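#!/bin/bash
# verify.sh -- sanity-check the generated CA hierarchy for one year:
# every certificate must chain to root.ca/key.crt, carry the expected
# X.509v3 extensions in the expected order, and (for the time-sliced
# sub-CAs) the expected subject, key usage and CRL/AIA locations.
#
# Usage: ./verify.sh <year>
# Needs bash, openssl and GNU date (`date --date=...`), and must be run from
# the directory that holds `structure`, `CAs/`, `*.ca/` and `<year>/`.
set -e
# The year is spliced into file paths and into a `date --date` string, so
# insist on a plain number instead of merely a non-empty argument.
[[ "$1" =~ ^[0-9]+$ ]] || { echo "Usage: $0 <year>" >&2; exit 1; }
year=$1

. structure
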
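verify(){ # crt, [untrusted], additional
    # Build and verify the chain for certificate $1 up to root.ca/key.crt.
    # $2 (optional): PEM file with the untrusted intermediates the chain
    #     may be built from (a single CA cert or a concatenated bundle).
    # $3 (optional): extra `openssl verify` options as one string, e.g.
    #     "-attime <epoch>"; it is expanded unquoted on purpose so that the
    #     option and its value become separate words.
    # Aborts the whole run through error() when openssl rejects the chain.
    #
    # NOTE(review): -CAfile adds root.ca/key.crt to the trust store but does
    # not make it the *only* anchor -- openssl also loads its default
    # certificate directory (and, in 3.x, the default store) unless told
    # not to.  Add -no-CApath (OpenSSL >= 1.1.0) and -no-CAstore (>= 3.0)
    # once the OpenSSL version on the build host is pinned.
    # Relies on `openssl verify` exiting non-zero on failure; very old
    # releases are reported to have exited 0 regardless -- confirm on the
    # build host.
    local crt="$1"
    local -a chain_opts=()
    # Quoted array instead of a re-split string, so an intermediate path
    # containing whitespace still reaches openssl as one argument.
    [[ -n "$2" ]] && chain_opts=(-untrusted "$2")
    # shellcheck disable=SC2086  # $3 is meant to split into several words
    openssl verify $3 -CAfile root.ca/key.crt "${chain_opts[@]}" "$crt" \
        || error "$crt did not verify"
}
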
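error() { # message
    # Print $1 as a diagnostic and abort the whole run.
    # The message goes to stderr so it cannot be mistaken for openssl's own
    # "...: OK" lines on stdout, and it is printed verbatim: the old
    # unquoted `echo $1` word-split and glob-expanded the text, so a message
    # containing `*` could pick up file names from the working directory.
    # The exit status stays 255 -- what the original `exit -1` produced in
    # bash -- so callers and CI keep seeing the same code.
    printf '%s\n' "$1" >&2
    exit 255
}
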
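verifyExtlist() { # ext, [basic-constraints-suffix], [extra-lines]
        # Check that the extension *headers* in an `openssl x509 -text` dump
        # ($1) appear in exactly the expected set and order.  Only the header
        # lines are compared, never their values -- callers grep the values
        # they care about (CA:TRUE, key usage, URLs) themselves.
        # $2: text expected after "Basic Constraints: " (e.g. "critical");
        #     empty when the extension is not expected to be critical.
        # $3: extra header line(s), each newline-terminated, expected right
        #     after Key Usage (the leaf certs add an Extended Key Usage).
        # Aborts via error() on any difference, naming the global $ca when
        # the caller has set it.
        local actual expected
        actual=$(printf '%s\n' "$1" | grep -e "X509v3" -e "Authority Information" | sed "s/^[ \t]*//")
        # The trailing spaces below are deliberate: they match the blank
        # value openssl prints after a non-critical extension's name.
        expected="X509v3 extensions:
X509v3 Basic Constraints: $2
X509v3 Key Usage: 
${3}X509v3 Subject Key Identifier: 
X509v3 Authority Key Identifier: 
X509v3 CRL Distribution Points: 
Authority Information Access: "

        # Strip CRs with tr instead of the non-standard dos2unix tool, so the
        # script only depends on coreutils and openssl.
        diff <(printf '%s\n' "$actual" | tr -d '\r') <(printf '%s\n' "$expected" | tr -d '\r') || error "Extensions order is wrong for $ca"

}
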
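# Verify root
# The root is self-signed, so the chain check only proves it is well-formed
# and is its own trust anchor.  Basic Constraints is not expected to be
# critical here (verifyExtlist gets no second argument).
verify root.ca/key.crt
ROOT_EXT=$(openssl x509 -in "root.ca/key.crt" -noout -text)
verifyExtlist "$ROOT_EXT"
# openssl verify treats the certificate under test as the leaf of the chain,
# so the root's own CA:TRUE is not enforced by the call above; assert it
# explicitly, as the level-2 checks below do for the sub-CAs.
echo "$ROOT_EXT" | grep -A 2 "Basic Constraints" | grep -q "CA:TRUE" || error "Basic Constraints field is wrong for root"
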
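# Verify level-1 structure
# Each intermediate named in STRUCT_CAS (from `structure`) must be signed
# directly by the root and show the standard CA extension layout.  The
# intermediate is the leaf from openssl's point of view in this call, so its
# own CA:TRUE is asserted explicitly rather than left to the chain checks of
# the sub-CAs further down.
for ca in $STRUCT_CAS; do
    verify "$ca.ca/key.crt"
    CA_EXT=$(openssl x509 -in "$ca.ca/key.crt" -noout -text)
    verifyExtlist "$CA_EXT"
    echo "$CA_EXT" | grep -A 2 "Basic Constraints" | grep -q "CA:TRUE" || error "Basic Constraints field is wrong for $ca"
done
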
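# Verify level-2 (time) structure
# For every intermediate and every time slot of the year there is one
# sub-CA.  It must chain through its level-1 parent to the root at the
# slot's own date (-attime), and its subject, key usage and CRL/AIA
# locations must match what CAs/<ca> describes.
for ca in ${STRUCT_CAS}; do
    for i in $TIME_IDX; do
        # CAs/$ca is expected to set $name (the CN checked below).  It is
        # re-sourced for every slot as before; hoist it only after
        # confirming it does not depend on $i.
        . CAs/$ca
        if [ "$ca" == "env" ]; then
            CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
        else
            CA_FILE=$year/ca/${ca}_${year}_${i}.crt
        fi
        # points[i] (from `structure`) is assumed to hold MMDD -- confirm;
        # GNU date parses the resulting MM/DD/YYYY.  Verifying at 03:00 UTC
        # on that day presumably places the check inside the slot's own
        # validity window.
        time=${points[${i}]}
        timestamp=$(date --date="${time:0:2}/${time:2:2}/${year} 03:00:00 UTC" +"%s")
        verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
        EXT=$(openssl x509 -in "$CA_FILE" -noout -text)

        verifyExtlist "$EXT"

        # The CN is matched literally (-F) so a name containing regex
        # metacharacters cannot widen the match.  It is still a substring
        # match: "CN=foo" would also accept "CN=foobar".
        echo "$EXT" | grep "Subject: " | grep -q -F -- "CN=$name" || error "Subject field did not verify"

        echo "$EXT" | grep -A 2 "Basic Constraints" | grep -q "CA:TRUE" || error "Basic Constraints field is wrong for $ca"
        echo "$EXT" | grep -A 2 "Key Usage" | grep -q "^ *Certificate Sign, CRL Sign$" || error "KeyUsage field is wrong for $ca"

        # Revocation and issuer locations must point at the expected CAcert
        # G2 hosts for this CA; literal matching keeps the dots in the host
        # names from acting as wildcards.
        echo "$EXT" | grep -A 4 "CRL Distribution" | grep -q -F -- "g2.crl.cacert.org/g2/$ca.crl" || error "CRL field is wrong for $ca"
        echo "$EXT" | grep "CA Issuers" | grep -F -- "/$ca.crt" | grep -q -F -- "g2.crt.cacert.org/g2/" || error "CA Issuers field is wrong for $ca"
        echo "$EXT" | grep "OCSP" | grep -q -F -- "http://g2.ocsp.cacert.org" || error "OCSP field is wrong for $ca"
    done
done
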
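# Verify infra keys
# Leaf certificates under <year>/keys are issued by the first env sub-CA of
# the year, so the chain to the root needs both env.ca and env_<year>_1 as
# untrusted intermediates.
chain=$(mktemp) || error "could not create temporary chain file"
# Remove the bundle on every exit path: the previous fixed-name envChain.crt
# was left behind in the working directory whenever a check aborted.
trap 'rm -f -- "$chain"' EXIT
cat env.ca/key.crt "$year/ca/env_${year}_1.ca/key.crt" > "$chain"

for key in $SERVER_KEYS; do
    verify "${year}/keys/$key.crt" "$chain"
    KEY_EXT=$(openssl x509 -in "${year}/keys/$key.crt" -noout -text)
    # Leaf layout: critical Basic Constraints and an Extended Key Usage right
    # after Key Usage ($'...' keeps the trailing newline the template needs).
    verifyExtlist "$KEY_EXT" critical $'X509v3 Extended Key Usage: \n'
    # An end-entity certificate must not be usable as a CA.  Without
    # -purpose, openssl verify does not reject a CA:TRUE leaf on its own,
    # so check the value explicitly.
    echo "$KEY_EXT" | grep -A 2 "Basic Constraints" | grep -q "CA:FALSE" || error "Basic Constraints field is wrong for $key"
done

rm -f -- "$chain"
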