tweak TLS configuration options
This commit is contained in:
idk
2
.gitignore
vendored
2
.gitignore
vendored
@ -5,3 +5,5 @@ bin/*
|
||||
*/*.i2pkeys
|
||||
README.md.asc
|
||||
samcatd
|
||||
*/*.pem
|
||||
*.pem
|
||||
|
||||
@ -2,7 +2,9 @@ package i2ptunconf
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"log"
|
||||
"strings"
|
||||
|
||||
"github.com/eyedeekay/sam-forwarder/tls"
|
||||
)
|
||||
|
||||
// GetPort443 takes an argument and a default. If the argument differs from the
|
||||
@ -62,7 +64,7 @@ func (c *Conf) GetTLSConfig(arg, def string, label ...string) string {
|
||||
if c.Config == nil {
|
||||
return arg
|
||||
}
|
||||
if x, o := c.Get("cert", label...); o {
|
||||
if x, o := c.Get("cert.pem", label...); o {
|
||||
return x
|
||||
}
|
||||
return arg
|
||||
@ -70,7 +72,7 @@ func (c *Conf) GetTLSConfig(arg, def string, label ...string) string {
|
||||
|
||||
// SetClientDest sets the key name from the config file
|
||||
func (c *Conf) SetTLSConfig(label ...string) {
|
||||
if v, ok := c.Get("cert", label...); ok {
|
||||
if v, ok := c.Get("cert.pem", label...); ok {
|
||||
c.Cert = v
|
||||
} else {
|
||||
c.Cert = ""
|
||||
@ -85,7 +87,7 @@ func (c *Conf) GetTLSConfigPem(arg, def string, label ...string) string {
|
||||
if c.Config == nil {
|
||||
return arg
|
||||
}
|
||||
if x, o := c.Get("pem", label...); o {
|
||||
if x, o := c.Get("key.pem", label...); o {
|
||||
return x
|
||||
}
|
||||
return arg
|
||||
@ -93,17 +95,17 @@ func (c *Conf) GetTLSConfigPem(arg, def string, label ...string) string {
|
||||
|
||||
// SetClientDest sets the key name from the config file
|
||||
func (c *Conf) SetTLSConfigPem(label ...string) {
|
||||
if v, ok := c.Get("pem", label...); ok {
|
||||
if v, ok := c.Get("key.pem", label...); ok {
|
||||
c.Pem = v
|
||||
} else {
|
||||
c.Pem = ""
|
||||
}
|
||||
}
|
||||
|
||||
func (c *Conf) TLSConfig() *tls.Config {
|
||||
cert, err := tls.LoadX509KeyPair(c.Cert, c.Pem)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
func (c *Conf) TLSConfig() (*tls.Config, error) {
|
||||
names := []string{c.Base32()}
|
||||
if c.HostName != "" && strings.HasSuffix(c.HostName, ".i2p") {
|
||||
names = append(names, c.HostName)
|
||||
}
|
||||
return &tls.Config{Certificates: []tls.Certificate{cert}}
|
||||
return i2ptls.TLSConfig(c.Cert, c.Pem, names)
|
||||
}
|
||||
|
||||
@ -70,6 +70,7 @@ type Conf struct {
|
||||
UseTLS bool `default:false`
|
||||
Cert string `default:""`
|
||||
Pem string `default:""`
|
||||
HostName string `default:""`
|
||||
//TLSConf *tls.Config
|
||||
LoadedKeys i2pkeys.I2PKeys
|
||||
}
|
||||
|
||||
@ -361,7 +361,11 @@ func (f *SAMForwarder) Serve() error {
|
||||
log.Println("SAM Listener created,", f.Base32())
|
||||
log.Println("Human-readable hash:\n ", f.Base32Readable())
|
||||
if f.Conf.UseTLS {
|
||||
f.publishListen = tls.NewListener(publishListen, f.Conf.TLSConfig())
|
||||
tlsconf, err := f.Conf.TLSConfig()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
f.publishListen = tls.NewListener(publishListen, tlsconf)
|
||||
} else {
|
||||
f.publishListen = publishListen
|
||||
}
|
||||
|
||||
56
tls/tls.go
56
tls/tls.go
@ -8,6 +8,7 @@ import (
|
||||
"crypto/x509/pkix"
|
||||
"encoding/pem"
|
||||
"log"
|
||||
"math/big"
|
||||
"os"
|
||||
)
|
||||
|
||||
@ -18,9 +19,15 @@ func CheckFile(path string) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
func Certificate(Cert, Pem string, names []string, priv *ed25519.PrivateKey) (*tls.Certificate, error) {
|
||||
func CertPemificate(CertPem, KeyPem string, names []string, priv ed25519.PrivateKey) (tls.Certificate, error) {
|
||||
|
||||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
||||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to generate serial number: %v", err)
|
||||
}
|
||||
template := x509.Certificate{
|
||||
// SerialNumber: serialNumber,
|
||||
SerialNumber: serialNumber,
|
||||
Subject: pkix.Name{
|
||||
Organization: []string{"Acme Co"},
|
||||
},
|
||||
@ -30,27 +37,28 @@ func Certificate(Cert, Pem string, names []string, priv *ed25519.PrivateKey) (*t
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||
BasicConstraintsValid: true,
|
||||
}
|
||||
if len(names) > 0 {
|
||||
template.DNSNames = append(template.DNSNames, names...)
