From 898fd4caaa93d6a96f397e3cedc42bb62def5e85 Mon Sep 17 00:00:00 2001
From: aJuvan <andraz.juvan@heimdall.si>
Date: Mon, 15 Dec 2025 16:44:05 +0100
Subject: [PATCH] Fixed python 3.14 requiring string array in submodule, fixed
 env not being forwarded, added pkcs11 module setting

---
 marginaltool | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/marginaltool b/marginaltool
index d62aea9..d92f0c9 100755
--- a/marginaltool
+++ b/marginaltool
@@ -43,7 +43,10 @@ def init(args):
                 args.id = config.get(args.url, 'id', fallback=None)
             if not args.id:
                 raise Exception('key ID not specified')
-            args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.id], capture_output=True).stdout).decode()
+            if not args.module:
+                args.module = config.get(args.module, 'module')
+            args.module = ["--module", str(pathlib.Path(args.module))] if args.module else []
+            args.cert = base64.b64encode(subprocess.run(['pkcs11-tool'] + args.module + ['--read-object', '--type', 'cert', '--id', args.id], capture_output=True).stdout).decode()
 
             # read the PIN once to avoid prompting for each document
             import tkinter.simpledialog # only needed for PIN entry
@@ -58,7 +61,7 @@ def sign(b64data, args):
             if not args.keyfile:
                 raise Exception('keyfile not specified')
             cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', args.keyfile, '-pkeyopt', 'digest:sha256']
-            env = None
+            env = {}
             data = base64.b64decode(b64data)
 
         case 'pkcs11':
@@ -72,14 +75,14 @@ def sign(b64data, args):
                 'SHA-384': '3041300d060960864801650304020205000430',
                 'SHA-512': '3051300d060960864801650304020305000440'
             }
-            cmd = ['pkcs11-tool', '--id', args.id, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN']
+            cmd = ['pkcs11-tool'] + args.module + ['--id', args.id, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN']
             env = {'PIN': args.pin}
             data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(b64data)
 
         case '_':
             raise Exception(f'invalid engine {args.engine}')
 
-    p = subprocess.run(cmd, env=env, input=data, capture_output=True)
+    p = subprocess.run(cmd, env=os.environ | env, input=data, capture_output=True)
     if p.returncode != 0:
         raise Exception(f'could not sign data: {p.stderr.decode()}')
 
@@ -91,7 +94,8 @@ if __name__ == '__main__':
     parser.add_argument('-e', '--engine', choices=('file', 'pkcs11'), help='use key file or PKCS11 token?')
     parser.add_argument('-k', '--keyfile', type=pathlib.Path, help='key file')
     parser.add_argument('-c', '--certfile', type=pathlib.Path, help='certificate file')
-    parser.add_argument('-i', '--id', type=int, metavar='<KEY ID>', help='key ID on PKCS11 token')
+    parser.add_argument('-m', '--module', type=pathlib.Path, help='PKCS11 module file')
+    parser.add_argument('-i', '--id', type=str, metavar='<KEY ID>', help='key ID on PKCS11 token')
     args = parser.parse_args()
 
     try: