From ac0e57015ad6f2cc18e9a60d4fc7d9887d4f4b04 Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Mon, 20 Mar 2023 12:53:25 +0300 Subject: [PATCH] Ability to choose ECDSA/EdDSA algorithms --- cmd/certgen/main.go | 11 +++++------ cmd/tofuproxy/main.go | 2 ++ go.mod | 2 +- tls.go | 2 +- x509.go | 39 ++++++++++++++++++++++++++++++--------- 5 files changed, 39 insertions(+), 17 deletions(-) diff --git a/cmd/certgen/main.go b/cmd/certgen/main.go index e9a5cb1..e8ce618 100644 --- a/cmd/certgen/main.go +++ b/cmd/certgen/main.go @@ -19,7 +19,6 @@ along with this program. If not, see . package main import ( - "crypto/ed25519" "crypto/rand" "crypto/x509" "crypto/x509/pkix" @@ -30,22 +29,22 @@ import ( "math/big" "os" "time" + + "go.stargrave.org/tofuproxy" ) func main() { cn := flag.String("cn", "tofuproxy.localhost", "CommonName") + ai := flag.String("ai", "eddsa", "ecdsa|eddsa (ECDSA-256 or EdDSA algorithm)") flag.Parse() log.SetFlags(log.Lshortfile) - pub, prv, err := ed25519.GenerateKey(rand.Reader) - if err != nil { - log.Fatalln(err) - } + pub, prv := tofuproxy.NewKeypair(*ai) notBefore := time.Now() notAfter := notBefore.Add(365 * 24 * time.Hour) serialRaw := make([]byte, 16) - if _, err = io.ReadFull(rand.Reader, serialRaw); err != nil { + if _, err := io.ReadFull(rand.Reader, serialRaw); err != nil { log.Fatalln(err) } serial := big.NewInt(0) diff --git a/cmd/tofuproxy/main.go b/cmd/tofuproxy/main.go index 5d40e49..babc8b7 100644 --- a/cmd/tofuproxy/main.go +++ b/cmd/tofuproxy/main.go @@ -32,6 +32,7 @@ import ( ) func main() { + ai := flag.String("ai", "eddsa", "ecdsa|eddsa (ECDSA-256 or EdDSA algorithm)") crtPath := flag.String("cert", "cert.pem", "Path to server X.509 certificate") prvPath := flag.String("key", "cert.pem", "Path to server PKCS#8 private key") bind := flag.String("bind", "[::1]:8080", "Bind address") @@ -61,6 +62,7 @@ func main() { ttls.DNSSrv = *dnsSrv tofuproxy.CACert = caCert tofuproxy.CAPrv = caPrv + tofuproxy.X509Algo = *ai rounds.WARCOnly = *warcOnly ln, err := net.Listen("tcp", *bind) diff --git a/go.mod b/go.mod index bb8d191..d025363 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module go.stargrave.org/tofuproxy -go 1.17 +go 1.18 require ( github.com/dustin/go-humanize v1.0.1 diff --git a/tls.go b/tls.go index ef43964..b73d42e 100644 --- a/tls.go +++ b/tls.go @@ -61,7 +61,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) { hostCertsM.Lock() keypair, ok := hostCerts[host] if !ok || !keypair.cert.NotAfter.After(time.Now().Add(time.Hour)) { - keypair = newKeypair(host, CACert, CAPrv) + keypair = newX509Keypair(host, CACert, CAPrv) hostCerts[host] = keypair } hostCertsM.Unlock() diff --git a/x509.go b/x509.go index 4dafb90..f18b219 100644 --- a/x509.go +++ b/x509.go @@ -20,7 +20,9 @@ package tofuproxy import ( "crypto" + "crypto/ecdsa" "crypto/ed25519" + "crypto/elliptic" "crypto/rand" "crypto/x509" "crypto/x509/pkix" @@ -30,15 +32,16 @@ import ( "time" ) -type Keypair struct { +type X509Keypair struct { cert *x509.Certificate prv crypto.PrivateKey } var ( - hostCerts = make(map[string]*Keypair) + hostCerts = make(map[string]*X509Keypair) hostCertsM sync.Mutex Serial *big.Int + X509Algo string ) func init() { @@ -51,15 +54,33 @@ func init() { } } -func newKeypair( +func NewKeypair(ai string) (pub, prv any) { + switch ai { + case "ecdsa": + prvEcdsa, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + log.Fatalln(err) + } + prv = prvEcdsa + pub = prvEcdsa.Public() + case "eddsa": + var err error + pub, prv, err = ed25519.GenerateKey(rand.Reader) + if err != nil { + log.Fatalln(err) + } + default: + log.Fatalln("unknown algorithm specified") + } + return +} + +func newX509Keypair( host string, caCert *x509.Certificate, caPrv crypto.PrivateKey, -) *Keypair { - pub, prv, err := ed25519.GenerateKey(rand.Reader) - if err != nil { - log.Fatalln(err) - } +) *X509Keypair { + pub, prv := NewKeypair(X509Algo) notBefore := time.Now() notAfter := notBefore.Add(24 * time.Hour) Serial = Serial.Add(Serial, big.NewInt(1)) @@ -80,5 +101,5 @@ func newKeypair( if err != nil { log.Fatalln(err) } - return &Keypair{cert, prv} + return &X509Keypair{cert, prv} } -- 2.44.0