extract public key from Certificate Signing Request

Hi is there a way where we can extract public key from certificate signing request ? if so can this be done using python3 ? here is the sample csr from https://www.digicert.com/order/sample-csr.php as an example. I have some POC regarding this, please let me know the steps of extracting public key from CSR, or do I need to provide more information.

-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST----- 

Robocalls after signing up for Gsuite and Amazon?

I have a number and phone that rarely use and rings in the last 9 months. It doesn’t have any contacts in it. I don’t think I have used it to sign up for anything in the last 9 months either.

Recently, just the beginning of the week, as I started to explore VPC services, I used it to sign up for 2FA with AWS, download a google authenticator and use it to register for Gsuite. Out of a sudden, it started to receive robocalls. Unless is purely coincidental and perfect timing, I wonder if it says anything about security and confidentiality?

I do not know much about security, but if phone number that is used for signing up products and services that are meant as security measures is not encrypted or kept confidential, what does it mean?

If this is not the right SE to ask this question, please kindly direct me to one. Thanks.

How to report false positive to Google Safe Browsing without signing up with Google?

I was wondering how to report a false positive to Google Safe Browsing without having to create a Google account and feeding their insatiable hunger for more data?

I have not found such a way as of yet. Google pretty much seems intent on preventing any contact in this matter or others.

Background

My domain – yep whole one, including subdomains – was reported as (two examples):

Firefox blocked this page because it might try to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).

… and:

This site is unsafe

The site https://***********.net/ contains harmful content, including pages that:

Install unwanted or malicious software on visitors’ computers

I won’t disclose my domain here, but given I have a list of digests for all the files located on my (private) website and the list is signed with my PGP key and I verified the hashes and the signature and all checked out, I am sufficiently certain that this is a false positive. None of these files have changed in the last four years, because my current software development activities are going on elsewhere.

Unfortunately there is no useful information to be had from the “details” provided by Google Safe Browsing. A full URL to the alleged malicious content would have been helpful; heck even a file name or something like MIME-type plus cryptographic hash …

I have two pieces of content on my website where one could debate whether they are PUA/PUP (as it’s called these days). Both are executables inside a ZIP file and alongside the respective source code which was used to create those executables. So in no way would any of that attempt to install anything on a visitors computer, unless we imagine a fictitious browser hellbent on putting its user at risk by requesting to run at highest privileges upon start and then unpacking every download and running found executables without user interaction. And even then one of the two pieces of software would fail and the other would be visible.

  1. One is a Proof of Concept for an exploit of Windows debug ports which has been patched for well over a decade and so will hardly be a danger to anyone.
  2. The other is a tutorial which includes a keylogger which – when run – is clearly visible to the user. So no shady dealings here either.

But since these two items came up in the past, I thought I should mention them.

Anyway, a cursory check on VirusTotal showed one out of seventy engines giving a “malicious” for my domain. Given Google bought VT some time ago, it stands to reason they use it for Google Safe Browsing.

The mysterious engine with the detection is listed as “CRDF” and I still have been unable to find out who or what that refers to. So obviously there is no way to appeal, request a review or whatever … seems Google is judge, jury and executioner in this one.

So how do I “appeal”?

What is the use case of request signing in this mobile app?

The API of a mobile app I was testing is receiving the AWS AccessKeyId and SecretKey used for request signing from the AWS Cognito server unencrypted (apart from the regular TLS encryption). Making it possible to re-sign all requests to their AWS Lambda API, e.g. using Burp’s “AWS Signer” extension.

With this, a Man-In-The-Middle could sign all altered requests, so I wonder what the actual use case of request signing is, in this instance?

Shouldn’t the AccessKeyID and SecretKey be kept secret?

The owner of the app is telling me that this is not an issue because they are following the AWS guidelines.

Is that correct? Or are they doing something wrong?

Why would they sign the requests in the first place in their mobile app? What is the use case of signing the requests, when the ‘secrets’ for creating a signature are distributed via the same connection in clear (except TLS)?

Is this conform with best practices, when using AWS Lambda for serverless mobile app APIs? Is request signing even useful in this instance? Most apps I have tested didn’t use request signing.

How to verify that Google’s apt signing key change is not malicious?

I have an Ansible script that setup google chrome apt repo. I keep Google’s signing key together with the scripts (rather than download it every time) because I think it minimizes the chance of getting malicious key (TOFU security model).

Now the key no longer works:

W: GPG error: http://dl.google.com/linux/chrome/deb stable Release:     The following signatures couldn't be verified because the public key    is not available: NO_PUBKEY 78BD65473CB3BD13 E: The repository 'http://dl.google.com/linux/chrome/deb stable Release' is not signed. 

The url from which I’ve originally downloaded it points to a different key (as in: the files differ). Moreover, I tried getting the key by fingerprint from a different source:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 78BD65473CB3BD13 apt-key export 78BD65473CB3BD13 

And I got yet another, different file. Which one should I use? How do I make sure that I can trust it? Is there a way to check that the old key just expired and the new one is a valid successor?

Confirming the validity/ownership of a Android Signing Certificate

I have a certificate that says the application was signed by Google, but on multiple searches I have reason to believe that it’s not actually a google signing certificate.

Is there a way to query google for their approved signing certificates to check the validity?

- Issuer: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US - Serial number: c2e08746644a308d - Valid from: Thu Aug 21 17:13:34 MDT 2008 until: Mon Jan 07 16:13:34 MST 2036 - Certificate fingerprints: - SHA1: 38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88 - SHA256: F0:FD:6C:5B:41:0F:25:CB:25:C3:B5:33:46:C8:97:2F:AE:30:F8:EE:74:11:DF:91:04:80:AD:6B:2D:60:DB:83 - Signature algorithm name: MD5withRSA (weak) - Subject Public Key Algorithm: 2048-bit RSA key - Version: 3 

I am signing (HMAC) outgoing webhooks to allow users to verify their source, should I also sign outgoing responses?

To allow api users to verify the authenticity of outgoing webhooks, I am using a similar model to slack:

  • Concatenate timestamp and body, HMAC with pre-shared key, add timestamp and HMAC digest to headers.

  • Recipient does the same, and compares to the digest in the header.

I can either implement this exclusively on outgoing webhooks, or I can implement it as middleware that performs this process on both outgoing webhooks, and responses to requests.

Is doing the latter good practice? A good idea?

Is any key signing party directory – or a mean to facilitate such meetings, exists?

I need to develop my web of trust. I don’t live in or near a metropolitan area and as such it is a bit difficult to find possible local people to sign. I assume I must not be alone in that context.

My question: is there any directory/listings of upcoming gpg-signing party per area, or any existing infrastructure to facilitate such meetings? Or alternative ways to find / meet people who can sign?