Fix project.script installation

Scott Wallace 2024-09-27 12:03:05 +01:00
parent 64fc78426d
commit ad4bcc66cf
Signed by: scott
SSH key fingerprint: SHA256:+LJug6Dj01Jdg86CILGng9r0lJseUrpI0xfRqdW9Uws


@ -68,135 +68,135 @@ def display_error(
print(str(error)) print(str(error))
if __name__ == "__main__": def parseargs() -> argparse.Namespace:
"""
Parse the CLI
def parseargs() -> argparse.Namespace: Returns:
""" argparse.Namespace: parsed arguments
Parse the CLI """
parser = argparse.ArgumentParser()
Returns: parser.add_argument("site", help="site to lookup")
argparse.Namespace: parsed arguments parser.add_argument("-a", "--address", help="explicit address to connect to")
"""
parser = argparse.ArgumentParser()
parser.add_argument("site", help="site to lookup") return parser.parse_args()
parser.add_argument("-a", "--address", help="explicit address to connect to")
return parser.parse_args()
def main() -> int: def main() -> int:
""" """
Main entrypoint Main entrypoint
Returns: Returns:
int: return value int: return value
""" """
args = parseargs() args = parseargs()
url = args.site url = args.site
if "://" not in url: if "://" not in url:
url = f"https://{url}" url = f"https://{url}"
parts = urlparse(args.site, scheme="https") parts = urlparse(args.site, scheme="https")
if not parts.netloc: if not parts.netloc:
parts = parts._replace(netloc=args.site) parts = parts._replace(netloc=args.site)
if not parts.port: if not parts.port:
parts = parts._replace(netloc=f"{parts.netloc}:443") parts = parts._replace(netloc=f"{parts.netloc}:443")
if not parts.hostname or not parts.port: if not parts.hostname or not parts.port:
display_error(args.site, "Cannot parse hostname") display_error(args.site, "Cannot parse hostname")
return 1 return 1
endpoint = f"{parts.hostname}:{parts.port}" endpoint = f"{parts.hostname}:{parts.port}"
try:
if args.address:
pem_data = get_cert_with_servername(
(args.address, parts.port),
servername=parts.hostname,
)
else:
pem_data = ssl.get_server_certificate(
(parts.hostname, parts.port),
timeout=10,
).encode("utf-8")
cert_chain = CertificateChain()
try: try:
if args.address: cert_chain = resolve(pem_data)
pem_data = get_cert_with_servername( except urllib.error.URLError:
(args.address, parts.port), pass
servername=parts.hostname, except (
) ConnectionRefusedError,
else: ConnectionResetError,
pem_data = ssl.get_server_certificate( socket.gaierror,
(parts.hostname, parts.port), ssl.CertificateError,
timeout=10, ssl.SSLError,
).encode("utf-8") TimeoutError,
) as error:
display_error(endpoint, error)
return 2
cert_chain = CertificateChain() if not pem_data:
try: display_error(endpoint, "Cannot fetch PEM data")
cert_chain = resolve(pem_data) return 3
except urllib.error.URLError:
pass
except (
ConnectionRefusedError,
ConnectionResetError,
socket.gaierror,
ssl.CertificateError,
ssl.SSLError,
TimeoutError,
) as error:
display_error(endpoint, error)
return 2
if not pem_data: cert = x509.load_pem_x509_certificate(pem_data, default_backend())
display_error(endpoint, "Cannot fetch PEM data")
return 3
cert = x509.load_pem_x509_certificate(pem_data, default_backend()) sans = [
f"DNS:{dns}"
sans = [ for dns in cert.extensions.get_extension_for_class(
f"DNS:{dns}" x509.SubjectAlternativeName
for dns in cert.extensions.get_extension_for_class( ).value.get_values_for_type(x509.DNSName)
]
sans.extend(
[
f"IP:{ip}"
for ip in cert.extensions.get_extension_for_class(
x509.SubjectAlternativeName x509.SubjectAlternativeName
).value.get_values_for_type(x509.DNSName) ).value.get_values_for_type(x509.IPAddress)
] ]
sans.extend( )
sangroups = [
sans[group : group + SAN_GROUPING]
for group in range(0, len(sans), SAN_GROUPING)
]
table = [
["Common name", cert.subject.rfc4514_string()],
[f"SANs ({len(sans)})", tabulate(sangroups, tablefmt="plain")],
["Valid from", cert.not_valid_before_utc],
["Valid to", cert.not_valid_after_utc],
["Issuer", cert.issuer.rfc4514_string()],
[
"Fingerprint",
f"{format_fingerprint(cert.fingerprint(hashes.SHA1()))} (SHA1)",
],
]
if cert_chain:
table.append(
[ [
f"IP:{ip}" "CA chain",
for ip in cert.extensions.get_extension_for_class( "\n".join(
x509.SubjectAlternativeName [
).value.get_values_for_type(x509.IPAddress) f"{cert.common_name} "
f"(Issuer: {cert.issuer})\n"
"Fingerprint: "
f"{format_fingerprint(cert.get_fingerprint(hashes.SHA1))} (SHA1)"
for cert in list(cert_chain.intermediates) + [cert_chain.root]
if cert
]
),
] ]
) )
sangroups = [ print(tabulate(table, tablefmt="plain"))
sans[group : group + SAN_GROUPING]
for group in range(0, len(sans), SAN_GROUPING)
]
table = [ return 0
["Common name", cert.subject.rfc4514_string()],
[f"SANs ({len(sans)})", tabulate(sangroups, tablefmt="plain")],
["Valid from", cert.not_valid_before_utc],
["Valid to", cert.not_valid_after_utc],
["Issuer", cert.issuer.rfc4514_string()],
[
"Fingerprint",
f"{format_fingerprint(cert.fingerprint(hashes.SHA1()))} (SHA1)",
],
]
if cert_chain:
table.append(
[
"CA chain",
"\n".join(
[
f"{cert.common_name} "
f"(Issuer: {cert.issuer})\n"
"Fingerprint: "
f"{format_fingerprint(cert.get_fingerprint(hashes.SHA1))} (SHA1)"
for cert in list(cert_chain.intermediates)
+ [cert_chain.root]
if cert
]
),
]
)
print(tabulate(table, tablefmt="plain"))
return 0
if __name__ == "__main__":
sys.exit(main()) sys.exit(main())
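Review bot: In the new module-level `main()`, the normalised `url` (with `https://` prepended) is never used: the next statement still calls `urlparse(args.site, scheme="https")`, so an argument such as `host/path` falls through to the `netloc=args.site` fallback and the path appears to end up in the hostname that is connected to. Parsing the normalised value instead, `parts = urlparse(url)`, would make that fallback unnecessary. Separately, the certificate is supplied by the remote server, and `get_extension_for_class(x509.SubjectAlternativeName)` raises `x509.ExtensionNotFound` when it carries no SAN extension; that exception is not in the `except` tuple, so such a certificate ends in a traceback instead of a `display_error` exit code. Both are also present in the old column, so this commit (which appears only to move the code out of the `__main__` guard) did not introduce them, but they are now reachable through the installed script entry point.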