status-go/server/certs.go

120 lines
2.9 KiB
Go

package server
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"net"
"time"
)
var globalMediaCertificate *tls.Certificate = nil
var globalMediaPem string
func makeRandomSerialNumber() (*big.Int, error) {
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
return rand.Int(rand.Reader, serialNumberLimit)
}
func GenerateX509Cert(sn *big.Int, from, to time.Time, hostname string) *x509.Certificate {
c := &x509.Certificate{
SerialNumber: sn,
Subject: pkix.Name{Organization: []string{"Self-signed cert"}},
NotBefore: from,
NotAfter: to,
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
IsCA: true,
}
ip := net.ParseIP(hostname)
if ip != nil {
c.IPAddresses = []net.IP{ip}
} else {
c.DNSNames = []string{hostname}
}
return c
}
func GenerateX509PEMs(cert *x509.Certificate, key *ecdsa.PrivateKey) (certPem, keyPem []byte, err error) {
derBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, &key.PublicKey, key)
if err != nil {
return
}
certPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
privBytes, err := x509.MarshalPKCS8PrivateKey(key)
if err != nil {
return
}
keyPem = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
return
}
func GenerateTLSCert(notBefore, notAfter time.Time, hostname string) (*tls.Certificate, []byte, error) {
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, err
}
sn, err := makeRandomSerialNumber()
if err != nil {
return nil, nil, err
}
cert := GenerateX509Cert(sn, notBefore, notAfter, hostname)
certPem, keyPem, err := GenerateX509PEMs(cert, priv)
if err != nil {
return nil, nil, err
}
finalCert, err := tls.X509KeyPair(certPem, keyPem)
return &finalCert, certPem, err
}
func generateMediaTLSCert() error {
if globalMediaCertificate != nil {
return nil
}
notBefore := time.Now()
notAfter := notBefore.Add(365 * 24 * time.Hour)
finalCert, certPem, err := GenerateTLSCert(notBefore, notAfter, Localhost)
if err != nil {
return err
}
globalMediaCertificate = finalCert
globalMediaPem = string(certPem)
return nil
}
func PublicMediaTLSCert() (string, error) {
err := generateMediaTLSCert()
if err != nil {
return "", err
}
return globalMediaPem, nil
}
// ToECDSA takes a []byte of D and uses it to create an ecdsa.PublicKey on the elliptic.P256 curve
// this function is basically a P256 curve version of eth-node/crypto.ToECDSA without all the nice validation
func ToECDSA(d []byte) *ecdsa.PrivateKey {
k := new(ecdsa.PrivateKey)
k.D = new(big.Int).SetBytes(d)
k.PublicKey.Curve = elliptic.P256()
k.PublicKey.X, k.PublicKey.Y = k.PublicKey.Curve.ScalarBaseMult(d)
return k
}