proxmox/scripts/omnl/apply-qes-tsa-to-staging.sh
defiQUG 95522d3bca
feat(omnl): HYBX-BATCH-001 package, rail scripts, regulatory docs, CI
- Add OMNL/CBK Indonesia submission and audit binder docs, manifests, attestations
- Add scripts/omnl transaction-package pipeline, LEI/PvP helpers, jq/lib fixtures
- Update entity master data, MASTER_INDEX, TODOS, dbis-rail docs and rulebook
- Add proof_package/regulatory skeleton and transaction package zip + snapshot JSON
- validate-omnl-rail workflow, forge-verification-proxy tweak, .gitignore hygiene
- Bump smom-dbis-138 (cronos verify docs/scripts) and explorer-monorepo (SPA + env report)

Made-with: Cursor
2026-03-24 18:11:36 -07:00


#!/usr/bin/env bash
# Apply RFC 3161 TSA timestamp and/or CMS detached signature to HASH_NOTARIZATION_ANCHOR.txt in staging.
# Env: TSA_URL, TSA_TIMESTAMP_TARGET, TSA_VERIFY_CAFILE, TSA_CURL_CONNECT_TIMEOUT, TSA_CURL_MAX_TIME,
# QES_SIGN_CERT, QES_SIGN_KEY, QES_SIGN_CHAIN
# Usage: apply-qes-tsa-to-staging.sh <staging-dir> [--tsa-only|--qes-only]
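set -euo pipefail

# Positional staging directory is mandatory; fail with usage if absent.
STAGING="${1:?usage: $0 <staging-dir> [--tsa-only|--qes-only]}"
shift
# Both rails read and write under $STAGING/00_Cover, so reject a missing
# directory up front instead of letting a later "skip" path report success.
[ -d "$STAGING" ] || { echo "Staging dir not found: $STAGING" >&2; exit 2; }
readonly STAGING

# MODE selects which rail(s) run: all (default), tsa, or qes. When both
# flags are given the last one wins.
MODE="all"
while [ $# -gt 0 ]; do
  case "$1" in
    --tsa-only) MODE="tsa" ;;
    --qes-only) MODE="qes" ;;
    *) echo "Unknown: $1" >&2; exit 2 ;;
  esac
  shift
done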
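#######################################
# Request an RFC 3161 timestamp for the notarization anchor and store the
# request, response, a text dump and the verification result under
# $STAGING/00_Cover.
# Globals:   STAGING (read); TSA_URL, TSA_TIMESTAMP_TARGET, TSA_DIGEST,
#            TSA_VERIFY_CAFILE, TSA_CURL_CONNECT_TIMEOUT, TSA_CURL_MAX_TIME (read)
# Outputs:   TSA_RFC3161_REQUEST.tsq, TSA_RFC3161_RESPONSE.tsr,
#            TSA_RFC3161_RESPONSE.txt, TSA_RFC3161_VERIFY.txt; progress on stderr
# Returns:   0 on success, or when TSA_URL is unset (rail skipped);
#            1 when the target file or tooling is missing, or when the
#            response fails verification against TSA_VERIFY_CAFILE
#######################################
run_tsa() {
  local url="${TSA_URL:-}"
  [ -n "$url" ] || { echo "TSA_URL not set; skip TSA" >&2; return 0; }
  local tgt="${TSA_TIMESTAMP_TARGET:-00_Cover/HASH_NOTARIZATION_ANCHOR.txt}"
  local data="$STAGING/$tgt"
  [ -f "$data" ] || { echo "Missing $data" >&2; return 1; }
  command -v openssl >/dev/null || { echo "openssl required" >&2; return 1; }
  command -v curl >/dev/null || { echo "curl required" >&2; return 1; }

  local cover="$STAGING/00_Cover"
  local req="$cover/TSA_RFC3161_REQUEST.tsq"
  local tsr="$cover/TSA_RFC3161_RESPONSE.tsr"
  local txt="$cover/TSA_RFC3161_RESPONSE.txt"
  local verify_out="$cover/TSA_RFC3161_VERIFY.txt"

  # Digest used for the message imprint. Older openssl releases default
  # `ts -query` to SHA-1, so pin it; TSA_DIGEST overrides if the TSA needs
  # a different algorithm.
  local digest="${TSA_DIGEST:-sha256}"

  # -cert asks the TSA to include its signing certificate so the response
  # can be verified later without fetching it separately.
  openssl ts -query -data "$data" "-$digest" -cert -out "$req"

  curl -sS --fail \
    --connect-timeout "${TSA_CURL_CONNECT_TIMEOUT:-30}" \
    --max-time "${TSA_CURL_MAX_TIME:-120}" \
    -H "Content-Type: application/timestamp-query" \
    --data-binary @"$req" -o "$tsr" "$url"

  # The text dump is informational only; failing to render it is not fatal.
  openssl ts -reply -in "$tsr" -text >"$txt" 2>/dev/null || true

  if [ -n "${TSA_VERIFY_CAFILE:-}" ] && [ -f "$TSA_VERIFY_CAFILE" ]; then
    # Verify against the original request (-queryfile) instead of the raw
    # data so the nonce is checked along with the message imprint. A
    # response that does not verify is recorded but must not be accepted
    # silently, hence the non-zero return.
    if ! openssl ts -verify -queryfile "$req" -in "$tsr" \
        -CAfile "$TSA_VERIFY_CAFILE" >"$verify_out" 2>&1; then
      echo "TSA: verification failed; see $verify_out" >&2
      return 1
    fi
  else
    echo "TSA verify skipped (set TSA_VERIFY_CAFILE for openssl ts -verify)." \
      >"$verify_out"
    echo "TSA: verification skipped (TSA_VERIFY_CAFILE not set)" >&2
  fi
  echo "TSA: wrote $tsr" >&2
}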
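#######################################
# Produce a CMS detached signature (DER, .p7s) over the notarization anchor
# and record the verification result.
# Globals:   STAGING (read); QES_SIGN_CERT, QES_SIGN_KEY, QES_SIGN_CHAIN (read)
# Outputs:   QES_CMS_ANCHOR_DETACHED.p7s and QES_CMS_VERIFY_LOG.txt under
#            $STAGING/00_Cover; progress on stderr
# Returns:   0 on success, or when cert/key are unset (rail skipped);
#            1 when an input file or tooling is missing, when QES_SIGN_CHAIN
#            is set but absent, or when the signature fails verification
#######################################
run_qes() {
  local cert="${QES_SIGN_CERT:-}"
  local key="${QES_SIGN_KEY:-}"
  [ -n "$cert" ] && [ -n "$key" ] || { echo "QES_SIGN_CERT / QES_SIGN_KEY not set; skip QES CMS" >&2; return 0; }
  [ -f "$cert" ] && [ -f "$key" ] || { echo "QES cert/key not found" >&2; return 1; }
  command -v openssl >/dev/null || { echo "openssl required" >&2; return 1; }

  local cover="$STAGING/00_Cover"
  local anchor="$cover/HASH_NOTARIZATION_ANCHOR.txt"
  local out="$cover/QES_CMS_ANCHOR_DETACHED.p7s"
  local log="$cover/QES_CMS_VERIFY_LOG.txt"
  [ -f "$anchor" ] || { echo "Missing $anchor" >&2; return 1; }

  # A chain path that is set but unreadable must not quietly downgrade the
  # check to -noverify: treat it as a configuration error.
  local chain="${QES_SIGN_CHAIN:-}"
  if [ -n "$chain" ] && [ ! -f "$chain" ]; then
    echo "QES_SIGN_CHAIN set but not found: $chain" >&2
    return 1
  fi

  local -a sign_args=(-sign -binary -in "$anchor" -signer "$cert" -inkey "$key" -outform DER -out "$out")
  if [ -n "$chain" ]; then
    # Embed the chain so the detached signature can be validated without
    # out-of-band intermediates.
    sign_args+=(-certfile "$chain")
  fi
  openssl cms "${sign_args[@]}"

  local -a verify_args=(-verify -binary -content "$anchor" -inform DER -in "$out")
  if [ -n "$chain" ]; then
    verify_args+=(-CAfile "$chain")
  else
    # Without a chain only the signature's integrity is checked; the signer
    # certificate itself is not validated. Say so, so the log is not taken
    # for a trust check.
    echo "QES: QES_SIGN_CHAIN not set; verifying with -noverify (signer chain not validated)" >&2
    verify_args+=(-noverify)
  fi
  # Keep the log in either case, but a failed verification is an error.
  if ! openssl cms "${verify_args[@]}" >"$log" 2>&1; then
    echo "QES: CMS verification failed; see $log" >&2
    return 1
  fi
  echo "QES: wrote $out" >&2
}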
# Dispatch on MODE (all | tsa | qes): the TSA rail runs unless qes-only was
# requested, the QES rail unless tsa-only was requested. Under `set -e` a
# non-zero return from either rail aborts before the final exit.
if [ "$MODE" != "qes" ]; then
  run_tsa
fi
if [ "$MODE" != "tsa" ]; then
  run_qes
fi
exit 0