mirror of
https://github.com/tobychui/zoraxy.git
synced 2025-08-05 20:58:28 +02:00
4d3d1b25cb
- Moved certification related functions into tlscert module - Added specific host TLS behavior logic - Added support for disabling SNI and manually overwrite preferred certificate to serve - Fixed SSO requestHeaders null bug
94 lines
3.1 KiB
Go
94 lines
3.1 KiB
Go
package tlscert
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"math/big"
|
|
"os"
|
|
"path/filepath"
|
|
"time"
|
|
)
|
|
|
|
// GenerateSelfSignedCertificate generates a self-signed ECDSA certificate and saves it to the specified files.
|
|
func (m *Manager) GenerateSelfSignedCertificate(cn string, sans []string, certFile string, keyFile string) error {
|
|
// Generate private key (ECDSA P-256)
|
|
privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
m.Logger.PrintAndLog("tls-router", "Failed to generate private key", err)
|
|
return err
|
|
}
|
|
|
|
// Create certificate template
|
|
template := x509.Certificate{
|
|
SerialNumber: big.NewInt(time.Now().UnixNano()),
|
|
Subject: pkix.Name{
|
|
CommonName: cn, // Common Name for the certificate
|
|
Organization: []string{"aroz.org"}, // Organization name
|
|
OrganizationalUnit: []string{"Zoraxy"}, // Organizational Unit
|
|
Country: []string{"US"}, // Country code
|
|
},
|
|
NotBefore: time.Now(),
|
|
NotAfter: time.Now().Add(365 * 24 * time.Hour), // valid for 1 year
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
|
BasicConstraintsValid: true,
|
|
DNSNames: sans, // Subject Alternative Names
|
|
}
|
|
|
|
// Create self-signed certificate
|
|
certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
|
|
if err != nil {
|
|
m.Logger.PrintAndLog("tls-router", "Failed to create certificate", err)
|
|
return err
|
|
}
|
|
|
|
// Remove old certificate file if it exists
|
|
certPath := filepath.Join(m.CertStore, certFile)
|
|
if _, err := os.Stat(certPath); err == nil {
|
|
os.Remove(certPath)
|
|
}
|
|
|
|
// Remove old key file if it exists
|
|
keyPath := filepath.Join(m.CertStore, keyFile)
|
|
if _, err := os.Stat(keyPath); err == nil {
|
|
os.Remove(keyPath)
|
|
}
|
|
|
|
// Write certificate to file
|
|
certOut, err := os.Create(filepath.Join(m.CertStore, certFile))
|
|
if err != nil {
|
|
m.Logger.PrintAndLog("tls-router", "Failed to open cert file for writing: "+certFile, err)
|
|
return err
|
|
}
|
|
defer certOut.Close()
|
|
err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})
|
|
if err != nil {
|
|
m.Logger.PrintAndLog("tls-router", "Failed to write certificate to file: "+certFile, err)
|
|
return err
|
|
}
|
|
|
|
// Encode private key to PEM
|
|
privBytes, err := x509.MarshalECPrivateKey(privKey)
|
|
if err != nil {
|
|
m.Logger.PrintAndLog("tls-router", "Unable to marshal ECDSA private key", err)
|
|
return err
|
|
}
|
|
keyOut, err := os.Create(filepath.Join(m.CertStore, keyFile))
|
|
if err != nil {
|
|
m.Logger.PrintAndLog("tls-router", "Failed to open key file for writing: "+keyFile, err)
|
|
return err
|
|
}
|
|
defer keyOut.Close()
|
|
err = pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: privBytes})
|
|
if err != nil {
|
|
m.Logger.PrintAndLog("tls-router", "Failed to write private key to file: "+keyFile, err)
|
|
return err
|
|
}
|
|
m.Logger.PrintAndLog("tls-router", "Certificate and key generated: "+certFile+", "+keyFile, nil)
|
|
return nil
|
|
}
|