feat: Generate self-signed at startup to avoid fingerprint

src/embedded_certificate.rs

@@ -1,23 +1,31 @@
 use log::info;
+use rcgen::{date_time_ymd, CertificateParams, DnType, KeyPair};
 use std::sync::LazyLock;
-use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use std::time::Instant;
+use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
 
-pub static TLS_PRIVATE_KEY: LazyLock<PrivateKeyDer<'static>> = LazyLock::new(|| {
-    info!("Loading embedded tls private key");
+pub static TLS_CERTIFICATE: LazyLock<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> = LazyLock::new(|| {
+    info!("Generating self-signed tls certificate");
 
-    let key = include_bytes!("../certs/key.pem");
-    let key = rustls_pemfile::private_key(&mut key.as_slice())
-        .expect("failed to load embedded tls private key")
-        .expect("failed to load embedded tls private key");
-    key
-});
-pub static TLS_CERTIFICATE: LazyLock<Vec<CertificateDer<'static>>> = LazyLock::new(|| {
-    info!("Loading embedded tls certificate");
-
-    let cert = include_bytes!("../certs/cert.pem");
-    let certs = rustls_pemfile::certs(&mut cert.as_slice())
-        .next()
-        .expect("failed to load embedded tls certificate");
-
-    certs.into_iter().collect()
+    let now = Instant::now();
+    let key_pair = KeyPair::generate().unwrap();
+    let mut cert = CertificateParams::new(vec![]).unwrap();
+    cert.distinguished_name = rcgen::DistinguishedName::new();
+    cert.distinguished_name.push(DnType::CountryName, "FR".to_string());
+    let el = now.elapsed();
+    let year = 2024 - (el.as_nanos() % 2) as i32;
+    let month = 1 + (el.as_nanos() % 12) as u8;
+    let day = 1 + (el.as_nanos() % 31) as u8;
+    cert.not_before = date_time_ymd(year, month, day);
+
+    let el = now.elapsed();
+    let year = 2024 + (el.as_nanos() % 50) as i32;
+    let month = 1 + (el.as_nanos() % 12) as u8;
+    let day = 1 + (el.as_nanos() % 31) as u8;
+    cert.not_after = date_time_ymd(year, month, day);
+
+    let cert = cert.self_signed(&key_pair).unwrap().der().clone();
+    let private_key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialized_der().to_vec()));
+
+    (vec![cert], private_key)
 });

src/main.rs

@@ -1069,13 +1069,13 @@ async fn main() -> anyhow::Result<()> {
                 let tls_certificate = if let Some(cert_path) = &args.tls_certificate {
                     tls::load_certificates_from_pem(cert_path).expect("Cannot load tls certificate")
                 } else {
-                    embedded_certificate::TLS_CERTIFICATE.clone()
+                    embedded_certificate::TLS_CERTIFICATE.0.clone()
                 };
 
                 let tls_key = if let Some(key_path) = &args.tls_private_key {
                     tls::load_private_key_from_file(key_path).expect("Cannot load tls private key")
                 } else {
-                    embedded_certificate::TLS_PRIVATE_KEY.clone_key()
+                    embedded_certificate::TLS_CERTIFICATE.1.clone_key()
                 };
 
                 let tls_client_ca_certificates = args.tls_client_ca_certs.as_ref().map(|tls_client_ca| {
@@ -1125,7 +1125,7 @@ async fn main() -> anyhow::Result<()> {
             let http_proxy = mk_http_proxy(args.http_proxy, args.http_proxy_login, args.http_proxy_password)?;
             let server_config = WsServerConfig {
                 socket_so_mark: args.socket_so_mark,
-                bind: args.remote_addr.socket_addrs(|| Some(8080)).unwrap()[0],
+                bind: args.remote_addr.socket_addrs(|| Some(8080))?[0],
                 websocket_ping_frequency: args
                     .websocket_ping_frequency_sec
                     .or(Some(Duration::from_secs(30)))
@@ -1157,7 +1157,7 @@ async fn main() -> anyhow::Result<()> {
         }
     }
 
-    tokio::signal::ctrl_c().await.unwrap();
+    tokio::signal::ctrl_c().await?;
     Ok(())
 }