lastpass / lastpass-cli

LastPass command line interface tool
GNU General Public License v2.0
2.85k stars 292 forks

MITM CA issue? #518

Closed JG127 closed 5 years ago

JG127 commented 5 years ago

In my case lpass login immediately fails with the error "Error: Peer certificate cannot be authenticated with given CA certificates." I've upgraded to the 1.3.3 release and checked pins.h for missing signatures. The signatures are all there. So it can't be the usual cause.

According to the certificate chain I see from https://www.lastpass.com my company's CA has issued the Lastpass certificate. MITM.

Could it be this also changes the signature? It would explain the error.

If this is the case, can somebody tell me how I can compute the signature? I'll add it into pins.h and recompile.

JG127 commented 5 years ago

Got it! To answer my own question: Yes it does. The signature is different when the certificate chain was modified by the MITM decryption. And indeed the login succeeds when the new signature is added. (Although I am not certain this is the best way to solve such an issue. But in the meantime it gets me going.)

For posterity then:

  1. Run the command openssl s_client -servername www.lastpass.com -connect www.lastpass.com:443 </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 and see the signature on the screen.
  2. Download and extract the project's zip file into a directory.
  3. Open pins.h in your text editor and add the following lines to the already present signatures.
    /* mitm modified certificate of www.lastpass.com */
    "< signature from step 1 >",
  4. Save pins.h and exit editor.
  5. Run sudo apt-get --no-install-recommends -yqq install bash-completion build-essential cmake libcurl4 libcurl4-openssl-dev libssl-dev libxml2 libxml2-dev libssl1.1 pkg-config ca-certificates xclip to install the compiler and its dependencies.
  6. Run make to compile the source code.
  7. Run sudo make install to install the executable into the system's path.
  8. Run lpass login < user id > to log into LP.
  9. Delete the downloaded source zip file and the extracted content.

Hope this helps somebody else on their way too.
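The value the comment above calls a "signature" is an SPKI pin: the base64 SHA-256 digest of the DER-encoded SubjectPublicKeyInfo of the leaf certificate, which is why an interception proxy that re-signs the leaf with its own key produces a different value. The script below is an added example, not lastpass-cli code and not from the commenter: it computes that pin from a PEM certificate with the same openssl pipeline, cross-checks it from the private key, and tests whether the pin is already present in a pins.h-style file. It runs offline against two constructed self-signed certificates standing in for the genuine leaf and the proxy-issued one; the hostname, the O= values and the PK_PINS array name in the fixture are assumptions. spki_pin_of_host is the live variant of step 1 and is defined but not called.

```shell
#!/bin/sh
# Added example (not lastpass-cli code): compute the SPKI SHA-256 pin that a
# pins.h-style list holds, and check whether a given certificate is pinned.
set -eu

# SPKI pin of a PEM certificate file: base64(SHA-256(DER SubjectPublicKeyInfo)).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Same value derived from the private key; used only to cross-check spki_pin.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Live variant of the comment's step 1: pin of the leaf a host presents.
# stdin from /dev/null makes s_client exit after the handshake instead of
# waiting for input. Behind an interception proxy this yields the proxy's pin.
spki_pin_of_host() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Is the pin present as a quoted string literal in a pins.h-style file?
pin_present() {
    grep -Fq "\"$1\"" "$2"
}

# Issuer of a PEM certificate: how the commenter noticed the company CA.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# --- constructed fixture: two self-signed certs with different keys, one
# standing in for the genuine leaf and one for the proxy-issued leaf.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
for name in genuine proxy; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=www.example.test/O=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
done

GENUINE_PIN=$(spki_pin "$WORK/genuine.pem")
PROXY_PIN=$(spki_pin "$WORK/proxy.pem")

# Constructed pins.h fragment; the array name PK_PINS is an assumption.
cat >"$WORK/pins.h" <<EOF
/* constructed pins.h fragment for this example */
static const char *PK_PINS[] = {
    /* genuine leaf */
    "$GENUINE_PIN",
};
EOF

printf 'genuine issuer: %s\nproxy issuer:   %s\n' \
    "$(cert_issuer "$WORK/genuine.pem")" "$(cert_issuer "$WORK/proxy.pem")"
printf 'genuine pin: %s\nproxy pin:   %s\n' "$GENUINE_PIN" "$PROXY_PIN"
if pin_present "$PROXY_PIN" "$WORK/pins.h"; then
    echo "proxy pin is in pins.h"
else
    echo "proxy pin is not in pins.h: the pin check would fail, as in the thread"
fi
```

Adding the proxy's pin to pins.h makes the client trust whatever key that proxy uses for www.lastpass.com, so the check is only as strong as the proxy; the entry also stops matching as soon as the proxy rotates its key, at which point the same login error returns and the pin has to be recomputed.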