I've been having some trouble navigating the confusing world of Ruby's OpenSSL library.
The desired end result is to dynamically create SSL server certificates and keys for use with WEBrick::HTTPProxyServer,
each with a CN corresponding to the requested domain, and all sharing the same CA.
The reason for this is to allow the HTTP proxy to intercept and monitor the HTTPS traffic of sites with HSTS
headers enabled, by first loading the CA cert into the browser so that my self-signed certificates look legitimate for each given site.
If anyone has experience with this, code examples would be much appreciated.
Thanks in advance.
PS. Nothing sinister here, just improving the features of penetration testing software.
Answer 0 (score: 1)
Figured it out. :)
require 'openssl'

# Load the shared interceptor CA (the two paths are constants defined elsewhere).
ca     = OpenSSL::X509::Certificate.new( File.read( INTERCEPTOR_CA_CERTIFICATE ) )
ca_key = OpenSSL::PKey::RSA.new( File.read( INTERCEPTOR_CA_KEY ) )

# Fresh key pair for this host's certificate. 4096-bit RSA generation takes
# seconds; generate once per host and cache the result in a busy proxy.
keypair = OpenSSL::PKey::RSA.new( 4096 )

# CSR carrying the subject; the CN is the requested origin host.
req = OpenSSL::X509::Request.new
req.version = 0
# Leading "/" so OpenSSL::X509::Name.parse splits on "/"; newer openssl gems
# split on "," when the string does not start with "/", which would turn the
# whole string into a single CN.
req.subject = OpenSSL::X509::Name.parse(
  "/CN=www.origin-server.com/O=Arachni/OU=Proxy/L=Athens/ST=Attika/C=GR"
)
req.public_key = keypair.public_key
req.sign( keypair, OpenSSL::Digest.new( 'SHA256' ) )

cert = OpenSSL::X509::Certificate.new
cert.version = 2                      # X509v3 (zero-based)
# Random 64-bit serial: browsers reject a reused issuer+serial pair, and
# rand(999999) collides quickly when certificates are minted per host.
cert.serial = OpenSSL::BN.rand( 64 )
cert.not_before = Time.new
cert.not_after  = cert.not_before + (60 * 60 * 24 * 365)
cert.public_key = req.public_key
cert.subject    = req.subject
cert.issuer     = ca.subject

ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate  = ca
cert.extensions = [
  ef.create_extension( 'basicConstraints', 'CA:FALSE', true ),
  ef.create_extension( 'extendedKeyUsage', 'serverAuth', false ),
  # Browsers match the requested host against subjectAltName and ignore the CN.
  ef.create_extension( 'subjectAltName', 'DNS:www.origin-server.com', false ),
  ef.create_extension( 'subjectKeyIdentifier', 'hash' ),
  # keyid:always requires the CA certificate to carry a subjectKeyIdentifier.
  ef.create_extension( 'authorityKeyIdentifier', 'keyid:always,issuer:always' ),
  ef.create_extension( 'keyUsage',
    %w(nonRepudiation digitalSignature
       keyEncipherment dataEncipherment).join(","),
    true
  )
]
# SHA-256: browsers no longer accept SHA-1 signatures on leaf certificates.
cert.sign( ca_key, OpenSSL::Digest.new( 'SHA256' ) )
Useful resources:
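The same per-host minting as a stand-alone script, added here as an example; it is not code from the question or the answer above. It builds a throwaway CA in memory (the CA name "Example Interceptor CA" and the hostnames are made up), caches one leaf certificate per requested host, selects that leaf from SNI via servername_cb, and then checks the result the way a browser would: chain to the CA, and match the host against the subjectAltName. Names like build_ca, issue_leaf, LeafCache and trusted_by? are this example's own, not library API.

```ruby
require 'openssl'
require 'ipaddr'

# Self-signed CA built in memory so the example runs stand-alone. A proxy
# would load its CA from disk instead. The CA name is made up.
def build_ca(bits: 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', 'Example Interceptor CA'], ['O', 'Example']])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + 10 * 365 * 24 * 60 * 60
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Leaf certificate for one requested host, signed by the CA. The CN mirrors
# the host as in the answer; the subjectAltName is what browsers actually
# match, so it is set too (an IP entry when the host is a literal address).
def issue_leaf(host, ca_cert, ca_key, bits: 2048, lifetime: 365 * 24 * 60 * 60)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)   # unique per cert; reuse is rejected
  cert.subject    = OpenSSL::X509::Name.new([['CN', host]])
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + lifetime
  san = (IPAddr.new(host) rescue nil) ? "IP:#{host}" : "DNS:#{host}"
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Mint each host's certificate once and reuse it: RSA key generation is far
# too slow to repeat on every CONNECT.
class LeafCache
  def initialize(ca_cert, ca_key)
    @ca_cert, @ca_key, @cache, @lock = ca_cert, ca_key, {}, Mutex.new
  end

  def for_host(host)
    h = host.downcase
    @lock.synchronize { @cache[h] ||= issue_leaf(h, @ca_cert, @ca_key) }
  end
end

# Server-side TLS context for the proxy: the browser names the site in SNI
# and servername_cb swaps in that host's leaf certificate.
def proxy_ssl_context(cache, default_host = 'localhost')
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cache.for_host(default_host)   # used when no SNI is sent
  ctx.servername_cb = lambda do |_ssl_socket, hostname|
    leaf, key = cache.for_host(hostname)
    host_ctx = OpenSSL::SSL::SSLContext.new
    host_ctx.cert, host_ctx.key = leaf, key
    host_ctx
  end
  ctx
end

# What a client would conclude: chain to the given roots, then match the
# host against the certificate (SAN first, CN only as a fallback).
def trusted_by?(leaf, host, *roots)
  store = OpenSSL::X509::Store.new
  roots.each { |r| store.add_cert(r) }
  store.verify(leaf) && OpenSSL::SSL.verify_certificate_identity(leaf, host)
end

if __FILE__ == $0
  ca_cert, ca_key = build_ca
  cache = LeafCache.new(ca_cert, ca_key)
  leaf, _key = cache.for_host('www.origin-server.com')
  puts leaf.to_text
  puts "with CA installed:    #{trusted_by?(leaf, 'www.origin-server.com', ca_cert)}"
  puts "without CA installed: #{trusted_by?(leaf, 'www.origin-server.com')}"
end
```

trusted_by? shows both halves of the question's trust model: with the CA in the store the per-host leaf verifies, without it the same leaf fails, exactly as it would in a browser that has not imported the CA. WEBrick::HTTPProxyServer tunnels CONNECT requests through untouched (do_CONNECT), so to see inside the TLS stream the proxy must terminate TLS itself with a context like proxy_ssl_context before forwarding the decrypted request.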