mirror of
https://github.com/Grasscutters/mitmproxy.git
synced 2024-11-23 00:01:36 +00:00
[sans-io] tls tests++
This commit is contained in:
parent
7fbe8cece7
commit
09b6257de0
21
test/mitmproxy/data/verificationcerts/9da13359.0
Normal file
21
test/mitmproxy/data/verificationcerts/9da13359.0
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDazCCAlOgAwIBAgIUT0IDh7/Cho/ZPuVDs/jg7g/6+lswDQYJKoZIhvcNAQEL
|
||||||
|
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
|
||||||
|
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTExMjIyMjQxNDdaFw0zOTEx
|
||||||
|
MTcyMjQxNDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
|
||||||
|
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
|
||||||
|
AQUAA4IBDwAwggEKAoIBAQCvx49WJyThnCZ/qQuotMpe1ZvokAfDmpS399815yn7
|
||||||
|
kf2zsbuvb/nFGY6Y+tiaLOQkRqB7pV5fuolBng9Z5NDhu8Qw2WXAFDXQxpSsJVLx
|
||||||
|
lKyzt98RU8qoOuL9SipX2DjRMkBsm0FInCWeACWDWkn0DIPfW71FddtOIN2Q/kBE
|
||||||
|
LdpP9mZ4/RfJw6CpZXNvbwnTqwqOvpzpkaQDmbKFJwGFsKYyOctwEcE8qtR0YKs3
|
||||||
|
5dCS/FTs6kc41V3ioaMBj2HaXwq+6R0I/939wrtwDKxFpH5NwES8T4oeSvnuszlk
|
||||||
|
o7Ot0IK4uCz8R+FCLZuRU9U+yP0KOdMRTZ9OBVMoLzxZAgMBAAGjUzBRMB0GA1Ud
|
||||||
|
DgQWBBTQj9qqsEovqpBmFZlWVSJRBYxeRTAfBgNVHSMEGDAWgBTQj9qqsEovqpBm
|
||||||
|
FZlWVSJRBYxeRTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9
|
||||||
|
0R1JZJ/075J8ZJFvuYZURjD9D3NZdcp80X503UBXmNgkePVKOTlVlxStuuF87EY4
|
||||||
|
BkUoqR+QE9xxr9uAyTX1xGMDEDCso0ylPmsT+p/uXdWzijNNQywg+X7/UprF20o+
|
||||||
|
TPJNah+fQgcunvb3bjviOsIgSBFE8N9sNZLNTn1vc5mvKfzrT0svj5y31HwbOHmZ
|
||||||
|
85nyupjrrXzgDZBCIQLQpepfkjjOxm82oD3eszzNWe1x+ukvqKFWVQtUbP3hlclT
|
||||||
|
bgZuy/1NG4oZXgqGysNn0zxx4xixxbJhKb140TtH5xwAC08X3m5sTkcmDVjqJKWG
|
||||||
|
jemUYIi4o/YRxDEMChXT
|
||||||
|
-----END CERTIFICATE-----
|
75
test/mitmproxy/data/verificationcerts/generate.py
Normal file
75
test/mitmproxy/data/verificationcerts/generate.py
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
"""
|
||||||
|
Generate SSL test certificates.
|
||||||
|
"""
|
||||||
|
import subprocess
|
||||||
|
import shlex
|
||||||
|
import os
|
||||||
|
import shutil
|
||||||
|
import textwrap
|
||||||
|
|
||||||
|
ROOT_CA = "trusted-root"
|
||||||
|
SUBJECT = "example.mitmproxy.org"
|
||||||
|
|
||||||
|
|
||||||
|
def do(args):
|
||||||
|
print("> %s" % args)
|
||||||
|
args = shlex.split(args)
|
||||||
|
output = subprocess.check_output(args)
|
||||||
|
return output
|
||||||
|
|
||||||
|
|
||||||
|
def genrsa(cert: str):
|
||||||
|
do(f"openssl genrsa -out {cert}.key 2048")
|
||||||
|
|
||||||
|
|
||||||
|
def sign(cert: str, subject: str):
|
||||||
|
with open(f"openssl-{cert}.conf", "w") as f:
|
||||||
|
f.write(textwrap.dedent(f"""
|
||||||
|
authorityKeyIdentifier=keyid,issuer
|
||||||
|
basicConstraints=CA:FALSE
|
||||||
|
keyUsage = digitalSignature, keyEncipherment
|
||||||
|
subjectAltName = {subject}
|
||||||
|
"""))
|
||||||
|
do(f"openssl x509 -req -in {cert}.csr "
|
||||||
|
f"-CA {ROOT_CA}.crt "
|
||||||
|
f"-CAkey {ROOT_CA}.key "
|
||||||
|
f"-CAcreateserial "
|
||||||
|
f"-days 7300 "
|
||||||
|
f"-sha256 "
|
||||||
|
f"-extfile \"openssl-{cert}.conf\" "
|
||||||
|
f"-out {cert}.crt"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def mkcert(cert, subject):
|
||||||
|
genrsa(cert)
|
||||||
|
do(f"openssl req -new -nodes -batch "
|
||||||
|
f"-key {cert}.key "
|
||||||
|
f"-addext \"subjectAltName = {subject}\" "
|
||||||
|
f"-out {cert}.csr"
|
||||||
|
)
|
||||||
|
sign(cert, subject)
|
||||||
|
os.remove(f"{cert}.csr")
|
||||||
|
|
||||||
|
|
||||||
|
# create trusted root CA
|
||||||
|
genrsa("trusted-root")
|
||||||
|
do("openssl req -x509 -new -nodes -batch "
|
||||||
|
"-key trusted-root.key "
|
||||||
|
"-days 7300 "
|
||||||
|
"-out trusted-root.crt"
|
||||||
|
)
|
||||||
|
h = do("openssl x509 -hash -noout -in trusted-root.crt").decode("ascii").strip()
|
||||||
|
shutil.copyfile("trusted-root.crt", "{}.0".format(h))
