Alexandre Dulaunoy
e4344dcfae
Sample query: curl http://127.0.0.1:8888/cfetch/37ffbb160d4c97c42f5126bebc9c18eeffe5ede3 { "pem": "-----BEGIN CERTIFICATE-----\nMIIEwTCCA6mgAwIBAgIJAIo7DnOg3SPpMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD\nVQQGEwItLTELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNVBAoT\nCU15Q29tcGFueTEOMAwGA1UECxMFTXlPcmcxHjAcBgNVBAMTFWxvY2FsaG9zdC5s\nb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3QubG9jYWxk\nb21haW4wHhcNMTMxMDA5MDkzODU3WhcNMjMxMDA3MDkzODU3WjCBmzELMAkGA1UE\nBhMCLS0xCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRIwEAYDVQQKEwlN\neUNvbXBhbnkxDjAMBgNVBAsTBU15T3JnMR4wHAYDVQQDExVsb2NhbGhvc3QubG9j\nYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0LmxvY2FsZG9t\nYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmE+M/HAURvtG9JPc\nKndfyZ0UhGDHUg8Y+UHxKbOomscUh55EGkxdhdFeSyOTdugZ4eADf3ssCrvv0kop\nljay3yOI9Q3nWEMO4Zk0B5fA8XLuY4+pRPakskyJeoKHkY9tiIUxAaPCrwj2aiNF\nqnt0Cd9w2h0eAz1oaJNoXlOxINRFkyB2sfMg8e1XKxQFBrjK5fANqLd++HrWOeV3\nRxCf8pWJMBK4rTz8p0dDMWhaN1n66kP6qbUxwqtTe1YZ4t/Gy87u2g7WcI8XH9or\nZpqzdt5H+mswfKK/CIcGPqj5xx4ad+VvhMM+bijw5DMCttZA0Okv6T12nRuzFe9n\noJmwZQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFJswttZ8BCZz+JhJCjRueL3i9Qs4\nMIHQBgNVHSMEgcgwgcWAFJswttZ8BCZz+JhJCjRueL3i9Qs4oYGhpIGeMIGbMQsw\nCQYDVQQGEwItLTELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNV\nBAoTCU15Q29tcGFueTEOMAwGA1UECxMFTXlPcmcxHjAcBgNVBAMTFWxvY2FsaG9z\ndC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3QubG9j\nYWxkb21haW6CCQCKOw5zoN0j6TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA\nA4IBAQBAECr0U7DZhuIZQW5aNlysJM1WIbAajnKyILthTXya18zcTsJQisn0zUc5\nl4obCj1xQ1krJOEupTE5miBRtvwhp4ymfBjLxLFT7R6rHO7/t5dZUPvXtkfK3QeY\nrtqb9vZSdKhfm+zzr7ra/N0XeWlgoja9+54Dtc3qZqzY1tUblDy3J2NBabOz7eF7\nf0jgHEbF+2CP20bhCltklGyA7U7m1qUS6bgKsGr/gfPL+ioDKPGNJTiPrfsD9YsN\nYyG05ZJ6RUpU1TNTOvcao29Yk2DLfriYgBIqi1oriFZYxX6TryUryhqVjGTi+Ksf\n4DX9WTUxVPEg8uYgUktztLGlRTK9\n-----END CERTIFICATE-----\n", "info": { "subject": "C=--, ST=WA, L=Seattle, O=MyCompany, OU=MyOrg, CN=localhost.localdomain/emailAddress=root@localhost.localdomain", "not_before": "2013-10-09T09:38:57+00:00", "issuer": "C=--, ST=WA, L=Seattle, O=MyCompany, OU=MyOrg, CN=localhost.localdomain/emailAddress=root@localhost.localdomain", "fingerprint": "16C25D401F35DD52FB4AEC85EB1F1A28CE16F961", "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmE+M/HAURvtG9JPcKndf\nyZ0UhGDHUg8Y+UHxKbOomscUh55EGkxdhdFeSyOTdugZ4eADf3ssCrvv0kopljay\n3yOI9Q3nWEMO4Zk0B5fA8XLuY4+pRPakskyJeoKHkY9tiIUxAaPCrwj2aiNFqnt0\nCd9w2h0eAz1oaJNoXlOxINRFkyB2sfMg8e1XKxQFBrjK5fANqLd++HrWOeV3RxCf\n8pWJMBK4rTz8p0dDMWhaN1n66kP6qbUxwqtTe1YZ4t/Gy87u2g7WcI8XH9orZpqz\ndt5H+mswfKK/CIcGPqj5xx4ad+VvhMM+bijw5DMCttZA0Okv6T12nRuzFe9noJmw\nZQIDAQAB\n-----END PUBLIC KEY-----\n", "keylength": 2048, "not_after": "2023-10-07T09:38:57+00:00", "extension": { "basicConstraints": "CA:TRUE", "authorityKeyIdentifier": "keyid:9B:30:B6:D6:7C:04:26:73:F8:98:49:0A:34:6E:78:BD:E2:F5:0B:38\nDirName:/C=--/ST=WA/L=Seattle/O=MyCompany/OU=MyOrg/CN=localhost.localdomain/emailAddress=root@localhost.localdomain\nserial:8A:3B:0E:73:A0:DD:23:E9\n", "subjectKeyIdentifier": "9B:30:B6:D6:7C:04:26:73:F8:98:49:0A:34:6E:78:BD:E2:F5:0B:38" } } } |
