Report error when signing fails

margfools

@@ -15,12 +15,12 @@ import getpass
 # use requests instead of urllib.request for keep-alive connection
 import requests
 
-def sign(data, key, pin=None, engine=None):
+def sign(b64data, key, pin=None, engine=None):
     if engine is None:
         # key in file
         cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', key, '-pkeyopt', 'digest:sha256']
-        raw_data = base64.b64decode(data)
         env = None
+        data = base64.b64decode(b64data)
     elif engine == 'pkcs11':
         # key on smartcard
         digest_info = { # from RFC 3447
@@ -33,8 +33,12 @@ def sign(data, key, pin=None, engine=None):
         }
         cmd = ['pkcs11-tool', '--id', key, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN']
         env = {'PIN': pin}
-        raw_data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(data)
-    p = subprocess.run(cmd, env=env, input=raw_data, capture_output=True)
+        data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(b64data)
+
+    p = subprocess.run(cmd, env=env, input=data, capture_output=True)
+    if p.returncode != 0:
+        raise RuntimeError('could not sign data')
+
     return base64.b64encode(p.stdout).decode()
 
 if __name__ == '__main__':