fix: misc ssl changes

2026-06-19 07:02:44 -03:00
parent f5442a8fc4
commit b7a0d494fb
+34 -19
@@ -62,10 +62,17 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
memset(cert.get(), 0, sizeof(Cert)); memset(cert.get(), 0, sizeof(Cert));
wc_InitCert(cert.get()); wc_InitCert(cert.get());
cert->isCA = 0;
cert->basicConstSet = 1;
cert->basicConstCrit = 0;
cert->version = 2; cert->version = 2;
cert->sigType = CTC_SHA256wRSA; cert->sigType = CTC_SHA256wRSA;
cert->daysValid = 365; cert->daysValid = 365;
cert->keyUsage = KEYUSE_DIGITAL_SIG | KEYUSE_KEY_ENCIPHER;
cert->extKeyUsage = EXTKEYUSE_SERVER_AUTH;
strncpy_s(cert->subject.commonName, sizeof(cert->subject.commonName), hostTrimmed.c_str(), _TRUNCATE); strncpy_s(cert->subject.commonName, sizeof(cert->subject.commonName), hostTrimmed.c_str(), _TRUNCATE);
wc_SetIssuerBuffer(cert.get(), _caCertDer.data(), (int)_caCertDer.size()); wc_SetIssuerBuffer(cert.get(), _caCertDer.data(), (int)_caCertDer.size());
@@ -78,41 +85,41 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
cert->serial[3] = hash & 0xFF; cert->serial[3] = hash & 0xFF;
// SAN // SAN
std::vector<unsigned char> sanDer; strncpy_s(reinterpret_cast<char*>(cert->altNames), sizeof(cert->altNames), hostTrimmed.c_str(), _TRUNCATE);
sanDer.push_back(0x30); cert->altNamesSz = static_cast<word16>(hostTrimmed.length());
sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length() + 2));
sanDer.push_back(0x82);
sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length()));
sanDer.insert(sanDer.end(), hostTrimmed.begin(), hostTrimmed.end());
memcpy(cert->altNames, sanDer.data(), sanDer.size()); wc_SetSubjectKeyIdFromPublicKey(cert.get(), _sessionKey.get(), nullptr);
cert->altNamesSz = static_cast<word16>(sanDer.size()); wc_SetAuthKeyIdFromCert(cert.get(), _caCertDer.data(), _caCertDer.size());
/* /*
cert sign cert sign
*/ */
std::vector<unsigned char> hostCertDer(4096); std::vector<unsigned char> hostCertDer(8192);
int certLen = int certLen = wc_MakeCert(cert.get(), hostCertDer.data(), static_cast<word32>(hostCertDer.size()),
wc_MakeCert(cert.get(), hostCertDer.data(), static_cast<word32>(hostCertDer.size()), _sessionKey.get(), nullptr, _rng.get()); _sessionKey.get(), nullptr, _rng.get());
if (certLen < 0) return nullptr;
certLen = wc_SignCert(cert->bodySz, cert->sigType, hostCertDer.data(), static_cast<word32>(hostCertDer.size()), _caKey.get(), int signedLen = wc_SignCert(cert->bodySz, cert->sigType, hostCertDer.data(),
nullptr, _rng.get()); static_cast<word32>(hostCertDer.size()), _caKey.get(), nullptr, _rng.get());
hostCertDer.resize(certLen); if (signedLen < 0) return nullptr;
hostCertDer.resize(signedLen);
/* /*
context setup context setup
*/ */
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfTLS_server_method());
if (!ctx) return nullptr; if (!ctx) return nullptr;
if (wolfSSL_CTX_use_certificate_buffer(ctx, hostCertDer.data(), static_cast<long>(hostCertDer.size()), WOLFSSL_FILETYPE_ASN1) != if (wolfSSL_CTX_use_certificate_buffer(ctx, hostCertDer.data(), static_cast<long>(hostCertDer.size()),
WOLFSSL_SUCCESS || WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS ||
wolfSSL_CTX_use_PrivateKey_buffer(ctx, _sessionKeyDer.data(), static_cast<long>(_sessionKeyDer.size()), wolfSSL_CTX_use_PrivateKey_buffer(ctx, _sessionKeyDer.data(), static_cast<long>(_sessionKeyDer.size()),
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS)
{ {
wolfSSL_CTX_free(ctx); wolfSSL_CTX_free(ctx);
return nullptr; return nullptr;
} }
_hostContexts[host] = ctx; _hostContexts[host] = ctx;
return ctx; return ctx;
} }
@@ -172,10 +179,15 @@ bool CertificateManager::generateAndSaveCA(const char* caName, int days, const s
cert->sigType = CTC_SHA256wRSA; cert->sigType = CTC_SHA256wRSA;
cert->daysValid = days; cert->daysValid = days;
cert->keyUsage = KEYUSE_KEY_CERT_SIGN | KEYUSE_CRL_SIGN; cert->keyUsage = KEYUSE_KEY_CERT_SIGN | KEYUSE_CRL_SIGN;
cert->pathLenSet = 0;
cert->pathLen = 0;
cert->serialSz = 1; cert->serialSz = 1;
cert->serial[0] = 1; cert->serial[0] = 1;
wc_SetSubjectKeyIdFromPublicKey(cert.get(), _caKey.get(), 0);
wc_SetAuthKeyIdFromCert(cert.get(), _caCertDer.data(), _caCertDer.size());
/* /*
CA sign CA sign
*/ */
@@ -239,7 +251,8 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
std::vector<unsigned char> keyDer; std::vector<unsigned char> keyDer;
DerBuffer* derBuff = nullptr; DerBuffer* derBuff = nullptr;
int ret = wc_PemToDer(certPem.data(), static_cast<long>(certPem.size()), CERT_TYPE, &derBuff, nullptr, nullptr, nullptr); int ret =
wc_PemToDer(certPem.data(), static_cast<long>(certPem.size()), CERT_TYPE, &derBuff, nullptr, nullptr, nullptr);
if (ret == 0 && derBuff) if (ret == 0 && derBuff)
{ {
certDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length); certDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length);
@@ -249,7 +262,8 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
return false; return false;
derBuff = nullptr; derBuff = nullptr;
ret = wc_PemToDer(keyPem.data(), static_cast<long>(keyPem.size()), PRIVATEKEY_TYPE, &derBuff, nullptr, nullptr, nullptr); ret = wc_PemToDer(keyPem.data(), static_cast<long>(keyPem.size()), PRIVATEKEY_TYPE, &derBuff, nullptr, nullptr,
nullptr);
if (ret == 0 && derBuff) if (ret == 0 && derBuff)
{ {
keyDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length); keyDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length);
@@ -260,6 +274,7 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
return decodeCA(certDer, keyDer); return decodeCA(certDer, keyDer);
} }
bool CertificateManager::decodeCA(const std::vector<unsigned char>& certDer, const std::vector<unsigned char>& keyDer) bool CertificateManager::decodeCA(const std::vector<unsigned char>& certDer, const std::vector<unsigned char>& keyDer)
{ {
if (certDer.empty() || keyDer.empty()) return false; if (certDer.empty() || keyDer.empty()) return false;
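Review bot: The new SAN handling in createHostContext (second hunk, the `strncpy_s(reinterpret_cast<char*>(cert->altNames), …)` / `cert->altNamesSz = static_cast<word16>(hostTrimmed.length())` pair) copies the bare hostname into `altNames`, whereas the removed code built a DER GeneralNames value (`0x30 len 0x82 len dNSName`); if wolfSSL emits `altNames` verbatim as the extension body, as that code assumed, the resulting SubjectAltName is malformed and peers will fail hostname matching, so the encoder should be restored rather than replaced. Independently of that, `_TRUNCATE` may shorten the copy while `altNamesSz` is still taken from the untruncated `hostTrimmed.length()`, so an over-long host name (untrusted input if it comes from SNI) leaves a size larger than the bytes actually written; guard it before encoding, e.g. `if (hostTrimmed.empty() || hostTrimmed.length() > 125 || hostTrimmed.length() + 4 > sizeof(cert->altNames)) return nullptr;` (125 keeps both DER lengths in short form). The return values of `wc_SetSubjectKeyIdFromPublicKey` and `wc_SetAuthKeyIdFromCert` are ignored in both createHostContext and generateAndSaveCA; a failure there silently drops the key identifiers, so check them like `wc_MakeCert`. In generateAndSaveCA, `wc_SetAuthKeyIdFromCert(cert.get(), _caCertDer.data(), _caCertDer.size())` runs before the CA certificate is signed, so `_caCertDer` presumably holds stale or empty data at that point — confirm what it contains, and consider `wc_SetAuthKeyIdFromPublicKey` with `_caKey` for a self-signed root. createHostContext and generateAndSaveCA both begin outside these hunks.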