[mirror_edk2.git] / BaseTools / Source / Python / Rsa2048Sha256Sign / Rsa2048Sha256Sign.py

## @file\r
# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of\r
# EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as\r
#   {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}\r
# This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013\r
#\r
# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
# This program and the accompanying materials\r
# are licensed and made available under the terms and conditions of the BSD License\r
# which accompanies this distribution.  The full text of the license may be found at\r
# http://opensource.org/licenses/bsd-license.php\r
#\r
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
#\r
\r
'''\r
Rsa2048Sha256Sign\r
'''\r
from __future__ import print_function\r
\r
import os\r
import sys\r
import argparse \r
import subprocess\r
import uuid\r
import struct\r
import collections\r
from Common.BuildVersion import gBUILD_VERSION\r
\r
#\r
# Globals for help information\r
#\r
__prog__      = 'Rsa2048Sha256Sign'\r
__version__   = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)\r
__copyright__ = 'Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.'\r
__usage__     = '%s -e|-d [options] <input_file>' % (__prog__)\r
\r
#\r
# GUID for SHA 256 Hash Algorithm from UEFI Specification\r
#\r
EFI_HASH_ALGORITHM_SHA256_GUID = uuid.UUID('{51aa59de-fdf2-4ea3-bc63-875fb7842ee9}')\r
\r
#\r
# Structure defintion to unpack EFI_CERT_BLOCK_RSA_2048_SHA256 from UEFI 2.4 Specification\r
#\r
#   typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 {\r
#     EFI_GUID HashType;\r
#     UINT8 PublicKey[256];\r
#     UINT8 Signature[256];\r
#   } EFI_CERT_BLOCK_RSA_2048_SHA256;\r
#\r
EFI_CERT_BLOCK_RSA_2048_SHA256        = collections.namedtuple('EFI_CERT_BLOCK_RSA_2048_SHA256', ['HashType','PublicKey','Signature'])\r
EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT = struct.Struct('16s256s256s')\r
\r
#\r
# Filename of test signing private key that is stored in same directory as this tool\r
#\r
TEST_SIGNING_PRIVATE_KEY_FILENAME = 'TestSigningPrivateKey.pem'\r
\r
if __name__ == '__main__':\r
  #\r
  # Create command line argument parser object\r
  #  \r
  parser = argparse.ArgumentParser(prog=__prog__, version=__version__, usage=__usage__, description=__copyright__, conflict_handler='resolve')\r
  group = parser.add_mutually_exclusive_group(required=True)\r
  group.add_argument("-e", action="store_true", dest='Encode', help='encode file')\r
  group.add_argument("-d", action="store_true", dest='Decode', help='decode file')\r
  parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)\r
  parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")\r
  parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename.  If not specified, a test signing key is used.")\r
  parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")\r
  parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")\r
  parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0,10), default=0, help="set debug level")\r
  parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")\r
\r
  #\r
  # Parse command line arguments\r
  #  \r
  args = parser.parse_args()\r
\r
  #\r
  # Generate file path to Open SSL command\r
  #\r
  OpenSslCommand = 'openssl'\r
  try:\r
    OpenSslPath = os.environ['OPENSSL_PATH']\r
    OpenSslCommand = os.path.join(OpenSslPath, OpenSslCommand)\r
    if ' ' in OpenSslCommand:\r
      OpenSslCommand = '"' + OpenSslCommand + '"'\r
  except:\r
    pass\r
\r
  #\r
  # Verify that Open SSL command is available\r
  #\r
  try:\r
    Process = subprocess.Popen('%s version' % (OpenSslCommand), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
  except:  \r
