First you have to install ykman and opensc.
We assume there is already a certificate in slot 9c.
$ ykman piv export-certificate 9c - | openssl x509 -noout -pubkey > pubkey.pem
$ echo -n 'hello gist' > message.txt
$ openssl dgst -sha256 -binary message.txt > message.txt.sha256
$ pkcs15-crypt -i message.txt.sha256 -s -f openssl -o message.txt.sha256.sig
If the key is RSA, you will need to pad the digest with --pkcs1 (256 bytes are required, while a SHA-256 digest is only 32 bytes).
If the key is ECDSA:
$ openssl dgst -sha256 -verify pubkey.pem -signature message.txt.sha256.sig message.txt
Verified OK
If the key is RSA:
$ openssl rsautl -verify -pubin -inkey pubkey.pem -in message.txt.sha256.sig > compare.sha256
$ diff compare.sha256 message.txt.sha256
Hashes must be the same.
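Added example, not part of the original page: the two verification paths above wrapped in one function that picks ECDSA or RSA from the public key type. The names verify_sig, make_fixture and hex are hypothetical; openssl pkeyutl -verifyrecover is used in place of rsautl -verify (deprecated in OpenSSL 3.0), and make_fixture builds constructed test data with software keys standing in for the key in slot 9c.

```shell
#!/bin/sh
# Added example (not from the original page): verify a signature made over a
# SHA-256 digest, choosing the ECDSA or RSA path from the public key type.
# Usage: verify_sig pubkey.pem message.txt message.txt.sha256.sig

# Hex-encode stdin so binary digests can be compared as shell strings.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# verify_sig PUBKEY MESSAGE SIGNATURE
# Returns 0 if valid, 1 if invalid, 2 if the key cannot be read or typed.
verify_sig() {
    vs_text=$(openssl pkey -pubin -in "$1" -noout -text 2>/dev/null) || return 2
    case $vs_text in
    *"ASN1 OID"*)
        # ECDSA: dgst hashes the message itself and checks the DER signature.
        openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1 || return 1
        ;;
    *Modulus*)
        # RSA signed with --pkcs1: strip the padding, then compare what is
        # left with a freshly computed digest of the message.
        vs_got=$(openssl pkeyutl -verifyrecover -pubin -inkey "$1" -in "$3" 2>/dev/null | hex)
        vs_want=$(openssl dgst -sha256 -binary "$2" | hex)
        [ -n "$vs_got" ] && [ "$vs_got" = "$vs_want" ] || return 1
        ;;
    *) return 2 ;;
    esac
}

# make_fixture DIR: constructed test data. Software keys stand in for the
# key in slot 9c, and pkeyutl -sign plays the role of pkcs15-crypt -s.
make_fixture() {
    printf 'hello gist' > "$1/message.txt"
    openssl dgst -sha256 -binary "$1/message.txt" > "$1/message.txt.sha256"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/ec.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/rsa.key" 2>/dev/null
    for fx_k in ec rsa; do
        openssl pkey -in "$1/$fx_k.key" -pubout -out "$1/$fx_k.pub"
        openssl pkeyutl -sign -inkey "$1/$fx_k.key" \
            -in "$1/message.txt.sha256" -out "$1/$fx_k.sig"
    done
}
```

Because the RSA branch recomputes the digest from the message instead of trusting a stored message.txt.sha256, a stale or swapped hash file cannot make a bad signature look valid.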