LiquidProxy Lua Edition
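local fs = require "fs"

--- CA certificate and private key as raw PEM bytes, read once at startup.
-- Kept global (no `local`) because the rest of the proxy reads them by
-- these names; change both sites if you ever make them locals.
Key = fs.readFileSync("certs/" .. Config.key)
Cert = fs.readFileSync("certs/" .. Config.cert)

if not (Key and Cert) then
  -- Name the file that actually failed so an operator can fix the path
  -- without having to try both.
  local missing
  if not Key then missing = Config.key else missing = Config.cert end
  l:error("Certificate or key file not found: certs/" .. tostring(missing))
  os.exit(1)
end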
6
local openssl = require "openssl"
local x509 = openssl.x509
local pkey = openssl.pkey

--- CA certificate and CA private key parsed from the PEM bytes in Cert/Key.
-- assert() re-raises the message the read functions return on failure.
-- The second argument to pkey.read is passed as `true` in the original;
-- presumably it marks the input as a private key — confirm against the
-- lua-openssl version in use.
local ca = assert(x509.read(Cert))
local cakey = assert(pkey.read(Key, true))

--- Leaf certificates already issued, keyed by primary host name (see GenCert).
local ccache = {}
14
-- Inspired by https://github.com/zhaozg/lua-openssl/issues/208. Thanks xdays!
-- Bilal(bilalzero) + Nameless(truemedian) also helped me on it.
-- TODO: A mess. Try to reduce the mess. Please.
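--- Issue a leaf certificate for `names`, signed by the proxy CA (`ca`/`cakey`).
-- Results are cached per primary name and reissued once the cached
-- certificate is past its notAfter.
-- @tparam string|{string,...} names primary host name, or a list whose first
--  entry becomes the CN and every entry becomes a subjectAltName
-- @treturn x509 the signed leaf certificate
-- @treturn pkey the freshly generated private key for it
-- @raise if `names` is empty, if an entry would break the SAN syntax, or if
--  key generation fails (via assert)
function GenCert(names)
  if type(names) == "string" then names = {names} end
  if type(names) ~= "table" or names[1] == nil then
    error("GenCert: expected a host name or a non-empty list of names", 2)
  end

  local now = os.time()

  -- Cache key is the primary name only: a later call with the same primary
  -- name but additional SAN entries gets the earlier certificate back.
  -- Expiry is tracked in the entry itself rather than by calling
  -- c:validat() with no arguments, whose return value does not say whether
  -- the certificate is still within its validity period.
  local cached = ccache[names[1]]
  if cached and cached.expires and now < cached.expires then
    return cached[1], cached[2]
  end

  -- Sort SAN entries into IPv4 addresses and DNS names. Entries are whatever
  -- the caller asked for (typically the requested host), so refuse anything
  -- that would corrupt the comma-separated extension syntax.
  local hosts, ips = {}, {}
  for _, v in ipairs(names) do
    if type(v) ~= "string" or v == "" or v:find("[,%s]") then
      error("GenCert: invalid subjectAltName entry: " .. tostring(v), 2)
    end
    if v:match("^%d+%.%d+%.%d+%.%d+$") then
      ips[#ips + 1] = "IP:" .. v
    else
      hosts[#hosts + 1] = "DNS:" .. v
    end
  end
  -- Every entry is separated by a comma, including the boundary between
  -- the IP and DNS groups (the original joined the two groups with nothing).
  local parts = {}
  for _, e in ipairs(ips) do parts[#parts + 1] = e end
  for _, e in ipairs(hosts) do parts[#parts + 1] = e end
  local san = {
    object = "subjectAltName",
    value = table.concat(parts, ","),
  }

  local ckey = assert(openssl.pkey.new("rsa", Config.secure.tls.key_length))
  local subject = x509.name.new {{CN = names[1]}}

  local req = x509.req.new(subject, ckey)
  req:extensions({x509.extension.new_extension(san)})
  req:public(ckey)
  req:sign(ckey, "sha256")

  -- Second argument to to_x509 is passed as 1 in the original; presumably a
  -- validity in days that validat() below overrides — confirm against
  -- lua-openssl.
  local cert = req:to_x509(ckey, 1)
  -- Random 128-bit serial; a fresh one per issued certificate.
  cert:serial(openssl.bn.random(128))
  cert:subject(subject)
  -- notBefore is set an hour in the past, presumably to tolerate client clock
  -- skew; notAfter is what the cache entry checks against.
  local expires = now + One.hour * 24
  cert:validat(now - One.hour, expires)
  cert:extensions({x509.extension.new_extension(san)})

  cert:sign(cakey, ca, "sha256")

  ccache[names[1]] = {cert, ckey, expires = expires}

  return cert, ckey
end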