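#!/bin/bash
#
# Sign a module file using the given key.
#
# Format: sign-file <key> <x509> <keyid-script> <module>
#
#   <key>           PEM-encoded RSA private key that produces the signature
#   <x509>          the matching X.509 certificate; it is only used to derive
#                   the signer name and key identifier embedded in the
#                   signature block
#   <keyid-script>  Perl script run as "<keyid-script> <x509> signer-name" and
#                   "<keyid-script> <x509> keyid"; its stdout is embedded
#                   verbatim, so it must print nothing but the value
#   <module>        module file; rewritten in place with the signature appended
#
# The digest algorithm is chosen from CONFIG_MODULE_SIG_SHA* in ./.config
# (SHA-512 when there is no .config).  The intermediates <module>.dig and
# <module>.sig are left beside the module, as before.  Output is assembled in
# <module>~ and only moved over the module once every step has succeeded, so a
# failed run never leaves a half-signed module in place; the partial <module>~
# is removed on failure.
#
# Exit status: 0 on success, 2 on a usage/configuration error, otherwise the
# status of the first failing openssl/perl/wc invocation.
#

# Print an error on stderr and exit with the script's usage-error status.
die()
{
    printf '%s\n' "$*" >&2
    exit 2
}

# Byte length of $1.  bash's ${#var} counts characters in a multibyte locale,
# but the length fields written below must match the bytes that are emitted.
bytelen()
{
    local n
    n=$(printf '%s' "$1" | wc -c) || return
    echo $((n))
}

# SHA-512 is only the fallback for a tree without a .config; the sourced
# config overrides it.  NB: .config is executed as shell code, so this must
# be the kernel's own generated config, never something untrusted.
CONFIG_MODULE_SIG_SHA512=y
if [ -r .config ]
then
    # shellcheck disable=SC1091
    . ./.config
fi

key="$1"
x509="$2"
keyid_script="$3"
mod="$4"

[ $# -eq 4 ] || die "Format: sign-file <key> <x509> <keyid-script> <module>"
[ -r "$key" ] || die "Can't read private key"
[ -r "$x509" ] || die "Can't read X.509 certificate"
[ -r "$keyid_script" ] || die "Can't read key ID script"
[ -r "$mod" ] || die "Can't read module"

#
# Signature parameters
#
# These numeric identifiers go into the trailing information block and must
# agree with the values the kernel's module verifier expects.
#
algo=1      # Public-key crypto algorithm: RSA
hash=       # Digest algorithm (set below from the config)
id_type=1   # Identifier type: X.509

#
# Digest the data
#
# "prologue" is the DER-encoded DigestInfo prefix (algorithm OID + OCTET
# STRING header) that PKCS#1 v1.5 requires in front of the raw hash.
# "openssl rsautl -sign" only applies PKCS#1 v1.5 padding and the private-key
# operation, so the DigestInfo has to be assembled here.
#
# SHA-1 is kept only for configurations that still select it; it is not an
# acceptable signature hash for new deployments.  Prefer SHA-256 or stronger.
#
dgst=
if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
then
    prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
    dgst=-sha1
    hash=2
elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
then
    prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
    dgst=-sha224
    hash=7
elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
then
    prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
    dgst=-sha256
    hash=4
elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
then
    prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
    dgst=-sha384
    hash=5
elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
then
    prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
    dgst=-sha512
    hash=6
else
    die "$0: Can't determine hash algorithm"
fi

# The module is fed on stdin so a path is never parsed as an option.
(
    perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
    openssl dgst "$dgst" -binary < "$mod" || exit $?
) >"$mod.dig" || exit $?

#
# Generate the binary signature, which will be just the integer that comprises
# the signature with no metadata attached.
#
# NOTE: "openssl rsautl" is deprecated as of OpenSSL 3.x in favour of
# "openssl pkeyutl -sign"; both apply PKCS#1 v1.5 padding to the DigestInfo
# produced above.
#
openssl rsautl -sign -inkey "$key" -keyform PEM -in "$mod.dig" -out "$mod.sig" || exit $?

# A failing key ID script must not silently yield an empty signer/key ID.
SIGNER=$(perl "$keyid_script" "$x509" signer-name) || exit $?
KEYID=$(perl "$keyid_script" "$x509" keyid) || exit $?
signerlen=$(bytelen "$SIGNER") || exit $?
keyidlen=$(bytelen "$KEYID") || exit $?

# Length of the raw signature integer in bytes.  This must be the size of the
# .sig file, not the length of the signer name: the 2-byte prefix and the
# sig_len field below are both derived from it.
siglen=$(wc -c < "$mod.sig") || exit $?
siglen=$((siglen))

# The information block stores these two lengths as single bytes ("C" in the
# pack format below), which would silently wrap larger values.
[ "$signerlen" -le 255 ] || die "$0: Signer name too long ($signerlen bytes, max 255)"
[ "$keyidlen" -le 255 ] || die "$0: Key ID too long ($keyidlen bytes, max 255)"
[ "$siglen" -gt 0 ] || die "$0: Empty signature in $mod.sig"

#
# Build the signed binary
#
# Layout: original module, marker line, signer name, key ID, 2-byte BE length
# + raw signature, then the information block (algo, hash, id_type,
# signer_len, key_id_len, 3 pad bytes, 4-byte BE sig_len including the
# 2-byte prefix).
#
trap 'rm -f -- "$mod~"' EXIT
(
    cat -- "$mod" || exit $?
    printf '%s\n' '~Module signature appended~' || exit $?
    # printf, not "echo -n": the signer name must be emitted exactly even if it
    # looks like an echo option or contains backslashes.
    printf '%s' "$SIGNER" || exit $?
    printf '%s' "$KEYID" || exit $?

    # Preface each signature integer with a 2-byte BE length
    perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
    cat -- "$mod.sig" || exit $?

    # Generate the information block
    perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
) >"$mod~" || exit $?

mv -- "$mod~" "$mod" || exit $?
trap - EXIT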