diff options
| author | Rob Austein <sra@hactrn.net> | 2017-07-06 22:42:23 -0400 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2017-07-06 22:42:23 -0400 |
| commit | 3cb262f5af1b431eb1303f349dac6f28aec24d78 (patch) | |
| tree | 251ee63641569364d8bd16c17c0e3a3c42e3aaba | |
| parent | 254bf4a64d6e3acdd47cd9e15a1e282e5fc0ec4c (diff) | |
TLS example.
| -rw-r--r-- | README.md | 8 | ||||
| -rwxr-xr-x | https-client.sh | 7 | ||||
| -rwxr-xr-x | https-server.sh | 27 | ||||
| -rwxr-xr-x | issue-certificates.sh | 10 |
4 files changed, 50 insertions, 2 deletions
@@ -2,7 +2,7 @@ Packages you need (on Debian Jessie, anyway): - sudo apt-get install opensc cryptech-alpha + sudo apt-get install opensc cryptech-alpha stunnel micro-httpd w3m sudo apt-get install -t jessie-backports libengine-pkcs11-openssl We're using the backported version of libengine-pkcs11-openssl because @@ -47,6 +47,12 @@ useful things with those keys. * `smime-signature.sh` generates and verifies a signed S/MIME message; this also depends on `issue-certificates.sh`. +* `https-server.sh` runs a toy https server, using keys and certificates + generated by `create-keys.sh` and `issue-certificates.sh`. + +* `https-client.sh` uses w3m as a client to talk to the toy server + run by `https-server.sh` (and therefore has the same dependencies). + ## References and notes * <https://www.nlnetlabs.nl/downloads/publications/hsm/> diff --git a/https-client.sh b/https-client.sh new file mode 100755 index 0000000..b308978 --- /dev/null +++ b/https-client.sh @@ -0,0 +1,7 @@ +#!/bin/sh - + +exec w3m \ + -o ssl_forbid_method=23 \ + -o ssl_verify_server=true \ + -o ssl_ca_file=$(pwd)/leader.cer \ + https://localhost:4443/ diff --git a/https-server.sh b/https-server.sh new file mode 100755 index 0000000..ea105cd --- /dev/null +++ b/https-server.sh @@ -0,0 +1,27 @@ +#!/bin/sh - + +. ./environment.sh + +stunnel -fd 0 <<EOF + +engine = dynamic +engineCtrl = SO_PATH:${ENGINE_MODULE} +engineCtrl = ID:pkcs11 +engineCtrl = LIST_ADD:1 +engineCtrl = LOAD +engineCtrl = MODULE_PATH:${PKCS11_MODULE} +engineCtrl = PIN:${PKCS11_PIN} +engineCtrl = INIT + +foreground = yes +pid = + +[https] +accept = :::4443 +cert = $(pwd)/nogoodnik.cer +engineNum = 1 +key = label_boris +exec = /usr/sbin/micro-httpd +execargs = micro-httpd $(pwd) + +EOF diff --git a/issue-certificates.sh b/issue-certificates.sh index 39e64d9..1a00992 100755 --- a/issue-certificates.sh +++ b/issue-certificates.sh @@ -24,4 +24,12 @@ openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \ -CAkey label_leader -CA leader.cer \ -out boris.cer -openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer +openssl req -batch -new -engine pkcs11 -keyform ENGINE \ + -subj "/GN=Hilary/SN=Pushemoff/CN=localhost" \ + -key label_boris | +openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \ + -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \ + -CAkey label_leader -CA leader.cer \ + -out nogoodnik.cer + +openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer nogoodnik.cer |