mirror of
https://github.com/bettercap/bettercap
synced 2025-08-20 21:43:18 -07:00
fix: fixes a crash when TLS certificate can't be fetched from remote host (fixes #19)
This commit is contained in:
parent
883f200e85
commit
63761b0254
1 changed files with 56 additions and 11 deletions
67
tls/sign.go
67
tls/sign.go
|
@ -6,9 +6,14 @@ import (
|
|||
"crypto/sha1"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"net"
|
||||
"sort"
|
||||
"time"
|
||||
|
||||
"github.com/evilsocket/bettercap-ng/log"
|
||||
)
|
||||
|
||||
func hashSorted(lst []string) []byte {
|
||||
|
@ -29,9 +34,12 @@ func hashSortedBigInt(lst []string) *big.Int {
|
|||
}
|
||||
|
||||
func getServerCertificate(host string, port int) *x509.Certificate {
|
||||
log.Debug("Fetching TLS certificate from %s:%d ...", host, port)
|
||||
|
||||
config := tls.Config{InsecureSkipVerify: true}
|
||||
conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port), &config)
|
||||
if err != nil {
|
||||
log.Warning("Could not fetch TLS certificate from %s:%d: %s", host, port, err)
|
||||
return nil
|
||||
}
|
||||
defer conn.Close()
|
||||
|
@ -43,24 +51,61 @@ func getServerCertificate(host string, port int) *x509.Certificate {
|
|||
|
||||
func SignCertificateForHost(ca *tls.Certificate, host string, port int) (cert *tls.Certificate, err error) {
|
||||
var x509ca *x509.Certificate
|
||||
var template x509.Certificate
|
||||
|
||||
if x509ca, err = x509.ParseCertificate(ca.Certificate[0]); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
srvCert := getServerCertificate(host, port)
|
||||
if srvCert == nil {
|
||||
log.Debug("Could not fetch TLS certificate, falling back to default template.")
|
||||
|
||||
template := x509.Certificate{
|
||||
SerialNumber: srvCert.SerialNumber,
|
||||
Issuer: x509ca.Subject,
|
||||
Subject: srvCert.Subject,
|
||||
NotBefore: srvCert.NotBefore,
|
||||
NotAfter: srvCert.NotAfter,
|
||||
KeyUsage: srvCert.KeyUsage,
|
||||
ExtKeyUsage: srvCert.ExtKeyUsage,
|
||||
IPAddresses: srvCert.IPAddresses,
|
||||
DNSNames: srvCert.DNSNames,
|
||||
BasicConstraintsValid: true,
|
||||
notBefore := time.Now()
|
||||
aYear := time.Duration(365*24) * time.Hour
|
||||
notAfter := notBefore.Add(aYear)
|
||||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
||||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
template = x509.Certificate{
|
||||
SerialNumber: serialNumber,
|
||||
Issuer: x509ca.Subject,
|
||||
Subject: pkix.Name{
|
||||
Country: []string{"US"},
|
||||
Locality: []string{"Scottsdale"},
|
||||
Organization: []string{"GoDaddy.com, Inc."},
|
||||
OrganizationalUnit: []string{"http://certs.godaddy.com/repository/"},
|
||||
CommonName: "Go Daddy Secure Certificate Authority - G2",
|
||||
},
|
||||
NotBefore: notBefore,
|
||||
NotAfter: notAfter,
|
||||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
||||
BasicConstraintsValid: true,
|
||||
}
|
||||
|
||||
if ip := net.ParseIP(host); ip != nil {
|
||||
template.IPAddresses = append(template.IPAddresses, ip)
|
||||
} else {
|
||||
template.DNSNames = append(template.DNSNames, host)
|
||||
}
|
||||
|
||||
} else {
|
||||
template = x509.Certificate{
|
||||
SerialNumber: srvCert.SerialNumber,
|
||||
Issuer: x509ca.Subject,
|
||||
Subject: srvCert.Subject,
|
||||
NotBefore: srvCert.NotBefore,
|
||||
NotAfter: srvCert.NotAfter,
|
||||
KeyUsage: srvCert.KeyUsage,
|
||||
ExtKeyUsage: srvCert.ExtKeyUsage,
|
||||
IPAddresses: srvCert.IPAddresses,
|
||||
DNSNames: srvCert.DNSNames,
|
||||
BasicConstraintsValid: true,
|
||||
}
|
||||
}
|
||||
|
||||
var certpriv *rsa.PrivateKey
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue