Diffstat (limited to 'test/mitmproxy/net/data/verificationcerts/generate.py')
-rw-r--r-- | test/mitmproxy/net/data/verificationcerts/generate.py | 54 |
1 files changed, 32 insertions, 22 deletions
diff --git a/test/mitmproxy/net/data/verificationcerts/generate.py b/test/mitmproxy/net/data/verificationcerts/generate.py
index 8439c9e6..1e09138d 100644
--- a/test/mitmproxy/net/data/verificationcerts/generate.py
+++ b/test/mitmproxy/net/data/verificationcerts/generate.py
@@ -5,10 +5,10 @@ import subprocess
 import shlex
 import os
 import shutil
-
+import textwrap
 
 ROOT_CA = "trusted-root"
-SUBJECT = "/CN=example.mitmproxy.org/"
+SUBJECT = "example.mitmproxy.org"
 
 
 def do(args):
@@ -18,29 +18,39 @@ def do(args):
     return output
 
 
-def genrsa(cert):
-    do("openssl genrsa -out {cert}.key 2048".format(cert=cert))
+def genrsa(cert: str):
+    do(f"openssl genrsa -out {cert}.key 2048")
 
 
-def sign(cert):
-    do("openssl x509 -req -in {cert}.csr "
-       "-CA {root_ca}.crt "
-       "-CAkey {root_ca}.key "
-       "-CAcreateserial "
-       "-days 7300 "
-       "-out {cert}.crt".format(root_ca=ROOT_CA, cert=cert)
+def sign(cert: str, subject: str):
+    with open(f"openssl-{cert}.conf", "w") as f:
+        f.write(textwrap.dedent(f"""
+            authorityKeyIdentifier=keyid,issuer
+            basicConstraints=CA:FALSE
+            keyUsage = digitalSignature, keyEncipherment
+            subjectAltName = {subject}
+        """))
+    do(f"openssl x509 -req -in {cert}.csr "
+       f"-CA {ROOT_CA}.crt "
+       f"-CAkey {ROOT_CA}.key "
+       f"-CAcreateserial "
+       f"-days 7300 "
+       f"-sha256 "
+       f"-extfile \"openssl-{cert}.conf\" "
+       f"-out {cert}.crt"
        )
+    os.remove(f"openssl-{cert}.conf")
 
 
-def mkcert(cert, args):
+def mkcert(cert, subject):
     genrsa(cert)
-    do("openssl req -new -nodes -batch "
-       "-key {cert}.key "
-       "{args} "
-       "-out {cert}.csr".format(cert=cert, args=args)
+    do(f"openssl req -new -nodes -batch "
+       f"-key {cert}.key "
+       f"-addext \"subjectAltName = {subject}\" "
+       f"-out {cert}.csr"
        )
-    sign(cert)
-    os.remove("{cert}.csr".format(cert=cert))
+    sign(cert, subject)
+    os.remove(f"{cert}.csr")
 
 
 # create trusted root CA
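Review bot: `SUBJECT` is now a bare DNS name that is only ever consumed as `DNS:{SUBJECT}` in a subjectAltName, not the distinguished name its previous `/CN=.../` value and its name still suggest; a comment such as `# host name placed in the subjectAltName of the generated leaf and self-signed certs; no -subj is passed any more` would make the intent visible at the definition. Whether the subject DN the CSR receives in `-batch` mode without `-subj` matters to the consumers of these fixtures cannot be told from this hunk, so that is worth confirming against the tests that load them.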
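Review bot: In `sign`, the extension file `openssl-{cert}.conf` is written before the `openssl x509` call but only removed after it returns, so if `do()` raises (missing CSR, missing CA key, non-zero exit) the temporary file is left behind in the fixture directory; the signing step should be bracketed by `try`/`finally`, with the file name bound once, and the same applies to `{cert}.csr` in `mkcert`, which is removed only after `sign` succeeds. The `subject` argument is spliced raw into a double-quoted `-addext` value that is later re-tokenised (presumably by `shlex.split` inside `do`, whose body is outside the hunk), so a value containing a quote or whitespace silently changes the command line; the only caller passes the `SUBJECT` constant, so this is harmless today, but the helper is not safe to reuse without a guard. Minor style: `f"-CAcreateserial "`, `f"-days 7300 "` and `f"-sha256 "` are f-strings without placeholders (ruff F541), and `mkcert(cert, subject)` lacks the annotations `genrsa` and `sign` now carry.
```python
def sign(cert: str, subject: str):
    conf = f"openssl-{cert}.conf"
    with open(conf, "w") as f:
        # … unchanged: textwrap.dedent(...) extension body …
    try:
        do(f"openssl x509 -req -in {cert}.csr "
           # … unchanged: -CA, -CAkey, -CAcreateserial, -days, -sha256 options …
           f"-extfile \"{conf}\" "
           f"-out {cert}.crt"
           )
    finally:
        os.remove(conf)
```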
@@ -54,13 +64,13 @@ h = do("openssl x509 -hash -noout -in trusted-root.crt").decode("ascii").strip()
 shutil.copyfile("trusted-root.crt", "{}.0".format(h))
 
 # create trusted leaf cert.
-mkcert("trusted-leaf", "-subj {}".format(SUBJECT))
+mkcert("trusted-leaf", f'DNS:{SUBJECT}')
 
 # create self-signed cert
 genrsa("self-signed")
 do("openssl req -x509 -new -nodes -batch "
    "-key self-signed.key "
-   "-subj {} "
+   f'-addext "subjectAltName = DNS:{SUBJECT}" '
    "-days 7300 "
-   "-out self-signed.crt".format(SUBJECT)
-   )
+   "-out self-signed.crt"
+   )
\ No newline at end of file |
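Review bot: The self-signed certificate is built with only `subjectAltName`, while the leaf signed through `sign()` in the previous hunk also receives `basicConstraints=CA:FALSE` and `keyUsage`, so the two fixtures no longer carry the same extension set; if that difference is intended, a comment on the self-signed block saying so would help, otherwise the same extensions should be passed here as additional `-addext` values. The `-sha256` flag added to `sign()` is likewise absent from this `openssl req -x509` call, which only matters if the local openssl default digest is older. `f'DNS:{SUBJECT}'` now appears both in the `mkcert` call and inside the `-addext` string; binding it once near `SUBJECT`, e.g. `SAN = f"DNS:{SUBJECT}"`, keeps the two fixtures from drifting apart.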