summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorBernhard Fröhlich <bernhard@cacert.org>2011-04-08 22:56:32 +0200
committerBernhard Fröhlich <bernhard@cacert.org>2011-04-08 22:56:32 +0200
commit8b8426f275e842492af6a729c97da35424415ba9 (patch)
treed62e8a7a496dc9e6758a878a57e72ad6df078253 /scripts
parent6dd75856f30923879eb01bc94ae7a735dc413063 (diff)
downloadcacert-devel-8b8426f275e842492af6a729c97da35424415ba9.tar.gz
cacert-devel-8b8426f275e842492af6a729c97da35424415ba9.tar.xz
cacert-devel-8b8426f275e842492af6a729c97da35424415ba9.zip
First running version of mailing script added
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/mail-weak-keys.php150
1 files changed, 139 insertions, 11 deletions
diff --git a/scripts/mail-weak-keys.php b/scripts/mail-weak-keys.php
index f8909c9..018bd64 100755
--- a/scripts/mail-weak-keys.php
+++ b/scripts/mail-weak-keys.php
@@ -1,15 +1,109 @@
#!/usr/bin/php -q
<? # Companion script to DumpWeakCerts.pl, takes output and sends a mail to each owner of a weak cert
- $action_date = '2011-04-??';
- $in = fopen("php://stdin", "r");
- while($in_string = rtrim(fgets($in, 255))) {
- list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial) = explode("\t", $in_string);
+ function SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Server Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate
+Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
+
+You should submit a new Certificate Signing Request of acceptable strength as soon as possible
+and replace your existing certificate.
+
+If you are interested in background information on this change please refer to this document:
+http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Server Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ function SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+Client Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all
+client certficates must be backed by private keys with a key length at least 1024 bits
+and no other known vulnerabilities.
+
+This means that you should replace your current certificate with a new one of acceptable strength.
+If you use Firefox or Chrome, select 'Keysize: High Grade' before 'Create Certificate Request'.
+If you use Internet Explorer, select 'Microsoft Strong Cryptographic Provider'. If you select an
+option that generates a weak key (eg 'Microsoft Base Cryptographic Provider v1.0') your certficate
+request will be rejected.
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Client Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ function SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Organisation Server Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate
+Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
+
+You should submit a new Certificate Signing Request of acceptable strength as soon as possible
+and replace your existing certificate.
+
+If you are interested in background information on this change please refer to this document:
+http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Organisation Server Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ function SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
$mail_text =
"Dear $owner_name,
-CAcert recently became aware that some of the server certficates signed by CAcert =pose a security risk because they are backed by private keys that are vulnerable to attack.
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
The security issues identified are:
Private keys with a small key size. These keys are vulnerable to brute force attack.
@@ -18,16 +112,50 @@ Private keys generated by a compromised version of OpenSSL distributed by Debian
You received this email because a certificate issued to you is vulnerable:
-Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+Organisation Client Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
-To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date. CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all
+client certficates must be backed by private keys with a key length at least 1024 bits
+and no other known vulnerabilities.
-You should submit a new Certificate Signing Request of acceptable strength as soon as possible and replace your existing certificate.
+This means that you should replace your current certificate with a new one of acceptable strength.
+If you use Firefox or Chrome, select 'Keysize: High Grade' before 'Create Certificate Request'.
+If you use Internet Explorer, select 'Microsoft Strong Cryptographic Provider'. If you select an
+option that generates a weak key (eg 'Microsoft Base Cryptographic Provider v1.0') your certficate
+request will be rejected.
-If you are interested in background information on this change please refer to this document http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
---------------------
+Kind regards
+CAcert Suport Team
";
- echo $mail_text;
+ mail($cert_email, "[CAcert.org]CAcert Organisation Client Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ # Main
+
+ $num_domain = 0;
+ $num_client = 0;
+ $num_orgdomain = 0;
+ $num_orgclient = 0;
+ $action_date = '2011-04-??';
+ $in = fopen("php://stdin", "r");
+ while($in_string = rtrim(fgets($in, 255))) {
+ list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial) = explode("\t", $in_string);
+
+ if ($cert_type == "DomainCert") {
+ SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_domain++;
+ } else if ($cert_type == "EmailCert") {
+ SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_client++;
+ } else if ($cert_type == "OrgServerCert") {
+ SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_orgdomain++;
+ } else if ($cert_type == "OrgEmailCert") {
+ SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_orgclient++;
+ }
}
fclose($in);
+ echo "Mails sent: $num_domain server certs, $num_client client certs, $num_orgdomain Org server certs, $num_orgclient Org client certs.\n";
?>