[Cryptech-Commits] [user/sra/openssl-engine] branch master updated: Split out certificate creation; handle verification properly.

git at cryptech.is git at cryptech.is
Sun Aug 21 19:41:53 UTC 2016



commit f110c617c706e3a0b21daf29802e44668e202740
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Sun Aug 21 15:40:34 2016 -0400

    Split out certificate creation; handle verification properly.
---
 README.md                                   | 11 ++++++++---
 basic-signature.sh                          |  8 ++++++--
 smime-signature.sh => issue-certificates.sh |  7 +------
 smime-signature.sh                          | 24 +++---------------------
 4 files changed, 18 insertions(+), 32 deletions(-)

diff --git a/README.md b/README.md
index 0943cb1..bc647a5 100644
--- a/README.md
+++ b/README.md
@@ -31,13 +31,18 @@ useful things with those keys.
 * `delete-keys.sh` uses `pkcs11-tool` to delete the keys which
   `create-keys.sh` created.
 
+* `issue-certificates.sh` generates a small X.509v3 certificate tree.
+  As a sanity check, it also verifies the issued certificates.
+  This depends on the keys created by `create-keys.sh`.
+
 * `basic-signature.sh` performs a basic hash-and-sign of a data file
   using the `openssl dgst` command, writing a detached signature out
   as a binary file.  As a sanity check, it also verifies the resulting
-  signature using the corresponding public key.
+  signature using the public key extracted from the corresponding
+  certificate (so this depends on `issue-certificates.sh`).
 
-* `smime-signature.sh` generates a small X.509v3 certificate tree and
-  uses that to generate a signed S/MIME message.
+* `smime-signature.sh` generates and verifies a signed S/MIME message;
+  this also depends on `issue-certificates.sh`.
 
 ## References and notes
 
diff --git a/basic-signature.sh b/basic-signature.sh
index 16b663a..48b1b93 100755
--- a/basic-signature.sh
+++ b/basic-signature.sh
@@ -4,5 +4,9 @@
 
 set -x
 
-openssl dgst -keyform ENGINE -sha256 -engine pkcs11 -sign   label_boris -out       message.sig message.txt
-openssl dgst -keyform ENGINE -sha256 -engine pkcs11 -verify label_boris -signature message.sig message.txt
+openssl dgst -sha256 -keyform ENGINE -engine pkcs11 -sign label_boris -out message.sig message.txt
+
+openssl verify -CAfile leader.cer boris.cer
+
+openssl x509 -noout -in boris.cer -pubkey |
+openssl dgst -sha256 -verify /dev/stdin -signature message.sig message.txt
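Review bot: The exit status of `openssl verify -CAfile leader.cer boris.cer` on line 66 is discarded — the script only has `set -x` (line 60), not `set -e` — so a boris.cer that fails to chain to leader.cer still has its public key extracted and used for the signature check on lines 68–69, and the script's overall status reflects only the final `openssl dgst -verify`. Since the README now presents this as the sanity check, make the chain failure fatal: `set -ex` in place of `set -x`, or `openssl verify -CAfile leader.cer boris.cer || exit 1`. The pipeline on lines 68–69 would also be safer under `set -o pipefail` so a failed key extraction is not masked, although `dgst -verify` would fail anyway on empty input.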
diff --git a/smime-signature.sh b/issue-certificates.sh
similarity index 74%
copy from smime-signature.sh
copy to issue-certificates.sh
index fb2f815..39e64d9 100755
--- a/smime-signature.sh
+++ b/issue-certificates.sh
@@ -24,9 +24,4 @@ openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60			\
 	-CAkey label_leader -CA leader.cer					\
 	-out boris.cer
 
-openssl smime -engine pkcs11 -sign -text -keyform ENGINE			\
-	-inkey label_natasha -signer natasha.cer -certfile leader.cer		\
-	-from "Natasha Fatale <natasha at moo.pv>"					\
-	-to   "Boris Badenov <boris at moo.pv>"					\
-	-subject "Fiendish plot"						\
-	-in message.txt -out message.smime
+openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer
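Review bot: `openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer` prints per-certificate results but its non-zero exit is not acted on; this file is a copy of smime-signature.sh, which carries only `set -x`, so a failed chain check will not stop a caller that runs these scripts in sequence. Add `|| exit 1` here, or `set -e` at the top of the file (outside this hunk). Separately, the issuance commands above this hunk appear to keep `-set_serial \`date +%s\`` from the lines removed from smime-signature.sh; if so, natasha.cer and boris.cer get the same serial whenever both are issued within one second, which RFC 5280 forbids for certificates from the same issuer — `-CAcreateserial`, or a serial taken from `openssl rand -hex 8`, would avoid that.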
diff --git a/smime-signature.sh b/smime-signature.sh
index fb2f815..7b58bf4 100755
--- a/smime-signature.sh
+++ b/smime-signature.sh
@@ -4,29 +4,11 @@
 
 set -x
 
-openssl req -batch -new -engine pkcs11 -keyform ENGINE -x509 -days 365		\
-	-subj "/C=PV/O=Pottsylvanian Ministry of Offense/GN=Fearless/SN=Leader" \
-	-key label_leader -out leader.cer
-
-openssl req -batch -new -engine pkcs11 -keyform ENGINE				\
-	-subj "/GN=Natasha/SN=Fatale"						\
-	-key label_natasha							|
-openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60			\
-	-set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee	\
-	-CAkey label_leader -CA leader.cer					\
-	-out natasha.cer
-
-openssl req -batch -new -engine pkcs11 -keyform ENGINE				\
-	-subj "/GN=Boris/SN=Badenov"						\
-	-key label_boris							|
-openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60			\
-	-set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee	\
-	-CAkey label_leader -CA leader.cer					\
-	-out boris.cer
-
 openssl smime -engine pkcs11 -sign -text -keyform ENGINE			\
-	-inkey label_natasha -signer natasha.cer -certfile leader.cer		\
+	-inkey label_natasha -signer natasha.cer				\
 	-from "Natasha Fatale <natasha at moo.pv>"					\
 	-to   "Boris Badenov <boris at moo.pv>"					\
 	-subject "Fiendish plot"						\
 	-in message.txt -out message.smime
+
+openssl smime -verify -in message.smime -CAfile leader.cer -out /dev/null
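Review bot: `openssl smime -verify` on line 124 applies the default `smimesign` certificate purpose to natasha.cer, so the new check silently depends on what the `ext_ee` section of `$OPENSSL_CONF` sets for keyUsage/extendedKeyUsage, and that file is not part of this commit; if that section declares an EKU without `emailProtection`, or a keyUsage without `digitalSignature`/`nonRepudiation`, verification fails even though the chain is valid. Either document the requirement next to the command, e.g. `# requires ext_ee to permit S/MIME signing (keyUsage digitalSignature, EKU emailProtection)`, or pass an explicit `-purpose`. As with the other scripts, the verify's exit status is also not checked under `set -x` alone; `|| exit 1` would make the sanity check meaningful. Dropping `-certfile leader.cer` from the sign command is fine for this verifier, since leader.cer is supplied via `-CAfile`, but a recipient without that trust anchor would need the issuer cert carried in the message.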
