commit 2547e348b87646b2f5350285090ec5cfa33e4e93 Author: nervuri Date: Sat Aug 28 10:27:55 2021 +0000 init
diff --git a/CA.sh b/CA.sh
new file mode 100755
index 0000000..4d69d4d
--- /dev/null
+++ b/CA.sh
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+# Generate CA + wildcard cert for any hostname
+
+CA_name='local CA'
+
+helptext='Usage:
+./CA.sh Generate a CA and sign a wildacrd cert for with it.'
+
+set -o errexit # (-e) exit immediately if any command has a non-zero exit status
+set -o nounset # (-u) don't accept undefined variables
+#set -o xtrace # for debugging
+
+# Check input.
+if [ "$#" -lt 1 ] || [ "$#" -gt 1 ]; then
+ >&2 echo "$helptext"
+ exit 1
+fi
+
+host="$1"
+
+# Check if host is an IP address.
+ip=0
+# If `ipcalc-ng` is available, use it.
+if command -v ipcalc-ng >/dev/null; then
+ if ipcalc-ng -sc "$host"; then
+ ip=1
+ fi
+# Else if `ip` is available, use it.
+# Note: a simple number also passes this check,
+# but it's good enough for our purposes.
+elif command -v ip >/dev/null; then
+ if ip route get "$host" >/dev/null 2>&1; then
+ ip=1
+ fi
+fi
+
+# If host is an IDN, convert it to punycode.
+# Use the `idn` command, if available.
+if command -v idn >/dev/null; then
+ host=$(echo "$host" | idn)
+fi
+
+# Create CA directory, if it does not exist.
+mkdir -p CA
+cd CA
+
+# Generate CA.
+if [ ! -f "ca.key" ] && [ ! -f "ca.crt" ]; then
+ openssl genrsa -out ca.key 2048
+ openssl req -new -x509 -key ca.key -out ca.crt -subj "/CN=$CA_name" -days 30
+ openssl x509 -in ca.crt -noout -text
+
+ # Copy the CA cert under a new name, allowing it to be accepted in the
+ # Android trust store (/system/etc/security/cacerts/).
+ mkdir -p android
+ filename=$(openssl x509 -inform PEM -subject_hash_old -in ca.crt | head -1)
+ cp ca.crt "android/$filename.0"
+fi
+
+# Generate wildcard cert.
+if [ ! -f "$host.key" ] && [ ! -f "$host.crt" ]; then
+
+ # Set the Subject Alternative Name based on whether
+ # the host is an IP address or not.
+ if [ $ip -eq 1 ]; then
+ SAN1="IP:$host"
+ SAN2="IP = $host"
+ else
+ SAN1="DNS:*.$host, DNS:$host"
+ SAN2="DNS.1 = *.$host
+DNS.2 = $host"
+ fi
+
+ openssl genrsa -out "$host.key" 2048
+ openssl req -new -key "$host.key" -out "$host.csr" -subj "/CN=$host" \
+ -addext "subjectAltName = $SAN1"
+ #openssl req -in "$host.csr" -noout -text
+
+ # Prepare X.509 extensions file.
+ echo "basicConstraints=CA:FALSE
+subjectAltName=@my_subject_alt_names
+subjectKeyIdentifier = hash
+
+[ my_subject_alt_names ]
+$SAN2" > ext.conf
+
+ # Sign the cert.
+ openssl x509 -req -in "$host.csr" -out "$host.crt" -days 30 \
+ -CA ca.crt -CAkey ca.key -extfile ext.conf -CAcreateserial
+ openssl x509 -in "$host.crt" -noout -text
+ rm "$host.csr"
+
+ # Remove X.509 extensions file.
+ rm ext.conf
+fi
+
+# Create bundle (probably not be required).
+#cat "$host.crt" ca.crt > "$host.bundle.crt"
+
+# Show generated files.
+if command -v tree >/dev/null; then
+ cd ..
+ echo '=== Generated files ==='
+ tree CA
+fi
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..670154e
--- /dev/null
+++ b/LICENSE.txt
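Review bot: ca.key is written unencrypted into CA/ and reused by every later run, but nothing in the script restricts its permissions — no umask is set, and whether `openssl genrsa -out` creates the file owner-only depends on the OpenSSL version in use. Anyone who can read that key can mint certificates trusted by every device where android/$filename.0 was installed, for the full 30-day lifetime of the CA; adding `umask 077` right after `set -o nounset` makes CA/, ca.key and every host key owner-only regardless of the environment, and a comment on the genrsa line should say the key is stored in the clear so it is kept off shared machines. The `[ ! -f "ca.key" ] && [ ! -f "ca.crt" ]` guard also skips generation when exactly one of the two files exists (a half-finished earlier run), so the signing step later fails with a less obvious openssl error; failing fast with a message when only one is present would be clearer. Since $host ends up both in `-subj "/CN=$host"` and in the output filenames, rejecting a value containing `/` before use (e.g. `case "$host" in */*) >&2 echo "invalid hostname"; exit 1;; esac`) avoids both subject-field injection and writing keys outside CA/.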
@@ -0,0 +1,116 @@ +CC0 1.0 Universal + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator and +subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for the +purpose of contributing to a commons of creative, cultural and scientific +works ("Commons") that the public can reliably and without fear of later +claims of infringement build upon, modify, incorporate in other works, reuse +and redistribute as freely as possible in any form whatsoever and for any +purposes, including without limitation commercial purposes. These owners may +contribute to the Commons to promote the ideal of a free culture and the +further production of creative, cultural and scientific works, or to gain +reputation or greater distribution for their Work in part through the use and +efforts of others. + +For these and/or other purposes and motivations, and without any expectation +of additional consideration or compensation, the person associating CC0 with a +Work (the "Affirmer"), to the extent that he or she is an owner of Copyright +and Related Rights in the Work, voluntarily elects to apply CC0 to the Work +and publicly distribute the Work under its terms, with knowledge of his or her +Copyright and Related Rights in the Work and the meaning and intended legal +effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not limited +to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, communicate, + and translate a Work; + + ii. moral rights retained by the original author(s) and/or performer(s); + + iii. 
publicity and privacy rights pertaining to a person's image or likeness + depicted in a Work; + + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + + v. rights protecting the extraction, dissemination, use and reuse of data in + a Work; + + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation thereof, + including any amended or successor version of such directive); and + + vii. other similar, equivalent or corresponding rights throughout the world + based on applicable law or treaty, and any national implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention of, +applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and +unconditionally waives, abandons, and surrenders all of Affirmer's Copyright +and Related Rights and associated claims and causes of action, whether now +known or unknown (including existing as well as future claims and causes of +action), in the Work (i) in all territories worldwide, (ii) for the maximum +duration provided by applicable law or treaty (including future time +extensions), (iii) in any current or future medium and for any number of +copies, and (iv) for any purpose whatsoever, including without limitation +commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes +the Waiver for the benefit of each member of the public at large and to the +detriment of Affirmer's heirs and successors, fully intending that such Waiver +shall not be subject to revocation, rescission, cancellation, termination, or +any other legal or equitable action to disrupt the quiet enjoyment of the Work +by the public as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. 
Should any part of the Waiver for any reason be +judged legally invalid or ineffective under applicable law, then the Waiver +shall be preserved to the maximum extent permitted taking into account +Affirmer's express Statement of Purpose. In addition, to the extent the Waiver +is so judged Affirmer hereby grants to each affected person a royalty-free, +non transferable, non sublicensable, non exclusive, irrevocable and +unconditional license to exercise Affirmer's Copyright and Related Rights in +the Work (i) in all territories worldwide, (ii) for the maximum duration +provided by applicable law or treaty (including future time extensions), (iii) +in any current or future medium and for any number of copies, and (iv) for any +purpose whatsoever, including without limitation commercial, advertising or +promotional purposes (the "License"). The License shall be deemed effective as +of the date CC0 was applied by Affirmer to the Work. Should any part of the +License for any reason be judged legally invalid or ineffective under +applicable law, such partial invalidity or ineffectiveness shall not +invalidate the remainder of the License, and in such case Affirmer hereby +affirms that he or she will not (i) exercise any of his or her remaining +Copyright and Related Rights in the Work or (ii) assert any associated claims +and causes of action with respect to the Work, in either case contrary to +Affirmer's express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + + b. 
Affirmer offers the Work as-is and makes no representations or warranties + of any kind concerning the Work, express, implied, statutory or otherwise, + including without limitation warranties of title, merchantability, fitness + for a particular purpose, non infringement, or the absence of latent or + other defects, accuracy, or the present or absence of errors, whether or not + discoverable, all to the greatest extent permissible under applicable law. + + c. Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without limitation + any person's Copyright and Related Rights in the Work. Further, Affirmer + disclaims responsibility for obtaining any necessary consents, permissions + or other rights required for any use of the Work. + + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to this + CC0 or use of the Work. + +For more information, please see + diff --git a/README.md b/README.md new file mode 100644 index 0000000..af8df97 --- /dev/null +++ b/README.md 
@@ -0,0 +1,57 @@
+# CA.sh
+
+## Generate CA + wildcard cert for any hostname
+
+`CA.sh` takes a domain name as input and outputs a directory named "CA", containing:
+
+- a certificate authority (private key + cert + serial number file + a copy of the cert appropriately named for inclusion in the Android trust store);
+- a CA-signed cert for the provided hostname;
+ - if the hostname is a domain, then a wildcard cert is generated, matching `domain.tld` and `*.domain.tld`;
+ - the hostname can also be an IP address.
+
+Both the CA and the cert are valid for 30 days.
+
+## Usage
+
+```
+./CA.sh example.org
+```
+
+## Optional dependencies
+
+- `ipcalc-ng`, for detecting if the supplied hostname is an IP address.
+- `idn`, for converting [IDNs](https://en.wikipedia.org/wiki/Internationalized_domain_name) to punycode.
+
+## Adding the CA to the Android trust store
+
+The reason I wrote this script was to intercept an Android app's TLS-encrypted traffic. In order to do this, the CA cert must be added to the Android trust store. Here's how:
+
+In Android versions prior to 4, see http://wiki.cacert.org/FAQ/ImportRootCertAndroidPreICS
+
+In Android versions 4, 5 and 6, you can simply copy the file to your phone and add it from the Android UI.
+
+In Android 7+, in order for the CA to be trusted by all apps, you need to have a rooted phone. Allow USB debugging, grant root access for ADB, connect the phone to a computer and run the following commands:
+
+```
+# restart ADB as root
+adb root
+# remount the /system partition as read+write
+adb remount
+# copy the CA file to the root store
+adb push CA/android/*.0 /system/etc/security/cacerts/
+```
+
+Then you can spoof a domain's IP address by adding it to the Android system's hosts file:
+
+```
+adb shell 'echo "192.168.0.2 example.org" >> /system/etc/hosts'
+```
+
+To allow TLS interception on a non-rooted phone, you need to slightly modify the app you are snooping on, as described in:
+
+- https://medium.com/androgoat/intercept-https-traffic-from-android-app-androgoat-part-2-60f7777b237d
+- https://stackoverflow.com/a/22040887
+
+If the app uses certificate pinning, you may need a program like [Apktool](https://ibotpeaches.github.io/Apktool/), [Frida](https://frida.re/docs/android/) or [baksmali](https://github.com/JesusFreke/smali).
+
+Thanks to Soarez for his [OpenSSL CA guide](https://gist.github.com/Soarez/9688998)!