#!/usr/bin/env python3 import argparse import base64 import configparser import json import os import pathlib import subprocess import sys import traceback import urllib.parse import getpass # use requests instead of urllib.request for keep-alive connection import requests def sign(data, keyfile, unlock_key=None, engine=None): # pkcs11-tool --id 02 -s -p $PIN -m RSA-PKCS if engine is None: cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', keyfile, '-pkeyopt', 'digest:sha256'] raw_data = base64.b64decode(data) env = None elif engine == 'pkcs11': env = {'PIN': unlock_key} """magic_prefix is ASN.1 DER for DigestInfo ::= SEQUENCE { digestAlgorithm DigestAlgorithm, digest OCTET STRING } """ magic_prefix = bytes.fromhex("3031300d060960864801650304020105000420") raw_data = magic_prefix + base64.b64decode(data) cmd = ['pkcs11-tool', '--id', keyfile, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN'] # cmd = ['openssl', 'pkeyutl', '-sign', '-pkeyopt', 'digest:sha256', '-engine', 'pkcs11', '-keyform', 'engine', '-inkey', keyfile] p = subprocess.run( cmd, env=env, input=raw_data, capture_output=True) return base64.b64encode(p.stdout).decode() if __name__ == '__main__': parser = argparse.ArgumentParser(description='Fake the MargTools application.') parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url') parser.add_argument('-k', '--user-key', type=pathlib.Path, help='key file') parser.add_argument('-c', '--user-cert', type=pathlib.Path, help='certificate file') parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card') args = parser.parse_args() try: # parse query string params = urllib.parse.parse_qs(args.url.query) url = params['baseUrl'][0] token = params['accessToken'][0] # if missing, get user key and cert from section [url] in ~/.margfools config = configparser.ConfigParser() config.read(os.path.expanduser('~') + '/.margfools') if not args.user_key: args.user_key = config.get(url, 'user-key') if not args.user_cert: args.user_cert = config.get(url, 'user-cert', fallback=None) if not args.user_key: print('user key not specified', file=sys.stderr) sys.exit(1) if not args.engine: args.engine = config.get(url, 'engine') engine = args.engine user_keyfile = args.user_key # base64.b64encode unlock_key = None if engine is None: if not args.user_cert: print('user cert not specified', file=sys.stderr) sys.exit(1) user_cert = ''.join(line.strip() for line in open(args.user_cert) if not line.startswith('-----')) elif engine == 'pkcs11': user_cert = base64.b64encode(subprocess.run(["pkcs11-tool", "--read-object", "--type", "cert", "--id", user_keyfile], capture_output=True).stdout).decode() unlock_key = getpass.getpass("PIN:") session = requests.Session() headers={'Authorization': f'Bearer {token}'} # delete old signing session r = session.delete(f'{url}/signatures/{params["startSigningToken"][0]}', headers=headers) # register a certificate or sign a document, makes no difference to us if params.get('registerCertificate'): q = {'registerCertificate': 1} else: q = {'documentId': [i for i in params['documentId'][0].split(',')]} qs = urllib.parse.urlencode(q, doseq=True) r = session.post(f'{url}/signatures?{qs}', headers=headers) # get signature request and mix in my secrets and publics request = json.loads(r.text) request['AuthenticationToken'] = token request['CertificatePublicKey'] = user_cert # keep signing whatever they send us while True: for name in ('AttachmentHashes', 'XmlHashes'): if request.get(name) is not None: request[f'Signed{name}'] = [sign(e, user_keyfile, unlock_key, engine=engine) for e in request[name]] d = json.dumps(request) d = d.encode() r = session.put(f'{url}signatures/{request["SignatureRequestId"]}', headers=headers | {'Content-Type': 'application/json; charset=utf-8'}, data=json.dumps(request).encode()) if not r.text: break request |= json.loads(r.text) except: traceback.print_exc() # Don't close terminal immediately on fail input()