metasploit-credential 6.0.3 → 6.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 400f381379e4097dcac14f58cdc30441d19302fbbbb71a47f605d12e0de742f6
-  data.tar.gz: 00ad5bd371f705f0ceddf8a119aa0e24588b60a97fa4745298e1420ed3e41151
+  metadata.gz: c890cd98fc73ff6cbd909ded7207646f534477a4308f60f1e7dc09231cd29d88
+  data.tar.gz: 62fd27bcb61c852fb705cb89a0848771f6c4ae64b6a3c76202228ea6d2037969
 SHA512:
-  metadata.gz: 414447fd2762a658471737dbc8698eeb05cf213d1a6019d517a4f83b979dca8891c7b19dcd627769265508951262d4f96f238ad891c2cc5d9d6fc4ebf17b16fb
-  data.tar.gz: a68f92d5f6b1d57449d451411b5e36890aa370e6f9d307d5a4bdc0fa63e120551a26d37844a765b1310b8cabc68fe414d949f149ef560791b8ec7d0ebf01f200
+  metadata.gz: 06bf39bbda84fc40c4f25085a39e4f27211a50246879fbe3b50f034c502a9b6fcf7cebbe9292912a4bfc42f8804837a45e8cbc332253b5f3fc5b122983f6b23e
+  data.tar.gz: d361ca8222849ab597accea494fef812339b971537bcd9cdbc3259eb19271a57f31cd1773c8338282211bf43569ee507888eb09f7326799b9ec6d66140bc50cd

checksums.yaml.gz.sig

@@ -1,2 +1,2 @@
-w (��m���O@f��ᐾ5��Txh�J/T�LՋK˕9�l�O�wKGٻ���s�«& 1��w_2iE�s<')G��J
���I��o�^,Auv�-�}�Zw/P���0�Ӈg�9�M���Ǭ��o�����Q��s����.��`s��M5ra����Z�;]*�D����~��A](ܢ4=B�g����`
-q�U��d
+�,-�Ds����4'w��nB�rI�}m��c�z.�?�{?D�ls�BG��	>ה)�N�:����u��#[3�[�������ޚ{��0aƺ%�|����#�P~?��P�'F��#,N;��$��.�U���<�8:�w��t��{-
+�r4A��o�z��<��Q�0g��}�_�� �����K����L���GrS!O�� �2��l��wb�j�v�Z}n�2Z�+����O[�h�?���.���O�X.�

data/app/models/metasploit/credential/krb_enc_key.rb

@@ -73,7 +73,8 @@ class Metasploit::Credential::KrbEncKey < Metasploit::Credential::PasswordHash
   # Callbacks
   #
 
-  before_validation :normalize_data
+  serialize :data, Metasploit::Credential::CaseInsensitiveSerializer
+  validates_uniqueness_of :data, :case_sensitive => false
 
   #
   # Validations
@@ -162,15 +163,6 @@ class Metasploit::Credential::KrbEncKey < Metasploit::Credential::PasswordHash
     }
   end
 
-  # Normalizes {#data} by making it all lowercase so that the unique validation and index on
-  # ({Metasploit::Credential::Private#type}, {#data}) catches collision in a case-insensitive manner without the need
-  # to use case-insensitive comparisons.
-  def normalize_data
-    if data
-      self.data = data.downcase
-    end
-  end
-
   # Validates that {#data} is in the expected data format
   def data_format
     unless DATA_REGEXP.match(data)

data/app/models/metasploit/credential/ntlm_hash.rb

@@ -55,15 +55,18 @@ class Metasploit::Credential::NTLMHash < Metasploit::Credential::ReplayableHash
   #   @return [String] `'<LAN Manager hex digest>:<NT LAN Manager hex digest>'`
 
   #
-  # Callbacks
+  # Serializers
   #
 
-  before_validation :normalize_data
+  # Hash results are always downcased when stored in the database
+  # This serializer allows for ORM to search in a case-insensitive
+  serialize :data, Metasploit::Credential::CaseInsensitiveSerializer
 
   #
   # Validations
   #
 
+  validates_uniqueness_of :data, :case_sensitive => false
   validate :data_format
 
   #
@@ -130,15 +133,6 @@ class Metasploit::Credential::NTLMHash < Metasploit::Credential::ReplayableHash
 
   private
 
-  # Normalizes {#data} by making it all lowercase so that the unique validation and index on
-  # ({Metasploit::Credential::Private#type}, {#data}) catches collision in a case-insensitive manner without the need
-  # to use case-insensitive comparisons.
-  def normalize_data
-    if data
-      self.data = data.downcase
-    end
-  end
-
   # Validates that {#data} is in the NTLM data format of <LAN Manager hex digest>:<NT LAN Manager hex digest>. Both hex
   # digests are 32 lowercase hexadecimal characters.
   def data_format

data/app/models/metasploit/credential/pkcs12.rb

@@ -0,0 +1,84 @@
+require 'openssl'
+require 'base64'
+
+# A private Pkcs12 file.
+class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
+  #
+  # Attributes
+  #
+
+  # @!attribute data
+  #   A private pkcs12 file, base64 encoded - i.e. starting with 'MIIMhgIBAzCCDFAGCSqGSIb3DQEHAaCC....'
+  #
+  #   @return [String]
+
+  #
+  #
+  # Validations
+  #
+  #
+
+  #
+  # Attribute Validations
+  #
+
+  validates :data,
+            presence: true
+  #
+  # Method Validations
+  #
+
+  validate :readable
+
+  #
+  # Instance Methods
+  #
+
+  # Converts the private pkcs12 data in {#data} to an `OpenSSL::PKCS12` instance.
+  #
+  # @return [OpenSSL::PKCS12]
+  # @raise [ArgumentError] if {#data} cannot be loaded
+  def openssl_pkcs12
+    if data
+      begin
+        password = ''
+        OpenSSL::PKCS12.new(Base64.strict_decode64(data), password)
+      rescue OpenSSL::PKCS12::PKCS12Error => error
+        raise ArgumentError.new(error)
+      end
+    end
+  end
+
+  # The {#data key data}'s fingerprint, suitable for displaying to the
+  # user.
+  #
+  # @return [String]
+  def to_s
+    return '' unless data
+
+    cert = openssl_pkcs12.certificate
+    result = []
+    result << "subject:#{cert.subject.to_s}"
+    result << "issuer:#{cert.issuer.to_s}"
+    result.join(',')
+  end
+
+  private
+
+  #
+  # Validates that {#data} can be read by OpenSSL and a `OpenSSL::PKCS12` can be created from {#data}.  Any exception
+  # raised will be reported as a validation error.
+  #
+  # @return [void]
+  def readable
+    if data
+      begin
+        openssl_pkcs12
+      rescue => error
+        errors.add(:data, "#{error.class} #{error}")
+      end
+    end
+  end
+
+  Metasploit::Concern.run(self)
+end

data/app/models/metasploit/credential/postgres_md5.rb

@@ -13,7 +13,8 @@ class Metasploit::Credential::PostgresMD5 < Metasploit::Credential::ReplayableHa
   # Callbacks
   #
 
-  before_validation :normalize_data
+  serialize :data, Metasploit::Credential::CaseInsensitiveSerializer
+  validates_uniqueness_of :data, :case_sensitive => false
 
   #
   # Validations
@@ -23,15 +24,6 @@ class Metasploit::Credential::PostgresMD5 < Metasploit::Credential::ReplayableHa
 
   private
 
-  # Normalizes {#data} by making it all lowercase so that the unique validation and index on
-  # ({Metasploit::Credential::Private#type}, {#data}) catches collision in a case-insensitive manner without the need
-  # to use case-insensitive comparisons.
-  def normalize_data
-    if data
-      self.data = data.downcase
-    end
-  end
-
   def data_format
     unless DATA_REGEXP.match(data)
       errors.add(:data, 'is not in Postgres MD5 Hash format')

data/app/models/metasploit/credential/private.rb

@@ -74,6 +74,7 @@ class Metasploit::Credential::Private < ApplicationRecord
                 Metasploit::Credential::Password
                 Metasploit::Credential::SSHKey
                 Metasploit::Credential::KrbEncKey
+                Metasploit::Credential::Pkcs12
               }
 
