authoraJuvan <andraz.juvan@heimdall.si>2025-12-15 16:44:05 +0100
committeraJuvan <andraz.juvan@heimdall.si>2025-12-15 16:44:05 +0100
commit898fd4caaa93d6a96f397e3cedc42bb62def5e85 (patch)
tree4b5d999131cd2ebe58348b80b76c267b41541ebb
parentc481d0933cce20c1db091ff76b05a58e19d8b99e (diff)
Fixed python 3.14 requiring string array in submodule, fixed env not being forwarded, added pkcs11 module setting
-rwxr-xr-xmarginaltool14
1 files changed, 9 insertions, 5 deletions
diff --git a/marginaltool b/marginaltool
index d62aea9..d92f0c9 100755
--- a/marginaltool
+++ b/marginaltool
@@ -43,7 +43,10 @@ def init(args):
args.id = config.get(args.url, 'id', fallback=None)
if not args.id:
raise Exception('key ID not specified')
- args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.id], capture_output=True).stdout).decode()
+ if not args.module:
+ args.module = config.get(args.module, 'module')
+ args.module = ["--module", str(pathlib.Path(args.module))] if args.module else []
+ args.cert = base64.b64encode(subprocess.run(['pkcs11-tool'] + args.module + ['--read-object', '--type', 'cert', '--id', args.id], capture_output=True).stdout).decode()
# read the PIN once to avoid prompting for each document
import tkinter.simpledialog # only needed for PIN entry
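Review bot: The config fallback on the new `args.module = config.get(args.module, 'module')` line uses `args.module` as the section name, but that branch only runs when `args.module` is falsy, so the lookup is keyed on `None` rather than the token's section and will raise a configparser error instead of returning the configured module when `-m` is omitted; the sibling lookup three lines above uses `args.url` and `fallback=None`. It should read `args.module = config.get(args.url, 'module', fallback=None)`. The certificate read on the following line still ignores the pkcs11-tool exit status, so a failed read (wrong module path, no token present) silently produces an empty base64 string; `check=True`, or a returncode test like the one in sign(), would surface that. init() continues outside the hunk.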
@@ -58,7 +61,7 @@ def sign(b64data, args):
if not args.keyfile:
raise Exception('keyfile not specified')
cmd = ['openssl', 'pkeyutl', '-sign', '-inkey', args.keyfile, '-pkeyopt', 'digest:sha256']
- env = None
+ env = {}
data = base64.b64decode(b64data)
case 'pkcs11':
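Review bot: `args.keyfile` is still placed into `cmd` as a `pathlib.Path` on the line above the changed one, while the commit converts `args.module` to `str` before building its argv list and attributes that to Python 3.14 requiring string arguments; if that is the cause, the file engine is exposed to the same problem and `'-inkey', str(args.keyfile)` is needed here as well. With `env = {}` the later `os.environ | env` forwards the parent environment unchanged for the file engine, which is consistent with the pkcs11 path. sign() starts and ends outside the hunk.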
@@ -72,14 +75,14 @@ def sign(b64data, args):
'SHA-384': '3041300d060960864801650304020205000430',
'SHA-512': '3051300d060960864801650304020305000440'
}
- cmd = ['pkcs11-tool', '--id', args.id, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN']
+ cmd = ['pkcs11-tool'] + args.module + ['--id', args.id, '-s', '-m', 'RSA-PKCS', '-p', 'env:PIN']
env = {'PIN': args.pin}
data = bytes.fromhex(digest_info['SHA-256']) + base64.b64decode(b64data)
case '_':
raise Exception(f'invalid engine {args.engine}')
- p = subprocess.run(cmd, env=env, input=data, capture_output=True)
+ p = subprocess.run(cmd, env=os.environ | env, input=data, capture_output=True)
if p.returncode != 0:
raise Exception(f'could not sign data: {p.stderr.decode()}')
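Review bot: The `case '_':` arm in this hunk is a literal-string pattern that matches only the value `'_'`, not the wildcard, so an engine outside `file`/`pkcs11` would leave the `match` without binding `cmd`, `env` or `data` and presumably fail at the `subprocess.run` call rather than with the intended "invalid engine" message; it should read `case _:`. argparse's `choices` keeps this unreachable from the command line today, but the guard is dead as written. `os.environ | env` produces a fresh dict, so the parent process environment is not mutated and the PIN reaches pkcs11-tool only through the `env:PIN` mechanism as before; this does rely on `os` being imported at file top, which is outside the hunk. sign() begins and ends outside the hunk.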
@@ -91,7 +94,8 @@ if __name__ == '__main__':
parser.add_argument('-e', '--engine', choices=('file', 'pkcs11'), help='use key file or PKCS11 token?')
parser.add_argument('-k', '--keyfile', type=pathlib.Path, help='key file')
parser.add_argument('-c', '--certfile', type=pathlib.Path, help='certificate file')
- parser.add_argument('-i', '--id', type=int, metavar='<KEY ID>', help='key ID on PKCS11 token')
+ parser.add_argument('-m', '--module', type=pathlib.Path, help='PKCS11 module file')
+ parser.add_argument('-i', '--id', type=str, metavar='<KEY ID>', help='key ID on PKCS11 token')
args = parser.parse_args()
try: