[python] Add support for passphrase-protected SGX signing keys

Signed-off-by: Wojtek Porczyk <[email protected]>

python/graminelibos/sgx_sign.py

@@ -552,9 +552,11 @@ def get_tbssigstruct(manifest_path, date, libpal=SGX_LIBPAL, verbose=False):
     type=click.File('rb'),
     default=os.fspath(SGX_RSA_KEY_PATH),
     help='specify signing key (.pem) file')
-def sign_with_file(ctx, key):
+@click.option('--passphrase', '--password', '-p', metavar='PASSPHRASE',
+    help='optional passphrase to decrypt the key')
+def sign_with_file(ctx, key, passphrase):
     try:
-        private_key = load_pem_private_key_from_file(key)
+        private_key = load_pem_private_key_from_file(key, passphrase)
     except InvalidRSAKeyError as e:
         ctx.fail(str(e))
 
@@ -579,7 +581,7 @@ def load_pem_private_key_from_file(file, passphrase=None):
     return private_key
 
 
-def sign_with_local_key(data, key):
+def sign_with_local_key(data, key, passphrase=None):
     """Signs *data* using *key* loaded from file.
 
     Function used to generate an RSA signature over provided data using a 3072-bit private key with
@@ -589,13 +591,14 @@ def sign_with_local_key(data, key):
     Args:
         data (bytes): Data to calculate the signature over.
         key (str): Path to a file with RSA private key.
+        passphrase (str or None): Optional passphrase.
 
     Returns:
         (int, int, int): Tuple of exponent, modulus and signature respectively.
     """
 
     with open(key, 'rb') as file:
-        private_key = load_pem_private_key_from_file(file)
+        private_key = load_pem_private_key_from_file(file, passphrase)
 
     return sign_with_rsa_key(data, private_key)