From e82d122a538b5b336b0d5f1a72f459ffede5c435 Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Sun, 21 Jul 2019 12:32:09 +0200
Subject: [PATCH 1/6] Add files via upload

---
 pfSenseCerts.ps1 | 88 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 pfSenseCerts.ps1

diff --git a/pfSenseCerts.ps1 b/pfSenseCerts.ps1
new file mode 100644
index 0000000..4e3b7b3
--- /dev/null
+++ b/pfSenseCerts.ps1
@@ -0,0 +1,88 @@
+####
+### Extracting pfSense Certificates (without private key)
+####
+# Redefine the $cfg string variable to point to a valid unecripted pfSense Configuration XML file
+# The script will return the CA certificates, Server certificates, User certificated (used or not used) and duplicate Serial Number Certificates
+#
+# Tested on PowerShell 5 and avobe
+# Created by Alvaro Sedano Galindo. al_sedano@hotmail.com
+#
+
+Function Get-CN {
+ Param([Parameter(Mandatory=$true)][string]$name)
+ if($name -match "CN=([^,]*)") {
+ $Matches[1] }
+ else {$name}
+}
+
+Function Add-Lista {
+ Param([Parameter(Mandatory=$true)][ref]$lista `
+ ,[Parameter(Mandatory=$true)][ref]$obj `
+ ,[Parameter(Mandatory=$true)][bool]$fromCA)
+
+ [string]$oidCLI = '1.3.6.1.5.5.7.3.2'
+ [string]$oidSRV = '1.3.6.1.5.5.7.3.1'
+ [array]$revs = $listaR | Select -ExpandProperty refid -Unique
+ [System.Security.Cryptography.X509Certificates.X509Certificate2]$ccc = $null
+ foreach($c in $obj.Value) {
+ $ccc = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($c.crt))
+ $ccc.FriendlyName = $c.descr.'#cdata-section'
+ $lista.Value += $ccc | Select *, @{N='IsCA';E={$fromCA}} `
+ , @{N='IsServer';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidSRV}} `
+ , @{N='IsClient';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidCLI}} `
+ , @{N='sIssuer';E={Get-CN($_.Issuer)}}, @{N='sSubject';E={Get-CN($_.Subject)}} `
+ , @{N='refid'; E={$c.refid}} `
+ , @{N='isRevoked'; E={-not $fromCA -and $c.refid -in $revs}}
+ #, @{N='refid'; E={$c.refid}}, @{N='isRevoked'; E={(-not $fromCA) -and ($_.refid -in $listaR.refid)}}
+ }
+}
+
+
+#$CRL = New-Object -ComObject "X509Enrollment.CX509CertificateRevocationList"
+#$CRLContents = [System.Convert]::ToBase64String((Get-Content "C:\Users\ASG\Downloads\revocados.crl" -Encoding Byte))
+#[System.Security.Cryptography.X509Certificates.X509CRL2]$ccc = $null
+
+#https://msdnshared.blob.core.windows.net/media/2016/04/CRLFreshCheck.psm1_.txt
+
+#
+# BODY
+#
+
+#Read XML pfSense config file
+[string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.casi.es.private.xml"
+#[string]$cfg = "C:\Users\ASG\Downloads\config-e.tecnube.es-20190630223501.xml"
+[xml]$aaa = Get-Content $cfg -Encoding Default
+
+#Get the CRL revocation list
+[DateTime]$o = '1970-01-01'
+#[array]$listaR = $aaa.pfsense.crl.cert | Select caref, refid, reason, @{N='revDate';E={$o.AddSeconds($_.revoke_time)}}
+[array]$listaR = @()
+foreach($r in $aaa.pfsense.crl) {
+ $listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$o.AddSeconds($_.revoke_time)}}
+}
+
+#Add CA Certificates to $listaC (WITHOUT private keys)
+[array]$listaC = @()
+Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.ca) -fromCA $true
+
+#Add user/server certificates to $listaC (WITHOUT private keys)
+Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.cert) -fromCA $false
+#Note: User Certificates created with old pfSense versions can set the EnhancedKeyUsageList property to
+
+Remove-Variable aaa, r
+
+#List of CA Certificates
+Write-Output "`nCA Certificates"
+$listaC | Where-Object {$_.isCA} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft
+
+#List of Server Certificates
+Write-Output "`nServer Certificates"
+$listaC | Where-Object {$_.isServer} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft
+
+#List of User Certificates (not CA and not Server)
+Write-Output "`nUser Certificates"
+$listaC | Where-Object {-not ($_.isCA -or $_.isServer)} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft
+
+#List of Dupicated SerialNumbers (per CA)
+Write-Output "`nDuplicated Serial Numbers (per CA)"
+$listaC | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Group-Object -Property sIssuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | ft

From e265e5ab0965218161d64d5c87e0e65ca93608f8 Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Sun, 21 Jul 2019 12:33:56 +0200
Subject: [PATCH 2/6] Update pfSenseCertViewer.ps1

---
 pfSenseCertViewer.ps1 | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/pfSenseCertViewer.ps1 b/pfSenseCertViewer.ps1
index e50ff59..8ffd2ec 100644
--- a/pfSenseCertViewer.ps1
+++ b/pfSenseCertViewer.ps1
@@ -1,11 +1,12 @@
 ####
 ### Extracting pfSense Certificates (without private key)
 ####
-# Redefine the $cfg string variable to point to a valid unencrypted pfSense Configuration XML file
-# The script will return the CA, Server, User and Duplicated Serial Number Certificates
+# Redefine the $cfg string variable to point to a valid unecripted pfSense Configuration XML file
+# The script will return the CA certificates, Server certificates, User certificated (used or not used) and duplicate Serial Number Certificates
 #
 # Tested on PowerShell 5 and avobe
 # Created by Alvaro Sedano Galindo. al_sedano@hotmail.com
+#
 
 Function Get-CN {
  Param([Parameter(Mandatory=$true)][string]$name)
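Review bot: `isRevoked` is decided from a variable `Add-Lista` never receives: `[array]$revs = $listaR | Select -ExpandProperty refid -Unique` reads `$listaR` from the caller's scope, so a call made before the CRL loop has populated it (or from another scope) gets an empty `$revs` and every certificate is silently reported as not revoked. Pass the list explicitly — add `,[Parameter(Mandatory=$true)][array]$revoked` to `Param`, use `[array]$revs = $revoked | Select -ExpandProperty refid -Unique`, and invoke with `-revoked $listaR`; a `Set-StrictMode -Version Latest` at the top of the script would additionally turn the missing-variable case into an error rather than a fail-open result. The same lines are added to pfSenseCertViewer.ps1 in PATCH 2 (`@@ -21,25 +22,45 @@`), and PATCH 5's `foreach($d in $listaR)` reaches the variable the same way.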
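Review bot: The rewritten header comment regresses the spelling of the lines it replaces: `unencrypted` becomes `unecripted` and `User certificated` should read `User certificates`; `avobe` on the context line below is `above`. Suggested: `# Redefine the $cfg string variable to point to a valid unencrypted pfSense Configuration XML file` and `# The script will return the CA certificates, Server certificates, User certificates (used or not used) and duplicate Serial Number certificates`.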
@@ -21,25 +22,45 @@ Function Add-Lista {
 
  [string]$oidCLI = '1.3.6.1.5.5.7.3.2'
  [string]$oidSRV = '1.3.6.1.5.5.7.3.1'
+ [array]$revs = $listaR | Select -ExpandProperty refid -Unique
  [System.Security.Cryptography.X509Certificates.X509Certificate2]$ccc = $null
  foreach($c in $obj.Value) {
  $ccc = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($c.crt))
- $ccc.FriendlyName = "[$($c.refid)] $($c.descr.'#cdata-section')"
+ $ccc.FriendlyName = $c.descr.'#cdata-section'
  $lista.Value += $ccc | Select *, @{N='IsCA';E={$fromCA}} `
  , @{N='IsServer';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidSRV}} `
  , @{N='IsClient';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidCLI}} `
- , @{N='sIssuer';E={Get-CN($_.Issuer)}}, @{N='sSubject';E={Get-CN($_.Subject)}}
+ , @{N='sIssuer';E={Get-CN($_.Issuer)}}, @{N='sSubject';E={Get-CN($_.Subject)}} `
+ , @{N='refid'; E={$c.refid}} `
+ , @{N='isRevoked'; E={-not $fromCA -and $c.refid -in $revs}}
+ #, @{N='refid'; E={$c.refid}}, @{N='isRevoked'; E={(-not $fromCA) -and ($_.refid -in $listaR.refid)}}
  }
 }
 
+
+#$CRL = New-Object -ComObject "X509Enrollment.CX509CertificateRevocationList"
+#$CRLContents = [System.Convert]::ToBase64String((Get-Content "C:\Users\ASG\Downloads\revocados.crl" -Encoding Byte))
+#[System.Security.Cryptography.X509Certificates.X509CRL2]$ccc = $null
+
+#https://msdnshared.blob.core.windows.net/media/2016/04/CRLFreshCheck.psm1_.txt
+
 #
 # BODY
 #
 
 #Read XML pfSense config file
-[string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.private.xml"
+[string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.casi.es.private.xml"
+#[string]$cfg = "C:\Users\ASG\Downloads\config-e.tecnube.es-20190630223501.xml"
 [xml]$aaa = Get-Content $cfg -Encoding Default
 
+#Get the CRL revocation list
+[DateTime]$o = '1970-01-01'
+#[array]$listaR = $aaa.pfsense.crl.cert | Select caref, refid, reason, @{N='revDate';E={$o.AddSeconds($_.revoke_time)}}
+[array]$listaR = @()
+foreach($r in $aaa.pfsense.crl) {
+ $listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$o.AddSeconds($_.revoke_time)}}
+}
+
 #Add CA Certificates to $listaC (WITHOUT private keys)
 [array]$listaC = @()
 Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.ca) -fromCA $true
@@ -48,7 +69,7 @@ Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.ca) -fromCA $true
 Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.cert) -fromCA $false
 #Note: User Certificates created with old pfSense versions can set the EnhancedKeyUsageList property to
 
-Remove-Variable aaa
+Remove-Variable aaa, r
 
 #List of CA Certificates
 Write-Output "`nCA Certificates"
@@ -64,4 +85,4 @@ $listaC | Where-Object {-not ($_.isCA -or $_.isServer)} | Select sIssuer, Serial
 
 #List of Dupicated SerialNumbers (per CA)
 Write-Output "`nDuplicated Serial Numbers (per CA)"
-$listaC | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Group-Object -Property sIssuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | ft
\ No newline at end of file
+$listaC | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Group-Object -Property sIssuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | ft

From 451156969a56348a6a95a5b6976ebc2a3ffa03a0 Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Sun, 21 Jul 2019 12:34:30 +0200
Subject: [PATCH 3/6] Delete pfSenseCerts.ps1

---
 pfSenseCerts.ps1 | 88 ------------------------------------------------
 1 file changed, 88 deletions(-)
 delete mode 100644 pfSenseCerts.ps1

diff --git a/pfSenseCerts.ps1 b/pfSenseCerts.ps1
deleted file mode 100644
index 4e3b7b3..0000000
--- a/pfSenseCerts.ps1
+++ /dev/null
@@ -1,88 +0,0 @@
-####
-### Extracting pfSense Certificates (without private key)
-####
-# Redefine the $cfg string variable to point to a valid unecripted pfSense Configuration XML file
-# The script will return the CA certificates, Server certificates, User certificated (used or not used) and duplicate Serial Number Certificates
-#
-# Tested on PowerShell 5 and avobe
-# Created by Alvaro Sedano Galindo. al_sedano@hotmail.com
-#
-
-Function Get-CN {
- Param([Parameter(Mandatory=$true)][string]$name)
- if($name -match "CN=([^,]*)") {
- $Matches[1] }
- else {$name}
-}
-
-Function Add-Lista {
- Param([Parameter(Mandatory=$true)][ref]$lista `
- ,[Parameter(Mandatory=$true)][ref]$obj `
- ,[Parameter(Mandatory=$true)][bool]$fromCA)
-
- [string]$oidCLI = '1.3.6.1.5.5.7.3.2'
- [string]$oidSRV = '1.3.6.1.5.5.7.3.1'
- [array]$revs = $listaR | Select -ExpandProperty refid -Unique
- [System.Security.Cryptography.X509Certificates.X509Certificate2]$ccc = $null
- foreach($c in $obj.Value) {
- $ccc = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($c.crt))
- $ccc.FriendlyName = $c.descr.'#cdata-section'
- $lista.Value += $ccc | Select *, @{N='IsCA';E={$fromCA}} `
- , @{N='IsServer';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidSRV}} `
- , @{N='IsClient';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidCLI}} `
- , @{N='sIssuer';E={Get-CN($_.Issuer)}}, @{N='sSubject';E={Get-CN($_.Subject)}} `
- , @{N='refid'; E={$c.refid}} `
- , @{N='isRevoked'; E={-not $fromCA -and $c.refid -in $revs}}
- #, @{N='refid'; E={$c.refid}}, @{N='isRevoked'; E={(-not $fromCA) -and ($_.refid -in $listaR.refid)}}
- }
-}
-
-
-#$CRL = New-Object -ComObject "X509Enrollment.CX509CertificateRevocationList"
-#$CRLContents = [System.Convert]::ToBase64String((Get-Content "C:\Users\ASG\Downloads\revocados.crl" -Encoding Byte))
-#[System.Security.Cryptography.X509Certificates.X509CRL2]$ccc = $null
-
-#https://msdnshared.blob.core.windows.net/media/2016/04/CRLFreshCheck.psm1_.txt
-
-#
-# BODY
-#
-
-#Read XML pfSense config file
-[string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.casi.es.private.xml"
-#[string]$cfg = "C:\Users\ASG\Downloads\config-e.tecnube.es-20190630223501.xml"
-[xml]$aaa = Get-Content $cfg -Encoding Default
-
-#Get the CRL revocation list
-[DateTime]$o = '1970-01-01'
-#[array]$listaR = $aaa.pfsense.crl.cert | Select caref, refid, reason, @{N='revDate';E={$o.AddSeconds($_.revoke_time)}}
-[array]$listaR = @()
-foreach($r in $aaa.pfsense.crl) {
- $listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$o.AddSeconds($_.revoke_time)}}
-}
-
-#Add CA Certificates to $listaC (WITHOUT private keys)
-[array]$listaC = @()
-Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.ca) -fromCA $true
-
-#Add user/server certificates to $listaC (WITHOUT private keys)
-Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.cert) -fromCA $false
-#Note: User Certificates created with old pfSense versions can set the EnhancedKeyUsageList property to
-
-Remove-Variable aaa, r
-
-#List of CA Certificates
-Write-Output "`nCA Certificates"
-$listaC | Where-Object {$_.isCA} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft
-
-#List of Server Certificates
-Write-Output "`nServer Certificates"
-$listaC | Where-Object {$_.isServer} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft
-
-#List of User Certificates (not CA and not Server)
-Write-Output "`nUser Certificates"
-$listaC | Where-Object {-not ($_.isCA -or $_.isServer)} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft
-
-#List of Dupicated SerialNumbers (per CA)
-Write-Output "`nDuplicated Serial Numbers (per CA)"
-$listaC | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Group-Object -Property sIssuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | ft

From 09f0445c5e3f6c42346937cb2369585bcb8584f1 Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Sun, 21 Jul 2019 12:37:00 +0200
Subject: [PATCH 4/6] Create TODO

---
 TODO | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 TODO

diff --git a/TODO b/TODO
new file mode 100644
index 0000000..b70e524
--- /dev/null
+++ b/TODO
@@ -0,0 +1 @@
+Check if a certificate is included into a CRL, and show on which one(s) it is.

From b6c421de4654552be23054d2d4232c2719759381 Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Sun, 21 Jul 2019 14:08:28 +0200
Subject: [PATCH 5/6] Update pfSenseCertViewer.ps1

---
 pfSenseCertViewer.ps1 | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/pfSenseCertViewer.ps1 b/pfSenseCertViewer.ps1
index 8ffd2ec..6d60796 100644
--- a/pfSenseCertViewer.ps1
+++ b/pfSenseCertViewer.ps1
@@ -27,13 +27,24 @@ Function Add-Lista {
  foreach($c in $obj.Value) {
  $ccc = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($c.crt))
  $ccc.FriendlyName = $c.descr.'#cdata-section'
- $lista.Value += $ccc | Select *, @{N='IsCA';E={$fromCA}} `
+ $objTmp = $ccc | Select *, @{N='IsCA';E={$fromCA}} `
  , @{N='IsServer';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidSRV}} `
  , @{N='IsClient';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidCLI}} `
  , @{N='sIssuer';E={Get-CN($_.Issuer)}}, @{N='sSubject';E={Get-CN($_.Subject)}} `
  , @{N='refid'; E={$c.refid}} `
- , @{N='isRevoked'; E={-not $fromCA -and $c.refid -in $revs}}
- #, @{N='refid'; E={$c.refid}}, @{N='isRevoked'; E={(-not $fromCA) -and ($_.refid -in $listaR.refid)}}
+ , @{N='isRevoked'; E={-not $fromCA -and $c.refid -in $revs}} `
+ , @{N='revokedOn'; Expression={$null}} `
+
+ if ($objTmp.isRevoked) {
+ [string[]]$strRev = @()
+ foreach($d in $listaR) {
+ if ($d.refid -eq $c.refid) {
+ $strRev += [string]($d.listRev)
+ }
+ }
+ $objTmp.revokedOn = $strRev
+ }
+ $lista.Value += $objTmp
  }
 }
 
@@ -54,11 +65,11 @@ Function Add-Lista {
 [xml]$aaa = Get-Content $cfg -Encoding Default
 
 #Get the CRL revocation list
-[DateTime]$o = '1970-01-01'
+[DateTime]$time0 = '1970-01-01'
 #[array]$listaR = $aaa.pfsense.crl.cert | Select caref, refid, reason, @{N='revDate';E={$o.AddSeconds($_.revoke_time)}}
 [array]$listaR = @()
 foreach($r in $aaa.pfsense.crl) {
- $listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$o.AddSeconds($_.revoke_time)}}
+ $listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$time0.AddSeconds($_.revoke_time)}}
 }
 
 #Add CA Certificates to $listaC (WITHOUT private keys)
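Review bot: The new `, @{N='revokedOn'; Expression={$null}} `` line keeps a trailing line-continuation backtick, so the `Select` statement only terminates because the following added line is empty; any later edit that puts code on that line would be swallowed into the pipeline. Drop the backtick: `, @{N='revokedOn'; Expression={$null}}`. The revocation lookup also scans `$listaR` once per revoked certificate (`foreach($d in $listaR)`) after `$revs` has already been derived from the same list; a hashtable keyed by `refid`, built once before the `foreach($c in $obj.Value)` loop, would answer both `isRevoked` and `revokedOn` with a single lookup and would be the natural place to take `$listaR` as a parameter instead of reaching it through the caller's scope. `Add-Lista` begins before this hunk.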
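Review bot: `[DateTime]$time0 = '1970-01-01'` yields a value of kind Unspecified, while `revoke_time` is added to it as seconds since the Unix epoch (`$time0.AddSeconds($_.revoke_time)`), i.e. a UTC instant; `revDate` therefore holds a UTC time that any later formatting or comparison treats as local. Anchor the epoch explicitly, `[DateTime]$time0 = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)`, and call `.ToLocalTime()` at display time if local time is wanted. The commented-out `#[array]$listaR = …` line above still uses the old `$o.AddSeconds(...)` name after the rename.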
@@ -77,12 +88,12 @@ $listaC | Where-Object {$_.isCA} | Select sIssuer, SerialNumber, FriendlyName, D
 
 #List of Server Certificates
 Write-Output "`nServer Certificates"
-$listaC | Where-Object {$_.isServer} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft
+$listaC | Where-Object {$_.isServer} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | Sort-Object -Property sIssuer, SerialNumber | ft
 
 #List of User Certificates (not CA and not Server)
 Write-Output "`nUser Certificates"
-$listaC | Where-Object {-not ($_.isCA -or $_.isServer)} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft
+$listaC | Where-Object {-not ($_.isCA -or $_.isServer)} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | Sort-Object -Property sIssuer, SerialNumber | ft
 
 #List of Dupicated SerialNumbers (per CA)
 Write-Output "`nDuplicated Serial Numbers (per CA)"
-$listaC | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Group-Object -Property sIssuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | ft
+$listaC | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | Group-Object -Property sIssuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | ft

From 82ce316efd67ec3a64c31c8e4cb1d8a14ce4ecdf Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Sun, 21 Jul 2019 14:09:16 +0200
Subject: [PATCH 6/6] Delete TODO

---
 TODO | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 TODO

diff --git a/TODO b/TODO
deleted file mode 100644
index b70e524..0000000
--- a/TODO
+++ /dev/null
@@ -1 +0,0 @@
-Check if a certificate is included into a CRL, and show on which one(s) it is.
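Review bot: The duplicate-serial report on the last changed line groups on `sIssuer`, which `Get-CN` reduces to the issuer's CN alone, so if two distinct CAs in the config share a CN their legitimately separate serial numbers are reported as duplicates, and the report cannot say which CA is meant. Group on the full distinguished name and keep the short form for display only: `$listaC | Group-Object -Property Issuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | ft`. `Issuer` is still available on these objects because `Add-Lista` builds them with `Select *`.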