ProxyConfig: --cert to options

Also incidentally improve handling of invalid certificate formats.

mitmproxy/cmdline.py

@@ -184,6 +184,15 @@ def get_common_options(args):
                 "That would trigger an infinite loop."
             )
 
+
+    # Proxy config
+    certs = []
+    for i in args.certs:
+        parts = i.split("=", 1)
+        if len(parts) == 1:
+            parts = ["*", parts[0]]
+        certs.append(parts)
+
     return dict(
         app=args.app,
         app_host=args.app_host,
@@ -213,10 +222,11 @@ def get_common_options(args):
         replay_ignore_payload_params=args.replay_ignore_payload_params,
         replay_ignore_host=args.replay_ignore_host,
 
+        cadir = args.cadir,
+        certs = certs,
+        clientcerts = args.clientcerts,
         listen_host = args.addr,
         listen_port = args.port,
-        cadir = args.cadir,
-        clientcerts = args.clientcerts,
     )
 
 

mitmproxy/flow/options.py

@@ -40,6 +40,7 @@ class Options(options.Options):
 
             # Proxy options
             cadir = cmdline.CA_DIR,  # type: str
+            certs = (),  # type: Sequence[Tuple[str, str]]
             clientcerts = None,  # type: Optional[str]
             listen_host = "",  # type: str
             listen_port = 8080,  # type: int
@@ -74,7 +75,9 @@ class Options(options.Options):
         self.replay_ignore_payload_params = replay_ignore_payload_params
         self.replay_ignore_host = replay_ignore_host
 
+        # Proxy options
         self.cadir = cadir
+        self.certs = certs
         self.clientcerts = clientcerts
         self.listen_host = listen_host
         self.listen_port = listen_port

mitmproxy/proxy/config.py

@@ -5,7 +5,7 @@ import os
 import re
 
 import six
-from OpenSSL import SSL
+from OpenSSL import SSL, crypto
 
 from mitmproxy import platform
 from mitmproxy import exceptions
@@ -117,9 +117,6 @@ class ProxyConfig:
         self.config(options)
         options.changed.connect(self)
 
-        for spec, cert in certs:
-            self.certstore.add_cert_file(spec, cert)
-
     def config(self, options):
         certstore_path = os.path.expanduser(options.cadir)
         if not os.path.exists(certstore_path):
@@ -140,6 +137,20 @@ class ProxyConfig:
                 )
             self.clientcerts = clientcerts
 
+        for spec, cert in options.certs:
+            cert = os.path.expanduser(cert)
+            if not os.path.exists(cert):
+                raise exceptions.OptionsError(
+                    "Certificate file does not exist: %s" % cert
+                )
+            try:
+                self.certstore.add_cert_file(spec, cert)
+            except crypto.Error:
+                raise exceptions.OptionsError(
+                    "Invalid certificate format: %s" % cert
+                )
+
+
 
 def process_proxy_options(parser, options, args):
     body_size_limit = args.body_size_limit
@@ -214,16 +225,6 @@ def process_proxy_options(parser, options, args):
     else:
         authenticator = authentication.NullProxyAuth(None)
 
-    certs = []
-    for i in args.certs:
-        parts = i.split("=", 1)
-        if len(parts) == 1:
-            parts = ["*", parts[0]]
-        parts[1] = os.path.expanduser(parts[1])
-        if not os.path.exists(parts[1]):
-            parser.error("Certificate file does not exist: %s" % parts[1])
-        certs.append(parts)
-
     return ProxyConfig(
         options,
         no_upstream_cert=args.no_upstream_cert,
@@ -238,7 +239,6 @@ def process_proxy_options(parser, options, args):
         authenticator=authenticator,
         ciphers_client=args.ciphers_client,
         ciphers_server=args.ciphers_server,
-        certs=tuple(certs),
         ssl_version_client=args.ssl_version_client,
         ssl_version_server=args.ssl_version_server,
         ssl_verify_upstream_cert=args.ssl_verify_upstream_cert,