authorMichal Marek <mmarek@suse.cz>2013-01-24 22:11:12 -0500
committerRusty Russell <rusty@rustcorp.com.au>2013-01-25 01:25:36 -0500
commit4bc9410c0cf5079219bdfa3295d83dfacefe1bb2 (patch)
treedf6c60a1d43224b72ba05abb21210b6b57915fd1 /scripts/sign-file
parent227536740e5cb157fb9fa9b381178c7d34b95d3b (diff)
MODSIGN: Specify the hash algorithm on sign-file command line
Make the script usable without a .config file. Signed-off-by: Michal Marek <mmarek@suse.cz> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'scripts/sign-file')
-rwxr-xr-xscripts/sign-file53
1 files changed, 16 insertions, 37 deletions
diff --git a/scripts/sign-file b/scripts/sign-file
index 974a20b661b7..2c2bbd18ff44 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -4,7 +4,7 @@
4# 4#
5# Format: 5# Format:
6# 6#
7# ./scripts/sign-file [-v] <key> <x509> <module> [<dest>] 7# ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]
8# 8#
9# 9#
10use strict; 10use strict;
@@ -17,36 +17,20 @@ if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
17 shift; 17 shift;
18} 18}
19 19
20die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n" 20die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n"
21 if ($#ARGV != 2 && $#ARGV != 3); 21 if ($#ARGV != 3 && $#ARGV != 4);
22 22
23my $private_key = $ARGV[0]; 23my $dgst = $ARGV[0];
24my $x509 = $ARGV[1]; 24my $private_key = $ARGV[1];
25my $module = $ARGV[2]; 25my $x509 = $ARGV[2];
26my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~"; 26my $module = $ARGV[3];
27my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";
27 28
28die "Can't read private key\n" unless (-r $private_key); 29die "Can't read private key\n" unless (-r $private_key);
29die "Can't read X.509 certificate\n" unless (-r $x509); 30die "Can't read X.509 certificate\n" unless (-r $x509);
30die "Can't read module\n" unless (-r $module); 31die "Can't read module\n" unless (-r $module);
31 32
32# 33#
33# Read the kernel configuration
34#
35my %config = (
36 CONFIG_MODULE_SIG_SHA512 => 1
37 );
38
39if (-r ".config") {
40 open(FD, "<.config") || die ".config";
41 while (<FD>) {
42 if ($_ =~ /^(CONFIG_.*)=[ym]/) {
43 $config{$1} = 1;
44 }
45 }
46 close(FD);
47}
48
49#
50# Function to read the contents of a file into a variable. 34# Function to read the contents of a file into a variable.
51# 35#
52sub read_file($) 36sub read_file($)
@@ -321,51 +305,46 @@ my $id_type = 1; # Identifier type: X.509
321# 305#
322# Digest the data 306# Digest the data
323# 307#
324my ($dgst, $prologue) = (); 308my $prologue;
325if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) { 309if ($dgst eq "sha1") {
326 $prologue = pack("C*", 310 $prologue = pack("C*",
327 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 311 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
328 0x2B, 0x0E, 0x03, 0x02, 0x1A, 312 0x2B, 0x0E, 0x03, 0x02, 0x1A,
329 0x05, 0x00, 0x04, 0x14); 313 0x05, 0x00, 0x04, 0x14);
330 $dgst = "-sha1";
331 $hash = 2; 314 $hash = 2;
332} elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) { 315} elsif ($dgst eq "sha224") {
333 $prologue = pack("C*", 316 $prologue = pack("C*",
334 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 317 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
335 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 318 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
336 0x05, 0x00, 0x04, 0x1C); 319 0x05, 0x00, 0x04, 0x1C);
337 $dgst = "-sha224";
338 $hash = 7; 320 $hash = 7;
339} elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) { 321} elsif ($dgst eq "sha256") {
340 $prologue = pack("C*", 322 $prologue = pack("C*",
341 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 323 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
342 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 324 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
343 0x05, 0x00, 0x04, 0x20); 325 0x05, 0x00, 0x04, 0x20);
344 $dgst = "-sha256";
345 $hash = 4; 326 $hash = 4;
346} elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) { 327} elsif ($dgst eq "sha384") {
347 $prologue = pack("C*", 328 $prologue = pack("C*",
348 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 329 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
349 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 330 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
350 0x05, 0x00, 0x04, 0x30); 331 0x05, 0x00, 0x04, 0x30);
351 $dgst = "-sha384";
352 $hash = 5; 332 $hash = 5;
353} elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) { 333} elsif ($dgst eq "sha512") {
354 $prologue = pack("C*", 334 $prologue = pack("C*",
355 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 335 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
356 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 336 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
357 0x05, 0x00, 0x04, 0x40); 337 0x05, 0x00, 0x04, 0x40);
358 $dgst = "-sha512";
359 $hash = 6; 338 $hash = 6;
360} else { 339} else {
361 die "Can't determine hash algorithm"; 340 die "Unknown hash algorithm: $dgst\n";
362} 341}
363 342
364# 343#
365# Generate the digest and read from openssl's stdout 344# Generate the digest and read from openssl's stdout
366# 345#
367my $digest; 346my $digest;
368$digest = readpipe("openssl dgst $dgst -binary $module") || die "openssl dgst"; 347$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
369 348
370# 349#
371# Generate the binary signature, which will be just the integer that comprises 350# Generate the binary signature, which will be just the integer that comprises