From b6fe8871df9f1c0b7507135d7e091e0a4cc1a16a Mon Sep 17 00:00:00 2001
From: Alex X
Date: Sat, 22 Nov 2025 20:00:34 +0300
Subject: [PATCH] Add self-signed cert generator (not used yet)
---
 pkg/xnet/tls/tls.go | 63 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 pkg/xnet/tls/tls.go
diff --git a/pkg/xnet/tls/tls.go b/pkg/xnet/tls/tls.go
new file mode 100644
index 00000000..b4b6f60b
--- /dev/null
+++ b/pkg/xnet/tls/tls.go
@@ -0,0 +1,63 @@
+package tls
+
+import (
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/tls"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "math/big"
+ "net"
+ "time"
+)
+
+func CreateCertificate() (*tls.Certificate, error) {
+ // 1. Generate an RSA private key
+ privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+ if err != nil {
+ return nil, err
+ }
+
+ // 2. Define the certificate template
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ if err != nil {
+ return nil, err
+ }
+
+ template := x509.Certificate{
+ SerialNumber: serialNumber,
+ Subject: pkix.Name{
+ Organization: []string{"home"},
+ CommonName: "localhost",
+ },
+ NotBefore: time.Now(),
+ NotAfter: time.Now().Add(365 * 24 * time.Hour), // Valid for 1 year
+
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ BasicConstraintsValid: true,
+
+ // Add localhost as a valid IP and DNS name
+ IPAddresses: []net.IP{[]byte{127, 0, 0, 1}},
+ DNSNames: []string{"localhost"},
+ }
+
+ // 3. Create a self-signed certificate
+ // The parent is the template itself, and we use the generated public and private keys.
+ derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+ if err != nil {
+ return nil, err
+ }
+
+ derBytes = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+ keyBytes := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)})
+
+ cert, err := tls.X509KeyPair(derBytes, keyBytes)
+ if err != nil {
+ return nil, err
+ }
+
+ return &cert, nil
+}
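Review bot: The PEM round trip at the end of the hunk is unnecessary and makes `derBytes` misleading once it is overwritten with PEM text; the DER and the key are already in hand, so the last nine lines can collapse to `return &tls.Certificate{Certificate: [][]byte{derBytes}, PrivateKey: privateKey}, nil` (set `Leaf` from `x509.ParseCertificate(derBytes)` if callers need it), which also removes the `encoding/pem` import and the PKCS#1 serialization of the private key into a byte slice that is then discarded. `CreateCertificate` is exported but has no doc comment; something like `// CreateCertificate generates a fresh 2048-bit RSA key and a self-signed certificate for "localhost"/127.0.0.1 valid for one year, for local development only; it is trusted by no CA, so peers must pin it explicitly rather than disable verification.` would state the contract. `NotBefore` and `NotAfter` are derived from two separate `time.Now()` calls; capture `now := time.Now()` once and consider backdating `NotBefore` by a few minutes so clients with slight clock skew accept the certificate. Only IPv4 loopback is listed in `IPAddresses`, so a connection to `[::1]` fails hostname verification; add `net.IPv6loopback`, and `net.IPv4(127, 0, 0, 1)` reads clearer than the raw byte slice.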