From 2e660a233d76cf903b47ac55a24405206ea6c0e0 Mon Sep 17 00:00:00 2001
From: Ian Gulliver
Date: Thu, 20 Apr 2023 16:25:33 +0000
Subject: [PATCH] Initial commit
---
.gitignore | 2 ++
go.mod | 17 ++++++++++
go.sum | 32 ++++++++++++++++++
justfile | 18 +++++++++++
pkg_test.go | 11 +++++++
selfcert.go | 84 ++++++++++++++++++++++++++++++++++++++++++++++++
selfcert_test.go | 49 ++++++++++++++++++++++++++++
7 files changed, 213 insertions(+)
create mode 100644 .gitignore
create mode 100644 go.mod
create mode 100644 go.sum
create mode 100644 justfile
create mode 100644 pkg_test.go
create mode 100644 selfcert.go
create mode 100644 selfcert_test.go
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6754c7d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+cover.out
+cover.html
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..bffa434
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,17 @@
+module github.com/gopatchy/selfcert
+
+go 1.19
+
+require (
+ github.com/go-resty/resty/v2 v2.7.0
+ github.com/stretchr/testify v1.8.2
+ go.uber.org/goleak v1.2.1
+)
+
+require (
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/kr/text v0.2.0 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ golang.org/x/net v0.0.0-20211029224645-99673261e6eb // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..034dd95
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,32 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
+github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
+go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
+golang.org/x/net v0.0.0-20211029224645-99673261e6eb h1:pirldcYWx7rx7kE5r+9WsOXPXK0+WH5+uZ7uPmJ44uM=
+golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sys 
v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..d607f93
--- /dev/null
+++ b/justfile
@@ -0,0 +1,18 @@
+go := env_var_or_default('GOCMD', 'go')
+
+default: tidy test
+
+tidy:
+ {{go}} mod tidy
+ goimports -l -w .
+ gofumpt -l -w .
+ {{go}} fmt ./...
+
+test:
+ {{go}} vet ./...
+ golangci-lint run ./...
+ {{go}} test -race -coverprofile=cover.out -timeout=60s -parallel=10 ./...
+ {{go}} tool cover -html=cover.out -o=cover.html
+
+todo:
+ -git grep -e TODO --and --not -e ignoretodo
diff --git a/pkg_test.go b/pkg_test.go
new file mode 100644
index 0000000..a5c948d
--- /dev/null
+++ b/pkg_test.go
@@ -0,0 +1,11 @@
+package selfcert_test
+
+import (
+ "testing"
+
+ "go.uber.org/goleak"
+)
+
+func TestMain(m *testing.M) {
+ goleak.VerifyTestMain(m)
+}
diff --git a/selfcert.go b/selfcert.go
new file mode 100644
index 0000000..934fb0f
--- /dev/null
+++ b/selfcert.go
@@ -0,0 +1,84 @@
+package selfcert
+
+import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rand"
+ "crypto/tls"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "math/big"
+ "net"
+ "time"
+)
+
+func NewTLSConfig(hosts []string) (*tls.Config, error) {
+ priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ if err != nil {
+ return nil, err
+ }
+
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ if err != nil {
+ return nil, err
+ }
+
+ template := x509.Certificate{
+ SerialNumber: serialNumber,
+ Subject: pkix.Name{
+ Organization: []string{"Acme Co"},
+ },
+ NotBefore: time.Now(),
+ NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
+ KeyUsage: x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ BasicConstraintsValid: true,
+ }
+
+ for _, h := range hosts {
+ if ip := net.ParseIP(h); ip != nil {
+ template.IPAddresses = append(template.IPAddresses, ip)
+ } else {
+ template.DNSNames = append(template.DNSNames, h)
+ }
+ }
+
+ certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+ if err != nil {
+ return nil, err
+ }
+
+ certPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes})
+
+ keyBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+ if err != nil {
+ return nil, err
+ }
+
+ keyPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyBytes})
+
+ cert, err := tls.X509KeyPair(certPem, keyPem)
+ if err != nil {
+ return nil, err
+ }
+
+ conf := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS13,
+ NextProtos: []string{"h2"},
+ }
+
+ return conf, nil
+}
+
+func NewTLSConfigFromHostPort(hostport string) (*tls.Config, error) {
+ host, _, err := net.SplitHostPort(hostport)
+ if err != nil {
+ return nil, err
+ }
+
+ return NewTLSConfig([]string{host})
+}
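Review bot: NewTLSConfig accepts an empty `hosts` slice and silently issues a certificate with no DNS or IP SANs, which every verifying client rejects as a hostname mismatch, so the failure only shows up at the peer; guard the SAN loop with `if len(hosts) == 0 { return nil, errors.New("selfcert: at least one host or IP address is required") }` (adding `errors` to the imports). Because the certificate is self-signed, a client can only trust it by pinning the leaf, whose DER is reachable at `conf.Certificates[0].Certificate[0]`, and the function should say so in a doc comment rather than leaving callers to reach for `InsecureSkipVerify`, e.g. `// NewTLSConfig returns a server tls.Config backed by a freshly generated, self-signed P-256 certificate valid for hosts (DNS names or IP literals); clients must add conf.Certificates[0].Certificate[0] to their RootCAs to verify it.` `NotBefore: time.Now()` gives no clock-skew allowance, so a peer whose clock is slightly behind treats the certificate as not yet valid; the usual fix is to backdate it, `NotBefore: time.Now().Add(-5 * time.Minute)`. `NextProtos: []string{"h2"}` with no `"http/1.1"` entry also means an HTTP/1.1-only client that offers ALPN is refused by Go's TLS server, which is worth either documenting or widening to `[]string{"h2", "http/1.1"}`.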
diff --git a/selfcert_test.go b/selfcert_test.go
new file mode 100644
index 0000000..9590271
--- /dev/null
+++ b/selfcert_test.go
@@ -0,0 +1,49 @@
+package selfcert_test
+
+import (
+ "context"
+ "crypto/tls"
+ "fmt"
+ "net"
+ "net/http"
+ "testing"
+ "time"
+
+ "github.com/go-resty/resty/v2"
+ "github.com/gopatchy/selfcert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestCert(t *testing.T) {
+ t.Parallel()
+
+ conf, err := selfcert.NewTLSConfigFromHostPort("localhost:0")
+ require.NoError(t, err)
+
+ listener, err := tls.Listen("tcp", "localhost:0", conf)
+ require.NoError(t, err)
+
+ baseURL := fmt.Sprintf("https://localhost:%d/", listener.Addr().(*net.TCPAddr).Port)
+
+ srv := &http.Server{
+ ReadHeaderTimeout: 1 * time.Second,
+ }
+
+ go func() {
+ _ = srv.Serve(listener)
+ }()
+
+ cli := resty.New()
+ cli.SetBaseURL(baseURL)
+ cli.SetTLSClientConfig(&tls.Config{
+ InsecureSkipVerify: true, //nolint:gosec
+ })
+
+ resp, err := cli.R().Get("/")
+ require.NoError(t, err)
+ require.True(t, resp.IsError())
+ require.Equal(t, resp.StatusCode(), 404)
+
+ err = srv.Shutdown(context.Background())
+ require.NoError(t, err)
+}
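Review bot: The client is configured with `InsecureSkipVerify: true`, so TestCert never checks that the generated certificate verifies for `localhost`, carries the right SAN or negotiates TLS 1.3 — the properties the package exists to provide — and only the TCP/HTTP plumbing is exercised. Pin the leaf instead: parse `conf.Certificates[0].Certificate[0]`, put it in an `x509.CertPool` used as `RootCAs`, and drop the skip flag, so a regression in the SAN logic fails the test (this needs `crypto/x509` in the imports). Separately, `require.Equal(t, resp.StatusCode(), 404)` has expected and actual reversed, which garbles the failure message; it should read `require.Equal(t, 404, resp.StatusCode())`. The `srv.Serve` goroutine is only shut down on the success path, so any `require` failure before `Shutdown` leaks it into goleak's check; registering `t.Cleanup(func() { _ = srv.Shutdown(context.Background()) })` right after the server is created avoids the misleading secondary failure.
```go
	leaf, err := x509.ParseCertificate(conf.Certificates[0].Certificate[0])
	require.NoError(t, err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)

	cli := resty.New()
	cli.SetBaseURL(baseURL)
	cli.SetTLSClientConfig(&tls.Config{
		RootCAs:    pool,
		MinVersion: tls.VersionTLS13,
	})
	// … unchanged: request, status assertions and shutdown …
```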