kabakaev · October 24, 2024 12:28
diff --git a/test-multi-key-signature.sh b/test-multi-key-signature.sh
 #!/bin/bash

 # This is a proof that an openssl CMS signature with multiple certificates works.
 # According to `man openssl-cms`, "-inkey: When signing this option can be used multiple times to specify successive keys."

 # The problem is described at https://groups.google.com/g/swupdate/c/pw6yfU8NYo0?pli=1

 set -xeuo pipefail

 test -f eu.key || openssl req -x509 -newkey rsa:4096 -days 3650 -nodes -subj "/C=DE/ST=*/L=*/O=KUKA/OU=*/CN=Europe/" -keyout eu.key -out eu.pub -addext "keyUsage=digitalSignature" -addext "extendedKeyUsage=emailProtection"
 test -f cn.key || openssl req -x509 -newkey rsa:4096 -days 3650 -nodes -subj "/C=DE/ST=*/L=*/O=KUKA/OU=*/CN=China/"  -keyout cn.key -out cn.pub -addext "keyUsage=digitalSignature" -addext "extendedKeyUsage=emailProtection"

 echo '- description: the swupdate manifest' > sw-description

 openssl cms -sign -in sw-description -out sw-description.sig \
            -signer eu.pub -inkey eu.key \
            -signer cn.pub -inkey cn.key \
            -outform DER -nosmimecap -binary -md sha256

 ls -al sw-description.sig

 # Check the signatures.
 # Here, "-noverify" means "Do not verify the signers certificate of a signed message."
 openssl smime -verify -binary -inform DER -in sw-description.sig -inform DER -content sw-description -certfile eu.pub -CAfile eu.pub -noverify || echo 'Signature cannot be verified with the eu.pub.'
 openssl smime -verify -binary -inform DER -in sw-description.sig -inform DER -content sw-description -certfile cn.pub -CAfile cn.pub -noverify || echo 'Signature cannot be verified with the cn.pub.'
 openssl smime -verify -binary -inform DER -in sw-description.sig -inform DER -content sw-description -CAfile eu.pub -CAfile cn.pub -noverify || echo 'Signature cannot be verified with both certs.'

 echo "The signature can be verified by any one of the certificate chains or both."
	#!/bin/bash

	# This is a proof that an openssl CMS signature with multiple certificates works.
	# According to `man openssl-cms`, "-inkey: When signing this option can be used multiple times to specify successive keys."

	# The problem is described at https://groups.google.com/g/swupdate/c/pw6yfU8NYo0?pli=1

	set -xeuo pipefail

	test -f eu.key \|\| openssl req -x509 -newkey rsa:4096 -days 3650 -nodes -subj "/C=DE/ST=/L=/O=KUKA/OU=*/CN=Europe/" -keyout eu.key -out eu.pub -addext "keyUsage=digitalSignature" -addext "extendedKeyUsage=emailProtection"
	test -f cn.key \|\| openssl req -x509 -newkey rsa:4096 -days 3650 -nodes -subj "/C=DE/ST=/L=/O=KUKA/OU=*/CN=China/" -keyout cn.key -out cn.pub -addext "keyUsage=digitalSignature" -addext "extendedKeyUsage=emailProtection"

	echo '- description: the swupdate manifest' > sw-description

	openssl cms -sign -in sw-description -out sw-description.sig \
	-signer eu.pub -inkey eu.key \
	-signer cn.pub -inkey cn.key \
	-outform DER -nosmimecap -binary -md sha256

	ls -al sw-description.sig

	# Check the signatures.
	# Here, "-noverify" means "Do not verify the signers certificate of a signed message."
	openssl smime -verify -binary -inform DER -in sw-description.sig -inform DER -content sw-description -certfile eu.pub -CAfile eu.pub -noverify \|\| echo 'Signature cannot be verified with the eu.pub.'
	openssl smime -verify -binary -inform DER -in sw-description.sig -inform DER -content sw-description -certfile cn.pub -CAfile cn.pub -noverify \|\| echo 'Signature cannot be verified with the cn.pub.'
	openssl smime -verify -binary -inform DER -in sw-description.sig -inform DER -content sw-description -CAfile eu.pub -CAfile cn.pub -noverify \|\| echo 'Signature cannot be verified with both certs.'

	echo "The signature can be verified by any one of the certificate chains or both."
No results found