Extract website certificates from pcap files, write each certificate out as a .der file, and write the extracted metadata to a .json file. For example:
- Install dependencies:
pip install -r requirements.txt
- Run the main program, e.g.:
python main.py ca-bundle-extracted pcaps certs
This extracts the certificates from every pcap in the pcaps folder into the certs folder; each certificate is saved as <certificate md5>.der. The ca-bundle-extracted folder holds the trusted (root) certificates, which are used to validate the certificate chain.
Two caveats. The md5 is only a file name and lookup key; for a collision-resistant identifier use the SHA-256 fingerprint (openssl x509 -inform DER -in <md5>.der -noout -fingerprint -sha256). And only TLS 1.2 and earlier send the Certificate message in the clear, so TLS 1.3 sessions in a pcap yield no certificates unless the session keys are available.
To re-check is_valid by hand, convert the DER files to PEM (openssl x509 -inform DER -in <md5>.der -out <md5>.pem) and run openssl verify -CAfile <pem bundle of the trusted roots> -untrusted <intermediate>.pem <leaf>.pem.
{ // (the side that sends the Certificate message is recorded as dst; a client may also send a Certificate message)
"src_ip": "172.20.113.76", // source IP
"dst_ip": "182.61.200.6", // destination IP
"src_port": 59686, // source port
"dst_port": 443, // destination port
"server_name": "www.baidu.com", // server_name field (extracted from the Client Hello)
"cert_chain_len": 2, // certificate chain length
"is_valid": true, // whether validation of the chain against ca-bundle-extracted passed
"cert_chain": [ // certificate chain as sent, leaf first; the last entry is the one closest to the root. The root itself is usually not sent, as here: the last entry is the GlobalSign intermediate and its ISSUER_CN names the root
{
"CN": "baidu.com",
"ISSUER_CN": "GlobalSign Organization Validation CA - SHA256 - G2",
"md5": "539b071cf7d2f02b1c85cc09da1186e5"
},
{
"CN": "GlobalSign Organization Validation CA - SHA256 - G2",
"ISSUER_CN": "GlobalSign Root CA",
"md5": "d3e8706d8292ace4ddebf7a8bbbd566b"
}
]
}
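As an added example (not the tool's own code), here is the parsing a pcap-to-certificate extractor has to do once the TCP payload of each direction has been reassembled: split the TLS stream into records, reassemble handshake messages across record boundaries, pull server_name from the Client Hello and the DER blobs from the Certificate message, name each blob <md5>.der as above, and attribute src/dst so that the sender of Certificate becomes dst. The TLS bytes and the two "certificates" are constructed placeholders, not real X.509 data or a real capture; the function names, the der_len field, and the flow tuple layout are this example's own. CN/ISSUER_CN and is_valid need an X.509 parser and the trust bundle and are deliberately left out.

```python
import hashlib
import struct
HANDSHAKE, CLIENT_HELLO, CERTIFICATE, EXT_SERVER_NAME = 22, 1, 11, 0   # RFC 5246 values

def _uint(b, off, n):
    return int.from_bytes(b[off:off + n], "big")   # big-endian field reader

def parse_records(data):
    """Split a raw TLS byte stream into (content_type, version, body) records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than mis-parse the tail
        records.append((ctype, version, body))
        off += 5 + length
    return records

def handshake_messages(records):
    """Reassemble handshake messages (they may span records) into (type, body) pairs."""
    buf = b"".join(body for ctype, _, body in records if ctype == HANDSHAKE)
    msgs, off = [], 0
    while off + 4 <= len(buf):
        htype, length = buf[off], _uint(buf, off + 1, 3)
        body = buf[off + 4:off + 4 + length]
        if len(body) < length:
            break
        msgs.append((htype, body))
        off += 4 + length
    return msgs

def client_hello_sni(body):
    """Return host_name from the server_name extension of a ClientHello body, or None."""
    off = 2 + 32                      # client_version + random
    off += 1 + body[off]              # session_id
    off += 2 + _uint(body, off, 2)    # cipher_suites
    off += 1 + body[off]              # compression_methods
    if off + 2 > len(body):
        return None                   # no extensions block at all
    end, off = off + 2 + _uint(body, off, 2), off + 2
    while off + 4 <= end:
        etype, elen = _uint(body, off, 2), _uint(body, off + 2, 2)
        edata = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SERVER_NAME:
            p = 2                     # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype, nlen, p = edata[p], _uint(edata, p + 1, 2), p + 3
                if ntype == 0:        # host_name
                    return edata[p:p + nlen].decode("ascii", "replace")
                p += nlen
    return None

def certificate_chain(body):
    """Return the DER blobs of a TLS 1.2 Certificate message body, leaf first."""
    end, off, certs = 3 + _uint(body, 0, 3), 3, []
    while off + 3 <= end:
        clen = _uint(body, off, 3)
        certs.append(body[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs

def cert_filename(der):
    return hashlib.md5(der).hexdigest() + ".der"   # <md5>.der, as the tool names its output

def build_record(flows):
    """flows: (sender_ip, sender_port, receiver_ip, receiver_port, tls_bytes) per direction;
    the sender of the Certificate message is recorded as dst, matching the JSON above."""
    rec = {"server_name": None, "cert_chain": []}
    for sip, sport, rip, rport, data in flows:
        for htype, body in handshake_messages(parse_records(data)):
            if htype == CLIENT_HELLO:
                rec["server_name"] = client_hello_sni(body)
            elif htype == CERTIFICATE:
                rec.update(src_ip=rip, src_port=rport, dst_ip=sip, dst_port=sport)
                rec["cert_chain"] = [{"file": cert_filename(d), "der_len": len(d)}
                                     for d in certificate_chain(body)]
    rec["cert_chain_len"] = len(rec["cert_chain"])
    return rec

# ---- constructed sample traffic: placeholder bytes, not real X.509 data or a real capture ----
def _record(ctype, body): return struct.pack("!BHH", ctype, 0x0303, len(body)) + body
def _handshake(htype, body): return bytes([htype]) + len(body).to_bytes(3, "big") + body
def make_client_hello(host):
    entry = b"\x00" + len(host).to_bytes(2, "big") + host.encode("ascii")
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list   # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)   # version, random, no session id, one suite, null compression
    return _handshake(CLIENT_HELLO, body)
def make_certificate_msg(ders):
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    return _handshake(CERTIFICATE, len(entries).to_bytes(3, "big") + entries)
SAMPLE_CHAIN = [b"constructed-leaf-der", b"constructed-intermediate-der"]

def demo_record():
    client = _record(HANDSHAKE, make_client_hello("www.baidu.com"))
    cert_msg = make_certificate_msg(SAMPLE_CHAIN)
    server = _record(HANDSHAKE, cert_msg[:20]) + _record(HANDSHAKE, cert_msg[20:])  # spans two records
    return build_record([("172.20.113.76", 59686, "182.61.200.6", 443, client),
                         ("182.61.200.6", 443, "172.20.113.76", 59686, server)])

if __name__ == "__main__":
    print(demo_record())
```

Running the file prints the record for the constructed session: server_name www.baidu.com, cert_chain_len 2, src 172.20.113.76:59686 and dst 182.61.200.6:443 even though the Certificate bytes travel server-to-client. The truncation checks in parse_records and handshake_messages matter in practice: a capture that cuts a Certificate record short should yield no chain rather than a mangled one.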
> openssl x509 -in 50663ef56a53174a02db02b14ea7fcca.der -inform DER -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:72:b8:49:6f:4e:1e:c7:6e:d3:0c:8b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
Validity
Not Before: Oct 20 06:57:18 2020 GMT
Not After : Jul 26 05:31:02 2021 GMT
Subject: C = CN, ST = beijing, L = beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
Subject Public Key Info:
# ......