authorAldo Cortesi <aldo@nullcube.com>2011-02-20 12:12:55 +1300
committerAldo Cortesi <aldo@nullcube.com>2011-02-20 12:17:10 +1300
commit4fc807cedd9a481db9e0fc1633d8c169f53f4a8e (patch)
treefdb9ebc487e50d7546e8eb8b50e29223458b9ec4 /libmproxy/resources/ca.cnf
parentd7ace1ce9ef3832fc766c25067f8cd23fea62d8a (diff)
Clean up certificate generation.
- Use templates for config files. We can re-introduce customization of the certificate attributes when we need them. - Split CA and cert generation into separate functions. - Generation methods provide an error return when generation fails. - When the user explicitly specifies a certificate, we don't generate it, but fail if it doesn't exist.
Diffstat (limited to 'libmproxy/resources/ca.cnf')
-rw-r--r--libmproxy/resources/ca.cnf33
1 files changed, 33 insertions, 0 deletions
diff --git a/libmproxy/resources/ca.cnf b/libmproxy/resources/ca.cnf
new file mode 100644
index 00000000..e46bb08f
--- /dev/null
+++ b/libmproxy/resources/ca.cnf
@@ -0,0 +1,33 @@
+[ req ]
+prompt = no
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+req_extensions = v3_ca_req
+
+[ req_distinguished_name ]
+organizationName = mitmproxy
+commonName = Dummy CA
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+nsCertType = sslCA
+
+[ v3_ca_req ]
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+nsCertType = sslCA
+
+[ v3_cert ]
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsCertType = server
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+[ v3_cert_req ]
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsCertType = server
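Review bot: The `[ req ]` section sets neither `default_bits` nor `default_md`, so unless the code that invokes OpenSSL (not visible in this hunk) passes them explicitly, the key size and signature digest of a CA that users add to their trust store fall back to whatever the installed OpenSSL defaults to; pinning them in the template, e.g. `default_bits = 2048` and `default_md = sha256`, makes that explicit. In `[ v3_ca ]` and `[ v3_ca_req ]`, `basicConstraints = critical,CA:true` carries no path length, so `basicConstraints = critical,CA:true,pathlen:0` would keep the trusted key from validating subordinate CAs, and `keyUsage` could be marked `critical` alongside it. The `[ v3_cert ]` leaf profile relies on the legacy `nsCertType = server`; adding `extendedKeyUsage = serverAuth` expresses the same restriction in the standard extension.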