Fix for https://bugs.cacert.org/view.php?id=954 which has been requested by
Arbitration Case https://wiki.cacert.org/Arbitrations/a20110312.1
parent
da58aac918
commit
5e1c4114af
2 changed files with 119 additions and 16 deletions
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/perl
|
||||
# Script to dump weak RSA certs (Exponent 3 or Modulus size < 1024) according to https://bugs.cacert.org/view.php?id=918
|
||||
# and https://wiki.cacert.org/Arbitrations/a20110312.1
|
||||
# Extended to be used for https://bugs.cacert.org/view.php?id=954
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
@ -26,12 +27,15 @@ my $cert_CN;
|
|||
my $cert_expire;
|
||||
my $cert_filename;
|
||||
my $cert_serial;
|
||||
my $cert_recid;
|
||||
|
||||
my $user_email;
|
||||
my $user_firstname;
|
||||
|
||||
my $reason;
|
||||
|
||||
my $grace_time_days = 0; # 14 used for bug#918
|
||||
|
||||
my @row;
|
||||
|
||||
sub IsWeak($) {
|
||||
|
@ -41,6 +45,16 @@ sub IsWeak($) {
|
|||
my $Exponent = 0;
|
||||
my $result = 0;
|
||||
|
||||
|
||||
# Code for Testing only! Hardcoding some filenames to fail the tests.
|
||||
#
|
||||
# if ($CertFileName eq '../crt/server/301/server-301988.crt' ||
|
||||
# $CertFileName eq '../crt/client/258/client-258856.crt' ||
|
||||
# $CertFileName eq '../crt/orgserver/2/orgserver-2635.crt' ||
|
||||
# $CertFileName eq '../crt/orgclient/0/orgclient-808.crt') {
|
||||
# return "Test";
|
||||
# }
|
||||
|
||||
# Do key size and exponent checking for RSA keys
|
||||
open(CERTTEXT, '-|', "openssl x509 -in $CertFileName -noout -text") || die "Cannot start openssl";
|
||||
while (<CERTTEXT>) {
|
||||
|
@ -76,9 +90,9 @@ sub IsWeak($) {
|
|||
# Select only certificates expiring in more than two weeks, since two weeks will probably be needed as turnaround time
|
||||
# Get all domain certificates
|
||||
$sth_certs = $dbh->prepare(
|
||||
"SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
|
||||
"SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
|
||||
" FROM `domaincerts` AS `dc` ".
|
||||
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
|
||||
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
|
||||
$sth_certs->execute();
|
||||
|
||||
$sth_userdata = $dbh->prepare(
|
||||
|
@ -86,13 +100,13 @@ $sth_userdata = $dbh->prepare(
|
|||
" FROM `domains` AS `d`, `users` AS `u` ".
|
||||
" WHERE `d`.`memid`=`u`.`id` AND `d`.`id`=?");
|
||||
|
||||
while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
|
||||
while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
|
||||
if (-f $cert_filename) {
|
||||
$reason = IsWeak($cert_filename);
|
||||
if ($reason) {
|
||||
$sth_userdata->execute($cert_domid);
|
||||
($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
|
||||
print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
|
||||
print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
|
||||
$sth_userdata->finish();
|
||||
}
|
||||
}
|
||||
|
@ -101,9 +115,9 @@ $sth_certs->finish();
|
|||
|
||||
# Get all email certificates
|
||||
$sth_certs = $dbh->prepare(
|
||||
"SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
|
||||
"SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
|
||||
" FROM `emailcerts` AS `ec` ".
|
||||
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
|
||||
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
|
||||
$sth_certs->execute();
|
||||
|
||||
$sth_userdata = $dbh->prepare(
|
||||
|
@ -111,13 +125,13 @@ $sth_userdata = $dbh->prepare(
|
|||
" FROM `users` AS `u` ".
|
||||
" WHERE `u`.`id`=?");
|
||||
|
||||
while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
|
||||
while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
|
||||
if (-f $cert_filename) {
|
||||
$reason = IsWeak($cert_filename);
|
||||
if ($reason) {
|
||||
$sth_userdata->execute($cert_userid);
|
||||
($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
|
||||
print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
|
||||
print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
|
||||
$sth_userdata->finish();
|
||||
}
|
||||
}
|
||||
|
@ -126,9 +140,9 @@ $sth_certs->finish();
|
|||
|
||||
# Get all Org Server certificates, notify all admins of the Org!
|
||||
$sth_certs = $dbh->prepare(
|
||||
"SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
|
||||
"SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
|
||||
" FROM `orgdomaincerts` AS `dc` ".
|
||||
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
|
||||
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
|
||||
$sth_certs->execute();
|
||||
|
||||
$sth_userdata = $dbh->prepare(
|
||||
|
@ -136,13 +150,13 @@ $sth_userdata = $dbh->prepare(
|
|||
" FROM `users` AS `u`, `org` ".
|
||||
" WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
|
||||
|
||||
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
|
||||
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
|
||||
if (-f $cert_filename) {
|
||||
$reason = IsWeak($cert_filename);
|
||||
if ($reason) {
|
||||
$sth_userdata->execute($cert_orgid);
|
||||
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
|
||||
print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
|
||||
print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
|
||||
}
|
||||
$sth_userdata->finish();
|
||||
}
|
||||
|
@ -152,9 +166,9 @@ $sth_certs->finish();
|
|||
|
||||
# Get all Org Email certificates, notify all admins of the Org!
|
||||
$sth_certs = $dbh->prepare(
|
||||
"SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
|
||||
"SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
|
||||
" FROM `orgemailcerts` AS `ec` ".
|
||||
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
|
||||
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
|
||||
$sth_certs->execute();
|
||||
|
||||
$sth_userdata = $dbh->prepare(
|
||||
|
@ -162,13 +176,13 @@ $sth_userdata = $dbh->prepare(
|
|||
" FROM `users` AS `u`, `org` ".
|
||||
" WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
|
||||
|
||||
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
|
||||
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
|
||||
if (-f $cert_filename) {
|
||||
$reason = IsWeak($cert_filename);
|
||||
if ($reason) {
|
||||
$sth_userdata->execute($cert_orgid);
|
||||
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
|
||||
print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
|
||||
print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
|
||||
}
|
||||
$sth_userdata->finish();
|
||||
}
|
||||
|
|
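Review bot: The comment above the domain-certificate query (hunk at -76) still says only certificates expiring in more than two weeks are selected, but with `$grace_time_days = 0` the four queries now return every unrevoked certificate that has not yet expired, and that output drives scripts/mass-revoke.php. Reword it to match, e.g. `# Select unrevoked certificates expiring more than $grace_time_days days from now (0 = every unexpired certificate)`. The `print join("\t", ...)` lines emit `$user_email`, `$user_firstname` and `$cert_CN` unescaped ahead of the new `$cert_recid` column, so if any of those database values contains a tab or newline the consumer reads the wrong field as the record id; stripping `[\t\r\n]` from the text fields before joining would keep the column positions fixed. The loops and IsWeak() are only partly visible in these hunks.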
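--- /dev/null
+++ b/scripts/mass-revoke.php
@@ -0,0 +1,89 @@
+#!/usr/bin/php -q
+<? /*
+LibreSSL - CAcert web application
+Copyright (C) 2004-2011 CAcert Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along
+with this program; if not, write to the Free Software Foundation, Inc.,
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+# Companion script to DumpWeakCerts.pl, takes output and revokes weak certs
+# Only first and last column ($cert_type and $cert_recid) are used, the others
+# are ignored
+
+include_once("../includes/mysql.php");
+# Main
+
+$num_domain = 0;
+$num_client = 0;
+$num_orgdomain = 0;
+$num_orgclient = 0;
+
+$num_failures = 0;
+
+$in = fopen("php://stdin", "r");
+
+# The restriction on revoked timestamp os only "to be sure" for non-Org certs,
+# but Org certs (email and serer) may be included multiple times in the output
+# of DumpWeakCerts.pl (once for each OrgAdmin).
+while($in_string = rtrim(fgets($in))) {
+list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason,
+$cert_serial, $cert_recid) = explode("\t", $in_string);
+
+if ($cert_type == "DomainCert") {
+$query = "UPDATE `domaincerts` SET `revoked`='1970-01-01 10:00:01'
+where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
+
+if (!mysql_query($query)) {
+$num_failures++;
+}
+$num_domain+=mysql_affected_rows();
+
+} else if ($cert_type == "EmailCert") {
+$query = "UPDATE `emailcerts` SET `revoked`='1970-01-01 10:00:01'
+where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
+
+if (!mysql_query($query)) {
+$num_failures++;
+}
+$num_client+=mysql_affected_rows();
+
+} else if ($cert_type == "OrgServerCert") {
+$query = "UPDATE `orgdomaincerts` SET `revoked`='1970-01-01 10:00:01'
+where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
+
+if (!mysql_query($query)) {
+$num_failures++;
+}
+$num_orgdomain+=mysql_affected_rows();
+
+} else if ($cert_type == "OrgEmailCert") {
+$query = "UPDATE `orgemailcerts` SET `revoked`='1970-01-01 10:00:01'
+where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
+
+if (!mysql_query($query)) {
+$num_failures++;
+}
+$num_orgclient+=mysql_affected_rows();
+}
+}
+
+fclose($in);
+
+echo "Certificates revoked: ".
+"$num_domain server certs, ".
+"$num_client client certs, ".
+"$num_orgdomain Org server certs, ".
+"$num_orgclient Org client certs.\n";
+echo "Update failures: $num_failures\n";
+?>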
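Review bot: `$cert_recid` is read from the last tab-separated field on stdin and placed straight into the quoted `id` literal of all four UPDATE statements, so a malformed or column-shifted input line reaches the database as SQL text. Check it before building the query, e.g. `if (!ctype_digit((string)$cert_recid)) { $num_failures++; continue; }`, and reject lines that do not split into exactly eight fields. Separately, `mysql_affected_rows()` is added to the counters even when `mysql_query()` failed, where it returns -1, so the reported totals drop on each failure; add it only in the success branch. The `while($in_string = rtrim(fgets($in)))` condition also stops at the first empty line, which would silently leave the rest of the list unrevoked.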