[mirror_edk2.git] / BaseTools / Source / Python / Rsa2048Sha256Sign / Rsa2048Sha256Sign.py

## @file\r
# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of\r
# EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as\r
#   {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}\r
# This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013\r
#\r
# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
# This program and the accompanying materials\r
# are licensed and made available under the terms and conditions of the BSD License\r
# which accompanies this distribution.  The full text of the license may be found at\r
# http://opensource.org/licenses/bsd-license.php\r
#\r
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
#\r
\r
'''\r
Rsa2048Sha256Sign\r
'''\r
from __future__ import print_function\r
\r
import os\r
import sys\r
import argparse\r
import subprocess\r
import uuid\r
import struct\r
import collections\r
from Common.BuildVersion import gBUILD_VERSION\r
\r
#\r
# Globals for help information\r
#\r
__prog__      = 'Rsa2048Sha256Sign'\r
__version__   = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)\r
__copyright__ = 'Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.'\r
__usage__     = '%s -e|-d [options] <input_file>' % (__prog__)\r
\r
#\r
# GUID for SHA 256 Hash Algorithm from UEFI Specification\r
#\r
EFI_HASH_ALGORITHM_SHA256_GUID = uuid.UUID('{51aa59de-fdf2-4ea3-bc63-875fb7842ee9}')\r
\r
#\r
# Structure definition to unpack EFI_CERT_BLOCK_RSA_2048_SHA256 from UEFI 2.4 Specification\r
#\r
#   typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 {\r
#     EFI_GUID HashType;\r
#     UINT8 PublicKey[256];\r
#     UINT8 Signature[256];\r
#   } EFI_CERT_BLOCK_RSA_2048_SHA256;\r
#\r
EFI_CERT_BLOCK_RSA_2048_SHA256        = collections.namedtuple('EFI_CERT_BLOCK_RSA_2048_SHA256', ['HashType', 'PublicKey', 'Signature'])\r
EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT = struct.Struct('16s256s256s')\r
\r
#\r
# Filename of test signing private key that is stored in same directory as this tool\r
#\r
TEST_SIGNING_PRIVATE_KEY_FILENAME = 'TestSigningPrivateKey.pem'\r
\r
if __name__ == '__main__':\r
  #\r
  # Create command line argument parser object\r
  #\r
  parser = argparse.ArgumentParser(prog=__prog__, usage=__usage__, description=__copyright__, conflict_handler='resolve')\r
  group = parser.add_mutually_exclusive_group(required=True)\r
  group.add_argument("-e", action="store_true", dest='Encode', help='encode file')\r
  group.add_argument("-d", action="store_true", dest='Decode', help='decode file')\r
  group.add_argument("--version", action='version', version=__version__)\r
  parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)\r
  parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")\r
  parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename.  If not specified, a test signing key is used.")\r
  parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")\r
  parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")\r
  parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0, 10), default=0, help="set debug level")\r
  parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")\r
\r
  #\r
  # Parse command line arguments\r
  #\r
  args = parser.parse_args()\r
\r
  #\r
  # Generate file path to Open SSL command\r
  #\r
  OpenSslCommand = 'openssl'\r
  try:\r
    OpenSslPath = os.environ['OPENSSL_PATH']\r
    OpenSslCommand = os.path.join(OpenSslPath, OpenSslCommand)\r
    if ' ' in OpenSslCommand:\r
      OpenSslCommand = '"' + OpenSslCommand + '"'\r
  except:\r
    pass\r
\r
  #\r
  # Verify that Open SSL command is available\r
  #\r
  try:\r
    Process = subprocess.Popen('%s version' % (OpenSslCommand), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
  except:\r
    print('ERROR: Open SSL command not available.  Please verify PATH or set OPENSSL_PATH')\r
    sys.exit(1)\r
\r
