Skip to content

Less obvious fake TLS certificate generation#1928

Merged
HelloZeroNet merged 1 commit intoHelloZeroNet:masterfrom
ValdikSS:crypt-obf
Mar 27, 2019
Merged

Less obvious fake TLS certificate generation#1928
HelloZeroNet merged 1 commit intoHelloZeroNet:masterfrom
ValdikSS:crypt-obf

Conversation

@ValdikSS
Copy link

@ValdikSS ValdikSS commented Mar 19, 2019
edited
Loading

This patch adds the following:

  • Pre-defined CA certificate subjects
  • Pre-defined popular website domain names
  • Fake certificate generation for pre-defined popular website domain signed by fake CA with pre-defined subject

It should look less suspicious than "example.com" certificates.
NOTE: tested only on Linux, with OpenSSL 1.1.1b.

Example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:ad:55:4c:62:17:ec:40:4c:3a:f5:6b:d3:aa:3c:8d:2c:66:cb:1e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
        Validity
            Not Before: Mar 19 15:20:14 2019 GMT
            Not After : Mar 18 15:20:14 2021 GMT
        Subject: CN = bing.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b8:83:71:6a:d0:51:20:3c:68:9e:df:92:82:12:
                    2f:0c:72:bc:b9:d3:35:27:5d:d8:12:e3:4f:41:d6:
                    eb:74:56:ab:1b:5f:89:c1:95:fc:9f:2c:4e:1f:f8:
                    8e:4d:2d:0c:7a:6d:22:79:d0:d1:93:cf:1a:75:12:
                    40:df:c3:83:d4:0c:c7:67:4a:5e:86:9e:2c:b7:b7:
                    8a:d7:06:98:4e:69:4d:56:50:05:a3:af:ea:7d:b9:
                    12:d8:c3:70:c0:de:6b:cb:98:bc:9f:e7:09:89:5c:
                    31:4b:bf:14:81:4d:10:e6:f4:ab:ca:8d:f3:81:71:
                    2d:75:97:6d:b3:57:7c:dd:bb:0a:e7:5b:df:6a:c8:
                    9e:df:4e:c8:4b:9f:56:37:a2:30:e3:5e:80:76:88:
                    9c:2f:db:4b:84:ca:b2:c0:cd:4e:ff:9a:81:90:a0:
                    9f:8b:6f:39:d7:2a:93:65:dc:a5:e7:42:9a:3e:b8:
                    73:a1:f1:6b:31:ea:d6:b9:26:b8:66:d4:dd:b4:4e:
                    e5:6c:1f:99:24:28:05:d9:f6:8d:47:d9:0d:b8:f9:
                    a6:c2:6a:e4:10:94:eb:ca:e7:e0:7d:7c:c3:66:30:
                    e8:82:64:3b:23:0f:4c:9e:cb:84:ff:9a:94:b8:15:
                    34:ae:06:f5:72:77:d6:40:07:7f:3a:09:c7:4b:ec:
                    3e:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                68:57:03:F0:26:78:CA:F4:76:88:2F:30:B1:62:44:54:F5:62:86:A6
            X509v3 Authority Key Identifier: 
                keyid:DA:B6:2F:E7:8D:C7:AF:C3:26:F3:87:9C:35:46:DA:0F:E7:62:A9:81

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:bing.com, DNS:www.bing.com
    Signature Algorithm: sha256WithRSAEncryption

@ValdikSS ValdikSS mentioned this pull request Mar 19, 2019
Closed
3 tasks
@HelloZeroNet
Copy link
Owner

HelloZeroNet commented Mar 26, 2019
edited
Loading

It would be a nice addition, but unfortunately on windows / openssl 1.0.2 the generated cert still issued to the subject in the config file and not the one got defined in the -subj parameter. Try to find a way to fix it...

> dist\openssl\openssl.exe req -new -newkey rsa:2048 -days 3650 -nodes -x509 -config "src/lib/openssl/openssl.cnf" -subj "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3" -keyout "data-test/cakey-rsa.pem" -out "data-test/cacert-rsa.pem" -batch
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Generating a RSA private key
.......+++++
...............................+++++
unable to write 'random state'
writing new private key to 'data-test/cakey-rsa.pem'
-----

> dist\openssl\openssl.exe x509 -in data-test\cacert-rsa.pem -text -noout
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            af:d4:38:e7:6b:0a:f8:a9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Example, LLC, CN=Example Company/emailAddress=test@example.com
        Validity
            Not Before: Mar 26 02:30:27 2019 GMT
            Not After : Mar 23 02:30:27 2029 GMT
        Subject: C=US, ST=NY, L=New York, O=Example, LLC, CN=Example Company/emailAddress=test@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
...

@ValdikSS
Less obvious fake TLS certificate generation
f66cfc9 
This patch adds the following:
 * Pre-defined CA certificate subjects
 * Pre-defined popular website domain names
 * Fake certificate generation for pre-defined popular website domain signed by fake CA with pre-defined subject

It should look less suspicious than "example.com" certificates
@ValdikSS
Copy link
Author

ValdikSS commented Mar 26, 2019

@HelloZeroNet fixed it. The problem was in prompt = no.

@HelloZeroNet HelloZeroNet merged commit 91b2f6a into HelloZeroNet:master Mar 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ValdikSS @HelloZeroNet