That looks a bit ... ugly, so I set out to improve it and ran into a surprising number of PowerShell issues:

  1. There's no easy method to convert a hex string to a byte array, so we need a helper function, e.g. Convert-HexToByte from https://www.powershellgallery.com/packages/AnsibleVault/0.2.0/Content/Private%5CConvert-HexToByte.ps1.
  2. Constructing an X509Certificate2 object with a byte array is tricky, hence the complicated argument list.

    # Using tshark, extract the certificate(s) to an array of hex strings. Note the display filter to select frames with a cert and the fields specifier to only output those fields and all occurrences of the field in the frame separated by a comma. The string "split" method is used to chop the output into an array of hex strings:

    $h = (tshark -r input.pcapng -Y tls.handshake.certificate -T fields -e tls.handshake.certificate -E occurrence=a -E "separator=,").split(",")

    # Create new X509Certificate2 objects from the hex strings

    $c = $h | ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$(Convert-HexToByte $_)) }

    # Display the certs

    $c
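
An added example, not part of the original answer: a self-contained version of the same pipeline with its own hex-to-byte helper, which also skips empty lines and fields that do not parse as a certificate. The function names `ConvertFrom-HexString` and `ConvertTo-Certificate` are hypothetical, and the sample input is a throwaway self-signed certificate generated in-process to stand in for tshark output (assumes PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later).

```powershell
# Hypothetical helper: strict hex-to-byte conversion that rejects malformed input.
function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    $clean = $Hex.Trim() -replace '[:\s]', ''
    if ($clean.Length % 2 -ne 0 -or $clean -notmatch '^[0-9A-Fa-f]+$') {
        throw "Not a valid hex string (length $($clean.Length))"
    }
    $bytes = [byte[]]::new($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    return ,$bytes   # unary comma keeps the array from being unrolled on return
}

# Hypothetical helper: one tshark output line per frame, certificates comma-separated.
function ConvertTo-Certificate {
    param([string[]]$TsharkLine)
    foreach ($line in $TsharkLine) {
        foreach ($hex in ($line -split ',')) {
            if ([string]::IsNullOrWhiteSpace($hex)) { continue }
            try {
                $der = ConvertFrom-HexString $hex
                # The [byte[]] cast selects the raw-data constructor overload.
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            } catch {
                Write-Warning "Skipping field that is not a parsable certificate: $_"
            }
        }
    }
}

# Constructed sample input: a self-signed certificate hex-encoded the way tshark prints it.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=constructed.example', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now  = [DateTimeOffset]::UtcNow
$hex  = ([BitConverter]::ToString($req.CreateSelfSigned($now, $now.AddDays(1)).RawData) -replace '-', '').ToLower()

# Frame with two certificates, an empty line, and a truncated (unparsable) field.
$lines = @("$hex,$hex", '', $hex.Substring(0, 40))

# With a real capture, pass the tshark command's output lines instead of $lines.
ConvertTo-Certificate $lines | Select-Object Subject, Issuer, NotAfter, Thumbprint
```

The two well-formed fields come back as certificate objects; the truncated field produces a warning instead of stopping the pipeline.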
