diff --git a/client_test.go b/client_test.go index d29eb6e84d..dac8d86657 100644 --- a/client_test.go +++ b/client_test.go @@ -449,12 +449,16 @@ func testClientRedirectListener(t *testing.T, isTLS bool) net.Listener { var tlsConfig *tls.Config if isTLS { - certFile := "./ssl-cert-snakeoil.pem" - keyFile := "./ssl-cert-snakeoil.key" - cert, err1 := tls.LoadX509KeyPair(certFile, keyFile) - if err1 != nil { - t.Fatalf("Cannot load TLS certificate: %s", err1) + certData, keyData, err := GenerateTestCertificate("localhost") + if err != nil { + t.Fatal(err) } + + cert, kerr := tls.X509KeyPair(certData, keyData) + if kerr != nil { + t.Fatal(kerr) + } + tlsConfig = &tls.Config{ Certificates: []tls.Certificate{cert}, } @@ -2251,12 +2255,16 @@ func startEchoServerExt(t *testing.T, network, addr string, isTLS bool) *testEch var ln net.Listener var err error if isTLS { - certFile := "./ssl-cert-snakeoil.pem" - keyFile := "./ssl-cert-snakeoil.key" - cert, err1 := tls.LoadX509KeyPair(certFile, keyFile) - if err1 != nil { - t.Fatalf("Cannot load TLS certificate: %s", err1) + certData, keyData, err := GenerateTestCertificate("localhost") + if err != nil { + t.Fatal(err) } + + cert, kerr := tls.X509KeyPair(certData, keyData) + if kerr != nil { + t.Fatal(kerr) + } + tlsConfig := &tls.Config{ Certificates: []tls.Certificate{cert}, } diff --git a/examples/fileserver/fileserver.go b/examples/fileserver/fileserver.go index 729c3a6b2f..f6fbd4c80f 100644 --- a/examples/fileserver/fileserver.go +++ b/examples/fileserver/fileserver.go @@ -17,11 +17,11 @@ var ( addr = flag.String("addr", "localhost:8080", "TCP address to listen to") addrTLS = flag.String("addrTLS", "", "TCP address to listen to TLS (aka SSL or HTTPS) requests. Leave empty for disabling TLS") byteRange = flag.Bool("byteRange", false, "Enables byte range requests if set to true") - certFile = flag.String("certFile", "./ssl-cert-snakeoil.pem", "Path to TLS certificate file") + certFile = flag.String("certFile", "./ssl-cert.pem", "Path to TLS certificate file") compress = flag.Bool("compress", false, "Enables transparent response compression if set to true") dir = flag.String("dir", "/usr/share/nginx/html", "Directory to serve static files from") generateIndexPages = flag.Bool("generateIndexPages", true, "Whether to generate directory index pages") - keyFile = flag.String("keyFile", "./ssl-cert-snakeoil.key", "Path to TLS key file") + keyFile = flag.String("keyFile", "./ssl-cert.key", "Path to TLS key file") vhost = flag.Bool("vhost", false, "Enables virtual hosting by prepending the requested path with the requested hostname") ) diff --git a/examples/multidomain/multidomain.go b/examples/multidomain/multidomain.go index 862f9c90f9..c714ca008a 100644 --- a/examples/multidomain/multidomain.go +++ b/examples/multidomain/multidomain.go @@ -1,14 +1,7 @@ package main import ( - "crypto/rand" - "crypto/rsa" - "crypto/x509" - "crypto/x509/pkix" - "encoding/pem" "fmt" - "math/big" - "time" "github.com/valyala/fasthttp" ) @@ -39,7 +32,7 @@ func main() { } // preparing first host - cert, priv, err := GenerateCert("localhost:8080") + cert, priv, err := fasthttp.GenerateTestCertificate("localhost:8080") if err != nil { panic(err) } @@ -53,7 +46,7 @@ func main() { } // preparing second host - cert, priv, err = GenerateCert("127.0.0.1") + cert, priv, err = fasthttp.GenerateTestCertificate("127.0.0.1") if err != nil { panic(err) } @@ -68,52 +61,3 @@ func main() { fmt.Println(server.ListenAndServeTLS(":8080", "", "")) } - -// GenerateCert generates certificate and private key based on the given host. -func