From 3324163cefab7fb9a5c1a2f8f215d03fda97b638 Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Wed, 11 Sep 2019 02:33:35 +0200
Subject: [PATCH 1/6] Update README.md
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d9c51ec..574e848 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,8 @@ are revoked, and it's in use by openVPN, we will be surprised of having more
 revoked certs than the desired.
 This tool finds those duplicated SerialNumbers into a non encrypted xml pfSense config backup.
-Last change 2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
+2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
+Last change 2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder.
 Thanks to [pippin](https://forum.netgate.com/user/pippin) for show me the links to the pfSense docummented issue:
From 684737ebbb4d2494c902db10fc2256821b65002f Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Wed, 11 Sep 2019 02:35:57 +0200
Subject: [PATCH 2/6] Update README-es.md
---
 README-es.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README-es.md b/README-es.md
index 4d706ef..f5e77c1 100644
--- a/README-es.md
+++ b/README-es.md
@@ -6,4 +6,6 @@ Si se revoca alguno de estos certificados con SN duplicado, y están en uso en o
 nos llevaremos la sorpresa de haber revocado más de lo deseado.
 Esta herramienta encuentra esas duplicidades de SN usando como entrada un backup XML de configuración de pfSense no cifrado.
-ültimo cambio 2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
+2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
+
+Último cambio 2019/09/11: Nueva funcionalidad: Ahora también se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscara en la carpeta de instalación de openVPN.
From 4ce05e5c249fdc3d4c6962579080aff57701eca6 Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Wed, 11 Sep 2019 02:38:41 +0200
Subject: [PATCH 3/6] Update pfSenseCertViewer.ps1
---
 pfSenseCertViewer.ps1 | 110 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 96 insertions(+), 14 deletions(-)
diff --git a/pfSenseCertViewer.ps1 b/pfSenseCertViewer.ps1
index 98697c2..33121e9 100644
--- a/pfSenseCertViewer.ps1
+++ b/pfSenseCertViewer.ps1
@@ -1,9 +1,9 @@
 ####
 ### pfSense Certificate Viewer (without private key)
-### Version 1.0.3
+### Version 1.0.4
 ####
-# Redefine the $cfg string variable to point to a valid non encrypted pfSense XML configuration backup file.
-# You can also pass the command line FilePath parameter as path to the input XML cfg file.
+# Redefine the $cfg string variable to point to a valid unecrypted pfSense Configuration XML file.
+# You can also use the command line FilePath parameter as path to the input XML cfg file
 # This script will return the CA certificates, Server certificates, User certificates (used or not) and duplicated Serial Number Certificates
 # 
@@ -14,13 +14,22 @@
 #[CmdletBinding()]
 Param (
 [Parameter(Mandatory=$false,
- Position=0,
- ValueFromPipeline=$true,
- ValueFromPipelineByPropertyName=$true)]
+ Position=0,
+ ValueFromPipeline=$true,
+ ValueFromPipelineByPropertyName=$true)]
 [Alias("File")]
 [string]$FilePath)
+Function Get-BeginEndWO {
+ Param([Parameter(Mandatory=$true, Position=0)]
+ [string]$path)
+
+ [string[]]$text = Get-Content $path -Encoding UTF8
+ #Remove 1st and last lines
+ $text[1..($text.Count-2)]
+}
+
 Function Get-CN {
 Param([Parameter(Mandatory=$true)][string]$name)
 if($name -match "CN=([^,]*)") { 
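Review bot: The slice `$text[1..($text.Count-2)]` in Get-BeginEndWO misbehaves on inputs shorter than three lines: with two lines the range `1..0` runs backwards and returns both lines in reverse order, and with one line it indexes 1, 0 and -1, so a truncated or empty file is handed on as if it were the base64 body instead of being rejected. A guard before the slice in the file's own error style, `if ($text.Count -lt 3) { Write-Host "File '$path' is too short to be an encrypted config." -BackgroundColor DarkRed; Exit 6 }`, makes the failure explicit (exit code constructed for illustration; pick one not already used). The function also has no header comment; I would add one saying it returns the file content with its first and last lines dropped, presumably the marker lines surrounding the base64 block of an encrypted pfSense backup — confirm against the callers.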
@@ -61,10 +70,87 @@ Function Add-Lista {
 }
 }
+
+Function Decrypt {
+ Param([Parameter(Mandatory=$true,Position=0)][string]$fileIn
+ ,[Parameter(Mandatory=$true,Position=1)][string]$fileOut
+ ,[Parameter(Mandatory=$false,Position=2)][string]$pass)
+
+ # If $openSSL is not '', we will look for the openSSL.exe available with openVPN install.
+ # You can define a value for $openSSL if you have a valid openssl executable path.
+ [string]$openSSL = ''
+ if ($openSSL -eq '') {
+ #Look for openvpn installation
+ [string]$rutaREG = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN"
+ if (-not (Test-Path($rutaREG))) {
+ Write-Host 'No openvpn installation found. openssl.exe is part of the openVPN installation. If you have another openssl.exe available path, you can redefine the $openSSL variable at line 81.' -BackgroundColor DarkRed
+ Exit (3)
+ }
+
+ $openSSL = ((Get-ItemProperty -Path $rutaREG).exe_path).Replace("openvpn.exe", "openssl.exe")
+ }
+
+ if ($pass -eq '') {
+ [System.Security.SecureString]$pwd = Read-Host "Password XML File:" -AsSecureString
+ $pass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd))
+ }
+
+ & "$($openSSL)" enc -d -aes-256-cbc -in "$($fileIn)" -out "$($fileOut)" -salt -md md5 -k ''$($pass)''
+}
+
+Function Get-ConfigFile {
+ Param([Parameter(Mandatory=$true,Position=0)][string]$filePath `
+ ,[Parameter(Mandatory=$true,Position=1)][ref]$xml)
+
+ if (-not (Test-Path -Path $filePath)) {
+ Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
+ Exit 1
+ }
+
+ [bool]$encrypted = $false
+ try {
+ $xml.Value = Get-Content $filePath -Encoding UTF8
+ }
+ catch {
+ $encrypted = $true
+ }
+
+ if ($encrypted -eq $true) {
+ #Encrypted xml file
+ [string[]]$cifrado = Get-BeginEndWO -path $filePath
+ $f1Cin = New-TemporaryFile
+ $f1Cou = New-TemporaryFile
+ try {
+ [IO.File]::WriteAllBytes($f1Cin.FullName, [System.Convert]::FromBase64String($cifrado))
+ Decrypt -fileIn $f1Cin.FullName -fileOut $f1Cou.FullName
+
+ # Check if file exists
+ if (-not (Test-Path $f1Cou.FullName) -or (Get-Item $f1Cou.FullName).Length -eq 0) {
+ Write-Host "Unable to decrypt file. Process stoped." -BackgroundColor DarkRed
+ Exit 4
+ }
+
+ # File exists
+ $xml.Value = Get-Content $f1Cou.FullName -Encoding UTF8
+ }
+ catch {
+ Write-Host "Bad password. Process stoped." -BackgroundColor DarkRed
+ Exit 5
+ }
+ finally {
+ Remove-Item $f1Cin.FullName -Force
+ Remove-Item $f1Cou.FullName -Force
+ }
+ }
+}
+
+
 #
 # BODY
 #
+#$ErrorActionPreference = 'SilentlyContinue'
+
 # Check if param 0 is assigned
 if ($FilePath -eq $null -or $FilePath -eq '') {
 [string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.private.xml"
@@ -75,13 +161,9 @@ else {
 }
-if (-not (Test-Path -Path $cfg)) {
- Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
- Exit 1
-}
-
-#Read XML pfSense config file (UTF8 enconding)
-[xml]$fxml = Get-Content $cfg -Encoding UTF8
+#Read XML pfSense config file (UTF8 Encoding)
+[xml]$fxml = $null
+Get-ConfigFile -filePath $cfg -xml ([ref]$fxml)
 #Get the CRL revocation list
 [DateTime]$time0 = '1970-01-01'
@@ -98,7 +180,7 @@ Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.ca) -fromCA $true
 Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.cert) -fromCA $false
 #Note: User Certificates created with old pfSense versions could set the EnhancedKeyUsageList property to .
-Remove-Variable fxml, r
+Remove-Variable fxml
 #List of CA Certificates
 Write-Output "`nCA Certificates" 
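Review bot: The passphrase is handed to openssl on its command line (`-k ''$($pass)''` at the end of Decrypt), so for the duration of the decryption it is readable by any local process listing, and the BSTR returned by `SecureStringToBSTR` is never released with `ZeroFreeBSTR`, so the plaintext lingers in unmanaged memory. OpenSSL can take the passphrase on standard input instead, `$pass | & "$openSSL" enc -d -aes-256-cbc -salt -md md5 -in "$fileIn" -out "$fileOut" -pass stdin`, which keeps it out of argv; the BSTR pointer should be held in a variable and freed in a `finally` right after `PtrToStringAuto`. Get-ConfigFile also writes the decrypted backup, which for a pfSense config presumably includes the private keys this tool otherwise never displays, to a New-TemporaryFile path that `Remove-Item -Force` deletes without overwriting; that is worth a comment on the `$f1Cou` line so users on shared machines know the plaintext touches disk. Finally, its not-found message interpolates the script-scope `$cfg` rather than its own parameter and only works because of dynamic scoping; use `Write-Host "File '$filePath' not found. Process stopped." -BackgroundColor DarkRed`.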
From 83edf404eaba91a04528c9d8d167e3b29b025383 Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Wed, 11 Sep 2019 02:40:03 +0200
Subject: [PATCH 4/6] Update README.md
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 574e848..0eaed57 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ revoked certs than the desired.
 This tool finds those duplicated SerialNumbers into a non encrypted xml pfSense config backup.
 2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
+
 Last change 2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder.
 Thanks to [pippin](https://forum.netgate.com/user/pippin) for show me the links to the pfSense docummented issue:
From 8013668ca8fcd41925aac32700b0126a90f83bb7 Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Wed, 11 Sep 2019 11:30:01 +0200
Subject: [PATCH 5/6] Update README.md
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 0eaed57..64cf45c 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,8 @@ are revoked, and it's in use by openVPN, we will be surprised of having more
 revoked certs than the desired.
 This tool finds those duplicated SerialNumbers into a non encrypted xml pfSense config backup.
+CA roots, server certificates and user certificates will also be displayed.
+
 2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
 Last change 2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder.
From a741a94f8682825a1c872584df20715d98ef3d9a Mon Sep 17 00:00:00 2001
From: Alvaro Sedano
Date: Wed, 11 Sep 2019 11:35:30 +0200
Subject: [PATCH 6/6] Update README-es.md
---
 README-es.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README-es.md b/README-es.md
index f5e77c1..159de68 100644
--- a/README-es.md
+++ b/README-es.md
@@ -6,6 +6,8 @@ Si se revoca alguno de estos certificados con SN duplicado, y están en uso en o
 nos llevaremos la sorpresa de haber revocado más de lo deseado.
 Esta herramienta encuentra esas duplicidades de SN usando como entrada un backup XML de configuración de pfSense no cifrado.
+También mostrará los certificados de CA, servidor y usuario.
+
 2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
-Último cambio 2019/09/11: Nueva funcionalidad: Ahora también se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscara en la carpeta de instalación de openVPN.
+Último cambio 2019/09/11: Nueva funcionalidad: Ahora también se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscará en la carpeta de instalación de openVPN.