From 172e7970e9ea2ed7a8b14a7dce6a3876c1c69d2c Mon Sep 17 00:00:00 2001 From: Chris Hyzer Date: Sat, 7 May 2022 02:09:26 -0400 Subject: [PATCH] add cert tools --- Dockerfile | 1 + container_files/certs/TestSsl.class | Bin 0 -> 2056 bytes container_files/certs/TestSsl.java | 39 ++++++++ container_files/certs/get_tls_cert.py | 122 ++++++++++++++++++++++++++ 4 files changed, 162 insertions(+) create mode 100644 container_files/certs/TestSsl.class create mode 100644 container_files/certs/TestSsl.java create mode 100644 container_files/certs/get_tls_cert.py diff --git a/Dockerfile b/Dockerfile index 3d084135..cfb9048e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -100,6 +100,7 @@ RUN rm -f /opt/tomee/lib/slf4j-* COPY container_files/tier-support/log4j_fix/tomeeLib/slf4j-* /opt/tomee/lib/ RUN rm -f /opt/grouper/grouperWebapp/WEB-INF/lib/slf4j-api-* COPY container_files/tier-support/log4j_fix/webinfLib/* /opt/grouper/grouperWebapp/WEB-INF/lib/ +COPY container_files/certs/* /opt/grouper/certs/ # this is to improve openshift diff --git a/container_files/certs/TestSsl.class b/container_files/certs/TestSsl.class new file mode 100644 index 0000000000000000000000000000000000000000..6ce4c196153c567daf82b1c7d260a2c02665fd80 GIT binary patch literal 2056 zcmZ`)T~`xV6x|mRCyXO%P=s1+s+1BC(^6|<M2}(?+08qy_uoFu8=$$xJ#kQRtWb zaIN~#hx!A$`slNL2(G%8%jf=@{({0!Kqk;LvsRrkQa}x13p6y)La#VBe(e+ToNy=Wu#SAU5Nbq>fH>8Hi(_z`?xj z%K2JlRr*D9)sX_pyl0utlIh#(ySW()*X=-{E8h&4B~-<$pe%5^@ zFw1fxrK1tU^ zLuAveR;61K7~3nJ+uUJy>DCaazwPAS+C1EVT~MCdh$(=mpOhBE>^ zQLgQ@7P?n`{;61$0 zN~)$GNbWtS8#$HSc>^=JAYfQ*b|@P`1cvtDG}mm1DxqP=*_dn2#vYYvxWpQEmAz>C zY;Y+3K*vRNCGep@{8F*FSWw@W4a_TIPX;oabxT!`^yW&^4ed4CGDF*Qr=7Cr+u?de z$1D~Ne1wlV*fb}lJJnH21?-d zh_PLqeJTmtIEJ!;^#~!FM}=_Rzzt>C#j&#;B_9b?C=rF4Wyv5|t2xeQ%JN*7(j-ed zJbb00x*appt=SDrRu$z2{79c7@Iq)>H;TS#sVq#tOeyNwLv~b80w;)Oe62C#>`8Pj z+gj2-*39>rmq7pX%qe-wjstF17=K{5T}!70I+Qr>s9Ou01nO-_1^e9E5fwph*Z<79 zofg_0h}gJnRwHfJz`Ldwyqa&xIa>+1(bVWOs_T?Ec8os^po4GJe6AY5GJFa?<0D&0 zJcy2UuId=*!hWts!+_5N(Ox$Wa)-`h12I|x_eLJa|G?0nIP?g;%gMeiypR-i4AgNd z`6`z>(si7UJ;dt|@#Yhp%a4w9j*rB~A0k`F^b^cpeuRt5Tgc6iB|oSme|oHrh0}Eu zCSqJanTYqtV|84;k8XzO=j*jP*3{Gf{pmm4N;-tU4qM3E)w`2x9RZ% q{YMc`Kc#%`)9|B)a~ftfT-0D{yuZ+&A_>70wRj1-{6v=y{QMspFbIqQ literal 0 HcmV?d00001 diff --git a/container_files/certs/TestSsl.java b/container_files/certs/TestSsl.java new file mode 100644 index 00000000..29677b7a --- /dev/null +++ b/container_files/certs/TestSsl.java @@ -0,0 +1,39 @@ +import javax.net.ssl.SSLParameters; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; +import java.io.*; + +/** + * Establish a SSL connection to a host and port, writes a byte and + */ +public class TestSsl { + public static void main(String[] args) { + if (args.length != 2) { + System.out.println("Usage: "+TestSsl.class.getName()+" "); + System.exit(1); + } + try { + SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault(); + SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1])); + + SSLParameters sslparams = new SSLParameters(); + sslparams.setEndpointIdentificationAlgorithm("HTTPS"); + sslsocket.setSSLParameters(sslparams); + + InputStream in = sslsocket.getInputStream(); + OutputStream out = sslsocket.getOutputStream(); + + // Write a test byte to get a reaction :) + out.write(1); + + while (in.available() > 0) { + System.out.print(in.read()); + } + System.out.println("Successfully connected"); + + } catch (Exception exception) { + exception.printStackTrace(); + System.exit(1); + } + } +} diff --git a/container_files/certs/get_tls_cert.py b/container_files/certs/get_tls_cert.py new file mode 100644 