Last active
August 21, 2018 12:45
-
-
Save P3GLEG/ab0e18e5c6a762b024c4030977230278 to your computer and use it in GitHub Desktop.
Checks your Certificate trust store within Mac OS X to find unknown certificates
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| Checks your Certificate trust store within Mac OS X to find unknown certificates for High Sierra | |
| """ | |
| __author__ = 'Pegleg <pegleg@linux.com>' | |
| __license__ = 'MIT' | |
| import requests | |
| from bs4 import BeautifulSoup | |
| class Certificate(object): | |
| def __init__(self, cert_name, issue_by, Type, key_size, sig_alg, serial_num, expires, ev_policy, fingerprint): | |
| self.cert_name = cert_name | |
| self.issue_by = issue_by | |
| self.Type = Type | |
| self.key_size = key_size | |
| self.sig_alg = sig_alg | |
| self.serial_num = serial_num | |
| self.expires = expires | |
| self.ev_policy = ev_policy | |
| self.fingerprint = fingerprint | |
| def __str__(self): | |
| return self.fingerprint + self.expires | |
| def __hash__(self): | |
| return hash(str(self)) | |
| def __eq__(self, other): | |
| return self.fingerprint == other.fingerprint and self.expires == other.expires | |
| def generateCerts(certs): | |
| results = [] | |
| for cert in certs: | |
| cert_info = cert.findAll('td') | |
| if cert_info: #Case where td is empty due to th header | |
| c = [] | |
| for i in cert_info: | |
| c.append(i.getText().strip()) | |
| results.append(Certificate(c[0], c[1], c[2] ,c[3] ,c[4] ,c[5] ,c[6] ,c[7] ,c[8])) | |
| return results | |
| def getAppleOfficialList(): | |
| trusted = [] | |
| resp = requests.get('https://support.apple.com/en-us/HT208127') | |
| soup = BeautifulSoup(resp.content, 'html.parser') | |
| trusted = soup.find(id = 'trusted').findAll('tr') | |
| trusted_certs = generateCerts(trusted) | |
| always_ask = soup.find(id = 'alwaysask').findAll('tr') | |
| always_ask_certs = generateCerts(always_ask) | |
| blocked = soup.find(id = 'blocked').findAll('tr') | |
| blocked_certs = generateCerts(blocked) | |
| return trusted_certs, always_ask_certs, blocked_certs | |
| def getLocalhostCerts(): | |
| with open('/System/Library/Security/Certificates.bundle/Contents/Resources/TrustStore.html', encoding='utf-8') as f: | |
| html_doc = f.read() | |
| soup = BeautifulSoup(html_doc, 'html.parser') | |
| tables = soup.findAll('table') | |
| trusted = tables[0].findAll('tr') | |
| trusted_certs = generateCerts(trusted) | |
| always_ask = tables[1].findAll('tr') | |
| always_ask_certs = generateCerts(always_ask) | |
| blocked = tables[2].findAll('tr') | |
| blocked_certs = generateCerts(blocked) | |
| return trusted_certs, always_ask_certs, blocked_certs | |
| def compareStores(store_name, official, local): | |
| print(f'{store_name} sizes Official: {len(official)} Local: {len(local)}') | |
| local_diff = [cert for cert in local if cert not in official] | |
| official_diff = [cert for cert in official if cert not in local] | |
| if len(local_diff) == 0 and len(official_diff) == 0: | |
| print(f'No differences within {store_name} stores found!') | |
| else: | |
| print(f'Local {store_name} store differences\n') | |
| for cert in local_diff: | |
| print(f'{vars(cert)}\n') | |
| print(f'Official {store_name} store differences\n') | |
| for cert in official_diff: | |
| print(f'{vars(cert)}\n') | |
| official_trusted, official_always_ask, official_blocked = getAppleOfficialList() | |
| local_trusted, local_always_ask, local_blocked = getLocalhostCerts() | |
| compareStores("Trusted", official_trusted, local_trusted) | |
| compareStores("Always Ask", official_always_ask, local_always_ask) | |
| compareStores("Blocked", official_blocked, local_blocked) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment