crl-monitor/bin/x509/pcap-sslcert.py

72 lines
2.7 KiB
Python
Raw Normal View History

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Tool to parse output of ssldump (not compiled with OpenSSL) to dump raw certificate
#
# Software is free software released under the GNU General Public License version 3 and later
#
# Copyright (c) 2015 Alexandre Dulaunoy - a@foo.be
import fileinput
import re
import binascii
import OpenSSL
2015-02-01 12:16:30 +00:00
import argparse
2015-02-02 06:38:17 +00:00
import json
import base64
2015-02-01 12:16:30 +00:00
argParser = argparse.ArgumentParser(description='Extract certificate to PEM format from an ssldump output')
argParser.add_argument('-v', default=False, action='store_true', help='Verbose output')
argParser.add_argument('-f', default=False, action='store_true', help='CSV format - IP, certificate fingerprint, CN (scans.io host format)')
argParser.add_argument('-s', default=False, action='store_true', help='CSV format - certificate fingerprint, base64 DER encoded certificate (scans.io certs format)')
2015-02-02 06:38:17 +00:00
argParser.add_argument('-j', default=False, action='store_true', help='Dump JSON object per certificate')
2015-02-01 12:16:30 +00:00
argParser.add_argument('-r', default='-', help='Read from a file, default is stdin')
args = argParser.parse_args()
cert = None
certstring = ""
2015-02-02 06:38:17 +00:00
c = {}
2015-02-01 12:04:27 +00:00
certtag = re.compile('^\s+Certificate\s*$')
certtagend = re.compile('^\S+')
ipv4re = '\d+\.\d+\.\d+\.\d+'
flowre = 'New TCP connection #(\d+): ('+ipv4re+')\(\d+\) <-> ('+ipv4re+')\((\d+)\)'
flow = re.compile(flowre)
2015-02-01 12:16:30 +00:00
for l in fileinput.input(args.r):
2015-02-01 12:04:27 +00:00
if certtag.match(l):
cert = True
continue
2015-02-01 12:04:27 +00:00
elif certtagend.match(l):
cert = None
if flow.search(l):
m = flow.match(l)
2015-02-01 13:41:15 +00:00
if m is not None:
2015-02-02 06:38:17 +00:00
c['session'] = m.group(1)
c['srcip'] = m.group(2)
c['dstip'] = m.group(3)
c['dstport'] = m.group(4)
if (cert is True):
certstring += l.rstrip('\n')
if ((cert is None) and (len(certstring) > 0)):
y = re.sub(" ", "", certstring).split('=')
a = y[1].split('certificate')[0]
dercert = binascii.unhexlify(a)
x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, dercert)
2015-02-02 06:38:17 +00:00
c['fp'] = x509.digest('sha1').replace(':','').lower()
if args.v:
2015-02-02 06:38:17 +00:00
print "("+c['session']+") "+c['srcip']+"<->"+c['dstip']+":"+c['dstport']
print "Issuer: "+x509.get_issuer().CN
print "CN: " + x509.get_subject().CN
2015-02-02 06:38:17 +00:00
c['pem'] = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509)
if args.j:
print (json.dumps(c))
elif args.f:
2015-02-02 06:59:35 +00:00
print (c['dstip']+","+c['fp']+","+x509.get_subject().CN)
elif args.s:
print (c['fp']+","+base64.standard_b64encode(dercert))
else:
2015-02-02 06:38:17 +00:00
print (c['pem'])
certstring = ""
y = ""