1 /* Sign a module file using the given key.
3 * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
19 #include <arpa/inet.h>
20 #include <openssl/bio.h>
21 #include <openssl/evp.h>
22 #include <openssl/pem.h>
23 #include <openssl/pkcs7.h>
24 #include <openssl/err.h>
25 #include <openssl/engine.h>
27 struct module_signature
{
28 uint8_t algo
; /* Public-key crypto algorithm [0] */
29 uint8_t hash
; /* Digest algorithm [0] */
30 uint8_t id_type
; /* Key identifier type [PKEY_ID_PKCS7] */
31 uint8_t signer_len
; /* Length of signer's name [0] */
32 uint8_t key_id_len
; /* Length of key identifier [0] */
34 uint32_t sig_len
; /* Length of signature data */
37 #define PKEY_ID_PKCS7 2
39 static char magic_number
[] = "~Module signature appended~\n";
41 static __attribute__((noreturn
))
45 "Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
49 static void display_openssl_errors(int l
)
55 if (ERR_peek_error() == 0)
57 fprintf(stderr
, "At main.c:%d:\n", l
);
59 while ((e
= ERR_get_error_line(&file
, &line
))) {
60 ERR_error_string(e
, buf
);
61 fprintf(stderr
, "- SSL %s: %s:%d\n", buf
, file
, line
);
65 static void drain_openssl_errors(void)
70 if (ERR_peek_error() == 0)
72 while (ERR_get_error_line(&file
, &line
)) {}
75 #define ERR(cond, fmt, ...) \
77 bool __cond = (cond); \
78 display_openssl_errors(__LINE__); \
80 err(1, fmt, ## __VA_ARGS__); \
84 static const char *key_pass
;
86 static int pem_pw_cb(char *buf
, int len
, int w
, void *v
)
93 pwlen
= strlen(key_pass
);
97 strcpy(buf
, key_pass
);
99 /* If it's wrong, don't keep trying it. */
105 int main(int argc
, char **argv
)
107 struct module_signature sig_info
= { .id_type
= PKEY_ID_PKCS7
};
108 char *hash_algo
= NULL
;
109 char *private_key_name
, *x509_name
, *module_name
, *dest_name
;
110 bool save_pkcs7
= false, replace_orig
;
111 bool sign_only
= false;
112 unsigned char buf
[4096];
113 unsigned long module_size
, pkcs7_size
;
114 const EVP_MD
*digest_algo
;
115 EVP_PKEY
*private_key
;
118 BIO
*b
, *bd
= NULL
, *bm
;
121 OpenSSL_add_all_algorithms();
122 ERR_load_crypto_strings();
125 key_pass
= getenv("KBUILD_SIGN_PIN");
128 opt
= getopt(argc
, argv
, "dp");
130 case 'p': save_pkcs7
= true; break;
131 case 'd': sign_only
= true; save_pkcs7
= true; break;
139 if (argc
< 4 || argc
> 5)
143 private_key_name
= argv
[1];
145 module_name
= argv
[3];
148 replace_orig
= false;
150 ERR(asprintf(&dest_name
, "%s.~signed~", module_name
) < 0,
155 /* Read the private key and the X.509 cert the PKCS#7 message
158 if (!strncmp(private_key_name
, "pkcs11:", 7)) {
161 ENGINE_load_builtin_engines();
162 drain_openssl_errors();
163 e
= ENGINE_by_id("pkcs11");
164 ERR(!e
, "Load PKCS#11 ENGINE");
166 drain_openssl_errors();
168 ERR(1, "ENGINE_init");
170 ERR(!ENGINE_ctrl_cmd_string(e
, "PIN", key_pass
, 0), "Set PKCS#11 PIN");
171 private_key
= ENGINE_load_private_key(e
, private_key_name
, NULL
,
173 ERR(!private_key
, "%s", private_key_name
);
175 b
= BIO_new_file(private_key_name
, "rb");
176 ERR(!b
, "%s", private_key_name
);
177 private_key
= PEM_read_bio_PrivateKey(b
, NULL
, pem_pw_cb
, NULL
);
178 ERR(!private_key
, "%s", private_key_name
);
182 b
= BIO_new_file(x509_name
, "rb");
183 ERR(!b
, "%s", x509_name
);
184 x509
= d2i_X509_bio(b
, NULL
); /* Binary encoded X.509 */
187 x509
= PEM_read_bio_X509(b
, NULL
, NULL
, NULL
); /* PEM encoded X.509 */
189 drain_openssl_errors();
192 ERR(!x509
, "%s", x509_name
);
194 /* Open the destination file now so that we can shovel the module data
195 * across as we read it.
198 bd
= BIO_new_file(dest_name
, "wb");
199 ERR(!bd
, "%s", dest_name
);
202 /* Digest the module data. */
203 OpenSSL_add_all_digests();
204 display_openssl_errors(__LINE__
);
205 digest_algo
= EVP_get_digestbyname(hash_algo
);
206 ERR(!digest_algo
, "EVP_get_digestbyname");
208 bm
= BIO_new_file(module_name
, "rb");
209 ERR(!bm
, "%s", module_name
);
211 /* Load the PKCS#7 message from the digest buffer. */
212 pkcs7
= PKCS7_sign(NULL
, NULL
, NULL
, NULL
,
213 PKCS7_NOCERTS
| PKCS7_PARTIAL
| PKCS7_BINARY
| PKCS7_DETACHED
| PKCS7_STREAM
);
214 ERR(!pkcs7
, "PKCS7_sign");
216 ERR(!PKCS7_sign_add_signer(pkcs7
, x509
, private_key
, digest_algo
, PKCS7_NOCERTS
| PKCS7_BINARY
),
217 "PKCS7_sign_add_signer");
218 ERR(PKCS7_final(pkcs7
, bm
, PKCS7_NOCERTS
| PKCS7_BINARY
) < 0,
224 ERR(asprintf(&pkcs7_name
, "%s.pkcs7", module_name
) < 0, "asprintf");
225 b
= BIO_new_file(pkcs7_name
, "wb");
226 ERR(!b
, "%s", pkcs7_name
);
227 ERR(i2d_PKCS7_bio_stream(b
, pkcs7
, NULL
, 0) < 0, "%s", pkcs7_name
);
234 /* Append the marker and the PKCS#7 message to the destination file */
235 ERR(BIO_reset(bm
) < 0, "%s", module_name
);
236 while ((n
= BIO_read(bm
, buf
, sizeof(buf
))),
238 ERR(BIO_write(bd
, buf
, n
) < 0, "%s", dest_name
);
240 ERR(n
< 0, "%s", module_name
);
241 module_size
= BIO_number_written(bd
);
243 ERR(i2d_PKCS7_bio_stream(bd
, pkcs7
, NULL
, 0) < 0, "%s", dest_name
);
244 pkcs7_size
= BIO_number_written(bd
) - module_size
;
245 sig_info
.sig_len
= htonl(pkcs7_size
);
246 ERR(BIO_write(bd
, &sig_info
, sizeof(sig_info
)) < 0, "%s", dest_name
);
247 ERR(BIO_write(bd
, magic_number
, sizeof(magic_number
) - 1) < 0, "%s", dest_name
);
249 ERR(BIO_free(bd
) < 0, "%s", dest_name
);
251 /* Finally, if we're signing in place, replace the original. */
253 ERR(rename(dest_name
, module_name
) < 0, "%s", dest_name
);