^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) /* Sign a module file using the given key.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Copyright © 2014-2016 Red Hat, Inc. All Rights Reserved.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) * Copyright © 2015 Intel Corporation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright © 2016 Hewlett Packard Enterprise Development LP
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Authors: David Howells <dhowells@redhat.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * David Woodhouse <dwmw2@infradead.org>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) * Juerg Haefliger <juerg.haefliger@hpe.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) * This program is free software; you can redistribute it and/or
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * modify it under the terms of the GNU Lesser General Public License
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * as published by the Free Software Foundation; either version 2.1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) * of the licence, or (at your option) any later version.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #define _GNU_SOURCE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <stdio.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <stdlib.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include <stdint.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) #include <stdbool.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) #include <string.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) #include <getopt.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) #include <err.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) #include <arpa/inet.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) #include <openssl/opensslv.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) #include <openssl/bio.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) #include <openssl/evp.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) #include <openssl/pem.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) #include <openssl/err.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) #include <openssl/engine.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) * assume that it's not available and its header file is missing and that we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) * should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) * the options we have on specifying the X.509 certificate we want.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) * Further, older versions of OpenSSL don't support manually adding signers to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) * the PKCS#7 message so have to accept that we get a certificate included in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) * the signature message. Nor do such older versions of OpenSSL support
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) * signing with anything other than SHA1 - so we're stuck with that if such is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) * the case.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) #if defined(LIBRESSL_VERSION_NUMBER) || \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) OPENSSL_VERSION_NUMBER < 0x10000000L || \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) defined(OPENSSL_NO_CMS)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) #define USE_PKCS7
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) #ifndef USE_PKCS7
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) #include <openssl/cms.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) #else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) #include <openssl/pkcs7.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54)
/*
 * Trailer record that main() writes to the destination file after the
 * signature data, immediately followed by magic_number.
 *
 * main() initializes only id_type and later fills in sig_len; every other
 * field is left zero by the designated initializer (the bracketed value in
 * each field comment is the value stored).
 */
struct module_signature {
	uint8_t algo; /* Public-key crypto algorithm [0] */
	uint8_t hash; /* Digest algorithm [0] */
	uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */
	uint8_t signer_len; /* Length of signer's name [0] */
	uint8_t key_id_len; /* Length of key identifier [0] */
	uint8_t __pad[3]; /* Padding; zero-filled by the initializer in main() */
	uint32_t sig_len; /* Length of signature data; main() stores it via htonl() */
};

/* Value main() stores in module_signature.id_type. */
#define PKEY_ID_PKCS7 2

/* Marker written last in the output file; main() writes it without the trailing NUL. */
static char magic_number[] = "~Module signature appended~\n";
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68)
/*
 * Print the command-line synopsis on stderr and terminate the process with
 * exit status 2.  Never returns.
 */
static __attribute__((noreturn))
void format(void)
{
	static const char synopsis[] =
		"Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n"
		" scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";

	/* The text contains no conversion specifiers, so fputs() emits it verbatim. */
	fputs(synopsis, stderr);
	exit(2);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78)
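/*
 * Print and consume every entry queued on the OpenSSL error stack.
 *
 * Does nothing when the queue is empty.  Otherwise writes a header line
 * carrying the caller-supplied line number @l to stderr, followed by one
 * line per queued error (message text plus the OpenSSL source file and line
 * that raised it).  The queue is empty on return.
 */
static void display_openssl_errors(int l)
{
	const char *file;
	char buf[256];
	unsigned long e;	/* ERR_get_error_line() returns unsigned long */
	int line;

	if (ERR_peek_error() == 0)
		return;
	fprintf(stderr, "At main.c:%d:\n", l);

	while ((e = ERR_get_error_line(&file, &line)) != 0) {
		/*
		 * Use the length-bounded formatter: ERR_error_string() takes
		 * no size argument and is documented to need a buffer of at
		 * least 256 bytes, so a smaller stack buffer could be
		 * overrun by a long error string.
		 */
		ERR_error_string_n(e, buf, sizeof(buf));
		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
	}
}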
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94)
/*
 * Silently discard everything queued on the OpenSSL error stack, so that
 * errors from an earlier call are not reported by a later ERR().
 */
static void drain_openssl_errors(void)
{
	const char *src_file;
	int src_line;

	if (ERR_peek_error() == 0)
		return;

	/* Pop entries until the queue reports empty (return value 0). */
	for (;;) {
		if (!ERR_get_error_line(&src_file, &src_line))
			break;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104)
/*
 * ERR(cond, fmt, ...) - report queued OpenSSL errors and abort on failure.
 *
 * Evaluates @cond exactly once.  Whether or not it is true, any queued
 * OpenSSL errors are printed (and thereby consumed) with the call site's
 * line number.  If @cond is true, err(1, ...) prints the formatted message
 * and exits with status 1, so execution does not continue past a failed ERR().
 *
 * NOTE(review): err() appends strerror(errno), but display_openssl_errors()
 * performs stdio output between the failing call and err(); errno may no
 * longer hold the failing call's value by then -- confirm whether it should
 * be saved and restored.
 */
#define ERR(cond, fmt, ...) \
	do { \
		bool __cond = (cond); \
		display_openssl_errors(__LINE__); \
		if (__cond) { \
			err(1, fmt, ## __VA_ARGS__); \
		} \
	} while(0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113)
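/*
 * Passphrase (file keys) or PIN (PKCS#11 keys) for the signing key.
 * main() sets it from the KBUILD_SIGN_PIN environment variable; NULL means
 * none was supplied.
 */
static const char *key_pass;

/*
 * PEM passphrase callback handed to PEM_read_bio_PrivateKey().
 *
 * @buf: destination buffer for the passphrase
 * @len: size of @buf in bytes
 * @w:   unused
 * @v:   unused
 *
 * Copies key_pass, including its terminating NUL, into @buf and returns the
 * passphrase length.  Returns -1 when no passphrase is configured or when it
 * does not fit in @buf together with its terminator.  After a successful
 * copy key_pass is cleared, so a wrong passphrase is offered only once.
 */
static int pem_pw_cb(char *buf, int len, int w, void *v)
{
	size_t pwlen;

	(void)w;
	(void)v;

	if (!key_pass)
		return -1;

	/*
	 * Keep the length in size_t until after the bounds check so that it
	 * cannot be narrowed to a negative int and slip past the comparison.
	 */
	pwlen = strlen(key_pass);
	if (len <= 0 || pwlen >= (size_t)len)
		return -1;

	/* pwlen + 1 <= len is guaranteed here; the copy includes the NUL. */
	memcpy(buf, key_pass, pwlen + 1);

	/* If it's wrong, don't keep trying it. */
	key_pass = NULL;

	return (int)pwlen;
}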
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134)
/*
 * Load the signing key named by @private_key_name.
 *
 * A name beginning with "pkcs11:" is resolved through the OpenSSL "pkcs11"
 * ENGINE; if key_pass is set it is passed to the engine as the PIN.  Any
 * other name is opened as a file and parsed as a PEM private key, with
 * pem_pw_cb supplying the passphrase.
 *
 * Every failure goes through ERR(), which terminates the program, so the
 * returned key is never NULL.
 */
static EVP_PKEY *read_private_key(const char *private_key_name)
{
	EVP_PKEY *pkey;
	ENGINE *engine;
	BIO *key_bio;

	/* Plain file: handle it first and return early. */
	if (strncmp(private_key_name, "pkcs11:", 7) != 0) {
		key_bio = BIO_new_file(private_key_name, "rb");
		ERR(!key_bio, "%s", private_key_name);
		pkey = PEM_read_bio_PrivateKey(key_bio, NULL, pem_pw_cb, NULL);
		ERR(!pkey, "%s", private_key_name);
		BIO_free(key_bio);
		return pkey;
	}

	/* PKCS#11 URI: the key is loaded through the engine. */
	ENGINE_load_builtin_engines();
	/* Drop errors queued while loading engines so they are not reported below. */
	drain_openssl_errors();

	engine = ENGINE_by_id("pkcs11");
	ERR(!engine, "Load PKCS#11 ENGINE");

	if (!ENGINE_init(engine))
		ERR(1, "ENGINE_init");
	/* Reached only when ENGINE_init() succeeded; ERR(1, ...) does not return. */
	drain_openssl_errors();

	if (key_pass)
		ERR(!ENGINE_ctrl_cmd_string(engine, "PIN", key_pass, 0),
		    "Set PKCS#11 PIN");

	pkey = ENGINE_load_private_key(engine, private_key_name, NULL, NULL);
	ERR(!pkey, "%s", private_key_name);

	return pkey;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169)
/*
 * Load the X.509 certificate stored in the file @x509_name.
 *
 * The encoding is guessed from the first two bytes: 0x30 followed by a byte
 * in 0x81..0x84 is treated as raw DER, anything else as PEM.  A short read,
 * a retry request or any OpenSSL failure terminates the program, so the
 * returned certificate is never NULL.
 */
static X509 *read_x509(const char *x509_name)
{
	unsigned char magic[2];
	bool looks_der;
	X509 *cert;
	BIO *in;
	int got;

	in = BIO_new_file(x509_name, "rb");
	ERR(!in, "%s", x509_name);

	/* Peek at the first two bytes of the file to determine the encoding. */
	got = BIO_read(in, magic, 2);
	if (got != 2) {
		if (BIO_should_retry(in)) {
			fprintf(stderr, "%s: Read wanted retry\n", x509_name);
			exit(1);
		}
		if (got >= 0) {
			fprintf(stderr, "%s: Short read\n", x509_name);
			exit(1);
		}
		ERR(1, "%s", x509_name);
	}

	/* Rewind so that the parser sees the file from its start. */
	ERR(BIO_reset(in) != 0, "%s", x509_name);

	looks_der = magic[0] == 0x30 && magic[1] >= 0x81 && magic[1] <= 0x84;
	if (looks_der) {
		/* Assume raw DER encoded X.509 */
		cert = d2i_X509_bio(in, NULL);
	} else {
		/* Assume PEM encoded X.509 */
		cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
	}

	BIO_free(in);
	ERR(!cert, "%s", x509_name);

	return cert;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208)
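/*
 * Sign a module file, or attach a pre-computed signature to one.
 *
 *   sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
 *   sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]
 *
 * Options:
 *   -s  append the contents of <raw sig> instead of computing a signature
 *   -p  also save the signature as <module>.p7s
 *   -d  write only <module>.p7s and exit without producing a signed module
 *   -k  identify the signer by key id (CMS builds only)
 *
 * Output layout: module data, signature blob, struct module_signature,
 * magic_number.  Without <dest> (or when <dest> equals <module>) the result
 * is written to "<module>.~signed~" and then renamed over <module>.
 *
 * The key passphrase / PKCS#11 PIN is taken from the KBUILD_SIGN_PIN
 * environment variable.  Environment variables are inherited by child
 * processes, so callers should scope that variable to the signing step.
 *
 * Exit status: 0 on success, 1 on an I/O or OpenSSL failure (via ERR()),
 * 2 on a usage error, 3 when a PKCS#7-only build is asked for a hash other
 * than sha1.
 */
int main(int argc, char **argv)
{
	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
	char *hash_algo = NULL;
	char *private_key_name = NULL, *raw_sig_name = NULL;
	char *x509_name, *module_name, *dest_name;
	bool save_sig = false, replace_orig;
	bool sign_only = false;
	bool raw_sig = false;
	unsigned char buf[4096];
	unsigned long module_size, sig_size;
	unsigned int use_signed_attrs;
	const EVP_MD *digest_algo;
	EVP_PKEY *private_key;
#ifndef USE_PKCS7
	CMS_ContentInfo *cms = NULL;
	unsigned int use_keyid = 0;
#else
	PKCS7 *pkcs7 = NULL;
#endif
	X509 *x509;
	BIO *bd, *bm;
	int opt, n;

	OpenSSL_add_all_algorithms();
	ERR_load_crypto_strings();
	ERR_clear_error();

	key_pass = getenv("KBUILD_SIGN_PIN");

#ifndef USE_PKCS7
	use_signed_attrs = CMS_NOATTR;
#else
	use_signed_attrs = PKCS7_NOATTR;
#endif

	do {
		opt = getopt(argc, argv, "sdpk");
		switch (opt) {
		case 's': raw_sig = true; break;
		case 'p': save_sig = true; break;
		case 'd': sign_only = true; save_sig = true; break;
#ifndef USE_PKCS7
		case 'k': use_keyid = CMS_USE_KEYID; break;
#endif
		case -1: break;
		default: format();
		}
	} while (opt != -1);

	argc -= optind;
	argv += optind;
	if (argc < 4 || argc > 5)
		format();

	/* The first two positional arguments depend on the mode. */
	if (raw_sig) {
		raw_sig_name = argv[0];
		hash_algo = argv[1];
	} else {
		hash_algo = argv[0];
		private_key_name = argv[1];
	}
	x509_name = argv[2];
	module_name = argv[3];
	if (argc == 5 && strcmp(argv[3], argv[4]) != 0) {
		dest_name = argv[4];
		replace_orig = false;
	} else {
		/* Sign in place: write a temporary file, rename it at the end. */
		ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0,
		    "asprintf");
		replace_orig = true;
	}

#ifdef USE_PKCS7
	if (strcmp(hash_algo, "sha1") != 0) {
		fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
			OPENSSL_VERSION_TEXT);
		exit(3);
	}
#endif

	/* Open the module file */
	bm = BIO_new_file(module_name, "rb");
	ERR(!bm, "%s", module_name);

	if (!raw_sig) {
		/* Read the private key and the X.509 cert the PKCS#7 message
		 * will point to.
		 */
		private_key = read_private_key(private_key_name);
		x509 = read_x509(x509_name);

		/* Digest the module data. */
		OpenSSL_add_all_digests();
		display_openssl_errors(__LINE__);
		digest_algo = EVP_get_digestbyname(hash_algo);
		ERR(!digest_algo, "EVP_get_digestbyname");

#ifndef USE_PKCS7
		/* Load the signature message from the digest buffer. */
		cms = CMS_sign(NULL, NULL, NULL, NULL,
			       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
			       CMS_DETACHED | CMS_STREAM);
		ERR(!cms, "CMS_sign");

		ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
				     CMS_NOCERTS | CMS_BINARY |
				     CMS_NOSMIMECAP | use_keyid |
				     use_signed_attrs),
		    "CMS_add1_signer");
		ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
		    "CMS_final");

#else
		pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
				   PKCS7_NOCERTS | PKCS7_BINARY |
				   PKCS7_DETACHED | use_signed_attrs);
		ERR(!pkcs7, "PKCS7_sign");
#endif

		if (save_sig) {
			char *sig_file_name;
			BIO *b;

			ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
			    "asprintf");
			b = BIO_new_file(sig_file_name, "wb");
			ERR(!b, "%s", sig_file_name);
#ifndef USE_PKCS7
			ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
			    "%s", sig_file_name);
#else
			ERR(i2d_PKCS7_bio(b, pkcs7) < 0,
			    "%s", sig_file_name);
#endif
			BIO_free(b);
		}

		if (sign_only) {
			BIO_free(bm);
			return 0;
		}
	}

	/* Open the destination file now so that we can shovel the module data
	 * across as we read it.
	 */
	bd = BIO_new_file(dest_name, "wb");
	ERR(!bd, "%s", dest_name);

	/* Append the marker and the PKCS#7 message to the destination file */
	ERR(BIO_reset(bm) < 0, "%s", module_name);
	while ((n = BIO_read(bm, buf, sizeof(buf))),
	       n > 0) {
		ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
	}
	BIO_free(bm);
	ERR(n < 0, "%s", module_name);
	module_size = BIO_number_written(bd);

	if (!raw_sig) {
#ifndef USE_PKCS7
		ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
#else
		ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
#endif
	} else {
		BIO *b;

		/* Read the raw signature file and write the data to the
		 * destination file
		 */
		b = BIO_new_file(raw_sig_name, "rb");
		ERR(!b, "%s", raw_sig_name);
		while ((n = BIO_read(b, buf, sizeof(buf))), n > 0)
			ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
		/*
		 * A failed read must not be mistaken for end of file: that
		 * would emit a module carrying a truncated signature.
		 */
		ERR(n < 0, "%s", raw_sig_name);
		BIO_free(b);
	}

	/* The signature length is whatever was written after the module data. */
	sig_size = BIO_number_written(bd) - module_size;
	sig_info.sig_len = htonl(sig_size);
	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);

	/*
	 * Flush explicitly so that a deferred write failure is caught before
	 * the rename below.  BIO_free() returns 1 on success and 0 on
	 * failure, so compare against 1; "< 0" could never trigger.
	 */
	ERR(BIO_flush(bd) <= 0, "%s", dest_name);
	ERR(BIO_free(bd) != 1, "%s", dest_name);

	/* Finally, if we're signing in place, replace the original. */
	if (replace_orig)
		ERR(rename(dest_name, module_name) < 0, "%s", dest_name);

	return 0;
}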