derusted 0.2.0

Programmable HTTPS interception and traffic inspection engine for security-critical applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323

//! Certificate Authority - Dynamic certificate generation for MITM
//!
//! This module handles generating fake certificates for intercepted domains.
//! It supports DNS SANs, IP SANs, wildcards, and localhost bypass.

use crate::mitm::ca_key_manager::CaKeyManager;
use anyhow::Result;
use base64::Engine;
use lru::LruCache;
use rcgen::{Certificate, CertificateParams, DnType, KeyPair, SanType};
use std::net::IpAddr;
use std::num::NonZeroUsize;
use std::sync::Arc;
use std::time::{Duration, Instant};
use thiserror::Error;
use tokio::sync::Mutex;
use tracing::{debug, warn};

/// Host identifier for certificate generation
#[derive(Debug, Clone, Hash, Eq, PartialEq)]
pub enum HostIdentifier {
    /// Regular domain (e.g., example.com)
    Domain(String),

    /// Wildcard domain (e.g., *.example.com)
    Wildcard(String),

    /// IP address (e.g., 192.168.1.1)
    IpAddress(IpAddr),

    /// Localhost (127.0.0.1, ::1, localhost)
    Localhost,
}

impl HostIdentifier {
    /// Parse from hostname string
    pub fn from_hostname(hostname: &str) -> Self {
        // Check for localhost
        if hostname == "localhost"
            || hostname == "127.0.0.1"
            || hostname == "::1"
            || hostname.starts_with("127.")
        {
            return Self::Localhost;
        }

        // Check for IP address
        if let Ok(ip) = hostname.parse::<IpAddr>() {
            if ip.is_loopback() {
                return Self::Localhost;
            }
            return Self::IpAddress(ip);
        }

        // Check for wildcard
        if hostname.starts_with("*.") {
            return Self::Wildcard(hostname.to_string());
        }

        // Regular domain
        Self::Domain(hostname.to_string())
    }
}

/// Cached certificate with TTL
#[derive(Clone)]
struct CachedCertificate {
    /// The certificate
    cert: Arc<Certificate>,

    /// When this certificate was created/cached
    created_at: Instant,
}

impl CachedCertificate {
    fn new(cert: Arc<Certificate>) -> Self {
        Self {
            cert,
            created_at: Instant::now(),
        }
    }

    /// Check if certificate has expired (TTL exceeded)
    fn is_expired(&self, ttl: Duration) -> bool {
        self.created_at.elapsed() > ttl
    }
}

/// MITM-specific errors
#[derive(Debug, Error)]
pub enum MitmError {
    #[error("Localhost bypass - MITM not allowed for localhost")]
    LocalhostBypass,

    #[error("Certificate generation failed: {0}")]
    CertGenerationFailed(String),

    #[error("Invalid hostname: {0}")]
    InvalidHostname(String),

    #[error("Cache error: {0}")]
    CacheError(String),
}

/// Certificate Authority - generates and caches certificates
pub struct CertificateAuthority {
    /// CA key manager
    ca_manager: Arc<CaKeyManager>,

    /// LRU cache for generated certificates (domain -> cert)
    cache: Arc<Mutex<LruCache<HostIdentifier, CachedCertificate>>>,

    /// Maximum cache size
    max_cache_size: usize,

    /// Certificate TTL (Time-To-Live)
    cert_ttl: Duration,
}

impl CertificateAuthority {
    /// Create new Certificate Authority with default TTL (24 hours)
    pub fn new(ca_manager: Arc<CaKeyManager>, max_cache_size: usize) -> Self {
        Self::with_ttl(ca_manager, max_cache_size, Duration::from_secs(86400))
    }

    /// Create new Certificate Authority with custom TTL
    pub fn with_ttl(
        ca_manager: Arc<CaKeyManager>,
        max_cache_size: usize,
        cert_ttl: Duration,
    ) -> Self {
        let cache_size =
            NonZeroUsize::new(max_cache_size).unwrap_or(NonZeroUsize::new(1000).unwrap());

        Self {
            ca_manager,
            cache: Arc::new(Mutex::new(LruCache::new(cache_size))),
            max_cache_size,
            cert_ttl,
        }
    }

    /// Get or generate certificate for host
    pub async fn get_or_generate(
        &self,
        host: HostIdentifier,
    ) -> Result<Arc<Certificate>, MitmError> {
        // Localhost bypass - MUST NOT MITM localhost
        if matches!(host, HostIdentifier::Localhost) {
            warn!("Attempted MITM on localhost - bypassing");
            return Err(MitmError::LocalhostBypass);
        }

        // Check cache first and validate TTL
        {
            let mut cache = self.cache.lock().await;
            if let Some(cached) = cache.get(&host) {
                // Check if certificate has expired
                if cached.is_expired(self.cert_ttl) {
                    debug!(host = ?host, "Certificate cache hit but expired, regenerating");
                    // Remove expired certificate from cache
                    cache.pop(&host);
                } else {
                    debug!(host = ?host, "Certificate cache hit (valid)");
                    return Ok(Arc::clone(&cached.cert));
                }
            }
        }

        // Generate new certificate
        debug!(host = ?host, "Generating new certificate");
        let cert = self.generate_certificate(&host).await?;
        let cert_arc = Arc::new(cert);

        // Store in cache with timestamp
        {
            let mut cache = self.cache.lock().await;
            cache.put(host.clone(), CachedCertificate::new(Arc::clone(&cert_arc)));
        }

        Ok(cert_arc)
    }

    /// Generate certificate for host
    async fn generate_certificate(&self, host: &HostIdentifier) -> Result<Certificate, MitmError> {
        let mut params = CertificateParams::default();

        // Set common name and SAN based on host type
        match host {
            HostIdentifier::Domain(domain) => {
                params
                    .distinguished_name
                    .push(DnType::CommonName, domain.clone());
                params.subject_alt_names = vec![SanType::DnsName(domain.clone())];
            }
            HostIdentifier::Wildcard(wildcard) => {
                params
                    .distinguished_name
                    .push(DnType::CommonName, wildcard.clone());
                params.subject_alt_names = vec![SanType::DnsName(wildcard.clone())];
            }
            HostIdentifier::IpAddress(ip) => {
                params
                    .distinguished_name
                    .push(DnType::CommonName, ip.to_string());
                params.subject_alt_names = vec![SanType::IpAddress(*ip)];
            }
            HostIdentifier::Localhost => {
                return Err(MitmError::LocalhostBypass);
            }
        }

        // Set validity period (90 days) - using time crate for rcgen compatibility
        params.not_before = time::OffsetDateTime::now_utc() - time::Duration::days(1);
        params.not_after = time::OffsetDateTime::now_utc() + time::Duration::days(90);

        // Generate unique serial number (crypto RNG + timestamp)
        let serial_number = self.generate_serial_number();
        params.serial_number = Some(serial_number.into());

        // Generate key pair for the leaf certificate
        let key_pair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256)
            .map_err(|e| MitmError::CertGenerationFailed(e.to_string()))?;

        // Create the certificate from params and key
        let temp_cert = Certificate::from_params(params)
            .map_err(|e| MitmError::CertGenerationFailed(e.to_string()))?;

        // Sign with CA (rcgen 0.12 API)
        let ca_cert = self.ca_manager.certificate();

        // Serialize with CA's signature (ca_cert is Arc<Certificate>, so just dereference once)
        let cert_der = temp_cert
            .serialize_der_with_signer(&*ca_cert)
            .map_err(|e| MitmError::CertGenerationFailed(e.to_string()))?;

        // Convert DER to PEM and reconstruct with the key pair
        let cert_pem = format!(
            "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----",
            base64::engine::general_purpose::STANDARD.encode(&cert_der)
        );

        // Reconstruct Certificate from PEM and KeyPair
        let cert = Certificate::from_params(
            CertificateParams::from_ca_cert_pem(&cert_pem, key_pair)
                .map_err(|e| MitmError::CertGenerationFailed(e.to_string()))?,
        )
        .map_err(|e| MitmError::CertGenerationFailed(e.to_string()))?;

        Ok(cert)
    }

    /// Generate unique serial number using crypto RNG + timestamp
    fn generate_serial_number(&self) -> u64 {
        use rand::Rng;
        let mut rng = rand::thread_rng();
        let random_part: u32 = rng.gen();
        let timestamp_part = chrono::Utc::now().timestamp() as u32;

        // Combine for unique 64-bit serial
        ((timestamp_part as u64) << 32) | (random_part as u64)
    }

    /// Get cache statistics
    pub async fn cache_stats(&self) -> (usize, usize) {
        let cache = self.cache.lock().await;
        (cache.len(), self.max_cache_size)
    }

    /// Clear cache (for testing or rotation)
    pub async fn clear_cache(&self) {
        let mut cache = self.cache.lock().await;
        cache.clear();
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_host_identifier_parsing() {
        // Localhost variants
        assert!(matches!(
            HostIdentifier::from_hostname("localhost"),
            HostIdentifier::Localhost
        ));
        assert!(matches!(
            HostIdentifier::from_hostname("127.0.0.1"),
            HostIdentifier::Localhost
        ));
        assert!(matches!(
            HostIdentifier::from_hostname("::1"),
            HostIdentifier::Localhost
        ));

        // IP address
        assert!(matches!(
            HostIdentifier::from_hostname("192.168.1.1"),
            HostIdentifier::IpAddress(_)
        ));

        // Wildcard
        assert!(matches!(
            HostIdentifier::from_hostname("*.example.com"),
            HostIdentifier::Wildcard(_)
        ));

        // Regular domain
        assert!(matches!(
            HostIdentifier::from_hostname("example.com"),
            HostIdentifier::Domain(_)
        ));
    }

    // TODO: Add tests for:
    // - Certificate generation with DNS SAN
    // - Certificate generation with IP SAN
    // - Wildcard certificate generation
    // - Localhost bypass enforcement
    // - Serial number uniqueness
    // - Cache hit/miss behavior
}