ronin 1.5.1 → 2.0.0.beta2

data/lib/ronin/cli/commands/cert_dump.rb

@@ -0,0 +1,285 @@
+# frozen_string_literal: true
+#
+# Copyright (c) 2006-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# Ronin is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ronin is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ronin.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/cli/value_processor_command'
+require 'ronin/support/crypto/cert'
+require 'ronin/support/network/ssl/mixin'
+
+require 'command_kit/printing/indent'
+require 'command_kit/printing/fields'
+require 'command_kit/printing/lists'
+
+require 'uri'
+
+module Ronin
+  class CLI
+    module Commands
+      #
+      # Prints information for SSL/TLS certificates.
+      #
+      # ## Usage
+      #
+      #     ronin cert-dump [options] {HOST:PORT | URL | FILE} ...
+      #
+      # ## Options
+      #
+      #     -f, --file FILE                  Optional file to read values from
+      #     -C, --common-name                Only prints the Common Name (CN)
+      #     -A, --subject-alt-names          Only prints the subjectAltNames
+      #     -E, --extensions                 Print all certificate extensions
+      #     -h, --help                       Print help information
+      #
+      # ## Arguments
+      #
+      #     HOST:PORT | URL | FILE ...       A HOST:PORT, URL, or cert FILE
+      #
+      # ## Examples
+      #
+      #     ronin cert-dump ssl.crt
+      #     ronin cert-dump github.com:443
+      #     ronin cert-dump https://github.com/
+      #     ronin cert-dump -C 93.184.216.34:443
+      #     ronin cert-dump -A wired.com:443
+      #
+      class CertDump < ValueProcessorCommand
+
+        include Support::Network::SSL::Mixin
+        include CommandKit::Printing::Indent
+        include CommandKit::Printing::Fields
+        include CommandKit::Printing::Lists
+
+        usage '[options] {HOST:PORT | URL | FILE} ...'
+
+        option :common_name, short: '-C',
+                             desc:  'Only prints the Common Name (CN)'
+
+        option :subject_alt_names, short: '-A',
+                                   desc:  'Only prints the subjectAltNames'
+
+        option :extensions, short: '-E',
+                            desc: 'Print all certificate extensions'
+
+        argument :target, required: true,
+                          repeats:  true,
+                          usage:   'HOST:PORT | URL | FILE',
+                          desc:    'A HOST:PORT, URL, or cert FILE'
+
+        description "Prints SSL/TLS certificate information"
+
+        examples [
+          'ssl.crt',
+          'github.com:443',
+          'https://github.com/',
+          '-C 93.184.216.34:443',
+          '-A wired.com:443'
+        ]
+
+        man_page 'ronin-cert-dump.1'
+
+        #
+        # Runs the `ronin cert-dump` command.
+        #
+        # @param [String] value
+        #   The `HOST:PORT`, `URL`, or `FILE` value to process.
+        #
+        def process_value(value)
+          case value
+          when /\A[^:]+:\d+\z/
+            host, port = value.split(':',2)
+            port = port.to_i
+
+            print_cert(ssl_cert(host,port))
+          when /\Ahttps:/
+            uri = URI.parse(value)
+            host = uri.host
+            port = uri.port
+
+            print_cert(ssl_cert(host,port))
+          else
+            unless File.file?(value)
+              print_error "no such file or directory: #{value}"
+              exit(1)
+            end
+
+            cert = Support::Crypto::Cert.load_file(value)
+
+            print_cert(cert)
+          end
+        end
+
+        #
+        # Prints the certificate.
+        #
+        # @param [Ronin::Support::Crypto::Cert] cert
+        #
+        def print_cert(cert)
+          if options[:common_name]
+            puts "#{cert.common_name}"
+          elsif options[:subject_alt_names]
+            if (alt_names = cert.subject_alt_names)
+              alt_names.each { |name| puts name }
+            end
+          else
+            print_full_cert(cert)
+          end
+        end
+
+        #
+        # Prints the full verbose information about the certificate.
+        #
+        # @param [Ronin::Support::Crypto::Cert] cert
+        #
+        def print_full_cert(cert)
+          fields = {}
+
+          fields["Serial"]     = cert.serial
+          fields["Version"]    = cert.version
+          fields["Not Before"] = cert.not_before if cert.not_before
+          fields["Not After"]  = cert.not_after  if cert.not_after
+          print_fields(fields)
+          puts
+
+          print_public_key(cert.public_key)
+          puts
+
+          puts "Subject:"
+          indent do
+            print_cert_name(cert.subject)
+
+            if (alt_names = cert.subject_alt_names)
+              puts "Alt Names:"
+              puts
+
+              indent do
+                alt_names.each { |name| puts name }
+              end
+            end
+          end
+
+          puts
+
+          puts "Issuer:"
+          indent do
+            print_cert_name(cert.issuer)
+          end
+
+          puts
+
+          fields = {}
+
+          if options[:extensions]
+            puts "Extensions:"
+            indent do
+              print_extensions(cert)
+            end
+          end
+        end
+
+        #
+        # Prints the public key.
+        #
+        # @param [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] public_key
+        #
+        def print_public_key(public_key)
+          puts "Public Key:"
+
+          indent do
+            fields = {}
+
+            case public_key
+            when OpenSSL::PKey::RSA
+              fields['Type'] = 'RSA'
+            when OpenSSL::PKey::EC
+              fields['Type'] = 'EC'
+            end
+
+            print_fields(fields)
+
+            public_key.to_text.each_line do |line|
+              puts line
+            end
+          end
+        end
+
+        #
+        # Prints the X509 name.
+        #
+        # @param [Ronin::Support::Crypto::Cert::Name] name
+        #
+        def print_cert_name(name)
+          fields = {}
+
+          if name.common_name
+            fields["Common Name"] = name.common_name
+          end
+
+          if name.organization
+            fields["Organization"] = name.organization
+          end
+
+          if name.organizational_unit
+            fields["Organizational Unit"] = name.organizational_unit
+          end
+
+          if name.locality
+            fields["Locality"] = name.locality
+          end
+
+          if name.state
+            fields["State"] = name.state
+          end
+
+          if name.country
+            fields["Country"] = name.country
+          end
+
+          print_fields(fields)
+        end
+
+        #
+        # Prints the certificates extensions.
+        #
+        # @param [Ronin::Support::Crypto::Cert] cert
+        #
+        def print_extensions(cert)
+          cert.extensions.each_with_index do |ext,index|
+            puts if index > 0
+
+            print_extension(ext)
+          end
+        end
+
+        #
+        # Prints a certificate extension.
+        #
+        # @param [OpenSSL::X509::Extension] ext
+        #
+        def print_extension(ext)
+          puts "#{ext.oid}:"
+
+          indent do
+            ext.value.each_line do |line|
+              puts line
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/cli/commands/cert_gen.rb

@@ -0,0 +1,395 @@
+# frozen_string_literal: true
+#
+# Copyright (c) 2006-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# Ronin is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ronin is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ronin.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/cli/command'
+require 'ronin/support/crypto/cert'
+require 'ronin/support/text/patterns'
+
+require 'ronin/core/cli/logging'
+
+module Ronin
+  class CLI
+    module Commands
+      #
+      # Generates a new X509 certificate.
+      #
+      # ## Usage
+      #
+      #     ronin cert-gen [options]
+      #
+      # ## Options
+      #
+      #         --version NUM                The certificate version number (Default: 2)
+      #         --serial NUM                 The certificate serial number (Default: 0)
+      #         --not-before TIME            When the certificate becomes valid. Defaults to the current time.
+      #         --not-after TIME             When the certificate becomes no longer valid. Defaults to one year from now.
+      #     -c, --common-name DOMAIN         The Common Name (CN) for the certificate
+      #     -A, --subject-alt-name HOST|IP   Adds HOST or IP to subjectAltName
+      #     -O, --organization NAME          The Organization (O) for the certificate
+      #     -U, --organizational-unit NAME   The Organizational Unit (OU)
+      #     -L, --locality NAME              The locality for the certificate
+      #     -S, --state XX                   The two-letter State (ST) code for the certificate
+      #     -C, --country XX                 The two-letter Country (C) code for the certificate
+      #     -t, --key-type rsa|ec            The signing key type
+      #         --generate-key PATH          Generates and saves a random key (Default: key.pem)
+      #     -k, --key-file FILE              Loads the signing key from the FILE
+      #     -H sha256|sha1|md5,              The hash algorithm to use for signing (Default: sha256)
+      #         --signing-hash
+      #         --ca-key FILE                The Certificate Authority (CA) key
+      #         --ca-cert FILE               The Certificate Authority (CA) certificate
+      #         --ca                         Generates a CA certificate
+      #     -o, --output FILE                The output file (Default: cert.crt)
+      #     -h, --help                       Print help information
+      #
+      # ### Examples
+      #
+      #     ronin cert_gen -c test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US
+      #     ronin cert_gen -c test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US --key-file private.key
+      #     ronin cert_gen -c test.com -A www.test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US
+      #     ronin cert_gen --ca -c "Test CA" -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US
+      #     ronin cert_gen -c test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US --ca-key ca.key --ca-cert ca.crt
+      #
+      class CertGen < Command
+
+        include Core::CLI::Logging
+
+        option :version, value: {
+                           type:    Integer,
+                           usage:   'NUM',
+                           default: 2
+                         },
+                         desc: 'The certificate version number'
+
+        option :serial, value: {
+                          type:    Integer,
+                          usage:   'NUM',
+                          default: 0
+                        },
+                        desc: 'The certificate serial number'
+
+        option :not_before, value: {
+                              type:  String,
+                              usage: 'TIME'
+                            },
+                            desc: 'When the certificate becomes valid. Defaults to the current time.'
+
+        option :not_after, value: {
+                             type:  String,
+                             usage: 'TIME'
+                           },
+                           desc: 'When the certificate becomes no longer valid. Defaults to one year from now.'
+
+        option :common_name, short: '-c',
+                             value: {
+                               type:  String,
+                               usage: 'DOMAIN'
+                             },
+                             desc: 'The Common Name (CN) for the certificate'
+
+        option :subject_alt_name, short: '-A',
+                                  value: {
+                                     type:  /[a-z0-9:\._-]+/,
+                                     usage: 'HOST|IP'
+                                  },
+                                  desc: 'Adds HOST or IP to subjectAltName' do |value|
+                                    @subject_alt_names << value
+                                  end
+
+        option :organization, short: '-O',
+                              value: {
+                                type:  String,
+                                usage: 'NAME'
+                              },
+                              desc: 'The Organization (O) for the certificate'
+
+        option :organizational_unit, short: '-U',
+                                     value: {
+                                       type:  String,
+                                       usage: 'NAME'
+                                     },
+                                     desc: 'The Organizational Unit (OU)'
+
+        option :locality, short: '-L',
+                          value: {
+                            type:  String,
+                            usage: 'NAME'
+                          },
+                          desc: 'The locality for the certificate'
+
+        option :state, short: '-S',
+                       value: {
+                         type:  String,
+                         usage: 'XX'
+                       },
+                       desc: 'The two-letter State (ST) code for the certificate'
+
+        option :country, short: '-C',
+                         value: {
+                           type:  String,
+                           usage: 'XX'
+                         },
+                         desc: 'The two-letter Country (C) code for the certificate'
+
+        option :key_type, short: '-t',
+                          value: {
+                            type: [:rsa, :ec]
+                          },
+                          desc: 'The signing key type'
+
+        option :generate_key, value: {
+                                type:    String,
+                                usage:   'PATH',
+                                default: 'key.pem'
+                              },
+                              desc: 'Generates and saves a random key'
+
+        option :key_file, short: '-k',
+                          value: {
+                            type:  String,
+                            usage: 'FILE'
+                          },
+                          desc: 'Loads the signing key from the FILE'
+
+        option :signing_hash, short: '-H',
+                              value: {
+                                type: [:sha256, :sha1, :md5],
+                                default: :sha256
+                              },
+                              desc: 'The hash algorithm to use for signing'
+
+        option :ca_key, value: {
+                          type:  String,
+                          usage: 'FILE'
+                        },
+                        desc: 'The Certificate Authority (CA) key'
+
+        option :ca_cert, value: {
+                           type:  String,
+                           usage: 'FILE'
+                         },
+                         desc: 'The Certificate Authority (CA) certificate'
+
+        option :ca, desc: 'Generates a CA certificate'
+
+        option :output, short: '-o',
+                        value: {
+                          type:    String,
+                          usage:   'FILE',
+                          default: 'cert.crt'
+                        },
+                        desc: 'The output file'
+
+        examples [
+          '-c test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US',
+          '-c test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US --key-file private.key',
+          '-c test.com -A www.test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US',
+          '--ca -c "Test CA" -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US',
+          '-c test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US --ca-key ca.key --ca-cert ca.crt'
+        ]
+
+        description 'Generates a new X509 certificate'
+
+        man_page 'ronin-cert-gen.1'
+
+        #
+        # Initializes the `ronin cert-gen` command.
+        #
+        # @param [Hash{Symbol => Object}] kwargs
+        #   Additional keyword arguments.
+        #
+        def initialize(**kwargs)
+          super(**kwargs)
+
+          @subject_alt_names = []
+        end
+
+        #
+        # Runs the `ronin cert-gen` command.
+        #
+        def run
+          if options[:generate_key]
+            log_info "Generating new #{options.fetch(:key_type,:rsa).upcase} key ..."
+          end
+
+          key  = signing_key
+          cert = Ronin::Support::Crypto::Cert.generate(
+            version:    options[:version],
+            serial:     options[:serial],
+            not_before: not_before,
+            not_after:  not_after,
+            key:        key,
+            ca_key:     ca_key,
+            ca_cert:    ca_cert,
+            subject: {
+              common_name:         options[:common_name],
+              organization:        options[:organization],
+              organizational_unit: options[:organizational_unit],
+              locality:            options[:locality],
+              state:               options[:state],
+              country:             options[:country]
+            },
+            extensions: extensions
+          )
+
+          if options[:generate_key]
+            log_info "Saving key to #{options[:generate_key]} ..."
+            key.save(options[:generate_key])
+          end
+
+          log_info "Saving certificate to #{options[:output]} ..."
+          cert.save(options[:output])
+        end
+
+        #
+        # The parsed `--not-before` time or now.
+        #
+        # @return [Time]
+        #
+        def not_before
+          @not_before ||= if options[:not_before]
+                            Time.parse(options[:not_before])
+                          else
+                            Time.now
+                          end
+        end
+
+        #
+        # The parsed `--not-after` time or one year from now.
+        #
+        # @return [Time]
+        #
+        def not_after
+          @not_after ||= if options[:not_after]
+                           Time.parse(options[:not_after])
+                         else
+                           not_before+Support::Crypto::Cert::ONE_YEAR
+                         end
+        end
+
+        #
+        # The `--key-type` key class.
+        #
+        # @return [Class<Ronin::Support::Key::RSA>,
+        #          Class<Ronin::Support::Key::EC>, nil]
+        #
+        def key_class
+          case options[:key_type]
+          when :rsa then Support::Crypto::Key::RSA
+          when :ec  then Support::Crypto::Key::EC
+          end
+        end
+
+        #
+        # Loads the `--key-file` key file or generates a new signing key.
+        #
+        # @return [Ronin::Support::Key::RSA, Ronin::Support::Key::EC, nil]
+        #
+        def signing_key
+          if options[:key_file]
+            if options[:key_type]
+              key_class.load_file(options[:key_file])
+            else
+              begin
+                Support::Crypto::Key.load_file(options[:key_file])
+              rescue ArgumentError => error
+                print_error(error.message)
+                exit(-1)
+              end
+            end
+          else
+            (key_class || Support::Crypto::Key::RSA).random
+          end
+        end
+
+        #
+        # Loads the `--ca-key` key file.
+        #
+        # @return [Ronin::Support::Key::RSA, nil]
+        #
+        def ca_key
+          if options[:ca_key]
+            Support::Crypto::Key::RSA.load_file(options[:ca_key])
+          end
+        end
+
+        #
+        # Loads the `--ca-cert` certificate file.
+        #
+        # @return [Ronin::Support::Crypto::Cert, nil]
+        #
+        def ca_cert
+          if options[:ca_cert]
+            Support::Crypto::Cert.load_file(options[:ca_cert])
+          end
+        end
+
+        #
+        # Builds the extensions.
+        #
+        # @return [Hash{String => Object}, nil]
+        #
+        def extensions
+          exts = {}
+
+          if (ext = basic_constraints_ext)
+            exts['basicConstraints'] = ext
+          end
+
+          if (ext = subject_alt_name_ext)
+            exts['subjectAltName'] = ext
+          end
+
+          exts unless exts.empty?
+        end
+
+        #
+        # Builds the `basicConstraints` extension.
+        #
+        # @return [(String, Boolean), nil]
+        #
+        def basic_constraints_ext
+          if options[:ca]
+            ['CA:TRUE', true]
+          elsif options[:ca_key] || options[:ca_cert]
+            ['CA:FALSE', true]
+          end
+        end
+
+        IP_REGEXP = Support::Text::Patterns::IP
+
+        #
+        # Builds the `subjectAltName` extension.
+        #
+        # @return [String, nil]
+        #
+        def subject_alt_name_ext
+          if !@subject_alt_names.empty?
+            @subject_alt_names.map { |name|
+              if name =~ IP_REGEXP
+                "IP: #{name}"
+              else
+                "DNS: #{name}"
+              end
+            }.join(', ')
+          end
+        end
+
+      end
+    end
+  end
+end