scripts/mass-revoke.php


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

#!/usr/bin/php -q
<?	# Companion script to DumpWeakCerts.pl, takes output and revokes weak certs
    # Only first and last column ($cert_type and $cert_recid) are used, the others are ignored

	include_once("../includes/mysql.php");
  # Main

  $num_domain = 0;
  $num_client = 0;
  $num_orgdomain = 0;
  $num_orgclient = 0;
  
  $num_failures = 0;

	$in = fopen("php://stdin", "r");

  # The restriction on revoked timestamp os only "to be sure" for non-Org certs, 
  # but Org certs (email and serer) may be included multiple times in the output of DumpWeakCerts.pl (once for each OrgAdmin).
	while($in_string = rtrim(fgets($in, 255))) {
		list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid) = explode("\t", $in_string);

    if ($cert_type == "DomainCert") {
			$query = "UPDATE `domaincerts` SET `revoked`='1970-01-01 10:00:01' where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
			
      if (!mysql_query($query)) {
        $num_failures++;
      }
			$num_domain+=mysql_affected_rows();
		} else if ($cert_type == "EmailCert") {
			$query = "UPDATE `emailcerts` SET `revoked`='1970-01-01 10:00:01' where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
			
      if (!mysql_query($query)) {
        $num_failures++;
      }
			$num_client+=mysql_affected_rows();
    } else if ($cert_type == "OrgServerCert") {
			$query = "UPDATE `orgdomaincerts` SET `revoked`='1970-01-01 10:00:01' where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
			
      if (!mysql_query($query)) {
        $num_failures++;
      }
			$num_orgdomain+=mysql_affected_rows();
    } else if ($cert_type == "OrgEmailCert") {
			$query = "UPDATE `orgemailcerts` SET `revoked`='1970-01-01 10:00:01' where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
			
      if (!mysql_query($query)) {
        $num_failures++;
      }
			$num_orgclient+=mysql_affected_rows();
    }
	}
	fclose($in);
	echo "Certificates revoked: $num_domain server certs, $num_client client certs, $num_orgdomain Org server certs, $num_orgclient Org client certs.\n";
	echo "Update failures: $num_failures\n";
?>