From 549e89adf0198cbbfc6a8ef75a79d1d58a97db30 Mon Sep 17 00:00:00 2001
From: Gael Muller
Date: Sun, 10 Nov 2019 15:02:56 +0100
Subject: [PATCH] fix dynamic certificates
---
 .gitignore | 3 +++
 fakenet/listeners/HTTPListener.py | 2 +-
 fakenet/listeners/ssl_utils/__init__.py | 32 +++++++++++++++----------
 3 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/.gitignore b/.gitignore
index 5ab4810..5889855 100644
--- a/.gitignore
+++ b/.gitignore
@@ -94,3 +94,6 @@ ENV/
 # PyCharm
 .idea/
+
+ # mypy
+ .mypy_cache
diff --git a/fakenet/listeners/HTTPListener.py b/fakenet/listeners/HTTPListener.py
index 5a02e86..e101b8d 100644
--- a/fakenet/listeners/HTTPListener.py
+++ b/fakenet/listeners/HTTPListener.py
@@ -112,7 +112,7 @@ def start(self):
 'ca_key': self.config.get('ca_key')
 }
 self.sslwrapper = SSLWrapper(config)
- self.server.sslwrapper = sslwrapper
+ self.server.sslwrapper = self.sslwrapper
 self.server.socket = self.server.sslwrapper.wrap_socket(
 self.server.socket)
diff --git a/fakenet/listeners/ssl_utils/__init__.py b/fakenet/listeners/ssl_utils/__init__.py
index f99d7ab..7099a4b 100644
--- a/fakenet/listeners/ssl_utils/__init__.py
+++ b/fakenet/listeners/ssl_utils/__init__.py
@@ -36,8 +36,8 @@ def __init__(self, config):
 self.ca_key = self.config.get('ca_key', None)
 else:
 self.ca_cert, self.ca_key = self.create_cert(self.CN)
- if ( not self.config.get('networkmode', None) == 'multihost' and
- not self.config.get('static_ca') == 'Yes'):
+ if ( not self.config.get('networkmode', None) == 'multihost' and
+ not self.config.get('static_ca') == 'Yes'):
 self.logger.debug('adding root cert: %s', self.ca_cert)
 self._add_root_ca(self.ca_cert)
@@ -67,7 +67,7 @@ def wrap_socket_fallback(self, s):
 certfile_path = ListenerBase.abs_config_path(certfile_path)
 if certfile_path is None:
 raise RuntimeError('Cound not locate %s' % (certfile_path,))
-
+
 return ssl.wrap_socket(s, keyfile=keyfile_path, certfile=certfile_path, server_side=True, ciphers='RSA')
@@ -86,7 +86,7 @@ def create_cert(self, cn, ca_cert=None, ca_key=None, cert_dir=None):
 cert_dir = os.path.abspath(self.config.get('cert_dir'))
 else:
 cert_dir = os.path.abspath(cert_dir)
-
+
 cert_file = os.path.join(cert_dir, "%s.crt" % (cn))
 key_file = os.path.join(cert_dir, "%s.key" % (cn))
 if os.path.exists(cert_file) and os.path.exists(key_file):
@@ -116,12 +116,20 @@ def create_cert(self, cn, ca_cert=None, ca_key=None, cert_dir=None):
 cert.gmtime_adj_notBefore(0)
 cert.gmtime_adj_notAfter(na)
 cert.set_pubkey(key)
+
+ cert.set_version(2)
+ cert.add_extensions([
+ crypto.X509Extension(
+ "subjectAltName", False, "DNS:{}".format(cn)
+ )
+ ])
+
 if f_selfsign:
 cert.set_issuer(cert.get_subject())
- cert.sign(key, "sha1")
+ cert.sign(key, "sha256")
 else:
 cert.set_issuer(ca_cert_data.get_subject())
- cert.sign(ca_key_data, "sha1")
+ cert.sign(ca_key_data, "sha256")
 try:
 with open(cert_file, "wb") as cert_file_input:
@@ -159,7 +167,7 @@ def _load_cert(self, certpath):
 except:
 self.logger.error("Failed to load certficate")
 return ca_cert
-
+
 def _load_private_key(self, keypath):
 try:
 with open(keypath, 'rb') as key_file_input:
@@ -188,18 +196,16 @@ def _add_root_ca(self, ca_cert_file):
 def _remove_root_ca(self, cn):
 argv = ['certutil', '-delstore', 'Root', cn]
 return self._run_win_certutil(argv)
-
-
+
+
 def __del__(self):
 cert = None
 if self.ca_cert:
 cert = self._load_cert(self.ca_cert)
 if (cert is not None and
- not self.config.get('networkmode', None) == 'multihost' and
- not self.config.get('static_ca') == 'Yes'):
+ not self.config.get('networkmode', None) == 'multihost' and
+ not self.config.get('static_ca') == 'Yes'):
 self._remove_root_ca(cert.get_subject().CN)
 shutil.rmtree(self.config.get('cert_dir'), ignore_errors=True)
 return
-
-
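Review bot: The subjectAltName added after `cert.set_pubkey(key)` in the `@@ -116,12 +116,20 @@` hunk is always a `DNS:` entry, but `cn` is whatever name the certificate is being generated for, and for an IP literal RFC 5280 requires an `IP:` (iPAddress) entry — hostname verifiers do not match an IP against a dNSName, so such certificates would still be rejected. The same extension is also added on the `f_selfsign` path, i.e. to the generated CA certificate; as far as this hunk shows that certificate gets no `basicConstraints` extension, which is worth confirming in the rest of create_cert (the function continues outside the hunk). Note also that pyOpenSSL's `X509Extension` takes `bytes` for the type name and value on Python 3, so `b"subjectAltName"` and an encoded value would be needed if this module is ever run there. Classifying `cn` with `ipaddress.ip_address` (an `import ipaddress` at the top of the module) selects the right prefix; the sha256 switch itself is fine.
```python
        cert.set_pubkey(key)

        cert.set_version(2)
        # An IP literal must become an iPAddress SAN; a dNSName entry does
        # not match it during hostname verification. The unicode literal
        # keeps the check working with the Python 2 ipaddress backport.
        try:
            ipaddress.ip_address(u"{}".format(cn))
            san = "IP:{}".format(cn)
        except ValueError:
            san = "DNS:{}".format(cn)
        cert.add_extensions([
            crypto.X509Extension("subjectAltName", False, san)
        ])
        # … unchanged: issuer selection and sha256 signing …
```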