From 1d56e0c8474c85f9b2cdc0e8d66d3437f86b994a Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 16 Mar 2012 10:31:53 +0000
Subject: [PATCH] Look for dodgy public exponent values. When processing a
 batch of certificates, add some statistics to the output.

---
 build/check_embedded.pl | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/build/check_embedded.pl b/build/check_embedded.pl
index 64141a90..8c96ea17 100755
--- a/build/check_embedded.pl
+++ b/build/check_embedded.pl
@@ -128,6 +128,7 @@ sub comment {
 		# Have we seen this blob before?  If so, close (and delete) the
 		# temporary file, and go and look for a new certificate to process.
 		#
+		$total_certs++;
 		if (defined($blobs{$blob})) {
 			# print "skipping a blob\n";
 			close SSL;
@@ -138,6 +139,7 @@ sub comment {
 		# Otherwise, remember this blob so that we won't process it again.
 		#
 		$blobs{$blob} = 1;
+		$distinct_certs++;
 
 		#
 		# Don't close the temporary file yet, because that would cause it
@@ -183,6 +185,7 @@ sub comment {
 			#
 			if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
 				$pubSize = $1;
+				$pubSizeCount{$pubSize}++;
 				# print "   Public key size: $pubSize\n";
 				if ($pubSize < 1024) {
 					error('PUBLIC KEY TOO SHORT');
@@ -190,6 +193,7 @@ sub comment {
 				next;
 			} elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
 				$pubSize = $1;
+				$pubSizeCount{$pubSize}++;
 				# print "   Public key size: $pubSize\n";
 				if ($pubSize < 1024) {
 					error('PUBLIC KEY TOO SHORT');
@@ -235,6 +239,21 @@ sub comment {
 				next;
 			}
 			
+			#
+			# Look for reasonable public exponent values.
+			#
+			if (/Exponent: (\d+)/) {
+				$exponent = $1;
+				# print "   exponent: $exponent\n";
+				if (($exponent & 1) == 0) {
+					error("RSA public exponent $exponent is even");
+				} elsif ($exponent <= 3) {
+					error("insecure RSA public exponent $exponent");
+				} elsif ($exponent < 65537) {
+					warning("small RSA public exponent $exponent")
+				}
+			}
+			
 			#
 			# subjectAlternativeName
 			#
@@ -363,3 +382,15 @@ sub comment {
 		}
 	}
 }
+
+if ($total_certs > 1) {
+	print "Total certificates: $total_certs\n";
+	if ($distinct_certs != $total_certs) {
+		print "Distinct certificates: $distinct_certs\n";
+	}
+	print "Key size distribution:\n";
+	for $pubSize (sort keys %pubSizeCount) {
+		$count = $pubSizeCount{$pubSize};
+		print "   $pubSize: $count\n";
+	}
+}