caSign(){ # csr,ca,config,start,end
start="$4"
end="$5"
- [ "$start" != "" ] && start="-startdate $start"
- [ "$end" != "" ] && end="-enddate $end"
- [ "$start" == "" -a "$end" == "" ] && start="-days 366"
+ [[ "$start" != "" ]] && start="-startdate $start"
+ [[ "$end" != "" ]] && end="-enddate $end"
+ [[ "$start" == "" && "$end" == "" ]] && start="$ROOT_VALIDITY"
BASE="$PWD"
echo "Signing: $1 with $2"
echo "$start $end"
pushd $2.ca > /dev/null
- openssl ca -cert key.crt -keyfile key.key -in "$BASE/$1.csr" -out "$BASE/$1.crt" -batch -config "$BASE/selfsign.config" -extfile "$BASE/$3" $start $end
+ if [[ "$2" == "root" && "$1" == root.* ]]; then
+ signkey="-selfsign"
+ else
+ signkey="-cert key.crt"
+ fi
+ openssl ca $signkey -keyfile key.key -in "$BASE/$1.csr" -out "$BASE/$1.crt" -batch -config "$BASE/selfsign.config" -extfile "$BASE/$3" $start $end
popd > /dev/null
echo "Signed"
}
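Review bot: The fallback `start="$ROOT_VALIDITY"` applies the fixed 2015–2030 window to any CSR signed without explicit dates, not only to the self-signed root case handled by the new `-selfsign` branch; before this change such a signing got `-days 366`. If intermediates are ever signed without dates (their callers are not in this hunk) they would now outlive their intended lifetime, so either restrict the default to the `-selfsign` branch or document the intent on that line, e.g. `# no dates given: fall back to the root validity window (ROOT_VALIDITY)`. The variable `start` now carries both the start and end options, which reads oddly next to `$end`; a separate `validity=` would be clearer. `pushd $2.ca` is also left unquoted, unlike the other path arguments in this function.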
# Generate the super Root CA
genca "/CN=Cacert-gigi testCA" root
-openssl x509 -req -days 365 -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf
+#echo openssl x509 -req $ROOT_VALIDITY -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf
+rootSign root
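Review bot: The replaced `openssl x509 -req …` call survives as a commented-out `#echo openssl x509 -req $ROOT_VALIDITY …` line that does nothing and will go stale; delete it and let version control keep the history. `rootSign` is not defined in this view, so whether it honours `ROOT_VALIDITY` cannot be checked here.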
# generate the various sub-CAs
for ca in $STRUCT_CAS; do
mkdir -p signer-config
for ca in $STRUCT_CAS; do
[ "$ca" == "env" ] && continue
- mkdir -p signer-config/ca/${ca}_${year}_1
- cp ${year}/ca/${ca}_${year}_1.crt signer-config/ca/${ca}_${year}_1/ca.crt
+ for i in $TIME_IDX; do
+ mkdir -p signer-config/ca/${ca}_${year}_${i}
+ cp ${year}/ca/${ca}_${year}_${i}.crt signer-config/ca/${ca}_${year}_${i}/ca.crt
+ done
done
installCommKeys client
for ca in $STRUCT_CAS; do
[ "$ca" == "env" ] && continue
- cp ${year}/ca/${ca}_${year}_1.key signer-config/ca/${ca}_${year}_1/ca.key
+ for i in $TIME_IDX; do
+ cp ${year}/ca/${ca}_${year}_${i}.key signer-config/ca/${ca}_${year}_${i}/ca.key
+ done
done
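Review bot: `cp ${year}/ca/${ca}_${year}_${i}.key …` copies CA private keys into `signer-config/ca/…` with whatever mode the source file and the umask give; since these are private keys, an explicit mode on the copy is safer, e.g. `install -m 0600 -- "${year}/ca/${ca}_${year}_${i}.key" "signer-config/ca/${ca}_${year}_${i}/ca.key"`. `$year`, `$ca` and `$i` are expanded unquoted throughout both loops, which works for the fixed values of `STRUCT_CAS` and `TIME_IDX` but should be quoted if those ever come from outside the script. This loop relies on the target directory having been created by the earlier `mkdir -p` loop; a one-line comment noting that ordering would help.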
installCommKeys server
mkdir -p $year/ca
-STARTDATE="${year:2}0101000000Z"
-ENDDATE="$((${year:2} + 2))0101000000Z"
-. CAs/env
-genca "/CN=$name ${year}-1" $year/ca/env_${year}_1
-genTimeCA $year/ca/env_${year}_1.ca/key env "$STARTDATE" "$ENDDATE"
+STARTDATE="${year:2}"
+ENDDATE="$((${year:2} + 2))"
-for ca in $STRUCT_CAS; do
- [ "$ca" == "env" ] && continue
- . CAs/$ca
- genKey "/CN=$name ${year}-1" $year/ca/${ca}_${year}_1
- genTimeCA $year/ca/${ca}_${year}_1 $ca "$STARTDATE" "$ENDDATE"
+for i in $TIME_IDX; do
+ point=${points[${i}]}
+ . CAs/env
+ genca "/CN=$name ${year}-${i}" $year/ca/env_${year}_${i}
+ genTimeCA $year/ca/env_${year}_${i}.ca/key env "$STARTDATE$point" "$ENDDATE$point"
+
+ for ca in $STRUCT_CAS; do
+ [ "$ca" == "env" ] && continue
+ . CAs/$ca
+ genKey "/CN=$name ${year}-${i}" $year/ca/${ca}_${year}_${i}
+ genTimeCA $year/ca/${ca}_${year}_${i} $ca "$STARTDATE$point" "$ENDDATE$point"
+ done
done
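Review bot: `ENDDATE="$((${year:2} + 2))"` does integer arithmetic on the two-digit year and stores the result unpadded, so it is only a valid UTCTime prefix for `year` in 2010–2097: `08`/`09` are rejected by bash as invalid octal, `05` becomes `7`, and the new `$STARTDATE$point` concatenation then no longer starts with a two-character year field. Forcing base 10 and re-padding keeps the format stable for this century: `printf -v ENDDATE '%02d' "$((10#${year:2} + 2))"`. The two-digit arithmetic existed before this change, but it previously fed a full timestamp string rather than a field that is concatenated with `${points[...]}`.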
STRUCT_CAS="env unassured assured codesign orga orgaSign"
SERVER_KEYS="api secure www static signer_server signer_client"
+TIME_IDX="1 2"
+points[1]="0101000000Z"
+points[2]="0601000000Z"
+
+ROOT_VALIDITY="-startdate 150101000000Z -enddate 300101000000Z"
. structure
-verify(){ # CAfile, crt
- openssl verify -CAfile "$1" "$2" || error "$2 did not verify"
+verify(){ # crt, [untrusted], additional
+ untrusted="$2"
+ [[ "$untrusted" != "" ]] && untrusted="-untrusted $untrusted"
+ openssl verify $3 -CAfile root.ca/key.crt $untrusted "$1" || error "$1 did not verify"
}
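Review bot: The new third parameter is expanded unquoted as `$3` so that a caller's `"-attime ${timestamp}"` is word-split into two arguments; that works for the level-2 loop later in this diff but should be stated in the header, e.g. `# crt, [untrusted], additional (whitespace-separated extra options, word-split)`, and the same splitting means neither it nor `$untrusted` can carry a path containing spaces. Passing extra options as separate words, `openssl verify "${@:3}" -CAfile root.ca/key.crt $untrusted "$1"`, with callers invoking `verify "$CA_FILE" "$ca.ca/key.crt" -attime "$timestamp"`, avoids both issues. The `error` function that follows shows only its header and closing brace here, so its body is outside this view.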
error() { # message
}
# Verify root
-verify root.ca/key.crt root.ca/key.crt
+verify root.ca/key.crt
# Verify level-1 structure
-for i in $STRUCT_CAS; do
- verify root.ca/key.crt $i.ca/key.crt
+for ca in $STRUCT_CAS; do
+ verify $ca.ca/key.crt
done
# Verify level-2 (time) structure
-for i in $STRUCT_CAS; do
- . CAs/$i
- if [ "$i" == "env" ]; then
- CA_FILE=$year/ca/${i}_${year}_1.ca/key.crt
- else
- CA_FILE=$year/ca/${i}_${year}_1.crt
- fi
- verify <(cat root.ca/key.crt $i.ca/key.crt) "$CA_FILE"
- openssl x509 -in "$CA_FILE" -noout -text | grep "CA Issuers" | grep "/$i.crt" > /dev/null || error "CA Issuers field is wrong for $i"
- openssl x509 -in "$CA_FILE" -noout -text | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+for ca in ${STRUCT_CAS}; do
+ for i in $TIME_IDX; do
+ . CAs/$ca
+ if [ "$ca" == "env" ]; then
+ CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
+ else
+ CA_FILE=$year/ca/${ca}_${year}_${i}.crt
+ fi
+ time=${year:2}${points[${i}]}
+ timestamp=$(date --date="${time:2:2}/${time:4:2}/${time:0:2} 03:00:00 UTC" +"%s")
+ verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
+ openssl x509 -in "$CA_FILE" -noout -text | grep "CA Issuers" | grep "/$ca.crt" > /dev/null || error "CA Issuers field is wrong for $ca"
+ openssl x509 -in "$CA_FILE" -noout -text | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+ done
done
# Verify infra keys
-cat root.ca/key.crt env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
+cat env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
-for i in $SERVER_KEYS; do
- verify envChain.crt ${year}/keys/$i.crt
+for key in $SERVER_KEYS; do
+ verify ${year}/keys/$key.crt envChain.crt
done
rm envChain.crt
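Review bot: `envChain.crt` is built from `env_${year}_1.ca/key.crt` only, while generation and the level-2 checks now iterate over `TIME_IDX="1 2"`; if any of the `$SERVER_KEYS` certificates is issued under `env_${year}_2` (not visible here) this loop would report it as failing. Building the chain from every index, e.g. `for i in $TIME_IDX; do cat "$year/ca/env_${year}_${i}.ca/key.crt"; done >> envChain.crt` after the `env.ca/key.crt` line, keeps the check in step with the rest of the change. These verifications also run without `-attime`, so unlike the level-2 loop they depend on the current clock falling inside the env time-CA window; a comment saying that this is intended would help the next reader. If `error` exits the script, `rm envChain.crt` is skipped and the file is left behind, which is harmless but worth knowing.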