yubikey

Signed-off-by: Jessica Frazelle <acidburn@docker.com>

yubikey/Dockerfile

@@ -0,0 +1,75 @@
+# Usage:
+#
+# docker build --rm --force-rm -t jess/yubikey .
+#
+# docker run --rm -it --device /dev/usb \
+# 	--device /dev/bus/usb \
+# 	jess/yubikey
+#
+FROM debian:sid
+MAINTAINER Jessica Frazelle <jess@docker.com>
+
+RUN apt-get update && apt-get install -y \
+	ca-certificates \
+	curl \
+	opensc \
+	opensc-pkcs11 \
+	openssl \
+	usbutils \
+	--no-install-recommends \
+	&& rm -rf /var/lib/apt/lists/*
+
+ENV CCID_VERSION 1.4.20
+ENV PCSC_LITE_VERSION 1.8.14
+RUN buildDeps=' \
+		autoconf \
+		bzip2 \
+		clang \
+		file \
+		libssl-dev \
+		libusb-1.0-0-dev \
+		make \
+		pkg-config \
+	' \
+	&& set -x \
+	&& gpg --keyserver pgp.mit.edu --recv-key E8F9C57E \
+	&& apt-get update && apt-get install -y $buildDeps --no-install-recommends \
+	&& rm -rf /var/lib/apt/lists/* \
+	&& curl -sSL "https://alioth.debian.org/frs/download.php/file/4138/pcsc-lite-${PCSC_LITE_VERSION}.tar.bz2" -o /tmp/pcsc-lite.tar.bz2 \
+	&& curl -sSL "https://alioth.debian.org/frs/download.php/file/4139/pcsc-lite-${PCSC_LITE_VERSION}.tar.bz2.asc" -o /tmp/pcsc-lite.tar.bz2.asc \
+	&& gpg --verify /tmp/pcsc-lite.tar.bz2.asc \
+	&& mkdir -p /usr/src/pcsc-lite \
+	&& tar -xjf /tmp/pcsc-lite.tar.bz2 -C /usr/src/pcsc-lite --strip-components 1 \
+	&& rm /tmp/pcsc-lite.tar.bz2* \
+	&& cd /usr/src/pcsc-lite \
+	&& ./configure --prefix="/usr" \
+		--enable-libusb \
+		--disable-libudev \
+	&& make \
+	&& make install \
+	&& cd /usr/src && rm -rf /usr/src/pcsc-lite* \
+	&& curl -sSL "https://alioth.debian.org/frs/download.php/file/4140/ccid-${CCID_VERSION}.tar.bz2" -o /tmp/ccid.tar.bz2 \
+	&& curl -sSL "https://alioth.debian.org/frs/download.php/file/4141/ccid-${CCID_VERSION}.tar.bz2.asc" -o /tmp/ccid.tar.bz2.asc \
+	&& gpg --verify /tmp/ccid.tar.bz2.asc \
+	&& mkdir -p /usr/src/ccid \
+	&& ls /tmp/ \
+	&& tar -xjf /tmp/ccid.tar.bz2 -C /usr/src/ccid --strip-components 1 \
+	&& rm /tmp/ccid.tar.bz2* \
+	&& cd /usr/src/ccid \
+	&& ./configure --prefix="/usr" \
+	&& make \
+	&& make install \
+	&& cp src/92_pcscd_ccid.rules /etc/udev/rules.d/ \
+	&& cd /usr/src && rm -rf /usr/src/ccid* \
+	&& mkdir -p /usr/src/yubico-piv-tool \
+	&& curl -sSL "https://jesss.s3.amazonaws.com/tmp/yubico-piv-tool-1.0.2.tar.gz" | tar -xz -C /usr/src/yubico-piv-tool --strip-components 1 \
+	&& cd /usr/src/yubico-piv-tool \
+	&& ./configure --prefix="/usr" \
+	&& make \
+	&& make install \
+	&& cd ~ && rm -rf /usr/src/yubico-piv-tool* \
+	&& apt-get purge -y --auto-remove $buildDeps
+
+COPY testsign.sh /usr/local/bin/testsign.sh
+
+CMD ["/usr/local/bin/testsign.sh"]

