blob: 8ad57007cc187ad4720ca4207fc0eb1f43de382c [file] [log] [blame]
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS-IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""A command-line utility for using digital signature for a file.
It loads cleartext keys from disk - this is not recommended!
It requires 3 or 4 arguments:
mode: either 'sign' or 'verify'
keyset-file: name of the file with the keyset to be used for the digital
signature
data-file: name of the file with the input data to be signed / verified
[optional] expected-signature-file: name of the file containing a hexadecimal
signature with which to compare to
"""
from __future__ import absolute_import
from __future__ import division
# Placeholder for import for type annotations
from __future__ import print_function
import binascii
# Special imports
from absl import app
from absl import flags
from absl import logging
import tink
from tink import cleartext_keyset_handle
from tink import signature
FLAGS = flags.FLAGS
def main(argv):
if len(argv) not in (4, 5):
raise app.UsageError(
'Expected 3 or 4 arguments, got %d.\n Usage: %s sign/verify keyset-file'
' data-file [expected-signature-file]' %
(len(argv) - 1, argv[0]))
mode = argv[1]
keyset_filename = argv[2]
data_filename = argv[3]
if mode not in ['sign', 'verify']:
logging.error('Incorrect mode. Please select "sign" or "verify".')
return 1
# Initialise Tink.
try:
signature.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
# Read the keyset into a keyset_handle.
with open(keyset_filename, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text))
except tink.TinkError as e:
logging.error('Error reading key: %s', e)
return 1
# Get the primitive.
try:
if mode == 'sign':
cipher = keyset_handle.primitive(signature.PublicKeySign)
else:
cipher = keyset_handle.primitive(signature.PublicKeyVerify)
except tink.TinkError as e:
logging.error('Error creating primitive: %s', e)
return 1
with open(data_filename, 'rb') as data_file:
data = data_file.read()
# Compute the signature.
if mode == 'sign':
if len(argv) != 4:
logging.error('Invalid number of parameters for signing.'
'Expected 3 arguments, got %d.\n Usage: %s sign '
'keyset-file data-file')
return 1
code = cipher.sign(data)
logging.info('Signature output is %s',
binascii.hexlify(code).decode('utf-8'))
return 0
if mode == 'verify':
if len(argv) != 5:
logging.error('Invalid number of parameters for verification.'
'Expected 4 arguments, got %d.\n Usage: %s verify '
'keyset-file data-file [expected-signature-file]')
return 1
expected_code_filename = argv[4]
with open(expected_code_filename, 'rb') as expected_code_file:
expected_code_hex = expected_code_file.read().strip()
logging.info(
'Using keyset from file %s to verify file %s against expected signature on %s',
keyset_filename, data_filename, expected_code_hex.decode('utf-8'))
try:
expected_signature = binascii.unhexlify(expected_code_hex)
except binascii.Error as e:
logging.error('Error reading expected signature: %s', e)
return 1
try:
cipher.verify(expected_signature, data)
logging.info('Signature outputs matched. Success!')
return 0
except tink.TinkError as e:
logging.info('Signature outputs did not match!')
return 1
if __name__ == '__main__':
app.run(main)