#! /bin/sh

set -eu

SIGFILE="$1"; shift
P11_PROVIDER="$1"; shift
OPENSSL_CONF="$1"; shift
SERVER_PROVIDER=
[ $# -ge 1 ] && { SERVER_PROVIDER="$1"; shift; }


if [ -n "$SERVER_PROVIDER" ]; then
	P11_KIT_ENV=$(p11-kit server $SERVER_PROVIDER)
	eval "$P11_KIT_ENV"
fi    

openssl dgst -sha256 -engine pkcs11 -keyform ENGINE \
	-prverify "$(p11tool --login --provider=$P11_PROVIDER --list-token-urls)" \
	-signature $SIGFILE | egrep "^Verified OK$"

if [ -n "$SERVER_PROVIDER" ]; then
	p11-kit server --kill > /dev/null
fi