metasploit-credential 6.0.13 → 6.0.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d84ee592f81cc2fc01fdf4baffd55d57a97ee9ee9c35571ad053f40d34771971
-  data.tar.gz: 234e4b50c39153c7eab48cc1b47d2b0cecc06528f1db6aed34a70a0aa63564ce
+  metadata.gz: 6b08c247237833c0a93eee32f6d14a678a2f320d46827eec1553d999e2601447
+  data.tar.gz: 8c446fa6be10d1040cb8bbcdee59fc6be9cc167bcc569d4e608ac80aafbc4b01
 SHA512:
-  metadata.gz: 5954cc20987a1807378274482f583edf446d08dda3bfaeff2f2f0d35126b5c15b101bdb160266659324a96d9566c6e252ab55976e4be60fe41091698348edb78
-  data.tar.gz: 7da6a368c8813fd66d9bc77a3a556a4a71d1801238b81efe0bf1a591b46826fb31adff407312dde1f5316760c868666350159986d1b4e88924b262e5379b7ba0
+  metadata.gz: 5922d220d8a3614d21b3a6a4639527b0d0486dac4edf6d7832f9e0354274b5b3903d6ab6049722ff3ec66f5ec7bd2aedb09155980f49582307c54f08f9efe5d0
+  data.tar.gz: 40dbe1b8f9ebf70be13840c791ffc05149759e44347a08946291b4c0e76b3450a4fc718910b20d7585509731d8d4432a52dbaa5067726fefd68cd475dc118bcf

data/README.md

@@ -1,4 +1,4 @@
-# Metasploit::Credential [![Build Status](https://github.com/rapid7/metasploit-credential/actions/workflows/verify.yml/badge.svg)](https://github.com/rapid7/metasploit-credential/actions/workflows/verify.yml)[![Code Climate](https://codeclimate.com/github/rapid7/metasploit-credential.png)](https://codeclimate.com/github/rapid7/metasploit-credential)[![Dependency Status](https://gemnasium.com/rapid7/metasploit-credential.svg)](https://gemnasium.com/rapid7/metasploit-credential)[![Gem Version](https://badge.fury.io/rb/metasploit-credential.svg)](http://badge.fury.io/rb/metasploit-credential)[![Inline docs](http://inch-ci.org/github/rapid7/metasploit-credential.svg)](http://inch-ci.org/github/rapid7/metasploit-credential)[![PullReview stats](https://www.pullreview.com/github/rapid7/metasploit-credential/badges/master.svg)](https://www.pullreview.com/github/rapid7/metasploit-credential/reviews/master)
+# Metasploit::Credential [![Build Status](https://github.com/rapid7/metasploit-credential/actions/workflows/verify.yml/badge.svg)](https://github.com/rapid7/metasploit-credential/actions/workflows/verify.yml)[![Dependency Status](https://gemnasium.com/rapid7/metasploit-credential.svg)](https://gemnasium.com/rapid7/metasploit-credential)[![Gem Version](https://badge.fury.io/rb/metasploit-credential.svg)](http://badge.fury.io/rb/metasploit-credential)[![Inline docs](http://inch-ci.org/github/rapid7/metasploit-credential.svg)](http://inch-ci.org/github/rapid7/metasploit-credential)
 
 ## Versioning
 

data/app/models/metasploit/credential/pkcs12.rb

@@ -3,6 +3,7 @@ require 'base64'
 
 # A private Pkcs12 file.
 class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
+
   #
   # Attributes
   #
@@ -12,6 +13,14 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
   #
   #   @return [String]
 
+  # @!attribute metadata
+  #   Metadata for this Pkcs12:
+  #     adcs_ca: The Certificate Authority that issued the certificate
+  #     adcs_template: The certificate template used to issue the certificate
+  #     pkcs12_password: The password to decrypt the Pkcs12
+  #
+  #   @return [JSONB]
+
   #
   #
   # Validations
@@ -24,15 +33,49 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
 
   validates :data,
             presence: true
+
   #
   # Method Validations
   #
 
   validate :readable
 
+  #
+  # Class methods
+  #
+
   #
   # Instance Methods
   #
+  #
+
+  # The CA that issued the certificate
+  #
+  # @return [String]
+  def adcs_ca
+    metadata['adcs_ca']
+  end
+
+  # The certificate template used to issue the certificate
+  #
+  # @return [String]
+  def adcs_template
+    metadata['adcs_template']
+  end
+
+  # The password to decrypt the Pkcs12
+  #
+  # @return [String]
+  def pkcs12_password
+    metadata['pkcs12_password']
+  end
+
+  # The status if the certificate (active or inactive)
+  #
+  # @return [String]
+  def status
+    metadata['status']
+  end
 
   # Converts the private pkcs12 data in {#data} to an `OpenSSL::PKCS12` instance.
   #
@@ -41,7 +84,7 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
   def openssl_pkcs12
     if data
       begin
-        password = ''
+        password = metadata.fetch('pkcs12_password', '')
         OpenSSL::PKCS12.new(Base64.strict_decode64(data), password)
       rescue OpenSSL::PKCS12::PKCS12Error => error
         raise ArgumentError.new(error)
@@ -50,7 +93,7 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
   end
 
   # The {#data key data}'s fingerprint, suitable for displaying to the
-  # user.
+  # user. The Pkcs12 password is voluntarily not included.
   #
   # @return [String]
   def to_s
@@ -60,9 +103,12 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
     result = []
     result << "subject:#{cert.subject.to_s}"
     result << "issuer:#{cert.issuer.to_s}"
+    result << "ADCS CA:#{metadata['adcs_ca']}" if metadata['adcs_ca']
+    result << "ADCS template:#{metadata['adcs_template']}" if metadata['adcs_template']
     result.join(',')
   end
 
+
   private
 
   #
@@ -80,5 +126,8 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
     end
   end
 
+
+  public
+
   Metasploit::Concern.run(self)
 end

data/app/models/metasploit/credential/private.rb

@@ -50,6 +50,11 @@ class Metasploit::Credential::Private < ApplicationRecord
   #
   #   @return [DateTime]
 
+  # @!attribute metadata
+  #   Metadata related to the private data. The data contained in this JSONB structure varies based on the subclass.
+  #
+  #   @return [JSONB]
+
   #
   #
   # Search
@@ -63,6 +68,9 @@ class Metasploit::Credential::Private < ApplicationRecord
   search_attribute :data,
                    type: :string
 
+  search_attribute :metadata,
+                   type: :jsonb
+
   #
   # Search Withs
   #

data/config/locales/en.yml

@@ -87,7 +87,7 @@ en:
         metasploit/credential/pkcs12:
           attributes:
             data:
-              format: "is not a Base64 encoded pkcs12 file without a password"
+              format: "is not a serialized data containing Base64 encoded pkcs12 file without a password and metadata"
         metasploit/credential/ssh_key:
           attributes:
             data:

data/db/migrate/20250204172657_add_metadata_to_metasploit_credential_privates.rb

@@ -0,0 +1,5 @@
+class AddMetadataToMetasploitCredentialPrivates < ActiveRecord::Migration[7.0]
+  def change
+    add_column :metasploit_credential_privates, :metadata, :jsonb, null: false, default: {}
+  end
+end

data/lib/metasploit/credential/creation.rb

@@ -480,7 +480,7 @@ module Metasploit::Credential::Creation
         when :ssh_key
           private_object = Metasploit::Credential::SSHKey.where(data: private_data).first_or_create
         when :pkcs12
-          private_object = Metasploit::Credential::Pkcs12.where(data: private_data).first_or_create
+          private_object = Metasploit::Credential::Pkcs12.where(data: private_data, metadata: opts.fetch(:private_metadata, {})).first_or_create
         when :krb_enc_key
           private_object = Metasploit::Credential::KrbEncKey.where(data: private_data).first_or_create
         when :ntlm_hash

data/lib/metasploit/credential/version.rb

@@ -3,7 +3,7 @@
 module Metasploit
   module Credential
     # VERSION is managed by GemRelease
-    VERSION = '6.0.13'
+    VERSION = '6.0.14'
 
     # @return [String]
     #

data/spec/dummy/db/structure.sql

@@ -1,6 +1,7 @@
 SET statement_timeout = 0;
 SET lock_timeout = 0;
 SET idle_in_transaction_session_timeout = 0;
+SET transaction_timeout = 0;
 SET client_encoding = 'UTF8';
 SET standard_conforming_strings = on;
 SELECT pg_catalog.set_config('search_path', '', false);
@@ -929,7 +930,8 @@ CREATE TABLE public.metasploit_credential_privates (
     data text NOT NULL,
     created_at timestamp without time zone NOT NULL,
     updated_at timestamp without time zone NOT NULL,
-    jtr_format character varying
+    jtr_format character varying,
+    metadata jsonb DEFAULT '{}'::jsonb NOT NULL
 );
 
 
@@ -4147,6 +4149,7 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('20190308134512'),
 ('20190507120211'),
 ('20221209005658'),
+('20250204172657'),
 ('21'),
 ('22'),
 ('23'),

data/spec/factories/metasploit/credential/pkcs12.rb

@@ -10,10 +10,15 @@ FactoryBot.define do
       subject { '/C=BE/O=Test/OU=Test/CN=Test' }
       # the cert issuer
       issuer { '/C=BE/O=Test/OU=Test/CN=Test' }
+      # the pkcs12 password
+      pkcs12_password { '' }
+      # the cert not_before date
+      not_before { Time.now }
+      # the cert not_after date
+      not_after { Time.now + 365 * 24 * 60 * 60 }
     end
 
     data {
-      password = ''
       pkcs12_name = ''
 
       private_key = OpenSSL::PKey::RSA.new(key_size)
@@ -22,16 +27,71 @@ FactoryBot.define do
       cert = OpenSSL::X509::Certificate.new
       cert.subject = OpenSSL::X509::Name.parse(subject)
       cert.issuer = OpenSSL::X509::Name.parse(issuer)
-      cert.not_before = Time.now
-      cert.not_after = Time.now + 365 * 24 * 60 * 60
+      cert.not_before = not_before
+      cert.not_after = not_after
       cert.public_key = public_key
       cert.serial = 0x0
       cert.version = 2
       cert.sign(private_key, OpenSSL::Digest.new(signing_algorithm))
 
-      pkcs12 = OpenSSL::PKCS12.create(password, pkcs12_name, private_key, cert)
-      pkcs12_base64 = Base64.strict_encode64(pkcs12.to_der)
-      pkcs12_base64
+      pkcs12 = OpenSSL::PKCS12.create(pkcs12_password, pkcs12_name, private_key, cert)
+      Base64.strict_encode64(pkcs12.to_der)
     }
   end
+
+  factory :metasploit_credential_pkcs12_with_ca, parent: :metasploit_credential_pkcs12 do
+    transient do
+      # The CA that issued the certificate
+      adcs_ca { 'test-ca' }
+    end
+
+    metadata { { adcs_ca: adcs_ca } }
+  end
+
+  factory :metasploit_credential_pkcs12_with_adcs_template, parent: :metasploit_credential_pkcs12 do
+    transient do
+      # The certificate template used to issue the certificate
+      adcs_template { 'User' }
+    end
+
+    metadata { { adcs_template: adcs_template} }
+  end
+
+  factory :metasploit_credential_pkcs12_with_pkcs12_password, parent: :metasploit_credential_pkcs12 do
+    transient do
+      # The password to decrypt the pkcs12
+      pkcs12_password { 'Password!' }
+    end
+
+    metadata { { pkcs12_password: pkcs12_password } }
+  end
+
+  factory :metasploit_credential_pkcs12_with_status, parent: :metasploit_credential_pkcs12 do
+    transient do
+      # The CA that issued the certificate
+      status { 'active' }
+    end
+
+    metadata { { status: status } }
+  end
+
+  factory :metasploit_credential_pkcs12_with_ca_and_adcs_template, parent: :metasploit_credential_pkcs12 do
+    transient do
+      adcs_ca { 'test-ca' }
+      adcs_template { 'User' }
+    end
+
+    metadata { { adcs_ca: adcs_ca, adcs_template: adcs_template } }
+  end
+
+  factory :metasploit_credential_pkcs12_with_ca_and_adcs_template_and_pkcs12_password, parent: :metasploit_credential_pkcs12 do
+    transient do
+      adcs_ca { 'test-ca' }
+      adcs_template { 'User' }
+      pkcs12_password { 'Password!' }
+    end
+
+    metadata { { adcs_ca: adcs_ca, adcs_template: adcs_template, pkcs12_password: pkcs12_password } }
+  end
+
 end

