for arg in "$@"; do
if [[ "$arg" == "root" ]]; then
- echo "========== Generating Root ======="
- ./clear
- ./generateKeys
+ echo "========== Generating Root ======="
+ ./clear
+ ./generateKeys
else
- echo "========== Generating Year $arg ======="
- ./generateTime "$arg"
- echo "========== Generating Infra for Year $arg ======="
- ./generateInfra "$arg"
- echo "========== Generating CRLs for Year $arg ======="
- ./generateCRLs "$arg"
-
-
- echo "========== Verifying Year $arg ======="
- ./verify "$arg"
-
-
- echo "========== Collection things ======="
- ./collectCRLs "$arg"
- ./collectGigiConfig "$arg"
- ./collectOffline "$arg"
- ./collectSignerConfig "$arg"
-
- ./summary "$arg"
+ echo "========== Generating Year $arg ======="
+ ./generateTime "$arg"
+ echo "========== Generating Infra for Year $arg ======="
+ ./generateInfra "$arg"
+ echo "========== Generating CRLs for Year $arg ======="
+ ./generateCRLs "$arg"
+
+
+ echo "========== Verifying Year $arg ======="
+ ./verify "$arg"
+
+
+ echo "========== Collection things ======="
+ ./collectCRLs "$arg"
+ ./collectGigiConfig "$arg"
+ ./collectOffline "$arg"
+ ./collectSignerConfig "$arg"
+
+ ./summary "$arg"
fi
done
mkdir -p $BASE
cp root.ca/${year}_${month}.crl $BASE/root.crl
for ca in $STRUCT_CAS; do
- cp $ca.ca/${year}_${month}.crl $BASE/$ca.crl
+ cp $ca.ca/${year}_${month}.crl $BASE/$ca.crl
done
done
cp ${ca}.ca/key.crt gigi-config/config/ca/${ca}.crt
[ "$ca" == "env" ] && continue
for i in $TIME_IDX; do
- cp ${year}/ca/${ca}_${year}_${i}.crt gigi-config/config/ca/${ca}_${year}_${i}.crt
+ cp ${year}/ca/${ca}_${year}_${i}.crt gigi-config/config/ca/${ca}_${year}_${i}.crt
done
done
mkdir -p signer-config/keys
cat ${year}/ca/env_${year}_1.ca/key.crt env.ca/key.crt root.ca/key.crt > signer-config/keys/ca.crt
for file in signer_${peer}.{crt,key}; do
- cp ${year}/keys/$file signer-config/keys/$file
+ cp ${year}/keys/$file signer-config/keys/$file
done
}
for ca in $STRUCT_CAS; do
[ "$ca" == "env" ] && continue
for i in $TIME_IDX; do
- mkdir -p signer-config/ca/${ca}_${year}_${i}
- cp ${year}/ca/${ca}_${year}_${i}.crt signer-config/ca/${ca}_${year}_${i}/ca.crt
+ mkdir -p signer-config/ca/${ca}_${year}_${i}
+ cp ${year}/ca/${ca}_${year}_${i}.crt signer-config/ca/${ca}_${year}_${i}/ca.crt
done
done
for ca in $STRUCT_CAS; do
[ "$ca" == "env" ] && continue
for i in $TIME_IDX; do
- cp ${year}/ca/${ca}_${year}_${i}.key signer-config/ca/${ca}_${year}_${i}/ca.key
+ cp ${year}/ca/${ca}_${year}_${i}.key signer-config/ca/${ca}_${year}_${i}/ca.key
done
done
echo "$start $end"
pushd $2.ca > /dev/null
if [[ "$2" == "root" && "$1" == root.* ]]; then
- signkey="-selfsign"
+ signkey="-selfsign"
else
- signkey="-cert key.crt"
+ signkey="-cert key.crt"
fi
openssl ca $signkey -keyfile key.key -in "$BASE/$1.csr" -out "$BASE/$1.crt" -batch -config "$BASE/../selfsign.config" -extfile "$BASE/$3" $start $end
popd > /dev/null
[[ "$2" == "" ]] && start=$(echo {01..12})
[[ "$2" == "07" ]] && start=$(echo {07..12})
for month in $start; do
- generateCRL "$1" "$year" "$month"
+ generateCRL "$1" "$year" "$month"
done
}
[[ "$2" == "1" ]] && start=$(echo {01..12})
[[ "$2" == "2" ]] && start=$(echo {07..12})
for month in $start; do
- generateCRL "$1" "$year" "$month"
+ generateCRL "$1" "$year" "$month"
done
[[ "$2" == "1" ]] && start=$(echo {01..12})
[[ "$2" == "2" ]] && start=$(echo {01..12})
for month in $start; do
- generateCRL "$1" "$((year+1))" "$month"
+ generateCRL "$1" "$((year+1))" "$month"
done
[[ "$2" == "1" ]] && return
[[ "$2" == "2" ]] && start=$(echo {01..06})
for month in $start; do
- generateCRL "$1" "$((year+2))" "$month"
+ generateCRL "$1" "$((year+2))" "$month"
done
}
generateCRLs root
for ca in $STRUCT_CAS; do
[[ "$ca" == "env" ]] && continue
for i in $TIME_IDX; do
- cp $year/ca/${ca}_${year}_${i}.crt htdocs/crt/g2/$year/${ca}-${i}.crt
+ cp $year/ca/${ca}_${year}_${i}.crt htdocs/crt/g2/$year/${ca}-${i}.crt
done
done
rootSign(){ # csr
POLICY=ca.cnf
if [[ "$1" != "root" ]] ; then
- KNAME=$1
- POLICY=subca.cnf
- . ../CAs/${KNAME}
- cat <<TESTCA > subca.cnf
+ KNAME=$1
+ POLICY=subca.cnf
+ . ../CAs/${KNAME}
+ cat <<TESTCA > subca.cnf
basicConstraints =critical, CA:true
keyUsage =critical, keyCertSign, cRLSign
point=${year}${points[${i}]}
nextp=${points[$((${i} + 1))]}
if [[ "$nextp" == "" ]]; then
- epoint=$((${year} + 3 ))${epoints[${i}]}
+ epoint=$((${year} + 3 ))${epoints[${i}]}
else
- epoint=$((${year} + 2 ))${epoints[${i}]}
+ epoint=$((${year} + 2 ))${epoints[${i}]}
fi
. ../CAs/env
genTimeCA $year/ca/env_${year}_${i}.ca/key env "$point" "$epoint"
for ca in $STRUCT_CAS; do
- [ "$ca" == "env" ] && continue
- . ../CAs/$ca
- genKey "/CN=$name ${year}-${i}" $year/ca/${ca}_${year}_${i}
- genTimeCA $year/ca/${ca}_${year}_${i} $ca "$point" "$epoint"
+ [ "$ca" == "env" ] && continue
+ . ../CAs/$ca
+ genKey "/CN=$name ${year}-${i}" $year/ca/${ca}_${year}_${i}
+ genTimeCA $year/ca/${ca}_${year}_${i} $ca "$point" "$epoint"
done
done
}
verifyExtlist() { # ext
- EXTLIST=`echo "$1" | grep "X509v3\|Authority Information" | sed "s/^[ \t]*//"`
- BASIC=$2
- if [[ $BASIC == "" ]]; then
- BASIC="critical"
- else
- BASIC="critical, $BASIC"
- fi
- VAR="X509v3 extensions:
+ EXTLIST=`echo "$1" | grep "X509v3\|Authority Information" | sed "s/^[ \t]*//"`
+ BASIC=$2
+ if [[ $BASIC == "" ]]; then
+ BASIC="critical"
+ else
+ BASIC="critical, $BASIC"
+ fi
+ VAR="X509v3 extensions:
X509v3 Basic Constraints: $BASIC
X509v3 Key Usage: critical
${3}X509v3 Subject Key Identifier:
X509v3 CRL Distribution Points:
Authority Information Access: "
- diff <(echo "$EXTLIST") <(echo "$VAR") || error "Extensions order is wrong for $ca"
+ diff <(echo "$EXTLIST") <(echo "$VAR") || error "Extensions order is wrong for $ca"
}
# Verify level-2 (time) structure
for ca in ${STRUCT_CAS}; do
for i in $TIME_IDX; do
- . ../CAs/$ca
- if [ "$ca" == "env" ]; then
- CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
- else
- CA_FILE=$year/ca/${ca}_${year}_${i}.crt
- fi
- time=${points[${i}]}
- timestamp=$(date --date="${time:0:2}/${time:2:2}/${year} 03:00:00 UTC" +"%s")
- verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
- EXT=`openssl x509 -in "$CA_FILE" -noout -text`
-
- verifyExtlist "$EXT"
-
- echo "$EXT" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
-
- echo "$EXT" | grep -A 2 "Basic Constraints" | grep "CA:TRUE" > /dev/null || error "Basic Constraints field is wrong for $ca"
- echo "$EXT" | grep -A 2 "Key Usage" | grep "^ *Certificate Sign, CRL Sign$" > /dev/null || error "KeyUsage field is wrong for $ca"
-
- echo "$EXT" | grep -A 4 "CRL Distribution" | grep "g2.crl.${DOMAIN}/g2/$ca.crl" > /dev/null || error "CRL field is wrong for $ca"
- echo "$EXT" | grep "CA Issuers" | grep "/$ca.crt" | grep "g2.crt.${DOMAIN}/g2/" > /dev/null || error "CA Issuers field is wrong for $ca"
- echo "$EXT" | grep "OCSP" | grep "http://g2.ocsp.${DOMAIN}" > /dev/null || error "OCSP field is wrong for $ca"
+ . ../CAs/$ca
+ if [ "$ca" == "env" ]; then
+ CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
+ else
+ CA_FILE=$year/ca/${ca}_${year}_${i}.crt
+ fi
+ time=${points[${i}]}
+ timestamp=$(date --date="${time:0:2}/${time:2:2}/${year} 03:00:00 UTC" +"%s")
+ verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
+ EXT=`openssl x509 -in "$CA_FILE" -noout -text`
+
+ verifyExtlist "$EXT"
+
+ echo "$EXT" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+
+ echo "$EXT" | grep -A 2 "Basic Constraints" | grep "CA:TRUE" > /dev/null || error "Basic Constraints field is wrong for $ca"
+ echo "$EXT" | grep -A 2 "Key Usage" | grep "^ *Certificate Sign, CRL Sign$" > /dev/null || error "KeyUsage field is wrong for $ca"
+
+ echo "$EXT" | grep -A 4 "CRL Distribution" | grep "g2.crl.${DOMAIN}/g2/$ca.crl" > /dev/null || error "CRL field is wrong for $ca"
+ echo "$EXT" | grep "CA Issuers" | grep "/$ca.crt" | grep "g2.crt.${DOMAIN}/g2/" > /dev/null || error "CA Issuers field is wrong for $ca"
+ echo "$EXT" | grep "OCSP" | grep "http://g2.ocsp.${DOMAIN}" > /dev/null || error "OCSP field is wrong for $ca"
done
done