ryu1kn/Makefile

## Makefile
SHELL := /bin/bash
openssl := /usr/local/opt/openssl@1.1/bin/openssl

work_dir := __work
message_digest_type := sha256

ifneq ($(wildcard __override.mk),)
include __override.mk
endif

assert_nonempty = [[ "$1" != '' ]] || { echo "Is Empty"; exit 1; }

$(shell mkdir -p $(work_dir))

vpath % $(work_dir)

.PHONY: verify
verify: digest-from-cert-body.txt digest-from-signature.txt
	diff $^

$(work_dir)/digest-from-cert-body.txt: server.tbs
	$(openssl) dgst -$(message_digest_type) $< | awk -F'= ' '{print $$2}' | tr -d '\n' > $@

$(work_dir)/server.tbs: $(server_cert)
	@$(call assert_nonempty,$<)
	body_start=$$($(openssl) asn1parse -i -in $< | awk -F: 'NR==2 {print $$1}') \
	&& $(openssl) asn1parse -in $< -strparse $$body_start -out $@ -noout

$(work_dir)/digest-from-signature.txt: server-cert.sig issuer.pub
	$(openssl) rsautl -in $< -verify -asn1parse -inkey $(word 2,$^) -pubin \
	| awk '{if (enabled) {x=substr($$0,14,47); gsub(/[ -]/,"",x); print x}}; /OCTET STRING/ {enabled=1}' ORS='' > $@

$(work_dir)/server-cert.sig: $(server_cert)
	@$(call assert_nonempty,$<)
	signature_start=$$($(openssl) asn1parse -i -in $< | awk -F: '/BIT STRING/ {x=$$1}; END {print x}') \
	&& $(openssl) asn1parse -in $< -strparse $$signature_start -out $@ -noout

$(work_dir)/issuer.pub: $(issuer_cert)
	@$(call assert_nonempty,$<)
	$(openssl) x509 -in $< -pubkey -out $@ -noout

.PHONY: clean
clean:
	rm -rf $(work_dir)

# --- Utilities
.PHONY: print-certificates
print-certificates:
	@$(call assert_nonempty,$(server_name))
	@$(openssl) s_client -showcerts -connect $(server_name):443 < /dev/null

.PHONY: print-signature
print-signature: $(server_cert)
	@$(openssl) x509 -in $< -text -noout \
		-certopt ca_default \
		-certopt no_validity \
		-certopt no_serial \
		-certopt no_subject \
		-certopt no_extensions \
		-certopt no_signame


# cf.
#
* https://www.openssl.org/docs/man1.1.1/man1/
* https://linuxctl.com/2017/02/x509-certificate-manual-signature-verification/
* https://stackoverflow.com/questions/5140425/openssl-command-line-to-verify-the-signature
* https://security.stackexchange.com/questions/98263/verifying-digest-signed-with-private-key-using-a-c-program
* https://tech.nikkeibp.co.jp/it/article/COLUMN/20071012/284426/
* https://qiita.com/kunichiko/items/12cbccaadcbf41c72735
* https://security.stackexchange.com/questions/127095/manually-walking-through-the-signature-validation-of-a-certificate
* https://stackoverflow.com/questions/18257185/how-does-a-public-key-verify-a-signature
	SHELL := /bin/bash
	openssl := /usr/local/opt/openssl@1.1/bin/openssl

	work_dir := __work
	message_digest_type := sha256

	ifneq ($(wildcard __override.mk),)
	include __override.mk
	endif

	assert_nonempty = [[ "$1" != '' ]] \|\| { echo "Is Empty"; exit 1; }

	$(shell mkdir -p $(work_dir))

	vpath % $(work_dir)

	.PHONY: verify
	verify: digest-from-cert-body.txt digest-from-signature.txt
	diff $^

	$(work_dir)/digest-from-cert-body.txt: server.tbs
	$(openssl) dgst -$(message_digest_type) $< \| awk -F'= ' '{print $$2}' \| tr -d '\n' > $@

	$(work_dir)/server.tbs: $(server_cert)
	@$(call assert_nonempty,$<)
	body_start=$$($(openssl) asn1parse -i -in $< \| awk -F: 'NR==2 {print $$1}') \
	&& $(openssl) asn1parse -in $< -strparse $$body_start -out $@ -noout

	$(work_dir)/digest-from-signature.txt: server-cert.sig issuer.pub
	$(openssl) rsautl -in $< -verify -asn1parse -inkey $(word 2,$^) -pubin \
	\| awk '{if (enabled) {x=substr($$0,14,47); gsub(/[ -]/,"",x); print x}}; /OCTET STRING/ {enabled=1}' ORS='' > $@

	$(work_dir)/server-cert.sig: $(server_cert)
	@$(call assert_nonempty,$<)
	signature_start=$$($(openssl) asn1parse -i -in $< \| awk -F: '/BIT STRING/ {x=$$1}; END {print x}') \
	&& $(openssl) asn1parse -in $< -strparse $$signature_start -out $@ -noout

	$(work_dir)/issuer.pub: $(issuer_cert)
	@$(call assert_nonempty,$<)
	$(openssl) x509 -in $< -pubkey -out $@ -noout

	.PHONY: clean
	clean:
	rm -rf $(work_dir)

	# --- Utilities
	.PHONY: print-certificates
	print-certificates:
	@$(call assert_nonempty,$(server_name))
	@$(openssl) s_client -showcerts -connect $(server_name):443 < /dev/null

	.PHONY: print-signature
	print-signature: $(server_cert)
	@$(openssl) x509 -in $< -text -noout \
	-certopt ca_default \
	-certopt no_validity \
	-certopt no_serial \
	-certopt no_subject \
	-certopt no_extensions \
	-certopt no_signame


	# cf.
	#
	* https://www.openssl.org/docs/man1.1.1/man1/
	* https://linuxctl.com/2017/02/x509-certificate-manual-signature-verification/
	* https://stackoverflow.com/questions/5140425/openssl-command-line-to-verify-the-signature
	* https://security.stackexchange.com/questions/98263/verifying-digest-signed-with-private-key-using-a-c-program
	* https://tech.nikkeibp.co.jp/it/article/COLUMN/20071012/284426/
	* https://qiita.com/kunichiko/items/12cbccaadcbf41c72735
	* https://security.stackexchange.com/questions/127095/manually-walking-through-the-signature-validation-of-a-certificate
	* https://stackoverflow.com/questions/18257185/how-does-a-public-key-verify-a-signature