1、增加tsg diagnose 执行proxy policy时校验证书 2、修改badssl签发证书的时间

2020-09-07 14:07:11 +08:00
parent 9c3d3bbbf7
commit 2642f4ac56
2 changed files with 29 additions and 2 deletions
--- a/badssl.com/certs/Makefile
+++ b/badssl.com/certs/Makefile
@@ -14,7 +14,7 @@

 D = badssl.com
 MAIN_CERT_TYPE = rsa2048
-DAYS_DEFAULT = 730
+DAYS_DEFAULT = 3650
 HASH_DEFAULT = sha256

 SIGN_CA_DEFAULTS = 3650 $(HASH_DEFAULT) req_v3_ca
--- a/unittest_python/unittest/tsg_diagnose.py
+++ b/unittest_python/unittest/tsg_diagnose.py
@@ -164,13 +164,32 @@ class SslHttpRequestBuild:
        self.conn.setopt(self.conn.ENCODING, "gzip,deflate")
        self.conn.setopt(self.conn.RESOLVE,wpr_dns_resolve)

+    def _cert_verify(self, pxy_action_info_re,certs):
+        issuer = ()
+        for cert_info in certs[0]:
+            if cert_info[0].lower() == "issuer":
+                issuer = cert_info
+                break
+        if len(issuer) <= 0:
+            raise Exception("Error: Get certificate info error, certificate's length is %s" % len(issuer))
+        if re.search(r'\bCN[\s]*=[\s]*Tango\b',issuer[1],0):
+            if re.search(r'\bCN = Tango[\s\S]*UNTRUST\b',issuer[1],0):
+                raise Exception( pxy_info_re)
+            else:
+                raise Exception("Error: Ssl connection is intercept, cert maybe trust, cert info: %s" % issuer[1])
+        else:
+            raise Exception("Error: Got other error certificate information, cert info: %s" % issuer[1])
+
+
    def http_redirect(self,conTimeout):
        self.conn.setopt(self.conn.URL, URLRedirect)
        self.conn.setopt(self.conn.TIMEOUT, conTimeout)
        self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
        self.conn.perform()
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
        rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
        self.conn.close()
+        self._cert_verify(http_redirect_info_re,certs)
        if rescode == 301 or rescode == 302:
            raise Exception(http_redirect_info_re)
        else:
@@ -181,8 +200,10 @@ class SslHttpRequestBuild:
        self.conn.setopt(self.conn.URL, URLReplace)
        self.conn.setopt(self.conn.TIMEOUT,conTimeout)
        self.conn.perform()
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
        body = self.bodyBuf.getvalue().decode('utf-8')
        self.conn.close()
+        self._cert_verify(http_replace_info_re,certs)
        if not re.search(r'EnglishSearchShared', body, 0) and \
                re.search(r'03C174CD9D809789CCEC18D6F585DF3E', body, 0):
            raise Exception(http_replace_info_re)
@@ -195,7 +216,9 @@ class SslHttpRequestBuild:
        self.conn.setopt(self.conn.TIMEOUT,conTimeout)
        self.conn.perform()
        body = self.bodyBuf.getvalue().decode('utf-8')
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
        self.conn.close()
+        self._cert_verify(http_insert_info_re,certs)
        if re.search(r'httpSelfcheckInsert', body, 0) and \
                re.search(r'5BE3754D1EA8D51E8D993060FA225330', body, 0):
            raise Exception(http_insert_info_re)
@@ -207,9 +230,11 @@ class SslHttpRequestBuild:
        self.conn.setopt(self.conn.TIMEOUT,conTimeout)
        self.conn.setopt(self.conn.WRITEFUNCTION, self.bodyBuf.write)
        self.conn.perform()
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
        rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
        body = self.bodyBuf.getvalue().decode('utf-8')
        self.conn.close()
+        self._cert_verify(http_block_info_re,certs)
        if re.search(r'E33F01E50AFE043191931DD40190B09B', body, 0) and (rescode == 404 or rescode == 451):
            raise Exception(http_block_info_re)
        else:
@@ -220,7 +245,9 @@ class SslHttpRequestBuild:
        self.conn.setopt(self.conn.URL, URLHijack)
        self.conn.setopt(self.conn.WRITEFUNCTION, self.bodyBuf.write)
        self.conn.perform()
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
        self.conn.close()
+        self._cert_verify(http_hijack_info_re,certs)
        if os.path.exists("/root/http_hijack.out"):
            os.remove("/root/http_hijack.out")
        cmdtodo = 'curl %s -k -s --resolve cn.bing.com:443:192.0.2.131 -o /root/http_hijack.out' % URLHijack
@@ -301,7 +328,7 @@ class SSLFileDownloadBuild:
        if len(issuer) <= 0:
            raise Exception("Error: Get certificate info error, certificate's length is %s" % len(issuer))
        if not re.search(r'\bCN = Tango[\s\S]*UNTRUST\b',issuer[1],0):
-            raise Exception("Error: Intercept fail: no Tango cert")
+            raise Exception("Error: Intercept fail: no Tango cert,cert info:%s" % issuer[1])
        
        if int(conninfo["size_download"])  == size:
            self._write_in_nezha(sizeStr,conninfo)