|
||||||
|
|
||||||
|
# create trusted leaf cert.
|
||||||
|
mkcert("trusted-leaf", f'DNS:{SUBJECT}' )
|
||||||
|
|
||||||
|
# create self-signed cert
|
||||||
|
genrsa("self-signed")
|
||||||
|
do("openssl req -x509 -new -nodes -batch "
|
||||||
|
"-key self-signed.key "
|
||||||
|
f'-addext "subjectAltName = DNS:{SUBJECT}" '
|
||||||
|
"-days 7300 "
|
||||||
|
"-out self-signed.crt"
|
||||||
|
)
|
@ -0,0 +1,5 @@
|
|||||||
|
|
||||||
|
authorityKeyIdentifier=keyid,issuer
|
||||||
|
basicConstraints=CA:FALSE
|
||||||
|
keyUsage = digitalSignature, keyEncipherment
|
||||||
|
subjectAltName = DNS:example.mitmproxy.org
|
22
test/mitmproxy/data/verificationcerts/self-signed.crt
Normal file
22
test/mitmproxy/data/verificationcerts/self-signed.crt
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDjTCCAnWgAwIBAgIUaT2PYFnhh/rd5w6CdEPpM/aX7ngwDQYJKoZIhvcNAQEL
|
||||||
|
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
|
||||||
|
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTExMjIyMjQxNDdaFw0zOTEx
|
||||||
|
MTcyMjQxNDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
|
||||||
|
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
|
||||||
|
AQUAA4IBDwAwggEKAoIBAQDJQZUdzP2zhaNnPJr3F4tcr7Mv2JaWql1mtgRDizCi
|
||||||
|
TC4UCjeG/JPxqXvnUl9U6QgeGMVnFLIYrZIcCQl/qrVHqkgFPc6Vw7nP7MCYUY+P
|
||||||
|
div2K0S1vh+NgoBkMfgm2zMyeRjwL2P3qFRljePub3oLfEGMnw05MZHISuhxv9Nn
|
||||||
|
8lT2+V2sXK3XyEe1vDa8hoZ8SlRYSDqlYr/+HGygIjNpHjUcgQNrYeVYc2Ty31Iu
|
||||||
|
dipYRr9ivZxSLEDjxi5OKef+lCiJ3xdmykqJmmW0GQPhi6VljCQFK8LLRr+hlrdG
|
||||||
|
sP0SC4H3iMEpdcyLrm+vSgYxdIoSfhunfkUSuRP/PHgFAgMBAAGjdTBzMB0GA1Ud
|
||||||
|
DgQWBBSTLOIeV9/IwnAL12yoDrlS7bQudDAfBgNVHSMEGDAWgBSTLOIeV9/IwnAL
|
||||||
|
12yoDrlS7bQudDAPBgNVHRMBAf8EBTADAQH/MCAGA1UdEQQZMBeCFWV4YW1wbGUu
|
||||||
|
bWl0bXByb3h5Lm9yZzANBgkqhkiG9w0BAQsFAAOCAQEArCOkLh0OBhEJz9FNWvs5
|
||||||
|
yvWjk4d+I/pNnQmVbWg3TvoxbFp/3CJW3tAkZ6mwI6DqLEcIeekh8THCFhk3XbFd
|
||||||
|
GHsCA4mX2qQWmaLrWEqV+Z2Ai/GffJ0+fh7RLHSvPHK4I5/4Phv0yjuUqu+mFv9B
|
||||||
|
BT4IImQp1Tknzsew3PhtpV2zscCnnjokFhKMtPQiULbuS9BzikVtX4dGN9yWUSe2
|
||||||
|
nxKLTfFlr3K8a3CypLPXMQM8iZ76SY4ZSFBHuiRM9cq9MNmkpwRN1zSD4IkTczAR
|
||||||
|
sxkKnKvgu0xRkJHzxfLEy/v1NDFE5K+tF6kNYtyswo4SmFniguZNpXQD/7fQlyoO
|
||||||
|
RA==
|
||||||
|
-----END CERTIFICATE-----
|
27
test/mitmproxy/data/verificationcerts/self-signed.key
Normal file
27
test/mitmproxy/data/verificationcerts/self-signed.key
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEpAIBAAKCAQEAyUGVHcz9s4WjZzya9xeLXK+zL9iWlqpdZrYEQ4swokwuFAo3
|
||||||
|
hvyT8al751JfVOkIHhjFZxSyGK2SHAkJf6q1R6pIBT3OlcO5z+zAmFGPj3Yr9itE
|
||||||
|
tb4fjYKAZDH4JtszMnkY8C9j96hUZY3j7m96C3xBjJ8NOTGRyErocb/TZ/JU9vld
|
||||||
|
rFyt18hHtbw2vIaGfEpUWEg6pWK//hxsoCIzaR41HIEDa2HlWHNk8t9SLnYqWEa/
|
||||||
|
Yr2cUixA48YuTinn/pQoid8XZspKiZpltBkD4YulZYwkBSvCy0a/oZa3RrD9EguB
|
||||||
|
94jBKXXMi65vr0oGMXSKEn4bp35FErkT/zx4BQIDAQABAoIBAQCanNOeLVnKjSRX
|
||||||
|
r2ut4FykPCcA3vfxj7hpq/PioBAg3z2XD7JQ9cICqh4SPGoYpV4jIQymgHPCGbZh
|
||||||
|
619swQy7ncnunOkUjWU2o7/iROZxZGupltwWc5Vx9YwFbY4i68uNPxM1knLOVHdh
|
||||||
|
/XvaNbIhGLiS+64A/l/s6/9fQ+t5sojGRg1FYpiEam1U9BEGBs/gSKWj7uThR1Xi
|
||||||
|
feU0LFKRVuOBWtbQuoR9EnookQkyVnmtMuR0fYxuC0qFDV1UQKn0NI6PW7oldpbB
|
||||||
|
oLJn+mREK5yoWIgyO6uDT2X3OE9c3W1chrFDUSnIqeHpDFsC2KTZtOf1F7ZuP/hW
|
||||||
|
JXNedSOBAoGBAPEcBsTeinErezB/ZDkQoFT8gjHFfE7LFUZHuy7vQjfyG9kSEJn7
|
||||||
|
iR7AMxGSb4WD2Clz87Cdm54c6hq/9kBShuePxAa502kGAcumsVg4xAWFY5oSatyd
|
||||||
|
Y6Yyvj+k11H1top2sd3fd523UmOUHs/HmlQYN86oqTX0Rd+qMLSoMsN5AoGBANWv
|
||||||
|
eFMQ+r3Tw1mPNzH93Sx66xEUVFO9mp+X+ZkKatbY5AfWoAsrn/bcJXEynkjBJ2O9
|
||||||
|
BxXPbycCT9/jn+s1ba7z3+vGG9zoB7TX2VnpA1/J158veHzHnfteNUS/mUS1M8AG
|
||||||
|
fijk0nMklutXhtFaEkxK73psAm/91HCaozYigEntAoGAVBRX7/NDB/AHx4PFKXk4
|
||||||
|
0Co2JLEfhkKfqqB9EALzbpsJRwtbqrbivEx+ApS0OzUc/menBWIQ0HR41tc2QnwE
|
||||||
|
+19RFp9ar/ceTSxWD9PL17kKYMInbcOc6mormfob9ELhYyu9Hwg8qE0zd/JBRGfw
|
||||||
|
036Wh4SdbWk/rJ2m2nkFKtECgYEAuh1H5smeKuIbfpDPmTosfoZc4RZc0EcPOrvK
|
||||||
|
iLJbFd/41J7p7HDFteROtEZLOMELRsKoPiXbARXxbea7LcjuTHha6uc083Yg6DEs
|
||||||
|
PTRHXRHXPO3CuqO+hOar7MIYg5Bzj2fYUFPkvKb8z+P/J66Uy2BlLrKOeO6TLrRx
|
||||||
|
PUBVjo0CgYAoA9aOVArgskbcDlCNJh0hlA+GtAOJMCR7Sk+JsXVY6XzjrPc2PAq0
|
||||||
|
mE2aiN04nHNzQH8LYfwSa361I480FDc8ZmCIKSc58b5RU9+PWko93qaxPc8fRjyJ
|
||||||
|
GzpvHWJpxWkdocv6iywysyh2jsE+KlE7YBryLnp8hsUs+M8m7B3VRA==
|
||||||
|
-----END RSA PRIVATE KEY-----
|
21
test/mitmproxy/data/verificationcerts/trusted-leaf.crt
Normal file
21
test/mitmproxy/data/verificationcerts/trusted-leaf.crt
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDdTCCAl2gAwIBAgIUPoeu9ozif3OWwzCVA7tZWtlzLz8wDQYJKoZIhvcNAQEL
|
||||||
|
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
|
||||||
|
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTExMjIyMjQxNDdaFw0zOTEx
|
||||||
|
MTcyMjQxNDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
|
||||||
|
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
|
||||||
|
AQUAA4IBDwAwggEKAoIBAQCZQxoIZMee+qy7FVOFG11Rv7b37/fX5M3SG/Z5ZVoX
|
||||||
|
Nvdz339ULaJTSaoTX2l/zQrMzu420TyfEXLkr/wZUaV9GfZli1gYn6Mu0TYOSY9h
|
||||||
|
saA98aHK5eAzD4PGR+HgumqN+SFXbcFlw6kjbWuMscPZw7jNF2WHsmCimrJBKKbU
|
||||||
|
cg9rHeUoLOw0357Mrg7gDwTBHefbqWlGA/bqOwY3N7F5jdS/2IAZ0WBndeKC/7bd
|
||||||
|
LqLNLSYG6H7VBHS9wmQ+YdzgIIPNOz+ghRJX/hV15vZbyW0ZzRIg3xTNty6mxpFk
|
||||||
|
kOu5Js1bu9TIpTWjdSyIYGBeBLp5z6Zs8c2oZu7cqGihAgMBAAGjXTBbMB8GA1Ud
|
||||||
|
IwQYMBaAFNCP2qqwSi+qkGYVmVZVIlEFjF5FMAkGA1UdEwQCMAAwCwYDVR0PBAQD
|
||||||
|
AgWgMCAGA1UdEQQZMBeCFWV4YW1wbGUubWl0bXByb3h5Lm9yZzANBgkqhkiG9w0B
|
||||||
|
AQsFAAOCAQEAOGGDdHBuqPhQXubWB3BNqILUSQn02ghs2mBG2unuXYukcQOTvW3e
|
||||||
|
eVTRNgPd/Ph9IcPJBcncKKjk+uW2dkbbM3BMQ1IZJoUuUjheWeV7fKrJML7l6gzi
|
||||||
|
3EHJ2Tx4wDOfx1M0FQK+aNZzbNKdzgFuhiPHHc32h7/srNltuYzzpB2iNj8MIi9Y
|
||||||
|
rJrAaHLQS/5GXyMfBX6Cz6sbneZRogMEygZwtl90+6HT6FoO8so8UcshTS0Jx4Qp
|
||||||
|
GtX3ktpjlJHvH8HZ3i15l+MhrEA17bEGO02yeg5T0ScZnMJ+0MoLoUPpwplYXN1U
|
||||||
|
