Verify digitally signed PSKC data

To verify signed PSKC data, use the --verify parameter. It requires a second parameter, --verify-crt, naming a file with a trusted X.509 certificate. The signature is validated against the end-entity X.509 certificate embedded in the PSKC file, and that end-entity certificate is in turn verified against the trust root given by --verify-crt. Using the files "pskc-hotp-signed.xml" and "pskc-root-crt.pem" prepared in the previous section, the session below illustrates how signature verification works.

jas@latte:~$ pskctool --verify --verify-crt pskc-root-crt.pem pskc-hotp-signed.xml
OK
jas@latte:~$

If verification fails, it prints "FAIL" to standard output. Note that the exit code of pskctool --verify is 0 (indicating success) even when FAIL is printed. Use --quiet to suppress the output and make the exit code reflect the validation result instead.
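Because the plain --verify invocation exits 0 even on FAIL, a script that only checks the exit status would silently accept a bad signature. The POSIX sh wrapper below is an added example, not part of the PSKC Toolkit: it derives a trustworthy status either by reading the OK/FAIL line or by using --quiet. It assumes pskctool is on PATH (the PSKCTOOL variable used to override that is a hypothetical convenience of this example, not a pskctool feature) and that the trust root and signed file exist.

```shell
# Wrapper around "pskctool --verify" that yields a trustworthy exit status.
# Added example, not part of the PSKC Toolkit. PSKCTOOL is a hypothetical
# override so the wrapper can be pointed at a specific binary.
PSKCTOOL="${PSKCTOOL:-pskctool}"

# verify_pskc TRUST_ROOT_PEM SIGNED_PSKC_XML
# Runs pskctool without --quiet and interprets its standard output:
#   0 when pskctool prints exactly "OK"
#   1 when it prints "FAIL" (pskctool itself exits 0 in this case)
#   2 when the tool could not run or printed something unexpected
verify_pskc() {
    trust_root=$1
    signed=$2
    out=$("$PSKCTOOL" --verify --verify-crt "$trust_root" "$signed" 2>/dev/null) || return 2
    case "$out" in
        OK)   return 0 ;;
        FAIL) return 1 ;;
        *)    return 2 ;;
    esac
}

# verify_pskc_quiet TRUST_ROOT_PEM SIGNED_PSKC_XML
# Same check using --quiet, where pskctool's own exit code is the result.
verify_pskc_quiet() {
    "$PSKCTOOL" --verify --quiet --verify-crt "$1" "$2"
}

# Typical use in a provisioning pipeline: refuse to import on anything but OK.
# if verify_pskc pskc-root-crt.pem pskc-hotp-signed.xml; then
#     echo "signature OK, importing"
# else
#     echo "signature check failed, aborting" >&2
# fi
```

verify_pskc is the safer choice when you also want to log the tool's output; verify_pskc_quiet is the shorter form when only the status matters. Both treat anything other than an explicit OK as a failure.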