net.lightbody.bmp.mitm.exception.MitmException Java Examples

The following examples show how to use net.lightbody.bmp.mitm.exception.MitmException. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: ImpersonatingMitmManager.java    From CapturePacket with MIT License 6 votes vote down vote up
@Override
public SSLEngine serverSslEngine(String peerHost, int peerPort) {
    try {
        SSLEngine sslEngine = upstreamServerSslContext.get().newEngine(ByteBufAllocator.DEFAULT, peerHost, peerPort);

        // support SNI by setting the endpoint identification algorithm. this requires Java 7+.
        SSLParameters sslParams = new SSLParameters();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
        }
        sslEngine.setSSLParameters(sslParams);

        return sslEngine;
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to upstream server: " + peerHost + ":" + peerPort, e);
    }
}
 
Example #2
Source File: ImpersonatingMitmManager.java    From Dream-Catcher with MIT License 6 votes vote down vote up
@Override
public SSLEngine serverSslEngine(String peerHost, int peerPort) {
    try {
        SSLEngine sslEngine = upstreamServerSslContext.get().newEngine(ByteBufAllocator.DEFAULT, peerHost, peerPort);

        // support SNI by setting the endpoint identification algorithm. this requires Java 7+.
        SSLParameters sslParams = new SSLParameters();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
        }
        sslEngine.setSSLParameters(sslParams);

        return sslEngine;
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to upstream server: " + peerHost + ":" + peerPort, e);
    }
}
 
Example #3
Source File: ImpersonatingMitmManager.java    From AndroidHttpCapture with MIT License 6 votes vote down vote up
@Override
public SSLEngine serverSslEngine(String peerHost, int peerPort) {
    try {
        SSLEngine sslEngine = upstreamServerSslContext.get().newEngine(ByteBufAllocator.DEFAULT, peerHost, peerPort);

        // support SNI by setting the endpoint identification algorithm. this requires Java 7+.
        SSLParameters sslParams = new SSLParameters();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
        }
        sslEngine.setSSLParameters(sslParams);

        return sslEngine;
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to upstream server: " + peerHost + ":" + peerPort, e);
    }
}
 
Example #4
Source File: ImpersonatingMitmManager.java    From CapturePacket with MIT License 5 votes vote down vote up
@Override
public SSLEngine serverSslEngine() {
    try {
        SSLEngine sslEngine = upstreamServerSslContext.get().newEngine(ByteBufAllocator.DEFAULT);

        return sslEngine;
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to upstream server", e);
    }
}
 
Example #5
Source File: ImpersonatingMitmManager.java    From CapturePacket with MIT License 5 votes vote down vote up
@Override
public SSLEngine clientSslEngineFor(HttpRequest httpRequest, SSLSession sslSession) {
    String requestedHostname = HttpUtil.getHostFromRequest(httpRequest);

    try {
        SslContext ctx = getHostnameImpersonatingSslContext(requestedHostname, sslSession);

        return ctx.newEngine(ByteBufAllocator.DEFAULT);
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to client to impersonate upstream host: " + requestedHostname, e);
    }
}
 
Example #6
Source File: ImpersonatingMitmManager.java    From Dream-Catcher with MIT License 5 votes vote down vote up
@Override
public SSLEngine serverSslEngine() {
    try {
        SSLEngine sslEngine = upstreamServerSslContext.get().newEngine(ByteBufAllocator.DEFAULT);

        return sslEngine;
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to upstream server", e);
    }
}
 
Example #7
Source File: ImpersonatingMitmManager.java    From Dream-Catcher with MIT License 5 votes vote down vote up
@Override
public SSLEngine clientSslEngineFor(HttpRequest httpRequest, SSLSession sslSession) {
    String requestedHostname = HttpUtil.getHostFromRequest(httpRequest);

    try {
        SslContext ctx = getHostnameImpersonatingSslContext(requestedHostname, sslSession);

        return ctx.newEngine(ByteBufAllocator.DEFAULT);
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to client to impersonate upstream host: " + requestedHostname, e);
    }
}
 
Example #8
Source File: ImpersonatingMitmManager.java    From AndroidHttpCapture with MIT License 5 votes vote down vote up
@Override
public SSLEngine serverSslEngine() {
    try {
        SSLEngine sslEngine = upstreamServerSslContext.get().newEngine(ByteBufAllocator.DEFAULT);

        return sslEngine;
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to upstream server", e);
    }
}
 
Example #9
Source File: ImpersonatingMitmManager.java    From AndroidHttpCapture with MIT License 5 votes vote down vote up
@Override
public SSLEngine clientSslEngineFor(HttpRequest httpRequest, SSLSession sslSession) {
    String requestedHostname = HttpUtil.getHostFromRequest(httpRequest);

    try {
        SslContext ctx = getHostnameImpersonatingSslContext(requestedHostname, sslSession);

        return ctx.newEngine(ByteBufAllocator.DEFAULT);
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to client to impersonate upstream host: " + requestedHostname, e);
    }
}
 
