From 01fdc960070bfa41c5c3ff28640956054fa0daeb Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Wed, 22 Feb 2023 12:47:30 +0100
Subject: [PATCH] [python] Add support for passphrase-protected SGX signing keys
Signed-off-by: Wojtek Porczyk
---
 python/graminelibos/sgx_sign.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/python/graminelibos/sgx_sign.py b/python/graminelibos/sgx_sign.py
index 68065a5057..0ea9f46b46 100644
--- a/python/graminelibos/sgx_sign.py
+++ b/python/graminelibos/sgx_sign.py
@@ -552,9 +552,11 @@ def get_tbssigstruct(manifest_path, date, libpal=SGX_LIBPAL, verbose=False):
 type=click.File('rb'), default=os.fspath(SGX_RSA_KEY_PATH),
 help='specify signing key (.pem) file')
-def sign_with_file(ctx, key):
+@click.option('--passphrase', '--password', '-p', metavar='PASSPHRASE',
+ help='optional passphrase to decrypt the key')
+def sign_with_file(ctx, key, passphrase):
 try:
- private_key = load_pem_private_key_from_file(key)
+ private_key = load_pem_private_key_from_file(key, passphrase)
 except InvalidRSAKeyError as e:
 ctx.fail(str(e))
@@ -579,7 +581,7 @@ def load_pem_private_key_from_file(file, passphrase=None):
 return private_key
-def sign_with_local_key(data, key):
+def sign_with_local_key(data, key, passphrase=None):
 """Signs *data* using *key* loaded from file.
 Function used to generate an RSA signature over provided data using a 3072-bit private key with
@@ -589,13 +591,14 @@ def sign_with_local_key(data, key):
 Args:
 data (bytes): Data to calculate the signature over.
 key (str): Path to a file with RSA private key.
+ passphrase (str or None): Optional passphrase.
 Returns:
 (int, int, int): Tuple of exponent, modulus and signature respectively.
 """
 with open(key, 'rb') as file:
- private_key = load_pem_private_key_from_file(file)
+ private_key = load_pem_private_key_from_file(file, passphrase)
 return sign_with_rsa_key(data, private_key)
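Review bot: The new `--passphrase` option accepts the secret as a plain command-line value, so it is exposed to other local users through the process list and is retained in shell history, which undercuts the protection the encrypted key file provides. Click can collect it without echo instead: `@click.option('--passphrase', '--password', '-p', metavar='PASSPHRASE', prompt=True, prompt_required=False, hide_input=True, help='optional passphrase to decrypt the key')` — with `prompt_required=False` the prompt appears only when `-p` is given without a value, so existing invocations with an unencrypted key keep working. The added line `private_key = load_pem_private_key_from_file(key, passphrase)` forwards a `str` from click, and the later hunks document `passphrase (str or None)` for `sign_with_local_key`; if the helper hands it straight to cryptography's `load_pem_private_key`, which requires `bytes` or `None`, that is a `TypeError`, and a wrong passphrase surfaces as a `ValueError` — neither is `InvalidRSAKeyError`, so they would escape the `ctx.fail` branch unless the helper (outside this hunk) encodes and maps them, in which case the docstring should state `bytes` or note the conversion. The body of `sign_with_file` continues beyond the hunk.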