On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote:
Thanks Alex, I took a look; it looks like the check pings crt.sh. Is doing
that for a large number of certificates acceptable, Rob?

Hi Tavis. Yes, Alex's tool uses https://crt.sh/gen-add-chain to find a suitable cert chain and build the JSON that can then be submitted to a log's /ct/v1/add-chain. It should be fine to do that for a large number of certs. crt.sh exists to be used. ;-)

I made a smaller set: the certificates that have 'SSL server: Yes' or 'Any
Purpose : Yes'. There were only a few thousand that verified, so I just
checked those and found 551 not in crt.sh.

(The *vast* majority are code signing certificates; many are individual
Apple developer certificates.)

Is this useful? If not, what key usage is interesting?

https://lock.cmpxchg8b.com/ServerOrAny.zip

Thanks for this, Tavis. I pointed my certscraper (https://github.com/robstradling/certscraper) at this URL a couple of days ago. This submitted many of the certs to the Dodo and Rocketeer logs.

However, it didn't manage to build chains for all of them. I haven't yet had a chance to investigate why.

Tavis.
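Added here by the editor, not code from anyone on this thread nor from ct-tools or certscraper: a stdlib-only Python sketch of the two steps discussed above, classifying a certificate by its extendedKeyUsage extension (approximating the 'SSL server: Yes' / 'Any Purpose : Yes' filter) and building the JSON body that a log's /ct/v1/add-chain endpoint takes (RFC 6962, section 4.1). The sample EKU bytes and PEM chain are constructed placeholders, not real certificates, and the DER helpers cover only what the EKU extension needs.

```python
import base64
import json
import re
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth ("SSL server")
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage ("Any Purpose")
# Constructed sample inputs, not real certificates: an EKU extnValue holding
# clientAuth + anyExtendedKeyUsage, and a PEM "chain" whose bodies are b"leaf", b"ca".
SAMPLE_EKU = bytes.fromhex("3010" "06082b06010505070302" "0604551d2500")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"
              "-----BEGIN CERTIFICATE-----\nY2E=\n-----END CERTIFICATE-----\n")

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)       # base-128, high bit = continue
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def eku_oids(ext_value):
    """Parse an extendedKeyUsage extnValue (SEQUENCE OF OID) into dotted OIDs."""
    tag, seq, _ = der_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, oid, pos = der_tlv(seq, pos)       # each element is an OID (tag 0x06)
        oids.append(decode_oid(oid))
    return oids

def is_server_or_any_purpose(ext_value):
    """True when the EKU lists serverAuth or anyExtendedKeyUsage. OpenSSL's purpose
    check also accepts a cert with *no* EKU as a server cert; handle that before calling."""
    oids = eku_oids(ext_value)
    return SERVER_AUTH in oids or ANY_EKU in oids

def add_chain_body(pem_text):
    """Build the RFC 6962 /ct/v1/add-chain request body: {"chain": [base64 DER, ...]}."""
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    ders = [base64.b64decode(body) for body in re.findall(pem_re, pem_text, re.S)]
    return json.dumps({"chain": [base64.b64encode(d).decode("ascii") for d in ders]})
```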

On Mon, Jun 19, 2017 at 7:03 AM, Alex Gaynor <agay...@mozilla.com> wrote:

If you're interested in playing around with submitting them yourself, or
checking if they're already submitted, I've got some random tools for
working with CT: https://github.com/alex/ct-tools

Specifically ct-tools check <cert1.pem, cert2.pem, ...> will get what you
want. It's all serial, so for 8M certs you probably want to Bring Your Own
Parallelism (I should fix this...)

Alex

On Mon, Jun 19, 2017 at 6:51 AM, Rob Stradling via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

On 16/06/17 20:11, Andrew Ayer via dev-security-policy wrote:

On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy wrote:

<snip>

Is there an easy way to check which certificates from my set you're
missing? (I'm not a PKI guy, I was collecting unusual extension OIDs
for fuzzing).

I collected these from public sources, so I can just give you my whole
set if you already have tools for importing them and don't mind
processing them. I have around 8M (mostly leaf) certificates; the
set with isCa will be much smaller.


Please do post the whole set.  I suspect there are several people on
this list (including myself and Rob) who have the tools and experience
to process large sets of certificates and post them to public
Certificate Transparency logs (whence they will be fed into crt.sh).

It would be useful to include the leaf certificates as well, to catch
CAs which are engaging in bad practices such as signing non-SSL certs
with SHA-1 under an intermediate that is capable of issuing SSL
certificates.

Thanks a bunch for this!


+1

Tavis, please do post the whole set.  And thanks!

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
