rapid7 · cdelafuente-r7 · Dec 16, 2024 · Feb 6, 2025 · Feb 6, 2025 · Feb 10, 2025
diff --git a/Gemfile b/Gemfile
@@ -5,6 +5,8 @@ source "https://rubygems.org"
 # development dependencies will be added by default to the :development group.
 gemspec
 
+gem 'metasploit-model', git: 'https://github.com/cdelafuente-r7/metasploit-model', branch: 'feat/model/search/operation/jsonb'
+
 group :development do
   # Entity-Relationship diagrams for developers that need to access database using SQL directly.
   gem 'rails-erd'

diff --git a/app/models/metasploit/credential/pkcs12.rb b/app/models/metasploit/credential/pkcs12.rb
@@ -3,6 +3,7 @@
 
 # A private Pkcs12 file.
 class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
+
   #
   # Attributes
   #
@@ -12,6 +13,14 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
   #
   #   @return [String]
 
+  # @!attribute metadata
+  #   Metadata for this Pkcs12:
+  #     adcs_ca: The Certificate Authority that issued the certificate
+  #     adcs_template: The certificate template used to issue the certificate
+  #     pkcs12_password: The password to decrypt the Pkcs12
+  #
+  #   @return [JSONB]
+
   #
   #
   # Validations
@@ -24,15 +33,49 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
 
   validates :data,
             presence: true
+
   #
   # Method Validations
   #
 
   validate :readable
 
+  #
+  # Class methods
+  #
+
   #
   # Instance Methods
   #
+  #
+
+  # The CA that issued the certificate
+  #
+  # @return [String]
+  def adcs_ca
+    metadata['adcs_ca']
+  end
+
+  # The certificate template used to issue the certificate
+  #
+  # @return [String]
+  def adcs_template
+    metadata['adcs_template']
+  end
+
+  # The password to decrypt the Pkcs12
+  #
+  # @return [String]
+  def pkcs12_password
+    metadata['pkcs12_password']
+  end
+
+  # The status if the certificate (active or inactive)
+  #
+  # @return [String]
+  def status
+    metadata['status']
+  end
 
   # Converts the private pkcs12 data in {#data} to an `OpenSSL::PKCS12` instance.
   #
@@ -41,7 +84,7 @@ class Metasploit::Credential::Pkcs12 < Metasploit::Credential::Private
   def openssl_pkcs12
     if data
       begin
-        password = ''
+        password = metadata.fetch('pkcs12_password', '')
         OpenSSL::PKCS12.new(Base64.strict_decode64(data), password)
       rescue OpenSSL::PKCS12::PKCS12Error => error
         raise ArgumentError.new(error)
@@ -50,7 +93,7 @@ def openssl_pkcs12
   end
 
   # The {#data key data}'s fingerprint, suitable for displaying to the
-  # user.
+  # user. The Pkcs12 password is voluntarily not included.
   #
   # @return [String]
   def to_s
@@ -60,9 +103,12 @@ def to_s
     result = []
     result << "subject:#{cert.subject.to_s}"
     result << "issuer:#{cert.issuer.to_s}"
+    result << "ADCS CA:#{metadata['adcs_ca']}" if metadata['adcs_ca']
+    result << "ADCS template:#{metadata['adcs_template']}" if metadata['adcs_template']
     result.join(',')
   end
 
+
   private
 
   #
@@ -80,5 +126,8 @@ def readable
     end
   end
 
+
+  public
+
   Metasploit::Concern.run(self)
 end
diff --git a/app/models/metasploit/credential/private.rb b/app/models/metasploit/credential/private.rb
@@ -50,6 +50,11 @@ class Metasploit::Credential::Private < ApplicationRecord
   #
   #   @return [DateTime]
 
+  # @!attribute metadata
+  #   Metadata related to the private data. The data contained in this JSONB structure varies based on the subclass.
+  #
+  #   @return [JSONB]
+
   #
   #
   # Search
@@ -63,6 +68,9 @@ class Metasploit::Credential::Private < ApplicationRecord
   search_attribute :data,
                    type: :string
 
+  search_attribute :metadata,
+                   type: :jsonb
+
   #
   # Search Withs
   #

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -87,7 +87,7 @@ en:
         metasploit/credential/pkcs12:
           attributes:
             data:
-              format: "is not a Base64 encoded pkcs12 file without a password"
+              format: "is not a serialized data containing Base64 encoded pkcs12 file without a password and metadata"
         metasploit/credential/ssh_key:
           attributes:
             data:

diff --git a/db/migrate/20250204172657_add_metadata_to_metasploit_credential_privates.rb b/db/migrate/20250204172657_add_metadata_to_metasploit_credential_privates.rb
@@ -0,0 +1,5 @@
+class AddMetadataToMetasploitCredentialPrivates < ActiveRecord::Migration[7.0]
+  def change
+    add_column :metasploit_credential_privates, :metadata, :jsonb, null: false, default: {}
+  end
+end
diff --git a/lib/metasploit/credential/creation.rb b/lib/metasploit/credential/creation.rb
@@ -480,7 +480,7 @@ def create_credential_private(opts={})
         when :ssh_key
           private_object = Metasploit::Credential::SSHKey.where(data: private_data).first_or_create
         when :pkcs12
-          private_object = Metasploit::Credential::Pkcs12.where(data: private_data).first_or_create
+          private_object = Metasploit::Credential::Pkcs12.where(data: private_data, metadata: opts.fetch(:private_metadata, {})).first_or_create
         when :krb_enc_key
           private_object = Metasploit::Credential::KrbEncKey.where(data: private_data).first_or_create
         when :ntlm_hash