Example #10
Source File: ImpersonatingMitmManager.java    From CapturePacket with MIT License 4 votes vote down vote up
/**
 * Generates an {@link SslContext} using an impersonated certificate containing the information in the specified
 * certificateInfo.
 *
 * @param certificateInfo certificate information to impersonate
 * @return an SslContext that will present the impersonated certificate to the client
 */
private SslContext createImpersonatingSslContext(CertificateInfo certificateInfo) {
    long impersonationStart = System.currentTimeMillis();

    // generate a public and private key pair for the forged certificate. the SslContext will send the impersonated certificate to clients
    // to impersonate the real upstream server, and will use the private key to encrypt the channel.
    KeyPair serverKeyPair = serverKeyGenerator.generate();

    // get the CA root certificate and private key that will be used to sign the forged certificate
    X509Certificate caRootCertificate = rootCertificate.get().getCertificate();
    PrivateKey caPrivateKey = rootCertificate.get().getPrivateKey();
    if (caRootCertificate == null || caPrivateKey == null) {
        throw new IllegalStateException("A CA root certificate and private key are required to sign a server certificate. Root certificate was: "
                + caRootCertificate + ". Private key was: " + caPrivateKey);
    }

    // determine if the server private key was signed with an RSA private key. though TLS no longer requires the server
    // certificate to use the same private key type as the root certificate, Java bug JDK-8136442 prevents Java from creating a opening an SSL socket
    // if the CA and server certificates are not of the same type. see https://bugs.openjdk.java.net/browse/JDK-8136442
    // note this only applies to RSA CAs signing EC server certificates; Java seems to properly handle EC CAs signing
    // RSA server certificates.
    if (EncryptionUtil.isEcKey(serverKeyPair.getPrivate()) && EncryptionUtil.isRsaKey(caPrivateKey)) {
        log.warn("CA private key is an RSA key and impersonated server private key is an Elliptic Curve key. JDK bug 8136442 may prevent the proxy server from creating connections to clients due to 'no cipher suites in common'.");
    }

    // create the forged server certificate and sign it with the root certificate and private key
    CertificateAndKey impersonatedCertificateAndKey = securityProviderTool.createServerCertificate(
            certificateInfo,
            caRootCertificate,
            caPrivateKey,
            serverKeyPair,
            serverCertificateMessageDigest);

    X509Certificate[] certChain = {impersonatedCertificateAndKey.getCertificate(), caRootCertificate};
    SslContext sslContext;
    try {
        sslContext = SslContextBuilder.forServer(impersonatedCertificateAndKey.getPrivateKey(), certChain)
                .ciphers(clientCipherSuites, SupportedCipherSuiteFilter.INSTANCE)
                .build();

    } catch (SSLException e) {
        throw new MitmException("Error creating SslContext for connection to client using impersonated certificate and private key", e);
    }

    long impersonationFinish = System.currentTimeMillis();

    statistics.certificateCreated(impersonationStart, impersonationFinish);

    log.debug("Impersonated certificate for {} in {}ms", certificateInfo.getCommonName(), impersonationFinish - impersonationStart);

    return sslContext;
}
 
Example #11
Source File: ImpersonatingMitmManager.java    From Dream-Catcher with MIT License 4 votes vote down vote up
/**
 * Generates an {@link SslContext} using an impersonated certificate containing the information in the specified
 * certificateInfo.
 *
 * @param certificateInfo certificate information to impersonate
 * @return an SslContext that will present the impersonated certificate to the client
 */
private SslContext createImpersonatingSslContext(CertificateInfo certificateInfo) {
    long impersonationStart = System.currentTimeMillis();

    // generate a public and private key pair for the forged certificate. the SslContext will send the impersonated certificate to clients
    // to impersonate the real upstream server, and will use the private key to encrypt the channel.
    KeyPair serverKeyPair = serverKeyGenerator.generate();

    // get the CA root certificate and private key that will be used to sign the forced certificate
    X509Certificate caRootCertificate = rootCertificate.get().getCertificate();
    PrivateKey caPrivateKey = rootCertificate.get().getPrivateKey();
    if (caRootCertificate == null || caPrivateKey == null) {
        throw new IllegalStateException("A CA root certificate and private key are required to sign a server certificate. Root certificate was: "
                + caRootCertificate + ". Private key was: " + caPrivateKey);
    }

