Created
April 14, 2016 14:58
-
-
Save lnattrass/a8981bea7f874e7856af78c14999ae24 to your computer and use it in GitHub Desktop.
Create a CA that fails integrity check
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import OpenSSL | |
| key = OpenSSL.crypto.PKey() | |
| key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048) | |
| ca = OpenSSL.crypto.X509() | |
| ca.set_version(3) | |
| ca.set_serial_number(1) | |
| ca.get_subject().CN = "ca.example.com" | |
| ca.gmtime_adj_notBefore(0) | |
| ca.gmtime_adj_notAfter(24 * 60 * 60) | |
| ca.set_issuer(ca.get_subject()) | |
| ca.set_pubkey(key) | |
| ca.sign(key, "sha1") | |
| ca.add_extensions([ | |
| OpenSSL.crypto.X509Extension(b"basicConstraints", True, | |
| b"CA:TRUE, pathlen:0"), | |
| OpenSSL.crypto.X509Extension(b"keyUsage", True, | |
| b"keyCertSign, cRLSign"), | |
| OpenSSL.crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", | |
| subject=ca), | |
| ]) | |
| out = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca) | |
| print(out.decode('ASCII')) | |
| ''' | |
| -----BEGIN CERTIFICATE----- | |
| MIIC8jCCAdqgAwIBAwIBATANBgkqhkiG9w0BAQUFADAZMRcwFQYDVQQDDA5jYS5l | |
| eGFtcGxlLmNvbTAeFw0xNjA0MTQxNDU3MTBaFw0xNjA0MTUxNDU3MTBaMBkxFzAV | |
| BgNVBAMMDmNhLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB | |
| CgKCAQEAvGauGccuAtmkRbJ+g8yD/so6FrkvtHP8JCuoBio255aeJx3HTkKIDoID | |
| TzQ8n5DzrOIQJeafLrZqp5iLpAv0YSTsLrmgcMwXk9I7K08MaIXFdNjJ5eBZdC4b | |
| HFWV5ASTMBXhd+z2YchHtiaX3xZGIu2YlQROGaFIoml+yD2MtMO3C5nEmfb4XQ+g | |
| zAHKUgEe3GaTulVwNX/uvlcaXZzYMgEB4S7jzO+uMZN+uggZUE0Abvyu5PLYYA+a | |
| WdPdqj2UBA2u9HGXSSU58jjTwFRbXiSr08cHJa2PGghgvqWjl7RA82/VN8KqmnOc | |
| 9doi2oNgFa4KjK9KRBahPvT6wxfYHwIDAQABo0UwQzASBgNVHRMBAf8ECDAGAQH/ | |
| AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUXfzbUvQ+S4RlsNNPEY9EPqvU | |
| wOAwDQYJKoZIhvcNAQEFBQADggEBABc2BKnw9+cZDV352EMAl0F3kUqApJ7k9zhq | |
| OcRs7fxxFYZcVfrsYgbo+YO2nt6DpIIQ9zWra+V1YtLuCFHpNf3vsGEVbpsUpwwk | |
| fqdfrWktz2fTbZmMWYNt2F9e3NfH0ZV1NnUsEkBk5T96ELK+vtqXfa8GjVSVqUiZ | |
| mpaAm+JjkISWuw53dVmqBXozWk09Hv/eqrmnDP0N/dzbD39maiZarszuVHjob1Yj | |
| wW4tjt9QokiaMap+mYoEhlzCgZFs8se+RsLxsyyPnUYiFvlmcTnWKl8thGL5Tw3N | |
| baRMas8iwC2o+57jmEn8+OvYr1O2Hqc4LQhY6r+o0uZwXjqySxQ= | |
| -----END CERTIFICATE----- | |
| ''' |
Moving the signing to occur after the extensions resolves this.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I haven't yet found a command to verify the integrity on the certificate here, but the above shows on windows as:
The integrity of this certificate cannot be guaranteedand
This certificate has an invalid digital signature.