feat(prober-cert): capture leaf TLS cert after successful JARM

JARM probes are crafted ClientHellos with weird ciphers — they never complete a real handshake, so the peer cert isn't reachable from those sockets. After a non-empty JARM hash proves the port speaks TLS, do a separate ssl.wrap_socket() against the same (ip, port) to fetch and parse the leaf cert. - decnet/prober/tlscert.py: fetch + parse via cryptography lib; swallows all connect/handshake/parse failures (returns None). - decnet/prober/worker.py::_capture_tls_cert: emits a tls_certificate event with subject_cn / issuer / SANs / validity / SHA-256 + publishes on the bus. Wired from _jarm_phase only when JARM succeeds, so non-TLS ports never trigger a second connect. - Tests cover happy path, cert-fetch failure, defense-in-depth crash, empty-JARM skip, publish_fn, and parser edge cases (garbage DER, empty bytes, missing SAN extension, non-self-signed).
2026-04-28 11:14:44 -04:00
parent 4749c972e5
commit 5f8149daee
4 changed files with 534 additions and 2 deletions
--- a/decnet/prober/worker.py
+++ b/decnet/prober/worker.py
@@ -39,6 +39,7 @@ from decnet.logging import get_logger
 from decnet.prober.hassh import hassh_server
 from decnet.prober.jarm import JARM_EMPTY_HASH, jarm_hash
 from decnet.prober.tcpfp import tcp_fingerprint
+from decnet.prober.tlscert import fetch_leaf_cert
 from decnet.telemetry import traced as _traced

 logger = get_logger("prober")
@@ -305,6 +306,10 @@ def _jarm_phase(
                    "jarm",
                    {"attacker_ip": ip, "port": port, "jarm_hash": h},
                )
+            # Cert capture: a non-empty JARM hash proves the port speaks
+            # TLS, so a follow-up real handshake is worth attempting.
+            # Failures are silent — the next probe target must not stall.
+            _capture_tls_cert(ip, port, log_path, json_path, timeout, publish_fn)
        except Exception as exc:
            done.add(port)
            _write_event(
@@ -319,6 +324,60 @@ def _jarm_phase(
            logger.warning("prober: JARM probe failed %s:%d: %s", ip, port, exc)


+@_traced("prober.tls_cert_capture")
+def _capture_tls_cert(
+    ip: str,
+    port: int,
+    log_path: Path,
+    json_path: Path,
+    timeout: float,
+    publish_fn: ProbePublishFn | None,
+) -> None:
+    """Fetch the leaf TLS cert from ``ip:port`` and emit a tls_certificate
+    event. No-op when the handshake fails (silent — JARM already proved
+    the port responds, but the real handshake can still fail for many
+    reasons: cipher mismatch, SNI gating, mTLS requirement)."""
+    try:
+        cert = fetch_leaf_cert(ip, port, timeout=timeout)
+    except Exception as exc:
+        # fetch_leaf_cert is supposed to swallow errors; defense in depth.
+        logger.warning("prober: TLS cert fetch crashed %s:%d: %s", ip, port, exc)
+        return
+    if cert is None:
+        return
+
+    sans_csv = ",".join(cert["sans"])
+    _write_event(
+        log_path, json_path,
+        "tls_certificate",
+        target_ip=ip,
+        target_port=str(port),
+        subject_cn=cert["subject_cn"],
+        issuer=cert["issuer"],
+        self_signed=str(cert["self_signed"]).lower(),
+        not_before=cert["not_before"],
+        not_after=cert["not_after"],
+        sans=sans_csv,
+        cert_sha256=cert["cert_sha256"],
+        msg=f"TLS cert {ip}:{port} CN={cert['subject_cn']} sha256={cert['cert_sha256'][:16]}...",
+    )
+    logger.info(
+        "prober: TLS cert %s:%d CN=%s sha256=%s",
+        ip, port, cert["subject_cn"], cert["cert_sha256"],
+    )
+    if publish_fn is not None:
+        publish_fn(
+            "tls_certificate",
+            {
+                "attacker_ip": ip,
+                "port": port,
+                "subject_cn": cert["subject_cn"],
+                "cert_sha256": cert["cert_sha256"],
+                "self_signed": cert["self_signed"],
+            },
+        )
+
+
@_traced("prober.hassh_phase")
 def _hassh_phase(
    ip: str,