add PyRunner

Author: noisecode3

CMakeLists.txt

@@ -59,7 +59,9 @@ set(LIEF_MACHO OFF)
 set(LIEF_DEX OFF)
 set(LIEF_ART OFF)
 
-if(NOT EXISTS "${CMAKE_SOURCE_DIR}/libs/LIEF/CMakeLists.txt" AND NOT NO_DATABASE)
+if(NOT EXISTS "${CMAKE_SOURCE_DIR}/libs/LIEF/CMakeLists.txt"
+        AND NOT NO_DATABASE
+    )
     message(STATUS "Submodule 'libs/LIEF' not found. Updating submodules...")
     execute_process(
         COMMAND git submodule update --init --recursive
@@ -91,6 +93,8 @@ set(SOURCES_MC
     src/Model.cpp
     src/Network.hpp
     src/Network.cpp
+    src/PyRunner.cpp
+    src/PyRunner.hpp
     src/Runner.cpp
     src/Runner.hpp
     src/binary.hpp
@@ -147,6 +151,19 @@ if(TEST)
         CXX_STANDARD 17
         CXX_STANDARD_REQUIRED ON
     )
+    message(STATUS "Setup test files")
+    execute_process(
+        COMMAND bash set_up_files.sh "${CMAKE_SOURCE_DIR}/build"
+        WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}/test"
+        RESULT_VARIABLE SETUP_RESULT
+    )
+
+    if(NOT SETUP_RESULT EQUAL 0)
+        message(
+            FATAL_ERROR
+            "set_up_files.sh failed with exit code ${SETUP_RESULT}"
+        )
+    endif()
 else()
     set(SOURCES ${SOURCES_MC} ${SOURCES_VIEW})
     add_executable(${PROJECT_NAME} ${SOURCES})

database/get_leaf_cert.py

@@ -1,11 +1,13 @@
 """
-This module retrieves only the leaf certificate from servers that don't
-follow the standard TLS handshake procedure and fail to provide the complete
-certificate chain. While `curl` can still connect to these servers by
-specifying only the leaf certificate (and defaults to finding the chain in
-/etc/ssl/certs), the `requests` module requires a full certificate bundle.
-This module is intended for use cases where only the leaf certificate
-is needed.
+Leaf Certificate Fetcher and Inspector for Misconfigured HTTPS Servers.
+
+This module retrieves **only the leaf certificate** (the server's own certificate)
+from a given hostname over TLS, without verifying the chain.
+
+Some servers are misconfigured and fail to send the full certificate chain
+during the TLS handshake. While `curl` can still connect to these by relying
+on system root certificates, higher-level libraries like `requests` may reject
+the connection unless a full CA bundle is provided.
 """
 
 import sys
@@ -18,40 +20,73 @@
 
 
 def get_certificate(hostname):
-    """OpenSSL with TCP get the certificate"""
+    """
+    Perform a raw TLS connection to fetch the server's leaf certificate.
+
+    This bypasses certificate verification to ensure we can still retrieve
+    certificates from misconfigured servers.
+
+    Args:
+        hostname (str): The domain to connect to (without scheme or port).
+
+    Returns:
+        x509.Certificate: Parsed certificate object, or None on failure.
+    """
     context = ssl.create_default_context()
-    # Disable certificate verification for the first connection
-    context.check_hostname = False
-    context.verify_mode = ssl.CERT_NONE
+    context.check_hostname = False  # Don't verify host name
+    context.verify_mode = ssl.CERT_NONE  # Don't verify certificate chain
 
     with socket.create_connection((hostname, 443)) as sock:
         with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-            # Get certificate info
-            cert_der = ssock.getpeercert(True)
+            cert_der = ssock.getpeercert(True)  # Get DER-encoded certificate
             if cert_der:
                 return x509.load_der_x509_certificate(cert_der, default_backend())
     return None
 
 
 def get_sha256_fingerprint(cert):
-    """Identify the sum, we might want verify the certificate"""
+    """
+    Compute SHA-256 fingerprint of a certificate.
+
+    Args:
+        cert (x509.Certificate): The certificate to hash.
+
+    Returns:
+        bytes: Raw SHA-256 digest.
+    """
     cert_der = cert.public_bytes(serialization.Encoding.DER)
     digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
     digest.update(cert_der)
     return digest.finalize()
 
 
 def get_serial_number_hex(cert):
-    """Identify the serial, this can be use to look for the certificate"""
-    # Get the serial number in a byte format
-    serial_number_bytes = cert.serial_number \
-        .to_bytes((cert.serial_number.bit_length() + 7) // 8, 'big')
-    # Format it as a hex string
+    """
+    Return the certificate's serial number formatted as hexadecimal.
+
+    Useful for identifying and verifying specific certs manually.
+
+    Args:
+        cert (x509.Certificate): The certificate to inspect.
+
+    Returns:
+        str: Colon-separated hex string (e.g., "01:AB:CD:EF").
+    """
+    serial_number_bytes = cert.serial_number.to_bytes(
+        (cert.serial_number.bit_length() + 7) // 8, 'big'
+    )
     return ':'.join(f'{b:02X}' for b in serial_number_bytes)
 
 
 def print_certificate_details(cert):
-    """Log basic certificate information"""
+    """
+    Print human-readable information about the certificate.
+
+    Includes fingerprint, serial number, subject and issuer details.
+
+    Args:
+        cert (x509.Certificate): The certificate to print.
+    """
     fingerprint = get_sha256_fingerprint(cert)
     fingerprint_hex = ':'.join(f'{b:02X}' for b in fingerprint)
     serial_number_hex = get_serial_number_hex(cert)
@@ -64,80 +99,32 @@ def print_certificate_details(cert):
 
 
 def run(url):
-    """Retrieve and return the certificate's public key in PEM byte format."""
+    """
+    Determine the target host from the URL, fetch and print its leaf certificate.
+
+    Args:
+        url (str): The full URL (must start with one of the known domains).
+
+    Returns:
+        bytes: The PEM-encoded certificate (as bytes), or exits on failure.
+    """
+    # Map URL to known hosts. These are the only ones we allow.
     if url.startswith("https://www.trle.net"):
         host = 'trle.net'
     elif url.startswith("https://trcustoms.org"):
         host = 'trcustoms.org'
     else:
-        sys.exit(1)
+        sys.exit(1)  # Reject unknown domains for safety
+
     certificate = get_certificate(host)
     if not certificate:
+        print("Failed to retrieve certificate.")
         sys.exit(1)
 
     print_certificate_details(certificate)
+
     if not isinstance(certificate, Certificate):
+        print("Invalid certificate object.")
         sys.exit(1)
 
     return certificate.public_bytes(encoding=serialization.Encoding.PEM)
-
-
-'''
-def validate_downloaded_key(id_number, expected_serial):
-    """Validate the certificate in binary form with the cryptography module"""
-    pem_key = get_response(f"https://crt.sh/?d={id_number}", 'application/pkix-cert')
-
-    if not isinstance(pem_key, bytes):
-        logging.error("Data type error, expected bytes got %s", type(pem_key))
-        sys.exit(1)
-
-    # Load the certificate
-    certificate = x509.load_pem_x509_certificate(pem_key, default_backend())
-
-    # Extract the serial number and convert it to hex (without leading '0x')
-    hex_serial = f'{certificate.serial_number:x}'
-
-    # Compare the serial numbers
-    if hex_serial == expected_serial:
-        print("The downloaded PEM key matches the expected serial number.")
-    else:
-        logging.error("Serial mismatch! Expected: %s, but got: %s", expected_serial, hex_serial)
-        sys.exit(1)
-
-    # Extract and validate the domain (Common Name)
-    valid_domains = ["trle.net", "trcustoms.org", "data.trcustoms.org", "staging.trcustoms.org"]
-
-    # Check the Common Name (CN) in the certificate subject
-    comon_name = certificate.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)[0].value
-    if comon_name in valid_domains:
-        print(f"Valid domain found in CN: {comon_name}")
-    else:
-        logging.error("Invalid domain in CN: %s", comon_name)
-        sys.exit(1)
-
-    # Extract the Subject Alternative Name (SAN) extension
-    try:
-        san_extension = certificate.extensions \
-            .get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
-
-        # Extract all DNS names listed in the SAN extension
-        dns_names = san_extension.value.get_values_for_type(x509.DNSName) # type: ignore
-
-        print(f"DNS Names in SAN: {dns_names}")
-
-        # Check if any of the DNS names match the valid domain list
-        valid_domains = ["trle.net", "www.trle.net", "trcustoms.org", "*.trcustoms.org",
-                         "data.trcustoms.org", 'staging.trcustoms.org']
-
-        if all(domain in valid_domains for domain in dns_names):
-            print(f"Valid domain found in SAN: {dns_names}")
-        else:
-            print(f"Invalid domain in SAN: {dns_names}")
-            sys.exit(1)
-
-    except x509.ExtensionNotFound:
-        print("No Subject Alternative Name (SAN) extension found in the certificate.")
-
-    pem_data = certificate.public_bytes(encoding=serialization.Encoding.PEM)
-    return pem_data.decode('utf-8')
-'''

database/https.py

@@ -206,6 +206,10 @@ def get_response(self, url, content_type):
                     if not self.leaf_cert:
                         sys.exit(1)
                     temp_cert_path = self.set_leaf(curl)
+                    curl.setopt(pycurl.SSL_VERIFYPEER, 1)
+                    curl.setopt(pycurl.SSL_VERIFYHOST, 2)
+                    pinned_key = "sha256//7WRPcNY2QpOjWiQSLbiBu/9Og69JmzccPAdfj2RT5Vw="
+                    curl.setopt(pycurl.PINNEDPUBLICKEY, pinned_key)
 
                 headers_list = [
                     'User-Agent: Wget/1.21.1 (linux-gnu)',