View Issue Details

IDProjectCategoryView StatusLast Update
0000954Main CAcert Websitecertificate issuingpublic2014-03-07 12:35
ReporterUli60 Assigned ToTed  
PriorityurgentSeveritymajorReproducibilityhave not tried
Status closedResolutionfixed 
Fixed in Version2011 Q3 
Summary0000954: script to bulk revoke weak keys
Descriptionbased on https://wiki.cacert.org/Arbitrations/a20110312.1
and https://bugs.cacert.org/view.php?id=918
a script for bulk revocation of weak keys needs to developed
Additional Information/pages/account/5.php lists current/valid certs
form submit revoke ->
$query = "select UNIX_TIMESTAMP(`emailcerts`.`created`) as `created`,
UNIX_TIMESTAMP(`emailcerts`.`expire`) - UNIX_TIMESTAMP() as `timeleft`,
UNIX_TIMESTAMP(`emailcerts`.`expire`) as `expired`,
`emailcerts`.`expire` as `expires`, `emailcerts`.`revoked` as `revoke`,
UNIX_TIMESTAMP(`emailcerts`.`revoked`) as `revoked`, `emailcerts`.`id`,
`emailcerts`.`CN`, emailcerts.disablelogin as `disablelogin`
from `emailcerts` where `emailcerts`.`memid`='".$_SESSION['profile']['id']."'";

<? if($verified != _("Pending") && $verified != _("Revoked")) { ?>
    <td class="DataTD"><input type="checkbox" name="revokeid[]" value="<?=$row['id']?>"></td>

<input type="submit" name="revoke" value="<?=_("Revoke/Delete")?>"></td>

<input type="hidden" name="oldid" value="<?=$id?>">
<input type="hidden" name="csrf" value="<?=make_csrf('clicerchange')?>" />

to script account.php

/www/account.php
include /includes/account.php
require_once /includes/loggedin.php

server key revoke see /includes/account.php l. 908 ff.
email cert revoke see /includes/account.php l. 1048 ff. (pending request)
orgemail certs revoke see /includes/account.php l. 1640 ff.


TagsNo tags attached.
Reviewed byTed, NEOatNHNG
Test Instructions

Relationships

related to 0000918 closedNEOatNHNG Weak keys in certificates 
related to 0001255 closedwytze DSA certificate issuing ignores key strength 

Activities

Ted

2011-06-28 12:08

administrator   ~0002065

Affected certificates have to be selected as in scripts/DumpWeakCerts.pl (bug#918), since we did not store a list of weak certs...

Ted

2011-06-29 21:03

administrator   ~0002072

Revocation in website code is done in includes\account.php:

Email certs ($oldid=5):
mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");

Server certs ($oldid=12):
mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");

Org Server ($oldid=22):
mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");

Org Client ($oldid=18):
mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");

Ted

2011-06-29 22:06

administrator   ~0002073

Created branch bug-954 in git.

Roadmap:
- Extend DumpWeakKeys.pl to also dump record IDs (done)
- Create a little script mass-revocate.php which takes certificate type and record ID from stdin and does the database updates
- pipe DumpWeakKeys.pl into mass-revocate.php, strip unneeded columns using sed

Ted

2011-07-10 21:46

administrator   ~0002108

Last edited: 2011-07-12 06:44

Checked in mass-revoke.php to GIT branch bug-954

Make the scripts executable (chmod 755 ...) and call with "./DumpWeakCerts.pl | ./mass-revoke.php", maybe modify DumpWeakCerts.pl to report some specific certificates of your test account.

NEOatNHNG

2011-07-21 00:17

administrator   ~0002168

Reviewed, looks good in general. Had to do some formatting to better be able to read it, this is a whitespace adjustment commit only (diff looks huge but actual change should be almost non-existant) and also got rid of the extra parameter of fgets() in a separate commit as without it just as many characters as needed will be read and the given value looks quite arbitrary.

Please rereview (I suggest you do that commit by commit). I guess testing is not really possible without shell access.

Ted

2011-07-27 21:14

administrator   ~0002215

Sent patch request to critical admins, merged into release branch

wytze

2011-07-28 08:03

developer   ~0002216

Fix applied to production system on July 28, 2011, as documented here:
https://lists.cacert.org/wws/arc/cacert-systemlog/2011-07/msg00010.html

Execution of the mass_revoke script will be documented through Arbitration Case
https://wiki.cacert.org/Arbitrations/a20110312.1

Issue History

Date Modified Username Field Change
2011-06-28 09:51 Uli60 New Issue
2011-06-28 09:52 Uli60 Relationship added related to 0000918
2011-06-28 12:08 Ted Note Added: 0002065
2011-06-28 14:07 Uli60 Additional Information Updated
2011-06-28 14:26 Uli60 Additional Information Updated
2011-06-28 14:33 Uli60 Additional Information Updated
2011-06-29 21:03 Ted Note Added: 0002072
2011-06-29 21:18 Ted Assigned To => Ted
2011-06-29 21:18 Ted Status new => needs work
2011-06-29 22:06 Ted Note Added: 0002073
2011-07-10 21:46 Ted Note Added: 0002108
2011-07-10 21:46 Ted Assigned To Ted =>
2011-07-10 21:46 Ted Status needs work => needs review & testing
2011-07-12 06:44 Ted Note Edited: 0002108
2011-07-19 23:19 NEOatNHNG Reviewed by => Ted
2011-07-20 23:50 NEOatNHNG Source_changeset_attached => cacert-devel master 50620e55
2011-07-20 23:50 NEOatNHNG Source_changeset_attached => cacert-devel master 900d6e06
2011-07-20 23:50 NEOatNHNG Source_changeset_attached => cacert-devel master f0db9d78
2011-07-21 00:17 NEOatNHNG Note Added: 0002168
2011-07-21 00:17 NEOatNHNG Assigned To => NEOatNHNG
2011-07-21 00:17 NEOatNHNG Status needs review & testing => needs review
2011-07-21 00:17 NEOatNHNG Reviewed by Ted => NEOatNHNG
2011-07-26 22:27 Ted Assigned To NEOatNHNG => Ted
2011-07-26 22:27 Ted Status needs review => needs work
2011-07-26 22:28 Ted Status needs work => needs review & testing
2011-07-26 22:28 Ted Status needs review & testing => needs review
2011-07-27 21:14 Ted Reviewed by NEOatNHNG => Ted, NEOatNHNG
2011-07-27 21:14 Ted Note Added: 0002215
2011-07-27 21:14 Ted Status needs review => ready to deploy
2011-07-27 21:15 Ted Source_changeset_attached => cacert-devel release adf56e3d
2011-07-28 08:03 wytze Note Added: 0002216
2011-07-28 08:03 wytze Status ready to deploy => closed
2011-07-28 08:03 wytze Resolution open => fixed
2013-01-15 17:31 Werner Dworak Fixed in Version => 2011 Q3
2014-03-07 12:35 INOPIAE Relationship added related to 0001255