Self-signed certificate generation (#532)

FileGo · 0xERR0R · web-flow · commit 92fd6235bff2 · 2022-05-27T22:20:44.000+02:00
* Added self-signed certificate functionality

Co-authored-by: Dimitri Herzog &lt;dimitri.herzog@gmail.com&gt;
diff --git a/config/config.go b/config/config.go
@@ -17,7 +17,6 @@ import (
 	"github.com/miekg/dns"
 
 	"github.com/hako/durafmt"
-	"github.com/hashicorp/go-multierror"
 
 	"github.com/0xERR0R/blocky/log"
 	"github.com/creasty/defaults"
@@ -609,30 +608,17 @@ func unmarshalConfig(data []byte, cfg *Config) error {
 		return fmt.Errorf("wrong file structure: %w", err)
 	}
 
-	err = validateConfig(cfg)
-	if err != nil {
-		return fmt.Errorf("unable to validate config: %w", err)
-	}
+	validateConfig(cfg)
 
 	return nil
 }
 
-func validateConfig(cfg *Config) (err error) {
-	if len(cfg.TLSPorts) != 0 && (cfg.CertFile == "" || cfg.KeyFile == "") {
-		err = multierror.Append(err, errors.New("'certFile' and 'keyFile' parameters are mandatory for TLS"))
-	}
-
-	if len(cfg.HTTPSPorts) != 0 && (cfg.CertFile == "" || cfg.KeyFile == "") {
-		err = multierror.Append(err, errors.New("'certFile' and 'keyFile' parameters are mandatory for HTTPS"))
-	}
-
+func validateConfig(cfg *Config) {
 	if cfg.DisableIPv6 {
 		log.Log().Warnf("'disableIPv6' is deprecated. Please use 'filtering.queryTypes' with 'AAAA' instead.")
 
 		cfg.Filtering.QueryTypes.Insert(dns.Type(dns.TypeAAAA))
 	}
-
-	return
 }
 
 // GetConfig returns the current config
diff --git a/config/config_test.go b/config/config_test.go
@@ -161,78 +161,17 @@ bootstrapDns:
 			})
 		})
 
-		When("Validation fails", func() {
-			It("should return error", func() {
-				cfg := Config{}
-				data :=
-					`httpsPort: 443`
-				err := unmarshalConfig([]byte(data), &cfg)
-				Expect(err).Should(HaveOccurred())
-				Expect(err.Error()).Should(ContainSubstring("'certFile' and 'keyFile' parameters are mandatory for HTTPS"))
-			})
-		})
-
-		When("TlsPort is defined", func() {
-			It("certFile/keyFile must be set", func() {
-
-				By("certFile/keyFile not set", func() {
-					c := &Config{
-						TLSPorts: ListenConfig{"953"},
-					}
-					err := validateConfig(c)
-					Expect(err).Should(HaveOccurred())
-					Expect(err.Error()).Should(ContainSubstring("'certFile' and 'keyFile' parameters are mandatory for TLS"))
-				})
-
-				By("certFile/keyFile set", func() {
-					c := &Config{
-						TLSPorts: ListenConfig{"953"},
-						KeyFile:  "key",
-						CertFile: "cert",
-					}
-					err := validateConfig(c)
-					Expect(err).Should(Succeed())
-
-				})
-			})
-		})
-
 		When("Deprecated parameter 'disableIPv6' is set", func() {
 			It("should add 'AAAA' to filter.queryTypes", func() {
 				c := &Config{
 					DisableIPv6: true,
 				}
-				err := validateConfig(c)
-				Expect(err).Should(Succeed())
+				validateConfig(c)
 				Expect(c.Filtering.QueryTypes).Should(HaveKey(QType(dns.TypeAAAA)))
 				Expect(c.Filtering.QueryTypes.Contains(dns.Type(dns.TypeAAAA))).Should(BeTrue())
 			})
 		})
 
-		When("HttpsPort is defined", func() {
-			It("certFile/keyFile must be set", func() {
-
-				By("certFile/keyFile not set", func() {
-					c := &Config{
-						HTTPSPorts: ListenConfig{"443"},
-					}
-					err := validateConfig(c)
-					Expect(err).Should(HaveOccurred())
-					Expect(err.Error()).Should(ContainSubstring("'certFile' and 'keyFile' parameters are mandatory for HTTPS"))
-				})
-
-				By("certFile/keyFile set", func() {
-					c := &Config{
-						TLSPorts: ListenConfig{"443"},
-						KeyFile:  "key",
-						CertFile: "cert",
-					}
-					err := validateConfig(c)
-					Expect(err).Should(Succeed())
-				})
-			})
-		})
-
 		When("config directory does not exist", func() {
 			It("should return error", func() {
 				err := os.Chdir("../..")
diff --git a/docs/config.yml b/docs/config.yml
@@ -185,7 +185,7 @@ port: 53
 # optional: HTTPS listener port(s) and bind ip address(es), default empty = no http listener. If > 0, will be used for prometheus metrics, pprof, REST API, DoH... Example: 443, :443, 127.0.0.1:443
 httpPort: 4000
 #httpsPort: 443
-# mandatory, if https port > 0: path to cert and key file for SSL encryption
+# if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated
 #certFile: server.crt
 #keyFile: server.key
 # optional: use this DNS server to resolve blacklist urls and upstream DNS servers. Useful if no DNS resolver is configured and blocky needs to resolve a host name. Format net:IP:port, net must be udp or tcp
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -17,8 +17,8 @@ configuration properties as [JSON](config.yml).
 | tlsPort      | [IP]:port[,[IP]:port]*          | no                    |               | Port(s) and optional bind ip address(es) to serve DoT DNS endpoint (DNS-over-TLS). If you wish to specify a specific IP, you can do so such as `192.168.0.1:853`. Example: `83`, `:853`, `127.0.0.1:853,[::1]:853`                                |
 | httpPort     | [IP]:port[,[IP]:port]*          | no                    |               | Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as `192.168.0.1:4000`. Example: `4000`, `:4000`, `127.0.0.1:4000,[::1]:4000` |
 | httpsPort    | [IP]:port[,[IP]:port]*          | no                    |               | Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as `192.168.0.1:443`. Example: `443`, `:443`, `127.0.0.1:443,[::1]:443`     |
-| certFile     | path                            | yes, if httpsPort > 0 |               | Path to cert and key file for SSL encryption (DoH and DoT)                                                                                                                                                                                        |
-| keyFile      | path                            | yes, if httpsPort > 0 |               | Path to cert and key file for SSL encryption (DoH and DoT)
+| certFile     | path                            | no                    |               | Path to cert and key file for SSL encryption (DoH and DoT); if empty, self-signed certificate is generated                                               |
+| keyFile      | path                            | no                    |               | Path to cert and key file for SSL encryption (DoH and DoT); if empty, self-signed certificate is generated                                              |
 | logLevel     | enum (debug, info, warn, error) | no                    | info          | Log level                                                                                                                                                                                                                                         |
 | logFormat    | enum (text, json)               | no                    | text          | Log format (text or json).                                                                                                                                                                                                                        |
 | logTimestamp | bool                            | no                    | true          | Log time stamps (true or false).                                                                                                                                                                                                                  |
diff --git a/server/server.go b/server/server.go
@@ -1,8 +1,15 @@
 package server
 
 import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
+	"math/big"
+	mrand "math/rand"
 	"net"
 	"net/http"
 	"runtime"
@@ -27,6 +34,9 @@ import (
 
 const (
 	maxUDPBufferSize = 65535
+	caExpiryYears    = 10
+	certExpiryYears  = 5
+	certRSAsize      = 4096
 )
 
 // Server controls the endpoints for DNS and HTTP
@@ -37,6 +47,7 @@ type Server struct {
 	queryResolver  resolver.Resolver
 	cfg            *config.Config
 	httpMux        *chi.Mux
+	cert           tls.Certificate
 }
 
 func logger() *logrus.Entry {
@@ -67,10 +78,27 @@ func getServerAddress(addr string) string {
 type NewServerFunc func(address string) (*dns.Server, error)
 
 // NewServer creates new server instance with passed config
+// nolint:funlen
 func NewServer(cfg *config.Config) (server *Server, err error) {
 	log.ConfigureLogger(cfg.LogLevel, cfg.LogFormat, cfg.LogTimestamp)
 
-	dnsServers, err := createServers(cfg)
+	var cert tls.Certificate
+
+	if cfg.CertFile == "" && cfg.KeyFile == "" {
+		cert, err = createSelfSignedCert()
+		if err != nil {
+			return nil, fmt.Errorf("unable to generate self-signed certificate: %w", err)
+		}
+
+		log.Log().Info("using self-signed certificate")
+	} else {
+		cert, err = tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
+		if err != nil {
+			return nil, fmt.Errorf("can't load certificate files: %w", err)
+		}
+	}
+
+	dnsServers, err := createServers(cfg, cert)
 	if err != nil {
 		return nil, fmt.Errorf("server creation failed: %w", err)
 	}
@@ -110,6 +138,7 @@ func NewServer(cfg *config.Config) (server *Server, err error) {
 		httpListeners:  httpListeners,
 		httpsListeners: httpsListeners,
 		httpMux:        router,
+		cert:           cert,
 	}
 
 	server.printConfiguration()
@@ -122,7 +151,7 @@ func NewServer(cfg *config.Config) (server *Server, err error) {
 	return server, err
 }
 
