Add quarterly calendar-based bins to the fixed-width ones.

Use the existing error/warning mechanism instead of just prints.
internet2 · Aug 2, 2012 · b906e7b · b906e7b
1 parent 7ae469d
commit b906e7b
Showing 1 changed file with 105 additions and 12 deletions.
diff --git a/charting/shortkeys_inner.pl b/charting/shortkeys_inner.pl
@@ -56,16 +56,45 @@ sub comment {
 my $blob;
 
 #
-# Size of expiry statistical bins.
+# Size of fixed-width expiry statistical bins.
 #
 my $binSize = 90;
 
+my @quarterStartDays = (
+	"2012-10-01", # 4Q2012
+	"2013-01-01", # 1Q2013
+	"2013-04-01", # 2Q2013
+	"2013-07-01", # 3Q2013
+	"2013-10-01", # 4Q2013
+	"2014-01-01"  # 1Q2014
+);
+
+my @binNames = (
+	"expired",
+	"3Q2012",
+	"4Q2012",
+	"1Q2013",
+	"2Q2013",
+	"3Q2013",
+	"4Q2013",
+	"2014...",
+);
+
+my $quarterEndTimes = ();
+for $startDay (@quarterStartDays) {
+	#print "startDay is $startDay\n";
+	my $endTime = str2time($startDay . "T00:00:00")-1;
+	push(@quarterEndTimes, $endTime);
+}
+
 #
 # Proposed evolution deadline.
 #
 my $deadline = "2014-01-01T00:00:00";
 my $deadlineTime = str2time($deadline);
 
+my $excessThreshold = 5; # years
+
 while (<>) {
 
 	#
@@ -230,34 +259,77 @@ sub comment {
 		#
 		close $fh;
 
+		#
+		# For non-1024-bit keys, just look at whether it is expired.
+		#
+		if ($pubSize != 1024) {
+			if ($days < 0) {
+				error("EXPIRED");
+				$expiredOther++;
+			}
+		}
+
 		#
 		# Record expiry bin if 1024-bit key.
 		#
 		if ($pubSize == 1024) {
-			$validYears = ($notAfterTime - $noteBeforeTime)/(86400.0*365.0);
+
+			#
+			# Complain about keys with an excessive cryptoperiod (more than
+			# about three years).
+			#
+			my $validYears = ($notAfterTime - $noteBeforeTime)/(86400.0*365.0);
+			my $years = sprintf "%.1f", $validYears;
+			if ($validYears >= $excessThreshold) {
+				error("excess cryptoperiod $years years expires $notAfter");
+				$excessCount++;
+			}
+
+			#
+			# First expiry binning is on the basis of number of days left to
+			# run.  Bin -1 is for expired certificates, bin 99 is for those that
+			# expire on or after 2014-01-01T00:00:00.
+			#
 			if ($days < 0) {
 				$expiryBin = -1;
 				if ($days < -180) {
 					my $d = floor(-$days);
-					print "*** long-expired ($d days) 1024-bit certificate on $entity\n";
+					error("long-expired ($d days) 1024-bit certificate");
 				} else {
-					print "expired 1024-bit certificate on $entity\n";
+					warning("expired 1024-bit certificate");
 				}
 			} else {
 				$expiryBin = floor($days/$binSize);
 			}
-			if ($validYears > 3.1) {
-				my $years = sprintf "%.1f", $validYears;
-				print "excess cryptoperiod $years on $entity\n";
-			}
 			if ($expiryBin == 0) {
-				print "Expiry bin 0 dated $notAfter on $entity\n";
+				# print "Expiry bin 0 dated $notAfter on $entity\n";
 			} elsif ($notAfterTime > $deadlineTime) {
-				print "Long expiry dated $notAfter on $entity\n";
+				warning("long expiry dated $notAfter");
 				$expiryBin = 99;
-				print "   issued by $issuerCN\n";
+				comment("issued by $issuerCN");
+				if ($validYears >= $excessThreshold) {
+					$excessPlusDeadline++;
+				}
 			}
 			$expiryBinned{$expiryBin}++;
+
+			#
+			# Second expiry binning is on the basis of calendar quarter bins.
+			#
+			if ($days < 0) {
+				$expiryBin = -1;
+			} else {
+				$expiryBin = 99;
+				my $bin = 0;
+				for $quarterEndTime (@quarterEndTimes) {
+					if ($notAfterTime <= $quarterEndTime) {
+						$expiryBin = $bin;
+						last;
+					}
+					$bin++;
+				}
+			}
+			$expiryQuarterCount{$expiryBin}++;
 		}
 
 		#
@@ -286,7 +358,8 @@ sub numerically {
 		$count = $pubSizeCount{$pubSize};
 		print "   $pubSize: $count\n";
 	}
-	print "Expiry bins:\n";
+
+	print "\nExpiry bins:\n";
 	$total = 0;
 	for $bin (sort numerically keys %expiryBinned) {
 		$days = $binSize * $bin;
@@ -295,4 +368,24 @@ sub numerically {
 		print "   $bin: $count\n";
 	}
 	print "Total: $total\n";
+
+	print "\nExpiry quarters:\n";
+	$total = 0;
+	for $bin (sort numerically keys %expiryQuarterCount) {
+		$count = $expiryBinned{$bin};
+		$total += $count;
+		if ($bin == 99) {
+			$binName = ">=2014";
+		} else {
+			$binName = $binNames[$bin+1];
+		}
+		print "   $binName: $count\n";
+	}
+	print "Total: $total\n";
+
+	print "\n";
+	print "Excess cryptoperiod threshold: $excessThreshold\n";
+	print "Excess cryptoperiod: $excessCount\n";
+	print "Excess plus deadline: $excessPlusDeadline\n";
+	print "Expired, other key sizes: $expiredOther\n";
 }