Merge pull request #3 from alvarsedano/opnsense

Compatibility with OPNsense bckups (encrpted and non-encrypted).

README-es.md

@@ -1,4 +1,4 @@
-Script Powershell. Visor de certificados de pfSense
+Script Powershell. Visor de certificados de pfSense/OPNsense
 
 A veces pasa (no debería) en pfSense que se crean certificados con SerialNumber
 duplicado (en la misma CAroot).
@@ -10,4 +10,6 @@ También mostrará los certificados de CA, servidor y usuario.
 
 2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
 
-Último cambio 2019/09/11: Nueva funcionalidad: Se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscará en la carpeta de instalación de openVPN. Se puede definir la ruta a openssl.exe si fuera necesario.
+2019/09/11: Nueva funcionalidad: Se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscará en la carpeta de instalación de openVPN. Se puede definir la ruta a openssl.exe si fuera necesario.
+
+Último cambio 2019/09/13: También admite archivos de backup OPNsense (cifrados y no cifrados)

README.md

@@ -1,5 +1,5 @@
 ## pfSense-Certificate-Viewer
-Powershell script: pfSense Certificate Viewer
+Powershell script: pfSense/OPNsense Certificate Viewer
 
 Sometimes it happens in pfSense that certificates are created with
 duplicated SerialNumbers (in the same CAroot). If any of these certificates
@@ -11,7 +11,9 @@ CA roots, server certificates and user certificates will also be displayed.
 
 2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
 
-Last change 2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder.
+2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder.
+
+Last change 2019/09/13 New feature: Also supports OPNsense backups (both encrypted and unencrypted).
 
 Thanks to [pippin](https://forum.netgate.com/user/pippin) for show me the links to the pfSense docummented issue:
 

pfSenseCertViewer.ps1

@@ -1,6 +1,6 @@
 ####
 ### pfSense Certificate Viewer (without private key)
-### Version 1.0.4
+### Version 1.0.5
 ####
 # Redefine the $cfg string variable to point to a valid unecrypted pfSense Configuration XML file.
 # You can also use the command line FilePath parameter as path to the input XML cfg file
@@ -22,12 +22,22 @@
 
 
 Function Get-BeginEndWO {
-    Param([Parameter(Mandatory=$true, Position=0)]
-          [string]$path)
+    Param([Parameter(Mandatory=$true, Position=0)][string]$path)
 
+    #OPNsense saves on the xml encrypted file information about how to decrypt it.
+    #pfSense not.
+
+    #Check if "^Version: OPNsense" exists in the line 2
     [string[]]$text = Get-Content $path -Encoding UTF8
+    if ($text[1] -match '^Version: OPNsense') {
+        [int]$start = 5
+    }
+    else {
+        [int]$start = 1
+    }
+
     #Remove 1st and last lines
-    $text[1..($text.Count-2)]
+    $text[$start..($text.Count-2)]
 }
 
 Function Get-CN {
@@ -70,7 +80,6 @@ Function Add-Lista {
     }
 }
 
-
 Function Decrypt {
     Param([Parameter(Mandatory=$true,Position=0)][string]$fileIn
          ,[Parameter(Mandatory=$true,Position=1)][string]$fileOut
@@ -83,8 +92,9 @@ Function Decrypt {
         #Look for openvpn installation
         [string]$rutaREG = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN"
         if (-not (Test-Path($rutaREG))) {
-            Write-Host 'No openvpn installation found. openssl.exe is part of the openVPN installation. If you have another openssl.exe available path, you can redefine the $openSSL variable at line 81.' -BackgroundColor DarkRed
-            Exit (3)
+            Write-Host 'No openvpn installation found. openssl.exe is part of the openVPN installation. ' + `
+                       'If you have another openssl.exe available path, you can redefine the $openSSL variable at line 90.' -BackgroundColor DarkRed
+            Exit 3
         }
         
         $openSSL = ((Get-ItemProperty -Path $rutaREG).exe_path).Replace("openvpn.exe", "openssl.exe")
@@ -134,7 +144,7 @@ Function Get-ConfigFile {
             $xml.Value = Get-Content $f1Cou.FullName -Encoding UTF8
         }
         catch {
-            Write-Host "Bad password. Process stoped." -BackgroundColor DarkRed
+            Write-Host "Error decrypting xml file: Bad password. Process stoped." -BackgroundColor DarkRed
             Exit 5
         }
         finally {
@@ -165,22 +175,33 @@ else {
 [xml]$fxml = $null
 Get-ConfigFile -filePath $cfg -xml ([ref]$fxml)
 
+#Check for pfSense/OPNsense products
+if ($fxml.ChildNodes.Count -eq 2) {
+    [System.Xml.XmlElement]$product = $fxml.ChildNodes[1]
+    if ($product.Name -notin ('pfsense','opnsense')) {
+        Write-Host 'The xml file does not contains a pfSense or OPNsense backup. Process stoped.' -BackgroundColor DarkRed
+        Exit 6
+    }
+}
+
+Remove-Variable fxml
+
 #Get the CRL revocation list
 [DateTime]$time0 = '1970-01-01'
 [array]$listaR = @()
-foreach($r in $fxml.pfsense.crl) {
+foreach($r in $product.crl) {
     $listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$time0.AddSeconds($_.revoke_time)}}
 }
 
 #Add CA Certificates to $listaC (WITHOUT private keys)
 [array]$listaC = @()
-Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.ca) -fromCA $true
+Add-Lista -lista ([ref]$listaC) -obj ([ref]$product.ca) -fromCA $true
 
 #Add user/server certificates to $listaC (WITHOUT private keys)
-Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.cert) -fromCA $false
+Add-Lista -lista ([ref]$listaC) -obj ([ref]$product.cert) -fromCA $false
 #Note: User Certificates created with old pfSense versions could set the EnhancedKeyUsageList property to <empty>.
 
-Remove-Variable fxml
+#Remove-Variable product
 
 #List of CA Certificates
 Write-Output "`nCA Certificates"