|
||||
|
||||
}
|
||||
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, priv.Public().(ed25519.PublicKey), priv)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to create certificate: %v", err)
|
||||
}
|
||||
certOut, err := os.Create(Cert)
|
||||
certOut, err := os.Create(CertPem)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to open "+Cert+" for writing: %v", err)
|
||||
log.Fatalf("Failed to open "+CertPem+" for writing: %v", err)
|
||||
}
|
||||
if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
|
||||
log.Fatalf("Failed to write data to "+Cert+": %v", err)
|
||||
log.Fatalf("Failed to write data to "+CertPem+": %v", err)
|
||||
}
|
||||
if err := certOut.Close(); err != nil {
|
||||
log.Fatalf("Error closing "+Cert+": %v", err)
|
||||
log.Fatalf("Error closing "+CertPem+": %v", err)
|
||||
}
|
||||
log.Print("wrote " + Cert + "\n")
|
||||
log.Print("wrote " + CertPem + "\n")
|
||||
|
||||
keyOut, err := os.OpenFile(Pem, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
keyOut, err := os.OpenFile(KeyPem, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to open "+Pem+" for writing: %v", err)
|
||||
log.Fatalf("Failed to open "+KeyPem+" for writing: %v", err)
|
||||
}
|
||||
privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
|
||||
if err != nil {
|
||||
@ -62,25 +70,31 @@ func Certificate(Cert, Pem string, names []string, priv *ed25519.PrivateKey) (*t
|
||||
if err := keyOut.Close(); err != nil {
|
||||
log.Fatalf("Error closing key.pem: %v", err)
|
||||
}
|
||||
return tls.LoadX509KeyPair(Cert, Pem)
|
||||
return tls.LoadX509KeyPair(CertPem, KeyPem)
|
||||
}
|
||||
|
||||
func TLSConfig(Cert, Pem string, names []string) *tls.Config {
|
||||
if CheckFile(Cert) && CheckFile(Pem) {
|
||||
cert, err := tls.LoadX509KeyPair(Cert, Pem)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
func TLSConfig(CertPem, KeyPem string, names []string) (*tls.Config, error) {
|
||||
var ServerName string
|
||||
if len(names) > 0 {
|
||||
ServerName = names[0]
|
||||
}
|
||||
return &tls.Config{Certificates: []tls.Certificate{cert}}
|
||||
|
||||
if CheckFile(CertPem) && CheckFile(KeyPem) {
|
||||
cert, err := tls.LoadX509KeyPair(CertPem, KeyPem)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &tls.Config{Certificates: []tls.Certificate{cert}, ServerName: ServerName}, nil
|
||||
} else {
|
||||
_, priv, err := ed25519.GenerateKey(rand.Reader)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
return nil, err
|
||||
}
|
||||
cert, err := Certificate(Cert, Pem, names, priv)
|
||||
cert, err := CertPemificate(CertPem, KeyPem, names, priv)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
return nil, err
|
||||
}
|
||||
return &tls.Config{Certificates: []tls.Certificate{cert}}
|
||||
return &tls.Config{Certificates: []tls.Certificate{cert}, ServerName: ServerName}, nil
|
||||
}
|
||||
}
|
||||
|
||||
11
tls/tls_test.go
Normal file
11
tls/tls_test.go
Normal file
@ -0,0 +1,11 @@
|
||||
package i2ptls
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestTLSGenerate(t *testing.T) {
|
||||
config, err := TLSConfig("cert.pem", "key.pem", []string{"idk.i2p"})
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
t.Log(config.ServerName)
|
||||
}
|
||||
Reference in New Issue
Block a user