From 74da69c7807b34c72079e75575b1842aa77c066e Mon Sep 17 00:00:00 2001
From: Hatter Jiang
Date: Sat, 19 Jul 2025 14:23:52 +0800
Subject: [PATCH] feat: external_sign supports --message-type
---
 main.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/main.go b/main.go
index 63023a5..eac3679 100644
--- a/main.go
+++ b/main.go
@@ -243,11 +243,16 @@ func buildExternalSignCommand() *cli.Command {
 Usage: "Message base64 encoded",
 Required: true,
 },
+ &cli.StringFlag{
+ Name: "message-type",
+ Usage: "Message type raw(default), sha256, sha384 or sha512",
+ },
 },
 Action: func(ctx *cli.Context) error {
 parameter := ctx.String("parameter")
 alg := ctx.String("alg")
 messageBase64 := ctx.String("message-base64")
+ messageType := ctx.String("message-type")
 message, err := base64.StdEncoding.DecodeString(messageBase64)
 if err != nil {
 return err
@@ -264,21 +269,31 @@ func buildExternalSignCommand() *cli.Command {
 var digest []byte
 var hash crypto.Hash
+ expectedMessageType := ""
 if alg == "ES256" || alg == "RS256" {
+ expectedMessageType = "sha256"
 digest32 := sha256.Sum256(message)
 digest = digest32[:]
 hash = crypto.SHA256
 } else if alg == "ES384" || alg == "RS384" {
+ expectedMessageType = "sha384"
 sha384 := crypto.SHA384.New()
 digest = sha384.Sum(message)
 hash = crypto.SHA384
 } else if alg == "ES512" || alg == "RS512" {
+ expectedMessageType = "sha512"
 digest64 := sha512.Sum512(message)
 digest = digest64[:]
 hash = crypto.SHA512
 } else {
 return fmt.Errorf("invalid algorithm: %s", alg)
 }
+ if messageType != "" && messageType != "raw" {
+ if messageType != expectedMessageType {
+ return fmt.Errorf("invalid message type %s vs %s", messageType, alg)
+ }
+ digest = message[:]
+ }
 var signature []byte
 var signatureErr error
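Review bot: The `message-type` usage text does not say what the non-raw values mean for `--message-base64`. Going by the second hunk, `sha256`/`sha384`/`sha512` make the command sign the decoded bytes as an already computed digest, and the value has to match `--alg`. I would spell that out in the help, e.g. `Usage: "Message type: raw (default, hashed according to --alg) or sha256/sha384/sha512 (message is a pre-computed digest and must match --alg)",`. buildExternalSignCommand starts and ends outside this hunk.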
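Review bot: The pre-hashed branch assigns `digest = message[:]` without checking that the decoded input has the digest length of the selected hash, so `--message-type sha256` accepts any number of bytes. The signing calls are outside the hunk, but Go's ECDSA signing truncates an over-long digest rather than rejecting it, so a wrong-length value would presumably be signed silently for the ES* algorithms; add `if len(message) != hash.Size() { return fmt.Errorf("invalid %s digest length: %d", messageType, len(message)) }` before the assignment. Separately, the unchanged SHA-384 branch calls `sha384.Sum(message)`, which appends the hash of an empty input to `message` instead of hashing it; `digest48 := sha512.Sum384(message)` followed by `digest = digest48[:]` would match the other two branches. The mismatch error also prints `alg` where `expectedMessageType` would be clearer. The Action function continues outside the hunk.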