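#!/bin/bash
# verify.sh <year>
#
# Checks the on-disk certificate hierarchy for one year: the root in
# root.ca/key.crt, the level-1 CAs listed in STRUCT_CAS, the per-year
# level-2 CAs for every TIME_IDX slot, and the server keys in SERVER_KEYS.
# Stops at the first certificate or field that does not verify (non-zero exit).
set -e

if [[ -z "$1" ]]; then
    echo "Usage: $0 <year>" >&2
    exit 1
fi
# $1 is interpolated into file paths and into a `date --date` string below;
# reject anything that is not purely numeric before it reaches either.
if [[ ! "$1" =~ ^[0-9]+$ ]]; then
    echo "Usage: $0 <year>  (year must be numeric, got '$1')" >&2
    exit 1
fi
year=$1

# Layout shared with the other scripts: expected to define STRUCT_CAS,
# TIME_IDX and SERVER_KEYS (and presumably points[]); sourced from the cwd.
. structure
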
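# verify CERT [UNTRUSTED] [EXTRA]
#   Run `openssl verify` on CERT with root.ca/key.crt as the only trust anchor.
#   UNTRUSTED, if non-empty, is a file of intermediate certs passed with
#   -untrusted: chain-building material only, never treated as a root.
#   EXTRA is a whitespace-separated string of further openssl options (callers
#   pass e.g. "-attime <epoch>"); it is word-split on purpose.
#   Aborts the whole script through error() when verification fails.
verify(){ # crt, [untrusted], additional
    local cert=$1
    local untrusted=$2
    local -a opts
    # shellcheck disable=SC2206 -- splitting $3 into words is the interface
    opts=($3)
    if [[ -n "$untrusted" ]]; then
        opts+=(-untrusted "$untrusted")
    fi
    # NOTE(review): no -purpose / -x509_strict is given, so openssl applies its
    # default, lenient checks; tighten here if the profiles require it.
    openssl verify "${opts[@]}" -CAfile root.ca/key.crt "$cert" || error "$cert did not verify"
}
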
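# error MESSAGE...
#   Print MESSAGE to stderr (not stdout, so it is not mixed with any
#   captured output) and abort the whole script. The exit status stays 255,
#   which is what the previous `exit -1` produced in bash.
error() { # message
    printf '%s\n' "$*" >&2
    exit 255
}
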
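# ---- Root -----------------------------------------------------------------
# The root is checked against itself (self-signed, within validity, ...).
verify root.ca/key.crt

# ---- Level 1: one long-lived CA per entry of STRUCT_CAS --------------------
# $STRUCT_CAS is a whitespace-separated list; the unquoted expansion is intended.
for ca in $STRUCT_CAS; do
    verify "$ca.ca/key.crt"
done

# ---- Level 2: per-year sub-CAs, one per TIME_IDX slot -----------------------
for ca in $STRUCT_CAS; do
    for i in $TIME_IDX; do
        # Per-CA settings (at least $name, the expected CN). Kept inside the
        # inner loop as before; hoist to the outer loop only once CAs/$ca is
        # confirmed not to depend on $i.
        . "CAs/$ca"
        if [[ "$ca" == "env" ]]; then
            CA_FILE="$year/ca/${ca}_${year}_${i}.ca/key.crt"
        else
            CA_FILE="$year/ca/${ca}_${year}_${i}.crt"
        fi
        # points[i] is presumably MMDD (first two chars feed date's month
        # field, next two the day). Validity is checked at 03:00 UTC on that
        # day rather than "now", so past and future slots verify consistently.
        slot=${points[${i}]}
        timestamp=$(date --date="${slot:0:2}/${slot:2:2}/${year} 03:00:00 UTC" +"%s")
        verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
        # Profile checks: the AIA "CA Issuers" URI must end in the issuing
        # level-1 CA's file name, and the subject CN must be the configured
        # name. -F keeps "." in "$ca.crt" and any metacharacters in $name
        # literal. Both are substring matches: "CN=foo" also accepts
        # "CN=foobar" -- tighten if exact-CN matching is required.
        openssl x509 -in "$CA_FILE" -noout -text | grep "CA Issuers" | grep -qF -- "/$ca.crt" \
            || error "CA Issuers field is wrong for $ca"
        openssl x509 -in "$CA_FILE" -noout -text | grep "Subject: " | grep -qF -- "CN=$name" \
            || error "Subject field did not verify"
    done
done

# ---- Infrastructure (server) keys ------------------------------------------
# Server certs are expected to chain env_<year>_1 -> env -> root. Both
# intermediates go to openssl as untrusted chain material through a temp
# file that is removed on every exit path (previously envChain.crt was left
# behind in the cwd whenever a check failed).
# NOTE(review): only the _1 slot is used here; a server key issued under
# another TIME_IDX slot would fail this check -- confirm that is intended.
env_chain=$(mktemp) || error "could not create temporary chain file"
trap 'rm -f -- "$env_chain"' EXIT
cat env.ca/key.crt "$year/ca/env_${year}_1.ca/key.crt" > "$env_chain"

for key in $SERVER_KEYS; do
    verify "$year/keys/$key.crt" "$env_chain"
done
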