»Home
»News
»Download
»Documentation
     »oathtool(1)
     »pskctool(1)
     »Liboath API
     »PSKC Tutorial
     »Libpskc API
     »pam_oath
»Contribute
OATH Toolkit
One-time password components

Digitally sign PSKC data

The library can also digitally sign PSKC data using a X.509 private key and certificate, both stored in files. Below is a minimal example illustring how to read a PSKC file, digitally sign it and then print the signed XML to stdout.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
#include <stdio.h>
#include <pskc/pskc.h>

/*
 * $ cc -o pskcsign pskcsign.c $(pkg-config --cflags --libs libpskc)
 * $ ./pskcsign pskc-hotp.xml pskc-ee-key.pem pskc-ee-crt.pem > signed.xml
 */

#define PSKC_CHECK_RC					   \
  if (rc != PSKC_OK) {					   \
    printf ("%s (%d): %s\n", pskc_strerror_name (rc),	   \
	    rc, pskc_strerror (rc));			   \
    return 1;						   \
  }

int
main (int argc, const char *argv[])
{
  char buffer[4096];
  FILE *fh;
  size_t len;
  pskc_t *container;
  char *out;
  int rc;

  if (argc != 4)
    {
      printf ("Usage: %s <PSKCFILE> <X509KEY> <X509CERT>\n", argv[0]);
      return 1;
    }
  fh = fopen (argv[1], "r");
  if (!fh)
    {
      perror ("fopen");
      return 1;
    }
  len = fread (buffer, 1, sizeof (buffer), fh);
  fclose (fh);

  rc = pskc_global_init ();
  PSKC_CHECK_RC;

  rc = pskc_init (&container);
  PSKC_CHECK_RC;
  rc = pskc_parse_from_memory (container, len, buffer);
  PSKC_CHECK_RC;

  rc = pskc_sign_x509 (container, argv[2], argv[3]);
  PSKC_CHECK_RC;

  rc = pskc_output (container, PSKC_OUTPUT_XML, &out, &len);
  PSKC_CHECK_RC;
  fwrite (out, 1, len, stdout);
  pskc_free (out);

  pskc_done (container);
  pskc_global_done ();

  return 0;
}

You would compile and use the example like this.

1
2
3
jas@latte:~$ cc -o pskcsign pskcsign.c $(pkg-config --cflags --libs libpskc)
jas@latte:~$ ./pskcsign pskc-hotp.xml pskc-ee-key.pem pskc-ee-crt.pem > signed.xml
jas@latte:~$

The next section illustrate how to verify the content of "signed.xml". For more background and information on how to generate the necessary private key and certificates, see the "pskctool" command line tool documentation.