summaryrefslogtreecommitdiff
path: root/scripts/sign-file
blob: e58e34e50ac549bb1d2230062ec0b55f6f03386b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
#!/bin/sh
#
# Sign a module file using the given key.
#
# Format: sign-file <key> <x509> <src-file> <dst-file>
#

scripts=`dirname $0`

CONFIG_MODULE_SIG_SHA512=y
if [ -r .config ]
then
    . ./.config
fi

key="$1"
x509="$2"
src="$3"
dst="$4"

if [ ! -r "$key" ]
then
    echo "Can't read private key" >&2
    exit 2
fi

if [ ! -r "$x509" ]
then
    echo "Can't read X.509 certificate" >&2
    exit 2
fi
if [ ! -r "$x509.signer" ]
then
    echo "Can't read Signer name" >&2
    exit 2;
fi
if [ ! -r "$x509.keyid" ]
then
    echo "Can't read Key identifier" >&2
    exit 2;
fi

#
# Signature parameters
#
algo=1		# Public-key crypto algorithm: RSA
hash=		# Digest algorithm
id_type=1	# Identifier type: X.509

#
# Digest the data
#
dgst=
if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
then
    prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
    dgst=-sha1
    hash=2
elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
then
    prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
    dgst=-sha224
    hash=7
elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
then
    prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
    dgst=-sha256
    hash=4
elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
then
    prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
    dgst=-sha384
    hash=5
elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
then
    prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
    dgst=-sha512
    hash=6
else
    echo "$0: Can't determine hash algorithm" >&2
    exit 2
fi

(
perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
openssl dgst $dgst -binary $src || exit $?
) >$src.dig || exit $?

#
# Generate the binary signature, which will be just the integer that comprises
# the signature with no metadata attached.
#
openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?
signerlen=`stat -c %s $x509.signer`
keyidlen=`stat -c %s $x509.keyid`
siglen=`stat -c %s $src.sig`

#
# Build the signed binary
#
(
    cat $src || exit $?
    echo '~Module signature appended~' || exit $?
    cat $x509.signer $x509.keyid || exit $?

    # Preface each signature integer with a 2-byte BE length
    perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
    cat $src.sig || exit $?

    # Generate the information block
    perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
) >$dst~ || exit $?

# Permit in-place signing
mv $dst~ $dst || exit $?