rapid7 · cdelafuente-r7 · Dec 16, 2024
diff --git a/app/models/metasploit/credential/pkcs12.rb b/app/models/metasploit/credential/pkcs12.rb
@@ -3,6 +3,15 @@
 
 # A private Pkcs12 file.
 class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
+
+  #
+  # Constants
+  #
+
+  # Valid format for {#data} composed of `'msf_pkcs12:<base64 cert>:<ca>:<ADCS template>'`.
+  DATA_REGEXP = /\Amsf_pkcs12:(?<pkcs12>[^:]+):(?<ca>[^:]*):(?<adcs_template>.*)\z/
+  private_constant :DATA_REGEXP
+
   #
   # Attributes
   #
@@ -28,11 +37,52 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
   # Method Validations
   #
 
+  validate :data_format
+
   validate :readable
 
+  #
+  # Class methods
+  #
+
+  # @param [Integer] pkcs12 The Base64-encoded  Pkcs12 certificate
+  # @param [String,nil] ca The CA that issued the certificate
+  # @param [String,nil] adcs_template The certificate template used to issue the certificate
+  # @return [String]
+  # @raise [ArgumentError] if an option is invalid
+  def self.build_data(pkcs12:, ca: nil, adcs_template: nil)
+    raise ArgumentError.new('pkcs12 must be set') if pkcs12.nil?
+    raise ArgumentError.new('ca must be a non-empty string') if ca && (!ca.is_a?(String) || ca.empty?)
+    raise ArgumentError.new('adcs_template must be a non-empty string') if adcs_template && (!adcs_template.is_a?(String) || adcs_template.empty?)
+
+    "msf_pkcs12:#{pkcs12}:#{ca}:#{adcs_template}"
+  end
+
   #
   # Instance Methods
   #
+  #
+
+  # The Base64-encoded Pkcs12 certificate
+  #
+  # @return [String]
+  def pkcs12
+    parsed_data[:pkcs12]
+  end
+
+  # The CA that issued the certificate
+  #
+  # @return [String]
+  def ca
+    parsed_data[:ca]
+  end
+
+  # The certificate template used to issue the certificate
+  #
+  # @return [String]
+  def adcs_template
+    parsed_data[:adcs_template]
+  end
 
   # Converts the private pkcs12 data in {#data} to an `OpenSSL::PKCS12` instance.
   #
@@ -42,7 +92,7 @@ def openssl_pkcs12
     if data
       begin
         password = ''
-        OpenSSL::PKCS12.new(Base64.strict_decode64(data), password)
+        OpenSSL::PKCS12.new(Base64.strict_decode64(pkcs12), password)
       rescue OpenSSL::PKCS12::PKCS12Error => error
         raise ArgumentError.new(error)
       end
@@ -60,6 +110,8 @@ def to_s
     result = []
     result << "subject:#{cert.subject.to_s}"
     result << "issuer:#{cert.issuer.to_s}"
+    result << "CA:#{ca}" if ca
+    result << "ADCS_template:#{adcs_template}" if adcs_template
     result.join(',')
   end
 
@@ -80,5 +132,26 @@ def readable
     end
   end
 
+  # @return [Hash] The parsed data with enctype, key, salt keys
+  def parsed_data
+    match = data.match(DATA_REGEXP)
+    return {} unless match
+
+    {
+      pkcs12: match[:pkcs12],
+      ca: match[:ca].empty? ? nil : match[:ca],
+      adcs_template: match[:adcs_template].empty? ? nil : match[:adcs_template]
+    }
+  end
+
+  # Validates that {#data} is in the expected data format
+  def data_format
+    unless DATA_REGEXP.match(data)
+      errors.add(:data, :format)
+    end
+  end
+
+  public
+
   Metasploit::Concern.run(self)
 end
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -87,7 +87,7 @@ en:
         metasploit/credential/pkcs12:
           attributes:
             data:
-              format: "is not a Base64 encoded pkcs12 file without a password"
+              format: "is not a serialized data containing Base64 encoded pkcs12 file without a password and metadata"
         metasploit/credential/ssh_key:
           attributes:
             data:

diff --git a/spec/factories/metasploit/credential/pkcs12.rb b/spec/factories/metasploit/credential/pkcs12.rb
@@ -10,28 +10,57 @@
       subject { '/C=BE/O=Test/OU=Test/CN=Test' }
       # the cert issuer
       issuer { '/C=BE/O=Test/OU=Test/CN=Test' }
+      # the base64-encoded cert
+      pkcs12_base64 {
+        password = ''
+        pkcs12_name = ''
+
+        private_key = OpenSSL::PKey::RSA.new(key_size)
+        public_key = private_key.public_key
+
+        cert = OpenSSL::X509::Certificate.new
+        cert.subject = OpenSSL::X509::Name.parse(subject)
+        cert.issuer = OpenSSL::X509::Name.parse(issuer)
+        cert.not_before = Time.now
+        cert.not_after = Time.now + 365 * 24 * 60 * 60
+        cert.public_key = public_key
+        cert.serial = 0x0
+        cert.version = 2
+        cert.sign(private_key, OpenSSL::Digest.new(signing_algorithm))
+
+        pkcs12 = OpenSSL::PKCS12.create(password, pkcs12_name, private_key, cert)
+        Base64.strict_encode64(pkcs12.to_der)
+      }
+    end
+
+    data { Metasploit::Credential::Pkcs12.build_data(pkcs12: pkcs12_base64) }
+  end
+
+  factory :metasploit_credential_pkcs12_with_ca, parent: :metasploit_credential_pkcs12 do
+    transient do
+      # The CA that issued the certificate
+      ca { "test-ca" }
     end
 
-    data {
-      password = ''
-      pkcs12_name = ''
-
-      private_key = OpenSSL::PKey::RSA.new(key_size)
-      public_key = private_key.public_key
-
-      cert = OpenSSL::X509::Certificate.new
-      cert.subject = OpenSSL::X509::Name.parse(subject)
-      cert.issuer = OpenSSL::X509::Name.parse(issuer)
-      cert.not_before = Time.now
-      cert.not_after = Time.now + 365 * 24 * 60 * 60
-      cert.public_key = public_key
-      cert.serial = 0x0
-      cert.version = 2
-      cert.sign(private_key, OpenSSL::Digest.new(signing_algorithm))
-
-      pkcs12 = OpenSSL::PKCS12.create(password, pkcs12_name, private_key, cert)
-      pkcs12_base64 = Base64.strict_encode64(pkcs12.to_der)
-      pkcs12_base64
-    }
+    data { Metasploit::Credential::Pkcs12.build_data(pkcs12: pkcs12_base64, ca: ca) }
   end
+
+  factory :metasploit_credential_pkcs12_with_adcs_template, parent: :metasploit_credential_pkcs12 do
+    transient do
+      # The certificate template used to issue the certificate
+      adcs_template { "User" }
+    end
+
+    data { Metasploit::Credential::Pkcs12.build_data(pkcs12: pkcs12_base64, adcs_template: adcs_template) }
+  end
+
+  factory :metasploit_credential_pkcs12_with_ca_and_adcs_template, parent: :metasploit_credential_pkcs12 do
+    transient do
+      ca { "test-ca" }
+      adcs_template { "User" }
+    end
+
+    data { Metasploit::Credential::Pkcs12.build_data(pkcs12: pkcs12_base64, ca: ca, adcs_template: adcs_template) }
+  end
+
 end