index 00000000..f1989659 --- /dev/null +++ b/container_files/certs/get_tls_cert.py @@ -0,0 +1,122 @@ +import sys +import pprint +import struct +import socket +import ssl +from time import sleep + +# Standard "HELLO" message for TDS +prelogin_msg = bytearray([ 0x12, 0x01, 0x00, 0x2f, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x06, 0x01, 0x00, 0x20, + 0x00, 0x01, 0x02, 0x00, 0x21, 0x00, 0x01, 0x03, 0x00, 0x22, 0x00, 0x04, 0x04, 0x00, 0x26, 0x00, + 0x01, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ]) + +# Prep Header function +def prep_header(data): + data_len = len(data) + prelogin_head = bytearray([ 0x12, 0x01 ]) + header_len = 8 + total_len = header_len + data_len + data_head = prelogin_head + total_len.to_bytes(2, 'big') + data_head += bytearray([ 0x00, 0x00, 0x01, 0x00]) + return data_head + data + +def read_header(data): + if len(data) != 8: + raise ValueError("prelogin header is > 8-bytes", data) + + format = ">bbhhbb" + sct = struct.Struct(format) + unpacked = sct.unpack(data) + return { "type": unpacked[0], + "status": unpacked[1], + "length": unpacked[2], + "channel": unpacked[3], + "packet": unpacked[4], + "window": unpacked[5] + } + +tdspbuf = bytearray() +def recv_tdspacket(sock): + global tdspbuf + tdspacket = tdspbuf + header = {} + + for i in range(0,5): + tdspacket += sock.recv(4096) + print("\n# get_tdspacket: {}, tdspacket len: {} ".format(i, len(tdspacket))) + if len(tdspacket) >= 8: + header = read_header(tdspacket[:8]) + print("# Header: ", header) + if len(tdspacket) >= header['length']: + tdspbuf = tdspacket[header['length']:] + print("# Remaining tdspbuf length: {}\n".format(len(tdspbuf))) + return header, tdspacket[8:header['length']] + + sleep(0.05) + +# Ensure we have a commandline +if len(sys.argv) != 3: + print("Usage: {} ".format(sys.argv[0])) + sys.exit(1) + +hostname = sys.argv[1] +port = int(sys.argv[2]) + + +# Setup SSL +if hasattr(ssl, 'PROTOCOL_TLS'): + sslProto = ssl.PROTOCOL_TLS +else: + sslProto = ssl.PROTOCOL_SSLv23 + +sslctx = ssl.SSLContext(sslProto) +sslctx.check_hostname = False +tls_in_buf = ssl.MemoryBIO() +tls_out_buf = ssl.MemoryBIO() + +# Create the SSLObj connected to the tls_in_buf and tls_out_buf +tlssock = sslctx.wrap_bio(tls_in_buf, tls_out_buf) + +# create an INET, STREAMing socket +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.setblocking(0) +s.settimeout(1) + +# Connect to the SQL Server +s.connect(( hostname, port )) + +# Send the first TDS PRELOGIN message +s.send(prelogin_msg) + +# Get the response and ignore. We will try to negotiate encryption anyway. +header, data = recv_tdspacket(s) +while header['status']==0: + header, ext_data = recv_tdspacket(s) + data += ext_data + + +print("# Starting TLS handshake loop..") +# Craft the packet +for i in range(0,5): + try: + tlssock.do_handshake() + print("# Handshake completed, dumping certificates") + peercert = ssl.DER_cert_to_PEM_cert(tlssock.getpeercert(True)) + print(peercert) + sys.exit(0) + except ssl.SSLWantReadError as err: + # TLS wants to keep shaking hands, but because we're controlling the R/W buffers it throws an exception + print("# Shaking ({}/5)".format(i)) + + tls_data = tls_out_buf.read() + s.sendall(prep_header(tls_data)) + # TDS Packets can be split over two frames, each with their own headers. + # We have to concat these for TLS to handle nego properly + header, data = recv_tdspacket(s) + while header['status']==0: + header, ext_data = recv_tdspacket(s) + data += ext_data + + tls_in_buf.write(data) + +print("# Handshake did not complete / exiting") \ No newline at end of file