From 7d139175f8175778faf1381d850848b0120868e5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Fri, 22 Apr 2016 17:53:28 +0200
Subject: [PATCH] del: remaining of infra-keys

---
 all | 2 --
 collectGigiConfig | 1 -
 collectSignerConfig | 16 ----------
 generateInfra | 77 ---------------------------------------------
 verify | 12 -------
 5 files changed, 108 deletions(-)
 delete mode 100755 generateInfra

diff --git a/all b/all
index 1157a75..d812b65 100755
--- a/all
+++ b/all
@@ -11,8 +11,6 @@ for arg in "$@"; do
 else
 echo "========== Generating Year $arg ======="
 ./generateTime "$arg"
- echo "========== Generating Infra for Year $arg ======="
- ./generateInfra "$arg"
 echo "========== Generating CRLs for Year $arg ======="
 ./generateCRLs "$arg"
diff --git a/collectGigiConfig b/collectGigiConfig
index bc769f5..241a2cd 100755
--- a/collectGigiConfig
+++ b/collectGigiConfig
@@ -11,7 +11,6 @@ mkdir -p gigi-config/config/ca
 cp root.ca/key.crt gigi-config/config/ca/root.crt
 for ca in $STRUCT_CAS; do
 cp ${ca}.ca/key.crt gigi-config/config/ca/${ca}.crt
- [ "$ca" == "env" ] && continue
 for i in $TIME_IDX; do
 cp ${year}/ca/${ca}_${year}_${i}.crt gigi-config/config/ca/${ca}_${year}_${i}.crt
 done
diff --git a/collectSignerConfig b/collectSignerConfig
index 66e7e5b..740f7a8 100755
--- a/collectSignerConfig
+++ b/collectSignerConfig
@@ -7,41 +7,25 @@ year=$1
 . structure.bash
 cd generated
-installCommKeys() { # peer (server,client)
- peer="$1"
- mkdir -p signer-config/keys
- cat ${year}/ca/env_${year}_1.ca/key.crt env.ca/key.crt root.ca/key.crt > signer-config/keys/ca.crt
- for file in signer_${peer}.{crt,key}; do
- cp ${year}/keys/$file signer-config/keys/$file
- done
-
-}
-
 mkdir -p signer-config
 for ca in $STRUCT_CAS; do
- [ "$ca" == "env" ] && continue
 for i in $TIME_IDX; do
 mkdir -p signer-config/ca/${ca}_${year}_${i}
 cp ${year}/ca/${ca}_${year}_${i}.crt signer-config/ca/${ca}_${year}_${i}/ca.crt
 done
 done
-installCommKeys client
-
 tar czf signer-client-$year.tar.gz -C .. profiles -C generated/signer-config keys ca
 # Updating for server
 rm signer-config/keys/signer_*
 for ca in $STRUCT_CAS; do
- [ "$ca" == "env" ] && continue
 for i in $TIME_IDX; do
 cp ${year}/ca/${ca}_${year}_${i}.key signer-config/ca/${ca}_${year}_${i}/ca.key
 done
 done
-installCommKeys server
-
 tar czf signer-server-$year.tar.gz -C .. profiles -C generated/signer-config keys ca
 rm -R signer-config
diff --git a/generateInfra b/generateInfra
deleted file mode 100755
index 819635f..0000000
--- a/generateInfra
+++ /dev/null
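Review bot: With installCommKeys removed, nothing left in this hunk creates `signer-config/keys`, yet the surviving `rm signer-config/keys/signer_*` and both `tar … -C generated/signer-config keys ca` lines still reference it, so rm will fail on the literal unmatched glob and tar will fail on the missing `keys` member (and abort the script if it runs under `set -e`, which would be above the hunk and is not visible here). Unless something outside the hunk still populates that directory, drop the `rm` line and change the two archive commands to `tar czf signer-client-$year.tar.gz -C .. profiles -C generated/signer-config ca` and `tar czf signer-server-$year.tar.gz -C .. profiles -C generated/signer-config ca`. If the signer still expects a `keys/` entry in the archive, then the deletion is incomplete rather than the tar lines wrong, and that should be settled before merging.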
@@ -1,77 +0,0 @@
-#!/bin/bash
-#
-set -e
-
-[ "$1" == "" ] && echo "Usage: $0 " && exit 1
-year=$1
-
-. structure.bash
-. commonFunctions.bash
-
-cd generated
-
-CRL="
-crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/$year/env-1.crl
-authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/$year/env-1.crt"
-
-cat < req.cnf
-basicConstraints = critical,CA:false
-keyUsage = keyEncipherment, digitalSignature
-extendedKeyUsage=serverAuth
-
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-$CRL
-TESTCA
-
-cat < reqClient.cnf
-basicConstraints = critical,CA:false
-keyUsage = keyEncipherment, digitalSignature
-extendedKeyUsage=clientAuth
-
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-$CRL
-TESTCA
-
-cat < reqMail.cnf
-basicConstraints = critical,CA:false
-keyUsage = keyEncipherment, digitalSignature
-extendedKeyUsage=emailProtection
-
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-$CRL
-TESTCA
-
-genserver(){ #key, subject, config
- openssl genrsa -out $1.key ${KEYSIZE}
- openssl req -new -key $1.key -out $1.csr -subj "$2"
- caSign $1 $year/ca/env_${year}_1 "$3" "${year}${points[1]}" "$((${year} + 2))${points[1]}"
-
- TZ=UTC LD_PRELOAD="$(findLibfaketime)" FAKETIME="${year}-01-01 00:00:00" openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12 -name "$4"
-
-}
-
-mkdir -p $year/keys
-
-cat $year/ca/env_${year}_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt
-
-# generate environment-keys specific to gigi.
-# first the server keys
-genserver $year/keys/www "/CN=www.${DOMAIN}" req.cnf www
-genserver $year/keys/secure "/CN=secure.${DOMAIN}" req.cnf secure
-genserver $year/keys/static "/CN=static.${DOMAIN}" req.cnf static
-genserver $year/keys/api "/CN=api.${DOMAIN}" req.cnf api
-
-# then the email signing key
-genserver $year/keys/mail "/emailAddress=support@${DOMAIN}" reqMail.cnf mail
-
-# then environment-keys for cassiopeia
-genserver $year/keys/signer_client "/CN=CAcert signer handler 1" reqClient.cnf signer_client
-genserver $year/keys/signer_server "/CN=CAcert signer 1" req.cnf signer_server
-
-rm req.cnf reqMail.cnf reqClient.cnf
-
-
-rm env.chain.crt
diff --git a/verify b/verify
index eb13404..b8e568d 100755
--- a/verify
+++ b/verify
@@ -74,15 +74,3 @@ for ca in ${STRUCT_CAS}; do
 echo "$EXT" | grep "OCSP" | grep "http://g2.ocsp.${DOMAIN}" > /dev/null || error "OCSP field is wrong for $ca"
 done
 done
-
-# Verify infra keys
-cat env.ca/key.crt $year/ca/env_${year}_1.ca/key.crt > envChain.crt
-
-for key in $SERVER_KEYS signer_client signer_server; do
- verify ${year}/keys/$key.crt envChain.crt
- verifyExtlist "$(openssl x509 -in "${year}/keys/$key.crt" -noout -text)" critical "X509v3 Extended Key Usage: -" done -
-rm envChain.crt
-
-- 
2.39.2