#! /bin/sh

set -eu

SIGFILE="$1"; shift
P11_PROVIDER="$1"; shift
OPENSSL_CONF="$1"; shift
SERVER_PROVIDER=
[ $# -ge 1 ] && { SERVER_PROVIDER="$1"; shift; }

cleanup() {
    if [ -n "$SERVER_PROVIDER" ]; then
	p11-kit server --kill > /dev/null
    fi
}
trap cleanup EXIT

if [ -n "$SERVER_PROVIDER" ]; then
	P11_KIT_ENV=$(p11-kit server $SERVER_PROVIDER)
	eval "$P11_KIT_ENV"
fi    

token_urls="$(p11tool --batch --login --provider=$P11_PROVIDER --list-token-urls)"
export OPENSSL_CONF
for url in $token_urls; do
    openssl dgst -sha256 -engine pkcs11 -keyform ENGINE \
	    -prverify "${url};pin-value=ffff" \
	    -signature $SIGFILE | egrep "^Verified OK$"
done