Allow for short keys other than those with exactly 1024 bit modulus.

Warn for every short key, and include certificate expiry date. (Bugzilla 770)
InCommon · Feb 28, 2013 · ca05041 · ca05041
1 parent fe0b74f
commit ca05041
Showing 1 changed file with 12 additions and 14 deletions.
diff --git a/build/check_embedded.pl b/build/check_embedded.pl
@@ -249,19 +249,9 @@ sub comment {
 			#
 			if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
 				$pubSize = $1;
-				$pubSizeCount{$pubSize}++;
-				# print "   Public key size: $pubSize\n";
-				if ($pubSize < 1024) {
-					error('PUBLIC KEY TOO SHORT');
-				}
 				next;
 			} elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
 				$pubSize = $1;
-				$pubSizeCount{$pubSize}++;
-				# print "   Public key size: $pubSize\n";
-				if ($pubSize < 1024) {
-					error('PUBLIC KEY TOO SHORT');
-				}
 				next;
 			}
 
@@ -471,12 +461,20 @@ sub comment {
 		}
 
 		#
-		# Some more detailed reporting for 1024-bit keys.
+		# Handle public key size.
 		#
-		if ($pubSize == 1024) {
+		$pubSizeCount{$pubSize}++;
+		# print "   Public key size: $pubSize\n";
+		if ($pubSize < 1024) {
+
+			error('PUBLIC KEY TOO SHORT');
+
+		} elsif ($pubSize < 2048) {
 
 			if ($days < 0) {
-				error("1024 bit expired certificate");
+				error("short key ($pubSize bit) in expired certificate");
+			} else {
+				warning("short key ($pubSize bit) in certificate; expires $notAfter");
 			}
 
 			#
@@ -486,7 +484,7 @@ sub comment {
 			my $validYears = ($notAfterTime - $notBeforeTime)/(86400.0*365.0);
 			my $years = sprintf "%.1f", $validYears;
 			if ($validYears >= $excessThreshold) {
-				warning("excess cryptoperiod $years years for 1024-bit key; expires $notAfter");
+				warning("excess cryptoperiod $years years for short ($pubSize bit) key; expires $notAfter");
 			}
 		}