├── .github ├── PULL_REQUEST_TEMPLATE.md ├── workflows │ ├── sync-labels.yml │ ├── golangci-lint.yml │ ├── steampipe-anywhere.yml │ ├── registry-publish.yml │ ├── add-issue-to-project.yml │ └── stale.yml ├── ISSUE_TEMPLATE │ ├── feature-request---new-table.md │ ├── config.yml │ ├── bug_report.md │ └── feature_request.md └── dependabot.yml ├── Makefile ├── net ├── errors.go ├── plugin.go ├── connection_config.go ├── table_net_dns_reverse.go ├── table_net_connection.go ├── utils.go ├── table_net_http_request.go ├── table_net_tls_connection.go ├── table_net_dns_record.go └── table_net_certificate.go ├── main.go ├── config └── net.spc ├── constants ├── tls_version.go └── tls_cipher.go ├── .gitignore ├── .goreleaser.yml ├── docs ├── tables │ ├── net_dns_reverse.md │ ├── net_connection.md │ ├── net_dns_record.md │ ├── net_tls_connection.md │ ├── net_certificate.md │ └── net_http_request.md ├── index.md └── LICENSE ├── README.md ├── go.mod ├── CHANGELOG.md └── LICENSE /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | # Example query results 2 |
3 | Results 4 | 5 | ``` 6 | Add example SQL query results here (please include the input queries as well) 7 | ``` 8 |
9 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | STEAMPIPE_INSTALL_DIR ?= ~/.steampipe 2 | BUILD_TAGS = netgo 3 | install: 4 | go build -o $(STEAMPIPE_INSTALL_DIR)/plugins/hub.steampipe.io/plugins/turbot/net@latest/steampipe-plugin-net.plugin -tags "${BUILD_TAGS}" *.go 5 | -------------------------------------------------------------------------------- /net/errors.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import "strings" 4 | 5 | func shouldRetryError(err error) bool { 6 | if err != nil { 7 | if strings.Contains(err.Error(), "i/o timeout") { 8 | return true 9 | } 10 | } 11 | return false 12 | } 13 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/turbot/steampipe-plugin-net/net" 5 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 6 | ) 7 | 8 | func main() { 9 | plugin.Serve(&plugin.ServeOpts{PluginFunc: net.Plugin}) 10 | } 11 | -------------------------------------------------------------------------------- /.github/workflows/sync-labels.yml: -------------------------------------------------------------------------------- 1 | name: Sync Labels 2 | on: 3 | schedule: 4 | - cron: "30 22 * * 1" 5 | workflow_dispatch: 6 | 7 | jobs: 8 | sync_labels_workflow: 9 | uses: turbot/steampipe-workflows/.github/workflows/sync-labels.yml@main 10 | -------------------------------------------------------------------------------- /.github/workflows/golangci-lint.yml: -------------------------------------------------------------------------------- 1 | name: golangci-lint 2 | on: 3 | push: 4 | tags: 5 | - v* 6 | branches: 7 | - main 8 | pull_request: 9 | 10 | jobs: 11 | golangci_lint_workflow: 12 | uses: turbot/steampipe-workflows/.github/workflows/golangci-lint.yml@main 13 | -------------------------------------------------------------------------------- /config/net.spc: -------------------------------------------------------------------------------- 1 | connection "net" { 2 | plugin = "net" 3 | 4 | # Timeout in milliseconds for connection attempts. 5 | # timeout = 2000 6 | 7 | # DNS server and port used for queries. Defaults to using the Google 8 | # global public server. 9 | # dns_server = "8.8.8.8:53" 10 | } 11 | -------------------------------------------------------------------------------- /.github/workflows/steampipe-anywhere.yml: -------------------------------------------------------------------------------- 1 | name: Release Steampipe Anywhere Components 2 | 3 | on: 4 | push: 5 | tags: 6 | - 'v*' 7 | 8 | 9 | jobs: 10 | anywhere_publish_workflow: 11 | uses: turbot/steampipe-workflows/.github/workflows/steampipe-anywhere.yml@main 12 | secrets: inherit 13 | -------------------------------------------------------------------------------- /constants/tls_version.go: -------------------------------------------------------------------------------- 1 | package constants 2 | 3 | import "crypto/tls" 4 | 5 | // A map of TLS versions, along with their IDs 6 | var TLSVersions = map[string]uint16{ 7 | "TLS v1.0": tls.VersionTLS10, 8 | "TLS v1.1": tls.VersionTLS11, 9 | "TLS v1.2": tls.VersionTLS12, 10 | "TLS v1.3": tls.VersionTLS13, 11 | } 12 | -------------------------------------------------------------------------------- /.github/workflows/registry-publish.yml: -------------------------------------------------------------------------------- 1 | name: Build and Deploy OCI Image 2 | 3 | on: 4 | push: 5 | tags: 6 | - 'v*' 7 | 8 | jobs: 9 | registry_publish_workflow_ghcr: 10 | uses: turbot/steampipe-workflows/.github/workflows/registry-publish-ghcr.yml@main 11 | secrets: inherit 12 | with: 13 | releaseTimeout: 60m 14 | -------------------------------------------------------------------------------- /.github/workflows/add-issue-to-project.yml: -------------------------------------------------------------------------------- 1 | name: Assign Issue to Project 2 | 3 | on: 4 | issues: 5 | types: [opened] 6 | 7 | jobs: 8 | add-to-project: 9 | uses: turbot/steampipe-workflows/.github/workflows/assign-issue-to-project.yml@main 10 | with: 11 | issue_number: ${{ github.event.issue.number }} 12 | repository: ${{ github.repository }} 13 | secrets: inherit 14 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature-request---new-table.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request - New table 3 | about: Suggest a new table for this project 4 | title: Add table net_ 5 | labels: enhancement, new table 6 | assignees: '' 7 | 8 | --- 9 | 10 | **References** 11 | Add any related links that will help us understand the resource, including vendor documentation, related GitHub issues, and Go SDK documentation. 12 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Editor cache and lock files 2 | *.swp 3 | *.swo 4 | 5 | # Binaries for programs and plugins 6 | *.exe 7 | *.exe~ 8 | *.dll 9 | *.so 10 | *.dylib 11 | 12 | # Test binary, built with `go test -c` 13 | *.test 14 | 15 | # Output of the go coverage tool, specifically when used with LiteIDE 16 | *.out 17 | 18 | # Dependency directories (remove the comment below to include it) 19 | # vendor/ 20 | 21 | # Goland files 22 | .idea -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | name: Stale Issues and PRs 2 | on: 3 | schedule: 4 | - cron: "30 23 * * *" 5 | workflow_dispatch: 6 | inputs: 7 | dryRun: 8 | description: Set to true for a dry run 9 | required: false 10 | default: "false" 11 | type: string 12 | 13 | jobs: 14 | stale_workflow: 15 | uses: turbot/steampipe-workflows/.github/workflows/stale.yml@main 16 | with: 17 | dryRun: ${{ github.event.inputs.dryRun }} 18 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | contact_links: 3 | - name: Questions 4 | url: https://turbot.com/community/join 5 | about: GitHub issues in this repository are only intended for bug reports and feature requests. Other issues will be closed. Please ask and answer questions through the Steampipe Slack community. 6 | - name: Steampipe CLI Bug Reports and Feature Requests 7 | url: https://github.com/turbot/steampipe/issues/new/choose 8 | about: Steampipe CLI has its own codebase. Bug reports and feature requests for those pieces of functionality should be directed to that repository. -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **Steampipe version (`steampipe -v`)** 14 | Example: v0.3.0 15 | 16 | **Plugin version (`steampipe plugin list`)** 17 | Example: v0.5.0 18 | 19 | **To reproduce** 20 | Steps to reproduce the behavior (please include relevant code and/or commands). 21 | 22 | **Expected behavior** 23 | A clear and concise description of what you expected to happen. 24 | 25 | **Additional context** 26 | Add any other context about the problem here. 27 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: "gomod" # See documentation for possible values 9 | directory: "/" # Location of package manifests 10 | schedule: 11 | interval: "weekly" 12 | pull-request-branch-name: 13 | separator: "-" 14 | assignees: 15 | - "misraved" 16 | - "madhushreeray30" 17 | labels: 18 | - "dependencies" 19 | -------------------------------------------------------------------------------- /net/plugin.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import ( 4 | "context" 5 | 6 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 7 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin/transform" 8 | ) 9 | 10 | func Plugin(ctx context.Context) *plugin.Plugin { 11 | p := &plugin.Plugin{ 12 | Name: "steampipe-plugin-net", 13 | ConnectionConfigSchema: &plugin.ConnectionConfigSchema{ 14 | NewInstance: ConfigInstance, 15 | }, 16 | DefaultTransform: transform.FromGo().NullIfZero(), 17 | TableMap: map[string]*plugin.Table{ 18 | "net_certificate": tableNetCertificate(ctx), 19 | "net_connection": tableNetConnection(ctx), 20 | "net_dns_record": tableNetDNSRecord(ctx), 21 | "net_dns_reverse": tableNetDNSReverse(ctx), 22 | "net_http_request": tableNetHTTPRequest(), 23 | "net_tls_connection": tableNetTLSConnection(ctx), 24 | }, 25 | } 26 | return p 27 | } 28 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | # This is an example goreleaser.yaml file with some sane defaults. 2 | # Make sure to check the documentation at http://goreleaser.com 3 | before: 4 | hooks: 5 | - go mod tidy 6 | builds: 7 | - env: 8 | - CGO_ENABLED=0 9 | - GO111MODULE=on 10 | - GOPRIVATE=github.com/turbot 11 | goos: 12 | - linux 13 | - darwin 14 | 15 | goarch: 16 | - amd64 17 | - arm64 18 | 19 | id: "steampipe" 20 | binary: "{{ .ProjectName }}.plugin" 21 | flags: 22 | - -tags=netgo 23 | 24 | archives: 25 | - format: gz 26 | name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}" 27 | files: 28 | - none* 29 | checksum: 30 | name_template: "{{ .ProjectName }}_{{ .Version }}_SHA256SUMS" 31 | algorithm: sha256 32 | changelog: 33 | sort: asc 34 | filters: 35 | exclude: 36 | - "^docs:" 37 | - "^test:" 38 | -------------------------------------------------------------------------------- /net/connection_config.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import ( 4 | "context" 5 | "time" 6 | 7 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 8 | ) 9 | 10 | type netConfig struct { 11 | Timeout *int `hcl:"timeout"` 12 | DNSServer *string `hcl:"dns_server"` 13 | } 14 | 15 | func ConfigInstance() interface{} { 16 | return &netConfig{} 17 | } 18 | 19 | // GetConfig :: retrieve and cast connection config from query data 20 | func GetConfig(connection *plugin.Connection) netConfig { 21 | if connection == nil || connection.Config == nil { 22 | return netConfig{} 23 | } 24 | config, _ := connection.Config.(netConfig) 25 | return config 26 | } 27 | 28 | func GetConfigTimeout(ctx context.Context, d *plugin.QueryData) time.Duration { 29 | // default to 2000ms 30 | ts := 2000 31 | config := GetConfig(d.Connection) 32 | if config.Timeout != nil { 33 | ts = *config.Timeout 34 | } 35 | return time.Millisecond * time.Duration(ts) 36 | } 37 | 38 | func GetConfigDNSServerAndPort(ctx context.Context, d *plugin.QueryData) string { 39 | // default to Google 40 | s := "8.8.8.8:53" 41 | config := GetConfig(d.Connection) 42 | if config.DNSServer != nil { 43 | s = *config.DNSServer 44 | } 45 | return s 46 | } 47 | -------------------------------------------------------------------------------- /net/table_net_dns_reverse.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import ( 4 | "context" 5 | "net" 6 | 7 | "github.com/turbot/steampipe-plugin-sdk/v5/grpc/proto" 8 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 9 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin/transform" 10 | ) 11 | 12 | func tableNetDNSReverse(ctx context.Context) *plugin.Table { 13 | return &plugin.Table{ 14 | Name: "net_dns_reverse", 15 | Description: "Reverse DNS lookup from an IP address.", 16 | List: &plugin.ListConfig{ 17 | Hydrate: tableNetDNSReverseList, 18 | KeyColumns: plugin.SingleColumn("ip_address"), 19 | }, 20 | Columns: []*plugin.Column{ 21 | // Top columns 22 | {Name: "ip_address", Type: proto.ColumnType_IPADDR, Transform: transform.FromField("IPAddress"), Description: "IP address to lookup."}, 23 | // Other columns 24 | {Name: "domains", Type: proto.ColumnType_JSON, Description: "Domain names associated with the IP address."}, 25 | }, 26 | } 27 | } 28 | 29 | type tableNetDNSReverseRow struct { 30 | IPAddress string `json:"ip_address"` 31 | Domains []string `json:"domains"` 32 | } 33 | 34 | func tableNetDNSReverseList(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 35 | quals := d.EqualsQuals 36 | ip := quals["ip_address"].GetInetValue().GetAddr() 37 | result := tableNetDNSReverseRow{ 38 | IPAddress: ip, 39 | Domains: []string{}, 40 | } 41 | domains, err := net.LookupAddr(ip) 42 | if err != nil { 43 | if e, ok := err.(*net.DNSError); ok { 44 | if e.IsNotFound { 45 | return result, nil 46 | } 47 | } 48 | return nil, err 49 | } 50 | result.Domains = domains 51 | d.StreamListItem(ctx, result) 52 | return nil, nil 53 | } 54 | -------------------------------------------------------------------------------- /docs/tables/net_dns_reverse.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Steampipe Table: net_dns_reverse - Query DNS Reverse Zones using SQL" 3 | description: "Allows users to query DNS Reverse Zones, specifically the reverse DNS lookup information, providing insights into IP address mapping." 4 | --- 5 | 6 | # Table: net_dns_reverse - Query DNS Reverse Zones using SQL 7 | 8 | DNS service is a scalable, reliable, and managed Domain Name System (DNS) solution. It enables developers and businesses to route end users to internet applications by translating human-readable domain names (like www.example.com) into numeric IP addresses (like 192.0.2.1) that computers use to connect to each other. A Reverse DNS (rDNS) is the determination of a domain name associated with an IP address via querying DNS. 9 | 10 | ## Table Usage Guide 11 | 12 | The `net_dns_reverse` table provides insights into Reverse DNS Zones within Oracle Cloud Infrastructure's DNS service. As a network administrator, explore reverse DNS lookup details through this table, including IP address mapping and associated metadata. Utilize it to uncover information about IP addresses, such as their associated domain names, aiding in network troubleshooting and security investigations. 13 | 14 | **Important Notes** 15 | - You must specify the `ip_address` column in the `where` clause to query this table. 16 | 17 | ## Examples 18 | 19 | ### Find host names for an IP address 20 | Discover the host names associated with a specific IP address to better understand network connections and potential security risks. 21 | 22 | ```sql+postgres 23 | select 24 | * 25 | from 26 | net_dns_reverse 27 | where 28 | ip_address = '1.1.1.1'; 29 | ``` 30 | 31 | ```sql+sqlite 32 | select 33 | * 34 | from 35 | net_dns_reverse 36 | where 37 | ip_address = '1.1.1.1'; 38 | ``` -------------------------------------------------------------------------------- /docs/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | organization: Turbot 3 | category: ["internet"] 4 | icon_url: "/images/plugins/turbot/net.svg" 5 | brand_color: "#005A9C" 6 | display_name: Net 7 | name: net 8 | description: Steampipe plugin for querying DNS records, certificates and other network information. 9 | og_description: Query networking information with SQL! Zero ETL CLI. No DB required. 10 | og_image: "/images/plugins/turbot/net-social-graphic.png" 11 | engines: ["steampipe", "sqlite", "postgres", "export"] 12 | --- 13 | 14 | # Net + Steampipe 15 | 16 | [Steampipe](https://steampipe.io) is a CLI to instantly query cloud APIs using SQL. 17 | 18 | The net plugin is a set of utility tables for steampipe to query attributes of X.509 certificates associated with websites, DNS records, and connectivity to specific network socket addresses. 19 | 20 | For example: 21 | 22 | ```sql 23 | select 24 | issuer, 25 | not_after as exp_date 26 | from 27 | net_certificate 28 | where 29 | domain = 'steampipe.io'; 30 | ``` 31 | 32 | ```sh 33 | +----------------------------+---------------------+ 34 | | issuer | exp_date | 35 | +----------------------------+---------------------+ 36 | | CN=R3,O=Let's Encrypt,C=US | 2021-02-24 03:02:15 | 37 | +----------------------------+---------------------+ 38 | ``` 39 | 40 | ## Documentation 41 | 42 | - **[Table definitions & examples →](/plugins/turbot/net/tables)** 43 | 44 | ## Get started 45 | 46 | ### Install 47 | 48 | Download and install the latest Steampipe Net plugin: 49 | 50 | ```bash 51 | steampipe plugin install net 52 | ``` 53 | 54 | ### Credentials 55 | 56 | | Item | Description | 57 | | - | - | 58 | | Credentials | No creds required | 59 | | Permissions | n/a | 60 | | Radius | Steampipe limits searches to specific resources based on the provided `Quals` e.g. `domain` for certificates and DNS queries and `address` for network connection information | 61 | | Resolution | n/a | 62 | 63 | ### Configuration 64 | 65 | No configuration is needed. Installing the latest net plugin will create a config file (`~/.steampipe/config/net.spc`) with a single connection named `net`: 66 | 67 | ```hcl 68 | connection "net" { 69 | plugin = "net" 70 | } 71 | ``` 72 | 73 | 74 | -------------------------------------------------------------------------------- /net/table_net_connection.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import ( 4 | "context" 5 | "errors" 6 | "net" 7 | 8 | "github.com/turbot/steampipe-plugin-sdk/v5/grpc/proto" 9 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 10 | ) 11 | 12 | func tableNetConnection(ctx context.Context) *plugin.Table { 13 | return &plugin.Table{ 14 | Name: "net_connection", 15 | Description: "Test network connectivity to an address.", 16 | List: &plugin.ListConfig{ 17 | Hydrate: tableNetConnectionList, 18 | KeyColumns: []*plugin.KeyColumn{ 19 | {Name: "address"}, 20 | {Name: "protocol", Require: plugin.Optional}, 21 | }, 22 | }, 23 | Columns: []*plugin.Column{ 24 | // Top columns 25 | {Name: "protocol", Type: proto.ColumnType_STRING, Description: "Protocol type: tcp, tcp4 (IPv4-only), tcp6 (IPv6-only), udp, udp4 (IPv4-only), udp6 (IPv6-only), ip, ip4 (IPv4-only), ip6 (IPv6-only), unix, unixgram or unixpacket."}, 26 | {Name: "address", Type: proto.ColumnType_STRING, Description: "Address to connect to, as specified in https://golang.org/pkg/net/#Dial."}, 27 | // Other columns 28 | {Name: "connected", Type: proto.ColumnType_BOOL, Description: "True if the connection was successful."}, 29 | {Name: "error", Type: proto.ColumnType_STRING, Description: "Error message if the connection failed."}, 30 | {Name: "local_address", Type: proto.ColumnType_STRING, Description: "Local address (ip:port) for the successful connection."}, 31 | {Name: "remote_address", Type: proto.ColumnType_STRING, Description: "Remote address (ip:port) for the successful connection."}, 32 | }, 33 | } 34 | } 35 | 36 | type connectionRow struct { 37 | Protocol string `json:"protocol"` 38 | Address string `json:"address"` 39 | Connected bool `json:"connected"` 40 | Error string `json:"error"` 41 | LocalAddress string `json:"local_address"` 42 | RemoteAddress string `json:"remote_address"` 43 | } 44 | 45 | func tableNetConnectionList(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 46 | quals := d.EqualsQuals 47 | var protocol, address string 48 | if quals["protocol"] != nil { 49 | protocol = quals["protocol"].GetStringValue() 50 | } else { 51 | // Default to TCP 52 | protocol = "tcp" 53 | } 54 | if quals["address"] != nil { 55 | address = quals["address"].GetStringValue() 56 | } else { 57 | return nil, errors.New("address must be specified") 58 | } 59 | connectionResult, err := net.DialTimeout(protocol, address, GetConfigTimeout(ctx, d)) 60 | r := connectionRow{ 61 | Protocol: protocol, 62 | Address: address, 63 | } 64 | if err == nil { 65 | r.Connected = true 66 | r.LocalAddress = connectionResult.LocalAddr().String() 67 | r.RemoteAddress = connectionResult.RemoteAddr().String() 68 | } else { 69 | r.Error = err.Error() 70 | } 71 | d.StreamListItem(ctx, r) 72 | return nil, nil 73 | } 74 | -------------------------------------------------------------------------------- /docs/tables/net_connection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Steampipe Table: net_connection - Query Network Connection using SQL" 3 | description: "Allows users to query Network Connections, specifically providing insights into various network connections, their statuses, and related details." 4 | --- 5 | 6 | # Table: net_connection - Query Network Connection using SQL 7 | 8 | A Network Connection is a link between two or more nodes in a network. It enables the transfer of data between these nodes, which can include computers, servers, or other network-enabled devices. The status and details of these connections are crucial for network management and troubleshooting. 9 | 10 | ## Table Usage Guide 11 | 12 | The `net_connection` table provides insights into various network connections. As a Network Engineer or IT Administrator, you can explore connection-specific details through this table, including statuses, types, and associated metadata. Utilize it to monitor and manage network connections, ensure optimal data transfer, and troubleshoot any connection issues. 13 | 14 | **Important Notes** 15 | - You must specify the `address` column in the `where` clause to query this table. 16 | 17 | ## Examples 18 | 19 | ### Test a TCP connection (the default protocol) to steampipe.io on port 443 20 | Analyze the status of a TCP connection to a specific website and port. This can be useful for troubleshooting network connectivity issues or verifying that a service is reachable and responding as expected. 21 | 22 | ```sql+postgres 23 | select 24 | * 25 | from 26 | net_connection 27 | where 28 | address = 'steampipe.io:443'; 29 | ``` 30 | 31 | ```sql+sqlite 32 | select 33 | * 34 | from 35 | net_connection 36 | where 37 | address = 'steampipe.io:443'; 38 | ``` 39 | 40 | ### Test if SSH is open on server 68.183.153.44 41 | The query allows you to assess if a specific server has an open SSH connection. This is useful for identifying potential security vulnerabilities or for troubleshooting connectivity issues. 42 | 43 | ```sql+postgres 44 | select 45 | * 46 | from 47 | net_connection 48 | where 49 | address = '68.183.153.44:ssh'; 50 | ``` 51 | 52 | ```sql+sqlite 53 | select 54 | * 55 | from 56 | net_connection 57 | where 58 | address = '68.183.153.44:ssh'; 59 | ``` 60 | 61 | ### Test a UDP connection to DNS server 1.1.1.1 on port 53 62 | Explore whether a UDP connection to a DNS server on a specific port is active. This is useful to troubleshoot network connectivity issues or validate network configurations. 63 | 64 | ```sql+postgres 65 | select 66 | * 67 | from 68 | net_connection 69 | where 70 | protocol = 'udp' 71 | and address = '1.1.1.1:53'; 72 | ``` 73 | 74 | ```sql+sqlite 75 | select 76 | * 77 | from 78 | net_connection 79 | where 80 | protocol = 'udp' 81 | and address = '1.1.1.1:53'; 82 | ``` 83 | 84 | ### Test if RDP is open on server 65.2.9.152 85 | Explore whether the Remote Desktop Protocol (RDP) is open on a specific server to ensure secure connections and prevent unauthorized access. This is particularly useful in managing network security and maintaining control over remote access to your systems. 86 | 87 | ```sql+postgres 88 | select 89 | * 90 | from 91 | net_connection 92 | where 93 | protocol = 'tcp' 94 | and address = '65.2.9.152:3389'; 95 | ``` 96 | 97 | ```sql+sqlite 98 | select 99 | * 100 | from 101 | net_connection 102 | where 103 | protocol = 'tcp' 104 | and address = '65.2.9.152:3389'; 105 | ``` -------------------------------------------------------------------------------- /docs/tables/net_dns_record.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Steampipe Table: net_dns_record - Query DNS Records using SQL" 3 | description: "Allows users to query DNS Records, specifically the details of each DNS record, providing insights into the DNS configuration and potential issues." 4 | --- 5 | 6 | # Table: net_dns_record - Query DNS Records using SQL 7 | 8 | DNS service is a scalable, reliable, and managed Domain Name System (DNS) service that provides a high-performance, global footprint for your public-facing internet resources and resolves DNS zones. It enables you to distribute traffic to your endpoints and ensures high availability and failover, thus improving the performance of your web applications. 9 | 10 | ## Table Usage Guide 11 | 12 | The `net_dns_record` table provides insights into DNS Records. As a network administrator, you can explore DNS record-specific details through this table, including record types, domain names, and associated metadata. Utilize it to uncover information about DNS records, such as those with misconfigured settings, the association between domain names and IP addresses, and the verification of DNS record settings. 13 | 14 | **Important Notes** 15 | 16 | The default DNS server used for all requests is the Google global public server, 8.8.8.8. This default can be overriden in 2 ways: 17 | 18 | - Update the `dns_server` configuration argument. 19 | - Specify `dns_server` in the query, which overrides the default and `dns_server` configuration argument. For instance, to use Cloudflare's global public server instead: 20 | 21 | ```sql+postgres 22 | select 23 | * 24 | from 25 | net_dns_record 26 | where 27 | domain = 'steampipe.io' 28 | and dns_server = '1.1.1.1:53'; 29 | ``` 30 | 31 | ```sql+sqlite 32 | select 33 | * 34 | from 35 | net_dns_record 36 | where 37 | domain = 'steampipe.io' 38 | and dns_server = '1.1.1.1:53'; 39 | ``` 40 | 41 | - A `domain` must be provided in all queries to this table. 42 | 43 | ## Examples 44 | 45 | ### DNS records for a domain 46 | Explore DNS records associated with a specific domain to understand its configuration and structure. This could be beneficial for troubleshooting or auditing purposes. 47 | 48 | ```sql+postgres 49 | select 50 | * 51 | from 52 | net_dns_record 53 | where 54 | domain = 'steampipe.io'; 55 | ``` 56 | 57 | ```sql+sqlite 58 | select 59 | * 60 | from 61 | net_dns_record 62 | where 63 | domain = 'steampipe.io'; 64 | ``` 65 | 66 | ### List TXT records for a domain 67 | Explore the text records for a specific domain to understand its associated data and time-to-live values. This could be useful for verifying domain ownership or understanding security settings. 68 | 69 | ```sql+postgres 70 | select 71 | value, 72 | ttl 73 | from 74 | net_dns_record 75 | where 76 | domain = 'github.com' 77 | and type = 'TXT'; 78 | ``` 79 | 80 | ```sql+sqlite 81 | select 82 | value, 83 | ttl 84 | from 85 | net_dns_record 86 | where 87 | domain = 'github.com' 88 | and type = 'TXT'; 89 | ``` 90 | 91 | ### Mail server records for a domain in priority order 92 | Explore the priority order of mail servers for a specific domain. This is beneficial for understanding the order in which email will be delivered or rerouted if the primary server is not available. 93 | 94 | ```sql+postgres 95 | select 96 | target, 97 | priority, 98 | ttl 99 | from 100 | net_dns_record 101 | where 102 | domain = 'turbot.com' 103 | and type = 'MX' 104 | order by 105 | priority; 106 | ``` 107 | 108 | ```sql+sqlite 109 | select 110 | target, 111 | priority, 112 | ttl 113 | from 114 | net_dns_record 115 | where 116 | domain = 'turbot.com' 117 | and type = 'MX' 118 | order by 119 | priority; 120 | ``` -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![image](https://hub.steampipe.io/images/plugins/turbot/net-social-graphic.png) 2 | 3 | # Net Plugin for Steampipe 4 | 5 | Use SQL to query DNS records, certificates and other network information. Zero ETL CLI. No DB required. 6 | 7 | * **[Get started →](https://hub.steampipe.io/plugins/turbot/net)** 8 | * Documentation: [Table definitions & examples](https://hub.steampipe.io/plugins/turbot/net/tables) 9 | * Community: [Join #steampipe on Slack →](https://turbot.com/community/join) 10 | * Get involved: [Issues](https://github.com/turbot/steampipe-plugin-net/issues) 11 | 12 | ## Quick start 13 | 14 | Install the plugin with [Steampipe](https://steampipe.io): 15 | ```shell 16 | steampipe plugin install net 17 | ``` 18 | 19 | Run a query: 20 | ```sql 21 | select * from net_certificate where domain = 'steampipe.io'; 22 | ``` 23 | 24 | ## Engines 25 | 26 | This plugin is available for the following engines: 27 | 28 | | Engine | Description 29 | |---------------|------------------------------------------ 30 | | [Steampipe](https://steampipe.io/docs) | The Steampipe CLI exposes APIs and services as a high-performance relational database, giving you the ability to write SQL-based queries to explore dynamic data. Mods extend Steampipe's capabilities with dashboards, reports, and controls built with simple HCL. The Steampipe CLI is a turnkey solution that includes its own Postgres database, plugin management, and mod support. 31 | | [Postgres FDW](https://steampipe.io/docs/steampipe_postgres/overview) | Steampipe Postgres FDWs are native Postgres Foreign Data Wrappers that translate APIs to foreign tables. Unlike Steampipe CLI, which ships with its own Postgres server instance, the Steampipe Postgres FDWs can be installed in any supported Postgres database version. 32 | | [SQLite Extension](https://steampipe.io/docs/steampipe_sqlite/overview) | Steampipe SQLite Extensions provide SQLite virtual tables that translate your queries into API calls, transparently fetching information from your API or service as you request it. 33 | | [Export](https://steampipe.io/docs/steampipe_export/overview) | Steampipe Plugin Exporters provide a flexible mechanism for exporting information from cloud services and APIs. Each exporter is a stand-alone binary that allows you to extract data using Steampipe plugins without a database. 34 | | [Turbot Pipes](https://turbot.com/pipes/docs) | Turbot Pipes is the only intelligence, automation & security platform built specifically for DevOps. Pipes provide hosted Steampipe database instances, shared dashboards, snapshots, and more. 35 | 36 | ## Developing 37 | 38 | Prerequisites: 39 | - [Steampipe](https://steampipe.io/downloads) 40 | - [Golang](https://golang.org/doc/install) 41 | 42 | Clone: 43 | 44 | ```sh 45 | git clone https://github.com/turbot/steampipe-plugin-net.git 46 | cd steampipe-plugin-net 47 | ``` 48 | 49 | Build, which automatically installs the new version to your `~/.steampipe/plugins` directory: 50 | ``` 51 | make 52 | ``` 53 | 54 | Configure the plugin: 55 | ``` 56 | cp config/* ~/.steampipe/config 57 | ``` 58 | 59 | Try it! 60 | ``` 61 | steampipe query 62 | > .inspect net 63 | ``` 64 | 65 | Further reading: 66 | * [Writing plugins](https://steampipe.io/docs/develop/writing-plugins) 67 | * [Writing your first table](https://steampipe.io/docs/develop/writing-your-first-table) 68 | 69 | ## Open Source & Contributing 70 | 71 | This repository is published under the [Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0) (source code) and [CC BY-NC-ND](https://creativecommons.org/licenses/by-nc-nd/2.0/) (docs) licenses. Please see our [code of conduct](https://github.com/turbot/.github/blob/main/CODE_OF_CONDUCT.md). We look forward to collaborating with you! 72 | 73 | [Steampipe](https://steampipe.io) is a product produced from this open source software, exclusively by [Turbot HQ, Inc](https://turbot.com). It is distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our [Open Source FAQ](https://turbot.com/open-source). 74 | 75 | ## Get Involved 76 | 77 | **[Join #steampipe on Slack →](https://turbot.com/community/join)** 78 | 79 | Want to help but don't know where to start? Pick up one of the `help wanted` issues: 80 | - [Steampipe](https://github.com/turbot/steampipe/labels/help%20wanted) 81 | - [Net Plugin](https://github.com/turbot/steampipe-plugin-net/labels/help%20wanted) 82 | -------------------------------------------------------------------------------- /docs/tables/net_tls_connection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Steampipe Table: net_tls_connection - Query Network TLS Connections using SQL" 3 | description: "Allows users to query Network TLS Connections, specifically details about SSL/TLS connections established by the system, providing insights into connection parameters and potential security issues." 4 | --- 5 | 6 | # Table: net_tls_connection - Query Network TLS Connections using SQL 7 | 8 | A Network TLS Connection is a secure connection established between two systems using the Transport Layer Security (TLS) protocol. This protocol provides privacy and data integrity between applications communicating over a network. Information about these connections can be useful in understanding network traffic patterns and identifying potential security vulnerabilities. 9 | 10 | ## Table Usage Guide 11 | 12 | The `net_tls_connection` table provides insights into the SSL/TLS connections established by your system. As a network administrator or security analyst, explore connection-specific details through this table, including connection parameters, encryption algorithms used, and certificate details. Utilize it to uncover information about connections, such as those using weak encryption algorithms, expired certificates, and potential security vulnerabilities. 13 | 14 | **Important Notes** 15 | - You must specify the `address` column of the format address:port (e.g., steamipe.io:443) in the `where` clause to query this table. 16 | - You can also provide a protocol version and/or cipher suite to verify specific TLS connection requirements. For example: 17 | 18 | ```sql+postgres 19 | select 20 | * 21 | from 22 | net_tls_connection 23 | where 24 | address = 'steampipe.io:443' 25 | and version = 'TLS v1.3' 26 | and cipher_suite_name = 'TLS_AES_128_GCM_SHA256'; 27 | ``` 28 | 29 | ```sql+sqlite 30 | select 31 | * 32 | from 33 | net_tls_connection 34 | where 35 | address = 'steampipe.io:443' 36 | and version = 'TLS v1.3' 37 | and cipher_suite_name = 'TLS_AES_128_GCM_SHA256'; 38 | ``` 39 | 40 | - SSL protocols (e.g. SSL v3 and SSL v2) are not supported by this table. 41 | - This table supports a limited set of cipher suites, as defined by the [TLS package](https://pkg.go.dev/crypto/tls#pkg-constants). 42 | 43 | ## Examples 44 | 45 | ### List all supported protocols and cipher suites for which a TLS connection could be established 46 | Explore which protocols and cipher suites can successfully establish a TLS connection to a specific address. This can be useful to ensure secure and compatible connections in your network communication. 47 | 48 | ```sql+postgres 49 | select 50 | address, 51 | version, 52 | cipher_suite_name, 53 | handshake_completed 54 | from 55 | net_tls_connection 56 | where 57 | address = 'steampipe.io:443' 58 | and handshake_completed; 59 | ``` 60 | 61 | ```sql+sqlite 62 | select 63 | address, 64 | version, 65 | cipher_suite_name, 66 | handshake_completed 67 | from 68 | net_tls_connection 69 | where 70 | address = 'steampipe.io:443' 71 | and handshake_completed; 72 | ``` 73 | 74 | ### Check TLS handshake with a certain protocol and cipher suite 75 | Identify instances where a specific protocol and cipher suite have successfully completed a TLS handshake with a particular server. This can be useful to ensure secure communication and confirm the server's compatibility with desired security standards. 76 | 77 | ```sql+postgres 78 | select 79 | address, 80 | version, 81 | cipher_suite_name, 82 | handshake_completed 83 | from 84 | net_tls_connection 85 | where 86 | address = 'steampipe.io:443' 87 | and version = 'TLS v1.3' 88 | and cipher_suite_name = 'TLS_AES_128_GCM_SHA256'; 89 | ``` 90 | 91 | ```sql+sqlite 92 | select 93 | address, 94 | version, 95 | cipher_suite_name, 96 | handshake_completed 97 | from 98 | net_tls_connection 99 | where 100 | address = 'steampipe.io:443' 101 | and version = 'TLS v1.3' 102 | and cipher_suite_name = 'TLS_AES_128_GCM_SHA256'; 103 | ``` 104 | 105 | ### Check if a server allows connections with an insecure cipher suite 106 | Determine if a server is susceptible to security risks by identifying connections that use potentially insecure cipher suites. This can be useful for enhancing security measures and preventing potential cyber threats. 107 | 108 | ```sql+postgres 109 | select 110 | address, 111 | version, 112 | cipher_suite_name, 113 | handshake_completed 114 | from 115 | net_tls_connection 116 | where 117 | address = 'steampipe.io:443' 118 | and cipher_suite_name in ('TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256') 119 | and handshake_completed; 120 | ``` 121 | 122 | ```sql+sqlite 123 | select 124 | address, 125 | version, 126 | cipher_suite_name, 127 | handshake_completed 128 | from 129 | net_tls_connection 130 | where 131 | address = 'steampipe.io:443' 132 | and cipher_suite_name in ('TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256') 133 | and handshake_completed = 1; 134 | ``` -------------------------------------------------------------------------------- /docs/tables/net_certificate.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Steampipe Table: net_certificate - Query Net Certificates using SQL" 3 | description: "Allows users to query Net Certificates, providing details about the certificate's validity, issuer, subject, and other related information." 4 | --- 5 | 6 | # Table: net_certificate - Query Net Certificates using SQL 7 | 8 | A Net Certificate is a digital document that verifies a server's details. When a browser initiates a connection with a secure website, the web server sends its public key certificate for the browser to check. This document contains the server's public key, the certificate's validity dates, and an identifier for the certificate authority (CA) that issued the certificate. 9 | 10 | ## Table Usage Guide 11 | 12 | The `net_certificate` table provides insights into Net Certificates. As a Security Analyst, explore certificate-specific details through this table, including issuer, subject, validity, and associated metadata. Utilize it to uncover information about certificates, such as their validity status, issuer details, and the verification of the certificate authority. 13 | 14 | **Important Notes** 15 | - You must specify the `address` column of the format address:port (e.g., steamipe.io:443) in the `where` clause to query this table. 16 | 17 | ## Examples 18 | 19 | ### Basic info 20 | Analyze the settings to understand the security certificates associated with a specific web address, such as 'steampipe.io:443'. This can be useful for assessing the security status and identifying any potential issues or vulnerabilities. 21 | 22 | ```sql+postgres 23 | select 24 | * 25 | from 26 | net_certificate 27 | where 28 | address = 'steampipe.io:443'; 29 | ``` 30 | 31 | ```sql+sqlite 32 | select 33 | * 34 | from 35 | net_certificate 36 | where 37 | address = 'steampipe.io:443'; 38 | ``` 39 | 40 | ### Get time until the certificate expires 41 | Determine the remaining validity period of a specific certificate. This query is useful in monitoring and ensuring that the certificate does not expire unexpectedly, thereby preventing potential service interruptions. 42 | 43 | ```sql+postgres 44 | select 45 | address, 46 | age(not_after, current_timestamp) as time_until_expiration 47 | from 48 | net_certificate 49 | where 50 | address = 'steampipe.io:443'; 51 | ``` 52 | 53 | ```sql+sqlite 54 | select 55 | address, 56 | julianday(not_after) - julianday(current_timestamp) as time_until_expiration 57 | from 58 | net_certificate 59 | where 60 | address = 'steampipe.io:443'; 61 | ``` 62 | 63 | ### Check if the certificate is currently valid 64 | Explore which security certificates are currently valid by assessing their validity periods. This is particularly useful to ensure your connections to certain addresses, like 'steampipe.io:443', are secure and up-to-date. 65 | 66 | ```sql+postgres 67 | select 68 | address, 69 | not_before, 70 | not_after 71 | from 72 | net_certificate 73 | where 74 | address = 'steampipe.io:443' 75 | and not_before < current_timestamp 76 | and not_after > current_timestamp; 77 | ``` 78 | 79 | ```sql+sqlite 80 | select 81 | address, 82 | not_before, 83 | not_after 84 | from 85 | net_certificate 86 | where 87 | address = 'steampipe.io:443' 88 | and not_before < datetime('now') 89 | and not_after > datetime('now'); 90 | ``` 91 | 92 | ### Check if the certificate was revoked by the CA 93 | Determine if a specific website's security certificate has been revoked by the certificate authority. This is useful for understanding the security status of your web connections. 94 | 95 | ```sql+postgres 96 | select 97 | address, 98 | not_before, 99 | not_after 100 | from 101 | net_certificate 102 | where 103 | address = 'steampipe.io:443' 104 | and revoked; 105 | ``` 106 | 107 | ```sql+sqlite 108 | select 109 | address, 110 | not_before, 111 | not_after 112 | from 113 | net_certificate 114 | where 115 | address = 'steampipe.io:443' 116 | and revoked; 117 | ``` 118 | 119 | ### Check certificate revocation status with OCSP 120 | Determine the revocation status of a certificate using Online Certificate Status Protocol (OCSP). This can help in identifying if a certificate has been revoked, and if so, when it happened, which is crucial for maintaining secure online connections. 121 | 122 | ```sql+postgres 123 | select 124 | address, 125 | ocsp ->> 'status' as revocation_status, 126 | ocsp ->> 'revoked_at' as revoked_at 127 | from 128 | net_certificate 129 | where 130 | address = 'steampipe.io:443'; 131 | ``` 132 | 133 | ```sql+sqlite 134 | select 135 | address, 136 | json_extract(ocsp, '$.status') as revocation_status, 137 | json_extract(ocsp, '$.revoked_at') as revoked_at 138 | from 139 | net_certificate 140 | where 141 | address = 'steampipe.io:443'; 142 | ``` 143 | 144 | ### Check if certificate using insecure algorithm (e.g., MD2, MD5, SHA1) 145 | Explore which digital certificates are using insecure algorithms, such as MD2, MD5, or SHA1. This query is beneficial for identifying potential security risks associated with outdated or weak cryptographic algorithms. 146 | 147 | ```sql+postgres 148 | select 149 | address, 150 | not_before, 151 | not_after, 152 | signature_algorithm 153 | from 154 | net_certificate 155 | where 156 | address = 'steampipe.io:443' 157 | and signature_algorithm like any (array['%SHA1%', '%MD2%', '%MD5%']); 158 | ``` 159 | 160 | ```sql+sqlite 161 | select 162 | address, 163 | not_before, 164 | not_after, 165 | signature_algorithm 166 | from 167 | net_certificate 168 | where 169 | address = 'steampipe.io:443' 170 | and (signature_algorithm like '%SHA1%' or signature_algorithm like '%MD2%' or signature_algorithm like '%MD5%'); 171 | ``` -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/turbot/steampipe-plugin-net 2 | 3 | go 1.24 4 | 5 | toolchain go1.24.1 6 | 7 | require ( 8 | github.com/miekg/dns v1.1.50 9 | github.com/sethvargo/go-retry v0.2.4 10 | github.com/turbot/steampipe-plugin-sdk/v5 v5.13.1 11 | golang.org/x/crypto v0.36.0 12 | golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 13 | ) 14 | 15 | require ( 16 | cloud.google.com/go v0.112.1 // indirect 17 | cloud.google.com/go/compute/metadata v0.3.0 // indirect 18 | cloud.google.com/go/iam v1.1.6 // indirect 19 | cloud.google.com/go/storage v1.38.0 // indirect 20 | github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect 21 | github.com/agext/levenshtein v1.2.3 // indirect 22 | github.com/allegro/bigcache/v3 v3.1.0 // indirect 23 | github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect 24 | github.com/aws/aws-sdk-go v1.44.183 // indirect 25 | github.com/beorn7/perks v1.0.1 // indirect 26 | github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect 27 | github.com/btubbs/datetime v0.1.1 // indirect 28 | github.com/cenkalti/backoff/v4 v4.3.0 // indirect 29 | github.com/cespare/xxhash/v2 v2.3.0 // indirect 30 | github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964 // indirect 31 | github.com/dgraph-io/ristretto v0.2.0 // indirect 32 | github.com/dustin/go-humanize v1.0.1 // indirect 33 | github.com/eko/gocache/lib/v4 v4.1.6 // indirect 34 | github.com/eko/gocache/store/bigcache/v4 v4.2.1 // indirect 35 | github.com/eko/gocache/store/ristretto/v4 v4.2.1 // indirect 36 | github.com/fatih/color v1.17.0 // indirect 37 | github.com/felixge/httpsnoop v1.0.4 // indirect 38 | github.com/fsnotify/fsnotify v1.7.0 // indirect 39 | github.com/gertd/go-pluralize v0.2.1 // indirect 40 | github.com/ghodss/yaml v1.0.0 // indirect 41 | github.com/go-logr/logr v1.4.1 // indirect 42 | github.com/go-logr/stdr v1.2.2 // indirect 43 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 44 | github.com/golang/mock v1.6.0 // indirect 45 | github.com/golang/protobuf v1.5.4 // indirect 46 | github.com/google/go-cmp v0.6.0 // indirect 47 | github.com/google/s2a-go v0.1.7 // indirect 48 | github.com/google/uuid v1.6.0 // indirect 49 | github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect 50 | github.com/googleapis/gax-go/v2 v2.12.3 // indirect 51 | github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect 52 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 53 | github.com/hashicorp/go-getter v1.7.9 // indirect 54 | github.com/hashicorp/go-hclog v1.6.3 // indirect 55 | github.com/hashicorp/go-plugin v1.6.1 // indirect 56 | github.com/hashicorp/go-safetemp v1.0.0 // indirect 57 | github.com/hashicorp/go-version v1.7.0 // indirect 58 | github.com/hashicorp/hcl/v2 v2.20.1 // indirect 59 | github.com/hashicorp/yamux v0.1.1 // indirect 60 | github.com/iancoleman/strcase v0.3.0 // indirect 61 | github.com/jmespath/go-jmespath v0.4.0 // indirect 62 | github.com/klauspost/compress v1.17.2 // indirect 63 | github.com/mattn/go-colorable v0.1.13 // indirect 64 | github.com/mattn/go-isatty v0.0.20 // indirect 65 | github.com/mattn/go-runewidth v0.0.15 // indirect 66 | github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect 67 | github.com/mitchellh/go-homedir v1.1.0 // indirect 68 | github.com/mitchellh/go-testing-interface v1.14.1 // indirect 69 | github.com/mitchellh/go-wordwrap v1.0.0 // indirect 70 | github.com/mitchellh/mapstructure v1.5.0 // indirect 71 | github.com/oklog/run v1.0.0 // indirect 72 | github.com/olekukonko/tablewriter v0.0.5 // indirect 73 | github.com/pkg/errors v0.9.1 // indirect 74 | github.com/prometheus/client_golang v1.14.0 // indirect 75 | github.com/prometheus/client_model v0.3.0 // indirect 76 | github.com/prometheus/common v0.37.0 // indirect 77 | github.com/prometheus/procfs v0.8.0 // indirect 78 | github.com/rivo/uniseg v0.2.0 // indirect 79 | github.com/stevenle/topsort v0.2.0 // indirect 80 | github.com/tkrajina/go-reflector v0.5.6 // indirect 81 | github.com/turbot/go-kit v1.1.0 // indirect 82 | github.com/ulikunitz/xz v0.5.15 // indirect 83 | github.com/zclconf/go-cty v1.14.4 // indirect 84 | go.opencensus.io v0.24.0 // indirect 85 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect 86 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect 87 | go.opentelemetry.io/otel v1.26.0 // indirect 88 | go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.26.0 // indirect 89 | go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 // indirect 90 | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0 // indirect 91 | go.opentelemetry.io/otel/metric v1.26.0 // indirect 92 | go.opentelemetry.io/otel/sdk v1.26.0 // indirect 93 | go.opentelemetry.io/otel/sdk/metric v1.26.0 // indirect 94 | go.opentelemetry.io/otel/trace v1.26.0 // indirect 95 | go.opentelemetry.io/proto/otlp v1.2.0 // indirect 96 | golang.org/x/mod v0.19.0 // indirect 97 | golang.org/x/net v0.38.0 // indirect 98 | golang.org/x/oauth2 v0.27.0 // indirect 99 | golang.org/x/sync v0.12.0 // indirect 100 | golang.org/x/sys v0.31.0 // indirect 101 | golang.org/x/text v0.23.0 // indirect 102 | golang.org/x/time v0.5.0 // indirect 103 | golang.org/x/tools v0.23.0 // indirect 104 | google.golang.org/api v0.171.0 // indirect 105 | google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect 106 | google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 // indirect 107 | google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect 108 | google.golang.org/grpc v1.66.0 // indirect 109 | google.golang.org/protobuf v1.34.2 // indirect 110 | gopkg.in/yaml.v2 v2.4.0 // indirect 111 | ) 112 | -------------------------------------------------------------------------------- /docs/tables/net_http_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Steampipe Table: net_http_request - Query Network HTTP Requests using SQL" 3 | description: "Allows users to query Network HTTP Requests, specifically details about HTTP requests and responses, providing insights into network traffic patterns and potential anomalies." 4 | --- 5 | 6 | # Table: net_http_request - Query Network HTTP Requests using SQL 7 | 8 | A Network HTTP Request is a service that allows you to send HTTP requests and receive HTTP responses over the network. It provides a way to interact with web services and retrieve information from web servers. Network HTTP Request helps you communicate with other services, fetch data from various sources, and interact with APIs. 9 | 10 | ## Table Usage Guide 11 | 12 | The `net_http_request` table provides insights into HTTP requests and responses over the network. As a Network Engineer or a Developer, explore details through this table, including request method, status code, response time, and associated metadata. Utilize it to monitor network traffic, analyze performance of your web services, and troubleshoot issues related to HTTP requests and responses. 13 | 14 | **Important Notes** 15 | - You must specify the `url` column in the `where` clause to query this table. 16 | 17 | ## Examples 18 | 19 | ### Send a GET request to GitHub API 20 | Explore how to evaluate the response from a specific URL, in this case, GitHub's API. This query can be used to understand the status and details of a response from a GET request to a web service, thereby aiding in API monitoring and troubleshooting. 21 | 22 | ```sql+postgres 23 | select 24 | url, 25 | method, 26 | response_status_code, 27 | jsonb_pretty(response_body::jsonb) as response_body 28 | from 29 | net_http_request 30 | where 31 | url = 'https://api.github.com/users/github'; 32 | ``` 33 | 34 | ```sql+sqlite 35 | select 36 | url, 37 | method, 38 | response_status_code, 39 | response_body as response_body 40 | from 41 | net_http_request 42 | where 43 | url = 'https://api.github.com/users/github'; 44 | ``` 45 | 46 | ### Send a GET request with a modified user agent 47 | Explore the results of sending a GET request with a modified user agent. This can be useful to test how your website or application responds to different user agents. 48 | 49 | ```sql+postgres 50 | select 51 | url, 52 | method, 53 | response_status_code, 54 | jsonb_pretty(request_headers) as request_headers, 55 | response_body 56 | from 57 | net_http_request 58 | where 59 | url = 'http://httpbin.org/user-agent' 60 | and request_headers = jsonb_object( 61 | '{user-agent, accept}', 62 | '{steampipe-test-user, application/json}' 63 | ); 64 | ``` 65 | 66 | ```sql+sqlite 67 | select 68 | url, 69 | method, 70 | response_status_code, 71 | request_headers, 72 | response_body 73 | from 74 | net_http_request 75 | where 76 | url = 'http://httpbin.org/user-agent' 77 | and request_headers = '{"user-agent":"steampipe-test-user", "accept":"application/json"}'; 78 | ``` 79 | 80 | ### Send a POST request with request body and headers 81 | This query allows you to send a POST request to a specified URL with a custom request body and headers. This can be useful for testing API endpoints, examining the response, and ensuring the server is correctly processing your request data. 82 | 83 | ```sql+postgres 84 | select 85 | url, 86 | method, 87 | response_status_code, 88 | jsonb_pretty(request_headers) as request_headers, 89 | response_body 90 | from 91 | net_http_request 92 | where 93 | url = 'http://httpbin.org/anything' 94 | and method = 'POST' 95 | and request_body = jsonb_object( 96 | '{username, password}', 97 | '{steampipe, test_password}' 98 | )::text 99 | and request_headers = jsonb_object( 100 | '{content-type}', 101 | '{application/json}' 102 | ); 103 | ``` 104 | 105 | ```sql+sqlite 106 | select 107 | url, 108 | method, 109 | response_status_code, 110 | request_headers, 111 | response_body 112 | from 113 | net_http_request 114 | where 115 | url = 'http://httpbin.org/anything' 116 | and method = 'POST' 117 | and request_body = '{"username":"steampipe", "password":"test_password"}' 118 | and request_headers = '{"content-type":"application/json"}'; 119 | ``` 120 | 121 | ### Send a GET request with multiple values for a request header 122 | Discover the response details of a GET request sent to a specific URL, with multiple values for a request header. This can be useful for debugging or validating how your application handles different header configurations. 123 | 124 | ```sql+postgres 125 | select 126 | url, 127 | method, 128 | response_status_code, 129 | jsonb_pretty(request_headers) as request_headers, 130 | response_body 131 | from 132 | net_http_request 133 | where 134 | url = 'http://httpbin.org/anything' 135 | and request_headers = '{ 136 | "authorization": "Basic YWxhZGRpbjpvcGVuc2VzYW2l", 137 | "accept": ["application/json", "application/xml"] 138 | }'::jsonb; 139 | ``` 140 | 141 | ```sql+sqlite 142 | select 143 | url, 144 | method, 145 | response_status_code, 146 | request_headers, 147 | response_body 148 | from 149 | net_http_request 150 | where 151 | url = 'http://httpbin.org/anything' 152 | and request_headers = '{ 153 | "authorization": "Basic YWxhZGRpbjpvcGVuc2VzYW2l", 154 | "accept": ["application/json", "application/xml"] 155 | }'; 156 | ``` 157 | 158 | ### Check for HTTP Strict Transport Security (HSTS) protection 159 | Analyze the settings to understand whether a specific website, in this case, Microsoft's, has HTTP Strict Transport Security (HSTS) protection enabled. This query is useful in identifying potential security vulnerabilities related to data transmission. 160 | 161 | ```sql+postgres 162 | select 163 | url, 164 | method, 165 | response_status_code, 166 | case 167 | when response_headers -> 'Strict-Transport-Security' is not null then 'enabled' 168 | else 'disabled' 169 | end as hsts_protection 170 | from 171 | net_http_request 172 | where 173 | url = 'http://microsoft.com'; 174 | ``` 175 | 176 | ```sql+sqlite 177 | select 178 | url, 179 | method, 180 | response_status_code, 181 | case 182 | when json_extract(response_headers, '$.Strict-Transport-Security') is not null then 'enabled' 183 | else 'disabled' 184 | end as hsts_protection 185 | from 186 | net_http_request 187 | where 188 | url = 'http://microsoft.com'; 189 | ``` -------------------------------------------------------------------------------- /net/utils.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import ( 4 | "context" 5 | "crypto/tls" 6 | "net/http" 7 | "time" 8 | "unicode/utf8" 9 | 10 | "golang.org/x/exp/slices" 11 | 12 | "github.com/sethvargo/go-retry" 13 | "github.com/turbot/steampipe-plugin-sdk/v5/grpc/proto" 14 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 15 | ) 16 | 17 | func getQuals(qualValue *proto.QualValue) []string { 18 | var data []string 19 | // Check for nil 20 | if qualValue == nil { 21 | return data 22 | } 23 | if qualList := qualValue.GetListValue(); qualList != nil { 24 | for _, q := range qualList.Values { 25 | data = append(data, q.GetStringValue()) 26 | } 27 | } else { 28 | data = append(data, qualValue.GetStringValue()) 29 | } 30 | return data 31 | } 32 | 33 | func getAuthHeaderQuals(qualValue *proto.QualValue) (authHeader string, present bool) { 34 | if qualValue == nil { 35 | return "", false 36 | } 37 | if qualList := qualValue.GetListValue(); qualList != nil { 38 | for _, q := range qualList.Values { 39 | return q.GetStringValue(), true 40 | } 41 | } 42 | return qualValue.GetStringValue(), true 43 | } 44 | 45 | func addRequestHeaders(request *http.Request, headers map[string]interface{}) *http.Request { 46 | for header, value := range headers { 47 | content, isArray := value.([]interface{}) 48 | if isArray { 49 | for _, i := range content { 50 | request.Header.Add(header, i.(string)) 51 | } 52 | } else { 53 | request.Header.Add(header, value.(string)) 54 | } 55 | } 56 | return request 57 | } 58 | 59 | type tableNetWebRequestRow struct { 60 | Url string 61 | Method string 62 | RequestBody string 63 | RequestHeaders string 64 | FollowRedirects bool 65 | Status int 66 | ResponseStatusCode int 67 | ResponseHeaders map[string][]string 68 | ResponseBody string 69 | Error string 70 | HeaderContentSecurityPolicy string 71 | HeaderStrictTransportSecurity string 72 | HeaderContentType string 73 | HeaderCrossSiteScriptingProtection string 74 | HeaderPermissionsPolicy string 75 | HeaderReferrerPolicy string 76 | HeaderXFrameOptions string 77 | HeaderXContentTypeOptions string 78 | } 79 | 80 | type baseRequestAttributes struct { 81 | Url string 82 | Methods []string 83 | RequestBody string 84 | Headers map[string]interface{} 85 | } 86 | 87 | func removeInvalidUTF8Char(str string) string { 88 | if !utf8.ValidString(str) { 89 | v := make([]rune, 0, len(str)) 90 | for i, r := range str { 91 | if r == utf8.RuneError { 92 | _, size := utf8.DecodeRuneInString(str[i:]) 93 | if size == 1 { 94 | continue 95 | } 96 | } 97 | v = append(v, r) 98 | } 99 | str = string(v) 100 | } 101 | return str 102 | } 103 | 104 | func getQualListValues(ctx context.Context, quals map[string]*proto.QualValue, qualName string) []string { 105 | values := make([]string, 0) 106 | if quals[qualName].GetStringValue() != "" { 107 | values = append(values, quals[qualName].GetStringValue()) 108 | } else if quals[qualName].GetListValue() != nil { 109 | for _, value := range quals[qualName].GetListValue().Values { 110 | str := value.GetStringValue() 111 | values = append(values, str) 112 | } 113 | } 114 | return values 115 | } 116 | 117 | // List all cipher suites supported by `crypto/tls` package 118 | func cipherSuites() []*tls.CipherSuite { 119 | allCiphers := tls.CipherSuites() 120 | 121 | // also append insecure ciphers 122 | allCiphers = append(allCiphers, tls.InsecureCipherSuites()...) 123 | return allCiphers 124 | } 125 | 126 | // List all cipher suites supported by TLS v1.3 127 | func cipherSuitesTLS13() []string { 128 | allCiphers := cipherSuites() 129 | var ciphersTLS13 []string 130 | 131 | for _, i := range allCiphers { 132 | if slices.Contains(i.SupportedVersions, tls.VersionTLS13) { 133 | ciphersTLS13 = append(ciphersTLS13, i.Name) 134 | } 135 | } 136 | return ciphersTLS13 137 | } 138 | 139 | // List all cipher suites supported by TLS v1.2 140 | func cipherSuitesTLS12() []string { 141 | allCiphers := cipherSuites() 142 | var ciphersTLS12 []string 143 | 144 | for _, i := range allCiphers { 145 | if slices.Contains(i.SupportedVersions, tls.VersionTLS12) { 146 | ciphersTLS12 = append(ciphersTLS12, i.Name) 147 | } 148 | } 149 | return ciphersTLS12 150 | } 151 | 152 | // List all cipher suites supported by TLS v1.0 - TLS v1.1 153 | func cipherSuitesUptoTLS11() []string { 154 | allCiphers := cipherSuites() 155 | var ciphersUptoTLS11 []string 156 | 157 | for _, i := range allCiphers { 158 | if slices.Contains(i.SupportedVersions, tls.VersionTLS12) || slices.Contains(i.SupportedVersions, tls.VersionTLS11) || slices.Contains(i.SupportedVersions, tls.VersionTLS10) { 159 | ciphersUptoTLS11 = append(ciphersUptoTLS11, i.Name) 160 | } 161 | } 162 | return ciphersUptoTLS11 163 | } 164 | 165 | // Check if given cipher suite is supported by the given protocol version 166 | func cipherSuiteIsSupported(protocol string, cipher string) bool { 167 | switch protocol { 168 | case "TLS v1.0": 169 | case "TLS v1.1": 170 | ciphers := cipherSuitesUptoTLS11() 171 | return slices.Contains(ciphers, cipher) 172 | case "TLS v1.2": 173 | ciphers := cipherSuitesTLS12() 174 | return slices.Contains(ciphers, cipher) 175 | case "TLS v1.3": 176 | ciphers := cipherSuitesTLS13() 177 | return slices.Contains(ciphers, cipher) 178 | } 179 | return false 180 | } 181 | 182 | // Invokes the hydrate function with retryable errors and retries the function until the maximum attempts before throwing error 183 | func retryHydrate(ctx context.Context, d *plugin.QueryData, hydrateData *plugin.HydrateData, hydrateFunc plugin.HydrateFunc) (interface{}, error) { 184 | 185 | // Retry configs 186 | maxRetries := 10 187 | interval := time.Duration(500) 188 | 189 | // Create the backoff based on the given mode 190 | backoff := retry.NewFibonacci(interval * time.Millisecond) 191 | 192 | 193 | // Ensure the maximum value is 2.5s. In this scenario, the sleep values would be 194 | // 0.5s, 0.5s, 1s, 1.5s, 2.5s, 2.5s, 2.5s... 195 | backoff = retry.WithCappedDuration(2500*time.Millisecond, backoff) 196 | 197 | var hydrateResult interface{} 198 | 199 | err := retry.Do(ctx, retry.WithMaxRetries(uint64(maxRetries), backoff), func(ctx context.Context) error { 200 | var err error 201 | hydrateResult, err = hydrateFunc(ctx, d, hydrateData) 202 | if err != nil { 203 | if shouldRetryError(err) { 204 | err = retry.RetryableError(err) 205 | } 206 | } 207 | return err 208 | }) 209 | 210 | return hydrateResult, err 211 | } 212 | -------------------------------------------------------------------------------- /net/table_net_http_request.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import ( 4 | "bytes" 5 | "context" 6 | "encoding/json" 7 | "fmt" 8 | "net/http" 9 | "strings" 10 | 11 | "github.com/turbot/steampipe-plugin-sdk/v5/grpc/proto" 12 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 13 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin/transform" 14 | ) 15 | 16 | //// TABLE DEFINITION 17 | 18 | func tableNetHTTPRequest() *plugin.Table { 19 | return &plugin.Table{ 20 | Name: "net_http_request", 21 | Description: "An HTTP request is made by a client, to a named host, which is located on a server.", 22 | List: &plugin.ListConfig{ 23 | ParentHydrate: listBaseRequestAttributes, 24 | Hydrate: listRequestResponses, 25 | KeyColumns: plugin.KeyColumnSlice{ 26 | {Name: "url", Require: plugin.Required}, 27 | {Name: "method", Require: plugin.Optional, CacheMatch: "exact"}, 28 | {Name: "follow_redirects", Require: plugin.Optional, Operators: []string{"=", "<>"}, CacheMatch: "exact"}, 29 | {Name: "request_headers", Require: plugin.Optional, CacheMatch: "exact"}, 30 | {Name: "request_body", Require: plugin.Optional, CacheMatch: "exact"}, 31 | }, 32 | }, 33 | Columns: []*plugin.Column{ 34 | {Name: "url", Transform: transform.FromField("Url"), Type: proto.ColumnType_STRING, Description: "URL of the site."}, 35 | {Name: "method", Type: proto.ColumnType_STRING, Description: "Specifies the HTTP method (GET, POST)."}, 36 | {Name: "follow_redirects", Type: proto.ColumnType_BOOL, Description: "If true, the requests will follow the redirects."}, 37 | {Name: "request_body", Type: proto.ColumnType_STRING, Description: "The request's body."}, 38 | {Name: "request_headers", Type: proto.ColumnType_JSON, Transform: transform.FromQual("request_headers"), Description: "A map of headers passed in the request."}, 39 | {Name: "response_status_code", Type: proto.ColumnType_INT, Description: "HTTP status code is a server response to a browser's request."}, 40 | {Name: "response_body", Type: proto.ColumnType_STRING, Description: "Represents the response body."}, 41 | {Name: "response_error", Type: proto.ColumnType_STRING, Description: "Represents an error or failure, either from a non-successful HTTP status, an error while executing the request, or some other failure which occurred during the parsing of the response.", Transform: transform.FromField("Error")}, 42 | {Name: "response_headers", Type: proto.ColumnType_JSON, Description: "A map of response headers used by web applications to configure security defenses in web browsers."}, 43 | }, 44 | } 45 | } 46 | 47 | func listBaseRequestAttributes(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 48 | logger := plugin.Logger(ctx) 49 | 50 | var methods []string 51 | var requestBody string 52 | headers := make(map[string]interface{}) 53 | 54 | queryCols := d.EqualsQuals 55 | 56 | urls := getQuals(queryCols["url"]) 57 | logger.Debug("listBaseRequestAttributes", "urls", urls) 58 | logger.Debug("listBaseRequestAttributes", "query cols", queryCols) 59 | if queryCols["method"] != nil { 60 | methods = getQuals(queryCols["method"]) 61 | } else { 62 | methods = []string{"GET"} 63 | } 64 | 65 | requestHeadersString := queryCols["request_headers"].GetJsonbValue() 66 | logger.Debug("listBaseRequestAttributes", "request headers", requestHeadersString) 67 | 68 | if requestHeadersString != "" { 69 | err := json.Unmarshal([]byte(requestHeadersString), &headers) 70 | if err != nil { 71 | plugin.Logger(ctx).Error("net_http_request.listBaseRequestAttributes", "unmarshal_error", err) 72 | return nil, fmt.Errorf("failed to unmarshal request headers: %v", err) 73 | } 74 | } 75 | 76 | for k, v := range headers { 77 | logger.Debug("listBaseRequestAttributes", "header", k, v) 78 | } 79 | 80 | if requestBodyData, present := getAuthHeaderQuals(queryCols["request_body"]); present { 81 | requestBody = requestBodyData 82 | } 83 | 84 | logger.Debug("listBaseRequestAttributes", "urls", urls) 85 | logger.Debug("listBaseRequestAttributes", "methods", methods) 86 | logger.Debug("listBaseRequestAttributes", "headers", headers) 87 | 88 | for _, url := range urls { 89 | d.StreamListItem(ctx, baseRequestAttributes{url, methods, requestBody, headers}) 90 | } 91 | 92 | return nil, nil 93 | } 94 | 95 | func listRequestResponses(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 96 | logger := plugin.Logger(ctx) 97 | baseRequestAttribute := h.Item.(baseRequestAttributes) 98 | 99 | logger.Debug("listRequestResponses", "attributes", baseRequestAttribute) 100 | 101 | url := baseRequestAttribute.Url 102 | methods := baseRequestAttribute.Methods 103 | headers := baseRequestAttribute.Headers 104 | requestBody := baseRequestAttribute.RequestBody 105 | client := &http.Client{} 106 | 107 | // Set true to follow the redirects 108 | // Default set to true 109 | // If passed using follow_redirects, override the default 110 | followRedirects := true 111 | if d.Quals["follow_redirects"] != nil { 112 | for _, q := range d.Quals["follow_redirects"].Quals { 113 | switch q.Operator { 114 | case "<>": 115 | followRedirects = false 116 | case "=": 117 | followRedirects = true 118 | } 119 | } 120 | } 121 | 122 | if !followRedirects { 123 | client.CheckRedirect = func(req *http.Request, via []*http.Request) error { 124 | return http.ErrUseLastResponse 125 | } 126 | } 127 | 128 | // Execute the request for each type of method per url 129 | for _, method := range methods { 130 | var req *http.Request 131 | var res *http.Response 132 | var err error 133 | var requestErr error 134 | 135 | switch method { 136 | case "GET": 137 | req, err = http.NewRequest("GET", url, nil) 138 | if err != nil { 139 | logger.Error("listRequestResponses", "url", url, "New GET Request error", err) 140 | return nil, err 141 | } 142 | case "POST": 143 | requestBodyReader := strings.NewReader(requestBody) 144 | req, err = http.NewRequest("POST", url, requestBodyReader) 145 | if err != nil { 146 | logger.Error("listRequestResponses", "url", url, "New Post Request error", err) 147 | return nil, err 148 | } 149 | default: 150 | logger.Warn("listRequestResponses", "unsupported method", method) 151 | continue 152 | } 153 | 154 | req = addRequestHeaders(req, headers) 155 | logger.Debug("listRequestResponses", "request", req) 156 | 157 | item := tableNetWebRequestRow{ 158 | Url: url, 159 | Method: method, 160 | RequestBody: requestBody, 161 | FollowRedirects: followRedirects, 162 | } 163 | 164 | // Make request 165 | res, requestErr = client.Do(req) 166 | if requestErr != nil { 167 | logger.Error("listRequestResponses do request error", "url", url, "request method", req.Method, "error", requestErr.Error()) 168 | item.Error = requestErr.Error() 169 | } 170 | 171 | if requestErr == nil { 172 | // Read response 173 | buf := new(bytes.Buffer) 174 | _, err = buf.ReadFrom(res.Body) 175 | if err != nil { 176 | logger.Error("listRequestResponses buffer reading error", "url", url, "request method", req.Method, "error", err) 177 | return nil, err 178 | } 179 | 180 | // Close response reading 181 | res.Body.Close() 182 | body := removeInvalidUTF8Char(buf.String()) 183 | 184 | item.ResponseStatusCode = res.StatusCode 185 | item.ResponseHeaders = res.Header 186 | item.ResponseBody = body 187 | } 188 | 189 | // Generate table row item 190 | d.StreamListItem(ctx, item) 191 | } 192 | 193 | return nil, nil 194 | } 195 | -------------------------------------------------------------------------------- /net/table_net_tls_connection.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import ( 4 | "context" 5 | "crypto/rand" 6 | "crypto/tls" 7 | "fmt" 8 | "net" 9 | "sync" 10 | 11 | "github.com/turbot/steampipe-plugin-net/constants" 12 | "github.com/turbot/steampipe-plugin-sdk/v5/grpc/proto" 13 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 14 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin/transform" 15 | ) 16 | 17 | //// TABLE DEFINITION 18 | 19 | func tableNetTLSConnection(ctx context.Context) *plugin.Table { 20 | return &plugin.Table{ 21 | Name: "net_tls_connection", 22 | Description: "Check server TLS connectivity to an address.", 23 | List: &plugin.ListConfig{ 24 | Hydrate: tableNetTLSConnectionList, 25 | KeyColumns: plugin.KeyColumnSlice{ 26 | {Name: "address", Require: plugin.Required, Operators: []string{"="}}, 27 | {Name: "version", Require: plugin.Optional, Operators: []string{"="}}, 28 | {Name: "cipher_suite_name", Require: plugin.Optional, Operators: []string{"="}}, 29 | }, 30 | }, 31 | Columns: []*plugin.Column{ 32 | {Name: "address", Type: proto.ColumnType_STRING, Description: "Address to connect to, as specified in https://golang.org/pkg/net/#Dial.", Transform: transform.FromQual("address")}, 33 | {Name: "server_name", Type: proto.ColumnType_STRING, Description: "The server name indication extension sent by the client."}, 34 | {Name: "version", Type: proto.ColumnType_STRING, Description: "The TLS version used by the connection."}, 35 | {Name: "cipher_suite_name", Type: proto.ColumnType_STRING, Description: "The cipher suite negotiated for the connection."}, 36 | {Name: "cipher_suite_id", Type: proto.ColumnType_STRING, Description: "The ID of the cipher suite."}, 37 | {Name: "handshake_completed", Type: proto.ColumnType_BOOL, Description: "True if the handshake was successful."}, 38 | {Name: "error", Type: proto.ColumnType_STRING, Description: "Error message if the connection failed."}, 39 | {Name: "fallback_scsv_supported", Type: proto.ColumnType_BOOL, Description: "True if the TLS fallback SCSV is enabled to prevent protocol downgrade attacks.", Hydrate: checkFallbackSCSVSupport, Transform: transform.FromValue()}, 40 | {Name: "alpn_supported", Type: proto.ColumnType_BOOL, Description: "True if the ALPN is supported.", Hydrate: checkAPLNSupport, Transform: transform.FromValue()}, 41 | {Name: "local_address", Type: proto.ColumnType_STRING, Description: "Local address (ip:port) for the successful connection."}, 42 | {Name: "remote_address", Type: proto.ColumnType_STRING, Description: "Remote address (ip:port) for the successful connection."}, 43 | }, 44 | } 45 | } 46 | 47 | type tlsConnectionRow struct { 48 | Version string `json:"version"` 49 | CipherSuiteName string `json:"cipher_suite_name"` 50 | CipherSuiteID string `json:"cipher_suite_id"` 51 | ServerName string `json:"server_name"` 52 | HandshakeCompleted bool `json:"handshake_completed"` 53 | Error string `json:"error"` 54 | LocalAddress string `json:"local_address"` 55 | RemoteAddress string `json:"remote_address"` 56 | } 57 | 58 | //// LIST FUNCTION 59 | 60 | func tableNetTLSConnectionList(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 61 | plugin.Logger(ctx).Trace("tableNetTLSConnectionList") 62 | 63 | // You must pass 1 or more domain quals to the query 64 | quals := d.EqualsQuals 65 | address := d.EqualsQualString("address") 66 | 67 | // By default, consider all available protocols and ciphers 68 | var ciphers []string 69 | for _, c := range cipherSuites() { 70 | ciphers = append(ciphers, c.Name) 71 | } 72 | protocols := []string{"TLS v1.3", "TLS v1.2", "TLS v1.1", "TLS v1.0"} 73 | 74 | // Check for additional quals 75 | if d.EqualsQuals["version"] != nil { 76 | protocols = getQualListValues(ctx, quals, "version") 77 | } 78 | if d.EqualsQuals["cipher_suite_name"] != nil { 79 | ciphers = getQualListValues(ctx, quals, "cipher_suite_name") 80 | } 81 | 82 | var wg sync.WaitGroup 83 | for _, protocol := range protocols { 84 | for _, cipher := range ciphers { 85 | wg.Add(1) 86 | go func(p string, c string) { 87 | row := getTLSConnectionRowData(ctx, address, p, c) 88 | d.StreamListItem(ctx, row) 89 | 90 | wg.Done() 91 | }(protocol, cipher) 92 | } 93 | } 94 | wg.Wait() 95 | 96 | return nil, nil 97 | } 98 | 99 | func getTLSConnectionRowData(ctx context.Context, address string, protocol string, cipher string) tlsConnectionRow { 100 | r := tlsConnectionRow{ 101 | Version: protocol, 102 | CipherSuiteName: cipher, 103 | CipherSuiteID: fmt.Sprintf("0x%04x", constants.CipherSuites[cipher]), 104 | } 105 | 106 | if cipherSuiteIsSupported(protocol, cipher) { 107 | conn, err := getTLSConnection(ctx, address, protocol, cipher) 108 | if err == nil && conn != nil { 109 | // Fetch the negotiated cipher suite from the connection state 110 | state := conn.ConnectionState() 111 | negotiatedCipherID := state.CipherSuite 112 | negotiatedCipherName := tls.CipherSuiteName(negotiatedCipherID) // Get the name of the cipher suite 113 | 114 | // Update the row with the negotiated cipher suite 115 | r.CipherSuiteName = negotiatedCipherName 116 | r.CipherSuiteID = fmt.Sprintf("0x%04x", negotiatedCipherID) 117 | 118 | r.ServerName = state.ServerName 119 | r.HandshakeCompleted = state.HandshakeComplete 120 | r.LocalAddress = conn.LocalAddr().String() 121 | r.RemoteAddress = conn.RemoteAddr().String() 122 | } else { 123 | r.Error = err.Error() 124 | } 125 | } else { 126 | r.Error = "unsupported protocol-cipher combination" 127 | } 128 | 129 | return r 130 | } 131 | 132 | // Initiate a TLS handshake and return TLS connection 133 | func getTLSConnection(ctx context.Context, address string, protocol string, cipher string) (*tls.Conn, error) { 134 | cfg := tls.Config{ 135 | Rand: rand.Reader, 136 | InsecureSkipVerify: true, 137 | } 138 | 139 | // Set protocol versions 140 | if protocol != "" { 141 | if _, ok := constants.TLSVersions[protocol]; !ok { 142 | return nil, fmt.Errorf("%s is not a valid protocol version. Possible values are: TLS v1.0, TLS v1.1, TLS v1.2, and TLS v1.3", protocol) 143 | } 144 | cfg.MaxVersion = constants.TLSVersions[protocol] 145 | cfg.MinVersion = constants.TLSVersions[protocol] 146 | } 147 | 148 | // Set cipher suites 149 | if cipher != "" { 150 | if _, ok := constants.CipherSuites[cipher]; !ok { 151 | return nil, fmt.Errorf("%s is not a valid cipher suite", cipher) 152 | } 153 | cfg.CipherSuites = []uint16{constants.CipherSuites[cipher]} 154 | } 155 | 156 | // Dial the TLS connection 157 | conn, err := tls.DialWithDialer(&net.Dialer{}, "tcp", address, &cfg) 158 | if err != nil { 159 | plugin.Logger(ctx).Error("net_tls_connection.getTLSConnection", "TLS connection failed: ", err) 160 | return nil, err 161 | } 162 | 163 | return conn, nil 164 | } 165 | 166 | // Check if TLS Fallback Signaling Cipher Suite Value supported 167 | func checkFallbackSCSVSupport(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 168 | data := h.Item.(tlsConnectionRow) 169 | 170 | // Return nil, if connection is failed 171 | if data.Error != "" { 172 | return nil, nil 173 | } 174 | 175 | cfg := tls.Config{ 176 | Rand: rand.Reader, 177 | InsecureSkipVerify: true, 178 | CipherSuites: []uint16{constants.CipherSuites["TLS_FALLBACK_SCSV"]}, 179 | } 180 | 181 | addr := d.EqualsQualString("address") 182 | 183 | conn, err := tls.DialWithDialer(&net.Dialer{}, "tcp", addr, &cfg) 184 | if err != nil { 185 | plugin.Logger(ctx).Error("net_tls_connection.checkFallbackSCSVSupport", "check_fallback_scsv_support", err) 186 | return false, nil 187 | } 188 | 189 | if conn == nil { 190 | return false, nil 191 | } 192 | 193 | return true, nil 194 | } 195 | 196 | // Check if Application-Layer Protocol Negotiation (ALPN) supported 197 | func checkAPLNSupport(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 198 | data := h.Item.(tlsConnectionRow) 199 | 200 | // Return nil, if connection is failed 201 | if data.Error != "" { 202 | return nil, nil 203 | } 204 | 205 | cfg := tls.Config{ 206 | Rand: rand.Reader, 207 | InsecureSkipVerify: true, 208 | NextProtos: []string{"http/0.9", "http/1.0", "http/1.1", "spdy/1", "spdy/2", "spdy/3", "stun.turn", "stun.nat-discovery", "h2", "h2c", "webrtc", "c-webrtc", "ftp", "imap", "pop3", "managesieve", "coap", "xmpp-client", "xmpp-server", "acme-tls/1", "mqtt", "dot", "ntske/1", "sunrpc", "h3", "smb", "irc", "nntp", "nnsp", "doq"}, // A list of all available TLS ALPN protocol. Please refer: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids 209 | } 210 | 211 | addr := d.EqualsQualString("address") 212 | 213 | conn, err := tls.DialWithDialer(&net.Dialer{}, "tcp", addr, &cfg) 214 | if err != nil { 215 | plugin.Logger(ctx).Error("net_tls_connection.checkAPLNSupport", "check_tls_alpn_support", err) 216 | return nil, err 217 | } 218 | 219 | if conn.ConnectionState().HandshakeComplete && conn.ConnectionState().NegotiatedProtocol != "" { 220 | return true, nil 221 | } 222 | 223 | return nil, nil 224 | } 225 | -------------------------------------------------------------------------------- /net/table_net_dns_record.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | "net" 7 | "strings" 8 | 9 | "github.com/miekg/dns" 10 | 11 | "github.com/turbot/steampipe-plugin-sdk/v5/grpc/proto" 12 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 13 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin/transform" 14 | ) 15 | 16 | func tableNetDNSRecord(ctx context.Context) *plugin.Table { 17 | return &plugin.Table{ 18 | Name: "net_dns_record", 19 | Description: "DNS records associated with a given domain.", 20 | List: &plugin.ListConfig{ 21 | Hydrate: tableDNSRecordList, 22 | KeyColumns: plugin.KeyColumnSlice{ 23 | {Name: "domain", Require: plugin.Required, Operators: []string{"="}}, 24 | {Name: "type", Require: plugin.Optional, Operators: []string{"="}}, 25 | {Name: "dns_server", Require: plugin.Optional, Operators: []string{"="}, CacheMatch: "exact"}, 26 | }, 27 | }, 28 | Columns: []*plugin.Column{ 29 | {Name: "domain", Type: proto.ColumnType_STRING, Description: "Domain name for the record."}, 30 | {Name: "type", Type: proto.ColumnType_STRING, Description: "Type of the DNS record: A, CNAME, MX, etc."}, 31 | {Name: "dns_server", Type: proto.ColumnType_STRING, Description: "DNS server name and port used for queries.", Transform: transform.FromQual("dns_server")}, 32 | {Name: "ip", Transform: transform.FromField("IP"), Type: proto.ColumnType_IPADDR, Description: "IP address for the record, such as for A records."}, 33 | {Name: "target", Type: proto.ColumnType_STRING, Description: "Target of the record, such as the target address for CNAME records."}, 34 | {Name: "priority", Type: proto.ColumnType_INT, Description: "Priority of the record, such as for MX records."}, 35 | {Name: "tag", Type: proto.ColumnType_STRING, Description: "An ASCII string that represents the identifier of the property represented by the record, such as for CAA records."}, 36 | {Name: "value", Type: proto.ColumnType_STRING, Description: "Value of the record, such as the text of a TXT record."}, 37 | {Name: "ttl", Transform: transform.FromField("TTL"), Type: proto.ColumnType_INT, Description: "Time To Live in seconds for the record in DNS cache."}, 38 | {Name: "serial", Type: proto.ColumnType_INT, Description: "Specifies the SOA serial number."