[mirror_edk2.git] / BaseTools / Source / Python / Rsa2048Sha256Sign / Rsa2048Sha256Sign.py

## @file\r
# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of\r
# EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as\r
#   {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}\r
# This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013\r
#\r
# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
# This program and the accompanying materials\r
# are licensed and made available under the terms and conditions of the BSD License\r
# which accompanies this distribution.  The full text of the license may be found at\r
# http://opensource.org/licenses/bsd-license.php\r
#\r
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
#\r
\r
'''\r
Rsa2048Sha256Sign\r
'''\r
from __future__ import print_function\r
\r
import os\r
import sys\r
import argparse\r
import subprocess\r
import uuid\r
import struct\r
import collections\r
from Common.BuildVersion import gBUILD_VERSION\r
\r
#\r
# Globals for help information\r
#\r
__prog__      = 'Rsa2048Sha256Sign'\r
__version__   = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)\r
__copyright__ = 'Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.'\r
__usage__     = '%s -e|-d [options] <input_file>' % (__prog__)\r
\r
#\r
# GUID for SHA 256 Hash Algorithm from UEFI Specification\r
#\r
EFI_HASH_ALGORITHM_SHA256_GUID = uuid.UUID('{51aa59de-fdf2-4ea3-bc63-875fb7842ee9}')\r
\r
#\r
# Structure defintion to unpack EFI_CERT_BLOCK_RSA_2048_SHA256 from UEFI 2.4 Specification\r
#\r
#   typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 {\r
#     EFI_GUID HashType;\r
#     UINT8 PublicKey[256];\r
#     UINT8 Signature[256];\r
#   } EFI_CERT_BLOCK_RSA_2048_SHA256;\r
#\r
EFI_CERT_BLOCK_RSA_2048_SHA256        = collections.namedtuple('EFI_CERT_BLOCK_RSA_2048_SHA256', ['HashType', 'PublicKey', 'Signature'])\r
EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT = struct.Struct('16s256s256s')\r
\r
#\r
# Filename of test signing private key that is stored in same directory as this tool\r
#\r
TEST_SIGNING_PRIVATE_KEY_FILENAME = 'TestSigningPrivateKey.pem'\r
\r
if __name__ == '__main__':\r
  #\r
  # Create command line argument parser object\r
  #\r
  parser = argparse.ArgumentParser(prog=__prog__, usage=__usage__, description=__copyright__, conflict_handler='resolve')\r
  group = parser.add_mutually_exclusive_group(required=True)\r
  group.add_argument("-e", action="store_true", dest='Encode', help='encode file')\r
  group.add_argument("-d", action="store_true", dest='Decode', help='decode file')\r
  group.add_argument("--version", action='version', version=__version__)\r
  parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)\r
  parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")\r
  parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename.  If not specified, a test signing key is used.")\r
  parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")\r
  parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")\r
  parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0, 10), default=0, help="set debug level")\r
  parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")\r
\r
  #\r
  # Parse command line arguments\r
  #\r
  args = parser.parse_args()\r
\r
  #\r
  # Generate file path to Open SSL command\r
  #\r
  OpenSslCommand = 'openssl'\r
  try:\r
    OpenSslPath = os.environ['OPENSSL_PATH']\r
    OpenSslCommand = os.path.join(OpenSslPath, OpenSslCommand)\r
    if ' ' in OpenSslCommand:\r
      OpenSslCommand = '"' + OpenSslCommand + '"'\r
  except:\r
    pass\r
\r
  #\r
  # Verify that Open SSL command is available\r
  #\r
  try:\r
    Process = subprocess.Popen('%s version' % (OpenSslCommand), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
  except:\r
    print('ERROR: Open SSL command not available.  Please verify PATH or set OPENSSL_PATH')\r
    sys.exit(1)\r
\r
  Version = Process.communicate()\r
  if Process.returncode != 0:\r
    print('ERROR: Open SSL command not available.  Please verify PATH or set OPENSSL_PATH')\r
    sys.exit(Process.returncode)\r
  print(Version[0])\r
\r
  #\r
  # Read input file into a buffer and save input filename\r
  #\r
  args.InputFileName   = args.InputFile.name\r
  args.InputFileBuffer = args.InputFile.read()\r
  args.InputFile.close()\r
\r
  #\r
  # Save output filename and check if path exists\r
  #\r
  OutputDir = os.path.dirname(args.OutputFile)\r
  if not os.path.exists(OutputDir):\r
    print('ERROR: The output path does not exist: %s' % OutputDir)\r
    sys.exit(1)\r
  args.OutputFileName = args.OutputFile\r
\r
  #\r
  # Save private key filename and close private key file\r
  #\r
  try:\r
    args.PrivateKeyFileName = args.PrivateKeyFile.name\r
    args.PrivateKeyFile.close()\r
  except:\r
    try:\r
      #\r
      # Get path to currently executing script or executable\r
      #\r
      if hasattr(sys, 'frozen'):\r
          RsaToolPath = sys.executable\r
      else:\r
          RsaToolPath = sys.argv[0]\r
      if RsaToolPath.startswith('"'):\r
          RsaToolPath = RsaToolPath[1:]\r
      if RsaToolPath.endswith('"'):\r
          RsaToolPath = RsaToolPath[:-1]\r
      args.PrivateKeyFileName = os.path.join(os.path.dirname(os.path.realpath(RsaToolPath)), TEST_SIGNING_PRIVATE_KEY_FILENAME)\r
      args.PrivateKeyFile = open(args.PrivateKeyFileName, 'rb')\r
      args.PrivateKeyFile.close()\r
    except:\r
      print('ERROR: test signing private key file %s missing' % (args.PrivateKeyFileName))\r
      sys.exit(1)\r
\r
  #\r
  # Extract public key from private key into STDOUT\r
  #\r
  Process = subprocess.Popen('%s rsa -in "%s" -modulus -noout' % (OpenSslCommand, args.PrivateKeyFileName), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
  PublicKeyHexString = Process.communicate()[0].split('=')[1].strip()\r
  PublicKey = ''\r
  while len(PublicKeyHexString) > 0:\r
    PublicKey = PublicKey + PublicKeyHexString[0:2]\r
    PublicKeyHexString=PublicKeyHexString[2:]\r
  if Process.returncode != 0:\r
    sys.exit(Process.returncode)\r
\r
  if args.MonotonicCountStr:\r
    try:\r
      if args.MonotonicCountStr.upper().startswith('0X'):\r
        args.MonotonicCountValue = int(args.MonotonicCountStr, 16)\r
      else:\r
        args.MonotonicCountValue = int(args.MonotonicCountStr)\r
    except:\r
        pass\r
\r
  if args.Encode:\r
    FullInputFileBuffer = args.InputFileBuffer\r
    if args.MonotonicCountStr:\r
      format = "%dsQ" % len(args.InputFileBuffer)\r
      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
    #\r
    # Sign the input file using the specified private key and capture signature from STDOUT\r
    #\r
    Process = subprocess.Popen('%s dgst -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
    Signature = Process.communicate(input=FullInputFileBuffer)[0]\r
    if Process.returncode != 0:\r
      sys.exit(Process.returncode)\r
\r
    #\r
    # Write output file that contains hash GUID, Public Key, Signature, and Input data\r
    #\r
    args.OutputFile = open(args.OutputFileName, 'wb')\r
    args.OutputFile.write(EFI_HASH_ALGORITHM_SHA256_GUID.bytes_le)\r
    args.OutputFile.write(bytearray.fromhex(str(PublicKey)))\r
    args.OutputFile.write(Signature)\r
    args.OutputFile.write(args.InputFileBuffer)\r
    args.OutputFile.close()\r
\r
  if args.Decode:\r
    #\r
    # Parse Hash Type, Public Key, and Signature from the section header\r
    #\r
    Header = EFI_CERT_BLOCK_RSA_2048_SHA256._make(EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.unpack_from(args.InputFileBuffer))\r
    args.InputFileBuffer = args.InputFileBuffer[EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.size:]\r
\r
    #\r
    # Verify that the Hash Type matches the expected SHA256 type\r
    #\r
    if uuid.UUID(bytes_le = Header.HashType) != EFI_HASH_ALGORITHM_SHA256_GUID:\r
      print('ERROR: unsupport hash GUID')\r
      sys.exit(1)\r
\r
    #\r
    # Verify the public key\r
    #\r
    if Header.PublicKey != PublicKey:\r
      print('ERROR: Public key in input file does not match public key from private key file')\r
      sys.exit(1)\r
\r
    FullInputFileBuffer = args.InputFileBuffer\r
    if args.MonotonicCountStr:\r
      format = "%dsQ" % len(args.InputFileBuffer)\r
      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
\r
    #\r
    # Write Signature to output file\r
    #\r
    open(args.OutputFileName, 'wb').write(Header.Signature)\r
\r
    #\r
    # Verify signature\r
    #\r
    Process = subprocess.Popen('%s dgst -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
    Process.communicate(input=FullInputFileBuffer)\r
    if Process.returncode != 0:\r
      print('ERROR: Verification failed')\r
      os.remove (args.OutputFileName)\r
      sys.exit(Process.returncode)\r
\r
    #\r
    # Save output file contents from input file\r
    #\r
    open(args.OutputFileName, 'wb').write(args.InputFileBuffer)\r
Commit	Line	Data
65ce860e	1	## @file\r
9b98c416	2	# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of\r
65ce860e MK	3	# EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as\r
	4	# {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}\r
	5	# This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013\r
	6	#\r
d1b77744	7	# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
65ce860e MK	8	# This program and the accompanying materials\r
	9	# are licensed and made available under the terms and conditions of the BSD License\r
	10	# which accompanies this distribution. The full text of the license may be found at\r
	11	# http://opensource.org/licenses/bsd-license.php\r
	12	#\r
	13	# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	14	# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	15	#\r
	16	\r
	17	'''\r
	18	Rsa2048Sha256Sign\r
	19	'''\r
1ccc4d89	20	from __future__ import print_function\r
65ce860e MK	21	\r
	22	import os\r
	23	import sys\r
f7496d71	24	import argparse\r
65ce860e MK	25	import subprocess\r
	26	import uuid\r
	27	import struct\r
	28	import collections\r
c9df168f MK	29	from Common.BuildVersion import gBUILD_VERSION\r
	30	\r
	31	#\r
	32	# Globals for help information\r
	33	#\r
	34	__prog__ = 'Rsa2048Sha256Sign'\r
	35	__version__ = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)\r
f7496d71	36	__copyright__ = 'Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.'\r
c9df168f	37	__usage__ = '%s -e\|-d [options] <input_file>' % (__prog__)\r
65ce860e MK	38	\r
	39	#\r
	40	# GUID for SHA 256 Hash Algorithm from UEFI Specification\r
	41	#\r
	42	EFI_HASH_ALGORITHM_SHA256_GUID = uuid.UUID('{51aa59de-fdf2-4ea3-bc63-875fb7842ee9}')\r
	43	\r
	44	#\r
	45	# Structure defintion to unpack EFI_CERT_BLOCK_RSA_2048_SHA256 from UEFI 2.4 Specification\r
	46	#\r
	47	# typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 {\r
	48	# EFI_GUID HashType;\r
	49	# UINT8 PublicKey[256];\r
	50	# UINT8 Signature[256];\r
	51	# } EFI_CERT_BLOCK_RSA_2048_SHA256;\r
	52	#\r
ccaa7754	53	EFI_CERT_BLOCK_RSA_2048_SHA256 = collections.namedtuple('EFI_CERT_BLOCK_RSA_2048_SHA256', ['HashType', 'PublicKey', 'Signature'])\r
65ce860e MK	54	EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT = struct.Struct('16s256s256s')\r
	55	\r
	56	#\r
	57	# Filename of test signing private key that is stored in same directory as this tool\r
	58	#\r
	59	TEST_SIGNING_PRIVATE_KEY_FILENAME = 'TestSigningPrivateKey.pem'\r
	60	\r
	61	if __name__ == '__main__':\r
65ce860e MK	62	#\r
65ce860e MK	63	# Create command line argument parser object\r
f7496d71	64	#\r
56ad03a5	65	parser = argparse.ArgumentParser(prog=__prog__, usage=__usage__, description=__copyright__, conflict_handler='resolve')\r
65ce860e MK	66	group = parser.add_mutually_exclusive_group(required=True)\r
	67	group.add_argument("-e", action="store_true", dest='Encode', help='encode file')\r
	68	group.add_argument("-d", action="store_true", dest='Decode', help='decode file')\r
56ad03a5	69	group.add_argument("--version", action='version', version=__version__)\r
b40286bb	70	parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)\r
9b98c416	71	parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")\r
65ce860e MK	72	parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename. If not specified, a test signing key is used.")\r
	73	parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")\r
	74	parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")\r
ccaa7754	75	parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0, 10), default=0, help="set debug level")\r
65ce860e MK	76	parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")\r
	77	\r
	78	#\r
	79	# Parse command line arguments\r
f7496d71	80	#\r
65ce860e MK	81	args = parser.parse_args()\r
	82	\r
	83	#\r
	84	# Generate file path to Open SSL command\r
	85	#\r
	86	OpenSslCommand = 'openssl'\r
	87	try:\r
	88	OpenSslPath = os.environ['OPENSSL_PATH']\r
	89	OpenSslCommand = os.path.join(OpenSslPath, OpenSslCommand)\r
a3607b26 YZ	90	if ' ' in OpenSslCommand:\r
a3607b26 YZ	91	OpenSslCommand = '"' + OpenSslCommand + '"'\r
65ce860e MK	92	except:\r
	93	pass\r
	94	\r
	95	#\r
	96	# Verify that Open SSL command is available\r
	97	#\r
	98	try:\r
8a0933f4	99	Process = subprocess.Popen('%s version' % (OpenSslCommand), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
f7496d71	100	except:\r
72443dd2	101	print('ERROR: Open SSL command not available. Please verify PATH or set OPENSSL_PATH')\r
65ce860e	102	sys.exit(1)\r
f7496d71	103	\r
65ce860e	104	Version = Process.communicate()\r
87d2afd0	105	if Process.returncode != 0:\r
72443dd2	106	print('ERROR: Open SSL command not available. Please verify PATH or set OPENSSL_PATH')\r
65ce860e	107	sys.exit(Process.returncode)\r
1ccc4d89	108	print(Version[0])\r
f7496d71	109	\r
65ce860e MK	110	#\r
65ce860e MK	111	# Read input file into a buffer and save input filename\r
f7496d71	112	#\r
65ce860e MK	113	args.InputFileName = args.InputFile.name\r
	114	args.InputFileBuffer = args.InputFile.read()\r
	115	args.InputFile.close()\r
	116	\r
	117	#\r
b40286bb	118	# Save output filename and check if path exists\r
65ce860e	119	#\r
b40286bb YL	120	OutputDir = os.path.dirname(args.OutputFile)\r
b40286bb YL	121	if not os.path.exists(OutputDir):\r
72443dd2	122	print('ERROR: The output path does not exist: %s' % OutputDir)\r
b40286bb YL	123	sys.exit(1)\r
b40286bb YL	124	args.OutputFileName = args.OutputFile\r
65ce860e MK	125	\r
	126	#\r
	127	# Save private key filename and close private key file\r
	128	#\r
	129	try:\r
	130	args.PrivateKeyFileName = args.PrivateKeyFile.name\r
	131	args.PrivateKeyFile.close()\r
	132	except:\r
	133	try:\r
	134	#\r
	135	# Get path to currently executing script or executable\r
	136	#\r
	137	if hasattr(sys, 'frozen'):\r
	138	RsaToolPath = sys.executable\r
	139	else:\r
	140	RsaToolPath = sys.argv[0]\r
	141	if RsaToolPath.startswith('"'):\r
	142	RsaToolPath = RsaToolPath[1:]\r
	143	if RsaToolPath.endswith('"'):\r
	144	RsaToolPath = RsaToolPath[:-1]\r
	145	args.PrivateKeyFileName = os.path.join(os.path.dirname(os.path.realpath(RsaToolPath)), TEST_SIGNING_PRIVATE_KEY_FILENAME)\r
	146	args.PrivateKeyFile = open(args.PrivateKeyFileName, 'rb')\r
	147	args.PrivateKeyFile.close()\r
	148	except:\r
72443dd2	149	print('ERROR: test signing private key file %s missing' % (args.PrivateKeyFileName))\r
65ce860e MK	150	sys.exit(1)\r
	151	\r
	152	#\r
	153	# Extract public key from private key into STDOUT\r
	154	#\r
a5f26fef	155	Process = subprocess.Popen('%s rsa -in "%s" -modulus -noout' % (OpenSslCommand, args.PrivateKeyFileName), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
1ccc4d89	156	PublicKeyHexString = Process.communicate()[0].split('=')[1].strip()\r
65ce860e MK	157	PublicKey = ''\r
65ce860e MK	158	while len(PublicKeyHexString) > 0:\r
4a3773e5	159	PublicKey = PublicKey + PublicKeyHexString[0:2]\r
65ce860e	160	PublicKeyHexString=PublicKeyHexString[2:]\r
87d2afd0	161	if Process.returncode != 0:\r
65ce860e	162	sys.exit(Process.returncode)\r
9b98c416 YZ	163	\r
	164	if args.MonotonicCountStr:\r
	165	try:\r
	166	if args.MonotonicCountStr.upper().startswith('0X'):\r
af881abc	167	args.MonotonicCountValue = int(args.MonotonicCountStr, 16)\r
9b98c416	168	else:\r
af881abc	169	args.MonotonicCountValue = int(args.MonotonicCountStr)\r
9b98c416 YZ	170	except:\r
	171	pass\r
	172	\r
65ce860e	173	if args.Encode:\r
9b98c416 YZ	174	FullInputFileBuffer = args.InputFileBuffer\r
9b98c416 YZ	175	if args.MonotonicCountStr:\r
245cda66 YZ	176	format = "%dsQ" % len(args.InputFileBuffer)\r
245cda66 YZ	177	FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
f7496d71	178	#\r
65ce860e MK	179	# Sign the input file using the specified private key and capture signature from STDOUT\r
65ce860e MK	180	#\r
d1b77744	181	Process = subprocess.Popen('%s dgst -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
9b98c416	182	Signature = Process.communicate(input=FullInputFileBuffer)[0]\r
87d2afd0	183	if Process.returncode != 0:\r
65ce860e	184	sys.exit(Process.returncode)\r
f7496d71	185	\r
65ce860e MK	186	#\r
65ce860e MK	187	# Write output file that contains hash GUID, Public Key, Signature, and Input data\r
f7496d71	188	#\r
65ce860e	189	args.OutputFile = open(args.OutputFileName, 'wb')\r
00f86d89	190	args.OutputFile.write(EFI_HASH_ALGORITHM_SHA256_GUID.bytes_le)\r
4a3773e5	191	args.OutputFile.write(bytearray.fromhex(str(PublicKey)))\r
65ce860e MK	192	args.OutputFile.write(Signature)\r
	193	args.OutputFile.write(args.InputFileBuffer)\r
	194	args.OutputFile.close()\r
	195	\r
	196	if args.Decode:\r
	197	#\r
	198	# Parse Hash Type, Public Key, and Signature from the section header\r
	199	#\r
	200	Header = EFI_CERT_BLOCK_RSA_2048_SHA256._make(EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.unpack_from(args.InputFileBuffer))\r
	201	args.InputFileBuffer = args.InputFileBuffer[EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.size:]\r
f7496d71	202	\r
65ce860e MK	203	#\r
	204	# Verify that the Hash Type matches the expected SHA256 type\r
	205	#\r
87d2afd0	206	if uuid.UUID(bytes_le = Header.HashType) != EFI_HASH_ALGORITHM_SHA256_GUID:\r
72443dd2	207	print('ERROR: unsupport hash GUID')\r
65ce860e MK	208	sys.exit(1)\r
	209	\r
	210	#\r
	211	# Verify the public key\r
	212	#\r
1ccc4d89	213	if Header.PublicKey != PublicKey:\r
72443dd2	214	print('ERROR: Public key in input file does not match public key from private key file')\r
65ce860e MK	215	sys.exit(1)\r
65ce860e MK	216	\r
9b98c416 YZ	217	FullInputFileBuffer = args.InputFileBuffer\r
9b98c416 YZ	218	if args.MonotonicCountStr:\r
245cda66 YZ	219	format = "%dsQ" % len(args.InputFileBuffer)\r
245cda66 YZ	220	FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
9b98c416	221	\r
65ce860e MK	222	#\r
	223	# Write Signature to output file\r
	224	#\r
	225	open(args.OutputFileName, 'wb').write(Header.Signature)\r
f7496d71	226	\r
65ce860e MK	227	#\r
65ce860e MK	228	# Verify signature\r
f7496d71	229	#\r
d1b77744	230	Process = subprocess.Popen('%s dgst -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
9b98c416	231	Process.communicate(input=FullInputFileBuffer)\r
87d2afd0	232	if Process.returncode != 0:\r
72443dd2	233	print('ERROR: Verification failed')\r
65ce860e MK	234	os.remove (args.OutputFileName)\r
	235	sys.exit(Process.returncode)\r
	236	\r
	237	#\r
f7496d71 LG	238	# Save output file contents from input file\r
f7496d71 LG	239	#\r
65ce860e	240	open(args.OutputFileName, 'wb').write(args.InputFileBuffer)\r