Restructure TLS options

- Moved certification related functions into tlscert module
- Added specific host TLS behavior logic
- Added support for disabling SNI and manually overwrite preferred certificate to serve
- Fixed SSO requestHeaders null bug

src/mod/tlscert/certgen.go

@@ -0,0 +1,93 @@
+package tlscert
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// GenerateSelfSignedCertificate generates a self-signed ECDSA certificate and saves it to the specified files.
+func (m *Manager) GenerateSelfSignedCertificate(cn string, sans []string, certFile string, keyFile string) error {
+	// Generate private key (ECDSA P-256)
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to generate private key", err)
+		return err
+	}
+
+	// Create certificate template
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(time.Now().UnixNano()),
+		Subject: pkix.Name{
+			CommonName:         cn,                   // Common Name for the certificate
+			Organization:       []string{"aroz.org"}, // Organization name
+			OrganizationalUnit: []string{"Zoraxy"},   // Organizational Unit
+			Country:            []string{"US"},       // Country code
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // valid for 1 year
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              sans, // Subject Alternative Names
+	}
+
+	// Create self-signed certificate
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to create certificate", err)
+		return err
+	}
+
+	// Remove old certificate file if it exists
+	certPath := filepath.Join(m.CertStore, certFile)
+	if _, err := os.Stat(certPath); err == nil {
+		os.Remove(certPath)
+	}
+
+	// Remove old key file if it exists
+	keyPath := filepath.Join(m.CertStore, keyFile)
+	if _, err := os.Stat(keyPath); err == nil {
+		os.Remove(keyPath)
+	}
+
+	// Write certificate to file
+	certOut, err := os.Create(filepath.Join(m.CertStore, certFile))
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to open cert file for writing: "+certFile, err)
+		return err
+	}
+	defer certOut.Close()
+	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to write certificate to file: "+certFile, err)
+		return err
+	}
+
+	// Encode private key to PEM
+	privBytes, err := x509.MarshalECPrivateKey(privKey)
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Unable to marshal ECDSA private key", err)
+		return err
+	}
+	keyOut, err := os.Create(filepath.Join(m.CertStore, keyFile))
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to open key file for writing: "+keyFile, err)
+		return err
+	}
+	defer keyOut.Close()
+	err = pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: privBytes})
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to write private key to file: "+keyFile, err)
+		return err
+	}
+	m.Logger.PrintAndLog("tls-router", "Certificate and key generated: "+certFile+", "+keyFile, nil)
+	return nil
+}