mirror of
https://github.com/Grasscutters/mitmproxy.git
synced 2024-11-27 02:24:18 +00:00
Replace CA generation with PyOpenSSL version.
We no longer call an external command.
This commit is contained in:
Aldo Cortesi
parent
d57a1d6035
commit
4e13ab1d05
@ -9,81 +9,57 @@ CERT_EXPIRY = str(365 * 3)
|
|||||||
|
|
||||||
|
|
||||||
def dummy_ca(path):
|
def dummy_ca(path):
|
||||||
"""
|
|
||||||
Creates a dummy CA, and writes it to path.
|
|
||||||
|
|
||||||
This function also creates the necessary directories if they don't exist.
|
|
||||||
|
|
||||||
Returns True if operation succeeded, False if not.
|
|
||||||
"""
|
|
||||||
dirname = os.path.dirname(path)
|
dirname = os.path.dirname(path)
|
||||||
if not os.path.exists(dirname):
|
if not os.path.exists(dirname):
|
||||||
os.makedirs(dirname)
|
os.makedirs(dirname)
|
||||||
|
|
||||||
if path.endswith(".pem"):
|
if path.endswith(".pem"):
|
||||||
basename, _ = os.path.splitext(path)
|
basename, _ = os.path.splitext(path)
|
||||||
else:
|
else:
|
||||||
basename = path
|
basename = path
|
||||||
|
|
||||||
cmd = [
|
key = OpenSSL.crypto.PKey()
|
||||||
"openssl",
|
key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)
|
||||||
"req",
|
ca = OpenSSL.crypto.X509()
|
||||||
"-new",
|
ca.set_version(3)
|
||||||
"-x509",
|
ca.set_serial_number(1)
|
||||||
"-config", utils.pkg_data.path("resources/ca.cnf"),
|
ca.get_subject().CN = "mitmproxy"
|
||||||
"-nodes",
|
ca.get_subject().OU = "mitmproxy"
|
||||||
"-days", CERT_EXPIRY,
|
ca.gmtime_adj_notBefore(0)
|
||||||
"-out", path,
|
ca.gmtime_adj_notAfter(24 * 60 * 60 * 720)
|
||||||
"-newkey", "rsa:1024",
|
ca.set_issuer(ca.get_subject())
|
||||||
"-keyout", path,
|
ca.set_pubkey(key)
|
||||||
]
|
ca.add_extensions([
|
||||||
ret = subprocess.call(
|
OpenSSL.crypto.X509Extension("basicConstraints", True,
|
||||||
cmd,
|
"CA:TRUE"),
|
||||||
stderr=subprocess.PIPE,
|
OpenSSL.crypto.X509Extension("nsCertType", True,
|
||||||
stdout=subprocess.PIPE,
|
"sslCA"),
|
||||||
stdin=subprocess.PIPE
|
OpenSSL.crypto.X509Extension("extendedKeyUsage", True,
|
||||||
)
|
"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"
|
||||||
# begin nocover
|
),
|
||||||
if ret:
|
OpenSSL.crypto.X509Extension("keyUsage", True,
|
||||||
return False
|
"keyCertSign, cRLSign"),
|
||||||
# end nocover
|
OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
|
||||||
|
subject=ca),
|
||||||
|
])
|
||||||
|
ca.sign(key, "sha1")
|
||||||
|
|
||||||
cmd = [
|
# Dump the CA plus private key
|
||||||
"openssl",
|
f = open(path, "w")
|
||||||
"pkcs12",
|
f.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
|
||||||
"-export",
|
f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
|
||||||
"-password", "pass:",
|
f.close()
|
||||||
"-nokeys",
|
|
||||||
"-in", path,
|
|
||||||
"-out", os.path.join(dirname, basename + "-cert.p12")
|
|
||||||
]
|
|
||||||
ret = subprocess.call(
|
|
||||||
cmd,
|
|
||||||
stderr=subprocess.PIPE,
|
|
||||||
stdout=subprocess.PIPE,
|
|
||||||
stdin=subprocess.PIPE
|
|
||||||
)
|
|
||||||
# begin nocover
|
|
||||||
if ret:
|
|
||||||
return False
|
|
||||||
# end nocover
|
|
||||||
cmd = [
|
|
||||||
"openssl",
|
|
||||||
"x509",
|
|
||||||
"-in", path,
|
|
||||||
"-out", os.path.join(dirname, basename + "-cert.pem")
|
|
||||||
]
|
|
||||||
ret = subprocess.call(
|
|
||||||
cmd,
|
|
||||||
stderr=subprocess.PIPE,
|
|
||||||
stdout=subprocess.PIPE,
|
|
||||||
stdin=subprocess.PIPE
|
|
||||||
)
|
|
||||||
# begin nocover
|
|
||||||
if ret:
|
|
||||||
return False
|
|
||||||
# end nocover
|
|
||||||
|
|
||||||
|
# Dump the certificate in PEM format
|
||||||
|
f = open(os.path.join(dirname, basename + "-cert.pem"), "w")
|
||||||
|
f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
|
||||||
|
f.close()
|
||||||
|
|
||||||
|
# Dump the certificate in PKCS12 format for Windows devices
|
||||||
|
f = open(os.path.join(dirname, basename + "-cert.p12"), "w")
|
||||||
|
p12 = OpenSSL.crypto.PKCS12()
|
||||||
|
p12.set_certificate(ca)
|
||||||
|
f.write(p12.export())
|
||||||
|
f.close()
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
@ -182,7 +158,7 @@ def dummy_cert(certdir, ca, commonname, sans):
|
|||||||
return certpath
|
return certpath
|
||||||
|
|
||||||
|
|
||||||
class GeneralName(univ.Choice):
|
class _GeneralName(univ.Choice):
|
||||||
# We are only interested in dNSNames. We use a default handler to ignore
|
# We are only interested in dNSNames. We use a default handler to ignore
|
||||||
# other types.
|
# other types.
|
||||||
componentType = namedtype.NamedTypes(
|
componentType = namedtype.NamedTypes(
|
||||||
@ -193,11 +169,12 @@ class GeneralName(univ.Choice):
|
|||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
class GeneralNames(univ.SequenceOf):
|
class _GeneralNames(univ.SequenceOf):
|
||||||
componentType = GeneralName()
|
componentType = _GeneralName()
|
||||||
sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, 1024)
|
sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, 1024)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class SSLCert:
|
class SSLCert:
|
||||||
def __init__(self, pemtxt):
|
def __init__(self, pemtxt):
|
||||||
"""
|
"""
|
||||||
@ -219,13 +196,12 @@ class SSLCert:
|
|||||||
for i in range(self.cert.get_extension_count()):
|
for i in range(self.cert.get_extension_count()):
|
||||||
ext = self.cert.get_extension(i)
|
ext = self.cert.get_extension(i)
|
||||||
if ext.get_short_name() == "subjectAltName":
|
if ext.get_short_name() == "subjectAltName":
|
||||||
dec = decode(ext.get_data(), asn1Spec=GeneralNames())
|
dec = decode(ext.get_data(), asn1Spec=_GeneralNames())
|
||||||
for i in dec[0]:
|
for i in dec[0]:
|
||||||
altnames.append(i[0])
|
altnames.append(i[0])
|
||||||
return altnames
|
return altnames
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
def get_remote_cert(host, port):
|
def get_remote_cert(host, port):
|
||||||
addr = socket.gethostbyname(host)
|
addr = socket.gethostbyname(host)
|
||||||
s = ssl.get_server_certificate((addr, port))
|
s = ssl.get_server_certificate((addr, port))
|
||||||
|
|||||||
@ -1,33 +0,0 @@
|
|||||||
[ req ]
|
|
||||||
prompt = no
|
|
||||||
distinguished_name = req_distinguished_name
|
|
||||||
x509_extensions = v3_ca
|
|
||||||
req_extensions = v3_ca_req
|
|
||||||
|
|
||||||
[ req_distinguished_name ]
|
|
||||||
organizationName = mitmproxy
|
|
||||||
commonName = mitmproxy
|
|
||||||
|
|
||||||
[ v3_ca ]
|
|
||||||
basicConstraints = critical,CA:true
|
|
||||||
keyUsage = cRLSign, keyCertSign
|
|
||||||
extendedKeyUsage=serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC
|
|
||||||
nsCertType = sslCA
|
|
||||||
|
|
||||||
[ v3_ca_req ]
|
|
||||||
basicConstraints = critical,CA:true
|
|
||||||
keyUsage = cRLSign, keyCertSign
|
|
||||||
extendedKeyUsage=serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC
|
|
||||||
nsCertType = sslCA
|
|
||||||
|
|
||||||
[ v3_cert ]
|
|
||||||
basicConstraints = CA:false
|
|
||||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
||||||
extendedKeyUsage=serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC
|
|
||||||
nsCertType = server
|
|
||||||
|
|
||||||
[ v3_cert_req ]
|
|
||||||
basicConstraints = CA:false
|
|
||||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
||||||
extendedKeyUsage=serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC
|
|
||||||
nsCertType = server
|
|
||||||
Loading…
Reference in New Issue
Block a user