caj
/
go-mitmproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
addon-dailer
v1.5.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9637cde659'
${ noResults }
go-mitmproxy/cert/cert.go

284 lines
6.0 KiB
Go
Raw Normal View History Unescape Escape

package cert
4 years ago
package cert
cert load
4 years ago
import (
cert create
4 years ago
"crypto/rand"
cert load
4 years ago
"crypto/rsa"
DummyCert
4 years ago
"crypto/tls"
cert load
4 years ago
"crypto/x509"
cert create
4 years ago
"crypto/x509/pkix"
cert load
4 years ago
"encoding/pem"
"errors"
"fmt"
cert
4 years ago
"io"
cert load
4 years ago
"io/ioutil"
cert create
4 years ago
"math/big"
cert load
4 years ago
"os"
"path/filepath"
cert create
4 years ago
"time"
lru cache cert
4 years ago
"github.com/golang/groupcache/lru"
logger
4 years ago
_log "github.com/sirupsen/logrus"
cert load
4 years ago
)
logger
4 years ago
var log = _log.WithField("at", "cert")
readme
4 years ago
// reference
// https://docs.mitmproxy.org/stable/concepts-certificates/
// https://github.com/mitmproxy/mitmproxy/blob/master/mitmproxy/certs.py
cert load
4 years ago
var caErrNotFound = errors.New("ca not found")
type CA struct {
rsa.PrivateKey
RootCert x509.Certificate
StorePath string
lru cache cert
4 years ago
cache *lru.Cache
cert load
4 years ago
}
func NewCA(path string) (*CA, error) {
storePath, err := getStorePath(path)
if err != nil {
return nil, err
}
lru cache cert
4 years ago
ca := &CA{
StorePath: storePath,
cache: lru.New(100),
}
cert load
4 years ago
if err := ca.load(); err != nil {
if err != caErrNotFound {
return nil, err
}
cert create
4 years ago
} else {
logger
4 years ago
log.Debug("load root ca")
cert create
4 years ago
return ca, nil
cert load
4 years ago
}
if err := ca.create(); err != nil {
return nil, err
}
logger
4 years ago
log.Debug("create root ca")
cert load
4 years ago
return ca, nil
}
func getStorePath(path string) (string, error) {
if path == "" {
homeDir, err := os.UserHomeDir()
if err != nil {
return "", err
}
cert create
4 years ago
path = filepath.Join(homeDir, ".go_mitmproxy")
cert load
4 years ago
}
if !filepath.IsAbs(path) {
dir, err := os.Getwd()
if err != nil {
return "", err
}
path = filepath.Join(dir, path)
}
stat, err := os.Stat(path)
if err != nil {
if os.IsNotExist(err) {
err = os.MkdirAll(path, os.ModePerm)
if err != nil {
return "", err
}
} else {
return "", err
}
} else {
if !stat.Mode().IsDir() {
return "", fmt.Errorf("路径 %v 不是文件夹,请移除此文件重试", path)
}
}
return path, nil
}
cert create
4 years ago
// The certificate and the private key in PEM format.
func (ca *CA) caFile() string {
return filepath.Join(ca.StorePath, "mitmproxy-ca.pem")
}
// The certificate in PEM format.
func (ca *CA) caCertFile() string {
return filepath.Join(ca.StorePath, "mitmproxy-ca-cert.pem")
}
cert load
4 years ago
func (ca *CA) load() error {
cert create
4 years ago
caFile := ca.caFile()
cert load
4 years ago
stat, err := os.Stat(caFile)
if err != nil {
if os.IsNotExist(err) {
return caErrNotFound
}
return err
}
if !stat.Mode().IsRegular() {
return fmt.Errorf("%v 不是文件", caFile)
}
data, err := ioutil.ReadFile(caFile)
if err != nil {
return err
}
keyDERBlock, data := pem.Decode(data)
if keyDERBlock == nil {
return fmt.Errorf("%v 中不存在 PRIVATE KEY", caFile)
}
certDERBlock, _ := pem.Decode(data)
if certDERBlock == nil {
return fmt.Errorf("%v 中不存在 CERTIFICATE", caFile)
}
key, err := x509.ParsePKCS8PrivateKey(keyDERBlock.Bytes)
if err != nil {
return err
}
if v, ok := key.(*rsa.PrivateKey); ok {
ca.PrivateKey = *v
} else {
return errors.New("found unknown rsa private key type in PKCS#8 wrapping")
}
x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes)
if err != nil {
return err
}
ca.RootCert = *x509Cert
return nil
}
func (ca *CA) create() error {
cert create
4 years ago
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return err
}
ca.PrivateKey = *key
template := &x509.Certificate{
SerialNumber: big.NewInt(time.Now().UnixNano() / 100000),
Subject: pkix.Name{
CommonName: "mitmproxy",
Organization: []string{"mitmproxy"},
},
NotBefore: time.Now().Add(-time.Hour * 48),
NotAfter: time.Now().Add(time.Hour * 24 * 365 * 3),
BasicConstraintsValid: true,
IsCA: true,
SignatureAlgorithm: x509.SHA256WithRSA,
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageEmailProtection,
x509.ExtKeyUsageTimeStamping,
x509.ExtKeyUsageCodeSigning,
x509.ExtKeyUsageMicrosoftCommercialCodeSigning,
x509.ExtKeyUsageMicrosoftServerGatedCrypto,
x509.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
certBytes, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
if err != nil {
return err
}
cert, err := x509.ParseCertificate(certBytes)
if err != nil {
return err
}
ca.RootCert = *cert
if err := ca.save(); err != nil {
return err
}
return ca.saveCert()
cert load
4 years ago
}
cert
4 years ago
func (ca *CA) saveTo(out io.Writer) error {
keyBytes, err := x509.MarshalPKCS8PrivateKey(&ca.PrivateKey)
if err != nil {
return err
}
err = pem.Encode(out, &pem.Block{Type: "PRIVATE KEY", Bytes: keyBytes})
if err != nil {
return err
}
cert create
4 years ago
return pem.Encode(out, &pem.Block{Type: "CERTIFICATE", Bytes: ca.RootCert.Raw})
}
func (ca *CA) saveCertTo(out io.Writer) error {
return pem.Encode(out, &pem.Block{Type: "CERTIFICATE", Bytes: ca.RootCert.Raw})
}
func (ca *CA) save() error {
file, err := os.Create(ca.caFile())
cert
4 years ago
if err != nil {
return err
}
cert create
4 years ago
defer file.Close()
cert
4 years ago
cert create
4 years ago
return ca.saveTo(file)
cert
4 years ago
}
cert create
4 years ago
func (ca *CA) saveCert() error {
file, err := os.Create(ca.caCertFile())
if err != nil {
return err
}
defer file.Close()
cert
4 years ago
cert create
4 years ago
return ca.saveCertTo(file)
cert
4 years ago
}
DummyCert
4 years ago
lru cache cert
4 years ago
func (ca *CA) GetCert(commonName string) (*tls.Certificate, error) {
if val, ok := ca.cache.Get(commonName); ok {
return val.(*tls.Certificate), nil
}
cert, err := ca.DummyCert(commonName)
if err != nil {
return cert, err
}
ca.cache.Add(commonName, cert)
return cert, err
}
DummyCert
4 years ago
// TODO: 是否应该支持多个 SubjectAltName
func (ca *CA) DummyCert(commonName string) (*tls.Certificate, error) {
template := &x509.Certificate{
SerialNumber: big.NewInt(time.Now().UnixNano() / 100000),
Subject: pkix.Name{
CommonName: commonName,
Organization: []string{"mitmproxy"},
},
NotBefore: time.Now().Add(-time.Hour * 48),
NotAfter: time.Now().Add(time.Hour * 24 * 365),
SignatureAlgorithm: x509.SHA256WithRSA,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
DNSNames: []string{commonName},
}
certBytes, err := x509.CreateCertificate(rand.Reader, template, &ca.RootCert, &ca.PrivateKey.PublicKey, &ca.PrivateKey)
if err != nil {
return nil, err
}
cert := &tls.Certificate{
Certificate: [][]byte{certBytes},
解析https初步调试成功
4 years ago
PrivateKey: &ca.PrivateKey,
DummyCert
4 years ago
}
return cert, nil
}