Initial commit

Author: Zach Brown

.gitignore

@@ -0,0 +1,2 @@
+.vscode
+

LICENSE.md

@@ -0,0 +1,9 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Zach Brown <zach@prozach.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,26 @@
+# CertTools
+
+[![GoDoc Widget]][GoDoc]
+
+CertTools is a set of settings and tools for TLS Certificates.
+
+It includes parsers for taking strings/config options and enabling minimum TLS versions and Cipher Suites.
+It also includes some decent static defaults which can be used when creating a server.
+```
+server := &http.Server{
+    Addr: ":8443",
+    Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+        w.Header().Set("Content-Type", "text/plain")
+        w.Write([]byte("This is an example server.\n"))
+    }),
+    TLSConfig: &tls.Config{
+        Certificates: []tls.Certificate{cert},
+        MinVersion:   autocert.SecureTLSMinVersion(),
+        CipherSuites: autocert.SecureTLSCipherSuites(),
+    },
+}
+```
+
+CertTools can be used to programatically generate POTENTIALLY INSECURE certificates that can be used for your web server.
+It's horribly insecure and is designed basically for the situation where you don't want to mess with cert files, you want 
+to use tls/https and you don't want to have the cert be different every time you load your app.

autocert.go

@@ -0,0 +1,128 @@
+package certtools
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"math/big"
+	"time"
+)
+
+// InsecureGlobalStatic is a non-random byte reader that can be used to generaate an insecure private key
+// This will generate the same bytes on every box (all zeros). It is horribly insecure.
+type InsecureGlobalStatic struct{}
+
+func InsecureGlobalStaticReader() InsecureGlobalStatic {
+	return InsecureGlobalStatic{}
+}
+
+func (r InsecureGlobalStatic) Read(s []byte) (int, error) {
+	// Set it to all zeros
+	l := len(s)
+	for x := 0; x < l; x++ {
+		s[x] = 0
+	}
+	return l, nil
+}
+
+// InsecureString is a non-random bytes reader that can be used to generate an insecure private key based on a provided string
+// The upside of this is that the same string input should yield the same bytes so you can send in something like the hostname
+// and it will generate the same output everytime you run your program.
+// The downside is that it is very insecure and should only be used for testing
+type InsecureString struct {
+	seed   []byte
+	pos    int
+	length int
+}
+
+func InsecureStringReader(seed string) *InsecureString {
+	// Ensure there is at least one character in seed
+	if len(seed) == 0 {
+		seed = " "
+	}
+	return &InsecureString{
+		seed:   []byte(seed),
+		pos:    0,
+		length: len(seed),
+	}
+}
+func (r *InsecureString) Read(s []byte) (int, error) {
+	// Just repead the string over and over
+	l := len(s)
+	for x := 0; x < l; x++ {
+		s[x] = r.seed[r.pos%r.length]
+		r.pos++
+	}
+	return l, nil
+}
+
+// AutoCert generates a self-signed cert using the specified private key mechanism
+func AutoCert(commonName string, orgName string, orgUnitName string, dnsNames []string, notBefore time.Time, notAfter time.Time, keyReader io.Reader) (tls.Certificate, error) {
+
+	if commonName == "" {
+		return tls.Certificate{}, fmt.Errorf("commonName must not be blank")
+	}
+
+	// Generate the key
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), keyReader)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("Could not generate private key: %v\n", err)
+	}
+
+	// Build Cert
+	cert := x509.Certificate{
+		SerialNumber: big.NewInt(0),
+		Subject: pkix.Name{
+			CommonName: commonName,
+		},
+		NotBefore: notBefore,
+		NotAfter:  notAfter,
+
+		IsCA: true,
+
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+
+		BasicConstraintsValid: true,
+	}
+
+	// If dnsNames is nil, use common name
+	if dnsNames == nil {
+		cert.DNSNames = []string{commonName}
+	} else {
+		cert.DNSNames = dnsNames
+	}
+
+	if orgName != "" {
+		cert.Subject.Organization = []string{orgName}
+	}
+	if orgUnitName != "" {
+		cert.Subject.OrganizationalUnit = []string{orgUnitName}
+	}
+
+	// Create Cert
+	derBytes, err := x509.CreateCertificate(keyReader, &cert, &cert, &privKey.PublicKey, privKey)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("Failed to create certificate: %s", err)
+	}
+
+	pKeyBytes, err := x509.MarshalECPrivateKey(privKey)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("Failed to marshal private key: %s", err)
+	}
+
+	certBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	privBytes := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: pKeyBytes})
+
+	tlsCert, err := tls.X509KeyPair(certBytes, privBytes)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("Failed to load key-pair: %s", err)
+	}
+
+	return tlsCert, nil
+}

