Skip to content

Instantly share code, notes, and snippets.

@andrewxhill

andrewxhill/Chain Of Trust (but verify).ipynb

Last active November 8, 2023 06:14
Show Gist options
  • Save andrewxhill/107e343e676351b39db65910aa3d78d7 to your computer and use it in GitHub Desktop.
Save andrewxhill/107e343e676351b39db65910aa3d78d7 to your computer and use it in GitHub Desktop.
Download ZIP
Chain of Trust - but verify...
Raw
README.md

Provide a domain and a TXT content flag you want to discover and then verify all the way to ICANN.

On boom.fyi, we have a TXT record with data-cert=hello_world

domain = "boom.fyi"

Collect data for our target TXT record flag (including all sigs etc). Then collect data for the entire chain back to root.

chain_data = collect_record(domain, 'data-cert=')
chain_data = collect_chain_data(domain, chain_data)

This all is stored off in chain_data.json

Now, verify.

  • Check that the TXT record was signed correct
  • Check that the key that signed it came from the parent zoon
  • Check that that signature was correct
  • And check that it's key came from the parent zoon
  • Uncover the turtles
  • All the way down to the root
verify_chain(domain, data)

Finally, it makes sure the last step was signed by keys that came from the root we already know. Stored in root_rrset.json Since no exceptions were thrown, we'll finally show what the value of our flag was set to:

show_verified_message(domain, data)
Display the source blob
Display the rendered blob
Raw
Chain Of Trust (but verify).ipynb
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Raw
chain_data.json
{
"txt_data": [
"\"data-cert=hello_world\""
],
"txt_params": {
"name": "boom.fyi.",
"ttl": 300,
"rdclass": "IN",
"rdtype": "TXT",
"rdata": [
"\"data-cert=hello_world\""
]
},
"txt_rrsig_data": [
"TXT 13 2 300 20231104043233 20231102023233 34505 boom.fyi. TyfWfONX/ehwmC5NI+nmQ93cFHd1d0UN O9AL4fA4nSe1BF+WSlG6360/bKkoWMdG URLmVXVM64JdsPLF3F0CSQ=="
],
"txt_rrsig_params": {
"name": "boom.fyi.",
"ttl": 300,
"rdclass": "IN",
"rdtype": "RRSIG",
"rdata": [
"TXT 13 2 300 20231104043233 20231102023233 34505 boom.fyi. TyfWfONX/ehwmC5NI+nmQ93cFHd1d0UN O9AL4fA4nSe1BF+WSlG6360/bKkoWMdG URLmVXVM64JdsPLF3F0CSQ=="
]
},
"boom.fyi": {
"dnskey_data": [
"256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWz JaOau8XNEZeqCYKD5ar0IRd8KqXXFJkq mVfRvMGPmM1x8fGAa2XhSA==",
"257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0d xCjjnopKl+GqJxpVXckHAeF+KkxLbxIL fDLUT0rAK9iUzy1L53eKGQ=="
],
"dnskey_params": {
"name": "boom.fyi.",
"ttl": 619,
"rdclass": "IN",
"rdtype": "DNSKEY",
"rdata": [
"256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWz JaOau8XNEZeqCYKD5ar0IRd8KqXXFJkq mVfRvMGPmM1x8fGAa2XhSA==",
"257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0d xCjjnopKl+GqJxpVXckHAeF+KkxLbxIL fDLUT0rAK9iUzy1L53eKGQ=="
]
},
"ds_data": [
"2371 13 2 7c2bad06c3db075fb95f8cbc750d2f9ce96c088c0ca2b66eaf16d655b200fbdb"
],
"ds_params": {
"name": "boom.fyi.",
"ttl": 3600,
"rdclass": "IN",
"rdtype": "DS",
"rdata": [
"2371 13 2 7c2bad06c3db075fb95f8cbc750d2f9ce96c088c0ca2b66eaf16d655b200fbdb"
],
"digest_type": [
2
]
},
"ds_rrsig_data": [
"DS 8 2 3600 20231122154425 20231101144425 9855 fyi. pu+b6A8msuqQSUvRbEBeZHT9KAwf96bC EkTcXehzXTvWdvjGgZq+w7Mxp7BbA3uU ZXaxoRHJU2WwGUUDIK3RxLDjrKoD1iWX sRwGmwXz31kvZFQXJphxIhUKk+3/Ny84 503KYK8+eBEXeDKTxKN/8c7hA+ZhChsF 7gGiqxErxX4="
],
"ds_rrsig_params": {
"name": "boom.fyi.",
"ttl": 3600,
"rdclass": "IN",
"rdtype": "RRSIG",
"rdata": [
"DS 8 2 3600 20231122154425 20231101144425 9855 fyi. pu+b6A8msuqQSUvRbEBeZHT9KAwf96bC EkTcXehzXTvWdvjGgZq+w7Mxp7BbA3uU ZXaxoRHJU2WwGUUDIK3RxLDjrKoD1iWX sRwGmwXz31kvZFQXJphxIhUKk+3/Ny84 503KYK8+eBEXeDKTxKN/8c7hA+ZhChsF 7gGiqxErxX4="
]
}
},
"fyi": {
"dnskey_data": [
"256 3 8 AwEAAafOh6Ngub3lbBILGuzioMIQBBkB rQTvmBeFlYUNDQguL318ZwYoeIbZrxVo XVvcggw5bckHEFSSz2a0cAN063Sw11fl HAgbaUFtVOFBPmQ8Jxvvp0Y9BcepFA3k cfyLqN2mFFMcsrbxLgzK/dEC40G1SPtN yZKM8pKH1z28yHTH",
"256 3 8 AwEAAcTC0rO4M40wiDySfgS0AcQsJ72f haS0osWXnZOMw9yBOLDSJmffvGpQPyeA 9s/fFpE5HVp8tCOG3Wr+BO+3DPV4kCZo JWqOSuYXIIVJKxdIIBG/3sq2zZf8NzHr QHFmK7jsLfHKzYSCcHxXpq2EzKIY6bxZ Hdbqhb6rzYFTr4M3",
"257 3 8 AwEAAbTyOzbsbV/JFqJ9dDMOWletULAY 2enp0InxEpMMNE0MzO9x9TDhDHrEDagr AEZfY5yPobXlzfIJdYo1CPz4kNYPwE/t HGMfgErbrjIerMC77UmgiF8pP1Lrx7Mb J3T2ImXdwxnkgyA4RN3KENJgiP2pHQAr fsG5d7ASPB/8GVBO5Ad6yf74buqXlnGv oRzOYkLccG/AveUtuL3gdHaUcnhSLHXk lqKP/jbjToU1QYBvzJLDwGLEYxHUhDTj GvsiMSxFPjkLn/PYItWOEY6fUEGevHyv xPdiIdx4x+ZmoRy/jzOCjZ+ZKii4aZ51 444KgUJ6dn7M2psf0x7XLR9r5xs="
],
"dnskey_params": {
"name": "fyi.",
"ttl": 3059,
"rdclass": "IN",
"rdtype": "DNSKEY",
"rdata": [
"256 3 8 AwEAAafOh6Ngub3lbBILGuzioMIQBBkB rQTvmBeFlYUNDQguL318ZwYoeIbZrxVo XVvcggw5bckHEFSSz2a0cAN063Sw11fl HAgbaUFtVOFBPmQ8Jxvvp0Y9BcepFA3k cfyLqN2mFFMcsrbxLgzK/dEC40G1SPtN yZKM8pKH1z28yHTH",
"256 3 8 AwEAAcTC0rO4M40wiDySfgS0AcQsJ72f haS0osWXnZOMw9yBOLDSJmffvGpQPyeA 9s/fFpE5HVp8tCOG3Wr+BO+3DPV4kCZo JWqOSuYXIIVJKxdIIBG/3sq2zZf8NzHr QHFmK7jsLfHKzYSCcHxXpq2EzKIY6bxZ Hdbqhb6rzYFTr4M3",
"257 3 8 AwEAAbTyOzbsbV/JFqJ9dDMOWletULAY 2enp0InxEpMMNE0MzO9x9TDhDHrEDagr AEZfY5yPobXlzfIJdYo1CPz4kNYPwE/t HGMfgErbrjIerMC77UmgiF8pP1Lrx7Mb J3T2ImXdwxnkgyA4RN3KENJgiP2pHQAr fsG5d7ASPB/8GVBO5Ad6yf74buqXlnGv oRzOYkLccG/AveUtuL3gdHaUcnhSLHXk lqKP/jbjToU1QYBvzJLDwGLEYxHUhDTj GvsiMSxFPjkLn/PYItWOEY6fUEGevHyv xPdiIdx4x+ZmoRy/jzOCjZ+ZKii4aZ51 444KgUJ6dn7M2psf0x7XLR9r5xs="
]
},
"ds_data": [
"24340 8 2 853f208b5d528007d5b57bb498524364da3a2c43ad48444aae41d3afdb5b5aba"
],
"ds_params": {
"name": "fyi.",
"ttl": 86400,
"rdclass": "IN",
"rdtype": "DS",
"rdata": [
"24340 8 2 853f208b5d528007d5b57bb498524364da3a2c43ad48444aae41d3afdb5b5aba"
],
"digest_type": [
2
]
},
"ds_rrsig_data": [
"DS 8 1 86400 20231115200000 20231102190000 46780 . OECcmbAMpI4qw6yiiDemrDfuCw5ZAsj0 MRv5Dd8Y/DeGyTYgNtu5NhK8AfBC59OJ WnFGrskuNIsyNKmbGKtcs9BD/3P1fjPs obDSO5rDiV/XQ1RYqXeI5CzI2TrxBlR8 nuZlozj/9lMuDgve5M8pMSh7nlVK6Qe3 Fd1EbWDeG5YtmOO+2mCamtrRjzopFWdG r1tYvz3XNqvuOFe9ofHvSH8dvPBP9vIg 9JDcTfl5SsjJNAnzanQBQHr1l54NCuxF pwRtYQCHMnMVwia/Dw6pALqH2vamPP7G JTYSVxHVwnG6V8M38fp9XsrNgOkUzBKB F5JAHiF5f2MX/Z0H2rY0VA=="
],
"ds_rrsig_params": {
"name": "fyi.",
"ttl": 86400,
"rdclass": "IN",
"rdtype": "RRSIG",
"rdata": [
"DS 8 1 86400 20231115200000 20231102190000 46780 . OECcmbAMpI4qw6yiiDemrDfuCw5ZAsj0 MRv5Dd8Y/DeGyTYgNtu5NhK8AfBC59OJ WnFGrskuNIsyNKmbGKtcs9BD/3P1fjPs obDSO5rDiV/XQ1RYqXeI5CzI2TrxBlR8 nuZlozj/9lMuDgve5M8pMSh7nlVK6Qe3 Fd1EbWDeG5YtmOO+2mCamtrRjzopFWdG r1tYvz3XNqvuOFe9ofHvSH8dvPBP9vIg 9JDcTfl5SsjJNAnzanQBQHr1l54NCuxF pwRtYQCHMnMVwia/Dw6pALqH2vamPP7G JTYSVxHVwnG6V8M38fp9XsrNgOkUzBKB F5JAHiF5f2MX/Z0H2rY0VA=="
]
}
}
}
Raw
root_anchors.json
{
"TrustAnchor": {
"id": "380DC50D-484E-40D0-A3AE-68F2B18F61C7",
"source": "http://data.iana.org/root-anchors/root-anchors.xml",
"Zone": ".",
"KeyDigests": [
{
"id": "Kjqmt7v",
"validFrom": "2010-07-15T00:00:00+00:00",
"validUntil": "2019-01-11T00:00:00+00:00",
"KeyTag": 19036,
"Algorithm": 8,
"DigestType": 2,
"Digest": "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
},
{
"id": "Klajeyz",
"validFrom": "2017-02-02T00:00:00+00:00",
"KeyTag": 20326,
"Algorithm": 8,
"DigestType": 2,
"Digest": "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
}
]
}
}
Raw
root_rrset.json
{
"name": ".",
"ttl": 3239,
"rdclass": "IN",
"rdtype": "DNSKEY",
"rdata": [
"256 3 8 AwEAAddS95RV5uUtkUCN7vyvpb0kDZgm tXwN5Sj/d08+X7ND2sgWBabKnFhftrOs Sx9DUhKR3gpMPIxac84Nou8Wzkiu2A/s TzP1F6KpCL8epgemdlZVd1ATHEjpB0KH IQmDjSEO/frGgi8ijQ2vDF3AMSrUwH7q ntL1E5ufPHGKRM+agGghcAYfJHJN1dw7 Ki3Fo22RDB3VZBxU9yJ3vl/T4hngeL7z K84vgl62tlJJw1rK5S/3U4p/bZarjtMF OHDfh0DEj1ywtRpkpPnge03gmINoa2tz +Kff67kbQb0NhHJYzPRpViaMEWZI9pgG H9ZyuFdNrNRx68XSiO7sya7/i+c=",
"257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexT BAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq 7HrxRixHlFlExOLAJr5emLvN7SWXgnLh 4+B5xQlNVz8Og8kvArMtNROxVQuCaSnI DdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLr jyBxWezF0jLHwVN8efS3rCj/EWgvIWgb 9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTId sIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6 +cn8HFRm+2hM8AnXGXws9555KrUB5qih ylGa8subX2Nn6UwNR1AkUTV74bU="
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment