From d65f2215cb9191a24b36ad6a4fcbf474798d3b2d Mon Sep 17 00:00:00 2001 From: Aldo Cortesi Date: Wed, 5 Mar 2014 17:25:12 +1300 Subject: [PATCH] Much more sophisticated cert handling - Specify per-domain certificates and keys - Certs are no longer regenerated for SANs - And more. :) --- libmproxy/app.py | 7 +-- libmproxy/proxy.py | 96 ++++++++++++++------------------ test/test_app.py | 4 +- test/test_console_contentview.py | 2 +- test/test_proxy.py | 14 ++--- test/test_server.py | 5 +- test/tservers.py | 13 +++-- 7 files changed, 62 insertions(+), 79 deletions(-) diff --git a/libmproxy/app.py b/libmproxy/app.py index b046f7123..3ebbb61b4 100644 --- a/libmproxy/app.py +++ b/libmproxy/app.py @@ -1,5 +1,6 @@ import flask import os.path +import proxy mapp = flask.Flask(__name__) mapp.debug = True @@ -16,14 +17,12 @@ def index(): @mapp.route("/cert/pem") def certs_pem(): - capath = master().server.config.cacert - p = os.path.splitext(capath)[0] + "-cert.pem" + p = os.path.join(master().server.config.confdir, proxy.CONF_BASENAME + "-cert.pem") return flask.Response(open(p, "rb").read(), mimetype='application/x-x509-ca-cert') @mapp.route("/cert/p12") def certs_p12(): - capath = master().server.config.cacert - p = os.path.splitext(capath)[0] + "-cert.p12" + p = os.path.join(master().server.config.confdir, proxy.CONF_BASENAME + "-cert.p12") return flask.Response(open(p, "rb").read(), mimetype='application/x-pkcs12') diff --git a/libmproxy/proxy.py b/libmproxy/proxy.py index b0fb94495..1eebba074 100644 --- a/libmproxy/proxy.py +++ b/libmproxy/proxy.py @@ -4,9 +4,12 @@ from netlib import tcp, http, certutils, http_auth import utils, version, platform, controller, stateobject TRANSPARENT_SSL_PORTS = [443, 8443] +CONF_BASENAME = "mitmproxy" +CONF_DIR = "~/.mitmproxy" CA_CERT_NAME = "mitmproxy-ca.pem" + class AddressPriority(object): """ Enum that signifies the priority of the given address when choosing the destination host. @@ -38,15 +41,12 @@ class Log: class ProxyConfig: - def __init__(self, certfile=None, keyfile=None, cacert=None, clientcerts=None, + def __init__(self, confdir=CONF_DIR, clientcerts=None, no_upstream_cert=False, body_size_limit=None, reverse_proxy=None, forward_proxy=None, transparent_proxy=None, authenticator=None, - ciphers=None + ciphers=None, certs=None ): self.ciphers = ciphers - self.certfile = certfile - self.keyfile = keyfile - self.cacert = cacert self.clientcerts = clientcerts self.no_upstream_cert = no_upstream_cert self.body_size_limit = body_size_limit @@ -54,7 +54,9 @@ class ProxyConfig: self.forward_proxy = forward_proxy self.transparent_proxy = transparent_proxy self.authenticator = authenticator - self.certstore = certutils.CertStore(cacert) + self.confdir = os.path.expanduser(confdir) + self.certstore = certutils.CertStore.from_store(confdir, CONF_BASENAME) + class ClientConnection(tcp.BaseHandler, stateobject.SimpleStateObject): @@ -386,10 +388,9 @@ class ConnectionHandler: if client: if self.client_conn.ssl_established: raise ProxyError(502, "SSL to Client already established.") - dummycert = self.find_cert() + cert, key = self.find_cert() self.client_conn.convert_to_ssl( - dummycert, - self.config.keyfile or self.config.cacert, + cert, key, handle_sni = self.handle_sni, cipher_list = self.config.ciphers ) @@ -420,22 +421,18 @@ class ConnectionHandler: self.channel.tell("log", Log(msg)) def find_cert(self): - if self.config.certfile: - with open(self.config.certfile, "rb") as f: - return certutils.SSLCert.from_pem(f.read()) - else: - host = self.server_conn.address.host - sans = [] - if not self.config.no_upstream_cert or not self.server_conn.ssl_established: - upstream_cert = self.server_conn.cert - if upstream_cert.cn: - host = upstream_cert.cn.decode("utf8").encode("idna") - sans = upstream_cert.altnames + host = self.server_conn.address.host + sans = [] + if not self.config.no_upstream_cert or not self.server_conn.ssl_established: + upstream_cert = self.server_conn.cert + if upstream_cert.cn: + host = upstream_cert.cn.decode("utf8").encode("idna") + sans = upstream_cert.altnames - ret = self.config.certstore.get_cert(host, sans) - if not ret: - raise ProxyError(502, "Unable to generate dummy cert.") - return ret + ret = self.config.certstore.get_cert(host, sans) + if not ret: + raise ProxyError(502, "Unable to generate dummy cert.") + return ret def handle_sni(self, connection): """ @@ -451,9 +448,9 @@ class ConnectionHandler: self.server_reconnect() # reconnect to upstream server with SNI # Now, change client context to reflect changed certificate: new_context = SSL.Context(SSL.TLSv1_METHOD) - new_context.use_privatekey_file(self.config.certfile or self.config.cacert) - dummycert = self.find_cert() - new_context.use_certificate(dummycert.x509) + cert, key = self.find_cert() + new_context.use_privatekey_file(key) + new_context.use_certificate(cert.X509) connection.set_context(new_context) # An unhandled exception in this method will core dump PyOpenSSL, so # make dang sure it doesn't happen. @@ -510,14 +507,12 @@ class DummyServer: def ssl_option_group(parser): group = parser.add_argument_group("SSL") group.add_argument( - "--certfile", action="store", - type=str, dest="certfile", default=None, - help="SSL certificate in PEM format, optionally with the key in the same file." - ) - group.add_argument( - "--keyfile", action="store", - type=str, dest="keyfile", default=None, - help="Key matching certfile." + "--cert", dest='certs', default=[], type=str, + metavar = "SPEC", action="append", + help='Add an SSL certificate. SPEC is of the form "[domain=]path". '\ + 'The domain may include a wildcard, and is equal to "*" if not specified. '\ + 'The file at path is a certificate in PEM format. If a private key is included in the PEM, '\ + 'it is used, else the default key in the conf dir is used. Can be passed multiple times.' ) group.add_argument( "--client-certs", action="store", @@ -532,23 +527,6 @@ def ssl_option_group(parser): def process_proxy_options(parser, options): - if options.certfile: - options.certfile = os.path.expanduser(options.certfile) - if not os.path.exists(options.certfile): - return parser.error("Certificate file does not exist: %s" % options.certfile) - - if options.keyfile: - options.keyfile = os.path.expanduser(options.keyfile) - if not os.path.exists(options.keyfile): - return parser.error("Key file does not exist: %s" % options.keyfile) - - if options.certfile and not options.keyfile: - options.keyfile = options.certfile - - cacert = os.path.join(options.confdir, CA_CERT_NAME) - cacert = os.path.expanduser(cacert) - if not os.path.exists(cacert): - certutils.dummy_ca(cacert) body_size_limit = utils.parse_size(options.body_size_limit) if options.reverse_proxy and options.transparent_proxy: return parser.error("Can't set both reverse proxy and transparent proxy.") @@ -601,10 +579,17 @@ def process_proxy_options(parser, options): else: authenticator = http_auth.NullProxyAuth(None) + certs = [] + for i in options.certs: + parts = i.split("=", 1) + if len(parts) == 1: + parts = ["*", parts[0]] + parts[1] = os.path.expanduser(parts[1]) + if not os.path.exists(parts[1]): + parser.error("Certificate file does not exist: %s"%parts[1]) + certs.append(parts) + return ProxyConfig( - certfile=options.certfile, - keyfile=options.keyfile, - cacert=cacert, clientcerts=options.clientcerts, body_size_limit=body_size_limit, no_upstream_cert=options.no_upstream_cert, @@ -613,4 +598,5 @@ def process_proxy_options(parser, options): transparent_proxy=trans, authenticator=authenticator, ciphers=options.ciphers, + certs = certs, ) diff --git a/test/test_app.py b/test/test_app.py index f0eab7cc7..52cd1ba62 100644 --- a/test/test_app.py +++ b/test/test_app.py @@ -9,11 +9,9 @@ class TestApp(tservers.HTTPProxTest): assert self.app("/").status_code == 200 def test_cert(self): - path = tutils.test_data.path("data/confdir/") + "mitmproxy-ca-cert." with tutils.tmpdir() as d: for ext in ["pem", "p12"]: resp = self.app("/cert/%s" % ext) assert resp.status_code == 200 - with open(path + ext, "rb") as f: - assert resp.content == f.read() + assert resp.content diff --git a/test/test_console_contentview.py b/test/test_console_contentview.py index a878ad4e3..0aabd2c5e 100644 --- a/test/test_console_contentview.py +++ b/test/test_console_contentview.py @@ -120,7 +120,7 @@ class TestContentView: def test_view_css(self): v = cv.ViewCSS() - with open('./test/data/1.css', 'r') as fp: + with open(tutils.test_data.path('data/1.css'), 'r') as fp: fixture_1 = fp.read() result = v([], 'a', 100) diff --git a/test/test_proxy.py b/test/test_proxy.py index 5ff002904..b15e3f846 100644 --- a/test/test_proxy.py +++ b/test/test_proxy.py @@ -70,13 +70,6 @@ class TestProcessProxyOptions: def test_simple(self): assert self.p() - def test_certfile_keyfile(self): - self.assert_noerr("--certfile", tutils.test_data.path("data/testkey.pem")) - self.assert_err("does not exist", "--certfile", "nonexistent") - - self.assert_noerr("--keyfile", tutils.test_data.path("data/testkey.pem")) - self.assert_err("does not exist", "--keyfile", "nonexistent") - def test_confdir(self): with tutils.tmpdir() as confdir: self.assert_noerr("--confdir", confdir) @@ -93,11 +86,16 @@ class TestProcessProxyOptions: self.assert_err("invalid reverse proxy", "-P", "reverse") self.assert_noerr("-P", "http://localhost") - def test_certs(self): + def test_client_certs(self): with tutils.tmpdir() as confdir: self.assert_noerr("--client-certs", confdir) self.assert_err("directory does not exist", "--client-certs", "nonexistent") + def test_certs(self): + with tutils.tmpdir() as confdir: + self.assert_noerr("--cert", tutils.test_data.path("data/testkey.pem")) + self.assert_err("does not exist", "--cert", "nonexistent") + def test_auth(self): p = self.assert_noerr("--nonanonymous") assert p.authenticator diff --git a/test/test_server.py b/test/test_server.py index 2714ef52a..ed21e75ce 100644 --- a/test/test_server.py +++ b/test/test_server.py @@ -213,8 +213,9 @@ class TestHTTPSNoCommonName(tservers.HTTPProxTest): """ ssl = True ssloptions=pathod.SSLOptions( - certfile = tutils.test_data.path("data/no_common_name.pem"), - keyfile = tutils.test_data.path("data/no_common_name.pem"), + certs = [ + ("*", tutils.test_data.path("data/no_common_name.pem")) + ] ) def test_http(self): f = self.pathod("202") diff --git a/test/tservers.py b/test/tservers.py index 540cda605..3a6a610fd 100644 --- a/test/tservers.py +++ b/test/tservers.py @@ -1,4 +1,5 @@ import threading, Queue +import shutil, tempfile import flask import libpathod.test, libpathod.pathoc from libmproxy import proxy, flow, controller @@ -72,7 +73,6 @@ class ProxTestBase(object): ssl = None ssloptions = False clientcerts = False - certfile = None no_upstream_cert = False authenticator = None masterclass = TestMaster @@ -82,9 +82,10 @@ class ProxTestBase(object): cls.server = libpathod.test.Daemon(ssl=cls.ssl, ssloptions=cls.ssloptions) cls.server2 = libpathod.test.Daemon(ssl=cls.ssl, ssloptions=cls.ssloptions) pconf = cls.get_proxy_config() + cls.confdir = tempfile.gettempdir() config = proxy.ProxyConfig( no_upstream_cert = cls.no_upstream_cert, - cacert = tutils.test_data.path("data/confdir/mitmproxy-ca.pem"), + confdir = cls.confdir, authenticator = cls.authenticator, **pconf ) @@ -93,6 +94,10 @@ class ProxTestBase(object): cls.proxy = ProxyThread(tmaster) cls.proxy.start() + @classmethod + def tearDownAll(cls): + shutil.rmtree(cls.confdir) + @property def master(cls): return cls.proxy.tmaster @@ -127,9 +132,6 @@ class ProxTestBase(object): d = dict() if cls.clientcerts: d["clientcerts"] = tutils.test_data.path("data/clientcert") - if cls.certfile: - d["certfile"] =tutils.test_data.path("data/testkey.pem") - d["keyfile"] =tutils.test_data.path("data/testkey.pem") return d @@ -254,7 +256,6 @@ class ChainProxTest(ProxTestBase): """ n = 2 chain_config = [lambda: proxy.ProxyConfig( - cacert = tutils.test_data.path("data/confdir/mitmproxy-ca.pem"), )] * n @classmethod def setupAll(cls):