Bugzilla 1016 (partial): remove some hard checks that are now perform…

…ed in the MDA code. Intention is to gradually whittle this script down and then replace it with something more robust.
InCommon · Dec 12, 2013 · 6b35d09 · 6b35d09
1 parent cb9cf09
commit 6b35d09
Showing 1 changed file with 0 additions and 69 deletions.
diff --git a/build/check_embedded.pl b/build/check_embedded.pl
@@ -58,24 +58,6 @@
 $issuerMark{'Cybertrust Educational CA'} = 'x'; # ex trust root
 $issuerMark{'Thawte Premium Server CA'} = 'x'; # ex trust root; directly signs; 1024 bit key
 
-#
-# Load RSA key blacklists.
-#
-#print "Loading key blacklists...\n";
-open KEYS, '../build/blacklist.RSA-1024' || die "can't open RSA 1024 blacklist";
-while (<KEYS>) {
-	chomp;
-	$rsa1024{$_} = 1;
-}
-close KEYS;
-open KEYS, '../build/blacklist.RSA-2048' || die "can't open RSA 2048 blacklist";
-while (<KEYS>) {
-	chomp;
-	$rsa2048{$_} = 1;
-}
-close KEYS;
-#print "Blacklists loaded.\n";
-
 #
 # Load expiry whitelist.
 #
@@ -317,44 +299,6 @@ sub comment {
 				next;
 			}
 
-			#
-			# Check for weak (Debian) keys
-			#
-			# Weak key fingerprints loaded from files are hex SHA-1 digests of the
-			# line you get from "openssl x509 -modulus", including the "Modulus=".
-			#
-			if (/^Modulus=(.*)$/) {
-				$modulus = $_;
-				# print "   modulus: $modulus\n";
-				$fpr = sha1_hex($modulus);
-				# print "   fpr: $fpr\n";
-				if ($pubSize == 1024) {
-					if (defined($rsa1024{$fpr})) {
-						error("WEAK DEBIAN KEY");
-					}
-				} elsif ($pubSize == 2048) {
-					if (defined($rsa2048{$fpr})) {
-						error("WEAK DEBIAN KEY");
-					}
-				}
-				next;
-			}
-
-			#
-			# Look for reasonable public exponent values.
-			#
-			if (/Exponent: (\d+)/) {
-				$exponent = $1;
-				# print "   exponent: $exponent\n";
-				if (($exponent & 1) == 0) {
-					error("RSA public exponent $exponent is even");
-				} elsif ($exponent <= 3) {
-					error("insecure RSA public exponent $exponent");
-				} elsif ($exponent < 65537) {
-					warning("small RSA public exponent $exponent")
-				}
-			}
-
 			#
 			# subjectAlternativeName
 			#
@@ -505,19 +449,6 @@ sub comment {
 		#
 		$pubSizeCount{$pubSize}++;
 		# print "   Public key size: $pubSize\n";
-		if ($pubSize < 1024) {
-
-			error('PUBLIC KEY TOO SHORT');
-
-		} elsif ($pubSize < 2048) {
-
-			if ($days < 0) {
-				error("short key ($pubSize bit) in expired certificate");
-			} else {
-				warning("short key ($pubSize bit) in certificate; expires $notAfter");
-			}
-
-		}
 
 		#
 		# Close the temporary file, which will also cause