scripts/sign-file

   1 #!/bin/bash
   2 #
   3 # Sign a module file using the given key.
   4 #
   5 # Format: sign-file <key> <x509> <keyid-script> <module>
   6 #
   7
   8 scripts=`dirname $0`
   9
  10 CONFIG_MODULE_SIG_SHA512=y
  11 if [ -r .config ]
  12 then
  13     . ./.config
  14 fi
  15
  16 key="$1"
  17 x509="$2"
  18 keyid_script="$3"
  19 mod="$4"
  20
  21 if [ ! -r "$key" ]
  22 then
  23     echo "Can't read private key" >&2
  24     exit 2
  25 fi
  26
  27 if [ ! -r "$x509" ]
  28 then
  29     echo "Can't read X.509 certificate" >&2
  30     exit 2
  31 fi
  32
  33 #
  34 # Signature parameters
  35 #
  36 algo=1          # Public-key crypto algorithm: RSA
  37 hash=           # Digest algorithm
  38 id_type=1       # Identifier type: X.509
  39
  40 #
  41 # Digest the data
  42 #
  43 dgst=
  44 if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
  45 then
  46     prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
  47     dgst=-sha1
  48     hash=2
  49 elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
  50 then
  51     prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
  52     dgst=-sha224
  53     hash=7
  54 elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
  55 then
  56     prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
  57     dgst=-sha256
  58     hash=4
  59 elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
  60 then
  61     prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
  62     dgst=-sha384
  63     hash=5
  64 elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
  65 then
  66     prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
  67     dgst=-sha512
  68     hash=6
  69 else
  70     echo "$0: Can't determine hash algorithm" >&2
  71     exit 2
  72 fi
  73
  74 (
  75 perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
  76 openssl dgst $dgst -binary $mod || exit $?
  77 ) >$mod.dig || exit $?
  78
  79 #
  80 # Generate the binary signature, which will be just the integer that comprises
  81 # the signature with no metadata attached.
  82 #
  83 openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig || exit $?
  84
  85 SIGNER="`perl $keyid_script $x509 signer-name`"
  86 KEYID="`perl $keyid_script $x509 keyid`"
  87 keyidlen=${#KEYID}
  88 siglen=${#SIGNER}
  89
  90 #
  91 # Build the signed binary
  92 #
  93 (
  94     cat $mod || exit $?
  95     echo '~Module signature appended~' || exit $?
  96     echo -n "$SIGNER" || exit $?
  97     echo -n "$KEYID" || exit $?
  98
  99     # Preface each signature integer with a 2-byte BE length
 100     perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
 101     cat $mod.sig || exit $?
 102
 103     # Generate the information block
 104     perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
 105 ) >$mod~ || exit $?
 106
 107 mv $mod~ $mod || exit $?