Nmap Development mailing list archives

Fwd: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm


From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 25 Oct 2014 06:40:33 -0500

Dan,

  Could you take a look at the updated patch for this?  Having this
functionality included would greatly help with some surveys I am
doing.

Thanks much,

Tom Sellers


-------- Original Message --------
Subject: Re: [NSE] ssl-cert.nse - Add x509 certificate Signature Algorithm
Date: Sat, 11 Oct 2014 19:10:20 -0500
From: Tom Sellers <nmap () fadedcode net>
To: Nmap-dev <dev () nmap org>

On 10/11/2014 6:30 PM, David Fifield wrote:
> On Sat, Oct 11, 2014 at 06:24:25PM -0500, Tom Sellers wrote:
>> All,
>>   There's been a lot of press recently about Google and Mozilla
>>   becoming more aggressive about how they handle x509 certificates
>>   that have been signed using SHA-1. To assist with detecting SHA-1
>>   signed certificates I have created and attached a patch that adds
>>   the signature algorithm that was used to sign the target's x509
>>   certificate to the output of 'ssl-cert.nse'.  I am not a C coder
>>   so the modifications to 'nse_ssl_cert.cc' may need a bit of
>>   tweaking. Also, the ordering of elements may need to be adjusted.
>>   To reduce user confusion I purposely did not place the Signature
>>   Algorithm output near the MD5 and SHA-1 hashes.  Those values are
>>   'fingerprints', or for Microsoft products: thumbprints, and are
>>   generated by ssl-cert.nse.
>
> Cool, what are the possible outputs? You have sha256WithRSAEncryption
> and ecdsa-with-SHA384; what values should someone auditing for SHA-1
> look for?
>
> Be sure to update the @output and @xmloutput sections in the
> documentation.


The standard SHA1 looks like 'sha1WithRSAEncryption'.  There doesn't
seem to be a clean and easy to read list of the IDs that OpenSSL uses.
I will link a few docs with them at the end of the email.

Common ones appear to be:

md5WithRSAEncryption
sha1WithRSAEncryption
sha256WithRSAEncryption

I have updated the patch with the @output and @xmloutput changes.  Thanks
for pointing that out, I'm pretty rusty at this point.

Tom

Links -
https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt
https://github.com/openssl/openssl/blob/master/crypto/objects/objects.h

Attachment: ssl-cert_sig-algo-20141011.v2.patch
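The names Tom lists are the OpenSSL long names for the OID found in the certificate's outer signatureAlgorithm field, which is the value the patched script prints. As an added example that is not part of ssl-cert.nse or the attached patch, the Python below (stdlib only, so it runs offline) walks a DER certificate to that field, decodes the OID, maps it to the OpenSSL name, and flags the MD5/SHA-1 cases a survey would pull out. The certificate it parses is a constructed skeleton with the correct outer layout and a dummy tbsCertificate, not a real certificate; the OID table covers only the algorithms named in this thread plus their SHA-2 RSA and ECDSA neighbours; and the helper names (read_tlv, decode_oid, encode_oid, signature_algorithm, is_weak_signature, fake_certificate) are this example's own.

```python
"""Added example, not code from ssl-cert.nse or the patch in this thread.

Locate Certificate.signatureAlgorithm in a DER-encoded X.509 certificate,
decode its OID, map it to the OpenSSL long name and flag MD5/SHA-1.
The certificate parsed below is a constructed skeleton, not a real cert.
"""

# OpenSSL long names for common signature-algorithm OIDs (see objects.txt).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

WEAK_DIGESTS = ("md5", "sha1")


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OID content octets to dotted text (first arc assumed 0/1/2)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return (oid, openssl_name) for Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    assert tag == 0x30
    tag, _tbs, pos = read_tlv(cert, 0)     # tbsCertificate, skipped here
    assert tag == 0x30
    tag, alg, _ = read_tlv(cert, pos)      # signatureAlgorithm ::= SEQUENCE
    assert tag == 0x30
    tag, oid_bytes, _ = read_tlv(alg, 0)   # algorithm OBJECT IDENTIFIER
    assert tag == 0x06
    oid = decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown (%s)" % oid)


def is_weak_signature(name):
    """True for the MD5/SHA-1 names a SHA-1 survey should flag."""
    return any(d in name.lower() for d in WEAK_DIGESTS)


# --- constructed sample input (hypothetical, for the demo only) -------------

def der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode dotted OID text to DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Skeleton cert: dummy TBS, real AlgorithmIdentifier, dummy signature."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 129)        # BIT STRING forces long-form length
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.3"):
        found_oid, name = signature_algorithm(fake_certificate(oid))
        print("%-24s %-26s weak=%s" % (found_oid, name, is_weak_signature(name)))
```

Two checks worth keeping in a real survey: RFC 5280 requires the outer signatureAlgorithm to equal tbsCertificate.signature, so a parser that only reads one of them can be fooled by a malformed certificate; and, as Tom notes above, the MD5 and SHA-1 lines in ssl-cert output are fingerprints of the whole certificate computed by the script, so a "SHA-1" fingerprint line says nothing about which algorithm signed the certificate.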
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/