From 24f3a6dcafaeb1123134a6733846e93e39c63ea3 Mon Sep 17 00:00:00 2001
From: Luke Curley
Date: Tue, 28 Mar 2023 14:36:30 +0900
Subject: [PATCH] Generate a proper certificate for WebTransport.

---
 README.md | 2 +-
 cert/generate | 14 ++++++--------
 cert/go.mod | 14 ++++++++++++++
 cert/go.sum | 22 ++++++++++++++++++++++
 4 files changed, 43 insertions(+), 9 deletions(-)
 create mode 100644 cert/go.mod
 create mode 100644 cert/go.sum

diff --git a/README.md b/README.md
index 779289c..22e9373 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ Unfortunately, QUIC mandates TLS and makes local development difficult.
 If you have a valid certificate you can use it instead of self-signing. The go binaries take a `-tls-cert` and `-tls-key` argument. Skip the remaining steps in this section and use your hostname instead.
-Otherwise, use [mkcert](https://github.com/FiloSottile/mkcert) to install a self-signed CA:
+Otherwise, we use [mkcert](https://github.com/FiloSottile/mkcert) to install a self-signed CA:
 ```
 ./generate/cert
 ```
diff --git a/cert/generate b/cert/generate
index 5103f25..9f891c6 100755
--- a/cert/generate
+++ b/cert/generate
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -euxo pipefail
+set -euo pipefail
 cd "$(dirname "${BASH_SOURCE[0]}")"
@@ -9,14 +9,12 @@ CRT="$HOST.crt"
 KEY="$HOST.key"
 # Install the system certificate if it's not already
-mkcert -install
+# NOTE: The ecdsa flag does nothing but I wish it did
+go run filippo.io/mkcert -ecdsa -install
 # Generate a new certificate for localhost
-mkcert -ecdsa -cert-file "$CRT" -key-file "$KEY" localhost 127.0.0.1 ::1
-
-# Reduce the expiration time of the certificate to 14 days; the WebTransport maximum.
-# TODO https://github.com/FiloSottile/mkcert/pull/513
-openssl x509 -days 14 -in "$CRT" -signkey "$KEY" -out "$CRT"
+# This fork of mkcert supports the -days flag.
+go run filippo.io/mkcert -ecdsa -days 10 -cert-file "$CRT" -key-file "$KEY" localhost 127.0.0.1 ::1
 # Compute the sha256 fingerprint of the certificate for WebTransport
-# openssl x509 -in "$CRT" -outform der | openssl dgst -sha256
+openssl x509 -in "$CRT" -outform der | openssl dgst -sha256
diff --git a/cert/go.mod b/cert/go.mod
new file mode 100644
index 0000000..ac3c3d0
--- /dev/null
+++ b/cert/go.mod
@@ -0,0 +1,14 @@
+module github.com/kixelated/warp/cert
+
+go 1.18
+
+require (
+ filippo.io/mkcert v1.4.4 // indirect
+ golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
+ golang.org/x/net v0.0.0-20220421235706-1d1ef9303861 // indirect
+ golang.org/x/text v0.3.7 // indirect
+ howett.net/plist v1.0.0 // indirect
+ software.sslmate.com/src/go-pkcs12 v0.2.0 // indirect
+)
+
+replace filippo.io/mkcert => github.com/kixelated/mkcert v1.4.4-days
diff --git a/cert/go.sum b/cert/go.sum
new file mode 100644
index 0000000..94fb636
--- /dev/null
+++ b/cert/go.sum
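Review bot: The `-days 10` argument on the second `go run` line discards the reason the removed comment gave for the old `openssl x509 -days 14` step (14 days being the WebTransport maximum), so nothing in the new script tells a reader that the value is an upper bound rather than a preference; I would keep it as `# WebTransport caps certificate validity at 14 days (see upstream mkcert PR 513); 10 stays safely under that.` The same forked binary that provides `-days` is now also what `-install` runs to write a CA into the system trust store, and the comment above the `replace`-backed `go run` only mentions the flag, so it is worth adding `# Both steps run the fork pinned in go.mod/go.sum, not upstream mkcert.` so a later reader knows the trust-store install depends on it too. Because `go run` resolves and builds the module at execution time, a first run now needs a Go toolchain and network access where the previous script only needed `mkcert` on PATH; a guard such as `command -v go >/dev/null || { echo "go toolchain required" >&2; exit 1; }` before the first `go run` would give a clearer failure than the raw shell error, since `set -e` otherwise aborts on it.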
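Review bot: The `replace` directive on the last line redirects every `filippo.io/mkcert` resolution to the fork tag `github.com/kixelated/mkcert v1.4.4-days` without recording why, and since that fork is what the generate script runs with `-install` to add a CA to the trust store, a later maintainer bumping it needs the context; I would add `// fork of mkcert carrying the -days flag from https://github.com/FiloSottile/mkcert/pull/513; review the fork diff before updating` above it. A tag can be moved on the forge side, so the pin that actually holds is the `h1:` hash in cert/go.sum; pointing the `replace` at the fork's commit pseudo-version instead of the tag would make that explicit in go.mod as well. Every `require` entry is marked `// indirect` because the module contains no Go source, which I believe means `go mod tidy` would prune them and break `go run filippo.io/mkcert`; a build-constrained `tools.go` with a blank import of the package, or at least a comment saying not to tidy this module, would guard against that.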
@@ -0,0 +1,22 @@
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+github.com/kixelated/mkcert v1.4.4-days h1:T2P9W4ruEfgLHOl5UljPwh0d79FbFWkSe2IONcUBxG8=
+github.com/kixelated/mkcert v1.4.4-days/go.mod h1:VyvOchVuAye3BoUsPUOOofKygVwLV2KQMVFJNRq+1dA=
+golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 h1:tkVvjkPTB7pnW3jnid7kNyAMPVWllTNOf/qKDze4p9o=
+golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220421235706-1d1ef9303861 h1:yssD99+7tqHWO5Gwh81phT+67hg+KttniBr6UnEXOY8=
+golang.org/x/net v0.0.0-20220421235706-1d1ef9303861/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
+howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
+howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
+software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE=
+software.sslmate.com/src/go-pkcs12 v0.2.0/go.mod h1:23rNcYsMabIc1otwLpTkCCPwUq6kQsTyowttG/as0kQ=