

Corey Bonnell CBonnell

  • Pittsburgh, PA
@CBonnell
CBonnell / csr-attr.py
Last active November 30, 2023 14:50
Generate CSR Attributes (RFC 7030 CsrAttrs) with an AcpNodeName in the SAN
from pyasn1_alt_modules import rfc2986, rfc2985, rfc5280, rfc8994, rfc7030
from pyasn1.codec.der.encoder import encode
import base64

# GeneralName CHOICE, otherName alternative: OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
gn = rfc5280.GeneralName()
acp_name = gn['otherName']
acp_name['type-id'] = rfc8994.id_on_AcpNodeName
# AcpNodeName is an IA5String of the form <acp-address>+<rsub>@<acp-domain-name> (RFC 8994, Section 6.2.2)
acp_name['value'] = rfc8994.AcpNodeName('fd89b714f3db00000200000064000000+area51.research@acp.example.com')
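The gist above builds the otherName with pyasn1_alt_modules. The following is an added example, not the gist's code, that does the same job with the standard library only: it splits the acp-node-name into its parts (the 32 hex digits are the node's ACP IPv6 address, RFC 8994 Section 6.2.2), hand-encodes the GeneralName, and wraps it in a subjectAltName extension inside an RFC 7030 CsrAttrs. The OIDs are the registered ones; the regular expression is an approximation of the RFC's ABNF, and carrying the SAN as a PKCS#9 extensionRequest attribute is my reading of the gist's title, not something the truncated preview shows.

```python
"""Build the RFC 8994 AcpNodeName otherName and wrap it in an RFC 7030 CsrAttrs,
standard library only (added example, not the csr-attr.py gist's code)."""
import ipaddress
import re

# id-on-AcpNodeName = { id-on 10 } = 1.3.6.1.5.5.7.8.10 (RFC 8994, Section 6.2.2)
ID_ON_ACP_NODE_NAME = "1.3.6.1.5.5.7.8.10"
ID_CE_SUBJECT_ALT_NAME = "2.5.29.17"            # RFC 5280
ID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest

# Approximation of the acp-node-name ABNF (RFC 8994, Section 6.2.2):
#   acp-node-name = local-part "@" acp-domain-name
#   local-part    = [acp-address] ["+" rsub extensions],  acp-address = 32 lowercase hex | "0"
_LABELS = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*"
_NODE_NAME_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{32}|0)?"
    r"(?:\+(?P<rsub>(?:" + _LABELS + r")?)(?P<ext>(?:\+[A-Za-z0-9._-]+)*))?"
    r"@(?P<domain>" + _LABELS + r")$"
)


def parse_acp_node_name(name):
    """Split an acp-node-name; raises ValueError on malformed input (e.g. uppercase hex)."""
    m = _NODE_NAME_RE.match(name)
    if not m:
        raise ValueError("not a valid acp-node-name: %r" % name)
    addr, rsub = m.group("addr"), m.group("rsub") or ""
    return {
        "acp_address": ipaddress.IPv6Address(int(addr, 16)) if addr and addr != "0" else None,
        "rsub": rsub,
        "extensions": [e for e in (m.group("ext") or "").split("+") if e],
        "domain": m.group("domain"),
        # routing-subdomain = [rsub "."] acp-domain-name
        "routing_subdomain": (rsub + "." if rsub else "") + m.group("domain"),
    }


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def acp_node_name_general_name(name):
    """GeneralName.otherName holding an AcpNodeName. OtherName ::= SEQUENCE { type-id, value [0]
    EXPLICIT ANY }; GeneralName tags the alternative [0] IMPLICIT, so SEQUENCE's 0x30 becomes 0xA0."""
    parse_acp_node_name(name)  # reject malformed names before encoding them
    value = _tlv(0xA0, _tlv(0x16, name.encode("ascii")))  # [0] EXPLICIT IA5String
    return _tlv(0xA0, _der_oid(ID_ON_ACP_NODE_NAME) + value)


def subject_alt_name_extension(general_names):
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING (DER of GeneralNames) }."""
    names = _tlv(0x30, b"".join(general_names))
    return _tlv(0x30, _der_oid(ID_CE_SUBJECT_ALT_NAME) + _tlv(0x04, names))


def csr_attrs_with_san(general_names):
    """RFC 7030 CsrAttrs ::= SEQUENCE OF AttrOrOID, here one Attribute:
    extensionRequest with values = SET { Extensions { subjectAltName } }."""
    extensions = _tlv(0x30, subject_alt_name_extension(general_names))
    attribute = _tlv(0x30, _der_oid(ID_EXTENSION_REQUEST) + _tlv(0x31, extensions))
    return _tlv(0x30, attribute)


if __name__ == "__main__":
    NAME = "fd89b714f3db00000200000064000000+area51.research@acp.example.com"  # value from the gist
    print(parse_acp_node_name(NAME))
    print(csr_attrs_with_san([acp_node_name_general_name(NAME)]).hex())
```

The parse step is the check worth keeping when a CA or EST server accepts these names from a client: the address part must be exactly 32 lowercase hex digits (or "0"), and the routing subdomain derived from rsub and the domain is what the ACP uses, so a name that merely "looks like an email address" should be rejected.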
CBonnell / gist:5658d3ba006718e7c6161221ad3b15dd
Last active March 23, 2022 13:16
CABF Validation SC Trello to Github issue migration
Trello Title,Trello Description,State,GitHub Issue,Action,Comments
"Peter's registrar challenge-response validation method (""Method 13"" in validation summit document)",This is partially mitigated by the email-based methods which were added to get around WHOIS unavailability.,Backlog,,Create GitHub,
Require DNSSEC validation for CAA records when the domain is DNSSEC enabled,"Consider removing exceptions for DNSSEC failures on CAA lookup, and fail-closed instead.",Backlog,,Create GitHub,
Define standard CAA semantics for limiting cert issuance to DV/OV/IV/EV,,Backlog,,Create GitHub,
Permit the inclusion of LEIs in Subject fields,,Backlog,,Create GitHub,
Create allow-list of Registration agencies used by CAs for EV JOI,Needs to include process for rapid updates,Backlog,,Create GitHub,
Improve CAA logging requirements as discussed: https://groups.google.com/d/msg/mozilla.dev.security.policy/7AcHi_MgKWE/-E3z-ifLBQAJ,"The current requirement is:
""The CA SHALL log all actions taken, if any, consistent with its
CBonnell / gutmann_testkeys.py
Last active March 7, 2022 14:11
Converts the private keys listed in https://datatracker.ietf.org/doc/draft-gutmann-testkeys/ to OpenSSL-consumable format
import base64
import lark
import binascii
from cryptography.hazmat.primitives.asymmetric import ec, rsa, dsa
from cryptography.hazmat.primitives import serialization
from pyasn1.codec.der.encoder import encode
from pyasn1.type import univ
from pyasn1.type.namedtype import NamedTypes, NamedType
Fetch errors:
HTTPConnectionPool(host='crl.comodo.net', port=80): Max retries exceeded with url: /AAACertificateServices.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x0000025BA14EE0D0>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
403 Client Error: Forbidden for url: http://crl.tuntrust.tn/tntrustrootca.crl
HTTPConnectionPool(host='atospki', port=80): Max retries exceeded with url: /crl/Atos_TrustedRoot_CA_2011.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x000001B43D5D87C0>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
CBonnell / shellcode_modulus.txt
Last active December 5, 2021 00:03
Vanity RSA key with Windows bind shellcode in modulus
_ _ _, __, _, _ _ _, _ _,
| | / \ |_) |\ | | |\ | / _
|/\| |~| | \ | \| | | \| \ /
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
This key is extremely weak and should not be used for anything
Vanity RSA-3072 key with Windows bind shellcode in the modulus. The DER encoding of the CSR below is detected by ClamAV as a trojan: https://www.virustotal.com/gui/file/b757330297ddccd7ec1fdac846dc7a69b1e75541b53ba8b8a508b0370c7b23da/detection
-----BEGIN CERTIFICATE REQUEST-----
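How arbitrary bytes end up at the front of a modulus, as an added example (not the gist's code; its payload is not reproduced here): fix one prime p, build a target integer whose top bytes are the wanted string, and take q as the first prime at or above target/p. Then p*q exceeds the target by less than p times a small factor, which only disturbs the lower half of n, so roughly the upper half of the modulus can be chosen freely. The 18-byte prefix (an x86 `jmp $` stub, EB FE, followed by ASCII) and the 512-bit size are constructed for speed; the gist's key is RSA-3072. As the gist's banner says, such keys are toys. The last function shows why a byte-pattern scanner sees the payload verbatim: the DER INTEGER of a modulus is its big-endian magnitude with a single 0x00 sign byte in front.

```python
"""Predetermine the high-order bytes of an RSA modulus (the construction behind the
shellcode_modulus.txt gist), standard library only. Added example, not the gist's code."""
import math
import secrets

_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97)


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random probable prime of exactly `bits` bits (top bit forced so the size is exact)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def vanity_modulus(prefix, bits, e=65537):
    """Return (n, p, q) with n exactly `bits` long and n's big-endian bytes starting with `prefix`.

    q0 = ceil(target / p) gives 0 <= p*q0 - target < p; stepping q up by 2 k times to reach a prime
    makes the excess < p*(2k+1), i.e. only the low ~bits/2 + log2(2k+1) bits of n differ from the
    target. The final check retries in the rare case a carry reaches the prefix or gcd(e, phi) != 1."""
    if not prefix or bits % 8 or len(prefix) > (bits // 2 - 32) // 8:
        raise ValueError("prefix too long to be preserved in a %d-bit modulus" % bits)
    if not prefix[0] & 0x80:
        raise ValueError("first prefix byte needs bit 7 set so n is exactly `bits` long")
    target = int.from_bytes(prefix, "big") << (bits - 8 * len(prefix))
    while True:
        p = random_prime(bits // 2)
        q = -(-target // p) | 1          # ceil(target / p), forced odd
        while not is_probable_prime(q):
            q += 2
        n = p * q
        if (n.bit_length() == bits and n.to_bytes(bits // 8, "big").startswith(prefix)
                and math.gcd(e, (p - 1) * (q - 1)) == 1):
            return n, p, q


def rsa_private_key(prefix, bits, e=65537):
    """Complete RSA key as integers around a vanity modulus; d = e^-1 mod phi(n)."""
    n, p, q = vanity_modulus(prefix, bits, e)
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "p": p, "q": q}


def der_integer_content(n):
    """Content octets of the DER INTEGER for positive n. A full-size modulus has bit 7 of its first
    byte set, so DER prepends 0x00: in a DER key or CSR the chosen prefix sits one byte after the
    INTEGER's length octets, unchanged, which is what a content scanner's byte signature matches."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + body if body[0] & 0x80 else body


if __name__ == "__main__":
    # Constructed placeholder, not the gist's payload: x86 `jmp $` (EB FE) followed by ASCII.
    PREFIX = b"\xeb\xfe" + b"RSA MODULUS DEMO"
    key = rsa_private_key(PREFIX, 512)   # 512 bits for speed; the gist's key is RSA-3072
    print(key["n"].to_bytes(64, "big").hex())
    print(der_integer_content(key["n"])[:1 + len(PREFIX)].hex())
```

Usage: `rsa_private_key(PREFIX, 512)` returns in well under a second; the same code with `bits=3072` and a longer prefix works but spends most of its time in `random_prime`. Whether the resulting key is cryptographically weak is a separate question from whether it is flagged: the detection in the gist is a pattern match on the encoded bytes, not a judgement about the primes.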
CRL URI: intermediate cert subject (ASN.1 version)
http://g.symcb.com/crls/gtglobal.crl: /C=DE/O=CertCenter AG/OU=Domain Validated SSL/CN=AlwaysOnSSL CA - G2 (0)
http://g.symcb.com/crls/gtglobal.crl: /CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US (0)
http://s.symcb.com/pca3-g5.crl: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2 (0)
http://s.symcb.com/pca3-g5.crl: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2 (0)
http://g.symcb.com/crls/gtglobal.crl: /C=US/O=DigiCert, Inc./OU=www.digicert.com/CN=DigiCert TLS ICA GeoTrust Global (0)
http://s.symcb.com/pca3-g5.crl: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Transition RSA Root (0)
http://crl.geotrust.com/crls/gtglobal.crl: /C=JP/O=NTT DOCOMO, INC./OU=GeoRoot Certification Authority/CN=DKHS Device CA (0)
http://g.symcb.com/crls/gtglobal.crl: /C=JP/O=NTT DOCOMO, INC./OU=GeoRoot Certification Authority/CN=DKHS Device CA - G2 (0)
http://crl.geotrust.com/crls/gtglobal.crl: /C=US/O=GeoTrust Inc
CBonnell / jurisST.txt
Last active August 20, 2019 02:25
EV certificates, C=US with non-existent ST and jurisST RDN values
(tags.raw:"ev" and parsed.subject.jurisdiction_country:US and parsed.subject.jurisdiction_province:* and not parsed.subject.jurisdiction_province:"Alabama" and not parsed.subject.jurisdiction_province:"AL" and not parsed.subject.jurisdiction_province:"Alaska" and not parsed.subject.jurisdiction_province:"AK" and not parsed.subject.jurisdiction_province:"Arizona" and not parsed.subject.jurisdiction_province:"AZ" and not parsed.subject.jurisdiction_province:"Arkansas" and not parsed.subject.jurisdiction_province:"AR" and not parsed.subject.jurisdiction_province:"California" and not parsed.subject.jurisdiction_province:"CA" and not parsed.subject.jurisdiction_province:"Colorado" and not parsed.subject.jurisdiction_province:"CO" and not parsed.subject.jurisdiction_province:"Connecticut" and not parsed.subject.jurisdiction_province:"CT" and not parsed.subject.jurisdiction_province:"Delaware" and not parsed.subject.jurisdiction_province:"DE" and not parsed.subject.jurisdiction_province:"Florida" and not parsed.subj
CBonnell / gist:1f01ccd93667c37800b67e518340c606
Last active February 23, 2019 14:10
DarkMatter-issued certificates, notBefore >= 2016-09-30
QuoVadis
"crt.sh URL(s)", notBefore, "serial number", "highest set bit", "issuer CN"
"https://crt.sh/?id=85497938 (precert)", 2017-02-06, 5B:FC:72:86:43:23:99:6B, 63, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85497941 (precert)", 2017-02-06, 04:9E:3C:E1:F1:4B:C1:A1, 59, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85497942 (precert)", 2017-02-06, 3E:1D:03:8A:F2:73:F3:E9, 62, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85498180 (precert)", 2017-02-06, 9A:45:0C:14:16:BB:B4, 56, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85498184 (precert)", 2017-02-06, 79:76:12:FE:31:58:53:99, 63, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85498186 (precert)", 2017-02-06, 42:2A:F0:A8:25:EC:14:34, 63, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85283194 (precert); https://crt.sh/?id=266919536 (final)", 2017-02-06, 2F:90:D6:AA:A7:2B:D1:9D, 62, "DarkMatter High Assurance CA"
"https://crt.sh/?id=85667726 (precert); https://crt.sh/?id=269941290 (final)", 2017-02-07, 1A:CD:66:B2:4B:2B:07:8
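The "highest set bit" column is the 1-indexed bit length of the serial number. The following is an added example (not part of the gist) that computes it for the seven complete serials listed above and asks how unlikely it is that an honest 64-bit CSPRNG never sets bit 64 across a sample. The 64-bit figure is the Baseline Requirements minimum (serials must contain at least 64 bits of CSPRNG output), which took effect on 2016-09-30, the cutoff in the gist title.

```python
"""Bit-length analysis of certificate serial numbers (the 'highest set bit' column above).
Added example, not the gist's code; the sample serials are copied from the gist preview."""

# The seven complete serials from the listing above (the eighth is cut off on the page).
SERIALS_FROM_GIST = [
    "5B:FC:72:86:43:23:99:6B",
    "04:9E:3C:E1:F1:4B:C1:A1",
    "3E:1D:03:8A:F2:73:F3:E9",
    "9A:45:0C:14:16:BB:B4",   # 7 bytes: DER drops leading zero octets, so the top byte of the 64-bit value was 00
    "79:76:12:FE:31:58:53:99",
    "42:2A:F0:A8:25:EC:14:34",
    "2F:90:D6:AA:A7:2B:D1:9D",
]


def parse_serial(colon_hex):
    """Serial as crt.sh prints it (AA:BB:...) to an int. A leading 00 pad byte, present when the
    DER INTEGER's first magnitude byte has bit 7 set, does not change the value."""
    return int(colon_hex.replace(":", ""), 16)


def highest_set_bit(colon_hex):
    """1-indexed position of the highest set bit, i.e. int.bit_length(); 5B:FC:... gives 63."""
    return parse_serial(colon_hex).bit_length()


def serial_entropy_report(serials, width=64):
    """For serials that should each carry `width` bits of CSPRNG output, report the bit lengths,
    the largest one seen, and, if bit `width` is never set, the probability of that happening by
    chance with uniform `width`-bit values: each has a 1/2 chance of setting it, so 2**-count."""
    lengths = [highest_set_bit(s) for s in serials]
    top_bit_set = sum(1 for length in lengths if length >= width)
    return {
        "count": len(lengths),
        "bit_lengths": lengths,
        "max_bit_length": max(lengths),
        "top_bit_set_count": top_bit_set,
        "p_by_chance_if_uniform": 2.0 ** -len(lengths) if top_bit_set == 0 else None,
    }


if __name__ == "__main__":
    print(serial_entropy_report(SERIALS_FROM_GIST))
```

Seven samples only give 2^-7, so on their own they are suggestive rather than conclusive; the check gains power with every additional serial. A large sample whose maximum bit length sits at width-1 is the signature of a generator that produces `width` random bits and then clears the top one (for example to keep the DER INTEGER at `width`/8 bytes), which leaves width-1 bits of entropy, one short of the 64-bit minimum when width is 64.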