Skip to content
This repository has been archived by the owner. It is now read-only.

Commit

Permalink
Rework short keys charting to track certificates with KeyNames instead.
Browse files Browse the repository at this point in the history
  • Loading branch information
@iay
iay committed Jan 3, 2014
1 parent 3c5ec76 commit 827d831
Show file tree
Hide file tree
Showing 2 changed files with 100 additions and 139 deletions.
21 changes: 11 additions & 10 deletions charting/shortkeys.pl → charting/keynames.pl
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
#!/usr/bin/env perl -w

#
# shortkeys.pl
# keynames.pl
#
# Extracts statistics about short embedded keys from the published metadata.
# Extracts statistics about KeyName elements from the published metadata.
#
use lib "../build";
use Xalan;
Expand All @@ -29,19 +29,20 @@
# print "command is $command\n";
system($command); # || print "ignoring claimed failure in sub command\n";
#print "Xalan run on $fn\n";
open(TXT, "perl shortkeys_inner.pl -q <temp.tmp|") || die "could not open input file";
my $count = 0;
open(TXT, "perl keynames_inner.pl -q <temp.tmp|") || die "could not open input file";
while (<TXT>) {
if (/^ 1024: (\d+)$/) {
if (/^Total: (\d+)$/) {
$count = $1;
}
#print $_;
print $_ unless $allMonths;
}
push @counts, "$month: $count";
close TXT;
push @counts, "$month: $count";
}

print "Key count:\n";
foreach $count (@counts) {
print "$count\n";
if ($allMonths) {
print "KeyName count:\n";
foreach $count (@counts) {
print "$count\n";
}
}
218 changes: 89 additions & 129 deletions charting/shortkeys_inner.pl → charting/keynames_inner.pl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,18 +5,6 @@
use Date::Parse;
use Digest::SHA1 qw(sha1 sha1_hex sha1_base64);

#
# Perform checks on a series of certificates that are to be, or have been, embedded in the
# UK federation metadata.
#
# The certificates are provided on standard input in PEM format with header lines
# indicating the entity with which they are associated.
#
# Command line options:
#
# -q quiet don't print anything out if there are no problems detected
#

sub error {
my($s) = @_;
push(@olines, ' *** ' . $s . ' ***');
Expand Down Expand Up @@ -56,39 +44,73 @@ sub comment {
#
my $blob;

my @quarterStartDays = (
"2012-10-01", # 4Q2012
"2013-01-01", # 1Q2013
"2013-04-01", # 2Q2013
"2013-07-01", # 3Q2013
"2013-10-01", # 4Q2013
"2014-01-01" # 1Q2014
#
# The day that follows the end of each bin.
#
# Bin 0, running from 2014-01-01 to 2014-01-31,
# is followed by the start of bin 1 on 2014-02-01.
#
my @binNextDays = (
"2014-02-01",
"2014-03-01",
"2014-04-01",
"2014-05-01",
"2014-06-01",
"2014-07-01",
"2014-08-01",
"2014-09-01",
"2014-10-01",
"2014-11-01",
"2014-12-01",
"2015-01-01", # 1Q2015
"2015-04-01", # 2Q2015
"2015-07-01", # 3Q2015
"2015-10-01", # 4Q2015
"2016-01-01", # 2016
"2017-01-01", # 2017
"2018-01-01", # 2018...
);

#
# Names for bins. The index into this array is
# displaced by 1, so that the first element (index 0)
# gives the name for bin -1 ("expired").
#
my @binNames = (
"expired",
"3Q2012",
"4Q2012",
"1Q2013",
"2Q2013",
"3Q2013",
"4Q2013",
"2014...",
"Jan 14",
"Feb 14",
"Mar 14",
"Apr 14",
"May 14",
"Jun 14",
"Jul 14",
"Aug 14",
"Sep 14",
"Oct 14",
"Nov 14",
"Dec 14",
"2015Q1",
"2015Q2",
"2015Q3",
"2015Q4",
"2016",
"2017",
);

my $quarterEndTimes = ();
for $startDay (@quarterStartDays) {
my $binEndTimes = ();
for $startDay (@binNextDays) {
#print "startDay is $startDay\n";
my $endTime = str2time($startDay . "T00:00:00")-1;
push(@quarterEndTimes, $endTime);
push(@binEndTimes, $endTime);
# local $endTimeText = time2str('%Y-%m-%dT%H:%M:%S', $endTime);
# print "end time corresponding to $startDay is $endTime ($endTimeText)\n";
}

#
# Proposed evolution deadline.
#
my $deadline = "2014-01-01T00:00:00";
my $deadline = "2015-01-01T00:00:00";
my $deadlineTime = str2time($deadline);

#
Expand All @@ -100,8 +122,6 @@ sub comment {
my $nowYearMonth = time2str('%Y-%m-01T00:00:00', time());
my $validStart = str2time($nowYearMonth);

my $excessThreshold = 5; # years

while (<>) {

#
Expand Down Expand Up @@ -130,7 +150,12 @@ sub comment {
$oline .= "has no KeyName";
}
push(@olines, $oline);
$blob = $oline; # start building a new blob

# Start the blob like this if you want per-entity deduplication
# $blob = $oline; # start building a new blob

# Start the blob like this if you want global deduplication
$blob = "";

#
# Create a temporary file for this certificate in PEM format.
Expand All @@ -154,6 +179,17 @@ sub comment {
# something with it.
#
if (/END CERTIFICATE/) {

#
# If the certificate is not associated with a KeyName,
# we ignore it entirely.
#
if (!$hasKeyName) {
# print "ignoring certificate with no KeyName\n";
close $fh;
next;
}

#
# Have we seen this blob before? If so, close (and delete) the
# temporary file, and go and look for a new certificate to process.
Expand Down Expand Up @@ -209,41 +245,13 @@ sub comment {
# print "subjectCN = $subjectCN\n";
next;
}

#
# Extract the public key size. This is displayed differently
# in different versions of OpenSSL.
#
if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
$pubSize = $1;
$pubSizeCount{$pubSize}++;
# print " Public key size: $pubSize\n";
if ($pubSize < 1024) {
error('PUBLIC KEY TOO SHORT');
}
next;
} elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
$pubSize = $1;
$pubSizeCount{$pubSize}++;
# print " Public key size: $pubSize\n";
if ($pubSize < 1024) {
error('PUBLIC KEY TOO SHORT');
}
next;
}

if (/Not Before: (.*)$/) {
$notBefore = $1;
$notBeforeTime = str2time($notBefore);
}

if (/Not After : (.*)$/) {
$notAfter = $1;
$notAfterTime = str2time($notAfter);
$days = ($notAfterTime-$validStart)/86400.0;
next;
}

}
close SSL;

Expand All @@ -267,65 +275,26 @@ sub comment {
close $fh;

#
# For non-1024-bit keys, just look at whether it is expired.
#
if ($pubSize != 1024) {
if ($days < 0) {
error("EXPIRED");
$expiredOther++;
}
}

# Expiry binning is on the basis of calendar period bins.
#
# Record expiry bin if 1024-bit key.
# Bin -1 is for expired certificates, bin 99 is for those that
# expire on or after 2018-01-01T00:00:00.
#
if ($pubSize == 1024) {

#
# Complain about keys with an excessive cryptoperiod (more than
# about three years for a 1024-bit key).
#
my $validYears = ($notAfterTime - $notBeforeTime)/(86400.0*365.0);
my $years = sprintf "%.1f", $validYears;
if ($validYears >= $excessThreshold) {
error("excess cryptoperiod $years years expires $notAfter");
$excessCount++;
}

#
# Complain about expired 1024-bit certificates.
#
if ($days < 0) {
if ($days < -180) {
my $d = floor(-$days);
error("long-expired ($d days) 1024-bit certificate");
} else {
warning("expired 1024-bit certificate");
}
}

#
# Expiry binning is on the basis of calendar quarter bins.
#
# Bin -1 is for expired certificates, bin 99 is for those that
# expire on or after 2014-01-01T00:00:00.
#
if ($days < 0) {
$expiryBin = -1;
} else {
$expiryBin = 99;
my $bin = 0;
for $quarterEndTime (@quarterEndTimes) {
if ($notAfterTime <= $quarterEndTime) {
$expiryBin = $bin;
last;
}
$bin++;
if ($days < 0) {
$expiryBin = -1;
} else {
$expiryBin = 99;
my $bin = 0;
for $binEndTime (@binEndTimes) {
if ($notAfterTime <= $binEndTime) {
$expiryBin = $bin;
last;
}
$bin++;
}
# print "date $notAfter gets bin $expiryBin\n";
$expiryQuarterCount{$expiryBin}++;
}
# print "date $notAfter gets bin $expiryBin\n";
$expiryBinCount{$expiryBin}++;

#
# Print any interesting things related to this certificate.
Expand All @@ -350,23 +319,17 @@ sub numerically {
print "Distinct certificates: $distinct_certs\n";
}

print "Key size distribution:\n";
for $pubSize (sort keys %pubSizeCount) {
$count = $pubSizeCount{$pubSize};
print " $pubSize: $count\n";
}

print "\nExpiry quarters:\n";
print "\nExpiry bins:\n";
$total = 0;
for $bin (sort numerically keys %expiryQuarterCount) {
if (defined($expiryQuarterCount{$bin})) {
$count = $expiryQuarterCount{$bin};
for $bin (sort numerically keys %expiryBinCount) {
if (defined($expiryBinCount{$bin})) {
$count = $expiryBinCount{$bin};
} else {
$count = 0; # nothing was put in that bin
}
$total += $count;
if ($bin == 99) {
$binName = ">=2014";
$binName = ">=2018";
} else {
$binName = $binNames[$bin+1];
}
Expand All @@ -375,7 +338,4 @@ sub numerically {
print "Total: $total\n";

print "\n";
print "Excess cryptoperiod threshold: $excessThreshold\n";
print "Excess cryptoperiod: $excessCount\n";
print "Expired, other key sizes: $expiredOther\n";
}

0 comments on commit 827d831

Please sign in to comment.