From 96f6a82102e0cf91dcde90c7a64bc2eb36231337 Mon Sep 17 00:00:00 2001
From: Park jihee
Date: Thu, 4 Oct 2018 15:45:59 +0900
Subject: [PATCH 1/3] add subjectAltName for valid certification in recent browser

---
 proxy2.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/proxy2.py b/proxy2.py
index e2defb9..f759366 100644
--- a/proxy2.py
+++ b/proxy2.py
@@ -12,6 +12,7 @@
 import time
 import json
 import re
+from string import Template
 from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
 from SocketServer import ThreadingMixIn
 from cStringIO import StringIO
@@ -44,6 +45,7 @@ class ProxyRequestHandler(BaseHTTPRequestHandler):
     cacert = join_with_script_dir('ca.crt')
     certkey = join_with_script_dir('cert.key')
     certdir = join_with_script_dir('certs/')
+    conf_template = Template("subjectAltName=DNS:${hostname}")
     timeout = 5
     lock = threading.Lock()
 
@@ -69,13 +71,17 @@ def do_CONNECT(self):
     def connect_intercept(self):
         hostname = self.path.split(':')[0]
         certpath = "%s/%s.crt" % (self.certdir.rstrip('/'), hostname)
+        confpath = "%s/%s.cnf" % (self.certdir.rstrip('/'), hostname)
 
         with self.lock:
             if not os.path.isfile(certpath):
+                with open(confpath, 'w') as fp:
+                    fp.write(self.conf_template.substitute(hostname=hostname))
                 epoch = "%d" % (time.time() * 1000)
                 p1 = Popen(["openssl", "req", "-new", "-key", self.certkey, "-subj", "/CN=%s" % hostname], stdout=PIPE)
-                p2 = Popen(["openssl", "x509", "-req", "-days", "3650", "-CA", self.cacert, "-CAkey", self.cakey, "-set_serial", epoch, "-out", certpath], stdin=p1.stdout, stderr=PIPE)
+                p2 = Popen(["openssl", "x509", "-req", "-extfile", confpath, "-days", "3650", "-CA", self.cacert, "-CAkey", self.cakey, "-set_serial", epoch, "-out", certpath], stdin=p1.stdout, stderr=PIPE)
                 p2.communicate()
+                os.unlink(confpath)
 
         self.wfile.write("%s %d %s\r\n" % (self.protocol_version, 200, 'Connection Established'))
         self.end_headers()

From 6799338db57f599cf8a95dd681eb7106ade326c3 Mon Sep 17 00:00:00 2001
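Review bot: `conf_template` is filled with the CONNECT target verbatim, and `Template.substitute` does no escaping, so a value containing `,` (starts a second SAN entry), `$` (OpenSSL config variable expansion) or `#` (comment) is written straight into the extension file; whether such characters can reach `hostname` depends on the request-line parsing upstream, which is not visible here. The attribute deserves a comment stating that contract: `# Rendered into an openssl -extfile; ${hostname} must be a bare DNS name (no ',', '$', '#' or whitespace) -- validate before substituting.` The same raw value is also used for `/CN=%s` and for the `.crt`/`.cnf` file paths in the next hunk, so one validation point covering all three uses is preferable to escaping here.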
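Review bot: The added `os.unlink(confpath)` runs only on the happy path; if `open()` or either `Popen` raises (openssl missing, permission error), the `.cnf` file stays behind in `certs/`, and because the exit status of `p2.communicate()` is still discarded, an openssl rejection of the extension file leaves no `.crt` while the client is nonetheless told `200 Connection Established` and only sees an opaque handshake failure later. Wrap the generation in `try`/`finally` and surface a non-zero return code, as below; how an exception propagates out of `do_CONNECT` depends on the handler framework and is not visible here. `connect_intercept` is shown whole in this hunk, but the rest of `do_CONNECT` is outside it.
```python
                with open(confpath, 'w') as fp:
                    fp.write(self.conf_template.substitute(hostname=hostname))
                try:
                    epoch = "%d" % (time.time() * 1000)
                    # … unchanged: the p1/p2 Popen lines, now inside the try …
                    _, err = p2.communicate()
                    if p2.returncode != 0:
                        raise RuntimeError("openssl x509 failed for %s: %s" % (hostname, err))
                finally:
                    os.unlink(confpath)
```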
From: Park jihee
Date: Thu, 4 Oct 2018 22:17:23 +0900
Subject: [PATCH 2/3] support both IP certificate and DNS certificate

---
 proxy2.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/proxy2.py b/proxy2.py
index f759366..97ebacb 100644
--- a/proxy2.py
+++ b/proxy2.py
@@ -45,7 +45,7 @@ class ProxyRequestHandler(BaseHTTPRequestHandler):
     cacert = join_with_script_dir('ca.crt')
     certkey = join_with_script_dir('cert.key')
     certdir = join_with_script_dir('certs/')
-    conf_template = Template("subjectAltName=DNS:${hostname}")
+    conf_template = Template("subjectAltName=${category}:${hostname}")
     timeout = 5
     lock = threading.Lock()
 
@@ -70,13 +70,20 @@ def do_CONNECT(self):
 
     def connect_intercept(self):
         hostname = self.path.split(':')[0]
+        ippat = re.compile("^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
+        if ippat.match(hostname):
+            cert_category = "IP"
+        else:
+            cert_category = "DNS"
+
+
         certpath = "%s/%s.crt" % (self.certdir.rstrip('/'), hostname)
         confpath = "%s/%s.cnf" % (self.certdir.rstrip('/'), hostname)
 
         with self.lock:
             if not os.path.isfile(certpath):
                 with open(confpath, 'w') as fp:
-                    fp.write(self.conf_template.substitute(hostname=hostname))
+                    fp.write(self.conf_template.substitute(category = cert_category, hostname = hostname))
                 epoch = "%d" % (time.time() * 1000)
                 p1 = Popen(["openssl", "req", "-new", "-key", self.certkey, "-subj", "/CN=%s" % hostname], stdout=PIPE)
                 p2 = Popen(["openssl", "x509", "-req", "-extfile", confpath, "-days", "3650", "-CA", self.cacert, "-CAkey", self.cakey, "-set_serial", epoch, "-out", certpath], stdin=p1.stdout, stderr=PIPE)

From 693df4d17e5a7f26e67f46ef02e2a15780a5edc8 Mon Sep 17 00:00:00 2001
From: Jihee Park
Date: Mon, 4 Nov 2019 22:46:23 +0900
Subject: [PATCH 3/3] use stronger hash

---
 proxy2.py                | 2 +-
 setup_https_intercept.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/proxy2.py b/proxy2.py
index 97ebacb..b16c5a5 100644
--- a/proxy2.py
+++ b/proxy2.py
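Review bot: `ippat` only checks the shape of the address, so a target such as `999.1.1.1` is classified as `IP` and handed to openssl as `IP:999.1.1.1`, which openssl rejects; since the openssl exit status is never checked (the `p2.communicate()` call sits just past the end of this hunk), the outcome is a missing cert and a failed handshake rather than an error. `socket.inet_pton(socket.AF_INET, hostname)` gives a strict dotted-quad check without the regex (assuming the file already imports `socket`, which this hunk does not show), and it also removes the non-raw `"\d"` pattern, which warns on Python 3, and the per-request `re.compile`. IPv6 literals are still not handled: `self.path.split(':')[0]` on `[::1]:443` yields `[` before this code runs, though that split predates the commit. Minor style: the two added blank lines and the `category = cert_category` spacing inside the `substitute` call are not PEP 8.
```python
        hostname = self.path.split(':')[0]
        try:
            socket.inet_pton(socket.AF_INET, hostname)  # strict dotted quad; rejects 999.1.1.1
            cert_category = "IP"
        except (socket.error, ValueError):
            cert_category = "DNS"
        # … unchanged: certpath/confpath and the locked generation block …
```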
@@ -86,7 +86,7 @@ def connect_intercept(self):
                     fp.write(self.conf_template.substitute(category = cert_category, hostname = hostname))
                 epoch = "%d" % (time.time() * 1000)
                 p1 = Popen(["openssl", "req", "-new", "-key", self.certkey, "-subj", "/CN=%s" % hostname], stdout=PIPE)
-                p2 = Popen(["openssl", "x509", "-req", "-extfile", confpath, "-days", "3650", "-CA", self.cacert, "-CAkey", self.cakey, "-set_serial", epoch, "-out", certpath], stdin=p1.stdout, stderr=PIPE)
+                p2 = Popen(["openssl", "x509", "-req", "-extfile", confpath, "-days", "3650", "-CA", self.cacert, "-CAkey", self.cakey, "-set_serial", epoch, "-sha512", "-out", certpath], stdin=p1.stdout, stderr=PIPE)
                 p2.communicate()
                 os.unlink(confpath)
 
diff --git a/setup_https_intercept.sh b/setup_https_intercept.sh
index e630abc..7539988 100755
--- a/setup_https_intercept.sh
+++ b/setup_https_intercept.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
 openssl genrsa -out ca.key 2048
-openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=proxy2 CA"
+openssl req -new -x509 -days 3650 -key ca.key -sha512 -out ca.crt -subj "/CN=proxy2 CA"
 openssl genrsa -out cert.key 2048
 mkdir certs/
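Review bot: The new `-sha512` only affects certificates generated from now on: generation is skipped whenever `certs/<host>.crt` already exists (the `os.path.isfile(certpath)` guard just above this hunk, visible in the earlier patches on this page), so any leaf cert cached under the old default digest keeps being served until the directory is cleared, which the commit message should say or the cache key should encode. SHA-512 is accepted by browsers but buys nothing over `-sha256` here, and the `-days 3650` on the same line is the more likely reason a current browser rejects these leaf certs, since mainstream trust stores now cap leaf validity at 398 days (a policy that post-dates this commit). `connect_intercept` starts and ends outside this hunk.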
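Review bot: `ca.key`, the private key that every browser importing `ca.crt` will trust, is still written with the process's default umask, so it typically lands as mode 0644, and the script keeps going when an openssl step fails; the new `-sha512` does not change either. Prefix the script with `set -e` and `umask 077` (or run `chmod 600 ca.key cert.key` after generation). This predates the commit, but the line being edited is the one that consumes `ca.key`.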