Minor improvement to openssl-blacklist
The diff below lets one not just check the private keys - but also
check the public part thereof. This is useful - as the latter can
also be obtained with:
openssl s_client -connect fqdn:443 -showcerts
or be run over a store, say the 'issued' store of a Certificate
Authority.
Dw
*** openssl-vulnkey 2008-05-14 12:41:00.000000000 -0400
- --- openssl-vulnkey.fix 2008-05-16 06:39:20.000000000 -0400
***************
*** 57,62 ****
- --- 57,65 ----
'''Find bit length of file'''
rc, report = cmd(['openssl', 'rsa', '-text', '-in', file])
if rc != 0:
+ rc, report = cmd(['openssl', 'x509', '-text', '-in', file])
+
+ if rc != 0:
try:
print >> sys.stderr, "ERROR:\n%s" % (report)
except IOError:
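Review bot: the fallback to "openssl x509" on the added line after the first "if rc != 0:" overwrites both rc and report, so when the file is neither a key nor a certificate the ERROR message shows only the x509 failure and the original "openssl rsa" error is lost. Keep the first report (for example in a separate variable) and print both, or pick the subcommand up front by looking at the file's PEM header rather than using a failed rsa parse as the signal. The docstring still says only "Find bit length of file"; it should mention that certificates are now accepted.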
***************
*** 68,73 ****
- --- 71,80 ----
return "1024"
elif "Private-Key: (2048" in report:
return "2048"
+ if "Modulus (1024" in report:
+ return "1024"
+ elif "Modulus (2048" in report:
+ return "2048"
return ""
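Review bot: the added "if "Modulus (1024" in report:" starts a second if/elif chain right after the "Private-Key" one; continuing the existing chain with elif would read more clearly, since every branch returns. As with the private-key branches, any other modulus size falls through to return "" with no message, so a certificate with a different key length is indistinguishable from an unparsable file to the caller. Extracting the number from the matched line once, instead of adding a pair of literal strings per input type, would cover both cases and make that fall-through explicit.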
***************
*** 75,80 ****
- --- 82,90 ----
'''Find modulus of file'''
rc, report = cmd(['openssl', 'rsa', '-noout', '-modulus', '-
in', file])
if rc != 0:
+ rc, report = cmd(['openssl', 'x509', '-noout', '-modulus', '-
in', file])
+
+ if rc != 0:
try:
print >> sys.stderr, "ERROR: %d:\n%s" % (rc, report)
except IOError:
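Review bot: both cmd([...]) lines in this hunk are wrapped by the mail client in the middle of the '-in' argument ("'-" at the end of one line, "in', file])" on the next), so the patch will not apply as posted; resend it as an attachment or with line wrapping disabled. On the change itself, this is the same rsa-then-x509 fallback as in the bit-length function, with the same effect that "ERROR: %d" reports only the x509 return code and output. A small shared helper that takes the trailing arguments and tries rsa first, then x509, would remove the duplication and give one place to preserve the first error.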