diff options
author | Michal Marek <mmarek@suse.cz> | 2013-01-24 22:11:12 -0500 |
---|---|---|
committer | Rusty Russell <rusty@rustcorp.com.au> | 2013-01-25 01:25:36 -0500 |
commit | 4bc9410c0cf5079219bdfa3295d83dfacefe1bb2 (patch) | |
tree | df6c60a1d43224b72ba05abb21210b6b57915fd1 /scripts/sign-file | |
parent | 227536740e5cb157fb9fa9b381178c7d34b95d3b (diff) |
MODSIGN: Specify the hash algorithm on sign-file command line
Make the script usable without a .config file.
Signed-off-by: Michal Marek <mmarek@suse.cz>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'scripts/sign-file')
-rwxr-xr-x | scripts/sign-file | 53 |
1 files changed, 16 insertions, 37 deletions
diff --git a/scripts/sign-file b/scripts/sign-file index 974a20b661b7..2c2bbd18ff44 100755 --- a/scripts/sign-file +++ b/scripts/sign-file | |||
@@ -4,7 +4,7 @@ | |||
4 | # | 4 | # |
5 | # Format: | 5 | # Format: |
6 | # | 6 | # |
7 | # ./scripts/sign-file [-v] <key> <x509> <module> [<dest>] | 7 | # ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>] |
8 | # | 8 | # |
9 | # | 9 | # |
10 | use strict; | 10 | use strict; |
@@ -17,36 +17,20 @@ if ($#ARGV >= 0 && $ARGV[0] eq "-v") { | |||
17 | shift; | 17 | shift; |
18 | } | 18 | } |
19 | 19 | ||
20 | die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n" | 20 | die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" |
21 | if ($#ARGV != 2 && $#ARGV != 3); | 21 | if ($#ARGV != 3 && $#ARGV != 4); |
22 | 22 | ||
23 | my $private_key = $ARGV[0]; | 23 | my $dgst = $ARGV[0]; |
24 | my $x509 = $ARGV[1]; | 24 | my $private_key = $ARGV[1]; |
25 | my $module = $ARGV[2]; | 25 | my $x509 = $ARGV[2]; |
26 | my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~"; | 26 | my $module = $ARGV[3]; |
27 | my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~"; | ||
27 | 28 | ||
28 | die "Can't read private key\n" unless (-r $private_key); | 29 | die "Can't read private key\n" unless (-r $private_key); |
29 | die "Can't read X.509 certificate\n" unless (-r $x509); | 30 | die "Can't read X.509 certificate\n" unless (-r $x509); |
30 | die "Can't read module\n" unless (-r $module); | 31 | die "Can't read module\n" unless (-r $module); |
31 | 32 | ||
32 | # | 33 | # |
33 | # Read the kernel configuration | ||
34 | # | ||
35 | my %config = ( | ||
36 | CONFIG_MODULE_SIG_SHA512 => 1 | ||
37 | ); | ||
38 | |||
39 | if (-r ".config") { | ||
40 | open(FD, "<.config") || die ".config"; | ||
41 | while (<FD>) { | ||
42 | if ($_ =~ /^(CONFIG_.*)=[ym]/) { | ||
43 | $config{$1} = 1; | ||
44 | } | ||
45 | } | ||
46 | close(FD); | ||
47 | } | ||
48 | |||
49 | # | ||
50 | # Function to read the contents of a file into a variable. | 34 | # Function to read the contents of a file into a variable. |
51 | # | 35 | # |
52 | sub read_file($) | 36 | sub read_file($) |
@@ -321,51 +305,46 @@ my $id_type = 1; # Identifier type: X.509 | |||
321 | # | 305 | # |
322 | # Digest the data | 306 | # Digest the data |
323 | # | 307 | # |
324 | my ($dgst, $prologue) = (); | 308 | my $prologue; |
325 | if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) { | 309 | if ($dgst eq "sha1") { |
326 | $prologue = pack("C*", | 310 | $prologue = pack("C*", |
327 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, | 311 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, |
328 | 0x2B, 0x0E, 0x03, 0x02, 0x1A, | 312 | 0x2B, 0x0E, 0x03, 0x02, 0x1A, |
329 | 0x05, 0x00, 0x04, 0x14); | 313 | 0x05, 0x00, 0x04, 0x14); |
330 | $dgst = "-sha1"; | ||
331 | $hash = 2; | 314 | $hash = 2; |
332 | } elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) { | 315 | } elsif ($dgst eq "sha224") { |
333 | $prologue = pack("C*", | 316 | $prologue = pack("C*", |
334 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, | 317 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, |
335 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, | 318 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, |
336 | 0x05, 0x00, 0x04, 0x1C); | 319 | 0x05, 0x00, 0x04, 0x1C); |
337 | $dgst = "-sha224"; | ||
338 | $hash = 7; | 320 | $hash = 7; |
339 | } elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) { | 321 | } elsif ($dgst eq "sha256") { |
340 | $prologue = pack("C*", | 322 | $prologue = pack("C*", |
341 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, | 323 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, |
342 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, | 324 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, |
343 | 0x05, 0x00, 0x04, 0x20); | 325 | 0x05, 0x00, 0x04, 0x20); |
344 | $dgst = "-sha256"; | ||
345 | $hash = 4; | 326 | $hash = 4; |
346 | } elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) { | 327 | } elsif ($dgst eq "sha384") { |
347 | $prologue = pack("C*", | 328 | $prologue = pack("C*", |
348 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, | 329 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, |
349 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, | 330 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, |
350 | 0x05, 0x00, 0x04, 0x30); | 331 | 0x05, 0x00, 0x04, 0x30); |
351 | $dgst = "-sha384"; | ||
352 | $hash = 5; | 332 | $hash = 5; |
353 | } elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) { | 333 | } elsif ($dgst eq "sha512") { |
354 | $prologue = pack("C*", | 334 | $prologue = pack("C*", |
355 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, | 335 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, |
356 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, | 336 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, |
357 | 0x05, 0x00, 0x04, 0x40); | 337 | 0x05, 0x00, 0x04, 0x40); |
358 | $dgst = "-sha512"; | ||
359 | $hash = 6; | 338 | $hash = 6; |
360 | } else { | 339 | } else { |
361 | die "Can't determine hash algorithm"; | 340 | die "Unknown hash algorithm: $dgst\n"; |
362 | } | 341 | } |
363 | 342 | ||
364 | # | 343 | # |
365 | # Generate the digest and read from openssl's stdout | 344 | # Generate the digest and read from openssl's stdout |
366 | # | 345 | # |
367 | my $digest; | 346 | my $digest; |
368 | $digest = readpipe("openssl dgst $dgst -binary $module") || die "openssl dgst"; | 347 | $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst"; |
369 | 348 | ||
370 | # | 349 | # |
371 | # Generate the binary signature, which will be just the integer that comprises | 350 | # Generate the binary signature, which will be just the integer that comprises |