
apostille's Introduction

This is a tool to clone X509 certificate chains.

Call it with a host:port that presents a TLS (SSL) certificate chain. Apostille retrieves the chain and outputs a private key together with a chain of certificates that matches the certificates it retrieved.

Obviously, we are not breaking RSA/DSA/EC here, so the PrivateKey will be freshly generated, along with its PublicKey, and an X509Certificate[] chain that matches the source chain in every respect EXCEPT the key values.

If you provide a keystore and passwords, all private keys and certificates generated will be stored in the keystore, as well as being output in PEM form on stdout. This will include the keys for all the intermediate certificates, which would not otherwise be output or saved.

Automatically generated "parents" of the chain will be named by their CN.
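Because the cloned chain matches the original in everything a name, serial or validity check would look at, the only field a defender can rely on is the public key itself. The following is an added example, not code from the apostille project: a stdlib-only Python walker that extracts the SubjectPublicKeyInfo from a DER certificate, computes an SPKI pin, and flags a presented certificate whose identity fields match a pinned original while its key does not. The `constructed_cert` builder is an assumption of this example and produces a schematic, invalid certificate only so the check can run offline.

```python
import base64
import hashlib

def _tlv(data, pos):
    """Parse one definite-length DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - nbytes:pos], "big")
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Return [(tag, whole TLV bytes), ...] for the TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = _tlv(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out

def tbs_fields(der_cert):
    """tbsCertificate fields (RFC 5280), explicit [0] version dropped: serial, sigAlg, issuer, validity, subject, SPKI, ..."""
    _, cert_body, _ = _tlv(der_cert, 0)               # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, tbs, _ = _tlv(cert_body, 0)
    fields = _children(tbs)
    return fields[1:] if fields and fields[0][0] == 0xA0 else fields

def spki_pin(der_cert):
    """Public-key pin as used for SPKI pinning: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(tbs_fields(der_cert)[5][1]).digest()).decode()

def looks_rekeyed(original_der, presented_der):
    """True when serial, sigAlg, issuer, validity and subject all match the pinned original but the
    key does not: what a re-keyed clone looks like to checks that never compare the key itself."""
    a, b = tbs_fields(original_der), tbs_fields(presented_der)
    return a[:5] == b[:5] and spki_pin(original_der) != spki_pin(presented_der)

def _der(tag, content):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 0x80: return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def constructed_cert(key_bits):
    """Constructed, schematic DER Certificate in RFC 5280 field order: placeholder names, empty
    signature, NOT a valid certificate; just enough structure to exercise the parser offline."""
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + key_bits))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01\x00")
               + _der(0x30, b"") * 4 + spki)        # v3, serial, sigAlg/issuer/validity/subject, SPKI
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

On a real chain, feed `spki_pin` the DER of each certificate (for example from `ssl.PEM_cert_to_DER_cert`) and compare against pins recorded from the genuine deployment; key-identifier extensions, where present, will also differ on a re-keyed clone.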

To run it, install Maven, package it with

mvn package

Then run either:

java -jar target/apostille-1.0-SNAPSHOT.jar example.com:443 > example.com.key+chain

Or

java -jar target/apostille-1.0-SNAPSHOT.jar example.com:443 keystore.jks password password > example.com.key+chain

Alternatively, you can provide a file containing the certificate chain, which will be cloned. This supports the case where the certificate is not directly reachable via a socket connection, or is not TLS.

Provide a certificate chain similar to what is generated by:

openssl s_client -connect example.com:443 -showcerts < /dev/null > example.com.pem

NB: The certificate chain must either contain a complete chain right up to the last certificate authority, or that certificate authority must be available in the Java trust store or in the provided keystore. No special alias is required for the CA certificate in the keystore; all trusted certificates are checked for a matching CN. Note that if the CA certificate is installed under an alias equal to its CN, it will be overwritten with the cloned CA certificate and key.

Then clone it using:

java -jar target/apostille-1.0-SNAPSHOT.jar example.com.pem > example.com.key+chain

Or

java -jar target/apostille-1.0-SNAPSHOT.jar example.com.pem keystore password password > example.com.key+chain

apostille's People

Contributors

cablethief, dependabot[bot], reelix, rogandawes


apostille's Issues

NullPointerException when source certificate has no extensions

It will throw a NullPointerException when the source certificate has no extensions.

Exception in thread "main" java.lang.NullPointerException
        at net.za.dawes.apostille.Apostille.getExtensions(Apostille.java:313)
        at net.za.dawes.apostille.Apostille.copyAndSign(Apostille.java:252)
        at net.za.dawes.apostille.Apostille.cloneCertificates(Apostille.java:200)
        at net.za.dawes.apostille.Apostille.cloneCertificates(Apostille.java:151)
        at net.za.dawes.apostille.Main.main(Main.java:152)

Checking null in Apostille.java line 313 works for me:

// Source certificate carries no extensions: nothing to copy, return what we have.
if (criticalExtensionOids == null) {
    return extensions;
}

Tests failing due to google.com old certificate expiring

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Jul 23 21:02:00 NZST 2019

Easy to bypass in the interim by commenting out lines 57 and 58 in ApostilleTest.java:
//testSite(apostille, "google.com.pem");
//dumpKeystore(ks);

Build error

Both local builds and the docker container fail on your tests repeatedly, error included below:

[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running net.za.dawes.apostille.ApostilleTest
WARNING: Cannot find certificate details for 'CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2, will self-sign instead.
If this is not what you want, find the CA certificate for 'null', and add it to the keystore passed as a parameter on the command line
Could not find keystore entry for CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2, self-signing CN=Google Internet Authority G3, O=Google Trust Services, C=US
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.471 s <<< FAILURE! - in net.za.dawes.apostille.ApostilleTest
[ERROR] net.za.dawes.apostille.ApostilleTest.test  Time elapsed: 0.444 s  <<< FAILURE!
java.lang.AssertionError: expected:<1> but was:<2>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
	at net.za.dawes.apostille.ApostilleTest.testSite(ApostilleTest.java:73)
	at net.za.dawes.apostille.ApostilleTest.test(ApostilleTest.java:59)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:578)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
	at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
	at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
	at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:377)
	at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:284)
	at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:248)
	at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:167)
	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:456)
	at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:169)
	at org.apache.maven.surefire.booter.ForkedBooter.run(ForkedBooter.java:595)
	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:581)
