From 5e1c4114af56ccdcbe70355796f6c187d5705ee7 Mon Sep 17 00:00:00 2001
From: Wytze van der Raay <wytze@cacert.org>
Date: Thu, 28 Jul 2011 07:58:45 +0000
Subject: [PATCH] Fix for https://bugs.cacert.org/view.php?id=954 which has
 been requested by Arbitration Case
 https://wiki.cacert.org/Arbitrations/a20110312.1

---
 scripts/DumpWeakCerts.pl | 46 +++++++++++++--------
 scripts/mass-revoke.php  | 89 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 119 insertions(+), 16 deletions(-)
 create mode 100644 scripts/mass-revoke.php

diff --git a/scripts/DumpWeakCerts.pl b/scripts/DumpWeakCerts.pl
index 85648fe..580390e 100644
--- a/scripts/DumpWeakCerts.pl
+++ b/scripts/DumpWeakCerts.pl
@@ -1,6 +1,7 @@
 #!/usr/bin/perl
 # Script to dump weak RSA certs (Exponent 3 or Modulus size < 1024) according to https://bugs.cacert.org/view.php?id=918
 # and https://wiki.cacert.org/Arbitrations/a20110312.1
+# Extended to be used for https://bugs.cacert.org/view.php?id=954
 
 use strict;
 use warnings;
@@ -26,12 +27,15 @@ my $cert_CN;
 my $cert_expire;
 my $cert_filename;
 my $cert_serial;
+my $cert_recid;
 
 my $user_email;
 my $user_firstname;
 
 my $reason;
 
+my $grace_time_days = 0; # 14 used for bug#918
+
 my @row;
 
 sub IsWeak($) {
@@ -40,6 +44,16 @@ sub IsWeak($) {
   my $ModulusSize = 0;
   my $Exponent = 0;
   my $result = 0;
+
+
+# Code for Testing only! Hardcoding some filenames to fail the tests.
+#
+#  if ($CertFileName eq '../crt/server/301/server-301988.crt' ||
+#      $CertFileName eq '../crt/client/258/client-258856.crt' ||
+#      $CertFileName eq '../crt/orgserver/2/orgserver-2635.crt' ||
+#      $CertFileName eq '../crt/orgclient/0/orgclient-808.crt') {
+#    return "Test";
+#  }
   
   # Do key size and exponent checking for RSA keys
   open(CERTTEXT, '-|', "openssl x509 -in $CertFileName -noout -text") || die "Cannot start openssl";
@@ -76,9 +90,9 @@ sub IsWeak($) {
 # Select only certificates expiring in more than two weeks, since two weeks will probably be needed as turnaround time
 # Get all domain certificates
 $sth_certs = $dbh->prepare(
-  "SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
+  "SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
   "  FROM `domaincerts` AS `dc` ".
-  "  WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+  "  WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
 $sth_certs->execute();
 
 $sth_userdata = $dbh->prepare(
@@ -86,13 +100,13 @@ $sth_userdata = $dbh->prepare(
   "  FROM `domains` AS `d`, `users` AS `u` ".
   "  WHERE `d`.`memid`=`u`.`id` AND `d`.`id`=?");
   
-while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
   if (-f $cert_filename) {
     $reason = IsWeak($cert_filename);
     if ($reason) {
       $sth_userdata->execute($cert_domid);
       ($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
-      print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+      print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
       $sth_userdata->finish();
     }
   }
@@ -101,9 +115,9 @@ $sth_certs->finish();
 
 # Get all email certificates
 $sth_certs = $dbh->prepare(
-  "SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
+  "SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
   "  FROM `emailcerts` AS `ec` ".
-  "  WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+  "  WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
 $sth_certs->execute();
 
 $sth_userdata = $dbh->prepare(
@@ -111,13 +125,13 @@ $sth_userdata = $dbh->prepare(
   "  FROM `users` AS `u` ".
   "  WHERE `u`.`id`=?");
   
-while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
   if (-f $cert_filename) {
     $reason = IsWeak($cert_filename);
     if ($reason) {
       $sth_userdata->execute($cert_userid);
       ($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
-      print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+      print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
       $sth_userdata->finish();
     }
   }
@@ -126,9 +140,9 @@ $sth_certs->finish();
 
