aboutsummaryrefslogtreecommitdiff
path: root/tools/sigsum-verify-leaf.py
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordberg.se>2021-12-08 09:55:37 +0100
committerLinus Nordberg <linus@nordberg.se>2021-12-08 09:55:37 +0100
commit7576a1ebd03e1d7e68bd1701b8bff8159230fe19 (patch)
tree34a6b53a432b842c5aa93fdb97cb17971515280e /tools/sigsum-verify-leaf.py
parentb06f07550957ba8ba4ff237332f16147a29a6dd2 (diff)
add tooling for signing
There's tools for key generation and conversion and there's tools for signing and verifying a tree leaf. Note that the leaf signing tools use the yet to be decided about SSH signing format, with message (ie signers checksum) being hashed with SHA-512 to match SSH tooling (ssh-keygen -Y).
Diffstat (limited to 'tools/sigsum-verify-leaf.py')
-rwxr-xr-xtools/sigsum-verify-leaf.py32
1 files changed, 32 insertions, 0 deletions
diff --git a/tools/sigsum-verify-leaf.py b/tools/sigsum-verify-leaf.py
new file mode 100755
index 0000000..d8a15fa
--- /dev/null
+++ b/tools/sigsum-verify-leaf.py
@@ -0,0 +1,32 @@
+#! /usr/bin/env python3
+
+# Input: vkeyfile shard_hint signature [checksum]
+# Example: echo foo | ./sigsum-verify-leaf.py nacl.vk 0 $(echo foo | ./sigsum-sign-leaf.py nacl.sk 0)
+# OK
+
+import sys
+from nacl.signing import VerifyKey
+from nacl.encoding import HexEncoder
+from libsigntools import checksum_stdin, ssh_to_sign
+
+alg = 'sha512'
+
+def main():
+ keyfile = sys.argv[1]
+ shard_hint = int(sys.argv[2])
+ sig = bytes.fromhex(sys.argv[3])
+
+ with open(keyfile, 'r') as f:
+ vkey = VerifyKey(f.readline().strip(), encoder=HexEncoder)
+ if len(sys.argv) > 4:
+ checksum = bytes.fromhex(sys.argv[4])
+ else:
+ checksum = checksum_stdin(hashalg=alg)
+
+ namespace = 'tree_leaf:v0:{}@sigsum.org'.format(shard_hint)
+ data = ssh_to_sign(namespace, alg, checksum)
+ vkey.verify(data, signature=sig)
+ print("OK")
+
+if __name__ == '__main__':
+ main()