mirror of
https://github.com/alvarsedano/pfSense-Certificate-Viewer.git
synced 2025-06-28 01:07:00 +00:00
Alvaro Sedano
GitHub
commit
ba720c638f
@ -6,4 +6,8 @@ Si se revoca alguno de estos certificados con SN duplicado, y están en uso en o
|
||||
nos llevaremos la sorpresa de haber revocado más de lo deseado. Esta herramienta encuentra
|
||||
esas duplicidades de SN usando como entrada un backup XML de configuración de pfSense no cifrado.
|
||||
|
||||
Último cambio 2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
|
||||
También mostrará los certificados de CA, servidor y usuario.
|
||||
|
||||
2017/07/21: Nueva funcionalidad: Ahora muestra en qué CRL(s) está referenciado el certificado.
|
||||
|
||||
Último cambio 2019/09/11: Nueva funcionalidad: Ahora también se pueden descifrar archivos de configuración XML. Para hacerlo hay que disponer de openssl.exe. Por defecto el script lo buscará en la carpeta de instalación de openVPN.
|
||||
|
||||
@ -7,7 +7,11 @@ are revoked, and it's in use by openVPN, we will be surprised of having more
|
||||
revoked certs than the desired. This tool finds those duplicated SerialNumbers
|
||||
into a non encrypted xml pfSense config backup.
|
||||
|
||||
Last change 2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
|
||||
CA roots, server certificates and user certificates will also be displayed.
|
||||
|
||||
2019/07/21: New feature: Now it also shows the CRL(s) in which the cert appears.
|
||||
|
||||
Last change 2019/09/11: New feature: Encrypted XML config files supported. To decrypt the xml files is mandatory a path to openssl.exe. By default this script looks for the openvpn bin folder.
|
||||
|
||||
Thanks to [pippin](https://forum.netgate.com/user/pippin) for show me the links to the pfSense docummented issue:
|
||||
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
####
|
||||
### pfSense Certificate Viewer (without private key)
|
||||
### Version 1.0.3
|
||||
### Version 1.0.4
|
||||
####
|
||||
# Redefine the $cfg string variable to point to a valid non encrypted pfSense XML configuration backup file.
|
||||
# You can also pass the command line FilePath parameter as path to the input XML cfg file.
|
||||
# Redefine the $cfg string variable to point to a valid unecrypted pfSense Configuration XML file.
|
||||
# You can also use the command line FilePath parameter as path to the input XML cfg file
|
||||
|
||||
# This script will return the CA certificates, Server certificates, User certificates (used or not) and duplicated Serial Number Certificates
|
||||
#
|
||||
@ -14,13 +14,22 @@
|
||||
#[CmdletBinding()]
|
||||
Param (
|
||||
[Parameter(Mandatory=$false,
|
||||
Position=0,
|
||||
ValueFromPipeline=$true,
|
||||
ValueFromPipelineByPropertyName=$true)]
|
||||
Position=0,
|
||||
ValueFromPipeline=$true,
|
||||
ValueFromPipelineByPropertyName=$true)]
|
||||
[Alias("File")]
|
||||
[string]$FilePath)
|
||||
|
||||
|
||||
Function Get-BeginEndWO {
|
||||
Param([Parameter(Mandatory=$true, Position=0)]
|
||||
[string]$path)
|
||||
|
||||
[string[]]$text = Get-Content $path -Encoding UTF8
|
||||
#Remove 1st and last lines
|
||||
$text[1..($text.Count-2)]
|
||||
}
|
||||
|
||||
Function Get-CN {
|
||||
Param([Parameter(Mandatory=$true)][string]$name)
|
||||
if($name -match "CN=([^,]*)") {
|
||||
@ -61,10 +70,87 @@ Function Add-Lista {
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Function Decrypt {
|
||||
Param([Parameter(Mandatory=$true,Position=0)][string]$fileIn
|
||||
,[Parameter(Mandatory=$true,Position=1)][string]$fileOut
|
||||
,[Parameter(Mandatory=$false,Position=2)][string]$pass)
|
||||
|
||||
# If $openSSL is not '', we will look for the openSSL.exe available with openVPN install.
|
||||
# You can define a value for $openSSL if you have a valid openssl executable path.
|
||||
[string]$openSSL = ''
|
||||
if ($openSSL -eq '') {
|
||||
#Look for openvpn installation
|
||||
[string]$rutaREG = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN"
|
||||
if (-not (Test-Path($rutaREG))) {
|
||||
Write-Host 'No openvpn installation found. openssl.exe is part of the openVPN installation. If you have another openssl.exe available path, you can redefine the $openSSL variable at line 81.' -BackgroundColor DarkRed
|
||||
Exit (3)
|
||||
}
|
||||
|
||||
$openSSL = ((Get-ItemProperty -Path $rutaREG).exe_path).Replace("openvpn.exe", "openssl.exe")
|
||||
}
|
||||
|
||||
if ($pass -eq '') {
|
||||
[System.Security.SecureString]$pwd = Read-Host "Password XML File:" -AsSecureString
|
||||
$pass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd))
|
||||
}
|
||||
|
||||
& "$($openSSL)" enc -d -aes-256-cbc -in "$($fileIn)" -out "$($fileOut)" -salt -md md5 -k ''$($pass)''
|
||||
}
|
||||
|
||||
Function Get-ConfigFile {
|
||||
Param([Parameter(Mandatory=$true,Position=0)][string]$filePath `
|
||||
,[Parameter(Mandatory=$true,Position=1)][ref]$xml)
|
||||
|
||||
if (-not (Test-Path -Path $filePath)) {
|
||||
Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
|
||||
Exit 1
|
||||
}
|
||||
|
||||
[bool]$encrypted = $false
|
||||
try {
|
||||
$xml.Value = Get-Content $filePath -Encoding UTF8
|
||||
}
|
||||
catch {
|
||||
$encrypted = $true
|
||||
}
|
||||
|
||||
if ($encrypted -eq $true) {
|
||||
#Encrypted xml file
|
||||
[string[]]$cifrado = Get-BeginEndWO -path $filePath
|
||||
$f1Cin = New-TemporaryFile
|
||||
$f1Cou = New-TemporaryFile
|
||||
try {
|
||||
[IO.File]::WriteAllBytes($f1Cin.FullName, [System.Convert]::FromBase64String($cifrado))
|
||||
Decrypt -fileIn $f1Cin.FullName -fileOut $f1Cou.FullName
|
||||
|
||||
# Check if file exists
|
||||
if (-not (Test-Path $f1Cou.FullName) -or (Get-Item $f1Cou.FullName).Length -eq 0) {
|
||||
Write-Host "Unable to decrypt file. Process stoped." -BackgroundColor DarkRed
|
||||
Exit 4
|
||||
}
|
||||
|
||||
# File exists
|
||||
$xml.Value = Get-Content $f1Cou.FullName -Encoding UTF8
|
||||
}
|
||||
catch {
|
||||
Write-Host "Bad password. Process stoped." -BackgroundColor DarkRed
|
||||
Exit 5
|
||||
}
|
||||
finally {
|
||||
Remove-Item $f1Cin.FullName -Force
|
||||
Remove-Item $f1Cou.FullName -Force
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# BODY
|
||||
#
|
||||
|
||||
#$ErrorActionPreference = 'SilentlyContinue'
|
||||
|
||||
# Check if param 0 is assigned
|
||||
if ($FilePath -eq $null -or $FilePath -eq '') {
|
||||
[string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.private.xml"
|
||||
@ -75,13 +161,9 @@ else {
|
||||
}
|
||||
|
||||
|
||||
if (-not (Test-Path -Path $cfg)) {
|
||||
Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
|
||||
Exit 1
|
||||
}
|
||||
|
||||
#Read XML pfSense config file (UTF8 enconding)
|
||||
[xml]$fxml = Get-Content $cfg -Encoding UTF8
|
||||
#Read XML pfSense config file (UTF8 Encoding)
|
||||
[xml]$fxml = $null
|
||||
Get-ConfigFile -filePath $cfg -xml ([ref]$fxml)
|
||||
|
||||
#Get the CRL revocation list
|
||||
[DateTime]$time0 = '1970-01-01'
|
||||
@ -98,7 +180,7 @@ Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.ca) -fromCA $true
|
||||
Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.cert) -fromCA $false
|
||||
#Note: User Certificates created with old pfSense versions could set the EnhancedKeyUsageList property to <empty>.
|
||||
|
||||
Remove-Variable fxml, r
|
||||
Remove-Variable fxml
|
||||
|
||||
#List of CA Certificates
|
||||
Write-Output "`nCA Certificates"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user