del: also do not collect gigi keys
authorFelix Dörre <felix@dogcraft.de>
Fri, 22 Apr 2016 16:01:12 +0000 (18:01 +0200)
committerLucas Werkmeister <mail@lucaswerkmeister.de>
Fri, 22 Apr 2016 16:21:26 +0000 (18:21 +0200)
as they are not generated anymore

collectGigiConfig
collectSignerConfig
generateCRLs
verify

index 241a2cdab3a3cb9d6e050492a556baad201423cd..710411596a99d9486e006c972840b2a97c6624f1 100755 (executable)
@@ -18,11 +18,6 @@ done
 
 cp -R ../profiles gigi-config/config
 
-mkdir -p gigi-config/keys
-for k in ${year}/keys/{api,mail,secure,static,www}.pkcs12; do
-   cp $k gigi-config/keys
-done
-
-tar czf gigi-$year.tar.gz -C gigi-config config keys
+tar czf gigi-$year.tar.gz -C gigi-config config
 
 rm -Rf gigi-config
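Review bot: `$year` is expanded unquoted in the archive name on the new `tar czf gigi-$year.tar.gz` line, so an empty or whitespace-containing value gives a wrong or split file name instead of a failure. Quote it, `tar czf "gigi-${year}.tar.gz" -C gigi-config config`, and do the same on the `signer-client-$year.tar.gz` and `signer-server-$year.tar.gz` lines that the later hunks of this commit rewrite. Where `year` is assigned is outside the hunk; if it can be unset there, `"gigi-${year:?}.tar.gz"` would stop the script rather than write `gigi-.tar.gz`.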
index 740f7a8e5d7748a595bb7d53f02d73d6360a01d9..f00b0880f7555e36b63539482b9f2bb1457377cb 100755 (executable)
@@ -15,10 +15,9 @@ for ca in $STRUCT_CAS; do
     done
 done
 
-tar czf signer-client-$year.tar.gz -C .. profiles -C generated/signer-config keys ca
+tar czf signer-client-$year.tar.gz -C .. profiles -C generated/signer-config ca
 
 # Updating for server
-rm signer-config/keys/signer_*
 
 for ca in $STRUCT_CAS; do
     for i in $TIME_IDX; do
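Review bot: The `# Updating for server` comment is now followed only by an empty line, and with `rm signer-config/keys/signer_*` gone nothing in the hunk says how the server archive differs from the client one. Drop the leftover blank line and let the comment name what the following loop changes, for example `# Updating for server: <what the loop rewrites under ca/>`. The loop body lies outside the hunk, so the exact wording has to be taken from there.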
@@ -26,6 +25,6 @@ for ca in $STRUCT_CAS; do
     done
 done
 
-tar czf signer-server-$year.tar.gz -C .. profiles -C generated/signer-config keys ca
+tar czf signer-server-$year.tar.gz -C .. profiles -C generated/signer-config ca
 
 rm -R signer-config
index e31bb54e8ac3d311cd7facbf530bd21f8eb910e1..ff2338b7b9b745ce8517d504d764a5be7516b0bc 100755 (executable)
@@ -46,9 +46,3 @@ generateCRLs root
 for ca in $STRUCT_CAS; do
     generateCRLs $ca
 done
-
-for i in ${TIME_IDX}; do
-generateYearCRLs $year/ca/env_${year}_$i $i
-generateYearCRLs $year/ca/env_${year}_$i $i
-
-done
diff --git a/verify b/verify
index b8e568d54ccbcb2d84089d6ed104fd98f3daf82d..092e52eed7ba732a222ccd1a07b3a7cc8cf6baa2 100755 (executable)
--- a/verify
+++ b/verify
@@ -19,50 +19,45 @@ error() { # message
 }
 
 verifyExtlist() { # ext
-        EXTLIST=`echo "$1" | grep "X509v3\|Authority Information" | sed "s/^[ \t]*//"`
-        BASIC=$2
-        if [[ $BASIC == "" ]]; then
-            BASIC="critical"
-        else
-            BASIC="critical, $BASIC"
-        fi
-        VAR="X509v3 extensions:
-X509v3 Basic Constraints: $BASIC
+    EXTLIST=`echo "$1" | grep "X509v3\|Authority Information" | sed "s/^[ \t]*//"`
+    ADD="
+X509v3 Certificate Policies: "
+    if [[ $2 == "root" ]]; then
+        ADD=""
+    fi
+    VAR="X509v3 extensions:
+X509v3 Basic Constraints: critical
 X509v3 Key Usage: critical
-${3}X509v3 Subject Key Identifier: 
+X509v3 Subject Key Identifier: 
 X509v3 Authority Key Identifier: 
 X509v3 CRL Distribution Points: 
-Authority Information Access: "
+Authority Information Access: $ADD"
 
-        diff <(echo "$EXTLIST") <(echo "$VAR") || error "Extensions order is wrong for $ca"
+    diff <(echo "$EXTLIST") <(echo "$VAR") || error "Extensions order is wrong for $2"
 
 }
 
 # Verify root
 verify root.ca/key.crt
-verifyExtlist "$(openssl x509 -in "root.ca/key.crt" -noout -text)"
+verifyExtlist "$(openssl x509 -in "root.ca/key.crt" -noout -text)" root
 
 # Verify level-1 structure
 for ca in $STRUCT_CAS; do
     verify $ca.ca/key.crt
-    verifyExtlist "$(openssl x509 -in "$ca.ca/key.crt" -noout -text)"
+    verifyExtlist "$(openssl x509 -in "$ca.ca/key.crt" -noout -text)" "$ca"
 done
 
 # Verify level-2 (time) structure
 for ca in ${STRUCT_CAS}; do
     for i in $TIME_IDX; do
         . ../CAs/$ca
-        if [ "$ca" == "env" ]; then
-            CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
-        else
-            CA_FILE=$year/ca/${ca}_${year}_${i}.crt
-        fi
+        CA_FILE=$year/ca/${ca}_${year}_${i}.crt
         time=${points[${i}]}
         timestamp=$(date --date="${time:0:2}/${time:2:2}/${year} 03:00:00 UTC" +"%s")
         verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
         EXT=`openssl x509 -in "$CA_FILE" -noout -text`
 
-        verifyExtlist "$EXT"
+        verifyExtlist "$EXT" "$ca-$i"
 
         echo "$EXT" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"