Be carefull on who you trust your Ev-SSl cert. from

I was reading on a underground forum about a group trying to create a bogus EV-SSL certificate authority. <—something like that. (This is propably why you should only trust name brand cert’s)

This is intentionally edited and no where near complete for obvious reasons, but you need to be carefull on who you accept ev-ssl cert’s from :slight_smile:

1)needed to find a way to get a browser to accept a root CA that I created, and then get the browser to trust that root CA to issue EV certificates. This is harder than it sounds; regular SSL root certificates can be added easily to any browser, but the EV root certs can’t. This is to protect users from accidental or malicious installation of EV root certs

2)Firefox will let you “test” some CA certs as EV authorities, but you have to get your hands on a debugging build. Not only that, but unless you want to maintain a fresh CRL or OCSP server, you’ll have to modify the source code

3)Adding your own EV-SSL Root CA to Firefox
follow this link
http://evssl-trust.sidstamm.com/firefox-evca.html

4)Adding your own EV-SSL Root CA to Firefox
follow the link
http://evssl-trust.sidstamm.com/firefox-evca.html#sec-ca

5)This involves patching the Firefox source code to perform lazy freshness checks on certificates
The patch method

diff -r bfb03680c56d security/manager/ssl/src/nsIdentityChecking.cpp --- a/security/manager/ssl/src/nsIdentityChecking.cpp Thu Apr 09 12:43:15 2009 -0400 +++ b/security/manager/ssl/src/nsIdentityChecking.cpp Tue Apr 14 17:00:23 2009 -0700 [at][at] -932,12 +932,12 [at][at] CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_ALLOW_NETWORK_FETCHING | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE - | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE + /*| CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE */ | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;

PRUint64 revMethodIndependentFlags =
CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST

  • | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
  • /| CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE/;

    PRUint64 methodFlags[2];
    methodFlags[cert_revocation_method_crl] = revMethodFlags;


and set it up to accept externally defined EV root authorities (you will list them in a text file). Then you must compile the source in debug mode to enable it

6)Install your CA and go. You have to extract the base-64 encoded subject and serial number out of your CA certificate
A possible patch method

diff -r bfb03680c56d security/nss/cmd/lib/secutil.c --- a/security/nss/cmd/lib/secutil.c Thu Apr 09 12:43:15 2009 -0400 +++ b/security/nss/cmd/lib/secutil.c Tue Apr 14 11:47:51 2009 -0700 [at][at] -789,7 +789,8 [at][at] }

void
-SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level)
+SECU_PrintAsHexW(FILE *out, SECItem *data, const char *m, int level,

  •             int allowWrap)
    

{
unsigned i;
int column;
[at][at] -836,12 +837,13 [at][at]
column += 2;
break;
}

  • if (column > 76 || (i % 16 == limit)) {
  •    secu_Newline(out);
    
  •    SECU_Indent(out, level); 
    
  •    column = level*INDENT_MULT;
    
  •    limit = i % 16;
    
  • }
  •    if (allowWrap)
    
  •      if (column > 76 || (i % 16 == limit)) {
    
  •          secu_Newline(out);
    
  •          SECU_Indent(out, level); 
    
  •          column = level*INDENT_MULT;
    
  •          limit = i % 16;
    
  •      }
     }
     printedHex = PR_TRUE;
    
    }
    [at][at] -859,18 +861,28 [at][at]
    } else {
    column = 77;
    }
  •    if (column > 76) {
    
  •    secu_Newline(out);
    
  •        SECU_Indent(out, level); column = level*INDENT_MULT;
    
  •    }
    
  •        if (allowWrap)
    
  •          if (column > 76) {
    
  •              secu_Newline(out);
    
  •              SECU_Indent(out, level); column = level*INDENT_MULT;
    
  •          }
    

    }
    }

  • if (!allowWrap) {

  •  secu_Newline(out);
    
  • } else
    if (column != level*INDENT_MULT) {
    secu_Newline(out);
    }
    }

+void
+SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level)
+{

  • SECU_PrintAsHexW(out, data, m, level, 1);
    +}

static const char *hex = “0123456789abcdef”;

static const char printable[257] = {
[at][at] -947,7 +959,8 [at][at]
** call SECU_PrintEncodedInteger();
*/
void
-SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level)
+SECU_PrintIntegerW(FILE *out, SECItem *i, char *m, int level,

  •               int allowWrap)
    

{
int iv;

[at][at] -959,7 +972,7 [at][at]
fprintf(out, “(null)\n”);
}
} else if (i->len > 4) {

  • SECU_PrintAsHex(out, i, m, level);
  • SECU_PrintAsHexW(out, i, m, level, allowWrap);
    } else {
    if (i->type == siUnsignedInteger && i->data & 0x80) {
    /
    Make sure i->data has zero in the highest bite
    [at][at] -984,8 +997,14 [at][at]
    }
    }

-static void
-secu_PrintRawString(FILE *out, SECItem *si, char *m, int level)
+void
+SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level)
+{

  • SECU_PrintIntegerW(out, i, m, level, 1);
    +}

+static void
+secu_PrintRawStringWithWrap(FILE *out, SECItem *si, char *m, int level)
{
int column;
unsigned int i;
[at][at] -1016,6 +1035,41 [at][at]
}
}

+static void
+secu_PrintRawStringNoWrap(FILE *out, SECItem *si, char *m, int level)
+{

  • unsigned int i;
  • if ( m ) {
  •    fprintf(out, "%s:", m);
    
  •    secu_Newline(out);
    
  •    SECU_Indent(out, level+1); 
    
  • }
  • for (i = 0; i < si->len; i++) {
  •    unsigned char val = si->data[i];
    
  •    fprintf(out,"%c", printable[val]);
    
  • }
  • secu_Newline(out);
    +}

+static void
+secu_PrintRawString(FILE *out, SECItem *si, char *m, int level)
+{

  • secu_PrintRawStringWithWrap(out, si, m, level);
    +}

+static void
+secu_PrintRawStringW(FILE *out, SECItem *si, char *m, int level,

  •                 int allowWrap)
    

+{

  • if (allowWrap) {
  •    secu_PrintRawStringWithWrap(out, si, m, level);
    
  • } else {
  •    secu_PrintRawStringNoWrap(out, si, m, level);
    
  • }
    +}

void
SECU_PrintString(FILE *out, SECItem *si, char *m, int level)
{
[at][at] -2349,7 +2403,7 [at][at]
}

void
-SECU_PrintName(FILE *out, CERTName *name, char *msg, int level)
+SECU_PrintNameW(FILE *out, CERTName *name, char *msg, int level, int allowWrap)
{
char *nameStr;
char *str;
[at][at] -2370,7 +2424,7 [at][at]
my.data = (unsigned char *)str;
my.len = PORT_Strlen(str);
#if 1

  • secu_PrintRawString(out, &my, msg, level);
  • secu_PrintRawStringW(out, &my, msg, level, allowWrap);
    #else
    SECU_Indent(out, level); fprintf(out, "%s: ", msg);
    fprintf(out, str);
    [at][at] -2380,6 +2434,12 [at][at]
    }

void
+SECU_PrintName(FILE *out, CERTName *name, char *msg, int level)
+{

  • SECU_PrintNameW(out, name, msg, level, 1);
    +}

+void
printflags(char *trusts, unsigned int flags)
{
if (flags & CERTDB_VALID_CA)
[at][at] -2603,6 +2663,43 [at][at]
}

int
+SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,

  •                             int level)
    

+{

  • PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
  • CERTCertificate *c;
  • int rv = SEC_ERROR_NO_MEMORY;
  • if (!arena)
  •    return rv;
    
  • /* Decode certificate */
  • c = PORT_ArenaZNew(arena, CERTCertificate);
  • if (!c)
  •    goto loser;
    
  • c->arena = arena;
  • rv = SEC_ASN1DecodeItem(arena, c,
  •                        SEC_ASN1_GET(CERT_CertificateTemplate), der);
    
  • if (rv) {
  •    SECU_PrintErrMsg(out, 0, "Error", "Parsing extension");
    
  •    goto loser;
    
  • }
  • SECU_PrintNameW(out, &c->subject, “Subject”, 0, 0);
  • SECU_PrintNameW(out, &c->issuer, “Issuer”, 0, 0);
  • SECU_PrintIntegerW(out, &c->serialNumber, “Serial Number”, 0, 0);
  • char *derIssuerB64 = BTOA_ConvertItemToAscii(&c->derIssuer);
  • char *derSerialB64 = BTOA_ConvertItemToAscii(&c->serialNumber);
  • fprintf(out, “Issuer DER Base64:\n%s\n”, derIssuerB64);
  • fprintf(out, “Serial DER Base64:\n%s\n”, derSerialB64);

+loser:

  • PORT_FreeArena(arena, PR_FALSE);
  • return rv;
    +}

+int
SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level)
{
PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
[at][at] -3252,8 +3349,10 [at][at]
printFlags(out, trust->objectSigningFlags, level+2);
}

-int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,

  •           int level, SECU_PPFunc inner)
    

+int
+SECU_PrintSignedDataSigOpt(FILE *out, SECItem *der, const char *m,

  •                       int level, SECU_PPFunc inner,
    
  •                       int withSignature)
    

{
PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTSignedData *sd;
[at][at] -3272,13 +3371,19 [at][at]
if (rv)
goto loser;

  • SECU_Indent(out, level); fprintf(out, “%s:\n”, m);
  • if(m) {
  •  SECU_Indent(out, level); fprintf(out, "%s:\n", m);
    
  • } else {
  •  level -= 1;
    
  • }
    rv = (*inner)(out, &sd->data, “Data”, level+1);
  • SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, “Signature Algorithm”,
  •          level+1);
    
  • DER_ConvertBitString(&sd->signature);
  • SECU_PrintAsHex(out, &sd->signature, “Signature”, level+1);
  • if(withSignature) {
  •  SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm",
    
  •                        level+1);
    
  •  DER_ConvertBitString(&sd->signature);
    
  •  SECU_PrintAsHex(out, &sd->signature, "Signature", level+1);
    
  • }
    SECU_PrintFingerprints(out, der, “Fingerprint”, level+1);
    loser:
    PORT_FreeArena(arena, PR_FALSE);
    [at][at] -3286,6 +3391,20 [at][at]

}

+int
+SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,

  •                 int level, SECU_PPFunc inner)
    

+{

  • return SECU_PrintSignedDataSigOpt(out, der, m, level, inner, 0);
    +}

+int
+SECU_PrintSignedContent(FILE *out, SECItem *der, const char *m,

  •                    int level, SECU_PPFunc inner)
    

+{

  • return SECU_PrintSignedDataSigOpt(out, der, m, level, inner, 0);
    +}

SECStatus
SEC_PrintCertificateAndTrust(CERTCertificate *cert,
const char *label,
diff -r bfb03680c56d security/nss/cmd/lib/secutil.h
— a/security/nss/cmd/lib/secutil.h Thu Apr 09 12:43:15 2009 -0400
+++ b/security/nss/cmd/lib/secutil.h Tue Apr 14 11:47:51 2009 -0700
[at][at] -205,6 +205,7 [at][at]

/* Print integer value and hex */
extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
+extern void SECU_PrintIntegerW(FILE *out, SECItem *i, char *m, int level, int allowWrap);

/* Print ObjectIdentifier symbolically */
extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char m, int level);
[at][at] -259,6 +260,13 [at][at]
/
Dump contents of certificate */
extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);

+/*
+extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, CERTCertTrust *trust,

  •                                        char *m, int level);
    

+*/
+
+extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,

  •                                        int level);
    

/* print trust flags on a cert */
extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m,
int level);
[at][at] -289,6 +297,9 [at][at]
extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
int level, SECU_PPFunc inner);

+extern int SECU_PrintSignedContent(FILE *out, SECItem *der, const char *m,

  •                               int level, SECU_PPFunc inner);
    

/* Print cert data and its trust flags */
extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert,
const char *label,
diff -r bfb03680c56d security/nss/cmd/pp/pp.c
— a/security/nss/cmd/pp/pp.c Thu Apr 09 12:43:15 2009 -0400
+++ b/security/nss/cmd/pp/pp.c Tue Apr 14 11:47:51 2009 -0700
[at][at] -56,13 +56,15 [at][at]
static void Usage(char *progName)
{
fprintf(stderr,

  •    "Usage:  %s -t type [-a] [-i input] [-o output]\n",
    
  •    "Usage:  %s -t type [-x] [-a] [-i input] [-o output]\n",
       progName);
    

    fprintf(stderr, “%-20s Specify the input type (must be one of %s,\n”,
    “-t type”, SEC_CT_PRIVATE_KEY);
    fprintf(stderr, “%-20s %s, %s, %s,\n”, “”, SEC_CT_PUBLIC_KEY,
    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
    fprintf(stderr, “%-20s %s or %s)\n”, “”, SEC_CT_PKCS7, SEC_CT_CRL);

  • fprintf(stderr, “%-20s When used with -t %s, dump ID information\n”,

  •        "-x", SEC_CT_CERTIFICATE);    
    

    fprintf(stderr, “%-20s Input is in ascii encoded form (RFC1113)\n”,
    “-a”);
    fprintf(stderr, “%-20s Define an input file to use (default is stdin)\n”,
    [at][at] -81,6 +83,7 [at][at]
    SECItem der, data;
    char *typeTag;
    PLOptState *optstate;

  • int dumpID;

    progName = strrchr(argv[0], ‘/’);
    progName = progName ? progName+1 : argv[0];
    [at][at] -89,7 +92,8 [at][at]
    inFile = 0;
    outFile = 0;
    typeTag = 0;

  • optstate = PL_CreateOptState(argc, argv, “at:i:o:”);
  • dumpID = 0;

  • optstate = PL_CreateOptState(argc, argv, “axt:i:o:”);
    while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) {
    switch (optstate->option) {
    case ‘?’:
    [at][at] -100,6 +104,10 [at][at]
    ascii = 1;
    break;

  •      case 'x':
    
  •        dumpID = 1;
    
  •        break;
    
  •  case 'i':
       inFile = PR_Open(optstate->value, PR_RDONLY, 0);
       if (!inFile) {
    

[at][at] -150,8 +158,13 [at][at]

 /* Pretty print it */
 if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0) {
  • rv = SECU_PrintSignedData(outFile, &data, “Certificate”, 0,
  •             SECU_PrintCertificate);
    
  •  if (dumpID) {
    
  •      rv = SECU_PrintSignedData(outFile, &data, 0, 0,
    
  •                          SECU_PrintDumpDerIssuerAndSerial);
    
  •  } else {
    
  •      rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
    
  •                          SECU_PrintCertificate);
    
  •  }
    
    } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0) {
    rv = SECU_PrintSignedData(outFile, &data, “Certificate Request”, 0,
    SECU_PrintCertificateRequest);

compiling the NSS tools, and running the pp tool on your root certificate. Once you’ve got that data, put it, the EV policy OID of your choice, and the CA cert fingerprint in a file called “test_ev_roots.txt”. That text file goes in your Firefox profile directory. Once that’s set up, you run Firefox, install the root CA as a regular SSL trusted authority, and you’re ready to go.

I think it was an interesting find. Seems some people have alot of time on there hands, I also PM’D melih on a few of the places like this where people might be working on stuff like this.