diff options
author | Linus Nordberg <linus@nordberg.se> | 2021-12-08 09:55:37 +0100 |
---|---|---|
committer | Linus Nordberg <linus@nordberg.se> | 2021-12-08 09:55:37 +0100 |
commit | 7576a1ebd03e1d7e68bd1701b8bff8159230fe19 (patch) | |
tree | 34a6b53a432b842c5aa93fdb97cb17971515280e /tools/sigsum-verify-leaf.py | |
parent | b06f07550957ba8ba4ff237332f16147a29a6dd2 (diff) |
add tooling for signing
There's tools for key generation and conversion and there's tools for
signing and verifying a tree leaf. Note that the leaf signing tools
use the yet to be decided about SSH signing format, with message (ie
signers checksum) being hashed with SHA-512 to match SSH
tooling (ssh-keygen -Y).
Diffstat (limited to 'tools/sigsum-verify-leaf.py')
-rwxr-xr-x | tools/sigsum-verify-leaf.py | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/tools/sigsum-verify-leaf.py b/tools/sigsum-verify-leaf.py new file mode 100755 index 0000000..d8a15fa --- /dev/null +++ b/tools/sigsum-verify-leaf.py @@ -0,0 +1,32 @@ +#! /usr/bin/env python3 + +# Input: vkeyfile shard_hint signature [checksum] +# Example: echo foo | ./sigsum-verify-leaf.py nacl.vk 0 $(echo foo | ./sigsum-sign-leaf.py nacl.sk 0) +# OK + +import sys +from nacl.signing import VerifyKey +from nacl.encoding import HexEncoder +from libsigntools import checksum_stdin, ssh_to_sign + +alg = 'sha512' + +def main(): + keyfile = sys.argv[1] + shard_hint = int(sys.argv[2]) + sig = bytes.fromhex(sys.argv[3]) + + with open(keyfile, 'r') as f: + vkey = VerifyKey(f.readline().strip(), encoder=HexEncoder) + if len(sys.argv) > 4: + checksum = bytes.fromhex(sys.argv[4]) + else: + checksum = checksum_stdin(hashalg=alg) + + namespace = 'tree_leaf:v0:{}@sigsum.org'.format(shard_hint) + data = ssh_to_sign(namespace, alg, checksum) + vkey.verify(data, signature=sig) + print("OK") + +if __name__ == '__main__': + main() |