| -rwxr-xr-x | scripts/sign-file | 99 |
1 files changed, 56 insertions, 43 deletions
diff --git a/scripts/sign-file b/scripts/sign-file index 2c2bbd18ff44..2b7c4484d46c 100755 --- a/scripts/sign-file +++ b/scripts/sign-file | |||
| @@ -2,31 +2,41 @@ | |||
| 2 | # | 2 | # |
| 3 | # Sign a module file using the given key. | 3 | # Sign a module file using the given key. |
| 4 | # | 4 | # |
| 5 | # Format: | 5 | |
| 6 | # | 6 | my $USAGE = |
| 7 | # ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>] | 7 | "Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" . |
| 8 | # | 8 | " scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n"; |
| 9 | # | 9 | |
| 10 | use strict; | 10 | use strict; |
| 11 | use FileHandle; | 11 | use FileHandle; |
| 12 | use IPC::Open2; | 12 | use IPC::Open2; |
| 13 | use Getopt::Std; | ||
| 13 | 14 | ||
| 14 | my $verbose = 0; | 15 | my %opts; |
| 15 | if ($#ARGV >= 0 && $ARGV[0] eq "-v") { | 16 | getopts('vs:', \%opts) or die $USAGE; |
| 16 | $verbose = 1; | 17 | my $verbose = $opts{'v'}; |
| 17 | shift; | 18 | my $signature_file = $opts{'s'}; |
| 18 | } | ||
| 19 | 19 | ||
| 20 | die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" | 20 | die $USAGE if ($#ARGV > 4); |
| 21 | if ($#ARGV != 3 && $#ARGV != 4); | 21 | die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2); |
| 22 | 22 | ||
| 23 | my $dgst = $ARGV[0]; | 23 | my $dgst = shift @ARGV; |
| 24 | my $private_key = $ARGV[1]; | 24 | my $private_key; |
| 25 | my $x509 = $ARGV[2]; | 25 | if (!$signature_file) { |
| 26 | my $module = $ARGV[3]; | 26 | $private_key = shift @ARGV; |
| 27 | my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~"; | 27 | } |
| 28 | my $x509 = shift @ARGV; | ||
| 29 | my $module = shift @ARGV; | ||
| 30 | my ($dest, $keep_orig); | ||
| 31 | if (@ARGV) { | ||
| 32 | $dest = $ARGV[0]; | ||
| 33 | $keep_orig = 1; | ||
| 34 | } else { | ||
| 35 | $dest = $module . "~"; | ||
| 36 | } | ||
| 28 | 37 | ||
| 29 | die "Can't read private key\n" unless (-r $private_key); | 38 | die "Can't read private key\n" if (!$signature_file && !-r $private_key); |
| 39 | die "Can't read signature file\n" if ($signature_file && !-r $signature_file); | ||
| 30 | die "Can't read X.509 certificate\n" unless (-r $x509); | 40 | die "Can't read X.509 certificate\n" unless (-r $x509); |
| 31 | die "Can't read module\n" unless (-r $module); | 41 | die "Can't read module\n" unless (-r $module); |
| 32 | 42 | ||
| @@ -340,33 +350,36 @@ if ($dgst eq "sha1") { | |||
| 340 | die "Unknown hash algorithm: $dgst\n"; | 350 | die "Unknown hash algorithm: $dgst\n"; |
| 341 | } | 351 | } |
| 342 | 352 | ||
| 343 | # | ||
| 344 | # Generate the digest and read from openssl's stdout | ||
| 345 | # | ||
| 346 | my $digest; | ||
| 347 | $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst"; | ||
| 348 | |||
| 349 | # | ||
| 350 | # Generate the binary signature, which will be just the integer that comprises | ||
| 351 | # the signature with no metadata attached. | ||
| 352 | # | ||
| 353 | my $pid; | ||
| 354 | $pid = open2(*read_from, *write_to, | ||
| 355 | "openssl rsautl -sign -inkey $private_key -keyform PEM") || | ||
| 356 | die "openssl rsautl"; | ||
| 357 | binmode write_to; | ||
| 358 | print write_to $prologue . $digest || die "pipe to openssl rsautl"; | ||
| 359 | close(write_to) || die "pipe to openssl rsautl"; | ||
| 360 | |||
| 361 | binmode read_from; | ||
| 362 | my $signature; | 353 | my $signature; |
| 363 | read(read_from, $signature, 4096) || die "pipe from openssl rsautl"; | 354 | if ($signature_file) { |
| 364 | close(read_from) || die "pipe from openssl rsautl"; | 355 | $signature = read_file($signature_file); |
| 356 | } else { | ||
| 357 | # | ||
| 358 | # Generate the digest and read from openssl's stdout | ||
| 359 | # | ||
| 360 | my $digest; | ||
| 361 | $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst"; | ||
| 362 | |||
| 363 | # | ||
| 364 | # Generate the binary signature, which will be just the integer that | ||
| 365 | # comprises the signature with no metadata attached. | ||
| 366 | # | ||
| 367 | my $pid; | ||
| 368 | $pid = open2(*read_from, *write_to, | ||
| 369 | "openssl rsautl -sign -inkey $private_key -keyform PEM") || | ||
| 370 | die "openssl rsautl"; | ||
| 371 | binmode write_to; | ||
| 372 | print write_to $prologue . $digest || die "pipe to openssl rsautl"; | ||
| 373 | close(write_to) || die "pipe to openssl rsautl"; | ||
| 374 | |||
| 375 | binmode read_from; | ||
| 376 | read(read_from, $signature, 4096) || die "pipe from openssl rsautl"; | ||
| 377 | close(read_from) || die "pipe from openssl rsautl"; | ||
| 378 | waitpid($pid, 0) || die; | ||
| 379 | die "openssl rsautl died: $?" if ($? >> 8); | ||
| 380 | } | ||
| 365 | $signature = pack("n", length($signature)) . $signature, | 381 | $signature = pack("n", length($signature)) . $signature, |
| 366 | 382 | ||
| 367 | waitpid($pid, 0) || die; | ||
| 368 | die "openssl rsautl died: $?" if ($? >> 8); | ||
| 369 | |||
| 370 | # | 383 | # |
| 371 | # Build the signed binary | 384 | # Build the signed binary |
| 372 | # | 385 | # |
| @@ -403,6 +416,6 @@ print FD | |||
| 403 | ; | 416 | ; |
| 404 | close FD || die $dest; | 417 | close FD || die $dest; |
| 405 | 418 | ||
| 406 | if ($#ARGV != 3) { | 419 | if (!$keep_orig) { |
| 407 | rename($dest, $module) || die $module; | 420 | rename($dest, $module) || die $module; |
| 408 | } | 421 | } |
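Review bot: The new `-s` path (new lines 354–355) hands whatever `read_file` returns straight to `pack("n", length($signature))` at new line 381, so a signature file longer than 65535 bytes gets a silently wrapped 16-bit length prefix (the script has no `use warnings`, so pack would not flag the wrap), whereas the openssl path stays bounded by the 4096-byte `read`. Add a bound after the if/else, `die "Signature too long\n" if (length($signature) > 65535);`, and arguably `die "Empty signature\n" unless (length($signature));` so that an empty or truncated signature file does not produce a module carrying a zero-length signature. `read_file` is not defined in any visible hunk; presumably it is a helper elsewhere in the script, and its behaviour on a short or unreadable file should be confirmed, since the `-r` check at new line 39 only covers readability. Separately, the retained `readpipe("openssl dgst -$dgst -binary $module")` at new line 361 still passes `$module` through the shell; `$dgst` is constrained by the hash-algorithm chain that ends at line 350, but a module path containing shell metacharacters would be misparsed, and a list-form `open(my $fh, '-|', 'openssl', 'dgst', "-$dgst", '-binary', $module)` avoids that.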
