]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - scripts/sign-file.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:


720b9bc933ae05123c95463f46294b6dba9437e0
[mirror_ubuntu-artful-kernel.git] / scripts / sign-file.c
1 /* Sign a module file using the given key.
2 *
3 * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11 #define _GNU_SOURCE
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include <stdint.h>
15 #include <stdbool.h>
16 #include <string.h>
17 #include <getopt.h>
18 #include <err.h>
19 #include <arpa/inet.h>
20 #include <openssl/bio.h>
21 #include <openssl/evp.h>
22 #include <openssl/pem.h>
23 #include <openssl/pkcs7.h>
24 #include <openssl/err.h>
25
26 struct module_signature {
27 uint8_t algo; /* Public-key crypto algorithm [0] */
28 uint8_t hash; /* Digest algorithm [0] */
29 uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */
30 uint8_t signer_len; /* Length of signer's name [0] */
31 uint8_t key_id_len; /* Length of key identifier [0] */
32 uint8_t __pad[3];
33 uint32_t sig_len; /* Length of signature data */
34 };
35
36 #define PKEY_ID_PKCS7 2
37
38 static char magic_number[] = "~Module signature appended~\n";
39
40 static __attribute__((noreturn))
41 void format(void)
42 {
43 fprintf(stderr,
44 "Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
45 exit(2);
46 }
47
48 static void display_openssl_errors(int l)
49 {
50 const char *file;
51 char buf[120];
52 int e, line;
53
54 if (ERR_peek_error() == 0)
55 return;
56 fprintf(stderr, "At main.c:%d:\n", l);
57
58 while ((e = ERR_get_error_line(&file, &line))) {
59 ERR_error_string(e, buf);
60 fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
61 }
62 }
63
64 static void drain_openssl_errors(void)
65 {
66 const char *file;
67 int line;
68
69 if (ERR_peek_error() == 0)
70 return;
71 while (ERR_get_error_line(&file, &line)) {}
72 }
73
74 #define ERR(cond, fmt, ...) \
75 do { \
76 bool __cond = (cond); \
77 display_openssl_errors(__LINE__); \
78 if (__cond) { \
79 err(1, fmt, ## __VA_ARGS__); \
80 } \
81 } while(0)
82
83 static const char *key_pass;
84
85 static int pem_pw_cb(char *buf, int len, int w, void *v)
86 {
87 int pwlen;
88
89 if (!key_pass)
90 return -1;
91
92 pwlen = strlen(key_pass);
93 if (pwlen >= len)
94 return -1;
95
96 strcpy(buf, key_pass);
97
98 /* If it's wrong, don't keep trying it. */
99 key_pass = NULL;
100
101 return pwlen;
102 }
103
104 int main(int argc, char **argv)
105 {
106 struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
107 char *hash_algo = NULL;
108 char *private_key_name, *x509_name, *module_name, *dest_name;
109 bool save_pkcs7 = false, replace_orig;
110 bool sign_only = false;
111 unsigned char buf[4096];
112 unsigned long module_size, pkcs7_size;
113 const EVP_MD *digest_algo;
114 EVP_PKEY *private_key;
115 PKCS7 *pkcs7;
116 X509 *x509;
117 BIO *b, *bd = NULL, *bm;
118 int opt, n;
119
120 OpenSSL_add_all_algorithms();
121 ERR_load_crypto_strings();
122 ERR_clear_error();
123
124 key_pass = getenv("KBUILD_SIGN_PIN");
125
126 do {
127 opt = getopt(argc, argv, "dp");
128 switch (opt) {
129 case 'p': save_pkcs7 = true; break;
130 case 'd': sign_only = true; save_pkcs7 = true; break;
131 case -1: break;
132 default: format();
133 }
134 } while (opt != -1);
135
136 argc -= optind;
137 argv += optind;
138 if (argc < 4 || argc > 5)
139 format();
140
141 hash_algo = argv[0];
142 private_key_name = argv[1];
143 x509_name = argv[2];
144 module_name = argv[3];
145 if (argc == 5) {
146 dest_name = argv[4];
147 replace_orig = false;
148 } else {
149 ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0,
150 "asprintf");
151 replace_orig = true;
152 }
153
154 /* Read the private key and the X.509 cert the PKCS#7 message
155 * will point to.
156 */
157 b = BIO_new_file(private_key_name, "rb");
158 ERR(!b, "%s", private_key_name);
159 private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
160 ERR(!private_key, "%s", private_key_name);
161 BIO_free(b);
162
163 b = BIO_new_file(x509_name, "rb");
164 ERR(!b, "%s", x509_name);
165 x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
166 if (!x509) {
167 BIO_reset(b);
168 x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
169 if (x509)
170 drain_openssl_errors();
171 }
172 BIO_free(b);
173 ERR(!x509, "%s", x509_name);
174
175 /* Open the destination file now so that we can shovel the module data
176 * across as we read it.
177 */
178 if (!sign_only) {
179 bd = BIO_new_file(dest_name, "wb");
180 ERR(!bd, "%s", dest_name);
181 }
182
183 /* Digest the module data. */
184 OpenSSL_add_all_digests();
185 display_openssl_errors(__LINE__);
186 digest_algo = EVP_get_digestbyname(hash_algo);
187 ERR(!digest_algo, "EVP_get_digestbyname");
188
189 bm = BIO_new_file(module_name, "rb");
190 ERR(!bm, "%s", module_name);
191
192 /* Load the PKCS#7 message from the digest buffer. */
193 pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL,
194 PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM);
195 ERR(!pkcs7, "PKCS7_sign");
196
197 ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, PKCS7_NOCERTS | PKCS7_BINARY),
198 "PKCS7_sign_add_signer");
199 ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
200 "PKCS7_final");
201
202 if (save_pkcs7) {
203 char *pkcs7_name;
204
205 ERR(asprintf(&pkcs7_name, "%s.pkcs7", module_name) < 0, "asprintf");
206 b = BIO_new_file(pkcs7_name, "wb");
207 ERR(!b, "%s", pkcs7_name);
208 ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, "%s", pkcs7_name);
209 BIO_free(b);
210 }
211
212 if (sign_only)
213 return 0;
214
215 /* Append the marker and the PKCS#7 message to the destination file */
216 ERR(BIO_reset(bm) < 0, "%s", module_name);
217 while ((n = BIO_read(bm, buf, sizeof(buf))),
218 n > 0) {
219 ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
220 }
221 ERR(n < 0, "%s", module_name);
222 module_size = BIO_number_written(bd);
223
224 ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name);
225 pkcs7_size = BIO_number_written(bd) - module_size;
226 sig_info.sig_len = htonl(pkcs7_size);
227 ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
228 ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
229
230 ERR(BIO_free(bd) < 0, "%s", dest_name);
231
232 /* Finally, if we're signing in place, replace the original. */
233 if (replace_orig)
234 ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
235
236 return 0;
237 }
Ubuntu Artful kernel mirror