1 // tofuproxy -- flexible HTTP/HTTPS proxy, TLS terminator, X.509 TOFU
2 // manager, WARC/geminispace browser
3 // Copyright (C) 2021-2024 Sergey Matveev <stargrave@stargrave.org>
5 // This program is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, version 3 of the License.
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
14 // You should have received a copy of the GNU General Public License
15 // along with this program. If not, see <http://www.gnu.org/licenses/>.
33 type X509Keypair struct {
34 cert *x509.Certificate
39 hostCerts = make(map[string]*X509Keypair)
47 max = max.SetBit(max, 128, 1)
49 Serial, err = rand.Int(rand.Reader, max)
55 func NewKeypair(ai string) (pub, prv any) {
58 prvEcdsa, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
63 pub = prvEcdsa.Public()
66 pub, prv, err = ed25519.GenerateKey(rand.Reader)
71 log.Fatalln("unknown algorithm specified")
78 caCert *x509.Certificate,
79 caPrv crypto.PrivateKey,
81 pub, prv := NewKeypair(X509Algo)
82 notBefore := time.Now()
83 notAfter := notBefore.Add(24 * time.Hour)
84 Serial = Serial.Add(Serial, big.NewInt(1))
85 template := x509.Certificate{
87 Subject: pkix.Name{CommonName: host},
88 DNSNames: []string{host},
92 certRaw, err := x509.CreateCertificate(
93 rand.Reader, &template, caCert, pub, caPrv,
98 cert, err := x509.ParseCertificate(certRaw)
102 return &X509Keypair{cert, prv}