Diffstat (limited to 'Tools/scripts/get-remote-certificate.py')
-rw-r--r--Tools/scripts/get-remote-certificate.py83
1 files changed, 83 insertions, 0 deletions
diff --git a/Tools/scripts/get-remote-certificate.py b/Tools/scripts/get-remote-certificate.py
new file mode 100644
index 0000000..02f1c8a
--- /dev/null
+++ b/Tools/scripts/get-remote-certificate.py
@@ -0,0 +1,83 @@
+#!/usr/bin/env python3
+#
+# fetch the certificate that the server(s) are providing in PEM form
+#
+# args are HOST:PORT [, HOST:PORT...]
+#
+# By Bill Janssen.
+
+import re
+import os
+import ssl
+import sys
+import tempfile
+
+
+def fetch_server_certificate (host, port):
+
+ def subproc(cmd):
+ from subprocess import Popen, PIPE, STDOUT
+ proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
+ status = proc.wait()
+ output = proc.stdout.read()
+ return status, output
+
+ def strip_to_x509_cert(certfile_contents, outfile=None):
+ m = re.search(br"^([-]+BEGIN CERTIFICATE[-]+[\r]*\n"
+ br".*[\r]*^[-]+END CERTIFICATE[-]+)$",
+ certfile_contents, re.MULTILINE | re.DOTALL)
+ if not m:
+ return None
+ else:
+ tn = tempfile.mktemp()
+ fp = open(tn, "wb")
+ fp.write(m.group(1) + b"\n")
+ fp.close()
+ try:
+ tn2 = (outfile or tempfile.mktemp())
+ status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
+ (tn, tn2))
+ if status != 0:
+ raise OperationError(status, tsig, output)
+ fp = open(tn2, 'rb')
+ data = fp.read()
+ fp.close()
+ os.unlink(tn2)
+ return data
+ finally:
+ os.unlink(tn)
+
+ if sys.platform.startswith("win"):
+ tfile = tempfile.mktemp()
+ fp = open(tfile, "w")
+ fp.write("quit\n")
+ fp.close()
+ try:
+ status, output = subproc(
+ 'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
+ (host, port, tfile))
+ finally:
+ os.unlink(tfile)
+ else:
+ status, output = subproc(
+ 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
+ (host, port))
+ if status != 0:
+ raise OSError(status)
+ certtext = strip_to_x509_cert(output)
+ if not certtext:
+ raise ValueError("Invalid response received from server at %s:%s" %
+ (host, port))
+ return certtext
+
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ sys.stderr.write(
+ "Usage: %s HOSTNAME:PORTNUMBER [, HOSTNAME:PORTNUMBER...]\n" %
+ sys.argv[0])
+ sys.exit(1)
+ for arg in sys.argv[1:]:
+ host, port = arg.split(":")
+ sys.stdout.buffer.write(fetch_server_certificate(host, int(port)))
+ sys.exit(0)
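Review bot: `subproc` runs its command with `shell=True`, and both `openssl s_client` calls build that command by interpolating `host` and `port` into a quoted string, so a host value containing a double quote or `$(...)` is interpreted by the shell. Passing an argument list without a shell removes that, and feeding stdin through `input=` makes the Windows temp file and the `/dev/null` redirect unnecessary. `subproc` also calls `proc.wait()` before reading a `PIPE`, which can block once the pipe buffer fills; the sketch below uses `subprocess.run` instead. In `strip_to_x509_cert`, `tempfile.mktemp()` returns a name without creating the file, so another local user can pre-create or symlink that path before `open(tn, "wb")`; `tempfile.mkstemp()` or `NamedTemporaryFile(delete=False)` closes that window. The error branch `raise OperationError(status, tsig, output)` uses two names that are not defined anywhere in the new file, so an `openssl x509` failure would surface as `NameError`; `raise OSError(status, output)` would match the other failure path.

```python
def fetch_server_certificate (host, port):

    def subproc(cmd, stdin_data=b""):
        # cmd is an argument list; no shell parses host, port or file names
        from subprocess import run, PIPE, STDOUT
        proc = run(cmd, input=stdin_data, stdout=PIPE, stderr=STDOUT)
        return proc.returncode, proc.stdout

    # … unchanged: strip_to_x509_cert, except its openssl call becomes …
            status, output = subproc(["openssl", "x509", "-in", tn, "-out", tn2])

    # … replaces the sys.platform branch; "quit\n" is fed on stdin on every platform …
    status, output = subproc(
        ["openssl", "s_client", "-connect", "%s:%s" % (host, port), "-showcerts"],
        stdin_data=b"quit\n")
    # … unchanged: status check, strip_to_x509_cert(output), return certtext …
```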