From 384b57dc57b90c01b6c376be8c2b564470d042cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20T=C3=A4nzer?= Date: Thu, 7 Apr 2011 05:44:35 +0200 Subject: #918: More sophisticated error handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #918: "Weak keys in certificates" Signed-off-by: Michael Tänzer --- includes/account_stuff.php | 65 ++++++++++++++++++++++++++++++---------------- 1 file changed, 43 insertions(+), 22 deletions(-) (limited to 'includes/account_stuff.php') diff --git a/includes/account_stuff.php b/includes/account_stuff.php index e19879c..0299ead 100644 --- a/includes/account_stuff.php +++ b/includes/account_stuff.php @@ -285,6 +285,27 @@ function hideall() { support@cacert.org", + $errorId); + } + /** * Checks whether the given CSR contains a vulnerable key * @@ -446,9 +467,8 @@ function hideall() { if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text, $algorithm)) { - trigger_error("checkWeakKeyText(): Couldn't extract the public ". - "key algorithm used", E_USER_WARNING); - return ""; + return failWithId("checkWeakKeyText(): Couldn't extract the ". + "public key algorithm used"); } else { $algorithm = $algorithm[1]; } 
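Review bot: The patterns in checkWeakKeyText() depend on the exact label wording of OpenSSL's human-readable text dump, and now that a non-match returns through `failWithId()` instead of an empty string, any change in that wording rejects every request. Failing closed is the safer direction for a weak-key check, but the text output is not a stable interface; the key-size label in particular has, as far as I know, differed between OpenSSL releases. A comment above the first match would record the dependency, e.g. `// labels follow the text output of the deployed openssl; re-check these patterns when upgrading it`. The same applies to the `RSA Public Key` and `Exponent` patterns in the following hunk. The enclosing function starts and ends outside this hunk.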
@@ -459,32 +479,33 @@ function hideall() { if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, $keysize)) { - trigger_error("checkWeakKeyText(): Couldn't parse the RSA key ". - "size", E_USER_WARNING); + return failWithId("checkWeakKeyText(): Couldn't parse the RSA ". + "key size"); } else { $keysize = intval($keysize[1]); - - if ($keysize < 1024) - { - return sprintf(_("The keys that you use are very small ". - "and therefore insecure. Please generate stronger ". - "keys. More information about this issue can be ". - "found in %sthe wiki%s"), - "", - ""); - } elseif ($keysize < 2048) { - // not critical but log so we have some statistics about - // affected users - trigger_error("checkWeakKeyText(): Certificate for small ". - "key (< 2048 bit) requested", E_USER_NOTICE); - } } + if ($keysize < 1024) + { + return sprintf(_("The keys that you use are very small ". + "and therefore insecure. Please generate stronger ". + "keys. More information about this issue can be ". + "found in %sthe wiki%s"), + "", + ""); + } elseif ($keysize < 2048) { + // not critical but log so we have some statistics about + // affected users + trigger_error("checkWeakKeyText(): Certificate for small ". + "key (< 2048 bit) requested", E_USER_NOTICE); + } + + if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text, $exponent)) { - trigger_error("checkWeakKeyText(): Couldn't parse the RSA ". - "exponent", E_USER_WARNING); + return failWithId("checkWeakKeyText(): Couldn't parse the RSA ". + "exponent"); } else { $exponent = $exponent[1]; // exponent might be very big => //handle as string using bc*() -- cgit v1.2.1
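Review bot: The `else` after `return failWithId(...)` in the key-size branch is now redundant. The size comparison was moved below it, so `$keysize` is an integer there only because the failure branch returns. Dropping the `else` and writing `$keysize = intval($keysize[1]);` directly after the guard makes that dependency visible. It also makes it harder for a later edit to reintroduce a fall-through with `$keysize` still holding the match array. The exponent branch at the end of the hunk has the same shape, and its body continues outside the hunk.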