/U5iwEc4J4dQtiyEbgbWIfKwzbyiLtI2RQ==
|
||||||
|
-----END CERTIFICATE-----
|
27
test/mitmproxy/data/verificationcerts/trusted-leaf.key
Normal file
27
test/mitmproxy/data/verificationcerts/trusted-leaf.key
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEowIBAAKCAQEAmUMaCGTHnvqsuxVThRtdUb+29+/31+TN0hv2eWVaFzb3c99/
|
||||||
|
VC2iU0mqE19pf80KzM7uNtE8nxFy5K/8GVGlfRn2ZYtYGJ+jLtE2DkmPYbGgPfGh
|
||||||
|
yuXgMw+Dxkfh4LpqjfkhV23BZcOpI21rjLHD2cO4zRdlh7JgopqyQSim1HIPax3l
|
||||||
|
KCzsNN+ezK4O4A8EwR3n26lpRgP26jsGNzexeY3Uv9iAGdFgZ3Xigv+23S6izS0m
|
||||||
|
Buh+1QR0vcJkPmHc4CCDzTs/oIUSV/4Vdeb2W8ltGc0SIN8UzbcupsaRZJDruSbN
|
||||||
|
W7vUyKU1o3UsiGBgXgS6ec+mbPHNqGbu3KhooQIDAQABAoIBAA2kpYqdvg9u7TVy
|
||||||
|
Po8Y0oPWdyk3GW8ElTXg+13vIcfzQq/z81fBADQ92IAE/FU+IXn96cLDeYwHd5zX
|
||||||
|
9a8jT4IFb6O2dc8rVtFyGkfHUJY3w7X/7pErSXwCI47hE0B4F8gvp0IrKQ4wDrxy
|
||||||
|
nyJVKMQX4jmPnaAoxuVys++M+NzsbyLQ02KLtiB7YdIEZBiLLronm3vKfzzRJ506
|
||||||
|
IxDtwknSvFTZ5KzJEHj1JlAs4DYSrV4wzoh75/xEYjbYDOc5vSFxn+qIlDzr7RdH
|
||||||
|
YWKl66fRuI5n+YZCd/WtyC+lHPtaNxZZhmX6h+L0Lxz6e3ePIlh1K17pNvEgI5yp
|
||||||
|
NOFCfakCgYEAxuGlm6GaRnYI7UCaNR8A4Ma9j99dV4lPkZRNreNxRf1hqmy02BYk
|
||||||
|
8XXl+u+xI+mcoswUpqj1qvPOfCI7UQD4ZMEjlpjJO0BpQAioyN1rmOz2sshsZHtI
|
||||||
|
coUtJjNhbJHyW62yuZKUjoGmyGOfyzyXmHYU2B06O5E7R90+vDO2K28CgYEAxUdj
|
||||||
|
IL6EOZ1sUD8DhaM/fpOuSqwVhjoCv3Mpn85Xb6DP1WPN2LEwdYZVk0Quhi81hidD
|
||||||
|
pPXBqSHf8Z7Z2GI+XNz1UcXBq6up/pOXREHN2OyzSvFuX0P/f8liXuu/KNbd/q/k
|
||||||
|
NBqOIwUU+n6DTbkyRjZqwfljOW8EVapMYDAJ5O8CgYBOpuJVoB1hDEEPguL5ax9v
|
||||||
|
xWkmQtGpUrZS/nGR+UbMxR4gxgjnBCrsCxI+oRhO+Y5mm4r3Ng6h4vWgBfGrYVTa
|
||||||
|
k789SYMbmaeGGWaWuWpZ+iy+G6EyQ8cs8xod52f6BeXw98qctSlnCkMpMKz7NSVG
|
||||||
|
uDwaE8T51b+59fdfepvqpQKBgClFC9m3wVWENzp6VDRKuGe0YUvBwCb6T8TZRKXn
|
||||||
|
tqblj1TmshNYzfhoB9Ls+oabrajI4f/KYZ8ONRkI0C3SL5Whq7hVlHRjTwawvX5L
|
||||||
|
/dIZglB1PU+0m+iRqoCM9MqIWJyFE0pLG9z7nS3h9Xn2+ityCtdVYoqLTO7W129v
|
||||||
|
3UIFAoGBALxSL2q/Qn2N2mA1iuNzZ/SIMTqgYWyxwCnIQnyJZm/VtpnWd/o2jKdT
|
||||||
|
affYTSuaIQwR4O4zg5DBFhVq9YYxmqiTwi9PqYGWCshssMNH4KARFPunoXOltNoa
|
||||||
|
E5SiVQrzxkvw7Jh/6uhFf1xTdZoHTnioOGTKV2X6Qu61OG29Zb81
|
||||||
|
-----END RSA PRIVATE KEY-----
|
21
test/mitmproxy/data/verificationcerts/trusted-root.crt
Normal file
21
test/mitmproxy/data/verificationcerts/trusted-root.crt
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDazCCAlOgAwIBAgIUT0IDh7/Cho/ZPuVDs/jg7g/6+lswDQYJKoZIhvcNAQEL
|
||||||
|
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
|
||||||
|
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTExMjIyMjQxNDdaFw0zOTEx
|
||||||
|
MTcyMjQxNDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
|
||||||
|
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
|
||||||
|
AQUAA4IBDwAwggEKAoIBAQCvx49WJyThnCZ/qQuotMpe1ZvokAfDmpS399815yn7
|
||||||
|
kf2zsbuvb/nFGY6Y+tiaLOQkRqB7pV5fuolBng9Z5NDhu8Qw2WXAFDXQxpSsJVLx
|
||||||
|
lKyzt98RU8qoOuL9SipX2DjRMkBsm0FInCWeACWDWkn0DIPfW71FddtOIN2Q/kBE
|
||||||
|
LdpP9mZ4/RfJw6CpZXNvbwnTqwqOvpzpkaQDmbKFJwGFsKYyOctwEcE8qtR0YKs3
