Skip to content

Commit

Permalink
Look for dodgy public exponent values.
Browse files Browse the repository at this point in the history 
When processing a batch of certificates, add some statistics to the output.
  • Loading branch information
@iay
iay committed Mar 16, 2012
1 parent 6278eb1 commit 1d56e0c
Showing 1 changed file with 31 additions and 0 deletions.
31 changes: 31 additions & 0 deletions build/check_embedded.pl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,7 @@ sub comment {
# Have we seen this blob before? If so, close (and delete) the
# temporary file, and go and look for a new certificate to process.
#
$total_certs++;
if (defined($blobs{$blob})) {
# print "skipping a blob\n";
close SSL;
Expand All @@ -138,6 +139,7 @@ sub comment {
# Otherwise, remember this blob so that we won't process it again.
#
$blobs{$blob} = 1;
$distinct_certs++;

#
# Don't close the temporary file yet, because that would cause it
Expand Down Expand Up @@ -183,13 +185,15 @@ sub comment {
#
if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
$pubSize = $1;
$pubSizeCount{$pubSize}++;
# print " Public key size: $pubSize\n";
if ($pubSize < 1024) {
error('PUBLIC KEY TOO SHORT');
}
next;
} elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
$pubSize = $1;
$pubSizeCount{$pubSize}++;
# print " Public key size: $pubSize\n";
if ($pubSize < 1024) {
error('PUBLIC KEY TOO SHORT');
Expand Down Expand Up @@ -235,6 +239,21 @@ sub comment {
next;
}

#
# Look for reasonable public exponent values.
#
if (/Exponent: (\d+)/) {
$exponent = $1;
# print " exponent: $exponent\n";
if (($exponent & 1) == 0) {
error("RSA public exponent $exponent is even");
} elsif ($exponent <= 3) {
error("insecure RSA public exponent $exponent");
} elsif ($exponent < 65537) {
warning("small RSA public exponent $exponent")
}
}

#
# subjectAlternativeName
#
Expand Down Expand Up @@ -363,3 +382,15 @@ sub comment {
}
}
}

if ($total_certs > 1) {
print "Total certificates: $total_certs\n";
if ($distinct_certs != $total_certs) {
print "Distinct certificates: $distinct_certs\n";
}
print "Key size distribution:\n";
for $pubSize (sort keys %pubSizeCount) {
$count = $pubSizeCount{$pubSize};
print " $pubSize: $count\n";
}
}

0 comments on commit 1d56e0c

Please sign in to comment.