vibe/voicepaste
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
35032c177758de305f0513885e0586504a44cf38
voicepaste/internal/tls/tls.go

63 lines
1.6 KiB
Go
Raw Blame History

package tls
import (
"crypto/tls"
"crypto/x509"
"fmt"
"log/slog"
"net"
"os"
"path/filepath"
"time"
)
// certDir returns the directory for storing certificates.
func certDir() string {
home, _ := os.UserHomeDir()
dir := filepath.Join(home, ".voicepaste", "certs")
os.MkdirAll(dir, 0700)
return dir
}
// GetTLSConfig returns a tls.Config for the given LAN IP.
// It tries to load cached self-signed certs, or generates new ones.
func GetTLSConfig(lanIP string) (*tls.Config, error) {
dir := certDir()
certFile := filepath.Join(dir, "cert.pem")
keyFile := filepath.Join(dir, "key.pem")
// Try loading existing cert
if cert, err := tls.LoadX509KeyPair(certFile, keyFile); err == nil {
// Check if cert covers this IP and is not expired
if leaf, err := x509.ParseCertificate(cert.Certificate[0]); err == nil {
if time.Now().Before(leaf.NotAfter) && certCoversIP(leaf, lanIP) {
slog.Info("using cached TLS certificate", "expires", leaf.NotAfter.Format("2006-01-02"))
return &tls.Config{Certificates: []tls.Certificate{cert}}, nil
}
}
}
// Generate new self-signed cert
slog.Info("generating self-signed TLS certificate", "ip", lanIP)
cert, err := generateSelfSigned(lanIP, certFile, keyFile)
if err != nil {
return nil, fmt.Errorf("generate TLS cert: %w", err)
}
return &tls.Config{Certificates: []tls.Certificate{cert}}, nil
}
// certCoversIP checks if the certificate covers the given IP.
func certCoversIP(cert *x509.Certificate, ip string) bool {
target := net.ParseIP(ip)
if target == nil {
return false
}
for _, certIP := range cert.IPAddresses {
if certIP.Equal(target) {
return true
}
}
return false
}
Reference in New Issue View Git Blame Copy Permalink