First running version of mailing script added
1 #!/usr/bin/php -q
2 <? # Companion script to DumpWeakCerts.pl, takes output and sends a mail to each owner of a weak cert
3
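# Builds the body of a weak-key notification.
#
# The four notification functions below differed only in the line naming the
# certificate and in the server/client specific middle section, so the text is
# assembled here once. Wording is the original template with the spelling
# errors corrected ("Certficate", "Suport").
#
#   $cert_label  - the certificate kind as shown to the recipient, e.g. "Server Certificate"
#   $owner_name  - recipient's name, used in the salutation
#   $cert_expire - expiry date of the vulnerable certificate (quoted verbatim)
#   $cert_CN     - common name of the vulnerable certificate (quoted verbatim)
#   $cert_serial - serial of the vulnerable certificate (quoted verbatim)
#   $action_date - revocation date quoted in the mail (quoted verbatim)
#   $is_client   - true selects the client-certificate wording (1024-bit minimum,
#                  browser instructions), false the server wording (2048-bit, CSR)
# Returns the complete mail body as a string.
function WeakKeyMailText($cert_label, $owner_name, $cert_expire, $cert_CN, $cert_serial, $action_date, $is_client) {
    $text = "Dear $owner_name,

CAcert recently became aware that some of the certificates signed by CAcert pose a security
risk because they are backed by private keys that are vulnerable to attack.

The security issues identified are:
Private keys with a small key size. These keys are vulnerable to brute force attack.
Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
Private keys generated by a compromised version of OpenSSL distributed by Debian.

You received this email because a certificate issued to you is vulnerable:

$cert_label, Serial $cert_serial, expiring $cert_expire, CN $cert_CN

To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
";

    if ($is_client) {
        $text .= "CAcert will no longer accept vulnerable certificate requests for signing. In future all
client certificates must be backed by private keys with a key length at least 1024 bits
and no other known vulnerabilities.

This means that you should replace your current certificate with a new one of acceptable strength.
If you use Firefox or Chrome, select 'Keysize: High Grade' before 'Create Certificate Request'.
If you use Internet Explorer, select 'Microsoft Strong Cryptographic Provider'. If you select an
option that generates a weak key (eg 'Microsoft Base Cryptographic Provider v1.0') your certificate
request will be rejected.
";
    } else {
        $text .= "CAcert will no longer accept vulnerable certificate requests for signing. In future all Certificate
Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.

You should submit a new Certificate Signing Request of acceptable strength as soon as possible
and replace your existing certificate.

If you are interested in background information on this change please refer to this document:
http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
";
    }

    $text .= "
Kind regards
CAcert Support Team
";
    return $text;
}

# Validates the recipient address and hands one notification to mail().
#
#   $cert_email - recipient address, taken from the DumpWeakCerts.pl output
#   $cert_label - certificate kind, used to build the subject line
#   $mail_text  - body from WeakKeyMailText()
# Returns true when mail() accepted the message, false when the address was
# rejected or mail() reported failure (the original version discarded that result).
function SendWeakKeyMail($cert_email, $cert_label, $mail_text) {
    # The address is the only record field that ends up in a mail header. Accept a
    # single plain address only, so a malformed record cannot smuggle additional
    # header lines into the To: field or be delivered to nobody.
    if (filter_var($cert_email, FILTER_VALIDATE_EMAIL) === false) {
        fwrite(STDERR, "Skipping record with invalid recipient address: " . var_export($cert_email, true) . "\n");
        return false;
    }
    return mail($cert_email,
                "[CAcert.org]CAcert $cert_label - Urgent Action Required",
                $mail_text,
                "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
}

# Notifies the owner of a weak-keyed server certificate ("DomainCert" record).
# $cert_type and $reason are accepted for call-site compatibility but not used.
# Returns true when the mail was handed to mail() successfully, false otherwise.
function SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
    $label = 'Server Certificate';
    $text = WeakKeyMailText($label, $owner_name, $cert_expire, $cert_CN, $cert_serial, $action_date, false);
    return SendWeakKeyMail($cert_email, $label, $text);
}

# Notifies the owner of a weak-keyed client certificate ("EmailCert" record).
# $cert_type and $reason are accepted for call-site compatibility but not used.
# Returns true when the mail was handed to mail() successfully, false otherwise.
function SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
    $label = 'Client Certificate';
    $text = WeakKeyMailText($label, $owner_name, $cert_expire, $cert_CN, $cert_serial, $action_date, true);
    return SendWeakKeyMail($cert_email, $label, $text);
}

# Notifies the owner of a weak-keyed organisation server certificate ("OrgServerCert" record).
# $cert_type and $reason are accepted for call-site compatibility but not used.
# Returns true when the mail was handed to mail() successfully, false otherwise.
function SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
    $label = 'Organisation Server Certificate';
    $text = WeakKeyMailText($label, $owner_name, $cert_expire, $cert_CN, $cert_serial, $action_date, false);
    return SendWeakKeyMail($cert_email, $label, $text);
}

# Notifies the owner of a weak-keyed organisation client certificate ("OrgEmailCert" record).
# $cert_type and $reason are accepted for call-site compatibility but not used.
# Returns true when the mail was handed to mail() successfully, false otherwise.
function SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
    $label = 'Organisation Client Certificate';
    $text = WeakKeyMailText($label, $owner_name, $cert_expire, $cert_CN, $cert_serial, $action_date, true);
    return SendWeakKeyMail($cert_email, $label, $text);
}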
133
134 # Main
135
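$num_domain = 0;
$num_client = 0;
$num_orgdomain = 0;
$num_orgclient = 0;
$num_skipped = 0;

# Revocation date quoted verbatim in every mail. It is still a placeholder in
# this revision, so refuse to send anything until a real date has been filled in.
$action_date = '2011-04-??';
if (strpos($action_date, '?') !== false) {
    fwrite(STDERR, "action_date is still a placeholder ('$action_date'); set it before running this script.\n");
    exit(1);
}

# Input: one tab-separated record per line, as written by DumpWeakCerts.pl:
#   cert_type  cert_email  owner_name  cert_expire  cert_CN  reason  cert_serial
$in = fopen("php://stdin", "r");

# No length limit on fgets(): the earlier 255-byte cap split long records (long CN
# or owner name) into two lines, the second of which was then parsed as a record.
# Loop to EOF rather than to the first blank line so a stray empty line does not
# silently end the run early.
while (($raw = fgets($in)) !== false) {
    $in_string = rtrim($raw);
    if ($in_string === '') {
        continue;
    }

    $fields = explode("\t", $in_string);
    if (count($fields) !== 7) {
        # A short record would previously have mailed with empty fields (or an
        # empty address); report it and move on instead.
        fwrite(STDERR, "Skipping record with " . count($fields) . " fields instead of 7: $in_string\n");
        $num_skipped++;
        continue;
    }
    list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial) = $fields;

    if ($cert_type === "DomainCert") {
        SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
        $num_domain++;
    } elseif ($cert_type === "EmailCert") {
        SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
        $num_client++;
    } elseif ($cert_type === "OrgServerCert") {
        SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
        $num_orgdomain++;
    } elseif ($cert_type === "OrgEmailCert") {
        SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
        $num_orgclient++;
    } else {
        # Unknown certificate kinds were ignored without a trace before.
        fwrite(STDERR, "Skipping record with unknown certificate type '$cert_type'\n");
        $num_skipped++;
    }
}
fclose($in);

echo "Mails sent: $num_domain server certs, $num_client client certs, $num_orgdomain Org server certs, $num_orgclient Org client certs.\n";
if ($num_skipped > 0) {
    fwrite(STDERR, "Records skipped: $num_skipped (see messages above).\n");
}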
161 ?>