author | Aldo Cortesi <aldo@nullcube.com> | 2012-03-11 14:34:17 +1300 |
---|---|---|
committer | Aldo Cortesi <aldo@nullcube.com> | 2012-03-11 14:34:17 +1300 |
commit | 22d4559a7aa8a02995796110d15e6970e922455f (patch) | |
tree | ad1bedc81806a160eb9c7c8f149c290241954660 /libmproxy/certutils.py | |
parent | 4e13ab1d05a3d9e265e225c60e9aca1353ab323e (diff) | |
download | mitmproxy-22d4559a7aa8a02995796110d15e6970e922455f.tar.gz mitmproxy-22d4559a7aa8a02995796110d15e6970e922455f.tar.bz2 mitmproxy-22d4559a7aa8a02995796110d15e6970e922455f.zip |
Use PyOpenSSL for certificate generation.
We no longer call external OpenSSL commands at all.
Diffstat (limited to 'libmproxy/certutils.py')
-rw-r--r-- | libmproxy/certutils.py | 74 |
1 files changed, 65 insertions, 9 deletions
diff --git a/libmproxy/certutils.py b/libmproxy/certutils.py
index 176e7b61..6650486b 100644
--- a/libmproxy/certutils.py
+++ b/libmproxy/certutils.py
@@ -8,15 +8,7 @@ CERT_SLEEP_TIME = 1
 CERT_EXPIRY = str(365 * 3)
 
 
-def dummy_ca(path):
-    dirname = os.path.dirname(path)
-    if not os.path.exists(dirname):
-        os.makedirs(dirname)
-    if path.endswith(".pem"):
-        basename, _ = os.path.splitext(path)
-    else:
-        basename = path
-
+def create_ca():
     key = OpenSSL.crypto.PKey()
     key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)
     ca = OpenSSL.crypto.X509()
@@ -42,6 +34,19 @@ def dummy_ca(path):
             subject=ca),
         ])
     ca.sign(key, "sha1")
+    return key, ca
+
+
+def dummy_ca(path):
+    dirname = os.path.dirname(path)
+    if not os.path.exists(dirname):
+        os.makedirs(dirname)
+    if path.endswith(".pem"):
+        basename, _ = os.path.splitext(path)
+    else:
+        basename = path
+
+    key, ca = create_ca()
 
     # Dump the CA plus private key
     f = open(path, "w")
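Review bot: The file that the new dummy_ca writes holds the CA private key together with the certificate (the `# Dump the CA plus private key` comment and `f = open(path, "w")` that follow `key, ca = create_ca()`), yet it is created with whatever the process umask allows rather than owner-only permissions, and the handle is not managed by `with`. Consider opening it as `os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w")`, or at minimum calling `os.chmod(path, 0o600)` right after the write. Separately, `dirname = os.path.dirname(path)` is the empty string for a bare filename and `os.makedirs("")` then raises, so the guard should read `if dirname and not os.path.exists(dirname):`. The body of dummy_ca continues past the end of this hunk.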
@@ -76,6 +81,57 @@ def dummy_cert(certdir, ca, commonname, sans):
     if os.path.exists(certpath):
         return certpath
 
+    ss = []
+    for i in sans:
+        ss.append("DNS: %s"%i)
+    ss = ", ".join(ss)
+
+    if ca:
+        raw = file(ca, "r").read()
+        ca = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, raw)
+        key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, raw)
+    else:
+        key, ca = create_ca()
+
+    pkey = ca.get_pubkey()
+    req = OpenSSL.crypto.X509Req()
+    subj = req.get_subject()
+    subj.CN = commonname
+    req.set_pubkey(ca.get_pubkey())
+    req.sign(key, "sha1")
+    if ss:
+        req.add_extensions([OpenSSL.crypto.X509Extension("subjectAltName", True, ss)])
+
+    cert = OpenSSL.crypto.X509()
+    cert.gmtime_adj_notBefore(0)
+    cert.gmtime_adj_notAfter(60 * 60 * 24 * 30)
+    cert.set_issuer(ca.get_subject())
+    cert.set_subject(req.get_subject())
+    if ss:
+        cert.add_extensions([OpenSSL.crypto.X509Extension("subjectAltName", True, ss)])
+    cert.set_pubkey(req.get_pubkey())
+    cert.sign(key, "sha1")
+
+    f = open(certpath, "w")
+    f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))
+    f.close()
+
+    return certpath
+
+
+def dummy_cert_(certdir, ca, commonname, sans):
+    """
+        certdir: Certificate directory.
+        ca: Path to the certificate authority file, or None.
+        commonname: Common name for the generated certificate.
+
+        Returns cert path if operation succeeded, None if not.
+    """
+    namehash = hashlib.sha256(commonname).hexdigest()
+    certpath = os.path.join(certdir, namehash + ".pem")
+    if os.path.exists(certpath):
+        return certpath
+
     confpath = os.path.join(certdir, namehash + ".cnf")
     reqpath = os.path.join(certdir, namehash + ".req")
 
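Review bot: The leaf certificate assembled in the new dummy_cert never receives a serial number (nothing between `cert = OpenSSL.crypto.X509()` and `cert.sign(key, "sha1")` calls `set_serial_number`), so every certificate this CA issues carries the same default serial; RFC 5280 requires issuer/serial pairs to be unique and clients that key on that pair may reject or confuse them. Derive it from the `namehash` computed above the hunk, e.g. `cert.set_serial_number(int(namehash[:16], 16))`, and because extensions are attached also call `cert.set_version(2)` so the result is a v3 certificate. Smaller points in the same block: `pkey = ca.get_pubkey()` is never used, `req.add_extensions(...)` runs after `req.sign(...)` so the CSR signature does not cover the SAN, `file(ca, "r").read()` never closes the handle, and `dummy_cert_` appears to be the superseded implementation kept under a new name — if it is, delete it rather than carry it. The opening lines of dummy_cert lie outside this hunk.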