idk/reseed-tools
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases Wiki Activity

TLS certificate: rsa4096 --> ECDSAWithSHA512 384bit secp384r1

Browse Source 
elliptic curves in ECDHE handshake: only CurveP384 + CurveP521, default CurveP256 removed
RebuildInterval: 24h --> 72h
certificate valid: 2y --> 5y
throttled.PerDay(4) --> PerHour(4), to enable limited testing
This commit is contained in:
martin61
2016-01-29 19:36:41 +01:00
parent 350dfa9587
commit e66b97b460
6 changed files with 39 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
reseed/utils.go
View File

@@ -2,7 +2,8 @@ package reseed
import (
"crypto/rand"
"crypto/rsa"
// "crypto/rsa"
"crypto/ecdsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
@@ -33,9 +34,10 @@ func SignerFilename(signer string) string {
return strings.Replace(signer, "@", "_at_", 1) + ".crt"
}
func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
//func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
func NewTLSCertificate(host string, priv *ecdsa.PrivateKey) ([]byte, error) {
notBefore := time.Now()
notAfter := notBefore.Add(2 * 365 * 24 * time.Hour)
notAfter := notBefore.Add(5 * 365 * 24 * time.Hour)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
@@ -55,7 +57,8 @@ func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
},
NotBefore: notBefore,
NotAfter: notAfter,
SignatureAlgorithm: x509.SHA256WithRSA,
// SignatureAlgorithm: x509.SHA256WithRSA,
SignatureAlgorithm: x509.ECDSAWithSHA512,
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},