From 77c9d4de723ff33cb4caca7fe60c955085daed00 Mon Sep 17 00:00:00 2001 From: Ian Young Date: Wed, 5 Sep 2012 14:32:29 +0000 Subject: [PATCH] Suppress "certificate has expired" error if we have already issued something similar. Additional error message if an expired certificate has a 1024-bit key. Add warning (for now) about 1024-bit keys whose certificates have long (>5y) cryptoperiods. --- build/check_embedded.pl | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/build/check_embedded.pl b/build/check_embedded.pl index 1bcd5c44..69291d95 100755 --- a/build/check_embedded.pl +++ b/build/check_embedded.pl @@ -16,6 +16,11 @@ # -q quiet don't print anything out if there are no problems detected # +# +# Maximum cryptoperiod for 1024-bit keys. +# +my $excessThreshold = 5; # years + # # Load RSA key blacklists. # @@ -202,9 +207,16 @@ sub comment { next; } + if (/Not Before: (.*)$/) { + $notBefore = $1; + $noteBeforeTime = str2time($notBefore); + next; + } + if (/Not After : (.*)$/) { $notAfter = $1; - $days = (str2time($notAfter)-time())/86400.0; + $notAfterTime = str2time($notAfter); + $days = ($notAfterTime-time())/86400.0; if ($days < -180) { my $d = floor(-$days); error("EXPIRED LONG AGO ($d days)"); 
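Review bot: `$noteBeforeTime` in the new `Not Before:` branch looks like a misspelling of `$notBeforeTime`, since it is the counterpart of `$notAfterTime` set in the `Not After :` branch just below and holds `str2time($notBefore)`; the same spelling is repeated in the cryptoperiod computation in the later hunk, so both sites would need to change together. Neither `str2time` result is checked, and `str2time` returns undef for a date it cannot parse, so an unparsable or missing `Not Before:` line leaves the variable undefined or, if these are file-scope variables that are not reset between certificates, still holding the previous certificate's value, and the later cryptoperiod calculation uses it without noticing. Reporting the failure at the point of parsing keeps the two cases apart, e.g. `$noteBeforeTime = str2time($notBefore);` followed by `error("unparsable Not Before: $notBefore") unless defined $noteBeforeTime;`, with the same treatment for `$notAfterTime`. The loop this branch belongs to starts and ends outside the hunk, so whether the variables are reset per certificate cannot be confirmed from here.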
@@ -365,10 +377,35 @@ sub comment { $error = "unknown issuer: $issuerCN"; } + if ($error eq 'certificate has expired' && $days < 0) { + # an equivalent message has already been issued + $error = ''; + } + if ($error ne '') { error($error); } + # + # Some more detailed reporting for 1024-bit keys. + # + if ($pubSize == 1024) { + + if ($days < 0) { + error("1024 bit expired certificate"); + } + + # + # Complain about keys with an excessive cryptoperiod (more than + # some given number of years). + # + my $validYears = ($notAfterTime - $noteBeforeTime)/(86400.0*365.0); + my $years = sprintf "%.1f", $validYears; + if ($validYears >= $excessThreshold) { + warning("excess cryptoperiod $years years for 1024-bit key; expires $notAfter"); + } + } + # # Close the temporary file, which will also cause # it to be deleted.
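Review bot: The cryptoperiod computation `($notAfterTime - $noteBeforeTime)/(86400.0*365.0)` runs for every 1024-bit key without checking that both timestamps were actually set in this pass; if the `Not Before:` line was absent or `str2time` returned undef, Perl treats `$noteBeforeTime` as 0 (with a warning under `use warnings`), the validity comes out at roughly 40 years, and a spurious "excess cryptoperiod" warning is issued — or, if the variable still carries the previous certificate's value, a silently wrong one. Guard the block with `if (defined $notAfterTime && defined $noteBeforeTime) { ... }` or report the missing value explicitly before dividing. The suppression test `$error eq 'certificate has expired'` depends on the exact wording of OpenSSL's verify error, so a later OpenSSL that phrases it differently would quietly restore the duplicate report; a comment such as `# must match OpenSSL's verify error text exactly` makes that coupling visible. Finally, `$pubSize == 1024` leaves keys shorter than 1024 bits out of both new checks — if those are not rejected elsewhere in the script, `$pubSize <= 1024` is the safer condition. The enclosing block starts outside the hunk.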