Skip to content

Commit

Permalink
tls.GenerateTLS (#34)
Browse files Browse the repository at this point in the history
  • Loading branch information
metachris authored Nov 20, 2024
1 parent 4f09e55 commit a33cb04
Showing 1 changed file with 84 additions and 0 deletions.
84 changes: 84 additions & 0 deletions tls/tls_generate.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
// Package tls provides utilities for generating self-signed TLS certificates.
package tls

import (
"bytes"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"net"
"time"
)

// GenerateTLS generated a TLS certificate and key.
// based on https://go.dev/src/crypto/tls/generate_cert.go
// - `hosts`: a list of ip / dns names to include in the certificate
func GenerateTLS(validFor time.Duration, hosts []string) (cert, key []byte, err error) {
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, err
}
keyUsage := x509.KeyUsageDigitalSignature

notBefore := time.Now()
notAfter := notBefore.Add(validFor)

serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return nil, nil, err
}

template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Acme"},
},
NotBefore: notBefore,
NotAfter: notAfter,

KeyUsage: keyUsage,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}

for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}

// certificate is its own CA
template.IsCA = true
template.KeyUsage |= x509.KeyUsageCertSign

derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return nil, nil, err
}

var certOut bytes.Buffer
if err = pem.Encode(&certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
return nil, nil, err
}
cert = certOut.Bytes()

privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
if err != nil {
return nil, nil, err
}

var keyOut bytes.Buffer
err = pem.Encode(&keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
if err != nil {
return nil, nil, err
}
key = keyOut.Bytes()
return cert, key, nil
}

0 comments on commit a33cb04

Please sign in to comment.