@CBonnell
CBonnell / csr-attr.py
Last active Sep 30, 2022
Generate CSR Attributes with AcpNodeName in SAN
from pyasn1_alt_modules import rfc2986, rfc2985, rfc5280, rfc8994
from pyasn1.codec.der.encoder import encode

# otherName GeneralName carrying an RFC 8994 ACP node name
gn = rfc5280.GeneralName()
acp_name = gn['otherName']
acp_name['type-id'] = rfc8994.id_on_AcpNodeName
acp_name['value'] = rfc8994.AcpNodeName('rfc8994+fd739fc23c3440112233445500000000+@acp.example.com')

# place the name in a SubjectAltName and DER-encode the result
san = rfc5280.SubjectAltName()
san.append(gn)
print(encode(san).hex())
@CBonnell
CBonnell / gist:5658d3ba006718e7c6161221ad3b15dd
Last active Mar 23, 2022
CABF Validation SC Trello to Github issue migration
Trello Title,Trello Description,State,GitHub Issue,Action,Comments
"Peter's registrar challenge-response validation method (""Method 13"" in validation summit document)",This is partially mitigated by the email-based methods which were added to get around WHOIS unavailability.,Backlog,,Create GitHub,
Require DNSSEC validation for CAA records when the domain is DNSSEC enabled,"Consider removing exceptions for DNSSEC failures on CAA lookup, and fail-closed instead.",Backlog,,Create GitHub,
Define standard CAA semantics for limiting cert issuance to DV/OV/IV/EV,,Backlog,,Create GitHub,
Permit the inclusion of LEIs in Subject fields,,Backlog,,Create GitHub,
Create allow-list of Registration agencies used by CAs for EV JOI,Needs to include process for rapid updates,Backlog,,Create GitHub,
Improve CAA logging requirements as discussed: https://groups.google.com/d/msg/mozilla.dev.security.policy/7AcHi_MgKWE/-E3z-ifLBQAJ,"The current requirement is:
""The CA SHALL log all actions taken, if any, consistent with its
@CBonnell
CBonnell / gutmann_testkeys.py
Last active Mar 7, 2022
Converts the private keys listed in https://datatracker.ietf.org/doc/draft-gutmann-testkeys/ to OpenSSL-consumable format
import base64
import binascii

import lark
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
from pyasn1.codec.der.encoder import encode
from pyasn1.type import univ
from pyasn1.type.namedtype import NamedType, NamedTypes
SHA-1 CRLs
Fetch errors:
HTTPConnectionPool(host='crl.comodo.net', port=80): Max retries exceeded with url: /AAACertificateServices.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x0000025BA14EE0D0>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
403 Client Error: Forbidden for url: http://crl.tuntrust.tn/tntrustrootca.crl
HTTPConnectionPool(host='atospki', port=80): Max retries exceeded with url: /crl/Atos_TrustedRoot_CA_2011.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x000001B43D5D87C0>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
@CBonnell
CBonnell / shellcode_modulus.txt
Last active Dec 5, 2021
Vanity RSA key with Windows bind shellcode in modulus
WARNING
This key is extremely weak and should not be used for anything
Vanity RSA-3072 key with Windows bind shellcode in modulus. DER encoding of the CSR below detected by ClamAV as a trojan: https://www.virustotal.com/gui/file/b757330297ddccd7ec1fdac846dc7a69b1e75541b53ba8b8a508b0370c7b23da/detection
v1 CRLs in MozillaIntermediateCerts.csv
CRL URI: intermediate cert subject (ASN.1 version)
http://g.symcb.com/crls/gtglobal.crl: /C=DE/O=CertCenter AG/OU=Domain Validated SSL/CN=AlwaysOnSSL CA - G2 (0)
http://g.symcb.com/crls/gtglobal.crl: /CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US (0)
http://s.symcb.com/pca3-g5.crl: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2 (0)
http://s.symcb.com/pca3-g5.crl: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2 (0)
http://g.symcb.com/crls/gtglobal.crl: /C=US/O=DigiCert, Inc./OU=www.digicert.com/CN=DigiCert TLS ICA GeoTrust Global (0)
http://s.symcb.com/pca3-g5.crl: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Transition RSA Root (0)
http://crl.geotrust.com/crls/gtglobal.crl: /C=JP/O=NTT DOCOMO, INC./OU=GeoRoot Certification Authority/CN=DKHS Device CA (0)
http://g.symcb.com/crls/gtglobal.crl: /C=JP/O=NTT DOCOMO, INC./OU=GeoRoot Certification Authority/CN=DKHS Device CA - G2 (0)
http://crl.geotrust.com/crls/gtglobal.crl: /C=US/O=GeoTrust Inc
@CBonnell
CBonnell / jurisST.txt
Last active Aug 20, 2019
EV certificates, C=US with non-existent ST and jurisST RDN values
(tags.raw:"ev" and parsed.subject.jurisdiction_country:US and parsed.subject.jurisdiction_province:* and not parsed.subject.jurisdiction_province:"Alabama" and not parsed.subject.jurisdiction_province:"AL" and not parsed.subject.jurisdiction_province:"Alaska" and not parsed.subject.jurisdiction_province:"AK" and not parsed.subject.jurisdiction_province:"Arizona" and not parsed.subject.jurisdiction_province:"AZ" and not parsed.subject.jurisdiction_province:"Arkansas" and not parsed.subject.jurisdiction_province:"AR" and not parsed.subject.jurisdiction_province:"California" and not parsed.subject.jurisdiction_province:"CA" and not parsed.subject.jurisdiction_province:"Colorado" and not parsed.subject.jurisdiction_province:"CO" and not parsed.subject.jurisdiction_province:"Connecticut" and not parsed.subject.jurisdiction_province:"CT" and not parsed.subject.jurisdiction_province:"Delaware" and not parsed.subject.jurisdiction_province:"DE" and not parsed.subject.jurisdiction_province:"Florida" and not parsed.subj
@CBonnell
CBonnell / gist:1f01ccd93667c37800b67e518340c606
Last active Feb 23, 2019
DarkMatter-issued certificates, notBefore >= 2016-09-30
QuoVadis
"crt.sh URL(s)", notBefore, "serial number", "highest set bit", "issuer CN"
"https://crt.sh/?id=85497938 (precert)", 2017-02-06, 5B:FC:72:86:43:23:99:6B, 63, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85497941 (precert)", 2017-02-06, 04:9E:3C:E1:F1:4B:C1:A1, 59, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85497942 (precert)", 2017-02-06, 3E:1D:03:8A:F2:73:F3:E9, 62, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85498180 (precert)", 2017-02-06, 9A:45:0C:14:16:BB:B4, 56, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85498184 (precert)", 2017-02-06, 79:76:12:FE:31:58:53:99, 63, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85498186 (precert)", 2017-02-06, 42:2A:F0:A8:25:EC:14:34, 63, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85283194 (precert); https://crt.sh/?id=266919536 (final)", 2017-02-06, 2F:90:D6:AA:A7:2B:D1:9D, 62, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85667726 (precert); https://crt.sh/?id=269941290 (final)", 2017-02-07, 1A:CD:66:B2:4B:2B:07:8