From 2fb5146f6c10e59e1f01234e623965bb288bae15 Mon Sep 17 00:00:00 2001 From: Ian Young Date: Mon, 7 Jan 2013 16:45:19 +0000 Subject: [PATCH] Summarise certificate issuers for embedded certificates, including a system of marks used to classify them. Add a warning for those embedded certificates issued by intermediates attached to the 1024-bit roots we need to consider removing. --- build/check_embedded.pl | 77 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 71 insertions(+), 6 deletions(-) diff --git a/build/check_embedded.pl b/build/check_embedded.pl index d6cec530..bdcfa9ca 100755 --- a/build/check_embedded.pl +++ b/build/check_embedded.pl @@ -26,6 +26,32 @@ # my $longExpiredDays = 30*3; # about three months +# +# Request verbose tabulation of certificate issuers. +# +my $verboseIssuers = 0; + +# +# Issuer marks (only shown in the absence of verboseIssuers) +# +my %issuerMark; + +# From master.xml +$issuerMark{'AddTrust External CA Root'} = 'R'; +$issuerMark{'UTN-USERFirst-Hardware'} = 'i'; +$issuerMark{'TERENA SSL CA'} = 'i'; +$issuerMark{'VeriSign Class 3 Secure Server CA'} = '<'; # has unnamed 1024 bit root +$issuerMark{'VeriSign Class 3 Secure Server CA - G2'} = '<'; # has unnamed 1024 bit root +$issuerMark{'VeriSign Class 3 Public Primary Certification Authority - G3'} = 'R'; # root alone +$issuerMark{'GlobalSign Root CA'} = 'R'; +$issuerMark{'GlobalSign Organization Validation CA'} = 'i'; +$issuerMark{'GlobalSign Primary Secure Server CA'} = 'i'; +$issuerMark{'GlobalSign ServerSign CA'} = 'i'; +$issuerMark{'Thawte Premium Server CA'} = '*'; # root directly signs + +# NOT from master.xml +$issuerMark{'Cybertrust Educational CA'} = 'x'; # ex trust root + # # Load RSA key blacklists. # @@ -185,7 +211,7 @@ sub comment { # # Use openssl to convert the certificate to text # - my(@lines, $issuer, $subjectCN, $issuerCN); + my(@lines, $subject, $issuer, $subjectCN, $issuerCN); $cmd = "openssl x509 -in $filename -noout -text -nameopt RFC2253 -modulus |"; open(SSL, $cmd) || die "could not open openssl subcommand"; while () { @@ -201,10 +227,14 @@ sub comment { next; } - if (/^\s*Subject:\s*.*?CN=([a-zA-Z0-9\-\.]+).*$/) { - $subjectCN = $1; - $names{lc $subjectCN}++; - # print "subjectCN = $subjectCN\n"; + if (/^\s*Subject:\s*(.*)$/) { + $subject = $1; + if ($subject =~ /CN=([^,]+)/) { + $subjectCN = $1; + $names{lc $subjectCN}++; + } else { + $subjectCN = $1; + } next; } @@ -421,7 +451,7 @@ sub comment { } if ($error eq 'unable to get local issuer certificate') { - $error = "unknown issuer: $issuerCN"; + $error = "non trust fabric issuer: $issuerCN"; } if ($error eq 'certificate has expired' && $days < 0) { @@ -459,6 +489,29 @@ sub comment { # close $fh; + # + # Add a warning for certain issuers. + # + if (defined $issuerMark{$issuerCN}) { + my $mark = $issuerMark{$issuerCN}; + if ($mark eq '<') { + warning("issuer '$issuerCN' associated with a 1024-bit root, expiry $notAfter"); + } + } + + # + # Count issuers. + # + if ($issuer eq $subject) { + $issuers{'(self-signed certificate)'}++; + } else { + if ($verboseIssuers) { + $issuers{$issuer}++; + } else { + $issuers{$issuerCN}++; + } + } + # # Print any interesting things related to this certificate. # @@ -468,6 +521,7 @@ sub comment { } print "\n"; } + } } @@ -476,15 +530,26 @@ sub comment { if ($distinct_certs != $total_certs) { print "Distinct certificates: $distinct_certs\n"; } + print "\n"; + print "Key size distribution:\n"; for $pubSize (sort keys %pubSizeCount) { $count = $pubSizeCount{$pubSize}; print " $pubSize: $count\n"; } + print "\n"; print "Most distant certificate expiry: $lastNotAfter on $lastNotAfterEntity\n"; print "Maximum certificate expiry year: $maxYear\n"; if ($num2038 > 0) { print "Certificates expiring during or after 2038: $num2038\n"; } + print "\n"; + + print "Certificate issuers:\n"; + foreach $issuer (sort keys %issuers) { + my $count = $issuers{$issuer}; + my $mark = $issuerMark{$issuer} ? $issuerMark{$issuer}: ' '; + print " $mark $issuer: $count\n"; + } }