VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/zddc/internal/tlsutil/selfsigned.go
ZDDC ea385b5366 Initial commit 
ZDDC — Zero Day Document Control. A file-naming convention plus five
single-file HTML tools (archive, transmittal, classifier, mdedit,
landing) and an optional Go HTTP server (zddc-server) with ACL and a
virtual archive index. Self-contained, offline-capable, dependency-free.

See README.md for an overview, AGENTS.md and ARCHITECTURE.md for the
build/release/architecture detail, bootstrap/README.md for the
two-level deployment install pattern, and zddc/README.md for the
HTTP server.
2026-04-27 11:05:47 -05:00

86 lines
2.3 KiB
Go
Raw Blame History

package tlsutil
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"net"
"time"
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
)
// TLSConfig returns a *tls.Config and a flag indicating whether to use TLS.
// If cfg.TLSMode is "none", returns (nil, false, nil) for plain HTTP.
// If cfg.TLSMode is "selfsigned" or "provided", returns a TLS config and true.
func TLSConfig(cfg config.Config) (*tls.Config, bool, error) {
if cfg.TLSMode == "none" {
return nil, false, nil
}
var cert tls.Certificate
var err error
if cfg.TLSCert != "" && cfg.TLSKey != "" {
cert, err = tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
} else {
cert, err = selfSigned()
}
if err != nil {
return nil, false, err
}
return &tls.Config{
Certificates: []tls.Certificate{cert},
MinVersion: tls.VersionTLS12,
}, true, nil
}
// selfSigned generates an in-memory ECDSA P-256 self-signed certificate
// valid for 10 years. The certificate is never written to disk.
func selfSigned() (tls.Certificate, error) {
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return tls.Certificate{}, err
}
serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
if err != nil {
return tls.Certificate{}, err
}
template := &x509.Certificate{
SerialNumber: serial,
Subject: pkix.Name{
CommonName: "zddc-server",
Organization: []string{"ZDDC"},
},
NotBefore: time.Now().Add(-time.Minute),
NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.IPv6loopback},
DNSNames: []string{"localhost"},
}
certDER, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
if err != nil {
return tls.Certificate{}, err
}
privDER, err := x509.MarshalECPrivateKey(priv)
if err != nil {
return tls.Certificate{}, err
}
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: privDER})
return tls.X509KeyPair(certPEM, keyPEM)
}
Reference in a new issue View git blame Copy permalink