summaryrefslogtreecommitdiff
path: root/scripts/DumpWeakCerts.pl
diff options
context:
space:
mode:
authorBernhard Fröhlich <bernhard@cacert.org>2011-03-29 21:47:29 +0200
committerBernhard Fröhlich <bernhard@cacert.org>2011-03-29 21:47:29 +0200
commitcac190c8d1f78f9ae8fcf2019f96ec9d16ab1284 (patch)
tree07c40420b8c06c6144925fbaa09c211b9ea0c835 /scripts/DumpWeakCerts.pl
parentab74a1333cb130bdb19f4fddd6f96c55d1473234 (diff)
downloadcacert-devel-cac190c8d1f78f9ae8fcf2019f96ec9d16ab1284.tar.gz
cacert-devel-cac190c8d1f78f9ae8fcf2019f96ec9d16ab1284.tar.xz
cacert-devel-cac190c8d1f78f9ae8fcf2019f96ec9d16ab1284.zip
Added reason column to output. Call to openssl-vulnkey as comment
Diffstat (limited to 'scripts/DumpWeakCerts.pl')
-rwxr-xr-xscripts/DumpWeakCerts.pl37
1 files changed, 27 insertions, 10 deletions
diff --git a/scripts/DumpWeakCerts.pl b/scripts/DumpWeakCerts.pl
index 7b648b9..9f6a3df 100755
--- a/scripts/DumpWeakCerts.pl
+++ b/scripts/DumpWeakCerts.pl
@@ -29,6 +29,8 @@ my $cert_filename;
my $user_email;
my $user_firstname;
+my $reason;
+
my @row;
sub IsWeak($) {
@@ -37,7 +39,8 @@ sub IsWeak($) {
my $ModulusSize = 0;
my $Exponent = 0;
my $result = 0;
-
+
+ # Do key size and exponent checking for RSA keys
open(CERTTEXT, '-|', "openssl x509 -in $CertFileName -noout -text") || die "Cannot start openssl";
while (<CERTTEXT>) {
if (/^ +([^ ]+) Public Key:/) {
@@ -54,9 +57,19 @@ sub IsWeak($) {
close(CERTTEXT);
if ($ModulusSize > 0 && $Exponent > 0) {
if ($ModulusSize < 1024 || $Exponent==3) {
- $result = 1;
+ $result = "SmallKey";
}
}
+
+ if (!$result) {
+ # Check with openssl-vulnkey
+ # This is currently not tested, if you don't know what you are doing leave it commented!
+ #if (system("openssl-vulnkey -q$CertFileName") != 0) {
+ # $result = "openssl-vulnkey";
+ #}
+ }
+
+ return $result;
}
# Select only certificates expiring in more than two weeks, since two weeks will probably be needed as turnaround time
@@ -74,10 +87,11 @@ $sth_userdata = $dbh->prepare(
while(($cert_domid, $cert_CN, $cert_expire, $cert_filename) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
- if (IsWeak($cert_filename)) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
$sth_userdata->execute($cert_domid);
($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
- print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN)). "\n";
+ print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason)). "\n";
$sth_userdata->finish();
}
}
@@ -98,10 +112,11 @@ $sth_userdata = $dbh->prepare(
while(($cert_userid, $cert_CN, $cert_expire, $cert_filename) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
- if (IsWeak($cert_filename)) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
$sth_userdata->execute($cert_userid);
($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
- print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN)). "\n";
+ print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason)). "\n";
$sth_userdata->finish();
}
}
@@ -122,10 +137,11 @@ $sth_userdata = $dbh->prepare(
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
- if (IsWeak($cert_filename)) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
$sth_userdata->execute($cert_orgid);
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
- print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN)). "\n";
+ print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason)). "\n";
}
$sth_userdata->finish();
}
@@ -147,10 +163,11 @@ $sth_userdata = $dbh->prepare(
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
- if (IsWeak($cert_filename)) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
$sth_userdata->execute($cert_orgid);
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
- print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN)). "\n";
+ print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason)). "\n";
}
$sth_userdata->finish();
}