[Cryptech-Commits] [user/sra/openssl-engine] branch master updated: TLS example.
git at cryptech.is
Fri Jul 7 02:42:44 UTC 2017
This is an automated email from the git hooks/post-receive script.
sra at hactrn.net pushed a commit to branch master
in repository user/sra/openssl-engine.
The following commit(s) were added to refs/heads/master by this push:
new 3cb262f TLS example.
3cb262f is described below
commit 3cb262f5af1b431eb1303f349dac6f28aec24d78
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Thu Jul 6 22:42:23 2017 -0400
TLS example.
---
README.md | 8 +++++++-
https-client.sh | 7 +++++++
https-server.sh | 27 +++++++++++++++++++++++++++
issue-certificates.sh | 10 +++++++++-
4 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 9af8bf7..a349537 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
Packages you need (on Debian Jessie, anyway):
- sudo apt-get install opensc cryptech-alpha
+ sudo apt-get install opensc cryptech-alpha stunnel micro-httpd w3m
sudo apt-get install -t jessie-backports libengine-pkcs11-openssl
We're using the backported version of libengine-pkcs11-openssl because
@@ -47,6 +47,12 @@ useful things with those keys.
* `smime-signature.sh` generates and verifies a signed S/MIME message;
this also depends on `issue-certificates.sh`.
+* `https-server.sh` runs a toy https server, using keys and certificates
+ generated by `create-keys.sh` and `issue-certificates.sh`.
+
+* `https-client.sh` uses w3m as a client to talk to the toy server
+ run by `https-server.sh` (and therefore has the same dependencies).
+
## References and notes
* <https://www.nlnetlabs.nl/downloads/publications/hsm/>
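Review bot: the new README entries leave out the two facts a reader needs to make the pair work together: https-server.sh listens on port 4443 and serves the current working directory, and https-client.sh expects `leader.cer` in the current directory and so must be run from the same checkout. "(and therefore has the same dependencies)" also overstates it; the client needs only w3m and the CA certificate, not stunnel, micro-httpd or the engine. Suggest spelling out the port, the served directory and the working-directory requirement here.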
diff --git a/https-client.sh b/https-client.sh
new file mode 100755
index 0000000..b308978
--- /dev/null
+++ b/https-client.sh
@@ -0,0 +1,7 @@
+#!/bin/sh -
+
+exec w3m \
+ -o ssl_forbid_method=23 \
+ -o ssl_verify_server=true \
+ -o ssl_ca_file=$(pwd)/leader.cer \
+ https://localhost:4443/
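Review bot: `-o ssl_ca_file=$(pwd)/leader.cer` is unquoted, so a checkout path containing whitespace splits into extra arguments; write `-o ssl_ca_file="$(pwd)/leader.cer"`. The `ssl_forbid_method=23` setting disables SSLv2 and SSLv3 in w3m (the option is a list of forbidden methods: `2`, `3`, `t`), which is the right default for a TLS demo; a one-line comment saying so would save the next reader a trip to the w3m manual. Pinning the trust anchor to leader.cer with `ssl_verify_server=true` is the correct shape, since it means the demo actually exercises chain validation against the HSM-held CA rather than the system store.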
diff --git a/https-server.sh b/https-server.sh
new file mode 100755
index 0000000..ea105cd
--- /dev/null
+++ b/https-server.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -
+
+. ./environment.sh
+
+stunnel -fd 0 <<EOF
+
+engine = dynamic
+engineCtrl = SO_PATH:${ENGINE_MODULE}
+engineCtrl = ID:pkcs11
+engineCtrl = LIST_ADD:1
+engineCtrl = LOAD
+engineCtrl = MODULE_PATH:${PKCS11_MODULE}
+engineCtrl = PIN:${PKCS11_PIN}
+engineCtrl = INIT
+
+foreground = yes
+pid =
+
+[https]
+accept = :::4443
+cert = $(pwd)/nogoodnik.cer
+engineNum = 1
+key = label_boris
+exec = /usr/sbin/micro-httpd
+execargs = micro-httpd $(pwd)
+
+EOF
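Review bot: `accept = :::4443` listens on every interface while `execargs = micro-httpd $(pwd)` serves the repository directory itself, which includes environment.sh, the file sourced at the top of this script to supply `PKCS11_PIN`; anyone who can reach port 4443 can fetch it. For a toy server bind to loopback (`accept = 127.0.0.1:4443` or `accept = ::1:4443`, matching the client's `https://localhost:4443/`) and point micro-httpd at a directory that holds only the pages to serve. Feeding the configuration through `stunnel -fd 0` does keep the PIN off the command line and out of `ps`, which is good. The server side sets no protocol restrictions, so consider `options = NO_SSLv2` and `options = NO_SSLv3` to match the client's `ssl_forbid_method=23`.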
diff --git a/issue-certificates.sh b/issue-certificates.sh
index 39e64d9..1a00992 100755
--- a/issue-certificates.sh
+++ b/issue-certificates.sh
@@ -24,4 +24,12 @@ openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
-CAkey label_leader -CA leader.cer \
-out boris.cer
-openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer
+openssl req -batch -new -engine pkcs11 -keyform ENGINE \
+ -subj "/GN=Hilary/SN=Pushemoff/CN=localhost" \
+ -key label_boris |
+openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -days 60 \
+ -set_serial `date +%s` -extfile $OPENSSL_CONF -extensions ext_ee \
+ -CAkey label_leader -CA leader.cer \
+ -out nogoodnik.cer
+
+openssl verify -verbose -CAfile leader.cer boris.cer natasha.cer nogoodnik.cer
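Review bot: `-set_serial \`date +%s\`` has one-second resolution, so two certificates issued by `label_leader` within the same second share a serial number, which RFC 5280 forbids for a single issuer; this script now issues several certificates back to back from that CA. A random serial avoids it, e.g. `-set_serial 0x$(openssl rand -hex 8)`. Also, nogoodnik.cer is issued over `-key label_boris` with a new subject (`/GN=Hilary/SN=Pushemoff/CN=localhost`); if boris.cer is issued over the same key, as the naming suggests, one HSM key now carries two identities and serves both S/MIME and the TLS server. If that is deliberate for the demo, say so in a comment; otherwise add a dedicated key in create-keys.sh. Using `CN=localhost` is what lets the w3m client's verification succeed, so that choice deserves a comment too.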