From 7db1e2dfecec7510b83ef7949d6c8600b27fa738 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Fri, 22 Apr 2016 18:01:12 +0200
Subject: [PATCH] del: also do not collect gigi keys as they are not generated anymore
---
 collectGigiConfig | 7 +------
 collectSignerConfig | 5 ++---
 generateCRLs | 6 ------
 verify | 35 +++++++++++++++--------------------
 4 files changed, 18 insertions(+), 35 deletions(-)
diff --git a/collectGigiConfig b/collectGigiConfig
index 241a2cd..7104115 100755
--- a/collectGigiConfig
+++ b/collectGigiConfig
@@ -18,11 +18,6 @@ done
 cp -R ../profiles gigi-config/config
-mkdir -p gigi-config/keys
-for k in ${year}/keys/{api,mail,secure,static,www}.pkcs12; do
- cp $k gigi-config/keys
-done
-
-tar czf gigi-$year.tar.gz -C gigi-config config keys
+tar czf gigi-$year.tar.gz -C gigi-config config
 rm -Rf gigi-config
diff --git a/collectSignerConfig b/collectSignerConfig
index 740f7a8..f00b088 100755
--- a/collectSignerConfig
+++ b/collectSignerConfig
@@ -15,10 +15,9 @@ for ca in $STRUCT_CAS; do
 done
 done
-tar czf signer-client-$year.tar.gz -C .. profiles -C generated/signer-config keys ca
+tar czf signer-client-$year.tar.gz -C .. profiles -C generated/signer-config ca
 # Updating for server
-rm signer-config/keys/signer_*
 for ca in $STRUCT_CAS; do
 for i in $TIME_IDX; do
@@ -26,6 +25,6 @@ for ca in $STRUCT_CAS; do
 done
 done
-tar czf signer-server-$year.tar.gz -C .. profiles -C generated/signer-config keys ca
+tar czf signer-server-$year.tar.gz -C .. profiles -C generated/signer-config ca
 rm -R signer-config
diff --git a/generateCRLs b/generateCRLs
index e31bb54..ff2338b 100755
--- a/generateCRLs
+++ b/generateCRLs
@@ -46,9 +46,3 @@ generateCRLs root
 for ca in $STRUCT_CAS; do
 generateCRLs $ca
 done
-
-for i in ${TIME_IDX}; do
-generateYearCRLs $year/ca/env_${year}_$i $i
-generateYearCRLs $year/ca/env_${year}_$i $i
-
-done
diff --git a/verify b/verify
index b8e568d..092e52e 100755
--- a/verify
+++ b/verify
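Review bot: The rewritten `tar czf gigi-$year.tar.gz -C gigi-config config` line has no status check, and the context line `rm -Rf gigi-config` right after it runs regardless, so a failed or truncated archive (disk full, missing `config`) silently discards the staged configuration; unless the script enables `set -e` above the hunk, change it to `tar czf "gigi-$year.tar.gz" -C gigi-config config || exit 1`. The loop closed by the `done` in the hunk header starts above the hunk. The two rewritten tar lines in collectSignerConfig have the same unchecked-status pattern and would take the same `|| exit 1`.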
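Review bot: With `keys` dropped from the `tar` line here and from the one in the `@@ -26,6 +25,6 @@` hunk below, the bundles now carry only `profiles` and `ca`, but the hunk does not show whether anything above it still stages key material into `signer-config/keys`; if it does, that material now sits on disk unused until the final `rm -R signer-config`, so it would be worth confirming the staging step was removed as well. The removed `rm signer-config/keys/signer_*` was the only statement under the `# Updating for server` heading that differentiated the server archive from the client one, so the heading now describes only the loop that follows; a one-line comment saying what that loop regenerates for the server bundle would keep the section readable. The `for ca`/`for i` loops at the end of this hunk continue past its last line.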
@@ -19,50 +19,45 @@ error() { # message
 }
 verifyExtlist() { # ext
- EXTLIST=`echo "$1" | grep "X509v3\|Authority Information" | sed "s/^[ \t]*//"`
- BASIC=$2
- if [[ $BASIC == "" ]]; then
- BASIC="critical"
- else
- BASIC="critical, $BASIC"
- fi
- VAR="X509v3 extensions:
-X509v3 Basic Constraints: $BASIC
+ EXTLIST=`echo "$1" | grep "X509v3\|Authority Information" | sed "s/^[ \t]*//"`
+ ADD="
+X509v3 Certificate Policies: "
+ if [[ $2 == "root" ]]; then
+ ADD=""
+ fi
+ VAR="X509v3 extensions:
+X509v3 Basic Constraints: critical
 X509v3 Key Usage: critical
-${3}X509v3 Subject Key Identifier:
+X509v3 Subject Key Identifier:
 X509v3 Authority Key Identifier:
 X509v3 CRL Distribution Points:
-Authority Information Access: "
+Authority Information Access: $ADD"
- diff <(echo "$EXTLIST") <(echo "$VAR") || error "Extensions order is wrong for $ca"
+ diff <(echo "$EXTLIST") <(echo "$VAR") || error "Extensions order is wrong for $2"
 }
 # Verify root
 verify root.ca/key.crt
-verifyExtlist "$(openssl x509 -in "root.ca/key.crt" -noout -text)"
+verifyExtlist "$(openssl x509 -in "root.ca/key.crt" -noout -text)" root
 # Verify level-1 structure
 for ca in $STRUCT_CAS; do
 verify $ca.ca/key.crt
- verifyExtlist "$(openssl x509 -in "$ca.ca/key.crt" -noout -text)"
+ verifyExtlist "$(openssl x509 -in "$ca.ca/key.crt" -noout -text)" "$ca"
 done
 # Verify level-2 (time) structure
 for ca in ${STRUCT_CAS}; do
 for i in $TIME_IDX; do
 . ../CAs/$ca
- if [ "$ca" == "env" ]; then
- CA_FILE=$year/ca/${ca}_${year}_${i}.ca/key.crt
- else
- CA_FILE=$year/ca/${ca}_${year}_${i}.crt
- fi
+ CA_FILE=$year/ca/${ca}_${year}_${i}.crt
 time=${points[${i}]}
 timestamp=$(date --date="${time:0:2}/${time:2:2}/${year} 03:00:00 UTC" +"%s")
 verify "$CA_FILE" "$ca.ca/key.crt" "-attime ${timestamp}"
 EXT=`openssl x509 -in "$CA_FILE" -noout -text`
- verifyExtlist "$EXT"
+ verifyExtlist "$EXT" "$ca-$i"
 echo "$EXT" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
-- 
2.39.2
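Review bot: The header comment `# ext` on `verifyExtlist` no longer describes the function: the new second parameter both selects the template (the literal `root` drops the trailing `X509v3 Certificate Policies:` line) and is interpolated into the error message, and the new `ADD` joins `EXTLIST` and `VAR` as unscoped globals that leak into the caller. Suggest replacing the comment with `# $1 - openssl x509 -text output; $2 - label for errors, 'root' also skips the Certificate Policies check` and adding `local EXTLIST ADD VAR` as the first statement of the body. Since the `grep "X509v3\|Authority Information"` keeps only the extension heading lines, the diff asserts the ordering and `critical` flags but not the values (CA:TRUE, path length, policy OIDs); that is pre-existing, but the commit now makes the presence of Certificate Policies mandatory for every non-root CA, so stating that limitation in the same comment would save the next reader from assuming policy content is checked. The level-2 loop that the last lines belong to continues past the end of the hunk.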