evil-proxy 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f4c501bef2b64e58b8393c8cc73a6516739f8b87
-  data.tar.gz: 9f8c54251a54e7f68cb47b04363ea746ed0956e1
+  metadata.gz: 53684305896f9e807ca7a800ce16365d1075047b
+  data.tar.gz: 9f3436b932cd284a97d572630b8eef0c82f8ccba
 SHA512:
-  metadata.gz: dc6113ee6f3043cc8ddd8e70dc4423dc717281c5eb589cbc878531fa2019b280b09d1fbb8c9ae789d7b2c1ce8d93d4ad44f061a7c6ff8b67506838c44dc85b4c
-  data.tar.gz: c598d95d33cdbaf4ec131697f3b95015f39f5a31dda3fe8043522d912d9ed9bbf0a0ad903fa51e251def4f3f7829facaa4af45aa4bc20f5873028408312cc8e1
+  metadata.gz: f4ab48b584aedfb81bdd292a29764fbcd17a2b55f91ad648ef1c07f572ccc5a8552bcea270a088c5766dc806bbf6f1243b6d77e0c34e4e9ed9fcc70503ff15f8
+  data.tar.gz: 6f4f16d5c257a680e7e13a6b8090ffa2bc561f324e75e7b29d302ee36f5dcd146ba761333942066042ffdd6af54900b2e34f2e30da7cfe4ead31d7fa9f3852fa

data/.gitignore

@@ -10,6 +10,7 @@ coverage
 doc/
 lib/bundler/man
 pkg
+certs
 rdoc
 spec/reports
 test/tmp

data/README.md

@@ -1,6 +1,6 @@
 # EvilProxy
 
-A ruby http proxy to do :imp: things.
+A ruby http/https proxy, with SSL MITM support to do :imp: things.
 
 ## Installation
 
@@ -18,6 +18,45 @@ Or install it yourself as:
 
 ## Usage
 
+#### MITMProxyServer
+`MITMProxyServer` is a subclass of `HTTPProxyServer`, so it also has the callback & plugin system, this proxy will embed a mini CA, which generates certificates on the fly, so you may need to import the CA certificate (./certs/CA/cacert.pem) into your browser.
+
+```ruby
+require 'evil-proxy'
+
+proxy = EvilProxy::MITMProxyServer.new Port: 8080
+proxy.start
+```
+
+Without import the CA certificate
+```shell
+$ https_proxy=http://localhost:8080 curl https://github.com
+# =>
+# curl: (60) SSL certificate problem: Invalid certificate chain
+# More details here: http://curl.haxx.se/docs/sslcerts.html
+# 
+# curl performs SSL certificate verification by default, using a "bundle"
+#  of Certificate Authority (CA) public keys (CA certs). If the default
+#  bundle file isn't adequate, you can specify an alternate file
+#  using the --cacert option.
+# If this HTTPS server uses a certificate signed by a CA represented in
+#  the bundle, the certificate verification probably failed due to a
+#  problem with the certificate (it might be expired, or the name might
+#  not match the domain name in the URL).
+# If you'd like to turn off curl's verification of the certificate, use
+#  the -k (or --insecure) option.
+```
+
+```shell
+$ https_proxy=http://localhost:8080 curl https://github.com --insecure
+# =>
+# <!DOCTYPE html>
+# <html lang="en" class="">
+# ...
+```
+
+So you can intercept and modify https traffic, ie: requests & responses.
+
 #### Basic usage: hooks
 
 ```ruby

data/bin/evil-proxy

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+
+require 'evil-proxy'
+
+logger = WEBrick::Log.new(nil, 5)
+
+proxy = EvilProxy::MITMProxyServer.new Port: 8080, Logger: logger
+proxy.start

data/evil-proxy.gemspec

@@ -8,8 +8,8 @@ Gem::Specification.new do |spec|
   spec.version       = EvilProxy::VERSION
   spec.authors       = ["Theo"]
   spec.email         = ["bbtfrr@gmail.com"]
-  spec.summary       = %q{A ruby http proxy to do EVIL things.}
-  spec.description   = %q{A ruby http proxy to do EVIL things.}
+  spec.summary       = %q{A ruby http/https proxy to do EVIL things.}
+  spec.description   = %q{A ruby http/https proxy, with SSL MITM support.}
   spec.homepage      = "https://github.com/bbtfr/evil-proxy"
   spec.license       = "MIT"
 
@@ -20,4 +20,5 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler", "~> 1.6"
   spec.add_development_dependency "rake"
+  spec.add_development_dependency "pry-byebug"
 end

data/lib/evil-proxy.rb

@@ -1,5 +1,6 @@
 require "evil-proxy/version"
 require "evil-proxy/httpproxy"
+require "evil-proxy/mitmproxy"
 require "evil-proxy/httprequest"
 
 module EvilProxy

data/lib/evil-proxy/agentproxy.rb

@@ -0,0 +1,54 @@
+require 'webrick'
+require 'webrick/https'
+require 'webrick/httpproxy'
+require 'openssl'
+
+require 'pry-byebug'
+
+class EvilProxy::AgentProxyServer < EvilProxy::HTTPProxyServer
+
+  def initialize_callbacks config
+    @mitm_server = config[:MITMProxyServer]
+  end
+
+  def fire key, *args
+    @mitm_server.fire key, *args, self
+  end
+
+  def perform_proxy_request(req, res)
+    uri = req.request_uri
+    path = uri.path.dup
+    path << "?" << uri.query if uri.query
+    header = Hash.new
+    choose_header(req, header)
+    response = nil
+
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    http.start do
+      if @config[:ProxyTimeout]
+        ##################################   these issues are
+        http.open_timeout = 30   # secs  #   necessary (maybe because
+        http.read_timeout = 60   # secs  #   Ruby's bug, but why?)
+        ##################################
+      end
+
+      response = yield(http, path, header)
+    end
+
+    # Persistent connection requirements are mysterious for me.
+    # So I will close the connection in every response.
+    res['proxy-connection'] = "close"
+    res['connection'] = "close"
+
+    # Convert Net::HTTP::HTTPResponse to WEBrick::HTTPResponse
+    res.status = response.code.to_i
+    choose_header(response, res)
+    set_cookie(response, res)
+    res.body = response.body
+  end
+
+  alias_method :service, :proxy_service
+
+end

data/lib/evil-proxy/httpproxy.rb

@@ -2,12 +2,14 @@ require 'webrick'
 require 'webrick/httpproxy'
 
 class EvilProxy::HTTPProxyServer < WEBrick::HTTPProxyServer
+  attr_reader :callbacks
+
   VALID_CALBACKS = Array.new
   DEFAULT_CALLBACKS = Hash.new
 
-  def initialize *args
-    initialize_callbacks
-    fire :when_initialize, *args
+  def initialize config = {}, default = WEBrick::Config::HTTP
+    initialize_callbacks config
+    fire :when_initialize, config, default
     super
   end
 
@@ -27,7 +29,7 @@ class EvilProxy::HTTPProxyServer < WEBrick::HTTPProxyServer
     end
   end
 
-  def proxy_service req, res
+  def service req, res
     fire :before_request, req
     super
     fire :before_response, req, res
@@ -64,7 +66,7 @@ class EvilProxy::HTTPProxyServer < WEBrick::HTTPProxyServer
   end
 
 private
-  def initialize_callbacks
+  def initialize_callbacks config
     @callbacks = Hash.new
     DEFAULT_CALLBACKS.each do |key, callbacks|
       @callbacks[key] = callbacks.clone

data/lib/evil-proxy/httprequest.rb

@@ -1,11 +1,5 @@
-WEBrick::HTTPRequest.class_eval do
-  alias_method :original_body, :body
-  def body
-    @evil_body || original_body
-  end
-
-  def body= body
-    @evil_body = body
-  end
+require 'webrick/httprequest'
 
+WEBrick::HTTPRequest.class_eval do
+  attr_writer :body, :unparsed_uri
 end

data/lib/evil-proxy/mitmproxy.rb

@@ -0,0 +1,116 @@
+require 'evil-proxy/httpproxy'
+require 'evil-proxy/agentproxy'
+require 'evil-proxy/quickcert'
+
+class EvilProxy::MITMProxyServer < EvilProxy::HTTPProxyServer
+
+  def initialize config
+    super
+    @mitm_servers = {}
+    @mitm_port = 4433
+  end
+
+  def ca
+    return @ca if @ca
+    logger.info "Create CA"
+
+    ca_config = {}
+    ca_config[:hostname] = 'ca'
+    ca_config[:domainname] = 'mitm.proxy'
+    ca_config[:password] = 'password'
+    ca_config[:CA_dir] ||= File.join(Dir.pwd, "certs/CA")
+
+    ca_config[:keypair_file] ||= File.join ca_config[:CA_dir], "private/cakeypair.pem"
+    ca_config[:cert_file] ||= File.join ca_config[:CA_dir], "cacert.pem"
+    ca_config[:serial_file] ||= File.join ca_config[:CA_dir], "serial"
+    ca_config[:new_certs_dir] ||= File.join ca_config[:CA_dir], "newcerts"
+    ca_config[:new_keypair_dir] ||= File.join ca_config[:CA_dir], "private/keypair_backup"
+    ca_config[:crl_dir] ||= File.join ca_config[:CA_dir], "crl"
+
+    ca_config[:ca_cert_days] ||= 5 * 365 # five years
+    ca_config[:ca_rsa_key_length] ||= 2048
+
+    ca_config[:cert_days] ||= 365 # one year
+    ca_config[:cert_key_length_min] ||= 1024
+    ca_config[:cert_key_length_max] ||= 2048
+
+    ca_config[:crl_file] ||= File.join ca_config[:crl_dir], "#{ca_config[:hostname]}.crl"
+    ca_config[:crl_pem_file] ||= File.join ca_config[:crl_dir], "#{ca_config[:hostname]}.pem"
+    ca_config[:crl_days] ||= 14
+
+    if ca_config[:name].nil?
+      ca_config[:name] = [
+        ['C', 'US', OpenSSL::ASN1::PRINTABLESTRING],
+        ['O', ca_config[:domainname], OpenSSL::ASN1::UTF8STRING],
+        ['OU', ca_config[:hostname], OpenSSL::ASN1::UTF8STRING],
+      ]
+    end
+
+    @ca = QuickCert.new ca_config
+  end
+
+  def create_self_signed_cert host
+    cn = [["C", "US"], ["O", host], ["CN", host]]
+    comment = "Generated by Ruby/OpenSSL/MITMProxyServer"
+    name = OpenSSL::X509::Name.new(cn)
+    hostname = name.to_s.scan(/CN=([\w.]+)/)[0][0]
+
+    logger.info "Create cert for #{hostname}"
+    cert_config = { type: 'server', hostname: hostname }
+    cert_file, cert, key = ca.create_cert(cert_config)
+
+    return cert, key
+  end
+
+  def retry_start_agent_server config
+    mitm_server = nil
+    10.times do
+      begin
+        # XXX: ask system for an unused port
+        config = config.merge(Port: @mitm_port)
+        mitm_server = EvilProxy::AgentProxyServer.new config
+      rescue Errno::EADDRINUSE
+      ensure
+        @mitm_port += 1
+        return mitm_server if mitm_server
+      end
+    end
+    raise RuntimeError, "No avaliable port found, stop retrying"
+  end
+
+  def start_mitm_server unparsed_uri, host, port
+    if @mitm_servers[unparsed_uri]
+      return @mitm_servers[unparsed_uri].config[:Port]
+    else
+      cert, key = create_self_signed_cert host
+      agent_config = self.config.merge(
+        MITMProxyServer: self,
+        SSLEnable: true,
+        SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
+        SSLCertificate: cert,
+        SSLPrivateKey: key,
+      )
+      mitm_server = retry_start_agent_server agent_config
+
+      @mitm_servers[unparsed_uri] = mitm_server
+
+      Thread.new do mitm_server.start end
+      return mitm_server.config[:Port]
+    end
+  end
+
+  def do_MITM req, res
+    unparsed_uri = req.unparsed_uri
+    host, port = unparsed_uri.split(":")
+    port ||= 443
+
+    mitm_port = start_mitm_server unparsed_uri, host, port
+    req.unparsed_uri = "127.0.0.1:#{mitm_port}"
+  end
+
+  def do_CONNECT req, res
+    do_MITM req, res
+    super
+  end
+
+end

data/lib/evil-proxy/quickcert.rb

@@ -0,0 +1,349 @@
+require 'openssl'
+# QuickCert from http://segment7.net/projects/ruby/QuickCert/
+# QuickCert allows you to quickly and easily create SSL
+# certificates.  It uses a simple configuration file to generate
+# self-signed client and server certificates.
+#
+# QuickCert is a compilation of NAKAMURA Hiroshi's post to
+# ruby-talk number 89917:
+#
+# http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/89917
+#
+# the example scripts referenced in the above post, and
+# gen_csr.rb from Ruby's OpenSSL examples.
+#
+# A simple QuickCert configuration file looks like:
+#
+#   full_hostname = `hostname`.strip
+#   domainname = full_hostname.split('.')[1..-1].join('.')
+#   hostname = full_hostname.split('.')[0]
+#
+#   CA[:hostname] = hostname
+#   CA[:domainname] = domainname
+#   CA[:CA_dir] = File.join Dir.pwd, "CA"
+#   CA[:password] = '1234'
+#
+#   CERTS << {
+#     :type => 'server',
+#     :hostname => 'uriel',
+#     :password => '5678',
+#   }
+#
+#   CERTS << {
+#     :type => 'client',
+#     :user => 'drbrain',
+#     :email => 'drbrain@segment7.net',
+#   }
+#
+# This configuration will create a Certificate Authority in a
+# 'CA' directory in the current directory, a server certificate
+# with password '5678' for the server 'uriel' in a directory
+# named 'uriel', and a client certificate for drbrain in the
+# directory 'drbrain' with no password.
+#
+# There are additional SSL knobs you can tweak in the
+# qc_defaults.rb file.
+#
+# To generate the certificates, simply create a qc_config file
+# where you want the certificate directories to be created, then
+# run QuickCert.
+#
+# QuickCert's homepage is:
+# http://segment7.net/projects/ruby/QuickCert/
+
+class QuickCert
+
+  ##
+  # QuickCert Version
+
+  VERSION = "1.0.2"
+  CERT_DIR = File.join(Dir.pwd, "certs")
+  Dir.mkdir(CERT_DIR) unless File.exists?(CERT_DIR)
+
+  ##
+  # Creates a new QuickCert instance using the Certificate
+  # Authority described in +ca_config+.  If there is no CA at
+  # ca_config[:CA_dir], then QuickCert will initialize a new one.
+
+  def initialize(ca_config)
+    @ca_config = ca_config
+
+    create_ca
+  end
+
+  ##
+  # Creates a new certificate from +cert_config+ that is signed
+  # by the CA.
+
+  def create_cert(cert_config)
+    dest = cert_config[:hostname] || cert_config[:user]
+    key_file = "#{CERT_DIR}/#{dest}/#{dest}_keypair.pem"
+    cert_file = "#{CERT_DIR}/#{dest}/cert_#{dest}.pem"
+    if File.exists?(cert_file) && File.exists?(key_file)
+      key = OpenSSL::PKey::RSA.new(File.read(key_file))
+      cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
+    else
+      cert_keypair, key = create_key(cert_config)
+      cert_csr = create_csr(cert_config, cert_keypair)
+      cert_file, cert = sign_cert(cert_config, cert_keypair, cert_csr)
+    end
+    return cert_file, cert, key
+  end
+
+  ##
+  # Creates a new Certificate Authority from @ca_config if it
+  # does not already exist at ca_config[:CA_dir].
+
+  def create_ca
+    return if File.exists? @ca_config[:CA_dir]
+
+    Dir.mkdir @ca_config[:CA_dir]
+
+    Dir.mkdir File.join(@ca_config[:CA_dir], 'private'), 0700
+    Dir.mkdir File.join(@ca_config[:CA_dir], 'newcerts')
+    Dir.mkdir File.join(@ca_config[:CA_dir], 'crl')
+
+    File.open @ca_config[:serial_file], 'w' do |f| f << "#{Time.now.to_i}" end
+
+    puts "Generating CA keypair" if $DEBUG
+    keypair = OpenSSL::PKey::RSA.new @ca_config[:ca_rsa_key_length]
+
+    cert = OpenSSL::X509::Certificate.new
+    name = @ca_config[:name].dup << ['CN', 'CA']
+    cert.subject = cert.issuer = OpenSSL::X509::Name.new(name)
+    cert.not_before = Time.now
+    cert.not_after = Time.now + @ca_config[:ca_cert_days] * 24 * 60 * 60
+    cert.public_key = keypair.public_key
+    cert.serial = 0x0
+    cert.version = 2 # X509v3
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = cert
+    cert.extensions = [
+      ef.create_extension("basicConstraints","CA:TRUE", true),
+      ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate"),
+      ef.create_extension("subjectKeyIdentifier", "hash"),
+      ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
+    ]
+    cert.add_extension ef.create_extension("authorityKeyIdentifier",
+                                           "keyid:always,issuer:always")
+    cert.sign(keypair, OpenSSL::Digest::SHA1.new)
+
+    keypair_export = keypair.export(OpenSSL::Cipher::DES.new(:EDE3, :CBC), @ca_config[:password])
+
+    puts "Writing keypair to #{@ca_config[:keypair_file]}" if $DEBUG
+    File.open @ca_config[:keypair_file], "w", 0400 do |fp|
+      fp << keypair_export
+    end
+
+    puts "Writing cert to #{@ca_config[:cert_file]}" if $DEBUG
+    File.open @ca_config[:cert_file], "w", 0644 do |f|
+      f << cert.to_pem
+    end
+
+    puts "Done generating certificate for #{cert.subject}" if $DEBUG
+  end
+
+  ##
+  # Creates a new RSA key from +cert_config+.
+
+  def create_key(cert_config)
+    dest = cert_config[:hostname] || cert_config[:user]
+    keypair_file = "#{CERT_DIR}/#{dest}/#{dest}_keypair.pem"
+    if File.exists?(keypair_file)
+      keypair = OpenSSL::PKey::RSA.new(File.read(keypair_file),
+                                       cert_config[:password])
+      return keypair_file, keypair
+    end
+    Dir.mkdir("#{CERT_DIR}/#{dest}", 0700) unless File.exists?("#{CERT_DIR}/#{dest}")
+
+    puts "Generating RSA keypair" if $DEBUG
+    keypair = OpenSSL::PKey::RSA.new 1024
+
+    if cert_config[:password].nil? then
+      File.open keypair_file, "w", 0400 do |f|
+        f << keypair.to_pem
+      end
+    else
+      keypair_export = keypair.export(OpenSSL::Cipher::DES.new(:EDE3, :CBC),
+                                      cert_config[:password])
+
+      puts "Writing keypair to #{keypair_file}" if $DEBUG
+      File.open keypair_file, "w", 0400 do |f|
+        f << keypair_export
+      end
+    end
+
+    return keypair_file, keypair
+  end
+
+  ##
+  # Creates a new Certificate Signing Request for the keypair in
+  # +keypair_file+, generating and saving new keypair if nil.
+
+  def create_csr(cert_config, keypair_file = nil)
+    keypair = nil
+    dest = cert_config[:hostname] || cert_config[:user]
+    csr_file = "#{CERT_DIR}/#{dest}/csr_#{dest}.pem"
+
+    name = @ca_config[:name].dup
+    case cert_config[:type]
+    when 'server' then
+      name << ['OU', 'CA']
+      name << ['CN', cert_config[:hostname]]
+    when 'client' then
+      name << ['CN', cert_config[:user]]
+      name << ['emailAddress', cert_config[:email]]
+    end
+    name = OpenSSL::X509::Name.new name
+
+    if File.exists? keypair_file then
+      keypair = OpenSSL::PKey::RSA.new(File.read(keypair_file),
+                                       cert_config[:password])
+    else
+      keypair = create_key cert_config
+    end
+
+    puts "Generating CSR for #{name}" if $DEBUG
+
+    req = OpenSSL::X509::Request.new
+    req.version = 0
+    req.subject = name
+    req.public_key = keypair.public_key
+    req.sign keypair, OpenSSL::Digest::MD5.new
+
+    puts "Writing CSR to #{csr_file}" if $DEBUG
+    File.open csr_file, "w" do |f|
+      f << req.to_pem
+    end
+
+    return csr_file
+  end
+
+  ##
+  # Signs the certificate described in +cert_config+ and
+  # +csr_file+, saving it to +cert_file+.
+
+  def sign_cert(cert_config, cert_file, csr_file)
+    csr = OpenSSL::X509::Request.new File.read(csr_file)
+
+    raise "CSR sign verification failed." unless csr.verify csr.public_key
+
+    if csr.public_key.n.num_bits < @ca_config[:cert_key_length_min] then
+      raise "Key length too short"
+    end
+
+    if csr.public_key.n.num_bits > @ca_config[:cert_key_length_max] then
+      raise "Key length too long"
+    end
+
+    if csr.subject.to_a[0, @ca_config[:name].size] != @ca_config[:name] then
+      raise "DN does not match"
+    end
+
+    # Only checks signature here.  You must verify CSR according to your
+    # CP/CPS.
+
+    # CA setup
+
+    puts "Reading CA cert from #{@ca_config[:cert_file]}" if $DEBUG
+    ca = OpenSSL::X509::Certificate.new File.read(@ca_config[:cert_file])
+
+    puts "Reading CA keypair from #{@ca_config[:keypair_file]}" if $DEBUG
+    ca_keypair = OpenSSL::PKey::RSA.new File.read(@ca_config[:keypair_file]),
+                                        @ca_config[:password]
+
+    serial = File.read(@ca_config[:serial_file]).chomp.hex
+    File.open @ca_config[:serial_file], "w" do |f|
+      f << "%04X" % (serial + 1)
+    end
+
+    puts "Generating cert" if $DEBUG
+
+    cert = OpenSSL::X509::Certificate.new
+    from = Time.now
+    cert.subject = csr.subject
+    cert.issuer = ca.subject
+    cert.not_before = from
+    cert.not_after = from + @ca_config[:cert_days] * 24 * 60 * 60
+    cert.public_key = csr.public_key
+    cert.serial = serial
+    cert.version = 2 # X509v3
+
+    basic_constraint = nil
+    key_usage = []
+    ext_key_usage = []
+
+    case cert_config[:type]
+    when "ca" then
+      basic_constraint = "CA:TRUE"
+      key_usage << "cRLSign" << "keyCertSign"
+    when "terminalsubca" then
+      basic_constraint = "CA:TRUE,pathlen:0"
+      key_usage << "cRLSign" << "keyCertSign"
+    when "server" then
+      basic_constraint = "CA:FALSE"
+      key_usage << "digitalSignature" << "keyEncipherment"
+      ext_key_usage << "serverAuth"
+    when "ocsp" then
+      basic_constraint = "CA:FALSE"
+      key_usage << "nonRepudiation" << "digitalSignature"
