dockerfiles/yubikey/testsign.sh
Jessica Frazelle dac5a4ba6e yubikey
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-08-31 10:04:53 -07:00

103 lines
2.4 KiB
Bash
Executable File

#!/bin/bash
set -e
pkcslib="/usr/lib/libykcs11.so"
#pkcslib="/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"
init(){
local pcscd_running=$(ps -aux | grep [p]cscd)
if [ -z "$pcscd_running" ]; then
echo "starting pcscd in backgroud"
pcscd --debug --apdu
pcscd --hotplug
else
echo "pcscd is running in already: ${pcscd_running}"
fi
clean
}
clean(){
# Delete Slots
yubico-piv-tool -a delete -s 9a
yubico-piv-tool -a delete -s 9c
yubico-piv-tool -a delete -s 9d
yubico-piv-tool -a delete -s 9e
}
setup(){
cd $(mktemp -d)
# Create some data to sign
echo "Hello World!" > in.txt
}
9a1024sha1() {
(
setup
# Generate a key in slot 9a
pkcs11-tool --module $pkcslib -k --key-type rsa:1024 -l --login-type so --so-pin 010203040506070801020304050607080102030405060708 -d 0
# Extract the certificate with the public key
yubico-piv-tool -a read -s 9a > 9a.pem
# Extract the public key from the certificate
openssl x509 -pubkey -noout -in 9a.pem > pubkey9a.pem
# Sign the data using sha1WithRSA
pkcs11-tool --module $pkcslib -s -l -p 123456 -d 0 -m SHA1-RSA-PKCS -o sign9a.dat -i in.txt
# Verify the signature
openssl dgst -sha1 -verify pubkey9a.pem -signature sign9a.dat in.txt
)
}
9e2048sha256() {
(
setup
# Generate a key in slot 9e
pkcs11-tool --module $pkcslib -k --key-type rsa:2048 -l --login-type so --so-pin 010203040506070801020304050607080102030405060708 -d 1
# Extract the certificate with the public key
yubico-piv-tool -a read -s 9e > 9e.pem
# Extract the public key from the certificate
openssl x509 -pubkey -noout -in 9e.pem > pubkey9e.pem
# Sign the data using sha256WithRSA
pkcs11-tool --module $pkcslib -s -l -p 123456 -d 1 -m SHA256-RSA-PKCS -o sign9e.dat -i in.txt
# Verify the signature
openssl dgst -sha256 -verify pubkey9e.pem -signature sign9e.dat in.txt
)
}
9c256sha1() {
(
setup
# Generate a key in slot 9c
pkcs11-tool --module $pkcslib -k --key-type EC:prime256v1 -l --login-type so --so-pin 010203040506070801020304050607080102030405060708 -d 2
# Extract the certificate with the public key
yubico-piv-tool -a read -s 9c > 9c.pem
# Extract the public key from the certificate
openssl x509 -pubkey -noout -in 9c.pem > pubkey9c.pem
# Sign the data using sha256WithECDSA
pkcs11-tool --module $pkcslib -s -l -p 123456 -d 2 -m ECDSA-SHA1 -o sign9c.dat -i in.txt
# Verify the signature
openssl dgst -ecdsa-with-SHA1 -verify pubkey9c.pem -signature sign9c.dat in.txt
)
}
init
9a1024sha1
9e2048sha256
9c256sha1