[mirror_edk2.git] / BaseTools / Source / Python / Rsa2048Sha256Sign / Rsa2048Sha256Sign.py

## @file\r
# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of\r
# EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as\r
#   {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}\r
# This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013\r
#\r
# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
# SPDX-License-Identifier: BSD-2-Clause-Patent\r
#\r
\r
'''\r
Rsa2048Sha256Sign\r
'''\r
from __future__ import print_function\r
\r
import os\r
import sys\r
import argparse\r
import subprocess\r
import uuid\r
import struct\r
import collections\r
from Common.BuildVersion import gBUILD_VERSION\r
\r
#\r
# Globals for help information\r
#\r
__prog__      = 'Rsa2048Sha256Sign'\r
__version__   = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)\r
__copyright__ = 'Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.'\r
__usage__     = '%s -e|-d [options] <input_file>' % (__prog__)\r
\r
#\r
# GUID for SHA 256 Hash Algorithm from UEFI Specification\r
#\r
EFI_HASH_ALGORITHM_SHA256_GUID = uuid.UUID('{51aa59de-fdf2-4ea3-bc63-875fb7842ee9}')\r
\r
#\r
# Structure definition to unpack EFI_CERT_BLOCK_RSA_2048_SHA256 from UEFI 2.4 Specification\r
#\r
#   typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 {\r
#     EFI_GUID HashType;\r
#     UINT8 PublicKey[256];\r
#     UINT8 Signature[256];\r
#   } EFI_CERT_BLOCK_RSA_2048_SHA256;\r
#\r
EFI_CERT_BLOCK_RSA_2048_SHA256        = collections.namedtuple('EFI_CERT_BLOCK_RSA_2048_SHA256', ['HashType', 'PublicKey', 'Signature'])\r
EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT = struct.Struct('16s256s256s')\r
\r
#\r
# Filename of test signing private key that is stored in same directory as this tool\r
#\r
TEST_SIGNING_PRIVATE_KEY_FILENAME = 'TestSigningPrivateKey.pem'\r
\r
if __name__ == '__main__':\r
  #\r
  # Create command line argument parser object\r
  #\r
  parser = argparse.ArgumentParser(prog=__prog__, usage=__usage__, description=__copyright__, conflict_handler='resolve')\r
  group = parser.add_mutually_exclusive_group(required=True)\r
  group.add_argument("-e", action="store_true", dest='Encode', help='encode file')\r
  group.add_argument("-d", action="store_true", dest='Decode', help='decode file')\r
  group.add_argument("--version", action='version', version=__version__)\r
  parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)\r
  parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")\r
  parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename.  If not specified, a test signing key is used.")\r
  parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")\r
  parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")\r
  parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0, 10), default=0, help="set debug level")\r
  parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")\r
\r
  #\r
  # Parse command line arguments\r
  #\r
  args = parser.parse_args()\r
\r
  #\r
  # Generate file path to Open SSL command\r
  #\r
  OpenSslCommand = 'openssl'\r
  try:\r
    OpenSslPath = os.environ['OPENSSL_PATH']\r
    OpenSslCommand = os.path.join(OpenSslPath, OpenSslCommand)\r
    if ' ' in OpenSslCommand:\r
      OpenSslCommand = '"' + OpenSslCommand + '"'\r
  except:\r
    pass\r
\r
  #\r
  # Verify that Open SSL command is available\r
  #\r
  try:\r
    Process = subprocess.Popen('%s version' % (OpenSslCommand), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
  except:\r
    print('ERROR: Open SSL command not available.  Please verify PATH or set OPENSSL_PATH')\r
    sys.exit(1)\r
\r
  Version = Process.communicate()\r
  if Process.returncode != 0:\r
    print('ERROR: Open SSL command not available.  Please verify PATH or set OPENSSL_PATH')\r
    sys.exit(Process.returncode)\r
  print(Version[0].decode('utf-8'))\r
\r
  #\r
  # Read input file into a buffer and save input filename\r
  #\r
  args.InputFileName   = args.InputFile.name\r
  args.InputFileBuffer = args.InputFile.read()\r
  args.InputFile.close()\r
\r
  #\r
  # Save output filename and check if path exists\r
  #\r
  OutputDir = os.path.dirname(args.OutputFile)\r
  if not os.path.exists(OutputDir):\r
    print('ERROR: The output path does not exist: %s' % OutputDir)\r
    sys.exit(1)\r
  args.OutputFileName = args.OutputFile\r
\r
  #\r
  # Save private key filename and close private key file\r
  #\r
  try:\r
    args.PrivateKeyFileName = args.PrivateKeyFile.name\r
    args.PrivateKeyFile.close()\r
  except:\r
    try:\r
      #\r
      # Get path to currently executing script or executable\r
      #\r
      if hasattr(sys, 'frozen'):\r
          RsaToolPath = sys.executable\r
      else:\r
          RsaToolPath = sys.argv[0]\r
      if RsaToolPath.startswith('"'):\r
          RsaToolPath = RsaToolPath[1:]\r
      if RsaToolPath.endswith('"'):\r
          RsaToolPath = RsaToolPath[:-1]\r
      args.PrivateKeyFileName = os.path.join(os.path.dirname(os.path.realpath(RsaToolPath)), TEST_SIGNING_PRIVATE_KEY_FILENAME)\r
      args.PrivateKeyFile = open(args.PrivateKeyFileName, 'rb')\r
      args.PrivateKeyFile.close()\r
    except:\r
      print('ERROR: test signing private key file %s missing' % (args.PrivateKeyFileName))\r
      sys.exit(1)\r
\r
  #\r
  # Extract public key from private key into STDOUT\r
  #\r
  Process = subprocess.Popen('%s rsa -in "%s" -modulus -noout' % (OpenSslCommand, args.PrivateKeyFileName), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
  PublicKeyHexString = Process.communicate()[0].split(b'=')[1].strip()\r
  PublicKeyHexString = PublicKeyHexString.decode('utf-8')\r
  PublicKey = ''\r
  while len(PublicKeyHexString) > 0:\r
    PublicKey = PublicKey + PublicKeyHexString[0:2]\r
    PublicKeyHexString=PublicKeyHexString[2:]\r
  if Process.returncode != 0:\r
    sys.exit(Process.returncode)\r
\r
  if args.MonotonicCountStr:\r
    try:\r
      if args.MonotonicCountStr.upper().startswith('0X'):\r
        args.MonotonicCountValue = int(args.MonotonicCountStr, 16)\r
      else:\r
        args.MonotonicCountValue = int(args.MonotonicCountStr)\r
    except:\r
        pass\r
\r
  if args.Encode:\r
    FullInputFileBuffer = args.InputFileBuffer\r
    if args.MonotonicCountStr:\r
      format = "%dsQ" % len(args.InputFileBuffer)\r
      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
    #\r
    # Sign the input file using the specified private key and capture signature from STDOUT\r
    #\r
    Process = subprocess.Popen('%s dgst -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
    Signature = Process.communicate(input=FullInputFileBuffer)[0]\r
    if Process.returncode != 0:\r
      sys.exit(Process.returncode)\r
\r
    #\r
    # Write output file that contains hash GUID, Public Key, Signature, and Input data\r
    #\r
    args.OutputFile = open(args.OutputFileName, 'wb')\r
    args.OutputFile.write(EFI_HASH_ALGORITHM_SHA256_GUID.bytes_le)\r
    args.OutputFile.write(bytearray.fromhex(str(PublicKey)))\r
    args.OutputFile.write(Signature)\r
    args.OutputFile.write(args.InputFileBuffer)\r
    args.OutputFile.close()\r
\r
  if args.Decode:\r
    #\r
    # Parse Hash Type, Public Key, and Signature from the section header\r
    #\r
    Header = EFI_CERT_BLOCK_RSA_2048_SHA256._make(EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.unpack_from(args.InputFileBuffer))\r
    args.InputFileBuffer = args.InputFileBuffer[EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.size:]\r
\r
    #\r
    # Verify that the Hash Type matches the expected SHA256 type\r
    #\r
    if uuid.UUID(bytes_le = Header.HashType) != EFI_HASH_ALGORITHM_SHA256_GUID:\r
      print('ERROR: unsupport hash GUID')\r
      sys.exit(1)\r
\r
    #\r
    # Verify the public key\r
    #\r
    if Header.PublicKey != bytearray.fromhex(PublicKey):\r
      print('ERROR: Public key in input file does not match public key from private key file')\r
      sys.exit(1)\r
\r
    FullInputFileBuffer = args.InputFileBuffer\r
    if args.MonotonicCountStr:\r
      format = "%dsQ" % len(args.InputFileBuffer)\r
      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
\r
    #\r
    # Write Signature to output file\r
    #\r
    open(args.OutputFileName, 'wb').write(Header.Signature)\r
\r
    #\r
    # Verify signature\r
    #\r
    Process = subprocess.Popen('%s dgst -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
    Process.communicate(input=FullInputFileBuffer)\r
    if Process.returncode != 0:\r
      print('ERROR: Verification failed')\r
      os.remove (args.OutputFileName)\r
      sys.exit(Process.returncode)\r
\r
    #\r
    # Save output file contents from input file\r
    #\r
    open(args.OutputFileName, 'wb').write(args.InputFileBuffer)\r
Commit	Line	Data
65ce860e	1	## @file\r
9b98c416	2	# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of\r
65ce860e MK	3	# EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as\r
	4	# {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}\r
	5	# This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013\r
	6	#\r
d1b77744	7	# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
2e351cbe	8	# SPDX-License-Identifier: BSD-2-Clause-Patent\r
65ce860e MK	9	#\r
	10	\r
	11	'''\r
	12	Rsa2048Sha256Sign\r
	13	'''\r
1ccc4d89	14	from __future__ import print_function\r
65ce860e MK	15	\r
	16	import os\r
	17	import sys\r
f7496d71	18	import argparse\r
65ce860e MK	19	import subprocess\r
	20	import uuid\r
	21	import struct\r
	22	import collections\r
c9df168f MK	23	from Common.BuildVersion import gBUILD_VERSION\r
	24	\r
	25	#\r
	26	# Globals for help information\r
	27	#\r
	28	__prog__ = 'Rsa2048Sha256Sign'\r
	29	__version__ = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)\r
f7496d71	30	__copyright__ = 'Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.'\r
c9df168f	31	__usage__ = '%s -e\|-d [options] <input_file>' % (__prog__)\r
65ce860e MK	32	\r
	33	#\r
	34	# GUID for SHA 256 Hash Algorithm from UEFI Specification\r
	35	#\r
	36	EFI_HASH_ALGORITHM_SHA256_GUID = uuid.UUID('{51aa59de-fdf2-4ea3-bc63-875fb7842ee9}')\r
	37	\r
	38	#\r
fb0b35e0	39	# Structure definition to unpack EFI_CERT_BLOCK_RSA_2048_SHA256 from UEFI 2.4 Specification\r
65ce860e MK	40	#\r
	41	# typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 {\r
	42	# EFI_GUID HashType;\r
	43	# UINT8 PublicKey[256];\r
	44	# UINT8 Signature[256];\r
	45	# } EFI_CERT_BLOCK_RSA_2048_SHA256;\r
	46	#\r
ccaa7754	47	EFI_CERT_BLOCK_RSA_2048_SHA256 = collections.namedtuple('EFI_CERT_BLOCK_RSA_2048_SHA256', ['HashType', 'PublicKey', 'Signature'])\r
65ce860e MK	48	EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT = struct.Struct('16s256s256s')\r
	49	\r
	50	#\r
	51	# Filename of test signing private key that is stored in same directory as this tool\r
	52	#\r
	53	TEST_SIGNING_PRIVATE_KEY_FILENAME = 'TestSigningPrivateKey.pem'\r
	54	\r
	55	if __name__ == '__main__':\r
65ce860e MK	56	#\r
65ce860e MK	57	# Create command line argument parser object\r
f7496d71	58	#\r
56ad03a5	59	parser = argparse.ArgumentParser(prog=__prog__, usage=__usage__, description=__copyright__, conflict_handler='resolve')\r
65ce860e MK	60	group = parser.add_mutually_exclusive_group(required=True)\r
	61	group.add_argument("-e", action="store_true", dest='Encode', help='encode file')\r
	62	group.add_argument("-d", action="store_true", dest='Decode', help='decode file')\r
56ad03a5	63	group.add_argument("--version", action='version', version=__version__)\r
b40286bb	64	parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)\r
9b98c416	65	parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")\r
65ce860e MK	66	parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename. If not specified, a test signing key is used.")\r
	67	parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")\r
	68	parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")\r
ccaa7754	69	parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0, 10), default=0, help="set debug level")\r
65ce860e MK	70	parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")\r
	71	\r
	72	#\r
	73	# Parse command line arguments\r
f7496d71	74	#\r
65ce860e MK	75	args = parser.parse_args()\r
	76	\r
	77	#\r
	78	# Generate file path to Open SSL command\r
	79	#\r
	80	OpenSslCommand = 'openssl'\r
	81	try:\r
	82	OpenSslPath = os.environ['OPENSSL_PATH']\r
	83	OpenSslCommand = os.path.join(OpenSslPath, OpenSslCommand)\r
a3607b26 YZ	84	if ' ' in OpenSslCommand:\r
a3607b26 YZ	85	OpenSslCommand = '"' + OpenSslCommand + '"'\r
65ce860e MK	86	except:\r
	87	pass\r
	88	\r
	89	#\r
	90	# Verify that Open SSL command is available\r
	91	#\r
	92	try:\r
8a0933f4	93	Process = subprocess.Popen('%s version' % (OpenSslCommand), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
f7496d71	94	except:\r
72443dd2	95	print('ERROR: Open SSL command not available. Please verify PATH or set OPENSSL_PATH')\r
65ce860e	96	sys.exit(1)\r
f7496d71	97	\r
65ce860e	98	Version = Process.communicate()\r
87d2afd0	99	if Process.returncode != 0:\r
72443dd2	100	print('ERROR: Open SSL command not available. Please verify PATH or set OPENSSL_PATH')\r
65ce860e	101	sys.exit(Process.returncode)\r
d943b0c3	102	print(Version[0].decode('utf-8'))\r
f7496d71	103	\r
65ce860e MK	104	#\r
65ce860e MK	105	# Read input file into a buffer and save input filename\r
f7496d71	106	#\r
65ce860e MK	107	args.InputFileName = args.InputFile.name\r
	108	args.InputFileBuffer = args.InputFile.read()\r
	109	args.InputFile.close()\r
	110	\r
	111	#\r
b40286bb	112	# Save output filename and check if path exists\r
65ce860e	113	#\r
b40286bb YL	114	OutputDir = os.path.dirname(args.OutputFile)\r
b40286bb YL	115	if not os.path.exists(OutputDir):\r
72443dd2	116	print('ERROR: The output path does not exist: %s' % OutputDir)\r
b40286bb YL	117	sys.exit(1)\r
b40286bb YL	118	args.OutputFileName = args.OutputFile\r
65ce860e MK	119	\r
	120	#\r
	121	# Save private key filename and close private key file\r
	122	#\r
	123	try:\r
	124	args.PrivateKeyFileName = args.PrivateKeyFile.name\r
	125	args.PrivateKeyFile.close()\r
	126	except:\r
	127	try:\r
	128	#\r
	129	# Get path to currently executing script or executable\r
	130	#\r
	131	if hasattr(sys, 'frozen'):\r
	132	RsaToolPath = sys.executable\r
	133	else:\r
	134	RsaToolPath = sys.argv[0]\r
	135	if RsaToolPath.startswith('"'):\r
	136	RsaToolPath = RsaToolPath[1:]\r
	137	if RsaToolPath.endswith('"'):\r
	138	RsaToolPath = RsaToolPath[:-1]\r
	139	args.PrivateKeyFileName = os.path.join(os.path.dirname(os.path.realpath(RsaToolPath)), TEST_SIGNING_PRIVATE_KEY_FILENAME)\r
	140	args.PrivateKeyFile = open(args.PrivateKeyFileName, 'rb')\r
	141	args.PrivateKeyFile.close()\r
	142	except:\r
72443dd2	143	print('ERROR: test signing private key file %s missing' % (args.PrivateKeyFileName))\r
65ce860e MK	144	sys.exit(1)\r
	145	\r
	146	#\r
	147	# Extract public key from private key into STDOUT\r
	148	#\r
a5f26fef	149	Process = subprocess.Popen('%s rsa -in "%s" -modulus -noout' % (OpenSslCommand, args.PrivateKeyFileName), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
d943b0c3 FB	150	PublicKeyHexString = Process.communicate()[0].split(b'=')[1].strip()\r
d943b0c3 FB	151	PublicKeyHexString = PublicKeyHexString.decode('utf-8')\r
65ce860e MK	152	PublicKey = ''\r
65ce860e MK	153	while len(PublicKeyHexString) > 0:\r
4a3773e5	154	PublicKey = PublicKey + PublicKeyHexString[0:2]\r
65ce860e	155	PublicKeyHexString=PublicKeyHexString[2:]\r
87d2afd0	156	if Process.returncode != 0:\r
65ce860e	157	sys.exit(Process.returncode)\r
9b98c416 YZ	158	\r
	159	if args.MonotonicCountStr:\r
	160	try:\r
	161	if args.MonotonicCountStr.upper().startswith('0X'):\r
af881abc	162	args.MonotonicCountValue = int(args.MonotonicCountStr, 16)\r
9b98c416	163	else:\r
af881abc	164	args.MonotonicCountValue = int(args.MonotonicCountStr)\r
9b98c416 YZ	165	except:\r
	166	pass\r
	167	\r
65ce860e	168	if args.Encode:\r
9b98c416 YZ	169	FullInputFileBuffer = args.InputFileBuffer\r
9b98c416 YZ	170	if args.MonotonicCountStr:\r
245cda66 YZ	171	format = "%dsQ" % len(args.InputFileBuffer)\r
245cda66 YZ	172	FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
f7496d71	173	#\r
65ce860e MK	174	# Sign the input file using the specified private key and capture signature from STDOUT\r
65ce860e MK	175	#\r
d1b77744	176	Process = subprocess.Popen('%s dgst -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
9b98c416	177	Signature = Process.communicate(input=FullInputFileBuffer)[0]\r
87d2afd0	178	if Process.returncode != 0:\r
65ce860e	179	sys.exit(Process.returncode)\r
f7496d71	180	\r
65ce860e MK	181	#\r
65ce860e MK	182	# Write output file that contains hash GUID, Public Key, Signature, and Input data\r
f7496d71	183	#\r
65ce860e	184	args.OutputFile = open(args.OutputFileName, 'wb')\r
00f86d89	185	args.OutputFile.write(EFI_HASH_ALGORITHM_SHA256_GUID.bytes_le)\r
4a3773e5	186	args.OutputFile.write(bytearray.fromhex(str(PublicKey)))\r
65ce860e MK	187	args.OutputFile.write(Signature)\r
	188	args.OutputFile.write(args.InputFileBuffer)\r
	189	args.OutputFile.close()\r
	190	\r
	191	if args.Decode:\r
	192	#\r
	193	# Parse Hash Type, Public Key, and Signature from the section header\r
	194	#\r
	195	Header = EFI_CERT_BLOCK_RSA_2048_SHA256._make(EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.unpack_from(args.InputFileBuffer))\r
	196	args.InputFileBuffer = args.InputFileBuffer[EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.size:]\r
f7496d71	197	\r
65ce860e MK	198	#\r
	199	# Verify that the Hash Type matches the expected SHA256 type\r
	200	#\r
87d2afd0	201	if uuid.UUID(bytes_le = Header.HashType) != EFI_HASH_ALGORITHM_SHA256_GUID:\r
72443dd2	202	print('ERROR: unsupport hash GUID')\r
65ce860e MK	203	sys.exit(1)\r
	204	\r
	205	#\r
	206	# Verify the public key\r
	207	#\r
d943b0c3	208	if Header.PublicKey != bytearray.fromhex(PublicKey):\r
72443dd2	209	print('ERROR: Public key in input file does not match public key from private key file')\r
65ce860e MK	210	sys.exit(1)\r
65ce860e MK	211	\r
9b98c416 YZ	212	FullInputFileBuffer = args.InputFileBuffer\r
9b98c416 YZ	213	if args.MonotonicCountStr:\r
245cda66 YZ	214	format = "%dsQ" % len(args.InputFileBuffer)\r
245cda66 YZ	215	FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
9b98c416	216	\r
65ce860e MK	217	#\r
	218	# Write Signature to output file\r
	219	#\r
	220	open(args.OutputFileName, 'wb').write(Header.Signature)\r
f7496d71	221	\r
65ce860e MK	222	#\r
65ce860e MK	223	# Verify signature\r
f7496d71	224	#\r
d1b77744	225	Process = subprocess.Popen('%s dgst -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
9b98c416	226	Process.communicate(input=FullInputFileBuffer)\r
87d2afd0	227	if Process.returncode != 0:\r
72443dd2	228	print('ERROR: Verification failed')\r
65ce860e MK	229	os.remove (args.OutputFileName)\r
	230	sys.exit(Process.returncode)\r
	231	\r
	232	#\r
f7496d71 LG	233	# Save output file contents from input file\r
f7496d71 LG	234	#\r
65ce860e	235	open(args.OutputFileName, 'wb').write(args.InputFileBuffer)\r