Sign upLogin

kodflow/kitsune

View on GitHub
Star
src/internal/core/certs/self.go

Summary

Maintainability
A
0 mins
Test Coverage
package certs

import (
    "crypto/ecdsa"
    "crypto/elliptic"
    "crypto/rand"
    "crypto/tls"
    "crypto/x509"
    "crypto/x509/pkix"
    "math/big"
    "time"

    "github.com/kodflow/kitsune/src/internal/kernel/observability/logger"
)

// generateSelfSignedCert generates a self-signed certificate and returns a tls.Config.
// This function creates an ECDSA private key, generates a unique serial number, and
// then creates an X.509 certificate with this information. The certificate is valid for
// the provided host names and for a duration of one year. The returned tls.Config is configured
// with the generated certificate and security settings.
//
// Parameters:
// - hosts: []string The host names for which the certificate is valid.
//
// Returns:
// - *tls.Config: TLS configuration containing the self-signed certificate.
func generateSelfSignedCert(hosts []string) *tls.Config {
    // Generate an ECDSA private key
    priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    if logger.Fatal(err) {
        return nil
    }

    // Generate a serial number for the certificate
    serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
    if logger.Fatal(err) {
        return nil
    }

    // Define the X.509 certificate template
    template := x509.Certificate{
        SerialNumber: serialNumber,
        Subject: pkix.Name{
            Organization: []string{"Kitsune"},
        },
        NotBefore:             time.Now(),
        NotAfter:              time.Now().Add(365 * 24 * time.Hour),
        KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
        ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
        BasicConstraintsValid: true,
        DNSNames:              hosts,
    }

    // Create the certificate from the template and private key
    derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
    if logger.Fatal(err) {
        return nil
    }

    // Create a tls.Certificate object with the generated certificate
    cert := tls.Certificate{
        Certificate: [][]byte{derBytes},
        PrivateKey:  priv,
    }

    // Configure tls.Config with the certificate and security settings
    tlsConfig := &tls.Config{
        MinVersion: tls.VersionTLS12,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        },
        InsecureSkipVerify: true,
        Certificates:       []tls.Certificate{cert},
    }

    return tlsConfig
}