mirrors/Xray-core
1
0
Fork 0
mirror of https://github.com/XTLS/Xray-core.git synced 2025-04-30 01:08:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

v1.0.0

Browse source
This commit is contained in:
RPRX 2020-11-25 19:01:53 +08:00
parent 47d23e9972
commit c7f7c08ead
711 changed files with 82154 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
common/protocol/tls/cert/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
*.pem

178
common/protocol/tls/cert/cert.go Normal file
View file

@ -0,0 +1,178 @@
package cert
import (
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/asn1"
"encoding/pem"
"math/big"
"time"
"github.com/xtls/xray-core/v1/common"
)
//go:generate go run github.com/xtls/xray-core/v1/common/errors/errorgen
type Certificate struct {
// Cerificate in ASN.1 DER format
Certificate []byte
// Private key in ASN.1 DER format
PrivateKey []byte
}
func ParseCertificate(certPEM []byte, keyPEM []byte) (*Certificate, error) {
certBlock, _ := pem.Decode(certPEM)
if certBlock == nil {
return nil, newError("failed to decode certificate")
}
keyBlock, _ := pem.Decode(keyPEM)
if keyBlock == nil {
return nil, newError("failed to decode key")
}
return &Certificate{
Certificate: certBlock.Bytes,
PrivateKey: keyBlock.Bytes,
}, nil
}
func (c *Certificate) ToPEM() ([]byte, []byte) {
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Certificate}),
pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: c.PrivateKey})
}
type Option func(*x509.Certificate)
func Authority(isCA bool) Option {
return func(cert *x509.Certificate) {
cert.IsCA = isCA
}
}
func NotBefore(t time.Time) Option {
return func(c *x509.Certificate) {
c.NotBefore = t
}
}
func NotAfter(t time.Time) Option {
return func(c *x509.Certificate) {
c.NotAfter = t
}
}
func DNSNames(names ...string) Option {
return func(c *x509.Certificate) {
c.DNSNames = names
}
}
func CommonName(name string) Option {
return func(c *x509.Certificate) {
c.Subject.CommonName = name
}
}
func KeyUsage(usage x509.KeyUsage) Option {
return func(c *x509.Certificate) {
c.KeyUsage = usage
}
}
func Organization(org string) Option {
return func(c *x509.Certificate) {
c.Subject.Organization = []string{org}
}
}
func MustGenerate(parent *Certificate, opts ...Option) *Certificate {
cert, err := Generate(parent, opts...)
common.Must(err)
return cert
}
func publicKey(priv interface{}) interface{} {
switch k := priv.(type) {
case *rsa.PrivateKey:
return &k.PublicKey
case *ecdsa.PrivateKey:
return &k.PublicKey
case ed25519.PrivateKey:
return k.Public().(ed25519.PublicKey)
default:
return nil
}
}
func Generate(parent *Certificate, opts ...Option) (*Certificate, error) {
var (
pKey interface{}
parentKey interface{}
err error
)
// higher signing performance than RSA2048
selfKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, newError("failed to generate self private key").Base(err)
}
parentKey = selfKey
if parent != nil {
if _, e := asn1.Unmarshal(parent.PrivateKey, &ecPrivateKey{}); e == nil {
pKey, err = x509.ParseECPrivateKey(parent.PrivateKey)
} else if _, e := asn1.Unmarshal(parent.PrivateKey, &pkcs8{}); e == nil {
pKey, err = x509.ParsePKCS8PrivateKey(parent.PrivateKey)
} else if _, e := asn1.Unmarshal(parent.PrivateKey, &pkcs1PrivateKey{}); e == nil {
pKey, err = x509.ParsePKCS1PrivateKey(parent.PrivateKey)
}
if err != nil {
return nil, newError("failed to parse parent private key").Base(err)
}
parentKey = pKey
}
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return nil, newError("failed to generate serial number").Base(err)
}
template := &x509.Certificate{
SerialNumber: serialNumber,
NotBefore: time.Now().Add(time.Hour * -1),
NotAfter: time.Now().Add(time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
for _, opt := range opts {
opt(template)
}
parentCert := template
if parent != nil {
pCert, err := x509.ParseCertificate(parent.Certificate)
if err != nil {
return nil, newError("failed to parse parent certificate").Base(err)
}
parentCert = pCert
}
derBytes, err := x509.CreateCertificate(rand.Reader, template, parentCert, publicKey(selfKey), parentKey)
if err != nil {
return nil, newError("failed to create certificate").Base(err)
}
privateKey, err := x509.MarshalPKCS8PrivateKey(selfKey)
if err != nil {
return nil, newError("Unable to marshal private key").Base(err)
}
return &Certificate{
Certificate: derBytes,
PrivateKey: privateKey,
}, nil
}

92
common/protocol/tls/cert/cert_test.go Normal file
View file

@ -0,0 +1,92 @@
package cert
import (
"context"
"crypto/x509"
"encoding/json"
"os"
"strings"
"testing"
"time"
"github.com/xtls/xray-core/v1/common"
"github.com/xtls/xray-core/v1/common/task"
)
func TestGenerate(t *testing.T) {
err := generate(nil, true, true, "ca")
if err != nil {
t.Fatal(err)
}
}
func generate(domainNames []string, isCA bool, jsonOutput bool, fileOutput string) error {
commonName := "Xray Root CA"
organization := "Xray Inc"
expire := time.Hour * 3
var opts []Option
if isCA {
opts = append(opts, Authority(isCA))
opts = append(opts, KeyUsage(x509.KeyUsageCertSign|x509.KeyUsageKeyEncipherment|x509.KeyUsageDigitalSignature))
}
opts = append(opts, NotAfter(time.Now().Add(expire)))
opts = append(opts, CommonName(commonName))
if len(domainNames) > 0 {
opts = append(opts, DNSNames(domainNames...))
}
opts = append(opts, Organization(organization))
cert, err := Generate(nil, opts...)
if err != nil {
return newError("failed to generate TLS certificate").Base(err)
}
if jsonOutput {
printJSON(cert)
}
if len(fileOutput) > 0 {
if err := printFile(cert, fileOutput); err != nil {
return err
}
}
return nil
}
type jsonCert struct {
Certificate []string `json:"certificate"`
Key []string `json:"key"`
}
func printJSON(certificate *Certificate) {
certPEM, keyPEM := certificate.ToPEM()
jCert := &jsonCert{
Certificate: strings.Split(strings.TrimSpace(string(certPEM)), "\n"),
Key: strings.Split(strings.TrimSpace(string(keyPEM)), "\n"),
}
content, err := json.MarshalIndent(jCert, "", " ")
common.Must(err)
os.Stdout.Write(content)
os.Stdout.WriteString("\n")
}
func printFile(certificate *Certificate, name string) error {
certPEM, keyPEM := certificate.ToPEM()
return task.Run(context.Background(), func() error {
return writeFile(certPEM, name+"_cert.pem")
}, func() error {
return writeFile(keyPEM, name+"_key.pem")
})
}
func writeFile(content []byte, name string) error {
f, err := os.Create(name)
if err != nil {
return err
}
defer f.Close()
return common.Error2(f.Write(content))
}

9
common/protocol/tls/cert/errors.generated.go Normal file
View file

@ -0,0 +1,9 @@
package cert
import "github.com/xtls/xray-core/v1/common/errors"
type errPathObjHolder struct{}
func newError(values ...interface{}) *errors.Error {
return errors.New(values...).WithPathObj(errPathObjHolder{})
}

44
common/protocol/tls/cert/privateKey.go Normal file
View file

@ -0,0 +1,44 @@
package cert
import (
"crypto/x509/pkix"
"encoding/asn1"
"math/big"
)
type ecPrivateKey struct {
Version int
PrivateKey []byte
NamedCurveOID asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"`
PublicKey asn1.BitString `asn1:"optional,explicit,tag:1"`
}
type pkcs8 struct {
Version int
Algo pkix.AlgorithmIdentifier
PrivateKey []byte
// optional attributes omitted.
}
type pkcs1AdditionalRSAPrime struct {
Prime *big.Int
// We ignore these values because rsa will calculate them.
Exp *big.Int
Coeff *big.Int
}
type pkcs1PrivateKey struct {
Version int
N *big.Int
E int
D *big.Int
P *big.Int
Q *big.Int
// We ignore these values, if present, because rsa will calculate them.
Dp *big.Int `asn1:"optional"`
Dq *big.Int `asn1:"optional"`
Qinv *big.Int `asn1:"optional"`
AdditionalPrimes []pkcs1AdditionalRSAPrime `asn1:"optional,omitempty"`
}