I'm creating an antivirus for a project at the Institute. As part of the project, I am trying to create a proxy server that can intercept https data. To do this, I created a CA certificate and attached it to the Firefox and Windows storage. It was created using:
from OpenSSL import crypto
import os
KEY_FILE = "self_sertificate.key"
CERT_FILE = "self_sertificate.crt"
def get_self_sert():
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.set_version(2)
cert.get_subject().C = "US"
cert.get_subject().ST = "State"
cert.get_subject().L = "City"
cert.get_subject().O = "Organization"
cert.get_subject().OU = "Organization CA"
cert.get_subject().CN = "Organization CA"
cert.set_serial_number(24695562)
cert.add_extensions([
crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),
])
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
return cert,k
def create_self_signed_cert(dir='\\cert'):
cert,k = get_self_sert()
with open(os.path.join(os.getcwd() + dir, CERT_FILE), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(os.path.join(os.getcwd() + dir, KEY_FILE), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
The creation of the subsequent certificates:
def create_cert_req(url):
pKey = crypto.PKey()
pKey.generate_key(crypto.TYPE_RSA, 2048)
req = crypto.X509Req()
subj = req.get_subject()
subj.C = 'US'
subj.ST = 'State'
subj.L = 'City'
subj.O = 'Organization'
subj.OU = 'Organization CA'
subj.CN = url
subj.emailAddress = '[email protected]'
req.set_pubkey(pKey)
req.sign(pKey,'sha256')
return req
def create_signed_cert_demo(url,serial=106570068,dir='\\lib\\cert\\',cert_name=str(random.randint(100000,1000000))):
req = create_cert_req(url)
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.getcwd() + dir + CERT_FILE).read())
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.getcwd() + dir + KEY_FILE).read())
cert = crypto.X509()
cert.set_version(2)
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(ca_cert.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, b"DNS:" + url.encode())])
cert.sign(ca_key,'sha256')
with open(os.path.join(os.getcwd() + dir, cert_name+'.crt'), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(os.path.join(os.getcwd() + dir, cert_name+'.key'), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM,cert.get_pubkey()))
return cert_name+'.crt',cert_name+'.key'
Then a proxy was created that accepts https connections and creates new certificates:
cert_crt,cert_key = certificate.create_signed_cert_demo(headers['host']) # Calling the function that creates the certificate
print('\\lib\\cert\\'+cert_crt)
print('\\lib\\cert\\'+cert_key)
conn = ssl.wrap_socket(conn,server_side=True,certfile=os.getcwd() +'\\lib\\cert\\'+cert_crt,keyfile=os.getcwd() +'\\lib\\cert\\'+cert_key)
data = conn.recv(1024)
when I go to http sites through the browser, my proxy works fine, but when I go to an https site, an error appears:
Firefox:
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
Chrome:
ERR_CERT_AUTHORITY_INVALID
Error in Python:
File "Proxy.py", line 102, in <module>
conn.start()
File "Proxy.py", line 52, in start
conn = ssl.wrap_socket(conn,server_side=True,certfile=os.getcwd() +'\\lib\\cert\\'+cert_crt,keyfile=os.getcwd() +'\\lib\\cert\\'+cert_key)
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1405, in wrap_socket
return context.wrap_socket(
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1040, in _create
self.do_handshake()
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1108)
Examples of certificates: CA
-----BEGIN CERTIFICATE-----
MIIDoTCCAomgAwIBAgIEAXjTCjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2Fu
aXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYDVQQDDA9Pcmdh
bml6YXRpb24gQ0EwHhcNMjAwNjMwMDYxODAzWhcNMzAwNjI4MDYxODAzWjB3MQsw
CQYDVQQGEwJVUzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNV
BAoMDE9yZ2FuaXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYD
VQQDDA9Pcmdhbml6YXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCywk1rl4sltY6c3yfLVplhYjCkXHsZIUsTxr58rdX6igKiY6iNuSE5mhAo
dT/im0sTuFbn7EK4iopjlAqOJ0zo6abp2pkD2aCG2OC+3tl0brzim7yeG4TtPY/A
HoWh/Ax3csrGgVxWQjjNDJTgDqiC6u3rP75JjF0dqyF+0XyPOK+IjrKzzFDyTsI9
vC+rSGEi78Lo0x+Gx5FGBdaZXP8nMRaaTDagWTI37dijb0Cx2BaRxeQUUqX7tp/W
ilGxb5swu0/CLKDv9k0IPeqiMax/YFZTjg9efUkUBtT4nTJi4QXkwAv1sF9InmMm
/kVcihVvtic+lCbDvGKbheY9XcrvAgMBAAGjNTAzMBIGA1UdEwEB/wQIMAYBAf8C
AQAwHQYDVR0OBBYEFNo5o+5ea0sNMlW/75VgGJCv2AcJMA0GCSqGSIb3DQEBCwUA
A4IBAQB2s+HyTJN0M83Ovvyl8TAOI1jDRHqe48mWSYgBTEge7kSu/BwIdfz3W/S2
M2MN8kdm0T8s0+s2Hqwo5kgfoI2QVahNB0gHhycE+Pnmvey6rfgvaRzCU1UvnLJu
PhSJaAth0IOVifcfCIWdVSVwRslJPwr/VkSR8al6bMA9ZVQ2lcw8NqtHZkVDFidZ
GdJefC9cS+M+1B9T/uR+cXJTBTdOKzwilwLFwP5NoPdQEg3OgFjWWaYyvdMM/DLO
YSqn/Uuc7+eJfFPPLgai1Rgkx912HWvQz/C8R3UHopii/789AfnWp3Nq7wNjAITK
lgjuq1T/u7kCvn9sBzBFUlN7akCT
-----END CERTIFICATE-----
example.org
-----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIEBlohVDANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2Fu
aXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYDVQQDDA9Pcmdh
bml6YXRpb24gQ0EwHhcNMjAwNjMwMDYzMDA3WhcNMzAwNjI4MDYzMDA3WjCBlzEL
MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYD
VQQKDAxPcmdhbml6YXRpb24xGDAWBgNVBAsMD09yZ2FuaXphdGlvbiBDQTEUMBIG
A1UEAwwLZXhhbXBsZS5vcmcxIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBs
ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCbPNPw/IdWx67
aY8H6ODRhxum/sdll9PjYgkrvGbJoERPUthaON/MaIMAHZXuqnXITwYL3FgFzZ/f
YlbCWoTapT/+N9/jnjR0XZEhIBubK+Asgy/pmQ5Nq0bjT7agMhp5z4eqKjXgziNf
6BdPdb5MDXIlvZ50Nm3b6wTx16yCvZ1tcCnkv+8vj/ADcq5/soPI/pI0mBv/MTI/
AzAC0OvAMXEoG2KX2GHl8F3CA+4PnsUnhY7PBJJ8XuG9tmbgD5zDUe9v4KmwIw7H
L6oMc8Dij+Z1gU7zCKyTMyuiS0yoIziPixFGY7ApVkr7LVF1z0y0snZffDdMrFnP
Zrg64D/FAgMBAAGjGjAYMBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMA0GCSqGSIb3
DQEBCwUAA4IBAQB6fRWks0FanwRVBsTVHpAJmoUSVf7PxyhH+/ZXJx5L74wT587B
sbjefwFlDMHimsyFHJxLBK7A/HPbkbNIioW2rmBHdipTSs4s6X/wQTJjLt9YvCs6
l4LzZ5Iqs68PvkgVMRkbOZKbPbIBEW2qe2zg++BB3ye9EWhE/jGa338+RvwzwnVn
f8EV1KIKtK9p9rUQPaY/ipV+8E74oDoL0Hk/M4qobjpCJEQzI/triORzDefdjZ50
UVpVbsOMjtlhymUon/h8OluwY0to/ehjs1RD6KIxZ6sjK0cERMotSSzYnlQh7xW8
8ZxXEYF2jVJkqSLnW9QDrK6tGZJ/MbeRqJKc
-----END CERTIFICATE-----
It turned out that browsers remember certificates within a single session. To solve the problem, you need to save the certificates and use them. Updated the function create_signed_cert_demo:
def create_signed_cert_demo(url,serial=random.randint(1,100000000),dir='\\lib\\cert\\',cert_name=str(random.randint(100000,1000000))):
dir_list = os.listdir(os.getcwd() + dir)
if url + '.crt' in dir_list:
return url + '.crt', url + '.key'
req = create_cert_req(url)
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.getcwd() + dir + CERT_FILE).read())
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.getcwd() + dir + KEY_FILE).read())
cert = crypto.X509()
cert.set_version(2)
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(ca_cert.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, b"DNS:" + url.encode())])
cert.sign(ca_key,'sha256')
with open(os.path.join(os.getcwd() + dir, url+'.crt'), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(os.path.join(os.getcwd() + dir, url+'.key'), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM,cert.get_pubkey()))
return url+'.crt',url+'.key'