GenerateCert(host string) ([]byte, []byte, error) { - priv, err := rsa.GenerateKey(rand.Reader, 2048) - if err != nil { - return nil, nil, err - } - - serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) - serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) - if err != nil { - return nil, nil, err - } - - cert := &x509.Certificate{ - SerialNumber: serialNumber, - Subject: pkix.Name{ - Organization: []string{"I have your data"}, - }, - NotBefore: time.Now(), - NotAfter: time.Now().Add(365 * 24 * time.Hour), - KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, - SignatureAlgorithm: x509.SHA256WithRSA, - DNSNames: []string{host}, - BasicConstraintsValid: true, - IsCA: true, - } - - certBytes, err := x509.CreateCertificate( - rand.Reader, cert, cert, &priv.PublicKey, priv, - ) - - p := pem.EncodeToMemory( - &pem.Block{ - Type: "PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(priv), - }, - ) - - b := pem.EncodeToMemory( - &pem.Block{ - Type: "CERTIFICATE", - Bytes: certBytes, - }, - ) - - return b, p, err -} diff --git a/server_test.go b/server_test.go index be1763cf80..ecf161a56b 100644 --- a/server_test.go +++ b/server_test.go @@ -898,16 +898,18 @@ func TestServerTLS(t *testing.T) { text := []byte("Make fasthttp great again") ln := fasthttputil.NewInmemoryListener() - certFile := "./ssl-cert-snakeoil.pem" - keyFile := "./ssl-cert-snakeoil.key" - s := &Server{ Handler: func(ctx *RequestCtx) { ctx.Write(text) //nolint:errcheck }, } - err := s.AppendCert(certFile, keyFile) + certData, keyData, err := GenerateTestCertificate("localhost") + if err != nil { + t.Fatal(err) + } + + err = s.AppendCertEmbed(certData, keyData) if err != nil { t.Fatal(err) } @@ -945,9 +947,6 @@ func TestServerTLSReadTimeout(t *testing.T) { ln := fasthttputil.NewInmemoryListener() - certFile := "./ssl-cert-snakeoil.pem" - keyFile := "./ssl-cert-snakeoil.key" - s := &Server{ ReadTimeout: time.Millisecond * 100, Logger: &testLogger{}, // Ignore log output. @@ -955,7 +954,12 @@ func TestServerTLSReadTimeout(t *testing.T) { }, } - err := s.AppendCert(certFile, keyFile) + certData, keyData, err := GenerateTestCertificate("localhost") + if err != nil { + t.Fatal(err) + } + + err = s.AppendCertEmbed(certData, keyData) if err != nil { t.Fatal(err) } @@ -995,16 +999,9 @@ func TestServerServeTLSEmbed(t *testing.T) { ln := fasthttputil.NewInmemoryListener() - certFile := "./ssl-cert-snakeoil.pem" - keyFile := "./ssl-cert-snakeoil.key" - - certData, err := ioutil.ReadFile(certFile) + certData, keyData, err := GenerateTestCertificate("localhost") if err != nil { - t.Fatalf("unexpected error when reading %q: %s", certFile, err) - } - keyData, err := ioutil.ReadFile(keyFile) - if err != nil { - t.Fatalf("unexpected error when reading %q: %s", keyFile, err) + t.Fatal(err) } // start the server diff --git a/ssl-cert-snakeoil.key b/ssl-cert-snakeoil.key deleted file mode 100644 index 00a79a3b57..0000000000 --- a/ssl-cert-snakeoil.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD4IQusAs8PJdnG -3mURt/AXtgC+ceqLOatJ49JJE1VPTkMAy+oE1f1XvkMrYsHqmDf6GWVzgVXryL4U -wq2/nJSm56ddhN55nI8oSN3dtywUB8/ShelEN73nlN77PeD9tl6NksPwWaKrqxq0 -FlabRPZSQCfmgZbhDV8Sa8mfCkFU0G0lit6kLGceCKMvmW+9Bz7ebsYmVdmVMxmf -IJStFD44lWFTdUc65WISKEdW2ELcUefb0zOLw+0PCbXFGJH5x5ktksW8+BBk2Hkg -GeQRL/qPCccthbScO0VgNj3zJ3ZZL0ObSDAbvNDG85joeNjDNq5DT/BAZ0bOSbEF -sh+f9BAzAgMBAAECggEBAJWv2cq7Jw6MVwSRxYca38xuD6TUNBopgBvjREixURW2 -sNUaLuMb9Omp7fuOaE2N5rcJ+xnjPGIxh/oeN5MQctz9gwn3zf6vY+15h97pUb4D -uGvYPRDaT8YVGS+X9NMZ4ZCmqW2lpWzKnCFoGHcy8yZLbcaxBsRdvKzwOYGoPiFb -K2QuhXZ/1UPmqK9i2DFKtj40X6vBszTNboFxOVpXrPu0FJwLVSDf2hSZ4fMM0DH3 -YqwKcYf5te+hxGKgrqRA3tn0NCWii0in6QIwXMC+kMw1ebg/tZKqyDLMNptAK8J+ -DVw9m5X1seUHS5ehU/g2jrQrtK5WYn7MrFK4lBzlRwECgYEA/d1TeANYECDWRRDk -B0aaRZs87Rwl/J9PsvbsKvtU/bX+OfSOUjOa9iQBqn0LmU8GqusEET/QVUfocVwV -Bggf/5qDLxz100Rj0ags/yE/kNr0Bb31kkkKHFMnCT06YasR7qKllwrAlPJvQv9x -IzBKq+T/Dx08Wep9bCRSFhzRCnsCgYEA+jdeZXTDr/Vz+D2B3nAw1frqYFfGnEVY -wqmoK3VXMDkGuxsloO2rN+SyiUo3JNiQNPDub/t7175GH5pmKtZOlftePANsUjBj -wZ1D0rI5Bxu/71ibIUYIRVmXsTEQkh/ozoh3jXCZ9+bLgYiYx7789IUZZSokFQ3D -FICUT9KJ36kCgYAGoq9Y1rWJjmIrYfqj2guUQC+CfxbbGIrrwZqAsRsSmpwvhZ3m -tiSZxG0quKQB+NfSxdvQW5ulbwC7Xc3K35F+i9pb8+TVBdeaFkw+yu6vaZmxQLrX -fQM/pEjD7A7HmMIaO7QaU5SfEAsqdCTP56Y8AftMuNXn/8IRfo2KuGwaWwKBgFpU -ILzJoVdlad9E/Rw7LjYhZfkv1uBVXIyxyKcfrkEXZSmozDXDdxsvcZCEfVHM6Ipk -K/+7LuMcqp4AFEAEq8wTOdq6daFaHLkpt/FZK6M4TlruhtpFOPkoNc3e45eM83OT -6mziKINJC1CQ6m65sQHpBtjxlKMRG8rL/D6wx9s5AoGBAMRlqNPMwglT3hvDmsAt -9Lf9pdmhERUlHhD8bj8mDaBj2Aqv7f6VRJaYZqP403pKKQexuqcn80mtjkSAPFkN -Cj7BVt/RXm5uoxDTnfi26RF9F6yNDEJ7UU9+peBr99aazF/fTgW/1GcMkQnum8uV -c257YgaWmjK9uB0Y2r2VxS0G ------END PRIVATE KEY----- diff --git a/ssl-cert-snakeoil.pem b/ssl-cert-snakeoil.pem deleted file mode 100644 index 93e77cd956..0000000000 --- a/ssl-cert-snakeoil.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICujCCAaKgAwIBAgIJAMbXnKZ/cikUMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV -BAMTCnVidW50dS5uYW4wHhcNMTUwMjA0MDgwMTM5WhcNMjUwMjAxMDgwMTM5WjAV -MRMwEQYDVQQDEwp1YnVudHUubmFuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA+CELrALPDyXZxt5lEbfwF7YAvnHqizmrSePSSRNVT05DAMvqBNX9V75D -K2LB6pg3+hllc4FV68i+FMKtv5yUpuenXYTeeZyPKEjd3bcsFAfP0oXpRDe955Te -+z3g/bZejZLD8Fmiq6satBZWm0T2UkAn5oGW4Q1fEmvJnwpBVNBtJYrepCxnHgij -L5lvvQc+3m7GJlXZlTMZnyCUrRQ+OJVhU3VHOuViEihHVthC3FHn29Mzi8PtDwm1 -xRiR+ceZLZLFvPgQZNh5IBnkES/6jwnHLYW0nDtFYDY98yd2WS9Dm0gwG7zQxvOY -6HjYwzauQ0/wQGdGzkmxBbIfn/QQMwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqG -SIb3DQEBCwUAA4IBAQBQjKm/4KN/iTgXbLTL3i7zaxYXFLXsnT1tF+ay4VA8aj98 -L3JwRTciZ3A5iy/W4VSCt3eASwOaPWHKqDBB5RTtL73LoAqsWmO3APOGQAbixcQ2 -45GXi05OKeyiYRi1Nvq7Unv9jUkRDHUYVPZVSAjCpsXzPhFkmZoTRxmx5l0ZF7Li -K91lI5h+eFq0dwZwrmlPambyh1vQUi70VHv8DNToVU29kel7YLbxGbuqETfhrcy6 -X+Mha6RYITkAn5FqsZcKMsc9eYGEF4l3XV+oS7q6xfTxktYJMFTI18J0lQ2Lv/CI -whdMnYGntDQBE/iFCrJEGNsKGc38796GBOb5j+zd ------END CERTIFICATE----- diff --git a/tls.go b/tls.go new file mode 100644 index 0000000000..08b03cec7c --- /dev/null +++ b/tls.go @@ -0,0 +1,60 @@ +package fasthttp + +import ( + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "math/big" + "time" +) + +// GenerateTestCertificate generates a test certificate and private key based on the given host. +func GenerateTestCertificate(host string) ([]byte, []byte, error) { + priv, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return nil, nil, err + } + + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) + if err != nil { + return nil, nil, err + } + + cert := &x509.Certificate{ + SerialNumber: serialNumber, + Subject: pkix.Name{ + Organization: []string{"fasthttp test"}, + }, + NotBefore: time.Now(), + NotAfter: time.Now().Add(365 * 24 * time.Hour), + KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, + SignatureAlgorithm: x509.SHA256WithRSA, + DNSNames: []string{host}, + BasicConstraintsValid: true, + IsCA: true, + } + + certBytes, err := x509.CreateCertificate( + rand.Reader, cert, cert, &priv.PublicKey, priv, + ) + + p := pem.EncodeToMemory( + &pem.Block{ + Type: "PRIVATE KEY", + Bytes: x509.MarshalPKCS1PrivateKey(priv), + }, + ) + + b := pem.EncodeToMemory( + &pem.Block{ + Type: "CERTIFICATE", + Bytes: certBytes, + }, + ) + + return b, p, err +}