b612/star
1
0
Fork 0
Code Issues Pull Requests Projects Releases 6 Wiki Activity
star/tls/cert.go
starainrt 7650951518 1.http server支持黑白路由名单和子文件夹挂载 
2.http反向代理支持同一个端口按host区分不通服务,以及黑白路由名单支持
2025-06-19 23:47:39 +08:00

482 lines
16 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

package tls
import (
"b612.me/starlog"
"crypto/ecdsa"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"fmt"
"github.com/spf13/cobra"
"golang.org/x/net/idna"
"golang.org/x/net/proxy"
"net"
"os"
"path/filepath"
"strings"
"sync"
"time"
)
var hideDetail bool
var dump string
var reqRawIP int
var timeoutMillSec int
var socks5 string
var socks5Auth string
var showCA bool
var skipVerify bool
func init() {
Cmd.Flags().BoolVarP(&hideDetail, "hide-detail", "H", false, "隐藏证书详细信息")
Cmd.Flags().StringVarP(&dump, "dump", "d", "", "将证书保存到文件")
Cmd.Flags().IntVarP(&reqRawIP, "resolve-ip", "r", 0, "使用解析到的IP地址作为SNI进行tls连接输入数字表示使用解析到的第几个IP地址")
Cmd.Flags().IntVarP(&timeoutMillSec, "timeout", "t", 5000, "连接超时时间(毫秒)")
Cmd.Flags().StringVarP(&socks5, "socks5", "p", "", "socks5代理示例127.0.0.1:1080")
Cmd.Flags().StringVarP(&socks5Auth, "socks5-auth", "A", "", "socks5代理认证示例username:password")
Cmd.Flags().BoolVarP(&showCA, "show-ca", "c", false, "显示CA证书")
Cmd.Flags().BoolVarP(&skipVerify, "skip-verify", "k", false, "跳过证书验证")
}
var Cmd = &cobra.Command{
Use: "tls",
Short: "查看TLS证书信息",
Long: `查看TLS证书信息
用法: b612 tls [-d|-r|-t|-p|-A-c] [域名:端口] [域名:端口/服务器名] [域名/服务器名]
如果使用IP直接连接对于IPv6地址需要使用方括号包裹如[::1]:443
示例b612 tls -d cert.pem example.com:443/test.example.com
含义连接example.com:443SNI设置为test.example.com并将证书保存到cert.pem文件中。
示例b612 tls -r 1 example.com:443
含义连接example.com:443使用解析到的第一个IP地址进行连接并且这个IP地址作为SNI进行连接
示例b612 tls -r 1 example.com:443/example.com
含义连接example.com:443使用解析到的第一个IP地址进行连接并使用example.com作为SNI进行连接。`,
Run: func(cmd *cobra.Command, args []string) {
for _, target := range args {
showTls(target, !hideDetail, showCA, reqRawIP, dump, skipVerify, time.Duration(timeoutMillSec)*time.Millisecond)
}
},
}
func showTls(target string, showDetail, showCA bool, reqRawIP int, dumpPath string, skipVerify bool, timeout time.Duration) {
var err error
{
sp := strings.Split(target, "/")
hostname, port, err := net.SplitHostPort(sp[0])
if port == "" || err != nil {
if hostname == "" {
hostname = sp[0]
}
port = "443"
sp[0] = hostname + ":443"
target = strings.Join(sp, "/")
}
}
if timeout == 0 {
timeout = 5 * time.Second
}
hostname, _, _ := net.SplitHostPort(strings.Split(target, "/")[0])
hasHostname := false
if strings.Count(target, "/") > 0 {
strs := strings.Split(target, "/")
if len(strs) != 2 {
starlog.Errorln("invalid target format")
return
}
target = strs[0]
hostname = strs[1]
hasHostname = true
}
if reqRawIP > 0 {
domain, port, _ := net.SplitHostPort(strings.Split(target, "/")[0])
ips, err := net.LookupIP(domain)
if err != nil {
starlog.Errorln("failed to resolve domain: " + err.Error())
return
}
if len(ips) == 0 {
starlog.Errorln("no ip found for domain")
return
}
for _, v := range ips {
starlog.Infof("解析到的IP地址为: %s\n", v.String())
}
if reqRawIP > len(ips) {
reqRawIP = len(ips)
}
targetIp := ips[reqRawIP-1].String()
if ips[reqRawIP-1].To16() != nil {
targetIp = "[" + targetIp + "]"
}
target = targetIp + ":" + port
if !hasHostname {
hostname = ips[reqRawIP-1].String()
}
starlog.Noticeln("使用解析到的IP地址进行连接:", target)
}
starlog.Noticef("将使用如下地址连接:%s ; ServerName: %s\n", target, hostname)
punyCode, err := idna.ToASCII(hostname)
if err == nil {
if punyCode != hostname {
starlog.Infoln("检测到域名中含有非ASCII字符PunyCode转换后为:", punyCode)
hostname = punyCode
}
}
starlog.Infof("正在连接服务器: %s\n", target)
var netDialer = &net.Dialer{
Timeout: timeout,
}
var socksDialer *proxy.Dialer
if socks5 != "" {
var auth *proxy.Auth
if socks5Auth != "" {
up := strings.SplitN(socks5Auth, ":", 2)
if len(up) == 2 {
auth = &proxy.Auth{
User: up[0],
Password: up[1],
}
} else {
starlog.Errorln("socks5认证格式错误")
return
}
}
s5Dial, err := proxy.SOCKS5("tcp", socks5, auth, proxy.Direct)
if err == nil {
socksDialer = &s5Dial
} else {
starlog.Errorln("socks5代理错误:", err)
return
}
}
var verifyErr error
var wg sync.WaitGroup
wg.Add(1)
go func() {
defer wg.Done()
if !skipVerify {
return
}
var conn *tls.Conn
if socksDialer == nil {
conn, verifyErr = tls.DialWithDialer(netDialer, "tcp", target, &tls.Config{
InsecureSkipVerify: false,
ServerName: hostname,
MinVersion: tls.VersionSSL30,
})
if verifyErr == nil {
conn.Close()
}
} else {
con, err := (*socksDialer).Dial("tcp", target)
if err != nil {
verifyErr = err
return
}
conn = tls.Client(con, &tls.Config{
InsecureSkipVerify: false,
ServerName: hostname,
MinVersion: tls.VersionSSL30,
})
verifyErr = conn.Handshake()
con.Close()
}
}()
var conn *tls.Conn
if socksDialer == nil {
conn, err = tls.DialWithDialer(netDialer, "tcp", target, &tls.Config{
InsecureSkipVerify: skipVerify,
ServerName: hostname,
MinVersion: tls.VersionSSL30,
})
if err != nil {
starlog.Errorln("failed to connect: " + err.Error())
return
}
} else {
con, err := (*socksDialer).Dial("tcp", target)
if err != nil {
starlog.Errorln("failed to connect: " + err.Error())
return
}
defer con.Close()
conn = tls.Client(con, &tls.Config{
InsecureSkipVerify: skipVerify,
ServerName: hostname,
MinVersion: tls.VersionSSL30,
})
err = conn.Handshake()
if err != nil {
starlog.Errorln("failed to handshake: " + err.Error())
return
}
}
defer conn.Close()
starlog.Infof("连接成功对方IP:%s正在获取证书信息\n", conn.RemoteAddr().String())
certs := conn.ConnectionState().PeerCertificates
if len(certs) == 0 {
starlog.Errorln("no certificate found")
return
}
starlog.Infof("证书获取成功,证书链上共有%d个证书\n", len(certs))
state := conn.ConnectionState()
switch state.Version {
case tls.VersionSSL30:
starlog.Warningln("当前TLS版本: SSL 3.0")
case tls.VersionTLS10:
starlog.Warningln("当前TLS版本: TLS 1.0")
case tls.VersionTLS11:
starlog.Warningln("当前TLS版本: TLS 1.1")
case tls.VersionTLS12:
starlog.Infoln("当前TLS版本: TLS 1.2")
case tls.VersionTLS13:
starlog.Infoln("当前TLS版本: TLS 1.3")
}
switch state.CipherSuite {
case tls.TLS_RSA_WITH_RC4_128_SHA:
starlog.Infoln("当前加密套件: TLS_RSA_WITH_RC4_128_SHA")
case tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
starlog.Infoln("当前加密套件: TLS_RSA_WITH_3DES_EDE_CBC_SHA")
case tls.TLS_RSA_WITH_AES_128_CBC_SHA:
starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_128_CBC_SHA")
case tls.TLS_RSA_WITH_AES_256_CBC_SHA:
starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_256_CBC_SHA")
case tls.TLS_RSA_WITH_AES_128_CBC_SHA256:
starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_128_CBC_SHA256")
case tls.TLS_RSA_WITH_AES_128_GCM_SHA256:
starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_128_GCM_SHA256")
case tls.TLS_RSA_WITH_AES_256_GCM_SHA384:
starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_256_GCM_SHA384")
case tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA")
case tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA")
case tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA")
case tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA:
starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_RC4_128_SHA")
case tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA")
case tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")
case tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
case tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256")
case tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
case tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")
case tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
case tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")
case tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305")
case tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305")
case tls.TLS_AES_128_GCM_SHA256:
starlog.Infoln("当前加密套件: TLS_AES_128_GCM_SHA256")
case tls.TLS_AES_256_GCM_SHA384:
starlog.Infoln("当前加密套件: TLS_AES_256_GCM_SHA384")
case tls.TLS_CHACHA20_POLY1305_SHA256:
starlog.Infoln("当前加密套件: TLS_CHACHA20_POLY1305_SHA256")
default:
starlog.Infoln("当前加密套件:", state.CipherSuite)
}
starlog.Infoln("服务器名称:", state.ServerName)
wg.Wait()
if verifyErr != nil {
starlog.Red("证书验证失败: " + verifyErr.Error())
} else {
starlog.Green("证书验证成功")
}
if showDetail {
for _, c := range certs {
if c.IsCA && !showCA {
continue
}
fmt.Printf("----------\n")
if c.IsCA {
fmt.Println("这是一个CA证书")
}
fmt.Printf("证书基础信息: %+v\n", c.Subject)
fmt.Printf("证书颁发者: %+v\n", c.Issuer)
fmt.Printf("证书生效时间: %+v 距今:%.1f天\n", c.NotBefore.In(time.Local), time.Since(c.NotBefore).Hours()/24)
fmt.Printf("证书过期时间: %+v 剩余:%.1f天\n", c.NotAfter.In(time.Local), c.NotAfter.Sub(time.Now()).Hours()/24)
fmt.Printf("证书序列号: %s\n", c.SerialNumber.Text(16))
fmt.Printf("证书签名算法: %s\n", c.SignatureAlgorithm)
fmt.Printf("证书公钥算法: %s\n", c.PublicKeyAlgorithm)
switch pub := c.PublicKey.(type) {
case *rsa.PublicKey:
fmt.Printf("RSA公钥位数: %d\n", pub.Size()*8) // RSA公钥的位数
fmt.Printf("RSA公钥指数: %d\n", pub.E) // RSA公钥的指数
case *ecdsa.PublicKey:
fmt.Printf("ECDSA Curve位数: %d\n", pub.Curve.Params().BitSize) // ECDSA公钥的位数
}
if len(c.DNSNames) != 0 {
fmt.Printf("可选使用的DNS: %s\n", strings.Join(c.DNSNames, ", "))
}
if len(c.IPAddresses) != 0 {
ipAddr := ""
for _, ip := range c.IPAddresses {
ipAddr += ip.String() + ", "
}
ipAddr = ipAddr[:len(ipAddr)-2]
fmt.Printf("可选使用的IP: %s\n", ipAddr)
}
if len(c.EmailAddresses) != 0 {
fmt.Printf("可选使用的Email: %s\n", strings.Join(c.EmailAddresses, ", "))
}
if len(c.URIs) != 0 {
fmt.Printf("可选使用的URI: %v\n", c.URIs)
}
if len(c.PermittedDNSDomains) != 0 {
fmt.Printf("批准使用的DNS: %s\n", strings.Join(c.PermittedDNSDomains, ", "))
}
if len(c.ExcludedDNSDomains) != 0 {
fmt.Printf("禁止使用的DNS: %s\n", strings.Join(c.ExcludedDNSDomains, ", "))
}
if len(c.PermittedIPRanges) != 0 {
ipRange := ""
for _, ip := range c.PermittedIPRanges {
ipRange += ip.String() + ", "
}
ipRange = ipRange[:len(ipRange)-2]
fmt.Printf("批准使用的IP: %s\n", ipRange)
}
if len(c.ExcludedIPRanges) != 0 {
ipRange := ""
for _, ip := range c.ExcludedIPRanges {
ipRange += ip.String() + ", "
}
ipRange = ipRange[:len(ipRange)-2]
fmt.Printf("禁止使用的IP: %s\n", ipRange)
}
if len(c.PermittedEmailAddresses) != 0 {
fmt.Printf("批准使用的Email: %s\n", strings.Join(c.PermittedEmailAddresses, ", "))
}
if len(c.ExcludedEmailAddresses) != 0 {
fmt.Printf("禁止使用的Email: %s\n", strings.Join(c.ExcludedEmailAddresses, ", "))