    // determine if the server private key was signed with an RSA private key. though TLS no longer requires the server
    // certificate to use the same private key type as the root certificate, Java bug JDK-8136442 prevents Java from creating a opening an SSL socket
    // if the CA and server certificates are not of the same type. see https://bugs.openjdk.java.net/browse/JDK-8136442
    // note this only applies to RSA CAs signing EC server certificates; Java seems to properly handle EC CAs signing
    // RSA server certificates.
    if (EncryptionUtil.isEcKey(serverKeyPair.getPrivate()) && EncryptionUtil.isRsaKey(caPrivateKey)) {
        log.warn("CA private key is an RSA key and impersonated server private key is an Elliptic Curve key. JDK bug 8136442 may prevent the proxy server from creating connections to clients due to 'no cipher suites in common'.");
    }

    // create the forged server certificate and sign it with the root certificate and private key
    CertificateAndKey impersonatedCertificateAndKey = securityProviderTool.createServerCertificate(
            certificateInfo,
            caRootCertificate,
            caPrivateKey,
            serverKeyPair,
            serverCertificateMessageDigest);

    X509Certificate[] certChain = {impersonatedCertificateAndKey.getCertificate(), caRootCertificate};
    SslContext sslContext;
    try {
        sslContext = SslContextBuilder.forServer(impersonatedCertificateAndKey.getPrivateKey(), certChain)
                .ciphers(clientCipherSuites, SupportedCipherSuiteFilter.INSTANCE)
                .build();

    } catch (SSLException e) {
        throw new MitmException("Error creating SslContext for connection to client using impersonated certificate and private key", e);
    }

    long impersonationFinish = System.currentTimeMillis();

    statistics.certificateCreated(impersonationStart, impersonationFinish);

    log.debug("Impersonated certificate for {} in {}ms", certificateInfo.getCommonName(), impersonationFinish - impersonationStart);

    return sslContext;
}
 
Example #12
Source File: ImpersonatingMitmManager.java    From AndroidHttpCapture with MIT License 4 votes vote down vote up
/**
 * Generates an {@link SslContext} using an impersonated certificate containing the information in the specified
 * certificateInfo.
 *
 * @param certificateInfo certificate information to impersonate
 * @return an SslContext that will present the impersonated certificate to the client
 */
private SslContext createImpersonatingSslContext(CertificateInfo certificateInfo) {
    long impersonationStart = System.currentTimeMillis();

    // generate a public and private key pair for the forged certificate. the SslContext will send the impersonated certificate to clients
    // to impersonate the real upstream server, and will use the private key to encrypt the channel.
    KeyPair serverKeyPair = serverKeyGenerator.generate();

    // get the CA root certificate and private key that will be used to sign the forged certificate
    X509Certificate caRootCertificate = rootCertificate.get().getCertificate();
    PrivateKey caPrivateKey = rootCertificate.get().getPrivateKey();
    if (caRootCertificate == null || caPrivateKey == null) {
        throw new IllegalStateException("A CA root certificate and private key are required to sign a server certificate. Root certificate was: "
                + caRootCertificate + ". Private key was: " + caPrivateKey);
    }

    // determine if the server private key was signed with an RSA private key. though TLS no longer requires the server
    // certificate to use the same private key type as the root certificate, Java bug JDK-8136442 prevents Java from creating a opening an SSL socket
    // if the CA and server certificates are not of the same type. see https://bugs.openjdk.java.net/browse/JDK-8136442
    // note this only applies to RSA CAs signing EC server certificates; Java seems to properly handle EC CAs signing
    // RSA server certificates.
    if (EncryptionUtil.isEcKey(serverKeyPair.getPrivate()) && EncryptionUtil.isRsaKey(caPrivateKey)) {
        log.warn("CA private key is an RSA key and impersonated server private key is an Elliptic Curve key. JDK bug 8136442 may prevent the proxy server from creating connections to clients due to 'no cipher suites in common'.");
    }

    // create the forged server certificate and sign it with the root certificate and private key
    CertificateAndKey impersonatedCertificateAndKey = securityProviderTool.createServerCertificate(
            certificateInfo,
            caRootCertificate,
            caPrivateKey,
            serverKeyPair,
            serverCertificateMessageDigest);

    X509Certificate[] certChain = {impersonatedCertificateAndKey.getCertificate(), caRootCertificate};
    SslContext sslContext;
    try {
        sslContext = SslContextBuilder.forServer(impersonatedCertificateAndKey.getPrivateKey(), certChain)
                .ciphers(clientCipherSuites, SupportedCipherSuiteFilter.INSTANCE)
                .build();

    } catch (SSLException e) {
        throw new MitmException("Error creating SslContext for connection to client using impersonated certificate and private key", e);
    }

    long impersonationFinish = System.currentTimeMillis();

    statistics.certificateCreated(impersonationStart, impersonationFinish);

    log.debug("Impersonated certificate for {} in {}ms", certificateInfo.getCommonName(), impersonationFinish - impersonationStart);

    return sslContext;
}