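#!/bin/sh
#
# Sign a module file using the given key.
#
# Format: sign-file <key> <x509> <src-file> <dst-file>
#
#   <key>       PEM-encoded RSA private key that produces the signature.
#   <x509>      Signing certificate. The certificate file itself is only
#               checked for readability; what is copied into the output are
#               the two sidecar files <x509>.signer (signer name) and
#               <x509>.keyid (key identifier), byte for byte.
#   <src-file>  Module to sign.
#   <dst-file>  Signed output. May be the same path as <src-file>: the result
#               is assembled in "<dst-file>~" and renamed into place at the end.
#
# Layout appended to the module data:
#   "~Module signature appended~\n"
#   <signer name bytes><key id bytes>
#   2-byte big-endian signature length, then the raw RSA signature integer
#   12-byte information block: algo, hash, id_type, signer length, key id
#     length (one byte each), 3 pad bytes, 4-byte big-endian size of the
#     signature section (signature length + its 2-byte prefix)
#
# Exit status: 2 for bad arguments or unreadable/oversized inputs, otherwise
# the status of the first failing openssl/perl/stat/cat step; 0 on success.
# The intermediate files <src-file>.dig and <src-file>.sig are left next to
# the module; only the partial "<dst-file>~" is removed on failure.
#
# Note: "stat -c %s" is GNU coreutils syntax (the kernel build environment).
#

if [ $# -ne 4 ]
then
    echo "Usage: $0 <key> <x509> <src-file> <dst-file>" >&2
    exit 2
fi

# Digest selection comes from the kernel .config in the current directory.
# Sourcing it executes whatever shell the file contains, so run this only
# from a build tree you trust. CONFIG_MODULE_SIG_SHA512 is preset as the
# fallback: a .config that picks another digest does not unset it (it only
# carries a "# CONFIG_MODULE_SIG_SHA512 is not set" comment), which is why
# SHA-512 must stay the last alternative tested below.
CONFIG_MODULE_SIG_SHA512=y
if [ -r .config ]
then
    . ./.config
fi

key="$1"
x509="$2"
src="$3"
dst="$4"

if [ ! -r "$key" ]
then
    echo "Can't read private key" >&2
    exit 2
fi

if [ ! -r "$x509" ]
then
    echo "Can't read X.509 certificate" >&2
    exit 2
fi
if [ ! -r "$x509.signer" ]
then
    echo "Can't read Signer name" >&2
    exit 2
fi
if [ ! -r "$x509.keyid" ]
then
    echo "Can't read Key identifier" >&2
    exit 2
fi
if [ ! -r "$src" ]
then
    echo "Can't read module file" >&2
    exit 2
fi

# The information block stores each of these lengths in a single byte
# (pack "C"). perl silently wraps a larger value modulo 256, so the lengths
# written into the trailer would no longer match the data that precedes it;
# refuse oversized sidecar files up front instead.
signerlen=$(stat -c %s "$x509.signer") || exit $?
keyidlen=$(stat -c %s "$x509.keyid") || exit $?
if [ "$signerlen" -gt 255 ] || [ "$keyidlen" -gt 255 ]
then
    echo "$0: Signer name and key identifier must each be at most 255 bytes" >&2
    exit 2
fi

#
# Signature parameters
#
# Numeric ids written into the information block. They are decoded by the
# kernel-side signature verifier, so keep them in step with the kernel tree
# rather than renumbering them here.
algo=1          # Public-key crypto algorithm: RSA
hash=           # Digest algorithm (set below)
id_type=1       # Identifier type: X.509

#
# Digest the data
#
# Each prologue is the DER DigestInfo prefix (AlgorithmIdentifier plus the
# OCTET STRING header) for its hash. 'openssl rsautl -sign' applies PKCS#1
# v1.5 padding to its input as-is, so prepending this prefix to the raw
# digest is what makes the result a standard PKCS#1 v1.5 signature.
dgst=
if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
then
    # SHA-1 is collision-broken; kept only for configurations that still
    # select it.
    prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
    dgst=-sha1
    hash=2
elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
then
    prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
    dgst=-sha224
    hash=7
elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
then
    prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
    dgst=-sha256
    hash=4
elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
then
    prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
    dgst=-sha384
    hash=5
elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
then
    prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
    dgst=-sha512
    hash=6
else
    echo "$0: Can't determine hash algorithm" >&2
    exit 2
fi

# DigestInfo prefix followed by the binary digest of the module.
{
    perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" &&
    openssl dgst "$dgst" -binary "$src"
} >"$src.dig" || exit $?

#
# Generate the binary signature, which will be just the integer that comprises
# the signature with no metadata attached.
#
openssl rsautl -sign -inkey "$key" -keyform PEM -in "$src.dig" -out "$src.sig" || exit $?
siglen=$(stat -c %s "$src.sig") || exit $?

# The signature length is stored as a 2-byte big-endian integer (pack "n").
if [ "$siglen" -gt 65535 ]
then
    echo "$0: Signature longer than 65535 bytes" >&2
    exit 2
fi

#
# Build the signed binary
#
# Assemble in "$dst~" and rename over "$dst" only at the end, so a failure
# part-way through never leaves a truncated destination and so that dst may
# be the same file as src. The trap removes the partial file on any exit
# path; after the final mv there is nothing left for it to remove.
trap 'rm -f -- "$dst~"' EXIT
{
    cat -- "$src" &&
    printf '%s\n' '~Module signature appended~' &&
    cat -- "$x509.signer" "$x509.keyid" &&

    # Preface each signature integer with a 2-byte BE length
    perl -e "binmode STDOUT; print pack(\"n\", $siglen)" &&
    cat -- "$src.sig" &&

    # Generate the information block
    perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)"
} >"$dst~" || exit $?

# Permit in-place signing
mv -- "$dst~" "$dst" || exit $?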