X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=verify;h=6e977098aedba5f77fc882685204a9767193f099;hb=116b2fa14bd3601413690ce713282f41d8b78aeb;hp=4239718e137513b15fb03367ac087bb0ad2f2bcc;hpb=ae9adf2685bacafbb15ad365b9837cd5ef56bb22;p=nre.git
diff --git a/verify b/verify
index 4239718..6e97709 100755
--- a/verify
+++ b/verify
@@ -19,70 +19,53 @@ error() { # message
 }
 verifyExtlist() { # ext
- EXTLIST=`echo "$1" | grep "X509v3\|Authority Information" | sed "s/^[ \t]*//"`
- BASIC=$2
- if [[ $BASIC == "" ]]; then
- BASIC="critical"
- else
- BASIC="critical, $BASIC"
- fi
- VAR="X509v3 extensions:
-X509v3 Basic Constraints: $BASIC
+ EXTLIST=`echo "$1" | grep "X509v3\|Authority Information" | sed "s/^[ \t]*//"`
+ ADD="
+X509v3 Certificate Policies: "
+ if [[ $2 == "root" ]]; then
+ ADD=""
+ fi
+ VAR="X509v3 extensions:
+X509v3 Basic Constraints: critical
 X509v3 Key Usage: critical
-${3}X509v3 Subject Key Identifier:
+X509v3 Subject Key Identifier:
 X509v3 Authority Key Identifier:
 X509v3 CRL Distribution Points:
-Authority Information Access: "
+Authority Information Access: $ADD"
- diff <(echo "$EXTLIST") <(echo "$VAR") || error "Extensions order is wrong for $ca"
+ diff <(echo "$EXTLIST") <(echo "$VAR") || error "Extensions order is wrong for $2"
 }
 # Verify root
 verify root.ca/key.crt
-verifyExtlist "$(openssl x509 -in "root.ca/key.crt" -noout -text)"
+verifyExtlist "$(openssl x509 -in "root.ca/key.crt" -noout -text)" root
 # Verify level-1 structure
-for ca in $STRUCT_CAS; do
+for ca in "${STRUCT_CAS[@]}"; do
 verify $ca.ca/key.crt
- verifyExtlist "$(openssl x509 -in "$ca.ca/key.crt" -noout -text)"
+ verifyExtlist "$(openssl x509 -in "$ca.ca/key.crt" -noout -text)" "$ca"
 done
 # Verify level-2 (time) structure
-for ca in ${STRUCT_CAS}; do
- for i in $TIME_IDX; do
- . ../CAs/$ca
- if [ "$ca" == "env" ]; then
- CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
- else
- CA_FILE=$year/ca/${ca}_${year}_${i}.crt
- fi
- time=${points[${i}]}
- timestamp=$(date --date="${time:0:2}/${time:2:2}/${year} 03:00:00 UTC" +"%s")
- verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
- EXT=`openssl x509 -in "$CA_FILE" -noout -text`
+for ca in "${STRUCT_CAS[@]}"; do
+ for i in "${TIME_IDX[@]}"; do
+ . ../CAs/$ca
+ CA_FILE=$year/ca/${ca}_${year}_${i}.crt
+ time=${points[${i}]}
+ timestamp=$(date --date="${time:0:2}/${time:2:2}/${year} 03:00:00 UTC" +"%s")
+ verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
+ EXT=`openssl x509 -in "$CA_FILE" -noout -text`
- verifyExtlist "$EXT"
+ verifyExtlist "$EXT" "$ca-$i"
- echo "$EXT" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+ echo "$EXT" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
- echo "$EXT" | grep -A 2 "Basic Constraints" | grep "CA:TRUE" > /dev/null || error "Basic Constraints field is wrong for $ca"
- echo "$EXT" | grep -A 2 "Key Usage" | grep "^ *Certificate Sign, CRL Sign$" > /dev/null || error "KeyUsage field is wrong for $ca"
+ echo "$EXT" | grep -A 2 "Basic Constraints" | grep "CA:TRUE" > /dev/null || error "Basic Constraints field is wrong for $ca"
+ echo "$EXT" | grep -A 2 "Key Usage" | grep "^ *Certificate Sign, CRL Sign$" > /dev/null || error "KeyUsage field is wrong for $ca"
- echo "$EXT" | grep -A 4 "CRL Distribution" | grep "g2.crl.${DOMAIN}/g2/$ca.crl" > /dev/null || error "CRL field is wrong for $ca"
- echo "$EXT" | grep "CA Issuers" | grep "/$ca.crt" | grep "g2.crt.${DOMAIN}/g2/" > /dev/null || error "CA Issuers field is wrong for $ca"
- echo "$EXT" | grep "OCSP" | grep "http://g2.ocsp.${DOMAIN}" > /dev/null || error "OCSP field is wrong for $ca"
+ echo "$EXT" | grep -A 4 "CRL Distribution" | grep "g2.crl.${DOMAIN}/g2/$ca.crl" > /dev/null || error "CRL field is wrong for $ca"
+ echo "$EXT" | grep "CA Issuers" | grep "/$ca.crt" | grep "g2.crt.${DOMAIN}/g2/" > /dev/null || error "CA Issuers field is wrong for $ca"
+ echo "$EXT" | grep "OCSP" | grep "http://g2.ocsp.${DOMAIN}" > /dev/null || error "OCSP field is wrong for $ca"
 done
 done
-
-# Verify infra keys
-cat env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
-
-for key in $SERVER_KEYS signer_client signer_server; do
- verify ${year}/keys/$key.crt envChain.crt
- verifyExtlist "$(openssl x509 -in "${year}/keys/$key.crt" -noout -text)" critical "X509v3 Extended Key Usage:
-"
-done
-
-rm envChain.crt
-
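Review bot: The Subject check on the new side, `echo "$EXT" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"`, is an unanchored match in which `$name` is also interpreted as a basic regular expression, so a certificate whose CN merely begins with the expected name, or differs only at a `.`, still passes the verification. Anchoring the end of the field, e.g. `grep -E -- "CN=${name}(,|$)"` with any regex metacharacters in `$name` escaped beforehand, makes the comparison exact; the same unescaped-dot pattern is present in the CRL, CA Issuers and OCSP greps below it. The expected `CN=` spelling without surrounding spaces also depends on the OpenSSL name display format, so passing `-nameopt compat` to the `openssl x509 -noout -text` calls in this hunk would keep the Subject grep stable across OpenSSL versions. `verify`, `STRUCT_CAS`, `TIME_IDX` and the variables sourced from `../CAs/$ca` are defined outside the hunk.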