
Joost van Dijk joostd

  • Utrecht, the Netherlands
@joostd
joostd / recoverRSA.py
Created April 22, 2024 08:52
Recover an RSA private key file from the modulus, public exponent and private exponent
# recover RSA private key file using public key (n,e) and private exponent d
# python recover.py | openssl asn1parse -genconf - -out key.der
from math import gcd
# example Private-Key (512 bit, 2 primes)
modulus=0x00bacb716af4a701ea525c1fc45c7798598a966432a44a347d53054c691bd5a7c60fe717b5f55de46ea8afd1525a4b08b098b7eb0f51d58daf690ae85fcb9254b9
publicExponent=0x10001
privateExponent=0x217051f9679a8e09387d2d62a57af356f42c3ffba0d577d80788a74919a681c5f02b3e8422e79737fd9aff15046a91509788023aad60c39492ceddb301f0bcd1
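The gist preview stops after the key material. The step it relies on, turning (n, e, d) back into the primes p and q and the CRT values that an RSAPrivateKey structure needs, is shown below as an added example; it is not the gist's code. It factors n with the standard trick that e*d - 1 is a multiple of lambda(n), then prints the same kind of `openssl asn1parse -genconf` config the gist's comment pipes into openssl. The demo key is constructed from two well-known Mersenne primes (not the 512-bit key above), and the helper names are mine.

```python
# Added example (not the gist's code): factor n from (e, d), derive CRT parameters,
# emit an openssl asn1parse -genconf config for a PKCS#1 RSAPrivateKey.
from math import gcd


def recover_primes(n, e, d):
    """Return (p, q) with p < q, given the modulus n, public exponent e and private exponent d.

    k = e*d - 1 is a multiple of lambda(n), so g**k == 1 (mod n) for every g coprime to n.
    Write k = 2**t * r with r odd and square g**r repeatedly: the first square that equals 1
    was reached from a non-trivial square root of 1 mod n, and gcd(root - 1, n) is a factor.
    A random g succeeds with probability at least 1/2, so a few small bases suffice.
    """
    k = e * d - 1
    if k <= 0 or k % 2:
        raise ValueError("e*d - 1 must be even and positive: (e, d) is not an RSA pair")
    t, r = 0, k
    while r % 2 == 0:
        r //= 2
        t += 1
    for g in range(2, 200):
        if gcd(g, n) != 1:  # practically impossible for a real key, but then g itself is a factor
            p = gcd(g, n)
            return tuple(sorted((p, n // p)))
        y = pow(g, r, n)
        if y in (1, n - 1):  # trivial square root: this base tells us nothing
            continue
        for _ in range(t):
            x = pow(y, 2, n)
            if x == 1:  # y is a non-trivial square root of 1 mod n
                p = gcd(y - 1, n)
                return tuple(sorted((p, n // p)))
            if x == n - 1:  # next square is a trivial 1; try another base
                break
            y = x
    raise ValueError("could not factor n: (e, d) is not a valid pair for this modulus")


def crt_params(p, q, d):
    """exponent1, exponent2 and coefficient as PKCS#1 defines them (Python 3.8+ for pow(x, -1, m))."""
    return d % (p - 1), d % (q - 1), pow(q, -1, p)


def asn1_genconf(n, e, d, p, q):
    """Config for `openssl asn1parse -genconf - -out key.der`; INTEGER values may be given as 0x hex."""
    dp, dq, qinv = crt_params(p, q, d)
    fields = [("version", 0), ("modulus", n), ("publicExponent", e), ("privateExponent", d),
              ("prime1", p), ("prime2", q), ("exponent1", dp), ("exponent2", dq), ("coefficient", qinv)]
    lines = ["asn1=SEQUENCE:rsa_key", "", "[rsa_key]"]
    lines += [f"{name}=INTEGER:{hex(value)}" for name, value in fields]
    return "\n".join(lines) + "\n"


def demo_key():
    """Constructed demo key (two Mersenne primes), not the gist's 512-bit key and not real key material."""
    p, q = 2**31 - 1, 2**61 - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


if __name__ == "__main__":
    n, e, d = demo_key()
    p, q = recover_primes(n, e, d)
    print(asn1_genconf(n, e, d, p, q), end="")
```

The resulting DER can be checked with `openssl rsa -inform DER -in key.der -check`, which verifies that the primes, exponents and coefficient are mutually consistent; if `recover_primes` raises, the (e, d) pair does not belong to that modulus.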
joostd / Makefile
Created February 9, 2024 12:58
Use the FIDO hmac-secret extension to generate a secret
# DEMO for hmac-secret - generate a static secret based on a FIDO credential and a salt
# Uses libfido2 tools: https://github.com/Yubico/libfido2
HID="$(shell fido2-token -L | head -1 | cut -d: -f1-2)"
all: secret
cred.in:
	# challenge:
	cat /dev/urandom | head -c32 | base64 > cred.in
joostd / build-libsk-libfido2.sh
Last active February 11, 2024 13:35
Build libsk-libfido2 for use with Apple's build of OpenSSH on macOS
# See https://gist.github.com/thelastlin/c45b96cf460919e39ab5807b6d20ac2a
set -e
# get source
if [[ ! -d openssh-portable ]] ; then
git clone https://github.com/openssh/openssh-portable.git
fi
cd openssh-portable
joostd / ssh-sk-attest.py
Last active April 23, 2024 07:34
Verify an OpenSSH key attestation to cryptographically prove that a given key is hardware-backed.
#!/usr/bin/env python
# verify attestation information to cryptographically prove that a given key is hardware-backed.
# For instance:
#
# ./ssh-sk-attest.py --key id.pub --attestation attestation.bin --challenge challenge.bin --mds mds.jwt
# To generate an SSH pubkey, a challenge, and an attestation:
# openssl rand 128 > challenge.bin
# ssh-keygen -t ${KEYTYPE} -f ./id -N "" -O challenge=challenge.bin -O write-attestation=attestation.bin
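What `-O write-attestation=` actually writes is an OpenSSH "ssh-sk-attest-v01" blob: SSH wire strings holding the attestation certificate, the enrollment signature and the WebAuthn authenticator data, followed by a reserved uint32 and a reserved string (layout as in OpenSSH's PROTOCOL.u2f). The added example below, which is not the gist's script, parses that blob and runs the checks that need no certificate chain or MDS: the rpIdHash must be sha256 of the rp id ssh-keygen uses ("ssh:" unless `-O application=` was given) and the authenticator data must carry attested credential data. Signature and MDS verification are left to the gist's script. The sample blob is constructed, with placeholder certificate, signature and COSE key bytes; helper names are mine.

```python
# Added example (not the gist's code): parse and sanity-check an ssh-keygen attestation blob.
import hashlib
import struct

SK_ATTEST_MAGIC = b"ssh-sk-attest-v01"
DEFAULT_RP_ID = b"ssh:"  # ssh-keygen default rp id; -O application=... changes it
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # WebAuthn authenticator data flag bits


def ssh_string(b):
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_sk_attestation(blob):
    """Split the blob into its fields; rejects wrong magic, truncation and trailing bytes."""
    magic, off = read_string(blob, 0)
    if magic != SK_ATTEST_MAGIC:
        raise ValueError(f"not an ssh-sk-attest-v01 blob: {magic!r}")
    cert, off = read_string(blob, off)
    sig, off = read_string(blob, off)
    authdata, off = read_string(blob, off)
    if off + 4 > len(blob):
        raise ValueError("truncated reserved flags")
    (flags,) = struct.unpack(">I", blob[off:off + 4])
    reserved, off = read_string(blob, off + 4)
    if off != len(blob):
        raise ValueError("trailing bytes after attestation")
    return {"cert": cert, "sig": sig, "authdata": authdata, "flags": flags, "reserved": reserved}


def parse_authdata(ad):
    """Authenticator data: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key]."""
    if len(ad) < 37:
        raise ValueError("authenticator data too short")
    flags = ad[32]
    out = {"rp_id_hash": ad[:32], "up": bool(flags & FLAG_UP), "uv": bool(flags & FLAG_UV),
           "at": bool(flags & FLAG_AT), "sign_count": struct.unpack(">I", ad[33:37])[0]}
    if out["at"]:
        if len(ad) < 55:
            raise ValueError("attested credential data truncated")
        (cred_len,) = struct.unpack(">H", ad[53:55])
        if len(ad) < 55 + cred_len:
            raise ValueError("credential id truncated")
        out["aaguid"] = ad[37:53]
        out["credential_id"] = ad[55:55 + cred_len]
        out["cose_key"] = ad[55 + cred_len:]  # CBOR COSE_Key; decode and compare with id.pub in a full verifier
    return out


def check_attestation(blob, rp_id=DEFAULT_RP_ID):
    """Return (parsed authenticator data, list of problems) for the structural checks."""
    att = parse_sk_attestation(blob)
    ad = parse_authdata(att["authdata"])
    problems = []
    if ad["rp_id_hash"] != hashlib.sha256(rp_id).digest():
        problems.append("rpIdHash does not match rp id")
    if not ad["at"]:
        problems.append("no attested credential data in authenticator data")
    elif not ad["cose_key"]:
        problems.append("empty COSE key")
    return ad, problems


def build_sample_blob(rp_id=DEFAULT_RP_ID, sign_count=7):
    """Constructed sample, not real token output: correct layout, placeholder cert, signature and COSE key."""
    aaguid = bytes(range(16))
    cred_id = b"\xaa" * 20
    cose_key = b"\xa5"  # placeholder byte; a real key is a CBOR map
    authdata = (hashlib.sha256(rp_id).digest() + bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", sign_count)
                + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
    return (ssh_string(SK_ATTEST_MAGIC) + ssh_string(b"<attestation cert DER>")
            + ssh_string(b"<enrollment signature>") + ssh_string(authdata)
            + struct.pack(">I", 0) + ssh_string(b""))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    ad, problems = check_attestation(data)
    print("aaguid:", ad.get("aaguid", b"").hex(), "problems:", problems or "none")
```

The AAGUID is the value to look up in the MDS blob (the `--mds` argument of the gist's script); a blob whose rpIdHash does not match "ssh:" was not enrolled for an OpenSSH key with the default application and should be treated as belonging to some other relying party.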
joostd / validate_otp.py
Last active February 1, 2024 11:17
Validate a YubiOTP value
#!/usr/bin/env python
# validate Yubico OTP
# To get your API key:
# https://upgrade.yubico.com/getapikey/
from sys import exit, stderr
from argparse import ArgumentParser
from requests import get
joostd / attestation.b64
Created January 17, 2024 14:36
Attestation data for my demo github signing key
joostd / yubikey-sign-jwt.sh
Created December 19, 2023 11:26
Sign a JWT using a key generated on a YubiKey
#!/bin/bash
# step 1 - generate a new key pair on a YubiKey
yubico-piv-tool -a generate -s 9c -A ECCP256 -o pub.pem
# step 2 - generate data to be signed
jo iss=issuer aud=audience > payload.json
jo alg=ES256 typ=JWT > header.json
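The preview ends before the signing step. The part of that step that is easy to get wrong is the signature encoding: OpenSSL, and yubico-piv-tool's sign action for EC keys, produce a DER ECDSA-Sig-Value (a SEQUENCE of two INTEGERs), whereas JWS ES256 requires the fixed 64-byte `r || s` form before base64url encoding; a JWT built from the DER bytes will fail verification everywhere. The added example below, not the gist's script, builds the signing input from the header and payload of the gist and converts a DER signature to the JOSE form, handling the sign-padding byte and short integers. Signing itself still happens on the YubiKey; the DER signature in the test is constructed, and helper names are mine.

```python
# Added example (not the gist's code): JWS signing input and DER -> r||s conversion for ES256.
import base64
import json


def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jws_signing_input(header, payload):
    """'<b64url(header)>.<b64url(payload)>' with compact JSON; this string is what gets signed."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}"


def der_to_jose(der, size=32):
    """Convert DER ECDSA-Sig-Value {r INTEGER, s INTEGER} to fixed-width r||s (size=32 for P-256)."""
    def read_tlv(buf, off, tag):
        if off + 2 > len(buf):
            raise ValueError("truncated DER")
        if buf[off] != tag:
            raise ValueError(f"expected tag 0x{tag:02x} at offset {off}")
        length = buf[off + 1]
        off += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            nbytes = length & 0x7f
            if nbytes == 0 or off + nbytes > len(buf):
                raise ValueError("bad DER length")
            length = int.from_bytes(buf[off:off + nbytes], "big")
            off += nbytes
        if off + length > len(buf):
            raise ValueError("truncated DER value")
        return buf[off:off + length], off + length

    body, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after signature")
    r, off = read_tlv(body, 0, 0x02)
    s, off = read_tlv(body, off, 0x02)
    if off != len(body):
        raise ValueError("unexpected data inside ECDSA-Sig-Value")
    out = []
    for value in (r, s):
        value = value.lstrip(b"\x00")  # DER adds a 0x00 when the top bit is set
        if len(value) > size:
            raise ValueError("integer too large for the curve size")
        out.append(value.rjust(size, b"\x00"))  # left-pad short integers
    return b"".join(out)


def assemble_jwt(signing_input, der_signature):
    """Final compact JWT: signing input plus base64url of the converted signature."""
    return f"{signing_input}.{b64url(der_to_jose(der_signature))}"


if __name__ == "__main__":
    # Write the signing input to a file, sign it on the token, then pass the DER output to assemble_jwt.
    print(jws_signing_input({"alg": "ES256", "typ": "JWT"}, {"iss": "issuer", "aud": "audience"}))
```

The signing input must be the exact bytes of the header.payload string; re-serialising the JSON with different key order or whitespace after signing changes the encoded header and invalidates the signature.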
joostd / ctap1.py
Last active December 16, 2023 15:01
Adam Langley's ctap1.py translated to python3
# Run with a single argument: a /dev/hidrawX path.
# If you don't have udev setup to allow access to U2F tokens, you may need to
# chown the device to your user before running this script.
# If you don't know which hidraw to use, try removing and reinserting your
# token. Then the device with the most recent ctime is the one you want.
#
# Once running, press the token's button twice. The first press will trigger a
# registration, the second an authentication.
#
# Python3 version of https://www.imperialviolet.org/binary/ctap1.py
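The registration triggered by the first button press returns a U2F raw message: a 0x05 byte, the 65-byte uncompressed P-256 user public key, a one-byte key handle length, the key handle, the attestation certificate and the attestation signature. The certificate carries no length field of its own, so a parser has to read the DER SEQUENCE header to find where the signature starts; that is the step U2F clients most often get wrong. The added example below, not the gist's or Adam Langley's code, parses such a response and returns the bytes the signature covers (0x00 || application parameter || challenge parameter || key handle || user public key). The sample response is constructed with placeholder certificate and signature bodies; helper names are mine.

```python
# Added example (not the gist's code): parse a U2F registration response.
import hashlib


def der_tlv_len(buf, off=0):
    """Total length (header plus body) of the DER element starting at buf[off]."""
    if len(buf) < off + 2:
        raise ValueError("short DER element")
    first = buf[off + 1]
    if first < 0x80:  # short form
        return 2 + first
    nbytes = first & 0x7f  # long form: nbytes more bytes give the body length
    if nbytes == 0 or nbytes > 4 or len(buf) < off + 2 + nbytes:
        raise ValueError("bad DER length")
    return 2 + nbytes + int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")


def parse_u2f_register(resp, app_param, challenge_param):
    """Split a registration response and compute the data the attestation signature covers."""
    if len(resp) < 1 + 65 + 1 or resp[0] != 0x05:
        raise ValueError("not a U2F register response")
    pubkey = resp[1:66]
    if pubkey[0] != 0x04:
        raise ValueError("user public key is not an uncompressed P-256 point")
    kh_len = resp[66]
    off = 67
    key_handle = resp[off:off + kh_len]
    if len(key_handle) != kh_len:
        raise ValueError("truncated key handle")
    off += kh_len
    if off >= len(resp) or resp[off] != 0x30:
        raise ValueError("attestation certificate is not a DER SEQUENCE")
    cert_len = der_tlv_len(resp, off)  # the certificate's own DER header tells us its size
    cert = resp[off:off + cert_len]
    if len(cert) != cert_len:
        raise ValueError("truncated attestation certificate")
    signature = resp[off + cert_len:]  # everything after the certificate is the DER ECDSA signature
    if not signature:
        raise ValueError("missing attestation signature")
    signed_data = b"\x00" + app_param + challenge_param + key_handle + pubkey
    return {"public_key": pubkey, "key_handle": key_handle, "cert": cert,
            "signature": signature, "signed_data": signed_data}


def build_sample_response(key_handle=b"\x42" * 64, cert_body=b"\x01" * 300):
    """Constructed response, not real token output: placeholder cert body with a two-byte long-form DER length."""
    pubkey = b"\x04" + b"\x11" * 32 + b"\x22" * 32
    cert = b"\x30\x82" + len(cert_body).to_bytes(2, "big") + cert_body
    signature = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # placeholder ECDSA-Sig-Value
    return b"\x05" + pubkey + bytes([len(key_handle)]) + key_handle + cert + signature


if __name__ == "__main__":
    app = hashlib.sha256(b"https://example.com").digest()  # application parameter: sha256 of the app id
    chal = hashlib.sha256(b"constructed client data").digest()  # challenge parameter: sha256 of client data
    parsed = parse_u2f_register(build_sample_response(), app, chal)
    print("key handle:", parsed["key_handle"].hex(), "cert bytes:", len(parsed["cert"]))
```

To finish verification, the certificate's public key checks `signature` over `signed_data`; the application parameter is the sha256 of the app id the client asked for, so a response registered for a different origin fails here rather than only later at authentication time.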
joostd / check_yubikey_attestation.py
Created December 1, 2023 11:17
Show attributes for a YubiKey PIV attestation certificate
#!/usr/bin/env python3
# Show attributes for a YubiKey PIV attestation certificate
#
# Use ykman to generate a PIV attestation certificate for a slot (for instance 9a):
# ykman piv keys attest 9a attestation.pem
#
# To show the attributes in the generated attestation certificate:
# ykman script ./check_yubikey_attestation.py attestation.pem
joostd / check_yubihsm_attestation.py
Last active October 2, 2023 14:28
Python 3.10+ script that shows attributes from a YubiHSM2 attestation certificate
#!/usr/bin/env python3
# NOTE:
# requires cryptography (pip install cryptography)
from cryptography import x509
from cryptography.hazmat.backends import default_backend
import sys
# NOTE: uses PEP 634: Structural Pattern Matching