From 3cb262f5af1b431eb1303f349dac6f28aec24d78 Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Thu, 6 Jul 2017 22:42:23 -0400
Subject: TLS example.

---
 README.md             |  8 +++++++-
 https-client.sh       |  7 +++++++
 https-server.sh       | 27 +++++++++++++++++++++++++++
 issue-certificates.sh | 10 +++++++++-
 4 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100755 https-client.sh
 create mode 100755 https-server.sh

diff --git a/README.md b/README.md
index 9af8bf7..a349537 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 Packages you need (on Debian Jessie, anyway):
 
-    sudo apt-get install opensc cryptech-alpha
+    sudo apt-get install opensc cryptech-alpha stunnel micro-httpd w3m
     sudo apt-get install -t jessie-backports libengine-pkcs11-openssl
 
 We're using the backported version of libengine-pkcs11-openssl because
@@ -47,6 +47,12 @@ useful things with those keys.
 * `smime-signature.sh` generates and verifies a signed S/MIME message;
   this also depends on `issue-certificates.sh`.
 
+* `https-server.sh` runs a toy https server, using keys and certificates
+  generated by `create-keys.sh` and `issue-certificates.sh`.
+
+* `https-client.sh` uses w3m as a client to talk to the toy server
+  run by `https-server.sh` (and therefore has the same dependencies).
+
 ## References and notes
 
 * <https://www.nlnetlabs.nl/downloads/publications/hsm/>
diff --git a/https-client.sh b/https-client.sh
new file mode 100755
index 0000000..b308978
--- /dev/null
+++ b/https-client.sh
@@ -0,0 +1,7 @@
+#!/bin/sh -
+
+exec w3m \
+     -o ssl_forbid_method=23 \
+     -o ssl_verify_server=true \
+     -o ssl_ca_file=$(pwd)/leader.cer \
+     https://localhost:4443/
diff --git a/https-server.sh b/https-server.sh
new file mode 100755
index 0000000..ea105cd
--- /dev/null
+++ b/https-server.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -
+
+. ./environment.sh
+
+stunnel -fd 0 <<EOF
+
+engine		= dynamic
+engineCtrl	= SO_PATH:${ENGINE_MODULE}
+engineCtrl	= ID:pkcs11
+engineCtrl	= LIST_ADD:1
+engineCtrl	= LOAD
+engineCtrl	= MODULE_PATH:${PKCS11_MODULE}
+engineCtrl	= PIN:${PKCS11_PIN}
+engineCtrl	= INIT
+
+foreground	= yes
+pid		=
+
+[https]
+accept		= :::4443
+cert		= $(pwd)/nogoodnik.cer
+engineNum	= 1
+key		= label_boris
+exec		= /usr/sbin/micro-httpd
+execargs	= micro-httpd $(pwd)
+
+EOF
diff --git a/issue-certificates.sh b/issue-certificates.sh
index 39e64d9..1a00992 100755
--- a/issue-certificates.sh
+++ b/issue-certificates.sh
@@ -24,4 +24,12 @@ openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60			\
 	-CAkey label_leader -CA leader.cer					\
 	-out boris.cer
 
-openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer
+openssl req -batch -new -engine pkcs11 -keyform ENGINE				\
+	-subj "/GN=Hilary/SN=Pushemoff/CN=localhost"				\
+	-key label_boris							|
+openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60			\
+	-set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee	\
+	-CAkey label_leader -CA leader.cer					\
+	-out nogoodnik.cer
+
+openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer nogoodnik.cer
-- 
cgit v1.2.3