David Howells | 80d65e5 | 2012-09-26 10:11:06 +0100 | [diff] [blame^] | 1 | #!/bin/sh |
| 2 | # |
| 3 | # Sign a module file using the given key. |
| 4 | # |
| 5 | # Format: sign-file <key> <x509> <src-file> <dst-file> |
| 6 | # |
| 7 | |
| 8 | scripts=`dirname $0` |
| 9 | |
| 10 | CONFIG_MODULE_SIG_SHA512=y |
| 11 | if [ -r .config ] |
| 12 | then |
| 13 | . ./.config |
| 14 | fi |
| 15 | |
| 16 | key="$1" |
| 17 | x509="$2" |
| 18 | src="$3" |
| 19 | dst="$4" |
| 20 | |
| 21 | if [ ! -r "$key" ] |
| 22 | then |
| 23 | echo "Can't read private key" >&2 |
| 24 | exit 2 |
| 25 | fi |
| 26 | |
| 27 | if [ ! -r "$x509" ] |
| 28 | then |
| 29 | echo "Can't read X.509 certificate" >&2 |
| 30 | exit 2 |
| 31 | fi |
| 32 | if [ ! -r "$x509.signer" ] |
| 33 | then |
| 34 | echo "Can't read Signer name" >&2 |
| 35 | exit 2; |
| 36 | fi |
| 37 | if [ ! -r "$x509.keyid" ] |
| 38 | then |
| 39 | echo "Can't read Key identifier" >&2 |
| 40 | exit 2; |
| 41 | fi |
| 42 | |
| 43 | # |
| 44 | # Signature parameters |
| 45 | # |
| 46 | algo=1 # Public-key crypto algorithm: RSA |
| 47 | hash= # Digest algorithm |
| 48 | id_type=1 # Identifier type: X.509 |
| 49 | |
| 50 | # |
| 51 | # Digest the data |
| 52 | # |
| 53 | dgst= |
| 54 | if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ] |
| 55 | then |
| 56 | prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14" |
| 57 | dgst=-sha1 |
| 58 | hash=2 |
| 59 | elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ] |
| 60 | then |
| 61 | prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C" |
| 62 | dgst=-sha224 |
| 63 | hash=7 |
| 64 | elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ] |
| 65 | then |
| 66 | prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20" |
| 67 | dgst=-sha256 |
| 68 | hash=4 |
| 69 | elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ] |
| 70 | then |
| 71 | prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30" |
| 72 | dgst=-sha384 |
| 73 | hash=5 |
| 74 | elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ] |
| 75 | then |
| 76 | prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40" |
| 77 | dgst=-sha512 |
| 78 | hash=6 |
| 79 | else |
| 80 | echo "$0: Can't determine hash algorithm" >&2 |
| 81 | exit 2 |
| 82 | fi |
| 83 | |
| 84 | ( |
| 85 | perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $? |
| 86 | openssl dgst $dgst -binary $src || exit $? |
| 87 | ) >$src.dig || exit $? |
| 88 | |
| 89 | # |
| 90 | # Generate the binary signature, which will be just the integer that comprises |
| 91 | # the signature with no metadata attached. |
| 92 | # |
| 93 | openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $? |
| 94 | signerlen=`stat -c %s $x509.signer` |
| 95 | keyidlen=`stat -c %s $x509.keyid` |
| 96 | siglen=`stat -c %s $src.sig` |
| 97 | |
| 98 | # |
| 99 | # Build the signed binary |
| 100 | # |
| 101 | ( |
| 102 | cat $src || exit $? |
| 103 | echo '~Module signature appended~' || exit $? |
| 104 | cat $x509.signer $x509.keyid || exit $? |
| 105 | |
| 106 | # Preface each signature integer with a 2-byte BE length |
| 107 | perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $? |
| 108 | cat $src.sig || exit $? |
| 109 | |
| 110 | # Generate the information block |
| 111 | perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $? |
| 112 | ) >$dst~ || exit $? |
| 113 | |
| 114 | # Permit in-place signing |
| 115 | mv $dst~ $dst || exit $? |