115 lines
4.6 KiB
Python
Executable file
115 lines
4.6 KiB
Python
Executable file
#!/usr/bin/env python3
|
|
|
|
import argparse
|
|
import base64
|
|
import configparser
|
|
import json
|
|
import os
|
|
import pathlib
|
|
import subprocess
|
|
import sys
|
|
import traceback
|
|
import urllib.parse
|
|
import getpass
|
|
|
|
# use requests instead of urllib.request for keep-alive connection
|
|
import requests
|
|
|
|
def sign(b64data, key, pin=None, engine=None):
|
|
if engine is None:
|
|
# key in file
|
|
cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', key, '-pkeyopt', 'digest:sha256']
|
|
env = None
|
|
data = base64.b64decode(b64data)
|
|
elif engine == 'pkcs11':
|
|
# key on smartcard
|
|
digest_info = { # from RFC 3447
|
|
'MD2': '3020300c06082a864886f70d020205000410',
|
|
'MD5': '3020300c06082a864886f70d020505000410',
|
|
'SHA-1': '3021300906052b0e03021a05000414',
|
|
'SHA-256': '3031300d060960864801650304020105000420',
|
|
'SHA-384': '3041300d060960864801650304020205000430',
|
|
'SHA-512': '3051300d060960864801650304020305000440'
|
|
}
|
|
cmd = ['pkcs11-tool', '--id', key, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN']
|
|
env = {'PIN': pin}
|
|
data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(b64data)
|
|
|
|
p = subprocess.run(cmd, env=env, input=data, capture_output=True)
|
|
if p.returncode != 0:
|
|
raise RuntimeError('could not sign data')
|
|
|
|
return base64.b64encode(p.stdout).decode()
|
|
|
|
if __name__ == '__main__':
|
|
parser = argparse.ArgumentParser(description='Fake the MargTools application.')
|
|
parser.add_argument('url', type=urllib.parse.urlparse, help='bc-digsign:// url')
|
|
parser.add_argument('-e', '--engine', type=str, help='"pkcs11" for smart card')
|
|
parser.add_argument('-k', '--key', type=pathlib.Path, help='key file')
|
|
parser.add_argument('-c', '--cert', type=pathlib.Path, help='certificate file')
|
|
args = parser.parse_args()
|
|
|
|
try:
|
|
# parse query string
|
|
params = urllib.parse.parse_qs(args.url.query)
|
|
url = params['baseUrl'][0]
|
|
token = params['accessToken'][0]
|
|
|
|
# if missing, get options from section [url] in ~/.margfools
|
|
config = configparser.ConfigParser()
|
|
config.read(os.path.expanduser('~') + '/.margfools')
|
|
if not args.engine:
|
|
args.engine = config.get(url, 'engine', fallback=None)
|
|
if not args.key:
|
|
args.key = config.get(url, 'key')
|
|
if not args.cert:
|
|
args.cert = config.get(url, 'cert', fallback=None)
|
|
if not args.key:
|
|
print('key not specified', file=sys.stderr)
|
|
sys.exit(1)
|
|
|
|
pin = None
|
|
|
|
if args.engine is None:
|
|
if not args.cert:
|
|
print('certificate not specified', file=sys.stderr)
|
|
sys.exit(1)
|
|
args.cert = ''.join(line.strip() for line in open(args.cert) if not line.startswith('-----'))
|
|
elif args.engine == 'pkcs11':
|
|
args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.key], capture_output=True).stdout).decode()
|
|
pin = getpass.getpass('PIN: ')
|
|
session = requests.Session()
|
|
headers = {'Authorization': f'Bearer {token}'}
|
|
|
|
# delete old signing session
|
|
r = session.delete(f'{url}/signatures/{params["startSigningToken"][0]}', headers=headers)
|
|
|
|
# register a certificate or sign a document, makes no difference to us
|
|
if params.get('registerCertificate'):
|
|
q = {'registerCertificate': 1}
|
|
else:
|
|
q = {'documentId': [i for i in params['documentId'][0].split(',')]}
|
|
qs = urllib.parse.urlencode(q, doseq=True)
|
|
r = session.post(f'{url}/signatures?{qs}', headers=headers)
|
|
|
|
# get signature request and mix in my secrets and publics
|
|
request = json.loads(r.text)
|
|
request['AuthenticationToken'] = token
|
|
request['CertificatePublicKey'] = args.cert
|
|
# keep signing whatever they send us
|
|
while True:
|
|
for name in ('AttachmentHashes', 'XmlHashes'):
|
|
if request.get(name) is not None:
|
|
request[f'Signed{name}'] = [sign(e, args.key, pin, engine=args.engine) for e in request[name]]
|
|
d = json.dumps(request)
|
|
d = d.encode()
|
|
r = session.put(f'{url}signatures/{request["SignatureRequestId"]}',
|
|
headers=headers | {'Content-Type': 'application/json; charset=utf-8'},
|
|
data=json.dumps(request).encode())
|
|
if not r.text:
|
|
break
|
|
request |= json.loads(r.text)
|
|
except:
|
|
traceback.print_exc()
|
|
input('press enter to exit') # don’t close terminal immediately on fail
|