Skip to content

Instantly share code, notes, and snippets.

@crhntr

crhntr/selfSigningHttpsServer.go

Last active October 29, 2017 20:38
Show Gist options
  • Save crhntr/0edce736fc42391914307dbd9924ca83 to your computer and use it in GitHub Desktop.
Save crhntr/0edce736fc42391914307dbd9924ca83 to your computer and use it in GitHub Desktop.
Download ZIP
An HTTPS server that generates it's own cert in memory.
Raw
selfSigningHttpsServer.go
package main
import (
"bytes"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"log"
"math/big"
"net"
"net/http"
"os"
"strings"
"time"
)
func main() {
certPem, keyPem, err := generateCert("127.0.0.1", "testing", time.Now(), time.Minute)
if err != nil {
panic(err)
}
cert, err := tls.X509KeyPair(keyPem, certPem)
if err != nil {
panic(err)
}
mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello, world!")
})
server := &http.Server{
Addr: ":8443",
TLSConfig: &tls.Config{
GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
return &cert, nil
},
},
Handler: mux,
}
server.ListenAndServeTLS("", "")
}
func generateCert(host, organization string, notBefore time.Time, validFor time.Duration) (certPEMBlock, keyPEMBlock []byte, err error) {
if len(host) == 0 || len(organization) == 0 {
return certPEMBlock, keyPEMBlock, fmt.Errorf("Missing required --host parameter")
}
const rsaBits = 2048
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return certPEMBlock, keyPEMBlock, err
}
notAfter := notBefore.Add(validFor)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return certPEMBlock, keyPEMBlock, err
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{organization},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
hosts := strings.Split(host, ",")
for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
if err != nil {
return certPEMBlock, keyPEMBlock, err
}
pemBlocks := pemBlockForKey(priv)
certOutBytes := bytes.NewBuffer(make([]byte, 0, len(derBytes)))
keyOutBytes := bytes.NewBuffer(make([]byte, 0, len(pemBlocks.Bytes)))
pem.Encode(certOutBytes, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
log.Print("written certOutBytes\n")
// keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
// if err != nil {
// log.Print("failed to open key.pem for writing:", err)
// return
// }
pem.Encode(keyOutBytes, pemBlocks)
// keyOut.Close()
log.Print("written keyOutBytes\n")
return keyOutBytes.Bytes(), certOutBytes.Bytes(), nil
}
func publicKey(priv interface{}) interface{} {
switch k := priv.(type) {
case *rsa.PrivateKey:
return &k.PublicKey
case *ecdsa.PrivateKey:
return &k.PublicKey
default:
return nil
}
}
func pemBlockForKey(priv interface{}) *pem.Block {
switch k := priv.(type) {
case *rsa.PrivateKey:
return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
case *ecdsa.PrivateKey:
b, err := x509.MarshalECPrivateKey(k)
if err != nil {
fmt.Fprintf(os.Stderr, "Unable to marshal ECDSA private key: %v", err)
os.Exit(2)
}
return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
default:
return nil
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment