authorRob Austein <sra@hactrn.net>2006-08-22 22:27:25 +0000
committerRob Austein <sra@hactrn.net>2006-08-22 22:27:25 +0000
commit823d6f34328d4fe1fe006fb4d3174f8e84126f97 (patch)
treebd92f3cc67e999d28711bbff462ad9ff87dec198
parent17a030000ae7cf55e233d40f4da143087b67d894 (diff)
# on 2006/08/09 19:59:58, sra did:
Well, it triggers interesting core dumps now anyway... svn path=/scripts/gen-verify-test.pl; revision=186
-rw-r--r--scripts/gen-verify-test.pl38
1 files changed, 30 insertions, 8 deletions
diff --git a/scripts/gen-verify-test.pl b/scripts/gen-verify-test.pl
index 34466b1c..04e5a47a 100644
--- a/scripts/gen-verify-test.pl
+++ b/scripts/gen-verify-test.pl
@@ -12,7 +12,7 @@ open(F, "-|", "find", @ARGV, qw(-type f -name *.cer))
chomp(my @files = <F>);
close(F);
-# Convert files to PEM (openssl verify is lame)
+# Convert to PEM ("openssl verify" is lame)
for (@files) {
my $f = $_;
@@ -22,6 +22,8 @@ for (@files) {
or die("Couldn't convert $f to PEM format: $!\n");
}
+# Snarf all the AKI and SKI values from the certs we're examining
+
my %aki;
my %ski;
@@ -45,15 +47,35 @@ for my $f (@files) {
close(F);
}
-# This isn't a full test yet, this only tests one level (total chain
-# two certs deep). What we really need, after this much of it is
-# working, is to build up a %daddy hash based on the following tests,
-# then build up and test full chains from that.
+# Figure out who everybody's parents are
+
+my %daddy;
for my $f (@files) {
next unless ($aki{$f});
my @daddy = grep({ $ski{$_} eq $aki{$f} } @files);
- next unless (@daddy == 1);
- print("$openssl verify -verbose -issuer_checks \\\n\t-CAfile ",
- $daddy[0], " \\\n\t\t", $f, "\n");
+ $daddy{$f} = $daddy[0]
+ if (@daddy == 1 && $daddy[0] ne $f);
+}
+
+# Generate a test script based on all of the above
+
+for my $f (@files) {
+ my @parents;
+ for (my $d = $daddy{$f}; $d; $d = $daddy{$d}) {
+ push(@parents, $d);
+ }
+ next unless (@parents);
+ print("echo ", "=" x 40, "\n",
+ "echo Checking chain:\n");
+ print("echo ' File: $f'\n",
+ "$openssl x509 -noout -text -certopt no_header,no_signame,no_validity,no_pubkey,no_sigdump,no_version -in $_\n")
+ foreach (($f, @parents));
+ print("cat >CAfile.pem");
+ print(" $_")
+ foreach (@parents);
+ print("\n",
+ "$openssl verify -verbose -CAfile CAfile.pem \\\n",
+ "\t$f\n",
+ "rm CAfile.pem\n");
}
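Review bot: The chain walk `for (my $d = $daddy{$f}; $d; $d = $daddy{$d})` never terminates if two or more of the examined certificates name each other as issuer, because the `$daddy[0] ne $f` test only excludes a cert that points at itself; `@parents` then grows until memory runs out. A seen-set bounds it: `my %seen = ($f => 1);` before the loop and `last if $seen{$d}++;` as the first statement inside it. Further down in the same `for my $f` loop, `echo ' File: $f'` is printed once per element of `($f, @parents)` but always names the leaf, so it should interpolate `$_` to match the `-in $_` on the next line. The file names returned by `find` are also written into the generated script unquoted (`-in $_`, `cat >CAfile.pem $_`, `\t$f`), so a path containing spaces or shell metacharacters changes what the script runs; single-quoting each name, with any embedded `'` escaped, before printing would keep it as data.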