Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Less obvious fake TLS certificate generation #1928

Merged
merged 1 commit into from
Mar 27, 2019
Merged

Less obvious fake TLS certificate generation #1928

merged 1 commit into from
Mar 27, 2019

Conversation

ValdikSS
Copy link

@ValdikSS ValdikSS commented Mar 19, 2019
edited
Loading

This patch adds the following:

  • Pre-defined CA certificate subjects
  • Pre-defined popular website domain names
  • Fake certificate generation for pre-defined popular website domain signed by fake CA with pre-defined subject

It should look less suspicious than "example.com" certificates.
NOTE: tested only on Linux, with OpenSSL 1.1.1b.

Example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:ad:55:4c:62:17:ec:40:4c:3a:f5:6b:d3:aa:3c:8d:2c:66:cb:1e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
        Validity
            Not Before: Mar 19 15:20:14 2019 GMT
            Not After : Mar 18 15:20:14 2021 GMT
        Subject: CN = bing.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b8:83:71:6a:d0:51:20:3c:68:9e:df:92:82:12:
                    2f:0c:72:bc:b9:d3:35:27:5d:d8:12:e3:4f:41:d6:
                    eb:74:56:ab:1b:5f:89:c1:95:fc:9f:2c:4e:1f:f8:
                    8e:4d:2d:0c:7a:6d:22:79:d0:d1:93:cf:1a:75:12:
                    40:df:c3:83:d4:0c:c7:67:4a:5e:86:9e:2c:b7:b7:
                    8a:d7:06:98:4e:69:4d:56:50:05:a3:af:ea:7d:b9:
                    12:d8:c3:70:c0:de:6b:cb:98:bc:9f:e7:09:89:5c:
                    31:4b:bf:14:81:4d:10:e6:f4:ab:ca:8d:f3:81:71:
                    2d:75:97:6d:b3:57:7c:dd:bb:0a:e7:5b:df:6a:c8:
                    9e:df:4e:c8:4b:9f:56:37:a2:30:e3:5e:80:76:88:
                    9c:2f:db:4b:84:ca:b2:c0:cd:4e:ff:9a:81:90:a0:
                    9f:8b:6f:39:d7:2a:93:65:dc:a5:e7:42:9a:3e:b8:
                    73:a1:f1:6b:31:ea:d6:b9:26:b8:66:d4:dd:b4:4e:
                    e5:6c:1f:99:24:28:05:d9:f6:8d:47:d9:0d:b8:f9:
                    a6:c2:6a:e4:10:94:eb:ca:e7:e0:7d:7c:c3:66:30:
                    e8:82:64:3b:23:0f:4c:9e:cb:84:ff:9a:94:b8:15:
                    34:ae:06:f5:72:77:d6:40:07:7f:3a:09:c7:4b:ec:
                    3e:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                68:57:03:F0:26:78:CA:F4:76:88:2F:30:B1:62:44:54:F5:62:86:A6
            X509v3 Authority Key Identifier: 
                keyid:DA:B6:2F:E7:8D:C7:AF:C3:26:F3:87:9C:35:46:DA:0F:E7:62:A9:81

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:bing.com, DNS:www.bing.com
    Signature Algorithm: sha256WithRSAEncryption

@ValdikSS ValdikSS mentioned this pull request Mar 19, 2019
Closed
3 tasks
@HelloZeroNet
Copy link
Owner

HelloZeroNet commented Mar 26, 2019
edited
Loading

It would be a nice addition, but unfortunately on windows / openssl 1.0.2 the generated cert still issued to the subject in the config file and not the one got defined in the -subj parameter. Try to find a way to fix it...

> dist\openssl\openssl.exe req -new -newkey rsa:2048 -days 3650 -nodes -x509 -config "src/lib/openssl/openssl.cnf" -subj "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3" -keyout "data-test/cakey-rsa.pem" -out "data-test/cacert-rsa.pem" -batch
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Generating a RSA private key
.......+++++
...............................+++++
unable to write 'random state'
writing new private key to 'data-test/cakey-rsa.pem'
-----

> dist\openssl\openssl.exe x509 -in data-test\cacert-rsa.pem -text -noout
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            af:d4:38:e7:6b:0a:f8:a9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Example, LLC, CN=Example Company/emailAddress=test@example.com
        Validity
            Not Before: Mar 26 02:30:27 2019 GMT
            Not After : Mar 23 02:30:27 2029 GMT
        Subject: C=US, ST=NY, L=New York, O=Example, LLC, CN=Example Company/emailAddress=test@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
...

@ValdikSS
Less obvious fake TLS certificate generation
f66cfc9 
This patch adds the following:
 * Pre-defined CA certificate subjects
 * Pre-defined popular website domain names
 * Fake certificate generation for pre-defined popular website domain signed by fake CA with pre-defined subject

It should look less suspicious than "example.com" certificates
@ValdikSS
Copy link
Author

@HelloZeroNet fixed it. The problem was in prompt = no.

@HelloZeroNet HelloZeroNet merged commit 91b2f6a into HelloZeroNet:master Mar 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ValdikSS @HelloZeroNet