Merge pull request #66 from joeferner/wilcard

Wilcard certificates

Author: joeferner

README.md

@@ -161,15 +161,26 @@ __Arguments__
  * hostname - Requested hostname.
  * callback - The function to be called when certificate files' path were already computed.
 
-__Example__
+__Example 1__
 
     proxy.onCertificateRequired = function(hostname, callback) {
       return callback(null, {
         keyFile: path.resolve('/ca/certs/', hostname + '.key'),
         certFile: path.resolve('/ca/certs/', hostname + '.crt')
-        });
+      });
+    };
+
+__Example 2: Wilcard certificates__
+
+    proxy.onCertificateRequired = function(hostname, callback) {
+      return callback(null, {
+        keyFile: path.resolve('/ca/certs/', hostname + '.key'),
+        certFile: path.resolve('/ca/certs/', hostname + '.crt'),
+        hosts: ["*.mydomain.com"]
+      });
     };
 
+
 <a name="proxy_onCertificateMissing" />
 ### proxy.onCertificateMissing = function(ctx, files, callback)
 
@@ -181,10 +192,10 @@ __Arguments__
  * hostname - The hostname which requires certificates
  * data.keyFileExists - Whether key file exists or not
  * data.certFileExists - Whether certificate file exists or not
-* files - missing files names (`files.keyFile` and `files.certFile`)
+* files - missing files names (`files.keyFile`, `files.certFile` and optional `files.hosts`)
 * callback - The function to be called to pass certificate data back (`keyFileData` and `certFileData`)
 
-__Example__
+__Example 1__
 
     proxy.onCertificateMissing = function(ctx, files, callback) {
       console.log('Looking for "%s" certificates',   ctx.hostname);
@@ -200,6 +211,17 @@ __Example__
       // });
       };
 
+__Example 2: Wilcard certificates__
+
+    proxy.onCertificateMissing = function(ctx, files, callback) {
+      return callback(null, {
+        keyFileData: keyFileData,
+        certFileData: certFileData,
+        hosts: ["*.mydomain.com"]
+      });
+    };
+
+
 <a name="proxy_onRequest" />
 ### proxy.onRequest(fn) or ctx.onRequest(fn)
 
@@ -424,6 +446,10 @@ __Example__
       onWebSocketClose: function(ctx, code, message, callback) {  },
     });
 
+node-http-mitm-proxy provide some ready to use modules:
+- `Proxy.gunzip` Gunzip response filter (uncompress gzipped content before onResponseData and compress back after)
+- `Proxy.wildcard` Generates wilcard certificates by default (so less certificates are generated)
+
 <a name="context"/>
 ## Context
 

bin/mitm-proxy.js

@@ -20,9 +20,9 @@ if (args.help) {
 }
 
 var proxy = require('../lib/proxy')();
-proxy.onError(function(ctx, err) {
+proxy.onError(function(ctx, err, errorKind) {
   if (!args.silent) {
-    console.error('proxy error:', err);
+    console.error(errorKind, err);
   }
 });
 proxy.listen(args);

examples/wildcard.js

@@ -0,0 +1,17 @@
+'use strict';
+
+var port = 8081;
+
+var Proxy = require('../');
+var proxy = Proxy();
+
+proxy.use(Proxy.wildcard);
+
+proxy.onError(function(ctx, err, errorKind) {
+  // ctx may be null
+  var url = (ctx && ctx.clientToProxyRequest) ? ctx.clientToProxyRequest.url : '';
+  console.error(errorKind + ' on ' + url + ':', err);
+});
+
+proxy.listen({ port: port });
+console.log('listening on ' + port);

lib/ca.js

@@ -48,15 +48,6 @@ var CAextensions = [{
   sslCA: true,
   emailCA: true,
   objCA: true
-}, {
-  name: 'subjectAltName',
-  altNames: [{
-    type: 6, // URI
-    value: 'http://example.org/webid#me'
-  }, {
-    type: 7, // IP
-    ip: '127.0.0.1'
-  }]
 }, {
   name: 'subjectKeyIdentifier'
 }];
@@ -127,7 +118,6 @@ var CA = function (caFolder) {
   } catch (e) {
     this.generateCA();
   }
-  this.currentlyGenerating = {};
 };
 
 CA.prototype.randomSerialNumber = function () {
@@ -169,7 +159,9 @@ CA.prototype.loadCA = function () {
   };
 };
 
