From eb0b8469a9d4c73b13e73e58deb087c1884fc949 Mon Sep 17 00:00:00 2001
From: Barna Csorogi
Date: Mon, 5 Feb 2018 01:37:10 +0100
Subject: [PATCH] use the correct signature algorithm for mitm certs

Use the signature algorithm of the provided CA rather than the one from the server cert.
---
 proxy/certfaker.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/proxy/certfaker.go b/proxy/certfaker.go
index be53ce0..2616103 100644
--- a/proxy/certfaker.go
+++ b/proxy/certfaker.go
@@ -27,9 +27,17 @@ func newCertFaker(caPath, keyPath string) (*certFaker, error) {
 }
 
 func (cf *certFaker) FakeCert(original *x509.Certificate) (*tls.Certificate, error) {
-	fakeCertData, err := x509.CreateCertificate(nil, original, cf.ca, cf.ca.PublicKey, cf.key)
+	template := cf.createTemplate(original)
+	fakeCertData, err := x509.CreateCertificate(nil, template, cf.ca, cf.ca.PublicKey, cf.key)
 	return &tls.Certificate{
 		Certificate: [][]byte{fakeCertData},
 		PrivateKey:  cf.key,
 	}, err
 }
+
+func (cf *certFaker) createTemplate(cert *x509.Certificate) *x509.Certificate {
+	template := &x509.Certificate{}
+	*template = *cert
+	template.SignatureAlgorithm = cf.ca.SignatureAlgorithm
+	return template
+}
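Review bot: `cf.ca.SignatureAlgorithm` in createTemplate is the algorithm the CA certificate was signed *with* by its own issuer, not the algorithm matching the key in `cf.key`, so the fix only holds when the CA is self-signed; an intermediate CA holding an ECDSA key under an RSA-signed root would still make `x509.CreateCertificate` fail or mis-sign. The robust choice is to not pin it at all and let the library pick one that fits the signing key: `template.SignatureAlgorithm = x509.UnknownSignatureAlgorithm // let CreateCertificate choose to match cf.key`, which also fixes the original symptom (server cert's algorithm leaking into the template). Since the template is a full copy of the server certificate, it is worth a comment that fields such as `SubjectKeyId` and `SerialNumber` are carried over from the original as well, so the proxy re-issues the original serial under its own CA and advertises a SubjectKeyId that does not belong to the key actually used; a fresh random serial is the safer default. The `nil` rand passed to `x509.CreateCertificate` on the new `+` line is presumably fine for RSA signing but I would expect it to break for ECDSA keys — confirm against the key types newCertFaker accepts, or pass `rand.Reader`.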