This commit is contained in:
nervuri 2021-08-28 10:27:55 +00:00
commit 2547e348b8
3 changed files with 279 additions and 0 deletions

106
CA.sh Executable file
View File

@ -0,0 +1,106 @@
#!/bin/sh
# Generate CA + wildcard cert for any hostname
CA_name='local CA'
helptext='Usage:
./CA.sh <host> Generate a CA and sign a wildacrd cert for <host> with it.'
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
# Check input.
if [ "$#" -lt 1 ] || [ "$#" -gt 1 ]; then
>&2 echo "$helptext"
exit 1
fi
host="$1"
# Check if host is an IP address.
ip=0
# If `ipcalc-ng` is available, use it.
if command -v ipcalc-ng >/dev/null; then
if ipcalc-ng -sc "$host"; then
ip=1
fi
# Else if `ip` is available, use it.
# Note: a simple number also passes this check,
# but it's good enough for our purposes.
elif command -v ip >/dev/null; then
if ip route get "$host" >/dev/null 2>&1; then
ip=1
fi
fi
# If host is an IDN, convert it to punycode.
# Use the `idn` command, if available.
if command -v idn >/dev/null; then
host=$(echo "$host" | idn)
fi
# Create CA directory, if it does not exist.
mkdir -p CA
cd CA
# Generate CA.
if [ ! -f "ca.key" ] && [ ! -f "ca.crt" ]; then
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -subj "/CN=$CA_name" -days 30
openssl x509 -in ca.crt -noout -text
# Copy the CA cert under a new name, allowing it to be accepted in the
# Android trust store (/system/etc/security/cacerts/).
mkdir -p android
filename=$(openssl x509 -inform PEM -subject_hash_old -in ca.crt | head -1)
cp ca.crt "android/$filename.0"
fi
# Generate wildcard cert.
if [ ! -f "$host.key" ] && [ ! -f "$host.crt" ]; then
# Set the Subject Alternative Name based on whether
# the host is an IP address or not.
if [ $ip -eq 1 ]; then
SAN1="IP:$host"
SAN2="IP = $host"
else
SAN1="DNS:*.$host, DNS:$host"
SAN2="DNS.1 = *.$host
DNS.2 = $host"
fi
openssl genrsa -out "$host.key" 2048
openssl req -new -key "$host.key" -out "$host.csr" -subj "/CN=$host" \
-addext "subjectAltName = $SAN1"
#openssl req -in "$host.csr" -noout -text
# Prepare X.509 extensions file.
echo "basicConstraints=CA:FALSE
subjectAltName=@my_subject_alt_names
subjectKeyIdentifier = hash
[ my_subject_alt_names ]
$SAN2" > ext.conf
# Sign the cert.
openssl x509 -req -in "$host.csr" -out "$host.crt" -days 30 \
-CA ca.crt -CAkey ca.key -extfile ext.conf -CAcreateserial
openssl x509 -in "$host.crt" -noout -text
rm "$host.csr"
# Remove X.509 extensions file.
rm ext.conf
fi
# Create bundle (probably not be required).
#cat "$host.crt" ca.crt > "$host.bundle.crt"
# Show generated files.
if command -v tree >/dev/null; then
cd ..
echo '=== Generated files ==='
tree CA
fi