||
---|---|---|
bin | ||
client | ||
.gitignore | ||
COLLECTOR.md | ||
LICENSE | ||
README.md | ||
REQUIREMENTS |
crl-monitor
CRL Monitor - X.509 Certificate Revocation List monitoring
X.509 Subject Cache
There is a set of tool to maintain a cache of certificate fingerprints along with the IP addresses seen with a specific fingerprint and subject.
In order to feed the cache, dumps of SSL scans need to be imported.
If you use the great dumps from scans.io, you can do the following to import the certificate data:
zcat ./scans-io/data/20141208_certs.gz | python dumpx509subject.py -p 6381 -s
This command parses all the certificates and extract the subjects and imports these into the Redis-compatible database running on TCP port 6381.
Then you need to import the mapping between scanned IP addresses and the fingerprint of the X.509 certificate seen:
zcat ./scans-io/data/20141208_hosts.gz | python hoststoredis.py -p 6381 -s
The above procedure can be repeated with additional scans or you can import multiple scans in parallel using GNU Parallel.
IP Subnet Lookup in X.509 Subject Cache
ip-ssl-subject.py can query a network subnet and display the known certificate seen and display the X.509 subject if known.
python ./bin/x509/ip-ssl-subject.py -s 199.16.156.0/28 -p 6381
199.16.156.6
1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446, C=US/postalCode=94107, ST=California, L=San Francisco/street=795 Folsom St, Suite 600, O=Twitter, Inc., OU=Twitter Security, CN=twitter.com
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA
add53f6680fe66e383cbac3e60922e3b4c412bed
e3fc0ad84f2f5a83ed6f86f567f8b14b40dcbf12
199.16.156.7
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
C=US, ST=CA, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=tdweb.twitter.com
859b86acd1604078f7d0f4680fdff59965096745
1858b819fffad8c948fac853882c5e8bbc5e7953
199.16.156.8
d8015bf46dfb91c6e4b1b6ab9a72c168933dc2d9
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Secure Server CA - G2
C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=api.twitter.com
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
199.16.156.9
C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
serialNumber=X5-6oDhQgpWsUADnOU2IdZ38YWlIV8/8, C=US, ST=California, L=San Francisco, O=Twitter, Inc., CN=*.twitter.com
199.16.156.10
add53f6680fe66e383cbac3e60922e3b4c412bed
e3fc0ad84f2f5a83ed6f86f567f8b14b40dcbf12
199.16.156.11
C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=t.co
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
199.16.156.12
C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=support.twitter.com
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
Data store format
{IPv4} -> set of {SHA1 FP}
{SHA1 FP} -> set of {Subject}
{s:SHA1 FP} -> set of {IPv4}