. structure
cd generated
-mkdir -p gigi-config/ca
-cp root.ca/key.crt gigi-config/ca/root.crt
+mkdir -p gigi-config/config/ca
+cp root.ca/key.crt gigi-config/config/ca/root.crt
for ca in $STRUCT_CAS; do
- cp ${ca}.ca/key.crt gigi-config/ca/${ca}.crt
+ cp ${ca}.ca/key.crt gigi-config/config/ca/${ca}.crt
[ "$ca" == "env" ] && continue
for i in $TIME_IDX; do
- cp ${year}/ca/${ca}_${year}_${i}.crt gigi-config/ca/${ca}_${year}_${i}.crt
+ cp ${year}/ca/${ca}_${year}_${i}.crt gigi-config/config/ca/${ca}_${year}_${i}.crt
done
done
+cp -R ../profiles gigi-config/config
+
mkdir -p gigi-config/keys
for k in ${year}/keys/{api,mail,secure,static,www}.pkcs12; do
cp $k gigi-config/keys
done
-tar czf gigi-$year.tar.gz -C .. profiles -C generated/gigi-config ca keys
+tar czf gigi-$year.tar.gz -C gigi-config config keys
rm -Rf gigi-config
installCommKeys() { # peer (server,client)
peer="$1"
mkdir -p signer-config/keys
- cp ${year}/ca/env_${year}_1.ca/key.crt signer-config/keys/ca.crt
+ cat ${year}/ca/env_${year}_1.ca/key.crt env.ca/key.crt root.ca/key.crt > signer-config/keys/ca.crt
for file in signer_${peer}.{crt,key}; do
cp ${year}/keys/$file signer-config/keys/$file
done
untrusted="$2"
[[ "$untrusted" != "" ]] && untrusted="-untrusted $untrusted"
openssl verify $3 -CAfile root.ca/key.crt $untrusted "$1" || error "$1 did not verify"
+ echo openssl verify $3 -CAfile root.ca/key.crt $untrusted "$1" || error "$1 did not verify"
}
error() { # message
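Review bot: The added `echo openssl verify ...` line directly after the real `openssl verify` call can never reach its `|| error "$1 did not verify"` branch, because `echo` exits 0 no matter what the preceding verify returned, so the error text on that line is dead and reads as if a second verification were happening. It also prints the fully expanded command to stdout on every call, which looks like a debugging leftover rather than intended script output. If a trace of the command is wanted, emit it before the real verify and to stderr, e.g. `printf '%s\n' "openssl verify $3 -CAfile root.ca/key.crt $untrusted $1" >&2`, without the `|| error` suffix; otherwise drop the line. The enclosing function's opening line is outside the hunk.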
# Verify infra keys
cat env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
-for key in $SERVER_KEYS; do
+for key in $SERVER_KEYS signer_client signer_server; do
verify ${year}/keys/$key.crt envChain.crt
verifyExtlist "$(openssl x509 -in "${year}/keys/$key.crt" -noout -text)" critical "X509v3 Extended Key Usage:
"