From f110c617c706e3a0b21daf29802e44668e202740 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sun, 21 Aug 2016 15:40:34 -0400 Subject: Split out certificate creation; handle verification properly.
--- README.md | 11 ++++++++--- basic-signature.sh | 8 ++++++-- issue-certificates.sh | 27 +++++++++++++++++++++++++++ smime-signature.sh | 24 +++--------------------- 4 files changed, 44 insertions(+), 26 deletions(-) create mode 100755 issue-certificates.sh
diff --git a/README.md b/README.md
index 0943cb1..bc647a5 100644
--- a/README.md
+++ b/README.md
@@ -31,13 +31,18 @@ useful things with those keys. * `delete-keys.sh` uses `pkcs11-tool` to delete the keys which `create-keys.sh` created.
+* `issue-certificates.sh` generates a small X.509v3 certificate tree.
+ As a sanity check, it also verifies the issued certificates.
+ This depends on the keys created by `create-keys.sh`.
+
 * `basic-signature.sh` performs a basic hash-and-sign of a data file using the `openssl dgst` command, writing a detached signature out as a binary file. As a sanity check, it also verifies the resulting
- signature using the corresponding public key.
+ signature using the public key extracted from the corresponding
+ certificate (so this depends on `issue-certificates.sh`).
-* `smime-signature.sh` generates a small X.509v3 certificate tree and
- uses that to generate a signed S/MIME message.
+* `smime-signature.sh` generates and verifies a signed S/MIME message;
+ this also depends on `issue-certificates.sh`.
 ## References and notes
diff --git a/basic-signature.sh b/basic-signature.sh
index 16b663a..48b1b93 100755
--- a/basic-signature.sh
+++ b/basic-signature.sh
@@ -4,5 +4,9 @@ set -x
-openssl dgst -keyform ENGINE -sha256 -engine pkcs11 -sign label_boris -out message.sig message.txt
-openssl dgst -keyform ENGINE -sha256 -engine pkcs11 -verify label_boris -signature message.sig message.txt
+openssl dgst -sha256 -keyform ENGINE -engine pkcs11 -sign label_boris -out message.sig message.txt
+
+openssl verify -CAfile leader.cer boris.cer
+
+openssl x509 -noout -in boris.cer -pubkey |
+openssl dgst -sha256 -verify /dev/stdin -signature message.sig message.txt
diff --git a/issue-certificates.sh b/issue-certificates.sh
new file mode 100755
index 0000000..39e64d9
--- /dev/null
+++ b/issue-certificates.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -
+
+. ./environment.sh
+
+set -x
+
+openssl req -batch -new -engine pkcs11 -keyform ENGINE -x509 -days 365 \
+ -subj "/C=PV/O=Pottsylvanian Ministry of Offense/GN=Fearless/SN=Leader" \
+ -key label_leader -out leader.cer
+
+openssl req -batch -new -engine pkcs11 -keyform ENGINE \
+ -subj "/GN=Natasha/SN=Fatale" \
+ -key label_natasha |
+openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
+ -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
+ -CAkey label_leader -CA leader.cer \
+ -out natasha.cer
+
+openssl req -batch -new -engine pkcs11 -keyform ENGINE \
+ -subj "/GN=Boris/SN=Badenov" \
+ -key label_boris |
+openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
+ -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
+ -CAkey label_leader -CA leader.cer \
+ -out boris.cer
+
+openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer
diff --git a/smime-signature.sh b/smime-signature.sh
index fb2f815..7b58bf4 100755
--- a/smime-signature.sh
+++ b/smime-signature.sh
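Review bot: The added `openssl verify -CAfile leader.cer boris.cer` does not gate the signature check that follows it: the hunk's context shows only `set -x` and no `set -e` (the script header is outside the hunk), so a chain failure prints its error and `openssl dgst -verify` still runs and can still report `Verified OK`. With OpenSSL 1.0.x, as far as I recall, `openssl verify` even exits 0 after printing `error ...`, so `set -e` on its own would not catch that case. Make the chain check fail-closed on its own output, `openssl verify -CAfile leader.cer boris.cer | grep -q ': OK$'`, and add `set -e` next to `set -x` so the signing step and the final pipeline abort the script when they fail. It is also worth a `rm -f message.sig` before the `-sign` line, since without it a failed signing leaves a previous run's message.sig in place to be "verified".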
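Review bot: Both `-set_serial` arguments are built from `date +%s`, and because the two `openssl x509 -req` invocations normally complete within the same second, natasha.cer and boris.cer will usually end up with the same serial number under the same issuer. RFC 5280 requires serials to be unique per issuer, and CMS/S/MIME signatures identify the signer by issuer-and-serial, so the duplicate can make a verifier or store that holds both certificates select the wrong one. Use unpredictable serials instead, `-set_serial "0x$(openssl rand -hex 8)"` on both lines, or let OpenSSL maintain them with `-CAcreateserial` on the first issuance and `-CAserial leader.srl` afterwards. The closing `openssl verify -verbose ...` is the only check in the file and the script has `set -x` but no `set -e`, so a failing `req | x509` pipeline does not stop it; `set -e` (plus `set -o pipefail` where the `/bin/sh` in use supports it) would make the sanity check meaningful. `$OPENSSL_CONF` comes from the sourced environment.sh, which is not part of this commit, and should be quoted on both `-extfile` lines.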
@@ -4,29 +4,11 @@ set -x
-openssl req -batch -new -engine pkcs11 -keyform ENGINE -x509 -days 365 \
- -subj "/C=PV/O=Pottsylvanian Ministry of Offense/GN=Fearless/SN=Leader" \
- -key label_leader -out leader.cer
-
-openssl req -batch -new -engine pkcs11 -keyform ENGINE \
- -subj "/GN=Natasha/SN=Fatale" \
- -key label_natasha |
-openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
- -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
- -CAkey label_leader -CA leader.cer \
- -out natasha.cer
-
-openssl req -batch -new -engine pkcs11 -keyform ENGINE \
- -subj "/GN=Boris/SN=Badenov" \
- -key label_boris |
-openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
- -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
- -CAkey label_leader -CA leader.cer \
- -out boris.cer
-
 openssl smime -engine pkcs11 -sign -text -keyform ENGINE \
- -inkey label_natasha -signer natasha.cer -certfile leader.cer \
+ -inkey label_natasha -signer natasha.cer \
 -from "Natasha Fatale " \
 -to "Boris Badenov " \
 -subject "Fiendish plot" \
 -in message.txt -out message.smime
+
+openssl smime -verify -in message.smime -CAfile leader.cer -out /dev/null
-- cgit v1.2.3
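Review bot: The new `openssl smime -verify -in message.smime -CAfile leader.cer -out /dev/null` is the only success check in the script, but with `set -x` and no `set -e` in the hunk's context (the script header is outside it), a failed `-sign` step leaves a message.smime from an earlier run on disk and the verify then passes against stale output. Add `set -e` next to `set -x` and `rm -f message.smime` ahead of the signing command so the check can only succeed on freshly produced output. Dropping `-certfile leader.cer` from the signed message is the right call, since the root belongs in the verifier's `-CAfile` rather than in the message, but any intermediate added to the tree later would have to go back in through `-certfile`. Note that `openssl smime -verify` applies the `smimesign` purpose by default, so this check will also fail unless the `ext_ee` extensions in `$OPENSSL_CONF` (not part of this commit) grant a compatible keyUsage/extendedKeyUsage; an explicit `-purpose smimesign` on the verify line would document that expectation.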