 # Get all Org Server certificates, notify all admins of the Org!
 $sth_certs = $dbh->prepare(
-  "SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
+  "SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
   "  FROM `orgdomaincerts` AS `dc` ".
-  "  WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+  "  WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
 $sth_certs->execute();
 
 $sth_userdata = $dbh->prepare(
@@ -136,13 +150,13 @@ $sth_userdata = $dbh->prepare(
   "  FROM `users` AS `u`, `org` ".
   "  WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
   
-while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
   if (-f $cert_filename) {
     $reason = IsWeak($cert_filename);
     if ($reason) {
       $sth_userdata->execute($cert_orgid);
       while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
-        print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+        print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
       }
       $sth_userdata->finish();
     }
@@ -152,9 +166,9 @@ $sth_certs->finish();
 
 # Get all Org Email certificates, notify all admins of the Org!
 $sth_certs = $dbh->prepare(
-  "SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
+  "SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
   "  FROM `orgemailcerts` AS `ec` ".
-  "  WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+  "  WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
 $sth_certs->execute();
 
 $sth_userdata = $dbh->prepare(
@@ -162,13 +176,13 @@ $sth_userdata = $dbh->prepare(
   "  FROM `users` AS `u`, `org` ".
   "  WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
   
-while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
   if (-f $cert_filename) {
     $reason = IsWeak($cert_filename);
     if ($reason) {
       $sth_userdata->execute($cert_orgid);
       while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
-        print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+        print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
       }
       $sth_userdata->finish();
     }
diff --git a/scripts/mass-revoke.php b/scripts/mass-revoke.php
new file mode 100644
index 0000000..18c036b
--- /dev/null
+++ b/scripts/mass-revoke.php
@@ -0,0 +1,89 @@
+#!/usr/bin/php -q
+<? /*
+    LibreSSL - CAcert web application
+    Copyright (C) 2004-2011  CAcert Inc.
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; version 2 of the License.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+# Companion script to DumpWeakCerts.pl, takes output and revokes weak certs
+# Only first and last column ($cert_type and $cert_recid) are used, the others
+# are ignored
+
+include_once("../includes/mysql.php");
+# Main
+
+$num_domain = 0;
+$num_client = 0;
+$num_orgdomain = 0;
+$num_orgclient = 0;
+
+$num_failures = 0;
+
+$in = fopen("php://stdin", "r");
+
+# The restriction on revoked timestamp os only "to be sure" for non-Org certs,
+# but Org certs (email and serer) may be included multiple times in the output
+# of DumpWeakCerts.pl (once for each OrgAdmin).
+while($in_string = rtrim(fgets($in))) {
+	list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason,
+		$cert_serial, $cert_recid) = explode("\t", $in_string);
+	
+	if ($cert_type == "DomainCert") {
+		$query = "UPDATE `domaincerts` SET `revoked`='1970-01-01 10:00:01'
+			where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
+		
+		if (!mysql_query($query)) {
+			$num_failures++;
+		}
+		$num_domain+=mysql_affected_rows();
+		
+	} else if ($cert_type == "EmailCert") {
+		$query = "UPDATE `emailcerts` SET `revoked`='1970-01-01 10:00:01'
+			where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
+		
+		if (!mysql_query($query)) {
+			$num_failures++;
+		}
+		$num_client+=mysql_affected_rows();
+		
+	} else if ($cert_type == "OrgServerCert") {
+		$query = "UPDATE `orgdomaincerts` SET `revoked`='1970-01-01 10:00:01'
+			where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
+		
+		if (!mysql_query($query)) {
+			$num_failures++;
+		}
+		$num_orgdomain+=mysql_affected_rows();
+		
+	} else if ($cert_type == "OrgEmailCert") {
+		$query = "UPDATE `orgemailcerts` SET `revoked`='1970-01-01 10:00:01'
+			where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
+		
+		if (!mysql_query($query)) {
+			$num_failures++;
+		}
+		$num_orgclient+=mysql_affected_rows();
+	}
+}
+
+fclose($in);
+
+echo "Certificates revoked: ".
+	"$num_domain server certs, ".
+	"$num_client client certs, ".
+	"$num_orgdomain Org server certs, ".
+	"$num_orgclient Org client certs.\n";
+echo "Update failures: $num_failures\n";
+?>