}
if len(c.PermittedURIDomains) != 0 {
fmt.Printf("批准使用的URI: %s\n", strings.Join(c.PermittedURIDomains, ", "))
}
if len(c.ExcludedURIDomains) != 0 {
fmt.Printf("禁止使用的URI: %s\n", strings.Join(c.ExcludedURIDomains, ", "))
}
fmt.Printf("证书密钥用途: %s\n", strings.Join(KeyUsageToString(c.KeyUsage), ", "))
extKeyUsage := []string{}
for _, v := range c.ExtKeyUsage {
switch v {
case x509.ExtKeyUsageAny:
extKeyUsage = append(extKeyUsage, "任何用途")
case x509.ExtKeyUsageServerAuth:
extKeyUsage = append(extKeyUsage, "服务器认证")
case x509.ExtKeyUsageClientAuth:
extKeyUsage = append(extKeyUsage, "客户端认证")
case x509.ExtKeyUsageCodeSigning:
extKeyUsage = append(extKeyUsage, "代码签名")
case x509.ExtKeyUsageEmailProtection:
extKeyUsage = append(extKeyUsage, "电子邮件保护")
case x509.ExtKeyUsageIPSECEndSystem:
extKeyUsage = append(extKeyUsage, "IPSEC终端系统")
case x509.ExtKeyUsageIPSECTunnel:
extKeyUsage = append(extKeyUsage, "IPSEC隧道")
case x509.ExtKeyUsageIPSECUser:
extKeyUsage = append(extKeyUsage, "IPSEC用户")
case x509.ExtKeyUsageTimeStamping:
extKeyUsage = append(extKeyUsage, "时间戳")
case x509.ExtKeyUsageOCSPSigning:
extKeyUsage = append(extKeyUsage, "OCSP签名")
case x509.ExtKeyUsageMicrosoftServerGatedCrypto:
extKeyUsage = append(extKeyUsage, "Microsoft服务器门控加密")
case x509.ExtKeyUsageNetscapeServerGatedCrypto:
extKeyUsage = append(extKeyUsage, "Netscape服务器门控加密")
case x509.ExtKeyUsageMicrosoftCommercialCodeSigning:
extKeyUsage = append(extKeyUsage, "Microsoft商业代码签名")
case x509.ExtKeyUsageMicrosoftKernelCodeSigning:
extKeyUsage = append(extKeyUsage, "Microsoft内核代码签名")
default:
extKeyUsage = append(extKeyUsage, fmt.Sprintf("未知用途(%d)", v))
}
}
fmt.Printf("证书扩展密钥用途: %s\n", strings.Join(extKeyUsage, ", "))
if len(c.CRLDistributionPoints) > 0 {
fmt.Printf("证书CRL分发点: %s\n", strings.Join(c.CRLDistributionPoints, ","))
}
if len(c.OCSPServer) > 0 {
fmt.Printf("证书OCSP服务器: %s\n", strings.Join(c.OCSPServer, ", "))
}
if len(c.SubjectKeyId) > 0 {
fmt.Printf("证书主题密钥ID: %x\n", c.SubjectKeyId)
}
if len(c.AuthorityKeyId) > 0 {
fmt.Printf("证书颁发者密钥ID: %x\n", c.AuthorityKeyId)
}
if c.MaxPathLenZero {
fmt.Println("证书最大路径长度为0")
}
if c.MaxPathLen > 0 {
fmt.Printf("证书最大路径长度: %d\n", c.MaxPathLen)
}
fmt.Printf("证书版本: %d\n----------\n", c.Version)
//fmt.Printf("证书扩展信息: %+v\n\n----------", c.Extensions)
}
if dumpPath != "" {
var data []byte
var name string
for _, c := range certs {
if name == "" {
name = c.Subject.CommonName + ".crt"
}
certBlock := &pem.Block{
Type: "CERTIFICATE",
Bytes: c.Raw,
}
data = append(data, pem.EncodeToMemory(certBlock)...)
}
err = os.WriteFile(filepath.Join(dumpPath, name), data, 0644)
if err != nil {
starlog.Errorln("failed to write file: " + err.Error())
return
}
starlog.Infoln("dumped to " + filepath.Join(dumpPath, name))
}
}
}
func KeyUsageToString(ku x509.KeyUsage) []string {
usages := []string{}
flags := []struct {
Flag x509.KeyUsage
Name string
}{
{x509.KeyUsageDigitalSignature, "数字签名"},
{x509.KeyUsageContentCommitment, "内容承诺"},
{x509.KeyUsageKeyEncipherment, "密钥加密"},
{x509.KeyUsageDataEncipherment, "数据加密"},
{x509.KeyUsageKeyAgreement, "密钥协商"},
{x509.KeyUsageCertSign, "证书签名"},
{x509.KeyUsageCRLSign, "CRL签名"},
{x509.KeyUsageEncipherOnly, "仅加密"},
{x509.KeyUsageDecipherOnly, "仅解密"},
}
for _, flag := range flags {
if ku&flag.Flag != 0 {
usages = append(usages, flag.Name)
}
}
return usages
}
Reference in New Issue View Git Blame Copy Permalink