]> WPIA git - nre.git/blob - verify.sh
projects / nre.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
upd: generate drop-in-able configs for gigi
[nre.git] / verify.sh
1 #!/bin/bash
2 set -e
3 [ "$1" == "" ] && echo "Usage: $0 <year>" && exit 1
4 year=$1
5
6 . structure
7 cd generated
8
9 verify(){ # crt, [untrusted], additional
10     untrusted="$2"
11     [[ "$untrusted" != "" ]] && untrusted="-untrusted $untrusted"
12     openssl verify $3 -CAfile root.ca/key.crt $untrusted "$1" || error "$1 did not verify"
13     echo openssl verify $3 -CAfile root.ca/key.crt $untrusted "$1" || error "$1 did not verify"
14 }
15
16 error() { # message
17     echo $1
18     exit -1
19 }
20
21 verifyExtlist() { # ext
22         EXTLIST=`echo "$1" | grep "X509v3\|Authority Information" | sed "s/^[ \t]*//"`
23         VAR="X509v3 extensions:
24 X509v3 Basic Constraints: $2
25 X509v3 Key Usage: 
26 ${3}X509v3 Subject Key Identifier: 
27 X509v3 Authority Key Identifier: 
28 X509v3 CRL Distribution Points: 
29 Authority Information Access: "
30
31         diff <(echo "$EXTLIST") <(echo "$VAR") || error "Extensions order is wrong for $ca"
32
33 }
34
35 # Verify root
36 verify root.ca/key.crt
37 verifyExtlist "$(openssl x509 -in "root.ca/key.crt" -noout -text)"
38
39 # Verify level-1 structure
40 for ca in $STRUCT_CAS; do
41     verify $ca.ca/key.crt
42     verifyExtlist "$(openssl x509 -in "$ca.ca/key.crt" -noout -text)"
43 done
44
45 # Verify level-2 (time) structure
46 for ca in ${STRUCT_CAS}; do
47     for i in $TIME_IDX; do
48         . ../CAs/$ca
49         if [ "$ca" == "env" ]; then
50             CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
51         else
52             CA_FILE=$year/ca/${ca}_${year}_${i}.crt
53         fi
54         time=${points[${i}]}
55         timestamp=$(date --date="${time:0:2}/${time:2:2}/${year} 03:00:00 UTC" +"%s")
56         verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
57         EXT=`openssl x509 -in "$CA_FILE" -noout -text`
58
59         verifyExtlist "$EXT"
60
61         echo "$EXT" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
62
63         echo "$EXT" | grep -A 2 "Basic Constraints" | grep "CA:TRUE" > /dev/null || error "Basic Constraints field is wrong for $ca"
64         echo "$EXT" | grep -A 2 "Key Usage" | grep "^ *Certificate Sign, CRL Sign$" > /dev/null || error "KeyUsage field is wrong for $ca"
65
66         echo "$EXT" | grep -A 4 "CRL Distribution" | grep "g2.crl.${DOMAIN}/g2/$ca.crl" > /dev/null || error "CRL field is wrong for $ca"
67         echo "$EXT" | grep "CA Issuers" | grep "/$ca.crt" | grep "g2.crt.${DOMAIN}/g2/" > /dev/null || error "CA Issuers field is wrong for $ca"
68         echo "$EXT" | grep "OCSP" | grep "http://g2.ocsp.${DOMAIN}" > /dev/null || error "OCSP field is wrong for $ca"
69     done
70 done
71
72 # Verify infra keys
73 cat env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
74
75 for key in $SERVER_KEYS signer_client signer_server; do
76     verify ${year}/keys/$key.crt envChain.crt
77     verifyExtlist "$(openssl x509 -in "${year}/keys/$key.crt" -noout -text)" critical "X509v3 Extended Key Usage: 
78 "
79 done
80
81 rm envChain.crt
82
WPIA Root Certificate Generation Procedure