}, 39 | {Name: "minimum", Type: proto.ColumnType_INT, Description: "Specifies the SOA minimum value in seconds, which indicates how long negative answers are stored in the DNS cache."}, 40 | {Name: "refresh", Type: proto.ColumnType_INT, Description: "Specifies the SOA refresh interval in seconds, which configures how often a name server should check its primary server to see if there has been any updates to the zone which it does by comparing Serial numbers."}, 41 | {Name: "retry", Type: proto.ColumnType_INT, Description: "Specifies SOA retry value in seconds, which indicates how long a name server should wait to retry an attempt to get fresh zone data from the primary name server if the first attempt should fail."}, 42 | {Name: "expire", Type: proto.ColumnType_INT, Description: "Specifies SOA expire value in seconds, which indicates when the zone data is no longer authoritative."}, 43 | }, 44 | } 45 | } 46 | 47 | type tableDNSRecordRow struct { 48 | Domain string 49 | Type string 50 | DNSServer string 51 | IP string 52 | Target string 53 | TTL uint32 54 | Priority uint16 55 | Tag string 56 | Value string 57 | Serial uint32 58 | Minimum uint32 59 | Refresh uint32 60 | Retry uint32 61 | Expire uint32 62 | } 63 | 64 | func getTypeQuals(typeQualsWrapper *proto.Quals) []string { 65 | if typeQualsWrapper == nil { 66 | var allTypes []string 67 | return append(allTypes, "A", "AAAA", "CAA", "CERT", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT") 68 | } 69 | var types []string 70 | typeQuals := typeQualsWrapper.Quals[0].Value 71 | if qualList := typeQuals.GetListValue(); qualList != nil { 72 | for _, q := range qualList.Values { 73 | types = append(types, q.GetStringValue()) 74 | } 75 | } else { 76 | types = append(types, typeQuals.GetStringValue()) 77 | } 78 | return types 79 | } 80 | 81 | func dnsTypeToDNSLibTypeEnum(recordType string) (uint16, error) { 82 | switch recordType { 83 | case "A": 84 | return dns.TypeA, nil 85 | case "AAAA": 86 | return dns.TypeAAAA, nil 87 | case "CAA": 88 | return dns.TypeCAA, nil 89 | case "CERT": 90 | return dns.TypeCERT, nil 91 | case "CNAME": 92 | return dns.TypeCNAME, nil 93 | case "MX": 94 | return dns.TypeMX, nil 95 | case "NS": 96 | return dns.TypeNS, nil 97 | case "PTR": 98 | return dns.TypePTR, nil 99 | case "SOA": 100 | return dns.TypeSOA, nil 101 | case "SRV": 102 | return dns.TypeSRV, nil 103 | case "TXT": 104 | return dns.TypeTXT, nil 105 | } 106 | return dns.TypeANY, fmt.Errorf("Unsupported DNS record type: %s", recordType) 107 | } 108 | 109 | func getRecords(domain string, dnsType string, answer dns.RR) []tableDNSRecordRow { 110 | var records []tableDNSRecordRow 111 | switch typedRecord := answer.(type) { 112 | case *dns.A: 113 | records = append(records, tableDNSRecordRow{ 114 | Domain: domain, 115 | Type: dnsType, 116 | IP: typedRecord.A.String(), 117 | TTL: typedRecord.Hdr.Ttl, 118 | }) 119 | case *dns.AAAA: 120 | records = append(records, tableDNSRecordRow{ 121 | Domain: domain, 122 | Type: dnsType, 123 | IP: typedRecord.AAAA.String(), 124 | TTL: typedRecord.Hdr.Ttl, 125 | }) 126 | case *dns.CAA: 127 | records = append(records, tableDNSRecordRow{ 128 | Domain: domain, 129 | Type: dnsType, 130 | TTL: typedRecord.Hdr.Ttl, 131 | Tag: typedRecord.Tag, 132 | Value: typedRecord.Value, 133 | }) 134 | case *dns.CERT: 135 | records = append(records, tableDNSRecordRow{ 136 | Domain: domain, 137 | Type: dnsType, 138 | TTL: typedRecord.Hdr.Ttl, 139 | Value: typedRecord.String(), 140 | }) 141 | case *dns.CNAME: 142 | records = append(records, tableDNSRecordRow{ 143 | Domain: domain, 144 | Type: dnsType, 145 | Target: typedRecord.Target, 146 | TTL: typedRecord.Hdr.Ttl, 147 | }) 148 | case *dns.MX: 149 | records = append(records, tableDNSRecordRow{ 150 | Domain: domain, 151 | Type: dnsType, 152 | Priority: typedRecord.Preference, 153 | Target: typedRecord.Mx, 154 | TTL: typedRecord.Hdr.Ttl, 155 | }) 156 | case *dns.NS: 157 | records = append(records, tableDNSRecordRow{ 158 | Domain: domain, 159 | Type: dnsType, 160 | Target: typedRecord.Ns, 161 | TTL: typedRecord.Hdr.Ttl, 162 | }) 163 | case *dns.PTR: 164 | records = append(records, tableDNSRecordRow{ 165 | Domain: domain, 166 | Type: dnsType, 167 | Target: typedRecord.Ptr, 168 | TTL: typedRecord.Hdr.Ttl, 169 | }) 170 | case *dns.SOA: 171 | records = append(records, tableDNSRecordRow{ 172 | Domain: domain, 173 | Type: dnsType, 174 | Target: typedRecord.Ns, 175 | TTL: typedRecord.Hdr.Ttl, 176 | Serial: typedRecord.Serial, 177 | Minimum: typedRecord.Minttl, 178 | Refresh: typedRecord.Refresh, 179 | Retry: typedRecord.Retry, 180 | Expire: typedRecord.Expire, 181 | }) 182 | case *dns.SRV: 183 | records = append(records, tableDNSRecordRow{ 184 | Domain: domain, 185 | Type: dnsType, 186 | Priority: typedRecord.Priority, 187 | Target: typedRecord.Target, 188 | TTL: typedRecord.Hdr.Ttl, 189 | }) 190 | case *dns.TXT: 191 | for _, txt := range typedRecord.Txt { 192 | records = append(records, tableDNSRecordRow{ 193 | Domain: domain, 194 | Type: dnsType, 195 | TTL: typedRecord.Hdr.Ttl, 196 | Value: txt, 197 | }) 198 | } 199 | } 200 | return records 201 | } 202 | 203 | func tableDNSRecordList(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 204 | logger := plugin.Logger(ctx) 205 | 206 | queryCols := d.QueryContext.Columns 207 | 208 | // You must pass 1 or more domain quals to the query 209 | if d.EqualsQuals["domain"] == nil { 210 | logger.Trace("tableDNSRecordList", "No domain quals provided") 211 | return nil, nil 212 | } 213 | domain := d.EqualsQualString("domain") 214 | 215 | typeQualsWrapper := d.QueryContext.UnsafeQuals["type"] 216 | types := getTypeQuals(typeQualsWrapper) 217 | 218 | c := new(dns.Client) 219 | // Ensure a single request of the same question, type and class at a time. 220 | c.SingleInflight = true 221 | // Use our configuration for the timeout 222 | c.Timeout = GetConfigTimeout(ctx, d) 223 | 224 | var dnsServer string 225 | if d.EqualsQuals["dns_server"] != nil { 226 | dnsServer = d.EqualsQualString("dns_server") 227 | // Append port if not specified 228 | if !strings.HasSuffix(dnsServer, ":53") { 229 | dnsServer = net.JoinHostPort(dnsServer, "53") 230 | } 231 | } else { 232 | dnsServer = GetConfigDNSServerAndPort(ctx, d) 233 | } 234 | 235 | logger.Debug("tableDNSRecordList", "Cols", queryCols) 236 | logger.Debug("tableDNSRecordList", "Domain", domain) 237 | logger.Debug("tableDNSRecordList", "Types", types) 238 | logger.Debug("tableDNSRecordList", "DNS server", dnsServer) 239 | 240 | for _, dnsType := range types { 241 | dnsTypeEnumVal, err := dnsTypeToDNSLibTypeEnum(dnsType) 242 | if err != nil { 243 | logger.Error(err.Error()) 244 | continue 245 | } 246 | 247 | listRecordSet := func(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 248 | m := new(dns.Msg) 249 | m.SetQuestion(dns.Fqdn(domain), dnsTypeEnumVal) 250 | m.RecursionDesired = true 251 | 252 | co, err := c.Dial(dnsServer) 253 | if err != nil { 254 | return nil, fmt.Errorf("unable to connect to the address: %v", err) 255 | } 256 | 257 | r, _, err := c.ExchangeWithConn(m, co) 258 | if err != nil { 259 | return nil, err 260 | } 261 | if r.Rcode != dns.RcodeSuccess { 262 | return nil, err 263 | } 264 | 265 | logger.Debug("tableDNSRecordList", "Question", r.Question) 266 | logger.Debug("tableDNSRecordList", "Answer", r.Answer) 267 | logger.Debug("tableDNSRecordList", "Extra", r.Extra) 268 | logger.Debug("tableDNSRecordList", "NS", r.Ns) 269 | 270 | return r.Answer, nil 271 | } 272 | 273 | listRecordSetResponse, err := retryHydrate(ctx, d, h, listRecordSet) 274 | if err != nil { 275 | return nil, err 276 | } 277 | 278 | var listResponse []dns.RR 279 | if listRecordSetResponse != nil { 280 | listResponse = listRecordSetResponse.([]dns.RR) 281 | } 282 | 283 | for _, answer := range listResponse { 284 | for _, record := range getRecords(domain, dnsType, answer) { 285 | logger.Trace("tableDNSRecordList", "Record", record) 286 | d.StreamListItem(ctx, record) 287 | } 288 | } 289 | } 290 | 291 | return nil, nil 292 | } 293 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | ## v1.1.0 [2025-10-13] 2 | 3 | _Dependencies_ 4 | 5 | - Recompiled plugin with Go version `1.24`. ([#111](https://github.com/turbot/steampipe-plugin-net/pull/111)) 6 | - Recompiled plugin with [steampipe-plugin-sdk v5.13.1](https://github.com/turbot/steampipe-plugin-sdk/blob/develop/CHANGELOG.md#v5131-2025-09-25) that addresses critical and high vulnerabilities in dependent packages. ([#112](https://github.com/turbot/steampipe-plugin-net/pull/112)) 7 | 8 | ## v1.1.0 [2025-04-18] 9 | 10 | _Bug fixes_ 11 | 12 | - Fixed the `cipher_suite_name` and `cipher_suite_id` columns in `net_tls_connection` table to correctly rerturn the negotiated cipher suite instead of requested cipher suite value per [Automatic cipher suite ordering in crypto/tls](https://go.dev/blog/tls-cipher-suites). ([#92](https://github.com/turbot/steampipe-plugin-net/pull/92)) 13 | 14 | _Dependencies_ 15 | 16 | - Recompiled plugin with Go version `1.23.1`. ([#103](https://github.com/turbot/steampipe-plugin-net/pull/103)) 17 | - Recompiled plugin with [steampipe-plugin-sdk v5.11.5](https://github.com/turbot/steampipe-plugin-sdk/blob/v5.11.5/CHANGELOG.md#v5115-2025-03-31) that addresses critical and high vulnerabilities in dependent packages. ([#103](https://github.com/turbot/steampipe-plugin-net/pull/103)) 18 | 19 | ## v1.0.0 [2024-10-22] 20 | 21 | There are no significant changes in this plugin version; it has been released to align with [Steampipe's v1.0.0](https://steampipe.io/changelog/steampipe-cli-v1-0-0) release. This plugin adheres to [semantic versioning](https://semver.org/#semantic-versioning-specification-semver), ensuring backward compatibility within each major version. 22 | 23 | _Dependencies_ 24 | 25 | - Recompiled plugin with Go version `1.22`. ([#90](https://github.com/turbot/steampipe-plugin-net/pull/90)) 26 | - Recompiled plugin with [steampipe-plugin-sdk v5.10.4](https://github.com/turbot/steampipe-plugin-sdk/blob/develop/CHANGELOG.md#v5104-2024-08-29) that fixes logging in the plugin export tool. ([#90](https://github.com/turbot/steampipe-plugin-net/pull/90)) 27 | 28 | ## v0.12.0 [2023-12-12] 29 | 30 | _What's new?_ 31 | 32 | - The plugin can now be downloaded and used with the [Steampipe CLI](https://steampipe.io/docs), as a [Postgres FDW](https://steampipe.io/docs/steampipe_postgres/overview), as a [SQLite extension](https://steampipe.io/docs//steampipe_sqlite/overview) and as a standalone [exporter](https://steampipe.io/docs/steampipe_export/overview). ([#85](https://github.com/turbot/steampipe-plugin-net/pull/85)) 33 | - The table docs have been updated to provide corresponding example queries for Postgres FDW and SQLite extension. ([#85](https://github.com/turbot/steampipe-plugin-net/pull/85)) 34 | - Docs license updated to match Steampipe [CC BY-NC-ND license](https://github.com/turbot/steampipe-plugin-net/blob/main/docs/LICENSE). ([#85](https://github.com/turbot/steampipe-plugin-net/pull/85)) 35 | 36 | _Dependencies_ 37 | 38 | - Recompiled plugin with [steampipe-plugin-sdk v5.8.0](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v580-2023-12-11) that includes plugin server encapsulation for in-process and GRPC usage, adding Steampipe Plugin SDK version to `_ctx` column, and fixing connection and potential divide-by-zero bugs. ([#84](https://github.com/turbot/steampipe-plugin-net/pull/84)) 39 | 40 | ## v0.11.1 [2023-10-04] 41 | 42 | _Dependencies_ 43 | 44 | - Recompiled plugin with [steampipe-plugin-sdk v5.6.2](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v562-2023-10-03) which prevents nil pointer reference errors for implicit hydrate configs. ([#73](https://github.com/turbot/steampipe-plugin-net/pull/73)) 45 | 46 | ## v0.11.0 [2023-10-02] 47 | 48 | _Dependencies_ 49 | 50 | - Upgraded to [steampipe-plugin-sdk v5.6.1](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v561-2023-09-29) with support for rate limiters. ([#70](https://github.com/turbot/steampipe-plugin-net/pull/70)) 51 | - Recompiled plugin with Go version `1.21`. ([#70](https://github.com/turbot/steampipe-plugin-net/pull/70)) 52 | 53 | ## v0.10.0 [2023-09-12] 54 | 55 | _Deprecations_ 56 | 57 | - Deprecated `domain` column in `net_certificate` table, which has been replaced by the `address` column. Please note that the `address` column requires a port, e.g., `github.com:443`. This column will be removed in a future version. ([#50](https://github.com/turbot/steampipe-plugin-net/pull/50)) 58 | 59 | _What's new?_ 60 | 61 | - Added `address` column to the `net_certificate` table to allow specifying a port with the domain name. ([#50](https://github.com/turbot/steampipe-plugin-net/pull/50)) 62 | 63 | ## v0.9.0 [2023-04-10] 64 | 65 | _Dependencies_ 66 | 67 | - Recompiled plugin with [steampipe-plugin-sdk v5.3.0](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v530-2023-03-16) which includes fixes for query cache pending item mechanism and aggregator connections not working for dynamic tables. ([#58](https://github.com/turbot/steampipe-plugin-net/pull/58)) 68 | 69 | ## v0.8.1 [2022-12-27] 70 | 71 | _Bug fixes_ 72 | 73 | - Fixed the example query in `docs/index.md` to correctly check the expiry date of certificates associated with websites. ([#53](https://github.com/turbot/steampipe-plugin-net/pull/53)) (Thanks [@pdecat](https://github.com/pdecat) for the contribution!) 74 | - Fixed the typo in the example query of `net_connection` table document. ([#54](https://github.com/turbot/steampipe-plugin-net/pull/54)) (Thanks [@muescha](https://github.com/muescha) for the contribution!) 75 | 76 | _Dependencies_ 77 | 78 | - Recompiled plugin with [steampipe-plugin-sdk v4.1.8](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v418-2022-09-08) which increases the default open file limit. ([#52](https://github.com/turbot/steampipe-plugin-net/pull/52)) 79 | 80 | ## v0.8.0 [2022-09-28] 81 | 82 | _Bug fixes_ 83 | 84 | - Fixed the `net_certificate` table to return `null` instead of an error when the queried host doesn't exist in a DNS. ([#49](https://github.com/turbot/steampipe-plugin-net/pull/49)) (Thanks [@bdd4329](https://github.com/bdd4329) for the contribution!) 85 | 86 | _Dependencies_ 87 | 88 | - Recompiled plugin with [steampipe-plugin-sdk v4.1.7](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v417-2022-09-08) which includes several caching and memory management improvements. ([#46](https://github.com/turbot/steampipe-plugin-net/pull/46)) 89 | - Recompiled plugin with Go version `1.19`. ([#46](https://github.com/turbot/steampipe-plugin-net/pull/46)) 90 | 91 | ## v0.7.0 [2022-08-17] 92 | 93 | _Bug fixes_ 94 | 95 | - Fixed the `net_certificate` table to return an empty row instead of an error if the domain does not have an SSL certificate. ([#42](https://github.com/turbot/steampipe-plugin-net/pull/42)) 96 | 97 | _Dependencies_ 98 | 99 | - Recompiled plugin with [steampipe-plugin-sdk v3.3.2](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v332--2022-07-11) which includes several caching fixes. ([#39](https://github.com/turbot/steampipe-plugin-net/pull/39)) 100 | 101 | ## v0.6.0 [2022-06-30] 102 | 103 | _Enhancements_ 104 | 105 | - Improved the backoff/retry mechanism in the `net_dns_record` table to return results faster and more reliably. ([#32](https://github.com/turbot/steampipe-plugin-net/pull/32)) 106 | - Recompiled plugin with [miekg/dns v1.1.50](https://github.com/miekg/dns/releases/tag/v1.1.50). ([#32](https://github.com/turbot/steampipe-plugin-net/pull/32)) 107 | 108 | ## v0.5.0 [2022-06-24] 109 | 110 | _What's new?_ 111 | 112 | - New tables added: 113 | - [net_http_request](https://hub.steampipe.io/plugins/turbot/net/tables/net_http_request) ([#38](https://github.com/turbot/steampipe-plugin-net/pull/38)) 114 | 115 | _Enhancements_ 116 | 117 | - Updated the `net_certificate` table to return an error for any non-200 response status codes. ([#37](https://github.com/turbot/steampipe-plugin-net/pull/37)) 118 | - Recompiled plugin with [steampipe-plugin-sdk v3.3.0](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v330--2022-6-22). ([#38](https://github.com/turbot/steampipe-plugin-net/pull/38)) 119 | 120 | ## v0.4.0 [2022-06-09] 121 | 122 | _What's new?_ 123 | 124 | - New tables added: 125 | - [net_tls_connection](https://hub.steampipe.io/plugins/turbot/net/tables/net_tls_connection) ([#35](https://github.com/turbot/steampipe-plugin-net/pull/35)) 126 | 127 | _Enhancements_ 128 | 129 | - Added `tag` column to `net_dns_record` table. ([#33](https://github.com/turbot/steampipe-plugin-net/pull/33)) 130 | - Added `crl_distribution_points`, `issuer_name`, `ocsp`, `ocsp_servers`, `public_key_length`, `revoked`, and `transparent` columns to `net_certificate` table. ([#33](https://github.com/turbot/steampipe-plugin-net/pull/33)) 131 | 132 | ## v0.3.0 [2022-04-28] 133 | 134 | _Enhancements_ 135 | 136 | - Added columns `dns_server`, `expire`, `minimum`, `refresh`, `retry`, `serial` to `net_dns_record` table. ([#28](https://github.com/turbot/steampipe-plugin-net/pull/28)) 137 | - Updated `net_dns_record` table to use Google's global public DNS instead of Cloudflare's for faster results. ([#28](https://github.com/turbot/steampipe-plugin-net/pull/28)) 138 | - Recompiled plugin with miekg/dns v1.1.47. ([#28](https://github.com/turbot/steampipe-plugin-net/pull/28)) 139 | 140 | _Bug fixes_ 141 | 142 | - Fixed `net_dns_record` table not returning correct results for consecutive queries when using the `type` list key column. ([#28](https://github.com/turbot/steampipe-plugin-net/pull/28)) 143 | 144 | ## v0.2.0 [2022-04-27] 145 | 146 | _Enhancements_ 147 | 148 | - Added support for native Linux ARM and Mac M1 builds. ([#29](https://github.com/turbot/steampipe-plugin-net/pull/29)) 149 | - Recompiled plugin with [steampipe-plugin-sdk v3.1.0](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v310--2022-03-30) and Go version `1.18`. ([#27](https://github.com/turbot/steampipe-plugin-net/pull/27)) 150 | 151 | ## v0.1.1 [2022-01-12] 152 | 153 | _Enhancements_ 154 | 155 | - Updated the Slack channel links in the `docs/index.md` and the `README.md` files ([#18](https://github.com/turbot/steampipe-plugin-net/pull/18)) 156 | - Recompiled plugin with [steampipe-plugin-sdk v1.8.3](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v183--2021-12-23) ([#19](https://github.com/turbot/steampipe-plugin-net/pull/19)) 157 | 158 | ## v0.1.0 [2021-12-21] 159 | 160 | _Enhancements_ 161 | 162 | - The `protocol` column of `net_connection` is now optional and it defaults to `tcp` 163 | 164 | ## v0.0.2 [2021-11-23] 165 | 166 | _What's new?_ 167 | 168 | _Enhancements_ 169 | 170 | - Recompiled plugin with go version 1.17 ([#13](https://github.com/turbot/steampipe-plugin-net/pull/13)) 171 | - Recompiled plugin with [steampipe-plugin-sdk v1.8.2](https://github.com/turbot/steampipe-plugin-sdk/blob/main/CHANGELOG.md#v182--2021-11-22) ([#12](https://github.com/turbot/steampipe-plugin-net/pull/12)) 172 | 173 | _Bug fixes_ 174 | 175 | - Fixed: SQL in first example of net_connection docs 176 | 177 | ## v0.0.1 [2021-04-28] 178 | 179 | _What's new?_ 180 | 181 | - New tables added 182 | - [net_certificate](https://hub.steampipe.io/plugins/turbot/net/tables/net_certificate) 183 | - [net_connection](https://hub.steampipe.io/plugins/turbot/net/tables/net_connection) 184 | - [net_dns_record](https://hub.steampipe.io/plugins/turbot/net/tables/net_dns_record) 185 | - [net_dns_reverse](https://hub.steampipe.io/plugins/turbot/net/tables/net_dns_reverse) 186 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [2022] [Turbot] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /docs/LICENSE: -------------------------------------------------------------------------------- 1 | Attribution-NonCommercial-NoDerivatives 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 58 | International Public License 59 | 60 | By exercising the Licensed Rights (defined below), You accept and agree 61 | to be bound by the terms and conditions of this Creative Commons 62 | Attribution-NonCommercial-NoDerivatives 4.0 International Public 63 | License ("Public License"). To the extent this Public License may be 64 | interpreted as a contract, You are granted the Licensed Rights in 65 | consideration of Your acceptance of these terms and conditions, and the 66 | Licensor grants You such rights in consideration of benefits the 67 | Licensor receives from making the Licensed Material available under 68 | these terms and conditions. 69 | 70 | 71 | Section 1 -- Definitions. 72 | 73 | a. Adapted Material means material subject to Copyright and Similar 74 | Rights that is derived from or based upon the Licensed Material 75 | and in which the Licensed Material is translated, altered, 76 | arranged, transformed, or otherwise modified in a manner requiring 77 | permission under the Copyright and Similar Rights held by the 78 | Licensor. For purposes of this Public License, where the Licensed 79 | Material is a musical work, performance, or sound recording, 80 | Adapted Material is always produced where the Licensed Material is 81 | synched in timed relation with a moving image. 82 | 83 | b. Copyright and Similar Rights means copyright and/or similar rights 84 | closely related to copyright including, without limitation, 85 | performance, broadcast, sound recording, and Sui Generis Database 86 | Rights, without regard to how the rights are labeled or 87 | categorized. For purposes of this Public License, the rights 88 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 89 | Rights. 90 | 91 | c. Effective Technological Measures means those measures that, in the 92 | absence of proper authority, may not be circumvented under laws 93 | fulfilling obligations under Article 11 of the WIPO Copyright 94 | Treaty adopted on December 20, 1996, and/or similar international 95 | agreements. 96 | 97 | d. Exceptions and Limitations means fair use, fair dealing, and/or 98 | any other exception or limitation to Copyright and Similar Rights 99 | that applies to Your use of the Licensed Material. 100 | 101 | e. Licensed Material means the artistic or literary work, database, 102 | or other material to which the Licensor applied this Public 103 | License. 104 | 105 | f. Licensed Rights means the rights granted to You subject to the 106 | terms and conditions of this Public License, which are limited to 107 | all Copyright and Similar Rights that apply to Your use of the 108 | Licensed Material and that the Licensor has authority to license. 109 | 110 | g. Licensor means the individual(s) or entity(ies) granting rights 111 | under this Public License. 112 | 113 | h. NonCommercial means not primarily intended for or directed towards 114 | commercial advantage or monetary compensation. For purposes of 115 | this Public License, the exchange of the Licensed Material for 116 | other material subject to Copyright and Similar Rights by digital 117 | file-sharing or similar means is NonCommercial provided there is 118 | no payment of monetary compensation in connection with the 119 | exchange. 120 | 121 | i. Share means to provide material to the public by any means or 122 | process that requires permission under the Licensed Rights, such 123 | as reproduction, public display, public performance, distribution, 124 | dissemination, communication, or importation, and to make material 125 | available to the public including in ways that members of the 126 | public may access the material from a place and at a time 127 | individually chosen by them. 128 | 129 | j. Sui Generis Database Rights means rights other than copyright 130 | resulting from Directive 96/9/EC of the European Parliament and of 131 | the Council of 11 March 1996 on the legal protection of databases, 132 | as amended and/or succeeded, as well as other essentially 133 | equivalent rights anywhere in the world. 134 | 135 | k. You means the individual or entity exercising the Licensed Rights 136 | under this Public License. Your has a corresponding meaning. 137 | 138 | 139 | Section 2 -- Scope. 140 | 141 | a. License grant. 142 | 143 | 1. Subject to the terms and conditions of this Public License, 144 | the Licensor hereby grants You a worldwide, royalty-free, 145 | non-sublicensable, non-exclusive, irrevocable license to 146 | exercise the Licensed Rights in the Licensed Material to: 147 | 148 | a. reproduce and Share the Licensed Material, in whole or 149 | in part, for NonCommercial purposes only; and 150 | 151 | b. produce and reproduce, but not Share, Adapted Material 152 | for NonCommercial purposes only. 153 | 154 | 2. Exceptions and Limitations. For the avoidance of doubt, where 155 | Exceptions and Limitations apply to Your use, this Public 156 | License does not apply, and You do not need to comply with 157 | its terms and conditions. 158 | 159 | 3. Term. The term of this Public License is specified in Section 160 | 6(a). 161 | 162 | 4. Media and formats; technical modifications allowed. The 163 | Licensor authorizes You to exercise the Licensed Rights in 164 | all media and formats whether now known or hereafter created, 165 | and to make technical modifications necessary to do so. The 166 | Licensor waives and/or agrees not to assert any right or 167 | authority to forbid You from making technical modifications 168 | necessary to exercise the Licensed Rights, including 169 | technical modifications necessary to circumvent Effective 170 | Technological Measures. For purposes of this Public License, 171 | simply making modifications authorized by this Section 2(a) 172 | (4) never produces Adapted Material. 173 | 174 | 5. Downstream recipients. 175 | 176 | a. Offer from the Licensor -- Licensed Material. Every 177 | recipient of the Licensed Material automatically 178 | receives an offer from the Licensor to exercise the 179 | Licensed Rights under the terms and conditions of this 180 | Public License. 181 | 182 | b. No downstream restrictions. You may not offer or impose 183 | any additional or different terms or conditions on, or 184 | apply any Effective Technological Measures to, the 185 | Licensed Material if doing so restricts exercise of the 186 | Licensed Rights by any recipient of the Licensed 187 | Material. 188 | 189 | 6. No endorsement. Nothing in this Public License constitutes or 190 | may be construed as permission to assert or imply that You 191 | are, or that Your use of the Licensed Material is, connected 192 | with, or sponsored, endorsed, or granted official status by, 193 | the Licensor or others designated to receive attribution as 194 | provided in Section 3(a)(1)(A)(i). 195 | 196 | b. Other rights. 197 | 198 | 1. Moral rights, such as the right of integrity, are not 199 | licensed under this Public License, nor are publicity, 200 | privacy, and/or other similar personality rights; however, to 201 | the extent possible, the Licensor waives and/or agrees not to 202 | assert any such rights held by the Licensor to the limited 203 | extent necessary to allow You to exercise the Licensed 204 | Rights, but not otherwise. 205 | 206 | 2. Patent and trademark rights are not licensed under this 207 | Public License. 208 | 209 | 3. To the extent possible, the Licensor waives any right to 210 | collect royalties from You for the exercise of the Licensed 211 | Rights, whether directly or through a collecting society 212 | under any voluntary or waivable statutory or compulsory 213 | licensing scheme. In all other cases the Licensor expressly 214 | reserves any right to collect such royalties, including when 215 | the Licensed Material is used other than for NonCommercial 216 | purposes. 217 | 218 | 219 | Section 3 -- License Conditions. 220 | 221 | Your exercise of the Licensed Rights is expressly made subject to the 222 | following conditions. 223 | 224 | a. Attribution. 225 | 226 | 1. If You Share the Licensed Material, You must: 227 | 228 | a. retain the following if it is supplied by the Licensor 229 | with the Licensed Material: 230 | 231 | i. identification of the creator(s) of the Licensed 232 | Material and any others designated to receive 233 | attribution, in any reasonable manner requested by 234 | the Licensor (including by pseudonym if 235 | designated); 236 | 237 | ii. a copyright notice; 238 | 239 | iii. a notice that refers to this Public License; 240 | 241 | iv. a notice that refers to the disclaimer of 242 | warranties; 243 | 244 | v. a URI or hyperlink to the Licensed Material to the 245 | extent reasonably practicable; 246 | 247 | b. indicate if You modified the Licensed Material and 248 | retain an indication of any previous modifications; and 249 | 250 | c. indicate the Licensed Material is licensed under this 251 | Public License, and include the text of, or the URI or 252 | hyperlink to, this Public License. 253 | 254 | For the avoidance of doubt, You do not have permission under 255 | this Public License to Share Adapted Material. 256 | 257 | 2. You may satisfy the conditions in Section 3(a)(1) in any 258 | reasonable manner based on the medium, means, and context in 259 | which You Share the Licensed Material. For example, it may be 260 | reasonable to satisfy the conditions by providing a URI or 261 | hyperlink to a resource that includes the required 262 | information. 263 | 264 | 3. If requested by the Licensor, You must remove any of the 265 | information required by Section 3(a)(1)(A) to the extent 266 | reasonably practicable. 267 | 268 | 269 | Section 4 -- Sui Generis Database Rights. 270 | 271 | Where the Licensed Rights include Sui Generis Database Rights that 272 | apply to Your use of the Licensed Material: 273 | 274 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 275 | to extract, reuse, reproduce, and Share all or a substantial 276 | portion of the contents of the database for NonCommercial purposes 277 | only and provided You do not Share Adapted Material; 278 | 279 | b. if You include all or a substantial portion of the database 280 | contents in a database in which You have Sui Generis Database 281 | Rights, then the database in which You have Sui Generis Database 282 | Rights (but not its individual contents) is Adapted Material; and 283 | 284 | c. You must comply with the conditions in Section 3(a) if You Share 285 | all or a substantial portion of the contents of the database. 286 | 287 | For the avoidance of doubt, this Section 4 supplements and does not 288 | replace Your obligations under this Public License where the Licensed 289 | Rights include other Copyright and Similar Rights. 290 | 291 | 292 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 293 | 294 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 295 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 296 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 297 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 298 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 299 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 300 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 301 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 302 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 303 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 304 | 305 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 306 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 307 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 308 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 309 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 310 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 311 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 312 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 313 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 314 | 315 | c. The disclaimer of warranties and limitation of liability provided 316 | above shall be interpreted in a manner that, to the extent 317 | possible, most closely approximates an absolute disclaimer and 318 | waiver of all liability. 319 | 320 | 321 | Section 6 -- Term and Termination. 322 | 323 | a. This Public License applies for the term of the Copyright and 324 | Similar Rights licensed here. However, if You fail to comply with 325 | this Public License, then Your rights under this Public License 326 | terminate automatically. 327 | 328 | b. Where Your right to use the Licensed Material has terminated under 329 | Section 6(a), it reinstates: 330 | 331 | 1. automatically as of the date the violation is cured, provided 332 | it is cured within 30 days of Your discovery of the 333 | violation; or 334 | 335 | 2. upon express reinstatement by the Licensor. 336 | 337 | For the avoidance of doubt, this Section 6(b) does not affect any 338 | right the Licensor may have to seek remedies for Your violations 339 | of this Public License. 340 | 341 | c. For the avoidance of doubt, the Licensor may also offer the 342 | Licensed Material under separate terms or conditions or stop 343 | distributing the Licensed Material at any time; however, doing so 344 | will not terminate this Public License. 345 | 346 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 347 | License. 348 | 349 | 350 | Section 7 -- Other Terms and Conditions. 351 | 352 | a. The Licensor shall not be bound by any additional or different 353 | terms or conditions communicated by You unless expressly agreed. 354 | 355 | b. Any arrangements, understandings, or agreements regarding the 356 | Licensed Material not stated herein are separate from and 357 | independent of the terms and conditions of this Public License. 358 | 359 | 360 | Section 8 -- Interpretation. 361 | 362 | a. For the avoidance of doubt, this Public License does not, and 363 | shall not be interpreted to, reduce, limit, restrict, or impose 364 | conditions on any use of the Licensed Material that could lawfully 365 | be made without permission under this Public License. 366 | 367 | b. To the extent possible, if any provision of this Public License is 368 | deemed unenforceable, it shall be automatically reformed to the 369 | minimum extent necessary to make it enforceable. If the provision 370 | cannot be reformed, it shall be severed from this Public License 371 | without affecting the enforceability of the remaining terms and 372 | conditions. 373 | 374 | c. No term or condition of this Public License will be waived and no 375 | failure to comply consented to unless expressly agreed to by the 376 | Licensor. 377 | 378 | d. Nothing in this Public License constitutes or may be interpreted 379 | as a limitation upon, or waiver of, any privileges and immunities 380 | that apply to the Licensor or You, including from the legal 381 | processes of any jurisdiction or authority. 382 | 383 | ======================================================================= 384 | 385 | Creative Commons is not a party to its public 386 | licenses. Notwithstanding, Creative Commons may elect to apply one of 387 | its public licenses to material it publishes and in those instances 388 | will be considered the “Licensor.” The text of the Creative Commons 389 | public licenses is dedicated to the public domain under the CC0 Public 390 | Domain Dedication. Except for the limited purpose of indicating that 391 | material is shared under a Creative Commons public license or as 392 | otherwise permitted by the Creative Commons policies published at 393 | creativecommons.org/policies, Creative Commons does not authorize the 394 | use of the trademark "Creative Commons" or any other trademark or logo 395 | of Creative Commons without its prior written consent including, 396 | without limitation, in connection with any unauthorized modifications 397 | to any of its public licenses or any other arrangements, 398 | understandings, or agreements concerning use of licensed material. For 399 | the avoidance of doubt, this paragraph does not form part of the 400 | public licenses. 401 | 402 | Creative Commons may be contacted at creativecommons.org. -------------------------------------------------------------------------------- /constants/tls_cipher.go: -------------------------------------------------------------------------------- 1 | package constants 2 | 3 | // A map of of cipher suites, along with their IDs 4 | // 5 | // See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml 6 | var CipherSuites = map[string]uint16{ 7 | "TLS_RSA_WITH_NULL_SHA": 0x0002, 8 | "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA": 0x000d, 9 | "TLS_NULL_WITH_NULL_NULL": 0x0000, 10 | "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA": 0x000b, 11 | "TLS_DH_DSS_WITH_DES_CBC_SHA": 0x000c, 12 | "TLS_RSA_WITH_DES_CBC_SHA": 0x0009, 13 | "TLS_RSA_WITH_RC4_128_MD5": 0x0004, 14 | "TLS_RSA_WITH_IDEA_CBC_SHA": 0x0007, 15 | "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 0x0003, 16 | "TLS_RSA_WITH_NULL_MD5": 0x0001, 17 | "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000a, 18 | "TLS_RSA_WITH_RC4_128_SHA": 0x0005, 19 | "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA": 0x0008, 20 | "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5": 0x0006, 21 | "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA": 0x0011, 22 | "TLS_KRB5_WITH_IDEA_CBC_SHA": 0x0021, 23 | "TLS_DH_RSA_WITH_DES_CBC_SHA": 0x000f, 24 | "TLS_DH_anon_WITH_RC4_128_MD5": 0x0018, 25 | "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA": 0x0019, 26 | "TLS_RSA_PSK_WITH_NULL_SHA384": 0x00b9, 27 | "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA": 0x0010, 28 | "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA": 0x000e, 29 | "TLS_DHE_DSS_WITH_DES_CBC_SHA": 0x0012, 30 | "TLS_DH_anon_WITH_DES_CBC_SHA": 0x001a, 31 | "TLS_KRB5_WITH_DES_CBC_MD5": 0x0022, 32 | "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA": 0x0013, 33 | "TLS_KRB5_WITH_RC4_128_SHA": 0x0020, 34 | "TLS_DHE_RSA_WITH_DES_CBC_SHA": 0x0015, 35 | "TLS_KRB5_WITH_3DES_EDE_CBC_SHA": 0x001f, 36 | "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA": 0x0014, 37 | "TLS_KRB5_WITH_DES_CBC_SHA": 0x001e, 38 | "TLS_KRB5_WITH_3DES_EDE_CBC_MD5": 0x0023, 39 | "TLS_KRB5_WITH_RC4_128_MD5": 0x0024, 40 | "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": 0x009f, 41 | "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": 0x0016, 42 | "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA": 0x001b, 43 | "TLS_DH_RSA_WITH_AES_128_GCM_SHA256": 0x00a0, 44 | "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5": 0x0017, 45 | "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA": 0x0086, 46 | "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384": 0x00ad, 47 | "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256": 0x00ac, 48 | "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA": 0x0087, 49 | "TLS_PSK_WITH_AES_128_CBC_SHA256": 0x00ae, 50 | "TLS_DH_anon_WITH_AES_128_GCM_SHA256": 0x00a6, 51 | "TLS_DH_anon_WITH_AES_256_GCM_SHA384": 0x00a7, 52 | "TLS_PSK_WITH_AES_256_GCM_SHA384": 0x00a9, 53 | "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384": 0x00a3, 54 | "TLS_PSK_WITH_AES_256_CBC_SHA384": 0x00af, 55 | "TLS_KRB5_WITH_IDEA_CBC_MD5": 0x0025, 56 | "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA": 0x0088, 57 | "TLS_DH_DSS_WITH_AES_128_GCM_SHA256": 0x00a4, 58 | "TLS_PSK_WITH_AES_128_GCM_SHA256": 0x00a8, 59 | "TLS_PSK_WITH_NULL_SHA256": 0x00b0, 60 | "TLS_DH_RSA_WITH_AES_256_GCM_SHA384": 0x00a1, 61 | "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA": 0x0026, 62 | "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256": 0x00aa, 63 | "TLS_ECDH_anon_WITH_AES_256_CBC_SHA": 0xc019, 64 | "TLS_DH_DSS_WITH_AES_256_GCM_SHA384": 0x00a5, 65 | "TLS_PSK_WITH_NULL_SHA384": 0x00b1, 66 | "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384": 0x00ab, 67 | "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA": 0x0089, 68 | "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256": 0x00b2, 69 | "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256": 0x00a2, 70 | "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256": 0x00ba, 71 | "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA": 0x0027, 72 | "TLS_PSK_WITH_RC4_128_SHA": 0x008a, 73 | "TLS_DHE_PSK_WITH_NULL_SHA384": 0x00b5, 74 | "TLS_KRB5_EXPORT_WITH_RC4_40_SHA": 0x0028, 75 | "TLS_PSK_WITH_3DES_EDE_CBC_SHA": 0x008b, 76 | "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5": 0x0029, 77 | "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384": 0x00b3, 78 | "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256": 0x00b6, 79 | "TLS_PSK_WITH_AES_128_CBC_SHA": 0x008c, 80 | "TLS_DHE_PSK_WITH_NULL_SHA256": 0x00b4, 81 | "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5": 0x002a, 82 | "TLS_PSK_WITH_AES_256_CBC_SHA": 0x008d, 83 | "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384": 0x00b7, 84 | "TLS_KRB5_EXPORT_WITH_RC4_40_MD5": 0x002b, 85 | "TLS_DHE_PSK_WITH_RC4_128_SHA": 0x008e, 86 | "TLS_ECDH_ECDSA_WITH_NULL_SHA": 0xc001, 87 | "TLS_RSA_WITH_SEED_CBC_SHA": 0x0096, 88 | "TLS_RSA_PSK_WITH_NULL_SHA256": 0x00b8, 89 | "TLS_PSK_WITH_NULL_SHA": 0x002c, 90 | "TLS_DHE_PSK_WITH_NULL_SHA": 0x002d, 91 | "TLS_ECDH_ECDSA_WITH_RC4_128_SHA": 0xc002, 92 | "TLS_DH_DSS_WITH_SEED_CBC_SHA": 0x0097, 93 | "TLS_RSA_PSK_WITH_NULL_SHA": 0x002e, 94 | "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA": 0xc003, 95 | "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA": 0x008f, 96 | "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002f, 97 | "TLS_DH_RSA_WITH_SEED_CBC_SHA": 0x0098, 98 | "TLS_DHE_PSK_WITH_AES_128_CBC_SHA": 0x0090, 99 | "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA": 0xc004, 100 | "TLS_DH_DSS_WITH_AES_128_CBC_SHA": 0x0030, 101 | "TLS_DHE_PSK_WITH_AES_256_CBC_SHA": 0x0091, 102 | "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA": 0xc005, 103 | "TLS_DH_RSA_WITH_AES_128_CBC_SHA": 0x0031, 104 | "TLS_RSA_PSK_WITH_RC4_128_SHA": 0x0092, 105 | "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": 0x0032, 106 | "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA": 0x0093, 107 | "TLS_ECDHE_ECDSA_WITH_NULL_SHA": 0xc006, 108 | "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033, 109 | "TLS_RSA_PSK_WITH_AES_128_CBC_SHA": 0x0094, 110 | "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": 0xc007, 111 | "TLS_DH_anon_WITH_AES_128_CBC_SHA": 0x0034, 112 | "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035, 113 | "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA": 0xc008, 114 | "TLS_RSA_PSK_WITH_AES_256_CBC_SHA": 0x0095, 115 | "TLS_DHE_DSS_WITH_SEED_CBC_SHA": 0x0099, 116 | "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": 0xc009, 117 | "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256": 0x00bb, 118 | "TLS_DH_DSS_WITH_AES_256_CBC_SHA": 0x0036, 119 | "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256": 0x00bc, 120 | "TLS_DHE_RSA_WITH_SEED_CBC_SHA": 0x009a, 121 | "TLS_DH_RSA_WITH_AES_256_CBC_SHA": 0x0037, 122 | "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": 0xc00a, 123 | "TLS_DH_anon_WITH_SEED_CBC_SHA": 0x009b, 124 | "TLS_DHE_DSS_WITH_AES_256_CBC_SHA": 0x0038, 125 | "TLS_ECDH_RSA_WITH_NULL_SHA": 0xc00b, 126 | "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256": 0x00bd, 127 | "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 0x0039, 128 | "TLS_ECDH_RSA_WITH_RC4_128_SHA": 0xc00c, 129 | "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256": 0x00be, 130 | "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009c, 131 | "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA": 0xc00d, 132 | "TLS_DH_anon_WITH_AES_256_CBC_SHA": 0x003a, 133 | "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256": 0x00bf, 134 | "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA": 0xc00e, 135 | "TLS_RSA_WITH_NULL_SHA256": 0x003b, 136 | "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256": 0x00c0, 137 | "TLS_RSA_WITH_AES_256_GCM_SHA384": 0x009d, 138 | "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA": 0xc00f, 139 | "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003c, 140 | "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256": 0x00c1, 141 | "TLS_ECDHE_RSA_WITH_NULL_SHA": 0xc010, 142 | "TLS_RSA_WITH_AES_256_CBC_SHA256": 0x003d, 143 | "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009e, 144 | "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256": 0x00c2, 145 | "TLS_ECDHE_RSA_WITH_RC4_128_SHA": 0xc011, 146 | "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256": 0x00c3, 147 | "TLS_DH_DSS_WITH_AES_128_CBC_SHA256": 0x003e, 148 | "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": 0xc012, 149 | "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256": 0x00c4, 150 | "TLS_DH_RSA_WITH_AES_128_CBC_SHA256": 0x003f, 151 | "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xc013, 152 | "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256": 0x0040, 153 | "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256": 0x00c5, 154 | "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xc014, 155 | "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA": 0x0041, 156 | "TLS_ECDH_anon_WITH_NULL_SHA": 0xc015, 157 | "TLS_SM4_GCM_SM3": 0x00c6, 158 | "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA": 0x0042, 159 | "TLS_ECDH_anon_WITH_RC4_128_SHA": 0xc016, 160 | "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA": 0x0043, 161 | "TLS_SM4_CCM_SM3": 0x00c7, 162 | "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA": 0xc017, 163 | "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA": 0x0044, 164 | "TLS_ECDH_anon_WITH_AES_128_CBC_SHA": 0xc018, 165 | "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA": 0x0045, 166 | "TLS_FALLBACK_SCSV": 0x5600, 167 | "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA": 0x0046, 168 | "TLS_EMPTY_RENEGOTIATION_INFO_SCSV": 0x00ff, 169 | "TLS_CHACHA20_POLY1305_SHA256": 0x1303, 170 | "TLS_AES_128_CCM_SHA256": 0x1304, 171 | "TLS_AES_128_CCM_8_SHA256": 0x1305, 172 | "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": 0x0067, 173 | "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384": 0xc07f, 174 | "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256": 0xc044, 175 | "TLS_DH_anon_WITH_AES_128_CBC_SHA256": 0x006c, 176 | "TLS_DH_anon_WITH_AES_256_CBC_SHA256": 0x006d, 177 | "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384": 0xc045, 178 | "TLS_DH_DSS_WITH_AES_256_CBC_SHA256": 0x0068, 179 | "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256": 0xc046, 180 | "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA": 0xc01a, 181 | "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA": 0x0084, 182 | "TLS_AES_128_GCM_SHA256": 0x1301, 183 | "TLS_DH_RSA_WITH_AES_256_CBC_SHA256": 0x0069, 184 | "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384": 0xc047, 185 | "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA": 0x0085, 186 | "TLS_AES_256_GCM_SHA384": 0x1302, 187 | "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256": 0x006a, 188 | "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xc02f, 189 | "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256": 0xc048, 190 | "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": 0x006b, 191 | "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384": 0xc063, 192 | "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA": 0xc01b, 193 | "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384": 0xc055, 194 | "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA": 0xc01c, 195 | "TLS_PSK_WITH_ARIA_128_CBC_SHA256": 0xc064, 196 | "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256": 0xc04e, 197 | "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384": 0xc071, 198 | "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256": 0xc072, 199 | "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384": 0xc026, 200 | "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256": 0xc025, 201 | "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384": 0xc073, 202 | "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384": 0xc049, 203 | "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": 0xc027, 204 | "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256": 0xc074, 205 | "TLS_SRP_SHA_WITH_AES_128_CBC_SHA": 0xc01d, 206 | "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384": 0xc04f, 207 | "TLS_PSK_WITH_ARIA_256_CBC_SHA384": 0xc065, 208 | "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 0xc028, 209 | "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA": 0xc01e, 210 | "TLS_RSA_WITH_ARIA_128_GCM_SHA256": 0xc050, 211 | "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256": 0xc04a, 212 | "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256": 0xc029, 213 | "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256": 0xc066, 214 | "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384": 0xc075, 215 | "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA": 0xc01f, 216 | "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384": 0xc02a, 217 | "TLS_SRP_SHA_WITH_AES_256_CBC_SHA": 0xc020, 218 | "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256": 0xc056, 219 | "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xc02b, 220 | "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384": 0xc04b, 221 | "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA": 0xc021, 222 | "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384": 0xc067, 223 | "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256": 0xc076, 224 | "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384": 0xc057, 225 | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xc02c, 226 | "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA": 0xc022, 227 | "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256": 0xc058, 228 | "TLS_RSA_WITH_ARIA_256_GCM_SHA384": 0xc051, 229 | "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256": 0xc02d, 230 | "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": 0xc023, 231 | "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384": 0xc059, 232 | "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384": 0xc02e, 233 | "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256": 0xc068, 234 | "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": 0xc024, 235 | "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384": 0xc077, 236 | "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256": 0xc05a, 237 | "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256": 0xc052, 238 | "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384": 0xc05b, 239 | "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384": 0xc069, 240 | "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384": 0xc053, 241 | "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256": 0xc05c, 242 | "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256": 0xc078, 243 | "TLS_PSK_WITH_ARIA_128_GCM_SHA256": 0xc06a, 244 | "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256": 0xc054, 245 | "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384": 0xc079, 246 | "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384": 0xc05d, 247 | "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256": 0xc084, 248 | "TLS_PSK_WITH_ARIA_256_GCM_SHA384": 0xc06b, 249 | "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256": 0xc07a, 250 | "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256": 0xc05e, 251 | "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256": 0xc06c, 252 | "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256": 0xc04c, 253 | "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384": 0xc07b, 254 | "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384": 0xc06f, 255 | "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384": 0xc04d, 256 | "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xc030, 257 | "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256": 0xc070, 258 | "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384": 0xc05f, 259 | "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256": 0xc07c, 260 | "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256": 0xc06e, 261 | "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256": 0xc060, 262 | "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384": 0xc061, 263 | "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256": 0xc031, 264 | "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256": 0xc062, 265 | "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384": 0xc032, 266 | "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384": 0xc06d, 267 | "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384": 0xc07d, 268 | "TLS_RSA_WITH_ARIA_256_CBC_SHA384": 0xc03d, 269 | "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384": 0xc043, 270 | "TLS_ECDHE_PSK_WITH_RC4_128_SHA": 0xc033, 271 | "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256": 0xc07e, 272 | "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384": 0xc038, 273 | "TLS_ECDHE_PSK_WITH_NULL_SHA": 0xc039, 274 | "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA": 0xc034, 275 | "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256": 0xc042, 276 | "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384": 0xc03f, 277 | "TLS_ECDHE_PSK_WITH_NULL_SHA256": 0xc03a, 278 | "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA": 0xc035, 279 | "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256": 0xc03e, 280 | "TLS_ECDHE_PSK_WITH_NULL_SHA384": 0xc03b, 281 | "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384": 0xc085, 282 | "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA": 0xc036, 283 | "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256": 0xc037, 284 | "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256": 0xc080, 285 | "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256": 0xc040, 286 | "TLS_RSA_WITH_ARIA_128_CBC_SHA256": 0xc03c, 287 | "TLS_SHA384_SHA384": 0xc0b5, 288 | "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256": 0xc082, 289 | "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384": 0xc081, 290 | "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384": 0xc041, 291 | "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384": 0xc083, 292 | "TLS_RSA_WITH_AES_256_CCM": 0xc09d, 293 | "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC": 0xc100, 294 | "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC": 0xc101, 295 | "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256": 0xd001, 296 | "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384": 0xc087, 297 | "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT": 0xc102, 298 | "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384": 0xd002, 299 | "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256": 0xc088, 300 | "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L": 0xc103, 301 | "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256": 0xd003, 302 | "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384": 0xc089, 303 | "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L": 0xc104, 304 | "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256": 0xc08a, 305 | "TLS_PSK_WITH_AES_256_CCM_8": 0xc0a9, 306 | "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256": 0xd005, 307 | "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384": 0xc08b, 308 | "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256": 0xc08c, 309 | "TLS_DHE_RSA_WITH_AES_128_CCM": 0xc09e, 310 | "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384": 0xc08d, 311 | "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256": 0xc086, 312 | "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S": 0xc105, 313 | "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256": 0xc08e, 314 | "TLS_PSK_DHE_WITH_AES_128_CCM_8": 0xc0aa, 315 | "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384": 0xc08f, 316 | "TLS_DHE_RSA_WITH_AES_256_CCM": 0xc09f, 317 | "TLS_PSK_DHE_WITH_AES_256_CCM_8": 0xc0ab, 318 | "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256": 0xc090, 319 | "TLS_RSA_WITH_AES_128_CCM_8": 0xc0a0, 320 | "TLS_ECDHE_ECDSA_WITH_AES_128_CCM": 0xc0ac, 321 | "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S": 0xc106, 322 | "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384": 0xc091, 323 | "TLS_RSA_WITH_AES_256_CCM_8": 0xc0a1, 324 | "TLS_ECDHE_ECDSA_WITH_AES_256_CCM": 0xc0ad, 325 | "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256": 0xccab, 326 | "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256": 0xc092, 327 | "TLS_ECCPWD_WITH_AES_128_CCM_SHA256": 0xc0b2, 328 | "TLS_DHE_RSA_WITH_AES_128_CCM_8": 0xc0a2, 329 | "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384": 0xc093, 330 | "TLS_ECCPWD_WITH_AES_256_CCM_SHA384": 0xc0b3, 331 | "TLS_DHE_RSA_WITH_AES_256_CCM_8": 0xc0a3, 332 | "TLS_ECCPWD_WITH_AES_256_GCM_SHA384": 0xc0b1, 333 | "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256": 0xc094, 334 | "TLS_PSK_WITH_AES_128_CCM": 0xc0a4, 335 | "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384": 0xc095, 336 | "TLS_PSK_WITH_AES_256_CCM": 0xc0a5, 337 | "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256": 0xc096, 338 | "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": 0xcca9, 339 | "TLS_DHE_PSK_WITH_AES_128_CCM": 0xc0a6, 340 | "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8": 0xc0ae, 341 | "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384": 0xc097, 342 | "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xcca8, 343 | "TLS_DHE_PSK_WITH_AES_256_CCM": 0xc0a7, 344 | "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256": 0xc098, 345 | "TLS_SHA256_SHA256": 0xc0b4, 346 | "TLS_PSK_WITH_AES_128_CCM_8": 0xc0a8, 347 | "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8": 0xc0af, 348 | "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384": 0xc09b, 349 | "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256": 0xc09a, 350 | "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xccaa, 351 | "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384": 0xc099, 352 | "TLS_RSA_WITH_AES_128_CCM": 0xc09c, 353 | "TLS_ECCPWD_WITH_AES_128_GCM_SHA256": 0xc0b0, 354 | "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256": 0xccae, 355 | "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256": 0xccac, 356 | "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256": 0xccad, 357 | } 358 | -------------------------------------------------------------------------------- /net/table_net_certificate.go: -------------------------------------------------------------------------------- 1 | package net 2 | 3 | import ( 4 | "bytes" 5 | "context" 6 | "crypto/ecdsa" 7 | "crypto/rand" 8 | "crypto/rsa" 9 | "crypto/tls" 10 | "crypto/x509" 11 | "encoding/json" 12 | "errors" 13 | "fmt" 14 | "io" 15 | "net" 16 | "net/http" 17 | "syscall" 18 | "time" 19 | 20 | "golang.org/x/crypto/ocsp" 21 | 22 | "github.com/turbot/steampipe-plugin-sdk/v5/grpc/proto" 23 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin" 24 | "github.com/turbot/steampipe-plugin-sdk/v5/plugin/transform" 25 | ) 26 | 27 | type OCSP struct { 28 | StatusString string `json:"status"` 29 | RevokedAt *time.Time `json:"revoked_at,omitempty"` 30 | RevocationReasonString string `json:"revocation_reason,omitempty"` 31 | } 32 | 33 | //// TABLE DEFINITION 34 | 35 | func tableNetCertificate(ctx context.Context) *plugin.Table { 36 | return &plugin.Table{ 37 | Name: "net_certificate", 38 | Description: "Certificate details for a domain.", 39 | List: &plugin.ListConfig{ 40 | Hydrate: tableNetCertificateList, 41 | KeyColumns: plugin.AnyColumn([]string{"domain", "address"}), 42 | }, 43 | Columns: []*plugin.Column{ 44 | // Top columns 45 | {Name: "domain", Type: proto.ColumnType_STRING, Description: "[DEPRECATED] This column has been deprecated and will be removed in a future release, use address instead. Domain name the certificate represents."}, 46 | {Name: "address", Type: proto.ColumnType_STRING, Description: "Address to connect to, as specified in https://golang.org/pkg/net/#Dial.", Transform: transform.FromQual("address")}, 47 | {Name: "common_name", Type: proto.ColumnType_STRING, Description: "Common name for the certificate."}, 48 | {Name: "not_after", Type: proto.ColumnType_TIMESTAMP, Description: "Time when the certificate expires. Also see not_before."