TLS certificate: rsa4096 --> ECDSAWithSHA512 384bit secp384r1

elliptic curves in ECDHE handshake: only CurveP384 + CurveP521, default CurveP256 removed
RebuildInterval: 24h --> 72h
certificate valid: 2y --> 5y
throttled.PerDay(4) --> PerHour(4), to enable limited testing
martin61
2016-01-29 19:36:41 +01:00
parent 350dfa9587
commit e66b97b460
6 changed files with 39 additions and 19 deletions


@@ -5,24 +5,28 @@ This tool provides a secure and efficient reseed server for the I2P network. The
## Installation ## Installation
If you have Go installed you can download, build, and install this tool with `go get` If you have go installed you can download, build, and install this tool with `go get`
``` ```
$ export GOPATH=$HOME/go
$ cd $GOPATH
$ go get github.com/martin61/i2p-tools $ go get github.com/martin61/i2p-tools
... $ bin/i2p-tools -h
$ i2p-tools -h
...
``` ```
Otherwise, a binary for your OS can be downloaded from http://matt.i2p/
## Usage ## Usage
If this is your first time running a reseed server (ie. you don't have any existing keys). You can simply run the following command and follow the prompts to create the appropriate keys and certificates. ### Locally behind a webserver (reverse proxy setup), preferred:
``` ```
$ i2p-tools reseed --signer=you@mail.i2p --tlsHost=your-domain.tld --netdb=/var/lib/i2p/i2p-config/netDb $ GOPATH=$HOME/go; cd $GOPATH; bin/i2p-tools reseed --signer=you@mail.i2p --key=you_at_mail.i2p.pem --netdb=/home/i2p/.i2p/netDb --port=8443 --ip=127.0.0.1 --trustProxy
...
``` ```
This will start an HTTPS reseed server on the default port and generate 4 files in your current directory (a TLS key and certificate, and a signing key and certificate). Both of the certificates (*.crt) will need to be sent to the I2P developers in order for your reseed server to be included in the standard I2P package. ### Without webserver, standalone with tls support
```
$ GOPATH=$HOME/go; cd $GOPATH; bin/i2p-tools reseed --signer=you@mail.i2p --key=you_at_mail.i2p.pem --netdb=/home/i2p/.i2p/netDb --tlsHost=your-domain.tld
```
If this is your first time running a reseed server (ie. you don't have any existing keys), you can simply run the command and follow the prompts to create the appropriate keys and certificates.
Afterwards an HTTPS reseed server will start on the default port and generate 4 files in your current directory (a TLS key and certificate, and a signing key and certificate).


@@ -5,6 +5,9 @@ import (
"crypto/rand" "crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
"crypto/elliptic"
"crypto/ecdsa"
"encoding/asn1"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
@@ -122,7 +125,8 @@ func createSigningCertificate(signerId string) error {
func createTLSCertificate(host string) error { func createTLSCertificate(host string) error {
fmt.Println("Generating TLS keys. This may take a minute...") fmt.Println("Generating TLS keys. This may take a minute...")
priv, err := rsa.GenerateKey(rand.Reader, 4096) // priv, err := rsa.GenerateKey(rand.Reader, 4096)
priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
if err != nil { if err != nil {
return err return err
} }
@@ -147,7 +151,13 @@ func createTLSCertificate(host string) error {
if err != nil { if err != nil {
return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err) return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err)
} }
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}) // pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
secp384r1, err := asn1.Marshal(asn1.ObjectIdentifier{1, 3, 132, 0, 34}) // http://www.ietf.org/rfc/rfc5480.txt
pem.Encode(keyOut, &pem.Block{Type: "EC PARAMETERS", Bytes: secp384r1})
ecder, err := x509.MarshalECPrivateKey(priv)
pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: ecder})
pem.Encode(keyOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
keyOut.Close() keyOut.Close()
fmt.Printf("TLS private key saved to: %s\n", privFile) fmt.Printf("TLS private key saved to: %s\n", privFile)
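Review bot: The new key-writing lines in createTLSCertificate assign `err` from `asn1.Marshal` and `x509.MarshalECPrivateKey` but never check it, and every `pem.Encode` result is discarded, so a failed marshal or write can leave an empty or partial key file while the function still prints that the key was saved. Check after each call, for example `if err != nil { return fmt.Errorf("failed to marshal EC private key: %s", err) }`, and return the first `pem.Encode` error as well. The added `CERTIFICATE` block also places the certificate inside the private-key file; if that bundling is intended it deserves a one-line comment saying so. The call that opens the file is outside this hunk, so confirm it creates the file with owner-only permissions. The commented-out RSA lines can be deleted, since version control already keeps them.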


@@ -17,7 +17,7 @@ func main() {
app.Version = "0.1.1" app.Version = "0.1.1"
app.Usage = "I2P tools and reseed server" app.Usage = "I2P tools and reseed server"
app.Author = "martin61" app.Author = "martin61"
app.Email = "-" app.Email = "na"
app.Flags = []cli.Flag{} app.Flags = []cli.Flag{}
app.Commands = []cli.Command{ app.Commands = []cli.Command{
cmd.NewReseedCommand(), cmd.NewReseedCommand(),


@@ -82,11 +82,13 @@ func NewServer(prefix string, trustProxy bool) *Server {
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
}, },
CurvePreferences: []tls.CurveID{tls.CurveP384, tls.CurveP521}, // default CurveP256 removed
} }
h := &http.Server{TLSConfig: config} h := &http.Server{TLSConfig: config}
server := Server{Server: h, Reseeder: nil} server := Server{Server: h, Reseeder: nil}
th := throttled.RateLimit(throttled.PerDay(4), &throttled.VaryBy{RemoteAddr: true}, store.NewMemStore(200000)) // th := throttled.RateLimit(throttled.PerDay(4), &throttled.VaryBy{RemoteAddr: true}, store.NewMemStore(200000))
th := throttled.RateLimit(throttled.PerHour(4), &throttled.VaryBy{RemoteAddr: true}, store.NewMemStore(200000))
middlewareChain := alice.New() middlewareChain := alice.New()
if trustProxy { if trustProxy {
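Review bot: The throttle in NewServer is relaxed from `throttled.PerDay(4)` to `throttled.PerHour(4)`, which the commit message describes as being for testing, yet it ships as the hard-coded production value and allows each remote address 24 times as many requests per day. Keep `PerDay(4)` as the default and take the rate from a parameter or flag for test runs, rather than leaving the old call behind as a comment. The limiter varies by `RemoteAddr`, so in the reverse-proxy setup it presumably separates clients only if the `trustProxy` branch rewrites the address before `th` runs; that branch continues outside this hunk, so the ordering should be confirmed. Dropping P-256 from `CurvePreferences` will fail handshakes with any client that offers only that curve, so the comment on that line should state which client versions were checked.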


@@ -54,7 +54,8 @@ func NewReseeder(netdb NetDbProvider) *ReseederImpl {
netdb: netdb, netdb: netdb,
su3s: make(chan [][]byte), su3s: make(chan [][]byte),
NumRi: 75, NumRi: 75,
RebuildInterval: 24 * time.Hour, // RebuildInterval: 24 * time.Hour,
RebuildInterval: 72 * time.Hour,
} }
} }


@@ -2,7 +2,8 @@ package reseed
import ( import (
"crypto/rand" "crypto/rand"
"crypto/rsa" // "crypto/rsa"
"crypto/ecdsa"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
@@ -33,9 +34,10 @@ func SignerFilename(signer string) string {
return strings.Replace(signer, "@", "_at_", 1) + ".crt" return strings.Replace(signer, "@", "_at_", 1) + ".crt"
} }
func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) { //func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
func NewTLSCertificate(host string, priv *ecdsa.PrivateKey) ([]byte, error) {
notBefore := time.Now() notBefore := time.Now()
notAfter := notBefore.Add(2 * 365 * 24 * time.Hour) notAfter := notBefore.Add(5 * 365 * 24 * time.Hour)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
@@ -55,7 +57,8 @@ func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
}, },
NotBefore: notBefore, NotBefore: notBefore,
NotAfter: notAfter, NotAfter: notAfter,
SignatureAlgorithm: x509.SHA256WithRSA, // SignatureAlgorithm: x509.SHA256WithRSA,
SignatureAlgorithm: x509.ECDSAWithSHA512,
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
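Review bot: `SignatureAlgorithm: x509.ECDSAWithSHA512` is paired with the P-384 key generated elsewhere in this commit, so the 512-bit digest is truncated to the curve size and adds no strength; `x509.ECDSAWithSHA384` is the conventional match for secp384r1 and the less likely to cause interoperability problems. The unchanged `KeyUsage` line still sets `x509.KeyUsageKeyEncipherment`, which describes RSA key transport and is not among the usages RFC 5480 lists for EC public keys; now that the key type has changed it should be dropped, leaving `x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature`. Raising the lifetime to `5 * 365 * 24 * time.Hour` lengthens the time a leaked key stays usable, and nothing visible here provides a way to revoke a self-signed certificate, so the reason for five years belongs in a comment. The template literal and the rest of NewTLSCertificate continue outside this hunk.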