From 42e94236e9f4bf2179d2aae00a68278462af16fb Mon Sep 17 00:00:00 2001
From: April King 
Date: Mon, 28 Dec 2015 16:26:21 -0600
Subject: [PATCH] Add invalid-signature.badssl.com

---
 certs/cert-generator/cert-generator.sh | 18 +++++++++++
 .../cert-signature-invalidator.py | 30 +++++++++++++++++++
 domains/cert/invalid-signature.conf | 19 ++++++++++++
 domains/cert/invalid-signature/index.html | 16 ++++++++++
 domains/misc/badssl.com/index.html | 3 +-
 .../wildcard.invalid-signature.conf | 6 ++++
 6 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100755 certs/cert-generator/cert-signature-invalidator.py
 create mode 100644 domains/cert/invalid-signature.conf
 create mode 100644 domains/cert/invalid-signature/index.html
 create mode 100644 nginx-includes/wildcard.invalid-signature.conf

diff --git a/certs/cert-generator/cert-generator.sh b/certs/cert-generator/cert-generator.sh
index 6a8dbc25..a6683db8 100755
--- a/certs/cert-generator/cert-generator.sh
+++ b/certs/cert-generator/cert-generator.sh
@@ -10,6 +10,11 @@ dnow=$(date +%s)
 du2016=$(( (d2016-dnow)/(3600*24) ))
 du2017=$((du2016+365))
+# Create the self-signed directory, since jekyll doesn't clone empty directories
+if [[ ! -d ../self-signed ]]; then
+ mkdir ../self-signed
+fi
+
 # Ask to regenerate keys if not invoked from make keys
 if [[ $# -gt 0 ]]; then
 regen=${1}
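Review bot: `mkdir ../self-signed` creates the directory with whatever the caller's umask allows, yet later in this same patch the directory holds the CA private key (`-CAkey ../self-signed/badssl-intermediate.key`) next to the generated certificates. If that key is meant to stay private on the generating machine, create the directory restrictively, `mkdir -p -m 0700 ../self-signed`, which also makes the `[[ ! -d ../self-signed ]]` guard unnecessary since `-p` is a no-op on an existing directory. Whether secrecy of these test keys matters for a badssl deployment is not visible here, so confirm before changing the mode. A comment such as `# ../self-signed receives the keys and certs generated below; jekyll drops it when empty` would make the purpose clearer than the current wording.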
@@ -72,6 +77,19 @@ cp out.pem ../self-signed/wildcard.incomplete-chain.pem
 rm out.pem
 echo
+echo "Signing BadSSL Invalid Signature Certificate"
+openssl x509 -req -days 730 -sha256 -CAcreateserial \
+ -in badssl-wildcard.csr \
+ -CA ../self-signed/badssl-intermediate.pem \
+ -CAkey ../self-signed/badssl-intermediate.key \
+ -extfile badssl-wildcard.conf \
+ -extensions req_v3_usr \
+ -out out.pem
+echo "Running the certificate invalidator to break the signature on the certificate"
+./cert-signature-invalidator.py out.pem
+cat out.pem ../self-signed/badssl-intermediate.pem ../self-signed/badssl-root.pem > ../self-signed/wildcard.invalid-signature.pem
+echo
+
 echo "Signing BadSSL SHA-1 Certificate, expiring 2016"
+openssl x509 -req -days $du2016 -sha1 -CAcreateserial \
 -in badssl-wildcard.csr \
diff --git a/certs/cert-generator/cert-signature-invalidator.py b/certs/cert-generator/cert-signature-invalidator.py
new file mode 100755
index 00000000..6496abdf
--- /dev/null
+++ b/certs/cert-generator/cert-signature-invalidator.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+
+import sys
+
+# Because actually parsing X.509/ASN.1 is for chumpy-chumps
+
+if len(sys.argv) != 2:
+ print sys.argv[0] + ' ' +
+ sys.exit(1)
+
+with open(sys.argv[1], 'rb+') as certf:
+ # Seek to the last part of the cert that's not padded with '='
+ certf.seek(-28, 2)
+ while certf.read(1) == '=':
+ certf.seek(-2, 1)
+
+ # Then seek back 5 from the cursor position of the last read
+ certf.seek(-6, 1)
+
+ # Make sure we're not on a line ending
+ while certf.read(1) in ('\r', '\n'):
+ certf.seek(-2, 1)
+ certf.seek(-1, 1)
+
+ # Read in that value
+ value = certf.read(1)
+ certf.seek(-1, 1)
+
+ # And overwrite it
+ certf.write('0') if value != '0' else certf.write('1')
diff --git a/domains/cert/invalid-signature.conf b/domains/cert/invalid-signature.conf
new file mode 100644
index 00000000..cbbefb15
--- /dev/null
+++ b/domains/cert/invalid-signature.conf
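Review bot: The exit status of `./cert-signature-invalidator.py out.pem` is never checked, so if the script fails or exits without touching the file the following `cat` still packages out.pem into wildcard.invalid-signature.pem and the host would serve a perfectly valid chain under the invalid-signature name (unless the script runs under `set -e`, which is outside this hunk). Make the step fail loudly and prove the breakage before concatenating: `./cert-signature-invalidator.py out.pem || exit 1` followed by `openssl verify -CAfile ../self-signed/badssl-root.pem -untrusted ../self-signed/badssl-intermediate.pem out.pem && { echo "signature still verifies"; exit 1; }`. The SHA-1 certificates below derive their lifetime from `$du2016`, whereas this one hard-codes `-days 730`; a short comment on why a fixed two years is intended here would help the next person editing the expiry logic.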
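Review bot: The edit is done blind — `certf.seek(-28, 2)` assumes the file ends in exactly `-----END CERTIFICATE-----` plus a single LF, and nothing verifies that, so a CRLF file or any other trailer gets a byte corrupted in the wrong place (or a still-valid certificate left behind) with exit status 0. Check the trailer before seeking and bail otherwise: `certf.seek(-26, 2)` then `if certf.read() != '-----END CERTIFICATE-----\n': sys.exit('unexpected PEM trailer')`. The script is also Python 2 only despite the unversioned `#!/usr/bin/env python`: the `print` statement aside, `'='` and `'0'` are str while an `rb+` file yields and expects bytes, so under Python 3 the `==` and `in` loops never match and `certf.write('0')` raises TypeError — pin the shebang to `python2` or use `b'...'` literals. Finally, the comment `# Then seek back 5` disagrees with the `certf.seek(-6, 1)` it describes, and the usage `print` line appears truncated in this rendering.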
@@ -0,0 +1,19 @@
+---
+---
+server {
+ listen 80;
+ server_name invalid-signature.{{ site.domain }};
+
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443;
+ server_name invalid-signature.{{ site.domain }};
+
+ include {{ site.serving-path }}/nginx-includes/wildcard.invalid-signature.conf;
+ include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+ include {{ site.serving-path }}/common/common.conf;
+
+ root {{ site.serving-path }}/domains/cert/invalid-signature;
+}
diff --git a/domains/cert/invalid-signature/index.html b/domains/cert/invalid-signature/index.html
new file mode 100644
index 00000000..f0998cbf
--- /dev/null
+++ b/domains/cert/invalid-signature/index.html
@@ -0,0 +1,16 @@
+---
+subdomain: invalid-signature
+layout: page
+favicon: red
+background: red
+---
+
+
+

+ {{ page.subdomain }}.
{{ site.domain }} +

+
+ + diff --git a/domains/misc/badssl.com/index.html b/domains/misc/badssl.com/index.html index c54ab5de..d977f573 100644 --- a/domains/misc/badssl.com/index.html +++ b/domains/misc/badssl.com/index.html @@ -214,8 +214,9 @@