draft impl

Signed-off-by: YanzheL <[email protected]>

Author: YanzheL

dfdaemon/proxy/cert.go

@@ -0,0 +1,71 @@
+/*
+ * Copyright The Dragonfly Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package proxy
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"errors"
+	"math/big"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+type LeafCertSpec struct {
+	publicKey crypto.PublicKey
+
+	privateKey crypto.PrivateKey
+
+	signatureAlgorithm x509.SignatureAlgorithm
+}
+
+func genLeafCert(ca *tls.Certificate, leafCertSpec *LeafCertSpec, commonName string, dnsNames ...string) (*tls.Certificate, error) {
+	now := time.Now().Add(-1 * time.Hour).UTC()
+	if !ca.Leaf.IsCA {
+		return nil, errors.New("CA cert is not a CA")
+	}
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		logrus.Errorf("failed to generate serial number: %s", err)
+		return nil, err
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber:          serialNumber,
+		Subject:               pkix.Name{CommonName: commonName},
+		NotBefore:             now,
+		NotAfter:              now.Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement,
+		BasicConstraintsValid: true,
+		DNSNames:              dnsNames,
+		SignatureAlgorithm:    leafCertSpec.signatureAlgorithm,
+	}
+	newCert, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Leaf, leafCertSpec.publicKey, ca.PrivateKey)
+	if err != nil {
+		logrus.Errorf("failed to generate leaf cert %s", err)
+		return nil, err
+	}
+	cert := new(tls.Certificate)
+	cert.Certificate = append(cert.Certificate, newCert)
+	cert.PrivateKey = leafCertSpec.privateKey
+	cert.Leaf, _ = x509.ParseCertificate(newCert)
+	return cert, nil
+}

dfdaemon/proxy/proxy.go

@@ -18,6 +18,7 @@ package proxy
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
 	"net"
@@ -72,6 +73,11 @@ func WithCertFromFile(certFile, keyFile string) Option {
 			return errors.Wrap(err, "load cert")
 		}
 		logrus.Infof("use self-signed certificate (%s, %s) for https hijacking", certFile, keyFile)
+		leaf, err := x509.ParseCertificate(cert.Certificate[0])
+		if err != nil {
+			return errors.Wrap(err, "load leaf cert")
+		}
+		cert.Leaf = leaf
 		p.cert = &cert
 		return nil
 	}
@@ -314,7 +320,21 @@ func (proxy *Proxy) handleHTTPS(w http.ResponseWriter, r *http.Request) {
 	logrus.Debugln("hijack https request to", r.Host)
 
 	sConfig := new(tls.Config)
-	sConfig.Certificates = []tls.Certificate{*proxy.cert}
+	if proxy.cert.Leaf != nil && proxy.cert.Leaf.IsCA {
+		logrus.Debugf("hijack https request with CA <%s>", proxy.cert.Leaf.Subject.CommonName)
+		leafCertSpec := LeafCertSpec{
+			proxy.cert.Leaf.PublicKey,
+			proxy.cert.PrivateKey,
+			proxy.cert.Leaf.SignatureAlgorithm}
+		host, _, _ := net.SplitHostPort(r.Host)
+		sConfig.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			cConfig.ServerName = hello.ServerName
+			logrus.Debugf("Generate temporal leaf TLS cert for host <%s>", hello.ServerName)
+			return genLeafCert(proxy.cert, &leafCertSpec, hello.ServerName, host)
+		}
+	} else {
+		sConfig.Certificates = []tls.Certificate{*proxy.cert}
+	}
 
 	sConn, err := handshake(w, sConfig)
 	if err != nil {