|
||||||
|
5dCS/FTs6kc41V3ioaMBj2HaXwq+6R0I/939wrtwDKxFpH5NwES8T4oeSvnuszlk
|
||||||
|
o7Ot0IK4uCz8R+FCLZuRU9U+yP0KOdMRTZ9OBVMoLzxZAgMBAAGjUzBRMB0GA1Ud
|
||||||
|
DgQWBBTQj9qqsEovqpBmFZlWVSJRBYxeRTAfBgNVHSMEGDAWgBTQj9qqsEovqpBm
|
||||||
|
FZlWVSJRBYxeRTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9
|
||||||
|
0R1JZJ/075J8ZJFvuYZURjD9D3NZdcp80X503UBXmNgkePVKOTlVlxStuuF87EY4
|
||||||
|
BkUoqR+QE9xxr9uAyTX1xGMDEDCso0ylPmsT+p/uXdWzijNNQywg+X7/UprF20o+
|
||||||
|
TPJNah+fQgcunvb3bjviOsIgSBFE8N9sNZLNTn1vc5mvKfzrT0svj5y31HwbOHmZ
|
||||||
|
85nyupjrrXzgDZBCIQLQpepfkjjOxm82oD3eszzNWe1x+ukvqKFWVQtUbP3hlclT
|
||||||
|
bgZuy/1NG4oZXgqGysNn0zxx4xixxbJhKb140TtH5xwAC08X3m5sTkcmDVjqJKWG
|
||||||
|
jemUYIi4o/YRxDEMChXT
|
||||||
|
-----END CERTIFICATE-----
|
27
test/mitmproxy/data/verificationcerts/trusted-root.key
Normal file
27
test/mitmproxy/data/verificationcerts/trusted-root.key
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEowIBAAKCAQEAr8ePVick4Zwmf6kLqLTKXtWb6JAHw5qUt/ffNecp+5H9s7G7
|
||||||
|
r2/5xRmOmPrYmizkJEage6VeX7qJQZ4PWeTQ4bvEMNllwBQ10MaUrCVS8ZSss7ff
|
||||||
|
EVPKqDri/UoqV9g40TJAbJtBSJwlngAlg1pJ9AyD31u9RXXbTiDdkP5ARC3aT/Zm
|
||||||
|
eP0XycOgqWVzb28J06sKjr6c6ZGkA5myhScBhbCmMjnLcBHBPKrUdGCrN+XQkvxU
|
||||||
|
7OpHONVd4qGjAY9h2l8KvukdCP/d/cK7cAysRaR+TcBEvE+KHkr57rM5ZKOzrdCC
|
||||||
|
uLgs/EfhQi2bkVPVPsj9CjnTEU2fTgVTKC88WQIDAQABAoIBAQCPTS15mufiVZ69
|
||||||
|
LF8o5lqk/Zfg/KqXuInNgPIjy5TaVqZxvE+6Mpt5J+CsrrOu3TIQsNNcefB6MmR7
|
||||||
|
bhQtwPDZVm4XNORStyc4UOwbe0InWIGC8j+UrK7mfztWKwRiIRAQ29rRr7CFNWcl
|
||||||
|
bBEpCI6Juzo2+V9QJUjoZLq83coeybjswv+Iq4+j5u3KW8Ws1EAAj88SBHA2UAF1
|
||||||
|
oIxoEv4jpyAPnTx0DEe3kJKwsLro7pQ9f2u2GY9ICfimcE7qEDnt+TIhDdi0nVuR
|
||||||
|
iY+Xvxi1HO4QHR3SJR+N6HAFOa9t0dhFLlrVv/0f9yZZjKPO+RGI5znX/ITqT3CE
|
||||||
|
VCBzy69RAoGBANbZpJt4T8NMiFj3V6ocXoAJxCzAzU3pO8IpDDn8t6tfgU+LNfEU
|
||||||
|
hv8pSJ70lsr/Qv/WjeVdEN9cQuBuOEeMPXQVfkqKA8J3pcpr8zY2nwxxw1A3H19Z
|
||||||
|
oaYP7YBx7RO5QVzAz+C5msSZSwGP5+5gTsZNRi0lpQBUst9tpooKGjs7AoGBANFy
|
||||||
|
PM4ITzk83CHMV5NGBcNSMSfQkhm50qJ7sMizhd13rC/iuuNDfDZWWSH2hkxspTSc
|
||||||
|
D8nTjnqxsSIWqojGQxgnVne/maitMK1TCWCIzQLgXjQjzKlwFNK8Fesw8foDAUD8
|
||||||
|
Q+LajUQMVkqLGgxaOPAxFLWjp6POCziapC6QO+V7AoGATTAKBFT4Cwke3x+Vnibt
|
||||||
|
CID5ur5VxAzsDDhlDRwu/GGmemZgLcmbKmaxkXH8DtggQPvbJLEH08c4u5q9m27V
|
||||||
|
0TO7mJn2+dG0fYHE8hAzmevxKIt1OPNhsOB+Cixj6TcgNWuMA4eLA+Cy4s/Jmol9
|
||||||
|
I581fBjPK8xCKyUgtO0mOWsCgYAXpWUWAbwoAyX7Lt3IQ8SMy6+/Bf4op2EPdRV9
|
||||||
|
Yz8+xK8M7PUaiVjxrYf8nJ+G61EvglsJ9zeDxKHx7kssi+2xQWeyt0/6yirPtqs9
|
||||||
|
WdSDeZ9JFa2ah4viStfSqMD47/PpSVHEv9XpE9d+LPww3tLE01W6OBLKHI4JwvO8
|
||||||
|
Sg5pFwKBgEA0VO9UFijjm6fIARM6Fhdpq0PZDiuPodWrAD3z0C5V6mR4ecgkUIcN
|
||||||
|
sBvQErzxA9dcUv5D3dPtqP7RIk5+lGfNn0Dqm8Ynr0V018Cojxi6hmmCoXvJNR68
|
||||||
|
y81DA04Kbo4mjScGxxawN7IfvXRQ5RNPXAuAcw7bEn1RzRlfHiFU
|
||||||
|
-----END RSA PRIVATE KEY-----
|
1
test/mitmproxy/data/verificationcerts/trusted-root.srl
Normal file
1
test/mitmproxy/data/verificationcerts/trusted-root.srl
Normal file
@ -0,0 +1 @@
|
|||||||
|
3E87AEF68CE27F7396C3309503BB595AD9732F3F
|
@ -69,16 +69,20 @@ class SSLTest:
|
|||||||
"""Helper container for Python's builtin SSL object."""
|
"""Helper container for Python's builtin SSL object."""
|
||||||
|
|
||||||
def __init__(self, server_side: bool = False, alpn: typing.Optional[typing.List[str]] = None,
|
def __init__(self, server_side: bool = False, alpn: typing.Optional[typing.List[str]] = None,
|
||||||
sni: typing.Optional[bytes] = b"example.com"):
|
sni: typing.Optional[bytes] = b"example.mitmproxy.org"):
|
||||||
self.inc = ssl.MemoryBIO()
|
self.inc = ssl.MemoryBIO()
|
||||||
self.out = ssl.MemoryBIO()
|
self.out = ssl.MemoryBIO()
|
||||||
self.ctx = ssl.SSLContext()
|
self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT)
|
||||||
if alpn:
|
if alpn:
|
||||||
self.ctx.set_alpn_protocols(alpn)
|
self.ctx.set_alpn_protocols(alpn)
|
||||||
if server_side:
|
if server_side:
|
||||||
self.ctx.load_cert_chain(
|
self.ctx.load_cert_chain(
|
||||||
certfile=tlsdata.path("../../net/data/verificationcerts/trusted-root.crt"),
|
certfile=tlsdata.path("../../data/verificationcerts/trusted-leaf.crt"),
|
||||||
keyfile=tlsdata.path("../../net/data/verificationcerts/trusted-root.key"),
|
keyfile=tlsdata.path("../../data/verificationcerts/trusted-leaf.key"),
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
self.ctx.load_verify_locations(
|
||||||
|
cafile=tlsdata.path("../../data/verificationcerts/trusted-root.crt"),
|
||||||
)
|
)
|
||||||
self.obj = self.ctx.wrap_bio(
|
self.obj = self.ctx.wrap_bio(
|
||||||
self.inc,
|
self.inc,
|
||||||
@ -106,7 +110,9 @@ class TlsEchoLayer(tutils.EchoLayer):
|
|||||||
def _handle_event(self, event: events.Event) -> commands.TCommandGenerator:
|
def _handle_event(self, event: events.Event) -> commands.TCommandGenerator:
|
||||||
if isinstance(event, events.DataReceived) and event.data == b"establish-server-tls":
|
if isinstance(event, events.DataReceived) and event.data == b"establish-server-tls":
|
||||||
# noinspection PyTypeChecker
|
# noinspection PyTypeChecker
|
||||||
self.err = yield tls.EstablishServerTLS(self.context.server)
|
err = yield tls.EstablishServerTLS(self.context.server)
|
||||||
|
if err:
|
||||||
|
yield commands.SendData(event.connection, f"server-tls-failed: {err}".encode())
|
||||||
else:
|
else:
|
||||||
yield from super()._handle_event(event)
|
yield from super()._handle_event(event)
|
||||||
|
|
||||||
@ -121,7 +127,7 @@ def interact(playbook: tutils.Playbook, conn: context.Connection, tssl: SSLTest)
|
|||||||
tssl.inc.write(data())
|
tssl.inc.write(data())
|
||||||
|
|
||||||
|
|
||||||
def reply_tls_start(alpn: typing.Optional[bytes] = None,*args, **kwargs) -> tutils.reply:
|
def reply_tls_start(alpn: typing.Optional[bytes] = None, *args, **kwargs) -> tutils.reply:
|
||||||
"""
|
"""
|
||||||
Helper function to simplify the syntax for tls_start hooks.
