summaryrefslogtreecommitdiff
path: root/scripts/DumpWeakCerts.pl
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/DumpWeakCerts.pl')
-rw-r--r--scripts/DumpWeakCerts.pl46
1 files changed, 30 insertions, 16 deletions
diff --git a/scripts/DumpWeakCerts.pl b/scripts/DumpWeakCerts.pl
index 85648fe..580390e 100644
--- a/scripts/DumpWeakCerts.pl
+++ b/scripts/DumpWeakCerts.pl
@@ -1,6 +1,7 @@
#!/usr/bin/perl
# Script to dump weak RSA certs (Exponent 3 or Modulus size < 1024) according to https://bugs.cacert.org/view.php?id=918
# and https://wiki.cacert.org/Arbitrations/a20110312.1
+# Extended to be used for https://bugs.cacert.org/view.php?id=954
use strict;
use warnings;
@@ -26,12 +27,15 @@ my $cert_CN;
my $cert_expire;
my $cert_filename;
my $cert_serial;
+my $cert_recid;
my $user_email;
my $user_firstname;
my $reason;
+my $grace_time_days = 0; # 14 used for bug#918
+
my @row;
sub IsWeak($) {
@@ -40,6 +44,16 @@ sub IsWeak($) {
my $ModulusSize = 0;
my $Exponent = 0;
my $result = 0;
+
+
+# Code for Testing only! Hardcoding some filenames to fail the tests.
+#
+# if ($CertFileName eq '../crt/server/301/server-301988.crt' ||
+# $CertFileName eq '../crt/client/258/client-258856.crt' ||
+# $CertFileName eq '../crt/orgserver/2/orgserver-2635.crt' ||
+# $CertFileName eq '../crt/orgclient/0/orgclient-808.crt') {
+# return "Test";
+# }
# Do key size and exponent checking for RSA keys
open(CERTTEXT, '-|', "openssl x509 -in $CertFileName -noout -text") || die "Cannot start openssl";
@@ -76,9 +90,9 @@ sub IsWeak($) {
# Select only certificates expiring in more than two weeks, since two weeks will probably be needed as turnaround time
# Get all domain certificates
$sth_certs = $dbh->prepare(
- "SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
+ "SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
" FROM `domaincerts` AS `dc` ".
- " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+ " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute();
$sth_userdata = $dbh->prepare(
@@ -86,13 +100,13 @@ $sth_userdata = $dbh->prepare(
" FROM `domains` AS `d`, `users` AS `u` ".
" WHERE `d`.`memid`=`u`.`id` AND `d`.`id`=?");
-while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
$reason = IsWeak($cert_filename);
if ($reason) {
$sth_userdata->execute($cert_domid);
($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
- print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
$sth_userdata->finish();
}
}
@@ -101,9 +115,9 @@ $sth_certs->finish();
# Get all email certificates
$sth_certs = $dbh->prepare(
- "SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
+ "SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
" FROM `emailcerts` AS `ec` ".
- " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+ " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute();
$sth_userdata = $dbh->prepare(
@@ -111,13 +125,13 @@ $sth_userdata = $dbh->prepare(
" FROM `users` AS `u` ".
" WHERE `u`.`id`=?");
-while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
$reason = IsWeak($cert_filename);
if ($reason) {
$sth_userdata->execute($cert_userid);
($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
- print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
$sth_userdata->finish();
}
}
@@ -126,9 +140,9 @@ $sth_certs->finish();
# Get all Org Server certificates, notify all admins of the Org!
$sth_certs = $dbh->prepare(
- "SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
+ "SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
" FROM `orgdomaincerts` AS `dc` ".
- " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+ " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute();
$sth_userdata = $dbh->prepare(
@@ -136,13 +150,13 @@ $sth_userdata = $dbh->prepare(
" FROM `users` AS `u`, `org` ".
" WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
-while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
$reason = IsWeak($cert_filename);
if ($reason) {
$sth_userdata->execute($cert_orgid);
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
- print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
}
$sth_userdata->finish();
}
@@ -152,9 +166,9 @@ $sth_certs->finish();
# Get all Org Email certificates, notify all admins of the Org!
$sth_certs = $dbh->prepare(
- "SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
+ "SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
" FROM `orgemailcerts` AS `ec` ".
- " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+ " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute();
$sth_userdata = $dbh->prepare(
@@ -162,13 +176,13 @@ $sth_userdata = $dbh->prepare(
" FROM `users` AS `u`, `org` ".
" WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
-while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
$reason = IsWeak($cert_filename);
if ($reason) {
$sth_userdata->execute($cert_orgid);
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
- print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
}
$sth_userdata->finish();
}
generated by cgit v1.2.1 (git 2.18.0) at 2023-04-01 05:28:50 +0000