feat: full MitM support with dynamic certificate generation

Author: quintesse

.gitignore

@@ -57,3 +57,5 @@ test-recordings/
 *.war
 *.ear
 *.class
+
+tproxy-ca.*

README.md

@@ -2,6 +2,7 @@
 
 import java.io.*;
 import java.math.BigInteger;
+import java.nio.file.Path;
 import java.security.*;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -25,14 +26,15 @@
  * Certificate Authority for generating SSL certificates on-the-fly for HTTPS interception.
  *
  * <p>This class manages a root CA certificate and generates host-specific certificates signed by
- * that CA. The root CA certificate is stored in the current directory and reused across restarts.
+ * that CA. The root CA certificate is stored in a configurable directory and reused across
+ * restarts.
  */
 public class CertificateAuthority {
     private static final Logger logger = LoggerFactory.getLogger(CertificateAuthority.class);
 
     private static final String CA_ALIAS = "tproxy-ca";
-    private static final String CA_KEYSTORE_FILE = "tproxy-ca.p12";
-    private static final String CA_CERT_FILE = "tproxy-ca.crt";
+    private static final String CA_KEYSTORE_FILENAME = "tproxy-ca.p12";
+    private static final String CA_CERT_FILENAME = "tproxy-ca.crt";
     private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
     private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
     private static final int KEY_SIZE = 2048;
@@ -50,17 +52,30 @@ public class CertificateAuthority {
     private final PrivateKey caPrivateKey;
 
     /**
-     * Create a new Certificate Authority. If a CA keystore exists in the current directory, it will
-     * be loaded. Otherwise, a new CA certificate will be generated.
+     * Create a new Certificate Authority using the current directory for storage. If a CA keystore
+     * exists, it will be loaded. Otherwise, a new CA certificate will be generated.
      *
      * @throws IOException if there is an error loading or creating the CA
      */
     public CertificateAuthority() throws IOException {
+        this(Path.of("."));
+    }
+
+    /**
+     * Create a new Certificate Authority using the specified directory for storage. If a CA
+     * keystore exists in the directory, it will be loaded. Otherwise, a new CA certificate will be
+     * generated.
+     *
+     * @param storageDir the directory in which to store the CA keystore and certificate files
+     * @throws IOException if there is an error loading or creating the CA
+     */
+    public CertificateAuthority(Path storageDir) throws IOException {
         try {
-            File keystoreFile = new File(CA_KEYSTORE_FILE);
+            File keystoreFile = storageDir.resolve(CA_KEYSTORE_FILENAME).toFile();
+            File certFile = storageDir.resolve(CA_CERT_FILENAME).toFile();
 
             if (keystoreFile.exists()) {
-                logger.info("Loading existing CA from {}", CA_KEYSTORE_FILE);
+                logger.info("Loading existing CA from {}", keystoreFile);
                 caKeyStore = loadKeyStore(keystoreFile);
             } else {
                 logger.info("Generating new CA certificate");
@@ -77,8 +92,8 @@ public CertificateAuthority() throws IOException {
             }
 
             // Export CA certificate if it was just generated
-            if (!keystoreFile.exists() || !new File(CA_CERT_FILE).exists()) {
-                exportCACertificate(caCertificate);
+            if (!certFile.exists()) {
+                exportCACertificate(caCertificate, certFile);
             }
 
             logger.info("CA initialized: {}", caCertificate.getSubjectX500Principal());
@@ -177,7 +192,7 @@ public KeyStore generateServerCertificate(String hostname) throws IOException {
      *
      * @return the CA certificate
      */
-    public X509Certificate getCACertificate() {
+    public X509Certificate caCertificate() {
         return caCertificate;
     }
 
@@ -260,8 +275,7 @@ private void saveKeyStore(KeyStore keyStore, File file) throws Exception {
     }
 
     /** Export CA certificate to PEM file for easy import into browsers. */
-    private void exportCACertificate(X509Certificate cert) throws Exception {
-        File certFile = new File(CA_CERT_FILE);
+    private void exportCACertificate(X509Certificate cert, File certFile) throws Exception {
         try (FileWriter fw = new FileWriter(certFile)) {
             fw.write("-----BEGIN CERTIFICATE-----\n");
             fw.write(

src/main/java/org/codejive/tproxy/CertificateAuthority.java

@@ -0,0 +1,120 @@
+package org.codejive.tproxy;
+
+import java.io.IOException;
+import java.net.Socket;
+import java.security.*;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.concurrent.ConcurrentHashMap;
+import javax.net.ssl.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * X509ExtendedKeyManager that generates server certificates on-the-fly based on the SNI hostname
+ * from the client's TLS ClientHello.
+ *
+ * <p>When a TLS handshake begins, this key manager extracts the requested hostname from the SNI
+ * extension, generates a certificate for that hostname using the provided CertificateAuthority, and
+ * returns it for the handshake. Generated certificates are cached for reuse.
+ */
+class CertificateGeneratingKeyManager extends X509ExtendedKeyManager {
+    private static final Logger logger =
+            LoggerFactory.getLogger(CertificateGeneratingKeyManager.class);
+    private static final char[] PASSWORD = "changeit".toCharArray();
+
+    private final CertificateAuthority certificateAuthority;
+    private final ConcurrentHashMap<String, KeyStore> certificateCache = new ConcurrentHashMap<>();
+
+    CertificateGeneratingKeyManager(CertificateAuthority certificateAuthority) {
+        this.certificateAuthority = certificateAuthority;
+    }
+
+    @Override
+    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
+        if (engine == null) return null;
+        try {
+            SSLSession session = engine.getHandshakeSession();
+            if (session instanceof ExtendedSSLSession extSession) {
+                List<SNIServerName> serverNames = extSession.getRequestedServerNames();
+                for (SNIServerName name : serverNames) {
+                    if (name instanceof SNIHostName hostName) {
+                        String hostname = hostName.getAsciiName();
+                        ensureCertificateExists(hostname);
+                        return hostname;
+                    }
+                }
+            }
+        } catch (Exception e) {
+            logger.error("Error choosing server alias from SNI", e);
+        }
+        return null;
+    }
+
+    @Override
+    public PrivateKey getPrivateKey(String alias) {
+        KeyStore ks = certificateCache.get(alias);
+        if (ks != null) {
+            try {
+                return (PrivateKey) ks.getKey(alias, PASSWORD);
+            } catch (GeneralSecurityException e) {
+                logger.error("Error getting private key for alias: {}", alias, e);
+            }
+        }
+        return null;
+    }
+
+    @Override
+    public X509Certificate[] getCertificateChain(String alias) {
+        KeyStore ks = certificateCache.get(alias);
+        if (ks != null) {
+            try {
+                java.security.cert.Certificate[] chain = ks.getCertificateChain(alias);
+                if (chain != null) {
+                    X509Certificate[] x509Chain = new X509Certificate[chain.length];
+                    for (int i = 0; i < chain.length; i++) {
+                        x509Chain[i] = (X509Certificate) chain[i];
+                    }
+                    return x509Chain;
+                }
+            } catch (KeyStoreException e) {
+                logger.error("Error getting certificate chain for alias: {}", alias, e);
+            }
+        }
+        return null;
+    }
+
+    private void ensureCertificateExists(String hostname) {
+        certificateCache.computeIfAbsent(
+                hostname,
+                h -> {
+                    try {
+                        logger.debug("Generating certificate for: {}", h);
+                        return certificateAuthority.generateServerCertificate(h);
+                    } catch (IOException e) {
+                        throw new RuntimeException("Failed to generate certificate for " + h, e);
+                    }
+                });
+    }
+
+    // Server-side only — client methods are unused
+    @Override
+    public String[] getClientAliases(String keyType, Principal[] issuers) {
+        return null;
+    }
+
+    @Override
+    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
+        return null;
+    }
+
+    @Override
+    public String[] getServerAliases(String keyType, Principal[] issuers) {
+        return null;
+    }
+
+    @Override
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        return null;
+    }
+}

src/main/java/org/codejive/tproxy/CertificateGeneratingKeyManager.java

@@ -70,26 +70,4 @@ public static Headers filterForForwarding(Headers headers) {
 
         return Headers.of(filtered);
     }
-
-    /**
-     * Check if a header should be filtered (removed) when forwarding.
-     *
-     * @param headerName the header name (case-insensitive)
-     * @return true if the header should be removed, false otherwise
-     */
-    public static boolean shouldFilter(String headerName) {
-        String nameLower = headerName.toLowerCase(Locale.ROOT);
-        return HOP_BY_HOP_HEADERS.contains(nameLower) || PROXY_SPECIFIC_HEADERS.contains(nameLower);
-    }
-
-    /**
-     * Add or update the Host header based on the target URI.
-     *
-     * @param headers the current headers
-     * @param host the target host (e.g., "example.com:443")
-     * @return headers with updated Host header
-     */
-    public static Headers withHost(Headers headers, String host) {
-        return headers.with("Host", host);
-    }
 }

src/main/java/org/codejive/tproxy/HeaderFilter.java

@@ -54,7 +54,7 @@ public static Headers of(String n1, String v1, String n2, String v2) {
      *
      * @return the values, or an empty list if the header is not present
      */
-    public List<String> getAll(String name) {
+    public List<String> all(String name) {
         List<String> values = map.get(name);
         return values != null ? values : List.of();
     }
@@ -64,7 +64,7 @@ public List<String> getAll(String name) {
      *
      * @return the first value, or {@code null} if the header is not present
      */
-    public String getFirst(String name) {
+    public String first(String name) {
         List<String> values = map.get(name);
         return (values != null && !values.isEmpty()) ? values.get(0) : null;
     }