#!/usr/bin/env python3
import argparse
import base64
import configparser
import json
import os
import pathlib
import subprocess
import sys
import urllib.parse
import getpass
# use requests instead of urllib.request for keep-alive connection
import requests
def sign(b64data, key, pin=None, engine=None):
if engine is None:
# key in file
cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', key, '-pkeyopt', 'digest:sha256']
env = None
data = base64.b64decode(b64data)
elif engine == 'pkcs11':
# key on smartcard
digest_info = { # from RFC 3447
'MD2': '3020300c06082a864886f70d020205000410',
'MD5': '3020300c06082a864886f70d020505000410',
'SHA-1': '3021300906052b0e03021a05000414',
'SHA-256': '3031300d060960864801650304020105000420',
'SHA-384': '3041300d060960864801650304020205000430',
'SHA-512': '3051300d060960864801650304020305000440'
}
cmd = ['pkcs11-tool', '--id', key, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN']
env = {'PIN': pin}
data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(b64data)
p = subprocess.run(cmd, env=env, input=data, capture_output=True)
if p.returncode != 0:
raise RuntimeError('could not sign data')
return base64.b64encode(p.stdout).decode()
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Fake the MargTools application.')
parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url')
parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card')
parser.add_argument('-k', '--key', type=pathlib.Path, help='key file')
parser.add_argument('-c', '--cert', type=pathlib.Path, help='certificate file')
args = parser.parse_args()
try:
# parse query string
params = urllib.parse.parse_qs(args.url.query)
url = params['baseUrl'][0]
token = params['accessToken'][0]
# if missing, get options from section [url] in ~/.margfools
config = configparser.ConfigParser()
config.read(os.path.expanduser('~') + '/.margfools')
if not args.engine:
args.engine = config.get(url, 'engine', fallback=None)
if not args.key:
args.key = config.get(url, 'key')
if not args.cert:
args.cert = config.get(url, 'cert', fallback=None)
if not args.key:
print('key not specified', file=sys.stderr)
sys.exit(1)
pin = None
if args.engine is None:
if not args.cert:
print('certificate not specified', file=sys.stderr)
sys.exit(1)
args.cert = ''.join(line.strip() for line in open(args.cert) if not line.startswith('-----'))
elif args.engine == 'pkcs11':
args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.key], capture_output=True).stdout).decode()
pin = getpass.getpass('PIN: ')
session = requests.Session()
headers = {'Authorization': f'Bearer {token}'}
# delete old signing session
r = session.delete(f'{url}/signatures/{params["startSigningToken"][0]}', headers=headers)
# register a certificate or sign a document, makes no difference to us
if params.get('registerCertificate'):
q = {'registerCertificate': 1}
else:
q = {'documentId': [i for i in params['documentId'][0].split(',')]}
qs = urllib.parse.urlencode(q, doseq=True)
r = session.post(f'{url}/signatures?{qs}', headers=headers)
# get signature request and mix in my secrets and publics
request = json.loads(r.text)
request['AuthenticationToken'] = token
request['CertificatePublicKey'] = args.cert
# keep signing whatever they send us
while True:
for name in ('AttachmentHashes', 'XmlHashes'):
if request.get(name) is not None:
request[f'Signed{name}'] = [sign(e, args.key, pin, engine=args.engine) for e in request[name]]
d = json.dumps(request)
d = d.encode()
r = session.put(f'{url}signatures/{request["SignatureRequestId"]}',
headers=headers | {'Content-Type': 'application/json; charset=utf-8'},
data=json.dumps(request).encode())
if not r.text:
break
request |= json.loads(r.text)
except Exception as ex:
print(ex, file=sys.stderr)
input('press enter to exit') # don’t close terminal immediately on fail