aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README.md11
-rwxr-xr-xbasic-signature.sh8
-rwxr-xr-xissue-certificates.sh27
-rwxr-xr-xsmime-signature.sh24
4 files changed, 44 insertions, 26 deletions
diff --git a/README.md b/README.md
index 0943cb1..bc647a5 100644
--- a/README.md
+++ b/README.md
@@ -31,13 +31,18 @@ useful things with those keys.
* `delete-keys.sh` uses `pkcs11-tool` to delete the keys which
`create-keys.sh` created.
+* `issue-certificates.sh` generates a small X.509v3 certificate tree.
+ As a sanity check, it also verifies the issued certificates.
+ This depends on the keys created by `create-keys.sh`.
+
* `basic-signature.sh` performs a basic hash-and-sign of a data file
using the `openssl dgst` command, writing a detached signature out
as a binary file. As a sanity check, it also verifies the resulting
- signature using the corresponding public key.
+ signature using the public key extracted from the corresponding
+ certificate (so this depends on `issue-certificates.sh`).
-* `smime-signature.sh` generates a small X.509v3 certificate tree and
- uses that to generate a signed S/MIME message.
+* `smime-signature.sh` generates and verifies a signed S/MIME message;
+ this also depends on `issue-certificates.sh`.
## References and notes
diff --git a/basic-signature.sh b/basic-signature.sh
index 16b663a..48b1b93 100755
--- a/basic-signature.sh
+++ b/basic-signature.sh
@@ -4,5 +4,9 @@
set -x
-openssl dgst -keyform ENGINE -sha256 -engine pkcs11 -sign label_boris -out message.sig message.txt
-openssl dgst -keyform ENGINE -sha256 -engine pkcs11 -verify label_boris -signature message.sig message.txt
+openssl dgst -sha256 -keyform ENGINE -engine pkcs11 -sign label_boris -out message.sig message.txt
+
+openssl verify -CAfile leader.cer boris.cer
+
+openssl x509 -noout -in boris.cer -pubkey |
+openssl dgst -sha256 -verify /dev/stdin -signature message.sig message.txt
diff --git a/issue-certificates.sh b/issue-certificates.sh
new file mode 100755
index 0000000..39e64d9
--- /dev/null
+++ b/issue-certificates.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -
+
+. ./environment.sh
+
+set -x
+
+openssl req -batch -new -engine pkcs11 -keyform ENGINE -x509 -days 365 \
+ -subj "/C=PV/O=Pottsylvanian Ministry of Offense/GN=Fearless/SN=Leader" \
+ -key label_leader -out leader.cer
+
+openssl req -batch -new -engine pkcs11 -keyform ENGINE \
+ -subj "/GN=Natasha/SN=Fatale" \
+ -key label_natasha |
+openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
+ -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
+ -CAkey label_leader -CA leader.cer \
+ -out natasha.cer
+
+openssl req -batch -new -engine pkcs11 -keyform ENGINE \
+ -subj "/GN=Boris/SN=Badenov" \
+ -key label_boris |
+openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
+ -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
+ -CAkey label_leader -CA leader.cer \
+ -out boris.cer
+
+openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer
diff --git a/smime-signature.sh b/smime-signature.sh
index fb2f815..7b58bf4 100755
--- a/smime-signature.sh
+++ b/smime-signature.sh
@@ -4,29 +4,11 @@
set -x
-openssl req -batch -new -engine pkcs11 -keyform ENGINE -x509 -days 365 \
- -subj "/C=PV/O=Pottsylvanian Ministry of Offense/GN=Fearless/SN=Leader" \
- -key label_leader -out leader.cer
-
-openssl req -batch -new -engine pkcs11 -keyform ENGINE \
- -subj "/GN=Natasha/SN=Fatale" \
- -key label_natasha |
-openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
- -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
- -CAkey label_leader -CA leader.cer \
- -out natasha.cer
-
-openssl req -batch -new -engine pkcs11 -keyform ENGINE \
- -subj "/GN=Boris/SN=Badenov" \
- -key label_boris |
-openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
- -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
- -CAkey label_leader -CA leader.cer \
- -out boris.cer
-
openssl smime -engine pkcs11 -sign -text -keyform ENGINE \
- -inkey label_natasha -signer natasha.cer -certfile leader.cer \
+ -inkey label_natasha -signer natasha.cer \
-from "Natasha Fatale <natasha@moo.pv>" \
-to "Boris Badenov <boris@moo.pv>" \
-subject "Fiendish plot" \
-in message.txt -out message.smime
+
+openssl smime -verify -in message.smime -CAfile leader.cer -out /dev/null