From 5273eaa897206e18775f939d2f426189fc383e21 Mon Sep 17 00:00:00 2001 From: Jeroen Dekkers Date: Mon, 8 Apr 2024 15:22:42 +0200 Subject: [PATCH] Use public cryptography API in SSL certificate normalizer (#2796) Co-authored-by: Jan Klopper --- .../plugins/kat_ssl_certificates/normalize.py | 6 +- .../examples/ssl-certificates-normalize.json | 62 ++++- boefjes/tests/examples/ssl-certificates.json | 13 - boefjes/tests/examples/ssl-certificates.txt | 243 ++++++++++++++++++ .../tests/test_sslcertificate_normalizer.py | 11 + 5 files changed, 310 insertions(+), 25 deletions(-) delete mode 100644 boefjes/tests/examples/ssl-certificates.json create mode 100644 boefjes/tests/examples/ssl-certificates.txt create mode 100644 boefjes/tests/test_sslcertificate_normalizer.py diff --git a/boefjes/boefjes/plugins/kat_ssl_certificates/normalize.py b/boefjes/boefjes/plugins/kat_ssl_certificates/normalize.py index 1ffd6edca63..40797787028 100644 --- a/boefjes/boefjes/plugins/kat_ssl_certificates/normalize.py +++ b/boefjes/boefjes/plugins/kat_ssl_certificates/normalize.py @@ -4,9 +4,9 @@ import re from collections.abc import Iterable -import cryptography from cryptography import x509 from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.asymmetric import ec, rsa from dateutil.parser import parse from boefjes.job_models import NormalizerMeta 
@@ -126,11 +126,11 @@ def read_certificates( logging.info("Parsing certificate of type %s", type(cert.public_key())) if isinstance( cert.public_key(), - cryptography.hazmat.backends.openssl.rsa.RSAPublicKey, + rsa.RSAPublicKey, ): pk_algorithm = str(AlgorithmType.RSA) pk_number = cert.public_key().public_numbers().n.to_bytes(pk_size // 8, "big").hex() - elif isinstance(cert.public_key(), cryptography.hazmat.backends.openssl.ec._EllipticCurvePublicKey): + elif isinstance(cert.public_key(), ec.EllipticCurvePublicKey): pk_algorithm = str(AlgorithmType.ECC) pk_number = hex(cert.public_key().public_numbers().x) + hex(cert.public_key().public_numbers().y) else: diff --git a/boefjes/tests/examples/ssl-certificates-normalize.json b/boefjes/tests/examples/ssl-certificates-normalize.json index 1afb20bfd14..fe5efb96bde 100644 --- a/boefjes/tests/examples/ssl-certificates-normalize.json +++ b/boefjes/tests/examples/ssl-certificates-normalize.json 
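Review bot: In the RSA branch, `to_bytes(pk_size // 8, "big")` raises OverflowError when the modulus bit length is not a multiple of 8, and since the certificate is supplied by the scanned host, an unusual key size can abort normalization of that raw file. `pk_size` is assigned outside this hunk; assuming it holds the key's bit length, rounding up is safer: `pk_number = cert.public_key().public_numbers().n.to_bytes((pk_size + 7) // 8, "big").hex()`. In the ECC branch, `hex(x) + hex(y)` joins two variable-width `0x…` strings, which is not a fixed-width encoding of the point; a comment stating the intended format would help anyone who later compares these values. Both lines are unchanged context here, and read_certificates starts and ends outside the hunk.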
@@ -1,13 +1,57 @@ { - "id": "10f392a7-a21b-428a-9ba1-7d39018d58a7", - "organization": "_dev", - "arguments": { - "domain": "example.nl" + "id": "7134430c-8509-4944-b0be-27cb9bfb4bc2", + "raw_data": { + "id": "cf06e5fa-d038-43ca-848f-08528d1b5eb7", + "boefje_meta": { + "id": "b3806b37-f51e-448b-901a-5fa9c78607bc", + "started_at": "2024-04-05T08:12:14.001600Z", + "ended_at": "2024-04-05T08:12:14.647053Z", + "boefje": { + "id": "ssl-certificates", + "version": null + }, + "input_ooi": "Website|internet|134.209.85.72|tcp|443|https|internet|mispo.es", + "arguments": { + "input": { + "object_type": "Website", + "scan_profile": "scan_profile_type='inherited' reference=Reference('Website|internet|134.209.85.72|tcp|443|https|internet|mispo.es') level=", + "primary_key": "Website|internet|134.209.85.72|tcp|443|https|internet|mispo.es", + "ip_service": { + "ip_port": { + "address": { + "network": { + "name": "internet" + }, + "address": "134.209.85.72" + }, + "protocol": "tcp", + "port": "443" + }, + "service": { + "name": "https" + } + }, + "hostname": { + "network": { + "name": "internet" + }, + "name": "mispo.es" + }, + "certificate": "None" + } + }, + "organization": "test", + "runnable_hash": "31425d58d153e0cafcf8a0e558b690d48217fce6378acc65b3e361ae568802f2", + "environment": {} + }, + "mime_types": [ + { + "value": "boefje/ssl-certificates" + } + ] }, - "started_at": "2021-07-27T11:26:42.679000+00:00", - "ended_at": "2021-07-27T11:26:44.679000+00:00", - "dispatches": { - "normalizers": [], - "boefjes": [] + "normalizer": { + "id": "kat_dns_normalize", + "version": null } } diff --git a/boefjes/tests/examples/ssl-certificates.json b/boefjes/tests/examples/ssl-certificates.json deleted file mode 100644 index 27993dfb13e..00000000000 --- a/boefjes/tests/examples/ssl-certificates.json +++ /dev/null 
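Review bot: The fixture's `normalizer.id` is `kat_dns_normalize`, although `boefje.id` is `ssl-certificates` and the file feeds the SSL certificate normalizer test; it looks copied from a DNS fixture. The new test probably does not read that field, but setting it to the id the SSL certificate normalizer is registered under would keep the fixture from misleading later tests that do check it. The `scan_profile` string also ends in a bare `level=`, which suggests the value was truncated when the fixture was captured and may be worth regenerating.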
@@ -1,13 +0,0 @@ -{ - "id": "3c9ded6e-b314-4d4c-9dbb-1b95254647d6", - "organization": "_dev", - "arguments": { - "domain": "example.nl" - }, - "dispatches": { - "normalizers": [ - "kat_ssl_certificates.normalize" - ], - "boefjes": [] - } -} diff --git a/boefjes/tests/examples/ssl-certificates.txt b/boefjes/tests/examples/ssl-certificates.txt new file mode 100644 index 00000000000..16f2ef8d346 --- /dev/null +++ b/boefjes/tests/examples/ssl-certificates.txt 
@@ -0,0 +1,243 @@ +CONNECTED(00000003) +--- +Certificate chain + 0 s:CN = mispo.es + i:C = US, O = Let's Encrypt, CN = R3 +-----BEGIN CERTIFICATE----- +MIIFKjCCBBKgAwIBAgISBIEgUTAliVGEWSjvwigTdO8TMA0GCSqGSIb3DQEBCwUA +MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD +EwJSMzAeFw0yMjExMTUwODUyNTdaFw0yMzAyMTMwODUyNTZaMBMxETAPBgNVBAMT +CG1pc3BvLmVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoHAjzeGB +jt/YWunF+X50xzCgTh6Fs71+QWckk17j6jFVB9YdKGdnkQOYaBoZdqjFs2ojtWZI +eqrSPEzHfS4mk5XlYllgQomR966Ly2IrPQkzqHo9xqpaILxiJIXa7K2cUbL9rdpB +il+7QtCCAWcmTBJItgdvj8r/jCNsUrrWp+Io4ojaVQs4VaYWcIbftSs5nnVtJ41/ +i6OgrfvNthRfGT9W3afNqrAzAkLsGI/Qa3KT9KPEikItuEpa2VZEYRPBUY+KlhfK +dgCDBD1uIGAd8rlFwfMq65rRBPk8sYlT9eaBvoKde2oDI3oXfwv2lDUgts5i+hdk +R9VFOqcrPp2VUQIDAQABo4ICVzCCAlMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRd +UBy7LJ4dkCYqDP4fDk1a+BTKwjAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6+d +ixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxl +bmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAnBgNV +HREEIDAegghtaXNwby5lc4ISdnVpbGUuc3RpbGxla2F0Lm5sMEwGA1UdIARFMEMw +CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j +cHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAejKM +VNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61IAAAGEerTBaQAABAMASDBGAiEA +pPIOE9cqiRsOXUGyFjDG6+WteI7U5e8ZEUFP5DvcPNACIQDWgqHT74Y8f13IM7bV +74rXaLbIbTaLAlSzyqBOOScO0wB1AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nh +d31tBr1uAAABhHq0wcwAAAQDAEYwRAIgEvvznbl7HfU1FI9HThTz4OpJh5L+0YpQ +SqeJw1TYcrUCIAjuTcePt5n9zAEzV0nKY3Knw+GJ40HS3fOjh3FXsa8BMA0GCSqG +SIb3DQEBCwUAA4IBAQAR6t0xjTZ3djYvafy9iDAYnrbq76xcViq58mAgZxcQIZ0x +LQyxKe44skPFaf9GgHJImqnL41twdZfvnidE4pIaYE5NIjbEA/lloMaMrzJ/f8ux +iC5doo1/r6wvRJqRmoIF4aC8y+WpTxogf01Ea4rV6rHMugBUfJLjx2gkxloMEguw +RElnErM9aL36GQz0j8yY4FHppzkcRerjRe/p9OALu81nWxG0K+7Xp42JzylYXvCj +idLA7MOqakHLt+O6Uf8DaJOIXdHYbhyijcqANzzG1jSixjHaBoM6inGVhJI+Mh5t +qXe6YQpcZ1a7Hdns92sUt1d8/6dihdDd1vVxcVmP +-----END 
CERTIFICATE----- + 1 s:C = US, O = Let's Encrypt, CN = R3 + i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 +-----BEGIN CERTIFICATE----- +MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw +WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP +R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx +sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm +NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg +Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG +/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB +Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw +Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB +gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W +PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl +ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz +CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm +lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 +avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 +yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O +yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids +hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ +HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv +MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX +nLRbwHOoq7hHwg== +-----END CERTIFICATE----- + 2 s:C = US, O = 
Internet Security Research Group, CN = ISRG Root X1 + i:O = Digital Signature Trust Co., CN = DST Root CA X3 +-----BEGIN CERTIFICATE----- +MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC +ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL +wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D +LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK +4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 +bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y +sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ +Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 +FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc +SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql +PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND +TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 +c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx ++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB +ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu +b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E +U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu +MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC +5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW +9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG +WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O +he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC 
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 +-----END CERTIFICATE----- +--- +Server certificate +subject=CN = mispo.es + +issuer=C = US, O = Let's Encrypt, CN = R3 + +--- +No client certificate CA names sent +Peer signing digest: SHA256 +Peer signature type: RSA-PSS +Server Temp Key: X25519, 253 bits +--- +SSL handshake has read 4582 bytes and written 390 bytes +Verification error: certificate has expired +--- +New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 +Server public key is 2048 bit +Secure Renegotiation IS NOT supported +No ALPN negotiated +Early data was not sent +Verify return code: 10 (certificate has expired) +--- +--- +Certificate chain + 0 s:CN = mispo.es + i:C = US, O = Let's Encrypt, CN = R3 +-----BEGIN CERTIFICATE----- +MIIFKjCCBBKgAwIBAgISBIEgUTAliVGEWSjvwigTdO8TMA0GCSqGSIb3DQEBCwUA +MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD +EwJSMzAeFw0yMjExMTUwODUyNTdaFw0yMzAyMTMwODUyNTZaMBMxETAPBgNVBAMT +CG1pc3BvLmVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoHAjzeGB +jt/YWunF+X50xzCgTh6Fs71+QWckk17j6jFVB9YdKGdnkQOYaBoZdqjFs2ojtWZI +eqrSPEzHfS4mk5XlYllgQomR966Ly2IrPQkzqHo9xqpaILxiJIXa7K2cUbL9rdpB +il+7QtCCAWcmTBJItgdvj8r/jCNsUrrWp+Io4ojaVQs4VaYWcIbftSs5nnVtJ41/ +i6OgrfvNthRfGT9W3afNqrAzAkLsGI/Qa3KT9KPEikItuEpa2VZEYRPBUY+KlhfK +dgCDBD1uIGAd8rlFwfMq65rRBPk8sYlT9eaBvoKde2oDI3oXfwv2lDUgts5i+hdk +R9VFOqcrPp2VUQIDAQABo4ICVzCCAlMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRd +UBy7LJ4dkCYqDP4fDk1a+BTKwjAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6+d +ixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxl +bmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAnBgNV +HREEIDAegghtaXNwby5lc4ISdnVpbGUuc3RpbGxla2F0Lm5sMEwGA1UdIARFMEMw +CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j +cHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAejKM +VNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61IAAAGEerTBaQAABAMASDBGAiEA 
+pPIOE9cqiRsOXUGyFjDG6+WteI7U5e8ZEUFP5DvcPNACIQDWgqHT74Y8f13IM7bV +74rXaLbIbTaLAlSzyqBOOScO0wB1AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nh +d31tBr1uAAABhHq0wcwAAAQDAEYwRAIgEvvznbl7HfU1FI9HThTz4OpJh5L+0YpQ +SqeJw1TYcrUCIAjuTcePt5n9zAEzV0nKY3Knw+GJ40HS3fOjh3FXsa8BMA0GCSqG +SIb3DQEBCwUAA4IBAQAR6t0xjTZ3djYvafy9iDAYnrbq76xcViq58mAgZxcQIZ0x +LQyxKe44skPFaf9GgHJImqnL41twdZfvnidE4pIaYE5NIjbEA/lloMaMrzJ/f8ux +iC5doo1/r6wvRJqRmoIF4aC8y+WpTxogf01Ea4rV6rHMugBUfJLjx2gkxloMEguw +RElnErM9aL36GQz0j8yY4FHppzkcRerjRe/p9OALu81nWxG0K+7Xp42JzylYXvCj +idLA7MOqakHLt+O6Uf8DaJOIXdHYbhyijcqANzzG1jSixjHaBoM6inGVhJI+Mh5t +qXe6YQpcZ1a7Hdns92sUt1d8/6dihdDd1vVxcVmP +-----END CERTIFICATE----- + 1 s:C = US, O = Let's Encrypt, CN = R3 + i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 +-----BEGIN CERTIFICATE----- +MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw +WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP +R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx +sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm +NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg +Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG +/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB +Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw +Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB +gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W +PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl 
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz +CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm +lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 +avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 +yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O +yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids +hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ +HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv +MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX +nLRbwHOoq7hHwg== +-----END CERTIFICATE----- + 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 + i:O = Digital Signature Trust Co., CN = DST Root CA X3 +-----BEGIN CERTIFICATE----- +MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC +ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL +wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D +LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK +4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 +bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y +sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ +Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 +FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc +SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql +PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND +TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx ++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB +ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu +b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E +U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu +MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC +5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW +9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG +WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O +he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC +Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 +-----END CERTIFICATE----- +--- +Server certificate +subject=CN = mispo.es + +issuer=C = US, O = Let's Encrypt, CN = R3 + +--- +No client certificate CA names sent +Peer signing digest: SHA256 +Peer signature type: RSA-PSS +Server Temp Key: X25519, 253 bits +--- +SSL handshake has read 4740 bytes and written 414 bytes +Verification error: certificate has expired +--- +New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 +Server public key is 2048 bit +Secure Renegotiation IS NOT supported +No ALPN negotiated +Early data was not sent +Verify return code: 10 (certificate has expired) +--- diff --git a/boefjes/tests/test_sslcertificate_normalizer.py b/boefjes/tests/test_sslcertificate_normalizer.py new file mode 100644 index 00000000000..afd2b99a4ef --- /dev/null +++ b/boefjes/tests/test_sslcertificate_normalizer.py @@ -0,0 +1,11 @@ +from boefjes.job_models import NormalizerMeta +from boefjes.plugins.kat_ssl_certificates.normalize import run +from tests.loading import get_dummy_data + + +def test_ssl_certificates_normalizer(): + meta = NormalizerMeta.model_validate_json(get_dummy_data("ssl-certificates-normalize.json")) + + output = list(run(meta, get_dummy_data("ssl-certificates.txt"))) + + assert len([ooi for ooi in output if ooi.object_type == "X509Certificate"]) == 3
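Review bot: `test_ssl_certificates_normalizer` asserts only that three `X509Certificate` objects come out, so it does not check the key algorithm or key value produced by the `isinstance` branches this commit rewrites. Depending on what the `else` path in read_certificates does, the count could stay at 3 even if the `rsa.RSAPublicKey` check stopped matching. The fixture chain appears to be RSA-only (the captured output reports a 2048 bit server key), so the `ec.EllipticCurvePublicKey` branch is never exercised. Consider asserting the algorithm and key fields of at least the leaf certificate and adding a second fixture with an EC certificate. A short comment explaining that the fixture contains the same chain twice, and why 3 rather than 6 is expected, would also help.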