
hakky54 / certificate-ripper


A CLI tool to extract server certificates

License: Apache License 2.0

Java 96.38% Shell 3.62%
certificate ssl x509 tls java macos homebrew homebrew-tap graalvm-native-image graalvm

certificate-ripper's Introduction

Hello there 👋

  • 👨‍💻 I'm Hakan Altındağ and working as a freelance software engineer
  • 🔭 I'm currently working on Backend Development
  • 🌱 I'm mainly using Java and ElasticSearch
  • 💬 Ask me about anything, I am happy to help
  • 😄 Pronouns: Coder, Leader and Kind Hearted
  • 💡 Occasionally I do participate in Hackathons
  • 👨 Know more about me at Dzone
  • 🌐 Visit my LinkedIn for complete background and contact.
  • 💥 awesome octoprofile : Hakan Altındağ



certificate-ripper's People

Contributors

antiz96, hakky54, tomasajt, yodatak


certificate-ripper's Issues

Allow to set timeout when destination not reachable

Is your feature request related to a problem? Please describe.
We are using crip in dockerfiles for devcontainers and fetch some certs to trust them. Unfortunately some urls are not always accessible and this leads to crip hanging for minutes when it doesn't reach its destination.

Describe the solution you'd like
Use a sensible default (a couple of seconds) or allow specifying a timeout which is much shorter than minutes.

Describe alternatives you've considered
Build logic around crip which checks if the destination is reachable before calling crip.

Remove lines between -----END CERTIFICATE----- and -----BEGIN CERTIFICATE----- when using -c and export?

Hi, is there a way with -c not to have the 2 lines of text in the export between -----END CERTIFICATE----- and -----BEGIN CERTIFICATE-----, so we have a clean export?

-----END CERTIFICATE-----
subject=CN=(STAGING) Doctored Durian Root CA X3,O=(STAGING) Internet Security Research Group,C=US
issuer=CN=(STAGING) Doctored Durian Root CA X3,O=(STAGING) Internet Security Research Group,C=US
-----BEGIN CERTIFICATE-----

Basic functionality failed with Java error on macos

Describe the bug
crip print --url=https://stackoverflow.com failed, added logs

Environmental Data:

  • Apple M1 Pro with Ventura 13.1

logs

crip print --url=https://stackoverflow.com 
nl.altindag.ssl.exception.GenericCertificateException: java.net.ConnectException: Operation timed out
	at nl.altindag.ssl.util.CertificateExtractorUtils.getCertificatesFromRemoteFile(CertificateExtractorUtils.java:197)
	at nl.altindag.ssl.util.CertificateExtractorUtils.getRootCaFromAuthorityInfoAccessExtensionIfPresent(CertificateExtractorUtils.java:172)
	at nl.altindag.ssl.util.CertificateExtractorUtils.getRootCaIfPossible(CertificateExtractorUtils.java:154)
	at nl.altindag.ssl.util.CertificateExtractorUtils.getRootCaFromChainIfPossible(CertificateExtractorUtils.java:147)
	at nl.altindag.ssl.util.CertificateExtractorUtils.getCertificateFromExternalSource(CertificateExtractorUtils.java:120)
	at nl.altindag.ssl.util.CertificateUtils.getCertificatesFromExternalSource(CertificateUtils.java:232)
	at nl.altindag.ssl.util.CertificateUtils.lambda$getCertificatesFromExternalSources$4(CertificateUtils.java:275)
	at [email protected]/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at [email protected]/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:992)
	at [email protected]/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
	at [email protected]/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at [email protected]/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
	at [email protected]/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at [email protected]/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
	at nl.altindag.ssl.util.CertificateUtils.getCertificatesFromExternalSources(CertificateUtils.java:276)
	at nl.altindag.ssl.util.CertificateUtils.getCertificatesFromExternalSources(CertificateUtils.java:262)
	at nl.altindag.crip.command.SharedProperties.getCertificates(SharedProperties.java:82)
	at nl.altindag.crip.command.SharedProperties.getUrlsToCertificates(SharedProperties.java:53)
	at nl.altindag.crip.command.PrintCommand.run(PrintCommand.java:43)
	at picocli.CommandLine.executeUserObject(CommandLine.java:2026)
	at picocli.CommandLine.access$1500(CommandLine.java:148)
	at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
	at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
	at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
	at picocli.CommandLine.execute(CommandLine.java:2170)
	at nl.altindag.crip.App.main(App.java:26)
Caused by: java.net.ConnectException: Operation timed out
	at [email protected]/sun.nio.ch.Net.connect0(Net.java)
	at [email protected]/sun.nio.ch.Net.connect(Net.java:579)
	at [email protected]/sun.nio.ch.Net.connect(Net.java:568)
	at [email protected]/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:588)
	at [email protected]/java.net.Socket.connect(Socket.java:633)
	at [email protected]/java.net.Socket.connect(Socket.java:583)
	at [email protected]/sun.net.NetworkClient.doConnect(NetworkClient.java:183)
	at [email protected]/sun.net.www.http.HttpClient.openServer(HttpClient.java:531)
	at [email protected]/sun.net.www.http.HttpClient.openServer(HttpClient.java:636)
	at [email protected]/sun.net.www.http.HttpClient.<init>(HttpClient.java:279)
	at [email protected]/sun.net.www.http.HttpClient.New(HttpClient.java:384)
	at [email protected]/sun.net.www.http.HttpClient.New(HttpClient.java:406)
	at [email protected]/sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1309)
	at [email protected]/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1242)
	at [email protected]/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1128)
	at [email protected]/sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:1057)
	at [email protected]/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1665)
	at [email protected]/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
	at nl.altindag.ssl.util.CertificateExtractorUtils.getCertificatesFromRemoteFile(CertificateExtractorUtils.java:186)
	... 27 more

Add support to export in the .CRT/PEM format (multiple files for chains)

Is your feature request related to a problem? Please describe.
We are using your tool to automate the process of getting the current certificate behind TLS inspection. The export command is perfect to get the full certificate chain, but unfortunately in most use cases we need the certificates in the .crt format and each certificate needs to have its own file. At the moment we are doing this converting and exporting inside a dockerfile like this:

RUN sudo wget https://github.com/Hakky54/certificate-ripper/releases/download/1.0.0/crip-linux-amd64.tar.gz --no-check-certificate --output-document /tmp/crip-linux-amd64.tar.gz
RUN sudo tar xzvf /tmp/crip-linux-amd64.tar.gz -C /tmp
RUN sudo /tmp/crip export --url=https://www.google.com --destination /tmp
# add "-legacy" on ubuntu 22.04 to openssl
RUN sudo openssl pkcs12 -in /tmp/truststore.p12 -out /tmp/mitm.pem -password pass:changeit 
RUN sudo chmod 777 /tmp/mitm.pem
RUN sudo csplit --prefix=mitm- --suffix-format=%d.crt /tmp/mitm.pem '/^-----END /1' '{*}'
RUN sudo mv /mitm-* /usr/local/share/ca-certificates/
RUN update-ca-certificates

Describe the solution you'd like
It would be perfect to have an export command in crip which would output multiple .crt files which can be used for certificate stores in e.g. Ubuntu. This would remove the need to do complex string manipulations.

Describe alternatives you've considered
As a workaround we are using the docker steps above

Doesn't work in a container

Describe the bug
crip doesn't work inside a container (running on kubernetes)

To Reproduce

Exception in thread "main" java.lang.InternalError: java.lang.reflect.InvocationTargetException
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.Metrics.systemMetrics(Metrics.java:67)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.Container.metrics(Container.java:44)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.ContainerInfo.<init>(ContainerInfo.java:34)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.Containers.memoryLimitInBytes(Containers.java:177)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.heap.PhysicalMemory.doInitialize(PhysicalMemory.java:145)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.heap.PhysicalMemory.size(PhysicalMemory.java:88)
        at [email protected]/java.lang.Runtime.maxMemory(Runtime.java:896)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.DirectMemoryAccessors.initialize(Target_jdk_internal_misc_VM.java:120)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.DirectMemoryAccessors.getPageAlignDirectMemory(Target_jdk_internal_misc_VM.java:102)
        at [email protected]/jdk.internal.misc.VM.isDirectMemoryPageAligned(VM.java:147)
        at [email protected]/java.nio.DirectByteBuffer.<init>(DirectByteBuffer.java:118)
        at [email protected]/java.nio.ByteBuffer.allocateDirect(ByteBuffer.java:332)
        at [email protected]/sun.nio.ch.Util.getTemporaryDirectBuffer(Util.java:243)
        at [email protected]/sun.nio.ch.NioSocketImpl.tryWrite(NioSocketImpl.java:394)
        at [email protected]/sun.nio.ch.NioSocketImpl.implWrite(NioSocketImpl.java:413)
        at [email protected]/sun.nio.ch.NioSocketImpl.write(NioSocketImpl.java:440)
        at [email protected]/sun.nio.ch.NioSocketImpl$2.write(NioSocketImpl.java:826)
        at [email protected]/java.net.Socket$SocketOutputStream.write(Socket.java:1035)
        at [email protected]/sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:271)
        at [email protected]/sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:89)
        at [email protected]/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:646)
        at [email protected]/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:529)
        at [email protected]/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:112)
        at [email protected]/sun.security.ssl.TransportContext.kickstart(TransportContext.java:251)
        at [email protected]/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:448)
        at [email protected]/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
        at [email protected]/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:580)
        at [email protected]/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
        at [email protected]/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142)
        at nl.altindag.ssl.util.CertificateExtractorUtils.getCertificateFromExternalSource(CertificateExtractorUtils.java:117)
        at nl.altindag.ssl.util.CertificateUtils.getCertificatesFromExternalSource(CertificateUtils.java:232)
        at nl.altindag.ssl.util.CertificateUtils.lambda$getCertificatesFromExternalSources$4(CertificateUtils.java:275)
        at [email protected]/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at [email protected]/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:992)
        at [email protected]/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
        at [email protected]/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at [email protected]/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
        at [email protected]/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at [email protected]/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
        at nl.altindag.ssl.util.CertificateUtils.getCertificatesFromExternalSources(CertificateUtils.java:276)
        at nl.altindag.ssl.util.CertificateUtils.getCertificatesFromExternalSources(CertificateUtils.java:262)
        at nl.altindag.crip.command.SharedProperties.getCertificates(SharedProperties.java:82)
        at nl.altindag.crip.command.SharedProperties.getUrlsToCertificates(SharedProperties.java:53)
        at nl.altindag.crip.command.PrintCommand.run(PrintCommand.java:43)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2026)
        at picocli.CommandLine.access$1500(CommandLine.java:148)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
        at picocli.CommandLine.execute(CommandLine.java:2170)
        at nl.altindag.crip.App.main(App.java:26)
Caused by: java.lang.reflect.InvocationTargetException
        at [email protected]/java.lang.reflect.Method.invoke(Method.java:568)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.Metrics.systemMetrics(Metrics.java:63)
        ... 52 more
Caused by: java.lang.ExceptionInInitializerError
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.CgroupSubsystemFactory.create(CgroupSubsystemFactory.java:78)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.CgroupMetrics.getInstance(CgroupMetrics.java:164)
        ... 54 more
Caused by: java.lang.NullPointerException
        at [email protected]/java.util.Objects.requireNonNull(Objects.java:208)
        at [email protected]/sun.nio.fs.UnixFileSystem.getPath(UnixFileSystem.java:263)
        at [email protected]/java.nio.file.Path.of(Path.java:147)
        at [email protected]/java.nio.file.Paths.get(Paths.java:69)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.CgroupUtil.lambda$readStringValue$0(CgroupUtil.java:57)
        at [email protected]/java.security.AccessController.executePrivileged(AccessController.java:144)
        at [email protected]/java.security.AccessController.doPrivileged(AccessController.java:569)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.CgroupUtil.readStringValue(CgroupUtil.java:59)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.CgroupSubsystemController.getStringValue(CgroupSubsystemController.java:66)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.CgroupSubsystemController.getLongValue(CgroupSubsystemController.java:125)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.cgroupv1.CgroupV1Subsystem.getLongValue(CgroupV1Subsystem.java:269)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.cgroupv1.CgroupV1Subsystem.getHierarchical(CgroupV1Subsystem.java:215)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.cgroupv1.CgroupV1Subsystem.setSubSystemControllerPath(CgroupV1Subsystem.java:203)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.cgroupv1.CgroupV1Subsystem.initSubSystem(CgroupV1Subsystem.java:111)
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.containers.cgroupv1.CgroupV1Subsystem.<clinit>(CgroupV1Subsystem.java:47)
        ... 56 more

Environmental Data:

  • OS (Windows/Linux/MacOS)
    Ubuntu 22.04.2 LTS

The crip export doesn't throw an error on a permission issue

Thanks for your tool, so useful to bootstrap certs to WSL2.
In Fedora WSL2, I must run

sudo crip export pem -u=https://github.com --combined=true -d /etc/pki/ca-trust/source/anchors/fullchain.pem
because

/etc/pki/ca-trust/source/anchors$ sudo crip export pem -u=https://github.com --combined=true -d /etc/pki/ca-trust/source/anchors/fullchain.pem

Certificate ripper statistics:
- Certificate count

  * 4: https://github.com
         [cn=githubcom_o=github_-inc_l=san-francisco_st=california_c=us]
         [cn=XXX-dpi_ou=XXX=XXXX]
         [cn=XXX-subca_dc=#XXXX=#XXX]
         [cn=XXXX-rootca]

Extracted 4 certificates.
It has been exported to /etc/pki/ca-trust/source/anchors/fullchain.pem

I don't get any error, but it doesn't create a file :/

"PKIX path building failed" and "unable to find valid certification path to requested target"

If your http client is using the default ssl configuration and you are getting the following error message:

  • PKIX path building failed
  • unable to find valid certification path to requested target

You can run the following snippet below. Please replace the host and port with your actual values.

crip export jks -u=https://[HOST]:[PORT] -d=$JAVA_HOME/jre/lib/security/cacerts

An example would be:

  1. crip export jks -u=https://localhost:8443 -d=$JAVA_HOME/jre/lib/security/cacerts
  2. crip export jks -u=https://github.com -d=$JAVA_HOME/jre/lib/security/cacerts

This command will get the certificate of the server and add it to your list of trusted certificates of the default JDK cacerts.

SSL Certificate Bundle Splitting Functionality

Description

I would like to see if a new functionality could be added. Currently, there is a "missing feature" that I believe could further enhance the usability of the tool. The suggested feature is the ability to split a given SSL certificate bundle into its individual certificates.

Consider a scenario where an SSL certificate bundle is obtained, and there is a need to extract individual certificates from it. I know there is no "ripping" here, but this could be useful in situations where specific certificates need to be deployed to different services or systems.

Describe the Solution You Would Like

For the tools to accept an SSL bundle and split it accordingly.

Something like crip split --location /path/to/ssl/bundle.crt

Describe Alternatives You Have Considered

The usual hack, that never works correctly when copied from any answer, of using openssl and a combination of several other commands with /dev/null - and what not.

Of course, I've also tried crip export pem --url /path/to/bundle.crt but it fails with java.net.MalformedURLException: no protocol 🤣 - and even further with file:/path/to/bundle.crt, to provide a protocol, but this time it doesn't find anything 😬

Additional Context

N/A
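
The requests above for a clean combined export, one .crt file per certificate and splitting an existing bundle all reduce to the same PEM handling, and a fingerprint check lets only known certificates reach a trust store. As an added example that is not part of certificate-ripper or of any issue on this page (the function names and the sample data are hypothetical and constructed):

```python
import base64
import hashlib
import re

# Matches one PEM certificate block. Text between blocks, such as the
# subject=/issuer= lines of a combined export, is never captured.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_bundle(text):
    """Return [(der_bytes, sha256_hex), ...] for every certificate block."""
    certs = []
    for match in PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"corrupt base64 in block {len(certs) + 1}") from exc
        # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
        if not der or der[0] != 0x30:
            raise ValueError(f"block {len(certs) + 1} is not DER")
        certs.append((der, hashlib.sha256(der).hexdigest()))
    return certs


def to_pem(der):
    """Re-encode DER as a clean PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    ) + "\n"


def select_trusted(text, pinned_fingerprints):
    """Split a bundle; return {filename: pem} only for pinned certificates."""
    pinned = {fp.replace(":", "").lower() for fp in pinned_fingerprints}
    out = {}
    for index, (der, fingerprint) in enumerate(split_bundle(text)):
        if fingerprint in pinned:
            out[f"cert-{index}.crt"] = to_pem(der)
    return out


# Constructed sample: two tiny DER placeholders (not real certificates) joined
# by the kind of subject=/issuer= lines a combined export puts between blocks.
SAMPLE_DER = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
SAMPLE_BUNDLE = "subject=CN=constructed-a\nissuer=CN=constructed-a\n".join(
    to_pem(der) for der in SAMPLE_DER
)

if __name__ == "__main__":
    for der, fingerprint in split_bundle(SAMPLE_BUNDLE):
        print(len(der), fingerprint)
    # Pin only the second certificate; only cert-1.crt is returned.
    pin = split_bundle(SAMPLE_BUNDLE)[1][1]
    print(sorted(select_trusted(SAMPLE_BUNDLE, [pin])))
```

The pinned fingerprints are expected to come from a source other than the connection being inspected, for example the team that operates the TLS inspection proxy.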

No Linux aarch64 binary anymore?

Hi,

Sorry, it is not really a bug report per se...

I'm maintaining the certificate-ripper-bin AUR package and I noticed there's no Linux aarch64 binary in the latest 2.0.1 release. Did you forget it or is it intended?
It's just to know if I should drop aarch64 support on the AUR package side as well :)

Regards,
Antiz
