[deliverable/linux.git] / scripts / sign-file

#!/bin/bash
#
# Sign a module file using the given key.
#
# Format: sign-file <key> <x509> <keyid-script> <module>
#

scripts=`dirname $0`

CONFIG_MODULE_SIG_SHA512=y
if [ -r .config ]
then
    . ./.config
fi

key="$1"
x509="$2"
keyid_script="$3"
mod="$4"

if [ ! -r "$key" ]
then
    echo "Can't read private key" >&2
    exit 2
fi

if [ ! -r "$x509" ]
then
    echo "Can't read X.509 certificate" >&2
    exit 2
fi

#
# Signature parameters
#
algo=1		# Public-key crypto algorithm: RSA
hash=		# Digest algorithm
id_type=1	# Identifier type: X.509

#
# Digest the data
#
dgst=
if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
then
    prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
    dgst=-sha1
    hash=2
elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
then
    prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
    dgst=-sha224
    hash=7
elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
then
    prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
    dgst=-sha256
    hash=4
elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
then
    prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
    dgst=-sha384
    hash=5
elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
then
    prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
    dgst=-sha512
    hash=6
else
    echo "$0: Can't determine hash algorithm" >&2
    exit 2
fi

(
perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
openssl dgst $dgst -binary $mod || exit $?
) >$mod.dig || exit $?

#
# Generate the binary signature, which will be just the integer that comprises
# the signature with no metadata attached.
#
openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig || exit $?

SIGNER="`perl $keyid_script $x509 signer-name`"
KEYID="`perl $keyid_script $x509 keyid`"
keyidlen=${#KEYID}
siglen=${#SIGNER}

#
# Build the signed binary
#
(
    cat $mod || exit $?
    echo '~Module signature appended~' || exit $?
    echo -n "$SIGNER" || exit $?
    echo -n "$KEYID" || exit $?

    # Preface each signature integer with a 2-byte BE length
    perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
    cat $mod.sig || exit $?

    # Generate the information block
    perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
) >$mod~ || exit $?

mv $mod~ $mod || exit $?
Commit	Line	Data
e2a666d5	1	#!/bin/bash
80d65e58 DH	2	#
	3	# Sign a module file using the given key.
	4	#
e2a666d5	5	# Format: sign-file <key> <x509> <keyid-script> <module>
80d65e58 DH	6	#
	7
	8	scripts=`dirname $0`
	9
	10	CONFIG_MODULE_SIG_SHA512=y
	11	if [ -r .config ]
	12	then
	13	. ./.config
	14	fi
	15
	16	key="$1"
	17	x509="$2"
e2a666d5 RR	18	keyid_script="$3"
e2a666d5 RR	19	mod="$4"
80d65e58 DH	20
	21	if [ ! -r "$key" ]
	22	then
	23	echo "Can't read private key" >&2
	24	exit 2
	25	fi
	26
	27	if [ ! -r "$x509" ]
	28	then
	29	echo "Can't read X.509 certificate" >&2
	30	exit 2
	31	fi
80d65e58 DH	32
	33	#
	34	# Signature parameters
	35	#
	36	algo=1 # Public-key crypto algorithm: RSA
	37	hash= # Digest algorithm
	38	id_type=1 # Identifier type: X.509
	39
	40	#
	41	# Digest the data
	42	#
	43	dgst=
	44	if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
	45	then
	46	prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
	47	dgst=-sha1
	48	hash=2
	49	elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
	50	then
	51	prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
	52	dgst=-sha224
	53	hash=7
	54	elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
	55	then
	56	prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
	57	dgst=-sha256
	58	hash=4
	59	elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
	60	then
	61	prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
	62	dgst=-sha384
	63	hash=5
	64	elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
	65	then
	66	prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
	67	dgst=-sha512
	68	hash=6
	69	else
	70	echo "$0: Can't determine hash algorithm" >&2
	71	exit 2
	72	fi
	73
	74	(
	75	perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" \|\| exit $?
e2a666d5 RR	76	openssl dgst $dgst -binary $mod \|\| exit $?
e2a666d5 RR	77	) >$mod.dig \|\| exit $?
80d65e58 DH	78
	79	#
	80	# Generate the binary signature, which will be just the integer that comprises
	81	# the signature with no metadata attached.
	82	#
e2a666d5 RR	83	openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig \|\| exit $?
	84
	85	SIGNER="`perl $keyid_script $x509 signer-name`"
	86	KEYID="`perl $keyid_script $x509 keyid`"
	87	keyidlen=${#KEYID}
	88	siglen=${#SIGNER}
80d65e58 DH	89
	90	#
	91	# Build the signed binary
	92	#
	93	(
e2a666d5	94	cat $mod \|\| exit $?
80d65e58	95	echo '~Module signature appended~' \|\| exit $?
e2a666d5 RR	96	echo -n "$SIGNER" \|\| exit $?
e2a666d5 RR	97	echo -n "$KEYID" \|\| exit $?
80d65e58 DH	98
	99	# Preface each signature integer with a 2-byte BE length
	100	perl -e "binmode STDOUT; print pack(\"n\", $siglen)" \|\| exit $?
e2a666d5	101	cat $mod.sig \|\| exit $?
80d65e58 DH	102
	103	# Generate the information block
	104	perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" \|\| exit $?
e2a666d5	105	) >$mod~ \|\| exit $?
80d65e58	106
e2a666d5	107	mv $mod~ $mod \|\| exit $?