rot(NSG): add 12 new certs (#106)

Author: loicsikidi

.github/workflows/sanity-check.yaml

@@ -90,6 +90,14 @@ jobs:
             vendor-id: IFX
             cert-type: intermediate
             config-file: .tpm-intermediates.yaml
+          - vendor: nsg
+            vendor-id: NSG
+            cert-type: root
+            config-file: .tpm-roots.yaml
+          - vendor: nsg
+            vendor-id: NSG
+            cert-type: intermediate
+            config-file: .tpm-intermediates.yaml
           - vendor: stm
             vendor-id: STM
             cert-type: root

.tpm-intermediates.yaml

@@ -818,6 +818,59 @@ vendors:
           validation:
             fingerprint:
                 sha256: "EF:3A:56:45:E8:5C:87:82:34:43:19:4F:52:05:AC:59:0E:A9:D6:B9:B9:CE:06:58:74:91:F9:56:35:F0:EE:59"
+    - id: "NSG"
+      name: "NSING"
+      certificates:
+        - name: "NSING TPM ECC EK CA 001"
+          url: "https://pki.nsing.com.sg/NSEccEkCA001/NSEccEkCA001.crt"
+          validation:
+            fingerprint:
+                sha256: "C3:4A:98:41:22:F0:92:2F:A0:BA:06:7A:12:5D:68:BF:1F:2A:26:07:AD:94:01:CD:03:E5:65:55:0F:32:8A:8E"
+        - name: "NSING TPM ECC EK CA 002"
+          url: "https://pki.nsing.com.sg/NSEccEkCA002/NSEccEkCA002.crt"
+          validation:
+            fingerprint:
+                sha256: "2A:D7:14:FE:3F:C7:FC:00:90:5D:7E:8D:0B:6E:73:81:FA:A4:E3:E8:E0:09:AC:BE:A7:91:56:65:F3:CD:58:AD"
+        - name: "NSING TPM ECC EK CA 003"
+          url: "https://pki.nsing.com.sg/NSEccEkCA003/NSEccEkCA003.crt"
+          validation:
+            fingerprint:
+                sha256: "25:3B:E9:61:F9:B4:FF:7C:8A:F7:67:2C:AA:A1:5D:DA:D9:5A:CD:D3:E1:02:97:C8:BC:36:D1:27:9C:AF:6D:93"
+        - name: "NSING TPM ECC EK CA 004"
+          url: "https://pki.nsing.com.sg/NSEccEkCA004/NSEccEkCA004.crt"
+          validation:
+            fingerprint:
+                sha256: "FB:5E:2B:64:9E:9E:D0:79:85:31:FC:6D:85:2E:0F:45:E0:D7:60:82:B9:65:28:C1:04:02:9F:0A:75:BB:82:1B"
+        - name: "NSING TPM ECC EK CA 005"
+          url: "https://pki.nsing.com.sg/NSEccEkCA005/NSEccEkCA005.crt"
+          validation:
+            fingerprint:
+                sha256: "92:52:34:EA:37:B6:B2:4C:0A:36:64:57:0C:9A:07:BB:E8:AB:54:45:DD:56:C6:04:DB:D9:52:E3:C0:EC:01:BF"
+        - name: "NSING TPM RSA EK CA 001"
+          url: "https://pki.nsing.com.sg/NSRsaEkCA001/NSRsaEkCA001.crt"
+          validation:
+            fingerprint:
+                sha256: "0A:46:61:6F:DC:D3:42:F7:85:D3:3A:9F:DA:50:07:57:3D:5A:C0:C9:96:57:9B:6E:25:DB:FC:15:B0:82:AD:1F"
+        - name: "NSING TPM RSA EK CA 002"
+          url: "https://pki.nsing.com.sg/NSRsaEkCA002/NSRsaEkCA002.crt"
+          validation:
+            fingerprint:
+                sha256: "79:A4:C2:18:09:BE:1C:7B:9B:CB:0B:C7:64:72:93:C5:F3:14:CD:19:5A:29:BD:02:27:FA:74:C6:FD:D9:55:45"
+        - name: "NSING TPM RSA EK CA 003"
+          url: "https://pki.nsing.com.sg/NSRsaEkCA003/NSRsaEkCA003.crt"
+          validation:
+            fingerprint:
+                sha256: "AC:21:E6:55:A5:D7:09:5B:53:D9:E5:A1:2B:F3:CA:42:32:06:DB:A1:63:43:AF:57:A8:10:54:C8:01:20:73:B1"
+        - name: "NSING TPM RSA EK CA 004"
+          url: "https://pki.nsing.com.sg/NSRsaEkCA004/NSRsaEkCA004.crt"
+          validation:
+            fingerprint:
+                sha256: "05:D6:F6:60:49:8D:DD:6A:89:F7:88:63:03:59:13:A9:9F:22:F3:1A:BF:76:E1:56:53:F9:2A:82:B5:D7:4B:D2"
+        - name: "NSING TPM RSA EK CA 005"
+          url: "https://pki.nsing.com.sg/NSRsaEkCA005/NSRsaEkCA005.crt"
+          validation:
+            fingerprint:
+                sha256: "F4:2C:E7:14:8B:56:38:32:90:F1:44:A5:77:00:DB:05:D3:CF:BB:6A:31:7E:7C:88:2E:83:69:50:DE:27:32:79"
     - id: "NTC"
       name: "Nuvoton Technology"
       certificates:

