authorRob Austein <sra@hactrn.net>2016-08-21 15:40:34 -0400
committerRob Austein <sra@hactrn.net>2016-08-21 15:40:34 -0400
commitf110c617c706e3a0b21daf29802e44668e202740 (patch)
treebcf8f0e8fa9f3618215816e4d3d3a2170e3dbd4b
parent3c65389a9c1473595ac9a7e315ccde42a0ee008c (diff)
Split out certificate creation; handle verification properly.
-rw-r--r--README.md11
-rwxr-xr-xbasic-signature.sh8
-rwxr-xr-xissue-certificates.sh27
-rwxr-xr-xsmime-signature.sh24
4 files changed, 44 insertions, 26 deletions
diff --git a/README.md b/README.md
index 0943cb1..bc647a5 100644
--- a/README.md
+++ b/README.md
@@ -31,13 +31,18 @@ useful things with those keys.
* `delete-keys.sh` uses `pkcs11-tool` to delete the keys which
`create-keys.sh` created.
+* `issue-certificates.sh` generates a small X.509v3 certificate tree.
+ As a sanity check, it also verifies the issued certificates.
+ This depends on the keys created by `create-keys.sh`.
+
* `basic-signature.sh` performs a basic hash-and-sign of a data file
using the `openssl dgst` command, writing a detached signature out
as a binary file. As a sanity check, it also verifies the resulting
- signature using the corresponding public key.
+ signature using the public key extracted from the corresponding
+ certificate (so this depends on `issue-certificates.sh`).
-* `smime-signature.sh` generates a small X.509v3 certificate tree and
- uses that to generate a signed S/MIME message.
+* `smime-signature.sh` generates and verifies a signed S/MIME message;
+ this also depends on `issue-certificates.sh`.
## References and notes
diff --git a/basic-signature.sh b/basic-signature.sh
index 16b663a..48b1b93 100755
--- a/basic-signature.sh
+++ b/basic-signature.sh
@@ -4,5 +4,9 @@
set -x
-openssl dgst -keyform ENGINE -sha256 -engine pkcs11 -sign label_boris -out message.sig message.txt
-openssl dgst -keyform ENGINE -sha256 -engine pkcs11 -verify label_boris -signature message.sig message.txt
+openssl dgst -sha256 -keyform ENGINE -engine pkcs11 -sign label_boris -out message.sig message.txt
+
+openssl verify -CAfile leader.cer boris.cer
+
+openssl x509 -noout -in boris.cer -pubkey |
+openssl dgst -sha256 -verify /dev/stdin -signature message.sig message.txt
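Review bot: The added `openssl verify -CAfile leader.cer boris.cer` on the third line of the hunk does not influence the script's outcome: if the certificate check fails, the script still runs the signature check below and exits with that command's status, so the sanity check can report success with an untrusted certificate. Unless the lines above the hunk set `-e` (they are outside it), chain it explicitly: `openssl verify -CAfile leader.cer boris.cer || exit 1`. A related gap is that a failing `openssl dgst -sign` leaves a previous run's `message.sig` in place, which the verify step would then happily validate; a `rm -f message.sig` before signing (or `set -e`) keeps the check honest. Inside the final pipeline only the exit status of `openssl dgst -verify` is visible, which is the right one here, but a failure of `openssl x509 -pubkey` would surface only as a verify error rather than as its own diagnostic.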
diff --git a/issue-certificates.sh b/issue-certificates.sh
new file mode 100755
index 0000000..39e64d9
--- /dev/null
+++ b/issue-certificates.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -
+
+. ./environment.sh
+
+set -x
+
+openssl req -batch -new -engine pkcs11 -keyform ENGINE -x509 -days 365 \
+ -subj "/C=PV/O=Pottsylvanian Ministry of Offense/GN=Fearless/SN=Leader" \
+ -key label_leader -out leader.cer
+
+openssl req -batch -new -engine pkcs11 -keyform ENGINE \
+ -subj "/GN=Natasha/SN=Fatale" \
+ -key label_natasha |
+openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
+ -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
+ -CAkey label_leader -CA leader.cer \
+ -out natasha.cer
+
+openssl req -batch -new -engine pkcs11 -keyform ENGINE \
+ -subj "/GN=Boris/SN=Badenov" \
+ -key label_boris |
+openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
+ -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
+ -CAkey label_leader -CA leader.cer \
+ -out boris.cer
+
+openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer
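Review bot: Both `-set_serial \`date +%s\`` invocations (the natasha.cer and boris.cer steps) take the serial from the current second, so two end-entity certificates issued back to back by the same CA will almost always carry the same serial number, which violates the per-issuer uniqueness X.509 requires and breaks any later revocation or lookup by serial. Use a random serial instead, e.g. `-set_serial 0x$(openssl rand -hex 16)`, or let OpenSSL maintain one with `-CAcreateserial`; `$(...)` also reads better than backticks. `$OPENSSL_CONF` is unquoted in `-extfile $OPENSSL_CONF` on both lines; `"$OPENSSL_CONF"` avoids word-splitting if the path set by environment.sh contains spaces. The closing `openssl verify` gives the script a meaningful exit status, but nothing stops a failed `openssl req` or `openssl x509` step from leaving stale .cer files from a previous run to be verified; `set -e` next to `set -x` would close that gap.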
diff --git a/smime-signature.sh b/smime-signature.sh
index fb2f815..7b58bf4 100755
--- a/smime-signature.sh
+++ b/smime-signature.sh
@@ -4,29 +4,11 @@
set -x
-openssl req -batch -new -engine pkcs11 -keyform ENGINE -x509 -days 365 \
- -subj "/C=PV/O=Pottsylvanian Ministry of Offense/GN=Fearless/SN=Leader" \
- -key label_leader -out leader.cer
-
-openssl req -batch -new -engine pkcs11 -keyform ENGINE \
- -subj "/GN=Natasha/SN=Fatale" \
- -key label_natasha |
-openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
- -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
- -CAkey label_leader -CA leader.cer \
- -out natasha.cer
-
-openssl req -batch -new -engine pkcs11 -keyform ENGINE \
- -subj "/GN=Boris/SN=Badenov" \
- -key label_boris |
-openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
- -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
- -CAkey label_leader -CA leader.cer \
- -out boris.cer
-
openssl smime -engine pkcs11 -sign -text -keyform ENGINE \
- -inkey label_natasha -signer natasha.cer -certfile leader.cer \
+ -inkey label_natasha -signer natasha.cer \
-from "Natasha Fatale <natasha@moo.pv>" \
-to "Boris Badenov <boris@moo.pv>" \
-subject "Fiendish plot" \
-in message.txt -out message.smime
+
+openssl smime -verify -in message.smime -CAfile leader.cer -out /dev/null
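Review bot: The new `openssl smime -verify ... -CAfile leader.cer` on the last line accepts any signer certificate that chains to leader.cer, not specifically natasha.cer; since boris.cer is issued by the same CA, a message signed with Boris's key would pass this sanity check as well. To pin the expected signer, verify against the known certificate rather than the one embedded in the message: `openssl smime -verify -in message.smime -nointern -certfile natasha.cer -CAfile leader.cer -out /dev/null`. Removing `-certfile leader.cer` from the sign step is harmless for this verify because the trust anchor comes from `-CAfile`, but a one-line comment saying so would save the next reader from wondering why the chain is no longer embedded. As in basic-signature.sh, a failed sign step would leave a stale message.smime from a previous run for the verify to accept; whether `set -e` guards against that depends on the preamble, which is outside the hunk.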