authorRob Austein <sra@hactrn.net>2017-07-06 22:42:23 -0400
committerRob Austein <sra@hactrn.net>2017-07-06 22:42:23 -0400
commit3cb262f5af1b431eb1303f349dac6f28aec24d78 (patch)
tree251ee63641569364d8bd16c17c0e3a3c42e3aaba
parent254bf4a64d6e3acdd47cd9e15a1e282e5fc0ec4c (diff)
TLS example.
-rw-r--r--README.md8
-rwxr-xr-xhttps-client.sh7
-rwxr-xr-xhttps-server.sh27
-rwxr-xr-xissue-certificates.sh10
4 files changed, 50 insertions, 2 deletions
diff --git a/README.md b/README.md
index 9af8bf7..a349537 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
Packages you need (on Debian Jessie, anyway):
- sudo apt-get install opensc cryptech-alpha
+ sudo apt-get install opensc cryptech-alpha stunnel micro-httpd w3m
sudo apt-get install -t jessie-backports libengine-pkcs11-openssl
We're using the backported version of libengine-pkcs11-openssl because
@@ -47,6 +47,12 @@ useful things with those keys.
* `smime-signature.sh` generates and verifies a signed S/MIME message;
this also depends on `issue-certificates.sh`.
+* `https-server.sh` runs a toy https server, using keys and certificates
+ generated by `create-keys.sh` and `issue-certificates.sh`.
+
+* `https-client.sh` uses w3m as a client to talk to the toy server
+ run by `https-server.sh` (and therefore has the same dependencies).
+
## References and notes
* <https://www.nlnetlabs.nl/downloads/publications/hsm/>
diff --git a/https-client.sh b/https-client.sh
new file mode 100755
index 0000000..b308978
--- /dev/null
+++ b/https-client.sh
@@ -0,0 +1,7 @@
+#!/bin/sh -
+
+exec w3m \
+ -o ssl_forbid_method=23 \
+ -o ssl_verify_server=true \
+ -o ssl_ca_file=$(pwd)/leader.cer \
+ https://localhost:4443/
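Review bot: `-o ssl_ca_file=$(pwd)/leader.cer` is unquoted, so a working directory whose path contains whitespace splits that option into several arguments and w3m is handed a wrong CA path; with `ssl_verify_server=true` the connection then fails verification with no obvious cause. Writing it as `-o "ssl_ca_file=$(pwd)/leader.cer"` keeps the option a single argument. The script also assumes `leader.cer` already exists in the current directory (the README hunk states this dependency on `issue-certificates.sh`); a guard such as `[ -r leader.cer ] || { echo "leader.cer not found; run issue-certificates.sh first" >&2; exit 1; }` before the `exec` would turn that into a readable error instead of a bare TLS verification failure.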
diff --git a/https-server.sh b/https-server.sh
new file mode 100755
index 0000000..ea105cd
--- /dev/null
+++ b/https-server.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -
+
+. ./environment.sh
+
+stunnel -fd 0 <<EOF
+
+engine = dynamic
+engineCtrl = SO_PATH:${ENGINE_MODULE}
+engineCtrl = ID:pkcs11
+engineCtrl = LIST_ADD:1
+engineCtrl = LOAD
+engineCtrl = MODULE_PATH:${PKCS11_MODULE}
+engineCtrl = PIN:${PKCS11_PIN}
+engineCtrl = INIT
+
+foreground = yes
+pid =
+
+[https]
+accept = :::4443
+cert = $(pwd)/nogoodnik.cer
+engineNum = 1
+key = label_boris
+exec = /usr/sbin/micro-httpd
+execargs = micro-httpd $(pwd)
+
+EOF
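Review bot: `accept = :::4443` binds the listener on every interface while `execargs = micro-httpd $(pwd)` makes the current directory the document root, and that directory holds `environment.sh` (sourced at the top of the script), which presumably defines `PKCS11_PIN`; any host that can reach port 4443 could then fetch the HSM PIN from the toy server. Since the paired client only talks to `https://localhost:4443/`, bind to loopback and serve a dedicated directory instead: `accept = 127.0.0.1:4443` and `execargs = micro-httpd $(pwd)/htdocs` (with the pages to publish placed in that directory). Adding `: "${PKCS11_PIN:?}"` right after the `. ./environment.sh` line would also report a missing PIN up front rather than emitting an empty `PIN:` engineCtrl that is only diagnosed when stunnel's engine `INIT` fails.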
diff --git a/issue-certificates.sh b/issue-certificates.sh
index 39e64d9..1a00992 100755
--- a/issue-certificates.sh
+++ b/issue-certificates.sh
@@ -24,4 +24,12 @@ openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
-CAkey label_leader -CA leader.cer \
-out boris.cer
-openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer
+openssl req -batch -new -engine pkcs11 -keyform ENGINE \
+ -subj "/GN=Hilary/SN=Pushemoff/CN=localhost" \
+ -key label_boris |
+openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
+ -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
+ -CAkey label_leader -CA leader.cer \
+ -out nogoodnik.cer
+
+openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer nogoodnik.cer
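Review bot: `-set_serial \`date +%s\`` gives nogoodnik.cer a serial equal to the current epoch second, and because this command runs immediately after the boris.cer issuance (which, from the parallel structure, appears to use the same expression), two certificates signed by leader.cer can end up with identical serials whenever they are issued within the same second; a CA must not reuse serials, and anything that keys on issuer plus serial (revocation lists, certificate stores) then cannot tell them apart. A random serial avoids this and drops the backticks at the same time: `-set_serial 0x$(openssl rand -hex 8)`. `-extfile $OPENSSL_CONF` is unquoted as well; `-extfile "$OPENSSL_CONF"` keeps a path with spaces as one argument. The enclosing script starts outside the hunk, so whether it runs under `set -e` is not visible here.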