From 23fdfee6963c8065c30b9e5bab35475fbb382e4c Mon Sep 17 00:00:00 2001 From: Josh Rickmar Date: Thu, 6 Jun 2019 23:55:24 -0400 Subject: [PATCH 1/2] certgen: Support Ed25519 cert generation on Go 1.13 This adds the function NewEd25519TLSCertPair which uses Ed25519 keys rather than ECDSA keys as required by NewTLSCertPair. Conditional compilation is used to provide the function only on Go 1.13. --- certgen/certgen.go | 6 +- certgen/certgen_ed25519.go | 146 +++++++++++++++++++++++++++++++++++++ 2 files changed, 149 insertions(+), 3 deletions(-) create mode 100644 certgen/certgen_ed25519.go diff --git a/certgen/certgen.go b/certgen/certgen.go index 0e3e05a7f6..d90e461822 100644 --- a/certgen/certgen.go +++ b/certgen/certgen.go @@ -22,9 +22,9 @@ import ( "time" ) -// NewTLSCertPair returns a new PEM-encoded x.509 certificate pair. The -// machine's local interface addresses and all variants of IPv4 and IPv6 -// localhost are included as valid IP addresses. +// NewTLSCertPair returns a new PEM-encoded x.509 certificate pair with new +// ECDSA keys. The machine's local interface addresses and all variants of IPv4 +// and IPv6 localhost are included as valid IP addresses. func NewTLSCertPair(curve elliptic.Curve, organization string, validUntil time.Time, extraHosts []string) (cert, key []byte, err error) { now := time.Now() if validUntil.Before(now) { diff --git a/certgen/certgen_ed25519.go b/certgen/certgen_ed25519.go new file mode 100644 index 0000000000..795a8a08dd --- /dev/null +++ b/certgen/certgen_ed25519.go @@ -0,0 +1,146 @@ +// Copyright (c) 2013-2015 The btcsuite developers +// Copyright (c) 2015-2019 The Decred developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +//+build go1.13 + +package certgen + +import ( + "bytes" + "crypto/ed25519" + "crypto/rand" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "errors" + "fmt" + "math/big" + "net" + "os" + "time" +) + +// NewEd25519TLSCertPair returns a new PEM-encoded x.509 certificate pair with +// new Ed25519 keys. The machine's local interface addresses and all variants +// of IPv4 and IPv6 localhost are included as valid IP addresses. +func NewEd25519TLSCertPair(organization string, validUntil time.Time, extraHosts []string) (cert, key []byte, err error) { + now := time.Now() + if validUntil.Before(now) { + return nil, nil, errors.New("validUntil would create an already-expired certificate") + } + + seed := make([]byte, ed25519.SeedSize) + _, err = rand.Read(seed) + if err != nil { + return nil, nil, err + } + priv := ed25519.NewKeyFromSeed(seed) + + // end of ASN.1 time + endOfTime := time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC) + if validUntil.After(endOfTime) { + validUntil = endOfTime + } + + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) + if err != nil { + return nil, nil, fmt.Errorf("failed to generate serial number: %s", err) + } + + host, err := os.Hostname() + if err != nil { + return nil, nil, err + } + + ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")} + dnsNames := []string{host} + if host != "localhost" { + dnsNames = append(dnsNames, "localhost") + } + + addIP := func(ipAddr net.IP) { + for _, ip := range ipAddresses { + if bytes.Equal(ip, ipAddr) { + return + } + } + ipAddresses = append(ipAddresses, ipAddr) + } + addHost := func(host string) { + for _, dnsName := range dnsNames { + if host == dnsName { + return + } + } + dnsNames = append(dnsNames, host) + } + + addrs, err := interfaceAddrs() + if err != nil { + return nil, nil, err + } + for _, a := range addrs { + ipAddr, _, err := net.ParseCIDR(a.String()) + if err == nil { + addIP(ipAddr) + } + } + + for _, hostStr := range extraHosts { + host, _, err := net.SplitHostPort(hostStr) + if err != nil { + host = hostStr + } + if ip := net.ParseIP(host); ip != nil { + addIP(ip) + } else { + addHost(host) + } + } + + template := x509.Certificate{ + SerialNumber: serialNumber, + Subject: pkix.Name{ + Organization: []string{organization}, + CommonName: host, + }, + NotBefore: now.Add(-time.Hour * 24), + NotAfter: validUntil, + + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | + x509.KeyUsageCertSign, + IsCA: true, // so can sign self. + BasicConstraintsValid: true, + + DNSNames: dnsNames, + IPAddresses: ipAddresses, + } + + derBytes, err := x509.CreateCertificate(rand.Reader, &template, + &template, priv.Public(), priv) + if err != nil { + return nil, nil, fmt.Errorf("failed to create certificate: %v", err) + } + + certBuf := &bytes.Buffer{} + err = pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) + if err != nil { + return nil, nil, fmt.Errorf("failed to encode certificate: %v", err) + } + + keybytes, err := x509.MarshalPKCS8PrivateKey(priv) + if err != nil { + return nil, nil, fmt.Errorf("failed to marshal private key: %v", err) + } + + keyBuf := &bytes.Buffer{} + err = pem.Encode(keyBuf, &pem.Block{Type: "PRIVATE KEY", Bytes: keybytes}) + if err != nil { + return nil, nil, fmt.Errorf("failed to encode private key: %v", err) + } + + return certBuf.Bytes(), keyBuf.Bytes(), nil +} From 1039eb2f8b81f729a486122024f4a58153b8ad5b Mon Sep 17 00:00:00 2001 From: Josh Rickmar Date: Fri, 7 Jun 2019 00:18:27 -0400 Subject: [PATCH 2/2] Update doco --- certgen/README.md | 9 ++++++--- certgen/doc.go | 8 +++++--- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/certgen/README.md b/certgen/README.md index 2c5a2ebcd3..3b470d2306 100644 --- a/certgen/README.md +++ b/certgen/README.md @@ -7,9 +7,12 @@ Certgen ## Overview -This package currently contains a single function for creating -a new TLS certificate key pair, typically used for encrypting -RPC and websocket communications. +This package contains functions for creating self-signed TLS certificate from +random new key pairs, typically used for encrypting RPC and websocket +communications. + +ECDSA certificates are supported on all Go versions. Beginning with Go 1.13, +this package additionally includes support for Ed25519 certificates. ## Installation and Updating diff --git a/certgen/doc.go b/certgen/doc.go index f1ede5c5d4..cf6bed90e4 100644 --- a/certgen/doc.go +++ b/certgen/doc.go @@ -8,9 +8,11 @@ new TLS certificate key pair. Overview -This package currently contains a single function for creating -a new TLS certificate key pair, typically used for encrypting -RPC and websocket communications. +This package contains functions for creating self-signed TLS certificate from +random new key pairs, typically used for encrypting RPC and websocket +communications. +ECDSA certificates are supported on all Go versions. Beginning with Go 1.13, +this package additionally includes support for Ed25519 certificates. */ package certgen