blob: e58e34e50ac549bb1d2230062ec0b55f6f03386b [file] [log] [blame]
David Howells80d65e52012-09-26 10:11:06 +01001#!/bin/sh
2#
3# Sign a module file using the given key.
4#
5# Format: sign-file <key> <x509> <src-file> <dst-file>
6#
7
8scripts=`dirname $0`
9
10CONFIG_MODULE_SIG_SHA512=y
11if [ -r .config ]
12then
13 . ./.config
14fi
15
16key="$1"
17x509="$2"
18src="$3"
19dst="$4"
20
21if [ ! -r "$key" ]
22then
23 echo "Can't read private key" >&2
24 exit 2
25fi
26
27if [ ! -r "$x509" ]
28then
29 echo "Can't read X.509 certificate" >&2
30 exit 2
31fi
32if [ ! -r "$x509.signer" ]
33then
34 echo "Can't read Signer name" >&2
35 exit 2;
36fi
37if [ ! -r "$x509.keyid" ]
38then
39 echo "Can't read Key identifier" >&2
40 exit 2;
41fi
42
43#
44# Signature parameters
45#
46algo=1 # Public-key crypto algorithm: RSA
47hash= # Digest algorithm
48id_type=1 # Identifier type: X.509
49
50#
51# Digest the data
52#
53dgst=
54if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
55then
56 prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
57 dgst=-sha1
58 hash=2
59elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
60then
61 prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
62 dgst=-sha224
63 hash=7
64elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
65then
66 prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
67 dgst=-sha256
68 hash=4
69elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
70then
71 prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
72 dgst=-sha384
73 hash=5
74elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
75then
76 prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
77 dgst=-sha512
78 hash=6
79else
80 echo "$0: Can't determine hash algorithm" >&2
81 exit 2
82fi
83
84(
85perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
86openssl dgst $dgst -binary $src || exit $?
87) >$src.dig || exit $?
88
89#
90# Generate the binary signature, which will be just the integer that comprises
91# the signature with no metadata attached.
92#
93openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?
94signerlen=`stat -c %s $x509.signer`
95keyidlen=`stat -c %s $x509.keyid`
96siglen=`stat -c %s $src.sig`
97
98#
99# Build the signed binary
100#
101(
102 cat $src || exit $?
103 echo '~Module signature appended~' || exit $?
104 cat $x509.signer $x509.keyid || exit $?
105
106 # Preface each signature integer with a 2-byte BE length
107 perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
108 cat $src.sig || exit $?
109
110 # Generate the information block
111 perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
112) >$dst~ || exit $?
113
114# Permit in-place signing
115mv $dst~ $dst || exit $?