Add a tool to check public key size of key authorities (not embedded …

…certificates, but our trusted roots).
InCommon · May 30, 2008 · 879f2a8 · 879f2a8
1 parent ae42fc7
commit 879f2a8
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 0 deletions.
diff --git a/build.xml b/build.xml
@@ -379,6 +379,17 @@
 			x="extract_authorities.xsl"/>
 	</target>
 
+	<!--
+		Check authorities
+	-->
+	<target name="check.authorities">
+		<echo>Checking authority certificates</echo>
+		<exec executable="perl" dir="${xml.dir}"
+			input="${xml.dir}/authorities.pem">
+			<arg value="${build.dir}/check_authorities.pl"/>
+		</exec>
+	</target>
+
 	<!--
 		Extract member list for joining date backfill.
 	-->

diff --git a/build/check_authorities.pl b/build/check_authorities.pl
@@ -0,0 +1,78 @@
+#!/usr/bin/perl -w
+use File::Temp qw(tempfile);
+
+while (<>) {
+
+	#
+	# Handle certificate header line.
+	#
+	if (/BEGIN CERTIFICATE/) {
+
+		#
+		# Output header line.
+		#
+		print "Authority certificate:\n";
+
+		#
+		# Create a temporary file for this certificate in PEM format.
+		#
+		($fh, $filename) = tempfile(UNLINK => 1);
+		#print "temp file is: $filename\n";
+
+		# do not buffer output to the temporary file
+		select((select($fh), $|=1)[0]);
+	}
+
+	#
+	# Put all lines into a temporary file.
+	#
+	print $fh $_;
+
+	#
+	# If this is the last line of the certificate, actually do
+	# something with it.
+	#
+	if (/END CERTIFICATE/) {
+		#
+		# Don't close the temporary file yet, because that would cause it
+		# to be deleted.  We've already arranged for buffering to be
+		# disabled, so the file can simply be passed to other applications
+		# as input, perhaps multiple times.
+		#
+
+		#
+		# Use openssl to convert the certificate to text
+		#
+		my(@lines, $issuer, $subjectCN, $issuerCN, $pubSize);
+		$cmd = "openssl x509 -in $filename -noout -text -nameopt RFC2253 |";
+		open(SSL, $cmd) || die "could not open openssl subcommand";
+		while (<SSL>) {
+			push @lines, $_;
+			if (/^\s*Issuer:\s*(.*)$/) {
+				$issuer = $1;
+				print "   Issuer: $issuer\n";
+			}
+			if (/^\s*Subject:\s*(.*)$/) {
+				$subject = $1;
+				print "   Subject: $subject\n";
+			}
+			if (/RSA Public Key: \((\d+) bit\)/) {
+				$pubSize = $1;
+				print "   Public key size: $pubSize\n";
+				if ($pubSize < 1024) {
+					print "      *** PUBLIC KEY TOO SHORT ***\n";
+				}
+			}
+		}
+		close SSL;
+		#print "   text lines: $#lines\n";
+
+		#
+		# Close the temporary file, which will also cause
+		# it to be deleted.
+		#
+		close $fh;
+
+		print "\n";
+	}
+}