Suppress "certificate has expired" error if we have already issued so…

…mething similar. Additional error message if an expired certificate has a 1024-bit key. Add warning (for now) about 1024-bit keys whose certificates have long (>5y) cryptoperiods.
InCommon · Sep 5, 2012 · 77c9d4d · 77c9d4d
1 parent 3859625
commit 77c9d4d
Showing 1 changed file with 38 additions and 1 deletion.
diff --git a/build/check_embedded.pl b/build/check_embedded.pl
@@ -16,6 +16,11 @@
 #	-q	quiet		don't print anything out if there are no problems detected
 #
 
+#
+# Maximum cryptoperiod for 1024-bit keys.
+#
+my $excessThreshold = 5; # years
+
 #
 # Load RSA key blacklists.
 #
@@ -202,9 +207,16 @@ sub comment {
 				next;
 			}
 
+			if (/Not Before: (.*)$/) {
+				$notBefore = $1;
+				$noteBeforeTime = str2time($notBefore);
+				next;
+			}
+
 			if (/Not After : (.*)$/) {
 				$notAfter = $1;
-				$days = (str2time($notAfter)-time())/86400.0;
+				$notAfterTime = str2time($notAfter);
+				$days = ($notAfterTime-time())/86400.0;
 				if ($days < -180) {
 					my $d = floor(-$days);
 					error("EXPIRED LONG AGO ($d days)");
@@ -365,10 +377,35 @@ sub comment {
 			$error = "unknown issuer: $issuerCN";
 		}
 
+		if ($error eq 'certificate has expired' && $days < 0) {
+			# an equivalent message has already been issued
+			$error = '';
+		}
+
 		if ($error ne '') {
 			error($error);
 		}
 
+		#
+		# Some more detailed reporting for 1024-bit keys.
+		#
+		if ($pubSize == 1024) {
+
+			if ($days < 0) {
+				error("1024 bit expired certificate");
+			}
+
+			#
+			# Complain about keys with an excessive cryptoperiod (more than
+			# some given number of years).
+			#
+			my $validYears = ($notAfterTime - $noteBeforeTime)/(86400.0*365.0);
+			my $years = sprintf "%.1f", $validYears;
+			if ($validYears >= $excessThreshold) {
+				warning("excess cryptoperiod $years years for 1024-bit key; expires $notAfter");
+			}
+		}
+
 		#
 		# Close the temporary file, which will also cause
 		# it to be deleted.