TLS certificate: rsa4096 --> ECDSAWithSHA512 384bit secp384r1

elliptic curves in ECDHE handshake: only CurveP384 + CurveP521, default CurveP256 removed RebuildInterval: 24h --> 72h certificate valid: 2y --> 5y throttled.PerDay(4) --> PerHour(4), to enable limited testing
2016-01-29 19:36:41 +01:00
parent 350dfa9587
commit e66b97b460
6 changed files with 39 additions and 19 deletions
--- a/README.md
+++ b/README.md
@@ -5,24 +5,28 @@ This tool provides a secure and efficient reseed server for the I2P network. The

 ## Installation

-If you have Go installed you can download, build, and install this tool with `go get`
+If you have go installed you can download, build, and install this tool with `go get`

 ```
+$ export GOPATH=$HOME/go
+$ cd $GOPATH
 $ go get github.com/martin61/i2p-tools
-...
-$ i2p-tools -h
-...
+$ bin/i2p-tools -h
 ```

-Otherwise, a binary for your OS can be downloaded from http://matt.i2p/
-
 ## Usage

-If this is your first time running a reseed server (ie. you don't have any existing keys). You can simply run the following command and follow the prompts to create the appropriate keys and certificates.
+### Locally behind a webserver (reverse proxy setup), preferred:

 ```
-$ i2p-tools reseed --signer=you@mail.i2p --tlsHost=your-domain.tld --netdb=/var/lib/i2p/i2p-config/netDb
-...
+$ GOPATH=$HOME/go; cd $GOPATH; bin/i2p-tools reseed --signer=you@mail.i2p --key=you_at_mail.i2p.pem --netdb=/home/i2p/.i2p/netDb --port=8443 --ip=127.0.0.1 --trustProxy
 ```

-This will start an HTTPS reseed server on the default port and generate 4 files in your current directory (a TLS key and certificate, and a signing key and certificate). Both of the certificates (*.crt) will need to be sent to the I2P developers in order for your reseed server to be included in the standard I2P package.
+### Without webserver, standalone with tls support
+
+```
+$ GOPATH=$HOME/go; cd $GOPATH; bin/i2p-tools reseed --signer=you@mail.i2p --key=you_at_mail.i2p.pem --netdb=/home/i2p/.i2p/netDb --tlsHost=your-domain.tld
+```
+
+If this is your first time running a reseed server (ie. you don't have any existing keys), you can simply run the command and follow the prompts to create the appropriate keys and certificates.
+Afterwards an HTTPS reseed server will start on the default port and generate 4 files in your current directory (a TLS key and certificate, and a signing key and certificate).
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -5,6 +5,9 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
+	"crypto/elliptic"
+	"crypto/ecdsa"
+	"encoding/asn1"
 	"encoding/pem"
 	"fmt"
 	"io/ioutil"
@@ -122,7 +125,8 @@ func createSigningCertificate(signerId string) error {

 func createTLSCertificate(host string) error {
 	fmt.Println("Generating TLS keys. This may take a minute...")
-	priv, err := rsa.GenerateKey(rand.Reader, 4096)
+//	priv, err := rsa.GenerateKey(rand.Reader, 4096)
+	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
 	if err != nil {
 		return err
 	}
@@ -147,7 +151,13 @@ func createTLSCertificate(host string) error {
 	if err != nil {
 		return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err)
 	}
-	pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
+//	pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
+	secp384r1, err := asn1.Marshal(asn1.ObjectIdentifier{1, 3, 132, 0, 34})		// http://www.ietf.org/rfc/rfc5480.txt
+	pem.Encode(keyOut, &pem.Block{Type: "EC PARAMETERS", Bytes: secp384r1})
+	ecder, err := x509.MarshalECPrivateKey(priv)
+	pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: ecder})
+	pem.Encode(keyOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
+
 	keyOut.Close()
 	fmt.Printf("TLS private key saved to: %s\n", privFile)

--- a/main.go
+++ b/main.go
@@ -17,7 +17,7 @@ func main() {
 	app.Version = "0.1.1"
 	app.Usage = "I2P tools and reseed server"
 	app.Author = "martin61"
-	app.Email = "-"
+	app.Email = "na"
 	app.Flags = []cli.Flag{}
 	app.Commands = []cli.Command{
 		cmd.NewReseedCommand(),
--- a/reseed/server.go
+++ b/reseed/server.go
@@ -82,11 +82,13 @@ func NewServer(prefix string, trustProxy bool) *Server {
 			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 		},
+		CurvePreferences: []tls.CurveID{tls.CurveP384, tls.CurveP521},		// default CurveP256 removed
 	}
 	h := &http.Server{TLSConfig: config}
 	server := Server{Server: h, Reseeder: nil}

-	th := throttled.RateLimit(throttled.PerDay(4), &throttled.VaryBy{RemoteAddr: true}, store.NewMemStore(200000))
+//	th := throttled.RateLimit(throttled.PerDay(4), &throttled.VaryBy{RemoteAddr: true}, store.NewMemStore(200000))
+	th := throttled.RateLimit(throttled.PerHour(4), &throttled.VaryBy{RemoteAddr: true}, store.NewMemStore(200000))

 	middlewareChain := alice.New()
 	if trustProxy {
--- a/reseed/service.go
+++ b/reseed/service.go
@@ -54,7 +54,8 @@ func NewReseeder(netdb NetDbProvider) *ReseederImpl {
 		netdb:           netdb,
 		su3s:            make(chan [][]byte),
 		NumRi:           75,
-		RebuildInterval: 24 * time.Hour,
+//		RebuildInterval: 24 * time.Hour,
+		RebuildInterval: 72 * time.Hour,
 	}
 }

--- a/reseed/utils.go
+++ b/reseed/utils.go
@@ -2,7 +2,8 @@ package reseed

 import (
 	"crypto/rand"
-	"crypto/rsa"
+//	"crypto/rsa"
+	"crypto/ecdsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -33,9 +34,10 @@ func SignerFilename(signer string) string {
 	return strings.Replace(signer, "@", "_at_", 1) + ".crt"
 }

-func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
+//func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
+func NewTLSCertificate(host string, priv *ecdsa.PrivateKey) ([]byte, error) {
 	notBefore := time.Now()
-	notAfter := notBefore.Add(2 * 365 * 24 * time.Hour)
+	notAfter := notBefore.Add(5 * 365 * 24 * time.Hour)

 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
@@ -55,7 +57,8 @@ func NewTLSCertificate(host string, priv *rsa.PrivateKey) ([]byte, error) {
 		},
 		NotBefore:          notBefore,
 		NotAfter:           notAfter,
-		SignatureAlgorithm: x509.SHA256WithRSA,
+//              SignatureAlgorithm: x509.SHA256WithRSA,
+		SignatureAlgorithm: x509.ECDSAWithSHA512,

 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},