1 files changed, 73 insertions, 0 deletions
diff --git a/packet-detector/src/tls_util.rs b/packet-detector/src/tls_util.rs
new file mode 100644
index 0000000..456991b
--- /dev/null
+++ b/packet-detector/src/tls_util.rs
@@ -0,0 +1,73 @@
+use rcgen::{DistinguishedName, DnType};
+use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
+use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
+use rustls::{DigitallySignedStruct, Error, SignatureScheme};
+use sha2::{Digest, Sha256};
+use x509_parser::prelude::*;
+/// SHA256 fingerprint (truncated to 16 bytes by default)
+pub fn fingerprint(cert: &CertificateDer<'_>, full: bool) -> String {
+    let hash = Sha256::digest(cert.as_ref());
+    if full { hex::encode(hash) } else { hex::encode(&hash[..16]) }
+}
+pub fn dn(cn: &str, org: &str) -> DistinguishedName {
+    let mut d = DistinguishedName::new();
+    d.push(DnType::CommonName, cn);
+    d.push(DnType::OrganizationName, org);
+    d.push(DnType::CountryName, "US");
+    d
+}
+/// Parse certs from PEM
+pub fn parse_pem(pem: &str) -> Result<Vec<CertificateDer<'static>>, std::io::Error> {
+    rustls_pemfile::certs(&mut pem.as_bytes()).collect()
+}
+fn schemes() -> Vec<SignatureScheme> {
+    rustls::crypto::ring::default_provider()
+        .signature_verification_algorithms
+        .supported_schemes()
+}
+/// Macro to implement the boilerplate verifier methods
+macro_rules! impl_verifier_base {
+    () => {
+        fn verify_tls12_signature(&self, _: &[u8], _: &CertificateDer<'_>, _: &DigitallySignedStruct) -> Result<HandshakeSignatureValid, Error> {
+            Ok(HandshakeSignatureValid::assertion())
+        }
+        fn verify_tls13_signature(&self, _: &[u8], _: &CertificateDer<'_>, _: &DigitallySignedStruct) -> Result<HandshakeSignatureValid, Error> {
+            Ok(HandshakeSignatureValid::assertion())
+        }
+        fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+            schemes()
+        }
+    };
+}
+/// Accepts all certificates, logs info
+#[derive(Debug)]
+pub struct LoggingVerifier;
+impl ServerCertVerifier for LoggingVerifier {
+    fn verify_server_cert(&self, cert: &CertificateDer<'_>, intermediates: &[CertificateDer<'_>], _: &ServerName<'_>, _: &[u8], _: UnixTime) -> Result<ServerCertVerified, Error> {
+        println!("\n=== Server Certificate ===");
+        match X509Certificate::from_der(cert.as_ref()) {
+            Ok((_, x)) => {
+                println!("Subject: {}", x.subject());
+                println!("Issuer:  {}", x.issuer());
+                println!("SHA256:  {}", fingerprint(cert, true));
+                if x.subject() == x.issuer() { println!("Type:    Self-Signed"); }
+            }
+            Err(e) => println!("Parse failed: {}", e),
+        }
+        for (i, c) in intermediates.iter().enumerate() {
+            if let Ok((_, x)) = X509Certificate::from_der(c.as_ref()) {
+                println!("Intermediate #{}: {}", i + 1, x.subject());
+            }
+        }
+        println!("Chain length: {}\n", 1 + intermediates.len());
+        Ok(ServerCertVerified::assertion())
+    }
+    impl_verifier_base!();
+}

diff --git a/packet-detector/src/tls_util.rs b/packet-detector/src/tls_util.rs new file mode 100644 index 0000000..456991b --- /dev/null +++ b/packet-detector/src/tls_util.rs
@@ -0,0 +1,73 @@
	1	use rcgen::{DistinguishedName, DnType};
	2	use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
	3	use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
	4	use rustls::{DigitallySignedStruct, Error, SignatureScheme};
	5	use sha2::{Digest, Sha256};
	6	use x509_parser::prelude::*;
	7
	8	/// SHA256 fingerprint (truncated to 16 bytes by default)
	9	pub fn fingerprint(cert: &CertificateDer<'_>, full: bool) -> String {
	10	let hash = Sha256::digest(cert.as_ref());
	11	if full { hex::encode(hash) } else { hex::encode(&hash[..16]) }
	12	}
	13
	14	pub fn dn(cn: &str, org: &str) -> DistinguishedName {
	15	let mut d = DistinguishedName::new();
	16	d.push(DnType::CommonName, cn);
	17	d.push(DnType::OrganizationName, org);
	18	d.push(DnType::CountryName, "US");
	19	d
	20	}
	21
	22	/// Parse certs from PEM
	23	pub fn parse_pem(pem: &str) -> Result<Vec<CertificateDer<'static>>, std::io::Error> {
	24	rustls_pemfile::certs(&mut pem.as_bytes()).collect()
	25	}
	26
	27	fn schemes() -> Vec<SignatureScheme> {
	28	rustls::crypto::ring::default_provider()
	29	.signature_verification_algorithms
	30	.supported_schemes()
	31	}
	32
	33	/// Macro to implement the boilerplate verifier methods
	34	macro_rules! impl_verifier_base {
	35	() => {
	36	fn verify_tls12_signature(&self, _: &[u8], _: &CertificateDer<'_>, _: &DigitallySignedStruct) -> Result<HandshakeSignatureValid, Error> {
	37	Ok(HandshakeSignatureValid::assertion())
	38	}
	39	fn verify_tls13_signature(&self, _: &[u8], _: &CertificateDer<'_>, _: &DigitallySignedStruct) -> Result<HandshakeSignatureValid, Error> {
	40	Ok(HandshakeSignatureValid::assertion())
	41	}
	42	fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
	43	schemes()
	44	}
	45	};
	46	}
	47
	48	/// Accepts all certificates, logs info
	49	#[derive(Debug)]
	50	pub struct LoggingVerifier;
	51
	52	impl ServerCertVerifier for LoggingVerifier {
	53	fn verify_server_cert(&self, cert: &CertificateDer<'_>, intermediates: &[CertificateDer<'_>], _: &ServerName<'_>, _: &[u8], _: UnixTime) -> Result<ServerCertVerified, Error> {
	54	println!("\n=== Server Certificate ===");
	55	match X509Certificate::from_der(cert.as_ref()) {
	56	Ok((_, x)) => {
	57	println!("Subject: {}", x.subject());
	58	println!("Issuer: {}", x.issuer());
	59	println!("SHA256: {}", fingerprint(cert, true));
	60	if x.subject() == x.issuer() { println!("Type: Self-Signed"); }
	61	}
	62	Err(e) => println!("Parse failed: {}", e),
	63	}
	64	for (i, c) in intermediates.iter().enumerate() {
	65	if let Ok((_, x)) = X509Certificate::from_der(c.as_ref()) {
	66	println!("Intermediate #{}: {}", i + 1, x.subject());
	67	}
	68	}
	69	println!("Chain length: {}\n", 1 + intermediates.len());
	70	Ok(ServerCertVerified::assertion())
	71	}
	72	impl_verifier_base!();
	73	}