Use tkinter for PIN entry

marginaltool

@@ -9,7 +9,6 @@ import pathlib
 import subprocess
 import sys
 import urllib.parse
-import getpass
 
 # use requests instead of urllib.request for keep-alive connection
 import requests
@@ -35,13 +34,18 @@ def init(args):
             if not args.keyfile or not args.certfile:
                 raise Exception('key or certificate file not specified')
             args.cert = ''.join(line.strip() for line in open(args.certfile) if not line.startswith('-----'))
+
         case 'pkcs11':
             if not args.id:
                 args.id = config.get(args.url, 'id', fallback=None)
             if not args.id:
                 raise Exception('key ID not specified')
             args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.id], capture_output=True).stdout).decode()
-            args.pin = getpass.getpass('PIN: ')
+
+            # read the PIN once to avoid prompting for each document
+            import tkinter.simpledialog # only needed for PIN entry
+            args.pin = tkinter.simpledialog.askstring('marginaltool', 'PIN', show="*")
+
         case '_':
             raise Exception(f'invalid engine {args.engine}')
 
@@ -53,6 +57,7 @@ def sign(b64data, args):
             cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', args.keyfile, '-pkeyopt', 'digest:sha256']
             env = None
             data = base64.b64decode(b64data)
+
         case 'pkcs11':
             if not args.id:
                 raise Exception('key ID not specified')
@@ -67,6 +72,7 @@ def sign(b64data, args):
             cmd = ['pkcs11-tool', '--id', args.id, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN']
             env = {'PIN': args.pin}
             data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(b64data)
+
         case '_':
             raise Exception(f'invalid engine {args.engine}')