crl-monitor/bin/x509/pcap-sslcert.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Tool to parse output of ssldump (not compiled with OpenSSL) to dump raw certificate
#
# Software is free software released under the GNU General Public License version 3 and later
#
# Copyright (c) 2015 Alexandre Dulaunoy - a@foo.be

import fileinput
import re
import binascii
import OpenSSL
import argparse
import json
import base64

argParser = argparse.ArgumentParser(description='Extract certificate to PEM format from an ssldump output')
argParser.add_argument('-v', default=False, action='store_true', help='Verbose output')
argParser.add_argument('-f', default=False, action='store_true', help='CSV format - IP, certificate fingerprint, CN (scans.io host format)')
argParser.add_argument('-s', default=False, action='store_true', help='CSV format - certificate fingerprint, base64 DER encoded certificate (scans.io certs format)')
argParser.add_argument('-j', default=False, action='store_true', help='Dump JSON object per certificate')
argParser.add_argument('-r', default='-', help='Read from a file, default is stdin')
args = argParser.parse_args()

cert = None
certstring = ""
c = {}
certtag = re.compile('^\s+Certificate\s*$')
certtagend = re.compile('^\S+')
ipv4re = '\d+\.\d+\.\d+\.\d+'
flowre = 'New TCP connection #(\d+): ('+ipv4re+')\(\d+\) <-> ('+ipv4re+')\((\d+)\)'
flow = re.compile(flowre)
for l in fileinput.input(args.r):
    if certtag.match(l):
        cert = True
        continue
    elif certtagend.match(l):
        cert = None
    if flow.search(l):
        m = flow.match(l)
        if m is not None:
            c['session'] = m.group(1)
            c['srcip'] = m.group(2)
            c['dstip'] = m.group(3)
            c['dstport'] = m.group(4)

    if (cert is True):
        certstring += l.rstrip('\n')

    if ((cert is None) and (len(certstring) > 0)):
        y = re.sub(" ", "", certstring).split('=')
        a = y[1].split('certificate')[0]
        try:
            dercert = binascii.unhexlify(a)
        except TypeError:
            continue
        try:
            x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, dercert)
        except OpenSSL.crypto.Error:
            continue

        c['fp'] = x509.digest('sha1').replace(':','').lower()
        if args.v:
            print "("+c['session']+") "+c['srcip']+"<->"+c['dstip']+":"+c['dstport']
            Issuer = x509.get_issuer().CN
            if Issuer is not None:
                print "Issuer: "+ Issuer
            else:
                print "Issuer: None"
            CN = x509.get_subject().CN
            if CN is not None:
                print "CN: "+ CN
            else:
                print "Issuer: None"
        c['pem'] = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509)
        if args.j:
            print (json.dumps(c))
        elif args.f:
            subject = x509.get_subject().CN
            if subject is None:
                subject = ""
            print (c['dstip']+","+c['fp']+","+subject)
        elif args.s:
            print (c['fp']+","+base64.standard_b64encode(dercert))
        else:
            print (c['pem'])
        certstring = ""
        y = ""
Dump X509 certificates from ssldump pcap tool 2015-01-31 17:24:31 +00:00			`#!/usr/bin/env python`
			`# -- coding: utf-8 --`
			`#`
			`# Tool to parse output of ssldump (not compiled with OpenSSL) to dump raw certificate`
			`#`
			`# Software is free software released under the GNU General Public License version 3 and later`
			`#`
			`# Copyright (c) 2015 Alexandre Dulaunoy - a@foo.be`

			`import fileinput`
			`import re`
			`import binascii`
			`import OpenSSL`
Option to read from file added 2015-02-01 12:16:30 +00:00			`import argparse`
JSON output added (-j option) 2015-02-02 06:38:17 +00:00			`import json`
Output compatible with scans.io format (host and certs) 2015-02-02 07:10:44 +00:00			`import base64`
Option to read from file added 2015-02-01 12:16:30 +00:00
			`argParser = argparse.ArgumentParser(description='Extract certificate to PEM format from an ssldump output')`
Verbose option added (-v) to show issuer CN and subject CN 2015-02-01 13:03:16 +00:00			`argParser.add_argument('-v', default=False, action='store_true', help='Verbose output')`
Output compatible with scans.io format (host and certs) 2015-02-02 07:10:44 +00:00			`argParser.add_argument('-f', default=False, action='store_true', help='CSV format - IP, certificate fingerprint, CN (scans.io host format)')`
			`argParser.add_argument('-s', default=False, action='store_true', help='CSV format - certificate fingerprint, base64 DER encoded certificate (scans.io certs format)')`
JSON output added (-j option) 2015-02-02 06:38:17 +00:00			`argParser.add_argument('-j', default=False, action='store_true', help='Dump JSON object per certificate')`
Option to read from file added 2015-02-01 12:16:30 +00:00			`argParser.add_argument('-r', default='-', help='Read from a file, default is stdin')`
			`args = argParser.parse_args()`
Dump X509 certificates from ssldump pcap tool 2015-01-31 17:24:31 +00:00
			`cert = None`
			`certstring = ""`
JSON output added (-j option) 2015-02-02 06:38:17 +00:00			`c = {}`
Improve regexp performance 2015-02-01 12:04:27 +00:00			`certtag = re.compile('^\s+Certificate\s*$')`
			`certtagend = re.compile('^\S+')`
Include source and destination IP addresses 2015-02-01 13:32:25 +00:00			`ipv4re = '\d+\.\d+\.\d+\.\d+'`
			`flowre = 'New TCP connection #(\d+): ('+ipv4re+')\(\d+\) <-> ('+ipv4re+')\((\d+)\)'`
			`flow = re.compile(flowre)`
Option to read from file added 2015-02-01 12:16:30 +00:00			`for l in fileinput.input(args.r):`
Improve regexp performance 2015-02-01 12:04:27 +00:00			`if certtag.match(l):`
Dump X509 certificates from ssldump pcap tool 2015-01-31 17:24:31 +00:00			`cert = True`
			`continue`
Improve regexp performance 2015-02-01 12:04:27 +00:00			`elif certtagend.match(l):`
Dump X509 certificates from ssldump pcap tool 2015-01-31 17:24:31 +00:00			`cert = None`
Include source and destination IP addresses 2015-02-01 13:32:25 +00:00			`if flow.search(l):`
			`m = flow.match(l)`
Partial match group skipped 2015-02-01 13:41:15 +00:00			`if m is not None:`
JSON output added (-j option) 2015-02-02 06:38:17 +00:00			`c['session'] = m.group(1)`
			`c['srcip'] = m.group(2)`
			`c['dstip'] = m.group(3)`
			`c['dstport'] = m.group(4)`
Dump X509 certificates from ssldump pcap tool 2015-01-31 17:24:31 +00:00
			`if (cert is True):`
			`certstring += l.rstrip('\n')`

			`if ((cert is None) and (len(certstring) > 0)):`
			`y = re.sub(" ", "", certstring).split('=')`
Index bug fixed 2015-04-22 15:08:28 +00:00			`a = y[1].split('certificate')[0]`
Handle broken output format 2015-04-22 15:04:25 +00:00			`try:`
			`dercert = binascii.unhexlify(a)`
			`except TypeError:`
			`continue`
Handle OpenSSL errors 2015-04-24 06:08:27 +00:00			`try:`
			`x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, dercert)`
			`except OpenSSL.crypto.Error:`
			`continue`

JSON output added (-j option) 2015-02-02 06:38:17 +00:00			`c['fp'] = x509.digest('sha1').replace(':','').lower()`
Verbose option added (-v) to show issuer CN and subject CN 2015-02-01 13:03:16 +00:00			`if args.v:`
JSON output added (-j option) 2015-02-02 06:38:17 +00:00			`print "("+c['session']+") "+c['srcip']+"<->"+c['dstip']+":"+c['dstport']`
Handle broken output format 2015-04-22 15:04:25 +00:00			`Issuer = x509.get_issuer().CN`
			`if Issuer is not None:`
			`print "Issuer: "+ Issuer`
			`else:`
			`print "Issuer: None"`
			`CN = x509.get_subject().CN`
			`if CN is not None:`
			`print "CN: "+ CN`
			`else:`
			`print "Issuer: None"`
JSON output added (-j option) 2015-02-02 06:38:17 +00:00			`c['pem'] = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509)`
			`if args.j:`
			`print (json.dumps(c))`
			`elif args.f:`
Handle unset DN 2015-04-23 11:59:00 +00:00			`subject = x509.get_subject().CN`
			`if subject is None:`
			`subject = ""`
Typo fixed 2015-04-23 12:00:43 +00:00			`print (c['dstip']+","+c['fp']+","+subject)`
Output compatible with scans.io format (host and certs) 2015-02-02 07:10:44 +00:00			`elif args.s:`
			`print (c['fp']+","+base64.standard_b64encode(dercert))`
-f option added (SHA1 fingerprint only + destination IP address) 2015-02-02 06:17:44 +00:00			`else:`
JSON output added (-j option) 2015-02-02 06:38:17 +00:00			`print (c['pem'])`
Dump X509 certificates from ssldump pcap tool 2015-01-31 17:24:31 +00:00			`certstring = ""`
			`y = ""`