From 7576a1ebd03e1d7e68bd1701b8bff8159230fe19 Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Wed, 8 Dec 2021 09:55:37 +0100
Subject: add tooling for signing

There's tools for key generation and conversion and there's tools for signing and verifying a tree leaf. Note that the leaf signing tools use the yet to be decided about SSH signing format, with message (ie signers checksum) being hashed with SHA-512 to match SSH tooling (ssh-keygen -Y).
---
 tools/sigsum-verify-leaf.py | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100755 tools/sigsum-verify-leaf.py

(limited to 'tools/sigsum-verify-leaf.py')

diff --git a/tools/sigsum-verify-leaf.py b/tools/sigsum-verify-leaf.py
new file mode 100755
index 0000000..d8a15fa
--- /dev/null
+++ b/tools/sigsum-verify-leaf.py
@@ -0,0 +1,32 @@
+#! /usr/bin/env python3
+
+# Input: vkeyfile shard_hint signature [checksum]
+# Example: echo foo | ./sigsum-verify-leaf.py nacl.vk 0 $(echo foo | ./sigsum-sign-leaf.py nacl.sk 0)
+# OK
+
+import sys
+from nacl.signing import VerifyKey
+from nacl.encoding import HexEncoder
+from libsigntools import checksum_stdin, ssh_to_sign
+
+alg = 'sha512'
+
+def main():
+    keyfile = sys.argv[1]
+    shard_hint = int(sys.argv[2])
+    sig = bytes.fromhex(sys.argv[3])
+
+    with open(keyfile, 'r') as f:
+        vkey = VerifyKey(f.readline().strip(), encoder=HexEncoder)
+    if len(sys.argv) > 4:
+        checksum = bytes.fromhex(sys.argv[4])
+    else:
+        checksum = checksum_stdin(hashalg=alg)
+
+    namespace = 'tree_leaf:v0:{}@sigsum.org'.format(shard_hint)
+    data = ssh_to_sign(namespace, alg, checksum)
+    vkey.verify(data, signature=sig)
+    print("OK")
+
+if __name__ == '__main__':
+    main()
-- 
cgit v1.2.3
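Review bot: A bad signature surfaces as an uncaught `nacl.exceptions.BadSignatureError` traceback at `vkey.verify(data, signature=sig)`, so a script whose header documents an `OK` result for shell pipelines has no explicit failure output or deliberately chosen exit status on the path that matters most. Catching that exception and exiting non-zero with a short message keeps the OK/FAIL contract symmetric and spares callers from parsing a traceback; the same goes for the `IndexError` raised when fewer than three arguments are given, where a usage line would be clearer. I would also extend the header comment to say that only the first line of vkeyfile is read and must hold the hex-encoded Ed25519 verify key, since `f.readline().strip()` silently ignores anything after it.
```python
from nacl.exceptions import BadSignatureError
# … unchanged: remaining imports, alg, argument parsing, key loading, checksum selection …
    namespace = 'tree_leaf:v0:{}@sigsum.org'.format(shard_hint)
    data = ssh_to_sign(namespace, alg, checksum)
    try:
        vkey.verify(data, signature=sig)
    except BadSignatureError:
        print("FAIL")
        sys.exit(1)
    print("OK")
```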