cacert/cacert-webdb
9
0
Fork 0
Code Issues Pull requests 3 Projects Releases 4 Wiki Activity

Fix for https://bugs.cacert.org/view.php?id=954 which has been requested by

Browse source 
Arbitration Case https://wiki.cacert.org/Arbitrations/a20110312.1
This commit is contained in:
Wytze van der Raay 2011-07-28 07:58:45 +00:00
parent da58aac918
commit 5e1c4114af
2 changed files with 119 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
scripts/DumpWeakCerts.pl
View file

@ -1,6 +1,7 @@
#!/usr/bin/perl #!/usr/bin/perl
# Script to dump weak RSA certs (Exponent 3 or Modulus size < 1024) according to https://bugs.cacert.org/view.php?id=918 # Script to dump weak RSA certs (Exponent 3 or Modulus size < 1024) according to https://bugs.cacert.org/view.php?id=918
# and https://wiki.cacert.org/Arbitrations/a20110312.1 # and https://wiki.cacert.org/Arbitrations/a20110312.1
# Extended to be used for https://bugs.cacert.org/view.php?id=954
use strict; use strict;
use warnings; use warnings;
@ -26,12 +27,15 @@ my $cert_CN;
my $cert_expire; my $cert_expire;
my $cert_filename; my $cert_filename;
my $cert_serial; my $cert_serial;
my $cert_recid;
my $user_email; my $user_email;
my $user_firstname; my $user_firstname;
my $reason; my $reason;
my $grace_time_days = 0; # 14 used for bug#918
my @row; my @row;
sub IsWeak($) { sub IsWeak($) {
@ -40,6 +44,16 @@ sub IsWeak($) {
my $ModulusSize = 0; my $ModulusSize = 0;
my $Exponent = 0; my $Exponent = 0;
my $result = 0; my $result = 0;
# Code for Testing only! Hardcoding some filenames to fail the tests.
#
# if ($CertFileName eq '../crt/server/301/server-301988.crt' ||
# $CertFileName eq '../crt/client/258/client-258856.crt' ||
# $CertFileName eq '../crt/orgserver/2/orgserver-2635.crt' ||
# $CertFileName eq '../crt/orgclient/0/orgclient-808.crt') {
# return "Test";
# }
# Do key size and exponent checking for RSA keys # Do key size and exponent checking for RSA keys
open(CERTTEXT, '-|', "openssl x509 -in $CertFileName -noout -text") || die "Cannot start openssl"; open(CERTTEXT, '-|', "openssl x509 -in $CertFileName -noout -text") || die "Cannot start openssl";
@ -76,9 +90,9 @@ sub IsWeak($) {
# Select only certificates expiring in more than two weeks, since two weeks will probably be needed as turnaround time # Select only certificates expiring in more than two weeks, since two weeks will probably be needed as turnaround time
# Get all domain certificates # Get all domain certificates
$sth_certs = $dbh->prepare( $sth_certs = $dbh->prepare(
"SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ". "SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
" FROM `domaincerts` AS `dc` ". " FROM `domaincerts` AS `dc` ".
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)"); " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute(); $sth_certs->execute();
$sth_userdata = $dbh->prepare( $sth_userdata = $dbh->prepare(
@ -86,13 +100,13 @@ $sth_userdata = $dbh->prepare(
" FROM `domains` AS `d`, `users` AS `u` ". " FROM `domains` AS `d`, `users` AS `u` ".
" WHERE `d`.`memid`=`u`.`id` AND `d`.`id`=?"); " WHERE `d`.`memid`=`u`.`id` AND `d`.`id`=?");
while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) { while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) { if (-f $cert_filename) {
$reason = IsWeak($cert_filename); $reason = IsWeak($cert_filename);
if ($reason) { if ($reason) {
$sth_userdata->execute($cert_domid); $sth_userdata->execute($cert_domid);
($user_email, $user_firstname) = $sth_userdata->fetchrow_array(); ($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n"; print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
$sth_userdata->finish(); $sth_userdata->finish();
} }
} }
@ -101,9 +115,9 @@ $sth_certs->finish();
# Get all email certificates # Get all email certificates
$sth_certs = $dbh->prepare( $sth_certs = $dbh->prepare(
"SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ". "SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
" FROM `emailcerts` AS `ec` ". " FROM `emailcerts` AS `ec` ".
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)"); " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute(); $sth_certs->execute();
$sth_userdata = $dbh->prepare( $sth_userdata = $dbh->prepare(
@ -111,13 +125,13 @@ $sth_userdata = $dbh->prepare(
" FROM `users` AS `u` ". " FROM `users` AS `u` ".
" WHERE `u`.`id`=?"); " WHERE `u`.`id`=?");
while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) { while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) { if (-f $cert_filename) {
$reason = IsWeak($cert_filename); $reason = IsWeak($cert_filename);
if ($reason) { if ($reason) {
$sth_userdata->execute($cert_userid); $sth_userdata->execute($cert_userid);
($user_email, $user_firstname) = $sth_userdata->fetchrow_array(); ($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n"; print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
$sth_userdata->finish(); $sth_userdata->finish();
} }
} }
@ -126,9 +140,9 @@ $sth_certs->finish();
# Get all Org Server certificates, notify all admins of the Org! # Get all Org Server certificates, notify all admins of the Org!
$sth_certs = $dbh->prepare( $sth_certs = $dbh->prepare(
"SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ". "SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
" FROM `orgdomaincerts` AS `dc` ". " FROM `orgdomaincerts` AS `dc` ".
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)"); " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute(); $sth_certs->execute();
$sth_userdata = $dbh->prepare( $sth_userdata = $dbh->prepare(
@ -136,13 +150,13 @@ $sth_userdata = $dbh->prepare(
" FROM `users` AS `u`, `org` ". " FROM `users` AS `u`, `org` ".
" WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?"); " WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) { while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) { if (-f $cert_filename) {
$reason = IsWeak($cert_filename); $reason = IsWeak($cert_filename);
if ($reason) { if ($reason) {
$sth_userdata->execute($cert_orgid); $sth_userdata->execute($cert_orgid);
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) { while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n"; print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
} }
$sth_userdata->finish(); $sth_userdata->finish();
} }
@ -152,9 +166,9 @@ $sth_certs->finish();
# Get all Org Email certificates, notify all admins of the Org! # Get all Org Email certificates, notify all admins of the Org!
$sth_certs = $dbh->prepare( $sth_certs = $dbh->prepare(
"SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ". "SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
" FROM `orgemailcerts` AS `ec` ". " FROM `orgemailcerts` AS `ec` ".
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)"); " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute(); $sth_certs->execute();
$sth_userdata = $dbh->prepare( $sth_userdata = $dbh->prepare(
@ -162,13 +176,13 @@ $sth_userdata = $dbh->prepare(
" FROM `users` AS `u`, `org` ". " FROM `users` AS `u`, `org` ".
" WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?"); " WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) { while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) { if (-f $cert_filename) {
$reason = IsWeak($cert_filename); $reason = IsWeak($cert_filename);
if ($reason) { if ($reason) {
$sth_userdata->execute($cert_orgid); $sth_userdata->execute($cert_orgid);
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) { while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n"; print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
} }
$sth_userdata->finish(); $sth_userdata->finish();
} }

89
scripts/mass-revoke.php Normal file
View file

@ -0,0 +1,89 @@
#!/usr/bin/php -q
<? /*
LibreSSL - CAcert web application
Copyright (C) 2004-2011 CAcert Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
# Companion script to DumpWeakCerts.pl, takes output and revokes weak certs
# Only first and last column ($cert_type and $cert_recid) are used, the others
# are ignored
include_once("../includes/mysql.php");
# Main
$num_domain = 0;
$num_client = 0;
$num_orgdomain = 0;
$num_orgclient = 0;
$num_failures = 0;
$in = fopen("php://stdin", "r");
# The restriction on revoked timestamp os only "to be sure" for non-Org certs,
# but Org certs (email and serer) may be included multiple times in the output
# of DumpWeakCerts.pl (once for each OrgAdmin).
while($in_string = rtrim(fgets($in))) {
list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason,
$cert_serial, $cert_recid) = explode("\t", $in_string);
if ($cert_type == "DomainCert") {
$query = "UPDATE `domaincerts` SET `revoked`='1970-01-01 10:00:01'
where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
if (!mysql_query($query)) {
$num_failures++;
}
$num_domain+=mysql_affected_rows();
} else if ($cert_type == "EmailCert") {
$query = "UPDATE `emailcerts` SET `revoked`='1970-01-01 10:00:01'
where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
if (!mysql_query($query)) {
$num_failures++;
}
$num_client+=mysql_affected_rows();
} else if ($cert_type == "OrgServerCert") {
$query = "UPDATE `orgdomaincerts` SET `revoked`='1970-01-01 10:00:01'
where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
if (!mysql_query($query)) {
$num_failures++;
}
$num_orgdomain+=mysql_affected_rows();
} else if ($cert_type == "OrgEmailCert") {
$query = "UPDATE `orgemailcerts` SET `revoked`='1970-01-01 10:00:01'
where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
if (!mysql_query($query)) {
$num_failures++;
}
$num_orgclient+=mysql_affected_rows();
}
}
fclose($in);
echo "Certificates revoked: ".
"$num_domain server certs, ".
"$num_client client certs, ".
"$num_orgdomain Org server certs, ".
"$num_orgclient Org client certs.\n";
echo "Update failures: $num_failures\n";
?>