package main
import (
- "crypto/ed25519"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"math/big"
"os"
"time"
+
+ "go.stargrave.org/tofuproxy"
)
func main() {
cn := flag.String("cn", "tofuproxy.localhost", "CommonName")
+ ai := flag.String("ai", "eddsa", "ecdsa|eddsa (ECDSA-256 or EdDSA algorithm)")
flag.Parse()
log.SetFlags(log.Lshortfile)
- pub, prv, err := ed25519.GenerateKey(rand.Reader)
- if err != nil {
- log.Fatalln(err)
- }
+ pub, prv := tofuproxy.NewKeypair(*ai)
notBefore := time.Now()
notAfter := notBefore.Add(365 * 24 * time.Hour)
serialRaw := make([]byte, 16)
- if _, err = io.ReadFull(rand.Reader, serialRaw); err != nil {
+ if _, err := io.ReadFull(rand.Reader, serialRaw); err != nil {
log.Fatalln(err)
}
serial := big.NewInt(0)
)
func main() {
+ ai := flag.String("ai", "eddsa", "ecdsa|eddsa (ECDSA-256 or EdDSA algorithm)")
crtPath := flag.String("cert", "cert.pem", "Path to server X.509 certificate")
prvPath := flag.String("key", "cert.pem", "Path to server PKCS#8 private key")
bind := flag.String("bind", "[::1]:8080", "Bind address")
ttls.DNSSrv = *dnsSrv
tofuproxy.CACert = caCert
tofuproxy.CAPrv = caPrv
+ tofuproxy.X509Algo = *ai
rounds.WARCOnly = *warcOnly
ln, err := net.Listen("tcp", *bind)
module go.stargrave.org/tofuproxy
-go 1.17
+go 1.18
require (
github.com/dustin/go-humanize v1.0.1
hostCertsM.Lock()
keypair, ok := hostCerts[host]
if !ok || !keypair.cert.NotAfter.After(time.Now().Add(time.Hour)) {
- keypair = newKeypair(host, CACert, CAPrv)
+ keypair = newX509Keypair(host, CACert, CAPrv)
hostCerts[host] = keypair
}
hostCertsM.Unlock()
import (
"crypto"
+ "crypto/ecdsa"
"crypto/ed25519"
+ "crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"time"
)
-type Keypair struct {
+type X509Keypair struct {
cert *x509.Certificate
prv crypto.PrivateKey
}
var (
- hostCerts = make(map[string]*Keypair)
+ hostCerts = make(map[string]*X509Keypair)
hostCertsM sync.Mutex
Serial *big.Int
+ X509Algo string
)
func init() {
}
}
-func newKeypair(
+func NewKeypair(ai string) (pub, prv any) {
+ switch ai {
+ case "ecdsa":
+ prvEcdsa, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ if err != nil {
+ log.Fatalln(err)
+ }
+ prv = prvEcdsa
+ pub = prvEcdsa.Public()
+ case "eddsa":
+ var err error
+ pub, prv, err = ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ log.Fatalln(err)
+ }
+ default:
+ log.Fatalln("unknown algorithm specified")
+ }
+ return
+}
+
+func newX509Keypair(
host string,
caCert *x509.Certificate,
caPrv crypto.PrivateKey,
-) *Keypair {
- pub, prv, err := ed25519.GenerateKey(rand.Reader)
- if err != nil {
- log.Fatalln(err)
- }
+) *X509Keypair {
+ pub, prv := NewKeypair(X509Algo)
notBefore := time.Now()
notAfter := notBefore.Add(24 * time.Hour)
Serial = Serial.Add(Serial, big.NewInt(1))
if err != nil {
log.Fatalln(err)
}
- return &Keypair{cert, prv}
+ return &X509Keypair{cert, prv}
}