From 7c221d6f3308d39e489193b50f4f4bd932ea487a Mon Sep 17 00:00:00 2001 From: Zinovii Dmytriv Date: Thu, 16 Feb 2017 22:05:15 +0200 Subject: [PATCH 01/31] Initial commit --- .gitignore | 4 + circle.yml | 20 ++ pom.xml | 234 +++++++++++------- .../mitm/BouncyCastleSslEngineSource.java | 34 ++- .../mitm/CertificateSniffingMitmManager.java | 17 +- .../proxy/mitm/LittleProxyMitmProxy.java | 2 +- 6 files changed, 200 insertions(+), 111 deletions(-) create mode 100644 circle.yml diff --git a/.gitignore b/.gitignore index 0ca11bd..621bbe2 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,7 @@ /*.log /littleproxy_cert /littleproxy_keystore.jks + +### IntelliJ template +.idea/ +*.iml diff --git a/circle.yml b/circle.yml new file mode 100644 index 0000000..5b55da8 --- /dev/null +++ b/circle.yml @@ -0,0 +1,20 @@ +--- +general: + branches: + ignore: + - /release.*/ +machine: + java: + version: oraclejdk8 +dependencies: + override: + - mvn clean dependency:go-offline install -Dmaven.test.skip=true --fail-never --threads 5 -B +test: + override: + - mvn test -T2C -Djacoco.haltOnFailure=true -Dsurefire.rerunFailingTestsCount=2 +deployment: + snapshot: + branch: vgs-edition + owner: verygoodsecurity + commands: + - mvn deploy -DskipTests=true diff --git a/pom.xml b/pom.xml index 4741748..71aeee2 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.1.1-SNAPSHOT + 1.0.0-VGS LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. @@ -79,14 +79,12 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. --> - + 
@@ -117,6 +115,58 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. 3.0.4 + + + spring-snapshots + Spring Snapshots + http://repo.spring.io/snapshot + + true + + + + + spring-milestones + Spring Milestones + http://repo.spring.io/milestone + + false + + + + + spring-releases + Spring Releases + http://repo.spring.io/release + + false + + + + + jcenter + jcenter + https://jcenter.bintray.com/ + + + + repo.spring.io + repo.spring.io + http://repo.spring.io/libs-snapshot-local + + + + + + yle-public + Yle public repository + http://maven.c4.yle.fi/release + + false + + + + @@ -211,26 +261,26 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - - org.apache.maven.plugins - maven-javadoc-plugin - 2.10.3 - - private - 1.7 - - http://netty.io/4.0/api/ - - - - - attach-javadocs - - jar - - - - + + + + + + + + + + + + + + + + + + + + org.sonatype.plugins @@ -259,9 +309,9 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - kr.motd.maven - os-maven-plugin - 1.2.3.Final + fi.yle.tools + aws-maven + 1.4.0 @@ -269,18 +319,18 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - - org.codehaus.mojo - findbugs-maven-plugin - 2.5.2 - + + + + + - - - org.apache.maven.plugins - maven-project-info-reports-plugin - 2.6 - + + + + + + - - org.codehaus.mojo - taglist-maven-plugin - 2.4 - - true - - mudo - todo - idea - MUDO - TODO - IDEA - - - - - - org.apache.maven.plugins - maven-surefire-report-plugin - 2.16 - - false - - - - - org.apache.maven.plugins - maven-changes-plugin - 2.8 - - - - github-report - - - - - - - org.codehaus.mojo - jxr-maven-plugin - 2.3 - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
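Review bot: The repositories added in this hunk (spring-snapshots, spring-milestones, spring-releases, repo.spring.io and yle-public) are declared with plain `http://` URLs, so artifacts and their checksums are fetched over an unauthenticated channel and can be substituted in transit; jcenter is the only https entry. The `fi.yle.tools:aws-maven` build extension introduced in the `@@ -259,9 +309,9` hunk of this file appears to resolve from that same yle-public http URL and then runs inside the build, which makes the exposure a code-execution one rather than a dependency one. Switch every entry to `https://` (Maven 3.8.1+ refuses external http repositories by default), and reconsider enabling snapshot resolution for spring-snapshots, since snapshots can change under the same coordinates and break reproducibility. The pom markup is stripped in this view, so the exact element names are inferred from the surviving values.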
@@ -347,14 +397,16 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - - ossrh - https://oss.sonatype.org/content/repositories/snapshots - - ossrh - https://oss.sonatype.org/service/local/staging/deploy/maven2/ + vg-release + VG Release Repository + s3://very-good/software/release/ + + vg-snapshot + VG Snapshot Repository + s3://very-good/software/snapshot/ + diff --git a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java index 24973dc..f636bdd 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java +++ b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java @@ -108,8 +108,17 @@ public BouncyCastleSslEngineSource(Authority authority, this.trustAllServers = trustAllServers; this.sendCerts = sendCerts; this.serverSSLContexts = sslContexts; + + init(); + } + + protected void init() + throws RootCertificateException, GeneralSecurityException, + OperatorCreationException, IOException { + initializeKeyStore(); - initializeSSLContext(); + KeyStore ks = loadCACertificates(); + sslContext = initializeSSLContext(ks); } /** @@ -167,14 +176,14 @@ private void filterWeakCipherSuites(SSLEngine sslEngine) { } public SSLEngine newSslEngine() { - SSLEngine sslEngine = sslContext.createSSLEngine(); + SSLEngine sslEngine = getSSLContext().createSSLEngine(); filterWeakCipherSuites(sslEngine); return sslEngine; } @Override public SSLEngine newSslEngine(String remoteHost, int remotePort) { - SSLEngine sslEngine = sslContext + SSLEngine sslEngine = getSSLContext() .createSSLEngine(remoteHost, remotePort); sslEngine.setUseClientMode(true); if (!tryHostNameVerificationJava7(sslEngine)) { 
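Review bot: `init()` is now a protected, overridable method invoked from the `BouncyCastleSslEngineSource` constructor, so a subclass override runs before the subclass's own fields are initialised and can observe a half-constructed object; since `initializeKeyStore`, `loadCACertificates` and `initializeSSLContext` are each protected as well, an override can also replace the trust-manager setup without the constructor noticing. If the intent is only to let subclasses customise the individual steps, keep `init()` `private` (or `final`) and leave the step methods protected; otherwise state the constraint in Javadoc on `init()`: `/** Called once from the constructor; overrides must not read subclass state. */`. The constructor's opening lines are outside the hunk.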
@@ -184,6 +193,10 @@ public SSLEngine newSslEngine(String remoteHost, int remotePort) { return sslEngine; } + protected SSLContext getSSLContext() { + return sslContext; + } + private boolean tryHostNameVerificationJava7(SSLEngine sslEngine) { for (Method method : SSLParameters.class.getMethods()) { // method is available since Java 7 @@ -209,7 +222,7 @@ private boolean tryHostNameVerificationJava7(SSLEngine sslEngine) { return false; } - private void initializeKeyStore() throws RootCertificateException, + protected void initializeKeyStore() throws RootCertificateException, GeneralSecurityException, OperatorCreationException, IOException { if (authority.aliasFile(KEY_STORE_FILE_EXTENSION).exists() && authority.aliasFile(".pem").exists()) { @@ -234,13 +247,16 @@ private void initializeKeyStore() throws RootCertificateException, exportPem(authority.aliasFile(".pem"), cert); } - private void initializeSSLContext() throws GeneralSecurityException, - IOException { + protected KeyStore loadCACertificates() throws GeneralSecurityException, IOException { KeyStore ks = loadKeyStore(); caCert = ks.getCertificate(authority.alias()); caPrivKey = (PrivateKey) ks.getKey(authority.alias(), - authority.password()); + authority.password()); + return ks; + } + protected SSLContext initializeSSLContext(KeyStore ks) throws GeneralSecurityException, + IOException { TrustManager[] trustManagers; if (trustAllServers) { trustManagers = InsecureTrustManagerFactory.INSTANCE 
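Review bot: `loadCACertificates()` assigns `caCert` and `caPrivKey` as a side effect while returning the KeyStore, and `initializeSSLContext(KeyStore)` only works after it has run, but nothing in the new protected API states that ordering and neither method has Javadoc. `getSSLContext()` also returns the field unchecked, so an override of `init()` that never assigns `sslContext` surfaces as a NullPointerException in `newSslEngine` instead of at construction. Suggest Javadoc on `loadCACertificates` saying it loads the CA key store, populates `caCert`/`caPrivKey`, and must run after `initializeKeyStore()` and before `initializeSSLContext(KeyStore)`, plus a guard in the getter: `if (sslContext == null) throw new IllegalStateException("init() did not create an SSLContext");`. The body of `initializeSSLContext` continues past the hunk.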
@@ -256,12 +272,12 @@ private void initializeSSLContext() throws GeneralSecurityException, keyManagers = new KeyManager[0]; } - sslContext = CertificateHelper.newClientContext(keyManagers, - trustManagers); + SSLContext sslContext = CertificateHelper.newClientContext(keyManagers, trustManagers); SSLEngine sslEngine = sslContext.createSSLEngine(); if (!tryHostNameVerificationJava7(sslEngine)) { LOG.warn("Host Name Verification is not supported, causes insecure HTTPS connection to upstream servers."); } + return sslContext; } private KeyStore loadKeyStore() throws GeneralSecurityException, diff --git a/src/main/java/org/littleshoot/proxy/mitm/CertificateSniffingMitmManager.java b/src/main/java/org/littleshoot/proxy/mitm/CertificateSniffingMitmManager.java index 252665c..5e56adf 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/CertificateSniffingMitmManager.java +++ b/src/main/java/org/littleshoot/proxy/mitm/CertificateSniffingMitmManager.java @@ -24,19 +24,16 @@ public class CertificateSniffingMitmManager implements MitmManager { private BouncyCastleSslEngineSource sslEngineSource; - public CertificateSniffingMitmManager() throws RootCertificateException { + public CertificateSniffingMitmManager() throws Exception { this(new Authority()); } - public CertificateSniffingMitmManager(Authority authority) - throws RootCertificateException { - try { - sslEngineSource = new BouncyCastleSslEngineSource(authority, true, - true); - } catch (final Exception e) { - throw new RootCertificateException( - "Errors during assembling root CA.", e); - } + public CertificateSniffingMitmManager(Authority authority) throws Exception { + this(new BouncyCastleSslEngineSource(authority, true, true)); + } + + public CertificateSniffingMitmManager(BouncyCastleSslEngineSource sslEngineSource) throws RootCertificateException { + this.sslEngineSource = sslEngineSource; } public SSLEngine serverSslEngine(String peerHost, int peerPort) { 
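Review bot: In the CertificateSniffingMitmManager hunk the two delegating constructors now declare `throws Exception` instead of wrapping the BouncyCastleSslEngineSource failure in `RootCertificateException` as before, which widens the checked contract for every caller (LittleProxyMitmProxy had to follow suit in this patch) and loses the "Errors during assembling root CA." context. The new injecting constructor declares `throws RootCertificateException` but has no statement that can throw it, and it stores a null source without complaint. Restore the try/catch wrapping in the `Authority` constructor so the narrow exception type survives, drop the unused `throws` clause, and reject null with `this.sslEngineSource = Objects.requireNonNull(sslEngineSource, "sslEngineSource");`.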
diff --git a/src/test/java/org/littleshoot/proxy/mitm/LittleProxyMitmProxy.java b/src/test/java/org/littleshoot/proxy/mitm/LittleProxyMitmProxy.java index 6068a1e..edeb4fc 100644 --- a/src/test/java/org/littleshoot/proxy/mitm/LittleProxyMitmProxy.java +++ b/src/test/java/org/littleshoot/proxy/mitm/LittleProxyMitmProxy.java @@ -38,7 +38,7 @@ public class LittleProxyMitmProxy extends de.ganskef.test.Proxy implements private final MitmManager mitmManager; - public LittleProxyMitmProxy(int proxyPort) throws RootCertificateException { + public LittleProxyMitmProxy(int proxyPort) throws Exception { this(proxyPort, new CertificateSniffingMitmManager()); } From 36855991474da5afa4550104f1c1e3ff9b0d94c1 Mon Sep 17 00:00:00 2001 From: Zinovii Dmytriv Date: Thu, 16 Feb 2017 22:19:23 +0200 Subject: [PATCH 02/31] Commented release plugin --- pom.xml | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/pom.xml b/pom.xml index 71aeee2..a8fcd52 100644 --- a/pom.xml +++ b/pom.xml @@ -282,29 +282,29 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - - org.sonatype.plugins - nexus-staging-maven-plugin - 1.6.3 - true - - ossrh - https://oss.sonatype.org/ - true - - + + + + + + + + + + + - - org.apache.maven.plugins - maven-release-plugin - 2.5 - - true - false - release - deploy - - + + + + + + + + + + + From c496c65a746457407bb1811444ed4b165d52fe3e Mon Sep 17 00:00:00 2001 From: Marshall Jones Date: Sat, 8 Apr 2017 11:44:46 -0700 Subject: [PATCH 03/31] New Development Environment and Support for AWS Environment Variables --- pom.xml | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/pom.xml b/pom.xml index a8fcd52..1aa5701 100644 --- a/pom.xml +++ b/pom.xml 
@@ -158,11 +158,11 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - yle-public - Yle public repository - http://maven.c4.yle.fi/release + jfog + jfrog + https://dl.bintray.com/vg/vgs-misc - false + true @@ -308,11 +308,13 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. + - fi.yle.tools + io.vgs.tools aws-maven - 1.4.0 + 1.4.2 + @@ -398,14 +400,14 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - vg-release - VG Release Repository - s3://very-good/software/release/ + vault-http-release + AWS Release Repository + s3://vault-dev-01-audits-01-artifact-19k6160zpr44j/software/release/ - vg-snapshot - VG Snapshot Repository - s3://very-good/software/snapshot/ + vault-http-snapshot + AWS Snapshot Repository + s3://vault-dev-01-audits-01-artifact-19k6160zpr44j/software/snapshot/ From 3a6a83e7b35d90754eff804599e2084487a99f85 Mon Sep 17 00:00:00 2001 From: Slava Fomin Date: Thu, 24 Jan 2019 21:45:54 +0200 Subject: [PATCH 04/31] Certificate Cache Expiration Fix (#3) * Expire certificate cache in 12 hours * Updates version --- pom.xml | 2 +- .../org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1aa5701..9cb1a30 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.0-VGS + 1.0.1-VGS LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. diff --git a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java index f636bdd..1c24659 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java +++ b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java 
@@ -147,6 +147,7 @@ public BouncyCastleSslEngineSource(Authority authority, private static Cache initDefaultCertificateCache() { return CacheBuilder.newBuilder() // .expireAfterAccess(5, TimeUnit.MINUTES) // + .expireAfterWrite(12, TimeUnit.HOURS) .concurrencyLevel(16) // .build(); } From 7199f1ddfc2193c0821d7d1a8a6fe08125836655 Mon Sep 17 00:00:00 2001 From: Slava Fomin Date: Fri, 25 Jan 2019 12:10:44 +0200 Subject: [PATCH 05/31] CircleCi 2.0 support (#4) * Circleci 2.0 support * Fixed aws-maven version * update --- .circleci/config.yml | 138 ++++++++++++++++++++++++++++++++++++ circle.yml | 20 ------ pom.xml | 28 +++++++- scripts/env.sh | 14 ++++ scripts/run_circle_tests.sh | 6 ++ 5 files changed, 184 insertions(+), 22 deletions(-) create mode 100644 .circleci/config.yml delete mode 100644 circle.yml create mode 100755 scripts/env.sh create mode 100755 scripts/run_circle_tests.sh diff --git a/.circleci/config.yml b/.circleci/config.yml new file mode 100644 index 0000000..7f3d834 --- /dev/null +++ b/.circleci/config.yml 
@@ -0,0 +1,138 @@ +job-defaults: &job-defaults + working_directory: &working_directory + ~/LittleProxy-mitm + test_results_directory: &test_results_directory + /tmp/test-results + environment: + - RELEASE_BRANCH: vgs-edition + - AWS_DEFAULT_REGION: us-west-2 + - AWS_REGION: us-west-2 + - AWS_PROFILE: vgs-dev + +# Set up AWS environment +setup-env: &setup-env + run: + name: Setup Environment + command: ./scripts/env.sh + +# Template to save Maven dependency cache to restore it in another jobs +save-maven-cache: &save-maven-cache + save_cache: + key: LittleProxy-mitm-{{ checksum "pom.xml" }} + paths: + - ~/.m2 + +restore-maven-cache: &restore-maven-cache + restore_cache: + key: LittleProxy-mitm-{{ checksum "pom.xml" }} + +# Persists workspace so it can be attached in another jobs as soon as it was checked out and built +persist-workspace: &persist-workspace + persist_to_workspace: + root: . + paths: "*" + +attach-workspace: &attach-workspace + attach_workspace: + at: *working_directory + +# === JOBS === +version: 2 +jobs: + build: + <<: *job-defaults + machine: + enabled: true + steps: + - checkout + - <<: *setup-env + - <<: *restore-maven-cache + - run: + name: Maven Clean Package + command: | + unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; mvn clean dependency:go-offline install -Dmaven.test.skip=true --threads 5 -B + - <<: *save-maven-cache + - <<: *persist-workspace + test: + <<: *job-defaults + machine: + enabled: true + steps: + - <<: *attach-workspace + - <<: *restore-maven-cache + - run: + name: Run test + command: | + unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; ./scripts/run_circle_tests.sh + deployment: + <<: *job-defaults + machine: + enabled: true + steps: + - <<: *attach-workspace + - <<: *restore-maven-cache + - <<: *setup-env + - run: + name: Deploy + command: | + unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; mvn deploy -DskipTests=true + release: + <<: *job-defaults + machine: + enabled: true + steps: + - <<: 
*attach-workspace + - <<: *restore-maven-cache + - <<: *setup-env + - add_ssh_keys: + fingerprints: + - "c8:47:51:8b:5e:89:95:7d:2a:2d:26:5f:0a:ea:8a:4b" + - run: + name: Release + command: | + unset AWS_ACCESS_KEY_ID + unset AWS_SECRET_ACCESS_KEY + git config user.name "circleci" + git config user.email "circleci@vgs.com" + git fetch + git checkout $RELEASE_BRANCH + git pull origin $RELEASE_BRANCH + git reset --hard + git tag -d $CIRCLE_TAG + mvn -B -X -e gitflow:release-start -DreleaseVersion=$CIRCLE_TAG + mvn -B -X -e gitflow:release-finish -DreleaseVersion=$CIRCLE_TAG -DpostReleaseGoals='deploy -DskipTests' + git push origin $RELEASE_BRANCH + +# === WORKFLOW === +workflows: + version: 2 + build_test_and_deploy: + jobs: + - build: + context: artifact-publisher + filters: + tags: + only: /.*/ + - test: + context: artifact-publisher + requires: + - build + filters: + tags: + only: /.*/ + - deployment: + context: artifact-publisher + requires: + - test + filters: + branches: + only: vgs-edition + - release: + context: artifact-publisher + requires: + - test + filters: + branches: + ignore: /.*/ + tags: + only: /.*/ diff --git a/circle.yml b/circle.yml deleted file mode 100644 index 5b55da8..0000000 --- a/circle.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -general: - branches: - ignore: - - /release.*/ -machine: - java: - version: oraclejdk8 -dependencies: - override: - - mvn clean dependency:go-offline install -Dmaven.test.skip=true --fail-never --threads 5 -B -test: - override: - - mvn test -T2C -Djacoco.haltOnFailure=true -Dsurefire.rerunFailingTestsCount=2 -deployment: - snapshot: - branch: vgs-edition - owner: verygoodsecurity - commands: - - mvn deploy -DskipTests=true diff --git a/pom.xml b/pom.xml index 9cb1a30..f66952b 100644 --- a/pom.xml +++ b/pom.xml 
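Review bot: The release job runs `mvn -B -X -e gitflow:release-start ...` and `gitflow:release-finish ...` with Maven debug output (`-X`) enabled, in a job that has the artifact-publisher context and an AWS profile attached; debug output echoes plugin configurations and repository details into the retained CircleCI log, so keep `-e` for stack traces and drop `-X` unless actively debugging. The `unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY` lines run after the `setup-env` step has already written those values to disk, so they remove the keys from the shell only, not from the machine. `$CIRCLE_TAG` is also used unquoted in `git tag -d $CIRCLE_TAG` and the two `-DreleaseVersion=$CIRCLE_TAG` arguments; quote it as `"$CIRCLE_TAG"`.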
@@ -154,13 +154,37 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. repo.spring.io http://repo.spring.io/libs-snapshot-local + + + verygood-release-repo + Very Good Release Repository + s3://vault-dev-01-audits-01-artifact-19k6160zpr44j/software/release/ + + true + + + false + + + + + verygood-snapshot-repo + Very Good Snapshot Repository + s3://vault-dev-01-audits-01-artifact-19k6160zpr44j/software/snapshot/ + + false + + + true + + jfog jfrog - https://dl.bintray.com/vg/vgs-misc + https://dl.bintray.com/vg/vgs-oss true @@ -312,7 +336,7 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. io.vgs.tools aws-maven - 1.4.2 + 1.4.3 diff --git a/scripts/env.sh b/scripts/env.sh new file mode 100755 index 0000000..0da2566 --- /dev/null +++ b/scripts/env.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +mkdir -p ~/.aws + +echo " +[default] +region = us-west-2 +aws_access_key_id=$AWS_ACCESS_KEY_ID +aws_secret_access_key=$AWS_SECRET_ACCESS_KEY +[vgs-dev] +region = us-west-2 +role_arn = arn:aws:iam::883127560329:role/VGSStageDeploy +source_profile = default +" > ~/.aws/credentials \ No newline at end of file diff --git a/scripts/run_circle_tests.sh b/scripts/run_circle_tests.sh new file mode 100755 index 0000000..21245dc --- /dev/null +++ b/scripts/run_circle_tests.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash + +if [ "$CIRCLE_TAG" == "" ] +then + mvn test -T2C +fi \ No newline at end of file From 3e1b11c6521e7c980bca887adea4a2de591aec60 Mon Sep 17 00:00:00 2001 From: Zinovii Dmytriv Date: Fri, 25 Jan 2019 12:26:12 +0200 Subject: [PATCH 06/31] Fixed gitflow plugin --- pom.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pom.xml b/pom.xml index f66952b..2c75c7e 100644 --- a/pom.xml +++ b/pom.xml @@ -285,6 +285,12 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. + + com.amashchenko.maven.plugin + gitflow-maven-plugin + 1.8.0 + + 
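Review bot: scripts/env.sh writes `$AWS_ACCESS_KEY_ID` and `$AWS_SECRET_ACCESS_KEY` into `~/.aws/credentials` through a plain `echo` redirect, so the file is created under the default umask (typically 0644) and the secret is readable by other local accounts, and because the script never sets `set -eu` an unset variable silently produces an empty key. Add `umask 077` before the redirect (or `chmod 600 ~/.aws/credentials` after it) and `set -euo pipefail` at the top. The file also lacks a trailing newline, which git flags on every later edit.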
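Review bot: scripts/run_circle_tests.sh skips `mvn test` entirely whenever `CIRCLE_TAG` is set, and the deployment and release jobs in .circleci/config.yml both run with `-DskipTests`, so the artifact actually published for a tag is never exercised by the suite in CI. If the intent is to avoid running the suite twice, gate on a build that has already passed rather than on the presence of a tag; otherwise drop the condition. As a style point, `[ -z "$CIRCLE_TAG" ]` is the conventional spelling of the emptiness test.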
From 2c8b095465c6e781d398288d56a951a36f3ae7d2 Mon Sep 17 00:00:00 2001 From: Zinovii Dmytriv Date: Fri, 25 Jan 2019 12:39:54 +0200 Subject: [PATCH 07/31] Tuned gitflow plugin --- pom.xml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 2c75c7e..ff13809 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.1-VGS + 1.0.2-VGS-SNAPSHOT LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. @@ -289,6 +289,24 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. com.amashchenko.maven.plugin gitflow-maven-plugin 1.8.0 + + true + 2 + true + false + true + true + + vgs-edition + vgs-edition + release- + + + + update versions for @{version} release + update for next development version @{version} + + From 6c6a26d04e231e07d71cf975dc53d6c02658bf51 Mon Sep 17 00:00:00 2001 From: Zinovii Dmytriv Date: Fri, 25 Jan 2019 12:53:52 +0200 Subject: [PATCH 08/31] updated ssh key fingerprint --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 7f3d834..f1dafe1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -86,7 +86,7 @@ jobs: - <<: *setup-env - add_ssh_keys: fingerprints: - - "c8:47:51:8b:5e:89:95:7d:2a:2d:26:5f:0a:ea:8a:4b" + - "40:88:ac:fe:ba:22:75:4d:a7:84:e3:cc:07:d4:0c:e8" - run: name: Release command: | From c33a7b97618be4582e14ad977cf632bef07610d3 Mon Sep 17 00:00:00 2001 From: Zinovii Dmytriv Date: Fri, 25 Jan 2019 13:12:28 +0200 Subject: [PATCH 09/31] updated github ssh key fingerprint --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index f1dafe1..7835bf7 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -86,7 +86,7 @@ jobs: - <<: *setup-env - add_ssh_keys: fingerprints: - - "40:88:ac:fe:ba:22:75:4d:a7:84:e3:cc:07:d4:0c:e8" + - "be:4f:56:d1:19:52:3f:92:0c:51:3f:5e:11:1e:50:fe" - run: name: Release command: | From e8d2c904fef5c01f109766efb687042e5928ec79 Mon Sep 17 00:00:00 2001 From: circleci Date: Fri, 25 Jan 2019 11:16:05 +0000 Subject: [PATCH 10/31] update versions for 1.0.2-VGS release --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ff13809..597a052 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.2-VGS-SNAPSHOT + 1.0.2-VGS LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From b3afdcfb85c7a0c6ed59dea9bde4ee100c319b87 Mon Sep 17 00:00:00 2001 From: circleci Date: Fri, 25 Jan 2019 11:16:43 +0000 Subject: [PATCH 11/31] update for next development version 1.0.3-VGS-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 597a052..b846aaa 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.2-VGS + 1.0.3-VGS-SNAPSHOT LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From 5ea3def4b5c9f049ae6ac726a76f376a15cf3d45 Mon Sep 17 00:00:00 2001 From: Slava Fomin Date: Fri, 25 Jan 2019 15:07:44 +0200 Subject: [PATCH 12/31] Expire cert in one hour (#5) * Expire cert in one hour * Test build --- .../org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java index 1c24659..7d2465d 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java 
+++ b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java @@ -147,7 +147,7 @@ public BouncyCastleSslEngineSource(Authority authority, private static Cache initDefaultCertificateCache() { return CacheBuilder.newBuilder() // .expireAfterAccess(5, TimeUnit.MINUTES) // - .expireAfterWrite(12, TimeUnit.HOURS) + .expireAfterWrite(1, TimeUnit.HOURS) // .concurrencyLevel(16) // .build(); } From 10ef0ce11dcfb2fc151c083e92a96c38b4d39a27 Mon Sep 17 00:00:00 2001 From: circleci Date: Fri, 25 Jan 2019 13:11:05 +0000 Subject: [PATCH 13/31] update versions for 1.0.3-VGS release --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index b846aaa..4cbe6e6 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.3-VGS-SNAPSHOT + 1.0.3-VGS LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From 968d8f69abad3a08224fcc446032ce8f439e6eb7 Mon Sep 17 00:00:00 2001 From: circleci Date: Fri, 25 Jan 2019 13:11:45 +0000 Subject: [PATCH 14/31] update for next development version 1.0.4-VGS-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4cbe6e6..1bd716a 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.3-VGS + 1.0.4-VGS-SNAPSHOT LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From 92bf2d25d24d3c2618cb00abd619c71749945708 Mon Sep 17 00:00:00 2001 From: Kostiantyn Severynov Date: Tue, 11 Jun 2019 19:05:06 +0300 Subject: [PATCH 15/31] license report (#6) --- .circleci/config.yml | 5 +++++ pom.xml | 15 +++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 7835bf7..2f4a93f 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -51,6 +51,11 @@ jobs: name: Maven Clean Package command: | unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; mvn clean dependency:go-offline install -Dmaven.test.skip=true --threads 5 -B + - run: + name: Collect Licenses + command: unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; mvn license:aggregate-third-party-report + - store_artifacts: + path: target/site/aggregate-third-party-report.html - <<: *save-maven-cache - <<: *persist-workspace test: diff --git a/pom.xml b/pom.xml index 1bd716a..4601ecf 100644 --- a/pom.xml +++ b/pom.xml @@ -23,6 +23,7 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. 4.12 1.0.0.1 2.6 + 1.20 @@ -309,6 +310,20 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. + + org.codehaus.mojo + license-maven-plugin + ${license-maven-plugin.version} + + + download-licenses + + download-licenses + + + + + From a2449b46c08fd156ac97a5eefd20c888a9ecb5a9 Mon Sep 17 00:00:00 2001 From: Oleh Sklyarenko Date: Thu, 5 Mar 2020 15:02:11 +0200 Subject: [PATCH 16/31] Configurable key sizes for impersonating x509 (#7) * Configurable key sizes for impersonating x509 * Renamed param --- .../mitm/BouncyCastleSslEngineSource.java | 19 +++-- .../proxy/mitm/CertificateHelper.java | 15 ++-- .../proxy/mitm/CertificateSettings.java | 69 +++++++++++++++++++ .../mitm/CertificateSniffingMitmManager.java | 2 +- .../java/de/ganskef/test/TrustedServer.java | 3 +- 5 files changed, 91 insertions(+), 17 deletions(-) create mode 100644 src/main/java/org/littleshoot/proxy/mitm/CertificateSettings.java diff --git a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java index 7d2465d..8ca8d3f 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java +++ b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java 
@@ -79,6 +79,8 @@ public class BouncyCastleSslEngineSource implements SslEngineSource { private Cache serverSSLContexts; + private CertificateSettings certificateSettings; + /** * Creates a SSL engine source create a Certificate Authority if needed and * initializes a SSL context. Exceptions will be thrown to let the manager @@ -98,9 +100,12 @@ public class BouncyCastleSslEngineSource implements SslEngineSource { * Generation takes between 50 to 500ms, but only once per * thread, since there is a connection cache too. It's save to * give a null cache to prevent memory or locking issues. + * @param certificateSettings + * parameters for generating x509 certificates */ public BouncyCastleSslEngineSource(Authority authority, boolean trustAllServers, boolean sendCerts, + CertificateSettings certificateSettings, Cache sslContexts) throws GeneralSecurityException, OperatorCreationException, RootCertificateException, IOException { @@ -108,6 +113,7 @@ public BouncyCastleSslEngineSource(Authority authority, this.trustAllServers = trustAllServers; this.sendCerts = sendCerts; this.serverSSLContexts = sslContexts; + this.certificateSettings = certificateSettings; init(); } @@ -135,13 +141,14 @@ protected void init() * @param trustAllServers * * @param sendCerts + * @param certificateSettings + * parameters for generating x509 certificates */ public BouncyCastleSslEngineSource(Authority authority, - boolean trustAllServers, boolean sendCerts) + boolean trustAllServers, boolean sendCerts, CertificateSettings certificateSettings) throws RootCertificateException, GeneralSecurityException, IOException, OperatorCreationException { - this(authority, trustAllServers, sendCerts, - initDefaultCertificateCache()); + this(authority, trustAllServers, sendCerts, certificateSettings, initDefaultCertificateCache()); } private static Cache initDefaultCertificateCache() { 
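Review bot: `this.certificateSettings = certificateSettings;` stores the new argument without a null check, and its first use is `certificateSettings.getDefaultRootKeySize()` inside `initializeKeyStore()` (a later hunk), so a caller passing null gets a NullPointerException from inside `init()` rather than a clear argument error; suggest `this.certificateSettings = Objects.requireNonNull(certificateSettings, "certificateSettings");` and a `@throws NullPointerException` line in the Javadoc. Inserting the parameter in the middle of both public constructors also breaks every existing caller; keeping a `(Authority, boolean, boolean)` overload that delegates with `CertificateSettings.builder().build()` would preserve compatibility. The constructor spans two hunks here and its tail is outside this one.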
@@ -231,7 +238,7 @@ protected void initializeKeyStore() throws RootCertificateException, } MillisecondsDuration duration = new MillisecondsDuration(); KeyStore keystore = CertificateHelper.createRootCertificate(authority, - KEY_STORE_TYPE); + KEY_STORE_TYPE, certificateSettings.getDefaultRootKeySize()); LOG.info("Created root certificate authority key store in {}ms", duration); @@ -352,7 +359,7 @@ private SSLContext createServerContext(String commonName, MillisecondsDuration duration = new MillisecondsDuration(); KeyStore ks = CertificateHelper.createServerCertificate(commonName, - subjectAlternativeNames, authority, caCert, caPrivKey); + subjectAlternativeNames, authority, caCert, caPrivKey, certificateSettings.getFakeKeySize()); KeyManager[] keyManagers = CertificateHelper.getKeyManagers(ks, authority); @@ -368,7 +375,7 @@ public void initializeServerCertificates(String commonName, IOException { KeyStore ks = CertificateHelper.createServerCertificate(commonName, - subjectAlternativeNames, authority, caCert, caPrivKey); + subjectAlternativeNames, authority, caCert, caPrivKey, certificateSettings.getFakeKeySize()); PrivateKey key = (PrivateKey) ks.getKey(authority.alias(), authority.password()); diff --git a/src/main/java/org/littleshoot/proxy/mitm/CertificateHelper.java b/src/main/java/org/littleshoot/proxy/mitm/CertificateHelper.java index a4358e2..9ea9a74 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/CertificateHelper.java +++ b/src/main/java/org/littleshoot/proxy/mitm/CertificateHelper.java @@ -1,5 +1,7 @@ package org.littleshoot.proxy.mitm; +import com.google.common.base.Preconditions; +import com.google.common.base.Verify; import java.io.ByteArrayInputStream; import java.io.IOException; import java.math.BigInteger; 
@@ -79,10 +81,6 @@ public final class CertificateHelper { */ private static final String SIGNATURE_ALGORITHM = (is32BitJvm() ? "SHA256" : "SHA512") + "WithRSAEncryption"; - private static final int ROOT_KEYSIZE = 2048; - - private static final int FAKE_KEYSIZE = 1024; - /** The milliseconds of a day */ private static final long ONE_DAY = 86400000L; @@ -147,11 +145,11 @@ private static boolean is32BitJvm() { } public static KeyStore createRootCertificate(Authority authority, - String keyStoreType) throws NoSuchAlgorithmException, + String keyStoreType, int keySize) throws NoSuchAlgorithmException, NoSuchProviderException, IOException, OperatorCreationException, CertificateException, KeyStoreException { - KeyPair keyPair = generateKeyPair(ROOT_KEYSIZE); + KeyPair keyPair = generateKeyPair(keySize); X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE); nameBuilder.addRDN(BCStyle.CN, authority.commonName()); @@ -209,12 +207,11 @@ private static SubjectKeyIdentifier createSubjectKeyIdentifier(Key key) public static KeyStore createServerCertificate(String commonName, SubjectAlternativeNameHolder subjectAlternativeNames, - Authority authority, Certificate caCert, PrivateKey caPrivKey) + Authority authority, Certificate caCert, PrivateKey caPrivKey, int keySize) throws NoSuchAlgorithmException, NoSuchProviderException, IOException, OperatorCreationException, CertificateException, InvalidKeyException, SignatureException, KeyStoreException { - - KeyPair keyPair = generateKeyPair(FAKE_KEYSIZE); + KeyPair keyPair = generateKeyPair(keySize); X500Name issuer = new X509CertificateHolder(caCert.getEncoded()) .getSubject(); diff --git a/src/main/java/org/littleshoot/proxy/mitm/CertificateSettings.java b/src/main/java/org/littleshoot/proxy/mitm/CertificateSettings.java new file mode 100644 index 0000000..837f9a7 --- /dev/null +++ b/src/main/java/org/littleshoot/proxy/mitm/CertificateSettings.java 
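Review bot: `createRootCertificate` and `createServerCertificate` now take `int keySize` from the caller and pass it straight to `generateKeyPair` with no validation in these public static methods; the only bounds check lives in CertificateSettingsBuilder, which any other caller can bypass. The `Preconditions` import added in the previous hunk of this file makes the check cheap: `Preconditions.checkArgument(keySize >= CertificateSettings.MIN_KEY_SIZE, "keySize %s is too small", keySize);`, while the `Verify` import added alongside it is unused in every visible hunk. Separately, `DEFAULT_FAKE_KEY_SIZE = 1024` in the new CertificateSettings keeps the legacy 1024-bit RSA leaf key, which is below the 2048-bit minimum of NIST SP 800-131A and the CA/Browser Forum Baseline Requirements; now that the size is configurable, 2048 is the safer default.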
@@ -0,0 +1,69 @@
+package org.littleshoot.proxy.mitm;
+
+import com.google.common.base.Preconditions;
+
+public class CertificateSettings {
+ public static final int DEFAULT_ROOT_KEY_SIZE = 2048;
+ public static final int DEFAULT_FAKE_KEY_SIZE = 1024;
+
+ public static final int MIN_KEY_SIZE = 1024;
+ public static final int MAX_KEY_SIZE = 8192;
+
+ private final int defaultRootKeySize;
+ private final int fakeKeySize;
+
+ /**
+ * @param defaultRootKeySize
+ * RSA key size used to generate fallback root certificate.
+ * If there's a root authority file found on system this parameter is ignored.
+ * @param fakeKeySize
+ * RSA key size for 'fake' x509 used to impersonate upstreams.
+ */
+ private CertificateSettings(int defaultRootKeySize, int fakeKeySize) {
+ this.defaultRootKeySize = defaultRootKeySize;
+ this.fakeKeySize = fakeKeySize;
+ }
+
+ public int getDefaultRootKeySize() {
+ return defaultRootKeySize;
+ }
+
+ public int getFakeKeySize() {
+ return fakeKeySize;
+ }
+
+ public static CertificateSettingsBuilder builder() {
+ return new CertificateSettingsBuilder();
+ }
+
+ public static class CertificateSettingsBuilder {
+ private int defaultRootKeySize = DEFAULT_ROOT_KEY_SIZE;
+ private int defaultFakeKeySize = DEFAULT_FAKE_KEY_SIZE;
+
+ public CertificateSettingsBuilder setDefaultRootKeySize(int defaultRootKeySize) {
+ checkKeySize(defaultRootKeySize);
+ this.defaultRootKeySize = defaultRootKeySize;
+ return this;
+ }
+
+ public CertificateSettingsBuilder setDefaultFakeKeySize(int defaultFakeKeySize) {
+ checkKeySize(defaultFakeKeySize);
+ this.defaultFakeKeySize = defaultFakeKeySize;
+ return this;
+ }
+
+ public CertificateSettings build() {
+ return new CertificateSettings(defaultRootKeySize, defaultFakeKeySize);
+ }
+
+ private static void checkKeySize(int keySize) {
+ Preconditions.checkArgument(keySize >= MIN_KEY_SIZE, "keySize does not satisfy the min requirements");
+ Preconditions.checkArgument(keySize <= MAX_KEY_SIZE, "keySize does not satisfy the 
max requirements"); + Preconditions.checkArgument(isPowerOf2(keySize), "keySize should be a power of 2"); + } + + private static boolean isPowerOf2(int number) { + return (number & (number - 1)) == 0; + } + } +} diff --git a/src/main/java/org/littleshoot/proxy/mitm/CertificateSniffingMitmManager.java b/src/main/java/org/littleshoot/proxy/mitm/CertificateSniffingMitmManager.java index 5e56adf..232ca22 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/CertificateSniffingMitmManager.java +++ b/src/main/java/org/littleshoot/proxy/mitm/CertificateSniffingMitmManager.java @@ -29,7 +29,7 @@ public CertificateSniffingMitmManager() throws Exception { } public CertificateSniffingMitmManager(Authority authority) throws Exception { - this(new BouncyCastleSslEngineSource(authority, true, true)); + this(new BouncyCastleSslEngineSource(authority, true, true, CertificateSettings.builder().build())); } public CertificateSniffingMitmManager(BouncyCastleSslEngineSource sslEngineSource) throws RootCertificateException { diff --git a/src/test/java/de/ganskef/test/TrustedServer.java b/src/test/java/de/ganskef/test/TrustedServer.java index 5f52a54..c484b99 100644 --- a/src/test/java/de/ganskef/test/TrustedServer.java +++ b/src/test/java/de/ganskef/test/TrustedServer.java @@ -4,6 +4,7 @@ import org.littleshoot.proxy.mitm.Authority; import org.littleshoot.proxy.mitm.BouncyCastleSslEngineSource; +import org.littleshoot.proxy.mitm.CertificateSettings; import org.littleshoot.proxy.mitm.SubjectAlternativeNameHolder; public class TrustedServer extends SecureServer { @@ -21,7 +22,7 @@ public TrustedServer(int port) { public Server start() throws Exception { BouncyCastleSslEngineSource es = new BouncyCastleSslEngineSource( - new Authority(), true, true); + new Authority(), true, true, CertificateSettings.builder().build()); SubjectAlternativeNameHolder san = new SubjectAlternativeNameHolder(); // san.addDomainName("localhost"); es.initializeServerCertificates(commonName, san); 
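Review bot: `checkKeySize` in `CertificateSettingsBuilder` rejects every RSA size that is not a power of two, so 3072 bits, the size NIST SP 800-57 pairs with 128-bit security strength, cannot be configured even though it lies inside `MIN_KEY_SIZE`..`MAX_KEY_SIZE`; RSA moduli carry no power-of-two requirement, so I would keep the range check and drop `isPowerOf2` (a multiple-of-8 check is the most a key generator typically needs). Separately, `DEFAULT_FAKE_KEY_SIZE = 1024` and `MIN_KEY_SIZE = 1024` sit below the 2048-bit floor NIST SP 800-131A sets for RSA signatures, and the `CertificateSniffingMitmManager(Authority)` constructor changed in the same patch bakes that default into every caller that does not build its own settings. If 1024 is a deliberate latency trade-off for per-host leaf keys, say so on the constant, e.g. `// intentionally below the 2048-bit guidance to keep per-host key generation fast; review before relying on it`, so the next reader does not assume it was chosen for security.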
From d29991f780ae531228a20f33be910796009331e3 Mon Sep 17 00:00:00 2001 From: Oleh Sklyarenko Date: Thu, 5 Mar 2020 15:44:03 +0200 Subject: [PATCH 17/31] Renamed builder params (#8) --- .../org/littleshoot/proxy/mitm/CertificateSettings.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/littleshoot/proxy/mitm/CertificateSettings.java b/src/main/java/org/littleshoot/proxy/mitm/CertificateSettings.java index 837f9a7..c7adab2 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/CertificateSettings.java +++ b/src/main/java/org/littleshoot/proxy/mitm/CertificateSettings.java @@ -38,7 +38,7 @@ public static CertificateSettingsBuilder builder() { public static class CertificateSettingsBuilder { private int defaultRootKeySize = DEFAULT_ROOT_KEY_SIZE; - private int defaultFakeKeySize = DEFAULT_FAKE_KEY_SIZE; + private int fakeKeySize = DEFAULT_FAKE_KEY_SIZE; public CertificateSettingsBuilder setDefaultRootKeySize(int defaultRootKeySize) { checkKeySize(defaultRootKeySize); @@ -46,14 +46,14 @@ public CertificateSettingsBuilder setDefaultRootKeySize(int defaultRootKeySize) return this; } - public CertificateSettingsBuilder setDefaultFakeKeySize(int defaultFakeKeySize) { + public CertificateSettingsBuilder setFakeKeySize(int defaultFakeKeySize) { checkKeySize(defaultFakeKeySize); - this.defaultFakeKeySize = defaultFakeKeySize; + this.fakeKeySize = defaultFakeKeySize; return this; } public CertificateSettings build() { - return new CertificateSettings(defaultRootKeySize, defaultFakeKeySize); + return new CertificateSettings(defaultRootKeySize, fakeKeySize); } private static void checkKeySize(int keySize) { From b8d63daabc116d283298b3b4af1dd4e570bdc899 Mon Sep 17 00:00:00 2001 From: Nestor Sokil Date: Tue, 10 Mar 2020 11:32:32 +0200 Subject: [PATCH 18/31] Updated SSH fingerprint to use RW key (#9) --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.circleci/config.yml b/.circleci/config.yml index 2f4a93f..05fe6af 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -91,7 +91,7 @@ jobs: - <<: *setup-env - add_ssh_keys: fingerprints: - - "be:4f:56:d1:19:52:3f:92:0c:51:3f:5e:11:1e:50:fe" + - "84:9b:0b:4f:de:ab:78:9e:ef:01:98:64:85:98:7f:cd" - run: name: Release command: | From 6852f4c6c004c3239ef1e41dc978630fd9610171 Mon Sep 17 00:00:00 2001 From: kochniev <49079680+kochniev@users.noreply.github.com> Date: Wed, 16 Mar 2022 13:13:06 +0200 Subject: [PATCH 19/31] Fix wrong SANs return in case of SNI (#15) * APPSEC-653, CSL3-1005 - Fix wrong SANs return in case of SNI * APPSEC-653, CSL3-1005 - Avoid is empty check on getAlternativesIdentifier * APPSEC-653, CSL3-1005 - Update fingerprint in order to fix build on CircleCI * APPSEC-653, CSL3-1005 - Bintray retire --- .circleci/config.yml | 2 +- pom.xml | 22 +++--- .../mitm/BouncyCastleSslEngineSource.java | 6 +- .../mitm/SubjectAlternativeNameHolder.java | 18 +++++ .../mitm/BouncyCastleSslEngineSourceTest.java | 67 +++++++++++++++++++ .../SubjectAlternativeNameHolderTest.java | 55 +++++++++++++++ 6 files changed, 156 insertions(+), 14 deletions(-) create mode 100644 src/test/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSourceTest.java create mode 100644 src/test/java/org/littleshoot/proxy/mitm/SubjectAlternativeNameHolderTest.java diff --git a/.circleci/config.yml b/.circleci/config.yml index 05fe6af..6615e14 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -91,7 +91,7 @@ jobs: - <<: *setup-env - add_ssh_keys: fingerprints: - - "84:9b:0b:4f:de:ab:78:9e:ef:01:98:64:85:98:7f:cd" + - "3c:54:4d:27:85:f6:b7:19:2e:73:2c:77:89:c1:14:b6" - run: name: Release command: | diff --git a/pom.xml b/pom.xml index 4601ecf..029b0f1 100644 --- a/pom.xml +++ b/pom.xml 
@@ -144,12 +144,6 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - - jcenter - jcenter - https://jcenter.bintray.com/ - - repo.spring.io repo.spring.io @@ -183,12 +177,16 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - jfog - jfrog - https://dl.bintray.com/vg/vgs-oss + central + https://repo.maven.apache.org/maven2 - true + false + fail + + true + fail + @@ -373,9 +371,9 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. - io.vgs.tools + com.verygoodsecurity aws-maven - 1.4.3 + 1.4.5 diff --git a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java index 8ca8d3f..3d24d75 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java +++ b/src/main/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSource.java @@ -340,7 +340,8 @@ public SSLEngine createCertForHost(final String commonName, if (serverSSLContexts == null) { ctx = createServerContext(commonName, subjectAlternativeNames); } else { - ctx = serverSSLContexts.get(commonName, new Callable() { + final String alternativesIdentifier = subjectAlternativeNames.getAlternativesIdentifier(commonName); + ctx = serverSSLContexts.get(alternativesIdentifier, new Callable() { @Override public SSLContext call() throws Exception { return createServerContext(commonName, @@ -402,6 +403,9 @@ private void exportPem(File exportFile, Object... certs) } } + protected Cache getServerSSLContexts() { + return serverSSLContexts; + } } class MillisecondsDuration { diff --git a/src/main/java/org/littleshoot/proxy/mitm/SubjectAlternativeNameHolder.java b/src/main/java/org/littleshoot/proxy/mitm/SubjectAlternativeNameHolder.java index b24c750..8787048 100644 --- a/src/main/java/org/littleshoot/proxy/mitm/SubjectAlternativeNameHolder.java 
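Review bot: `getServerSSLContexts()` is made `protected` on a non-final class solely so `BouncyCastleSslEngineSourceTest` can read the cache, which also publishes the mutable cache to every subclass; the test lives in the same package, so package-private visibility plus Guava's `@VisibleForTesting` (Guava is already a dependency here) is enough and states the intent. It also needs a one-line Javadoc, since the accessor can legitimately return null: `/** Exposes the per-host SSLContext cache for tests; null when caching is disabled. */`, which the `serverSSLContexts == null` branch in the `createCertForHost` hunk establishes. `createCertForHost`'s body continues outside the hunk.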
+++ b/src/main/java/org/littleshoot/proxy/mitm/SubjectAlternativeNameHolder.java @@ -1,8 +1,11 @@ package org.littleshoot.proxy.mitm; +import com.google.common.base.Joiner; import java.util.ArrayList; import java.util.Collection; import java.util.List; +import java.util.Set; +import java.util.TreeSet; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -17,6 +20,7 @@ public class SubjectAlternativeNameHolder { private static final Pattern TAGS_PATTERN = Pattern.compile("[" + GeneralName.iPAddress + GeneralName.dNSName + "]"); + private static final String ALTERNATIVES_IDENTIFIER_DELIMITER = " "; private final List sans = new ArrayList(); @@ -58,4 +62,18 @@ private ASN1Encodable parseGeneralName(List nameEntry) { } throw new IllegalArgumentException(String.valueOf(nameEntry)); } + + public String getAlternativesIdentifier(String commonName) { + if (commonName == null) { + throw new IllegalArgumentException( + "Error, 'commonName' is not allowed to be null!"); + } + Set alternativesIdentifier = new TreeSet<>(); + alternativesIdentifier.add(commonName); + + for (ASN1Encodable san : sans) { + alternativesIdentifier.add(san.toString()); + } + return Joiner.on(ALTERNATIVES_IDENTIFIER_DELIMITER).join(alternativesIdentifier); + } } diff --git a/src/test/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSourceTest.java b/src/test/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSourceTest.java new file mode 100644 index 0000000..74df847 --- /dev/null +++ b/src/test/java/org/littleshoot/proxy/mitm/BouncyCastleSslEngineSourceTest.java 
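Review bot: `getAlternativesIdentifier` builds the cache key from `san.toString()`, i.e. BouncyCastle's `GeneralName` rendering (`"2: name"` in the tests), which is not a documented contract; a later patch in this series bumps library versions (the 1.51 to 1.70 change looks like BouncyCastle), and any change to that rendering would silently alter every key and break the tests that pin the exact string. If `parseGeneralName` always yields `GeneralName` instances (its body is outside the hunk), rendering `gn.getTagNo()` and `gn.getName()` explicitly keeps the key format under this class's control. The method also has no Javadoc; the properties worth stating are that the key is the sorted, space-joined set of the CN plus every SAN, that the join is unambiguous only because DNS names and IP literals contain no spaces, and that hosts sharing a CN but not their SANs therefore get distinct contexts.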
@@ -0,0 +1,67 @@ +package org.littleshoot.proxy.mitm; + +import static org.littleshoot.proxy.mitm.SubjectAlternativeNameHolderTest.CN; + +import java.io.IOException; +import java.security.GeneralSecurityException; +import java.util.Collections; +import java.util.concurrent.ExecutionException; +import javax.net.ssl.SSLContext; +import junit.framework.TestCase; +import org.bouncycastle.operator.OperatorCreationException; +import org.junit.Test; + +public class BouncyCastleSslEngineSourceTest extends TestCase { + + private BouncyCastleSslEngineSource bouncyCastleSslEngineSource; + + @Test + public void testCreateCertForHost() throws RootCertificateException, GeneralSecurityException, + IOException, OperatorCreationException, ExecutionException { + // given + bouncyCastleSslEngineSource = + new BouncyCastleSslEngineSource(new Authority(), false, false, CertificateSettings.builder().build()); + + SubjectAlternativeNameHolder subjectAlternativeNameHolderMiddesk = new SubjectAlternativeNameHolder(); + SubjectAlternativeNameHolder subjectAlternativeNameHolderMyMy = new SubjectAlternativeNameHolder(); + SubjectAlternativeNameHolder subjectAlternativeNameHolderRaiffeisen = new SubjectAlternativeNameHolder(); + subjectAlternativeNameHolderMiddesk.addDomainName(CN); + subjectAlternativeNameHolderMiddesk.addDomainName("*.middesk.com"); + subjectAlternativeNameHolderMiddesk.addDomainName("middesk.com"); + + subjectAlternativeNameHolderMyMy.addDomainName(CN); + subjectAlternativeNameHolderMyMy.addDomainName("*.my-my.com"); + subjectAlternativeNameHolderMyMy.addDomainName("my-my.com"); + + subjectAlternativeNameHolderRaiffeisen.addDomainName(CN); + subjectAlternativeNameHolderRaiffeisen.addDomainName("*.raiffeisen.ua"); + subjectAlternativeNameHolderRaiffeisen.addDomainName("raiffeisen.ua"); + + final String middeskCacheKey = "2: *.middesk.com 2: middesk.com 2: sni.cloudflaressl.com sni.cloudflaressl.com"; + final String myMyCacheKey = "2: *.my-my.com 2: my-my.com 2: 
sni.cloudflaressl.com sni.cloudflaressl.com"; + final String raiffeisenCacheKey = "2: *.raiffeisen.ua 2: raiffeisen.ua 2: sni.cloudflaressl.com sni.cloudflaressl.com"; + + bouncyCastleSslEngineSource.createCertForHost(CN, subjectAlternativeNameHolderMiddesk); + bouncyCastleSslEngineSource.createCertForHost(CN, subjectAlternativeNameHolderMyMy); + bouncyCastleSslEngineSource.createCertForHost(CN, subjectAlternativeNameHolderRaiffeisen); + + // when + final SSLContext middeskSslContext = bouncyCastleSslEngineSource.getServerSSLContexts() + .getAllPresent(Collections.singletonList(middeskCacheKey)).get(middeskCacheKey); + final SSLContext myMySslContext = bouncyCastleSslEngineSource.getServerSSLContexts() + .getAllPresent(Collections.singletonList(myMyCacheKey)).get(myMyCacheKey); + final SSLContext raiffeisenContext = bouncyCastleSslEngineSource.getServerSSLContexts() + .getAllPresent(Collections.singletonList(raiffeisenCacheKey)).get(raiffeisenCacheKey); + final SSLContext shouldBeNull = bouncyCastleSslEngineSource.getServerSSLContexts() + .getAllPresent(Collections.singletonList("")).get(""); + + // then + assertEquals(3, bouncyCastleSslEngineSource.getServerSSLContexts().size()); + assertNotNull(middeskSslContext); + assertNotNull(myMySslContext); + assertNotNull(raiffeisenContext); + assertNull(shouldBeNull); + + } + +} \ No newline at end of file diff --git a/src/test/java/org/littleshoot/proxy/mitm/SubjectAlternativeNameHolderTest.java b/src/test/java/org/littleshoot/proxy/mitm/SubjectAlternativeNameHolderTest.java new file mode 100644 index 0000000..78ce64c --- /dev/null +++ b/src/test/java/org/littleshoot/proxy/mitm/SubjectAlternativeNameHolderTest.java 
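Review bot: `BouncyCastleSslEngineSourceTest` extends `junit.framework.TestCase` while annotating its method with `org.junit.Test`; a class that extends `TestCase` is run by JUnit's JUnit 3 runner, which ignores the annotation and finds the method only because its name starts with `test`, so `@Test(expected = ...)`, `@Before` and similar would silently not apply. Pick one style, for example drop `extends TestCase` and import the assertions from `org.junit.Assert`; `SubjectAlternativeNameHolderTest` in the same patch has the same mix. The `bouncyCastleSslEngineSource` field is assigned only inside the test method and can be a local. The expected keys (`"2: *.middesk.com 2: middesk.com ..."`) pin BouncyCastle's `GeneralName.toString()` output rather than anything this project defines, so they will need updating if a dependency bump changes that rendering.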
@@ -0,0 +1,55 @@ +package org.littleshoot.proxy.mitm; + +import junit.framework.TestCase; +import org.junit.Test; + +public class SubjectAlternativeNameHolderTest extends TestCase { + + static final String CN = "sni.cloudflaressl.com"; + SubjectAlternativeNameHolder subjectAlternativeNameHolder = new SubjectAlternativeNameHolder(); + + @Test + public void testGetAlternativesIdentifier() { + // given + subjectAlternativeNameHolder.addDomainName(CN); + subjectAlternativeNameHolder.addDomainName("*.middesk.com"); + subjectAlternativeNameHolder.addDomainName("middesk.com"); + + // when + final String actual = subjectAlternativeNameHolder.getAlternativesIdentifier(CN); + + // then + assertEquals("2: *.middesk.com 2: middesk.com 2: sni.cloudflaressl.com sni.cloudflaressl.com", actual); + } + + @Test + public void testGetAlternativesIdentifierWhenOnlyOneDomainName() { + // given + subjectAlternativeNameHolder.addDomainName("*." + CN); + + // when + final String actual = subjectAlternativeNameHolder.getAlternativesIdentifier(CN); + + // then + assertEquals("2: *.sni.cloudflaressl.com sni.cloudflaressl.com", actual); + } + + @Test + public void testGetAlternativesIdentifierWhenSansEmpty() { + // when + final String actual = subjectAlternativeNameHolder.getAlternativesIdentifier(CN); + + // then + assertEquals("sni.cloudflaressl.com", actual); + } + + @Test + public void testGetAlternativesIdentifierWhenCNNull() { + try { + subjectAlternativeNameHolder.getAlternativesIdentifier(null); + fail( "No exception was thrown when CN was null" ); + } catch( IllegalArgumentException e ) { + assertEquals( "Error, 'commonName' is not allowed to be null!", e.getMessage() ); // Optionally make sure you get the correct message, too + } + } +} \ No newline at end of file From 5b197d5723201e3018e2306813115e3589f4629b Mon Sep 17 00:00:00 2001 
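Review bot: `testGetAlternativesIdentifierWhenCNNull` carries a left-over tutorial comment, `// Optionally make sure you get the correct message, too`, and uses a spacing style (`fail( "..." )`, `catch( IllegalArgumentException e )`) unlike the rest of the file; drop the comment and normalise the spacing. The assertion itself is fine, since the message is part of what the production code throws. `subjectAlternativeNameHolder` is a mutable fixture shared by all four methods; it works because JUnit creates a fresh instance per test method, but assigning it in a `setUp` or making it a local per test makes that isolation explicit.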
From: circleci Date: Wed, 16 Mar 2022 14:34:24 +0000 Subject: [PATCH 20/31] update versions for 1.0.5-testrelease1 release --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 029b0f1..ad4e385 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.4-VGS-SNAPSHOT + 1.0.5-testrelease1 LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From b464e947e4919c544ea267c841c20264999e7f1e Mon Sep 17 00:00:00 2001 From: circleci Date: Wed, 16 Mar 2022 14:34:55 +0000 Subject: [PATCH 21/31] update for next development version 1.0.6-testrelease1-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ad4e385..4437e00 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.5-testrelease1 + 1.0.6-testrelease1-SNAPSHOT LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From aa761e1f58d4436d378c0084ab0a433f903c2d28 Mon Sep 17 00:00:00 2001 From: kochniev <49079680+kochniev@users.noreply.github.com> Date: Wed, 16 Mar 2022 16:41:53 +0200 Subject: [PATCH 22/31] APPSEC-653, CSL3-1005 - Update fingerprint (#16) --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 6615e14..9d6e377 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -91,7 +91,7 @@ jobs: - <<: *setup-env - add_ssh_keys: fingerprints: - - "3c:54:4d:27:85:f6:b7:19:2e:73:2c:77:89:c1:14:b6" + - "3b:ed:ab:df:96:fb:b2:6c:00:44:ac:3e:3d:ae:72:90" - run: name: Release command: | From bb9c6b956ce5e0e15dd506b6cc8efefc81caf5cd Mon Sep 17 00:00:00 2001 
From: circleci Date: Wed, 16 Mar 2022 14:43:11 +0000 Subject: [PATCH 23/31] update versions for 1.0.5-VGS release --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4437e00..13311ab 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.6-testrelease1-SNAPSHOT + 1.0.5-VGS LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From ad0a1e340295d7c2e7bd52d4d9c61803b6fbf6cf Mon Sep 17 00:00:00 2001 From: circleci Date: Wed, 16 Mar 2022 14:43:41 +0000 Subject: [PATCH 24/31] update for next development version 1.0.6-VGS-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 13311ab..5203cb9 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.5-VGS + 1.0.6-VGS-SNAPSHOT LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From a69e5dd94c9526925fdcff0dc3c0967836c9fe96 Mon Sep 17 00:00:00 2001 From: circleci Date: Thu, 8 Jun 2023 19:33:30 +0000 Subject: [PATCH 25/31] update versions for 1.0.6-VGS release --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 5203cb9..835fdeb 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.6-VGS-SNAPSHOT + 1.0.6-VGS LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From 691aedbd5384fd2ab9edb28b61e3ade75cada3c4 Mon Sep 17 00:00:00 2001 From: circleci Date: Thu, 8 Jun 2023 19:34:11 +0000 Subject: [PATCH 26/31] update for next development version 1.0.7-VGS-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 835fdeb..bc3cc6e 100644 --- a/pom.xml +++ b/pom.xml 
@@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.6-VGS + 1.0.7-VGS-SNAPSHOT LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From 0cbaf1429b4f8d0d3bb5ae5b997792354c396c4d Mon Sep 17 00:00:00 2001 From: kochniev <49079680+kochniev@users.noreply.github.com> Date: Fri, 9 Jun 2023 10:25:50 -0400 Subject: [PATCH 27/31] CSL3-1537 - Update libs (#20) --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index bc3cc6e..db900c8 100644 --- a/pom.xml +++ b/pom.xml @@ -16,9 +16,9 @@ This is an extension module to enable Man-In-The-Middle impersonation for HTTPS. github false - 4.0.36.Final + 4.1.93.Final 1.7.21 - 1.51 + 1.70 1.1.0 4.12 1.0.0.1 From b63d3203a3c6593379718e59fe40e239b7d03ab3 Mon Sep 17 00:00:00 2001 From: circleci Date: Fri, 9 Jun 2023 14:29:35 +0000 Subject: [PATCH 28/31] update versions for 1.0.6-VGS release --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index db900c8..99a1f97 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.7-VGS-SNAPSHOT + 1.0.6-VGS LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From d64ad9ad85aa27cf91f0762654a42e8b4ac7a59d Mon Sep 17 00:00:00 2001 From: circleci Date: Fri, 9 Jun 2023 14:30:01 +0000 Subject: [PATCH 29/31] update for next development version 1.0.7-VGS-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 99a1f97..db900c8 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.6-VGS + 1.0.7-VGS-SNAPSHOT LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From 3d8b2b437c073fa09909c71a7cfc28a604b1f851 Mon Sep 17 00:00:00 2001 
From: circleci Date: Wed, 21 Jun 2023 20:07:57 +0000 Subject: [PATCH 30/31] update versions for 1.0.7-VGS release --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index db900c8..0061580 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.7-VGS-SNAPSHOT + 1.0.7-VGS LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework. From 3931b0aa1ee056d7773668e0b3832b80dd7dc9ab Mon Sep 17 00:00:00 2001 From: circleci Date: Wed, 21 Jun 2023 20:08:28 +0000 Subject: [PATCH 31/31] update for next development version 1.0.8-VGS-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 0061580..30bedf1 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ com.github.ganskef littleproxy-mitm jar - 1.0.7-VGS + 1.0.8-VGS-SNAPSHOT LittleProxy - Man-In-The-Middle LittleProxy is a high performance HTTP proxy written in Java and using the Netty networking framework.