|
Helper function to simplify the syntax for tls_start hooks.
|
||||||
"""
|
"""
|
||||||
@ -132,10 +138,14 @@ def reply_tls_start(alpn: typing.Optional[bytes] = None,*args, **kwargs) -> tuti
|
|||||||
ssl_context = SSL.Context(SSL.SSLv23_METHOD)
|
ssl_context = SSL.Context(SSL.SSLv23_METHOD)
|
||||||
if tls_start.conn == tls_start.context.client:
|
if tls_start.conn == tls_start.context.client:
|
||||||
ssl_context.use_privatekey_file(
|
ssl_context.use_privatekey_file(
|
||||||
tlsdata.path("../../net/data/verificationcerts/trusted-leaf.key")
|
tlsdata.path("../../data/verificationcerts/trusted-leaf.key")
|
||||||
)
|
)
|
||||||
ssl_context.use_certificate_chain_file(
|
ssl_context.use_certificate_chain_file(
|
||||||
tlsdata.path("../../net/data/verificationcerts/trusted-leaf.crt")
|
tlsdata.path("../../data/verificationcerts/trusted-leaf.crt")
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
ssl_context.load_verify_locations(
|
||||||
|
cafile=tlsdata.path("../../data/verificationcerts/trusted-root.crt")
|
||||||
)
|
)
|
||||||
if alpn is not None:
|
if alpn is not None:
|
||||||
if tls_start.conn == tls_start.context.client:
|
if tls_start.conn == tls_start.context.client:
|
||||||
@ -145,6 +155,26 @@ def reply_tls_start(alpn: typing.Optional[bytes] = None,*args, **kwargs) -> tuti
|
|||||||
|
|
||||||
tls_start.ssl_conn = SSL.Connection(ssl_context)
|
tls_start.ssl_conn = SSL.Connection(ssl_context)
|
||||||
|
|
||||||
|
if tls_start.conn != tls_start.context.client:
|
||||||
|
# Set SNI
|
||||||
|
tls_start.ssl_conn.set_tlsext_host_name(tls_start.conn.sni)
|
||||||
|
|
||||||
|
# Manually enable hostname verification.
|
||||||
|
# Recent OpenSSL versions provide slightly nicer ways to do this, but they are not exposed in
|
||||||
|
# cryptography and likely a PITA to add.
|
||||||
|
# https://wiki.openssl.org/index.php/Hostname_validation
|
||||||
|
param = SSL._lib.SSL_get0_param(tls_start.ssl_conn._ssl)
|
||||||
|
# Common Name matching is disabled in both Chrome and Firefox, so we should disable it, too.
|
||||||
|
# https://www.chromestatus.com/feature/4981025180483584
|
||||||
|
SSL._lib.X509_VERIFY_PARAM_set_hostflags(
|
||||||
|
param,
|
||||||
|
SSL._lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS | SSL._lib.X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
|
||||||
|
)
|
||||||
|
SSL._openssl_assert(
|
||||||
|
SSL._lib.X509_VERIFY_PARAM_set1_host(param, tls_start.conn.sni, 0) == 1
|
||||||
|
)
|
||||||
|
SSL._lib.SSL_set_verify(tls_start.ssl_conn._ssl, SSL.VERIFY_PEER, SSL._ffi.NULL)
|
||||||
|
|
||||||
return tutils.reply(*args, side_effect=make_conn, **kwargs)
|
return tutils.reply(*args, side_effect=make_conn, **kwargs)
|
||||||
|
|
||||||
|
|
||||||
@ -167,7 +197,8 @@ class TestServerTLS:
|
|||||||
layer = tls.ServerTLSLayer(tctx)
|
layer = tls.ServerTLSLayer(tctx)
|
||||||
playbook = tutils.Playbook(layer)
|
playbook = tutils.Playbook(layer)
|
||||||
tctx.server.connected = True
|
tctx.server.connected = True
|
||||||
tctx.server.address = ("example.com", 443)
|
tctx.server.address = ("example.mitmproxy.org", 443)
|
||||||
|
tctx.server.sni = b"example.mitmproxy.org"
|
||||||
|
|
||||||
tssl = SSLTest(server_side=True)
|
tssl = SSLTest(server_side=True)
|
||||||
|
|
||||||
@ -202,6 +233,41 @@ class TestServerTLS:
|
|||||||
# Echo
|
# Echo
|
||||||
_test_echo(playbook, tssl, tctx.server)
|
_test_echo(playbook, tssl, tctx.server)
|
||||||
|
|
||||||
|
def test_untrusted_cert(self, tctx):
|
||||||
|
"""If the certificate is not trusted, we should fail."""
