Using an Ubuntu VM with the YubiHSM connector running on the SSH client, tunneled over SSH (the remote forward below makes the connector reachable from the VM on localhost:12345):
$ ssh -i key.pem ubuntu@jammy -R 12345:localhost:12345
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-1031-aws x86_64)
...
#!/bin/bash | |
# use a key and certificate stored on a smartcard to access a website that requires TLS client authentication from the command line on macos | |
# | |
# uses curl compiled against openssl with engine support | |
# a pkcs11 engine is used together with a generic pkcs11 module for smartcards to interface with the smartcard | |
# INSTALL | |
echo installing required software... |
import sys | |
from cryptography import x509 | |
from cryptography.hazmat.backends import default_backend | |
from cryptography.hazmat.primitives.asymmetric import padding | |
def verify_signature(parent, child): | |
parent.public_key().verify( | |
child.signature, | |
child.tbs_certificate_bytes, | |
padding.PKCS1v15(), |
<!DOCTYPE html> | |
<html> | |
<head> | |
<meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
<style> | |
.button { | |
color: white; | |
background-color: teal; | |
padding: 15px 15px; | |
margin: 4px 2px; |
# install dependencies: | |
# brew install step jq | |
.PHONY: all | |
all: aaguid.tsv | |
cat aaguid.tsv | sort -k2 | |
md.jwt: | |
curl -Ls https://mds3.fidoalliance.org/ --output md.jwt |
<script> | |
let abortController; | |
function start() { | |
abortController = new AbortController(); | |
// setTimeout(() => abortController.abort(), 5000); // automatically abort after 5 seconds | |
abortController.signal.addEventListener( 'abort', () => { | |
if(abortController.signal.aborted) console.log("event: signal aborted"); | |
}); |
# LargeBlob demo: storing an SSH certificate on a FIDO security key | |
HID="$(shell fido2-token -L | head -1 | cut -d: -f1-2)" | |
# uses the first key listed | |
# note: this is probably specific to an M1 mac | |
# check if largeBlobs are supported on your key | |
# Use for instance a YubiKey with 5.5+ firmware | |
check: | |
fido2-token -I ${HID} | grep largeBlobs |
cbor = Dissector.get("cbor") | |
iso7816 = Dissector.get("iso7816") | |
ctap_proto = Proto("ctaphid","ctap hid") | |
-- Field Extractor | |
direction_fe = Field.new("usb.endpoint_address.direction") | |
udp_srcport_fe = Field.new("udp.srcport") | |
CTAPHID_COMMAND_CODE = { | |
[0x03]='CTAPHID_MSG', | |
[0x10]='CTAPHID_CBOR', |
{ | |
"issuer": "https://connect.test.surfconext.nl", | |
"authorization_endpoint": "https://connect.test.surfconext.nl/oidc/authorize?response_mode=query&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%7D%7D", | |
"token_endpoint": "https://connect.test.surfconext.nl/oidc/token", | |
"userinfo_endpoint": "https://connect.test.surfconext.nl/oidc/userinfo", | |
"introspect_endpoint": "https://connect.test.surfconext.nl/oidc/introspect", | |
"jwks_uri": "https://connect.test.surfconext.nl/oidc/certs", | |
"response_types_supported": [ | |
"code", | |
"token", |
EMAIL=you@example.edu | |
CN=www.example.edu | |
ssl-types.json: | |
curl -s https://cert-manager.com/api/ssl/v1/types -H @headers > ssl-types.json | |
key.pem: | |
openssl genrsa -out key.pem 2048 | |
csr.pem: key.pem |