fix: implement correct SAN for ctx cert

src/proxy/tinymitm/ssl.cpp

@@ -38,7 +38,7 @@ bool CertificateManager::init()
 
     // der cache
     _sessionKeyDer.resize(4096);
-    int derLen = wc_RsaKeyToDer(_sessionKey.get(), _sessionKeyDer.data(), (word32)_sessionKeyDer.size());
+    int derLen = wc_RsaKeyToDer(_sessionKey.get(), _sessionKeyDer.data(), static_cast<word32>(_sessionKeyDer.size()));
     if (derLen < 0) return false;
     _sessionKeyDer.resize(derLen);
 
@@ -51,32 +51,59 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
     if (_hostContexts.count(host)) return _hostContexts[host];
     if (!_caKey) return nullptr;
 
+    std::string hostTrimmed = host;
+    hostTrimmed.erase(0, hostTrimmed.find_first_not_of(" \t\r\n"));
+    hostTrimmed.erase(hostTrimmed.find_last_not_of(" \t\r\n") + 1);
+
+    /*
+        cert config
+    */
     auto cert = std::make_unique<Cert>();
     memset(cert.get(), 0, sizeof(Cert));
     wc_InitCert(cert.get());
 
-    strncpy_s(cert->subject.commonName, sizeof(cert->subject.commonName), host.c_str(), _TRUNCATE);
+    cert->version = 2;
     cert->sigType = CTC_SHA256wRSA;
     cert->daysValid = 365;
 
-    uint32_t serial = std::hash<std::string>{}(host) & 0x7FFFFFFF;
+    strncpy_s(cert->subject.commonName, sizeof(cert->subject.commonName), hostTrimmed.c_str(), _TRUNCATE);
-    memcpy(cert->serial, &serial, sizeof(serial));
+    wc_SetIssuerBuffer(cert.get(), _caCertDer.data(), (int)_caCertDer.size());
-    cert->serialSz = sizeof(serial);
 
-    wc_SetAltNames(cert.get(), host.c_str());
+    // serial hash based on host
+    uint32_t hash = (uint32_t)std::hash<std::string>{}(hostTrimmed) & 0x7FFFFFFF;
+    cert->serialSz = 4;
+    cert->serial[0] = (hash >> 24) & 0xFF;
+    cert->serial[1] = (hash >> 16) & 0xFF;
+    cert->serial[2] = (hash >> 8) & 0xFF;
+    cert->serial[3] = hash & 0xFF;
 
+    // SAN
+    std::vector<unsigned char> sanDer;
+    sanDer.push_back(0x30);
+    sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length() + 2));
+    sanDer.push_back(0x82);
+    sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length()));
+    sanDer.insert(sanDer.end(), hostTrimmed.begin(), hostTrimmed.end());
+
+    memcpy(cert->altNames, sanDer.data(), sanDer.size());
+    cert->altNamesSz = (word16)sanDer.size();
+
+    /*
+        cert sign
+    */
     std::vector<unsigned char> hostCertDer(4096);
     int certLen =
         wc_MakeCert(cert.get(), hostCertDer.data(), (word32)hostCertDer.size(), _sessionKey.get(), nullptr, _rng.get());
 
     certLen = wc_SignCert(cert->bodySz, cert->sigType, hostCertDer.data(), (word32)hostCertDer.size(), _caKey.get(),
                           nullptr, _rng.get());
-
     hostCertDer.resize(certLen);
 
-    WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
+    /*
+        context setup
+    */
+    WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method());
     if (!ctx) return nullptr;
-
     if (wolfSSL_CTX_use_certificate_buffer(ctx, hostCertDer.data(), (long)hostCertDer.size(), WOLFSSL_FILETYPE_ASN1) !=
             WOLFSSL_SUCCESS ||
         wolfSSL_CTX_use_PrivateKey_buffer(ctx, _sessionKeyDer.data(), (long)_sessionKeyDer.size(),
@@ -85,7 +112,6 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
         wolfSSL_CTX_free(ctx);
         return nullptr;
     }
-
     _hostContexts[host] = ctx;
     return ctx;
 }