joostd

#!/bin/bash

# use a key and certificate stored on a smartcard to access a website that requires TLS client authentication from the command line on macos
# 
# uses curl compiled agains openssl with engine support
# a pkcs11 engine is used together with a generic pkcs11 module for smartcards to interface with the smartcard

# INSTALL

echo installing required software...

joostd

import sys
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import padding

def verify_signature(parent, child):
    parent.public_key().verify(
        child.signature,
        child.tbs_certificate_bytes,
        padding.PKCS1v15(),

joostd

<!DOCTYPE html>
<html>
<head>
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
<style>
.button {
  color: white;
  background-color: teal;
  padding: 15px 15px;
  margin: 4px 2px;

joostd

Signing EFI images with keys generated on a YubiHSM 2 device.

Using an Ubuntu VM with the YubiHSM connector running on the SSH client, tunneled over SSH:

$ ssh -i key.pem ubuntu@jammy -R 12345:localhost:12345
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-1031-aws x86_64)
...

joostd

# install dependencies:
# brew install step jq

.PHONY: all
all: aaguid.tsv
	cat aaguid.tsv | sort -k2

md.jwt:
	curl -Ls https://mds3.fidoalliance.org/ --output md.jwt

joostd

<script>

let abortController;

function start() {
    abortController = new AbortController();
    // setTimeout(() => abortController.abort(), 5000); // automatically abort after 5 seconds
    abortController.signal.addEventListener( 'abort', () => {
        if(abortController.signal.aborted) console.log("event: signal aborted");
    });

joostd

# LargeBlog demo: storing an SSH certificate on a FIDO security key

HID="$(shell fido2-token -L | head -1 | cut -d: -f1-2)"
# uses the first key listed
# note: this is probably specific to an M1 mac

# check if largeBlobs are supported on your key
# Use for instance a YubiKey with 5.5+ firmware
check:
	fido2-token -I ${HID} | grep largeBlobs

joostd

cbor = Dissector.get("cbor")
iso7816 = Dissector.get("iso7816")
ctap_proto = Proto("ctaphid","ctap hid")
-- Field Extractor
direction_fe = Field.new("usb.endpoint_address.direction")
udp_srcport_fe = Field.new("udp.srcport")

CTAPHID_COMMAND_CODE = {
    [0x03]='CTAPHID_MSG',
    [0x10]='CTAPHID_CBOR',

joostd

{
  "issuer": "https://connect.test.surfconext.nl",
  "authorization_endpoint": "https://connect.test.surfconext.nl/oidc/authorize?response_mode=query&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%7D%7D",
  "token_endpoint": "https://connect.test.surfconext.nl/oidc/token",
  "userinfo_endpoint": "https://connect.test.surfconext.nl/oidc/userinfo",
  "introspect_endpoint": "https://connect.test.surfconext.nl/oidc/introspect",
  "jwks_uri": "https://connect.test.surfconext.nl/oidc/certs",
  "response_types_supported": [
    "code",
    "token",

joostd

EMAIL=you@example.edu
CN=www.example.edu

ssl-types.json:
	curl -s https://cert-manager.com/api/ssl/v1/types -H @headers > ssl-types.json

key.pem:
	openssl genrsa -out key.pem 2048

csr.pem: key.pem