fix: several improvements to the https.proxy module

2025-08-19 13:09:49 -07:00 · 2018-01-14 19:34:15 +01:00 · 2018-01-14 19:34:15 +01:00 · f9f0f3d5b3
commit f9f0f3d5b3
parent 723d99cf62
9 changed files with 308 additions and 29 deletions
--- a/tls/sign.go
+++ b/tls/sign.go
@ -0,0 +1,89 @@
+package tls
+
+import (
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
+	"net"
+	"sort"
+	"time"
+
+	"github.com/elazarl/goproxy"
+)
+
+func hashSorted(lst []string) []byte {
+	c := make([]string, len(lst))
+	copy(c, lst)
+	sort.Strings(c)
+	h := sha1.New()
+	for _, s := range c {
+		h.Write([]byte(s + ","))
+	}
+	return h.Sum(nil)
+}
+
+func hashSortedBigInt(lst []string) *big.Int {
+	rv := new(big.Int)
+	rv.SetBytes(hashSorted(lst))
+	return rv
+}
+
+func SignCertificateForHost(ca *tls.Certificate, host string) (cert *tls.Certificate, err error) {
+	var x509ca *x509.Certificate
+
+	// TODO: read actual fields from the host
+
+	if x509ca, err = x509.ParseCertificate(ca.Certificate[0]); err != nil {
+		return
+	}
+	start := time.Unix(0, 0)
+	end, err := time.Parse("2006-01-02", "2049-12-31")
+	if err != nil {
+		panic(err)
+	}
+
+	hosts := []string{host}
+	hash := hashSorted(hosts)
+	serial := new(big.Int)
+	serial.SetBytes(hash)
+	template := x509.Certificate{
+		SerialNumber: serial,
+		Issuer:       x509ca.Subject,
+		Subject: pkix.Name{
+			Organization: []string{"Cisco Systems, Inc."},
+		},
+		NotBefore: start,
+		NotAfter:  end,
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	for _, h := range hosts {
+		if ip := net.ParseIP(h); ip != nil {
+			template.IPAddresses = append(template.IPAddresses, ip)
+		} else {
+			template.DNSNames = append(template.DNSNames, h)
+		}
+	}
+	var csprng goproxy.CounterEncryptorRand
+	if csprng, err = goproxy.NewCounterEncryptorRandFromKey(ca.PrivateKey, hash); err != nil {
+		return
+	}
+	var certpriv *rsa.PrivateKey
+	if certpriv, err = rsa.GenerateKey(&csprng, 1024); err != nil {
+		return
+	}
+	var derBytes []byte
+	if derBytes, err = x509.CreateCertificate(&csprng, &template, x509ca, &certpriv.PublicKey, ca.PrivateKey); err != nil {
+		return
+	}
+	return &tls.Certificate{
+		Certificate: [][]byte{derBytes, ca.Certificate[0]},
+		PrivateKey:  certpriv,
+	}, nil
+}