-func createServers(cfg *config.Config) ([]*dns.Server, error) {
+func createServers(cfg *config.Config, cert tls.Certificate) ([]*dns.Server, error) {
 	var dnsServers []*dns.Server
 
 	var err *multierror.Error
@@ -144,7 +173,7 @@ func createServers(cfg *config.Config) ([]*dns.Server, error) {
 		addServers(createUDPServer, cfg.DNSPorts),
 		addServers(createTCPServer, cfg.DNSPorts),
 		addServers(func(address string) (*dns.Server, error) {
-			return createTLSServer(address, cfg.CertFile, cfg.KeyFile)
+			return createTLSServer(address, cert)
 		}, cfg.TLSPorts))
 
 	return dnsServers, err.ErrorOrNil()
@@ -191,17 +220,12 @@ func registerResolverAPIEndpoints(router chi.Router, res resolver.Resolver) {
 	}
 }
 
-func createTLSServer(address string, certFile string, keyFile string) (*dns.Server, error) {
-	cer, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, fmt.Errorf("can't load certificate files: %w", err)
-	}
-
+func createTLSServer(address string, cert tls.Certificate) (*dns.Server, error) {
 	return &dns.Server{
 		Addr: address,
 		Net:  "tcp-tls",
 		TLSConfig: &tls.Config{
-			Certificates: []tls.Certificate{cer},
+			Certificates: []tls.Certificate{cert},
 			MinVersion:   tls.VersionTLS12,
 			CipherSuites: tlsCipherSuites(),
 		},
@@ -235,6 +259,90 @@ func createUDPServer(address string) (*dns.Server, error) {
 	}, nil
 }
 
+// nolint:funlen
+func createSelfSignedCert() (tls.Certificate, error) {
+	// Create CA
+	ca := &x509.Certificate{
+		SerialNumber:          big.NewInt(int64(mrand.Intn(certRSAsize))), //nolint:gosec
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(caExpiryYears, 0, 0),
+		IsCA:                  true,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+
+	caPrivKey, err := rsa.GenerateKey(rand.Reader, certRSAsize)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	caPEM := new(bytes.Buffer)
+	if err = pem.Encode(caPEM, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}); err != nil {
+		return tls.Certificate{}, err
+	}
+
+	caPrivKeyPEM := new(bytes.Buffer)
+	if err = pem.Encode(caPrivKeyPEM, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey),
+	}); err != nil {
+		return tls.Certificate{}, err
+	}
+
+	// Create certificate
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(int64(mrand.Intn(certRSAsize))), //nolint:gosec
+		DNSNames:     []string{"*"},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().AddDate(certExpiryYears, 0, 0),
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+	}
+
+	certPrivKey, err := rsa.GenerateKey(rand.Reader, certRSAsize)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	certPEM := new(bytes.Buffer)
+	if err = pem.Encode(certPEM, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	}); err != nil {
+		return tls.Certificate{}, err
+	}
+
+	certPrivKeyPEM := new(bytes.Buffer)
+	if err = pem.Encode(certPrivKeyPEM, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
+	}); err != nil {
+		return tls.Certificate{}, err
+	}
+
+	keyPair, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes())
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	return keyPair, nil
+}
+
 func createQueryResolver(
 	cfg *config.Config,
 	bootstrap *resolver.Bootstrap,
@@ -366,10 +474,11 @@ func (s *Server) Start(errCh chan<- error) {
 				TLSConfig: &tls.Config{
 					MinVersion:   tls.VersionTLS12,
 					CipherSuites: tlsCipherSuites(),
+					Certificates: []tls.Certificate{s.cert},
 				},
 			}
 
-			if err := server.ServeTLS(listener, s.cfg.CertFile, s.cfg.KeyFile); err != nil {
+			if err := server.ServeTLS(listener, "", ""); err != nil {
 				errCh <- fmt.Errorf("start https listener failed: %w", err)
 			}
 		}()
diff --git a/server/server_test.go b/server/server_test.go
@@ -641,6 +641,29 @@ var _ = Describe("Running DNS server", func() {
 		})
 	})
 
+	Describe("self-signed certificate creation", func() {
+		var (
+			cfg  config.Config
+			cErr error
+		)
+		BeforeEach(func() {
+			cErr = defaults.Set(&cfg)
+
+			Expect(cErr).Should(Succeed())
+
+			cfg.Upstream.ExternalResolvers = map[string][]config.Upstream{
+				"default": {config.Upstream{Net: config.NetProtocolTcpUdp, Host: "4.4.4.4", Port: 53}}}
+		})
+
+		It("should create self-signed certificate if key/cert files are not provided", func() {
+			cfg.KeyFile = ""
+			cfg.CertFile = ""
+
+			sut, err := NewServer(&cfg)
+			Expect(err).Should(Succeed())
+			Expect(sut.cert.Certificate).ShouldNot(BeNil())
+		})
+	})
 })
 
 func requestServer(request *dns.Msg) *dns.Msg {
