diff options
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/sign-file | 53 |
1 files changed, 16 insertions, 37 deletions
diff --git a/scripts/sign-file b/scripts/sign-file index 974a20b661b7..2c2bbd18ff44 100755 --- a/scripts/sign-file +++ b/scripts/sign-file | |||
| @@ -4,7 +4,7 @@ | |||
| 4 | # | 4 | # |
| 5 | # Format: | 5 | # Format: |
| 6 | # | 6 | # |
| 7 | # ./scripts/sign-file [-v] <key> <x509> <module> [<dest>] | 7 | # ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>] |
| 8 | # | 8 | # |
| 9 | # | 9 | # |
| 10 | use strict; | 10 | use strict; |
| @@ -17,36 +17,20 @@ if ($#ARGV >= 0 && $ARGV[0] eq "-v") { | |||
| 17 | shift; | 17 | shift; |
| 18 | } | 18 | } |
| 19 | 19 | ||
| 20 | die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n" | 20 | die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" |
| 21 | if ($#ARGV != 2 && $#ARGV != 3); | 21 | if ($#ARGV != 3 && $#ARGV != 4); |
| 22 | 22 | ||
| 23 | my $private_key = $ARGV[0]; | 23 | my $dgst = $ARGV[0]; |
| 24 | my $x509 = $ARGV[1]; | 24 | my $private_key = $ARGV[1]; |
| 25 | my $module = $ARGV[2]; | 25 | my $x509 = $ARGV[2]; |
| 26 | my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~"; | 26 | my $module = $ARGV[3]; |
| 27 | my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~"; | ||
| 27 | 28 | ||
| 28 | die "Can't read private key\n" unless (-r $private_key); | 29 | die "Can't read private key\n" unless (-r $private_key); |
| 29 | die "Can't read X.509 certificate\n" unless (-r $x509); | 30 | die "Can't read X.509 certificate\n" unless (-r $x509); |
| 30 | die "Can't read module\n" unless (-r $module); | 31 | die "Can't read module\n" unless (-r $module); |
| 31 | 32 | ||
| 32 | # | 33 | # |
| 33 | # Read the kernel configuration | ||
| 34 | # | ||
| 35 | my %config = ( | ||
| 36 | CONFIG_MODULE_SIG_SHA512 => 1 | ||
| 37 | ); | ||
| 38 | |||
| 39 | if (-r ".config") { | ||
| 40 | open(FD, "<.config") || die ".config"; | ||
| 41 | while (<FD>) { | ||
| 42 | if ($_ =~ /^(CONFIG_.*)=[ym]/) { | ||
| 43 | $config{$1} = 1; | ||
| 44 | } | ||
| 45 | } | ||
| 46 | close(FD); | ||
| 47 | } | ||
| 48 | |||
| 49 | # | ||
| 50 | # Function to read the contents of a file into a variable. | 34 | # Function to read the contents of a file into a variable. |
| 51 | # | 35 | # |
| 52 | sub read_file($) | 36 | sub read_file($) |
| @@ -321,51 +305,46 @@ my $id_type = 1; # Identifier type: X.509 | |||
| 321 | # | 305 | # |
| 322 | # Digest the data | 306 | # Digest the data |
| 323 | # | 307 | # |
| 324 | my ($dgst, $prologue) = (); | 308 | my $prologue; |
| 325 | if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) { | 309 | if ($dgst eq "sha1") { |
| 326 | $prologue = pack("C*", | 310 | $prologue = pack("C*", |
| 327 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, | 311 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, |
| 328 | 0x2B, 0x0E, 0x03, 0x02, 0x1A, | 312 | 0x2B, 0x0E, 0x03, 0x02, 0x1A, |
| 329 | 0x05, 0x00, 0x04, 0x14); | 313 | 0x05, 0x00, 0x04, 0x14); |
| 330 | $dgst = "-sha1"; | ||
| 331 | $hash = 2; | 314 | $hash = 2; |
| 332 | } elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) { | 315 | } elsif ($dgst eq "sha224") { |
| 333 | $prologue = pack("C*", | 316 | $prologue = pack("C*", |
| 334 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, | 317 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, |
| 335 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, | 318 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, |
| 336 | 0x05, 0x00, 0x04, 0x1C); | 319 | 0x05, 0x00, 0x04, 0x1C); |
| 337 | $dgst = "-sha224"; | ||
| 338 | $hash = 7; | 320 | $hash = 7; |
| 339 | } elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) { | 321 | } elsif ($dgst eq "sha256") { |
| 340 | $prologue = pack("C*", | 322 | $prologue = pack("C*", |
| 341 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, | 323 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, |
| 342 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, | 324 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, |
| 343 | 0x05, 0x00, 0x04, 0x20); | 325 | 0x05, 0x00, 0x04, 0x20); |
| 344 | $dgst = "-sha256"; | ||
| 345 | $hash = 4; | 326 | $hash = 4; |
| 346 | } elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) { | 327 | } elsif ($dgst eq "sha384") { |
| 347 | $prologue = pack("C*", | 328 | $prologue = pack("C*", |
| 348 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, | 329 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, |
| 349 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, | 330 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, |
| 350 | 0x05, 0x00, 0x04, 0x30); | 331 | 0x05, 0x00, 0x04, 0x30); |
| 351 | $dgst = "-sha384"; | ||
| 352 | $hash = 5; | 332 | $hash = 5; |
| 353 | } elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) { | 333 | } elsif ($dgst eq "sha512") { |
| 354 | $prologue = pack("C*", | 334 | $prologue = pack("C*", |
| 355 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, | 335 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, |
| 356 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, | 336 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, |
| 357 | 0x05, 0x00, 0x04, 0x40); | 337 | 0x05, 0x00, 0x04, 0x40); |
| 358 | $dgst = "-sha512"; | ||
| 359 | $hash = 6; | 338 | $hash = 6; |
| 360 | } else { | 339 | } else { |
| 361 | die "Can't determine hash algorithm"; | 340 | die "Unknown hash algorithm: $dgst\n"; |
| 362 | } | 341 | } |
| 363 | 342 | ||
| 364 | # | 343 | # |
| 365 | # Generate the digest and read from openssl's stdout | 344 | # Generate the digest and read from openssl's stdout |
| 366 | # | 345 | # |
| 367 | my $digest; | 346 | my $digest; |
| 368 | $digest = readpipe("openssl dgst $dgst -binary $module") || die "openssl dgst"; | 347 | $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst"; |
| 369 | 348 | ||
| 370 | # | 349 | # |
| 371 | # Generate the binary signature, which will be just the integer that comprises | 350 | # Generate the binary signature, which will be just the integer that comprises |