diff options
author | Fred Miller <fghzxm@outlook.com> | 2018-10-21 00:05:24 +0800 |
---|---|---|
committer | Fred Miller <fghzxm@outlook.com> | 2018-10-22 22:53:58 +0800 |
commit | f16621a38b17d53c76600c12d67031544c055d74 (patch) | |
tree | ba4599900895e439e81b4cf0bc1922b9ca36e073 /mitmproxy | |
parent | e8d76d050d89820c08fac2c33a97ed3ae3fc8f26 (diff) | |
download | mitmproxy-f16621a38b17d53c76600c12d67031544c055d74.tar.gz mitmproxy-f16621a38b17d53c76600c12d67031544c055d74.tar.bz2 mitmproxy-f16621a38b17d53c76600c12d67031544c055d74.zip |
Make private keys readable only by the owner
Diffstat (limited to 'mitmproxy')
-rw-r--r-- | mitmproxy/certs.py | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/mitmproxy/certs.py b/mitmproxy/certs.py index 58aea6d5..8b8ba6f2 100644 --- a/mitmproxy/certs.py +++ b/mitmproxy/certs.py @@ -5,6 +5,7 @@ import datetime import ipaddress import sys import typing +import contextlib from pyasn1.type import univ, constraint, char, namedtype, tag from pyasn1.codec.der.decoder import decode @@ -196,6 +197,21 @@ class CertStore: return cls(key, ca, ca_path, dh) @staticmethod + @contextlib.contextmanager + def umask_secret(): + """ + Context to temporarily set umask to its original value bitor 0o77. + Useful when writing private keys to disk so that only the owner + will be able to read them. + """ + original_umask = os.umask(0) + os.umask(original_umask | 0o77) + try: + yield + finally: + os.umask(original_umask) + + @staticmethod def create_store(path, basename, o=None, cn=None, expiry=DEFAULT_EXP): if not os.path.exists(path): os.makedirs(path) @@ -205,7 +221,7 @@ class CertStore: key, ca = create_ca(o=o, cn=cn, exp=expiry) # Dump the CA plus private key - with open(os.path.join(path, basename + "-ca.pem"), "wb") as f: + with CertStore.umask_secret(), open(os.path.join(path, basename + "-ca.pem"), "wb") as f: f.write( OpenSSL.crypto.dump_privatekey( OpenSSL.crypto.FILETYPE_PEM, @@ -236,7 +252,7 @@ class CertStore: f.write(p12.export()) # Dump the certificate and key in a PKCS12 format for Windows devices - with open(os.path.join(path, basename + "-ca.p12"), "wb") as f: + with CertStore.umask_secret(), open(os.path.join(path, basename + "-ca.p12"), "wb") as f: p12 = OpenSSL.crypto.PKCS12() p12.set_certificate(ca) p12.set_privatekey(key) |