diff --git a/build/check_embedded.pl b/build/check_embedded.pl
index 64141a90..8c96ea17 100755
--- a/build/check_embedded.pl
+++ b/build/check_embedded.pl
@@ -128,6 +128,7 @@ sub comment {
     # Have we seen this blob before? If so, close (and delete) the
     # temporary file, and go and look for a new certificate to process.
     #
+    $total_certs++;
     if (defined($blobs{$blob})) {
         # print "skipping a blob\n";
         close SSL;
@@ -138,6 +139,7 @@ sub comment {
     # Otherwise, remember this blob so that we won't process it again.
     #
     $blobs{$blob} = 1;
+    $distinct_certs++;
 
     #
     # Don't close the temporary file yet, because that would cause it
@@ -183,6 +185,7 @@ sub comment {
     #
     if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
         $pubSize = $1;
+        $pubSizeCount{$pubSize}++;
         # print " Public key size: $pubSize\n";
         if ($pubSize < 1024) {
             error('PUBLIC KEY TOO SHORT');
@@ -190,6 +193,7 @@ sub comment {
         next;
     } elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
         $pubSize = $1;
+        $pubSizeCount{$pubSize}++;
         # print " Public key size: $pubSize\n";
         if ($pubSize < 1024) {
             error('PUBLIC KEY TOO SHORT');
@@ -235,6 +239,21 @@ sub comment {
         next;
     }
 
+    #
+    # Look for reasonable public exponent values.
+    #
+    if (/Exponent: (\d+)/) {
+        $exponent = $1;
+        # print " exponent: $exponent\n";
+        if (($exponent & 1) == 0) {
+            error("RSA public exponent $exponent is even");
+        } elsif ($exponent <= 3) {
+            error("insecure RSA public exponent $exponent");
+        } elsif ($exponent < 65537) {
+            warning("small RSA public exponent $exponent")
+        }
+    }
+
     #
     # subjectAlternativeName
     #
@@ -363,3 +382,15 @@ sub comment {
         }
     }
 }
+
+if ($total_certs > 1) {
+    print "Total certificates: $total_certs\n";
+    if ($distinct_certs != $total_certs) {
+        print "Distinct certificates: $distinct_certs\n";
+    }
+    print "Key size distribution:\n";
+    for $pubSize (sort keys %pubSizeCount) {
+        $count = $pubSizeCount{$pubSize};
+        print " $pubSize: $count\n";
+    }
+}
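Review bot: The parity test `($exponent & 1) == 0` in the new exponent block numifies the captured decimal string, so an exponent wider than the platform integer (OpenSSL prints the full decimal value) may go through a float conversion and lose its low bit; testing the last decimal digit, `if (substr($exponent, -1) % 2 == 0) {`, stays exact for any length. The `warning(...)` call in the last branch has no trailing semicolon, which Perl accepts as the final statement of a block but which breaks as soon as a line is appended after it. The thresholds would be easier to review with a comment such as `# 65537 (F4) is the customary minimum; smaller odd exponents are legal but discouraged`, and since only a floor is checked, an upper bound (the 2^256 ceiling used by NIST SP 800-89 and the CA/B Forum Baseline Requirements) could be added alongside. The enclosing block starts and ends outside the hunk.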
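Review bot: `sort keys %pubSizeCount` in the summary block sorts the key sizes as strings, so a 512-bit entry would print after 4096; the loop should sort numerically, `for $pubSize (sort { $a <=> $b } keys %pubSizeCount) {`. `$pubSize` and `$count` are used here without `my`; presumably they are file-level variables declared outside these hunks (the parser assigns `$pubSize` in the earlier hunks), but scoping them with `for my $pubSize (...)` and `my $count = ...` would keep the summary independent of leftover parser state. The `> 1` threshold means a single-certificate run prints no summary at all; if that is intended, a one-line comment saying so would spare the next reader from wondering. The `if` block is complete within the hunk.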