From af62cc41a96cc70a844293a10a2ae3fb84c0866e Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Tue, 16 Jan 2024 21:51:47 +0100
Subject: [PATCH] Drop user- prefix from key and cert arguments and config options

---
 README.md | 6 +++---
 margfools | 36 +++++++++++++++++-------------------
 2 files changed, 20 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 79eb765..a74658d 100644
--- a/README.md
+++ b/README.md
@@ -11,8 +11,8 @@ Create the configuration file `~/.margfools`. The contents are described in the
 If you are using certificate files, add the paths to your TLS private key and certificate in PEM format:
 [https://gcsign.example.com/BCSign/]
- user-key =
- user-cert =
+ key =
+ cert =
 ### Certificates on smartcards
@@ -26,7 +26,7 @@ Assuming the ID of your certificate was 07, specify the engine and certificate s
 [https://gcsign.example.com/BCSign/]
 engine = pkcs11
- user-key = 07
+ key = 07
 You will be asked for your pin during signing.
diff --git a/margfools b/margfools
index 9524abe..25b34f0 100755
--- a/margfools
+++ b/margfools
@@ -40,8 +40,8 @@ def sign(data, key, pin=None, engine=None):
 if __name__ == '__main__':
 parser = argparse.ArgumentParser(description='Fake the MargTools application.')
 parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url')
- parser.add_argument('-k', '--user-key', type=pathlib.Path, help='key file')
- parser.add_argument('-c', '--user-cert', type=pathlib.Path, help='certificate file')
+ parser.add_argument('-k', '--key', type=pathlib.Path, help='key file')
+ parser.add_argument('-c', '--cert', type=pathlib.Path, help='certificate file')
 parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card')
 args = parser.parse_args()
@@ -51,30 +51,28 @@ if __name__ == '__main__':
 url = params['baseUrl'][0]
 token = params['accessToken'][0]
- # if missing, get user key and cert from section [url] in ~/.margfools
+ # if missing, get key and cert from section [url] in ~/.margfools
 config = configparser.ConfigParser()
 config.read(os.path.expanduser('~') + '/.margfools')
- if not args.user_key:
- args.user_key = config.get(url, 'user-key')
- if not args.user_cert:
- args.user_cert = config.get(url, 'user-cert', fallback=None)
- if not args.user_key:
- print('user key not specified', file=sys.stderr)
+ if not args.key:
+ args.key = config.get(url, 'key')
+ if not args.cert:
+ args.cert = config.get(url, 'cert', fallback=None)
+ if not args.key:
+ print('key not specified', file=sys.stderr)
 sys.exit(1)
 if not args.engine:
 args.engine = config.get(url, 'engine')
- engine = args.engine
- user_keyfile = args.user_key
 pin = None
- if engine is None:
- if not args.user_cert:
- print('user cert not specified', file=sys.stderr)
+ if args.engine is None:
+ if not args.cert:
+ print('certificate not specified', file=sys.stderr)
 sys.exit(1)
- user_cert = ''.join(line.strip() for line in open(args.user_cert) if not line.startswith('-----'))
- elif engine == 'pkcs11':
- user_cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', user_keyfile], capture_output=True).stdout).decode()
+ args.cert = ''.join(line.strip() for line in open(args.cert) if not line.startswith('-----'))
+ elif args.engine == 'pkcs11':
+ args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.key], capture_output=True).stdout).decode()
 pin = getpass.getpass('PIN: ')
 session = requests.Session()
 headers = {'Authorization': f'Bearer {token}'}
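Review bot: The new `args.key = config.get(url, 'key')` has no `fallback`, unlike the `cert` lookup two lines below, so when the `[url]` section or the `key` option is missing configparser raises `NoSectionError`/`NoOptionError` with a traceback and the following `if not args.key: print('key not specified', ...)` guard only fires for an empty `key =` value; the unchanged context line `args.engine = config.get(url, 'engine')` has the same problem, and the certificate-file example in this commit's README (no `engine` option) appears to hit it. Using `args.key = config.get(url, 'key', fallback=None)` and `args.engine = config.get(url, 'engine', fallback=None)` makes the guard and the `if args.engine is None:` branch reachable as intended. Separately, the `pkcs11-tool` call in the new `elif` branch runs without `check=True`, so a failed read (wrong id, no card present) returns an empty `stdout` and an empty `CertificatePublicKey` is later sent to the server instead of an error; adding `check=True` to that `subprocess.run` call would surface the failure. The enclosing `if __name__ == '__main__':` block starts before and continues after this hunk.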
@@ -93,12 +91,12 @@ if __name__ == '__main__':
 # get signature request and mix in my secrets and publics
 request = json.loads(r.text)
 request['AuthenticationToken'] = token
- request['CertificatePublicKey'] = user_cert
+ request['CertificatePublicKey'] = args.cert
 # keep signing whatever they send us
 while True:
 for name in ('AttachmentHashes', 'XmlHashes'):
 if request.get(name) is not None:
- request[f'Signed{name}'] = [sign(e, user_keyfile, pin, engine=engine) for e in request[name]]
+ request[f'Signed{name}'] = [sign(e, args.key, pin, engine=args.engine) for e in request[name]]
 d = json.dumps(request)
 d = d.encode()
 r = session.put(f'{url}signatures/{request["SignatureRequestId"]}',