.tpm-roots.yaml

@@ -73,6 +73,19 @@ vendors:
           validation:
             fingerprint:
                 sha256: "87:0C:7A:35:CE:AB:3D:59:97:9F:2C:6A:52:40:42:D4:04:CB:71:51:80:04:35:09:25:FB:2C:ED:79:A9:99:DA"
+    - id: "NSG"
+      name: "NSING"
+      certificates:
+        - name: "NSING TPM ECC ROOT CA 001"
+          url: "https://pki.nsing.com.sg/NSEccRootCA001/NSEccRootCA001.crt"
+          validation:
+            fingerprint:
+                sha256: "6C:CF:8A:8A:80:3D:07:A0:02:A1:5D:48:89:FF:A0:B1:25:E4:A8:2A:1F:E4:21:1D:B3:C6:E8:59:29:19:F9:DC"
+        - name: "NSING TPM RSA ROOT CA 001"
+          url: "https://pki.nsing.com.sg/NSRsaRootCA001/NSRsaRootCA001.crt"
+          validation:
+            fingerprint:
+                sha256: "72:CA:00:61:23:95:AF:02:7C:D8:4C:55:14:21:9F:11:0E:96:4D:FA:0B:FC:1E:FB:B3:AC:14:7E:3B:17:39:71"
     - id: "NTC"
       name: "Nuvoton Technology"
       certificates:

scripts/predict-new-urls.gos

@@ -116,12 +116,46 @@ var vendors = map[string]VendorConfig{
 			},
 		},
 	},
+	"nsg": {
+		ID:   "NSG",
+		Name: "NSING",
+		Patterns: []VendorPattern{
+			{
+				Name:        "ECC Root",
+				CertType:    CertTypeRoot,
+				URLTemplate: "https://pki.nsing.com.sg/NSEccRootCA%03d/NSEccRootCA%03d.crt",
+				MaxCount:    10,
+				StartIndex:  1,
+			},
+			{
+				Name:        "RSA Root",
+				CertType:    CertTypeRoot,
+				URLTemplate: "https://pki.nsing.com.sg/NSRsaRootCA%03d/NSRsaRootCA%03d.crt",
+				MaxCount:    10,
+				StartIndex:  1,
+			},
+			{
+				Name:        "ECC EK Intermediate",
+				CertType:    CertTypeIntermediate,
+				URLTemplate: "https://pki.nsing.com.sg/NSEccEkCA%03d/NSEccEkCA%03d.crt",
+				MaxCount:    10,
+				StartIndex:  1,
+			},
+			{
+				Name:        "RSA EK Intermediate",
+				CertType:    CertTypeIntermediate,
+				URLTemplate: "https://pki.nsing.com.sg/NSRsaEkCA%03d/NSRsaEkCA%03d.crt",
+				MaxCount:    10,
+				StartIndex:  1,
+			},
+		},
+	},
 }
 
 func main() {
 	count := flag.Int("count", defaultCount, "maximum number to check")
 	out := flag.String("out", "", "output file (default: stdout)")
-	vendor := flag.String("vendor", "ifx", "vendor to scan (ifx, all)")
+	vendor := flag.String("vendor", "ifx", "vendor to scan (ifx, stm, nsg, all)")
 	certType := flag.String("type", "", "filter by certificate type: 'root' or 'intermediate' (empty = no filter)")
 	flag.Parse()
 

src/NSG/NSINGTPMEKcertificatesv1.0.pdf

@@ -0,0 +1,33 @@
+# NSING (NSG)
+
+## Certificate Inventory
+
+| Certificate Name | Type | Source Document | Does the source references a fingerprint? |
+|------------------|------|-----------------|:-----------------------------------------:|
+| NSING TPM ECC ROOT CA 001 | Root | [NSINGTPMEKcertificatesv1.0.pdf](NSINGTPMEKcertificatesv1.0.pdf) | No |
+| NSING TPM RSA ROOT CA 001 | Root | [NSINGTPMEKcertificatesv1.0.pdf](NSINGTPMEKcertificatesv1.0.pdf) | No |
+| NSING TPM ECC EK CA 001 | Intermediate | [NSINGTPMEKcertificatesv1.0.pdf](NSINGTPMEKcertificatesv1.0.pdf) | No |
+| NSING TPM ECC EK CA 002 | Intermediate | [NSINGTPMEKcertificatesv1.0.pdf](NSINGTPMEKcertificatesv1.0.pdf) | No |
+| NSING TPM ECC EK CA 003 | Intermediate | URL Discovery | No |
+| NSING TPM ECC EK CA 004 | Intermediate | URL Discovery | No |
+| NSING TPM ECC EK CA 005 | Intermediate | URL Discovery | No |
+| NSING TPM RSA EK CA 001 | Intermediate | [NSINGTPMEKcertificatesv1.0.pdf](NSINGTPMEKcertificatesv1.0.pdf) | No |
+| NSING TPM RSA EK CA 002 | Intermediate | [NSINGTPMEKcertificatesv1.0.pdf](NSINGTPMEKcertificatesv1.0.pdf) | No |
+| NSING TPM RSA EK CA 003 | Intermediate | URL Discovery | No |
+| NSING TPM RSA EK CA 004 | Intermediate | URL Discovery | No |
+| NSING TPM RSA EK CA 005 | Intermediate | URL Discovery | No |
+
+## Source Information
+
+The certificate details were initially retrieved from the official NSING documentation:
+- **Web Page**: https://nsing.com.sg/product/tpm/trustedcomputing/NS350/
+- **Documentation PDF**: [NSINGTPMEKcertificatesv1.0.pdf](NSINGTPMEKcertificatesv1.0.pdf)
+- **Screenshot Reference**: 
+![](nsing_website.png)
+
+> [!NOTE]
+> The PDF document has been archived locally as [NSINGTPMEKcertificatesv1.0.pdf](NSINGTPMEKcertificatesv1.0.pdf) for reference.
+
+## Note
+
+1. **URL Discovery**: The PDF documentation only references intermediate CAs 001 and 002. Additional intermediate certificates (003, 004, 005) were discovered by testing incremental URL patterns against the NSING PKI infrastructure at `https://pki.nsing.com.sg/`.

src/NSG/README.md

@@ -11,6 +11,7 @@ This directory contains the evidence and documentation proving how the URLs for
 | IFX | Infineon | [README](IFX/) | B |
 | MSFT | Microsoft | [README](MSFT/) | C |
 | NTC | Nuvoton Technology | [README](NTC/) | A |
+| NSG | NSING | [README](NSG/) | B |
 | STM | STMicroelectronics | [README](STM/) | A |
 
 ### Accessibility Score Legend