cmd/certgen/main.go | 11 +++++------ cmd/tofuproxy/main.go | 2 ++ go.mod | 2 +- tls.go | 2 +- x509.go | 39 ++++++++++++++++++++++++++++++--------- diff --git a/cmd/certgen/main.go b/cmd/certgen/main.go index c21331c67dfd5ad8e50f30f80c1e86dd8504a3e95dfd37c830ee825c528501f5..58d1045680044993c8377c0354259bd81d7f8363dd3cff11a6d3427217e28af3 100644 --- a/cmd/certgen/main.go +++ b/cmd/certgen/main.go @@ -19,7 +19,6 @@ package main import ( - "crypto/ed25519" "crypto/rand" "crypto/x509" "crypto/x509/pkix" @@ -30,22 +29,22 @@ "log" "math/big" "os" "time" + + "go.stargrave.org/tofuproxy" ) func main() { cn := flag.String("cn", "tofuproxy.localhost", "CommonName") + ai := flag.String("ai", "eddsa", "ecdsa|eddsa (ECDSA-256 or EdDSA algorithm)") flag.Parse() log.SetFlags(log.Lshortfile) - pub, prv, err := ed25519.GenerateKey(rand.Reader) - if err != nil { - log.Fatalln(err) - } + pub, prv := tofuproxy.NewKeypair(*ai) notBefore := time.Now() notAfter := notBefore.Add(365 * 24 * time.Hour) serialRaw := make([]byte, 16) - if _, err = io.ReadFull(rand.Reader, serialRaw); err != nil { + if _, err := io.ReadFull(rand.Reader, serialRaw); err != nil { log.Fatalln(err) } serial := big.NewInt(0) diff --git a/cmd/tofuproxy/main.go b/cmd/tofuproxy/main.go index 8da7ea979318ba6c02d5337191646ecefc2206c0a5cded72382d6f5d121a1f26..fa1a38f2bf69e1b35e10f292b3f02a6c387742e3f519f851162fe7c372601cde 100644 --- a/cmd/tofuproxy/main.go +++ b/cmd/tofuproxy/main.go @@ -32,6 +32,7 @@ ttls "go.stargrave.org/tofuproxy/tls" ) func main() { + ai := flag.String("ai", "eddsa", "ecdsa|eddsa (ECDSA-256 or EdDSA algorithm)") crtPath := flag.String("cert", "cert.pem", "Path to server X.509 certificate") prvPath := flag.String("key", "cert.pem", "Path to server PKCS#8 private key") bind := flag.String("bind", "[::1]:8080", "Bind address") 
@@ -61,6 +62,7 @@ ttls.CCerts = *ccerts ttls.DNSSrv = *dnsSrv tofuproxy.CACert = caCert tofuproxy.CAPrv = caPrv + tofuproxy.X509Algo = *ai rounds.WARCOnly = *warcOnly ln, err := net.Listen("tcp", *bind) diff --git a/go.mod b/go.mod index e0c5e617ca8dcfca93183bd97d9494d57fded98b8c85b3d1c829b99da4df611b..daac4c1608d684ac6d16fd20409f23a7faf33aedccef2937fc88c065d433a8e1 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module go.stargrave.org/tofuproxy -go 1.17 +go 1.18 require ( github.com/dustin/go-humanize v1.0.1 diff --git a/tls.go b/tls.go index 6936eb2e7b3c58a00c57b8daa9947d2168b7040e5ed7d562d759163ecfa4847b..563eedec0baddcff3f0c073b765458ff26ddb786c3ae65bc1ff0fabb1a9e1fc7 100644 --- a/tls.go +++ b/tls.go @@ -61,7 +61,7 @@ host, _, _ := ttls.SplitHostPort(req.Host) hostCertsM.Lock() keypair, ok := hostCerts[host] if !ok || !keypair.cert.NotAfter.After(time.Now().Add(time.Hour)) { - keypair = newKeypair(host, CACert, CAPrv) + keypair = newX509Keypair(host, CACert, CAPrv) hostCerts[host] = keypair } hostCertsM.Unlock() diff --git a/x509.go b/x509.go index a0cc0397a971860372bed3e5b52506ace2958a36b8a4e66228ea426205d2086a..036c397bc00e62c5118c8ea915913c5fe010b80d08b9bfb953fb5af68d2e0127 100644 --- a/x509.go +++ b/x509.go @@ -20,7 +20,9 @@ package tofuproxy import ( "crypto" + "crypto/ecdsa" "crypto/ed25519" + "crypto/elliptic" "crypto/rand" "crypto/x509" "crypto/x509/pkix" @@ -30,15 +32,16 @@ "sync" "time" ) -type Keypair struct { +type X509Keypair struct { cert *x509.Certificate prv crypto.PrivateKey } var ( - hostCerts = make(map[string]*Keypair) + hostCerts = make(map[string]*X509Keypair) hostCertsM sync.Mutex Serial *big.Int + X509Algo string ) func init() { 
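Review bot: The value copied into `tofuproxy.X509Algo` is never checked in main; it is only inspected by the `default` branch of `NewKeypair` when `newX509Keypair` mints the first host certificate, so a mistyped `-ai` brings down a proxy that is already listening at the first CONNECT instead of failing at startup. A check before `net.Listen` keeps the failure where the operator sees it: `if *ai != "ecdsa" && *ai != "eddsa" { log.Fatalln("unknown -ai algorithm:", *ai) }`. The same two strings also live in the flag help text of both commands and in the switch in x509.go, so an exported validation helper in the tofuproxy package would keep the three from drifting apart. The enclosing main function starts and ends outside this hunk.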
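Review bot: `X509Algo` is added with the zero value as its default and no doc comment, but `newX509Keypair` hands it straight to `NewKeypair`, whose `default` branch calls `log.Fatalln`; a program that imports this package and never assigns the variable (not required before, when Ed25519 was used unconditionally) now exits on the first generated certificate. Initialising it in the var block preserves the previous behaviour for such callers: `X509Algo = "eddsa"`, with a comment such as `// X509Algo selects the key algorithm for generated host certificates: "ecdsa" (P-256) or "eddsa" (Ed25519).` `X509Keypair` is now an exported type and likewise lacks the `// X509Keypair ...` doc comment expected on exported names.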
@@ -51,15 +54,33 @@ panic(err) } } -func newKeypair( +func NewKeypair(ai string) (pub, prv any) { + switch ai { + case "ecdsa": + prvEcdsa, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + log.Fatalln(err) + } + prv = prvEcdsa + pub = prvEcdsa.Public() + case "eddsa": + var err error + pub, prv, err = ed25519.GenerateKey(rand.Reader) + if err != nil { + log.Fatalln(err) + } + default: + log.Fatalln("unknown algorithm specified") + } + return +} + +func newX509Keypair( host string, caCert *x509.Certificate, caPrv crypto.PrivateKey, -) *Keypair { - pub, prv, err := ed25519.GenerateKey(rand.Reader) - if err != nil { - log.Fatalln(err) - } +) *X509Keypair { + pub, prv := NewKeypair(X509Algo) notBefore := time.Now() notAfter := notBefore.Add(24 * time.Hour) Serial = Serial.Add(Serial, big.NewInt(1)) @@ -80,5 +101,5 @@ cert, err := x509.ParseCertificate(certRaw) if err != nil { log.Fatalln(err) } - return &Keypair{cert, prv} + return &X509Keypair{cert, prv} }
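Review bot: `NewKeypair` is an exported function of a library package, yet every failure path — `ecdsa.GenerateKey`, `ed25519.GenerateKey` and the unknown-algorithm case — calls `log.Fatalln`, which terminates whichever process imported the package, and the message `unknown algorithm specified` does not say which value was rejected. Returning the error instead lets cmd/certgen keep its `log.Fatalln` at the call site and lets `newX509Keypair` (which already treats `x509.ParseCertificate` failure as fatal) decide for itself. The sketch below assumes `errors` is imported, which the visible import hunk does not show; both callers sit in other hunks of this commit and would need the extra return value handled.
```go
func NewKeypair(ai string) (pub, prv any, err error) {
	switch ai {
	case "ecdsa":
		var prvEcdsa *ecdsa.PrivateKey
		prvEcdsa, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		return prvEcdsa.Public(), prvEcdsa, nil
	case "eddsa":
		pub, prv, err = ed25519.GenerateKey(rand.Reader)
		return pub, prv, err
	default:
		return nil, nil, errors.New("unknown algorithm specified: " + ai)
	}
}
// … unchanged: newX509Keypair, apart from handling the error now returned by NewKeypair …
```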