Ability to choose ECDSA/EdDSA algorithms

diff --git a/cmd/certgen/main.go b/cmd/certgen/main.go
index e9a5cb1367c75f93e12a5a191b69489d309d56a9..e8ce618048cf89ab2c879bf26e0bff66c7d6dd13 100644 (file)
--- a/cmd/certgen/main.go
+++ b/cmd/certgen/main.go
@@ -19,7 +19,6 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 package main
 
 import (
-       "crypto/ed25519"
        "crypto/rand"
        "crypto/x509"
        "crypto/x509/pkix"
@@ -30,22 +29,22 @@ import (
        "math/big"
        "os"
        "time"
+
+       "go.stargrave.org/tofuproxy"
 )
 
 func main() {
        cn := flag.String("cn", "tofuproxy.localhost", "CommonName")
+       ai := flag.String("ai", "eddsa", "ecdsa|eddsa (ECDSA-256 or EdDSA algorithm)")
        flag.Parse()
        log.SetFlags(log.Lshortfile)
 
-       pub, prv, err := ed25519.GenerateKey(rand.Reader)
-       if err != nil {
-               log.Fatalln(err)
-       }
+       pub, prv := tofuproxy.NewKeypair(*ai)
        notBefore := time.Now()
        notAfter := notBefore.Add(365 * 24 * time.Hour)
 
        serialRaw := make([]byte, 16)
-       if _, err = io.ReadFull(rand.Reader, serialRaw); err != nil {
+       if _, err := io.ReadFull(rand.Reader, serialRaw); err != nil {
                log.Fatalln(err)
        }
        serial := big.NewInt(0)

diff --git a/cmd/tofuproxy/main.go b/cmd/tofuproxy/main.go
index 5d40e49a360f70677919af28b5685ac197c1943f..babc8b7e34c34f3cfbe76d7ad9601e4d4edce9d6 100644 (file)
--- a/cmd/tofuproxy/main.go
+++ b/cmd/tofuproxy/main.go
@@ -32,6 +32,7 @@ import (
 )
 
 func main() {
+       ai := flag.String("ai", "eddsa", "ecdsa|eddsa (ECDSA-256 or EdDSA algorithm)")
        crtPath := flag.String("cert", "cert.pem", "Path to server X.509 certificate")
        prvPath := flag.String("key", "cert.pem", "Path to server PKCS#8 private key")
        bind := flag.String("bind", "[::1]:8080", "Bind address")
@@ -61,6 +62,7 @@ func main() {
        ttls.DNSSrv = *dnsSrv
        tofuproxy.CACert = caCert
        tofuproxy.CAPrv = caPrv
+       tofuproxy.X509Algo = *ai
        rounds.WARCOnly = *warcOnly
 
        ln, err := net.Listen("tcp", *bind)

diff --git a/go.mod b/go.mod
index bb8d19107fd80bc80ed98e3ab21e318bc0d0d28d..d02536353ecf9d29f20b464a6476efe3c4683852 100644 (file)
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module go.stargrave.org/tofuproxy
 
-go 1.17
+go 1.18
 
 require (
        github.com/dustin/go-humanize v1.0.1

diff --git a/tls.go b/tls.go
index ef43964c83eb4b475c90b3602e1b775ab00142a4..b73d42eebfd29f5242135d3927b5d30c14e7caf5 100644 (file)
--- a/tls.go
+++ b/tls.go
@@ -61,7 +61,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
        hostCertsM.Lock()
        keypair, ok := hostCerts[host]
        if !ok || !keypair.cert.NotAfter.After(time.Now().Add(time.Hour)) {
-               keypair = newKeypair(host, CACert, CAPrv)
+               keypair = newX509Keypair(host, CACert, CAPrv)
                hostCerts[host] = keypair
        }
        hostCertsM.Unlock()

diff --git a/x509.go b/x509.go
index 4dafb908383eb894ef68348c8804c77da4363756..f18b2195dbd9c4acffefb1a356aebe7a6027f6b2 100644 (file)
--- a/x509.go
+++ b/x509.go
@@ -20,7 +20,9 @@ package tofuproxy
 
 import (
        "crypto"
+       "crypto/ecdsa"
        "crypto/ed25519"
+       "crypto/elliptic"
        "crypto/rand"
        "crypto/x509"
        "crypto/x509/pkix"
@@ -30,15 +32,16 @@ import (
        "time"
 )
 
-type Keypair struct {
+type X509Keypair struct {
        cert *x509.Certificate
        prv  crypto.PrivateKey
 }
 
 var (
-       hostCerts  = make(map[string]*Keypair)
+       hostCerts  = make(map[string]*X509Keypair)
        hostCertsM sync.Mutex
        Serial     *big.Int
+       X509Algo   string
 )
 
 func init() {
@@ -51,15 +54,33 @@ func init() {
        }
 }
 
-func newKeypair(
+func NewKeypair(ai string) (pub, prv any) {
+       switch ai {
+       case "ecdsa":
+               prvEcdsa, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+               if err != nil {
+                       log.Fatalln(err)
+               }
+               prv = prvEcdsa
+               pub = prvEcdsa.Public()
+       case "eddsa":
+               var err error
+               pub, prv, err = ed25519.GenerateKey(rand.Reader)
+               if err != nil {
+                       log.Fatalln(err)
+               }
+       default:
+               log.Fatalln("unknown algorithm specified")
+       }
+       return
+}
+
+func newX509Keypair(
        host string,
        caCert *x509.Certificate,
        caPrv crypto.PrivateKey,
-) *Keypair {
-       pub, prv, err := ed25519.GenerateKey(rand.Reader)
-       if err != nil {
-               log.Fatalln(err)
-       }
+) *X509Keypair {
+       pub, prv := NewKeypair(X509Algo)
        notBefore := time.Now()
        notAfter := notBefore.Add(24 * time.Hour)
        Serial = Serial.Add(Serial, big.NewInt(1))
@@ -80,5 +101,5 @@ func newKeypair(
        if err != nil {
                log.Fatalln(err)
        }
-       return &Keypair{cert, prv}
+       return &X509Keypair{cert, prv}
 }