Add SubjectAltName into certificate #28

Open. Wants to merge 10 commits into base: master.
7 changes: 4 additions & 3 deletions lib/ritm/certs/ca.rb
@@ -20,17 +20,18 @@ def self.load(crt, private_key)
end
end

def sign(certificate)
def sign(certificate, extensions = self.class.signing_profile)
certificate.cert.parent = @cert
certificate.cert.sign!(self.class.signing_profile)
certificate.cert.sign!(extensions)
end

def self.signing_profile
{
'extensions' => {
'keyUsage' => { 'usage' => %w[keyEncipherment digitalSignature] },
'extendedKeyUsage' => { 'usage' => %w[serverAuth clientAuth] }
}
},
'digest' => 'SHA512'
}
end
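Review bot: in `def sign(certificate, extensions = self.class.signing_profile)` the new parameter holds the whole signing profile, which carries both the 'extensions' and the 'digest' keys, so `extensions` is a misleading name; call it `profile` and pass it on as `certificate.cert.sign!(profile)`. It is also worth a one-line comment that `signing_profile` builds a fresh hash literal on every call, because callers that add entries to the returned hash before passing it back rely on that to avoid leaking extensions into later signatures. The digest bump to SHA512 is a separate behaviour change and should be called out in the PR description.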

@@ -20,7 +20,7 @@ def self.create(common_name, serial_number: nil)
cert.subject.country = 'AR'
cert.not_before = cert.not_before - 3600 * 24 * 30 # Substract 30 days
cert.serial_number.number = serial_number || common_name.hash.abs
cert.key_material.generate_key(1024)
cert.key_material.generate_key(4096)
Author: Fix ERR_CERT_WEAK_KEY error from browser

yield cert if block_given?
new cert
end
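Review bot: `cert.key_material.generate_key(4096)` runs inside the SNI callback for every new hostname (see cert_signing_https_server.rb, where `Ritm::Certificate.create(servername)` is called under `mutex.synchronize`), and 4096-bit RSA generation is several times slower than 2048-bit, so the first request to each host now stalls while the mutex is held and every other new host waits behind it. A 2048-bit key is enough to clear the browser weak-key check that the 1024-bit key triggered; better still, generate one leaf key at startup and reuse it for every on-the-fly certificate, since per-host keys buy nothing for an interception proxy and the cost then disappears from the request path.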
@@ -7,7 +7,12 @@ def default_settings # rubocop:disable Metrics/MethodLength
{
proxy: {
bind_address: '127.0.0.1',
bind_port: 8080
bind_port: 8080,
auth_proc: Proc.new do |req, res|
WEBrick::HTTPAuth.proxy_basic_auth(req, res, 'proxy') do |user, pass|
user == "user" && pass == "pass"
end
end
},

ssl_reverse_proxy: {
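Review bot: the default `auth_proc` ships hard-coded credentials (`user == "user" && pass == "pass"`), which is worse than no authentication: every existing user's clients now get a 407 until they configure Proxy-Authorization, while nothing is protected because the pair is public in the source. Default `auth_proc: nil` (WEBrick skips the check when ProxyAuthProc is unset) and document the `WEBrick::HTTPAuth.proxy_basic_auth` block as the opt-in; if a default check stays, take the credentials from configuration and compare them in constant time. Style points on the same lines: `Proc.new do |req, res|` should be `proc do |req, res|` (rubocop Style/Proc), the double-quoted `"user"` and `"pass"` clash with the single quotes used elsewhere in this file, and `webrick/httpauth` must be required wherever this proc is evaluated.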
@@ -34,7 +34,13 @@ def prepare_sni_callback(ctx, ca)
mutex.synchronize do
unless contexts.include? servername
cert = Ritm::Certificate.create(servername)
ca.sign(cert)
extensions = Ritm::CA.signing_profile
extensions['extensions']['subjectAltName'] = {
'dns_names' => [servername],
'uris' => [servername]
}
Comment on lines +38 to +41, Author: Fix "Subject Alternative Name Missing" in browser

ca.sign(cert, extensions)

contexts[servername] = context_with_cert(sock.context, cert)
end
end
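Review bot: `'uris' => [servername]` puts a bare hostname into a uniformResourceIdentifier SAN entry; `servername` is the SNI hostname, not a URI, so the entry is malformed and no client matches on it. Keep only `'dns_names' => [servername]`. The SAN also belongs next to the subject in `Ritm::Certificate.create` rather than in this callback, so every path that builds a leaf gets it, and the `extensions['extensions']['subjectAltName'] = ...` assignment is only safe because `Ritm::CA.signing_profile` returns a fresh literal on each call; say so in a comment or build the hash locally. Note that modern browsers ignore the CN entirely once a SAN is present, so the name-match fix rests on this single dNSName entry.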
@@ -64,3 +70,4 @@ def duplicate_context(original_ctx)
end
end
end

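Review bot: the only change in this hunk is an extra blank line after the final `end`, which rubocop's Layout/TrailingEmptyLines flags; drop it from the PR unless the file previously lacked its terminating newline.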
4 changes: 3 additions & 1 deletion lib/ritm/proxy/launcher.rb
@@ -44,6 +44,7 @@ def build_settings(session)
def build_proxy
@http = Ritm::Proxy::ProxyServer.new(BindAddress: @conf.proxy.bind_address,
Port: @conf.proxy.bind_port,
ProxyAuthProc: @conf.proxy.auth_proc,
AccessLog: [],
Logger: WEBrick::Log.new(File.open(File::NULL, 'w')),
https_forward: @https_forward,
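Review bot: `ProxyAuthProc: @conf.proxy.auth_proc` guards only the plain HTTP proxy on `proxy.bind_port`; the `SSLReverseProxy` built in the next method gets no equivalent hook, so once it binds a LAN address (the point of this PR) any host on that network can use the interception endpoint without credentials. Either add a matching authentication option there or document that the HTTPS side is unauthenticated by design. The README should also state that leaving `auth_proc` nil disables authentication, since WEBrick skips the check when ProxyAuthProc is unset.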
@@ -53,7 +54,8 @@ def build_proxy
end

def build_reverse_proxy
@https = Ritm::Proxy::SSLReverseProxy.new(@conf.ssl_reverse_proxy.bind_port,
@https = Ritm::Proxy::SSLReverseProxy.new(@conf.ssl_reverse_proxy.bind_address,
@conf.ssl_reverse_proxy.bind_port,
Comment on lines +57 to +58, Author: Allow access from a device on the same network; this is useful when you need to intercept HTTPS between an iOS app and a remote server.

@certificate,
@forwarder)
end
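Review bot: the visible configuration.rb hunk adds `proxy.auth_proc` but shows no `bind_address` default under `ssl_reverse_proxy`; if that key is missing, `@conf.ssl_reverse_proxy.bind_address` is nil and WEBrick's `BindAddress: nil` listens on every interface, which silently exposes the interception endpoint on all networks. The pre-PR call without a BindAddress behaved the same way, so this is the right moment to make it explicit: add `bind_address: '127.0.0.1'` to `default_settings` under `ssl_reverse_proxy` and treat a LAN address as a documented opt-in.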
@@ -9,13 +9,15 @@ module Proxy
# It does man-in-the-middle with on-the-fly certificate signing using the given CA
class SSLReverseProxy
# Creates a HTTPS server with the given settings
# @param host [String]: Host to bind the service
# @param port [Fixnum]: TCP port to bind the service
# @param ca [Ritm::CA]: The certificate authority used to sign fake server certificates
# @param forwarder [Ritm::HTTPForwarder]: Forwards http traffic with interception
def initialize(port, ca, forwarder)
def initialize(host, port, ca, forwarder)
@ca = ca
default_vhost = 'localhost'
@server = CertSigningHTTPSServer.new(Port: port,
@server = CertSigningHTTPSServer.new(BindAddress: host,
Port: port,
AccessLog: [],
Logger: WEBrick::Log.new(File.open(File::NULL, 'w')),
ca: ca,
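Review bot: inserting `host` as the first positional parameter of `initialize(host, port, ca, forwarder)` silently breaks any external caller of `SSLReverseProxy.new(port, ca, forwarder)`, which now passes a port where a host is expected; keyword arguments (`host:, port:, ca:, forwarder:`) would fail loudly instead and match the `BindAddress:`/`Port:` style already used for the WEBrick options. The YARD tag `@param host [String]` should also say what nil means (WEBrick binds every interface). Minor, in unchanged context: `[Fixnum]` on the port line is deprecated, Integer is the current name.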