  Version = Process.communicate()\r
  if Process.returncode != 0:\r
    print('ERROR: Open SSL command not available.  Please verify PATH or set OPENSSL_PATH')\r
    sys.exit(Process.returncode)\r
  print(Version[0].decode('utf-8'))\r
\r
  #\r
  # Read input file into a buffer and save input filename\r
  #\r
  args.InputFileName   = args.InputFile.name\r
  args.InputFileBuffer = args.InputFile.read()\r
  args.InputFile.close()\r
\r
  #\r
  # Save output filename and check if path exists\r
  #\r
  OutputDir = os.path.dirname(args.OutputFile)\r
  if not os.path.exists(OutputDir):\r
    print('ERROR: The output path does not exist: %s' % OutputDir)\r
    sys.exit(1)\r
  args.OutputFileName = args.OutputFile\r
\r
  #\r
  # Save private key filename and close private key file\r
  #\r
  try:\r
    args.PrivateKeyFileName = args.PrivateKeyFile.name\r
    args.PrivateKeyFile.close()\r
  except:\r
    try:\r
      #\r
      # Get path to currently executing script or executable\r
      #\r
      if hasattr(sys, 'frozen'):\r
          RsaToolPath = sys.executable\r
      else:\r
          RsaToolPath = sys.argv[0]\r
      if RsaToolPath.startswith('"'):\r
          RsaToolPath = RsaToolPath[1:]\r
      if RsaToolPath.endswith('"'):\r
          RsaToolPath = RsaToolPath[:-1]\r
      args.PrivateKeyFileName = os.path.join(os.path.dirname(os.path.realpath(RsaToolPath)), TEST_SIGNING_PRIVATE_KEY_FILENAME)\r
      args.PrivateKeyFile = open(args.PrivateKeyFileName, 'rb')\r
      args.PrivateKeyFile.close()\r
    except:\r
      print('ERROR: test signing private key file %s missing' % (args.PrivateKeyFileName))\r
      sys.exit(1)\r
\r
  #\r
  # Extract public key from private key into STDOUT\r
  #\r
  Process = subprocess.Popen('%s rsa -in "%s" -modulus -noout' % (OpenSslCommand, args.PrivateKeyFileName), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
  PublicKeyHexString = Process.communicate()[0].split(b'=')[1].strip()\r
  PublicKeyHexString = PublicKeyHexString.decode('utf-8')\r
  PublicKey = ''\r
  while len(PublicKeyHexString) > 0:\r
    PublicKey = PublicKey + PublicKeyHexString[0:2]\r
    PublicKeyHexString=PublicKeyHexString[2:]\r
  if Process.returncode != 0:\r
    sys.exit(Process.returncode)\r
\r
  if args.MonotonicCountStr:\r
    try:\r
      if args.MonotonicCountStr.upper().startswith('0X'):\r
        args.MonotonicCountValue = int(args.MonotonicCountStr, 16)\r
      else:\r
        args.MonotonicCountValue = int(args.MonotonicCountStr)\r
    except:\r
        pass\r
\r
  if args.Encode:\r
    FullInputFileBuffer = args.InputFileBuffer\r
    if args.MonotonicCountStr:\r
      format = "%dsQ" % len(args.InputFileBuffer)\r
      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
    #\r
    # Sign the input file using the specified private key and capture signature from STDOUT\r
    #\r
    Process = subprocess.Popen('%s dgst -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
    Signature = Process.communicate(input=FullInputFileBuffer)[0]\r
    if Process.returncode != 0:\r
      sys.exit(Process.returncode)\r
\r
    #\r
    # Write output file that contains hash GUID, Public Key, Signature, and Input data\r
    #\r
    args.OutputFile = open(args.OutputFileName, 'wb')\r
    args.OutputFile.write(EFI_HASH_ALGORITHM_SHA256_GUID.bytes_le)\r
    args.OutputFile.write(bytearray.fromhex(str(PublicKey)))\r
    args.OutputFile.write(Signature)\r
    args.OutputFile.write(args.InputFileBuffer)\r
    args.OutputFile.close()\r
\r
  if args.Decode:\r
    #\r
    # Parse Hash Type, Public Key, and Signature from the section header\r
    #\r
    Header = EFI_CERT_BLOCK_RSA_2048_SHA256._make(EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.unpack_from(args.InputFileBuffer))\r
    args.InputFileBuffer = args.InputFileBuffer[EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.size:]\r
\r
    #\r
    # Verify that the Hash Type matches the expected SHA256 type\r
    #\r
    if uuid.UUID(bytes_le = Header.HashType) != EFI_HASH_ALGORITHM_SHA256_GUID:\r
      print('ERROR: unsupport hash GUID')\r
      sys.exit(1)\r
\r
    #\r
    # Verify the public key\r
    #\r
    if Header.PublicKey != bytearray.fromhex(PublicKey):\r
      print('ERROR: Public key in input file does not match public key from private key file')\r
      sys.exit(1)\r
\r
    FullInputFileBuffer = args.InputFileBuffer\r
    if args.MonotonicCountStr:\r
      format = "%dsQ" % len(args.InputFileBuffer)\r
      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
\r
    #\r
    # Write Signature to output file\r
    #\r
    open(args.OutputFileName, 'wb').write(Header.Signature)\r
\r
    #\r
    # Verify signature\r
    #\r
    Process = subprocess.Popen('%s dgst -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
    Process.communicate(input=FullInputFileBuffer)\r
    if Process.returncode != 0:\r
      print('ERROR: Verification failed')\r
      os.remove (args.OutputFileName)\r
      sys.exit(Process.returncode)\r
\r
    #\r
    # Save output file contents from input file\r
    #\r
    open(args.OutputFileName, 'wb').write(args.InputFileBuffer)\r
Commit	Line	Data
65ce860e	1	## @file\r
9b98c416	2	# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of\r
65ce860e MK	3	# EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as\r
	4	# {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}\r
	5	# This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013\r
	6	#\r
d1b77744	7	# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
65ce860e MK	8	# This program and the accompanying materials\r
	9	# are licensed and made available under the terms and conditions of the BSD License\r
	10	# which accompanies this distribution. The full text of the license may be found at\r
	11	# http://opensource.org/licenses/bsd-license.php\r
	12	#\r
	13	# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	14	# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	15	#\r
	16	\r
	17	'''\r
	18	Rsa2048Sha256Sign\r
	19	'''\r
1ccc4d89	20	from __future__ import print_function\r
65ce860e MK	21	\r
	22	import os\r
	23	import sys\r
f7496d71	24	import argparse\r
65ce860e MK	25	import subprocess\r
	26	import uuid\r
	27	import struct\r
	28	import collections\r
c9df168f MK	29	from Common.BuildVersion import gBUILD_VERSION\r
	30	\r
	31	#\r
	32	# Globals for help information\r
	33	#\r
	34	__prog__ = 'Rsa2048Sha256Sign'\r
	35	__version__ = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)\r
f7496d71	36	__copyright__ = 'Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.'\r
c9df168f	37	__usage__ = '%s -e\|-d [options] <input_file>' % (__prog__)\r
65ce860e MK	38	\r
	39	#\r
	40	# GUID for SHA 256 Hash Algorithm from UEFI Specification\r
	41	#\r
	42	EFI_HASH_ALGORITHM_SHA256_GUID = uuid.UUID('{51aa59de-fdf2-4ea3-bc63-875fb7842ee9}')\r
	43	\r
	44	#\r
fb0b35e0	45	# Structure definition to unpack EFI_CERT_BLOCK_RSA_2048_SHA256 from UEFI 2.4 Specification\r
65ce860e MK	46	#\r
	47	# typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 {\r
	48	# EFI_GUID HashType;\r
	49	# UINT8 PublicKey[256];\r
	50	# UINT8 Signature[256];\r
	51	# } EFI_CERT_BLOCK_RSA_2048_SHA256;\r
	52	#\r
ccaa7754	53	EFI_CERT_BLOCK_RSA_2048_SHA256 = collections.namedtuple('EFI_CERT_BLOCK_RSA_2048_SHA256', ['HashType', 'PublicKey', 'Signature'])\r
65ce860e MK	54	EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT = struct.Struct('16s256s256s')\r
	55	\r
	56	#\r
	57	# Filename of test signing private key that is stored in same directory as this tool\r
	58	#\r
	59	TEST_SIGNING_PRIVATE_KEY_FILENAME = 'TestSigningPrivateKey.pem'\r
	60	\r
	61	if __name__ == '__main__':\r
65ce860e MK	62	#\r
65ce860e MK	63	# Create command line argument parser object\r
f7496d71	64	#\r
56ad03a5	65	parser = argparse.ArgumentParser(prog=__prog__, usage=__usage__, description=__copyright__, conflict_handler='resolve')\r
65ce860e MK	66	group = parser.add_mutually_exclusive_group(required=True)\r
	67	group.add_argument("-e", action="store_true", dest='Encode', help='encode file')\r
	68	group.add_argument("-d", action="store_true", dest='Decode', help='decode file')\r
56ad03a5	69	group.add_argument("--version", action='version', version=__version__)\r
b40286bb	70	parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)\r
9b98c416	71	parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")\r
65ce860e MK	72	parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename. If not specified, a test signing key is used.")\r
	73	parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")\r
	74	parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")\r
ccaa7754	75	parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0, 10), default=0, help="set debug level")\r
65ce860e MK	76	parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")\r
	77	\r
	78	#\r
	79	# Parse command line arguments\r
f7496d71	80	#\r
65ce860e MK	81	args = parser.parse_args()\r
	82	\r
	83	#\r
	84	# Generate file path to Open SSL command\r
	85	#\r
	86	OpenSslCommand = 'openssl'\r
	87	try:\r
	88	OpenSslPath = os.environ['OPENSSL_PATH']\r
	89	OpenSslCommand = os.path.join(OpenSslPath, OpenSslCommand)\r
a3607b26 YZ	90	if ' ' in OpenSslCommand:\r
a3607b26 YZ	91	OpenSslCommand = '"' + OpenSslCommand + '"'\r
65ce860e MK	92	except:\r
	93	pass\r
	94	\r
	95	#\r
	96	# Verify that Open SSL command is available\r
	97	#\r
	98	try:\r
8a0933f4	99	Process = subprocess.Popen('%s version' % (OpenSslCommand), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
f7496d71	100	except:\r
72443dd2	101	print('ERROR: Open SSL command not available. Please verify PATH or set OPENSSL_PATH')\r
65ce860e	102	sys.exit(1)\r
f7496d71	103	\r
65ce860e	104	Version = Process.communicate()\r
87d2afd0	105	if Process.returncode != 0:\r
72443dd2	106	print('ERROR: Open SSL command not available. Please verify PATH or set OPENSSL_PATH')\r
65ce860e	107	sys.exit(Process.returncode)\r
d943b0c3	108	print(Version[0].decode('utf-8'))\r
f7496d71	109	\r
65ce860e MK	110	#\r
65ce860e MK	111	# Read input file into a buffer and save input filename\r
f7496d71	112	#\r
65ce860e MK	113	args.InputFileName = args.InputFile.name\r
	114	args.InputFileBuffer = args.InputFile.read()\r
	115	args.InputFile.close()\r
	116	\r
	117	#\r
b40286bb	118	# Save output filename and check if path exists\r
65ce860e	119	#\r
b40286bb YL	120	OutputDir = os.path.dirname(args.OutputFile)\r
b40286bb YL	121	if not os.path.exists(OutputDir):\r
72443dd2	122	print('ERROR: The output path does not exist: %s' % OutputDir)\r
b40286bb YL	123	sys.exit(1)\r
b40286bb YL	124	args.OutputFileName = args.OutputFile\r
65ce860e MK	125	\r
	126	#\r
	127	# Save private key filename and close private key file\r
	128	#\r
	129	try:\r
	130	args.PrivateKeyFileName = args.PrivateKeyFile.name\r
	131	args.PrivateKeyFile.close()\r
	132	except:\r
	133	try:\r
	134	#\r
	135	# Get path to currently executing script or executable\r
	136	#\r
	137	if hasattr(sys, 'frozen'):\r
	138	RsaToolPath = sys.executable\r
	139	else:\r
	140	RsaToolPath = sys.argv[0]\r
	141	if RsaToolPath.startswith('"'):\r
	142	RsaToolPath = RsaToolPath[1:]\r
	143	if RsaToolPath.endswith('"'):\r
	144	RsaToolPath = RsaToolPath[:-1]\r
	145	args.PrivateKeyFileName = os.path.join(os.path.dirname(os.path.realpath(RsaToolPath)), TEST_SIGNING_PRIVATE_KEY_FILENAME)\r
	146	args.PrivateKeyFile = open(args.PrivateKeyFileName, 'rb')\r
	147	args.PrivateKeyFile.close()\r
	148	except:\r
72443dd2	149	print('ERROR: test signing private key file %s missing' % (args.PrivateKeyFileName))\r
65ce860e MK	150	sys.exit(1)\r
	151	\r
	152	#\r
	153	# Extract public key from private key into STDOUT\r
	154	#\r
a5f26fef	155	Process = subprocess.Popen('%s rsa -in "%s" -modulus -noout' % (OpenSslCommand, args.PrivateKeyFileName), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
d943b0c3 FB	156	PublicKeyHexString = Process.communicate()[0].split(b'=')[1].strip()\r
d943b0c3 FB	157	PublicKeyHexString = PublicKeyHexString.decode('utf-8')\r
65ce860e MK	158	PublicKey = ''\r
65ce860e MK	159	while len(PublicKeyHexString) > 0:\r
4a3773e5	160	PublicKey = PublicKey + PublicKeyHexString[0:2]\r
65ce860e	161	PublicKeyHexString=PublicKeyHexString[2:]\r
87d2afd0	162	if Process.returncode != 0:\r
65ce860e	163	sys.exit(Process.returncode)\r
9b98c416 YZ	164	\r
	165	if args.MonotonicCountStr:\r
	166	try:\r
	167	if args.MonotonicCountStr.upper().startswith('0X'):\r
af881abc	168	args.MonotonicCountValue = int(args.MonotonicCountStr, 16)\r
9b98c416	169	else:\r
af881abc	170	args.MonotonicCountValue = int(args.MonotonicCountStr)\r
9b98c416 YZ	171	except:\r
	172	pass\r
	173	\r
65ce860e	174	if args.Encode:\r
9b98c416 YZ	175	FullInputFileBuffer = args.InputFileBuffer\r
9b98c416 YZ	176	if args.MonotonicCountStr:\r
245cda66 YZ	177	format = "%dsQ" % len(args.InputFileBuffer)\r
245cda66 YZ	178	FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
f7496d71	179	#\r
65ce860e MK	180	# Sign the input file using the specified private key and capture signature from STDOUT\r
65ce860e MK	181	#\r
d1b77744	182	Process = subprocess.Popen('%s dgst -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
9b98c416	183	Signature = Process.communicate(input=FullInputFileBuffer)[0]\r
87d2afd0	184	if Process.returncode != 0:\r
65ce860e	185	sys.exit(Process.returncode)\r
f7496d71	186	\r
65ce860e MK	187	#\r
65ce860e MK	188	# Write output file that contains hash GUID, Public Key, Signature, and Input data\r
f7496d71	189	#\r
65ce860e	190	args.OutputFile = open(args.OutputFileName, 'wb')\r
00f86d89	191	args.OutputFile.write(EFI_HASH_ALGORITHM_SHA256_GUID.bytes_le)\r
4a3773e5	192	args.OutputFile.write(bytearray.fromhex(str(PublicKey)))\r
65ce860e MK	193	args.OutputFile.write(Signature)\r
	194	args.OutputFile.write(args.InputFileBuffer)\r
	195	args.OutputFile.close()\r
	196	\r
	197	if args.Decode:\r
	198	#\r
	199	# Parse Hash Type, Public Key, and Signature from the section header\r
	200	#\r
	201	Header = EFI_CERT_BLOCK_RSA_2048_SHA256._make(EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.unpack_from(args.InputFileBuffer))\r
	202	args.InputFileBuffer = args.InputFileBuffer[EFI_CERT_BLOCK_RSA_2048_SHA256_STRUCT.size:]\r
f7496d71	203	\r
65ce860e MK	204	#\r
	205	# Verify that the Hash Type matches the expected SHA256 type\r
	206	#\r
87d2afd0	207	if uuid.UUID(bytes_le = Header.HashType) != EFI_HASH_ALGORITHM_SHA256_GUID:\r
72443dd2	208	print('ERROR: unsupport hash GUID')\r
65ce860e MK	209	sys.exit(1)\r
	210	\r
	211	#\r
	212	# Verify the public key\r
	213	#\r
d943b0c3	214	if Header.PublicKey != bytearray.fromhex(PublicKey):\r
72443dd2	215	print('ERROR: Public key in input file does not match public key from private key file')\r
65ce860e MK	216	sys.exit(1)\r
65ce860e MK	217	\r
9b98c416 YZ	218	FullInputFileBuffer = args.InputFileBuffer\r
9b98c416 YZ	219	if args.MonotonicCountStr:\r
245cda66 YZ	220	format = "%dsQ" % len(args.InputFileBuffer)\r
245cda66 YZ	221	FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)\r
9b98c416	222	\r
65ce860e MK	223	#\r
	224	# Write Signature to output file\r
	225	#\r
	226	open(args.OutputFileName, 'wb').write(Header.Signature)\r
f7496d71	227	\r
65ce860e MK	228	#\r
65ce860e MK	229	# Verify signature\r
f7496d71	230	#\r
d1b77744	231	Process = subprocess.Popen('%s dgst -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)\r
9b98c416	232	Process.communicate(input=FullInputFileBuffer)\r
87d2afd0	233	if Process.returncode != 0:\r
72443dd2	234	print('ERROR: Verification failed')\r
65ce860e MK	235	os.remove (args.OutputFileName)\r
	236	sys.exit(Process.returncode)\r
	237	\r
	238	#\r
f7496d71 LG	239	# Save output file contents from input file\r
f7496d71 LG	240	#\r
65ce860e	241	open(args.OutputFileName, 'wb').write(args.InputFileBuffer)\r