1 #!/usr/bin/env python

     2 #

     3 # fetch the certificate that the server(s) are providing in PEM form

     4 #

     5 # args are HOST:PORT [, HOST:PORT...]

     6 #

     7 # By Bill Janssen.

     8 

     9 import sys

    10 

    11 def fetch_server_certificate (host, port):

    12 

    13     import re, tempfile, os, ssl

    14 

    15     def subproc(cmd):

    16         from subprocess import Popen, PIPE, STDOUT

    17         proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)

    18         status = proc.wait()

    19         output = proc.stdout.read()

    20         return status, output

    21 

    22     def strip_to_x509_cert(certfile_contents, outfile=None):

    23         m = re.search(r"^([-]+BEGIN CERTIFICATE[-]+[\r]*\n"

    24                       r".*[\r]*^[-]+END CERTIFICATE[-]+)$",

    25                       certfile_contents, re.MULTILINE | re.DOTALL)

    26         if not m:

    27             return None

    28         else:

    29             tn = tempfile.mktemp()

    30             fp = open(tn, "w")

    31             fp.write(m.group(1) + "\n")

    32             fp.close()

    33             try:

    34                 tn2 = (outfile or tempfile.mktemp())

    35                 status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %

    36                                          (tn, tn2))

    37                 if status != 0:

    38                     raise OperationError(status, tsig, output)

    39                 fp = open(tn2, 'rb')

    40                 data = fp.read()

    41                 fp.close()

    42                 os.unlink(tn2)

    43                 return data

    44             finally:

    45                 os.unlink(tn)

    46 

    47     if sys.platform.startswith("win"):

    48         tfile = tempfile.mktemp()

    49         fp = open(tfile, "w")

    50         fp.write("quit\n")

    51         fp.close()

    52         try:

    53             status, output = subproc(

    54                 'openssl s_client -connect "%s:%s" -showcerts < "%s"' %

    55                 (host, port, tfile))

    56         finally:

    57             os.unlink(tfile)

    58     else:

    59         status, output = subproc(

    60             'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %

    61             (host, port))

    62     if status != 0:

    63         raise OSError(status)

    64     certtext = strip_to_x509_cert(output)

    65     if not certtext:

    66         raise ValueError("Invalid response received from server at %s:%s" %

    67                          (host, port))

    68     return certtext

    69 

    70 if __name__ == "__main__":

    71     if len(sys.argv) < 2:

    72         sys.stderr.write(

    73             "Usage:  %s HOSTNAME:PORTNUMBER [, HOSTNAME:PORTNUMBER...]\n" %

    74             sys.argv[0])

    75         sys.exit(1)

    76     for arg in sys.argv[1:]:

    77         host, port = arg.split(":")

    78         sys.stdout.write(fetch_server_certificate(host, int(port)))

    79     sys.exit(0)