116
LICENSE.txt Normal file
View File

@ -0,0 +1,116 @@
CC0 1.0 Universal
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator and
subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for the
purpose of contributing to a commons of creative, cultural and scientific
works ("Commons") that the public can reliably and without fear of later
claims of infringement build upon, modify, incorporate in other works, reuse
and redistribute as freely as possible in any form whatsoever and for any
purposes, including without limitation commercial purposes. These owners may
contribute to the Commons to promote the ideal of a free culture and the
further production of creative, cultural and scientific works, or to gain
reputation or greater distribution for their Work in part through the use and
efforts of others.
For these and/or other purposes and motivations, and without any expectation
of additional consideration or compensation, the person associating CC0 with a
Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
and publicly distribute the Work under its terms, with knowledge of his or her
Copyright and Related Rights in the Work and the meaning and intended legal
effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not limited
to, the following:
i. the right to reproduce, adapt, distribute, perform, display, communicate,
and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or likeness
depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data in
a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation thereof,
including any amended or successor version of such directive); and
vii. other similar, equivalent or corresponding rights throughout the world
based on applicable law or treaty, and any national implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention of,
applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
and Related Rights and associated claims and causes of action, whether now
known or unknown (including existing as well as future claims and causes of
action), in the Work (i) in all territories worldwide, (ii) for the maximum
duration provided by applicable law or treaty (including future time
extensions), (iii) in any current or future medium and for any number of
copies, and (iv) for any purpose whatsoever, including without limitation
commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
the Waiver for the benefit of each member of the public at large and to the
detriment of Affirmer's heirs and successors, fully intending that such Waiver
shall not be subject to revocation, rescission, cancellation, termination, or
any other legal or equitable action to disrupt the quiet enjoyment of the Work
by the public as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason be
judged legally invalid or ineffective under applicable law, then the Waiver
shall be preserved to the maximum extent permitted taking into account
Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
is so judged Affirmer hereby grants to each affected person a royalty-free,
non transferable, non sublicensable, non exclusive, irrevocable and
unconditional license to exercise Affirmer's Copyright and Related Rights in
the Work (i) in all territories worldwide, (ii) for the maximum duration
provided by applicable law or treaty (including future time extensions), (iii)
in any current or future medium and for any number of copies, and (iv) for any
purpose whatsoever, including without limitation commercial, advertising or
promotional purposes (the "License"). The License shall be deemed effective as
of the date CC0 was applied by Affirmer to the Work. Should any part of the
License for any reason be judged legally invalid or ineffective under
applicable law, such partial invalidity or ineffectiveness shall not
invalidate the remainder of the License, and in such case Affirmer hereby
affirms that he or she will not (i) exercise any of his or her remaining
Copyright and Related Rights in the Work or (ii) assert any associated claims
and causes of action with respect to the Work, in either case contrary to
Affirmer's express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or warranties
of any kind concerning the Work, express, implied, statutory or otherwise,
including without limitation warranties of title, merchantability, fitness
for a particular purpose, non infringement, or the absence of latent or
other defects, accuracy, or the present or absence of errors, whether or not
discoverable, all to the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without limitation
any person's Copyright and Related Rights in the Work. Further, Affirmer
disclaims responsibility for obtaining any necessary consents, permissions
or other rights required for any use of the Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to this
CC0 or use of the Work.
For more information, please see
<http://creativecommons.org/publicdomain/zero/1.0/>

57
README.md Normal file
View File

@ -0,0 +1,57 @@
# CA.sh
## Generate CA + wildcard cert for any hostname
`CA.sh` takes a domain name as input and outputs a directory named "CA", containing:
- a certificate authority (private key + cert + serial number file + a copy of the cert appropriately named for inclusion in the Android trust store);
- a CA-signed cert for the provided hostname;
- if the hostname is a domain, then a wildcard cert is generated, matching `domain.tld` and `*.domain.tld`;
- the hostname can also be an IP address.
Both the CA and the cert are valid for 30 days.
## Usage
```
./CA.sh example.org
```
## Optional dependencies
- `ipcalc-ng`, for detecting if the supplied hostname is an IP address.
- `idn`, for converting [IDNs](https://en.wikipedia.org/wiki/Internationalized_domain_name) to punycode.
## Adding the CA to the Android trust store
The reason I wrote this script was to intercept an Android app's TLS-encrypted traffic. In order to do this, the CA cert must be added to the Android trust store. Here's how:
In Android versions prior to 4, see http://wiki.cacert.org/FAQ/ImportRootCertAndroidPreICS
In Android versions 4, 5 and 6, you can simply copy the file to your phone and add it from the Android UI.
In Android 7+, in order for the CA to be trusted by all apps, you need to have a rooted phone. Allow USB debugging, grant root access for ADB, connect the phone to a computer and run the following commands:
```
# restart ADB as root
adb root
# remount the /system partition as read+write
adb remount
# copy the CA file to the root store
adb push CA/android/*.0 /system/etc/security/cacerts/
```
Then you can spoof a domain's IP address by adding it to the Android system's hosts file:
```
adb shell 'echo "192.168.0.2 example.org" >> /system/etc/hosts'
```
To allow TLS interception on a non-rooted phone, you need to slightly modify the app you are snooping on, as described in:
- https://medium.com/androgoat/intercept-https-traffic-from-android-app-androgoat-part-2-60f7777b237d
- https://stackoverflow.com/a/22040887
If the app uses certificate pinning, you may need a program like [Apktool](https://ibotpeaches.github.io/Apktool/), [Frida](https://frida.re/docs/android/) or [baksmali](https://github.com/JesusFreke/smali).
Thanks to Soarez for his [OpenSSL CA guide](https://gist.github.com/Soarez/9688998)!