diff options
| author | Michael Tänzer <neo@nhng.de> | 2011-04-07 05:44:35 +0200 |
|---|---|---|
| committer | Michael Tänzer <neo@nhng.de> | 2011-04-07 05:44:35 +0200 |
| commit | 384b57dc57b90c01b6c376be8c2b564470d042cb (patch) | |
| tree | febc090ddba276f1ad5b583a90123264824c1a17 | |
| parent | 2faeb0030546e42418a24d8343f42e4888bd3dee (diff) | |
| download | cacert-devel-384b57dc57b90c01b6c376be8c2b564470d042cb.tar.gz cacert-devel-384b57dc57b90c01b6c376be8c2b564470d042cb.tar.xz cacert-devel-384b57dc57b90c01b6c376be8c2b564470d042cb.zip | |
#918: More sophisticated error handling
#918: "Weak keys in certificates"
Signed-off-by: Michael Tänzer <neo@nhng.de>
| -rw-r--r-- | includes/account_stuff.php | 65 |
1 files changed, 43 insertions, 22 deletions
diff --git a/includes/account_stuff.php b/includes/account_stuff.php index e19879c..0299ead 100644 --- a/includes/account_stuff.php +++ b/includes/account_stuff.php @@ -286,6 +286,27 @@ function hideall() { } /** + * Produces a log entry with the error message with log level E_USER_WARN + * and a random ID an returns a message that can be displayed to the user + * including the generated ID + * + * @param $errormessage string + * The error message that should be logged + * @return string containing the generated ID that can be displayed to the + * user + */ + function failWithId($errormessage) { + $errorId = rand(); + trigger_error("$errormessage. ID: $errorId", E_USER_WARNING); + return sprintf(_("Something went wrong when processing your request. ". + "Please contact %s for help and provide them with the ". + "following ID: %d"), + "<a href='mailto:support@cacert.org?subject=System%20Error%20-%20". + "ID%3A%20$errorId'>support@cacert.org</a>", + $errorId); + } + + /** * Checks whether the given CSR contains a vulnerable key * * @param $csr string @@ -446,9 +467,8 @@ function hideall() { if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text, $algorithm)) { - trigger_error("checkWeakKeyText(): Couldn't extract the public ". - "key algorithm used", E_USER_WARNING); - return ""; + return failWithId("checkWeakKeyText(): Couldn't extract the ". + "public key algorithm used"); } else { $algorithm = $algorithm[1]; } @@ -459,32 +479,33 @@ function hideall() { if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, $keysize)) { - trigger_error("checkWeakKeyText(): Couldn't parse the RSA key ". - "size", E_USER_WARNING); + return failWithId("checkWeakKeyText(): Couldn't parse the RSA ". + "key size"); } else { $keysize = intval($keysize[1]); - - if ($keysize < 1024) - { - return sprintf(_("The keys that you use are very small ". - "and therefore insecure. Please generate stronger ". - "keys. More information about this issue can be ". - "found in %sthe wiki%s"), - "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>", - "</a>"); - } elseif ($keysize < 2048) { - // not critical but log so we have some statistics about - // affected users - trigger_error("checkWeakKeyText(): Certificate for small ". - "key (< 2048 bit) requested", E_USER_NOTICE); - } } + if ($keysize < 1024) + { + return sprintf(_("The keys that you use are very small ". + "and therefore insecure. Please generate stronger ". + "keys. More information about this issue can be ". + "found in %sthe wiki%s"), + "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>", + "</a>"); + } elseif ($keysize < 2048) { + // not critical but log so we have some statistics about + // affected users + trigger_error("checkWeakKeyText(): Certificate for small ". + "key (< 2048 bit) requested", E_USER_NOTICE); + } + + if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text, $exponent)) { - trigger_error("checkWeakKeyText(): Couldn't parse the RSA ". - "exponent", E_USER_WARNING); + return failWithId("checkWeakKeyText(): Couldn't parse the RSA ". + "exponent"); } else { $exponent = $exponent[1]; // exponent might be very big => //handle as string using bc*() |