Initial commit

Author: picoHz

.gitignore

@@ -0,0 +1,15 @@
+# Generated by Cargo
+# will have compiled files and executables
+/target/
+
+# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
+# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
+Cargo.lock
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
+
+# Added by cargo
+
+/target

Cargo.toml

@@ -0,0 +1,31 @@
+[package]
+name = "pawprint"
+version = "0.1.0"
+description = "A simple web app for inspecting TLS fingerprints"
+edition = "2021"
+authors = ["picoHz <[email protected]>"]
+keywords = ["tls", "ja3", "fingerprint"]
+categories = ["network-programming", "cryptography"]
+repository = "https://github.com/picoHz/pawprint"
+homepage = "https://pawprint.dev"
+license = "AGPL-3.0"
+
+[dependencies]
+anyhow = "1.0.69"
+clap = { version = "4.1.4", features = ["derive"] }
+http = "0.2.8"
+hyper = { version = "0.14.24", features = ["server", "http1", "http2", "tcp"] }
+include_dir = "0.7.3"
+md5 = "0.7.0"
+pin-project-lite = "0.2.9"
+rustls = "0.20.8"
+rustls-pemfile = "1.0.2"
+sailfish = "0.6.0"
+serde = "1.0.152"
+serde_derive = "1.0.152"
+serde_json = "1.0.93"
+tokio = { version = "1.25.0", features = ["macros", "rt-multi-thread", "net"] }
+tokio-rustls = "0.23.4"
+
+[profile.release]
+strip = true

LICENSE

@@ -0,0 +1,45 @@
+# Pawprint
+
+🐾 A simple web app for inspecting TLS fingerprints.
+
+## Demo
+
+Visit https://pawprint.dev/
+
+## Installation
+
+```bash
+cargo install pawprint
+```
+
+## Starting the server
+
+```bash
+pawprint 0.0.0.0:443 --certs path/to/certs.pem --key path/to/key.pem
+```
+
+## Development
+
+```bash
+# Generate a self-signed certificate
+cargo install rcgen
+rcgen
+
+cargo r -- 127.0.0.1:8443 --certs certs/cert.pem --key certs/key.pem
+```
+
+## Credit
+
+This program is inspired by the following sites / libraries.
+
+- [TLS fingerprinting: How it works, where it is used and how to control your signature](https://lwthiker.com/networks/2022/06/17/tls-fingerprinting.html)
+
+- [TLSFingerprint.io](https://tlsfingerprint.io/)
+
+- [salesforce/ja3](https://github.com/salesforce/ja3)
+
+- [ja3-rustls](https://crates.io/crates/ja3-rustls)
+
+## License
+
+This software is licensed under the AGPLv3.

README.md

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBfTCCASOgAwIBAgIICehBgSxAhTEwCgYIKoZIzj0EAwIwMDEYMBYGA1UECgwP
+Q3JhYiB3aWRnaXRzIFNFMRQwEgYDVQQDDAtNYXN0ZXIgQ2VydDAgFw03NTAxMDEw
+MDAwMDBaGA80MDk2MDEwMTAwMDAwMFowMDEYMBYGA1UECgwPQ3JhYiB3aWRnaXRz
+IFNFMRQwEgYDVQQDDAtNYXN0ZXIgQ2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABPWtBaFMHK5Ofr4iEG3yyUm3q0NnwXjkunvXm1yQ47z/5pM4exKfM4xZjjVB
+nCE1gv7KmShUsLHa8bu1/VvgKTijJTAjMCEGA1UdEQQaMBiCC2NyYWJzLmNyYWJz
+gglsb2NhbGhvc3QwCgYIKoZIzj0EAwIDSAAwRQIhAOKg0EHC+oBf/E2MSJMMnDAX
+9HueMwSFFomD+dQqU0gUAiAE99Q/eXybUKHCOKSrY+Iwq1ePAHkH4URNpQqKGyJP
+HQ==
+-----END CERTIFICATE-----

certs/cert.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg+Lig6wJYoVemIErz
+iZw/S4SjWR0TBtCO1hqIhyx1ynuhRANCAAT1rQWhTByuTn6+IhBt8slJt6tDZ8F4
+5Lp715tckOO8/+aTOHsSnzOMWY41QZwhNYL+ypkoVLCx2vG7tf1b4Ck4
+-----END PRIVATE KEY-----

certs/key.pem

@@ -0,0 +1,67 @@
+use crate::report::Report;
+use http::{Request, Response, StatusCode};
+use hyper::Body;
+use include_dir::{include_dir, Dir};
+use sailfish::TemplateOnce;
+use std::{convert::Infallible, path::Path, sync::Arc};
+
+static STATIC_DIR: Dir<'_> = include_dir!("$CARGO_MANIFEST_DIR/static");
+
+#[derive(TemplateOnce)]
+#[template(path = "index.stpl")]
+struct IndexTemplate {
+    report: Arc<Report>,
+}
+
+pub async fn handle_request(
+    req: Request<Body>,
+    report: Arc<Report>,
+) -> Result<Response<Body>, Infallible> {
+    let path = req.uri().path();
+    match path {
+        "/" => {
+            let ctx = IndexTemplate { report };
+            return Ok(Response::builder()
+                .header("Content-Type", "text/html")
+                .body(Body::from(ctx.render_once().unwrap()))
+                .unwrap());
+        }
+        "/index.json" => {
+            return Ok(Response::builder()
+                .header("Content-Type", "application/json")
+                .body(Body::from(
+                    serde_json::to_string_pretty(report.as_ref()).unwrap(),
+                ))
+                .unwrap())
+        }
+        _ => {}
+    }
+
+    if let Some(file) = STATIC_DIR.get_file(path.trim_start_matches('/')) {
+        return Ok(Response::builder()
+            .header("Content-Type", path_to_mime(path))
+            .body(Body::from(file.contents()))
+            .unwrap());
+    }
+
+    Ok(Response::builder()
+        .status(StatusCode::NOT_FOUND)
+        .body(Body::from("404"))
+        .unwrap())
+}
+
+fn path_to_mime(path: &str) -> &'static str {
+    let ext = Path::new(path)
+        .extension()
+        .unwrap_or_default()
+        .to_str()
+        .unwrap_or_default();
+    match ext {
+        "css" => "text/css",
+        "png" => "image/png",
+        "svg" => "image/svg+xml",
+        "ico" => "image/x-icon",
+        "xml" | "webmanifest" => "application/xml",
+        _ => "application/octet-stream",
+    }
+}

src/handler.rs

@@ -0,0 +1,75 @@
+use rustls::internal::msgs::handshake::{ClientExtension, ClientHelloPayload};
+use serde_derive::Serialize;
+
+#[derive(Serialize)]
+pub struct Ja3 {
+    pub md5: String,
+    pub str: String,
+}
+
+impl Ja3 {
+    pub fn new(hello: &ClientHelloPayload, sort_ext: bool) -> Self {
+        let version = hello.client_version.get_u16();
+        let ciphers = hello
+            .cipher_suites
+            .iter()
+            .map(|cipher| cipher.get_u16())
+            .filter(is_not_grease)
+            .map(|n| n.to_string())
+            .collect::<Vec<_>>();
+        let ciphers = ciphers.join("-");
+
+        let mut extensions = hello
+            .extensions
+            .iter()
+            .map(|ext| ext.get_type().get_u16())
+            .filter(is_not_grease)
+            .map(|n| n.to_string())
+            .collect::<Vec<_>>();
+
+        if sort_ext {
+            extensions.sort();
+        }
+
+        let extensions = extensions.join("-");
+
+        let curves = hello
+            .extensions
+            .iter()
+            .filter_map(|ext| match ext {
+                ClientExtension::NamedGroups(curves) => Some(curves),
+                _ => None,
+            })
+            .flatten()
+            .map(|curve| curve.get_u16())
+            .filter(is_not_grease)
+            .map(|n| n.to_string())
+            .collect::<Vec<_>>();
+        let curves = curves.join("-");
+
+        let points = hello
+            .extensions
+            .iter()
+            .filter_map(|ext| match ext {
+                ClientExtension::ECPointFormats(points) => Some(points),
+                _ => None,
+            })
+            .flatten()
+            .map(|points| points.get_u8())
+            .map(|n| n.to_string())
+            .collect::<Vec<_>>();
+        let points = points.join("-");
+
+        let ja3 = format!("{version},{ciphers},{extensions},{curves},{points}");
+        let md5 = md5::compute(&ja3);
+
+        Self {
+            md5: format!("{md5:x}"),
+            str: ja3,
+        }
+    }
+}
+
+fn is_not_grease(v: &u16) -> bool {
+    *v & 0x0f0f != 0x0a0a
+}