|
||||||
|
layer = tls.ServerTLSLayer(tctx)
|
||||||
|
playbook = tutils.Playbook(layer)
|
||||||
|
tctx.server.connected = True
|
||||||
|
tctx.server.address = ("wrong.host.mitmproxy.org", 443)
|
||||||
|
tctx.server.sni = b"wrong.host.mitmproxy.org"
|
||||||
|
|
||||||
|
tssl = SSLTest(server_side=True)
|
||||||
|
|
||||||
|
# send ClientHello
|
||||||
|
data = tutils.Placeholder()
|
||||||
|
assert (
|
||||||
|
playbook
|
||||||
|
>> events.DataReceived(tctx.client, b"establish-server-tls")
|
||||||
|
<< commands.Hook("next_layer", tutils.Placeholder())
|
||||||
|
>> tutils.reply_next_layer(TlsEchoLayer)
|
||||||
|
<< commands.Hook("tls_start", tutils.Placeholder())
|
||||||
|
>> reply_tls_start()
|
||||||
|
<< commands.SendData(tctx.server, data)
|
||||||
|
)
|
||||||
|
|
||||||
|
# receive ServerHello, finish client handshake
|
||||||
|
tssl.inc.write(data())
|
||||||
|
with pytest.raises(ssl.SSLWantReadError):
|
||||||
|
tssl.obj.do_handshake()
|
||||||
|
|
||||||
|
assert (
|
||||||
|
playbook
|
||||||
|
>> events.DataReceived(tctx.server, tssl.out.read())
|
||||||
|
<< commands.SendData(tctx.client,
|
||||||
|
b"server-tls-failed: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")
|
||||||
|
)
|
||||||
|
assert not tctx.server.tls_established
|
||||||
|
|
||||||
|
|
||||||
def _make_client_tls_layer(tctx: context.Context) -> typing.Tuple[tutils.Playbook, tls.ClientTLSLayer]:
|
def _make_client_tls_layer(tctx: context.Context) -> typing.Tuple[tutils.Playbook, tls.ClientTLSLayer]:
|
||||||
# This is a bit contrived as the client layer expects a server layer as parent.
|
# This is a bit contrived as the client layer expects a server layer as parent.
|
||||||
@ -214,15 +280,13 @@ def _make_client_tls_layer(tctx: context.Context) -> typing.Tuple[tutils.Playboo
|
|||||||
return playbook, client_layer
|
return playbook, client_layer
|
||||||
|
|
||||||
|
|
||||||
def _test_tls_client_server(
|
def _test_tls_client_server(tctx: context.Context, **kwargs) -> typing.Tuple[
|
||||||
tctx: context.Context,
|
tutils.Playbook, tls.ClientTLSLayer, SSLTest]:
|
||||||
sni: typing.Optional[bytes] = b"example.com",
|
|
||||||
alpn: typing.Optional[typing.List[str]] = None
|
|
||||||
) -> typing.Tuple[tutils.Playbook, tls.ClientTLSLayer, SSLTest]:
|
|
||||||
playbook, client_layer = _make_client_tls_layer(tctx)
|
playbook, client_layer = _make_client_tls_layer(tctx)
|
||||||
tctx.server.tls = True
|
tctx.server.tls = True
|
||||||
tctx.server.address = ("example.com", 443)
|
tctx.server.address = ("example.mitmproxy.org", 443)
|
||||||
tssl_client = SSLTest(sni=sni, alpn=alpn)
|
tctx.server.sni = b"example.mitmproxy.org"
|
||||||
|
tssl_client = SSLTest(**kwargs)
|
||||||
|
|
||||||
# Send ClientHello
|
# Send ClientHello
|
||||||
with pytest.raises(ssl.SSLWantReadError):
|
with pytest.raises(ssl.SSLWantReadError):
|
||||||
@ -296,7 +360,7 @@ class TestClientTLS:
|
|||||||
to establish TLS with the client.
|
to establish TLS with the client.
|
||||||
"""
|
"""
|
||||||
tssl_server = SSLTest(server_side=True, alpn=["quux"])
|
tssl_server = SSLTest(server_side=True, alpn=["quux"])
|
||||||
playbook, client_layer, tssl_client = _test_tls_client_server(tctx, sni=None, alpn=["quux"])
|
playbook, client_layer, tssl_client = _test_tls_client_server(tctx, alpn=["quux"])
|
||||||
|
|
||||||
# We should now get instructed to open a server connection.
|
# We should now get instructed to open a server connection.
|
||||||
data = tutils.Placeholder()
|
data = tutils.Placeholder()
|
||||||
|
Loading…
Reference in New Issue
Block a user