data/spec/lib/metasploit/credential/creation_spec.rb

@@ -864,13 +864,36 @@ RSpec.describe Metasploit::Credential::Creation do
     end
 
     context 'when :private_type is pkcs12' do
-      it 'creates a Metasploit::Credential::Pkcs12' do
-        opts = {
+      let(:opts) {
+        {
           private_data: FactoryBot.build(:metasploit_credential_pkcs12).data,
           private_type: :pkcs12
         }
+      }
+      it 'creates a Metasploit::Credential::Pkcs12' do
         expect{ test_object.create_credential_private(opts) }.to change{ Metasploit::Credential::Pkcs12.count }.by(1)
       end
+
+      context 'with metadata' do
+        it 'creates a Metasploit::Credential::Pkcs12 with the expected metadata' do
+          adcs_ca = 'test_ca'
+          adcs_template = 'test_template'
+          opts[:private_metadata] = { adcs_ca: adcs_ca, adcs_template: adcs_template }
+          pkcs12 = test_object.create_credential_private(opts)
+          expect(pkcs12.adcs_ca).to eq(adcs_ca)
+          expect(pkcs12.adcs_template).to eq(adcs_template)
+        end
+      end
+
+      context 'and the Pkcs12 has a password' do
+        it 'creates a valid Metasploit::Credential::Pkcs12' do
+          pkcs12_password = 'test_password'
+          opts[:private_data] = FactoryBot.build(:metasploit_credential_pkcs12, pkcs12_password: pkcs12_password ).data
+          opts[:private_metadata] = { pkcs12_password: pkcs12_password }
+          pkcs12 = test_object.create_credential_private(opts)
+          expect(pkcs12).to be_valid
+        end
+      end
     end
   end
 

data/spec/models/metasploit/credential/pkcs12_spec.rb

@@ -1,6 +1,8 @@
 RSpec.describe Metasploit::Credential::Pkcs12, type: :model do
   it_should_behave_like 'Metasploit::Concern.run'
 
+  it { is_expected.to be_a Metasploit::Credential::Private }
+
   context 'factories' do
     context 'metasploit_credential_pkcs12' do
       subject(:metasploit_credential_pkcs12) do
@@ -9,6 +11,54 @@ RSpec.describe Metasploit::Credential::Pkcs12, type: :model do
 
       it { is_expected.to be_valid }
     end
+
+    context 'metasploit_credential_pkcs12_with_ca' do
+      subject(:metasploit_credential_pkcs12_with_ca) do
+        FactoryBot.build(:metasploit_credential_pkcs12_with_ca)
+      end
+
+      it { is_expected.to be_valid }
+    end
+
+    context 'metasploit_credential_pkcs12_with_adcs_template' do
+      subject(:metasploit_credential_pkcs12_with_adcs_template) do
+        FactoryBot.build(:metasploit_credential_pkcs12_with_adcs_template)
+      end
+
+      it { is_expected.to be_valid }
+    end
+
+    context 'metasploit_credential_pkcs12_with_pkcs12_password' do
+      subject(:metasploit_credential_pkcs12_with_pkcs12_password) do
+        FactoryBot.build(:metasploit_credential_pkcs12_with_pkcs12_password)
+      end
+
+      it { is_expected.to be_valid }
+    end
+
+    context 'metasploit_credential_pkcs12_with_status' do
+      subject(:metasploit_credential_pkcs12_with_status) do
+        FactoryBot.build(:metasploit_credential_pkcs12_with_status)
+      end
+
+      it { is_expected.to be_valid }
+    end
+
+    context 'metasploit_credential_pkcs12_with_ca_and_adcs_template' do
+      subject(:metasploit_credential_pkcs12_with_ca_and_adcs_template) do
+        FactoryBot.build(:metasploit_credential_pkcs12_with_ca_and_adcs_template)
+      end
+
+      it { is_expected.to be_valid }
+    end
+
+    context 'metasploit_credential_pkcs12_with_ca_and_adcs_template_and_pkcs12_password' do
+      subject(:metasploit_credential_pkcs12_with_ca_and_adcs_template_and_pkcs12_password) do
+        FactoryBot.build(:metasploit_credential_pkcs12_with_ca_and_adcs_template_and_pkcs12_password)
+      end
+
+      it { is_expected.to be_valid }
+    end
   end
 
