@lspgn
Last active April 12, 2020 00:39
Yubikey PIV sign and verify file

Sign a file with a Yubikey PIV

First install ykman (Yubico's yubikey-manager) and OpenSC, which provides pkcs15-crypt and pkcs15-tool. We assume slot 9c, the PIV Digital Signature slot, already holds a private key and its certificate. This slot requires the PIN for every signature, so the signing step will prompt for it.

Extract the public key from slot 9c of the Yubikey (the token only exports the certificate; openssl pulls the public key out of it)

$ ykman piv export-certificate 9c - | openssl x509 -noout -pubkey > pubkey.pem

In ykman 4 and later the subcommand was renamed to piv certificates export; the older form shown above is piv export-certificate.

Create message and generate sha256

$ echo -n 'hello gist' > message.txt
$ openssl dgst -sha256 -binary message.txt > message.txt.sha256

Pass the hash to pkcs15-crypt to be signed (-s signs, -i and -o name the input hash and the output signature, -f openssl writes an ECDSA signature as the DER SEQUENCE of r and s that openssl expects). The tool prompts for the PIN. If the token exposes more than one signing key, list them with pkcs15-tool --list-keys and select the 9c key with -k <id>.

$ pkcs15-crypt -i message.txt.sha256 -s -f openssl -o message.txt.sha256.sig

If the key is RSA, add --pkcs1: the 32-byte SHA-256 hash has to be PKCS#1 v1.5 padded out to the modulus size (256 bytes for RSA-2048) before the card will sign it. Note that --pkcs1 alone pads the bare hash with no DigestInfo prefix, which is why the RSA check below recovers the padded payload instead of calling openssl dgst -verify. Passing --sha-256 together with --pkcs1 makes pkcs15-crypt prepend the SHA-256 DigestInfo, and that signature verifies with the same openssl dgst -sha256 -verify command as the ECDSA case.

Verify with openssl

If the key is ECDSA:

$ openssl dgst -sha256 -verify pubkey.pem -signature message.txt.sha256.sig message.txt
Verified OK

If the key is RSA (signed with --pkcs1 only), recover the padded payload and compare it with the hash:

$ openssl rsautl -verify -pubin -inkey pubkey.pem -in message.txt.sha256.sig > compare.sha256
$ diff compare.sha256 message.txt.sha256

diff prints nothing and exits 0 when the recovered bytes equal the hash; any output means the signature does not match. For a real check, recompute the hash from message.txt on the verifying side rather than reusing the message.txt.sha256 that was fed to the signer. openssl rsautl is deprecated since OpenSSL 3.0, where openssl pkeyutl -verifyrecover performs the same recovery.
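To rehearse both verification paths without a token, here is an added example that is not part of the gist. It assumes openssl (1.1.1 or 3.x) is on PATH and uses freshly generated RSA-2048 and P-256 software keys in place of slot 9c; the sign_* functions stand in for the pkcs15-crypt call, and the comments name which pkcs15-crypt flag combination each one imitates. It shows why a bare --pkcs1 RSA signature fails openssl dgst -verify while recover-and-compare accepts it, and that a DigestInfo signature behaves the other way round.

```sh
#!/bin/sh
# Added example, not from the gist. A software key stands in for the YubiKey
# so the whole flow runs offline; on real hardware the sign_* functions are
# replaced by the pkcs15-crypt call and everything else is unchanged.
# Assumptions: openssl 1.1.1 or 3.x on PATH; RSA-2048 and P-256 key types.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Same message and hash as the gist.
printf 'hello gist' > message.txt
openssl dgst -sha256 -binary message.txt > message.txt.sha256

# Stand-in keys for slot 9c (constructed here, not exported from a token).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out rsa.pem 2>/dev/null
openssl pkey -in rsa.pem -pubout -out rsa.pub
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ec.pem 2>/dev/null
openssl pkey -in ec.pem -pubout -out ec.pub

# Decide which verification path applies to a PEM public key: RSA keys print
# a Modulus, EC keys do not.
key_type() {
    if openssl pkey -pubin -in "$1" -text -noout 2>/dev/null | grep -q 'Modulus'; then
        echo RSA
    else
        echo EC
    fi
}

# What "pkcs15-crypt -s --pkcs1" hands back for an RSA key: the bare 32-byte
# hash wrapped in PKCS#1 v1.5 padding, no DigestInfo. pkeyutl -sign on raw
# input produces the same encoding.
sign_rsa_bare() {
    openssl pkeyutl -sign -inkey rsa.pem -in message.txt.sha256 -out "$1"
}

# What "pkcs15-crypt -s --sha-256 --pkcs1" hands back: DigestInfo(SHA-256)||hash
# inside the padding, i.e. a standard RSA PKCS#1 v1.5 signature.
sign_rsa_digestinfo() {
    openssl pkeyutl -sign -inkey rsa.pem -in message.txt.sha256 \
        -pkeyopt digest:sha256 -out "$1"
}

# What "pkcs15-crypt -s -f openssl" hands back for an EC key: DER SEQUENCE{r,s}.
sign_ec() {
    openssl pkeyutl -sign -inkey ec.pem -in message.txt.sha256 -out "$1"
}

# The gist's ECDSA check; also the right check for a DigestInfo RSA signature.
# Prints OK or FAIL instead of exiting so the caller can branch on the result.
verify_dgst() {
    if openssl dgst -sha256 -verify "$1" -signature "$2" message.txt >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# The gist's RSA check, with pkeyutl -verifyrecover in place of the deprecated
# rsautl -verify: strip the padding and compare the payload against a hash
# recomputed from the message, not against the file that was fed to the signer.
verify_rsa_recover() {
    openssl pkeyutl -verifyrecover -pubin -inkey rsa.pub -in "$1" -out compare.sha256
    openssl dgst -sha256 -binary message.txt > expected.sha256
    if cmp -s compare.sha256 expected.sha256; then
        echo OK
    else
        echo FAIL
    fi
}

sign_rsa_bare rsa_bare.sig
sign_rsa_digestinfo rsa_di.sig
sign_ec ec.sig

echo "rsa.pub is $(key_type rsa.pub), ec.pub is $(key_type ec.pub)"
echo "RSA bare sig,       dgst -verify:    $(verify_dgst rsa.pub rsa_bare.sig)"  # FAIL
echo "RSA bare sig,       recover+compare: $(verify_rsa_recover rsa_bare.sig)"   # OK
echo "RSA DigestInfo sig, dgst -verify:    $(verify_dgst rsa.pub rsa_di.sig)"    # OK
echo "RSA DigestInfo sig, recover+compare: $(verify_rsa_recover rsa_di.sig)"     # FAIL
echo "ECDSA sig,          dgst -verify:    $(verify_dgst ec.pub ec.sig)"         # OK
```

The two RSA rows are the point: the recovered payload of a DigestInfo signature is 51 bytes (DigestInfo plus hash), so comparing it byte-for-byte with the 32-byte hash fails, while the bare signature carries no DigestInfo and so is rejected by openssl dgst -verify. Pick the check that matches the pkcs15-crypt flags you signed with.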
