From b906e7be66956be8914939322df612331b2b171b Mon Sep 17 00:00:00 2001
From: Ian Young
Date: Thu, 2 Aug 2012 16:48:14 +0000
Subject: [PATCH] Add quarterly calendar-based bins to the fixed-width ones. Use the existing error/warning mechanism instead of just prints.
---
 charting/shortkeys_inner.pl | 117 ++++++++++++++++++++++++++++++++----
 1 file changed, 105 insertions(+), 12 deletions(-)
diff --git a/charting/shortkeys_inner.pl b/charting/shortkeys_inner.pl
index f9d535e0..bbf780f2 100755
--- a/charting/shortkeys_inner.pl
+++ b/charting/shortkeys_inner.pl
@@ -56,16 +56,45 @@ sub comment {
 my $blob;
 #
-# Size of expiry statistical bins.
+# Size of fixed-width expiry statistical bins.
 #
 my $binSize = 90;
+my @quarterStartDays = (
+ "2012-10-01", # 4Q2012
+ "2013-01-01", # 1Q2013
+ "2013-04-01", # 2Q2013
+ "2013-07-01", # 3Q2013
+ "2013-10-01", # 4Q2013
+ "2014-01-01" # 1Q2014
+);
+
+my @binNames = (
+ "expired",
+ "3Q2012",
+ "4Q2012",
+ "1Q2013",
+ "2Q2013",
+ "3Q2013",
+ "4Q2013",
+ "2014...",
+);
+
+my $quarterEndTimes = ();
+for $startDay (@quarterStartDays) {
+ #print "startDay is $startDay\n";
+ my $endTime = str2time($startDay . "T00:00:00")-1;
+ push(@quarterEndTimes, $endTime);
+}
+
 #
 # Proposed evolution deadline.
 #
 my $deadline = "2014-01-01T00:00:00";
 my $deadlineTime = str2time($deadline);
+my $excessThreshold = 5; # years
+
 while (<>) {
 #
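Review bot: `my $quarterEndTimes = ();` declares a scalar, but the loop right after it pushes onto `@quarterEndTimes`, a different variable that is never declared in this hunk, so the quarter boundaries land in a package global and the lexical is dead. Declare the array and scope the loop variable: `my @quarterEndTimes;` and `for my $startDay (@quarterStartDays) {`. As written this presumably only runs because the script is not under `use strict`, which the hunk does not show. A comment above the loop such as `# End of each quarter = one second before the next quarter's first day.` would also help, since the inline labels in `@quarterStartDays` name the quarter that starts on each date, not the one whose end time is computed from it.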
@@ -230,34 +259,77 @@ sub comment {
 #
 close $fh;
+ #
+ # For non-1024-bit keys, just look at whether it is expired.
+ #
+ if ($pubSize != 1024) {
+ if ($days < 0) {
+ error("EXPIRED");
+ $expiredOther++;
+ }
+ }
+
 #
 # Record expiry bin if 1024-bit key.
 #
 if ($pubSize == 1024) {
- $validYears = ($notAfterTime - $noteBeforeTime)/(86400.0*365.0);
+
+ #
+ # Complain about keys with an excessive cryptoperiod (more than
+ # about three years).
+ #
+ my $validYears = ($notAfterTime - $noteBeforeTime)/(86400.0*365.0);
+ my $years = sprintf "%.1f", $validYears;
+ if ($validYears >= $excessThreshold) {
+ error("excess cryptoperiod $years years expires $notAfter");
+ $excessCount++;
+ }
+
+ #
+ # First expiry binning is on the basis of number of days left to
+ # run. Bin -1 is for expired certificates, bin 99 is for those that
+ # expire on or after 2014-01-01T00:00:00.
+ #
 if ($days < 0) {
 $expiryBin = -1;
 if ($days < -180) {
 my $d = floor(-$days);
- print "*** long-expired ($d days) 1024-bit certificate on $entity\n";
+ error("long-expired ($d days) 1024-bit certificate");
 } else {
- print "expired 1024-bit certificate on $entity\n";
+ warning("expired 1024-bit certificate");
 }
 } else {
 $expiryBin = floor($days/$binSize);
 }
- if ($validYears > 3.1) {
- my $years = sprintf "%.1f", $validYears;
- print "excess cryptoperiod $years on $entity\n";
- }
 if ($expiryBin == 0) {
- print "Expiry bin 0 dated $notAfter on $entity\n";
+ # print "Expiry bin 0 dated $notAfter on $entity\n";
 } elsif ($notAfterTime > $deadlineTime) {
- print "Long expiry dated $notAfter on $entity\n";
+ warning("long expiry dated $notAfter");
 $expiryBin = 99;
- print " issued by $issuerCN\n";
+ comment("issued by $issuerCN");
+ if ($validYears >= $excessThreshold) {
+ $excessPlusDeadline++;
+ }
 }
 $expiryBinned{$expiryBin}++;
+
+ #
+ # Second expiry binning is on the basis of calendar quarter bins.
+ #
+ if ($days < 0) {
+ $expiryBin = -1;
+ } else {
+ $expiryBin = 99;
+ my $bin = 0;
+ for $quarterEndTime (@quarterEndTimes) {
+ if ($notAfterTime <= $quarterEndTime) {
+ $expiryBin = $bin;
+ last;
+ }
+ $bin++;
+ }
+ }
+ $expiryQuarterCount{$expiryBin}++;
 }
 #
@@ -286,7 +358,8 @@ sub numerically {
 $count = $pubSizeCount{$pubSize};
 print " $pubSize: $count\n";
 }
- print "Expiry bins:\n";
+
+ print "\nExpiry bins:\n";
 $total = 0;
 for $bin (sort numerically keys %expiryBinned) {
 $days = $binSize * $bin;
@@ -295,4 +368,24 @@ sub numerically {
 print " $bin: $count\n";
 }
 print "Total: $total\n";
+
+ print "\nExpiry quarters:\n";
+ $total = 0;
+ for $bin (sort numerically keys %expiryQuarterCount) {
+ $count = $expiryBinned{$bin};
+ $total += $count;
+ if ($bin == 99) {
+ $binName = ">=2014";
+ } else {
+ $binName = $binNames[$bin+1];
+ }
+ print " $binName: $count\n";
+ }
+ print "Total: $total\n";
+
+ print "\n";
+ print "Excess cryptoperiod threshold: $excessThreshold\n";
+ print "Excess cryptoperiod: $excessCount\n";
+ print "Excess plus deadline: $excessPlusDeadline\n";
+ print "Expired, other key sizes: $expiredOther\n";
 }
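Review bot: The comment added above `my $validYears` still says "more than about three years", but the test is now `$validYears >= $excessThreshold` with the threshold set to 5, so certificates valid for roughly 3.1 to 5 years, which the removed check reported, are no longer flagged. If relaxing the audit is intended, the comment should say so, e.g. `# Complain about keys whose cryptoperiod is $excessThreshold years or more.`; if not, the threshold should go back to about 3. The same expression reads `$noteBeforeTime`, which looks like a misspelling of `$notBeforeTime` carried over from the old line. Its assignment is outside the hunk, so this needs confirming, but an undefined value there would measure every validity period from the epoch and flag every 1024-bit certificate as excess. The enclosing `while (<>)` loop starts before this hunk.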
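Review bot: In the new "Expiry quarters" loop, `$count = $expiryBinned{$bin};` reads the fixed-width hash while iterating over the keys of `%expiryQuarterCount`, so the per-quarter report prints the 90-day bin counts (or an empty value where the key does not exist) and its total is wrong. The line should be `$count = $expiryQuarterCount{$bin};`. The three counters printed at the end (`$excessCount`, `$excessPlusDeadline`, `$expiredOther`) are only ever incremented in the visible hunks, so a run with no hits prints an empty value rather than 0; initialising them next to `$excessThreshold`, e.g. `my $excessCount = 0;`, avoids that. The block closed by the final `}` begins outside the hunk.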