   #

data/config/locales/en.yml

@@ -57,6 +57,7 @@ en:
       metasploit/credential/ntlm_hash: "NTLM hash"
       metasploit/credential/ssh_key: "SSH key"
       metasploit/credential/krb_enc_key: 'Krb enc key'
+      metasploit/credential/pkcs12: 'Pkcs12 (pfx)'
     errors:
       models:
         metasploit/credential/core:
@@ -83,10 +84,14 @@ en:
           attributes:
             data:
               format: "is not in the KrbEncKey data format of 'msf_krbenckey:<ENCTYPE>:<KEY>:<SALT>', where the key and salt are in hexadecimal characters"
+        metasploit/credential/pkcs12:
+          attributes:
+            data:
+              format: "is not a Base64 encoded pkcs12 file without a password"
         metasploit/credential/ssh_key:
           attributes:
             data:
-              encrypted: "is encrypted, but Metasploit::Credential::SSHKey only supports unencrypred private keys."
+              encrypted: "is encrypted, but Metasploit::Credential::SSHKey only supports unencrypted private keys."
               not_private: "is not a private key."
   errors:
     messages:

data/db/migrate/20221209005658_create_index_on_private_data_and_type_for_pkcs12.rb

@@ -0,0 +1,32 @@
+class CreateIndexOnPrivateDataAndTypeForPkcs12 < ActiveRecord::Migration[6.1]
+  def up
+    # Drop the existing index created by 20161107153145_recreate_index_on_private_data_and_type.rb, and recreate it
+    # with Metasploit::Credential::Pkcs12 ignored
+    remove_index :metasploit_credential_privates, [:type, :data], if_exists: true
+    change_table :metasploit_credential_privates do |t|
+      t.index [:type, :data],
+              unique: true,
+              where: "NOT (type = 'Metasploit::Credential::SSHKey' or type = 'Metasploit::Credential::Pkcs12')"
+    end
+
+    # Create a new index similar to 20161107203710_create_index_on_private_data_and_type_for_ssh_key.rb
+    sql = <<~EOF
+      CREATE UNIQUE INDEX IF NOT EXISTS "index_metasploit_credential_privates_on_type_and_data_pkcs12" ON
+      "metasploit_credential_privates" ("type", decode(md5(data), 'hex'))
+      WHERE type in ('Metasploit::Credential::Pkcs12')
+    EOF
+    execute(sql)
+  end
+
+  def down
+    # Restore the original metasploit_credential_privates index from /Users/adfoster/Documents/code/metasploit-credential/db/migrate/20161107153145_recreate_index_on_private_data_and_type.rb
+    # XXX: this would crash if there are any Pkcs12 entries present, so for the simplicity of avoiding a data migration we keep the pkcs12 type ommitted from the index
+    remove_index :metasploit_credential_privates, [:type, :data], if_exists: true
+    change_table :metasploit_credential_privates do |t|
+      t.index [:type, :data],
+              unique: true,
+              where: "NOT (type = 'Metasploit::Credential::SSHKey' or type = 'Metasploit::Credential::Pkcs12')"
+    end
+    remove_index :metasploit_credential_privates, name: :index_metasploit_credential_privates_on_type_and_data_pkcs12, if_exists: true
+  end
+end

data/lib/metasploit/credential/case_insensitive_serializer.rb

@@ -0,0 +1,9 @@
+class Metasploit::Credential::CaseInsensitiveSerializer
+    def self.load(value)
+        value
+    end
+
+    def self.dump(value)
+        value.downcase
+    end
+end

data/lib/metasploit/credential/creation.rb

@@ -479,6 +479,8 @@ module Metasploit::Credential::Creation
           private_object = Metasploit::Credential::Password.where(data: private_data).first_or_create
         when :ssh_key
           private_object = Metasploit::Credential::SSHKey.where(data: private_data).first_or_create
+        when :pkcs12
+          private_object = Metasploit::Credential::Pkcs12.where(data: private_data).first_or_create
         when :krb_enc_key
           private_object = Metasploit::Credential::KrbEncKey.where(data: private_data).first_or_create
         when :ntlm_hash

data/lib/metasploit/credential/importer/core.rb

@@ -116,7 +116,6 @@ class Metasploit::Credential::Importer::Core
         private_class = row['private_type'].present? ? row['private_type'].constantize : ''
         private_data  = row['private_data'].present? ? row['private_data'] : ''
 
-
         if realms[realm_value].nil?
           realms[realm_value]  = Metasploit::Credential::Realm.where(key: realm_key, value: realm_value).first_or_create
         end
@@ -210,7 +209,7 @@ class Metasploit::Credential::Importer::Core
         if private_data.strip == BLANK_TOKEN
           private_object_for_row = Metasploit::Credential::BlankPassword.first_or_create
         else
-          private_object_for_row = @private_credential_type.constantize.where(data: row['private_data']).first_or_create
+          private_object_for_row = @private_credential_type.constantize.where(data: private_data).first_or_create
         end
 
