| # Copyright 2021 Google LLC |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS-IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| # [START digital-signature-example] |
| |
| """A utility for signing and verifying files using digital signatures. |
| |
| It loads cleartext keys from disk - this is not recommended! |
| """ |
| |
| import binascii |
| |
| from absl import app |
| from absl import flags |
| from absl import logging |
| import tink |
| from tink import cleartext_keyset_handle |
| from tink import signature |
| |
| |
| FLAGS = flags.FLAGS |
| |
| flags.DEFINE_enum('mode', None, ['sign', 'verify'], |
| 'The operation to perform.') |
| flags.DEFINE_string('keyset_path', None, |
| 'Path to the keyset used for the signature operation.') |
| flags.DEFINE_string('data_path', None, |
| 'Path to the file with the input data.') |
| flags.DEFINE_string('signature_path', None, |
| 'Path to the signature file.') |
| |
| |
| def main(argv): |
| del argv # Unused. |
| |
| # Initialise Tink |
| signature.register() |
| |
| # Read the keyset into a keyset_handle |
| with open(FLAGS.keyset_path, 'rt') as keyset_file: |
| try: |
| text = keyset_file.read() |
| keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text)) |
| except tink.TinkError as e: |
| logging.exception('Error reading key: %s', e) |
| return 1 |
| |
| with open(FLAGS.data_path, 'rb') as data_file: |
| data = data_file.read() |
| |
| if FLAGS.mode == 'sign': |
| # Get the primitive |
| try: |
| cipher = keyset_handle.primitive(signature.PublicKeySign) |
| except tink.TinkError as e: |
| logging.exception('Error creating primitive: %s', e) |
| return 1 |
| |
| # Sign data |
| sig = cipher.sign(data) |
| with open(FLAGS.signature_path, 'wb') as signature_file: |
| signature_file.write(binascii.hexlify(sig)) |
| return 0 |
| |
| # Get the primitive |
| try: |
| cipher = keyset_handle.primitive(signature.PublicKeyVerify) |
| except tink.TinkError as e: |
| logging.exception('Error creating primitive: %s', e) |
| return 1 |
| |
| # Verify data |
| with open(FLAGS.signature_path, 'rb') as signature_file: |
| try: |
| expected_signature = binascii.unhexlify(signature_file.read().strip()) |
| except binascii.Error as e: |
| logging.exception('Error reading expected code: %s', e) |
| return 1 |
| try: |
| cipher.verify(expected_signature, data) |
| logging.info('Signature verification succeeded.') |
| return 0 |
| except binascii.Error as e: |
| logging.exception('Error reading expected signature: %s', e) |
| except tink.TinkError as e: |
| logging.info('Signature verification failed.') |
| return 1 |
| |
| |
| if __name__ == '__main__': |
| flags.mark_flags_as_required([ |
| 'mode', 'keyset_path', 'data_path', 'signature_path']) |
| app.run(main) |
| |
| # [END digital-signature-example] |
