Add support for smartcards

2023-12-06 14:49:17 +01:00 · 2023-12-06 14:49:17 +01:00 · 7d04aa3d86
commit 7d04aa3d86
parent 89eabe9f87
2 changed files with 70 additions and 14 deletions
--- a/57
+++ b/57
@ -10,14 +10,33 @@ import subprocess
 import sys
 import traceback
 import urllib.parse
+import getpass

 # use requests instead of urllib.request for keep-alive connection
 import requests

-def sign(data, keyfile):
+def sign(data, keyfile, unlock_key=None, engine=None):
+    #  pkcs11-tool --id 02 -s -p $PIN -m RSA-PKCS
+    if engine is None:
+        cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', keyfile, '-pkeyopt', 'digest:sha256']
+        raw_data = base64.b64decode(data)
+        env = None
+    elif engine == 'pkcs11':
+        env = {'PIN': unlock_key}
+        """magic_prefix is ASN.1 DER for
+           DigestInfo ::= SEQUENCE {
+               digestAlgorithm DigestAlgorithm,
+               digest OCTET STRING
+           }
+        """
+        magic_prefix = bytes.fromhex("3031300d060960864801650304020105000420")
+        raw_data = magic_prefix + base64.b64decode(data)
+        cmd = ['pkcs11-tool', '--id', keyfile, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN']
+        # cmd = ['openssl', 'pkeyutl', '-sign', '-pkeyopt', 'digest:sha256', '-engine', 'pkcs11', '-keyform', 'engine', '-inkey', keyfile]
    p = subprocess.run(
-        ['openssl', 'pkeyutl', '-sign', '-inkey', keyfile, '-pkeyopt', 'digest:sha256'],
-        input=base64.b64decode(data),
+        cmd,
+        env=env,
+        input=raw_data,
        capture_output=True)
    return base64.b64encode(p.stdout).decode()

@ -26,6 +45,7 @@ if __name__ == '__main__':
    parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url')
    parser.add_argument('-k', '--user-key', type=pathlib.Path, help='key file')
    parser.add_argument('-c', '--user-cert', type=pathlib.Path, help='certificate file')
+    parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card')
    args = parser.parse_args()

    try:
@ -40,14 +60,24 @@ if __name__ == '__main__':
        if not args.user_key:
            args.user_key = config.get(url, 'user-key')
        if not args.user_cert:
-            args.user_cert = config.get(url, 'user-cert')
-        if not args.user_key or not args.user_cert:
-            print('user key and/or certificate not specified', file=sys.stderr)
+            args.user_cert = config.get(url, 'user-cert', fallback=None)
+        if not args.user_key:
+            print('user key not specified', file=sys.stderr)
            sys.exit(1)
-
+        if not args.engine:
+            args.engine = config.get(url, 'engine')
+        engine = args.engine
        user_keyfile = args.user_key
-        user_cert = ''.join(line.strip() for line in open(args.user_cert) if not line.startswith('-----'))
-
+        # base64.b64encode
+        unlock_key = None
+        if engine is None:
+            if not args.user_cert:
+                print('user cert not specified', file=sys.stderr)
+                sys.exit(1)
+            user_cert = ''.join(line.strip() for line in open(args.user_cert) if not line.startswith('-----'))
+        elif engine == 'pkcs11':
+            user_cert = base64.b64encode(subprocess.run(["pkcs11-tool", "--read-object", "--type", "cert", "--id", user_keyfile], capture_output=True).stdout).decode()
+            unlock_key = getpass.getpass("PIN:")
        session = requests.Session()
        headers={'Authorization': f'Bearer {token}'}

@ -66,19 +96,20 @@ if __name__ == '__main__':
        request = json.loads(r.text)
        request['AuthenticationToken'] = token
        request['CertificatePublicKey'] = user_cert
-
        # keep signing whatever they send us
        while True:
            for name in ('AttachmentHashes', 'XmlHashes'):
                if request.get(name) is not None:
-                    request[f'Signed{name}'] = [sign(e, user_keyfile) for e in request[name]]
-
+                    request[f'Signed{name}'] = [sign(e, user_keyfile, unlock_key, engine=engine) for e in request[name]]
+            d = json.dumps(request)
+            d = d.encode()
            r = session.put(f'{url}signatures/{request["SignatureRequestId"]}',
                headers=headers | {'Content-Type': 'application/json; charset=utf-8'},
                data=json.dumps(request).encode())
            if not r.text:
                break
            request |= json.loads(r.text)
-
    except:
        traceback.print_exc()
+        # Don't close terminal immediately on fail
+        input()