implemented CaSigner with cache

Author: orkunkaraduman

ca.go

@@ -10,6 +10,7 @@ import (
 	mrand "math/rand"
 	"net"
 	"sort"
+	"sync"
 	"time"
 )
 
@@ -100,6 +101,74 @@ s39uFDUnxsMb2Nl3JcNJHYBTm9ubjAZSo/3NuB0z/Gm+ssOcExTD//vW7BxxSAcs
 /xlPPTPbY5qoMAT7kK71kd4Ypnqbcs3UPpAHtcPkjWpuWOlebK0J7UYToj4f
 -----END RSA PRIVATE KEY-----`)
 
+type CaSigner struct {
+	Ca        *tls.Certificate
+	mu        sync.RWMutex
+	certMap   map[string]*tls.Certificate
+	certList  []string
+	certIndex int
+	certMax   int
+}
+
+func NewCaSigner() *CaSigner {
+	return NewCaSignerCache(0)
+}
+
+func NewCaSignerCache(max int) *CaSigner {
+	if max < 0 {
+		max = 0
+	}
+	return &CaSigner{
+		certMap:   make(map[string]*tls.Certificate),
+		certList:  make([]string, max),
+		certIndex: 0,
+		certMax:   max,
+	}
+}
+
+func (c *CaSigner) SignHost(host string) (cert *tls.Certificate) {
+	if host == "" {
+		return
+	}
+	if c.certMax <= 0 {
+		crt, err := signHosts(*c.Ca, []string{host})
+		if err != nil {
+			return nil
+		}
+		cert = &crt
+		return
+	}
+	func() {
+		c.mu.RLock()
+		defer c.mu.RUnlock()
+		cert = c.certMap[host]
+	}()
+	if cert != nil {
+		return
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	cert = c.certMap[host]
+	if cert != nil {
+		return
+	}
+	crt, err := signHosts(*c.Ca, []string{host})
+	if err != nil {
+		return nil
+	}
+	cert = &crt
+	if len(c.certMap) >= c.certMax {
+		delete(c.certMap, c.certList[c.certIndex])
+	}
+	c.certMap[host] = cert
+	c.certList[c.certIndex] = host
+	c.certIndex++
+	if c.certIndex >= c.certMax {
+		c.certIndex = 0
+	}
+	return
+}
+
 func signHosts(ca tls.Certificate, hosts []string) (cert tls.Certificate, error error) {
 	var x509ca *x509.Certificate
 	if x509ca, error = x509.ParseCertificate(ca.Certificate[0]); error != nil {

doing.go

@@ -153,13 +153,13 @@ func doConnect(ctx *Context, w http.ResponseWriter, r *http.Request) (w2 http.Re
 		remoteConn.Close()
 	case ConnectMitm:
 		tlsConfig := &tls.Config{}
-		cert, err := signHosts(ctx.Prx.Ca, []string{stripPort(host)})
-		if err != nil {
+		cert := ctx.Prx.signer.SignHost(stripPort(host))
+		if cert == nil {
 			hijConn.Close()
 			doError(ctx, "Connect", ErrTLSSignHost, err)
 			return
 		}
-		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
+		tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
 		if _, err := hijConn.Write([]byte("HTTP/1.1 200 OK\r\n\r\n")); err != nil {
 			hijConn.Close()
 			if !isConnectionClosed(err) {

httpproxy.go

@@ -78,6 +78,8 @@ type Proxy struct {
 	MitmChunked bool
 
 	AuthType string
+
+	signer *CaSigner
 }
 
 // NewProxy returns a new Proxy has default CA certificate and key.
@@ -89,8 +91,11 @@ func NewProxy() (*Proxy, error) {
 func NewProxyCert(caCert, caKey []byte) (result *Proxy, error error) {
 	result = &Proxy{
 		Rt: &http.Transport{TLSClientConfig: &tls.Config{},
-			Proxy: http.ProxyFromEnvironment}, MitmChunked: true,
+			Proxy: http.ProxyFromEnvironment},
+		MitmChunked: true,
+		signer:      NewCaSignerCache(1024),
 	}
+	result.signer.Ca = &result.Ca
 	if caCert == nil {
 		caCert = DefaultCaCert
 	}