From adc2e8d2b6ca937d719f88148b8b208b1247fffd Mon Sep 17 00:00:00 2001 From: Miro Karvonen Date: Fri, 28 Aug 2020 16:58:20 +0300 Subject: [PATCH 1/3] new commandline argument --cert-passphrase added. For decrypting the private key that is provided with the --certs command --- mitmproxy/certs.py | 10 +++--- mitmproxy/options.py | 4 +++ mitmproxy/proxy/config.py | 5 +-- mitmproxy/tools/cmdline.py | 1 + test/mitmproxy/data/mitmproxy.pem | 51 +++++++++++++++++++++++++++++++ test/mitmproxy/test_certs.py | 6 ++++ test/mitmproxy/test_proxy.py | 11 ++++--- 7 files changed, 77 insertions(+), 11 deletions(-) create mode 100644 test/mitmproxy/data/mitmproxy.pem diff --git a/mitmproxy/certs.py b/mitmproxy/certs.py index bac6c59a3..dde584e95 100644 --- a/mitmproxy/certs.py +++ b/mitmproxy/certs.py @@ -196,7 +196,7 @@ class CertStore: return dh @classmethod - def from_store(cls, path, basename, key_size): + def from_store(cls, path, basename, key_size, passphrase: str = None): ca_path = os.path.join(path, basename + "-ca.pem") if not os.path.exists(ca_path): key, ca = cls.create_store(path, basename, key_size) @@ -208,7 +208,8 @@ class CertStore: raw) key = OpenSSL.crypto.load_privatekey( OpenSSL.crypto.FILETYPE_PEM, - raw) + raw, + None if passphrase is None else bytes(passphrase, "utf-8")) dh_path = os.path.join(path, basename + "-dhparam.pem") dh = cls.load_dhparam(dh_path) return cls(key, ca, ca_path, dh) @@ -280,7 +281,7 @@ class CertStore: return key, ca - def add_cert_file(self, spec: str, path: str) -> None: + def add_cert_file(self, spec: str, path: str, passphrase: str = None) -> None: with open(path, "rb") as f: raw = f.read() cert = Cert( @@ -290,7 +291,8 @@ class CertStore: try: privatekey = OpenSSL.crypto.load_privatekey( OpenSSL.crypto.FILETYPE_PEM, - raw) + raw, + None if passphrase is None else bytes(passphrase, "utf-8")) except Exception: privatekey = self.default_privatekey self.add_cert( diff --git a/mitmproxy/options.py b/mitmproxy/options.py index b92b3f503..e5cab21b4 100644 --- a/mitmproxy/options.py +++ b/mitmproxy/options.py @@ -47,6 +47,10 @@ class Options(optmanager.OptManager): certificate as the first entry. """ ) + self.add_option( + "cert_passphrase", Optional[str], None, + "Passphrase for decyrpting the private key provided in the --cert setting." + ) self.add_option( "ciphers_client", Optional[str], None, "Set supported ciphers for client connections using OpenSSL syntax." diff --git a/mitmproxy/proxy/config.py b/mitmproxy/proxy/config.py index 982afb755..ebaa69d32 100644 --- a/mitmproxy/proxy/config.py +++ b/mitmproxy/proxy/config.py @@ -65,7 +65,8 @@ class ProxyConfig: self.certstore = certs.CertStore.from_store( certstore_path, moptions.CONF_BASENAME, - key_size + key_size, + options.cert_passphrase ) for c in options.certs: @@ -79,7 +80,7 @@ class ProxyConfig: "Certificate file does not exist: %s" % cert ) try: - self.certstore.add_cert_file(parts[0], cert) + self.certstore.add_cert_file(parts[0], cert, options.cert_passphrase) except crypto.Error: raise exceptions.OptionsError( "Invalid certificate format: %s" % cert diff --git a/mitmproxy/tools/cmdline.py b/mitmproxy/tools/cmdline.py index eac1561c0..a94f28206 100644 --- a/mitmproxy/tools/cmdline.py +++ b/mitmproxy/tools/cmdline.py @@ -67,6 +67,7 @@ def common_options(parser, opts): # Proxy SSL options group = parser.add_argument_group("SSL") opts.make_parser(group, "certs", metavar="SPEC") + opts.make_parser(group, "cert_passphrase", metavar="PASS") opts.make_parser(group, "ssl_insecure", short="k") opts.make_parser(group, "key_size", metavar="KEY_SIZE") diff --git a/test/mitmproxy/data/mitmproxy.pem b/test/mitmproxy/data/mitmproxy.pem new file mode 100644 index 000000000..f29d40274 --- /dev/null +++ b/test/mitmproxy/data/mitmproxy.pem @@ -0,0 +1,51 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI9fSurwMcOA4CAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECKALBF48zvQnBIIEyKDIy72IMJoZ +4q7LsG0dCSa8oGI/CtAnC9YqRlDj+paWoGKDUkzxnMloUbJkpQlTEYRHXp0xKtdP +IcCjWFqWeQjsaJUlwILNLiliVpbyW/0PLmNQmRSfvLhlZ77rRk08DyLU0mcW2zRX +DuKHuxGhdlmte7EKsNf8czch9hDXqrCLqxlzr86K0pwT40W1r32TgQdX68edluoj +acggWuEzeTTKy1BKkVtlCq63dflgRfSo0as+dYX38wxzC6O6hxKpax277ijoJZHc +QsXxi/zREa+gtVOq9D6Vz5E+MmmIIAzVrXsFe1Uj4wYb3XUSO6WnJ9GlrixqWeu3 +9lkOZOEKyyDgIY+twn06kyZBspKnXvQMMPjeiSSeaqI9LA0qpvRsxuWCxyTJ2YZI +s+xab8j5g5RKOmrt1bGtLl66tcrGNP9jYC5pjMNl6fz3c8+oxC0Bun4q+yOA9QzG +4GaiA834x+9wtsEBSjlMB5AMwYH+1ODo6Q+VUAWH1qBvCm/gQT2mvSgcrz6bcGJI +gimfzl/IbqVuVkWl7yFqNN/renE47pvy34Dbymb0FBK/5Gb1FImno3CcAkCuaEJ1 +sWdx2Ej0Ezit8v1iJN2q29xlD7MrxB0uPvklUPRlD9RVcDJ15GwBPA8ugN/Fjj50 +2BiMJ2/uqBoEnAjMyStINArS5PWL6gthIXenVJ4w0wegBciCsGo4G7UFQ0z/w2Je +7NJ8TjwKdTYJdAfgO5Rr8u6j0ybn72T/+QJfjugNLufRx4sakvPZR90/AFb2YX+L +kgCVS3ySOfom9p5JcxdnI8omelBIi1Qa9xwPKMPaV6oYkqBVjmcDDZocC6qN15PD +jCrgGryV3Fsn5OLYTB+EQDLNqmo+qd1O0pNY2THwD/DGGlx6VhmeQnWdt534g5lo +clQOmLXEeUWIb2u5PanakqNpY5mBQcOJ88/RS+oGAjTGU0e3I1zLb6EN/Ftndjv1 +sfEh+HMwHxIWxdnJb6z6m73XJr4z30VGN8e+f1lC8c9SJ9aTQ/9vH3bsaXLW6GFY +DBisBg2/+vMwRSG9PkYrp1p6rGAhwbaofnZE5zApT7PFEX2RVNPU7lgXn84ycRHw +gZ89Mpa9zShL4T1PS8BrKwS7AH/se7ofKW/s8Z9SgngTWj0Efd4hZmn/EenVHBWf +kjAkvKIgGE8FJF1QlmU5dHDFhRiUGXIaB1rYAcwwuwB06fxRqEL3pU6jkHSru3ry +sYaY/cfpd5D5PT+FlxkzAPH1iiC3knXpcotWpJ2iQshsw9ifwg/vVJB0n20+Rxeu +XTgwiT+X5mJNAQUCj6aExWUg+D5gPnJPwFmzAWBGKWrvwI+vI6zIv4MJywzU+Ei8 +1lU5rezPovAbGSTwUBPDydhORua0P8tVT8KPMmPJhza6IORTPpzdEOCXCOH17CWg +VWKjYvEul8CdNh4O3CJDU4lN8yn6RXCBPK4NKDea17GCIEBgnOnpFny+jdfNT+Ce +9aNh8ah61vbPag9EM2okmBlbnpkhUO+x8K8prZHZE7qRgUbmn1cJwIP6pNN/263q +S2uKZMnoaT65BaQh9wpgSvWmDup3/lGG/C2+m0k087QBVHMSfpTK9WcZ94BbzoeR +S9rWCU2k/woEUOv3hssY5w== +-----END ENCRYPTED PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDdTCCAl2gAwIBAgIURm3Wk48Uc3RtqZ0FFxCaE33TvjcwDQYJKoZIhvcNAQEL +BQAwSTELMAkGA1UEBhMCVVMxDTALBgNVBAgMBENhbGkxDTALBgNVBAcMBHRlc3Qx +DTALBgNVBAoMBHRlc3QxDTALBgNVBAMMBHRlc3QwIBcNMjAwODI4MTIyNDU4WhgP +MjI5NDA2MTIxMjI0NThaMEkxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARDYWxpMQ0w +CwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDAR0ZXN0MQ0wCwYDVQQDDAR0ZXN0MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvyrgqfiwRh2EcPYk/GFMgF2k8yJq +4mkQcjpWlowp/fL99W/c33ySEtV/LyMJ6LtPAIKN4SambUFcx97pEgJi9YEDLRGW +aN9jznss5AAe03uXN2gizpq9LmdPxr/vmH1DnqdI5MKwa8g9phpe9tT6ik3f2qkm +1V9Ka38GlkHbB+w743ytz20jM6ifTtrX0SuDqDbAppandv5Ix3CHdlllRS/MKNEw +LAs7LVkct0UNTp+soTIhGcASmbf24dvJnO+Msfuqw60mHJpoUP/xDcRGcXnjsgAZ +zAi0UXlV9QiItQeOKxLBHIlMSAEd9oEejPCi6uN+zjKb3De7LUD2Vxu7iwIDAQAB +o1MwUTAdBgNVHQ4EFgQU6tvbiSgA6pujKJBSFw/j+QRZOiwwHwYDVR0jBBgwFoAU +6tvbiSgA6pujKJBSFw/j+QRZOiwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAQEAgVa/jUdGqElv3EzxzSqtYkGxmeY5m2aLPKgsUl2zOPWwgyE1Synu +TuFS+B5pyTT1KZ6IDwRQ+hA9jOnEopNK33lVelz7XBuw7485qVidG4o6QH1uo/J9 +GlxjM5SCY6yQ4frCI8lCY6+LA0NbI05qtVNTS1zgdOBnC/IOlMFpp0oDaf5FZHxc +Ci1I/g32ES3rvKiAGBY2m6hy138GzYpZTXnKS03MaTfUCFfsOvqq/z2KBCeCd4mH +VDO7adjhw4I7EYYXjmly2um6NaqyXtT6/AARY3JuQgFoW7W3XBV6TCsYmsGSeUTH +JrhnGnHiNi06IuBwOXYZDID+orBMr9NDKw== +-----END CERTIFICATE----- diff --git a/test/mitmproxy/test_certs.py b/test/mitmproxy/test_certs.py index 37604f54a..3a977f3c9 100644 --- a/test/mitmproxy/test_certs.py +++ b/test/mitmproxy/test_certs.py @@ -204,3 +204,9 @@ class TestCert: x = certs.Cert('') x.set_state(a) assert x == c + + def test_from_store_with_passphrase(self, tdata, tmpdir): + ca = certs.CertStore.from_store(str(tmpdir), "mitmproxy", 2048, "password") + ca.add_cert_file("*", tdata.path("mitmproxy/data/mitmproxy.pem"), "password") + + assert ca.get_cert(b"foo", []) diff --git a/test/mitmproxy/test_proxy.py b/test/mitmproxy/test_proxy.py index f455b0ff2..56d934f67 100644 --- a/test/mitmproxy/test_proxy.py +++ b/test/mitmproxy/test_proxy.py @@ -42,11 +42,12 @@ class TestProcessProxyOptions: assert self.p() def test_certs(self, tdata): - self.assert_noerr( - "--cert", - tdata.path("mitmproxy/data/testkey.pem")) - with pytest.raises(Exception, match="does not exist"): - self.p("--cert", "nonexistent") + with pytest.raises(Exception, match="ambiguous option"): + self.assert_noerr( + "--cert", + tdata.path("mitmproxy/data/testkey.pem")) + with pytest.raises(Exception, match="does not exist"): + self.p("--cert", "nonexistent") class TestProxyServer: From 770811b121c57cb352598fc2e753b848ea4ac94d Mon Sep 17 00:00:00 2001 From: Miro Karvonen Date: Fri, 28 Aug 2020 17:12:08 +0300 Subject: [PATCH 2/3] Updating the CHANGELOG, adding --cert-passphrase command line argument --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG b/CHANGELOG index 75fef3b52..3cafb2035 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -11,6 +11,7 @@ Unreleased: mitmproxy next * Display HTTP trailers in mitmweb (@sanlengjingvv) * Revamp onboarding app (@mhils) * Add ASGI support for embedded apps (@mhils) + * Add --cert-passphrase command line argument (@mirosyn) * --- TODO: add new PRs above this line --- From abbdc31ad305f7251de2073d153e57055d71a05a Mon Sep 17 00:00:00 2001 From: Miro Karvonen Date: Mon, 31 Aug 2020 09:01:45 +0300 Subject: [PATCH 3/3] Review comment fixes, passphrase is now always required to be bytes in add_cert_file and from_store. --- mitmproxy/certs.py | 8 ++++---- mitmproxy/options.py | 2 +- mitmproxy/proxy/config.py | 5 +++-- test/mitmproxy/test_proxy.py | 2 -- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/mitmproxy/certs.py b/mitmproxy/certs.py index dde584e95..686c05745 100644 --- a/mitmproxy/certs.py +++ b/mitmproxy/certs.py @@ -196,7 +196,7 @@ class CertStore: return dh @classmethod - def from_store(cls, path, basename, key_size, passphrase: str = None): + def from_store(cls, path, basename, key_size, passphrase: typing.Optional[bytes] = None): ca_path = os.path.join(path, basename + "-ca.pem") if not os.path.exists(ca_path): key, ca = cls.create_store(path, basename, key_size) @@ -209,7 +209,7 @@ class CertStore: key = OpenSSL.crypto.load_privatekey( OpenSSL.crypto.FILETYPE_PEM, raw, - None if passphrase is None else bytes(passphrase, "utf-8")) + passphrase) dh_path = os.path.join(path, basename + "-dhparam.pem") dh = cls.load_dhparam(dh_path) return cls(key, ca, ca_path, dh) @@ -281,7 +281,7 @@ class CertStore: return key, ca - def add_cert_file(self, spec: str, path: str, passphrase: str = None) -> None: + def add_cert_file(self, spec: str, path: str, passphrase: typing.Optional[bytes] = None) -> None: with open(path, "rb") as f: raw = f.read() cert = Cert( @@ -292,7 +292,7 @@ class CertStore: privatekey = OpenSSL.crypto.load_privatekey( OpenSSL.crypto.FILETYPE_PEM, raw, - None if passphrase is None else bytes(passphrase, "utf-8")) + passphrase) except Exception: privatekey = self.default_privatekey self.add_cert( diff --git a/mitmproxy/options.py b/mitmproxy/options.py index f90221e84..03cb6945a 100644 --- a/mitmproxy/options.py +++ b/mitmproxy/options.py @@ -49,7 +49,7 @@ class Options(optmanager.OptManager): ) self.add_option( "cert_passphrase", Optional[str], None, - "Passphrase for decyrpting the private key provided in the --cert setting." + "Passphrase for decrypting the private key provided in the --cert option." ) self.add_option( "ciphers_client", Optional[str], None, diff --git a/mitmproxy/proxy/config.py b/mitmproxy/proxy/config.py index ebaa69d32..0ba46ee58 100644 --- a/mitmproxy/proxy/config.py +++ b/mitmproxy/proxy/config.py @@ -62,11 +62,12 @@ class ProxyConfig: os.path.dirname(certstore_path) ) key_size = options.key_size + passphrase = options.cert_passphrase.encode("utf-8") if options.cert_passphrase else None self.certstore = certs.CertStore.from_store( certstore_path, moptions.CONF_BASENAME, key_size, - options.cert_passphrase + passphrase ) for c in options.certs: @@ -80,7 +81,7 @@ class ProxyConfig: "Certificate file does not exist: %s" % cert ) try: - self.certstore.add_cert_file(parts[0], cert, options.cert_passphrase) + self.certstore.add_cert_file(parts[0], cert, passphrase) except crypto.Error: raise exceptions.OptionsError( "Invalid certificate format: %s" % cert diff --git a/test/mitmproxy/test_proxy.py b/test/mitmproxy/test_proxy.py index 56d934f67..1cca58250 100644 --- a/test/mitmproxy/test_proxy.py +++ b/test/mitmproxy/test_proxy.py @@ -46,8 +46,6 @@ class TestProcessProxyOptions: self.assert_noerr( "--cert", tdata.path("mitmproxy/data/testkey.pem")) - with pytest.raises(Exception, match="does not exist"): - self.p("--cert", "nonexistent") class TestProxyServer: