Example #1
0
func (*App) generateTLSConfig(signPub *[ed25519.PublicKeySize]byte, signPriv *[ed25519.PrivateKeySize]byte) (*tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}

	// generate a self-signed cert
	now := time.Now()
	expiry := now.Add(tlsExpiry)
	srvKeyID := sha1.Sum(key.D.Bytes())
	hostname := hex.EncodeToString(srvKeyID[:]) + ".peer.bazil.org"
	srvTemplate := &x509.Certificate{
		SerialNumber: new(big.Int),
		Subject: pkix.Name{
			CommonName:   hostname,
			Organization: []string{"bazil.org#peer"},
		},
		NotBefore: now.UTC().AddDate(0, 0, -7),
		NotAfter:  expiry.UTC(),

		SubjectKeyId: srvKeyID[:],
		DNSNames:     []string{hostname},
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
	}

	if err := edtls.Vouch(signPub, signPriv, srvTemplate, &key.PublicKey); err != nil {
		return nil, err
	}

	certDER, err := x509.CreateCertificate(rand.Reader, srvTemplate, srvTemplate, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}

	// parse it back because CreateCertificate API seems to insist on
	// just giving us the DER form
	x509Cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}

	var cert = tls.Certificate{
		Certificate: [][]byte{certDER},
		PrivateKey:  key,
		// populated primarily to neatly expose NotAfter to
		// getTLSConfig, but might help performance too
		Leaf: x509Cert,
	}

	var conf = &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      x509.NewCertPool(),
		ClientAuth:   tls.RequestClientCert,
		MinVersion:   tls.VersionTLS12,
	}

	return conf, nil
}
Example #2
0
func TestVouch(t *testing.T) {
	signPub, signPriv, err := ed25519.GenerateKey(fakeRand{})
	if err != nil {
		t.Fatalf("unexpected error from ed25519.GenerateKey: %v", err)
	}
	tlsPriv, err := ecdsa.GenerateKey(elliptic.P256(), fakeRand{})
	if err != nil {
		t.Fatalf("unexpected error from ecdsa.GenerateKey: %v", err)
	}
	cert := x509.Certificate{
		// most fields don't matter

		NotAfter: time.Date(2014, 12, 13, 14, 15, 16, 17, time.UTC),
		ExtraExtensions: []pkix.Extension{
			{Id: asn1.ObjectIdentifier{42}, Value: []byte("filler")},
		},
	}
	if err := edtls.Vouch(signPub, signPriv, &cert, &tlsPriv.PublicKey); err != nil {
		t.Fatalf("unexpected error from Vouch: %v", err)
	}
	if ext := cert.ExtraExtensions; len(ext) != 2 {
		t.Fatalf("unexpected ExtraExtensions: %#v", ext)
	}
	vouch := cert.ExtraExtensions[1]
	if g, e := vouch.Id.String(), "1.2.840.113556.1.8000.2554.31830.5190.18203.20240.41147.7688498.2373901"; g != e {
		t.Errorf("unexpected oid for vouch: %q != %q", g, e)
	}
	if g, e := vouch.Critical, false; g != e {
		t.Errorf("unexpected critical flag: %v != %v", g, e)
	}
	if g, e := len(vouch.Value), ed25519.PublicKeySize+ed25519.SignatureSize; g != e {
		t.Errorf("unexpected signature length: %v != %v", g, e)
	}
	if g, e := vouch.Value, []byte{
		// pubkey
		0x21, 0x52, 0xf8, 0xd1, 0x9b, 0x79, 0x1d, 0x24,
		0x45, 0x32, 0x42, 0xe1, 0x5f, 0x2e, 0xab, 0x6c,
		0xb7, 0xcf, 0xfa, 0x7b, 0x6a, 0x5e, 0xd3, 0x00,
		0x97, 0x96, 0x0e, 0x06, 0x98, 0x81, 0xdb, 0x12,
		// sig
		0x81, 0x1b, 0xf8, 0xef, 0x30, 0xf3, 0x2b, 0x6d,
		0x5f, 0x41, 0xa2, 0x04, 0xff, 0x5a, 0xb5, 0xd0,
		0xb1, 0xfc, 0x60, 0xf0, 0x79, 0x10, 0x57, 0xa8,
		0x42, 0x0f, 0x16, 0xe4, 0x57, 0xc3, 0xe4, 0x60,
		0x28, 0x29, 0xf2, 0xfd, 0x06, 0x67, 0x7c, 0x3a,
		0xc0, 0xcd, 0x85, 0xda, 0x0e, 0xf4, 0x8c, 0x1b,
		0xc0, 0xed, 0xf8, 0xd3, 0x10, 0xa7, 0xa0, 0x4e,
		0x34, 0xed, 0x83, 0x57, 0x41, 0x49, 0xbe, 0x06,
	}; !bytes.Equal(g, e) {
		t.Errorf("unexpected signature packet: %x != %x", g, e)
	}
}
Example #3
0
func mustGenerateTLSConfig(t *testing.T, signPub *[ed25519.PublicKeySize]byte, signPriv *[ed25519.PrivateKeySize]byte) *tls.Config {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		t.Fatal(err)
	}

	// generate a self-signed cert
	now := time.Now()
	expiry := now.Add(1 * time.Hour)
	srvKeyID := sha1.Sum(key.D.Bytes())
	hostname := hex.EncodeToString(srvKeyID[:]) + ".peer.bazil.org"
	srvTemplate := &x509.Certificate{
		SerialNumber: new(big.Int),
		Subject: pkix.Name{
			CommonName:   hostname,
			Organization: []string{"bazil.org#peer"},
		},
		NotBefore: now.UTC().AddDate(0, 0, -7),
		NotAfter:  expiry.UTC(),

		SubjectKeyId: srvKeyID[:],
		DNSNames:     []string{hostname},
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
	}

	if signPub != nil {
		if err := edtls.Vouch(signPub, signPriv, srvTemplate, &key.PublicKey); err != nil {
			t.Fatal(err)
		}
	}

	certDER, err := x509.CreateCertificate(rand.Reader, srvTemplate, srvTemplate, &key.PublicKey, key)
	if err != nil {
		t.Fatal(err)
	}

	var cert = tls.Certificate{
		Certificate: [][]byte{certDER},
		PrivateKey:  key,
	}

	var conf = &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      x509.NewCertPool(),
		ClientAuth:   tls.RequestClientCert,
		MinVersion:   tls.VersionTLS12,
	}
	return conf
}