View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000954 | Main CAcert Website | certificate issuing | public | 2011-06-28 09:51 | 2014-03-07 12:35 |
Reporter | Uli60 | Assigned To | Ted | ||
Priority | urgent | Severity | major | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2011 Q3 | ||||
Summary | 0000954: script to bulk revoke weak keys | ||||
Description | based on https://wiki.cacert.org/Arbitrations/a20110312.1 and https://bugs.cacert.org/view.php?id=918 a script for bulk revocation of weak keys needs to developed | ||||
Tags | No tags attached. | ||||
Reviewed by | Ted, NEOatNHNG | ||||
Test Instructions | |||||

Additional Information:

/pages/account/5.php lists current/valid certs, form submit revoke ->

```php
$query = "select UNIX_TIMESTAMP(`emailcerts`.`created`) as `created`,
    UNIX_TIMESTAMP(`emailcerts`.`expire`) - UNIX_TIMESTAMP() as `timeleft`,
    UNIX_TIMESTAMP(`emailcerts`.`expire`) as `expired`,
    `emailcerts`.`expire` as `expires`,
    `emailcerts`.`revoked` as `revoke`,
    UNIX_TIMESTAMP(`emailcerts`.`revoked`) as `revoked`,
    `emailcerts`.`id`, `emailcerts`.`CN`,
    emailcerts.disablelogin as `disablelogin`
    from `emailcerts`
    where `emailcerts`.`memid`='".$_SESSION['profile']['id']."'";
```

```php
<? if($verified != _("Pending") && $verified != _("Revoked")) { ?>
<td class="DataTD"><input type="checkbox" name="revokeid[]" value="<?=$row['id']?>"></td>
<input type="submit" name="revoke" value="<?=_("Revoke/Delete")?>"></td>
<input type="hidden" name="oldid" value="<?=$id?>">
<input type="hidden" name="csrf" value="<?=make_csrf('clicerchange')?>" />
```

to script account.php: /www/account.php include /includes/account.php, require_once /includes/loggedin.php

server key revoke: see /includes/account.php l. 908 ff.
email cert revoke: see /includes/account.php l. 1048 ff. (pending request)
orgemail certs revoke: see /includes/account.php l. 1640 ff.
|
Affected certificates have to be selected as in scripts/DumpWeakCerts.pl (bug#918), since we did not store a list of weak certs... |
|
Revocation in website code is done in includes\account.php:

```php
// Email certs ($oldid=5):
mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");
// Server certs ($oldid=12):
mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");
// Org Server ($oldid=22):
mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");
// Org Client ($oldid=18):
mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");
```
|
Created branch bug-954 in git. Roadmap:
- Extend DumpWeakKeys.pl to also dump record IDs (done)
- Create a little script mass-revocate.php which takes certificate type and record ID from stdin and does the database updates
- pipe DumpWeakKeys.pl into mass-revocate.php, strip unneeded columns using sed
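An added example, written for this page and not taken from the bug-954 branch (mass-revoke.php itself is not quoted here): a Python stand-in for the stdin-driven script sketched in the roadmap above, applying the four per-type `revoked` updates from the earlier note against an in-memory SQLite copy of the tables. The `oldid<TAB>record id` input format, the use of NULL for "not revoked", the table columns and the sample rows are assumptions. The record id is bound as a parameter rather than spliced into the SQL string as `$id` is in the website code, and rows that are already revoked or do not exist are counted rather than touched, so re-running the script on the same input is harmless.

```python
"""Bulk revocation driver: reads "<oldid>\t<record id>" lines and marks each
matching certificate revoked the way the website code does.

oldid is the form id the website uses for each certificate type
(5, 12, 22, 18); the mapping comes from the four UPDATE statements in
includes/account.php quoted in this issue.
"""
import sqlite3
import sys
from typing import Dict, Iterable, List, Tuple

# $oldid -> table, from the website's revocation code.
TABLE_FOR_OLDID: Dict[int, str] = {
    5: "emailcerts",
    12: "domaincerts",
    22: "orgdomaincerts",
    18: "orgemailcerts",
}

# Value the website writes into `revoked`. The stand-in schema below uses NULL
# for "not revoked" (assumption: the real MySQL schema is not shown on this page).
REVOKED_SENTINEL = "1970-01-01 10:00:01"


def parse_line(line: str) -> Tuple[str, int]:
    """Turn one input line into (table, record id); raise ValueError on bad input."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 2:
        raise ValueError("expected 2 tab-separated fields, got %d" % len(fields))
    oldid, rec_id = int(fields[0]), int(fields[1])
    table = TABLE_FOR_OLDID.get(oldid)
    if table is None:
        raise ValueError("unknown certificate type oldid=%d" % oldid)
    return table, rec_id


def revoke(conn: sqlite3.Connection, table: str, rec_id: int) -> int:
    """Mark one certificate revoked; return the number of rows changed (0 or 1)."""
    # The table name only ever comes from the fixed allowlist above, so it can be
    # spliced into the statement; the record id is bound as a parameter instead of
    # being interpolated into the SQL string the way $id is in the website code.
    cur = conn.execute(
        "UPDATE `%s` SET `revoked` = ? WHERE `id` = ? AND `revoked` IS NULL" % table,
        (REVOKED_SENTINEL, rec_id),
    )
    return cur.rowcount


def is_revoked(conn: sqlite3.Connection, table: str, rec_id: int) -> bool:
    """True if the row exists and carries a revocation timestamp."""
    row = conn.execute("SELECT `revoked` FROM `%s` WHERE `id` = ?" % table, (rec_id,)).fetchone()
    return row is not None and row[0] is not None


def mass_revoke(conn: sqlite3.Connection, lines: Iterable[str]) -> dict:
    """Process every input line; already-revoked or missing rows count as skipped."""
    summary = {"revoked": 0, "skipped": 0, "bad": []}
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            table, rec_id = parse_line(line)
        except ValueError as err:
            summary["bad"].append((lineno, str(err)))
            continue
        if revoke(conn, table, rec_id):
            summary["revoked"] += 1
        else:
            summary["skipped"] += 1
    conn.commit()
    return summary


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the four certificate tables with constructed rows."""
    conn = sqlite3.connect(":memory:")
    for table in TABLE_FOR_OLDID.values():
        conn.execute("CREATE TABLE `%s` (`id` INTEGER PRIMARY KEY, `CN` TEXT, `revoked` TEXT)" % table)
    conn.executemany("INSERT INTO `emailcerts` VALUES (?, ?, ?)", [
        (101, "alice@example.org", None),            # valid cert with a weak key
        (102, "bob@example.org", REVOKED_SENTINEL),  # already revoked through the website
    ])
    conn.execute("INSERT INTO `domaincerts` VALUES (?, ?, ?)", (7, "www.example.org", None))
    conn.commit()
    return conn


# Constructed stand-in for what the DumpWeakCerts.pl pipeline would emit.
SAMPLE_INPUT: List[str] = [
    "5\t101\n",    # email cert: revoked
    "5\t102\n",    # already revoked: skipped
    "12\t7\n",     # server cert: revoked
    "12\t999\n",   # no such record: skipped
    "99\t1\n",     # unknown type: reported, nothing touched
    "garbage\n",   # malformed line: reported
]


if __name__ == "__main__":
    # "python3 mass_revoke_demo.py -" reads stdin; otherwise run on the sample.
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_INPUT
    result = mass_revoke(demo_db(), source)
    print("revoked=%d skipped=%d" % (result["revoked"], result["skipped"]))
    for lineno, err in result["bad"]:
        print("line %d: %s" % (lineno, err), file=sys.stderr)
```

Malformed and unknown-type lines are reported with their line number and never reach the database, which is the property you want when the input is a sed-filtered dump rather than a hand-checked list.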
|
Checked in mass-revoke.php to GIT branch bug-954 Make the scripts executable (chmod 755 ...) and call with "./DumpWeakCerts.pl | ./mass-revoke.php", maybe modify DumpWeakCerts.pl to report some specific certificates of your test account. |
|
Reviewed, looks good in general. Had to do some formatting to better be able to read it, this is a whitespace adjustment commit only (diff looks huge but actual change should be almost non-existent) and also got rid of the extra parameter of fgets() in a separate commit as without it just as many characters as needed will be read and the given value looks quite arbitrary. Please re-review (I suggest you do that commit by commit). I guess testing is not really possible without shell access. |
|
Sent patch request to critical admins, merged into release branch |
|
Fix applied to production system on July 28, 2011, as documented here: https://lists.cacert.org/wws/arc/cacert-systemlog/2011-07/msg00010.html Execution of the mass_revoke script will be documented through Arbitration Case https://wiki.cacert.org/Arbitrations/a20110312.1 |
Date Modified | Username | Field | Change |
---|---|---|---|
2011-06-28 09:51 | Uli60 | New Issue | |
2011-06-28 09:52 | Uli60 | Relationship added | related to 0000918 |
2011-06-28 12:08 | Ted | Note Added: 0002065 | |
2011-06-28 14:07 | Uli60 | Additional Information Updated | |
2011-06-28 14:26 | Uli60 | Additional Information Updated | |
2011-06-28 14:33 | Uli60 | Additional Information Updated | |
2011-06-29 21:03 | Ted | Note Added: 0002072 | |
2011-06-29 21:18 | Ted | Assigned To | => Ted |
2011-06-29 21:18 | Ted | Status | new => needs work |
2011-06-29 22:06 | Ted | Note Added: 0002073 | |
2011-07-10 21:46 | Ted | Note Added: 0002108 | |
2011-07-10 21:46 | Ted | Assigned To | Ted => |
2011-07-10 21:46 | Ted | Status | needs work => needs review & testing |
2011-07-12 06:44 | Ted | Note Edited: 0002108 | |
2011-07-19 23:19 | NEOatNHNG | Reviewed by | => Ted |
2011-07-20 23:50 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 50620e55 |
2011-07-20 23:50 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 900d6e06 |
2011-07-20 23:50 | NEOatNHNG | Source_changeset_attached | => cacert-devel master f0db9d78 |
2011-07-21 00:17 | NEOatNHNG | Note Added: 0002168 | |
2011-07-21 00:17 | NEOatNHNG | Assigned To | => NEOatNHNG |
2011-07-21 00:17 | NEOatNHNG | Status | needs review & testing => needs review |
2011-07-21 00:17 | NEOatNHNG | Reviewed by | Ted => NEOatNHNG |
2011-07-26 22:27 | Ted | Assigned To | NEOatNHNG => Ted |
2011-07-26 22:27 | Ted | Status | needs review => needs work |
2011-07-26 22:28 | Ted | Status | needs work => needs review & testing |
2011-07-26 22:28 | Ted | Status | needs review & testing => needs review |
2011-07-27 21:14 | Ted | Reviewed by | NEOatNHNG => Ted, NEOatNHNG |
2011-07-27 21:14 | Ted | Note Added: 0002215 | |
2011-07-27 21:14 | Ted | Status | needs review => ready to deploy |
2011-07-27 21:15 | Ted | Source_changeset_attached | => cacert-devel release adf56e3d |
2011-07-28 08:03 | wytze | Note Added: 0002216 | |
2011-07-28 08:03 | wytze | Status | ready to deploy => closed |
2011-07-28 08:03 | wytze | Resolution | open => fixed |
2013-01-15 17:31 | Werner Dworak | Fixed in Version | => 2011 Q3 |
2014-03-07 12:35 | INOPIAE | Relationship added | related to 0001255 |