    print('ERROR: Open SSL command not available.  Please verify PATH or set OPENSSL_PATH')\r
    sys.exit(1)\r
    \r
  Version = Process.communicate()\r
  if Process.returncode != 0:\r
    print('ERROR: Open SSL command not available.  Please verify PATH or set OPENSSL_PATH')\r
    sys.exit(Process.returncode)\r
  print(Version[0])\r
  \r
  #\r
  # Read input file into a buffer and save input filename\r
  #  \r
  args.InputFileName   = args.InputFile.name\r
  args.InputFileBuffer = args.InputFile.read()\r
  args.InputFile.close()\r
\r
  #\r
  # Save output filename and check if path exists\r
  #\r
  OutputDir = os.path.dirname(args.OutputFile)\r
  if not os.path.exists(OutputDir):\r
    print('ERROR: The output path does not exist: %s' % OutputDir)\r
    sys.exit(1)\r
  args.OutputFileName = args.OutputFile\r
\r
  #\r
  # Save private key filename and close private key file\r
  #\r
  try:\r
    args.PrivateKeyFileName = args.PrivateKeyFile.name\r
    args.PrivateKeyFile.close()\r
  except:\r
    try:\r
      #\r
      # Get path to currently executing script or executable\r
      #\r
      if hasattr(sys, 'frozen'):\r
          RsaToolPath = sys.executable\r
      else:\r
          RsaToolPath = sys.argv[0]\r
      if RsaToolPath.startswith('"'):\r
          RsaToolPath = RsaToolPath[1:]\r
      if RsaToolPath.endswith('"'):\r
          RsaToolPath = RsaToolPath[:-1]\r
      args.PrivateKeyFileName = os.path.join(os.path.dirname(os.path.realpath(RsaToolPath)), TEST_SIGNING_PRIVATE_KEY_FILENAME)\r
      args.PrivateKeyFile = open(args.PrivateKeyFileName, 'rb')\r
      args.PrivateKeyFile.close()\r
    except:\r
      print('ERROR: test signing private key file %s missing' % (args.PrivateKeyFileName))\r
      sys.exit(1)\r
\r
  #\r
  # Extract public key from private key into STDOUT\r
  #\r
  Process = subprocess.Popen('%s rsa -in "%s" -modulus -noout' % (OpenSslCommand, args.PrivateKeyFileName), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
  PublicKeyHexString = Process.communicate()[0].split('=')[1].strip()\r
  PublicKey = ''\r
  while len(PublicKeyHexString) > 0:\r
    PublicKey = PublicKey + chr(int(PublicKeyHexString[0:2],16))\r
    PublicKeyHexString=PublicKeyHexString[2:]\r
  if Process.returncode != 0:\r
    sys.exit(Process.returncode)\r
\r
  if args.MonotonicCountStr:\r
    try:\r
      if args.MonotonicCountStr.upper().startswith('0X'):\r
        args.MonotonicCountValue = (long)(args.MonotonicCountStr, 16)\r
      else:\r
        args.MonotonicCountValue = (long)(args.MonotonicCountStr)\r
    except:\r
        pass\r
\r
  if args.Encode:\r
    FullInputFileBuffer = args.InputFileBuffer\r
    if args.MonotonicCountStr:\r
      format = "%dsQ" % len(args.InputFileBuffer)\r
      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
    # \r
    # Sign the input file using the specified private key and capture signature from STDOUT\r
    #\r
    Process = subprocess.Popen('%s dgst -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
    Signature = Process.communicate(input=FullInputFileBuffer)[0]\r
    if Process.returncode != 0:\r
      sys.exit(Process.returncode)\r
      \r
    #\r
    # Write output file that contains hash GUID, Public Key, Signature, and Input data\r
    #    \r
    args.OutputFile = open(args.OutputFileName, 'wb')\r
    args.OutputFile.write(EFI_HASH_ALGORITHM_SHA256_GUID.get_bytes_le())\r
    args.OutputFile.write(PublicKey)\r
    args.OutputFile.write(Signature)\r
    args.OutputFile.write(args.InputFileBuffer)\r
    args.OutputFile.close()\r
\r
  if args.Decode:\r
    #\r
    # Parse Hash Type, Public Key, and Signature from the section header\r
    #\r
    Header = EFI_CERT_BLOCK_RSA_2048_SHA256._make(EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.unpack_from(args.InputFileBuffer))\r
    args.InputFileBuffer = args.InputFileBuffer[EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.size:]\r
    \r
    #\r
    # Verify that the Hash Type matches the expected SHA256 type\r
    #\r
    if uuid.UUID(bytes_le = Header.HashType) != EFI_HASH_ALGORITHM_SHA256_GUID:\r
      print('ERROR: unsupport hash GUID')\r
      sys.exit(1)\r
\r
    #\r
    # Verify the public key\r
    #\r
    if Header.PublicKey != PublicKey:\r
      print('ERROR: Public key in input file does not match public key from private key file')\r
      sys.exit(1)\r
\r
    FullInputFileBuffer = args.InputFileBuffer\r
    if args.MonotonicCountStr:\r
      format = "%dsQ" % len(args.InputFileBuffer)\r
      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
\r
    #\r
    # Write Signature to output file\r
    #\r
    open(args.OutputFileName, 'wb').write(Header.Signature)\r
      \r
    #\r
    # Verify signature\r
    #    \r
    Process = subprocess.Popen('%s dgst -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
    Process.communicate(input=FullInputFileBuffer)\r
    if Process.returncode != 0:\r
      print('ERROR: Verification failed')\r
      os.remove (args.OutputFileName)\r
      sys.exit(Process.returncode)\r
\r
    #\r
    # Save output file contents from input file \r
    #    \r
    open(args.OutputFileName, 'wb').write(args.InputFileBuffer)\r
Commit	Line	Data
65ce860e	1	## @file\r
9b98c416	2	# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of\r
65ce860e MK	3	# EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as\r
	4	# {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}\r
	5	# This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013\r
	6	#\r
d1b77744	7	# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
65ce860e MK	8	# This program and the accompanying materials\r
	9	# are licensed and made available under the terms and conditions of the BSD License\r
	10	# which accompanies this distribution. The full text of the license may be found at\r
	11	# http://opensource.org/licenses/bsd-license.php\r
	12	#\r
	13	# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	14	# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	15	#\r
	16	\r
	17	'''\r
	18	Rsa2048Sha256Sign\r
	19	'''\r
72443dd2	20	from __future__ import print_function\r
65ce860e MK	21	\r
	22	import os\r
	23	import sys\r
	24	import argparse \r
	25	import subprocess\r
	26	import uuid\r
	27	import struct\r
	28	import collections\r
c9df168f MK	29	from Common.BuildVersion import gBUILD_VERSION\r
	30	\r
	31	#\r
	32	# Globals for help information\r
	33	#\r
	34	__prog__ = 'Rsa2048Sha256Sign'\r
	35	__version__ = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)\r
9b98c416	36	__copyright__ = 'Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.'\r
c9df168f	37	__usage__ = '%s -e\|-d [options] <input_file>' % (__prog__)\r
65ce860e MK	38	\r
	39	#\r
	40	# GUID for SHA 256 Hash Algorithm from UEFI Specification\r
	41	#\r
	42	EFI_HASH_ALGORITHM_SHA256_GUID = uuid.UUID('{51aa59de-fdf2-4ea3-bc63-875fb7842ee9}')\r
	43	\r
	44	#\r
	45	# Structure defintion to unpack EFI_CERT_BLOCK_RSA_2048_SHA256 from UEFI 2.4 Specification\r
	46	#\r
	47	# typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 {\r
	48	# EFI_GUID HashType;\r
	49	# UINT8 PublicKey[256];\r
	50	# UINT8 Signature[256];\r
	51	# } EFI_CERT_BLOCK_RSA_2048_SHA256;\r
	52	#\r
	53	EFI_CERT_BLOCK_RSA_2048_SHA256 = collections.namedtuple('EFI_CERT_BLOCK_RSA_2048_SHA256', ['HashType','PublicKey','Signature'])\r
	54	EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT = struct.Struct('16s256s256s')\r
	55	\r
	56	#\r
	57	# Filename of test signing private key that is stored in same directory as this tool\r
	58	#\r
	59	TEST_SIGNING_PRIVATE_KEY_FILENAME = 'TestSigningPrivateKey.pem'\r
	60	\r
	61	if __name__ == '__main__':\r