-CA.prototype.generateServerCertificateKeys = function (hostname, cb) {
+CA.prototype.generateServerCertificateKeys = function (hosts, cb) {
+  if (typeof(hosts) === "string") hosts = [hosts];
+  var mainHost = hosts[0];
   var keysServer = pki.rsa.generateKeyPair(1024);
   var certServer = pki.createCertificate();
   certServer.publicKey = keysServer.publicKey;
@@ -180,52 +172,26 @@ CA.prototype.generateServerCertificateKeys = function (hostname, cb) {
   var attrsServer = ServerAttrs.slice(0);
   attrsServer.unshift({
     name: 'commonName',
-    value: hostname
+    value: mainHost
   })
   certServer.setSubject(attrsServer);
   certServer.setIssuer(this.CAcert.issuer.attributes);
-  certServer.setExtensions(ServerExtensions);
+  certServer.setExtensions(ServerExtensions.concat([{
+    name: 'subjectAltName',
+    altNames: hosts.map(function(host) {
+      return {type: 2, value: host};
+    })
+  }]));
   certServer.sign(this.CAkeys.privateKey, Forge.md.sha256.create());
   var certPem = pki.certificateToPem(certServer);
   var keyPrivatePem = pki.privateKeyToPem(keysServer.privateKey)
   var keyPublicPem = pki.publicKeyToPem(keysServer.publicKey)
-  FS.writeFile(this.certsFolder + '/' + hostname + '.pem', certPem);
-  FS.writeFile(this.keysFolder + '/' + hostname + '.key', keyPrivatePem);
-  FS.writeFile(this.keysFolder + '/' + hostname + '.public.key', keyPublicPem);
+  FS.writeFile(this.certsFolder + '/' + mainHost.replace(/\*/g, '_') + '.pem', certPem);
+  FS.writeFile(this.keysFolder + '/' + mainHost.replace(/\*/g, '_') + '.key', keyPrivatePem);
+  FS.writeFile(this.keysFolder + '/' + mainHost.replace(/\*/g, '_') + '.public.key', keyPublicPem);
   cb(certPem, keyPrivatePem);
 };
 
-CA.prototype.getServerCertificateKeys = function (hostname, cb) {
-  if (this.currentlyGenerating.hasOwnProperty(hostname)) {
-    this.currentlyGenerating[hostname].push(cb);
-  } else {
-    this.currentlyGenerating[hostname] = [cb];
-    FS.stat(this.certsFolder + '/' + hostname + '.pem', function (err, stat) {
-      if (typeof err !== 'undefined') {
-        this.generateServerCertificateKeys(hostname, function (cert, key) {
-          // possible race condition here...
-          var tmp = this.currentlyGenerating[hostname];
-          tmp.forEach(function (c) {
-            c(cert, key);
-          });
-          delete this.currentlyGenerating[hostname];
-        }.bind(this));
-      } else {
-        FS.readFile(this.certsFolder + '/' + hostname + '.pem', function (err, dataCert) {
-          FS.readFile(this.keysFolder + '/' + hostname + '.key', function (err, dataKey) {
-            // possible race condition here...
-            var tmp = this.currentlyGenerating[hostname];
-            tmp.forEach(function (c) {
-              c(dataCert, dataKey);
-            });
-            delete this.currentlyGenerating[hostname];
-          }.bind(this));
-        }.bind(this));
-      }
-    }.bind(this));
-  }
-};
-
 CA.prototype.getCACertPath = function () {
   return this.certsFolder + '/ca.pem';
 };

lib/middleware/wildcard.js

@@ -0,0 +1,23 @@
+'use strict';
+
+/**
+ * group1: subdomain
+ * group2: domain.ext
+ * exclude short domains (length < 4) to avoid catching double extensions (ex: net.au, co.uk, ...)
+ */
+const HOSTNAME_REGEX = /^(.+)(\.[^\.]{4,}(\.[^\.]{1,3})*\.[^\.]+)$/;
+
+module.exports = {
+  onCertificateRequired: function (hostname, callback) {
+    var rootHost = hostname;
+    if (HOSTNAME_REGEX.test(hostname)) {
+    	rootHost = hostname.replace(/^[^\.]+\./, '');
+    }
+    return callback(null, {
+      keyFile: this.sslCaDir + '/keys/_.' + rootHost + '.key',
+      certFile: this.sslCaDir + '/certs/_.' + rootHost + '.pem',
+      hosts: ['*.' + rootHost, rootHost]
+    });
+    return this;
+  }
+};