Internet death sentence for DigiNotar's Root CA!

By: a guest on Aug 29th, 2011
This paste contains information on how you can verify that the latest diginotar.nl *.google.com cert is real. This CA should receive an internet death sentence as their carelessness may have resulted in deaths in Iran - this cert was issued in JULY of 2011 and it is now just a few days before SEPTEMBER. It is being used in the wild against real people in Iran *right* now.

tl;dr:

openssl verify -verbose -CApath /etc/ssl/certs/ -CAfile /etc/ssl/certs/DigiNotar_Root_CA.pem -CAfile inter.crt -purpose any google.com.crt
google.com.crt: OK

Verify the cert below.

Put this in inter.crt:


Put this in google.com.crt:


Run this:

openssl verify -verbose -CApath /etc/ssl/certs/ -CAfile /etc/ssl/certs/DigiNotar_Root_CA.pem -CAfile inter.crt -purpose any google.com.crt

Cry about this:

google.com.crt: OK

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            emailAddress              = info@diginotar.nl
            commonName                = DigiNotar Public CA 2025
            organizationName          = DigiNotar
            countryName               = NL
        Validity
            Not Before: Jul 10 19:06:30 2011 GMT
            Not After : Jul  9 19:06:30 2013 GMT
        Subject:
            commonName                = *.google.com
            serialNumber              = PK000229200002
            localityName              = Mountain View
            organizationName          = Google Inc
            countryName               = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
  114.                 Modulus (2048 bit):
  115.                     00:cd:6d:e2:ae:6c:25:74:68:2c:61:3a:23:92:09:
  116.                     24:3f:c3:d1:d7:4d:8b:83:e4:12:ca:ba:2a:97:37:
  117.                     0d:ec:7a:d7:53:ca:67:89:cf:62:fc:69:63:87:a3:
  118.                     79:e2:70:53:43:57:05:93:83:05:a8:98:63:6b:d8:
  119.                     9e:90:ee:0d:62:20:d3:52:5b:4a:d1:e0:4d:65:da:
  120.                     cc:d1:91:c9:c0:63:a7:3a:8b:f1:24:7b:dd:e7:17:
  121.                     88:b6:84:3b:27:20:1b:de:a2:51:79:ca:3a:6e:46:
  122.                     6e:f7:b9:04:03:ba:51:e3:03:70:45:44:5f:cf:4e:
  123.                     2d:1f:c3:6f:d8:b7:ef:22:7a:83:2e:35:c3:16:37:
  124.                     a1:28:bb:91:aa:b7:96:19:91:6b:f5:ef:aa:1f:78:
  125.                     26:ec:06:63:2b:3f:ce:f1:3a:18:6d:4c:37:24:09:
  126.                     aa:64:e1:54:19:1b:65:eb:7f:36:5c:57:ab:5d:cc:
  127.                     2a:79:4c:8f:2e:1d:db:b5:ed:c7:73:5e:6d:62:99:
  128.                     9f:2d:ca:fc:c5:7a:20:84:39:03:7c:bc:f3:73:07:
  129.                     f7:c8:af:70:89:43:9a:b8:b8:ce:5a:29:3d:c3:0f:
  130.                     93:de:57:37:f8:ad:f2:4a:40:d8:02:4d:68:88:05:
  131.                     cf:57:71:61:14:ba:cc:f0:02:c9:e6:83:b7:b6:10:
  132.                     94:5d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://validation.diginotar.nl

            X509v3 Authority Key Identifier:
                keyid:DF:33:C0:AF:92:FE:37:FC:B6:D8:16:16:D0:D9:B1:91:D5:FA:6E:A5

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 2.16.528.1.1001.1.1.1.2.4.1.2.2
                  CPS: http://www.diginotar.nl/cps
                  User Notice:
                    Explicit Text: Conditions, as mentioned on our website (www.diginotar.nl), are applicable to all our products and services.

            X509v3 CRL Distribution Points:
                URI:http://service.diginotar.nl/crl/public2025/latestCRL.crl

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                email:admin@google.com
            X509v3 Subject Key Identifier:
                07:4A:7D:16:27:32:28:D1:E3:01:31:05:0D:B0:CA:8D:E9:E1:7F:ED
    Signature Algorithm: sha1WithRSAEncryption
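"openssl verify: OK" only says the chain leads to a root the machine trusts; it says nothing about whether DigiNotar should ever be issuing for *.google.com. The following is an added example, not part of the original paste: a small policy check in Python over the fields lifted from the openssl text dump above (serial, issuer, subject, validity, SAN), with an assumed placeholder issuer allowlist ("Example Trusted CA Inc" is a made-up organisation name, and LeafFields and policy_findings are names chosen here).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Assumed issuer policy: which CA organisations may issue for which names.
# "Example Trusted CA Inc" is a placeholder, not the CA that really served google.com.
EXPECTED_ISSUERS = {"*.google.com": {"Example Trusted CA Inc"}}


@dataclass
class LeafFields:
    """Leaf fields as printed by `openssl x509 -noout -text`."""
    serial: str
    issuer_org: str
    subject_cn: str
    not_before: datetime
    not_after: datetime
    san_dns: list = field(default_factory=list)
    san_email: list = field(default_factory=list)
    is_ca: bool = False


def policy_findings(cert, now, revoked_serials=frozenset()):
    """Policy violations for a leaf that `openssl verify` already accepted."""
    findings = []
    if cert.is_ca:
        findings.append("leaf has CA:TRUE")
    if not cert.not_before <= now <= cert.not_after:
        findings.append("outside validity period")
    if cert.serial.lower() in {s.lower() for s in revoked_serials}:
        findings.append(f"serial {cert.serial} is on the CRL")
    # A server certificate should carry a dNSName SAN; an email-only SAN is a red flag.
    if not cert.san_dns:
        findings.append("no dNSName in subjectAltName")
    # Every name the cert claims must come from a CA allowed for that name.
    for name in [cert.subject_cn] + cert.san_dns:
        allowed = set()
        for pattern, orgs in EXPECTED_ISSUERS.items():
            if fnmatchcase(name, pattern):
                allowed |= orgs
        if allowed and cert.issuer_org not in allowed:
            findings.append(f"{name!r} issued by unexpected CA {cert.issuer_org!r}")
    return findings


# Constructed from the paste's openssl text dump of the DigiNotar-issued leaf.
DIGINOTAR_LEAF = LeafFields(
    serial="05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56",
    issuer_org="DigiNotar", subject_cn="*.google.com",
    not_before=datetime(2011, 7, 10, 19, 6, 30, tzinfo=timezone.utc),
    not_after=datetime(2013, 7, 9, 19, 6, 30, tzinfo=timezone.utc),
    san_email=["admin@google.com"])
AS_OF = datetime(2011, 8, 29, tzinfo=timezone.utc)  # date of the paste
```

Note that the paste's command passes -CAfile twice and openssl keeps only the last one, so the DigiNotar root is actually found through -CApath /etc/ssl/certs/ rather than through the first -CAfile.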