1 /* Sign a module file using the given key.
3 * Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved.
4 * Copyright © 2015 Intel Corporation.
6 * Authors: David Howells <dhowells@redhat.com>
7 * David Woodhouse <dwmw2@infradead.org>
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1
12 * of the licence, or (at your option) any later version.
22 #include <arpa/inet.h>
23 #include <openssl/bio.h>
24 #include <openssl/evp.h>
25 #include <openssl/pem.h>
26 #include <openssl/cms.h>
27 #include <openssl/err.h>
28 #include <openssl/engine.h>
30 struct module_signature
{
31 uint8_t algo
; /* Public-key crypto algorithm [0] */
32 uint8_t hash
; /* Digest algorithm [0] */
33 uint8_t id_type
; /* Key identifier type [PKEY_ID_PKCS7] */
34 uint8_t signer_len
; /* Length of signer's name [0] */
35 uint8_t key_id_len
; /* Length of key identifier [0] */
37 uint32_t sig_len
; /* Length of signature data */
40 #define PKEY_ID_PKCS7 2
42 static char magic_number
[] = "~Module signature appended~\n";
44 static __attribute__((noreturn
))
48 "Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
52 static void display_openssl_errors(int l
)
58 if (ERR_peek_error() == 0)
60 fprintf(stderr
, "At main.c:%d:\n", l
);
62 while ((e
= ERR_get_error_line(&file
, &line
))) {
63 ERR_error_string(e
, buf
);
64 fprintf(stderr
, "- SSL %s: %s:%d\n", buf
, file
, line
);
68 static void drain_openssl_errors(void)
73 if (ERR_peek_error() == 0)
75 while (ERR_get_error_line(&file
, &line
)) {}
78 #define ERR(cond, fmt, ...) \
80 bool __cond = (cond); \
81 display_openssl_errors(__LINE__); \
83 err(1, fmt, ## __VA_ARGS__); \
87 static const char *key_pass
;
89 static int pem_pw_cb(char *buf
, int len
, int w
, void *v
)
96 pwlen
= strlen(key_pass
);
100 strcpy(buf
, key_pass
);
102 /* If it's wrong, don't keep trying it. */
108 int main(int argc
, char **argv
)
110 struct module_signature sig_info
= { .id_type
= PKEY_ID_PKCS7
};
111 char *hash_algo
= NULL
;
112 char *private_key_name
, *x509_name
, *module_name
, *dest_name
;
113 bool save_cms
= false, replace_orig
;
114 bool sign_only
= false;
115 unsigned char buf
[4096];
116 unsigned long module_size
, cms_size
;
117 unsigned int use_keyid
= 0, use_signed_attrs
= CMS_NOATTR
;
118 const EVP_MD
*digest_algo
;
119 EVP_PKEY
*private_key
;
120 CMS_ContentInfo
*cms
;
122 BIO
*b
, *bd
= NULL
, *bm
;
125 OpenSSL_add_all_algorithms();
126 ERR_load_crypto_strings();
129 key_pass
= getenv("KBUILD_SIGN_PIN");
132 opt
= getopt(argc
, argv
, "dpk");
134 case 'p': save_cms
= true; break;
135 case 'd': sign_only
= true; save_cms
= true; break;
136 case 'k': use_keyid
= CMS_USE_KEYID
; break;
144 if (argc
< 4 || argc
> 5)
148 private_key_name
= argv
[1];
150 module_name
= argv
[3];
153 replace_orig
= false;
155 ERR(asprintf(&dest_name
, "%s.~signed~", module_name
) < 0,
160 /* Read the private key and the X.509 cert the PKCS#7 message
163 if (!strncmp(private_key_name
, "pkcs11:", 7)) {
166 ENGINE_load_builtin_engines();
167 drain_openssl_errors();
168 e
= ENGINE_by_id("pkcs11");
169 ERR(!e
, "Load PKCS#11 ENGINE");
171 drain_openssl_errors();
173 ERR(1, "ENGINE_init");
175 ERR(!ENGINE_ctrl_cmd_string(e
, "PIN", key_pass
, 0), "Set PKCS#11 PIN");
176 private_key
= ENGINE_load_private_key(e
, private_key_name
, NULL
,
178 ERR(!private_key
, "%s", private_key_name
);
180 b
= BIO_new_file(private_key_name
, "rb");
181 ERR(!b
, "%s", private_key_name
);
182 private_key
= PEM_read_bio_PrivateKey(b
, NULL
, pem_pw_cb
, NULL
);
183 ERR(!private_key
, "%s", private_key_name
);
187 b
= BIO_new_file(x509_name
, "rb");
188 ERR(!b
, "%s", x509_name
);
189 x509
= d2i_X509_bio(b
, NULL
); /* Binary encoded X.509 */
191 ERR(BIO_reset(b
) != 1, "%s", x509_name
);
192 x509
= PEM_read_bio_X509(b
, NULL
, NULL
, NULL
); /* PEM encoded X.509 */
194 drain_openssl_errors();
197 ERR(!x509
, "%s", x509_name
);
199 /* Open the destination file now so that we can shovel the module data
200 * across as we read it.
203 bd
= BIO_new_file(dest_name
, "wb");
204 ERR(!bd
, "%s", dest_name
);
207 /* Digest the module data. */
208 OpenSSL_add_all_digests();
209 display_openssl_errors(__LINE__
);
210 digest_algo
= EVP_get_digestbyname(hash_algo
);
211 ERR(!digest_algo
, "EVP_get_digestbyname");
213 bm
= BIO_new_file(module_name
, "rb");
214 ERR(!bm
, "%s", module_name
);
216 /* Load the CMS message from the digest buffer. */
217 cms
= CMS_sign(NULL
, NULL
, NULL
, NULL
,
218 CMS_NOCERTS
| CMS_PARTIAL
| CMS_BINARY
| CMS_DETACHED
| CMS_STREAM
);
219 ERR(!cms
, "CMS_sign");
221 ERR(!CMS_add1_signer(cms
, x509
, private_key
, digest_algo
,
222 CMS_NOCERTS
| CMS_BINARY
| CMS_NOSMIMECAP
|
223 use_keyid
| use_signed_attrs
),
224 "CMS_sign_add_signer");
225 ERR(CMS_final(cms
, bm
, NULL
, CMS_NOCERTS
| CMS_BINARY
) < 0,
231 ERR(asprintf(&cms_name
, "%s.p7s", module_name
) < 0, "asprintf");
232 b
= BIO_new_file(cms_name
, "wb");
233 ERR(!b
, "%s", cms_name
);
234 ERR(i2d_CMS_bio_stream(b
, cms
, NULL
, 0) < 0, "%s", cms_name
);
241 /* Append the marker and the PKCS#7 message to the destination file */
242 ERR(BIO_reset(bm
) < 0, "%s", module_name
);
243 while ((n
= BIO_read(bm
, buf
, sizeof(buf
))),
245 ERR(BIO_write(bd
, buf
, n
) < 0, "%s", dest_name
);
247 ERR(n
< 0, "%s", module_name
);
248 module_size
= BIO_number_written(bd
);
250 ERR(i2d_CMS_bio_stream(bd
, cms
, NULL
, 0) < 0, "%s", dest_name
);
251 cms_size
= BIO_number_written(bd
) - module_size
;
252 sig_info
.sig_len
= htonl(cms_size
);
253 ERR(BIO_write(bd
, &sig_info
, sizeof(sig_info
)) < 0, "%s", dest_name
);
254 ERR(BIO_write(bd
, magic_number
, sizeof(magic_number
) - 1) < 0, "%s", dest_name
);
256 ERR(BIO_free(bd
) < 0, "%s", dest_name
);
258 /* Finally, if we're signing in place, replace the original. */
260 ERR(rename(dest_name
, module_name
) < 0, "%s", dest_name
);