ZDDC
460d5fdada
The TLS configuration was using Go stdlib defaults — secure for typical
commercial use, but federal evaluators need an explicit cipher
allowlist they can map to a FIPS-validated implementation. Pin the
cipher and curve lists to NIST SP 800-52 Rev. 2 § 3.3 conformant
values:
Ciphers (TLS 1.2):
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
Curves: X25519, P-256, P-384
MinVersion: TLS 1.2 (already set; 1.3 used when negotiated)
TLS 1.3 cipher selection is not operator-controllable in Go stdlib
(the runtime picks from a fixed AEAD-only set); all of those
already meet the federal bar so no change needed there.
Also adds HSTSMiddleware emitting `Strict-Transport-Security:
max-age=31536000; includeSubDomains` when zddc-server is itself
terminating TLS (ZDDC_TLS_CERT != none). Behind an upstream proxy
terminating TLS the proxy is responsible for HSTS, so the middleware
only wraps the chain when useTLS=true.
Test coverage:
* TLSConfig(none) returns nil + useTLS=false
* TLSConfig(selfsigned) sets the exact NIST allowlist
* Negative test asserting weak ciphers (CBC, RC4, 3DES, RSA-key-
exchange) are NOT in the list — guardrail against regressions
Federal-readiness gap analysis updated: this control is now partially
complete. OCSP stapling and CT-log inclusion remain on the list for
full DoD STIG conformance.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
112 lines
3.5 KiB
Go
112 lines
3.5 KiB
Go
package tlsutil
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"math/big"
|
|
"net"
|
|
"time"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
|
|
)
|
|
|
|
// TLSConfig returns a *tls.Config and a flag indicating whether to use TLS.
|
|
// If cfg.TLSMode is "none", returns (nil, false, nil) for plain HTTP.
|
|
// If cfg.TLSMode is "selfsigned" or "provided", returns a TLS config and true.
|
|
func TLSConfig(cfg config.Config) (*tls.Config, bool, error) {
|
|
if cfg.TLSMode == "none" {
|
|
return nil, false, nil
|
|
}
|
|
|
|
var cert tls.Certificate
|
|
var err error
|
|
|
|
if cfg.TLSCert != "" && cfg.TLSKey != "" {
|
|
cert, err = tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
|
|
} else {
|
|
cert, err = selfSigned()
|
|
}
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
|
|
return &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
MinVersion: tls.VersionTLS12,
|
|
// NIST SP 800-52 Rev. 2 conformant cipher allowlist for TLS 1.2.
|
|
// (TLS 1.3 ciphers are not operator-selectable in Go's stdlib —
|
|
// the runtime picks from a fixed set of AEAD suites; that's fine
|
|
// because all of them meet the federal bar.) Order matters when
|
|
// preferServerCipherSuites was respected by clients; modern Go
|
|
// uses the runtime's own preference, but the explicit list still
|
|
// drops every weak suite a client might offer.
|
|
// AES-128-GCM is listed before AES-256-GCM because hardware
|
|
// AES-NI makes the 128-bit suite measurably faster with no
|
|
// security-margin compromise (NIST allows both).
|
|
CipherSuites: []uint16{
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
},
|
|
// NIST SP 800-52 Rev. 2 § 3.3.2: X25519, P-256, P-384.
|
|
// X25519 first — fastest modern curve, no known weaknesses;
|
|
// the NIST P-curves follow for clients that don't support it.
|
|
CurvePreferences: []tls.CurveID{
|
|
tls.X25519,
|
|
tls.CurveP256,
|
|
tls.CurveP384,
|
|
},
|
|
}, true, nil
|
|
}
|
|
|
|
// selfSigned generates an in-memory ECDSA P-256 self-signed certificate
|
|
// valid for 10 years. The certificate is never written to disk.
|
|
func selfSigned() (tls.Certificate, error) {
|
|
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
return tls.Certificate{}, err
|
|
}
|
|
|
|
serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
|
|
if err != nil {
|
|
return tls.Certificate{}, err
|
|
}
|
|
|
|
template := &x509.Certificate{
|
|
SerialNumber: serial,
|
|
Subject: pkix.Name{
|
|
CommonName: "zddc-server",
|
|
Organization: []string{"ZDDC"},
|
|
},
|
|
NotBefore: time.Now().Add(-time.Minute),
|
|
NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
BasicConstraintsValid: true,
|
|
IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.IPv6loopback},
|
|
DNSNames: []string{"localhost"},
|
|
}
|
|
|
|
certDER, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
|
|
if err != nil {
|
|
return tls.Certificate{}, err
|
|
}
|
|
|
|
privDER, err := x509.MarshalECPrivateKey(priv)
|
|
if err != nil {
|
|
return tls.Certificate{}, err
|
|
}
|
|
|
|
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
|
|
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: privDER})
|
|
|
|
return tls.X509KeyPair(certPEM, keyPEM)
|
|
}
|