Diffstat (limited to 'scripts/Old/gen-verify-test.pl')
-rw-r--r--scripts/Old/gen-verify-test.pl104
1 files changed, 104 insertions, 0 deletions
diff --git a/scripts/Old/gen-verify-test.pl b/scripts/Old/gen-verify-test.pl
new file mode 100644
index 00000000..e1b53579
--- /dev/null
+++ b/scripts/Old/gen-verify-test.pl
@@ -0,0 +1,104 @@
+:
+# $Id$
+eval 'exec perl -w -S $0 ${1+"$@"}'
+ if 0;
+
+use strict;
+
+my $openssl = "/u/sra/isc/route-pki/subvert-rpki.hactrn.net/openssl/openssl/apps/openssl";
+
+my $verify_options = "-verbose -crl_check_all -policy_check -explicit_policy -policy 1.3.6.1.5.5.7.14.2 -x509_strict";
+
+my $verbose = 1;
+
+my $debug = $ENV{DEBUG};
+
+exit unless (@ARGV);
+
+# Find all certificates in the repository
+
+open(F, "-|", "find", @ARGV, qw(-type f -name *.cer))
+ or die("Couldn't run find: $!\n");
+chomp(my @files = <F>);
+close(F);
+@ARGV = ();
+
+# Snarf all the AIA and CDP values from the certs we're examining.
+# Icky screen scraping, better mechanism needed.
+
+my %aia;
+my %cdp;
+
+for my $f (@files) {
+ my ($a, $c) = (0, 0);
+ open(F, "-|", $openssl, qw(x509 -noout -text -inform DER -in), $f)
+ or die("Couldn't run openssl x509 on $f: $!\n");
+ while (<F>) {
+ chomp;
+ s{^.+URI:rsync://}{};
+ $a = $. + 1
+ if (/Authority Information Access:/);
+ $c = $. + 1
+ if (/X509v3 CRL Distribution Points:/);
+ $aia{$f} = $_
+ if ($a && $. == $a);
+ $cdp{$f} = $_
+ if ($c && $. == $c);
+ }
+ print(STDERR $f, " ", ($aia{$f} || "-"), " ", ($cdp{$f} || "-"), "\n")
+ if ($debug);
+ close(F);
+}
+
+# Sort out ancestry
+
+my %daddy;
+
+for my $f (@files) {
+ next unless ($aia{$f});
+ my @daddy = grep({ $_ eq $aia{$f} } @files);
+ die("Can't figure out who my daddy is! $f @{[join(' ', @daddy)]}\n")
+ if (@daddy > 1);
+ $daddy{$f} = $daddy[0]
+ if (@daddy && $daddy[0] ne $f);
+ print(STDERR "me: $f, daddy: $daddy[0]\n")
+ if ($debug);
+}
+
+# Generate a test script based on all of the above
+
+for my $f (@files) {
+ my @ancestors;
+ for (my $d = $daddy{$f}; $d; $d = $daddy{$d}) {
+ push(@ancestors, $d);
+ }
+ next unless (@ancestors);
+ my @crls;
+ for my $c (map {$cdp{$_}} ($f, @ancestors)) {
+ push(@crls, $c)
+ unless (grep {$_ eq $c} @crls);
+ }
+ print("echo ", "=" x 40, "\n",
+ "echo Checking chain:\n")
+ if ($verbose > 0);
+ for (($f, @ancestors)) {
+ print("echo ' Certificate: $_'\n")
+ if ($verbose > 0);
+ print("$openssl x509 -noout -text -inform DER -certopt no_header,no_signame,no_validity,no_pubkey,no_sigdump,no_version -in $_\n")
+ if ($verbose > 1);
+ }
+ for (@crls) {
+ print("echo ' CRL: $_'\n")
+ if ($verbose > 0);
+ print("$openssl crl -noout -text -inform DER -in $_\n")
+ if ($verbose > 1);
+ }
+ print("rm -f CAfile.pem cert-in-hand.pem\n");
+ print("$openssl x509 -inform DER -outform PEM >>CAfile.pem -in $_\n")
+ foreach (@ancestors);
+ print("$openssl crl -inform DER -outform PEM >>CAfile.pem -in $_\n")
+ foreach (@crls);
+ print("$openssl x509 -inform DER -outform PEM -out cert-in-hand.pem -in $f\n",
+ "$openssl verify -CAfile CAfile.pem $verify_options cert-in-hand.pem\n",
+ "rm -f CAfile.pem cert-in-hand.pem\n");
+}
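Review bot: The generated script interpolates repository paths unquoted into shell command lines (`-in $_` on lines 102, 108, 112 and 114, `-in $f` on line 116, and the `echo` lines), so a certificate or CRL path containing whitespace or shell metacharacters breaks the emitted commands or is parsed by the shell that runs the script; the paths come straight from `find` output, not from a controlled source. Wrap every interpolated path in a single-quoting helper such as `sub sh_quote { my $s = shift; $s =~ s/'/'\\''/g; return "'$s'"; }` and use its result in each print, so the shell sees the path as one literal word. Separately, `close(F)` on line 65 is unchecked, so an `openssl x509` run that fails on a malformed certificate leaves `%aia`/`%cdp` silently empty for that file and the chain is quietly skipped on line 90; `close(F) or die("openssl x509 failed on $f: $?\n");` would surface that. The AIA/CDP scraping also assumes the URI is on the line immediately after the extension heading (`$. + 1`), which is worth a comment stating that dependency on `openssl -text` layout.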