example/example.go

@@ -0,0 +1,62 @@
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/snowzach/certtools"
+)
+
+func main() {
+
+	// Get the hostname
+	hostname, err := os.Hostname()
+	if err != nil {
+		hostname = "localhost"
+	}
+
+	address := flag.String("l", ":1234", "What address to listen on")
+	cn := flag.String("cn", hostname, "The common name for the certificate")
+	o := flag.String("o", "", "The org for the certificate")
+	ou := flag.String("ou", "", "The org unit for the certificate")
+
+	// Good starting at unix epoch for 100 years
+	var notBefore time.Time
+	var notAfter time.Time = notBefore.Add(100 * 365 * 24 * time.Hour)
+
+	// This will generate the same certificate every time it is run on the same host
+	cert, err := certtools.AutoCert(*cn, *o, *ou, nil, notBefore, notAfter, certtools.InsecureStringReader(hostname))
+
+	// Build the server and manually specify TLS Config
+	server := &http.Server{
+		Addr: *address,
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			w.Header().Set("Content-Type", "text/plain")
+			w.Write([]byte("This is an example server.\n"))
+		}),
+		TLSConfig: &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			MinVersion:   certtools.SecureTLSMinVersion(),
+			CipherSuites: certtools.SecureTLSCipherSuites(),
+		},
+	}
+
+	// Listen
+	listener, err := net.Listen("tcp", *address)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Printf("Listening on %s\n", *address)
+
+	// Serve
+	if err := server.Serve(tls.NewListener(listener, server.TLSConfig)); err != nil {
+		panic(err)
+	}
+
+}

go.mod

@@ -0,0 +1 @@
+module github.com/snowzach/certtools

securecert.go

@@ -0,0 +1,102 @@
+package certtools
+
+import (
+	"crypto/tls"
+	"fmt"
+)
+
+var (
+
+	// tlsVersions is a string array of TLS versions suitable for use by tlsMinVersion
+	tlsVersions = map[string]uint16{
+		`VersionTLS10`: tls.VersionTLS10,
+		`VersionTLS11`: tls.VersionTLS11,
+		`VersionTLS12`: tls.VersionTLS12,
+	}
+
+	defaultTLSMinVersion uint16 = tls.VersionTLS12
+
+	// tlsCipherSuites is a map of TLS CipherSuites from crypto/tls
+	// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
+	tlsCipherSuites = map[string]uint16{
+		`TLS_RSA_WITH_RC4_128_SHA`:                tls.TLS_RSA_WITH_RC4_128_SHA,
+		`TLS_RSA_WITH_3DES_EDE_CBC_SHA`:           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		`TLS_RSA_WITH_AES_128_CBC_SHA`:            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		`TLS_RSA_WITH_AES_256_CBC_SHA`:            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		`TLS_RSA_WITH_AES_128_CBC_SHA256`:         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+		`TLS_RSA_WITH_AES_128_GCM_SHA256`:         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		`TLS_RSA_WITH_AES_256_GCM_SHA384`:         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`:        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		`TLS_ECDHE_RSA_WITH_RC4_128_SHA`:          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`:     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`:   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`:    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`:  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+	}
+
+	// defaultTLSCipherSuites is the A+ and A list of suites from: https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
+	defaultTLSCipherSuites = []uint16{
+		// These are compatible with grpc
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		// These are compatible with autocert
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	}
+)
+
+// SecureTLSMinVersion returns a secure TLSMinVersion=defaultTLSMinVersion
+func SecureTLSMinVersion() uint16 {
+	return defaultTLSMinVersion
+}
+
+// This takes a string TLS version and converts it into the go tls version. A blank version will return defaultTLSMinVersion
+func ParseTLSVersion(version string) (uint16, error) {
+	// Blank/Default value is tls.VersionTLS12
+	if version == "" {
+		return defaultTLSMinVersion, nil
+	}
+	// Otherwise parse values
+	if value, ok := tlsVersions[version]; ok {
+		return value, nil
+	}
+	return defaultTLSMinVersion, fmt.Errorf("Unknown tls version: %s", version)
+}
+
+// SecureTLSCipherSuites returns secure TLSCipherSuites=defaultTLSCipherSuites
+func SecureTLSCipherSuites() []uint16 {
+	return defaultTLSCipherSuites
+}
+
+// This parses a list of tlsCipherSuite strings and returns a slice of tls.CypherSuite values. Blank/Default = defaultTLSCipherSuites
+func ParseTLSCipherSuites(suites []string) ([]uint16, error) {
+	ret := make([]uint16, 0)
+
+	// By default (nothing passed) enable all suites
+	if len(suites) == 0 {
+		return defaultTLSCipherSuites, nil
+	} else {
+		for _, suite := range suites {
+			if value, ok := tlsCipherSuites[suite]; ok {
+				ret = append(ret, value)
+			} else {
+				return nil, fmt.Errorf("Unknown tls cipher suite %s", suite)
+			}
+		}
+	}
+
+	return ret, nil
+}