rc/marginaltool
2
0
Fork 1
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Drop user- prefix from key and cert arguments and config options

Browse source
This commit is contained in:
Timotej Lazar 2024-01-16 21:51:47 +01:00
parent bfaa9c2565
commit af62cc41a9
2 changed files with 20 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -11,8 +11,8 @@ Create the configuration file `~/.margfools`. The contents are described in the
If you are using certificate files, add the paths to your TLS private key and certificate in PEM format:
[https://gcsign.example.com/BCSign/]
user-key = <path/to/key.pem>
user-cert = <path/to/cert.pem>
key = <path/to/key.pem>
cert = <path/to/cert.pem>
### Certificates on smartcards
@ -26,7 +26,7 @@ Assuming the ID of your certificate was 07, specify the engine and certificate s
[https://gcsign.example.com/BCSign/]
engine = pkcs11
user-key = 07
key = 07
You will be asked for your pin during signing.

36
margfools
View file

@ -40,8 +40,8 @@ def sign(data, key, pin=None, engine=None):
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Fake the MargTools application.')
parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url')
parser.add_argument('-k', '--user-key', type=pathlib.Path, help='key file')
parser.add_argument('-c', '--user-cert', type=pathlib.Path, help='certificate file')
parser.add_argument('-k', '--key', type=pathlib.Path, help='key file')
parser.add_argument('-c', '--cert', type=pathlib.Path, help='certificate file')
parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card')
args = parser.parse_args()
@ -51,30 +51,28 @@ if __name__ == '__main__':
url = params['baseUrl'][0]
token = params['accessToken'][0]
# if missing, get user key and cert from section [url] in ~/.margfools
# if missing, get key and cert from section [url] in ~/.margfools
config = configparser.ConfigParser()
config.read(os.path.expanduser('~') + '/.margfools')
if not args.user_key:
args.user_key = config.get(url, 'user-key')
if not args.user_cert:
args.user_cert = config.get(url, 'user-cert', fallback=None)
if not args.user_key:
print('user key not specified', file=sys.stderr)
if not args.key:
args.key = config.get(url, 'key')
if not args.cert:
args.cert = config.get(url, 'cert', fallback=None)
if not args.key:
print('key not specified', file=sys.stderr)
sys.exit(1)
if not args.engine:
args.engine = config.get(url, 'engine')
engine = args.engine
user_keyfile = args.user_key
pin = None
if engine is None:
if not args.user_cert:
print('user cert not specified', file=sys.stderr)
if args.engine is None:
if not args.cert:
print('certificate not specified', file=sys.stderr)
sys.exit(1)
user_cert = ''.join(line.strip() for line in open(args.user_cert) if not line.startswith('-----'))
elif engine == 'pkcs11':
user_cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', user_keyfile], capture_output=True).stdout).decode()
args.cert = ''.join(line.strip() for line in open(args.cert) if not line.startswith('-----'))
elif args.engine == 'pkcs11':
args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.key], capture_output=True).stdout).decode()
pin = getpass.getpass('PIN: ')
session = requests.Session()
headers = {'Authorization': f'Bearer {token}'}
@ -93,12 +91,12 @@ if __name__ == '__main__':
# get signature request and mix in my secrets and publics
request = json.loads(r.text)
request['AuthenticationToken'] = token
request['CertificatePublicKey'] = user_cert
request['CertificatePublicKey'] = args.cert
# keep signing whatever they send us
while True:
for name in ('AttachmentHashes', 'XmlHashes'):
if request.get(name) is not None:
request[f'Signed{name}'] = [sign(e, user_keyfile, pin, engine=engine) for e in request[name]]
request[f'Signed{name}'] = [sign(e, args.key, pin, engine=args.engine) for e in request[name]]
d = json.dumps(request)
d = d.encode()
r = session.put(f'{url}signatures/{request["SignatureRequestId"]}',