From 24f3a6dcafaeb1123134a6733846e93e39c63ea3 Mon Sep 17 00:00:00 2001
From: Luke Curley <kixelated@gmail.com>
Date: Tue, 28 Mar 2023 14:36:30 +0900
Subject: [PATCH] Generate a proper certificate for WebTransport.

---
 README.md     |  2 +-
 cert/generate | 14 ++++++--------
 cert/go.mod   | 14 ++++++++++++++
 cert/go.sum   | 22 ++++++++++++++++++++++
 4 files changed, 43 insertions(+), 9 deletions(-)
 create mode 100644 cert/go.mod
 create mode 100644 cert/go.sum

diff --git a/README.md b/README.md
index 779289c..22e9373 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ Unfortunately, QUIC mandates TLS and makes local development difficult.
 
 If you have a valid certificate you can use it instead of self-signing. The go binaries take a `-tls-cert` and `-tls-key` argument. Skip the remaining steps in this section and use your hostname instead.
 
-Otherwise, use [mkcert](https://github.com/FiloSottile/mkcert) to install a self-signed CA:
+Otherwise, we use [mkcert](https://github.com/FiloSottile/mkcert) to install a self-signed CA:
 ```
 ./generate/cert
 ```
diff --git a/cert/generate b/cert/generate
index 5103f25..9f891c6 100755
--- a/cert/generate
+++ b/cert/generate
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -euxo pipefail
+set -euo pipefail
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
@@ -9,14 +9,12 @@ CRT="$HOST.crt"
 KEY="$HOST.key"
 
 # Install the system certificate if it's not already
-mkcert -install
+# NOTE: The ecdsa flag does nothing but I wish it did
+go run filippo.io/mkcert -ecdsa -install
 
 # Generate a new certificate for localhost
-mkcert -ecdsa -cert-file "$CRT" -key-file "$KEY" localhost 127.0.0.1 ::1
-
-# Reduce the expiration time of the certificate to 14 days; the WebTransport maximum.
-# TODO https://github.com/FiloSottile/mkcert/pull/513
-openssl x509 -days 14 -in "$CRT" -signkey "$KEY" -out "$CRT"
+# This fork of mkcert supports the -days flag.
+go run filippo.io/mkcert -ecdsa -days 10 -cert-file "$CRT" -key-file "$KEY" localhost 127.0.0.1 ::1
 
 # Compute the sha256 fingerprint of the certificate for WebTransport
-# openssl x509 -in "$CRT" -outform der | openssl dgst -sha256
+openssl x509 -in "$CRT" -outform der | openssl dgst -sha256
diff --git a/cert/go.mod b/cert/go.mod
new file mode 100644
index 0000000..ac3c3d0
--- /dev/null
+++ b/cert/go.mod
@@ -0,0 +1,14 @@
+module github.com/kixelated/warp/cert
+
+go 1.18
+
+require (
+	filippo.io/mkcert v1.4.4 // indirect
+	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
+	golang.org/x/net v0.0.0-20220421235706-1d1ef9303861 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	howett.net/plist v1.0.0 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.2.0 // indirect
+)
+
+replace filippo.io/mkcert => github.com/kixelated/mkcert v1.4.4-days
diff --git a/cert/go.sum b/cert/go.sum
new file mode 100644
index 0000000..94fb636
--- /dev/null
+++ b/cert/go.sum
@@ -0,0 +1,22 @@
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+github.com/kixelated/mkcert v1.4.4-days h1:T2P9W4ruEfgLHOl5UljPwh0d79FbFWkSe2IONcUBxG8=
+github.com/kixelated/mkcert v1.4.4-days/go.mod h1:VyvOchVuAye3BoUsPUOOofKygVwLV2KQMVFJNRq+1dA=
+golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 h1:tkVvjkPTB7pnW3jnid7kNyAMPVWllTNOf/qKDze4p9o=
+golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220421235706-1d1ef9303861 h1:yssD99+7tqHWO5Gwh81phT+67hg+KttniBr6UnEXOY8=
+golang.org/x/net v0.0.0-20220421235706-1d1ef9303861/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
+howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
+howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
+software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE=
+software.sslmate.com/src/go-pkcs12 v0.2.0/go.mod h1:23rNcYsMabIc1otwLpTkCCPwUq6kQsTyowttG/as0kQ=