   context 'validations' do
@@ -105,6 +155,194 @@ RSpec.describe Metasploit::Credential::Pkcs12, type: :model do
           it { is_expected.to include(error) }
         end
       end
+
+    end
+  end
+
+  context '#data' do
+    it 'returns the base64 encoded pkcs12' do
+      cert = 'mycert'
+      data = Base64.strict_encode64(cert)
+      pkcs12 = FactoryBot.build(:metasploit_credential_pkcs12, data: data)
+      expect(pkcs12.data).to eq(data)
+    end
+  end
+
+  context '#metadata' do
+    let(:cert) { 'mycert' }
+    let(:data) { Base64.strict_encode64(cert) }
+
+    context 'with the CA' do
+      it 'returns the CA in the metadata' do
+        adcs_ca = 'myca'
+        pkcs12 = FactoryBot.build(:metasploit_credential_pkcs12, data: data, metadata: { adcs_ca: adcs_ca })
+        expect(pkcs12.metadata).to eq( { 'adcs_ca' => adcs_ca } )
+      end
+    end
+
+    context 'with the Certififate Template' do
+      it 'returns the certificate template in the metadata' do
+        adcs_template = 'mytemplate'
+        pkcs12 = FactoryBot.build(:metasploit_credential_pkcs12, data: data, metadata: { adcs_template: adcs_template })
+        expect(pkcs12.metadata).to eq( { 'adcs_template' => adcs_template } )
+      end
+    end
+
+    context 'with both the CA and the Certififate Template' do
+      it 'returns the CA and the certificate template in the metadata' do
+        adcs_ca = 'myca'
+        adcs_template = 'mytemplate'
+        pkcs12 = FactoryBot.build(:metasploit_credential_pkcs12, data: data, metadata: { adcs_ca: adcs_ca, adcs_template: adcs_template })
+        expect(pkcs12.metadata).to eq( { 'adcs_ca' => adcs_ca, 'adcs_template' => adcs_template } )
+      end
+    end
+
+    context 'with both the CA, the Certififate Template and the cert password' do
+      it 'returns the CA and the certificate template in the metadata' do
+        adcs_ca = 'myca'
+        adcs_template = 'mytemplate'
+        pkcs12_password = 'mypassword'
+        pkcs12 = FactoryBot.build(:metasploit_credential_pkcs12, data: data, metadata: { adcs_ca: adcs_ca, adcs_template: adcs_template, pkcs12_password: pkcs12_password })
+        expect(pkcs12.metadata).to eq( { 'adcs_ca' => adcs_ca, 'adcs_template' => adcs_template, 'pkcs12_password' => pkcs12_password } )
+      end
+    end
+  end
+
+  context '#adcs_ca' do
+    it 'returns the CA' do
+      cert = 'mycert'
+      data = Base64.strict_encode64(cert)
+      adcs_ca = 'myca'
+      pkcs12 = FactoryBot.build(:metasploit_credential_pkcs12, data: data, metadata: { adcs_ca: adcs_ca })
+      expect(pkcs12.adcs_ca).to eq(adcs_ca)
+    end
+  end
+
+  context '#adcs_template' do
+    it 'returns the certificate template' do
+      cert = 'mycert'
+      data = Base64.strict_encode64(cert)
+      adcs_template = 'mytemplate'
+      pkcs12 = FactoryBot.build(:metasploit_credential_pkcs12, data: data, metadata: { adcs_template: adcs_template })
+      expect(pkcs12.adcs_template).to eq(adcs_template)
+    end
+  end
+
+  context '#pkcs12_password' do
+    it 'returns the Pkcs12 password' do
+      cert = 'mycert'
+      data = Base64.strict_encode64(cert)
+      pkcs12_password = 'mypassword'
+      pkcs12 = FactoryBot.build(:metasploit_credential_pkcs12, data: data, metadata: { pkcs12_password: pkcs12_password })
+      expect(pkcs12.pkcs12_password).to eq(pkcs12_password)
+    end
+  end
+
+  context '#openssl_pkcs12' do
+    subject { FactoryBot.build(:metasploit_credential_pkcs12).openssl_pkcs12 }
+
+    it { is_expected.to be_a OpenSSL::PKCS12 }
+
+    it 'raises an exception if data is not a base64-encoded certificate' do
+      expect {
+        FactoryBot.build(:metasploit_credential_pkcs12, data: 'wrong_cert').openssl_pkcs12
+      }.to raise_error(ArgumentError)
+    end
+
+    it 'returns the expected OpenSSL::PKCS12' do
+      subject = '/C=FR/O=Yeah/OU=Yeah/CN=Yeah'
+      issuer = '/C=FR/O=Issuer1/OU=Issuer1/CN=Issuer1'
+      pkcs12 = FactoryBot.build(
+        :metasploit_credential_pkcs12,
+        signing_algorithm: 'SHA512',
+        subject: subject,
+        issuer: issuer
+      )
+      openssl_pkcs12 = pkcs12.openssl_pkcs12
+      expect(openssl_pkcs12.certificate.signature_algorithm).to eq("sha512WithRSAEncryption")
+      expect(openssl_pkcs12.certificate.subject.to_s).to eq(subject)
+      expect(openssl_pkcs12.certificate.issuer.to_s).to eq(issuer)
+    end
+  end
+
+  context '#to_s' do
+    let(:subject) { '/C=FR/O=Yeah/OU=Yeah/CN=Yeah' }
+    let(:issuer) { '/C=FR/O=Issuer1/OU=Issuer1/CN=Issuer1' }
+    let(:adcs_ca) { 'myca' }
+    let(:adcs_template) { 'mytemplate' }
+    let(:pkcs12_password) { 'mypassword' }
+
+    context 'with the pkcs21 only' do
+      it 'returns the expected string' do
+        pkcs12 = FactoryBot.build(
+          :metasploit_credential_pkcs12,
+          subject: subject,
+          issuer: issuer
+        )
+        expect(pkcs12.to_s).to eq("subject:#{subject},issuer:#{issuer}")
+      end
+    end
+
+    context 'with the pkcs21 and the CA' do
+      it 'returns the expected string' do
+        pkcs12 = FactoryBot.build(
+          :metasploit_credential_pkcs12_with_ca,
+          subject: subject,
+          issuer: issuer,
+          metadata: { adcs_ca: adcs_ca }
+        )
+        expect(pkcs12.to_s).to eq("subject:#{subject},issuer:#{issuer},ADCS CA:#{adcs_ca}")
+      end
+    end
+
+    context 'with the pkcs21 and the ADCS template' do
+      it 'returns the expected string' do
+        pkcs12 = FactoryBot.build(
+          :metasploit_credential_pkcs12_with_adcs_template,
+          subject: subject,
+          issuer: issuer,
+          metadata: { adcs_template: adcs_template }
+        )
+        expect(pkcs12.to_s).to eq("subject:#{subject},issuer:#{issuer},ADCS template:#{adcs_template}")
+      end
+    end
+
+    context 'with the pkcs21, the CA and the ADCS template' do
+      it 'returns the expected string' do
+        subject = '/C=FR/O=Yeah/OU=Yeah/CN=Yeah'
+        issuer = '/C=FR/O=Issuer1/OU=Issuer1/CN=Issuer1'
+        pkcs12 = FactoryBot.build(
+          :metasploit_credential_pkcs12_with_ca_and_adcs_template,
+          subject: subject,
+          issuer: issuer,
+          metadata: { adcs_ca: adcs_ca, adcs_template: adcs_template }
+        )
+        expect(pkcs12.to_s).to eq("subject:#{subject},issuer:#{issuer},ADCS CA:#{adcs_ca},ADCS template:#{adcs_template}")
+      end
+    end
+
+    context 'with the pkcs21, the CA, the ADCS template and the pkcs12 password' do
+      it 'returns the expected string' do
+        subject = '/C=FR/O=Yeah/OU=Yeah/CN=Yeah'
+        issuer = '/C=FR/O=Issuer1/OU=Issuer1/CN=Issuer1'
+        pkcs12_password = 'mypassword'
+        pkcs12 = FactoryBot.build(
+          :metasploit_credential_pkcs12_with_ca_and_adcs_template_and_pkcs12_password,
+          subject: subject,
+          issuer: issuer,
+          pkcs12_password: pkcs12_password,
+          metadata: { adcs_ca: adcs_ca, adcs_template: adcs_template, pkcs12_password: pkcs12_password }
+        )
+        # The Pkcs12 password is voluntarily not included
+        expect(pkcs12.to_s).to eq("subject:#{subject},issuer:#{issuer},ADCS CA:#{adcs_ca},ADCS template:#{adcs_template}")
+      end
+    end
+
+    context 'with no data' do
+      it 'returns an empty string' do
+        pkcs12 = FactoryBot.build(:metasploit_credential_pkcs12, data: nil)
+        expect(pkcs12.to_s).to eq('')
+      end
     end
   end
 

data/spec/models/metasploit/credential/private_spec.rb

@@ -126,6 +126,15 @@ RSpec.describe Metasploit::Credential::Private, type: :model do
                             :type,
                             type: :string
 
+      it_should_behave_like 'search_attribute',
+                            :data,
+                            type: :string
+
+      it_should_behave_like 'search_attribute',
+                            :metadata,
+                            type: :jsonb
+
+
       it_should_behave_like 'search_with',
                             Metasploit::Credential::Search::Operator::Type,
                             name: :type,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-credential
 version: !ruby/object:Gem::Version
-  version: 6.0.13
+  version: 6.0.14
 platform: ruby
 authors:
 - Metasploit Hackers
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-01 00:00:00.000000000 Z
+date: 2025-04-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: metasploit-concern
@@ -205,6 +205,7 @@ files:
 - db/migrate/20161107153145_recreate_index_on_private_data_and_type.rb
 - db/migrate/20161107203710_create_index_on_private_data_and_type_for_ssh_key.rb
 - db/migrate/20221209005658_create_index_on_private_data_and_type_for_pkcs12.rb
+- db/migrate/20250204172657_add_metadata_to_metasploit_credential_privates.rb
 - lib/metasploit/credential.rb
 - lib/metasploit/credential/case_insensitive_serializer.rb
 - lib/metasploit/credential/core_validations.rb