Julien Vehent jvehent

select count(distinct(sha256_fingerprint)), issuer
from certificates inner join trust on (certificates.id=trust.cert_id)
where trusted_mozilla='true'
and is_ca='false'
and not_valid_after > NOW()
and issuer_id in (
   select certificates.id from certificates inner join trust on (certificates.id=trust.cert_id)
   where issuer_id in (
      select id from certificates
@jvehent
jvehent / age demo.md
Created January 6, 2020 15:53
age-encryption.org demo

Download & install

$ wget https://github.com/FiloSottile/age/releases/download/v1.0.0-beta2/age-v1.0.0-beta2-linux-amd64.tar.gz
$ tar -xzvf age-v1.0.0-beta2-linux-amd64.tar.gz
$ sudo cp age/* /usr/local/bin/

Generate a keypair

$ age-keygen -o ~/.age/(date +%s)-(hostname).key

Risk Management

  • The service must have performed a Rapid Risk Assessment and have a Risk Record bug
  • The service must be registered via a New Service issue

Infrastructure

  • Access and application logs must be archived for a minimum of 90 days
  • Use Modern or Intermediate TLS
@jvehent
jvehent / gist:1629798
Created January 17, 2012 23:40
check-rbl.sh
#!/usr/bin/env bash
DEBUG="$1"
SRV="smtp.example.net smtp2.example.net smtp.example.com"
# RBL list from http://www.anti-abuse.org/multi-rbl-check/
RBL="bl.spamcop.net cbl.abuseat.org b.barracudacentral.org dnsbl.invaluement.com ddnsbl.internetdefensesystems.com dnsbl.sorbs.net http.dnsbl.sorbs.net dul.dnsbl.sorbs.net misc.dnsbl.sorbs.net smtp.dnsbl.sorbs.net socks.dnsbl.sorbs.net spam.dnsbl.sorbs.net web.dnsbl.sorbs.net zombie.dnsbl.sorbs.net dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net dnsbl-3.uceprotect.net pbl.spamhaus.org sbl.spamhaus.org xbl.spamhaus.org zen.spamhaus.org bl.spamcannibal.org psbl.surriel.com ubl.unsubscore.com dnsbl.njabl.org combined.njabl.org rbl.spamlab.com dnsbl.ahbl.org ircbl.ahbl.org dyna.spamrats.com noptr.spamrats.com spam.spamrats.com cbl.anti-spam.org.cn cdl.anti-spam.org.cn dnsbl.inps.de drone.abuse.ch httpbl.abuse.ch dul.ru korea.services.net short.rbl.jp virus.rbl.jp spamrbl.imp.ch wormrbl.imp.ch virbl.bit.nl rbl.suresupport.com dsn.rfc-ignorant.org ips.backscatterer.org sp
$(subst go.mozilla.org/autograph/signer/autograph,
go.mozilla.org/autograph,
$(subst go.mozilla.org/autograph/signer/monitor,
go.mozilla.org/autograph/tools/autograph-monitor,
$(subst go.mozilla.org/autograph/signer/signer,
go.mozilla.org/autograph/signer,
$(subst go.mozilla.org/autograph/signer/formats,
go.mozilla.org/autograph/formats,
$(subst go.mozilla.org/autograph/signer/database,
go.mozilla.org/autograph/database,
vendor:
govend -u --prune
#go get -u github.com/golang/dep/...
#dep ensure -update
rm -rf vendor/go.mozilla.org/autograph/ # don't vendor ourselves
git add vendor/
@jvehent
jvehent / makecsr.go
Created February 1, 2019 16:29
Small Go program that makes a CSR using a private key in cloudhsm
// This code requires a configuration file to initialize the crypto11
// library. Use the following config in a file named "crypto11.config"
// {
// "Path" : "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so",
// "TokenLabel": "cavium",
// "Pin" : "$CRYPTO_USER:$PASSWORD"
// }
package main
import (

SoftHSM

$ go run testdupkeys.go
2019/01/14 09:07:36 starting routine 2
2019/01/14 09:07:36 starting routine 0
2019/01/14 09:07:36 starting routine 1
2019/01/14 09:08:00 routine 0 made ECDSA Key named "testdup1547474856": &{PKCS11PrivateKey:{PKCS11Object:{Handle:8 Slot:1623786617} PubKey:0xc000106600}} &{P:+39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319 N:+39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643 B:+27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575 Gx:+26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087 Gy:+8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871 BitSize:384 Name:P-384}
2019/01/14 09:08:00 routine 2 made ECDSA Key named "testdup1547474856": &{PKCS11PrivateK
2019/01/11 16:19:00 routine 2 make ECDSA Key named "testdup1547241500": &{PKCS11PrivateKey:{PKCS11Object:{Handle:8 Slot:1623786617} PubKey:0xc00011c600}}
&{P:+39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319
N:+39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643
B:+27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575
Gx:+26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087
Gy:+8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871
BitSize:384 Name:P-384}
2019/01/11 16:19:00 routine 0 make ECDSA Key named "testdup1547241500": &{PKCS11PrivateKey:{PKCS11Object:{Handle:9 Slot:1623786617} PubKey:0xc00011c7a0}}
package main
import (
"bytes"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"