Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Less obvious fake TLS certificate generation #1928

Merged
merged 1 commit into from Mar 27, 2019

Conversation

@ValdikSS
Copy link

commented Mar 19, 2019

This patch adds the following:

  • Pre-defined CA certificate subjects
  • Pre-defined popular website domain names
  • Fake certificate generation for pre-defined popular website domain signed by fake CA with pre-defined subject

It should look less suspicious than "example.com" certificates.
NOTE: tested only on Linux, with OpenSSL 1.1.1b.

Example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:ad:55:4c:62:17:ec:40:4c:3a:f5:6b:d3:aa:3c:8d:2c:66:cb:1e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
        Validity
            Not Before: Mar 19 15:20:14 2019 GMT
            Not After : Mar 18 15:20:14 2021 GMT
        Subject: CN = bing.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b8:83:71:6a:d0:51:20:3c:68:9e:df:92:82:12:
                    2f:0c:72:bc:b9:d3:35:27:5d:d8:12:e3:4f:41:d6:
                    eb:74:56:ab:1b:5f:89:c1:95:fc:9f:2c:4e:1f:f8:
                    8e:4d:2d:0c:7a:6d:22:79:d0:d1:93:cf:1a:75:12:
                    40:df:c3:83:d4:0c:c7:67:4a:5e:86:9e:2c:b7:b7:
                    8a:d7:06:98:4e:69:4d:56:50:05:a3:af:ea:7d:b9:
                    12:d8:c3:70:c0:de:6b:cb:98:bc:9f:e7:09:89:5c:
                    31:4b:bf:14:81:4d:10:e6:f4:ab:ca:8d:f3:81:71:
                    2d:75:97:6d:b3:57:7c:dd:bb:0a:e7:5b:df:6a:c8:
                    9e:df:4e:c8:4b:9f:56:37:a2:30:e3:5e:80:76:88:
                    9c:2f:db:4b:84:ca:b2:c0:cd:4e:ff:9a:81:90:a0:
                    9f:8b:6f:39:d7:2a:93:65:dc:a5:e7:42:9a:3e:b8:
                    73:a1:f1:6b:31:ea:d6:b9:26:b8:66:d4:dd:b4:4e:
                    e5:6c:1f:99:24:28:05:d9:f6:8d:47:d9:0d:b8:f9:
                    a6:c2:6a:e4:10:94:eb:ca:e7:e0:7d:7c:c3:66:30:
                    e8:82:64:3b:23:0f:4c:9e:cb:84:ff:9a:94:b8:15:
                    34:ae:06:f5:72:77:d6:40:07:7f:3a:09:c7:4b:ec:
                    3e:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                68:57:03:F0:26:78:CA:F4:76:88:2F:30:B1:62:44:54:F5:62:86:A6
            X509v3 Authority Key Identifier: 
                keyid:DA:B6:2F:E7:8D:C7:AF:C3:26:F3:87:9C:35:46:DA:0F:E7:62:A9:81

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:bing.com, DNS:www.bing.com
    Signature Algorithm: sha256WithRSAEncryption
@ValdikSS ValdikSS referenced this pull request Mar 19, 2019
0 of 3 tasks complete

@ValdikSS ValdikSS force-pushed the ValdikSS:crypt-obf branch from fa28627 to 8114233 Mar 19, 2019

@HelloZeroNet

This comment has been minimized.

Copy link
Owner

commented Mar 26, 2019

It would be a nice addition, but unfortunately on windows / openssl 1.0.2 the generated cert still issued to the subject in the config file and not the one got defined in the -subj parameter. Try to find a way to fix it...

> dist\openssl\openssl.exe req -new -newkey rsa:2048 -days 3650 -nodes -x509 -config "src/lib/openssl/openssl.cnf" -subj "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3" -keyout "data-test/cakey-rsa.pem" -out "data-test/cacert-rsa.pem" -batch
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Generating a RSA private key
.......+++++
...............................+++++
unable to write 'random state'
writing new private key to 'data-test/cakey-rsa.pem'
-----

> dist\openssl\openssl.exe x509 -in data-test\cacert-rsa.pem -text -noout
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            af:d4:38:e7:6b:0a:f8:a9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Example, LLC, CN=Example Company/emailAddress=test@example.com
        Validity
            Not Before: Mar 26 02:30:27 2019 GMT
            Not After : Mar 23 02:30:27 2029 GMT
        Subject: C=US, ST=NY, L=New York, O=Example, LLC, CN=Example Company/emailAddress=test@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
...
Less obvious fake TLS certificate generation
This patch adds the following:
 * Pre-defined CA certificate subjects
 * Pre-defined popular website domain names
 * Fake certificate generation for pre-defined popular website domain signed by fake CA with pre-defined subject

It should look less suspicious than "example.com" certificates

@ValdikSS ValdikSS force-pushed the ValdikSS:crypt-obf branch from 8114233 to f66cfc9 Mar 26, 2019

@ValdikSS

This comment has been minimized.

Copy link
Author

commented Mar 26, 2019

@HelloZeroNet fixed it. The problem was in prompt = no.

@HelloZeroNet HelloZeroNet merged commit 91b2f6a into HelloZeroNet:master Mar 27, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.