         # need to check private_object_for_row.valid? to raise a user facing message if any cred had invalid private

data/lib/metasploit/credential/version.rb

@@ -3,7 +3,7 @@
 module Metasploit
   module Credential
     # VERSION is managed by GemRelease
-    VERSION = '6.0.3'
+    VERSION = '6.0.5'
 
     # @return [String]
     #

data/lib/metasploit/credential.rb

@@ -28,6 +28,7 @@ module Metasploit
 
     autoload :BlankPassword
     autoload :BlankUsername
+    autoload :CaseInsensitiveSerializer
     autoload :Core
     autoload :CoreValidations
     autoload :Creation
@@ -43,6 +44,7 @@ module Metasploit
     autoload :Origin
     autoload :Password
     autoload :PasswordHash
+    autoload :Pkcs12
     autoload :PostgresMD5
     autoload :Private
     autoload :Public

data/spec/dummy/config/database.yml

@@ -1,6 +1,6 @@
 development: &pgsql
   adapter: postgresql
-  database: metasploit-credential_development1
+  database: metasploit-credential_development2
   username: msf
   password: pass123
   host: localhost
@@ -10,4 +10,4 @@ development: &pgsql
   min_messages: warning
 test:
   <<: *pgsql
-  database: metasploit-credential_test1
+  database: metasploit-credential_test2

data/spec/factories/metasploit/credential/pkcs12.rb

@@ -0,0 +1,37 @@
+FactoryBot.define do
+  factory :metasploit_credential_pkcs12,
+          class: Metasploit::Credential::Pkcs12 do
+    transient do
+      # key size tuned for speed.  DO NOT use for production, it is below current recommended key size of 2048
+      key_size { 1024 }
+      # signing algorithm for the pkcs12 cert
+      signing_algorithm { 'SHA256' }
+      # the cert subject
+      subject { '/C=BE/O=Test/OU=Test/CN=Test' }
+      # the cert issuer
+      issuer { '/C=BE/O=Test/OU=Test/CN=Test' }
+    end
+
+    data {
+      password = ''
+      pkcs12_name = ''
+
+      private_key = OpenSSL::PKey::RSA.new(key_size)
+      public_key = private_key.public_key
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.subject = OpenSSL::X509::Name.parse(subject)
+      cert.issuer = OpenSSL::X509::Name.parse(issuer)
+      cert.not_before = Time.now
+      cert.not_after = Time.now + 365 * 24 * 60 * 60
+      cert.public_key = public_key
+      cert.serial = 0x0
+      cert.version = 2
+      cert.sign(private_key, OpenSSL::Digest.new(signing_algorithm))
+
+      pkcs12 = OpenSSL::PKCS12.create(password, pkcs12_name, private_key, cert)
+      pkcs12_base64 = Base64.strict_encode64(pkcs12.to_der)
+      pkcs12_base64
+    }
+  end
+end

data/spec/lib/metasploit/credential/creation_spec.rb

@@ -134,20 +134,30 @@ RSpec.describe Metasploit::Credential::Creation do
       nonreplayable_hash: "Metasploit::Credential::NonreplayableHash",
       ntlm_hash: "Metasploit::Credential::NTLMHash",
       postgres_md5: "Metasploit::Credential::PostgresMD5",
-      ssh_key: "Metasploit::Credential::SSHKey"
+      ssh_key: "Metasploit::Credential::SSHKey",
+      krb_enc_key: "Metasploit::Credential::KrbEncKey",
+      pkcs12: "Metasploit::Credential::Pkcs12"
     }.each_pair do |private_type, public_class|
       context "Origin[manual], Public[Username], Private[#{private_type}]" do
         let(:ssh_key) {
           key_class = OpenSSL::PKey.const_get(:RSA)
           key_class.generate(512).to_s
         }
+        let(:krb_enc_key) {
+          FactoryBot.build(:metasploit_credential_krb_enc_key).data
+        }
+        let(:pkcs12) {
+          FactoryBot.build(:metasploit_credential_pkcs12).data
+        }
         let(:private_data) { {
           password: 'password',
           blank_password: '',
           nonreplayable_hash: '435ba65d2e46d35bc656086694868d1ab2c0f9fd',
           ntlm_hash: 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0',
           postgres_md5: 'md5ac4bbe016b808c3c0b816981f240dcae',
-          ssh_key: ssh_key
+          ssh_key: ssh_key,
+          krb_enc_key: krb_enc_key,
+          pkcs12: pkcs12
         }}
         let(:credential_data) {{
           workspace_id: workspace.id,
@@ -168,6 +178,37 @@ RSpec.describe Metasploit::Credential::Creation do
         end
       end
     end
+    context 'deletion and creation' do
+      let(:private_data) { 'md5ac4bbe016b808c3c0b816981f240dcae' }
+      let(:private_data_upcase) { private_data.upcase }
+      let(:credential_data) {{
+        workspace_id: workspace.id,
+        user_id: user.id,
+        origin_type: :manual,
+        username: 'admin',
+        private_data: private_data,
+        private_type: :postgres_md5
+      }}
+      it 'creates a private cred' do
+        expect{ test_object.create_credential(credential_data) }.to change{ Metasploit::Credential::PostgresMD5.count }.by(1)
+      end
+      let(:credential_data_upcase) {{
+        workspace_id: workspace.id,
+        user_id: user.id,
+        origin_type: :manual,
+        username: 'admin',
+        private_data: private_data_upcase,
+        private_type: :postgres_md5
+      }}
+      it 'allows for the recreation of core with case insensitive private credentials set to different case' do
+        expect{ test_object.create_credential(credential_data) }.to change{ Metasploit::Credential::PostgresMD5.count }.by(1)
+        expect{ Metasploit::Credential::Core.first.destroy }.to change{ Metasploit::Credential::Core.count }.by(-1)
+        expect( Metasploit::Credential::PostgresMD5.count ).to eq(1)
+        expect( Metasploit::Credential::Core.count ).to eq(0)
+        expect{ test_object.create_credential(credential_data_upcase) }.to change{ Metasploit::Credential::Core.count }.by(1)
+        expect( Metasploit::Credential::PostgresMD5.count ).to eq(1)
+      end
+    end
   end
 
   context '#create_credential_and_login' do
@@ -821,6 +862,16 @@ RSpec.describe Metasploit::Credential::Creation do
         expect{ test_object.create_credential_private(opts) }.to change{ Metasploit::Credential::KrbEncKey.count }.by(1)
       end
     end
+
+    context 'when :private_type is pkcs12' do
+      it 'creates a Metasploit::Credential::Pkcs12' do
+        opts = {
+          private_data: FactoryBot.build(:metasploit_credential_pkcs12).data,
+          private_type: :pkcs12
+        }
+        expect{ test_object.create_credential_private(opts) }.to change{ Metasploit::Credential::Pkcs12.count }.by(1)
+      end
+    end
   end
 
   context '#create_credential_core' do

data/spec/models/metasploit/credential/krb_enc_key_spec.rb

@@ -148,4 +148,30 @@ RSpec.describe Metasploit::Credential::KrbEncKey, type: :model do
       end
     end
   end
+
+  context 'serialization' do
+    context '#first_or_create' do
+      let(:data) { 'msf_krbenckey:23:e22e04519aa757d12f1219c4f31252f4:' }
+      let(:upcase_data) {data.upcase}
+
+      context 'creates a new instance that stores case-insensitive value' do
+        it 'creates case insensitive data' do
+          expect{ Metasploit::Credential::KrbEncKey.where(data: data).first_or_create }.to change{Metasploit::Credential::KrbEncKey.count}.by(1)
+          expect{ Metasploit::Credential::KrbEncKey.where(data: upcase_data).first_or_create }.not_to change{Metasploit::Credential::KrbEncKey.count}
+        end
+      end
+
+      context 'finds an existing case insensitive match' do
+        let(:krb_enc_key) do
+          FactoryBot.build(
+              :metasploit_credential_krb_enc_key,
+              data: upcase_data
+          )
+        end
+        it 'successfully looks up credential in case insensitive way' do
+          expect( krb_enc_key.data ).to eq(data)
+        end
+      end
+    end
+  end
 end

data/spec/models/metasploit/credential/ntlm_hash_spec.rb

@@ -397,5 +397,29 @@ RSpec.describe Metasploit::Credential::NTLMHash, type: :model do
     end
   end
 
