feat: improve certificate fingerprint support for WebTransport

- Add automatic generation of WebTransport-compatible certificates
  - ECDSA algorithm, 14-day validity, self-signed
  - Generated when no cert files are provided
- Add certificate validation to warn if requirements not met
- Change default listening address to 0.0.0.0:4443
- Disable fingerprint server by default (port 0)
- Add generate-webtransport-cert.sh script for manual cert generation
- Update documentation with simplified fingerprint usage

This makes it easier to use WebTransport fingerprints for development
without needing to manually generate certificates with specific properties.

Author: tobbee

CHANGELOG.md

@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Configuration options for `audiobatch` and `videobatch` to control how many frames should be sent in every MoQ object/CMAF chunk
 - systemd service script and helpers for mlmpub
 - fingerprint endpoint of mlmpub to be used with WebTransport browser clients like [warp-player[wp]
+- Certificate validation and auto-generation for WebTransport-compatible certificates (ECDSA, 14-day validity)
 
 ## [0.2.0] - 2025-04-28
 

README.md

@@ -114,22 +114,42 @@ One way to do that is with mkcert:
 ```sh
 > mkcert -key-file key.pem -cert-file cert.pem localhost 127.0.0.1 ::1
 > mkcert -install
-> go run . -cert cert.pem -key key.pem -addr localhost:4443
+> go run . -cert cert.pem -key key.pem
 ```
 
 #### Using certificate fingerprint
 
-Alternatively, you can use the certificate fingerprint feature for self-signed certificates without installing them in the browser:
+For browsers that support WebTransport certificate fingerprints (e.g., Chrome), you can use self-signed certificates without installing them:
 
+**Run mlmpub with fingerprint support**:
 ```sh
-> go run . -cert cert.pem -key key.pem -addr 0.0.0.0:4443 -fingerprintport 8081
+> go run . -fingerprintport 8081
+```
+
+This will automatically generate a WebTransport-compatible certificate with:
+- ECDSA algorithm (not RSA)
+- 14-day validity (WebTransport maximum)
+- Self-signed
+
+Alternatively, you can use your own certificate (e.g., generated with the included `generate-webtransport-cert.sh` script):
+```sh
+cd cmd/mlmpub
+./generate-webtransport-cert.sh
+go run . -cert cert-fp.pem -key key-fp.pem -fingerprintport 8081
 ```
 
 This will:
-- Start the MoQ server on port 4443 (listening on all interfaces)
+- Start the MoQ server on port 4443 (default address is `0.0.0.0:4443`, listening on all interfaces)
 - Start an HTTP server on port 8081 that serves the certificate's SHA-256 fingerprint
+- Validate that the certificate meets WebTransport requirements
+
+The warp-player (fingerprint branch) can then connect using:
+- Server URL: `https://localhost:4443/moq` or `https://127.0.0.1:4443/moq`
+- Fingerprint URL: `http://localhost:8081/fingerprint` or `http://127.0.0.1:8081/fingerprint`
 
-The warp-player can then connect using the fingerprint URL to authenticate the self-signed certificate. Use `-fingerprintport 0` to disable the fingerprint server.
+**Notes**: 
+- The fingerprint server is disabled by default (`-fingerprintport 0`). Only enable it when using certificates that meet WebTransport's strict requirements.
+- If no certificate files are provided, mlmpub will generate WebTransport-compatible certificates automatically.
 
 
 ## Development

cmd/mlmpub/generate-webtransport-cert.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Generate WebTransport-compatible certificate with fingerprint
+# Requirements: ECDSA, ≤14 days validity, self-signed
+
+echo "Generating WebTransport-compatible certificate..."
+
+# Generate ECDSA private key
+openssl ecparam -genkey -name prime256v1 -out key-fp.pem
+
+# Generate self-signed certificate valid for 14 days
+openssl req -new -x509 -key key-fp.pem -out cert-fp.pem -days 14 \
+  -subj "/CN=localhost" \
+  -addext "subjectAltName=DNS:localhost,DNS:127.0.0.1,IP:127.0.0.1,IP:::1"
+
+echo "Certificate generated: cert-fp.pem"
+echo "Private key generated: key-fp.pem"
+echo ""
+
+# Verify the certificate
+echo "Certificate details:"
+openssl x509 -in cert-fp.pem -text -noout | grep -E "Signature Algorithm:|Not Before:|Not After:|Subject Alternative Name" -A1
+
+echo ""
+echo "Certificate fingerprint (SHA-256):"
+# Get the fingerprint
+openssl x509 -in cert-fp.pem -noout -fingerprint -sha256 | sed 's/://g' | cut -d'=' -f2 | tr '[:upper:]' '[:lower:]'

cmd/mlmpub/handler.go

@@ -83,6 +83,12 @@ func (h *moqHandler) runServer(ctx context.Context) error {
 }
 
 func (h *moqHandler) startFingerprintServer() {
+	// Validate certificate for WebTransport requirements
+	if err := h.validateCertificateForWebTransport(); err != nil {
+		slog.Warn("Certificate does not meet WebTransport fingerprint requirements", "error", err)
+		slog.Warn("Fingerprint server may not work properly with WebTransport")
+	}
+
 	fingerprint := h.getCertificateFingerprint()
 	if fingerprint == "" {
 		slog.Error("failed to get certificate fingerprint")
@@ -135,6 +141,50 @@ func (h *moqHandler) getCertificateFingerprint() string {
 	return hex.EncodeToString(fingerprint[:])
 }
 
+func (h *moqHandler) validateCertificateForWebTransport() error {
+	if len(h.tlsConfig.Certificates) == 0 {
+		return fmt.Errorf("no certificates found")
+	}
+
+	cert := h.tlsConfig.Certificates[0]
+	if len(cert.Certificate) == 0 {
+		return fmt.Errorf("certificate is empty")
+	}
+
+	// Parse the certificate
+	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		return fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	// Check 1: Must be self-signed (issuer == subject)
+	if x509Cert.Issuer.String() != x509Cert.Subject.String() {
+		return fmt.Errorf("certificate is not self-signed (issuer: %s, subject: %s)", 
+			x509Cert.Issuer.String(), x509Cert.Subject.String())
+	}
+
+	// Check 2: Must use ECDSA algorithm
+	if x509Cert.PublicKeyAlgorithm != x509.ECDSA {
+		return fmt.Errorf("certificate must use ECDSA algorithm, but uses %s", 
+			x509Cert.PublicKeyAlgorithm.String())
+	}
+
+	// Check 3: Must be valid for 14 days or less
+	validityDuration := x509Cert.NotAfter.Sub(x509Cert.NotBefore)
+	maxDuration := 14 * 24 * time.Hour
+	if validityDuration > maxDuration {
+		validityDays := validityDuration.Hours() / 24
+		return fmt.Errorf("certificate validity exceeds 14 days (valid for %.1f days)", validityDays)
+	}
+
+	slog.Info("Certificate meets WebTransport fingerprint requirements",
+		"algorithm", x509Cert.PublicKeyAlgorithm.String(),
+		"validity_days", validityDuration.Hours()/24,
+		"self_signed", true)
+
+	return nil
+}
+
 func serveQUICConn(wt *webtransport.Server, conn quic.Connection) {
 	err := wt.ServeQUICConn(conn)
 	if err != nil {

cmd/mlmpub/main.go

@@ -2,18 +2,24 @@ package main
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/hex"
 	"encoding/pem"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"log/slog"
 	"math/big"
+	"net"
 	"os"
+	"time"
 
 	"github.com/Eyevinn/moqlivemock/internal"
 )
@@ -55,14 +61,14 @@ func parseOptions(fs *flag.FlagSet, args []string) (*options, error) {
 	}
 
 	opts := options{}
-	fs.StringVar(&opts.certFile, "cert", "localhost.pem", "TLS certificate file (only used for server)")
-	fs.StringVar(&opts.keyFile, "key", "localhost-key.pem", "TLS key file (only used for server)")
-	fs.StringVar(&opts.addr, "addr", "localhost:8080", "listen or connect address")
+	fs.StringVar(&opts.certFile, "cert", "cert.pem", "TLS certificate file (only used for server)")
+	fs.StringVar(&opts.keyFile, "key", "key.pem", "TLS key file (only used for server)")
+	fs.StringVar(&opts.addr, "addr", "0.0.0.0:4443", "listen or connect address")
 	fs.StringVar(&opts.asset, "asset", "../../content", "Asset to serve")
 	fs.StringVar(&opts.qlogfile, "qlog", defaultQlogFileName, "qlog file to write to. Use '-' for stderr")
 	fs.IntVar(&opts.audioSampleBatch, "audiobatch", 2, "Nr audio samples per MoQ object/CMAF chunk")
 	fs.IntVar(&opts.videoSampleBatch, "videobatch", 1, "Nr video samples per MoQ object/CMAF chunk")
-	fs.IntVar(&opts.fingerprintPort, "fingerprintport", 8081, "Port for HTTP fingerprint server (0 to disable)")
+	fs.IntVar(&opts.fingerprintPort, "fingerprintport", 0, "Port for HTTP fingerprint server (0 to disable)")
 	fs.BoolVar(&opts.version, "version", false, fmt.Sprintf("Get %s version", appName))
 	err := fs.Parse(args[1:])
 	return &opts, err
@@ -153,23 +159,70 @@ func generateTLSConfigWithCertAndKey(certFile, keyFile string) (*tls.Config, err
 }
 
 // Setup a bare-bones TLS config for the server
+// Generates a certificate that meets WebTransport fingerprint requirements
 func generateTLSConfig() (*tls.Config, error) {
-	key, err := rsa.GenerateKey(rand.Reader, 1024)
+	// Generate ECDSA key (required for WebTransport fingerprints)
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, err
 	}
-	template := x509.Certificate{SerialNumber: big.NewInt(1)}
+
+	// Create certificate template with WebTransport-compatible settings
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "localhost",
+		},
+		Issuer: pkix.Name{
+			CommonName: "localhost", // Explicitly set issuer = subject for self-signed
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(14 * 24 * time.Hour), // 14 days max for WebTransport
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  true, // Self-signed CA
+		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+		DNSNames:              []string{"localhost", "127.0.0.1"}, // Include IP as DNS too
+	}
+
+	// Create self-signed certificate
 	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
 	if err != nil {
 		return nil, err
 	}
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
+
+	// Encode key and certificate to PEM
+	keyBytes, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return nil, err
+	}
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes})
 	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
 
 	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {
 		return nil, err
 	}
+
+	// Parse the generated certificate to get fingerprint
+	parsedCert, err := x509.ParseCertificate(tlsCert.Certificate[0])
+	if err == nil {
+		fingerprint := sha256.Sum256(parsedCert.Raw)
+		slog.Info("Generated WebTransport-compatible certificate",
+			"algorithm", "ECDSA",
+			"validity_days", 14,
+			"self_signed", true,
+			"fingerprint", hex.EncodeToString(fingerprint[:]),
+			"subject", parsedCert.Subject.String(),
+			"issuer", parsedCert.Issuer.String())
+	} else {
+		slog.Info("Generated WebTransport-compatible certificate",
+			"algorithm", "ECDSA",
+			"validity_days", 14,
+			"self_signed", true)
+	}
+
 	return &tls.Config{
 		Certificates: []tls.Certificate{tlsCert},
 		NextProtos:   []string{"moq-00", "h3"},