Mirrors/pfSense-Certificate-Viewer
1
0
Fork 0
mirror of https://github.com/alvarsedano/pfSense-Certificate-Viewer.git synced 2025-06-28 01:07:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #2 from alvarsedano/encryptedXML

Browse Source 
Encrypted xml
This commit is contained in:
Alvaro Sedano 2019-09-12 00:09:56 +02:00 committed by GitHub
commit ba720c638f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 106 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README-es.md
View File

@ -6,4 +6,8 @@ Si se revoca alguno de estos certificados con SN duplicado, y están en uso en o
nos llevaremos la sorpresa de haber revocado más de lo deseado. Esta herramienta encuentra nos llevaremos la sorpresa de haber revocado más de lo deseado. Esta herramienta encuentra
esas duplicidades de SN usando como entrada un backup XML de configuración de pfSense no cifrado. esas duplicidades de SN usando como entrada un backup XML de configuración de pfSense no cifrado.
Último cambio 2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado. También mostrará los certificados de CA, servidor y usuario.
2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
Último cambio 2019/09/11: Nueva funcionalidad: Ahora también se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscará en la carpeta de instalación de openVPN.

6
README.md
View File

@ -7,7 +7,11 @@ are revoked, and it's in use by openVPN, we will be surprised of having more
revoked certs than the desired. This tool finds those duplicated SerialNumbers revoked certs than the desired. This tool finds those duplicated SerialNumbers
into a non encrypted xml pfSense config backup. into a non encrypted xml pfSense config backup.
Last change 2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears. CA roots, server certificates and user certificates will also be displayed.
2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
Last change 2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder.
Thanks to [pippin](https://forum.netgate.com/user/pippin) for show me the links to the pfSense docummented issue: Thanks to [pippin](https://forum.netgate.com/user/pippin) for show me the links to the pfSense docummented issue:

110
pfSenseCertViewer.ps1
View File

@ -1,9 +1,9 @@
#### ####
### pfSense Certificate Viewer (without private key) ### pfSense Certificate Viewer (without private key)
### Version 1.0.3 ### Version 1.0.4
#### ####
# Redefine the $cfg string variable to point to a valid non encrypted pfSense XML configuration backup file. # Redefine the $cfg string variable to point to a valid unecrypted pfSense Configuration XML file.
# You can also pass the command line FilePath parameter as path to the input XML cfg file. # You can also use the command line FilePath parameter as path to the input XML cfg file
# This script will return the CA certificates, Server certificates, User certificates (used or not) and duplicated Serial Number Certificates # This script will return the CA certificates, Server certificates, User certificates (used or not) and duplicated Serial Number Certificates
# #
@ -14,13 +14,22 @@
#[CmdletBinding()] #[CmdletBinding()]
Param ( Param (
[Parameter(Mandatory=$false, [Parameter(Mandatory=$false,
Position=0, Position=0,
ValueFromPipeline=$true, ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true)] ValueFromPipelineByPropertyName=$true)]
[Alias("File")] [Alias("File")]
[string]$FilePath) [string]$FilePath)
Function Get-BeginEndWO {
Param([Parameter(Mandatory=$true, Position=0)]
[string]$path)
[string[]]$text = Get-Content $path -Encoding UTF8
#Remove 1st and last lines
$text[1..($text.Count-2)]
}
Function Get-CN { Function Get-CN {
Param([Parameter(Mandatory=$true)][string]$name) Param([Parameter(Mandatory=$true)][string]$name)
if($name -match "CN=([^,]*)") { if($name -match "CN=([^,]*)") {
@ -61,10 +70,87 @@ Function Add-Lista {
} }
} }
Function Decrypt {
Param([Parameter(Mandatory=$true,Position=0)][string]$fileIn
,[Parameter(Mandatory=$true,Position=1)][string]$fileOut
,[Parameter(Mandatory=$false,Position=2)][string]$pass)
# If $openSSL is not '', we will look for the openSSL.exe available with openVPN install.
# You can define a value for $openSSL if you have a valid openssl executable path.
[string]$openSSL = ''
if ($openSSL -eq '') {
#Look for openvpn installation
[string]$rutaREG = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN"
if (-not (Test-Path($rutaREG))) {
Write-Host 'No openvpn installation found. openssl.exe is part of the openVPN installation. If you have another openssl.exe available path, you can redefine the $openSSL variable at line 81.' -BackgroundColor DarkRed
Exit (3)
}
$openSSL = ((Get-ItemProperty -Path $rutaREG).exe_path).Replace("openvpn.exe", "openssl.exe")
}
if ($pass -eq '') {
[System.Security.SecureString]$pwd = Read-Host "Password XML File:" -AsSecureString
$pass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd))
}
& "$($openSSL)" enc -d -aes-256-cbc -in "$($fileIn)" -out "$($fileOut)" -salt -md md5 -k ''$($pass)''
}
Function Get-ConfigFile {
Param([Parameter(Mandatory=$true,Position=0)][string]$filePath `
,[Parameter(Mandatory=$true,Position=1)][ref]$xml)
if (-not (Test-Path -Path $filePath)) {
Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
Exit 1
}
[bool]$encrypted = $false
try {
$xml.Value = Get-Content $filePath -Encoding UTF8
}
catch {
$encrypted = $true
}
if ($encrypted -eq $true) {
#Encrypted xml file
[string[]]$cifrado = Get-BeginEndWO -path $filePath
$f1Cin = New-TemporaryFile
$f1Cou = New-TemporaryFile
try {
[IO.File]::WriteAllBytes($f1Cin.FullName, [System.Convert]::FromBase64String($cifrado))
Decrypt -fileIn $f1Cin.FullName -fileOut $f1Cou.FullName
# Check if file exists
if (-not (Test-Path $f1Cou.FullName) -or (Get-Item $f1Cou.FullName).Length -eq 0) {
Write-Host "Unable to decrypt file. Process stoped." -BackgroundColor DarkRed
Exit 4
}
# File exists
$xml.Value = Get-Content $f1Cou.FullName -Encoding UTF8
}
catch {
Write-Host "Bad password. Process stoped." -BackgroundColor DarkRed
Exit 5
}
finally {
Remove-Item $f1Cin.FullName -Force
Remove-Item $f1Cou.FullName -Force
}
}
}
# #
# BODY # BODY
# #
#$ErrorActionPreference = 'SilentlyContinue'
# Check if param 0 is assigned # Check if param 0 is assigned
if ($FilePath -eq $null -or $FilePath -eq '') { if ($FilePath -eq $null -or $FilePath -eq '') {
[string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.private.xml" [string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.private.xml"
@ -75,13 +161,9 @@ else {
} }
if (-not (Test-Path -Path $cfg)) { #Read XML pfSense config file (UTF8 Encoding)
Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed [xml]$fxml = $null
Exit 1 Get-ConfigFile -filePath $cfg -xml ([ref]$fxml)
}
#Read XML pfSense config file (UTF8 enconding)
[xml]$fxml = Get-Content $cfg -Encoding UTF8
#Get the CRL revocation list #Get the CRL revocation list
[DateTime]$time0 = '1970-01-01' [DateTime]$time0 = '1970-01-01'
@ -98,7 +180,7 @@ Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.ca) -fromCA $true
Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.cert) -fromCA $false Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.cert) -fromCA $false
#Note: User Certificates created with old pfSense versions could set the EnhancedKeyUsageList property to <empty>. #Note: User Certificates created with old pfSense versions could set the EnhancedKeyUsageList property to <empty>.
Remove-Variable fxml, r Remove-Variable fxml
#List of CA Certificates #List of CA Certificates
Write-Output "`nCA Certificates" Write-Output "`nCA Certificates"