init
This commit is contained in:
commit
2547e348b8
@ -0,0 +1,106 @@
#!/bin/sh
# Generate CA + wildcard cert for any hostname
CA_name='local CA'
helptext='Usage:
./CA.sh <host> Generate a CA and sign a wildacrd cert for <host> with it.'
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
# Check input.
if [ "$#" -lt 1 ] || [ "$#" -gt 1 ]; then
>&2 echo "$helptext"
exit 1
fi
host="$1"
# Check if host is an IP address.
ip=0
# If `ipcalc-ng` is available, use it.
if command -v ipcalc-ng >/dev/null; then
if ipcalc-ng -sc "$host"; then
ip=1
fi
# Else if `ip` is available, use it.
# Note: a simple number also passes this check,
# but it's good enough for our purposes.
elif command -v ip >/dev/null; then
if ip route get "$host" >/dev/null 2>&1; then
ip=1
fi
fi
# If host is an IDN, convert it to punycode.
# Use the `idn` command, if available.
if command -v idn >/dev/null; then
host=$(echo "$host" | idn)
fi
# Create CA directory, if it does not exist.
mkdir -p CA
cd CA
# Generate CA.
if [ ! -f "ca.key" ] && [ ! -f "ca.crt" ]; then
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -subj "/CN=$CA_name" -days 30
openssl x509 -in ca.crt -noout -text
# Copy the CA cert under a new name, allowing it to be accepted in the
# Android trust store (/system/etc/security/cacerts/).
mkdir -p android
filename=$(openssl x509 -inform PEM -subject_hash_old -in ca.crt | head -1)
cp ca.crt "android/$filename.0"
fi
# Generate wildcard cert.
if [ ! -f "$host.key" ] && [ ! -f "$host.crt" ]; then
# Set the Subject Alternative Name based on whether
# the host is an IP address or not.
if [ $ip -eq 1 ]; then
SAN1="IP:$host"
SAN2="IP = $host"
else
SAN1="DNS:*.$host, DNS:$host"
SAN2="DNS.1 = *.$host
DNS.2 = $host"
fi
openssl genrsa -out "$host.key" 2048
openssl req -new -key "$host.key" -out "$host.csr" -subj "/CN=$host" \
-addext "subjectAltName = $SAN1"
#openssl req -in "$host.csr" -noout -text
# Prepare X.509 extensions file.
echo "basicConstraints=CA:FALSE
subjectAltName=@my_subject_alt_names
subjectKeyIdentifier = hash
[ my_subject_alt_names ]
$SAN2" > ext.conf
# Sign the cert.
openssl x509 -req -in "$host.csr" -out "$host.crt" -days 30 \
-CA ca.crt -CAkey ca.key -extfile ext.conf -CAcreateserial
openssl x509 -in "$host.crt" -noout -text
rm "$host.csr"
# Remove X.509 extensions file.
rm ext.conf
fi
# Create bundle (probably not be required).
#cat "$host.crt" ca.crt > "$host.bundle.crt"
# Show generated files.
if command -v tree >/dev/null; then
cd ..
echo '=== Generated files ==='
tree CA
fi
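Review bot: the existence guards `if [ ! -f "ca.key" ] && [ ! -f "ca.crt" ]` and `if [ ! -f "$host.key" ] && [ ! -f "$host.crt" ]` skip generation whenever either file of the pair already exists, so a CA directory holding ca.key but no ca.crt (or the reverse) is left untouched and the later `openssl x509 -req ... -CA ca.crt -CAkey ca.key -extfile ext.conf -CAcreateserial` aborts under errexit with a half-populated directory; use `||` so that a missing half regenerates both, or exit early with a message naming the stale file. Two smaller points in the same hunk: `openssl genrsa -out ca.key 2048` and `openssl genrsa -out "$host.key" 2048` write the private keys with the caller's default umask, and ca.key is the trust anchor the README installs into a device's system store, so a `umask 077` next to `set -o nounset` is worth adding; and because errexit stops the script on a failed signing step, the `rm ext.conf` at the end of the block never runs in that case, which a `trap 'rm -f ext.conf' EXIT` would cover. The ext.conf written here also omits `authorityKeyIdentifier = keyid,issuer` and `extendedKeyUsage = serverAuth`, and the CA cert produced by `openssl req -new -x509` gets its CA:TRUE basicConstraints from whatever the host's openssl.cnf or OpenSSL version supplies by default rather than from this script; setting both explicitly (for example with `-addext`) keeps the output independent of the host configuration. Finally, `wildacrd` in the helptext is a typo for `wildcard`.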
@ -0,0 +1,116 @@
CC0 1.0 Universal
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator and
subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for the
purpose of contributing to a commons of creative, cultural and scientific
works ("Commons") that the public can reliably and without fear of later
claims of infringement build upon, modify, incorporate in other works, reuse
and redistribute as freely as possible in any form whatsoever and for any
purposes, including without limitation commercial purposes. These owners may
contribute to the Commons to promote the ideal of a free culture and the
further production of creative, cultural and scientific works, or to gain
reputation or greater distribution for their Work in part through the use and
efforts of others.
For these and/or other purposes and motivations, and without any expectation
of additional consideration or compensation, the person associating CC0 with a
Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
and publicly distribute the Work under its terms, with knowledge of his or her
Copyright and Related Rights in the Work and the meaning and intended legal
effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not limited
to, the following:
i. the right to reproduce, adapt, distribute, perform, display, communicate,
and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or likeness
depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data in
a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation thereof,
including any amended or successor version of such directive); and
vii. other similar, equivalent or corresponding rights throughout the world
based on applicable law or treaty, and any national implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention of,
applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
and Related Rights and associated claims and causes of action, whether now
known or unknown (including existing as well as future claims and causes of
action), in the Work (i) in all territories worldwide, (ii) for the maximum
duration provided by applicable law or treaty (including future time
extensions), (iii) in any current or future medium and for any number of
copies, and (iv) for any purpose whatsoever, including without limitation
commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
the Waiver for the benefit of each member of the public at large and to the
detriment of Affirmer's heirs and successors, fully intending that such Waiver
shall not be subject to revocation, rescission, cancellation, termination, or
any other legal or equitable action to disrupt the quiet enjoyment of the Work
by the public as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason be
judged legally invalid or ineffective under applicable law, then the Waiver
shall be preserved to the maximum extent permitted taking into account
Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
is so judged Affirmer hereby grants to each affected person a royalty-free,
non transferable, non sublicensable, non exclusive, irrevocable and
unconditional license to exercise Affirmer's Copyright and Related Rights in
the Work (i) in all territories worldwide, (ii) for the maximum duration
provided by applicable law or treaty (including future time extensions), (iii)
in any current or future medium and for any number of copies, and (iv) for any
purpose whatsoever, including without limitation commercial, advertising or
promotional purposes (the "License"). The License shall be deemed effective as
of the date CC0 was applied by Affirmer to the Work. Should any part of the
License for any reason be judged legally invalid or ineffective under
applicable law, such partial invalidity or ineffectiveness shall not
invalidate the remainder of the License, and in such case Affirmer hereby
affirms that he or she will not (i) exercise any of his or her remaining
Copyright and Related Rights in the Work or (ii) assert any associated claims
and causes of action with respect to the Work, in either case contrary to
Affirmer's express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or warranties
of any kind concerning the Work, express, implied, statutory or otherwise,
including without limitation warranties of title, merchantability, fitness
for a particular purpose, non infringement, or the absence of latent or
other defects, accuracy, or the present or absence of errors, whether or not
discoverable, all to the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without limitation
any person's Copyright and Related Rights in the Work. Further, Affirmer
disclaims responsibility for obtaining any necessary consents, permissions
or other rights required for any use of the Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to this
CC0 or use of the Work.
For more information, please see
<http://creativecommons.org/publicdomain/zero/1.0/>
@ -0,0 +1,57 @@
# CA.sh
## Generate CA + wildcard cert for any hostname
`CA.sh` takes a domain name as input and outputs a directory named "CA", containing:
- a certificate authority (private key + cert + serial number file + a copy of the cert appropriately named for inclusion in the Android trust store);
- a CA-signed cert for the provided hostname;
- if the hostname is a domain, then a wildcard cert is generated, matching `domain.tld` and `*.domain.tld`;
- the hostname can also be an IP address.
Both the CA and the cert are valid for 30 days.
## Usage
```
./CA.sh example.org
```
## Optional dependencies
- `ipcalc-ng`, for detecting if the supplied hostname is an IP address.
- `idn`, for converting [IDNs](https://en.wikipedia.org/wiki/Internationalized_domain_name) to punycode.
## Adding the CA to the Android trust store
The reason I wrote this script was to intercept an Android app's TLS-encrypted traffic. In order to do this, the CA cert must be added to the Android trust store. Here's how:
In Android versions prior to 4, see http://wiki.cacert.org/FAQ/ImportRootCertAndroidPreICS
In Android versions 4, 5 and 6, you can simply copy the file to your phone and add it from the Android UI.
In Android 7+, in order for the CA to be trusted by all apps, you need to have a rooted phone. Allow USB debugging, grant root access for ADB, connect the phone to a computer and run the following commands:
```
# restart ADB as root
adb root
# remount the /system partition as read+write
adb remount
# copy the CA file to the root store
adb push CA/android/*.0 /system/etc/security/cacerts/
```
Then you can spoof a domain's IP address by adding it to the Android system's hosts file:
```
adb shell 'echo "192.168.0.2 example.org" >> /system/etc/hosts'
```
To allow TLS interception on a non-rooted phone, you need to slightly modify the app you are snooping on, as described in:
- https://medium.com/androgoat/intercept-https-traffic-from-android-app-androgoat-part-2-60f7777b237d
- https://stackoverflow.com/a/22040887
If the app uses certificate pinning, you may need a program like [Apktool](https://ibotpeaches.github.io/Apktool/), [Frida](https://frida.re/docs/android/) or [baksmali](https://github.com/JesusFreke/smali).
Thanks to Soarez for his [OpenSSL CA guide](https://gist.github.com/Soarez/9688998)!
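Review bot: the "Optional dependencies" list is incomplete against the script it documents: CA.sh falls back to `ip route get` when `ipcalc-ng` is absent and uses `tree` to list the output, neither of which is mentioned, and it creates `CA/` relative to the current working directory with the hard-coded subject `CN=local CA`, both of which belong in the Usage section. The "Adding the CA to the Android trust store" section should also carry a caveat it currently lacks: after `adb push CA/android/*.0 /system/etc/security/cacerts/` every app on the device trusts any certificate signed with `CA/ca.key`, so that key must be kept private and the pushed `.0` file removed from cacerts once the interception work is finished; the 30-day validity noted above limits that exposure but does not remove it. Minor: the pre-Android-4 link uses plain http.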