Certificate, error) { func createSelfSignedCert() (tls.Certificate, error) {
// Create CA // Create CA
ca := &x509.Certificate{ ca := &x509.Certificate{
SerialNumber: big.NewInt(int64(mrand.Intn(certRSAsize))), //nolint:gosec SerialNumber: big.NewInt(int64(mrand.Intn(math.MaxInt))), //nolint:gosec
NotBefore: time.Now(), NotBefore: time.Now(),
NotAfter: time.Now().AddDate(caExpiryYears, 0, 0), NotAfter: time.Now().AddDate(caExpiryYears, 0, 0),
IsCA: true, IsCA: true,
@ -304,7 +305,7 @@ func createSelfSignedCert() (tls.Certificate, error) {
BasicConstraintsValid: true, BasicConstraintsValid: true,
} }
caPrivKey, err := rsa.GenerateKey(rand.Reader, certRSAsize) caPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil { if err != nil {
return tls.Certificate{}, err return tls.Certificate{}, err
} }
@ -323,16 +324,22 @@ func createSelfSignedCert() (tls.Certificate, error) {
} }
caPrivKeyPEM := new(bytes.Buffer) caPrivKeyPEM := new(bytes.Buffer)
b, err := x509.MarshalECPrivateKey(caPrivKey)
if err != nil {
return tls.Certificate{}, err
}
if err = pem.Encode(caPrivKeyPEM, &pem.Block{ if err = pem.Encode(caPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY", Type: "EC PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey), Bytes: b,
}); err != nil { }); err != nil {
return tls.Certificate{}, err return tls.Certificate{}, err
} }
// Create certificate // Create certificate
cert := &x509.Certificate{ cert := &x509.Certificate{
SerialNumber: big.NewInt(int64(mrand.Intn(certRSAsize))), //nolint:gosec SerialNumber: big.NewInt(int64(mrand.Intn(math.MaxInt))), //nolint:gosec
DNSNames: []string{"*"}, DNSNames: []string{"*"},
NotBefore: time.Now(), NotBefore: time.Now(),
NotAfter: time.Now().AddDate(certExpiryYears, 0, 0), NotAfter: time.Now().AddDate(certExpiryYears, 0, 0),
@ -341,7 +348,7 @@ func createSelfSignedCert() (tls.Certificate, error) {
KeyUsage: x509.KeyUsageDigitalSignature, KeyUsage: x509.KeyUsageDigitalSignature,
} }
certPrivKey, err := rsa.GenerateKey(rand.Reader, certRSAsize) certPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil { if err != nil {
return tls.Certificate{}, err return tls.Certificate{}, err
} }
@ -360,9 +367,15 @@ func createSelfSignedCert() (tls.Certificate, error) {
} }
certPrivKeyPEM := new(bytes.Buffer) certPrivKeyPEM := new(bytes.Buffer)
b, err = x509.MarshalECPrivateKey(certPrivKey)
if err != nil {
return tls.Certificate{}, err
}
if err = pem.Encode(certPrivKeyPEM, &pem.Block{ if err = pem.Encode(certPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY", Type: "EC PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey), Bytes: b,
}); err != nil { }); err != nil {
return tls.Certificate{}, err return tls.Certificate{}, err
} }