I came across an article on Freebuf:
Technical Discussion | Apostille: a certificate forging tool that makes fake certificates pass for real ones

The tool is written in Java and needs a JDK to run.
Build the jar package with Maven: mvn package

[INFO] Copying bctls-jdk15on-1.58.jar to /root/apostille/target/bctls-jdk15on-1.58.jar
[INFO] Copying hamcrest-core-1.3.jar to /root/apostille/target/hamcrest-core-1.3.jar
[INFO] Copying bcprov-jdk15on-1.58.jar to /root/apostille/target/bcprov-jdk15on-1.58.jar
[INFO] Copying bcpkix-jdk15on-1.58.jar to /root/apostille/target/bcpkix-jdk15on-1.58.jar
[INFO] Copying junit-4.12.jar to /root/apostille/target/junit-4.12.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  03:11 min
[INFO] Finished at: 2019-05-07T14:52:12+08:00
[INFO] ------------------------------------------------------------------------

The jar was built successfully.

Usage from the README: java -jar target/apostille-1.0-SNAPSHOT.jar example.com:443 dstkeystore.jks kspassword keypassword > example.com.key+chain

Let's try cloning a certificate chain:

# java -jar target/apostille-1.0-SNAPSHOT.jar feng.cmd.gd:443 fake-cert-feng.cmd.gd.jks kspassword keypassword > fake-feng.cmd.gd.key+chain
Provided keystore now has the following aliases:
Alias: dst root ca x3, added Tue May 07 14:56:35 HKT 2019
Alias: cmd.gd, added Tue May 07 14:56:36 HKT 2019

fake-feng.cmd.gd.key+chain:

Key for cmd.gd
-----BEGIN EC PRIVATE KEY-----
MD...2g==
-----END EC PRIVATE KEY-----
Certificate 1: Subject = CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Certificate 1: Issuer  = CN=DST Root CA X3, O=Digital Signature Trust Co.
-----BEGIN CERTIFICATE-----
MI...zQ==
-----END CERTIFICATE-----
Certificate 0: Subject = CN=cmd.gd
Certificate 0: Issuer  = CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
-----BEGIN CERTIFICATE-----
MI...Ai
-----END CERTIFICATE-----

note: the certificates in the output are in reversed order; the order for an Nginx deployment is certificate->rootCA->subCA

Let's look at the certificate properties. On the left is the normal certificate issued by Let's Encrypt, on the right is the cloned fake certificate.
[Screenshots: fake4.png, fake1.png]

Compare the serial numbers and fingerprints of the two certificates:
[Screenshots: fake2.png, fake3.png]
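An added example (not from the original post or the Apostille project) that scripts this comparison with openssl, for checking a served certificate against a known-good reference. It assumes a cloned certificate keeps the subject, issuer and serial of the original while its fingerprint differs; the function names and the generated test certificates (clone-demo.example, other-demo.example) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): compare a served certificate
# against a known-good reference and flag the "same names, other key" pattern.

# field CERT OPTION... -> print the requested x509 attribute(s) of a PEM cert
field() { f=$1; shift; openssl x509 -in "$f" -noout "$@"; }

# compare_cert REFERENCE CANDIDATE -> identical | clone-suspect | different
compare_cert() {
    if [ "$(field "$1" -fingerprint -sha256)" = "$(field "$2" -fingerprint -sha256)" ]; then
        echo identical
        return 0
    fi
    for attr in -subject -issuer -serial; do
        if [ "$(field "$1" "$attr")" != "$(field "$2" "$attr")" ]; then
            echo different
            return 0
        fi
    done
    # Names and serial agree, fingerprint does not: signed with another key.
    echo clone-suspect
}

# chains_to ANCHOR CERT -> exit 0 only if CERT validates against ANCHOR
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# make_cert OUT CN SERIAL -> constructed self-signed RSA test certificate
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -set_serial "$3" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Constructed sample data: "genuine" and "lookalike" share CN and serial but
# have independent keys; "other" is an unrelated certificate.
demo_dir=$(mktemp -d)
make_cert "$demo_dir/genuine.pem"   clone-demo.example 4660
make_cert "$demo_dir/lookalike.pem" clone-demo.example 4660
make_cert "$demo_dir/other.pem"     other-demo.example 7
echo "lookalike: $(compare_cert "$demo_dir/genuine.pem" "$demo_dir/lookalike.pem")"
echo "other:     $(compare_cert "$demo_dir/genuine.pem" "$demo_dir/other.pem")"
chains_to "$demo_dir/genuine.pem" "$demo_dir/lookalike.pem" \
    || echo "lookalike does not validate against the genuine anchor"
```

In real use the reference would be the certificate previously recorded for the host, and the anchor passed to chains_to would be the real issuing CA certificate.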

Install it on nginx and take a look.
Cloning ECC seems to have a problem: the key and certificate do not pass verification. RSA works fine.

Google Chrome version 76.0.3799.0 (Official Build) canary (64-bit)
[Screenshot: QQ截图20190520094820.png]

Older versions of Chrome can probably be bypassed lol

Github: https://github.com/sensepost/apostille
Archive: apostille-master(Commits on Jul 23, 2018).zip
