Skip to content

Instantly share code, notes, and snippets.

@mtvbrianking

mtvbrianking/sign.sh

Last active January 20, 2022 02:25
Show Gist options
  • Save mtvbrianking/c891522d889362cd265a4f9a3cd34a30 to your computer and use it in GitHub Desktop.
Save mtvbrianking/c891522d889362cd265a4f9a3cd34a30 to your computer and use it in GitHub Desktop.
Download ZIP
OpenSSL Digital Signing
Raw
sign.sh
#!/bin/bash
payload=""
privateKey=""
base64EncodedSignatureFile=""
function diy() {
cat <<EOF
printf %s "jdoe:23571113" > payload.txt
openssl dgst -sha256 -sign ssl/client.key -out payload.sha256 payload.txt
openssl enc -base64 -A -in payload.sha256 -out payload.sha256.base64
EOF
}
function usage() {
# ./sign.sh -p "jdoe:23571113" -k "ssl/client.key" -o "payload.sha256.base64"
cat <<EOF
Usage: $0 [ -p PAYLOAD ] [ -k PRIVATE_KEY ] [ -o OUTPUT ]
Options:
-p [Payload] to sign.
-k [Private key] file to be used for signing.
-o [Output] file to write the Base64 encoded signature. (optional)
-h [Help] to usage.
EOF
}
function abort() {
errcho "Usage: $0 [ -p PAYLOAD ] [ -k PRIVATE_KEY ] [ -o OUTPUT ] [ -h HELP ]" 1>&2
exit 1
}
function errcho() {
>&2 echo $@;
}
while getopts ":p:k:o:h" options
do
case $options in
p)
payload="$OPTARG"
;;
k)
privateKey="$OPTARG"
;;
o)
base64EncodedSignatureFile="$OPTARG"
;;
h)
usage
exit 0
;;
:)
errcho "Option: [ -${OPTARG} ] requires an argument."
abort
;;
*)
abort
;;
esac
done
if [ -z "$payload" ]; then
errcho "[ -p PAYLOAD ] is required"
exit 1
fi
if [ -z "$privateKey" ]; then
errcho "[ -k PRIVATE_KEY ] is required"
exit 1
fi
if [ ! -f "$privateKey" ]; then
errcho "Private key file: '$privateKey' doesn't exist."
exit 1
fi
printf "%s" $payload > /tmp/payload.txt
openssl dgst -sha256 -sign $privateKey -out /tmp/payload.sha256 /tmp/payload.txt
if [ "$base64EncodedSignatureFile" ]; then
openssl enc -base64 -A -in /tmp/payload.sha256 -out $base64EncodedSignatureFile
else
openssl enc -base64 -A -in /tmp/payload.sha256
fi
rm -f /tmp/payload.txt
rm -f /tmp/payload.sha256
exit 0
Raw
verify.sh
#!/bin/bash
payload=""
base64EncodedSignatureFile=""
publicKey=""
function diy() {
cat <<EOF
openssl x509 -pubkey -noout -in ssl/client.crt > ssl/client.pub
openssl enc -base64 -A -d -in payload.sha256.base64 -out payload.sha256
openssl dgst -sha256 -verify ssl/client.pub -signature payload.sha256 payload.txt
EOF
}
function usage() {
# ./verify.sh -p "jdoe:23571113" -s "payload.sha256.base64" -k "ssl/client.pub"
cat <<EOF
Usage: $0 [ -p PAYLOAD ] [ -s SIGNATURE ] [ -k PUBLIC_KEY ]
Options:
-p [Payload] to verify.
-s [Base64 encoded signature] file to compare against.
-k [Public key] file to be used for verification.
-h [Help] to usage
EOF
}
function abort() {
errcho "Usage: $0 [ -p PAYLOAD ] [ -s SIGNATURE ] [ -k PUBLIC_KEY ] [ -h HELP ]" 1>&2
exit 1
}
function errcho() {
>&2 echo $@;
}
while getopts ":p:s:k:h" options
do
case $options in
p)
payload="$OPTARG"
;;
s)
base64EncodedSignatureFile="$OPTARG"
;;
k)
publicKey="$OPTARG"
;;
h)
usage
exit 0
;;
:)
errcho "Option: [ -${OPTARG} ] requires an argument."
abort
;;
*)
abort
;;
esac
done
if [ -z "$payload" ]; then
errcho "[ -p PAYLOAD ] is required"
exit 1
fi
if [ -z "$base64EncodedSignatureFile" ]; then
errcho "[ -s SIGNATURE ] is required"
exit 1
fi
if [ -z "$publicKey" ]; then
errcho "[ -k PUBLIC_KEY ] is required"
exit 1
fi
if [ ! -f "$publicKey" ]; then
errcho "Public key file: '$publicKey' doesn't exist."
exit 1
fi
printf "%s" $payload > /tmp/payload.txt
openssl enc -base64 -A -d -in $base64EncodedSignatureFile -out /tmp/payload.sha256
openssl dgst -sha256 -verify $publicKey -signature /tmp/payload.sha256 /tmp/payload.txt
# rm -f /tmp/payload.sha256.base64
rm -f /tmp/payload.sha256
rm -f /tmp/payload.txt
exit 0
@mtvbrianking
Copy link
Author

mtvbrianking commented Dec 26, 2021
edited
Loading

Generate CSR & private key

openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout client.key -out client.csr

CA signs the CSR and issues the signed cert

Extract public key

openssl x509 -pubkey -noout -in client.crt > client.pub

Usage

./sign.sh -p "jdoe:31117532" -k client.key -o payload.sha256.base64

./verify.sh -p "jdoe:31117532" -s payload.sha256.base64 -k client.pub
Verified OK

./verify.sh -p "jdoe:Qw3rty" -s payload.sha256.base64 -k client.pub
Verification Failure

@mtvbrianking
Copy link
Author

mtvbrianking commented Jan 20, 2022
edited
Loading

Good reads...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment