Andrew Ayer AGWA
@AGWA
AGWA / openssl-rekey.sh
Last active Aug 29, 2015
Generate a new key and CSR for each of the SSL certificate files specified on the command line. Submit the new CSRs to your certificate authority for a free reissue. Useful for rekeying after a compromise such as Heartbleed. See https://www.agwa.name/blog/post/responding_to_heartbleed_a_script_to_regenerate_ssl_certs_en_masse
#!/bin/sh
#
# openssl-rekey -- generate a new key and CSR for each of the certificate
# files specified on the command line. Submit the new
# CSRs to your certificate authority for a free reissue.
# Useful for rekeying after a compromise such as Heartbleed.
#
# See https://www.agwa.name/blog/post/responding_to_heartbleed_a_script_to_regenerate_ssl_certs_en_masse
#
AGWA / migrate-revamp-key.cpp
Created Jul 5, 2014
Tool to migrate a git-crypt revamp branch key
// Migrate an old-style git-crypt revamp branch key to a new-style git-crypt revamp branch key.
// Reads old key from stdin and writes new key to stdout.
// Compile with: c++ -o migrate-revamp-key migrate-revamp-key.cpp
#include <iostream>
#include <cstdlib>
#include <cstring>
static void grab (char* p, std::streamsize len)
{
AGWA / apt.diff
Created Sep 23, 2014
Diff between apt-0.9.7.9+deb7u4 and apt-0.9.7.9+deb7u5
diff -ru _1/apt-0.9.7.9+deb7u4/apt-pkg/acquire-item.cc _2/apt-0.9.7.9+deb7u5/apt-pkg/acquire-item.cc
--- _1/apt-0.9.7.9+deb7u4/apt-pkg/acquire-item.cc 2014-09-17 07:30:35.000000000 -0700
+++ _2/apt-0.9.7.9+deb7u5/apt-pkg/acquire-item.cc 2014-09-22 23:56:57.000000000 -0700
@@ -970,6 +970,12 @@
else
Local = true;
+ // do not reverify cdrom sources as apt-cdrom may rewrite the Packages
+ // file when its doing the indexcopy
+ if (RealURI.substr(0,6) == "cdrom:" &&
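Review bot: typo in the added comment in this hunk: "when its doing the indexcopy" should read "when it's doing the indexcopy". Note also that the hunk header declares six new lines but the preview stops after the first operand of the `if` condition, so the remainder of the condition and the body that exempts `cdrom:` sources from reverification are not visible here; the full diff should be read before judging the effect of skipping verification for those sources.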
AGWA / PKGBUILD
Created May 12, 2015
Fixed PKGBUILD for git-crypt
pkgname=git-crypt
pkgver=0.4.2
pkgrel=1
pkgdesc="Transparent file encryption in Git"
arch=('i686' 'x86_64')
url="https://www.agwa.name/projects/${pkgname}/"
license=('GPL3')
depends=('git' 'openssl')
provides=("$pkgname")
conflicts=("${pkgname}-git")
AGWA / readlink.cpp
Last active Oct 8, 2015
C++ readlink wrapper
AGWA / name_constrain.go
Last active Dec 3, 2015
Go program to add name constraints to a certificate
/*
* Adds name constraints to a certificate. Useful if you need to
* import your organization's private CA into your web browser, but
* you only want to trust it for your organization's domains and not
* the Internet at large.
*
* The certificate is re-signed by an ephemeral issuer with a random
* key so you don't need access to the private key. A random serial number
* is placed in the Issuer DN so browsers don't attempt to verify the
* signature when you import the certificate.
AGWA / gist:bf0aad23c931f8e1063f
Created Dec 14, 2015
Email-only CAs trusted by Debian for TLS authentication
AC Ra\xC3\xADz Certic\xC3\xA1mara S.A. (server trust = CKT_NSS_MUST_VERIFY_TRUST)
ComSign CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure Global eBusiness CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
Equifax Secure eBusiness CA 1 (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Business (Class B) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Express (Class C) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
NetLock Qualified (Class QA) Root (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Authentication and Encryption Root CA 2005 PN (server trust = CKT_NSS_MUST_VERIFY_TRUST)
S-TRUST Universal Root CA (server trust = CKT_NSS_MUST_VERIFY_TRUST)
AGWA / all_client_options
Last active Jan 14, 2016
Investigation into undocumented ssh_config and sshd_config options, as of https://github.com/openssh/openssh-portable/tree/e6c85f8889c5c9eb04796fdb76d2807636b9eef5 (scroll to bottom for the upshot).
addkeystoagent
addressfamily
afstokenpassing
batchmode
bindaddress
canonicaldomains
canonicalizefallbacklocal
canonicalizehostname
canonicalizemaxdots
canonicalizepermittedcnames
AGWA / ocsp_stapling_robustness.md
Last active Oct 31, 2016
OCSP Stapling Robustness in Apache and nginx

Date: Mon, 5 Oct 2015 16:34:03 -0700

Apache caches an OCSP response for one hour by default. Unfortunately, once the hour is up, the response is purged from the cache, and Apache doesn't attempt to retrieve a new one until the next TLS handshake takes place. That means that if there's a problem contacting the OCSP responder at that moment, Apache is left without an OCSP response to staple. Furthermore, it caches the non-response for 10 minutes (by default), so for the next 10 minutes, no OCSP response will be stapled to your

AGWA / cook_rsa_key.go
Last active Oct 11, 2018
Demonstrates that an RSA signature does not uniquely identify a public key.
/*
* Demonstrates that an RSA signature does not uniquely identify a public key.
* Given a signature, s, and a message m, it's possible to construct a new RSA key
* pair such that s is a valid signature for m under the new key pair.
*
* Requires Go version >= 1.5. Go <= 1.4 doesn't work due to a bug in the bignum
* package: https://github.com/golang/go/issues/9826
*
* Written in 2015 by Andrew Ayer <agwa@andrewayer.name>
*