From 073146883bff64780ea79d8d54cdc8b8084e5233 Mon Sep 17 00:00:00 2001
From: Ian Young
Date: Tue, 20 Sep 2016 16:50:11 +0100
Subject: [PATCH] Simplify weekly embedded certificate summary

Resolves #35.
---
 utilities/check_embedded.pl | 63 +++++++++----------------------------
 1 file changed, 15 insertions(+), 48 deletions(-)

diff --git a/utilities/check_embedded.pl b/utilities/check_embedded.pl
index cd502c00..8f324cef 100755
--- a/utilities/check_embedded.pl
+++ b/utilities/check_embedded.pl
@@ -31,25 +31,6 @@
 #
 my $longExpiredDays = 30*3; # about three months
 
-#
-# Request verbose tabulation of certificate issuers.
-#
-my $verboseIssuers = 0;
-
-#
-# Issuer marks (only shown in the absence of verboseIssuers)
-#
-my %issuerMark;
-
-# ex-roots
-$issuerMark{'AddTrust External CA Root'} = 'X';
-$issuerMark{'UTN-USERFirst-Hardware'} = 'x';
-$issuerMark{'TERENA SSL CA'} = 'x';
-$issuerMark{'GlobalSign Root CA'} = 'X';
-$issuerMark{'GlobalSign Organization Validation CA'} = 'x';
-$issuerMark{'GlobalSign Primary Secure Server CA'} = 'x';
-$issuerMark{'GlobalSign ServerSign CA'} = 'x';
-
 #
 # Load expiry whitelist.
 #
@@ -131,7 +112,7 @@ sub comment {
 # Discard blank lines.
 #
 next if /^\s*$/;
-
+
 #
 # Handle Entity/KeyName header line.
 #
@@ -148,7 +129,7 @@ sub comment {
 if ($entity =~ /^\[(.+)\](.+)$/) {
 $entity = $2 . ' (' . $1 . ')';
 }
-
+
 #
 # Output header line.
 #
@@ -178,13 +159,13 @@ sub comment {
 select((select($fh), $|=1)[0]);
 next;
 }
-
+
 #
 # Put other lines into a temporary file.
 #
 print $fh $_;
 $blob .= '|' . $_;
-
+
 #
 # If this is the last line of the certificate, actually do
 # something with it.
@@ -200,7 +181,7 @@ sub comment {
 close $fh;
 next;
 }
-
+
 #
 # Otherwise, remember this blob so that we won't process it again.
 #
@@ -213,12 +194,12 @@ sub comment {
 # disabled, so the file can simply be passed to other applications
 # as input, perhaps multiple times.
 #
-
+
 #
 # Collection of names this certificate contains
 #
 my %names;
-
+
 #
 # Use openssl to convert the certificate to text
 #
@@ -239,7 +220,7 @@ sub comment {
 }
 next;
 }
-
+
 if (/^\s*Subject:\s*(.*)$/) {
 $subject = $1;
 if ($subject =~ /CN=([^,]+)/) {
@@ -250,7 +231,7 @@ sub comment {
 }
 next;
 }
-
+
 #
 # Extract the certificate fingerprint.
 #
@@ -272,7 +253,7 @@ sub comment {
 $pubSize = $1;
 next;
 }
-
+
 if (/Not After : (.*)$/) {
 $notAfter = $1;
 $notAfterTime = str2time($notAfter);
@@ -314,7 +295,7 @@ sub comment {
 # DNS:www.example.co.uk, DNS:example.co.uk, URI:http://example.co.uk/
 #
 my $next = ;
-
+
 #
 # Make an array of components, each something like "DNS:example.co.uk"
 #
@@ -322,17 +303,17 @@ sub comment {
 my @altNames = split /\s*,\s*/, $next;
 # my $altSet = "{" . join(", ", @altNames) . "}";
 # print "Alt set: $altSet\n";
-
+
 #
 # Each "DNS" component is an additional name for this certificate.
 #
 while (@altNames) {
 my ($type, $altName) = split(":", pop @altNames);
- $names{lc $altName}++ if $type eq 'DNS';
+ $names{lc $altName}++ if $type eq 'DNS';
 }
 next;
 }
-
+
 }
 close SSL;
 #print " text lines: $#lines\n";
@@ -376,27 +357,13 @@ sub comment {
 #
 close $fh;
 
- #
- # Add a warning for certain issuers.
- #
- if (defined $issuerMark{$issuerCN}) {
- my $mark = $issuerMark{$issuerCN};
- if ($mark eq '?') {
- warning("issuer '$issuerCN' suspect; verify");
- }
- }
-
 #
 # Count issuers.
 #
 if ($issuer eq $subject) {
 $issuers{'(self-signed certificate)'}++;
 } else {
- if ($verboseIssuers) {
- $issuers{$issuer}++;
- } else {
- $issuers{$issuerCN}++;
- }
+ $issuers{'Other'}++;
 }
 
 #
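Review bot: In the last hunk (`@@ -376,27 +357,13 @@`) the new `$issuers{'Other'}++;` puts every certificate that is not self-signed into a single bucket, so the `# Count issuers.` comment three lines above it no longer describes what is counted; change it to `# Count self-signed certificates separately from all others.` so the summary's two keys are explained where they are produced. For consistency with the existing `'(self-signed certificate)'` key that is printed beside it, the label `'(other issuer)'` would read better than `'Other'`. Since this hunk also removes the only visible reader of `$issuerCN` (`$issuers{$issuerCN}++`), the code that extracts the issuer CN earlier in the script may now be dead — that extraction is outside this patch, so it is worth checking before deleting it. The loop body containing this block starts and ends outside the hunk.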