ucert is a signature-chaining wrapper around usign, built on blob and blobmsg.
It is meant to be used on OpenWrt routers and relies on libubox for most things; libjson-c and libblobmsg-json are used as well, to allow dumping certificates in JSON format.
## a few words about security
ucert inherits all its cryptographic properties from the underlying usign implementation, which was not designed to be used as a building block for certificate chains.
To maintain a high cryptographic standard, it is likely that the signed payload format still needs further work (normalizing the payload to reduce known plaintext, adding salts where usign does not, and so on).
## usage
```
Usage: ucert <command> <options>
Commands:
  -A:			append signature (needs -c and -x)
  -I:			issue cert and revoker (needs -c and -p and -s)
  -R:			process revoker certificate (needs -c and -P)
  -V:			verify (needs -c and -p|-P, may have -m)
Options:
  -c <file>:		certificate file
  -m <file>:		message file (verify only)
  -p <file>:		public key file
  -P <path>:		public key directory (verify only)
  -q:			quiet (do not print verification result, use return code only)
  -s <file>:		secret key file (issue only)
  -x <file>:		signature file
```
## examples
```sh
# on airgap system
# create root keypair (which never leaves airgap)
usign -G -p capubkey -s caseckey
# create delegate keypair
usign -G -p pubkey -s seckey
# create ca-signed delegate cert (and revoker)
ucert -I -p pubkey -s caseckey -c newcert

# eg. on buildbot worker
# got newcert and seckey from airgap
# sign the message with the delegate key
usign -S -m message.bin -s seckey -x message.bin.sig
# create cert for message
cp newcert message.bin.ucrt
ucert -A -c message.bin.ucrt -x message.bin.sig

# on client: verify against the router's trusted key directory
ucert -V -P /etc/opkg/keys -m message.bin -c message.bin.ucrt && echo message.bin verified successfully
```
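The following script is an added example, not part of the ucert project: it runs the airgap, build-worker and client steps above end to end in a scratch directory, and then exercises the failure modes a practitioner wants to see rejected (a modified payload, a signature from a key the CA never certified, and a client that does not trust the CA). It assumes `usign` and `ucert` are on PATH (it skips with a message otherwise), uses a constructed payload, and builds the client's trust store the way OpenWrt's `/etc/opkg/keys` is laid out, with each public key stored under its usign fingerprint; the function names `ucert_chain_steps` and `ucert_chain_demo` are the example's own.

```sh
#!/bin/sh
# Added example (not ucert project code): end-to-end delegation flow with
# negative checks. Assumes usign and ucert are installed; skips otherwise.
set -eu

# The steps themselves, run inside a scratch directory. $1 is the client's
# trust store directory (the role /etc/opkg/keys plays on a router).
ucert_chain_steps() {
    set -e
    keydir=$1
    mkdir -p "$keydir"

    # airgap: root (CA) keypair and one delegate keypair, then the CA-signed
    # delegate certificate (ucert -I emits the revoker alongside it)
    usign -G -p capubkey -s caseckey
    usign -G -p pubkey -s seckey
    ucert -I -p pubkey -s caseckey -c newcert

    # client trust store: keys are stored under their usign fingerprint,
    # which is what the -P directory lookup expects (OpenWrt convention)
    cp capubkey "$keydir/$(usign -F -p capubkey)"

    # build worker: sign a constructed payload with the delegate key and
    # append that signature to a copy of the delegate certificate
    printf 'constructed payload\n' > message.bin
    usign -S -m message.bin -s seckey -x message.bin.sig
    cp newcert message.bin.ucrt
    ucert -A -c message.bin.ucrt -x message.bin.sig

    # client: the genuine chain must verify
    ucert -V -q -P "$keydir" -m message.bin -c message.bin.ucrt \
        || { echo "FAIL: valid chain rejected" >&2; return 1; }

    # check 1: a modified payload must be rejected
    printf 'tampered payload\n' > tampered.bin
    if ucert -V -q -P "$keydir" -m tampered.bin -c message.bin.ucrt; then
        echo "FAIL: tampered payload accepted" >&2; return 1
    fi

    # check 2: a signature from a key the CA never certified must be rejected,
    # even when it is attached to a genuine certificate
    usign -G -p roguepub -s roguesec
    usign -S -m message.bin -s roguesec -x rogue.sig
    cp newcert rogue.ucrt
    ucert -A -c rogue.ucrt -x rogue.sig 2>/dev/null || true  # -A may already refuse
    if ucert -V -q -P "$keydir" -m message.bin -c rogue.ucrt; then
        echo "FAIL: signature from uncertified key accepted" >&2; return 1
    fi

    # check 3: a client whose trust store lacks the CA key must reject the chain
    mkdir -p emptykeys
    if ucert -V -q -P emptykeys -m message.bin -c message.bin.ucrt; then
        echo "FAIL: chain accepted without trusted CA key" >&2; return 1
    fi

    echo "all chain checks passed"
}

# Wrapper: skips when the tools are missing, otherwise runs the steps in a
# temporary directory and cleans up. Returns 0 on pass or skip, 1 on failure.
ucert_chain_demo() {
    if ! command -v usign >/dev/null 2>&1 || ! command -v ucert >/dev/null 2>&1; then
        echo "usign/ucert not installed, skipping demo" >&2
        return 0
    fi
    work=$(mktemp -d)
    set +e
    ( set -e; cd "$work" && ucert_chain_steps "$work/keys" )
    rc=$?
    set -e
    rm -rf "$work"
    return $rc
}

ucert_chain_demo
```

The `-q` flag keeps ucert silent so the script relies on exit codes alone, which is also how a build pipeline or an installer should consume it; the three negative checks are the ones to keep in a regression suite when the signed payload format is changed, since a format change that breaks chain binding would pass the positive case and only show up here.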