Feature Request: Find and query TLS certificates
arcrose opened this issue
This request came in from atoll, who has described his use case like so (my paraphrasing):
- We would like to be able to identify certificate files on hosts, then
- Decode the certificate file and parse its ASN.1 structure, then
- Execute a query over the parsed structure to answer questions like:
  - Is the certificate self-signed?
  - Is the certificate using secure crypto primitives?
  - Is the certificate explicitly disallowing the use of insecure crypto primitives?
You could write a new module that imports the file module to list files that contain `-----BEGIN CERTIFICATE-----` and then process those files. However, scanning an entire file system takes too much time and typically gets killed before completion. It would succeed if you limit it to `/etc` though.
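A worked illustration of the decode/parse/query steps in the request and of the `-----BEGIN CERTIFICATE-----` search suggested in the reply, added here and not code from this issue or from the project: it pulls every PEM certificate out of one file's contents and reports whether it is self-signed and whether its signature uses an MD5- or SHA-1-based algorithm. Go is assumed as the implementation language; `Finding`, `Assess`, `SampleFile` and the generated `example.invalid` certificate are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)
type Finding struct {
	Subject    string
	SelfSigned bool
	WeakSig    bool // signed with an MD5- or SHA-1-based algorithm
}

// Assess parses every PEM CERTIFICATE block in one file's contents (the blocks a
// "-----BEGIN CERTIFICATE-----" search would find) and evaluates each certificate.
func Assess(data []byte) ([]Finding, error) {
	var out []Finding
	for blk, rest := pem.Decode(data); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // skip private keys, CSRs and other PEM blocks in the same file
		}
		cert, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return out, err
		}
		// Self-signed: issuer equals subject and the cert's own key verifies its signature (Go rejects MD5/SHA-1 here).
		selfSigned := string(cert.RawIssuer) == string(cert.RawSubject) &&
			cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
		weak := map[x509.SignatureAlgorithm]bool{x509.MD5WithRSA: true, x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true}[cert.SignatureAlgorithm]
		out = append(out, Finding{cert.Subject.String(), selfSigned, weak})
	}
	return out, nil
}

// SampleFile returns constructed file contents, a comment line followed by a freshly
// generated self-signed ECDSA P-256 certificate, standing in for a file found under /etc.
func SampleFile() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.invalid"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	pemCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append([]byte("# constructed config file\n"), pemCert...)
}
```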