(privkey, cacert, commonname, sans)
| 12 | |
| 13 | |
def monkey_dummy_cert(privkey, cacert, commonname, sans):
    """Build a deliberately flawed leaf certificate for pinning/validation checks.

    Replacement for the proxy's own dummy-certificate generator (presumably
    monkeypatched over it by the addon that installs it -- confirm with the
    caller). Depending on the addon options the certificate is made invalid in
    one of several ways, so that a client which validates correctly refuses it:

    * ``ctx.options.certwrongCN``: a trailing ``b"m"`` is appended to the
      CommonName and to every DNS subjectAltName, so neither matches the
      requested host.
    * ``ctx.options.certbeginon``: ``notBefore`` is set 48 h in the future
      (otherwise 48 h in the past).
    * ``ctx.options.certexpire``: ``notAfter`` is set 24 h in the past
      (otherwise three years ahead).

    Args:
        privkey: key used to sign the certificate (passed to ``X509.sign``).
        cacert: issuing certificate; its subject becomes the issuer and its
            public key is copied into the new certificate.
        commonname: bytes CommonName, or ``None``. Only set when shorter than
            64 bytes (RFC 5280 ``ub-common-name``).
        sans: iterable of bytes host names / IP literals for subjectAltName.

    Returns:
        The signed certificate wrapped in ``Cert``.
    """
    # Suffix appended to the CN and to DNS SANs when the "wrong CN" option is on.
    mangle = b"m" if ctx.options.certwrongCN else b""

    def san_entry(raw):
        # IP literals become "IP:" entries; anything else is treated as a DNS
        # name and mangled. UnicodeDecodeError is a ValueError, so non-ASCII
        # input also lands in the DNS branch.
        try:
            ipaddress.ip_address(raw.decode("ascii"))
        except ValueError:
            return (b"DNS:%s" % raw) + mangle
        return b"IP:%s" % raw

    alt_names = b", ".join(san_entry(raw) for raw in sans)

    two_days = 48 * 3600
    one_day = 24 * 3600
    three_years = 94608000  # 3 * 365 * 24 * 3600

    cert = OpenSSL.crypto.X509()
    # Not-yet-valid certificate when certbeginon is set, otherwise back-dated.
    cert.gmtime_adj_notBefore(two_days if ctx.options.certbeginon else -two_days)
    # Already-expired certificate when certexpire is set.
    cert.gmtime_adj_notAfter(-one_day if ctx.options.certexpire else three_years)

    cert.set_issuer(cacert.get_subject())
    # ub-common-name is 64 (RFC 5280 appendix A); longer names are left unset.
    if commonname is not None and len(commonname) < 64:
        cert.get_subject().CN = commonname + mangle

    # Serial derived from the clock; two calls within 100 µs would collide,
    # which is acceptable for a throwaway test certificate.
    cert.set_serial_number(int(time.time() * 10000))
    if alt_names:
        # subjectAltName is a v3 extension; X509 versions are zero-based.
        cert.set_version(2)
        san_ext = OpenSSL.crypto.X509Extension(b"subjectAltName", False, alt_names)
        cert.add_extensions([san_ext])
    cert.set_pubkey(cacert.get_pubkey())
    cert.sign(privkey, "sha256")
    return Cert(cert)
| 62 | |
| 63 | |
| 64 | class CheckSSLPinning: |