From 65f283253eaf9a1f46e9665567a2fd2d901379d8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 31 Jan 2015 18:24:31 +0100
Subject: [PATCH] Dump X509 certificates from ssldump pcap tool
---
bin/x509/pcap-sslcert.py | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 bin/x509/pcap-sslcert.py
diff --git a/bin/x509/pcap-sslcert.py b/bin/x509/pcap-sslcert.py
new file mode 100644
index 0000000..e8188d3
--- /dev/null
+++ b/bin/x509/pcap-sslcert.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Tool to parse output of ssldump (not compiled with OpenSSL) to dump raw certificate
+#
+# Software is free software released under the GNU General Public License version 3 and later
+#
+# Copyright (c) 2015 Alexandre Dulaunoy - a@foo.be
+
+import fileinput
+import re
+import binascii
+import OpenSSL
+
+cert = None
+certstring = ""
+
+for l in fileinput.input():
+ if re.match('^\s+Certificate\s*$', l):
+ cert = True
+ continue
+ elif re.match('^\S+', l):
+ cert = None
+
+ if (cert is True):
+ certstring += l.rstrip('\n')
+
+ if ((cert is None) and (len(certstring) > 0)):
+ y = re.sub(" ", "", certstring).split('=')
+ a = y[1].split('certificate')[0]
+ dercert = binascii.unhexlify(a)
+ x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, dercert)
+ fp = x509.digest('sha1').replace(':','').lower()
+ print OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509)
+ certstring = ""
+ y = ""
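Review bot: A certificate block that is still being collected when the input ends is never emitted, because the flush branch `if ((cert is None) and (len(certstring) > 0))` only runs once a later non-indented line resets `cert`. The same branch lets a single malformed block abort the run and drop every certificate after it (no `=` makes `y[1]` raise IndexError, non-hex text fails in `unhexlify`, bad DER fails in `load_certificate`), which matters for input derived from captured traffic. I would move the decoding into a helper that reports a bad block on stderr and skips it (this needs `import sys`), and call it once more after the loop. `fp` is computed but never used, so either print the fingerprint or drop the line.

```python
def dump_block(hexblock):
    # Input comes from captured traffic: a truncated or malformed block must
    # not abort the run and hide the certificates that follow it.
    try:
        raw = re.sub(" ", "", hexblock).split('=')[1].split('certificate')[0]
        x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                               binascii.unhexlify(raw))
    except (IndexError, TypeError, binascii.Error, OpenSSL.crypto.Error) as e:
        sys.stderr.write("skipping malformed certificate block: %s\n" % e)
        return
    print OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509)

# … unchanged: line loop collecting certstring; its flush branch calls dump_block(certstring) …

# Flush a certificate that is still pending when the input ends.
if certstring:
    dump_block(certstring)
```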