Skip to content

Commit

Permalink
Remove binning by fixed-width bins. Correct calendar quarter binning …
Browse files Browse the repository at this point in the history 
…algorithm by fixing the comparison date for certificate expiry, and by correcting the calendar binning display (which was using the fixed-width bins by accident).
  • Loading branch information
@iay
iay committed Sep 21, 2012
1 parent 4bc17e3 commit 8a4d529
Showing 1 changed file with 32 additions and 42 deletions.
74 changes: 32 additions & 42 deletions charting/shortkeys_inner.pl
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
#!/usr/bin/perl -w
use POSIX qw(floor);
use File::Temp qw(tempfile);
use Date::Format;
use Date::Parse;
use Digest::SHA1 qw(sha1 sha1_hex sha1_base64);

Expand All @@ -9,7 +10,7 @@
# UK federation metadata.
#
# The certificates are provided on standard input in PEM format with header lines
# indicating the entity with which they are associated.
# indicating the entity with which they are associated.
#
# Command line options:
#
Expand Down Expand Up @@ -55,11 +56,6 @@ sub comment {
#
my $blob;

#
# Size of fixed-width expiry statistical bins.
#
my $binSize = 90;

my @quarterStartDays = (
"2012-10-01", # 4Q2012
"2013-01-01", # 1Q2013
Expand All @@ -85,6 +81,8 @@ sub comment {
#print "startDay is $startDay\n";
my $endTime = str2time($startDay . "T00:00:00")-1;
push(@quarterEndTimes, $endTime);
# local $endTimeText = time2str('%Y-%m-%dT%H:%M:%S', $endTime);
# print "end time corresponding to $startDay is $endTime ($endTimeText)\n";
}

#
Expand All @@ -93,6 +91,15 @@ sub comment {
my $deadline = "2014-01-01T00:00:00";
my $deadlineTime = str2time($deadline);

#
# Start of the current month, as an approximation of what we want
# to regard as an "expired" certificate. Ideally, this would be
# passed in as a parameter.
#
#my $nowYearMonth = '2012-08-01T00:00:00';
my $nowYearMonth = time2str('%Y-%m-01T00:00:00', time());
my $validStart = str2time($nowYearMonth);

my $excessThreshold = 5; # years

while (<>) {
Expand All @@ -113,7 +120,7 @@ sub comment {
$keyname = $args[3];

#
# Output header line.
# Output header line.
#
$oline = "Entity $entity ";
$hasKeyName = !($keyname eq '(none)');
Expand Down Expand Up @@ -177,7 +184,7 @@ sub comment {
my %names;

#
# Use openssl to convert the certificate to text
# Use openssl to convert the certificate to text
#
my(@lines, $issuer, $subjectCN, $issuerCN);
$cmd = "openssl x509 -in $filename -noout -text -nameopt RFC2253 -modulus |";
Expand Down Expand Up @@ -210,15 +217,15 @@ sub comment {
if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
$pubSize = $1;
$pubSizeCount{$pubSize}++;
# print " Public key size: $pubSize\n";
# print " Public key size: $pubSize\n";
if ($pubSize < 1024) {
error('PUBLIC KEY TOO SHORT');
}
next;
} elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
$pubSize = $1;
$pubSizeCount{$pubSize}++;
# print " Public key size: $pubSize\n";
# print " Public key size: $pubSize\n";
if ($pubSize < 1024) {
error('PUBLIC KEY TOO SHORT');
}
Expand All @@ -233,7 +240,7 @@ sub comment {
if (/Not After : (.*)$/) {
$notAfter = $1;
$notAfterTime = str2time($notAfter);
$days = ($notAfterTime-time())/86400.0;
$days = ($notAfterTime-$validStart)/86400.0;
next;
}

Expand Down Expand Up @@ -276,7 +283,7 @@ sub comment {

#
# Complain about keys with an excessive cryptoperiod (more than
# about three years).
# about three years for a 1024-bit key).
#
my $validYears = ($notAfterTime - $notBeforeTime)/(86400.0*365.0);
my $years = sprintf "%.1f", $validYears;
Expand All @@ -286,35 +293,22 @@ sub comment {
}

#
# First expiry binning is on the basis of number of days left to
# run. Bin -1 is for expired certificates, bin 99 is for those that
# expire on or after 2014-01-01T00:00:00.
# Complain about expired 1024-bit certificates.
#
if ($days < 0) {
$expiryBin = -1;
if ($days < -180) {
my $d = floor(-$days);
error("long-expired ($d days) 1024-bit certificate");
} else {
warning("expired 1024-bit certificate");
}
} else {
$expiryBin = floor($days/$binSize);
}
if ($expiryBin == 0) {
# print "Expiry bin 0 dated $notAfter on $entity\n";
} elsif ($notAfterTime > $deadlineTime) {
warning("long expiry dated $notAfter");
$expiryBin = 99;
comment("issued by $issuerCN");
if ($validYears >= $excessThreshold) {
$excessPlusDeadline++;
}
}
$expiryBinned{$expiryBin}++;

#
# Second expiry binning is on the basis of calendar quarter bins.
# Expiry binning is on the basis of calendar quarter bins.
#
# Bin -1 is for expired certificates, bin 99 is for those that
# expire on or after 2014-01-01T00:00:00.
#
if ($days < 0) {
$expiryBin = -1;
Expand All @@ -329,6 +323,7 @@ sub comment {
$bin++;
}
}
# print "date $notAfter gets bin $expiryBin\n";
$expiryQuarterCount{$expiryBin}++;
}

Expand All @@ -349,30 +344,26 @@ sub numerically {
}

if ($total_certs > 1) {

print "Total certificates: $total_certs\n";
if ($distinct_certs != $total_certs) {
print "Distinct certificates: $distinct_certs\n";
}

print "Key size distribution:\n";
for $pubSize (sort keys %pubSizeCount) {
$count = $pubSizeCount{$pubSize};
print " $pubSize: $count\n";
}

print "\nExpiry bins:\n";
$total = 0;
for $bin (sort numerically keys %expiryBinned) {
$days = $binSize * $bin;
$count = $expiryBinned{$bin};
$total += $count;
print " $bin: $count\n";
}
print "Total: $total\n";

print "\nExpiry quarters:\n";
$total = 0;
for $bin (sort numerically keys %expiryQuarterCount) {
$count = $expiryBinned{$bin};
if (defined($expiryQuarterCount{$bin})) {
$count = $expiryQuarterCount{$bin};
} else {
$count = 0; # nothing was put in that bin
}
$total += $count;
if ($bin == 99) {
$binName = ">=2014";
Expand All @@ -386,6 +377,5 @@ sub numerically {
print "\n";
print "Excess cryptoperiod threshold: $excessThreshold\n";
print "Excess cryptoperiod: $excessCount\n";
print "Excess plus deadline: $excessPlusDeadline\n";
print "Expired, other key sizes: $expiredOther\n";
}

0 comments on commit 8a4d529

Please sign in to comment.