MODSIGN: Add -s <signature> option to sign-file

This option allows to append an externally computed singature to the module. This is needed in setups, where the private key is not directly available, but a service exists that returns signatures for given files. Signed-off-by: Michal Marek <mmarek@suse.cz> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
author: Michal Marek <mmarek@suse.cz> 2013-01-24 22:11:19 -0500
committer: Rusty Russell <rusty@rustcorp.com.au> 2013-01-25 01:25:36 -0500
commit: 1c37c054a7493e0537ea3d15a59dac3a0aa63a05 (patch)
tree: f0a07f73ed8707c9843ea5f57a9366608e35af6e /scripts
parent: 4bc9410c0cf5079219bdfa3295d83dfacefe1bb2 (diff)
1 files changed, 56 insertions, 43 deletions
diff --git a/scripts/sign-file b/scripts/sign-file
index 2c2bbd18ff44..2b7c4484d46c 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -2,31 +2,41 @@
 #
 # Sign a module file using the given key.
 #
-# Format:
-#
+my $USAGE =
-#       ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]
+"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
-#
+"       scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
-#
 use strict;
 use FileHandle;
 use IPC::Open2;
+use Getopt::Std;
-my $verbose = 0;
+my %opts;
-if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
+getopts('vs:', \%opts) or die $USAGE;
-    $verbose = 1;
+my $verbose = $opts{'v'};
-    shift;
+my $signature_file = $opts{'s'};
-}
-die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n"
+die $USAGE if ($#ARGV > 4);
-    if ($#ARGV != 3 && $#ARGV != 4);
+die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
-my $dgst = $ARGV[0];
+my $dgst = shift @ARGV;
-my $private_key = $ARGV[1];
+my $private_key;
-my $x509 = $ARGV[2];
+if (!$signature_file) {
-my $module = $ARGV[3];
+        $private_key = shift @ARGV;
-my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";
+}
+my $x509 = shift @ARGV;
+my $module = shift @ARGV;
+my ($dest, $keep_orig);
+if (@ARGV) {
+        $dest = $ARGV[0];
+        $keep_orig = 1;
+} else {
+        $dest = $module . "~";
+}
-die "Can't read private key\n" unless (-r $private_key);
+die "Can't read private key\n" if (!$signature_file && !-r $private_key);
+die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
 die "Can't read X.509 certificate\n" unless (-r $x509);
 die "Can't read module\n" unless (-r $module);
@@ -340,33 +350,36 @@ if ($dgst eq "sha1") {
    die "Unknown hash algorithm: $dgst\n";
 }
-#
-# Generate the digest and read from openssl's stdout
-#
-my $digest;
-$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
-#
-# Generate the binary signature, which will be just the integer that comprises
-# the signature with no metadata attached.
-#
-my $pid;
-$pid = open2(*read_from, *write_to,
-             "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
-    die "openssl rsautl";
-binmode write_to;
-print write_to $prologue . $digest || die "pipe to openssl rsautl";
-close(write_to) || die "pipe to openssl rsautl";
-binmode read_from;
 my $signature;
-read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
+if ($signature_file) {
-close(read_from) || die "pipe from openssl rsautl";
+        $signature = read_file($signature_file);
+} else {
+        #
+        # Generate the digest and read from openssl's stdout
+        #
+        my $digest;
+        $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
+        #
+        # Generate the binary signature, which will be just the integer that
+        # comprises the signature with no metadata attached.
+        #
+        my $pid;
+        $pid = open2(*read_from, *write_to,
+                     "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+            die "openssl rsautl";
+        binmode write_to;
+        print write_to $prologue . $digest || die "pipe to openssl rsautl";
+        close(write_to) || die "pipe to openssl rsautl";
+        binmode read_from;
+        read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
+        close(read_from) || die "pipe from openssl rsautl";
+        waitpid($pid, 0) || die;
+        die "openssl rsautl died: $?" if ($? >> 8);
+}
 $signature = pack("n", length($signature)) . $signature,
-waitpid($pid, 0) || die;
-die "openssl rsautl died: $?" if ($? >> 8);
 #
 # Build the signed binary
 #
@@ -403,6 +416,6 @@ print FD
    ;
 close FD || die $dest;
-if ($#ARGV != 3) {
+if (!$keep_orig) {
    rename($dest, $module) || die $module;
 }
author	Michal Marek <mmarek@suse.cz>	2013-01-24 22:11:19 -0500
committer	Rusty Russell <rusty@rustcorp.com.au>	2013-01-25 01:25:36 -0500
commit	1c37c054a7493e0537ea3d15a59dac3a0aa63a05 (patch)
tree	f0a07f73ed8707c9843ea5f57a9366608e35af6e /scripts
parent	4bc9410c0cf5079219bdfa3295d83dfacefe1bb2 (diff)

diff --git a/scripts/sign-file b/scripts/sign-file index 2c2bbd18ff44..2b7c4484d46c 100755 --- a/scripts/sign-file +++ b/scripts/sign-file
@@ -2,31 +2,41 @@
2	#	2	#
3	# Sign a module file using the given key.	3	# Sign a module file using the given key.