+  context 'serialization' do
+    context '#first_or_create' do
+      let(:data) { 'aad3b435b51404eeaad3b435b51404ee:4dc0249ad90ab626362050195893c788' }
+      let(:upcase_data) {data.upcase}
+
+      context 'creates a new instance that stores case-insensitive value' do
+        it 'creates case insensitive data' do
+          expect{ Metasploit::Credential::NTLMHash.where(data: data).first_or_create }.to change{Metasploit::Credential::NTLMHash.count}.by(1)
+          expect{ Metasploit::Credential::NTLMHash.where(data: upcase_data).first_or_create }.not_to change{Metasploit::Credential::NTLMHash.count}
+        end
+      end
 
+      context 'finds an existing case insensitive match' do
+        let(:ntlm_hash) do
+          FactoryBot.build(
+              :metasploit_credential_ntlm_hash,
+              data: upcase_data
+          )
+        end
+        it 'successfully looks up credential in case insensitive way' do
+          expect( ntlm_hash.data ).to eq(data)
+        end
+      end
+    end
+  end
 end

data/spec/models/metasploit/credential/pkcs12_spec.rb

@@ -0,0 +1,116 @@
+RSpec.describe Metasploit::Credential::Pkcs12, type: :model do
+  it_should_behave_like 'Metasploit::Concern.run'
+
+  context 'factories' do
+    context 'metasploit_credential_pkcs12' do
+      subject(:metasploit_credential_pkcs12) do
+        FactoryBot.build(:metasploit_credential_pkcs12)
+      end
+
+      it { is_expected.to be_valid }
+    end
+  end
+
+  context 'validations' do
+    it { is_expected.to validate_presence_of :data }
+
+    context 'on #data' do
+      subject(:data_errors) do
+        pkcs12.errors[:data]
+      end
+
+      let(:pkcs12) do
+        FactoryBot.build(:metasploit_credential_pkcs12)
+      end
+
+      context '#readable' do
+        context 'with #data' do
+          context 'with error' do
+            #
+            # Shared Examples
+            #
+
+            shared_examples_for 'exception' do
+              it 'includes error class' do
+                exception_class_name = exception.class.to_s
+                expect(
+                    data_errors.any? { |error|
+                      error.include? exception_class_name
+                    }
+                ).to be true
+              end
+
+              it 'includes error message' do
+                exception_message = exception.to_s
+
+                expect(
+                    data_errors.any? { |error|
+                      error.include? exception_message
+                    }
+                ).to be true
+              end
+            end
+
+            #
+            # Callbacks
+            #
+
+            before(:example) do
+              expect(pkcs12).to receive(:openssl_pkcs12).and_raise(exception)
+
+              pkcs12.valid?
+            end
+
+            context 'with ArgumentError' do
+              let(:exception) do
+                ArgumentError.new("Bad Argument")
+              end
+
+              it_should_behave_like 'exception'
+            end
+
+            context 'with OpenSSL::PKCS12::PKCS12Error' do
+              let(:exception) do
+                OpenSSL::PKCS12::PKCS12Error.new('mac verify failure')
+              end
+
+              it_should_behave_like 'exception'
+            end
+          end
+
+          context 'without error' do
+            before(:example) do
+              pkcs12.valid?
+            end
+
+            it { is_expected.to be_empty }
+          end
+        end
+
+        context 'without #data' do
+          let(:error) do
+            I18n.translate!('errors.messages.blank')
+          end
+
+          #
+          # Callbacks
+          #
+
+          before(:example) do
+            pkcs12.data = nil
+
+            pkcs12.valid?
+          end
+
+          it { is_expected.to include(error) }
+        end
+      end
+    end
+  end
+
+  describe 'human name' do
+    it 'properly determines the model\'s human name' do
+      expect(described_class.model_name.human).to eq('Pkcs12 (pfx)')
+    end
+  end
+end

data/spec/models/metasploit/credential/postgres_md5_spec.rb

@@ -119,4 +119,30 @@ RSpec.describe Metasploit::Credential::PostgresMD5, type: :model do
     end
   end
 
