autograph-mar.yaml
server:
listen: "0.0.0.0:8000"
noncecachesize: 524288
signers:
- id: testmar
type: mar
privatekey: |
autograph-mar.yaml
server:
listen: "0.0.0.0:8000"
noncecachesize: 524288
signers:
- id: testmar
type: mar
privatekey: |
| firefox-10.0esr-10.0.1esr.partial.mar | |
| null | |
| firefox-1.5rc2-1.5.partial.mar | |
| null | |
| firefox-2.0.0.1.complete.mar | |
| null | |
| firefox-2.0-2.0.0.1.partial.mar |
| $ curl -s http://localhost:8080/__heartbeat__|jq | |
| { | |
| "status": false, | |
| "checks": { | |
| "check_autograph_heartbeat": false | |
| }, | |
| "details": "failed to request autograph heartbeat from http://localhost:8000/__heartbeat__: Get http://localhost:8000/__heartbeat__: dial tcp [::1]:8000: connect: connection refused" | |
| } |
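#!/usr/bin/env bash
# Takes the path of an APK as its only argument and unpacks it into a fresh
# temporary directory so the signing certificate can be extracted from it.
# The remainder of the script is cut off in this listing.
# NOTE(review): no cleanup of $tmpdir / $tmpcrt is visible in this excerpt;
# confirm the rest of the script removes them (for example with an EXIT trap).

# Abort at the first command that fails.
set -e

# Require a readable file as the first argument. The usage text goes to stderr
# and the script always exits here, even if the echo itself fails.
if [ ! -r "$1" ]; then
    echo "usage: $0 <apk>" >&2
    exit 1
fi

# mktemp picks unpredictable names and creates the directory and the file with
# owner-only permissions, so other local users cannot pre-create or read them.
tmpdir="$(mktemp -d)"
tmpcrt="$(mktemp)"

# unzip the apk into a temporary directory
# (everything extracted from the archive is untrusted input)
unzip -qq "$1" -d "$tmpdir"

# extract the public cert from the pkcs7 detached signature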
| package main | |
| import ( | |
| "bytes" | |
| "encoding/json" | |
| "fmt" | |
| "io/ioutil" | |
| "log" | |
| "net/http" | |
| "strings" |
| go.mozilla.org/autograph | |
| ├ context | |
| ├ crypto/rand | |
| ├ crypto/sha256 | |
| ├ encoding/base64 | |
| ├ encoding/json | |
| ├ flag | |
| ├ fmt | |
| ├ io/ioutil | |
| ├ math/big |
| $ LD_LIBRARY_PATH=tools/signmar-sha384/lib/ strace tools/signmar-sha384/bin/signmar \ | |
| -d . \ | |
| -n testmar \ | |
| -v /tmp/resigned.mar | |
| execve("tools/signmar-sha384/bin/signmar", ["tools/signmar-sha384/bin/signmar", "-d", ".", "-n", "testmar", "-v", "/tmp/resigned.mar"], 0x7fff51914f90 /* 62 vars */) = 0 | |
| brk(NULL) = 0xc64000 | |
| access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) | |
| openat(AT_FDCWD, "tools/signmar-sha384/lib/tls/haswell/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) |
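# Autograph test configuration with a single MAR signer (id "testmar").
server:
  # 0.0.0.0 binds port 8000 on every network interface; use a loopback or
  # internal address if the signing API must not be reachable from other hosts.
  listen: "0.0.0.0:8000"
  # cache 500k nonces to protect from authorization replay attacks
  noncecachesize: 524288

# The keys below are testing keys that do not grant any power
signers:
  - id: testmar
    type: mar
    # Literal block scalar; the key material is cut off in this listing.
    # Outside of testing, a signing key should not sit inline in a config file
    # that is shared or committed to version control.
    privatekey: |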
| // This code requires a configuration file to initialize the crypto11 | |
| // library. Use the following config in crypto11.config: | |
| // { | |
| // "Path" : "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so", | |
| // "TokenLabel": "cavium", | |
| // "Pin" : "$CRYPTO_USER:$PASSWORD" | |
| // } | |
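| // The "Pin" value is the HSM crypto user's login and password in clear | |
| // text, so keep crypto11.config out of version control and readable only | |
| // by the account that runs the program. Then invoke the program with: | |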
| // !CKNFAST_DEBUG=2 CRYPTO11_CONFIG_PATH=crypto11.config go run crypto11_sign.go | |
| package main |
| package main | |
| import ( | |
| "encoding/base64" | |
| "fmt" | |
| "github.com/miekg/pkcs11" | |
| ) | |
| func main() { |