From 7d04aa3d86b9564f01242a347e2a861afae7c05d Mon Sep 17 00:00:00 2001 From: polz Date: Wed, 6 Dec 2023 14:49:17 +0100 Subject: [PATCH 01/11] Add support for smartcards --- README.md | 27 +++++++++++++++++++++++++- margfools | 57 ++++++++++++++++++++++++++++++++++++++++++------------- 2 files changed, 70 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 3e354fb..b0a9e13 100644 --- a/README.md +++ b/README.md @@ -4,12 +4,37 @@ Python script to replace [MargTools](https://businessconnect.margis.si/output/#o ## Usage -Create the configuration file `~/.margfools` with the paths to your TLS private key and certificate in PEM format: + +### Configure certificates and sites + +Create the configuration file `~/.margfools`. The contents are described in the sections below. + +#### Certificates in files +If you are using certificate files, add the paths to your TLS private key and certificate in PEM format: [https://gcsign.example.com/BCSign/] user-key = user-cert = +#### Certificates on smartcards +If you have your certificate on a PIV-II smart card (e.g. Yubikey), first determine the slot on your card which contains the certificate you wish to use: + + pkcs11-tool -O + +Look for "ID:" in the output. + +Assuming the ID of your certificate was 07, specify the engine and certificate slot in your config file: + + + [https://gcsign.example.com/BCSign/] + engine=pkcs11 + user-key = 07 + + +You will be asked for your pin during signing. + +### Add URL schema + Section name is the percent-decoded value of `baseURL` in bc-digsign://sign?accessToken=…&baseUrl=https%3a%2f%2fgcsign.example.com%2fBCSign%2f&…' diff --git a/margfools b/margfools index fed38bf..5df99a2 100755 --- a/margfools +++ b/margfools @@ -10,14 +10,33 @@ import subprocess import sys import traceback import urllib.parse +import getpass # use requests instead of urllib.request for keep-alive connection import requests -def sign(data, keyfile): +def sign(data, keyfile, unlock_key=None, engine=None): + # pkcs11-tool --id 02 -s -p $PIN -m RSA-PKCS + if engine is None: + cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', keyfile, '-pkeyopt', 'digest:sha256'] + raw_data = base64.b64decode(data) + env = None + elif engine == 'pkcs11': + env = {'PIN': unlock_key} + """magic_prefix is ASN.1 DER for + DigestInfo ::= SEQUENCE { + digestAlgorithm DigestAlgorithm, + digest OCTET STRING + } + """ + magic_prefix = bytes.fromhex("3031300d060960864801650304020105000420") + raw_data = magic_prefix + base64.b64decode(data) + cmd = ['pkcs11-tool', '--id', keyfile, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN'] + # cmd = ['openssl', 'pkeyutl', '-sign', '-pkeyopt', 'digest:sha256', '-engine', 'pkcs11', '-keyform', 'engine', '-inkey', keyfile] p = subprocess.run( - ['openssl', 'pkeyutl', '-sign', '-inkey', keyfile, '-pkeyopt', 'digest:sha256'], - input=base64.b64decode(data), + cmd, + env=env, + input=raw_data, capture_output=True) return base64.b64encode(p.stdout).decode() @@ -26,6 +45,7 @@ if __name__ == '__main__': parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url') parser.add_argument('-k', '--user-key', type=pathlib.Path, help='key file') parser.add_argument('-c', '--user-cert', type=pathlib.Path, help='certificate file') + parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card') args = parser.parse_args() try: @@ -40,14 +60,24 @@ if __name__ == '__main__': if not args.user_key: args.user_key = config.get(url, 'user-key') if not args.user_cert: - args.user_cert = config.get(url, 'user-cert') - if not args.user_key or not args.user_cert: - print('user key and/or certificate not specified', file=sys.stderr) + args.user_cert = config.get(url, 'user-cert', fallback=None) + if not args.user_key: + print('user key not specified', file=sys.stderr) sys.exit(1) - + if not args.engine: + args.engine = config.get(url, 'engine') + engine = args.engine user_keyfile = args.user_key - user_cert = ''.join(line.strip() for line in open(args.user_cert) if not line.startswith('-----')) - + # base64.b64encode + unlock_key = None + if engine is None: + if not args.user_cert: + print('user cert not specified', file=sys.stderr) + sys.exit(1) + user_cert = ''.join(line.strip() for line in open(args.user_cert) if not line.startswith('-----')) + elif engine == 'pkcs11': + user_cert = base64.b64encode(subprocess.run(["pkcs11-tool", "--read-object", "--type", "cert", "--id", user_keyfile], capture_output=True).stdout).decode() + unlock_key = getpass.getpass("PIN:") session = requests.Session() headers={'Authorization': f'Bearer {token}'} @@ -66,19 +96,20 @@ if __name__ == '__main__': request = json.loads(r.text) request['AuthenticationToken'] = token request['CertificatePublicKey'] = user_cert - # keep signing whatever they send us while True: for name in ('AttachmentHashes', 'XmlHashes'): if request.get(name) is not None: - request[f'Signed{name}'] = [sign(e, user_keyfile) for e in request[name]] - + request[f'Signed{name}'] = [sign(e, user_keyfile, unlock_key, engine=engine) for e in request[name]] + d = json.dumps(request) + d = d.encode() r = session.put(f'{url}signatures/{request["SignatureRequestId"]}', headers=headers | {'Content-Type': 'application/json; charset=utf-8'}, data=json.dumps(request).encode()) if not r.text: break request |= json.loads(r.text) - except: traceback.print_exc() + # Don't close terminal immediately on fail + input() From 8af9546e60a996d18b9cbeb43f44875d24b8cdcd Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:45 +0100 Subject: [PATCH 02/11] Minor tweaks --- README.md | 13 +++++-------- margfools | 34 +++++++++++++++------------------- 2 files changed, 20 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index b0a9e13..79eb765 100644 --- a/README.md +++ b/README.md @@ -4,19 +4,18 @@ Python script to replace [MargTools](https://businessconnect.margis.si/output/#o ## Usage - -### Configure certificates and sites - Create the configuration file `~/.margfools`. The contents are described in the sections below. -#### Certificates in files +### Certificates in files + If you are using certificate files, add the paths to your TLS private key and certificate in PEM format: [https://gcsign.example.com/BCSign/] user-key = user-cert = -#### Certificates on smartcards +### Certificates on smartcards + If you have your certificate on a PIV-II smart card (e.g. Yubikey), first determine the slot on your card which contains the certificate you wish to use: pkcs11-tool -O @@ -25,12 +24,10 @@ Look for "ID:" in the output. Assuming the ID of your certificate was 07, specify the engine and certificate slot in your config file: - [https://gcsign.example.com/BCSign/] - engine=pkcs11 + engine = pkcs11 user-key = 07 - You will be asked for your pin during signing. ### Add URL schema diff --git a/margfools b/margfools index 5df99a2..7f6adfa 100755 --- a/margfools +++ b/margfools @@ -15,14 +15,16 @@ import getpass # use requests instead of urllib.request for keep-alive connection import requests -def sign(data, keyfile, unlock_key=None, engine=None): - # pkcs11-tool --id 02 -s -p $PIN -m RSA-PKCS +def sign(data, key, pin=None, engine=None): if engine is None: - cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', keyfile, '-pkeyopt', 'digest:sha256'] + # key in file + cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', key, '-pkeyopt', 'digest:sha256'] raw_data = base64.b64decode(data) env = None elif engine == 'pkcs11': - env = {'PIN': unlock_key} + # key on smartcard + cmd = ['pkcs11-tool', '--id', key, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN'] + env = {'PIN': pin} """magic_prefix is ASN.1 DER for DigestInfo ::= SEQUENCE { digestAlgorithm DigestAlgorithm, @@ -31,13 +33,7 @@ def sign(data, keyfile, unlock_key=None, engine=None): """ magic_prefix = bytes.fromhex("3031300d060960864801650304020105000420") raw_data = magic_prefix + base64.b64decode(data) - cmd = ['pkcs11-tool', '--id', keyfile, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN'] - # cmd = ['openssl', 'pkeyutl', '-sign', '-pkeyopt', 'digest:sha256', '-engine', 'pkcs11', '-keyform', 'engine', '-inkey', keyfile] - p = subprocess.run( - cmd, - env=env, - input=raw_data, - capture_output=True) + p = subprocess.run(cmd, env=env, input=raw_data, capture_output=True) return base64.b64encode(p.stdout).decode() if __name__ == '__main__': @@ -66,20 +62,21 @@ if __name__ == '__main__': sys.exit(1) if not args.engine: args.engine = config.get(url, 'engine') + engine = args.engine user_keyfile = args.user_key - # base64.b64encode - unlock_key = None + pin = None + if engine is None: if not args.user_cert: print('user cert not specified', file=sys.stderr) sys.exit(1) user_cert = ''.join(line.strip() for line in open(args.user_cert) if not line.startswith('-----')) elif engine == 'pkcs11': - user_cert = base64.b64encode(subprocess.run(["pkcs11-tool", "--read-object", "--type", "cert", "--id", user_keyfile], capture_output=True).stdout).decode() - unlock_key = getpass.getpass("PIN:") + user_cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', user_keyfile], capture_output=True).stdout).decode() + pin = getpass.getpass('PIN: ') session = requests.Session() - headers={'Authorization': f'Bearer {token}'} + headers = {'Authorization': f'Bearer {token}'} # delete old signing session r = session.delete(f'{url}/signatures/{params["startSigningToken"][0]}', headers=headers) @@ -100,7 +97,7 @@ if __name__ == '__main__': while True: for name in ('AttachmentHashes', 'XmlHashes'): if request.get(name) is not None: - request[f'Signed{name}'] = [sign(e, user_keyfile, unlock_key, engine=engine) for e in request[name]] + request[f'Signed{name}'] = [sign(e, user_keyfile, pin, engine=engine) for e in request[name]] d = json.dumps(request) d = d.encode() r = session.put(f'{url}signatures/{request["SignatureRequestId"]}', @@ -111,5 +108,4 @@ if __name__ == '__main__': request |= json.loads(r.text) except: traceback.print_exc() - # Don't close terminal immediately on fail - input() + input('press enter to exit') # don’t close terminal immediately on fail From bfaa9c25654e1e7b9caf1602ebabdb622005cd42 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:47 +0100 Subject: [PATCH 03/11] Replace magic number with magic dict --- margfools | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/margfools b/margfools index 7f6adfa..9524abe 100755 --- a/margfools +++ b/margfools @@ -23,16 +23,17 @@ def sign(data, key, pin=None, engine=None): env = None elif engine == 'pkcs11': # key on smartcard + digest_info = { # from RFC 3447 + 'MD2': '3020300c06082a864886f70d020205000410', + 'MD5': '3020300c06082a864886f70d020505000410', + 'SHA-1': '3021300906052b0e03021a05000414', + 'SHA-256': '3031300d060960864801650304020105000420', + 'SHA-384': '3041300d060960864801650304020205000430', + 'SHA-512': '3051300d060960864801650304020305000440' + } cmd = ['pkcs11-tool', '--id', key, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN'] env = {'PIN': pin} - """magic_prefix is ASN.1 DER for - DigestInfo ::= SEQUENCE { - digestAlgorithm DigestAlgorithm, - digest OCTET STRING - } - """ - magic_prefix = bytes.fromhex("3031300d060960864801650304020105000420") - raw_data = magic_prefix + base64.b64decode(data) + raw_data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(data) p = subprocess.run(cmd, env=env, input=raw_data, capture_output=True) return base64.b64encode(p.stdout).decode() From af62cc41a96cc70a844293a10a2ae3fb84c0866e Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:47 +0100 Subject: [PATCH 04/11] Drop user- prefix from key and cert arguments and config options --- README.md | 6 +++--- margfools | 36 +++++++++++++++++------------------- 2 files changed, 20 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 79eb765..a74658d 100644 --- a/README.md +++ b/README.md @@ -11,8 +11,8 @@ Create the configuration file `~/.margfools`. The contents are described in the If you are using certificate files, add the paths to your TLS private key and certificate in PEM format: [https://gcsign.example.com/BCSign/] - user-key = - user-cert = + key = + cert = ### Certificates on smartcards @@ -26,7 +26,7 @@ Assuming the ID of your certificate was 07, specify the engine and certificate s [https://gcsign.example.com/BCSign/] engine = pkcs11 - user-key = 07 + key = 07 You will be asked for your pin during signing. diff --git a/margfools b/margfools index 9524abe..25b34f0 100755 --- a/margfools +++ b/margfools @@ -40,8 +40,8 @@ def sign(data, key, pin=None, engine=None): if __name__ == '__main__': parser = argparse.ArgumentParser(description='Fake the MargTools application.') parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url') - parser.add_argument('-k', '--user-key', type=pathlib.Path, help='key file') - parser.add_argument('-c', '--user-cert', type=pathlib.Path, help='certificate file') + parser.add_argument('-k', '--key', type=pathlib.Path, help='key file') + parser.add_argument('-c', '--cert', type=pathlib.Path, help='certificate file') parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card') args = parser.parse_args() @@ -51,30 +51,28 @@ if __name__ == '__main__': url = params['baseUrl'][0] token = params['accessToken'][0] - # if missing, get user key and cert from section [url] in ~/.margfools + # if missing, get key and cert from section [url] in ~/.margfools config = configparser.ConfigParser() config.read(os.path.expanduser('~') + '/.margfools') - if not args.user_key: - args.user_key = config.get(url, 'user-key') - if not args.user_cert: - args.user_cert = config.get(url, 'user-cert', fallback=None) - if not args.user_key: - print('user key not specified', file=sys.stderr) + if not args.key: + args.key = config.get(url, 'key') + if not args.cert: + args.cert = config.get(url, 'cert', fallback=None) + if not args.key: + print('key not specified', file=sys.stderr) sys.exit(1) if not args.engine: args.engine = config.get(url, 'engine') - engine = args.engine - user_keyfile = args.user_key pin = None - if engine is None: - if not args.user_cert: - print('user cert not specified', file=sys.stderr) + if args.engine is None: + if not args.cert: + print('certificate not specified', file=sys.stderr) sys.exit(1) - user_cert = ''.join(line.strip() for line in open(args.user_cert) if not line.startswith('-----')) - elif engine == 'pkcs11': - user_cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', user_keyfile], capture_output=True).stdout).decode() + args.cert = ''.join(line.strip() for line in open(args.cert) if not line.startswith('-----')) + elif args.engine == 'pkcs11': + args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.key], capture_output=True).stdout).decode() pin = getpass.getpass('PIN: ') session = requests.Session() headers = {'Authorization': f'Bearer {token}'} @@ -93,12 +91,12 @@ if __name__ == '__main__': # get signature request and mix in my secrets and publics request = json.loads(r.text) request['AuthenticationToken'] = token - request['CertificatePublicKey'] = user_cert + request['CertificatePublicKey'] = args.cert # keep signing whatever they send us while True: for name in ('AttachmentHashes', 'XmlHashes'): if request.get(name) is not None: - request[f'Signed{name}'] = [sign(e, user_keyfile, pin, engine=engine) for e in request[name]] + request[f'Signed{name}'] = [sign(e, args.key, pin, engine=args.engine) for e in request[name]] d = json.dumps(request) d = d.encode() r = session.put(f'{url}signatures/{request["SignatureRequestId"]}', From 0578bdffcb0599d2c4f06998281ad968bec43ac0 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:47 +0100 Subject: [PATCH 05/11] Use file-based certificates by default --- margfools | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/margfools b/margfools index 25b34f0..71634ad 100755 --- a/margfools +++ b/margfools @@ -40,9 +40,9 @@ def sign(data, key, pin=None, engine=None): if __name__ == '__main__': parser = argparse.ArgumentParser(description='Fake the MargTools application.') parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url') + parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card') parser.add_argument('-k', '--key', type=pathlib.Path, help='key file') parser.add_argument('-c', '--cert', type=pathlib.Path, help='certificate file') - parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card') args = parser.parse_args() try: @@ -51,9 +51,11 @@ if __name__ == '__main__': url = params['baseUrl'][0] token = params['accessToken'][0] - # if missing, get key and cert from section [url] in ~/.margfools + # if missing, get options from section [url] in ~/.margfools config = configparser.ConfigParser() config.read(os.path.expanduser('~') + '/.margfools') + if not args.engine: + args.engine = config.get(url, 'engine', fallback=None) if not args.key: args.key = config.get(url, 'key') if not args.cert: @@ -61,8 +63,6 @@ if __name__ == '__main__': if not args.key: print('key not specified', file=sys.stderr) sys.exit(1) - if not args.engine: - args.engine = config.get(url, 'engine') pin = None From 188567a42942dba1078ac7384ee9d9fe864594fa Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:47 +0100 Subject: [PATCH 06/11] Report error when signing fails --- margfools | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/margfools b/margfools index 71634ad..cf4de00 100755 --- a/margfools +++ b/margfools @@ -15,12 +15,12 @@ import getpass # use requests instead of urllib.request for keep-alive connection import requests -def sign(data, key, pin=None, engine=None): +def sign(b64data, key, pin=None, engine=None): if engine is None: # key in file cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', key, '-pkeyopt', 'digest:sha256'] - raw_data = base64.b64decode(data) env = None + data = base64.b64decode(b64data) elif engine == 'pkcs11': # key on smartcard digest_info = { # from RFC 3447 @@ -33,8 +33,12 @@ def sign(data, key, pin=None, engine=None): } cmd = ['pkcs11-tool', '--id', key, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN'] env = {'PIN': pin} - raw_data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(data) - p = subprocess.run(cmd, env=env, input=raw_data, capture_output=True) + data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(b64data) + + p = subprocess.run(cmd, env=env, input=data, capture_output=True) + if p.returncode != 0: + raise RuntimeError('could not sign data') + return base64.b64encode(p.stdout).decode() if __name__ == '__main__': From d3d72791cf2ffecf7ee564180e6b190226d692ed Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:47 +0100 Subject: [PATCH 07/11] Omit traceback from error output --- margfools | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/margfools b/margfools index cf4de00..759968e 100755 --- a/margfools +++ b/margfools @@ -8,7 +8,6 @@ import os import pathlib import subprocess import sys -import traceback import urllib.parse import getpass @@ -109,6 +108,6 @@ if __name__ == '__main__': if not r.text: break request |= json.loads(r.text) - except: - traceback.print_exc() + except Exception as ex: + print(ex, file=sys.stderr) input('press enter to exit') # don’t close terminal immediately on fail From f38fc807aadf14b72301cb2622c2cd62b84ed02e Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:47 +0100 Subject: [PATCH 08/11] Remove unused variable --- margfools | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/margfools b/margfools index 759968e..0d4ca07 100755 --- a/margfools +++ b/margfools @@ -95,19 +95,20 @@ if __name__ == '__main__': request = json.loads(r.text) request['AuthenticationToken'] = token request['CertificatePublicKey'] = args.cert + # keep signing whatever they send us while True: for name in ('AttachmentHashes', 'XmlHashes'): if request.get(name) is not None: request[f'Signed{name}'] = [sign(e, args.key, pin, engine=args.engine) for e in request[name]] - d = json.dumps(request) - d = d.encode() + r = session.put(f'{url}signatures/{request["SignatureRequestId"]}', headers=headers | {'Content-Type': 'application/json; charset=utf-8'}, data=json.dumps(request).encode()) if not r.text: break request |= json.loads(r.text) + except Exception as ex: print(ex, file=sys.stderr) input('press enter to exit') # don’t close terminal immediately on fail From 816171f23522f6200d3af538146a9740f45f439e Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:47 +0100 Subject: [PATCH 09/11] Use more exceptions --- margfools | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/margfools b/margfools index 0d4ca07..5b70fd4 100755 --- a/margfools +++ b/margfools @@ -36,7 +36,7 @@ def sign(b64data, key, pin=None, engine=None): p = subprocess.run(cmd, env=env, input=data, capture_output=True) if p.returncode != 0: - raise RuntimeError('could not sign data') + raise Exception(f'could not sign data: {p.stderr.decode()}') return base64.b64encode(p.stdout).decode() @@ -64,15 +64,13 @@ if __name__ == '__main__': if not args.cert: args.cert = config.get(url, 'cert', fallback=None) if not args.key: - print('key not specified', file=sys.stderr) - sys.exit(1) + raise Exception('key not specified') pin = None if args.engine is None: if not args.cert: - print('certificate not specified', file=sys.stderr) - sys.exit(1) + raise Exception('certificate not specified') args.cert = ''.join(line.strip() for line in open(args.cert) if not line.startswith('-----')) elif args.engine == 'pkcs11': args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.key], capture_output=True).stdout).decode() @@ -110,5 +108,5 @@ if __name__ == '__main__': request |= json.loads(r.text) except Exception as ex: - print(ex, file=sys.stderr) + print(f'error: {ex}', file=sys.stderr) input('press enter to exit') # don’t close terminal immediately on fail From 5f0ceead2408003559310054789eccce271d3f52 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:47 +0100 Subject: [PATCH 10/11] Use more Python --- margfools | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/margfools b/margfools index 5b70fd4..5fc52a9 100755 --- a/margfools +++ b/margfools @@ -97,8 +97,8 @@ if __name__ == '__main__': # keep signing whatever they send us while True: for name in ('AttachmentHashes', 'XmlHashes'): - if request.get(name) is not None: - request[f'Signed{name}'] = [sign(e, args.key, pin, engine=args.engine) for e in request[name]] + if values := request.get(name, []): + request[f'Signed{name}'] = [sign(v, args.key, pin, engine=args.engine) for v in values] r = session.put(f'{url}signatures/{request["SignatureRequestId"]}', headers=headers | {'Content-Type': 'application/json; charset=utf-8'}, From 79958bb100cfed36e4fdcc9b468201ef768d95b2 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Tue, 16 Jan 2024 21:51:47 +0100 Subject: [PATCH 11/11] Rework argument processing And also README. --- README.md | 55 ++++++++++++------------ margfools | 124 ++++++++++++++++++++++++++++++------------------------ 2 files changed, 98 insertions(+), 81 deletions(-) diff --git a/README.md b/README.md index a74658d..c54d551 100644 --- a/README.md +++ b/README.md @@ -4,40 +4,43 @@ Python script to replace [MargTools](https://businessconnect.margis.si/output/#o ## Usage -Create the configuration file `~/.margfools`. The contents are described in the sections below. +Run `margfools -h` for a synopsis of command‐line arguments. Allowed arguments are -### Certificates in files + margfools [-h] [-e {file,pkcs11}] [-k KEYFILE] [-c CERTFILE] [-i ] URL -If you are using certificate files, add the paths to your TLS private key and certificate in PEM format: +To use a signing key and certificate stored in PEM files, install `openssl` and run - [https://gcsign.example.com/BCSign/] - key = - cert = + margfools -e file -k KEYFILE -c CERTFILE bc-digsign://sign?… -### Certificates on smartcards +To sign using a PIV-II smartcard such as the Yubikey, install `pkcs11-tool` from [OpenSC](https://github.com/OpenSC/OpenSC) and run -If you have your certificate on a PIV-II smart card (e.g. Yubikey), first determine the slot on your card which contains the certificate you wish to use: + margfools -e pkcs11 -i bc-digsign://sign?