Fix for https://bugs.cacert.org/view.php?id=954 which has been requested by

Arbitration Case https://wiki.cacert.org/Arbitrations/a20110312.1
This commit is contained in:
Wytze van der Raay 2011-07-28 07:58:45 +00:00
parent da58aac918
commit 5e1c4114af
2 changed files with 119 additions and 16 deletions

View file

@ -1,6 +1,7 @@
#!/usr/bin/perl
# Script to dump weak RSA certs (Exponent 3 or Modulus size < 1024) according to https://bugs.cacert.org/view.php?id=918
# and https://wiki.cacert.org/Arbitrations/a20110312.1
# Extended to be used for https://bugs.cacert.org/view.php?id=954
use strict;
use warnings;
@ -26,12 +27,15 @@ my $cert_CN;
my $cert_expire;
my $cert_filename;
my $cert_serial;
my $cert_recid;
my $user_email;
my $user_firstname;
my $reason;
my $grace_time_days = 0; # 14 used for bug#918
my @row;
sub IsWeak($) {
@ -41,6 +45,16 @@ sub IsWeak($) {
my $Exponent = 0;
my $result = 0;
# Code for Testing only! Hardcoding some filenames to fail the tests.
#
# if ($CertFileName eq '../crt/server/301/server-301988.crt' ||
# $CertFileName eq '../crt/client/258/client-258856.crt' ||
# $CertFileName eq '../crt/orgserver/2/orgserver-2635.crt' ||
# $CertFileName eq '../crt/orgclient/0/orgclient-808.crt') {
# return "Test";
# }
# Do key size and exponent checking for RSA keys
open(CERTTEXT, '-|', "openssl x509 -in $CertFileName -noout -text") || die "Cannot start openssl";
while (<CERTTEXT>) {
@ -76,9 +90,9 @@ sub IsWeak($) {
# Select only certificates expiring in more than two weeks, since two weeks will probably be needed as turnaround time
# Get all domain certificates
$sth_certs = $dbh->prepare(
"SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
"SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
" FROM `domaincerts` AS `dc` ".
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute();
$sth_userdata = $dbh->prepare(
@ -86,13 +100,13 @@ $sth_userdata = $dbh->prepare(
" FROM `domains` AS `d`, `users` AS `u` ".
" WHERE `d`.`memid`=`u`.`id` AND `d`.`id`=?");
while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
$reason = IsWeak($cert_filename);
if ($reason) {
$sth_userdata->execute($cert_domid);
($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
$sth_userdata->finish();
}
}
@ -101,9 +115,9 @@ $sth_certs->finish();
# Get all email certificates
$sth_certs = $dbh->prepare(
"SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
"SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
" FROM `emailcerts` AS `ec` ".
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute();
$sth_userdata = $dbh->prepare(
@ -111,13 +125,13 @@ $sth_userdata = $dbh->prepare(
" FROM `users` AS `u` ".
" WHERE `u`.`id`=?");
while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
$reason = IsWeak($cert_filename);
if ($reason) {
$sth_userdata->execute($cert_userid);
($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
$sth_userdata->finish();
}
}
@ -126,9 +140,9 @@ $sth_certs->finish();
# Get all Org Server certificates, notify all admins of the Org!
$sth_certs = $dbh->prepare(
"SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
"SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial`, `dc`.`id` ".
" FROM `orgdomaincerts` AS `dc` ".
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
" WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute();
$sth_userdata = $dbh->prepare(
@ -136,13 +150,13 @@ $sth_userdata = $dbh->prepare(
" FROM `users` AS `u`, `org` ".
" WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
$reason = IsWeak($cert_filename);
if ($reason) {
$sth_userdata->execute($cert_orgid);
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
}
$sth_userdata->finish();
}
@ -152,9 +166,9 @@ $sth_certs->finish();
# Get all Org Email certificates, notify all admins of the Org!
$sth_certs = $dbh->prepare(
"SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
"SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial`, `ec`.`id` ".
" FROM `orgemailcerts` AS `ec` ".
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
" WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL $grace_time_days DAY)");
$sth_certs->execute();
$sth_userdata = $dbh->prepare(
@ -162,13 +176,13 @@ $sth_userdata = $dbh->prepare(
" FROM `users` AS `u`, `org` ".
" WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial, $cert_recid) = $sth_certs->fetchrow_array) {
if (-f $cert_filename) {
$reason = IsWeak($cert_filename);
if ($reason) {
$sth_userdata->execute($cert_orgid);
while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial, $cert_recid)). "\n";
}
$sth_userdata->finish();
}

89
scripts/mass-revoke.php Normal file
View file

@ -0,0 +1,89 @@
#!/usr/bin/php -q
<? /*
LibreSSL - CAcert web application
Copyright (C) 2004-2011 CAcert Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
# Companion script to DumpWeakCerts.pl, takes output and revokes weak certs
# Only first and last column ($cert_type and $cert_recid) are used, the others
# are ignored
include_once("../includes/mysql.php");
# Main
$num_domain = 0;
$num_client = 0;
$num_orgdomain = 0;
$num_orgclient = 0;
$num_failures = 0;
$in = fopen("php://stdin", "r");
# The restriction on revoked timestamp os only "to be sure" for non-Org certs,
# but Org certs (email and serer) may be included multiple times in the output
# of DumpWeakCerts.pl (once for each OrgAdmin).
while($in_string = rtrim(fgets($in))) {
list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason,
$cert_serial, $cert_recid) = explode("\t", $in_string);
if ($cert_type == "DomainCert") {
$query = "UPDATE `domaincerts` SET `revoked`='1970-01-01 10:00:01'
where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
if (!mysql_query($query)) {
$num_failures++;
}
$num_domain+=mysql_affected_rows();
} else if ($cert_type == "EmailCert") {
$query = "UPDATE `emailcerts` SET `revoked`='1970-01-01 10:00:01'
where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
if (!mysql_query($query)) {
$num_failures++;
}
$num_client+=mysql_affected_rows();
} else if ($cert_type == "OrgServerCert") {
$query = "UPDATE `orgdomaincerts` SET `revoked`='1970-01-01 10:00:01'
where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
if (!mysql_query($query)) {
$num_failures++;
}
$num_orgdomain+=mysql_affected_rows();
} else if ($cert_type == "OrgEmailCert") {
$query = "UPDATE `orgemailcerts` SET `revoked`='1970-01-01 10:00:01'
where `id`='$cert_recid' AND `revoked`<'1970-01-01 10:00:01'";
if (!mysql_query($query)) {
$num_failures++;
}
$num_orgclient+=mysql_affected_rows();
}
}
fclose($in);
echo "Certificates revoked: ".
"$num_domain server certs, ".
"$num_client client certs, ".
"$num_orgdomain Org server certs, ".
"$num_orgclient Org client certs.\n";
echo "Update failures: $num_failures\n";
?>