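#!/bin/bash
# verify.sh - checks that the CA hierarchy for one year chains back to the
# root and that the infrastructure server keys chain through the env CA.
#
# Usage:   ./verify.sh <year>
# Needs:   openssl, and the files ./structure and ./CAs/<ca> in the cwd.
# Bash is required rather than plain sh: the checks below rely on bash
# features, so the shebang now names bash explicitly.
set -e
if [ -z "$1" ]; then
    echo "Usage: $0 <year>" >&2
    exit 1
fi
year=$1

# Sourced from the current directory; presumably defines STRUCT_CAS and
# SERVER_KEYS, which the loops below read - confirm against ./structure.
. structure
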
#######################################
# Validate one certificate against a bundle of trusted certificates and
# abort the whole run (via error()) if validation fails.
# Arguments: $1 - CAfile: PEM bundle passed to `openssl verify -CAfile`;
#                 per openssl semantics every certificate in it is a trust
#                 anchor, so an intermediate placed here is trusted directly
#            $2 - path of the certificate to check
# Outputs:   openssl's verdict ("<file>: OK") on stdout
# Returns:   0 on success; exits through error() otherwise
#######################################
verify(){ # CAfile, crt
    if ! openssl verify -CAfile "$1" "$2"; then
        error "$2 did not verify"
    fi
}

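#######################################
# Print a diagnostic and abort the run.
# Arguments: $1 - message to report
# Outputs:   the message on stderr (diagnostics do not belong on stdout,
#            where openssl's "OK" verdicts go)
# Returns:   never; exits with status 1. The previous `exit -1` is not a
#            valid status (bash maps it to 255, dash rejects it outright).
#######################################
error() { # message
    printf '%s\n' "$1" >&2
    exit 1
}
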
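# Scratch directory for the assembled chain bundles. The EXIT trap removes it
# on every exit path, including the early exit taken by error(); previously
# envChain.crt was written into the cwd and left behind on any failure.
tmpdir=$(mktemp -d) || error "mktemp failed"
trap 'rm -rf -- "$tmpdir"' EXIT

# Verify root: the root certificate must validate against itself.
verify root.ca/key.crt root.ca/key.crt

# Verify level-1 structure: each structural CA chains directly to the root.
# $STRUCT_CAS is deliberately unquoted - it is a whitespace-separated list.
for i in $STRUCT_CAS; do
    verify root.ca/key.crt "$i.ca/key.crt"
done

# Verify level-2 (time) structure: this year's CA under each structural CA.
for i in $STRUCT_CAS; do
    # Per-CA settings; presumably sets $name, read by the Subject check
    # below - confirm against the CAs/<ca> files.
    . "CAs/$i"
    if [ "$i" = "env" ]; then
        CA_FILE=$year/ca/${i}_${year}_1.ca/key.crt
    else
        CA_FILE=$year/ca/${i}_${year}_1.crt
    fi
    # Root and level-1 CA together form the CAfile, so the level-1 CA acts as
    # a trust anchor here; its own chain to the root was checked above.
    cat root.ca/key.crt "$i.ca/key.crt" > "$tmpdir/chain_$i.crt"
    verify "$tmpdir/chain_$i.crt" "$CA_FILE"
    # Decode once and check both fields from the same text.
    text=$(openssl x509 -in "$CA_FILE" -noout -text) || error "could not read $CA_FILE"
    printf '%s\n' "$text" | grep "CA Issuers" | grep "/$i.crt" > /dev/null || error "CA Issuers field is wrong for $i"
    # Substring match: "CN=$name" also matches a longer CN starting with $name.
    printf '%s\n' "$text" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
done

# Verify infra keys: every server key must chain root -> env -> env_<year>_1.
cat root.ca/key.crt env.ca/key.crt "$year/ca/env_${year}_1.ca/key.crt" > "$tmpdir/envChain.crt"

for i in $SERVER_KEYS; do
    verify "$tmpdir/envChain.crt" "${year}/keys/$i.crt"
done
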