65ce860e MK	62	#\r
	63	# Create command line argument parser object\r
	64	# \r
c9df168f	65	parser = argparse.ArgumentParser(prog=__prog__, version=__version__, usage=__usage__, description=__copyright__, conflict_handler='resolve')\r
65ce860e MK	66	group = parser.add_mutually_exclusive_group(required=True)\r
	67	group.add_argument("-e", action="store_true", dest='Encode', help='encode file')\r
	68	group.add_argument("-d", action="store_true", dest='Decode', help='decode file')\r
b40286bb	69	parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)\r
9b98c416	70	parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")\r
65ce860e MK	71	parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename. If not specified, a test signing key is used.")\r
	72	parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")\r
	73	parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")\r
	74	parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0,10), default=0, help="set debug level")\r
65ce860e MK	75	parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")\r
	76	\r
	77	#\r
	78	# Parse command line arguments\r
	79	# \r
	80	args = parser.parse_args()\r
	81	\r
	82	#\r
	83	# Generate file path to Open SSL command\r
	84	#\r
	85	OpenSslCommand = 'openssl'\r
	86	try:\r
	87	OpenSslPath = os.environ['OPENSSL_PATH']\r
	88	OpenSslCommand = os.path.join(OpenSslPath, OpenSslCommand)\r
a3607b26 YZ	89	if ' ' in OpenSslCommand:\r
a3607b26 YZ	90	OpenSslCommand = '"' + OpenSslCommand + '"'\r
65ce860e MK	91	except:\r
	92	pass\r
	93	\r
	94	#\r
	95	# Verify that Open SSL command is available\r
	96	#\r
	97	try:\r
8a0933f4	98	Process = subprocess.Popen('%s version' % (OpenSslCommand), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
65ce860e	99	except: \r
72443dd2	100	print('ERROR: Open SSL command not available. Please verify PATH or set OPENSSL_PATH')\r
65ce860e MK	101	sys.exit(1)\r
	102	\r
	103	Version = Process.communicate()\r
87d2afd0	104	if Process.returncode != 0:\r
72443dd2	105	print('ERROR: Open SSL command not available. Please verify PATH or set OPENSSL_PATH')\r
65ce860e	106	sys.exit(Process.returncode)\r
72443dd2	107	print(Version[0])\r
65ce860e MK	108	\r
	109	#\r
	110	# Read input file into a buffer and save input filename\r
	111	# \r
	112	args.InputFileName = args.InputFile.name\r
	113	args.InputFileBuffer = args.InputFile.read()\r
	114	args.InputFile.close()\r
	115	\r
	116	#\r
b40286bb	117	# Save output filename and check if path exists\r
65ce860e	118	#\r
b40286bb YL	119	OutputDir = os.path.dirname(args.OutputFile)\r
b40286bb YL	120	if not os.path.exists(OutputDir):\r
72443dd2	121	print('ERROR: The output path does not exist: %s' % OutputDir)\r
b40286bb YL	122	sys.exit(1)\r
b40286bb YL	123	args.OutputFileName = args.OutputFile\r
65ce860e MK	124	\r
	125	#\r
	126	# Save private key filename and close private key file\r
	127	#\r
	128	try:\r
	129	args.PrivateKeyFileName = args.PrivateKeyFile.name\r
	130	args.PrivateKeyFile.close()\r
	131	except:\r
	132	try:\r
	133	#\r
	134	# Get path to currently executing script or executable\r
	135	#\r
	136	if hasattr(sys, 'frozen'):\r
	137	RsaToolPath = sys.executable\r
	138	else:\r
	139	RsaToolPath = sys.argv[0]\r
	140	if RsaToolPath.startswith('"'):\r
	141	RsaToolPath = RsaToolPath[1:]\r
	142	if RsaToolPath.endswith('"'):\r
	143	RsaToolPath = RsaToolPath[:-1]\r
	144	args.PrivateKeyFileName = os.path.join(os.path.dirname(os.path.realpath(RsaToolPath)), TEST_SIGNING_PRIVATE_KEY_FILENAME)\r
	145	args.PrivateKeyFile = open(args.PrivateKeyFileName, 'rb')\r
	146	args.PrivateKeyFile.close()\r
	147	except:\r
72443dd2	148	print('ERROR: test signing private key file %s missing' % (args.PrivateKeyFileName))\r
65ce860e MK	149	sys.exit(1)\r
	150	\r
	151	#\r
	152	# Extract public key from private key into STDOUT\r
	153	#\r
a5f26fef	154	Process = subprocess.Popen('%s rsa -in "%s" -modulus -noout' % (OpenSslCommand, args.PrivateKeyFileName), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
65ce860e MK	155	PublicKeyHexString = Process.communicate()[0].split('=')[1].strip()\r
	156	PublicKey = ''\r
	157	while len(PublicKeyHexString) > 0:\r
	158	PublicKey = PublicKey + chr(int(PublicKeyHexString[0:2],16))\r
	159	PublicKeyHexString=PublicKeyHexString[2:]\r
87d2afd0	160	if Process.returncode != 0:\r
65ce860e	161	sys.exit(Process.returncode)\r
9b98c416 YZ	162	\r
	163	if args.MonotonicCountStr:\r
	164	try:\r
	165	if args.MonotonicCountStr.upper().startswith('0X'):\r
	166	args.MonotonicCountValue = (long)(args.MonotonicCountStr, 16)\r
	167	else:\r
	168	args.MonotonicCountValue = (long)(args.MonotonicCountStr)\r
	169	except:\r
	170	pass\r
	171	\r
65ce860e	172	if args.Encode:\r
9b98c416 YZ	173	FullInputFileBuffer = args.InputFileBuffer\r
9b98c416 YZ	174	if args.MonotonicCountStr:\r
245cda66 YZ	175	format = "%dsQ" % len(args.InputFileBuffer)\r
245cda66 YZ	176	FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
65ce860e MK	177	# \r
	178	# Sign the input file using the specified private key and capture signature from STDOUT\r
	179	#\r
d1b77744	180	Process = subprocess.Popen('%s dgst -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
9b98c416	181	Signature = Process.communicate(input=FullInputFileBuffer)[0]\r
87d2afd0	182	if Process.returncode != 0:\r
65ce860e MK	183	sys.exit(Process.returncode)\r
	184	\r
	185	#\r
	186	# Write output file that contains hash GUID, Public Key, Signature, and Input data\r
	187	# \r
	188	args.OutputFile = open(args.OutputFileName, 'wb')\r
	189	args.OutputFile.write(EFI_HASH_ALGORITHM_SHA256_GUID.get_bytes_le())\r
	190	args.OutputFile.write(PublicKey)\r
	191	args.OutputFile.write(Signature)\r
	192	args.OutputFile.write(args.InputFileBuffer)\r
	193	args.OutputFile.close()\r
	194	\r
	195	if args.Decode:\r
	196	#\r
	197	# Parse Hash Type, Public Key, and Signature from the section header\r
	198	#\r
	199	Header = EFI_CERT_BLOCK_RSA_2048_SHA256._make(EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.unpack_from(args.InputFileBuffer))\r
	200	args.InputFileBuffer = args.InputFileBuffer[EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.size:]\r
	201	\r
	202	#\r
	203	# Verify that the Hash Type matches the expected SHA256 type\r
	204	#\r
87d2afd0	205	if uuid.UUID(bytes_le = Header.HashType) != EFI_HASH_ALGORITHM_SHA256_GUID:\r
72443dd2	206	print('ERROR: unsupport hash GUID')\r
65ce860e MK	207	sys.exit(1)\r
	208	\r
	209	#\r
	210	# Verify the public key\r
	211	#\r
87d2afd0	212	if Header.PublicKey != PublicKey:\r
72443dd2	213	print('ERROR: Public key in input file does not match public key from private key file')\r
65ce860e MK	214	sys.exit(1)\r
65ce860e MK	215	\r
9b98c416 YZ	216	FullInputFileBuffer = args.InputFileBuffer\r
9b98c416 YZ	217	if args.MonotonicCountStr:\r
245cda66 YZ	218	format = "%dsQ" % len(args.InputFileBuffer)\r
245cda66 YZ	219	FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
9b98c416	220	\r
65ce860e MK	221	#\r
	222	# Write Signature to output file\r
	223	#\r
	224	open(args.OutputFileName, 'wb').write(Header.Signature)\r
	225	\r
	226	#\r
	227	# Verify signature\r
	228	# \r
d1b77744	229	Process = subprocess.Popen('%s dgst -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
9b98c416	230	Process.communicate(input=FullInputFileBuffer)\r
87d2afd0	231	if Process.returncode != 0:\r
72443dd2	232	print('ERROR: Verification failed')\r
65ce860e MK	233	os.remove (args.OutputFileName)\r
	234	sys.exit(Process.returncode)\r
	235	\r
	236	#\r
	237	# Save output file contents from input file \r
	238	# \r
	239	open(args.OutputFileName, 'wb').write(args.InputFileBuffer)\r