Implemented a dynamic generation of SSL request certificates

[Jack12816]

- What is it good for?

This update ships a fully secure proxy handling of HTTPS requests with
the runtime generation of a certificate authority and the generation of
the request certificates based on the requested domains. A user can then
take care of the importing of the certificate authority. From the
perspective of puffing billy we do not have to handle outdated
certificates or static files anymore in the future with the help of this
feature. This is the same case for users of older puffing billy
versions as well.

The full feature mimics the mighty mitmproxy functionality which results
in secure proxying on modern browsers.

- What I did

I added three new classes, (Authority, Certificate and CertificateChain) with
unit tests for each of them. All static certificate files were removed
(mitm.{crt,key}, test-server.{crt,key}). The ProxyConnection class now makes
use of the new certificate generation. The spec test server uses now
dynamically generated certificates (same like ProxyConnection does it) and
proxy_spec/@https is configured to verify the SSL connection. (By adding our
custom certificate authority file to faraday) And last but not least I
documented the usage of the certificate authority with a Google Chrome Headless
example.

- A picture of a cute animal (not mandatory but encouraged)

[Jack12816]

It's now ready for a review. :)

@ronwsmith maybe?

[ronwsmith]

Pretty great contribution! Mostly minor comments to fix up. Will this break any existing test suites?

[ronwsmith]

Typo in Fortunately

[Jack12816]

Yep.

[ronwsmith]

Using Time.now above should pretty much guarantee this directory will never exist right?

[Jack12816]

We can do the Time.now trick, by then we have a mess while cleaning up. I think of a new configured directory like cache_dir and certs_dir. I also do not like the manipulation of the HOME environment variable. But it's just for child processes. It would be better to have a handling like written below.

[ronwsmith]

Can we create a rake task to do all this?

[Jack12816]

Would be good, yeah. This is not possible right now due to the fact that the rake task does not have access to a puffing billy module. And when it starts it, it would be meaningless, because the user test suite will get a new instance and the authority changes per run. So this would not work out.

But we could package this as a helper on the Billy module. Something which can be used like this:

RSpec.configure do |config|
  config.before :suite do
    Billy:.Browsers::Chrome.setup_user_directory
  end
end

We could also include this at the Watir and Capybara driver level. But I like to keep the
Billy:.Browsers::Chrome.setup_user_directory option open for users. (It's also for me, because I configure my drivers by myself, Chrome Headless, you know..)

[ronwsmith]

I think we should avoid the use of instance variables. Perhaps the new helper method can return a hash and be used directly as a param in this method call?

[Jack12816]

Good point.

[ronwsmith]

removed

[Jack12816]

Updated the comment.

[ronwsmith]

Maybe these three helper methods move to a proper helper so they aren't copy/pasted in both classes?

[Jack12816]

Sounds good to me.

[ronwsmith]

Can we just use 2.days.ago?

[Jack12816]

No ActiveSupport at the gemspec. ;) NoMethodError: undefined method +days+ for 2:Fixnum

[ronwsmith]

Can we just use 2.days.from_now?

[Jack12816]

No ActiveSupport at the gemspec. ;) NoMethodError: undefined method +days+ for 2:Fixnum

[ronwsmith]

concatenate

[Jack12816]

Yep.

[ronwsmith]

Let's just return a hash and use directly here: http_server.ssl_options = certificate_chain(domain)

[Jack12816]

Sure.

[Jack12816]

Will this break any existing test suites?

No, I don't think so for two reasons.

1. The original mitm.crt is expired since Oct 2 06:42:11 2013 GMT.
   So it was not valid from there on and if a browser on a suite was checking this
   it was hardly complaining all the time.
2. The original mitm.crt was never valid on the subject of the domain. In the past
   you could allow this certificate (at least until 2013) and all requests which were
   signed by it. But modern browsers like Chrome 59+ and Firefox 54+ will not allow
   any requests which are signed this certificate.

With this in mind, any user of puffing billy disabled the SSL check (like it was done on our
test suite) or was simply not using SSL with modern browsers. (Phantomjs doesn't count)
So no. No test suite will break from my point of view.

Evidence:

$  openssl x509 -text -noout -in mitm.crt

    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, ST = CA, L = Mountain View, O = Internet Widgits Pty Ltd, CN = Puffing Billy, emailAddress = [email protected]
        Validity
            Not Before: Oct  2 06:42:11 2012 GMT
            Not After : Oct  2 06:42:11 2013 GMT

[Jack12816]

@ronwsmith Ping :)

[ronwsmith]

@Jack12816 Looks great now. Awesome contribution, thanks!

[ronwsmith]

Released in v0.11.0