authorAldo Cortesi <aldo@nullcube.com>2016-07-18 16:02:54 +1200
committerAldo Cortesi <aldo@nullcube.com>2016-07-19 16:25:09 +1200
commitf24f8ce9714bb4014c68275aef36194b6f12c419 (patch)
treec4ffb1c19c8964b884966ecae397664cc7add712
parent856e1c2ba938c6fb7639286cb27ae5cf3f63e2c8 (diff)
ProxyConfig: --cert to options
Also incidentally improve handling of invalid certificate formats.
-rw-r--r--mitmproxy/cmdline.py14
-rw-r--r--mitmproxy/flow/options.py3
-rw-r--r--mitmproxy/proxy/config.py30
3 files changed, 30 insertions, 17 deletions
diff --git a/mitmproxy/cmdline.py b/mitmproxy/cmdline.py
index 3c63ec35..9cf8be3c 100644
--- a/mitmproxy/cmdline.py
+++ b/mitmproxy/cmdline.py
@@ -184,6 +184,15 @@ def get_common_options(args):
"That would trigger an infinite loop."
)
+
+ # Proxy config
+ certs = []
+ for i in args.certs:
+ parts = i.split("=", 1)
+ if len(parts) == 1:
+ parts = ["*", parts[0]]
+ certs.append(parts)
+
return dict(
app=args.app,
app_host=args.app_host,
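Review bot: `certs.append(parts)` stores a two-element list, while the same commit declares `Options.certs` as `Sequence[Tuple[str, str]]` in mitmproxy/flow/options.py; the list is also mutable and unhashable, which the annotation does not promise. Building the pair directly keeps the split semantics (`"a=b=c"` → `("a", "b=c")`, no `=` → `("*", value)`) and yields tuples: `for spec in args.certs:` / `host, sep, path = spec.partition("=")` / `certs.append((host, path) if sep else ("*", host))`. A spec with an empty host part such as `=file.pem` still produces an empty host string rather than `*`, as the old code in mitmproxy/proxy/config.py did; if that is not intended it is worth rejecting here. `get_common_options` starts and ends outside this hunk.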
@@ -213,10 +222,11 @@ def get_common_options(args):
replay_ignore_payload_params=args.replay_ignore_payload_params,
replay_ignore_host=args.replay_ignore_host,
- listen_host = args.addr,
- listen_port = args.port,
cadir = args.cadir,
+ certs = certs,
clientcerts = args.clientcerts,
+ listen_host = args.addr,
+ listen_port = args.port,
)
diff --git a/mitmproxy/flow/options.py b/mitmproxy/flow/options.py
index f05d2373..51672f9c 100644
--- a/mitmproxy/flow/options.py
+++ b/mitmproxy/flow/options.py
@@ -40,6 +40,7 @@ class Options(options.Options):
# Proxy options
cadir = cmdline.CA_DIR, # type: str
+ certs = (), # type: Sequence[Tuple[str, str]]
clientcerts = None, # type: Optional[str]
listen_host = "", # type: str
listen_port = 8080, # type: int
@@ -74,7 +75,9 @@ class Options(options.Options):
self.replay_ignore_payload_params = replay_ignore_payload_params
self.replay_ignore_host = replay_ignore_host
+ # Proxy options
self.cadir = cadir
+ self.certs = certs
self.clientcerts = clientcerts
self.listen_host = listen_host
self.listen_port = listen_port
diff --git a/mitmproxy/proxy/config.py b/mitmproxy/proxy/config.py
index 0a0188a5..ae15a347 100644
--- a/mitmproxy/proxy/config.py
+++ b/mitmproxy/proxy/config.py
@@ -5,7 +5,7 @@ import os
import re
import six
-from OpenSSL import SSL
+from OpenSSL import SSL, crypto
from mitmproxy import platform
from mitmproxy import exceptions
@@ -117,9 +117,6 @@ class ProxyConfig:
self.config(options)
options.changed.connect(self)
- for spec, cert in certs:
- self.certstore.add_cert_file(spec, cert)
-
def config(self, options):
certstore_path = os.path.expanduser(options.cadir)
if not os.path.exists(certstore_path):
@@ -140,6 +137,20 @@ class ProxyConfig:
)
self.clientcerts = clientcerts
+ for spec, cert in options.certs:
+ cert = os.path.expanduser(cert)
+ if not os.path.exists(cert):
+ raise exceptions.OptionsError(
+ "Certificate file does not exist: %s" % cert
+ )
+ try:
+ self.certstore.add_cert_file(spec, cert)
+ except crypto.Error:
+ raise exceptions.OptionsError(
+ "Invalid certificate format: %s" % cert
+ )
+
+
def process_proxy_options(parser, options, args):
body_size_limit = args.body_size_limit
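Review bot: The `except crypto.Error:` branch discards the original exception when it raises `OptionsError`, so the user sees only "Invalid certificate format" and never the parser's reason; since the file already imports `six`, `six.raise_from(exceptions.OptionsError("Invalid certificate format: %s" % cert), e)` keeps the cause on both Python versions. The `os.path.exists` check only covers a missing path: a file that exists but is unreadable (permissions, a directory) would presumably make `add_cert_file` raise `IOError`/`OSError`, which is not caught and escapes `config()` as a traceback instead of an `OptionsError`, so the `except` clause should also cover those. Because the `for spec, cert in certs:` loop was removed from `__init__` in the hunk above, a `certs` parameter still present in `__init__`'s signature (outside the hunk) would now be dead and should be dropped. `config` starts outside this hunk.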
@@ -214,16 +225,6 @@ def process_proxy_options(parser, options, args):
else:
authenticator = authentication.NullProxyAuth(None)
- certs = []
- for i in args.certs:
- parts = i.split("=", 1)
- if len(parts) == 1:
- parts = ["*", parts[0]]
- parts[1] = os.path.expanduser(parts[1])
- if not os.path.exists(parts[1]):
- parser.error("Certificate file does not exist: %s" % parts[1])
- certs.append(parts)
-
return ProxyConfig(
options,
no_upstream_cert=args.no_upstream_cert,
@@ -238,7 +239,6 @@ def process_proxy_options(parser, options, args):
authenticator=authenticator,
ciphers_client=args.ciphers_client,
ciphers_server=args.ciphers_server,
- certs=tuple(certs),
ssl_version_client=args.ssl_version_client,
ssl_version_server=args.ssl_version_server,
ssl_verify_upstream_cert=args.ssl_verify_upstream_cert,