yubikey/testsign.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+set -e
+
+pkcslib="/usr/lib/libykcs11.so"
+#pkcslib="/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"
+
+init(){
+	local pcscd_running=$(ps -aux | grep [p]cscd)
+	if [ -z "$pcscd_running" ]; then
+		echo "starting pcscd in backgroud"
+		pcscd --debug --apdu
+		pcscd --hotplug
+	else
+		echo "pcscd is running in already: ${pcscd_running}"
+	fi
+
+	clean
+}
+
+clean(){
+	# Delete Slots
+	yubico-piv-tool -a delete -s 9a
+	yubico-piv-tool -a delete -s 9c
+	yubico-piv-tool -a delete -s 9d
+	yubico-piv-tool -a delete -s 9e
+}
+
+setup(){
+	cd $(mktemp -d)
+
+	# Create some data to sign
+	echo "Hello World!" > in.txt
+}
+
+9a1024sha1() {
+	(
+	setup
+
+	# Generate a key in slot 9a
+	pkcs11-tool --module $pkcslib -k --key-type rsa:1024 -l --login-type so --so-pin 010203040506070801020304050607080102030405060708 -d 0
+
+	# Extract the certificate with the public key
+	yubico-piv-tool -a read -s 9a > 9a.pem
+
+	# Extract the public key from the certificate
+	openssl x509 -pubkey -noout -in 9a.pem > pubkey9a.pem
+
+	# Sign the data using sha1WithRSA
+	pkcs11-tool --module $pkcslib -s -l -p 123456 -d 0 -m SHA1-RSA-PKCS -o sign9a.dat -i in.txt
+
+	# Verify the signature
+	openssl dgst -sha1 -verify pubkey9a.pem -signature sign9a.dat in.txt
+	)
+}
+
+9e2048sha256() {
+	(
+	setup
+
+	# Generate a key in slot 9e
+	pkcs11-tool --module $pkcslib -k --key-type rsa:2048 -l --login-type so --so-pin 010203040506070801020304050607080102030405060708 -d 1
+
+	# Extract the certificate with the public key
+	yubico-piv-tool -a read -s 9e > 9e.pem
+
+	# Extract the public key from the certificate
+	openssl x509 -pubkey -noout -in 9e.pem > pubkey9e.pem
+
+	# Sign the data using sha256WithRSA
+	pkcs11-tool --module $pkcslib -s -l -p 123456 -d 1 -m SHA256-RSA-PKCS -o sign9e.dat -i in.txt
+
+	# Verify the signature
+	openssl dgst -sha256 -verify pubkey9e.pem -signature sign9e.dat in.txt
+	)
+}
+
+9c256sha1() {
+	(
+	setup
+
+	# Generate a key in slot 9c
+	pkcs11-tool --module $pkcslib -k --key-type EC:prime256v1 -l --login-type so --so-pin 010203040506070801020304050607080102030405060708 -d 2
+
+	# Extract the certificate with the public key
+	yubico-piv-tool -a read -s 9c > 9c.pem
+
+	# Extract the public key from the certificate
+	openssl x509 -pubkey -noout -in 9c.pem > pubkey9c.pem
+
+	# Sign the data using sha256WithECDSA
+	pkcs11-tool --module $pkcslib -s -l -p 123456 -d 2 -m ECDSA-SHA1 -o sign9c.dat -i in.txt
+
+	# Verify the signature
+	openssl dgst -ecdsa-with-SHA1 -verify pubkey9c.pem -signature sign9c.dat in.txt
+	)
+}
+
+init
+
+9a1024sha1
+9e2048sha256
+9c256sha1