68 lines
1.7 KiB
Go
68 lines
1.7 KiB
Go
package mediaserver
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"math/big"
|
|
"time"
|
|
|
|
"git.netflux.io/rob/octoplex/internal/domain"
|
|
)
|
|
|
|
// generateTLSCert generates a self-signed TLS certificate and private key.
|
|
func generateTLSCert(dnsNames ...string) (domain.KeyPair, error) {
|
|
privKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
|
if err != nil {
|
|
return domain.KeyPair{}, err
|
|
}
|
|
|
|
serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
|
|
if err != nil {
|
|
return domain.KeyPair{}, err
|
|
}
|
|
|
|
now := time.Now()
|
|
template := x509.Certificate{
|
|
SerialNumber: serialNumber,
|
|
Subject: pkix.Name{
|
|
Organization: []string{"octoplex.netflux.io"},
|
|
},
|
|
NotBefore: now,
|
|
NotAfter: now.Add(5 * 365 * 24 * time.Hour),
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
|
BasicConstraintsValid: true,
|
|
DNSNames: dnsNames,
|
|
}
|
|
|
|
certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
|
|
if err != nil {
|
|
return domain.KeyPair{}, err
|
|
}
|
|
|
|
var certPEM, keyPEM bytes.Buffer
|
|
|
|
if err = pem.Encode(&certPEM, &pem.Block{Type: "CERTIFICATE", Bytes: certDER}); err != nil {
|
|
return domain.KeyPair{}, err
|
|
}
|
|
|
|
privKeyDER, err := x509.MarshalECPrivateKey(privKey)
|
|
if err != nil {
|
|
return domain.KeyPair{}, err
|
|
}
|
|
|
|
if err := pem.Encode(&keyPEM, &pem.Block{Type: "EC PRIVATE KEY", Bytes: privKeyDER}); err != nil {
|
|
return domain.KeyPair{}, err
|
|
}
|
|
|
|
return domain.KeyPair{
|
|
Cert: certPEM.Bytes(),
|
|
Key: keyPEM.Bytes(),
|
|
}, nil
|
|
}
|