From 6ba8d258f7f3601d8e0be4425f790210b4ea4a87 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Sun, 5 Apr 2015 11:26:43 +0200
Subject: [PATCH] adding multiple time-CAs per year
---
commonFunctions | 13 +++++++++----
generateKeys.sh | 3 ++-
generateSignerConfig.sh | 10 +++++++---
generateTime.sh | 24 +++++++++++++----------
structure | 5 +++++
verify.sh | 42 +++++++++++++++++++++++------------------
6 files changed, 61 insertions(+), 36 deletions(-)
diff --git a/commonFunctions b/commonFunctions
index aa1daff..8b12bf4 100755
--- a/commonFunctions
+++ b/commonFunctions
@@ -22,14 +22,19 @@ genca(){ #subj, internalName
 caSign(){ # csr,ca,config,start,end
 start="$4"
 end="$5"
-[ "$start" != "" ] && start="-startdate $start"
-[ "$end" != "" ] && end="-enddate $end"
-[ "$start" == "" -a "$end" == "" ] && start="-days 366"
+[[ "$start" != "" ]] && start="-startdate $start"
+[[ "$end" != "" ]] && end="-enddate $end"
+[[ "$start" == "" && "$end" == "" ]] && start="$ROOT_VALIDITY"
 BASE="$PWD"
 echo "Signing: $1 with $2"
 echo "$start $end"
 pushd $2.ca > /dev/null
-openssl ca -cert key.crt -keyfile key.key -in "$BASE/$1.csr" -out "$BASE/$1.crt" -batch -config "$BASE/selfsign.config" -extfile "$BASE/$3" $start $end
+if [[ "$2" == "root" && "$1" == root.* ]]; then
+signkey="-selfsign"
+else
+signkey="-cert key.crt"
+fi
+openssl ca $signkey -keyfile key.key -in "$BASE/$1.csr" -out "$BASE/$1.crt" -batch -config "$BASE/selfsign.config" -extfile "$BASE/$3" $start $end
 popd > /dev/null
 echo "Signed"
 }
diff --git a/generateKeys.sh b/generateKeys.sh
index 8ddc79c..353acb1 100755
--- a/generateKeys.sh
+++ b/generateKeys.sh
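Review bot: The new fallback `start="$ROOT_VALIDITY"` applies to every caSign call that passes no dates, not only to the root, while the variable name reads as root-specific and the window it carries is fixed on the calendar (see the structure hunk); a comment at that line such as `# no dates given: use the fixed validity window from structure (applies to any CA signed without explicit dates)` would stop the next maintainer from assuming it is root-only. The result of `openssl ca` is still not checked, so a failed signing is followed by the unconditional `echo "Signed"`; unless the scripts run under `set -e` (not visible here) the caller cannot tell, and `openssl ca $signkey ... $start $end || { popd > /dev/null; return 1; }` would surface it. `$signkey`, `$start` and `$end` are deliberately unquoted to split into option words, which is worth one comment since it looks like a quoting bug.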
@@ -31,7 +31,8 @@ rootSign(){ # csr
 # Generate the super Root CA
 genca "/CN=Cacert-gigi testCA" root
-openssl x509 -req -days 365 -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf
+#echo openssl x509 -req $ROOT_VALIDITY -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf
+rootSign root
 # generate the various sub-CAs
 for ca in $STRUCT_CAS; do
diff --git a/generateSignerConfig.sh b/generateSignerConfig.sh
index c054500..8a5921c 100755
--- a/generateSignerConfig.sh
+++ b/generateSignerConfig.sh
@@ -19,8 +19,10 @@ installCommKeys() { # peer (server,client)
 mkdir -p signer-config
 for ca in $STRUCT_CAS; do
 [ "$ca" == "env" ] && continue
- mkdir -p signer-config/ca/${ca}_${year}_1
- cp ${year}/ca/${ca}_${year}_1.crt signer-config/ca/${ca}_${year}_1/ca.crt
+ for i in $TIME_IDX; do
+ mkdir -p signer-config/ca/${ca}_${year}_${i}
+ cp ${year}/ca/${ca}_${year}_${i}.crt signer-config/ca/${ca}_${year}_${i}/ca.crt
+ done
 done
 installCommKeys client
@@ -32,7 +34,9 @@ rm signer-config/keys/signer_*
 for ca in $STRUCT_CAS; do
 [ "$ca" == "env" ] && continue
- cp ${year}/ca/${ca}_${year}_1.key signer-config/ca/${ca}_${year}_1/ca.key
+ for i in $TIME_IDX; do
+ cp ${year}/ca/${ca}_${year}_${i}.key signer-config/ca/${ca}_${year}_${i}/ca.key
+ done
 done
 installCommKeys server
diff --git a/generateTime.sh b/generateTime.sh
index c7a98de..572d27d 100755
--- a/generateTime.sh
+++ b/generateTime.sh
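Review bot: The commented-out line `#echo openssl x509 -req $ROOT_VALIDITY ...` is dead code and, as far as I can tell, would not work if uncommented either, because `openssl x509 -req` does not take `-startdate`/`-enddate` signing options (it prints those fields instead); it should be dropped rather than kept as a hint. The replacement `rootSign root` is the only live line, and rootSign itself is defined above the hunk, so its argument contract is not visible here.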
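Review bot: Neither `mkdir -p` nor `cp` in the new inner loop is checked, so if one `${ca}_${year}_${i}.crt` is missing the signer-config is silently incomplete unless the script runs under `set -e`, which is not visible in this hunk; the same applies to the `.key` copy in the hunk at line 32. A minimal guard is `cp ${year}/ca/${ca}_${year}_${i}.crt signer-config/ca/${ca}_${year}_${i}/ca.crt || exit 1` on both copies. For the `.key` copy, `cp` without `-p` gives the new file the source mode masked by umask, so if the source keys are not already mode-restricted a `chmod 600` on the copied `ca.key` is worth adding before the directory is packaged.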
@@ -20,16 +20,20 @@ TESTCA
 mkdir -p $year/ca
-STARTDATE="${year:2}0101000000Z"
-ENDDATE="$((${year:2} + 2))0101000000Z"
-. CAs/env
-genca "/CN=$name ${year}-1" $year/ca/env_${year}_1
-genTimeCA $year/ca/env_${year}_1.ca/key env "$STARTDATE" "$ENDDATE"
+STARTDATE="${year:2}"
+ENDDATE="$((${year:2} + 2))"
-for ca in $STRUCT_CAS; do
- [ "$ca" == "env" ] && continue
- . CAs/$ca
- genKey "/CN=$name ${year}-1" $year/ca/${ca}_${year}_1
- genTimeCA $year/ca/${ca}_${year}_1 $ca "$STARTDATE" "$ENDDATE"
+for i in $TIME_IDX; do
+ point=${points[${i}]}
+ . CAs/env
+ genca "/CN=$name ${year}-${i}" $year/ca/env_${year}_${i}
+ genTimeCA $year/ca/env_${year}_${i}.ca/key env "$STARTDATE$point" "$ENDDATE$point"
+
+ for ca in $STRUCT_CAS; do
+ [ "$ca" == "env" ] && continue
+ . CAs/$ca
+ genKey "/CN=$name ${year}-${i}" $year/ca/${ca}_${year}_${i}
+ genTimeCA $year/ca/${ca}_${year}_${i} $ca "$STARTDATE$point" "$ENDDATE$point"
+ done
 done
diff --git a/structure b/structure
index 12e4653..9bf7bcc 100755
--- a/structure
+++ b/structure
@@ -7,3 +7,8 @@ PRIVATEPW="changeit"
 STRUCT_CAS="env unassured assured codesign orga orgaSign"
 SERVER_KEYS="api secure www static signer_server signer_client"
+TIME_IDX="1 2"
+points[1]="0101000000Z"
+points[2]="0601000000Z"
+
+ROOT_VALIDITY="-startdate 150101000000Z -enddate 300101000000Z"
diff --git a/verify.sh b/verify.sh
index 472720c..6423eb9 100755
--- a/verify.sh
+++ b/verify.sh
@@ -5,8 +5,10 @@ year=$1
 . structure
-verify(){ # CAfile, crt
- openssl verify -CAfile "$1" "$2" || error "$2 did not verify"
+verify(){ # crt, [untrusted], additional
+ untrusted="$2"
+ [[ "$untrusted" != "" ]] && untrusted="-untrusted $untrusted"
+ openssl verify $3 -CAfile root.ca/key.crt $untrusted "$1" || error "$1 did not verify"
 }
 error() { # message
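Review bot: `point=${points[${i}]}` expands to the empty string when `TIME_IDX` names an index with no `points[]` entry, so `genTimeCA` is then handed a bare two-digit year as its date; openssl will presumably reject that, but only late and without naming the index, and `: "${points[$i]:?no points[] entry for TIME_IDX value $i}"` before the assignment fails early with a clear message. The rewritten `ENDDATE="$((${year:2} + 2))"` also inherits two problems: a year suffix of `08` or `09` is parsed as octal by `$(( ))` and aborts, and a result below 10 comes out as one digit, so `$((10#${year:2} + 2))` formatted with `printf '%02d'` is the safe form. `. CAs/env` is now re-sourced on every index iteration, which is harmless but worth a short comment so it is not mistaken for an oversight.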
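Review bot: `TIME_IDX` and `points[]` are parallel structures with nothing documenting the coupling, and `points[1]=` is the first bash array in a file that otherwise holds plain assignments, so every script that sources `structure` now needs bash (the shebangs are not visible here). A comment above the new lines such as `# TIME_IDX lists the keys of points[]; each entry is the MMDDhhmmssZ suffix appended to the two-digit year (bash array: sourcing scripts must run under bash)` would make both facts explicit. `ROOT_VALIDITY` carries a fixed window ending `300101000000Z`, which is fine for a test CA but deserves a one-line note that it is intentional.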
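Review bot: `untrusted` is assigned without `local`, so the helper leaks a global into the script, and both `$untrusted` and `$3` depend on unquoted word-splitting to become separate option words, which reads like a quoting mistake. An array keeps the splitting explicit: `local -a chain=()`, `[[ -n "$2" ]] && chain+=(-untrusted "$2")`, then `openssl verify $3 -CAfile root.ca/key.crt "${chain[@]}" "$1" || error "$1 did not verify"` (note that `"${chain[@]}"` on an empty array trips `set -u` on bash older than 4.4). Anchoring every check at `root.ca/key.crt` with the intermediate passed as `-untrusted` is a stronger check than the old concatenated CAfile, and a comment on the signature line saying so would help the next reader. `error` is defined after this function and its body runs past the hunk.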
@@ -15,31 +17,35 @@ error() { # message
 }
 # Verify root
-verify root.ca/key.crt root.ca/key.crt
+verify root.ca/key.crt
 # Verify level-1 structure
-for i in $STRUCT_CAS; do
- verify root.ca/key.crt $i.ca/key.crt
+for ca in $STRUCT_CAS; do
+ verify $ca.ca/key.crt
 done
 # Verify level-2 (time) structure
-for i in $STRUCT_CAS; do
- . CAs/$i
- if [ "$i" == "env" ]; then
- CA_FILE=$year/ca/${i}_${year}_1.ca/key.crt
- else
- CA_FILE=$year/ca/${i}_${year}_1.crt
- fi
- verify <(cat root.ca/key.crt $i.ca/key.crt) "$CA_FILE"
- openssl x509 -in "$CA_FILE" -noout -text | grep "CA Issuers" | grep "/$i.crt" > /dev/null || error "CA Issuers field is wrong for $i"
- openssl x509 -in "$CA_FILE" -noout -text | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+for ca in ${STRUCT_CAS}; do
+ for i in $TIME_IDX; do
+ . CAs/$ca
+ if [ "$ca" == "env" ]; then
+ CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
+ else
+ CA_FILE=$year/ca/${ca}_${year}_${i}.crt
+ fi
+ time=${year:2}${points[${i}]}
+ timestamp=$(date --date="${time:2:2}/${time:4:2}/${time:0:2} 03:00:00 UTC" +"%s")
+ verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
+ openssl x509 -in "$CA_FILE" -noout -text | grep "CA Issuers" | grep "/$ca.crt" > /dev/null || error "CA Issuers field is wrong for $ca"
+ openssl x509 -in "$CA_FILE" -noout -text | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+ done
 done
 # Verify infra keys
-cat root.ca/key.crt env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
+cat env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
-for i in $SERVER_KEYS; do
- verify envChain.crt ${year}/keys/$i.crt
+for key in $SERVER_KEYS; do
+ verify ${year}/keys/$key.crt envChain.crt
 done
 rm envChain.crt
--
2.39.2
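Review bot: The infra chain still hard-codes the first time CA, `cat env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt`, while the loop above now iterates `$TIME_IDX`; if server keys are issued under a later index (their issuance is not visible here) this verifies them against the wrong intermediate, and either the issuing index should be named in `structure` or the check should try each `env_${year}_${i}` CA. The server-key `verify` also gets no `-attime`, unlike the time-CA checks, so that part of the script depends on the wall clock while the CA checks do not. `timestamp=$(date --date=... 03:00:00 UTC ...)` relies on GNU `date --date` and two-digit-year parsing, and the `03:00:00` offset is unexplained; a comment such as `# verify shortly after notBefore (start point + 3h, GNU date) so the check does not depend on the current date` would record the intent, assuming that is the reason. The `grep "CN=$name"` subject check is a substring match that accepts any CN starting with `$name`; `grep -F -- "CN=$name "` or anchoring on the full Subject line would be stricter.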