+  context 'serialization' do
+    context '#first_or_create' do
+      let(:data) { "md5#{SecureRandom.hex(16)}" }
+      let(:upcase_data) {data.upcase}
+
+      context 'creates a new instance that stores case-insensitive value' do
+        it 'creates case insensitive data' do
+          expect{ Metasploit::Credential::PostgresMD5.where(data: data).first_or_create }.to change{Metasploit::Credential::PostgresMD5.count}.by(1)
+          expect{ Metasploit::Credential::PostgresMD5.where(data: upcase_data).first_or_create }.not_to change{Metasploit::Credential::PostgresMD5.count}
+        end
+      end
+
+      context 'finds an existing case insensitive match' do
+        let(:postgres_md5) do
+          FactoryBot.build(
+            :metasploit_credential_postgres_md5,
+            data: upcase_data
+          )
+        end
+
+        it 'successfully looks up credential in case insensitive way' do
+          expect( postgres_md5.data ).to eq(data)
+        end
+      end
+    end
+  end
 end

data/spec/models/metasploit/credential/private_spec.rb

@@ -135,6 +135,7 @@ RSpec.describe Metasploit::Credential::Private, type: :model do
                               Metasploit::Credential::Password
                               Metasploit::Credential::SSHKey
                               Metasploit::Credential::KrbEncKey
+                              Metasploit::Credential::Pkcs12
                             }
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-credential
 version: !ruby/object:Gem::Version
-  version: 6.0.3
+  version: 6.0.5
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -93,7 +93,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2023-04-06 00:00:00.000000000 Z
+date: 2023-05-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: metasploit-concern
@@ -255,6 +255,7 @@ files:
 - app/models/metasploit/credential/origin/session.rb
 - app/models/metasploit/credential/password.rb
 - app/models/metasploit/credential/password_hash.rb
+- app/models/metasploit/credential/pkcs12.rb
 - app/models/metasploit/credential/postgres_md5.rb
 - app/models/metasploit/credential/private.rb
 - app/models/metasploit/credential/public.rb
@@ -288,7 +289,9 @@ files:
 - db/migrate/20150106201450_old_creds_to_new_creds2.rb
 - db/migrate/20161107153145_recreate_index_on_private_data_and_type.rb
 - db/migrate/20161107203710_create_index_on_private_data_and_type_for_ssh_key.rb
+- db/migrate/20221209005658_create_index_on_private_data_and_type_for_pkcs12.rb
 - lib/metasploit/credential.rb
+- lib/metasploit/credential/case_insensitive_serializer.rb
 - lib/metasploit/credential/core_validations.rb
 - lib/metasploit/credential/creation.rb
 - lib/metasploit/credential/engine.rb
@@ -366,6 +369,7 @@ files:
 - spec/factories/metasploit/credential/origin/sessions.rb
 - spec/factories/metasploit/credential/password_hashes.rb
 - spec/factories/metasploit/credential/passwords.rb
+- spec/factories/metasploit/credential/pkcs12.rb
 - spec/factories/metasploit/credential/postgres_md5.rb
 - spec/factories/metasploit/credential/privates.rb
 - spec/factories/metasploit/credential/publics.rb
@@ -401,6 +405,7 @@ files:
 - spec/models/metasploit/credential/origin/session_spec.rb
 - spec/models/metasploit/credential/password_hash_spec.rb
 - spec/models/metasploit/credential/password_spec.rb
+- spec/models/metasploit/credential/pkcs12_spec.rb
 - spec/models/metasploit/credential/postgres_md5_spec.rb
 - spec/models/metasploit/credential/private_spec.rb
 - spec/models/metasploit/credential/public_spec.rb
@@ -497,6 +502,7 @@ test_files:
 - spec/factories/metasploit/credential/origin/sessions.rb
 - spec/factories/metasploit/credential/password_hashes.rb
 - spec/factories/metasploit/credential/passwords.rb
+- spec/factories/metasploit/credential/pkcs12.rb
 - spec/factories/metasploit/credential/postgres_md5.rb
 - spec/factories/metasploit/credential/privates.rb
 - spec/factories/metasploit/credential/publics.rb
@@ -532,6 +538,7 @@ test_files:
 - spec/models/metasploit/credential/origin/session_spec.rb
 - spec/models/metasploit/credential/password_hash_spec.rb
 - spec/models/metasploit/credential/password_spec.rb
+- spec/models/metasploit/credential/pkcs12_spec.rb
 - spec/models/metasploit/credential/postgres_md5_spec.rb
 - spec/models/metasploit/credential/private_spec.rb
 - spec/models/metasploit/credential/public_spec.rb