src/ja3.rs

@@ -0,0 +1,112 @@
+use anyhow::Result;
+use clap::Parser;
+use http::Request;
+use hyper::{server::conn::Http, service::service_fn, Body};
+use std::fs::File;
+use std::io::{self, BufReader};
+use std::net::SocketAddr;
+use std::path::{Path, PathBuf};
+use std::sync::Arc;
+use tokio::net::TcpListener;
+use tokio_rustls::rustls::{self, Certificate, PrivateKey};
+use tokio_rustls::TlsAcceptor;
+
+mod handler;
+mod ja3;
+mod report;
+mod tls;
+
+use handler::*;
+use report::*;
+use tls::*;
+
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None)]
+struct Args {
+    /// Socket address
+    addr: SocketAddr,
+
+    /// Certificate chain file
+    #[arg(long)]
+    certs: PathBuf,
+
+    /// Private key file
+    #[arg(long)]
+    key: PathBuf,
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    let args = Args::parse();
+    let certs = load_certs(&args.certs)?;
+    let key = load_key(&args.key)?;
+
+    let mut config = rustls::ServerConfig::builder()
+        .with_safe_defaults()
+        .with_no_client_auth()
+        .with_single_cert(certs, key)?;
+    config.alpn_protocols = vec!["h2".as_bytes().to_vec(), "http/1.1".as_bytes().to_vec()];
+
+    let acceptor = TlsAcceptor::from(Arc::new(config));
+
+    println!("🐾 Listening on {}", args.addr);
+    let listener = TcpListener::bind(&args.addr).await?;
+
+    loop {
+        let (stream, _peer_addr) = listener.accept().await?;
+        let acceptor = acceptor.clone();
+
+        let stream = TlsInspctor::new(stream);
+
+        let fut = async move {
+            let stream = acceptor.accept(stream).await?;
+            let ctx = Arc::new(Report::new(stream.get_ref().0.client_hello()));
+
+            tokio::task::spawn(async move {
+                if let Err(http_err) = Http::new()
+                    .serve_connection(
+                        stream,
+                        service_fn(|req: Request<Body>| {
+                            let ctx = ctx.clone();
+                            async move { handle_request(req, ctx.clone()).await }
+                        }),
+                    )
+                    .await
+                {
+                    eprintln!("Error while serving HTTP connection: {http_err}");
+                }
+            });
+
+            Ok(()) as io::Result<()>
+        };
+
+        tokio::spawn(async move {
+            if let Err(err) = fut.await {
+                eprintln!("Error: {err:?}");
+            }
+        });
+    }
+}
+
+fn load_certs(path: &Path) -> io::Result<Vec<Certificate>> {
+    let mut reader = BufReader::new(File::open(path)?);
+    let certs = rustls_pemfile::certs(&mut reader)?;
+    Ok(certs.into_iter().map(Certificate).collect())
+}
+
+fn load_key(path: &Path) -> Result<PrivateKey> {
+    use rustls_pemfile::Item;
+    let keyfile = std::fs::File::open(path)?;
+    let mut reader = BufReader::new(keyfile);
+
+    while let Some(key) = rustls_pemfile::read_one(&mut reader)? {
+        match key {
+            Item::RSAKey(key) | Item::PKCS8Key(key) | Item::ECKey(key) => {
+                return Ok(PrivateKey(key))
+            }
+            _ => {}
+        }
+    }
+
+    Err(anyhow::anyhow!("key not found"))
+}

src/main.rs

@@ -0,0 +1,25 @@
+use rustls::internal::msgs::handshake::ClientHelloPayload;
+use serde_derive::Serialize;
+
+use crate::ja3::Ja3;
+
+#[derive(Serialize)]
+pub struct Report {
+    pub tls: Option<TlsReport>,
+}
+
+#[derive(Serialize)]
+pub struct TlsReport {
+    pub ja3: Ja3,
+    pub ja3_sort_ext: Ja3,
+}
+
+impl Report {
+    pub fn new(hello: Option<&ClientHelloPayload>) -> Self {
+        let tls = hello.map(|hello| TlsReport {
+            ja3: Ja3::new(hello, false),
+            ja3_sort_ext: Ja3::new(hello, true),
+        });
+        Self { tls }
+    }
+}