+      ext_key_usage << "serverAuth" << "OCSPSigning"
+    when "client" then
+      basic_constraint = "CA:FALSE"
+      key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+      ext_key_usage << "clientAuth" << "emailProtection"
+    else
+      raise "unknonw cert type \"#{cert_config[:type]}\""
+    end
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = ca
+    ex = []
+    ex << ef.create_extension("basicConstraints", basic_constraint, true)
+    ex << ef.create_extension("nsComment",
+                              "Ruby/OpenSSL Generated Certificate")
+    ex << ef.create_extension("subjectKeyIdentifier", "hash")
+    #ex << ef.create_extension("nsCertType", "client,email")
+    unless key_usage.empty? then
+      ex << ef.create_extension("keyUsage", key_usage.join(","))
+    end
+    #ex << ef.create_extension("authorityKeyIdentifier",
+    #                          "keyid:always,issuer:always")
+    #ex << ef.create_extension("authorityKeyIdentifier", "keyid:always")
+    unless ext_key_usage.empty? then
+      ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(","))
+    end
+
+    if @ca_config[:cdp_location] then
+      ex << ef.create_extension("crlDistributionPoints",
+                                @ca_config[:cdp_location])
+    end
+
+    if @ca_config[:ocsp_location] then
+      ex << ef.create_extension("authorityInfoAccess",
+                                "OCSP;" << @ca_config[:ocsp_location])
+    end
+    cert.extensions = ex
+    cert.sign(ca_keypair, OpenSSL::Digest::SHA1.new)
+
+    backup_cert_file = @ca_config[:new_certs_dir] + "/cert_#{cert.serial}.pem"
+    puts "Writing backup cert to #{backup_cert_file}" if $DEBUG
+    File.open backup_cert_file, "w", 0644 do |f|
+      f << cert.to_pem
+    end
+
+    # Write cert
+    dest = cert_config[:hostname] || cert_config[:user]
+    cert_file = "#{CERT_DIR}/#{dest}/cert_#{dest}.pem"
+    puts "Writing cert to #{cert_file}" if $DEBUG
+    File.open cert_file, "w", 0644 do |f|
+      f << cert.to_pem
+    end
+
+    return cert_file, cert
+  end
+
+end # class QuickCert

data/lib/evil-proxy/version.rb

@@ -1,3 +1,3 @@
 module EvilProxy
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: evil-proxy
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Theo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-05 00:00:00.000000000 Z
+date: 2015-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -38,10 +38,25 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: A ruby http proxy to do EVIL things.
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A ruby http/https proxy, with SSL MITM support.
 email:
 - bbtfrr@gmail.com
-executables: []
+executables:
+- evil-proxy
 extensions: []
 extra_rdoc_files: []
 files:
@@ -50,11 +65,15 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- bin/evil-proxy
 - evil-proxy.gemspec
 - lib/evil-proxy.rb
+- lib/evil-proxy/agentproxy.rb
 - lib/evil-proxy/async.rb
 - lib/evil-proxy/httpproxy.rb
 - lib/evil-proxy/httprequest.rb
+- lib/evil-proxy/mitmproxy.rb
+- lib/evil-proxy/quickcert.rb
 - lib/evil-proxy/selenium.rb
 - lib/evil-proxy/store.rb
 - lib/evil-proxy/version.rb
@@ -81,5 +100,5 @@ rubyforge_project:
 rubygems_version: 2.4.6
 signing_key: 
 specification_version: 4
-summary: A ruby http proxy to do EVIL things.
+summary: A ruby http/https proxy to do EVIL things.
 test_files: []