fix: fixes a crash when TLS certificate can't be fetched from remote host (fixes #19)

2025-08-20 13:33:21 -07:00 · 2018-01-16 09:53:35 +01:00 · 2018-01-16 09:53:35 +01:00 · 63761b0254
commit 63761b0254
parent 883f200e85
1 changed files with 56 additions and 11 deletions
--- a/tls/sign.go
+++ b/tls/sign.go
@ -6,9 +6,14 @@ import (
 	"crypto/sha1"
 	"crypto/tls"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"fmt"
 	"math/big"
+	"net"
 	"sort"
+	"time"
+
+	"github.com/evilsocket/bettercap-ng/log"
 )

 func hashSorted(lst []string) []byte {
@ -29,9 +34,12 @@ func hashSortedBigInt(lst []string) *big.Int {
 }

 func getServerCertificate(host string, port int) *x509.Certificate {
+	log.Debug("Fetching TLS certificate from %s:%d ...", host, port)
+
 	config := tls.Config{InsecureSkipVerify: true}
 	conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port), &config)
 	if err != nil {
+		log.Warning("Could not fetch TLS certificate from %s:%d: %s", host, port, err)
 		return nil
 	}
 	defer conn.Close()
@ -43,24 +51,61 @@ func getServerCertificate(host string, port int) *x509.Certificate {

 func SignCertificateForHost(ca *tls.Certificate, host string, port int) (cert *tls.Certificate, err error) {
 	var x509ca *x509.Certificate
+	var template x509.Certificate

 	if x509ca, err = x509.ParseCertificate(ca.Certificate[0]); err != nil {
 		return
 	}

 	srvCert := getServerCertificate(host, port)
+	if srvCert == nil {
+		log.Debug("Could not fetch TLS certificate, falling back to default template.")

-	template := x509.Certificate{
-		SerialNumber:          srvCert.SerialNumber,
-		Issuer:                x509ca.Subject,
-		Subject:               srvCert.Subject,
-		NotBefore:             srvCert.NotBefore,
-		NotAfter:              srvCert.NotAfter,
-		KeyUsage:              srvCert.KeyUsage,
-		ExtKeyUsage:           srvCert.ExtKeyUsage,
-		IPAddresses:           srvCert.IPAddresses,
-		DNSNames:              srvCert.DNSNames,
-		BasicConstraintsValid: true,
+		notBefore := time.Now()
+		aYear := time.Duration(365*24) * time.Hour
+		notAfter := notBefore.Add(aYear)
+		serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+		serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+		if err != nil {
+			return nil, err
+		}
+
+		template = x509.Certificate{
+			SerialNumber: serialNumber,
+			Issuer:       x509ca.Subject,
+			Subject: pkix.Name{
+				Country:            []string{"US"},
+				Locality:           []string{"Scottsdale"},
+				Organization:       []string{"GoDaddy.com, Inc."},
+				OrganizationalUnit: []string{"http://certs.godaddy.com/repository/"},
+				CommonName:         "Go Daddy Secure Certificate Authority - G2",
+			},
+			NotBefore:             notBefore,
+			NotAfter:              notAfter,
+			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+			BasicConstraintsValid: true,
+		}
+
+		if ip := net.ParseIP(host); ip != nil {
+			template.IPAddresses = append(template.IPAddresses, ip)
+		} else {
+			template.DNSNames = append(template.DNSNames, host)
+		}
+
+	} else {
+		template = x509.Certificate{
+			SerialNumber:          srvCert.SerialNumber,
+			Issuer:                x509ca.Subject,
+			Subject:               srvCert.Subject,
+			NotBefore:             srvCert.NotBefore,
+			NotAfter:              srvCert.NotAfter,
+			KeyUsage:              srvCert.KeyUsage,
+			ExtKeyUsage:           srvCert.ExtKeyUsage,
+			IPAddresses:           srvCert.IPAddresses,
+			DNSNames:              srvCert.DNSNames,
+			BasicConstraintsValid: true,
+		}
 	}

 	var certpriv *rsa.PrivateKey