Merge pull request #3 from alvarsedano/opnsense

Compatibility with OPNsense backups (encrypted and non-encrypted).
This commit is contained in:
Alvaro Sedano 2019-09-13 02:52:56 +02:00 committed by GitHub
commit 5617a1a9b6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 41 additions and 16 deletions


@ -1,4 +1,4 @@
Script Powershell. Visor de certificados de pfSense Script Powershell. Visor de certificados de pfSense/OPNsense
A veces pasa (no debería) en pfSense que se crean certificados con SerialNumber A veces pasa (no debería) en pfSense que se crean certificados con SerialNumber
duplicado (en la misma CAroot). duplicado (en la misma CAroot).
@ -10,4 +10,6 @@ También mostrará los certificados de CA, servidor y usuario.
2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado. 2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
Último cambio 2019/09/11: Nueva funcionalidad: Se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscará en la carpeta de instalación de openVPN. Se puede definir la ruta a openssl.exe si fuera necesario. 2019/09/11: Nueva funcionalidad: Se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscará en la carpeta de instalación de openVPN. Se puede definir la ruta a openssl.exe si fuera necesario.
Último cambio 2019/09/13: También admite archivos de backup OPNsense (cifrados y no cifrados)


@ -1,5 +1,5 @@
## pfSense-Certificate-Viewer ## pfSense-Certificate-Viewer
Powershell script: pfSense Certificate Viewer Powershell script: pfSense/OPNsense Certificate Viewer
Sometimes it happens in pfSense that certificates are created with Sometimes it happens in pfSense that certificates are created with
duplicated SerialNumbers (in the same CAroot). If any of these certificates duplicated SerialNumbers (in the same CAroot). If any of these certificates
@ -11,7 +11,9 @@ CA roots, server certificates and user certificates will also be displayed.
2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears. 2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
Last change 2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder. 2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder.
Last change 2019/09/13 New feature: Also supports OPNsense backups (both encrypted and unencrypted).
Thanks to [pippin](https://forum.netgate.com/user/pippin) for show me the links to the pfSense docummented issue: Thanks to [pippin](https://forum.netgate.com/user/pippin) for show me the links to the pfSense docummented issue:


@ -1,6 +1,6 @@
#### ####
### pfSense Certificate Viewer (without private key) ### pfSense Certificate Viewer (without private key)
### Version 1.0.4 ### Version 1.0.5
#### ####
# Redefine the $cfg string variable to point to a valid unecrypted pfSense Configuration XML file. # Redefine the $cfg string variable to point to a valid unecrypted pfSense Configuration XML file.
# You can also use the command line FilePath parameter as path to the input XML cfg file # You can also use the command line FilePath parameter as path to the input XML cfg file
@ -22,12 +22,22 @@
Function Get-BeginEndWO { Function Get-BeginEndWO {
Param([Parameter(Mandatory=$true, Position=0)] Param([Parameter(Mandatory=$true, Position=0)][string]$path)
[string]$path)
#OPNsense saves on the xml encrypted file information about how to decrypt it.
#pfSense not.
#Check if "^Version: OPNsense" exists in the line 2
[string[]]$text = Get-Content $path -Encoding UTF8 [string[]]$text = Get-Content $path -Encoding UTF8
if ($text[1] -match '^Version: OPNsense') {
[int]$start = 5
}
else {
[int]$start = 1
}
#Remove 1st and last lines #Remove 1st and last lines
$text[1..($text.Count-2)] $text[$start..($text.Count-2)]
} }
Function Get-CN { Function Get-CN {
@ -70,7 +80,6 @@ Function Add-Lista {
} }
} }
Function Decrypt { Function Decrypt {
Param([Parameter(Mandatory=$true,Position=0)][string]$fileIn Param([Parameter(Mandatory=$true,Position=0)][string]$fileIn
,[Parameter(Mandatory=$true,Position=1)][string]$fileOut ,[Parameter(Mandatory=$true,Position=1)][string]$fileOut
@ -83,8 +92,9 @@ Function Decrypt {
#Look for openvpn installation #Look for openvpn installation
[string]$rutaREG = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN" [string]$rutaREG = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN"
if (-not (Test-Path($rutaREG))) { if (-not (Test-Path($rutaREG))) {
Write-Host 'No openvpn installation found. openssl.exe is part of the openVPN installation. If you have another openssl.exe available path, you can redefine the $openSSL variable at line 81.' -BackgroundColor DarkRed Write-Host 'No openvpn installation found. openssl.exe is part of the openVPN installation. ' + `
Exit (3) 'If you have another openssl.exe available path, you can redefine the $openSSL variable at line 90.' -BackgroundColor DarkRed
Exit 3
} }
$openSSL = ((Get-ItemProperty -Path $rutaREG).exe_path).Replace("openvpn.exe", "openssl.exe") $openSSL = ((Get-ItemProperty -Path $rutaREG).exe_path).Replace("openvpn.exe", "openssl.exe")
@ -134,7 +144,7 @@ Function Get-ConfigFile {
$xml.Value = Get-Content $f1Cou.FullName -Encoding UTF8 $xml.Value = Get-Content $f1Cou.FullName -Encoding UTF8
} }
catch { catch {
Write-Host "Bad password. Process stoped." -BackgroundColor DarkRed Write-Host "Error decrypting xml file: Bad password. Process stoped." -BackgroundColor DarkRed
Exit 5 Exit 5
} }
finally { finally {
@ -165,22 +175,33 @@ else {
[xml]$fxml = $null [xml]$fxml = $null
Get-ConfigFile -filePath $cfg -xml ([ref]$fxml) Get-ConfigFile -filePath $cfg -xml ([ref]$fxml)
#Check for pfSense/OPNsense products
if ($fxml.ChildNodes.Count -eq 2) {
[System.Xml.XmlElement]$product = $fxml.ChildNodes[1]
if ($product.Name -notin ('pfsense','opnsense')) {
Write-Host 'The xml file does not contains a pfSense or OPNsense backup. Process stoped.' -BackgroundColor DarkRed
Exit 6
}
}
Remove-Variable fxml
#Get the CRL revocation list #Get the CRL revocation list
[DateTime]$time0 = '1970-01-01' [DateTime]$time0 = '1970-01-01'
[array]$listaR = @() [array]$listaR = @()
foreach($r in $fxml.pfsense.crl) { foreach($r in $product.crl) {
$listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$time0.AddSeconds($_.revoke_time)}} $listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$time0.AddSeconds($_.revoke_time)}}
} }
#Add CA Certificates to $listaC (WITHOUT private keys) #Add CA Certificates to $listaC (WITHOUT private keys)
[array]$listaC = @() [array]$listaC = @()
Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.ca) -fromCA $true Add-Lista -lista ([ref]$listaC) -obj ([ref]$product.ca) -fromCA $true
#Add user/server certificates to $listaC (WITHOUT private keys) #Add user/server certificates to $listaC (WITHOUT private keys)
Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.cert) -fromCA $false Add-Lista -lista ([ref]$listaC) -obj ([ref]$product.cert) -fromCA $false
#Note: User Certificates created with old pfSense versions could set the EnhancedKeyUsageList property to <empty>. #Note: User Certificates created with old pfSense versions could set the EnhancedKeyUsageList property to <empty>.
Remove-Variable fxml #Remove-Variable product
#List of CA Certificates #List of CA Certificates
Write-Output "`nCA Certificates" Write-Output "`nCA Certificates"