From 7cf70d6d3609e8a84eef37835da4944256b587b6 Mon Sep 17 00:00:00 2001
From: Ian Young
Date: Tue, 5 Feb 2013 22:38:01 +0000
Subject: [PATCH] Add a warning when we see a <2048 bit key on the endpoint; include the certificate expiry time.
---
 build/probe_nk_certs.pl | 26 ++++++++++++++++++++++++++
 build/probe_nk_nocerts.pl | 26 ++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
diff --git a/build/probe_nk_certs.pl b/build/probe_nk_certs.pl
index 6d44f298..36554355 100755
--- a/build/probe_nk_certs.pl
+++ b/build/probe_nk_certs.pl
@@ -101,6 +101,28 @@ sub comment {
 $subject = $1;
 }
+ #
+ # Extract the public key size. This is displayed differently
+ # in different versions of OpenSSL.
+ #
+ if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
+ $pubSize = $1;
+ $pubSizeCount{$pubSize}++;
+ # print " Public key size: $pubSize\n";
+ if ($pubSize < 1024) {
+ error('PUBLIC KEY TOO SHORT');
+ }
+ next;
+ } elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
+ $pubSize = $1;
+ $pubSizeCount{$pubSize}++;
+ # print " Public key size: $pubSize\n";
+ if ($pubSize < 1024) {
+ error('PUBLIC KEY TOO SHORT');
+ }
+ next;
+ }
+
 if (/Not After : (.*)$/) {
 $notAfter = $1;
 $notAfterTime = str2time($notAfter);
@@ -122,6 +144,10 @@ sub comment {
 }
+ if ($pubSize < 2048) {
+ warning("short public key: $pubSize bits, certificate expires $notAfter");
+ }
+
 if ($subject eq $issuer) {
 $issuer = "(self-signed certificate)";
 }
diff --git a/build/probe_nk_nocerts.pl b/build/probe_nk_nocerts.pl
index 9d850118..808f6ac6 100755
--- a/build/probe_nk_nocerts.pl
+++ b/build/probe_nk_nocerts.pl
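Review bot: The OpenSSL 1.0 branch's pattern `/^\s*Public-Key: \((\d+) bit\)/` is not RSA-specific, so a certificate carrying an EC key (OpenSSL 1.0 prints the same `Public-Key: (N bit)` line for those, and 256 bits is normal there) would be flagged 'PUBLIC KEY TOO SHORT' although it is not weak; if non-RSA endpoint keys can occur, the 1024-bit threshold should only apply when the algorithm line says RSA. Apart from the regex, the two branches are line-for-line identical, and a single alternation `if (/(?:RSA Public Key|^\s*Public-Key): \((\d+) bit\)/) {` with one body would avoid keeping two copies of the threshold in step. The 1024 here and the 2048 in the later hunk are bare literals; naming them (`use constant { MIN_KEY_BITS => 1024, RECOMMENDED_KEY_BITS => 2048 };`) would record why the two differ. The same duplicated block appears in the probe_nk_nocerts.pl hunk at -107. The loop that this `next;` belongs to starts and ends outside the hunk, so whether $pubSize is reset for each certificate cannot be seen here.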
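Review bot: `if ($pubSize < 2048)` compares $pubSize unguarded, so for a certificate whose output matched neither key-size pattern the check either warns with an empty size ("short public key:  bits", with an uninitialized-value warning under `use warnings`) or, if $pubSize still holds the previous certificate's value (its declaration and any reset are outside the hunk), reports the wrong key; `if (defined $pubSize && $pubSize < 2048)` plus an explicit warning for the unmatched case would make the report trustworthy. A key below 1024 bits now triggers both the error from the earlier hunk and this warning; if that double report is unintended, gate this on `$pubSize >= 1024`. The same applies to the probe_nk_nocerts.pl hunk at -128.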
@@ -107,6 +107,28 @@ sub comment {
 $subject = $1;
 }
+ #
+ # Extract the public key size. This is displayed differently
+ # in different versions of OpenSSL.
+ #
+ if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
+ $pubSize = $1;
+ $pubSizeCount{$pubSize}++;
+ # print " Public key size: $pubSize\n";
+ if ($pubSize < 1024) {
+ error('PUBLIC KEY TOO SHORT');
+ }
+ next;
+ } elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
+ $pubSize = $1;
+ $pubSizeCount{$pubSize}++;
+ # print " Public key size: $pubSize\n";
+ if ($pubSize < 1024) {
+ error('PUBLIC KEY TOO SHORT');
+ }
+ next;
+ }
+
 if (/Not After : (.*)$/) {
 $notAfter = $1;
 $notAfterTime = str2time($notAfter);
@@ -128,6 +150,10 @@ sub comment {
 }
+ if ($pubSize < 2048) {
+ warning("short public key: $pubSize bits, certificate expires $notAfter");
+ }
+
 if ($subject eq $issuer) {
 $issuer = "(self-signed certificate)";
 }