4	#	4	#
5	# Format:	5
6	#	6	my $USAGE =
7	# ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]	7	"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
8	#	8	" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
9	#	9
10	use strict;	10	use strict;
11	use FileHandle;	11	use FileHandle;
12	use IPC::Open2;	12	use IPC::Open2;
		13	use Getopt::Std;
13		14
14	my $verbose = 0;	15	my %opts;
15	if ($#ARGV >= 0 && $ARGV[0] eq "-v") {	16	getopts('vs:', \%opts) or die $USAGE;
16	$verbose = 1;	17	my $verbose = $opts{'v'};
17	shift;	18	my $signature_file = $opts{'s'};
18	}
19		19
20	die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n"	20	die $USAGE if ($#ARGV > 4);
21	if ($#ARGV != 3 && $#ARGV != 4);	21	die $USAGE if (!$signature_file && $#ARGV < 3 \|\| $signature_file && $#ARGV < 2);
22		22
23	my $dgst = $ARGV[0];	23	my $dgst = shift @ARGV;
24	my $private_key = $ARGV[1];	24	my $private_key;
25	my $x509 = $ARGV[2];	25	if (!$signature_file) {
26	my $module = $ARGV[3];	26	$private_key = shift @ARGV;
27	my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";	27	}
		28	my $x509 = shift @ARGV;
		29	my $module = shift @ARGV;
		30	my ($dest, $keep_orig);
		31	if (@ARGV) {
		32	$dest = $ARGV[0];
		33	$keep_orig = 1;
		34	} else {
		35	$dest = $module . "~";
		36	}
28		37
29	die "Can't read private key\n" unless (-r $private_key);	38	die "Can't read private key\n" if (!$signature_file && !-r $private_key);
		39	die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
30	die "Can't read X.509 certificate\n" unless (-r $x509);	40	die "Can't read X.509 certificate\n" unless (-r $x509);
31	die "Can't read module\n" unless (-r $module);	41	die "Can't read module\n" unless (-r $module);
32		42
@@ -340,33 +350,36 @@ if ($dgst eq "sha1") {
340	die "Unknown hash algorithm: $dgst\n";	350	die "Unknown hash algorithm: $dgst\n";
341	}	351	}
342		352
343	#
344	# Generate the digest and read from openssl's stdout
345	#
346	my $digest;
347	$digest = readpipe("openssl dgst -$dgst -binary $module") \|\| die "openssl dgst";
348
349	#
350	# Generate the binary signature, which will be just the integer that comprises
351	# the signature with no metadata attached.
352	#
353	my $pid;
354	$pid = open2(read_from, write_to,
355	"openssl rsautl -sign -inkey $private_key -keyform PEM") \|\|
356	die "openssl rsautl";
357	binmode write_to;
358	print write_to $prologue . $digest \|\| die "pipe to openssl rsautl";
359	close(write_to) \|\| die "pipe to openssl rsautl";
360
361	binmode read_from;
362	my $signature;	353	my $signature;
363	read(read_from, $signature, 4096) \|\| die "pipe from openssl rsautl";	354	if ($signature_file) {
364	close(read_from) \|\| die "pipe from openssl rsautl";	355	$signature = read_file($signature_file);
		356	} else {
		357	#
		358	# Generate the digest and read from openssl's stdout
		359	#
		360	my $digest;
		361	$digest = readpipe("openssl dgst -$dgst -binary $module") \|\| die "openssl dgst";
		362
		363	#
		364	# Generate the binary signature, which will be just the integer that
		365	# comprises the signature with no metadata attached.
		366	#
		367	my $pid;
		368	$pid = open2(read_from, write_to,
		369	"openssl rsautl -sign -inkey $private_key -keyform PEM") \|\|
		370	die "openssl rsautl";
		371	binmode write_to;
		372	print write_to $prologue . $digest \|\| die "pipe to openssl rsautl";
		373	close(write_to) \|\| die "pipe to openssl rsautl";
		374
		375	binmode read_from;
		376	read(read_from, $signature, 4096) \|\| die "pipe from openssl rsautl";
		377	close(read_from) \|\| die "pipe from openssl rsautl";
		378	waitpid($pid, 0) \|\| die;
		379	die "openssl rsautl died: $?" if ($? >> 8);
		380	}
365	$signature = pack("n", length($signature)) . $signature,	381	$signature = pack("n", length($signature)) . $signature,
366		382
367	waitpid($pid, 0) \|\| die;
368	die "openssl rsautl died: $?" if ($? >> 8);
369
370	#	383	#
371	# Build the signed binary	384	# Build the signed binary
372	#	385	#
@@ -403,6 +416,6 @@ print FD
403	;	416	;
404	close FD \|\| die $dest;	417	close FD \|\| die $dest;
405		418
406	if ($#ARGV != 3) {	419	if (!$keep_orig) {
407	rename($dest, $module) \|\| die $module;	420	rename($dest, $module) \|\| die $module;
408	}	421	}