Add MITM proxy for HTTPS requests

2025-07-01 18:47:29 -04:00 · 2019-11-24 00:14:49 +01:00
parent c48562e873
commit ef4f829572
6 changed files with 321 additions and 37 deletions
--- a/cert.go
+++ b/cert.go
@ -0,0 +1,176 @@
+package main
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"errors"
+	"math/big"
+	"net"
+	"time"
+)
+
+// MaxSerialNumber is the upper boundary that is used to create unique serial
+// numbers for the certificate. This can be any unsigned integer up to 20
+// bytes (2^(8*20)-1).
+var MaxSerialNumber = big.NewInt(0).SetBytes(bytes.Repeat([]byte{255}, 20))
+
+// CertConfig is a set of configuration values that are used to build TLS configs
+// capable of MITM
+type CertConfig struct {
+	ca     *x509.Certificate
+	caPriv crypto.PrivateKey
+	priv   *rsa.PrivateKey
+	keyID  []byte
+}
+
+// NewCertConfig creates a MITM config using the CA certificate and
+// private key to generate on-the-fly certificates.
+func NewCertConfig(ca *x509.Certificate, caPrivKey crypto.PrivateKey) (*CertConfig, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	pub := priv.Public()
+
+	// Subject Key Identifier support for end entity certificate.
+	// https://www.ietf.org/rfc/rfc3280.txt (section 4.2.1.2)
+	pkixPubKey, err := x509.MarshalPKIXPublicKey(pub)
+	if err != nil {
+		return nil, err
+	}
+	h := sha1.New()
+	h.Write(pkixPubKey)
+	keyID := h.Sum(nil)
+
+	return &CertConfig{
+		ca:     ca,
+		caPriv: caPrivKey,
+		priv:   priv,
+		keyID:  keyID,
+	}, nil
+}
+
+// NewCA creates a new CA certificate and associated private key.
+func NewCA(name, organization string, validity time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+	pub := priv.Public()
+
+	// Subject Key Identifier support for end entity certificate.
+	// https://www.ietf.org/rfc/rfc3280.txt (section 4.2.1.2)
+	pkixpub, err := x509.MarshalPKIXPublicKey(pub)
+	if err != nil {
+		return nil, nil, err
+	}
+	h := sha1.New()
+	h.Write(pkixpub)
+	keyID := h.Sum(nil)
+
+	// TODO: keep a map of used serial numbers to avoid potentially reusing a
+	// serial multiple times.
+	serial, err := rand.Int(rand.Reader, MaxSerialNumber)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	tmpl := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName:   name,
+			Organization: []string{organization},
+		},
+		SubjectKeyId:          keyID,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		NotBefore:             time.Now().Add(-24 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		DNSNames:              []string{name},
+		IsCA:                  true,
+	}
+
+	raw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Parse certificate bytes so that we have a leaf certificate.
+	x509c, err := x509.ParseCertificate(raw)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return x509c, priv, nil
+}
+
+// TLSConfig returns a *tls.Config that will generate certificates on-the-fly using
+// the SNI extension in the TLS ClientHello.
+func (c *CertConfig) TLSConfig() *tls.Config {
+	return &tls.Config{
+		GetCertificate: func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			if clientHello.ServerName == "" {
+				return nil, errors.New("missing server name (SNI)")
+			}
+			return c.cert(clientHello.ServerName)
+		},
+		NextProtos: []string{"http/1.1"},
+	}
+}
+
+func (c *CertConfig) cert(hostname string) (*tls.Certificate, error) {
+	// Remove the port if it exists.
+	host, _, err := net.SplitHostPort(hostname)
+	if err == nil {
+		hostname = host
+	}
+
+	serial, err := rand.Int(rand.Reader, MaxSerialNumber)
+	if err != nil {
+		return nil, err
+	}
+
+	tmpl := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName:   hostname,
+			Organization: []string{"Gurp"},
+		},
+		SubjectKeyId:          c.keyID,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		NotBefore:             time.Now().Add(-24 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+	}
+
+	if ip := net.ParseIP(hostname); ip != nil {
+		tmpl.IPAddresses = []net.IP{ip}
+	} else {
+		tmpl.DNSNames = []string{hostname}
+	}
+
+	raw, err := x509.CreateCertificate(rand.Reader, tmpl, c.ca, c.priv.Public(), c.caPriv)
+	if err != nil {
+		return nil, err
+	}
+
+	// Parse certificate bytes so that we have a leaf certificate.
+	x509c, err := x509.ParseCertificate(raw)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tls.Certificate{
+		Certificate: [][]byte{raw, c.ca.Raw},
+		PrivateKey:  c.priv,
+		Leaf:        x509c,
+	}, nil
+}