3 [ "$1" == "" ] && echo "Usage: $0 <year>" && exit 1
8 verify(){ # crt, [untrusted], additional
10 [[ "$untrusted" != "" ]] && untrusted="-untrusted $untrusted"
11 openssl verify $3 -CAfile root.ca/key.crt $untrusted "$1" || error "$1 did not verify"
20 verify root.ca/key.crt
22 # Verify level-1 structure
23 for ca in $STRUCT_CAS; do
27 # Verify level-2 (time) structure
28 for ca in ${STRUCT_CAS}; do
29 for i in $TIME_IDX; do
31 if [ "$ca" == "env" ]; then
32 CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
34 CA_FILE=$year/ca/${ca}_${year}_${i}.crt
37 timestamp=$(date --date="${time:0:2}/${time:2:2}/${year} 03:00:00 UTC" +"%s")
38 verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
39 openssl x509 -in "$CA_FILE" -noout -text | grep "CA Issuers" | grep "/$ca.crt" > /dev/null || error "CA Issuers field is wrong for $ca"
40 openssl x509 -in "$CA_FILE" -noout -text | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
45 cat env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
47 for key in $SERVER_KEYS; do
48 verify ${year}/keys/$key.crt envChain.crt