automatically create TLS certs if they don't exist

kost · kost · commit 26027ab81aaf · 2023-05-11T20:37:41.000+02:00
diff --git a/rserver.go b/rserver.go
@@ -10,6 +10,7 @@ import (
 
 	"bufio"
 	"github.com/hashicorp/yamux"
+	"github.com/kost/tty2web/tlshelp"
 	"strconv"
 	"strings"
 	"time"
@@ -29,7 +30,7 @@ func listenForAgents(verbose bool, tlslisten bool, address string, clients strin
 	if tlslisten {
 		log.Printf("Listening for agents on %s using TLS", address)
 		if certificate == "" {
-			cer, err = getRandomTLS(2048)
+			cer, err = tlshelp.GetRandomTLS(2048)
 			log.Println("No TLS certificate. Generated random one.")
 		} else {
 			cer, err = tls.LoadX509KeyPair(certificate+".crt", certificate+".key")
diff --git a/server/server.go b/server/server.go
@@ -23,6 +23,7 @@ import (
 	"github.com/kost/tty2web/pkg/homedir"
 	"github.com/kost/tty2web/pkg/randomstring"
 	"github.com/kost/tty2web/webtty"
+	"github.com/kost/tty2web/tlshelp"
 	"github.com/kost/httpexecute"
 	"github.com/kost/regeorgo"
 )
@@ -126,6 +127,23 @@ func (server *Server) Run(ctx context.Context, options ...RunOption) error {
 
 	srvErr := make(chan error, 1)
 
+	if server.options.EnableTLS {
+		crtFile := homedir.Expand(server.options.TLSCrtFile)
+		keyFile := homedir.Expand(server.options.TLSKeyFile)
+		log.Printf("TLS crt file: " + crtFile)
+		log.Printf("TLS key file: " + keyFile)
+		cer, err := tls.LoadX509KeyPair(crtFile,keyFile)
+		if err != nil {
+			log.Printf("Error loading TLS key and crt file %s and %s: %v. Generating random one!", crtFile, keyFile, err)
+
+			cer, err = tlshelp.GetRandomTLS(2048)
+			if err != nil {
+				return errors.Wrapf(err, "error generating and failed to load tls cert and key `%s` and `%s`", crtFile, keyFile)
+			}
+		}
+		config := &tls.Config{Certificates: []tls.Certificate{cer}}
+		srv.TLSConfig=config
+	}
 	if server.options.Dns != "" {
 		go func() {
 			session, err = DnsConnectSocks(server.options.Dns, server.options.DnsKey, server.options.DnsDelay)
@@ -134,7 +152,11 @@ func (server *Server) Run(ctx context.Context, options ...RunOption) error {
 				srvErr <- err
 				return
 			}
-			err = srv.Serve(session)
+			if server.options.EnableTLS {
+				err = srv.ServeTLS(session, "", "")
+			} else {
+				err = srv.Serve(session)
+			}
 			if err != nil {
 				srvErr <- err
 			}
@@ -160,12 +182,7 @@ func (server *Server) Run(ctx context.Context, options ...RunOption) error {
 			}
 			go func() {
 				if server.options.EnableTLS {
-					crtFile := homedir.Expand(server.options.TLSCrtFile)
-					keyFile := homedir.Expand(server.options.TLSKeyFile)
-					log.Printf("TLS crt file: " + crtFile)
-					log.Printf("TLS key file: " + keyFile)
-
-					err = srv.ServeTLS(listener, crtFile, keyFile)
+					err = srv.ServeTLS(listener, "", "")
 				} else {
 					err = srv.Serve(listener)
 				}
@@ -181,7 +198,11 @@ func (server *Server) Run(ctx context.Context, options ...RunOption) error {
 					srvErr <- err
 					return
 				}
-				err = srv.Serve(session)
+				if server.options.EnableTLS {
+					err = srv.ServeTLS(session, "", "")
+				} else {
+					err = srv.Serve(session)
+				}
 				if err != nil {
 					srvErr <- err
 				}
diff --git a/tlshelp/tlshelp.go b/tlshelp/tlshelp.go
@@ -1,4 +1,4 @@
-package main
+package tlshelp
 
 import (
 	"crypto/rand"
@@ -49,7 +49,7 @@ func RandBigInt(max *big.Int) *big.Int {
 	return r
 }
 
-func genPair(keysize int) (cacert []byte, cakey []byte, cert []byte, certkey []byte) {
+func GenPair(keysize int) (cacert []byte, cakey []byte, cert []byte, certkey []byte) {
 
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 
@@ -105,7 +105,7 @@ func genPair(keysize int) (cacert []byte, cakey []byte, cert []byte, certkey []b
 
 }
 
-func verifyCert(cacert []byte, cert []byte) bool {
+func VerifyCert(cacert []byte, cert []byte) bool {
 	caBin, _ := x509.ParseCertificate(cacert)
 	cert2Bin, _ := x509.ParseCertificate(cert)
 	err3 := cert2Bin.CheckSignatureFrom(caBin)
@@ -115,7 +115,7 @@ func verifyCert(cacert []byte, cert []byte) bool {
 	return true
 }
 
-func getPEMs(cert []byte, key []byte) (pemcert []byte, pemkey []byte) {
+func GetPEMs(cert []byte, key []byte) (pemcert []byte, pemkey []byte) {
 	certPem := pem.EncodeToMemory(&pem.Block{
 		Type:  "CERTIFICATE",
 		Bytes: cert,
@@ -129,17 +129,17 @@ func getPEMs(cert []byte, key []byte) (pemcert []byte, pemkey []byte) {
 	return certPem, keyPem
 }
 
-func getTLSPair(certPem []byte, keyPem []byte) (tls.Certificate, error) {
+func GetTLSPair(certPem []byte, keyPem []byte) (tls.Certificate, error) {
 	tlspair, errt := tls.X509KeyPair(certPem, keyPem)
 	if errt != nil {
 		return tlspair, errt
 	}
 	return tlspair, nil
 }
 
-func getRandomTLS(keysize int) (tls.Certificate, error) {
-	_, _, cert, certkey := genPair(keysize)
-	certPem, keyPem := getPEMs(cert, certkey)
-	tlspair, err := getTLSPair(certPem, keyPem)
+func GetRandomTLS(keysize int) (tls.Certificate, error) {
+	_, _, cert, certkey := GenPair(keysize)
+	certPem, keyPem := GetPEMs(cert, certkey)
+	tlspair, err := GetTLSPair(certPem, keyPem)
 	return tlspair, err
 }