}, 49 | {Name: "revoked", Type: proto.ColumnType_BOOL, Hydrate: getRevocationInformation, Description: "True if the certificate was revoked."}, 50 | {Name: "transparent", Type: proto.ColumnType_BOOL, Hydrate: getCertificateTransparencyLogs, Transform: transform.FromValue(), Description: "True if the certificate is visible in certificate transparency logs."}, 51 | {Name: "is_ca", Type: proto.ColumnType_BOOL, Transform: transform.FromField("IsCertificateAuthority"), Description: "True if the certificate represents a certificate authority."}, 52 | // Other columns 53 | {Name: "serial_number", Type: proto.ColumnType_STRING, Description: "Serial number of the certificate."}, 54 | {Name: "subject", Type: proto.ColumnType_STRING, Description: "Subject of the certificate."}, 55 | {Name: "public_key_algorithm", Type: proto.ColumnType_STRING, Description: "Public key algorithm used by the certificate."}, 56 | {Name: "public_key_length", Type: proto.ColumnType_INT, Description: "Specifies the size of the key."}, 57 | {Name: "signature_algorithm", Type: proto.ColumnType_STRING, Description: "Signature algorithm of the certificate."}, 58 | {Name: "ip_address", Type: proto.ColumnType_IPADDR, Transform: transform.FromField("IPAddress"), Description: "IP address associated with the domain."}, 59 | {Name: "issuer", Type: proto.ColumnType_STRING, Description: "Issuer of the certificate."}, 60 | {Name: "issuer_name", Type: proto.ColumnType_STRING, Description: "Common name for the issuer of the certificate."}, 61 | {Name: "chain", Type: proto.ColumnType_JSON, Description: "Certificate chain."}, 62 | {Name: "country", Type: proto.ColumnType_STRING, Description: "Country for the certificate."}, 63 | {Name: "dns_names", Type: proto.ColumnType_JSON, Transform: transform.FromField("DNSNames"), Description: "DNS names for the certificate."}, 64 | {Name: "crl_distribution_points", Type: proto.ColumnType_JSON, Transform: transform.FromField("CRLDistributionPoints"), Description: "A CRL distribution point (CDP) is a location on an LDAP directory server or Web server where a CA publishes CRLs."}, 65 | {Name: "ocsp_servers", Type: proto.ColumnType_JSON, Transform: transform.FromField("OCSPServers"), Description: "A list of OCSP URLs that are contacted by all end entity certificates to determine revocation status."}, 66 | {Name: "ocsp", Type: proto.ColumnType_JSON, Hydrate: getRevocationInformation, Transform: transform.FromField("OCSP"), Description: "Describes OCSP revocation status of the certificate."}, 67 | {Name: "email_addresses", Type: proto.ColumnType_JSON, Description: "Email addresses for the certificate."}, 68 | {Name: "ip_addresses", Type: proto.ColumnType_JSON, Transform: transform.FromField("IPAddresses"), Description: "Array of IP addresses associated with the domain."}, 69 | {Name: "issuing_certificate_url", Type: proto.ColumnType_JSON, Transform: transform.FromField("IssuingCertificateURL"), Description: "List of URLs of the issuing certificates."}, 70 | {Name: "locality", Type: proto.ColumnType_STRING, Description: "Locality of the certificate."}, 71 | {Name: "not_before", Type: proto.ColumnType_TIMESTAMP, Description: "Time when the certificate is valid from. Also see not_after."}, 72 | {Name: "organization", Type: proto.ColumnType_STRING, Description: "Organization of the certificate."}, 73 | {Name: "ou", Type: proto.ColumnType_JSON, Transform: transform.FromField("OU"), Description: "Organizational Unit of the certificate."}, 74 | {Name: "state", Type: proto.ColumnType_STRING, Description: "State of the certificate."}, 75 | }, 76 | } 77 | } 78 | 79 | // Define our own structure for certificate information since the cert 80 | // package has multiple partial structures 81 | type tableNetCertificateRow struct { 82 | // Common 83 | Domain string `json:"domain,omitempty"` 84 | CommonName string `json:"common_name,omitempty"` 85 | NotAfter time.Time `json:"not_after,omitempty"` 86 | // Other 87 | Chain []tableNetCertificateRow `json:"chain,omitempty"` 88 | Country string `json:"country,omitempty"` 89 | DNSNames []string `json:"dns_names,omitempty"` 90 | EmailAddresses []string `json:"email_addresses,omitempty"` 91 | IPAddress string `json:"ip_address,omitempty"` 92 | IPAddresses []net.IP `json:"ip_addresses,omitempty"` 93 | IsCertificateAuthority bool `json:"is_certificate_authority,omitempty"` 94 | Issuer string `json:"issuer,omitempty"` 95 | IssuerName string `json:"issuer_name,omitempty"` 96 | IssuingCertificateURL []string `json:"issuing_certificate_url,omitempty"` 97 | Locality string `json:"locality,omitempty"` 98 | NotBefore time.Time `json:"not_before,omitempty"` 99 | Organization string `json:"organization,omitempty"` 100 | OU []string `json:"ou,omitempty"` 101 | PublicKeyAlgorithm string `json:"public_key_algorithm,omitempty"` 102 | PublicKeyLength int `json:"public_key_length,omitempty"` 103 | SignatureAlgorithm string `json:"signature_algorithm,omitempty"` 104 | SerialNumber string `json:"serial_number,omitempty"` 105 | State string `json:"state,omitempty"` 106 | Subject string `json:"subject,omitempty"` 107 | CRLDistributionPoints []string `json:"crl_distribution_points,omitempty"` 108 | OCSPServers []string `json:"ocsp_server,omitempty"` 109 | 110 | rawCert *x509.Certificate `json:"-"` 111 | } 112 | 113 | type Cert struct { 114 | IssuerCaID int `json:"issuer_ca_id"` 115 | IssuerName string `json:"issuer_name"` 116 | NameValue string `json:"name_value"` 117 | ID int64 `json:"id"` 118 | EntryTimestamp string `json:"entry_timestamp"` 119 | NotBefore string `json:"not_before"` 120 | NotAfter string `json:"not_after"` 121 | SerialNumber string `json:"serial_number"` 122 | } 123 | 124 | //// LIST FUNCTION 125 | 126 | func tableNetCertificateList(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 127 | 128 | plugin.Logger(ctx).Trace("tableNetCertificateList") 129 | 130 | // Create TLS config 131 | cfg := tls.Config{ 132 | Rand: rand.Reader, 133 | InsecureSkipVerify: true, 134 | } 135 | 136 | // Use `address` column first and fall back to `domain` column 137 | addr := d.EqualsQualString("address") 138 | dn := d.EqualsQualString("domain") 139 | if addr == "" { 140 | addr = net.JoinHostPort(dn, "443") 141 | } 142 | 143 | tcpConnectionCreated := false 144 | dialer := &net.Dialer{ 145 | Timeout: time.Duration(3) * time.Second, // short, certificates should be fast 146 | Control: func(network, address string, c syscall.RawConn) error { // This gets called once the TCP connection gets opened before handshake 147 | tcpConnectionCreated = true 148 | return nil 149 | }, 150 | } 151 | 152 | conn, err := tls.DialWithDialer(dialer, "tcp", addr, &cfg) 153 | if err != nil { 154 | if tcpConnectionCreated { 155 | plugin.Logger(ctx).Error("net_certificate.tableNetCertificateList", "failed to perform TLS handshake:", err) 156 | return nil, nil 157 | } 158 | // Return nil, if the given host couldn't be found 159 | if opErr, ok := err.(*net.OpError); ok { 160 | if dnsError, isDnsError := opErr.Err.(*net.DNSError); isDnsError { 161 | if dnsError.IsNotFound { 162 | plugin.Logger(ctx).Error("net_certificate.tableNetCertificateList", "failed to find the host:", err) 163 | return nil, nil 164 | } 165 | } 166 | } 167 | plugin.Logger(ctx).Error("net_certificate.tableNetCertificateList", "TLS connection failed:", err) 168 | 169 | return nil, errors.New("TLS connection failed: " + err.Error()) 170 | } 171 | defer conn.Close() 172 | 173 | items := conn.ConnectionState().PeerCertificates 174 | 175 | // Should not happen. If it does, then assume the cert was not found. 176 | if len(items) <= 0 { 177 | return nil, nil 178 | } 179 | 180 | chain := items 181 | if len(chain) <= 0 { 182 | return nil, errors.New("Certificate chain cannot be empty: " + dn) 183 | } 184 | 185 | certRows := []tableNetCertificateRow{} 186 | for _, i := range chain { 187 | c := tableNetCertificateRow{} 188 | 189 | // Multiple Subject fields are commonly used, so are elevated to 190 | // top level columns. 191 | // 192 | // In some cases (e.g. Country) multiple items are possible, but very very 193 | // rare, so we pull out the first item to the top level for convenience. 194 | // The full data is always available in the Subject field that these are 195 | // extracted from if needed. We considered making them into a comma separated 196 | // string, but decided on the simpler first item model. 197 | c.CommonName = i.Subject.CommonName 198 | if len(i.Subject.Country) > 0 { 199 | c.Country = i.Subject.Country[0] 200 | } 201 | if len(i.Subject.Province) > 0 { 202 | c.State = i.Subject.Province[0] 203 | } 204 | if len(i.Subject.Locality) > 0 { 205 | c.Locality = i.Subject.Locality[0] 206 | } 207 | if len(i.Subject.Organization) > 0 { 208 | c.Organization = i.Subject.Organization[0] 209 | } 210 | // OU is an array. Naming here is tricky, but ultimately ou feels simple 211 | // and common enough to be best. Also considered ous and organizational_unit(s). 212 | c.OU = i.Subject.OrganizationalUnit 213 | 214 | c.DNSNames = i.DNSNames 215 | c.EmailAddresses = i.EmailAddresses 216 | c.IPAddresses = i.IPAddresses 217 | c.IsCertificateAuthority = i.IsCA 218 | if i.Issuer.CommonName != "" { 219 | c.IssuerName = i.Issuer.CommonName 220 | } else { 221 | if len(i.Issuer.Organization) > 0 && len(i.Issuer.OrganizationalUnit) > 0 { 222 | c.IssuerName = fmt.Sprintf("%s / %s", i.Issuer.Organization[0], i.Issuer.OrganizationalUnit[0]) 223 | } 224 | } 225 | c.Issuer = i.Issuer.String() 226 | c.IssuingCertificateURL = i.IssuingCertificateURL 227 | c.NotAfter = i.NotAfter 228 | c.NotBefore = i.NotBefore 229 | c.PublicKeyAlgorithm = i.PublicKeyAlgorithm.String() 230 | // Represent the serial number as 32 hex characters, with leading zeros. 231 | // This appears to be consistent with the Qualys SSL display. 232 | c.SerialNumber = fmt.Sprintf("%032x", i.SerialNumber) 233 | c.SignatureAlgorithm = i.SignatureAlgorithm.String() 234 | c.Subject = i.Subject.String() 235 | c.CRLDistributionPoints = i.CRLDistributionPoints 236 | c.OCSPServers = i.OCSPServer 237 | 238 | var bitLen int 239 | switch publicKey := i.PublicKey.(type) { 240 | case *rsa.PublicKey: 241 | bitLen = publicKey.N.BitLen() 242 | case *ecdsa.PublicKey: 243 | bitLen = publicKey.Curve.Params().BitSize 244 | default: 245 | } 246 | c.PublicKeyLength = bitLen 247 | c.rawCert = i 248 | 249 | certRows = append(certRows, c) 250 | } 251 | 252 | // The first certificate in the chain is always the one we've requested. 253 | item := certRows[0] 254 | // Add the other dependent (e.g. certificate authority) certificates as a 255 | // single JSON array for reference. They have exactly the same format as 256 | // the table, so could possibly be returned as rows instead. It seemed 257 | // better to keep it focused on one row per domain, which is the main point 258 | // of certificate interaction. 259 | item.Chain = certRows[1:] 260 | 261 | // The primary certificate in the request has extra details we can pull 262 | // out from the request. Add those now. 263 | item.Domain = dn 264 | host, _, err := net.SplitHostPort(conn.RemoteAddr().String()) 265 | if err != nil { 266 | plugin.Logger(ctx).Error("net_certificate.tableNetCertificateList", "error retrieving host from network address", err) 267 | return nil, fmt.Errorf("failed to extract host from network address: %v", err) 268 | } 269 | item.IPAddress = host 270 | 271 | d.StreamListItem(ctx, item) 272 | 273 | return nil, nil 274 | } 275 | 276 | //// HYDRATE FUNCTIONS 277 | 278 | // Check if certificate is transparent 279 | func getCertificateTransparencyLogs(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 280 | data := h.Item.(tableNetCertificateRow) 281 | domainName := data.CommonName 282 | serialNumber := data.SerialNumber 283 | 284 | // crt.sh is a web interface to a distributed database called the certificate transparency logs. 285 | // To validate if domain certificate is transparent, check your certificate in certificate transparency logs 286 | var certs []Cert 287 | baseURL := "https://crt.sh/" 288 | url := fmt.Sprintf("%s?identity=%s&exclude=expired&match==&output=json", baseURL, domainName) 289 | 290 | req, err := http.NewRequest("GET", url, nil) 291 | if err != nil { 292 | return nil, err 293 | } 294 | req.Header.Add("Content-Type", "application/json") 295 | 296 | client := &http.Client{} 297 | resp, err := client.Do(req) 298 | if err != nil { 299 | return nil, fmt.Errorf("failed to retrieve certificate transparency log: %v", err) 300 | } 301 | 302 | statusOK := resp.StatusCode >= 200 && resp.StatusCode < 300 303 | if !statusOK { 304 | return nil, fmt.Errorf("failed to complete the request for %s: %v.", domainName, resp.Status) 305 | } 306 | defer resp.Body.Close() 307 | 308 | body, err := io.ReadAll(resp.Body) 309 | if err != nil { 310 | return nil, fmt.Errorf("failed to read certificate transparency log: %v", err) 311 | } 312 | 313 | err = json.Unmarshal(body, &certs) 314 | if err != nil { 315 | plugin.Logger(ctx).Error("net_certificate.getCertificateTransparencyLogs", "unmarshal_error", err) 316 | return nil, err 317 | } 318 | 319 | // If certificate record found in certificate transparency logs, return transparent as true 320 | isTransparent := false 321 | for _, c := range certs { 322 | if c.SerialNumber == serialNumber { 323 | isTransparent = true 324 | break 325 | } 326 | } 327 | return isTransparent, nil 328 | } 329 | 330 | // Check certificate revocation information 331 | // This function checks both CRL and OCSP server to check for certificate revocation status 332 | func getRevocationInformation(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) { 333 | plugin.Logger(ctx).Trace("net_certificate.getRevocationInformation") 334 | 335 | certRevocationInfo := map[string]interface{}{} 336 | data := h.Item.(tableNetCertificateRow) 337 | 338 | // Check Certificate Revocation List (CRL) to verify certificate revocation status 339 | isRevokedByCAOrOwner, err := isCertificateRevokedByCA(ctx, data.CRLDistributionPoints, data.SerialNumber) 340 | if err != nil { 341 | plugin.Logger(ctx).Error("net_certificate.getRevocationInformation", "error getting revocation information from CRL", err) 342 | } 343 | 344 | // Check Online Certificate Status Protocol (OCSP) to verify certificate revocation status 345 | ocspCertificateRevocationInfo, err := fetchOCSPDetails(ctx, data) 346 | if err != nil { 347 | plugin.Logger(ctx).Error("net_certificate.getRevocationInformation", "error getting revocation information from OCSP server", err) 348 | } 349 | 350 | if ocspCertificateRevocationInfo != nil { 351 | certRevocationInfo["OCSP"] = ocspCertificateRevocationInfo 352 | } 353 | 354 | if isRevokedByCAOrOwner == nil && ocspCertificateRevocationInfo == nil { 355 | return nil, errors.New("failed to retrieve certificate revocation information") 356 | } 357 | 358 | isRevoked := false 359 | if *isRevokedByCAOrOwner || ocspCertificateRevocationInfo.StatusString == "revoked" { 360 | isRevoked = true 361 | } 362 | certRevocationInfo["Revoked"] = isRevoked 363 | 364 | return certRevocationInfo, nil 365 | } 366 | 367 | // getOCSPDetails queries the ocsp_server as given in the certificate and fetches the ocsp status 368 | // adapted from https://github.com/crtsh/ocsp_monitor/blob/e5a2a490acb05dafb0d46f4d0f32c89b1e91a1b5/ocsp_monitor.go#L233 369 | func fetchOCSPDetails(ctx context.Context, data tableNetCertificateRow) (*OCSP, error) { 370 | 371 | plugin.Logger(ctx).Trace("net_certificate.fetchOCSPDetails") 372 | 373 | ocspData := OCSP{} 374 | 375 | if len(data.Chain) == 0 { 376 | plugin.Logger(ctx).Trace("could not find a certificate chain") 377 | return nil, nil 378 | } 379 | 380 | cert := data.rawCert 381 | // the first element of the chain is the certificate of the issuer 382 | issuerCert := data.Chain[0].rawCert 383 | 384 | if len(cert.OCSPServer) == 0 { 385 | plugin.Logger(ctx).Trace("could not find OCSP verification server") 386 | return nil, nil 387 | } 388 | 389 | for c, requestUrl := range cert.OCSPServer { 390 | ocspBytes, err := ocsp.CreateRequest(cert, issuerCert, &ocsp.RequestOptions{}) 391 | if err != nil { 392 | return nil, err 393 | } 394 | 395 | req, err := http.NewRequest("POST", requestUrl, bytes.NewReader(ocspBytes)) 396 | if err != nil { 397 | return nil, err 398 | } 399 | req.Header.Set("Content-Type", "application/ocsp-request") 400 | req.Header.Set("Connection", "close") 401 | req.Header.Set("User-Agent", "Steampipe") 402 | 403 | resp, err := http.DefaultClient.Do(req) 404 | if err != nil { 405 | return nil, err 406 | } 407 | 408 | body, err := io.ReadAll(resp.Body) 409 | if err != nil { 410 | plugin.Logger(ctx).Error("net_certificate.fetchOCSPDetails", "failed to read OCSP response: ", err) 411 | 412 | // If one URL fails, try other URLs in the list until certificate status is determined or this is the last URL in the list 413 | if c+1 == len(cert.OCSPServer) { 414 | return nil, fmt.Errorf("failed to read OCSP response: %v", err) 415 | } 416 | continue 417 | } 418 | 419 | ocspResponse, err := ocsp.ParseResponseForCert(body, cert, issuerCert) 420 | if err != nil { 421 | return nil, err 422 | } 423 | 424 | ocspData = OCSP{} 425 | switch ocspResponse.Status { 426 | case ocsp.Good: 427 | ocspData.StatusString = "good" 428 | case ocsp.Unknown: 429 | ocspData.StatusString = "unknown" 430 | case ocsp.Revoked: 431 | ocspData.RevokedAt = &ocspResponse.RevokedAt 432 | ocspData.RevocationReasonString = getOCSPRevocationReasonString(ocspResponse.RevocationReason) 433 | ocspData.StatusString = "revoked" 434 | default: 435 | ocspData.StatusString = "unexpected" 436 | } 437 | 438 | return &ocspData, nil 439 | } 440 | 441 | return nil, nil 442 | } 443 | 444 | // Checks if the certificate was revoked 445 | func isCertificateRevokedByCA(ctx context.Context, crlDistributionPoints []string, serialNumber string) (*bool, error) { 446 | plugin.Logger(ctx).Trace("isCertificateRevokedByCA") 447 | 448 | isRevoked := false 449 | 450 | for _, crlDistributionPoint := range crlDistributionPoints { 451 | crlInfo, err := fetchCRL(crlDistributionPoint) 452 | if err != nil { 453 | return nil, err 454 | } 455 | 456 | // Check CRL is not outdated 457 | if crlInfo.NextUpdate.Before(time.Now()) { 458 | return nil, errors.New("CRL is outdated") 459 | } 460 | 461 | // Check if the certificate is listed in Certificate Revocation List (CRL) 462 | for _, i := range crlInfo.RevokedCertificateEntries { 463 | if fmt.Sprintf("%032x", i.SerialNumber) == serialNumber { 464 | isRevoked = true 465 | return &isRevoked, nil 466 | } 467 | } 468 | } 469 | return &isRevoked, nil 470 | } 471 | 472 | // Fetch CRL list 473 | func fetchCRL(url string) (*x509.RevocationList, error) { 474 | resp, err := http.Get(url) 475 | if err != nil { 476 | return nil, err 477 | } else if resp.StatusCode >= 300 { 478 | return nil, errors.New("failed to retrieve CRL") 479 | } 480 | 481 | body, err := io.ReadAll(resp.Body) 482 | if err != nil { 483 | return nil, err 484 | } 485 | resp.Body.Close() 486 | 487 | parseBody, err := x509.ParseRevocationList(body) 488 | if err != nil { 489 | return nil, err 490 | } 491 | 492 | return parseBody, nil 493 | } 494 | 495 | // Parse OCSP revocation status to a human-readable format 496 | func getOCSPRevocationReasonString(reasonCode int) string { 497 | switch reasonCode { 498 | case ocsp.Unspecified: 499 | return "unspecified" 500 | case ocsp.KeyCompromise: 501 | return "key-compromise" 502 | case ocsp.CACompromise: 503 | return "ca-compromise" 504 | case ocsp.AffiliationChanged: 505 | return "affiliation-changed" 506 | case ocsp.Superseded: 507 | return "superseded" 508 | case ocsp.CessationOfOperation: 509 | return "cessation-of-operation" 510 | case ocsp.CertificateHold: 511 | return "certificate-hold" 512 | case ocsp.RemoveFromCRL: 513 | return "remove-from-crl" 514 | case ocsp.PrivilegeWithdrawn: 515 | return "privilefe-withdrawn" 516 | case ocsp.AACompromise: 517 | return "aa-compromise" 518 | } 519 | return "unknown" 520 | } 521 | --------------------------------------------------------------------------------