Update pfSenseCertViewer.ps1

2025-08-18 18:42:23 +00:00 · 2019-09-11 02:38:41 +02:00 · 2019-09-11 02:38:41 +02:00 · 4ce05e5c24
commit 4ce05e5c24
parent 684737ebbb
1 changed files with 96 additions and 14 deletions
--- a/pfSenseCertViewer.ps1
+++ b/pfSenseCertViewer.ps1
@ -1,9 +1,9 @@
 ####
 ### pfSense Certificate Viewer (without private key)
-### Version 1.0.3
+### Version 1.0.4
 ####
-# Redefine the $cfg string variable to point to a valid non encrypted pfSense XML configuration backup file.
-# You can also pass the command line FilePath parameter as path to the input XML cfg file.
+# Redefine the $cfg string variable to point to a valid unecrypted pfSense Configuration XML file.
+# You can also use the command line FilePath parameter as path to the input XML cfg file

 # This script will return the CA certificates, Server certificates, User certificates (used or not) and duplicated Serial Number Certificates
 #
@ -14,13 +14,22 @@
 #[CmdletBinding()]
    Param (
        [Parameter(Mandatory=$false,
-                        Position=0,
-                        ValueFromPipeline=$true,
-                        ValueFromPipelineByPropertyName=$true)]
+                   Position=0,
+                   ValueFromPipeline=$true,
+                   ValueFromPipelineByPropertyName=$true)]
        [Alias("File")]
        [string]$FilePath)


+Function Get-BeginEndWO {
+    Param([Parameter(Mandatory=$true, Position=0)]
+          [string]$path)
+
+    [string[]]$text = Get-Content $path -Encoding UTF8
+    #Remove 1st and last lines
+    $text[1..($text.Count-2)]
+}
+
 Function Get-CN {
    Param([Parameter(Mandatory=$true)][string]$name)
    if($name -match "CN=([^,]*)") {
@ -61,10 +70,87 @@ Function Add-Lista {
    }
 }

+
+Function Decrypt {
+    Param([Parameter(Mandatory=$true,Position=0)][string]$fileIn
+         ,[Parameter(Mandatory=$true,Position=1)][string]$fileOut
+         ,[Parameter(Mandatory=$false,Position=2)][string]$pass)
+
+    # If $openSSL is not '', we will look for the openSSL.exe available with openVPN install.
+    # You can define a value for $openSSL if you have a valid openssl executable path.
+    [string]$openSSL = ''
+    if ($openSSL -eq '') {
+        #Look for openvpn installation
+        [string]$rutaREG = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN"
+        if (-not (Test-Path($rutaREG))) {
+            Write-Host 'No openvpn installation found. openssl.exe is part of the openVPN installation. If you have another openssl.exe available path, you can redefine the $openSSL variable at line 81.' -BackgroundColor DarkRed
+            Exit (3)
+        }
+        
+        $openSSL = ((Get-ItemProperty -Path $rutaREG).exe_path).Replace("openvpn.exe", "openssl.exe")
+    }
+
+    if ($pass -eq '') {
+        [System.Security.SecureString]$pwd = Read-Host "Password XML File:" -AsSecureString
+        $pass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd))
+    }
+
+    & "$($openSSL)" enc -d -aes-256-cbc -in "$($fileIn)" -out "$($fileOut)" -salt -md md5 -k ''$($pass)''
+}
+
+Function Get-ConfigFile {
+    Param([Parameter(Mandatory=$true,Position=0)][string]$filePath `
+         ,[Parameter(Mandatory=$true,Position=1)][ref]$xml)
+
+    if (-not (Test-Path -Path $filePath)) {
+        Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
+        Exit 1
+    }
+
+    [bool]$encrypted = $false
+    try {
+        $xml.Value = Get-Content $filePath -Encoding UTF8
+    }
+    catch {
+        $encrypted = $true
+    }
+
+    if ($encrypted -eq $true) {
+        #Encrypted xml file
+        [string[]]$cifrado = Get-BeginEndWO -path $filePath
+        $f1Cin  = New-TemporaryFile
+        $f1Cou  = New-TemporaryFile
+        try {
+            [IO.File]::WriteAllBytes($f1Cin.FullName, [System.Convert]::FromBase64String($cifrado))
+            Decrypt -fileIn $f1Cin.FullName -fileOut $f1Cou.FullName
+
+            # Check if file exists
+            if (-not (Test-Path $f1Cou.FullName) -or (Get-Item $f1Cou.FullName).Length -eq 0) {
+                Write-Host "Unable to decrypt file. Process stoped." -BackgroundColor DarkRed
+                Exit 4
+            }
+            
+            # File exists
+            $xml.Value = Get-Content $f1Cou.FullName -Encoding UTF8
+        }
+        catch {
+            Write-Host "Bad password. Process stoped." -BackgroundColor DarkRed
+            Exit 5
+        }
+        finally {
+            Remove-Item $f1Cin.FullName -Force
+            Remove-Item $f1Cou.FullName -Force
+        }
+    }
+}
+
+
 #
 # BODY
 #

+#$ErrorActionPreference = 'SilentlyContinue'
+
 # Check if param 0 is assigned
 if ($FilePath -eq $null -or $FilePath -eq '') {
    [string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.private.xml"
@ -75,13 +161,9 @@ else {
 }


-if (-not (Test-Path -Path $cfg)) {
-    Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
-    Exit 1
-}
-
-#Read XML pfSense config file (UTF8 enconding)
-[xml]$fxml = Get-Content $cfg -Encoding UTF8
+#Read XML pfSense config file (UTF8 Encoding)
+[xml]$fxml = $null
+Get-ConfigFile -filePath $cfg -xml ([ref]$fxml)

 #Get the CRL revocation list
 [DateTime]$time0 = '1970-01-01'
@ -98,7 +180,7 @@ Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.ca) -fromCA $true
 Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.cert) -fromCA $false
 #Note: User Certificates created with old pfSense versions could set the EnhancedKeyUsageList property to <empty>.

-Remove-Variable fxml, r
+Remove-Variable fxml

 #List of CA Certificates
 Write-Output "`nCA Certificates"