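#!/bin/bash
#
# Interactive menu around openssl(1) for routine X.509 chores: CSR, PFX and
# self-signed certificate creation, extraction from PFX files and from live
# hosts, CSR/certificate inspection, key<->cert and csr<->cert matching, and
# TLS handshake / cipher probing.
#
# Every menu action runs in its own subshell, so a `cd` or `umask` inside an
# action cannot leak into the next one and the script always returns to
# $basepath.
#
# Security notes for maintainers:
#   * Files holding key material (.key, .pfx) are created under `umask 077`, so
#     they are owner-readable only from the moment they exist.
#   * PKCS#12 passwords reach openssl through the environment (`env:PFX_PASS`),
#     never on the command line where `ps` would expose them to every local
#     user, and are read with `read -s` so they are not echoed.
#   * Every user-supplied value is quoted and passed after `--` where the
#     receiving command accepts it; `rm -rf` only runs on a non-empty,
#     non-root path the user explicitly confirmed.
#   * openssl s_client is given -servername (SNI) for hostnames; without it a
#     virtual-hosted server hands back its default certificate.
#   * Values typed into the DN end up in an openssl config file; openssl
#     expands `$name` inside config values, so a CN containing `$` is
#     interpreted, not taken literally.

set -uo pipefail

readonly basepath="$(pwd)"

#######################################
# Print the ASCII banner (spacing of the art is as found in this copy).
#######################################
print_banner() {
  cat <<'EOF'

 e88'Y88 d8 ,e, dP,e, ,e, d8 
 d888 'Y ,e e, 888,8, d88 " 8b " " e88'888 ,"Y88b d88 ,e e, 
C8888 d88 88b 888 " d88888 888 888888 888 d888 '8 "8" 888 d88888 d88 88b
 Y888 ,d 888 , 888 888 888 888 888 Y888 , ,ee 888 888 888 ,
 "88,d88 "YeeP" 888 888 888 888 888 "88,e8' "88 888 888 "YeeP"

 e e 
 d8b d8b ,"Y88b 888 8e ,"Y88b e88 888 ,e e, 888,8, 
 e Y8b Y8b "8" 888 888 88b "8" 888 d888 888 d88 88b 888 " 
 d8b Y8b Y8b ,ee 888 888 888 ,ee 888 Y888 888 888 , 888 
 d888b Y8b Y8b "88 888 888 888 "88 888 "88 888 "YeeP" 888 
 , 88P 
 "8",P" 
 By Andrea Buzzi
EOF
}

#######################################
# Print a diagnostic on stderr.
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Prompt for one line of input.
# Arguments: $1 - prompt text (the ">> " prefix is added here)
#            $2 - name of the variable to fill
# Returns:   non-zero on EOF so callers can abort instead of looping.
#######################################
ask() {
  read -r -p ">> $1" "$2"
}

#######################################
# Prompt for a secret without echoing it to the terminal.
# Arguments: as ask()
#######################################
ask_secret() {
  local rc=0
  read -r -s -p ">> $1" "$2" || rc=$?
  echo    # -s suppresses the newline the user typed
  return "$rc"
}

#######################################
# Change into an existing, user-supplied folder.
# Arguments: $1 - folder path
# Returns:   1 (after a message) when it is not a directory or cd fails.
#######################################
enter_folder() {
  if [[ ! -d "$1" ]]; then
    echo -e "The folder doesn't exist...\n"
    return 1
  fi
  cd -- "$1" || return 1
}

#######################################
# Check that a user-supplied file exists relative to the current folder.
# Arguments: $1 - file path
#######################################
require_file() {
  if [[ ! -f "$1" ]]; then
    echo -e "The specified file does not exist...\n"
    return 1
  fi
}

#######################################
# Validate a TCP port number.
# Arguments: $1 - port as typed by the user
#######################################
valid_port() {
  if [[ ! "$1" =~ ^[0-9]{1,5}$ ]] || (( 10#$1 < 1 || 10#$1 > 65535 )); then
    echo -e "Invalid port...\n"
    return 1
  fi
}

#######################################
# True when the argument looks like an IPv4 or IPv6 literal rather than a
# hostname (SNI is only defined for hostnames, and IP SANs need IP.n entries).
# Arguments: $1 - host or SAN value
#######################################
is_ip_literal() {
  [[ "$1" =~ ^[0-9]+(\.[0-9]+){3}$ || "$1" == *:* ]]
}

#######################################
# Derive a file-name stem from a user-supplied name: a '/' in the CN would
# otherwise make openssl write outside the working folder.
# Arguments: $1 - raw name
# Outputs:   sanitised stem (falls back to "certificate" when empty)
#######################################
file_stem() {
  local s=${1//\//_}
  printf '%s' "${s:-certificate}"
}

#######################################
# Create a fresh working folder for generated material, asking before an
# existing one is wiped, and cd into it.
# Arguments: $1 - folder path
# Returns:   0 when the folder is ready and is the cwd, 1 otherwise.
#######################################
prepare_new_folder() {
  local folder=$1 answer
  # Guard the destructive branch: an empty or root path must never reach rm -rf.
  if [[ -z "$folder" || "$folder" == "/" ]]; then
    echo -e "Invalid folder name...\n"
    return 1
  fi
  if [[ -e "$folder" ]]; then
    ask "The folder \"$folder\" already exists, overwrite it? [Y/N]: " answer || return 1
    if [[ "$answer" != [yY] ]]; then
      echo -e "You chose not to overwrite the existing folder...\n"
      return 1
    fi
    rm -rf -- "${folder:?}"
  fi
  if ! mkdir -p -- "$folder" || ! cd -- "$folder"; then
    warn "Cannot create or enter folder \"$folder\"."
    return 1
  fi
}

#######################################
# Interactively collect the subject DN and the SANs and write ./config for
# `openssl req`.
# Globals:   cername (written) - the CN entered; callers name output files
#                                after it
# Arguments: $1 - "csr" or "x509". "x509" also sets x509_extensions so the
#                 SAN block lands in a self-signed certificate on OpenSSL
#                 releases whose -x509 path reads only x509_extensions.
# Returns:   non-zero on EOF while prompting.
#######################################
write_req_config() {
  local mode=$1 org ou st cc san
  local -a san_lines=()
  local n=1

  ask "Certificate name [CN]: " cername || return 1
  ask "Organization [O]: " org || return 1
  ask "Organizational Unit [OU]: " ou || return 1
  ask "State/Province [ST]: " st || return 1
  ask "Country code (2 letters) [C]: " cc || return 1

  echo -e "\nAdditional subject information will now be requested: enter name, DNS name, IP, etc."
  while ask "Enter SAN [. to finish input]: " san; do
    [[ "$san" == "." ]] && break
    [[ -z "$san" ]] && continue
    # IP addresses must go in IP.n entries: a DNS.n entry holding an address
    # is not matched by TLS clients.
    if is_ip_literal "$san"; then
      san_lines+=("IP.$n = $san")
    else
      san_lines+=("DNS.$n = $san")
    fi
    n=$((n + 1))
  done

  {
    echo "[req]"
    echo "default_bits = 2048"
    echo "prompt = no"
    echo "default_md = sha256"
    echo "distinguished_name = dn"
    # Only reference the extension section when there is something in it: an
    # empty alt_names list makes openssl reject the subjectAltName extension.
    if (( ${#san_lines[@]} > 0 )); then
      echo "req_extensions = req_ext"
      [[ "$mode" == "x509" ]] && echo "x509_extensions = req_ext"
      echo
      echo "[req_ext]"
      echo "subjectAltName = @alt_names"
    fi
    echo
    echo "[dn]"
    echo "CN = $cername"
    echo "O = $org"
    echo "OU = $ou"
    echo "ST = $st"
    echo "C = $cc"
    if (( ${#san_lines[@]} > 0 )); then
      echo
      echo "[alt_names]"
      printf '%s\n' "${san_lines[@]}"
    fi
  } > config
}

#######################################
# [1] Generate an RSA-2048 key and a CSR in a new folder.
# Globals: cername (via write_req_config)
#######################################
create_csr() {
  local folder stem
  echo -e "\nYou chose to create a new CSR...\n"
  ask "New certificate folder: " folder || return 1
  prepare_new_folder "$folder" || return 1
  write_req_config csr || return 1
  stem=$(file_stem "$cername")
  echo -e "\n ---STARTING CSR GENERATION---"
  # umask 077: the private key must never be created group/world readable.
  if (umask 077
      openssl req -new -newkey rsa:2048 -nodes -keyout "$stem.key" -out "$stem.csr" -config config); then
    echo -e " ---CSR GENERATION COMPLETED---\n"
  else
    warn "CSR generation failed (see openssl output above)."
    return 1
  fi
}

#######################################
# [2] Bundle an existing key and certificate into a password-protected PFX.
#######################################
create_pfx() {
  local folder keyfile cerfile pfxname password
  echo -e "\nYou chose to create a new PFX...\n"
  ask "Folder with private and public key: " folder || return 1
  enter_folder "$folder" || return 1
  ask "Private key file name (.key): " keyfile || return 1
  require_file "$keyfile" || return 1
  ask "Public key file name (.cer/.pem): " cerfile || return 1
  require_file "$cerfile" || return 1
  ask "Certificate name: " pfxname || return 1
  pfxname=$(file_stem "$pfxname")
  ask_secret "PFX password: " password || return 1
  echo -e "\n ---STARTING PFX GENERATION---"
  # Password via env:, not pass:, so it never appears in the process list.
  if (umask 077
      PFX_PASS="$password" openssl pkcs12 -export -out "$pfxname.pfx" \
        -inkey "$keyfile" -in "$cerfile" -passout env:PFX_PASS); then
    echo -e " ---PFX GENERATION COMPLETED---\n"
  else
    warn "PFX generation failed (see openssl output above)."
    return 1
  fi
}

#######################################
# [3] Generate an RSA-4096 self-signed certificate plus a PFX of it.
# Globals: cername (via write_req_config)
#######################################
create_selfsigned() {
  local folder days password stem
  echo -e "\nYou chose to create a new self-signed certificate...\n"
  ask "New certificate folder: " folder || return 1
  prepare_new_folder "$folder" || return 1
  write_req_config x509 || return 1
  ask "Duration [days]: " days || return 1
  if [[ ! "$days" =~ ^[1-9][0-9]*$ ]]; then
    echo -e "Duration must be a positive number of days...\n"
    return 1
  fi
  ask_secret "Certificate password: " password || return 1
  stem=$(file_stem "$cername")
  echo -e "\n ---STARTING CERTIFICATE GENERATION---"
  # -newkey rsa:4096 on the command line overrides default_bits in config.
  if (umask 077
      openssl req -x509 -newkey rsa:4096 -keyout "$stem.key" -out "$stem.cer" \
        -sha256 -days "$days" -nodes -config config \
      && PFX_PASS="$password" openssl pkcs12 -export -out "$stem.pfx" \
        -inkey "$stem.key" -in "$stem.cer" -passout env:PFX_PASS); then
    echo -e " ---CERTIFICATE GENERATION COMPLETED---\n"
  else
    warn "Certificate generation failed (see openssl output above)."
    return 1
  fi
}

#######################################
# [4] Split a PFX into a PEM certificate file and an unencrypted PEM key.
#######################################
extract_pfx() {
  local folder pfxfile password stem
  echo -e "\nYou chose to extract data from a PFX...\n"
  ask "Folder with PFX file: " folder || return 1
  enter_folder "$folder" || return 1
  ask "PFX file name (.pfx): " pfxfile || return 1
  require_file "$pfxfile" || return 1
  ask_secret "PFX password: " password || return 1
  ask "Certificate name: " stem || return 1
  stem=$(file_stem "$stem")
  echo -e "\n ---STARTING PFX INFORMATION EXTRACTION---"
  # The awk filter keeps only the PEM blocks, dropping the bag attributes
  # openssl prints around them. The key is written with -nodes (no
  # passphrase), hence the 077 umask on that file.
  if PFX_PASS="$password" openssl pkcs12 -in "$pfxfile" -nodes -nokeys -passin env:PFX_PASS \
       | awk '/-----BEGIN/{a=1}/-----END/{print;a=0}a' > "$stem.cer" \
     && (umask 077
         PFX_PASS="$password" openssl pkcs12 -in "$pfxfile" -nodes -nocerts -passin env:PFX_PASS \
           | awk '/-----BEGIN/{a=1}/-----END/{print;a=0}a' > "$stem.key"); then
    echo -e " ---PFX INFORMATION EXTRACTION COMPLETED---\n"
  else
    # A wrong password fails the pipeline; do not leave empty files behind.
    rm -f -- "$stem.cer" "$stem.key"
    warn "PFX extraction failed (wrong password or unreadable file)."
    return 1
  fi
}

#######################################
# [5] Download the leaf certificate presented by host:port into <host>.cer.
#######################################
fetch_host_cert() {
  local folder host port
  local -a sni=()
  echo -e "\nYou chose to extract certificate from host...\n"
  ask "Folder: " folder || return 1
  if [[ -z "$folder" ]]; then
    echo -e "Invalid folder name...\n"
    return 1
  fi
  if ! mkdir -p -- "$folder" || ! cd -- "$folder"; then
    warn "Cannot create or enter folder \"$folder\"."
    return 1
  fi
  ask "Host: " host || return 1
  ask "Port: " port || return 1
  valid_port "$port" || return 1
  is_ip_literal "$host" || sni=(-servername "$host")
  echo -e "\n ---STARTING HOST CERTIFICATE EXTRACTION---"
  # `>` rather than `>>`: a re-run must not accumulate several certificates
  # in one file, which `openssl x509 -in` would not parse.
  # ${sni[@]+"${sni[@]}"} expands to nothing for an empty array under set -u.
  if openssl s_client -connect "$host:$port" ${sni[@]+"${sni[@]}"} </dev/null 2>/dev/null \
       | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$host.cer" \
     && [[ -s "$host.cer" ]]; then
    echo -e " ---HOST CERTIFICATE INFORMATION EXTRACTION COMPLETED---\n"
  else
    rm -f -- "$host.cer"
    warn "No certificate received from $host:$port."
    return 1
  fi
}

#######################################
# [6] Dump a CSR in human-readable form.
#######################################
analyze_csr() {
  local folder csrfile
  echo -e "\nYou chose to analyze a CSR...\n"
  ask "CSR folder: " folder || return 1
  enter_folder "$folder" || return 1
  ask "CSR file name: " csrfile || return 1
  require_file "$csrfile" || return 1
  openssl req -in "$csrfile" -noout -text
  echo -e "\n"
}

#######################################
# [7] Dump a certificate in human-readable form.
#######################################
analyze_cert() {
  local folder cerfile
  echo -e "\nYou chose to analyze a certificate...\n"
  ask "Certificate folder: " folder || return 1
  enter_folder "$folder" || return 1
  ask "Certificate file name (.cer): " cerfile || return 1
  require_file "$cerfile" || return 1
  openssl x509 -in "$cerfile" -text -noout
  echo -e "\n"
}

#######################################
# Print the match/no-match verdict for two public-key digests.
# Arguments: $1, $2 - digests as produced by `sha256sum`
#######################################
report_match() {
  if [[ "$1" == "$2" ]]; then
    echo -e "\nVERIFICATION RESULT: the two files match\n"
  else
    echo -e "\nVERIFICATION RESULT: the two files do not match\n"
  fi
}

#######################################
# [8] Compare the public key inside a private key with the one in a cert.
# Both sides are reduced to the SHA-256 of their PEM public key; with
# pipefail an unreadable input fails the assignment instead of silently
# hashing an empty stream.
#######################################
test_key_cert() {
  local folder cerfile keyfile dkey dcer
  echo -e "\nYou chose to test key-cert match...\n"
  ask "Cartella: " folder || return 1
  enter_folder "$folder" || return 1
  ask "Certificate file name (.cer): " cerfile || return 1
  require_file "$cerfile" || return 1
  ask "Private key file name (.key): " keyfile || return 1
  require_file "$keyfile" || return 1
  dkey=$(openssl pkey -in "$keyfile" -pubout -outform pem | sha256sum) \
    || { warn "Could not read the private key."; return 1; }
  dcer=$(openssl x509 -in "$cerfile" -pubkey -noout | sha256sum) \
    || { warn "Could not read the certificate."; return 1; }
  report_match "$dkey" "$dcer"
}

#######################################
# [9] Compare the public key inside a CSR with the one in a certificate.
#######################################
test_csr_cert() {
  local folder cerfile csrfile dcsr dcer
  echo -e "\nYou chose to test csr-cert match...\n"
  ask "Cartella: " folder || return 1
  enter_folder "$folder" || return 1
  ask "Certificate file name (.cer): " cerfile || return 1
  require_file "$cerfile" || return 1
  ask "CSR file name (.csr): " csrfile || return 1
  require_file "$csrfile" || return 1
  dcsr=$(openssl req -in "$csrfile" -pubkey -noout | sha256sum) \
    || { warn "Could not read the CSR."; return 1; }
  dcer=$(openssl x509 -in "$cerfile" -pubkey -noout | sha256sum) \
    || { warn "Could not read the certificate."; return 1; }
  report_match "$dcsr" "$dcer"
}

#######################################
# [10] Show the negotiated session parameters for host:port.
#######################################
test_connection() {
  local host port
  local -a sni=()
  echo -e "\nYou chose to test secure connection to a host...\n"
  ask "Host: " host || return 1
  ask "Port: " port || return 1
  valid_port "$port" || return 1
  is_ip_literal "$host" || sni=(-servername "$host")
  echo -e "\n ---STARTING CONNECTION TESTING---"
  # stderr goes to /dev/null — a relative `2>null` would create a file
  # called "null" in the working directory.
  openssl s_client -connect "$host:$port" ${sni[@]+"${sni[@]}"} </dev/null 2>/dev/null \
    | sed -n '/SSL-Session:/,/---/p'
  echo -e " ---CONNECTION TESTING COMPLETED---\n"
}

#######################################
# [11] Try every cipher this openssl knows against host:port and report
# which ones the server accepts.
#
# A cipher counts as SUPPORTED only when the handshake actually selected it:
# the "Cipher is NAME" line is compared with the name under test, because a
# TLS 1.3 server ignores -cipher and picks one of its own suites, which
# would otherwise make every legacy name look supported.
#######################################
test_ciphers() {
  local host port cipher result reason negotiated
  local -a sni=() legacy=()
  echo -e "\nYou chose to test all ciphers on a host...\n"
  ask "Host: " host || return 1
  ask "Port: " port || return 1
  valid_port "$port" || return 1
  is_ip_literal "$host" || sni=(-servername "$host")
  # When this openssl knows TLS 1.3, pin legacy (<= TLS 1.2) cipher tests
  # below it so the result reflects the cipher, not the protocol.
  if openssl s_client -help 2>&1 | grep -q -- '-no_tls1_3'; then
    legacy=(-no_tls1_3)
  fi
  echo -e "\n ---STARTING CIPHER TESTING---"
  # Cipher names contain no whitespace or glob characters, so word-splitting
  # the colon-separated list is safe here.
  for cipher in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    if [[ "$cipher" == TLS_* ]]; then
      # TLS 1.3 suites are selected with -ciphersuites, not -cipher; the
      # TLS_ names only appear in `openssl ciphers` on releases that also
      # accept -tls1_3.
      result=$(openssl s_client -ciphersuites "$cipher" -tls1_3 \
                 -connect "$host:$port" ${sni[@]+"${sni[@]}"} </dev/null 2>&1)
    else
      result=$(openssl s_client -cipher "$cipher" ${legacy[@]+"${legacy[@]}"} \
                 -connect "$host:$port" ${sni[@]+"${sni[@]}"} </dev/null 2>&1)
    fi
    negotiated=""
    if [[ "$result" =~ Cipher\ is\ ([^[:space:]]+) ]]; then
      negotiated=${BASH_REMATCH[1]}
    fi
    if [[ "$negotiated" == "$cipher" ]]; then
      echo -e "-> $cipher\n\tSUPPORTED"
    elif [[ "$result" == *":error:"* ]]; then
      # Field 6 of an openssl error line is the human-readable reason.
      reason=$(printf '%s\n' "$result" | grep -m1 ':error:' | cut -d':' -f6)
      echo -e "-> $cipher\n\tNOT SUPPORTED: $reason"
    elif [[ -n "$negotiated" ]]; then
      echo -e "-> $cipher\n\tNOT SELECTED: server negotiated $negotiated"
    else
      echo -e "-> $cipher\n\tTEST FAILED: $result"
    fi
  done
  echo -e " ---CIPHER TESTING COMPLETED---\n"
}

#######################################
# Menu loop. Each action runs in a subshell so its cd/umask cannot leak.
# EOF on stdin ends the loop instead of spinning on a failed read.
#######################################
main() {
  local choice
  print_banner
  while true; do
    echo -e "\nSelect the type of activity to perform:\n[1] Create new CSR\n[2] Create new PFX\n[3] Generate self-signed certificate\n\n[4] Extract certificates from PFX\n[5] Extract certificate from host\n\n[6] Analyze CSR\n[7] Analyze certificate\n"
    echo -e "[8] Test key-cert match\n[9] Test csr-cert match\n[10] Test connection negotiation\n[11] Cipher testing\n\n[0] Exit"
    ask "Your selection [0-11]: " choice || break
    case "$choice" in
      0)  echo "You chose to exit, thank you for using this tool!"; break ;;
      1)  ( create_csr ) ;;
      2)  ( create_pfx ) ;;
      3)  ( create_selfsigned ) ;;
      4)  ( extract_pfx ) ;;
      5)  ( fetch_host_cert ) ;;
      6)  ( analyze_csr ) ;;
      7)  ( analyze_cert ) ;;
      8)  ( test_key_cert ) ;;
      9)  ( test_csr_cert ) ;;
      10) ( test_connection ) ;;
      11) ( test_ciphers ) ;;
      *)  echo -e "\nThe selected option is not valid...\n" ;;
    esac
    cd -- "$basepath" || exit 1
    read -n 1 -s -r -p "Press any key to continue..." || break
    echo -e "\n\nnunununununununununununununununununununununununununununununununununununununununununununun"
  done
}

main "$@"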