
8 posts from August 2010


New Vim v7.3 is Out

A new version of vim was released over the weekend!  The vim release announcement highlights some of the new features in this version and Andy Lester covered some of the neat, new Perl-specific fun that made it in as well, including syntax highlighting support for new Perl 5.1x keywords (and Perl 6!). Alas, groovy and java support appears to be unchanged from version 7.2.

Downloadable files are located at the vim.org ftp site and here is a direct link for the Windows version.

macvim was updated over the weekend as well, for those of us snow leopard users who prefer Command-C over 'yank yank' (although 'yy' to copy works, too!).


Helpful Information: 7 Common web.xml Security Misconfigurations

I came across this very useful post on the SANS Street Fighter Blog:  Seven Security (Mis)Configurations in Java web.xml Files.  I think a lot of people will find it interesting, too.  Several of these are easily identifiable as items that will alert on PCI compliance scans. 

Out of curiosity, how many of you out there roll your own tomcat implementations incorporating many of these types of changes into a custom build?  Or, do you use some other mechanism for making your tomcat or jboss builds "production-ready"?


Groovy: Extended Validation Certificate Determination

Many people come to this site looking for information on testing and verifying extended validation certificates.  Despite my low opinion of them, extended validation certificates are here to stay, so I thought it would be fun and interesting to see just how difficult it would be to write some script to determine whether a certificate is an extended validation one or not.  

The Wikipedia article on extended validation certificates suggests that all you really need to do is retrieve the Object ID (OID) of the Certificate Policy ID in the certificate's Certificate Policies extension.  If that OID matches a known pattern, the certificate is an extended validation certificate; if not, it's a traditional cert.  The Wikipedia article even provides a list of OIDs to get started with.

Figuring out what needed to be done seemed fairly straightforward, though given Firefox's problems with EV certs last year, perhaps my assumptions about how to determine whether an EV cert is actually an EV cert are far too simplistic:  establish a connection to a remote host, download the certificate, parse the Certificate Policy ID from the Certificate Policies extension, look it up in an array, map, or collection of known Certificate Policy IDs, and print out whether it is EV or not.  Sounds simple, right?  It turns out that, for me, it was freakishly hard!  To give you an idea how hard, I first began writing this post in July 2009!  Granted, lots of other things have pulled me away from this over the past year, but that's still quite a while.  I'm glad that no one was paying me for this!

Below is my first pass at a new script written in Groovy, using no add-on modules beyond what comes with a standard Groovy 1.7.4 installation.  For now, I'm calling the script evnark.  All you need to run it is a Groovy installation and a JVM.  I've only tested this on a Mac running Groovy 1.7.4 and OS X's 1.6.20 JVM.  When run, the script outputs the Certificate Policy ID found in the certificate.  If that Certificate Policy ID matches a known Extended Validation Certificate Policy ID, a second line of output is displayed:  "This is an EV cert."  If it does not match, no additional output is provided.

I've spent much of my free time over the last couple of weeks trying to get the parsing to work, so there will probably be a revised version of this script in the future.  Right now, I'm not at all happy with how the script compares the value of the Certificate Policy ID to the map, and I hope that someone reading this will comment with a better way of doing it.  I'm also wondering whether there is a cleaner way of drilling down into the Certificate Policies section to retrieve the ID that doesn't involve eight lines of code setting variables.  This version of the script will not fail gracefully with self-signed certificates, expired certificates, certificate names that do not match domain names, or other typical SSL warnings and errors; I'm saving better exception handling for release 0.2.  Finally, the ev_oids map lists all Certificate Authorities known to me, but many of these CAs either don't offer Extended Validation certificates at this time, or I was unable to determine the Certificate Policy ID for EV certs from those CAs.  That work is still ongoing.

Downloads are now available from the main EVNark page

#!/usr/bin/env groovy
// usage: 'evnark [-h/--host "hostname"] [-p/--port "port"]'

import javax.net.ssl.*
import sun.security.x509.*

/* This section sets up the command
   line arguments portion of this script. */

def cli = new CliBuilder( usage: 'evnark [-h/--host "hostname"] [-p/--port "port"]' )
cli.h( longOpt:'host', args:1, required:true, 'The host or site you want to test' )
cli.p( longOpt:'port', args:1, required:false, 'Optional. Defaults to port 443' )

def opt = cli.parse(args)
if (!opt) return

def host = opt.h
def port = opt.p ? Integer.parseInt(opt.p) : 443

/* Known EV Certificate Policy IDs, keyed by CA.  A value ending in '.' is
   the CA's OID arc and is matched as a prefix; an empty value means the EV
   policy ID for that CA is not known yet and never matches. */
def ev_oids = [
  // 'A-Trust GmbH'  => ' Doesn't appear to offer them...yet ',
  // 'AC Camerfirma SA'  => ' Doesn't appear to offer them...yet ',
  'Buypass AS':'2.16.578.',
  // 'Certum':' Doesn't appear to offer them...yet ',
  'Comodo CA Limited':'',
  'Cybertrust, Inc':'',
  // 'D-TRUST GmbH':' Doesn't appear to offer them...yet ',
  // 'DanID':' Doesn't appear to offer them...yet ',
  'DigiCert Inc':'2.16.840.1.114412.2.1',
  // 'Echoworx Corporation':' Doesn't appear to offer them...yet ',
  'Entrust, Inc.':'2.16.840.1.114028.10.1.2',
  'GeoTrust Inc.':'',
  // 'Getronics PinkRoccade':'Doesn't appear to offer them...yet  ',
  'GlobalSign nv-sa':'',
  'The Go Daddy Group, Inc.':'2.16.840.1.114413.',
  // 'IdenTrust, Inc.':' Doesn't appear to offer them...yet ',
  // 'IpsCA, IPS Certification Authority s.l.':' ',
  // 'Izenpe S.A.':' ',
  'Network Solutions L.L.C.':'',
  'QuoVadis Limited':'',
  // 'RSA Security, Inc.':' ',
  'SECOM Trust Systems CO.,LTD.':'1.2.392.200091.100.721.1',
  'SecureTrust Corporation':'2.16.840.1.114404.',
  // 'Skaitmeninio sertifikavimo centras (SSC)':' ',
  'StartCom Ltd.':'',
  'Starfield Technologies':'2.16.840.1.114414.',
  'SwissSign AG':'2.16.756.',
  // 'T-Systems Enterprise Services GmbH':' ',
  // 'TC TrustCenter GMBh':' ',
  'thawte, Inc.':'2.16.840.1.113733.',
  // 'Trustis Limited':' ',
  'ValiCert, Inc.':'2.16.840.1.114414.',
  'VeriSign, Inc.':'2.16.840.1.113733.',
  'Wells Fargo WellsSecure':'2.16.840.1.114171.500.9'
]

/* Look a Certificate Policy ID up in the map: exact match for a full OID,
   prefix match for entries ending in '.'.  Returns the CA name or null. */
def evIssuer = { String policyId ->
  ev_oids.find { ca, oid ->
    oid && ( policyId == oid || ( oid.endsWith('.') && policyId.startsWith(oid) ) )
  }?.key
}

/* Runs once the SSL handshake completes; the peer's certificate chain
   comes with the event.  A closure coerced to the listener interface can
   see ev_oids and evIssuer, which a separately declared class could not. */
def listener = { HandshakeCompletedEvent e ->
  def certs = e.peerCertificates
  def crt = certs[0]                 // the server's (end-entity) certificate
  // Drill down: Certificate Policies extension -> list of PolicyInformation
  def ext = crt.getCertificatePoliciesExtension()
  if (ext == null) {
    println "No Certificate Policies extension found in the certificate."
    return
  }
  def policies = ext.get(CertificatePoliciesExtension.POLICIES)
  for ( PolicyInformation info in policies ) {
    CertificatePolicyId id = info.getPolicyIdentifier()
    def certpolicyid = id.getIdentifier().toString()
    println ""
    println "Found Certificate Policy ID: ${certpolicyid}"
    def ca = evIssuer(certpolicyid)
    if (ca) println "This is an EV Cert signed by ${ca}"
  }
} as HandshakeCompletedListener

// Create the socket, register the listener and start the handshake;
// nothing is printed until the handshake actually runs.
def factory = SSLSocketFactory.getDefault()
def socket = null
try {
  socket = factory.createSocket(host, port)
  socket.addHandshakeCompletedListener(listener)
  socket.startHandshake()
} catch (SSLHandshakeException ex) {
  println "SSL handshake failed: ${ex.message}"
} catch (SSLException ex) {
  println "The port number you specified (${port}) \ndoes not appear to be an ssl port"
} finally {
  socket?.close()
}
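As an added example that is not part of the original post: the same Certificate Policy ID extraction and EV lookup, done on the raw DER bytes of the Certificate Policies extension (the value the public java.security.cert.X509Certificate.getExtensionValue("2.5.29.32") API returns), so no sun.security.x509 internals are needed. It is written in Python so it runs on a constructed sample without a JVM or a live TLS connection; the EV_OIDS table is a subset of evnark's map with the same trailing-dot prefix convention, and the sample bytes and the 2.16.578.99 policy under the Buypass arc are constructed, not real.

```python
# Added example, not the post's code: EV check on the raw Certificate Policies DER.
# EV_OIDS follows evnark's convention: a trailing '.' is a CA arc matched as a prefix.
EV_OIDS = {
    "DigiCert Inc": "2.16.840.1.114412.2.1",
    "Entrust, Inc.": "2.16.840.1.114028.10.1.2",
    "Buypass AS": "2.16.578.",
    "SwissSign AG": "2.16.756.",
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID content bytes into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0  # first byte packs the first two arcs
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)           # base-128; high bit set means more to come
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_ids(ext_value):
    """ext_value = OCTET STRING { SEQUENCE OF PolicyInformation { policyIdentifier, ... } }."""
    _, seq, _ = read_tlv(ext_value, 0)          # unwrap the OCTET STRING
    _, body, _ = read_tlv(seq, 0)               # outer SEQUENCE OF
    pos, ids = 0, []
    while pos < len(body):
        _, info, pos = read_tlv(body, pos)      # one PolicyInformation SEQUENCE
        _, oid, _ = read_tlv(info, 0)           # its first element is the policy OID
        ids.append(decode_oid(oid))
    return ids

def ev_issuer(policy_id):
    """Return the CA whose EV policy matches (exact OID or arc prefix), or None."""
    return next((ca for ca, oid in EV_OIDS.items()
                 if policy_id == oid or (oid.endswith(".") and policy_id.startswith(oid))), None)

# Constructed sample (hand-encoded DER) with two policies: DigiCert's EV OID 2.16.840.1.114412.2.1 and a made-up 2.16.578.99 under the Buypass arc.
SAMPLE_EXT = bytes.fromhex("04173015300b06096086480186fd6c02013006060460844263")

if __name__ == "__main__":
    for pid in policy_ids(SAMPLE_EXT):
        ca = ev_issuer(pid)
        print(f"Found Certificate Policy ID: {pid}" + (f" -> EV cert signed by {ca}" if ca else ""))
```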