From d7b56871a9367cb97a2ec7398ed69496d34241e6 Mon Sep 17 00:00:00 2001
From: ginuerzh
Date: Wed, 27 Jul 2022 16:58:49 +0800
Subject: [PATCH] customize random-generated certificate information

---
 config/config.go | 5 +++++
 config/parsing/tls.go | 26 +++++++++++++++++++-------
 handler/http/metadata.go | 17 +++++++++++------
 handler/http2/metadata.go | 15 ++++++++++-----
 4 files changed, 45 insertions(+), 18 deletions(-)

diff --git a/config/config.go b/config/config.go
index 5bdf01a..c619a28 100644
--- a/config/config.go
+++ b/config/config.go
@@ -71,6 +71,11 @@ type TLSConfig struct {
 CAFile string `yaml:"caFile,omitempty" json:"caFile,omitempty"`
 Secure bool `yaml:",omitempty" json:"secure,omitempty"`
 ServerName string `yaml:"serverName,omitempty" json:"serverName,omitempty"`
+
+ // for auto-generated default certificate.
+ Validity time.Duration `yaml:",omitempty" json:"validity,omitempty"`
+ CommonName string `yaml:"commonName,omitempty" json:"commonName,omitempty"`
+ Organization string `yaml:",omitempty" json:"organization,omitempty"`
 }

 type AutherConfig struct {
diff --git a/config/parsing/tls.go b/config/parsing/tls.go
index 4a1bb93..9dffc1f 100644
--- a/config/parsing/tls.go
+++ b/config/parsing/tls.go
@@ -31,7 +31,7 @@ func BuildDefaultTLSConfig(cfg *config.TLSConfig) {
 tlsConfig, err := loadConfig(cfg.CertFile, cfg.KeyFile)
 if err != nil {
 // generate random self-signed certificate.
- cert, err := genCertificate()
+ cert, err := genCertificate(cfg.Validity, cfg.Organization, cfg.CommonName)
 if err != nil {
 log.Fatal(err)
 }
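Review bot: The new `Validity` field is tagged `json:"validity,omitempty"` while typed `time.Duration`, so if the JSON config path goes through encoding/json it will only accept a bare integer of nanoseconds, whereas the YAML decoder accepts a human-readable duration string; a JSON user writing something like `"validity": "8760h"` gets a decode error rather than the one-year fallback (worth confirming against the loader, and either documenting the nanosecond form or decoding via a string). The one-line comment `// for auto-generated default certificate.` also says nothing about the fallbacks that config/parsing/tls.go applies; I would replace it with `// Validity, CommonName and Organization apply only when no certFile/keyFile is given and a self-signed certificate is generated; zero/empty values fall back to built-in defaults (one year, "gost.run", "GOST").` so the config reference does not have to be reverse-engineered from the generator.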
@@ -58,15 +58,15 @@ func loadConfig(certFile, keyFile string) (*tls.Config, error) {
 return cfg, nil
 }

-func genCertificate() (cert tls.Certificate, err error) {
- rawCert, rawKey, err := generateKeyPair()
+func genCertificate(validity time.Duration, org string, cn string) (cert tls.Certificate, err error) {
+ rawCert, rawKey, err := generateKeyPair(validity, org, cn)
 if err != nil {
 return
 }
 return tls.X509KeyPair(rawCert, rawKey)
 }

-func generateKeyPair() (rawCert, rawKey []byte, err error) {
+func generateKeyPair(validity time.Duration, org string, cn string) (rawCert, rawKey []byte, err error) {
 // Create private key and self-signed certificate
 // Adapted from https://golang.org/src/crypto/tls/generate_cert.go

@@ -74,7 +74,18 @@ func generateKeyPair() (rawCert, rawKey []byte, err error) {
 if err != nil {
 return
 }
- validFor := time.Hour * 24 * 365 * 10 // ten years
+
+ if validity <= 0 {
+ validity = time.Hour * 24 * 365 // one year
+ }
+ if org == "" {
+ org = "GOST"
+ }
+ if cn == "" {
+ cn = "gost.run"
+ }
+
+ validFor := validity
 notBefore := time.Now()
 notAfter := notBefore.Add(validFor)
 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
@@ -86,7 +97,8 @@ func generateKeyPair() (rawCert, rawKey []byte, err error) {
 template := x509.Certificate{
 SerialNumber: serialNumber,
 Subject: pkix.Name{
- Organization: []string{"gost"},
+ Organization: []string{org},
+ CommonName: cn,
 },
 NotBefore: notBefore,
 NotAfter: notAfter,
@@ -96,7 +108,7 @@ func generateKeyPair() (rawCert, rawKey []byte, err error) {
 BasicConstraintsValid: true,
 }

- template.DNSNames = append(template.DNSNames, "gost.run")
+ template.DNSNames = append(template.DNSNames, cn)
 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
 if err != nil {
 return
diff --git a/handler/http/metadata.go b/handler/http/metadata.go
index d99a695..4a8d225 100644
--- a/handler/http/metadata.go
+++ b/handler/http/metadata.go
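Review bot: The new signatures of genCertificate and generateKeyPair carry three undocumented parameters whose contract (non-positive validity and empty org/cn are replaced by defaults) is only discoverable by reading the body of generateKeyPair further down, so a doc comment belongs on both: `// generateKeyPair creates an RSA key and a self-signed certificate valid for validity, with subject organization org and common name cn; non-positive validity and empty org or cn fall back to built-in defaults.` and a one-liner on genCertificate saying it wraps that pair into a tls.Certificate. As a style point, the parameter list `org string, cn string` reads more naturally as `org, cn string`. The body of generateKeyPair continues beyond this hunk.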
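Review bot: The `validity <= 0` fallback in the `@@ -74,7 +74,18 @@` hunk silently shortens the default lifetime of the generated certificate from ten years to one year for every deployment that does not set the new option, and neither the commit message nor a code comment records that change; at minimum the comment should read `// one year (previously ten years); override with tls.validity` and the commit description should mention it so operators pinning the self-signed cert on clients are not surprised by the earlier expiry. The intermediate `validFor := validity` is now a pure alias and could be dropped in favour of using `validity` directly in the `notBefore.Add` call.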
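Review bot: In the `@@ -96,7 +108,7 @@` hunk the configured common name is appended to `template.DNSNames` unconditionally, so a commonName given as an IP literal (a common choice for a proxy reached by address) ends up as a dNSName SAN instead of an iPAddress SAN, and standard verification against that address will fail; likewise a non-ASCII name would, as far as I recall, be rejected by x509.CreateCertificate when it encodes the SAN, which is worth confirming and documenting next to the config field. Routing the value by `net.ParseIP` fixes the IP case without changing behaviour for hostnames (this needs `net` imported in the file if it is not already). The enclosing function starts outside this hunk.
```go
	// … unchanged: template fields up to BasicConstraintsValid …
	if ip := net.ParseIP(cn); ip != nil {
		template.IPAddresses = append(template.IPAddresses, ip)
	} else {
		template.DNSNames = append(template.DNSNames, cn)
	}
	// … unchanged: x509.CreateCertificate call …
```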
@@ -16,10 +16,11 @@ type metadata struct {

 func (h *httpHandler) parseMetadata(md mdata.Metadata) error {
 const (
- header = "header"
- probeResistKey = "probeResistance"
- knock = "knock"
- enableUDP = "udp"
+ header = "header"
+ probeResistKey = "probeResistance"
+ probeResistKeyX = "probe_resist"
+ knock = "knock"
+ enableUDP = "udp"
 )

 if m := mdx.GetStringMapString(md, header); len(m) > 0 {
@@ -30,8 +31,12 @@ func (h *httpHandler) parseMetadata(md mdata.Metadata) error {
 h.md.header = hd
 }

- if v := mdx.GetString(md, probeResistKey); v != "" {
- if ss := strings.SplitN(v, ":", 2); len(ss) == 2 {
+ pr := mdx.GetString(md, probeResistKey)
+ if pr == "" {
+ pr = mdx.GetString(md, probeResistKeyX)
+ }
+ if pr != "" {
+ if ss := strings.SplitN(pr, ":", 2); len(ss) == 2 {
 h.md.probeResistance = &probeResistance{
 Type: ss[0],
 Value: ss[1],
diff --git a/handler/http2/metadata.go b/handler/http2/metadata.go
index 92e1fe1..42f7033 100644
--- a/handler/http2/metadata.go
+++ b/handler/http2/metadata.go
@@ -15,9 +15,10 @@ type metadata struct {

 func (h *http2Handler) parseMetadata(md mdata.Metadata) error {
 const (
- header = "header"
- probeResistKey = "probeResistance"
- knock = "knock"
+ header = "header"
+ probeResistKey = "probeResistance"
+ probeResistKeyX = "probe_resist"
+ knock = "knock"
 )

 if m := mdx.GetStringMapString(md, header); len(m) > 0 {
@@ -28,8 +29,12 @@ func (h *http2Handler) parseMetadata(md mdata.Metadata) error {
 h.md.header = hd
 }

- if v := mdx.GetString(md, probeResistKey); v != "" {
- if ss := strings.SplitN(v, ":", 2); len(ss) == 2 {
+ pr := mdx.GetString(md, probeResistKey)
+ if pr == "" {
+ pr = mdx.GetString(md, probeResistKeyX)
+ }
+ if pr != "" {
+ if ss := strings.SplitN(pr, ":", 2); len(ss) == 2 {
 h.md.probeResistance = &probeResistance{
 Type: ss[0],
 Value: ss[1],
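Review bot: The key-fallback and `type:value` parsing added in the `@@ -30,8 +31,12 @@` hunk of handler/http/metadata.go is repeated verbatim in the `@@ -28,8 +29,12 @@` hunk of handler/http2/metadata.go, so any later fix (for example rejecting a value with no `:` instead of silently dropping it, which both copies still do) has to be made twice; a small shared helper that takes the metadata and returns the parsed probeResistance would keep the two handlers in step. The name `probeResistKeyX` also gives no hint of why a second key exists; if it is a compatibility alias for an older spelling, naming it `probeResistKeyLegacy` and adding `// probe_resist: legacy alias for probeResistance, consulted only when the canonical key is unset` above the const would make that intent explicit. Both enclosing parseMetadata functions continue outside their hunks.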