Created
March 4, 2015 18:14
Root CAs with Weak Public Keys
| package main | |
| import ( | |
| "crypto/rsa" | |
| "crypto/x509" | |
| "encoding/asn1" | |
| "fmt" | |
| "io/ioutil" | |
| "log" | |
| "net/http" | |
| "github.com/cloudflare/cfssl/helpers" | |
| ) | |
const (
	// weakBitLen is the inclusive upper bound, in bits, on an RSA modulus
	// that this program reports as weak.
	weakBitLen = 1024

	// rootURL is the PEM bundle of root CA certificates to audit. It points
	// at the master branch, so the bundle can differ between runs.
	rootURL = "https://raw.githubusercontent.com/cloudflare/cfssl_trust/master/ca-bundle.crt"
)
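// organizationalUnitName is the X.520 attribute type OID 2.5.4.11, used to
// label certificates whose subject has no common name.
var organizationalUnitName = asn1.ObjectIdentifier{2, 5, 4, 11}

// getCertName returns a printable label for cert: the subject common name
// when it is non-empty, otherwise the last string-valued
// organizationalUnitName attribute of the subject, otherwise "".
func getCertName(cert *x509.Certificate) string {
	if cn := cert.Subject.CommonName; cn != "" {
		return cn
	}

	var name string
	for _, atv := range cert.Subject.Names {
		if !atv.Type.Equal(organizationalUnitName) {
			continue
		}
		// Value is an interface filled in by the certificate parser. An
		// unchecked assertion would panic on a non-string value and abort
		// the whole audit, so such attributes are skipped instead.
		if ou, ok := atv.Value.(string); ok {
			name = ou
		}
	}
	return name
}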
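// main downloads the PEM root bundle at rootURL, parses it, and prints every
// certificate whose RSA modulus is weakBitLen bits or shorter, followed by a
// count of those certificates.
//
// Only RSA public keys are examined; certificates carrying any other key
// type are skipped without being reported, so a count of zero says nothing
// about non-RSA keys.
func main() {
	fmt.Printf("Downloading Root CAs from %s\n", rootURL)
	resp, err := http.Get(rootURL)
	if err != nil {
		log.Fatalln(err)
	}
	// A non-200 response carries an error page rather than the bundle, so
	// refuse to treat its body as certificate data.
	if resp.StatusCode != http.StatusOK {
		resp.Body.Close()
		log.Fatalf("fetching %s: unexpected HTTP status %s", rootURL, resp.Status)
	}

	rootCerts, err := ioutil.ReadAll(resp.Body)
	// Close explicitly rather than with defer: log.Fatalln exits the process
	// without running deferred calls.
	resp.Body.Close()
	if err != nil {
		log.Fatalln(err)
	}

	certs, err := helpers.ParseCertificatesPEM(rootCerts)
	if err != nil {
		log.Fatalln(err)
	}
	// An empty bundle would otherwise end in "0 weak CA Public Keys found",
	// which reads as a clean result although nothing was checked.
	if len(certs) == 0 {
		log.Fatalf("no certificates parsed from %s", rootURL)
	}
	fmt.Printf("Parsed %d root CAs\n", len(certs))

	var weakCount int
	for _, cert := range certs {
		rsaPub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		bits := rsaPub.N.BitLen()
		if bits > weakBitLen {
			continue
		}
		fmt.Printf("%s has a %d-bit RSA Modulus\n", getCertName(cert), bits)
		weakCount++
	}
	fmt.Printf("\n%d weak CA Public Keys found\n", weakCount)
}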
Author
This is intentionally very basic. Extending to check for specific platform support is also really easy with the CFSSL ubiquity package and the right metadata/trust stores.