… + +The script will prompt for the PIN to unlock the smartcard. To find the key ID, run pkcs11-tool -O -Look for "ID:" in the output. - -Assuming the ID of your certificate was 07, specify the engine and certificate slot in your config file: - - [https://gcsign.example.com/BCSign/] - engine = pkcs11 - key = 07 - -You will be asked for your pin during signing. - -### Add URL schema - -Section name is the percent-decoded value of `baseURL` in - - bc-digsign://sign?accessToken=…&baseUrl=https%3a%2f%2fgcsign.example.com%2fBCSign%2f&…' - -You can set `margfools` as the default program for `bc-digsign` URLs by copying the `margfools.desktop` file to `~/.local/share/applications/` and running +To use `margfools` from the web app, set it as the default program for `x-scheme-handler/bc-digsign` URLs, or copy the `margfools.desktop` file to `~/.local/share/applications/` and run xdg-mime default margfools.desktop x-scheme-handler/bc-digsign -or by setting the default application in your browser. +For this to work, the script must be configured as described below. + +## Configuration + +Settings can be saved on a per‐site basis in `~/.margfools` using the [configparser](https://docs.python.org/3/library/configparser.html) format. + + [DEFAULT] + engine = pkcs11 + + [https://gcsign.example.org/BCSign/] + id = 02 + + [https://gcsign.example.com/BCSign/] + engine = file + keyfile = + certfile = + +All settings can be specified for all sites in the default section, or for individual sites. The section name should match the percent-decoded value of `baseURL` in + + bc-digsign://sign?…&baseUrl=https%3a%2f%2fgcsign.example.com%2fBCSign%2f&… diff --git a/margfools b/margfools index 5fc52a9..6f6d8d5 100755 --- a/margfools +++ b/margfools @@ -14,25 +14,61 @@ import getpass # use requests instead of urllib.request for keep-alive connection import requests -def sign(b64data, key, pin=None, engine=None): - if engine is None: - # key in file - cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', key, '-pkeyopt', 'digest:sha256'] - env = None - data = base64.b64decode(b64data) - elif engine == 'pkcs11': - # key on smartcard - digest_info = { # from RFC 3447 - 'MD2': '3020300c06082a864886f70d020205000410', - 'MD5': '3020300c06082a864886f70d020505000410', - 'SHA-1': '3021300906052b0e03021a05000414', - 'SHA-256': '3031300d060960864801650304020105000420', - 'SHA-384': '3041300d060960864801650304020205000430', - 'SHA-512': '3051300d060960864801650304020305000440' - } - cmd = ['pkcs11-tool', '--id', key, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN'] - env = {'PIN': pin} - data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(b64data) +def init(args): + args.params = urllib.parse.parse_qs(args.url.query) + args.access_token = args.params["accessToken"][0] + args.start_token = args.params["startSigningToken"][0] + args.url = args.params['baseUrl'][0] + + # if missing, get options from section [url] in ~/.margfools + config = configparser.ConfigParser() + config.read(os.path.expanduser('~') + '/.margfools') + if not args.engine: + args.engine = config.get(args.url, 'engine', fallback='file') + + match args.engine: + case 'file': + if not args.keyfile: + args.keyfile = config.get(args.url, 'keyfile', fallback=None) + if not args.certfile: + args.certfile = config.get(args.url, 'certfile', fallback=None) + if not args.keyfile or not args.certfile: + raise Exception('key or certificate file not specified') + args.cert = ''.join(line.strip() for line in open(args.certfile) if not line.startswith('-----')) + case 'pkcs11': + if not args.id: + args.id = config.get(args.url, 'id', fallback=None) + if not args.id: + raise Exception('key ID not specified') + args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.id], capture_output=True).stdout).decode() + args.pin = getpass.getpass('PIN: ') + case '_': + raise Exception(f'invalid engine {args.engine}') + +def sign(b64data, args): + match args.engine: + case 'file': + if not args.keyfile: + raise Exception('keyfile not specified') + cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', args.keyfile, '-pkeyopt', 'digest:sha256'] + env = None + data = base64.b64decode(b64data) + case 'pkcs11': + if not args.id: + raise Exception('key ID not specified') + digest_info = { # from RFC 3447 + 'MD2': '3020300c06082a864886f70d020205000410', + 'MD5': '3020300c06082a864886f70d020505000410', + 'SHA-1': '3021300906052b0e03021a05000414', + 'SHA-256': '3031300d060960864801650304020105000420', + 'SHA-384': '3041300d060960864801650304020205000430', + 'SHA-512': '3051300d060960864801650304020305000440' + } + cmd = ['pkcs11-tool', '--id', args.id, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN'] + env = {'PIN': args.pin} + data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(b64data) + case '_': + raise Exception(f'invalid engine {args.engine}') p = subprocess.run(cmd, env=env, input=data, capture_output=True) if p.returncode != 0: @@ -43,64 +79,42 @@ def sign(b64data, key, pin=None, engine=None): if __name__ == '__main__': parser = argparse.ArgumentParser(description='Fake the MargTools application.') parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url') - parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card') - parser.add_argument('-k', '--key', type=pathlib.Path, help='key file') - parser.add_argument('-c', '--cert', type=pathlib.Path, help='certificate file') + parser.add_argument('-e', '--engine', choices=('file', 'pkcs11'), help='use key file or PKCS11 token?') + parser.add_argument('-k', '--keyfile', type=pathlib.Path, help='key file') + parser.add_argument('-c', '--certfile', type=pathlib.Path, help='certificate file') + parser.add_argument('-i', '--id', type=int, metavar='', help='key ID on PKCS11 token') args = parser.parse_args() try: - # parse query string - params = urllib.parse.parse_qs(args.url.query) - url = params['baseUrl'][0] - token = params['accessToken'][0] + # parse query string and load certificates + init(args) - # if missing, get options from section [url] in ~/.margfools - config = configparser.ConfigParser() - config.read(os.path.expanduser('~') + '/.margfools') - if not args.engine: - args.engine = config.get(url, 'engine', fallback=None) - if not args.key: - args.key = config.get(url, 'key') - if not args.cert: - args.cert = config.get(url, 'cert', fallback=None) - if not args.key: - raise Exception('key not specified') - - pin = None - - if args.engine is None: - if not args.cert: - raise Exception('certificate not specified') - args.cert = ''.join(line.strip() for line in open(args.cert) if not line.startswith('-----')) - elif args.engine == 'pkcs11': - args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.key], capture_output=True).stdout).decode() - pin = getpass.getpass('PIN: ') session = requests.Session() - headers = {'Authorization': f'Bearer {token}'} + headers = {'Authorization': f'Bearer {args.access_token}'} # delete old signing session - r = session.delete(f'{url}/signatures/{params["startSigningToken"][0]}', headers=headers) + r = session.delete(f'{args.url}/signatures/{args.params["startSigningToken"][0]}', headers=headers) # register a certificate or sign a document, makes no difference to us - if params.get('registerCertificate'): + if args.params.get('registerCertificate'): q = {'registerCertificate': 1} else: - q = {'documentId': [i for i in params['documentId'][0].split(',')]} + q = {'documentId': [i for i in args.params['documentId'][0].split(',')]} qs = urllib.parse.urlencode(q, doseq=True) - r = session.post(f'{url}/signatures?{qs}', headers=headers) + r = session.post(f'{args.url}/signatures?{qs}', headers=headers) # get signature request and mix in my secrets and publics request = json.loads(r.text) - request['AuthenticationToken'] = token + request['AuthenticationToken'] = args.access_token request['CertificatePublicKey'] = args.cert # keep signing whatever they send us while True: for name in ('AttachmentHashes', 'XmlHashes'): if values := request.get(name, []): - request[f'Signed{name}'] = [sign(v, args.key, pin, engine=args.engine) for v in values] + request[f'Signed{name}'] = [sign(v, args) for v in values] - r = session.put(f'{url}signatures/{request["SignatureRequestId"]}', + r = session.put(f'{args.url}signatures/{request["SignatureRequestId"]}', headers=headers | {'Content-Type': 'application/json; charset=utf-8'}, data=json.dumps(request).encode()) if not r.text: