// Copyright (c) 2022, Roel Schut. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package easytls
import (
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"net"
"time"
"github.com/go-pogo/errors"
)
// DefaultTLSConfig returns a modern preconfigured [tls.Config]: TLS 1.2 as the
// minimum protocol version and an allow-list of ECDHE (forward-secret) AEAD
// cipher suites (AES-GCM and ChaCha20-Poly1305) for both ECDSA and RSA
// certificates. Static RSA key exchange, CBC, 3DES and RC4 suites are excluded.
//
// Note that Go only applies CipherSuites to TLS 1.0–1.2 handshakes; the TLS 1.3
// suites are fixed by the standard library and cannot be restricted here.
// Every call returns a fresh value, so callers may mutate the result (set
// Certificates, GetCertificate, ClientAuth, ...) without affecting others.
func DefaultTLSConfig() *tls.Config {
	// ECDHE + AEAD only; the order is informational, since Go 1.17 the
	// standard library chooses its own preference order among enabled suites.
	suites := []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	}

	cfg := new(tls.Config)
	cfg.MinVersion = tls.VersionTLS12
	cfg.CipherSuites = suites
	return cfg
}
// GetCertificate adapts a TLSCertificateLoader to the callback signature of
// [tls.Config.GetCertificate]. The returned callback ignores the
// [tls.ClientHelloInfo] it receives (no SNI-based selection) and simply asks
// cl for a certificate, so the same certificate is served for every handshake.
//
// The loader is called every time the callback runs, which the TLS stack does
// per handshake; a loader doing expensive work (disk, network) should cache
// internally, and since handshakes may run concurrently it presumably also
// needs to be safe for concurrent use — confirm against the loader
// implementation. A loader error is returned with a stack trace attached and
// the handshake fails; a nil cl panics when the callback first runs.
func GetCertificate(cl TLSCertificateLoader) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	load := func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
		crt, err := cl.LoadTLSCertificate()
		if err == nil {
			return crt, nil
		}
		return nil, errors.WithStack(err)
	}
	return load
}
// CACertificate returns a basic CA [x509.Certificate] template with a validity
// of 10 years starting now and subj as its subject. It marks the certificate
// as a CA via BasicConstraints and asserts the CertSign and DigitalSignature
// key usages; CRLSign is not asserted, so a strict verifier will not accept
// CRLs signed by this key. Nothing else is filled in — SerialNumber, issuer
// and public key are left to the caller / to [x509.CreateCertificate].
//
// NOTE(review): NotBefore is exactly time.Now(), so a peer whose clock runs
// slightly behind rejects the certificate until it catches up; callers that
// care can back-date NotBefore on the returned template. No MaxPathLen is set,
// so the CA may sign intermediates — set MaxPathLenZero to restrict it to
// issuing leaf certificates only.
func CACertificate(subj pkix.Name) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		Subject:               subj,
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CertSign is what lets the key issue certificates; DigitalSignature
		// is asserted alongside it.
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		NotBefore: now,
		NotAfter:  now.AddDate(10, 0, 0),
	}
}
// ServerCertificate returns a leaf [x509.Certificate] template for a TLS
// server, valid for one year from now. Each entry in hosts is added as a
// subject alternative name: a value that parses with [net.ParseIP] goes into
// IPAddresses, anything else into DNSNames. Hosts are not validated or
// normalized beyond that split — a value such as "host:port" or "[::1]" is
// stored verbatim as a DNS name and duplicates are kept.
//
// With no hosts the template carries no SANs at all; Go's verifier no longer
// falls back to the CommonName, so such a certificate is not valid for any
// host. KeyUsage is DigitalSignature only, which is sufficient for the ECDHE
// suites in DefaultTLSConfig (RSA key-exchange suites would additionally need
// KeyEncipherment), and the extended key usage is restricted to ServerAuth.
// Subject, SerialNumber and the key are left to the caller.
func ServerCertificate(hosts ...string) *x509.Certificate {
	var (
		dnsNames []string
		ipAddrs  []net.IP
	)
	for _, host := range hosts {
		ip := net.ParseIP(host)
		if ip == nil {
			dnsNames = append(dnsNames, host)
			continue
		}
		ipAddrs = append(ipAddrs, ip)
	}

	now := time.Now()
	return &x509.Certificate{
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore:   now,
		NotAfter:    now.AddDate(1, 0, 0),
		DNSNames:    dnsNames,
		IPAddresses: ipAddrs,
	}
}
// ClientCertificate returns a leaf [x509.Certificate] template for TLS client
// authentication (mTLS), valid for one year from now. KeyUsage is
// DigitalSignature and the extended key usage is restricted to ClientAuth, so
// a verifier that enforces EKU will not accept a certificate issued from it as
// a server certificate. No subject, SANs, SerialNumber or key are set; the
// caller fills those in before issuance.
func ClientCertificate() *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore:   now,
		NotAfter:    now.AddDate(1, 0, 0),
	}
}
// panicNilDestSubject is the panic message raised by CopyMissingSubjectFields
// when it is handed a nil destination.
const panicNilDestSubject string = "easytls.CopyMissingSubjectFields: dest should not be nil"

// CopyMissingSubjectFields fills every field of dest that is still unset with
// the corresponding value from src and leaves fields dest already has alone.
// A typical use is deriving a leaf subject from the CA's subject. "Unset"
// means a nil slice for the multi-valued attributes (Country, Organization,
// OrganizationalUnit, Locality, Province, StreetAddress, PostalCode, Names,
// ExtraNames) and "" for SerialNumber and CommonName; an empty but non-nil
// slice counts as set and is kept.
//
// Slices are assigned, not cloned, so after the call dest shares backing
// arrays with src. Per the crypto/x509/pkix documentation the Names field is
// ignored when a Name is marshalled — only ExtraNames and the typed fields end
// up in a certificate — so copying Names has no effect on issued certificates.
//
// Panics with panicNilDestSubject if dest is nil.
func CopyMissingSubjectFields(src pkix.Name, dest *pkix.Name) {
	if dest == nil {
		panic(panicNilDestSubject)
	}

	// Multi-valued attributes: take src's value only while dest's is nil.
	fillList := func(dst *[]string, val []string) {
		if *dst == nil {
			*dst = val
		}
	}
	// Single-valued attributes: take src's value only while dest's is empty.
	fillString := func(dst *string, val string) {
		if *dst == "" {
			*dst = val
		}
	}

	fillList(&dest.Country, src.Country)
	fillList(&dest.Organization, src.Organization)
	fillList(&dest.OrganizationalUnit, src.OrganizationalUnit)
	fillList(&dest.Locality, src.Locality)
	fillList(&dest.Province, src.Province)
	fillList(&dest.StreetAddress, src.StreetAddress)
	fillList(&dest.PostalCode, src.PostalCode)
	fillString(&dest.SerialNumber, src.SerialNumber)
	fillString(&dest.CommonName, src.CommonName)

	// Attribute lists have a different element type; handled explicitly.
	if dest.Names == nil {
		dest.Names = src.Names
	}
	if dest.ExtraNames == nil {
		dest.ExtraNames = src.ExtraNames
	}
}