Add invalid-signature.badssl.com

certs/cert-generator/cert-generator.sh

@@ -10,6 +10,11 @@ dnow=$(date +%s)
 du2016=$(( (d2016-dnow)/(3600*24) ))
 du2017=$((du2016+365))
 
+# Create the self-signed directory, since jekyll doesn't clone empty directories
+if [[ ! -d ../self-signed ]]; then
+  mkdir ../self-signed
+fi
+
 # Ask to regenerate keys if not invoked from make keys
 if [[ $# -gt 0 ]]; then
   regen=${1}
@@ -72,6 +77,19 @@ cp out.pem ../self-signed/wildcard.incomplete-chain.pem
 rm out.pem
 echo
 
+echo "Signing BadSSL Invalid Signature Certificate"
+openssl x509 -req -days 730 -sha256 -CAcreateserial \
+  -in badssl-wildcard.csr \
+  -CA ../self-signed/badssl-intermediate.pem \
+  -CAkey ../self-signed/badssl-intermediate.key \
+  -extfile badssl-wildcard.conf \
+  -extensions req_v3_usr \
+  -out out.pem
+echo "Running the certificate invalidator to break the signature on the certificate"
+./cert-signature-invalidator.py out.pem
+cat out.pem ../self-signed/badssl-intermediate.pem ../self-signed/badssl-root.pem > ../self-signed/wildcard.invalid-signature.pem
+echo
+
 echo "Signing BadSSL SHA-1 Certificate, expiring 2016"
 openssl x509 -req -days $du2016 -sha1 -CAcreateserial \
   -in badssl-wildcard.csr \

certs/cert-generator/cert-signature-invalidator.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+
+import sys
+
+# Because actually parsing X.509/ASN.1 is for chumpy-chumps
+
+if len(sys.argv) != 2:
+    print sys.argv[0] + ' <certificate to corrupt>'
+    sys.exit(1)
+
+with open(sys.argv[1], 'rb+') as certf:
+    # Seek to the last part of the cert that's not padded with '='
+    certf.seek(-28, 2)
+    while certf.read(1) == '=':
+        certf.seek(-2, 1)
+
+    # Then seek back 5 from the cursor position of the last read
+    certf.seek(-6, 1)
+
+    # Make sure we're not on a line ending
+    while certf.read(1) in ('\r', '\n'):
+        certf.seek(-2, 1)
+    certf.seek(-1, 1)
+
+    # Read in that value
+    value = certf.read(1)
+    certf.seek(-1, 1)
+
+    # And overwrite it
+    certf.write('0') if value != '0' else certf.write('1')

domains/cert/invalid-signature.conf

@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name invalid-signature.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name invalid-signature.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/wildcard.invalid-signature.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/cert/invalid-signature;
+}

domains/cert/invalid-signature/index.html

@@ -0,0 +1,16 @@
+---
+subdomain: invalid-signature
+layout: page
+favicon: red
+background: red
+---
+
+<div id="content">
+  <h1 style="font-size: 12vw;">
+    {{ page.subdomain }}.<br>{{ site.domain }}
+  </h1>
+</div>
+
+<div id="footer">
+  This site's certificate contains an invalid digital signature.
+</div>

domains/misc/badssl.com/index.html

@@ -214,8 +214,9 @@
   <div id="links">
     <h2>Certificate:</h2>
       <a href="https://expired.{{ site.domain }}/" class="bad">expired</a>
-      <a href="https://wrong.host.{{ site.domain }}/" class="bad">wrong.host</a>
+      <a href="https://invalid-signature.{{ site.domain }}/" class="bad">invalid-signature</a>
       <a href="https://self-signed.{{ site.domain }}/" class="bad">self-signed</a>
+      <a href="https://wrong.host.{{ site.domain }}/" class="bad">wrong.host</a>
       <hr>
       <a href="https://sha1-2016.{{ site.domain }}/" class="dubious">sha1-2016</a>
       <a href="https://sha1-2017.{{ site.domain }}/" class="bad">sha1-2017</a>

nginx-includes/wildcard.invalid-signature.conf

@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.serving-path }}/certs/wildcard.invalid-signature.pem;
+ssl_certificate_key /etc/keys/badssl.com.key;