From bc5d574157d74fc3568445fa7d041a5ecd2994bc Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Sun, 29 Dec 2024 08:32:53 +0100 Subject: [PATCH 1/4] Revert "Reverted extracting system certificates" This reverts commit 70e7754e7771de6fe428e96953ea3761bfa9b4ad. --- README.MD | 4 ++++ .../crip/command/SharedProperties.java | 14 ++++++++++- src/main/resources/graalvm_config.json | 3 +++ .../crip/command/PrintCommandShould.java | 8 +++++++ .../export/DerExportCommandShould.java | 23 +++++++++++++++++++ .../export/JksExportCommandShould.java | 23 +++++++++++++++++++ .../export/PemExportCommandShould.java | 23 +++++++++++++++++++ .../export/Pkcs12ExportCommandShould.java | 23 +++++++++++++++++++ 8 files changed, 120 insertions(+), 1 deletion(-) diff --git a/README.MD b/README.MD index 5121041..47440f4 100644 --- a/README.MD +++ b/README.MD @@ -96,6 +96,7 @@ Prints the extracted certificates to the console -u, --url Url of the target server to extract the certificates. Can be provided multiple times. -t, --timeout Amount of milliseconds till the ripping should timeout --resolve-ca Indicator to automatically resolve the root ca. Possible options: true, false + --extract-system-ca Indicator to extract the operating system trusted root ca. Possible options: true, false Usage: crip export pkcs12 Export the extracted certificate to a PKCS12/p12 type truststore @@ -104,6 +105,7 @@ Export the extracted certificate to a PKCS12/p12 type truststore -d, --destination Destination of the to be stored file. Default is current directory if none is provided. -t, --timeout Amount of milliseconds till the ripping should timeout --resolve-ca Indicator to automatically resolve the root ca. Possible options: true, false + --extract-system-ca Indicator to extract the operating system trusted root ca. Possible options: true, false Usage: crip export der Export the extracted certificate to a binary form also known as DER 
@@ -112,6 +114,7 @@ Export the extracted certificate to a binary form also known as DER -d, --destination Destination of the to be stored file. Default is current directory if none is provided. -t, --timeout Amount of milliseconds till the ripping should timeout --resolve-ca Indicator to automatically resolve the root ca. Possible options: true, false + --extract-system-ca Indicator to extract the operating system trusted root ca. Possible options: true, false Usage: crip export pem Export the extracted certificate to a base64 encoded string also known as PEM @@ -121,6 +124,7 @@ Export the extracted certificate to a base64 encoded string also known as PEM --include-header Indicator to either omit or include additional information above the BEGIN statement. -t, --timeout Amount of milliseconds till the ripping should timeout --resolve-ca Indicator to automatically resolve the root ca. Possible options: true, false + --extract-system-ca Indicator to extract the operating system trusted root ca. Possible options: true, false Proxy options applicable for all commands --proxy-host Proxy host diff --git a/src/main/java/nl/altindag/crip/command/SharedProperties.java b/src/main/java/nl/altindag/crip/command/SharedProperties.java index f228fc6..9d69769 100644 --- a/src/main/java/nl/altindag/crip/command/SharedProperties.java +++ b/src/main/java/nl/altindag/crip/command/SharedProperties.java @@ -38,7 +38,7 @@ @SuppressWarnings({"unused", "FieldCanBeLocal", "FieldMayBeFinal"}) public class SharedProperties { - @Option(names = {"-u", "--url"}, description = "Url of the target server to extract the certificates", required = true) + @Option(names = {"-u", "--url"}, description = "Url of the target server to extract the certificates") private List urls = new ArrayList<>(); private List uniqueUrls; 
@@ -60,6 +60,9 @@ public class SharedProperties { @Option(names = {"--resolve-ca"}, description = "Indicator to automatically resolve the root ca%nPossible options: true, false") private Boolean resolveRootCa = true; + @Option(names = {"--extract-system-ca"}, description = "Indicator to extract the operating system trusted root ca%nPossible options: true, false") + private Boolean includeSystemCertificates = false; + public CertificateHolder getCertificateHolder() { List resolvedUrls = getUrls(); @@ -70,6 +73,15 @@ public CertificateHolder getCertificateHolder() { .map(url -> new AbstractMap.SimpleEntry<>(url, client.get(url))) .collect(Collectors.collectingAndThen(Collectors.toMap(AbstractMap.SimpleEntry::getKey, AbstractMap.SimpleEntry::getValue, (key1, key2) -> key1, LinkedHashMap::new), HashMap::new)); + if (includeSystemCertificates) { + List systemTrustedCertificates = CertificateUtils.getSystemTrustedCertificates(); + urlsToCertificates.put("system", systemTrustedCertificates); + } + + if (urlsToCertificates.isEmpty()) { + System.err.println("No certificates have been extracted. Please provide at least one url"); + } + return new CertificateHolder(urlsToCertificates); } diff --git a/src/main/resources/graalvm_config.json b/src/main/resources/graalvm_config.json index 0ba2bd8..839fc3e 100644 --- a/src/main/resources/graalvm_config.json +++ b/src/main/resources/graalvm_config.json @@ -33,6 +33,9 @@ }, { "name": "resolveRootCa" + }, + { + "name": "includeSystemCertificates" } ] }, diff --git a/src/test/java/nl/altindag/crip/command/PrintCommandShould.java b/src/test/java/nl/altindag/crip/command/PrintCommandShould.java index f3503f2..354efcd 100644 --- a/src/test/java/nl/altindag/crip/command/PrintCommandShould.java +++ b/src/test/java/nl/altindag/crip/command/PrintCommandShould.java 
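Review bot: The new `urlsToCertificates.isEmpty()` branch in `getCertificateHolder()` only prints to `System.err` and then still returns `new CertificateHolder(urlsToCertificates)` with an empty map, so the command carries on with nothing to export. Whether the callers then write an empty truststore or exit with status 0 is not visible in this hunk, but automation consuming the output would get no signal that it received no trust anchors. Consider failing instead of printing, for example `throw new IllegalStateException("No certificates have been extracted. Please provide at least one url");`, so the run ends with a non-zero exit code. The method body starts outside the hunk.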
@@ -101,4 +101,12 @@ void printCertificateInPemFormat() { } } + @Test + void provideHelpFullInformationWhenThereIsNothingToProcess() { + cmd.execute("print", "-f=pem"); + + String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); + assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); + } + } diff --git a/src/test/java/nl/altindag/crip/command/export/DerExportCommandShould.java b/src/test/java/nl/altindag/crip/command/export/DerExportCommandShould.java index 0ab056c..e7dd698 100644 --- a/src/test/java/nl/altindag/crip/command/export/DerExportCommandShould.java +++ b/src/test/java/nl/altindag/crip/command/export/DerExportCommandShould.java @@ -141,4 +141,27 @@ void timeoutWhenServerTakesToLongToRespond() throws IOException { logCaptor.close(); } + @Test + void processSystemTrustedCertificates() throws IOException { + createTempDirAndClearConsoleCaptor(); + + cmd.execute("export", "der", "--extract-system-ca=true", "--destination=" + TEMP_DIRECTORY.toAbsolutePath()); + + List files = Files.walk(TEMP_DIRECTORY, 1) + .filter(Files::isRegularFile) + .collect(Collectors.toList()); + + assertThat(files) + .hasSizeGreaterThan(1) + .allMatch(path -> path.toString().endsWith(".crt")); + } + + @Test + void provideHelpFullInformationWhenThereIsNothingToProcess() { + cmd.execute("export", "der"); + + String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); + assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); + } + } diff --git a/src/test/java/nl/altindag/crip/command/export/JksExportCommandShould.java b/src/test/java/nl/altindag/crip/command/export/JksExportCommandShould.java index 6964528..b63304d 100644 --- a/src/test/java/nl/altindag/crip/command/export/JksExportCommandShould.java +++ b/src/test/java/nl/altindag/crip/command/export/JksExportCommandShould.java 
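Review bot: `processSystemTrustedCertificates` in DerExportCommandShould never closes the `Files.walk(TEMP_DIRECTORY, 1)` stream, which holds directory handles until closed. Wrap it, e.g. `try (Stream<Path> walk = Files.walk(TEMP_DIRECTORY, 1)) { files = walk.filter(Files::isRegularFile).collect(Collectors.toList()); }`. The same pattern is repeated in the Jks, Pem and Pkcs12 test hunks of this patch. These tests also read the trust store of whatever machine runs them, so `hasSizeGreaterThan(1)` depends on the host having at least two trusted roots. A comment saying so, or an assumption guard, would make a failure on a minimal CI image easier to diagnose.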
@@ -107,4 +107,27 @@ void getKeyStoreType() { assertThat(keyStoreType).isEqualTo("JKS"); } + @Test + void processSystemTrustedCertificates() throws IOException { + createTempDirAndClearConsoleCaptor(); + + cmd.execute("export", "jks", "--extract-system-ca=true", "--destination=" + TEMP_DIRECTORY.toAbsolutePath().resolve("my-truststore.jks")); + + List files = Files.walk(TEMP_DIRECTORY, 1) + .filter(Files::isRegularFile) + .collect(Collectors.toList()); + + assertThat(files) + .hasSize(1) + .allMatch(path -> path.toString().endsWith(".jks")); + } + + @Test + void provideHelpFullInformationWhenThereIsNothingToProcess() { + cmd.execute("export", "jks"); + + String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); + assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); + } + } diff --git a/src/test/java/nl/altindag/crip/command/export/PemExportCommandShould.java b/src/test/java/nl/altindag/crip/command/export/PemExportCommandShould.java index 6a56e41..aa8253c 100644 --- a/src/test/java/nl/altindag/crip/command/export/PemExportCommandShould.java +++ b/src/test/java/nl/altindag/crip/command/export/PemExportCommandShould.java 
@@ -215,4 +215,27 @@ void resolveRootCaOnlyWhenEnabled() throws IOException { } } + @Test + void processSystemTrustedCertificates() throws IOException { + createTempDirAndClearConsoleCaptor(); + + cmd.execute("export", "pem", "--extract-system-ca=true", "--combined=true", "--destination=" + TEMP_DIRECTORY.toAbsolutePath()); + + List files = Files.walk(TEMP_DIRECTORY, 1) + .filter(Files::isRegularFile) + .collect(Collectors.toList()); + + assertThat(files) + .hasSize(1) + .allMatch(path -> path.toString().endsWith(".crt")); + } + + @Test + void provideHelpFullInformationWhenThereIsNothingToProcess() { + cmd.execute("export", "pem"); + + String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); + assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); + } + } diff --git a/src/test/java/nl/altindag/crip/command/export/Pkcs12ExportCommandShould.java b/src/test/java/nl/altindag/crip/command/export/Pkcs12ExportCommandShould.java index 24db9f4..3a02412 100644 --- a/src/test/java/nl/altindag/crip/command/export/Pkcs12ExportCommandShould.java +++ b/src/test/java/nl/altindag/crip/command/export/Pkcs12ExportCommandShould.java 
@@ -107,4 +107,27 @@ void getKeyStoreType() { assertThat(keyStoreType).isEqualTo("PKCS12"); } + @Test + void processSystemTrustedCertificates() throws IOException { + createTempDirAndClearConsoleCaptor(); + + cmd.execute("export", "p12", "--extract-system-ca=true", "--destination=" + TEMP_DIRECTORY.toAbsolutePath().resolve("my-truststore.p12")); + + List files = Files.walk(TEMP_DIRECTORY, 1) + .filter(Files::isRegularFile) + .collect(Collectors.toList()); + + assertThat(files) + .hasSize(1) + .allMatch(path -> path.toString().endsWith(".p12")); + } + + @Test + void provideHelpFullInformationWhenThereIsNothingToProcess() { + cmd.execute("export", "p12"); + + String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); + assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); + } + } From 90b3b1b73a49281faab9d527dd163e5c0f92e96e Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Wed, 5 Feb 2025 09:26:22 +0100 Subject: [PATCH 2/4] Simplified usage of system certificates --- .../crip/command/SharedProperties.java | 25 +++++++++++-------- .../crip/command/PrintCommandShould.java | 8 ------ .../export/DerExportCommandShould.java | 10 +------- .../export/JksExportCommandShould.java | 10 +------- .../export/PemExportCommandShould.java | 10 +------- .../export/Pkcs12ExportCommandShould.java | 10 +------- 6 files changed, 18 insertions(+), 55 deletions(-) diff --git a/src/main/java/nl/altindag/crip/command/SharedProperties.java b/src/main/java/nl/altindag/crip/command/SharedProperties.java index 9d69769..a2e19da 100644 --- a/src/main/java/nl/altindag/crip/command/SharedProperties.java +++ b/src/main/java/nl/altindag/crip/command/SharedProperties.java 
@@ -38,7 +38,9 @@ @SuppressWarnings({"unused", "FieldCanBeLocal", "FieldMayBeFinal"}) public class SharedProperties { - @Option(names = {"-u", "--url"}, description = "Url of the target server to extract the certificates") + private static final String SYSTEM = "system"; + + @Option(names = {"-u", "--url"}, description = "Url of the target server to extract the certificates", required = true) private List urls = new ArrayList<>(); private List uniqueUrls; @@ -60,9 +62,6 @@ public class SharedProperties { @Option(names = {"--resolve-ca"}, description = "Indicator to automatically resolve the root ca%nPossible options: true, false") private Boolean resolveRootCa = true; - @Option(names = {"--extract-system-ca"}, description = "Indicator to extract the operating system trusted root ca%nPossible options: true, false") - private Boolean includeSystemCertificates = false; - public CertificateHolder getCertificateHolder() { List resolvedUrls = getUrls(); @@ -73,13 +72,13 @@ public CertificateHolder getCertificateHolder() { .map(url -> new AbstractMap.SimpleEntry<>(url, client.get(url))) .collect(Collectors.collectingAndThen(Collectors.toMap(AbstractMap.SimpleEntry::getKey, AbstractMap.SimpleEntry::getValue, (key1, key2) -> key1, LinkedHashMap::new), HashMap::new)); - if (includeSystemCertificates) { - List systemTrustedCertificates = CertificateUtils.getSystemTrustedCertificates(); - urlsToCertificates.put("system", systemTrustedCertificates); - } - - if (urlsToCertificates.isEmpty()) { - System.err.println("No certificates have been extracted. Please provide at least one url"); + if (urls.contains(SYSTEM)) { + try { + List systemTrustedCertificates = CertificateUtils.getSystemTrustedCertificates(); + urlsToCertificates.put(SYSTEM, systemTrustedCertificates); + } catch (UnsatisfiedLinkError error) { + System.out.printf("Unable to extract system certificates for %s\n", System.getProperty("os.name")); + } } return new CertificateHolder(urlsToCertificates); 
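Review bot: The `catch (UnsatisfiedLinkError error)` branch in `getCertificateHolder()` reports the failure on `System.out`, which is presumably also where the `print` command writes certificate output, and it uses `\n` in a format string where `%n` is expected. The earlier patch in this series wrote its diagnostics to `System.err`; prefer `System.err.printf("Unable to extract system certificates for %s%n", System.getProperty("os.name"));`. After the catch the method still returns a holder without the `system` entry, so a caller who asked for the system trust anchors gets a result that lacks them with only a console line as evidence. If that best-effort behaviour is intended, a short comment saying so would help. The method body starts and ends outside the hunk.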
@@ -112,6 +111,10 @@ public List getUrls() { Map> hostToPort = new HashMap<>(); for (String url : urls) { + if (SYSTEM.equals(url)) { + continue; + } + String host = UriUtils.extractHost(url); int port = UriUtils.extractPort(url); diff --git a/src/test/java/nl/altindag/crip/command/PrintCommandShould.java b/src/test/java/nl/altindag/crip/command/PrintCommandShould.java index 354efcd..f3503f2 100644 --- a/src/test/java/nl/altindag/crip/command/PrintCommandShould.java +++ b/src/test/java/nl/altindag/crip/command/PrintCommandShould.java @@ -101,12 +101,4 @@ void printCertificateInPemFormat() { } } - @Test - void provideHelpFullInformationWhenThereIsNothingToProcess() { - cmd.execute("print", "-f=pem"); - - String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); - assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); - } - } diff --git a/src/test/java/nl/altindag/crip/command/export/DerExportCommandShould.java b/src/test/java/nl/altindag/crip/command/export/DerExportCommandShould.java index e7dd698..71632ac 100644 --- a/src/test/java/nl/altindag/crip/command/export/DerExportCommandShould.java +++ b/src/test/java/nl/altindag/crip/command/export/DerExportCommandShould.java @@ -145,7 +145,7 @@ void timeoutWhenServerTakesToLongToRespond() throws IOException { void processSystemTrustedCertificates() throws IOException { createTempDirAndClearConsoleCaptor(); - cmd.execute("export", "der", "--extract-system-ca=true", "--destination=" + TEMP_DIRECTORY.toAbsolutePath()); + cmd.execute("export", "der", "--url=system", "--destination=" + TEMP_DIRECTORY.toAbsolutePath()); List files = Files.walk(TEMP_DIRECTORY, 1) .filter(Files::isRegularFile) 
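Review bot: `SYSTEM.equals(url)` in `getUrls()` is an exact, case-sensitive match, so `-u SYSTEM` or a value with stray whitespace is not skipped and falls through to `UriUtils.extractHost(url)`, whose handling of a non-URL string is not visible here. The `urls.contains(SYSTEM)` check in `getCertificateHolder()` is equally strict, so both places should share one predicate, for example `SYSTEM.equalsIgnoreCase(url.trim())`. The `--url` option description also does not say that `system` is a reserved value. Appending something like `%nUse 'system' to extract the operating system trusted certificates` would surface it in the generated help. The loop continues outside the hunk.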
@@ -156,12 +156,4 @@ void processSystemTrustedCertificates() throws IOException { .allMatch(path -> path.toString().endsWith(".crt")); } - @Test - void provideHelpFullInformationWhenThereIsNothingToProcess() { - cmd.execute("export", "der"); - - String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); - assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); - } - } diff --git a/src/test/java/nl/altindag/crip/command/export/JksExportCommandShould.java b/src/test/java/nl/altindag/crip/command/export/JksExportCommandShould.java index b63304d..449542d 100644 --- a/src/test/java/nl/altindag/crip/command/export/JksExportCommandShould.java +++ b/src/test/java/nl/altindag/crip/command/export/JksExportCommandShould.java @@ -111,7 +111,7 @@ void getKeyStoreType() { void processSystemTrustedCertificates() throws IOException { createTempDirAndClearConsoleCaptor(); - cmd.execute("export", "jks", "--extract-system-ca=true", "--destination=" + TEMP_DIRECTORY.toAbsolutePath().resolve("my-truststore.jks")); + cmd.execute("export", "jks", "--url=system", "--destination=" + TEMP_DIRECTORY.toAbsolutePath().resolve("my-truststore.jks")); List files = Files.walk(TEMP_DIRECTORY, 1) .filter(Files::isRegularFile) @@ -122,12 +122,4 @@ void processSystemTrustedCertificates() throws IOException { .allMatch(path -> path.toString().endsWith(".jks")); } - @Test - void provideHelpFullInformationWhenThereIsNothingToProcess() { - cmd.execute("export", "jks"); - - String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); - assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); - } - } diff --git a/src/test/java/nl/altindag/crip/command/export/PemExportCommandShould.java b/src/test/java/nl/altindag/crip/command/export/PemExportCommandShould.java index aa8253c..329834d 100644 --- a/src/test/java/nl/altindag/crip/command/export/PemExportCommandShould.java 
+++ b/src/test/java/nl/altindag/crip/command/export/PemExportCommandShould.java @@ -219,7 +219,7 @@ void resolveRootCaOnlyWhenEnabled() throws IOException { void processSystemTrustedCertificates() throws IOException { createTempDirAndClearConsoleCaptor(); - cmd.execute("export", "pem", "--extract-system-ca=true", "--combined=true", "--destination=" + TEMP_DIRECTORY.toAbsolutePath()); + cmd.execute("export", "pem", "--url=system", "--combined=true", "--destination=" + TEMP_DIRECTORY.toAbsolutePath()); List files = Files.walk(TEMP_DIRECTORY, 1) .filter(Files::isRegularFile) @@ -230,12 +230,4 @@ void processSystemTrustedCertificates() throws IOException { .allMatch(path -> path.toString().endsWith(".crt")); } - @Test - void provideHelpFullInformationWhenThereIsNothingToProcess() { - cmd.execute("export", "pem"); - - String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); - assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); - } - } diff --git a/src/test/java/nl/altindag/crip/command/export/Pkcs12ExportCommandShould.java b/src/test/java/nl/altindag/crip/command/export/Pkcs12ExportCommandShould.java index 3a02412..156e694 100644 --- a/src/test/java/nl/altindag/crip/command/export/Pkcs12ExportCommandShould.java +++ b/src/test/java/nl/altindag/crip/command/export/Pkcs12ExportCommandShould.java @@ -111,7 +111,7 @@ void getKeyStoreType() { void processSystemTrustedCertificates() throws IOException { createTempDirAndClearConsoleCaptor(); - cmd.execute("export", "p12", "--extract-system-ca=true", "--destination=" + TEMP_DIRECTORY.toAbsolutePath().resolve("my-truststore.p12")); + cmd.execute("export", "p12", "--url=system", "--destination=" + TEMP_DIRECTORY.toAbsolutePath().resolve("my-truststore.p12")); List files = Files.walk(TEMP_DIRECTORY, 1) .filter(Files::isRegularFile) 
@@ -122,12 +122,4 @@ void processSystemTrustedCertificates() throws IOException { .allMatch(path -> path.toString().endsWith(".p12")); } - @Test - void provideHelpFullInformationWhenThereIsNothingToProcess() { - cmd.execute("export", "p12"); - - String output = String.join(System.lineSeparator(), consoleCaptor.getErrorOutput()); - assertThat(output).contains("No certificates have been extracted. Please provide at least one url"); - } - } From 78a5f661456d2079a27c8284ddff290b3393b330 Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Wed, 5 Feb 2025 10:33:32 +0100 Subject: [PATCH 3/4] Disabled Apple KeychainStore --- src/main/java/nl/altindag/crip/App.java | 8 ++ .../provider/CertificateRipperProvider.java | 58 ++++++++++ .../crip/provider/DummyKeychainStore.java | 109 ++++++++++++++++++ 3 files changed, 175 insertions(+) create mode 100644 src/main/java/nl/altindag/crip/provider/CertificateRipperProvider.java create mode 100644 src/main/java/nl/altindag/crip/provider/DummyKeychainStore.java diff --git a/src/main/java/nl/altindag/crip/App.java b/src/main/java/nl/altindag/crip/App.java index 27b9ab7..f62d2b8 100644 --- a/src/main/java/nl/altindag/crip/App.java +++ b/src/main/java/nl/altindag/crip/App.java 
@@ -16,12 +16,20 @@ package nl.altindag.crip; import nl.altindag.crip.command.CertificateRipper; +import nl.altindag.crip.provider.CertificateRipperProvider; import nl.altindag.crip.util.HelpFactory; import picocli.CommandLine; +import java.security.Security; + public class App { public static void main(String[] applicationArguments) { + // Temporally ignoring KeychainStore as it does not work with Graal VM yet. + // The actual call to get the KeychainStore from the Apple Provider will be intercepted, and it will return a dummy keystore + // See here for the related issue https://github.com/oracle/graal/issues/10387 + Security.insertProviderAt(new CertificateRipperProvider(), 1); + new CommandLine(new CertificateRipper()) .setCaseInsensitiveEnumValuesAllowed(true) .setHelpFactory(new HelpFactory()) diff --git a/src/main/java/nl/altindag/crip/provider/CertificateRipperProvider.java b/src/main/java/nl/altindag/crip/provider/CertificateRipperProvider.java new file mode 100644 index 0000000..0917ccd --- /dev/null +++ b/src/main/java/nl/altindag/crip/provider/CertificateRipperProvider.java 
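Review bot: `Security.insertProviderAt(new CertificateRipperProvider(), 1)` in `main` runs unconditionally, so the stub wins every `KeychainStore` lookup on all platforms and in plain JVM runs, not only in the GraalVM native image the comment gives as the reason. On macOS under a regular JVM this replaces a working keychain-backed store with an empty one, and `--url=system` would then presumably omit keychain-trusted roots without any message. Consider guarding the call, e.g. `if (System.getProperty("org.graalvm.nativeimage.imagecode") != null) { Security.insertProviderAt(new CertificateRipperProvider(), 1); }`. The comment should also state the condition under which the workaround can be removed.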
@@ -0,0 +1,58 @@ +/* + * Copyright 2021 Thunderberry. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package nl.altindag.crip.provider; + +import java.security.AccessController; +import java.security.NoSuchAlgorithmException; +import java.security.PrivilegedAction; +import java.security.Provider; +import java.security.ProviderException; + +public final class CertificateRipperProvider extends Provider { + + private static final class MockAppleProviderService extends Provider.Service { + + public MockAppleProviderService(Provider p, String type, String algo, String cn) { + super(p, type, algo, cn, null, null); + } + + @Override + public Object newInstance(Object constructorParameter) throws NoSuchAlgorithmException { + String type = getType(); + String algo = getAlgorithm(); + try { + if (type.equals("KeyStore") && algo.equals("KeychainStore") || algo.equals("KeychainStore-ROOT")) { + return new DummyKeychainStore(); + } + } catch (Exception ex) { + throw new NoSuchAlgorithmException("Error constructing " + type + " for " + algo, ex); + } + throw new ProviderException("No impl for " + algo + " " + type); + } + } + + public CertificateRipperProvider() { + super("CertificateRipper", 1.0, "Certificate Ripper Security Provider"); + + final Provider provider = this; + AccessController.doPrivileged((PrivilegedAction) () -> { + putService(new MockAppleProviderService(provider, "KeyStore", "KeychainStore", "apple.security.KeychainStore$USER")); + 
putService(new MockAppleProviderService(provider, "KeyStore", "KeychainStore-ROOT", "apple.security.KeychainStore$ROOT")); + return null; + }); + } + +} \ No newline at end of file diff --git a/src/main/java/nl/altindag/crip/provider/DummyKeychainStore.java b/src/main/java/nl/altindag/crip/provider/DummyKeychainStore.java new file mode 100644 index 0000000..67aefc8 --- /dev/null +++ b/src/main/java/nl/altindag/crip/provider/DummyKeychainStore.java 
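Review bot: The condition in `MockAppleProviderService.newInstance` is `type.equals("KeyStore") && algo.equals("KeychainStore") || algo.equals("KeychainStore-ROOT")`, and because `&&` binds tighter than `||` the type check does not cover the `KeychainStore-ROOT` arm. Only `KeyStore` services are registered in the constructor, so this is latent, but the intent should be explicit: `if (type.equals("KeyStore") && (algo.equals("KeychainStore") || algo.equals("KeychainStore-ROOT")))`. The constructor also wraps `putService` in `AccessController.doPrivileged`, which is deprecated for removal in recent JDKs; `putService` can be called directly from the subclass constructor. A class-level Javadoc stating that this provider deliberately shadows the Apple keystore types with an empty store would help anyone auditing the installed security providers.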
@@ -0,0 +1,109 @@ +/* + * Copyright 2021 Thunderberry. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package nl.altindag.crip.provider; + +import java.io.InputStream; +import java.io.OutputStream; +import java.security.Key; +import java.security.KeyStoreSpi; +import java.security.cert.Certificate; +import java.util.Collections; +import java.util.Date; +import java.util.Enumeration; + +final class DummyKeychainStore extends KeyStoreSpi { + + @Override + public Key engineGetKey(String alias, char[] password) { + return null; + } + + @Override + public Certificate[] engineGetCertificateChain(String alias) { + return new Certificate[0]; + } + + @Override + public Certificate engineGetCertificate(String alias) { + return null; + } + + @Override + public Date engineGetCreationDate(String alias) { + return null; + } + + @Override + public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain) { + + } + + @Override + public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) { + + } + + @Override + public void engineSetCertificateEntry(String alias, Certificate cert) { + + } + + @Override + public void engineDeleteEntry(String alias) { + + } + + @Override + public Enumeration engineAliases() { + return Collections.emptyEnumeration(); + } + + @Override + public boolean engineContainsAlias(String alias) { + return false; + } + + @Override + public int engineSize() { + return 0; + } + + @Override + public boolean 
engineIsKeyEntry(String alias) { + return false; + } + + @Override + public boolean engineIsCertificateEntry(String alias) { + return false; + } + + @Override + public String engineGetCertificateAlias(Certificate cert) { + return ""; + } + + @Override + public void engineStore(OutputStream stream, char[] password) { + + } + + @Override + public void engineLoad(InputStream stream, char[] password) { + + } + +} From f6a58669b41a8a4d33cb6fd2a48abfcd14c6199e Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Wed, 5 Feb 2025 10:38:17 +0100 Subject: [PATCH 4/4] Updated command --- README.MD | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.MD b/README.MD index 1503180..357771c 100644 --- a/README.MD +++ b/README.MD @@ -99,7 +99,6 @@ Prints the extracted certificates to the console -u, --url Url of the target server to extract the certificates. Can be provided multiple times. -t, --timeout Amount of milliseconds till the ripping should timeout --resolve-ca Indicator to automatically resolve the root ca. Possible options: true, false - --extract-system-ca Indicator to extract the operating system trusted root ca. Possible options: true, false Usage: crip export pkcs12 Export the extracted certificate to a PKCS12/p12 type truststore @@ -108,7 +107,6 @@ Export the extracted certificate to a PKCS12/p12 type truststore -d, --destination Destination of the to be stored file. Default is current directory if none is provided. -t, --timeout Amount of milliseconds till the ripping should timeout --resolve-ca Indicator to automatically resolve the root ca. Possible options: true, false - --extract-system-ca Indicator to extract the operating system trusted root ca. Possible options: true, false Usage: crip export der Export the extracted certificate to a binary form also known as DER 
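Review bot: `DummyKeychainStore.engineGetCertificateAlias` returns `""` and `engineGetCertificateChain` returns `new Certificate[0]`, whereas the `KeyStore` contract is `null` when no matching entry exists. A caller testing `getCertificateAlias(cert) != null` would conclude the certificate is present in a store that holds nothing, so return `null` from both. The mutating methods (`engineSetCertificateEntry`, both `engineSetKeyEntry` overloads, `engineStore`) silently discard their input. Throwing `UnsupportedOperationException` there, or at least documenting the no-op behaviour in a class comment, would keep a write to the stub from looking successful.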
@@ -117,7 +115,6 @@ Export the extracted certificate to a binary form also known as DER -d, --destination Destination of the to be stored file. Default is current directory if none is provided. -t, --timeout Amount of milliseconds till the ripping should timeout --resolve-ca Indicator to automatically resolve the root ca. Possible options: true, false - --extract-system-ca Indicator to extract the operating system trusted root ca. Possible options: true, false Usage: crip export pem Export the extracted certificate to a base64 encoded string also known as PEM @@ -127,7 +124,6 @@ Export the extracted certificate to a base64 encoded string also known as PEM --include-header Indicator to either omit or include additional information above the BEGIN statement. -t, --timeout Amount of milliseconds till the ripping should timeout --resolve-ca Indicator to automatically resolve the root ca. Possible options: true, false - --extract-system-ca Indicator to extract the operating system trusted root ca. Possible options: true, false Proxy options applicable for all commands --proxy-host Proxy host @@ -196,6 +192,11 @@ Works only with the combined option while only specifying a single url. crip export pem -u=https://github.com --combined=true --destination=/path/to/export/github-chain.crt ``` +### Extract system certificates +```bash +crip export pem -u=system +``` + ## Contributing There are plenty of ways to contribute to this project: