Julien Vehent jvehent

profiles:
#
# this section manages developer accounts
#
- alias: cloudservices-developer
people in: ((mozilla-ldap group cloudservices-developer) or (mozilla-ldap group svcops)) and (mozilla-slack channel engops)
manage into:
- environment: cloudservices-aws-dev
give them:
- account

Risk Management

  • The service must have performed a Rapid Risk Assessment and have a Risk Record bug
  • The service must be registered via a New Service issue

Infrastructure

  • Access and application logs must be archived for a minimum of 90 days
  • Use Modern or Intermediate TLS
/**
* @license
array-unique <https://github.com/jonschlinkert/array-unique>
Copyright (c) 2014-2015, Jon Schlinkert.
Licensed under the MIT License.
Bowser - a browser detector
https://github.com/ded/bowser
MIT License | (c) Dustin Diaz 2015
*/
[
{
"ref": "1jzsalnz7cq2e3ijx308f66iyd",
"type": "pgp",
"mode": "",
"signer_id": "randompgp",
"public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n[...]
$ go run client.go -k randompgp -d Y2FyaWJvdW1hdXJpY2UK -o /tmp/pgpsig.asc
2018/09/11 08:45:20 signing data "Y2FyaWJvdW1hdXJpY2UK"
2018/09/11 08:45:20 signature 0 from signer "randompgp" passes
2018/09/11 08:45:20 response written to /tmp/pgpsig.asc
ulfr@gator4[12:45UTC]:autograph-client[pgpX]$ cat /tmp/pgpsig.asc
-----BEGIN PGP SIGNATURE-----
wsBcBAABCAAQBQJbl7jgCRDdCl2ZqqsfGgAAJ9sIAGznXKeOCnxPZoTSveUXfDqu
bGSxe743dnON3bq9KLvNjX6th8s5Ub4fXkie8LgPy8MGPY7+PUW52Eo65O7+5iWn
$ LD_LIBRARY_PATH=lib/ ./signmar -T /tmp/partial1-signed.mar
Signature block found with 1 signature
1 additional block found:
- Product Information Block:
- MAR channel name: firefox-mozilla-central
- Product version: 58.0a1
SIZE MODE NAME
164 0644 application.ini.patch
960 0644 libnssdbm3.chk

export pubkey from certificate

openssl x509 -inform DER -in dep2.der -pubkey -noout > nss_pub.pem

sign with hsm

openssl dgst -engine cloudhsm -sha256 -sign dep2_private_hsm.pem -out test.sig test.plain

verify with public key without hsm
