Thank you @hannes — that got me over the hill to a final version:
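(* Signs a fixed message with the RSA private key in ./private.pem using
   RSASSA-PKCS1-v1_5 over SHA-256 and compares the base64 of the raw signature
   with a value recorded from an earlier run.

   PKCS#1 v1.5 signing is deterministic for a given key and message, which is
   what makes a fixed expected string meaningful; regenerating the key pair
   invalidates the expected value below.

   The key pair is a disposable test fixture created with:
     $ openssl genrsa -out private.pem 2048
     $ openssl rsa -in private.pem -outform PEM -pubout -out public.pem

   Raises [Failure] carrying the library's message if the sign operation
   fails, and propagates whatever [X509_lwt.private_of_pems] raises when the
   PEM files cannot be read or parsed. *)
let test_sign_sha256 () =
  let open Lwt in
  let p =
    (* https://mirleft.github.io/ocaml-tls/doc/tls/X509_lwt/#val-private_of_pems
       NOTE(review): ~cert is documented as a certificate chain, not a bare
       public key; the public.pem written by `openssl rsa -pubout` above may
       not be what this call expects -- confirm against the fixture in use.
       Only the private half of the pair is used here. *)
    X509_lwt.private_of_pems ~cert:"public.pem" ~priv_key:"private.pem"
    >>= fun (_, priv) ->
    let data : string = "to-be-signed-data" in
    (* https://mirleft.github.io/ocaml-x509/doc/x509/X509/Private_key/#cryptographic-sign-operation
       [`Message] hands the library the raw bytes; it digests them with
       SHA-256 itself before signing. *)
    let signature : string =
      match
        X509.Private_key.sign `SHA256 ~scheme:`RSA_PKCS1 priv
          (`Message (Cstruct.of_string data))
      with
      | Ok raw -> raw |> Cstruct.to_string |> Base64.encode_exn
      | Error (`Msg msg) ->
        (* Result.get_ok would raise a bare Invalid_argument and drop the
           reason; surface it so a failing run says what went wrong. *)
        failwith ("X509.Private_key.sign: " ^ msg)
    in
    signature
    |> Assert2.equals_string "sig 256"
         (* Expected value as originally recorded. The posted version was
            line-wrapped with stray spaces inside the base64, which
            Base64.encode_exn never emits, so those were removed --
            TODO confirm against a fresh run with the fixture key. *)
         "TVMQvS8OZ94BFvMn8ToL0jG01L1T3Dww4o7R6NwcJd7KsOmZtUKzzCezbnY5gjSECj/cfXxs2mrZlk9xGntTKqhJ6YIZmM3BBdXuPl8IyWms/qtqZ4d+NVfMVDhYeGm43+j2HTegpcH2px9auXSThd2WcJmc7J98g9hx5+pEr6hA2UjawzOPYxIyyhNHzX9L1hTu6Xyjq6OkPWgqK9aHnAnGG1f3LgH+YTR0T/l5ODPCyKboFMfvmnQ2PDNRPgsz82j9YuMVF2sE/TCdpTg+T6dX99Hmp35lomXnf1GSTrVAWBcx6mFEOABMrFSRRcMzGo9zCWPb/y8V3xWaSpjroQ==";
    return ()
  in
  Lwt_main.run p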
Feels good.