Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| package main | |
| import ( | |
| "crypto/rand" | |
| "crypto/rsa" | |
| "crypto/tls" | |
| "crypto/x509" | |
| "crypto/x509/pkix" | |
| "encoding/base64" | |
| "encoding/pem" | |
| "fmt" | |
| "math/big" | |
| "sync" | |
| "time" | |
| ) | |
| type wrappedCertificate struct { | |
| sync.Mutex | |
| certificate *tls.Certificate | |
| } | |
| func (c *wrappedCertificate) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { | |
| c.Lock() | |
| defer c.Unlock() | |
| return c.certificate, nil | |
| } | |
| func (c *wrappedCertificate) loadCertificate(cert, key []byte) error { | |
| c.Lock() | |
| defer c.Unlock() | |
| certAndKey, err := tls.X509KeyPair(cert, key) | |
| if err != nil { | |
| return err | |
| } | |
| c.certificate = &certAndKey | |
| return nil | |
| } | |
| func generateNewCert() ([]byte, []byte, error) { | |
| randOrg := make([]byte, 32) | |
| _, err := rand.Read(randOrg) | |
| template := &x509.Certificate{ | |
| IsCA: true, | |
| BasicConstraintsValid: true, | |
| SubjectKeyId: []byte{1}, | |
| SerialNumber: big.NewInt(1), | |
| Subject: pkix.Name{ | |
| Organization: []string{base64.URLEncoding.EncodeToString(randOrg)}, | |
| }, | |
| NotBefore: time.Now(), | |
| NotAfter: time.Now().AddDate(5, 5, 5), | |
| ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, | |
| KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, | |
| } | |
| privatekey, err := rsa.GenerateKey(rand.Reader, 2048) | |
| if err != nil { | |
| return nil, nil, err | |
| } | |
| publickey := &privatekey.PublicKey | |
| certDER, err := x509.CreateCertificate(rand.Reader, template, template, publickey, privatekey) | |
| return pem.EncodeToMemory(&pem.Block{ | |
| Type: "CERTIFICATE", Bytes: certDER}), | |
| pem.EncodeToMemory(&pem.Block{ | |
| Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privatekey)}), | |
| err | |
| } | |
| func main() { | |
| wrappedCert := &wrappedCertificate{} | |
| config := &tls.Config{ | |
| GetCertificate: wrappedCert.getCertificate, | |
| PreferServerCipherSuites: true, | |
| MinVersion: tls.VersionTLS10, | |
| } | |
| network := "0.0.0.0:8080" | |
| listener, err := tls.Listen("tcp", network, config) | |
| if err != nil { | |
| fmt.Println(err.Error()) | |
| return | |
| } | |
| done := make(chan struct{}) | |
| go func() { | |
| ticker := time.NewTicker(1 * time.Second) | |
| defer ticker.Stop() | |
| for { | |
| select { | |
| case <-ticker.C: | |
| fmt.Printf("Generating new certificates.\n") | |
| cert, key, err := generateNewCert() | |
| if err != nil { | |
| fmt.Printf("error when generating new cert: %v", err) | |
| continue | |
| } | |
| err = wrappedCert.loadCertificate(cert, key) | |
| if err != nil { | |
| fmt.Printf("error when loading cert: %v", err) | |
| } | |
| case <-done: | |
| return | |
| } | |
| } | |
| }() | |
| defer close(done) | |
| for { | |
| conn, err := listener.Accept() | |
| if err != nil { | |
| fmt.Println(err.Error()) | |
| continue | |
| } | |
| fmt.Fprintf(conn, "Hello over TLS\n") | |
| conn.Close() | |
| } | |
| } |