Signing things

I just saw that Thawte is ending their Web of Trust email keys program. I think they should have sold directory services in addition to providing keys; perhaps I'll write about that next. It got me thinking about SSL/TLS. I've always felt that the openssl program does a lot more than most people know how to use it for.

For example:

openssl dgst -sha1 yourfile

is about 20% faster than "sha1sum yourfile" on my OpenSuse 10.1 AMD Opteron system. That might not be terribly interesting, but 20% adds up on bigger files, like DVD images.

Another thing: in this world of automatic updates and app stores, it's more important than ever to have a verification mechanism in place. OpenSSL provides all of the tools for some simple, yet strong, verification. A lot of people I know are confused by certificates and don't fully understand the different formats and what you can do with them, but OpenSSL provides the raw basics to simply perform signing and verification.

Generate a 2048-bit RSA key:

openssl genrsa -out rsapriv.pem 2048

Extract the public portion:

openssl rsa -in rsapriv.pem -pubout -out rsapub.pem

Sign a file and store the signature in testsig.bin:

openssl sha1 -sign rsapriv.pem -out testsig.bin yourfile

To verify:

openssl sha1 -verify rsapub.pem -signature testsig.bin yourfile

There you go, signing and verification without any of the "complicated" PKCS stuff. It's only marginally more work to actually add a CA to the mix.
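As an added example that is not part of the original post, here is the whole procedure above wrapped in POSIX shell functions, with a check that a tampered copy of the signed file is rejected. It assumes openssl is on PATH; it uses SHA-256 by default rather than the post's SHA-1 (set DIGEST=sha1 to match the commands above exactly), and the file names rsapriv.pem, rsapub.pem and testsig.bin mirror the post.

```shell
#!/bin/sh
# Added example (not the post's own commands): generate a key pair, write a
# detached signature, verify it, and confirm that tampering is detected.
# Assumes: openssl on PATH. DIGEST defaults to sha256; DIGEST=sha1 matches the post.
DIGEST=${DIGEST:-sha256}

# Generate a 2048-bit RSA private key and extract the public half into DIR.
make_keypair() {
    dir=$1
    openssl genrsa -out "$dir/rsapriv.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/rsapriv.pem" -pubout -out "$dir/rsapub.pem" 2>/dev/null
}

# Write a detached signature of FILE to SIG using private key PRIV.
sign_file() {
    priv=$1; file=$2; sig=$3
    openssl dgst "-$DIGEST" -sign "$priv" -out "$sig" "$file"
}

# Return 0 if SIG is a valid signature of FILE under public key PUB, else non-zero.
# In scripts, rely on the exit status of `openssl dgst -verify`, not its text output.
verify_file() {
    pub=$1; file=$2; sig=$3
    openssl dgst "-$DIGEST" -verify "$pub" -signature "$sig" "$file" >/dev/null 2>&1
}

# End-to-end check on a constructed file: the good signature verifies, and a
# single appended byte makes the same signature fail. Returns 0 on success.
demo() {
    work=$(mktemp -d) || return 1
    make_keypair "$work" || return 1
    printf 'constructed sample payload\n' > "$work/update.bin"
    sign_file "$work/rsapriv.pem" "$work/update.bin" "$work/testsig.bin" || return 1
    verify_file "$work/rsapub.pem" "$work/update.bin" "$work/testsig.bin" || return 1
    printf 'x' >> "$work/update.bin"       # tamper with the signed file
    if verify_file "$work/rsapub.pem" "$work/update.bin" "$work/testsig.bin"; then
        return 1                            # must NOT verify after tampering
    fi
    rm -rf "$work"
    return 0
}

if demo; then echo "sign/verify OK, tampered file rejected"; else echo "FAILED" >&2; exit 1; fi
```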

Posted by Ian S. Nelson Wed, 07 Oct 2009 06:48:00 GMT