1 /* Sign a module file using the given key.
3 * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
19 #include <arpa/inet.h>
20 #include <openssl/bio.h>
21 #include <openssl/evp.h>
22 #include <openssl/pem.h>
23 #include <openssl/pkcs7.h>
24 #include <openssl/err.h>
26 struct module_signature
{
27 uint8_t algo
; /* Public-key crypto algorithm [0] */
28 uint8_t hash
; /* Digest algorithm [0] */
29 uint8_t id_type
; /* Key identifier type [PKEY_ID_PKCS7] */
30 uint8_t signer_len
; /* Length of signer's name [0] */
31 uint8_t key_id_len
; /* Length of key identifier [0] */
33 uint32_t sig_len
; /* Length of signature data */
36 #define PKEY_ID_PKCS7 2
38 static char magic_number
[] = "~Module signature appended~\n";
40 static __attribute__((noreturn
))
44 "Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
48 static void display_openssl_errors(int l
)
54 if (ERR_peek_error() == 0)
56 fprintf(stderr
, "At main.c:%d:\n", l
);
58 while ((e
= ERR_get_error_line(&file
, &line
))) {
59 ERR_error_string(e
, buf
);
60 fprintf(stderr
, "- SSL %s: %s:%d\n", buf
, file
, line
);
64 static void drain_openssl_errors(void)
69 if (ERR_peek_error() == 0)
71 while (ERR_get_error_line(&file
, &line
)) {}
74 #define ERR(cond, fmt, ...) \
76 bool __cond = (cond); \
77 display_openssl_errors(__LINE__); \
79 err(1, fmt, ## __VA_ARGS__); \
83 static const char *key_pass
;
85 static int pem_pw_cb(char *buf
, int len
, int w
, void *v
)
92 pwlen
= strlen(key_pass
);
96 strcpy(buf
, key_pass
);
98 /* If it's wrong, don't keep trying it. */
104 int main(int argc
, char **argv
)
106 struct module_signature sig_info
= { .id_type
= PKEY_ID_PKCS7
};
107 char *hash_algo
= NULL
;
108 char *private_key_name
, *x509_name
, *module_name
, *dest_name
;
109 bool save_pkcs7
= false, replace_orig
;
110 bool sign_only
= false;
111 unsigned char buf
[4096];
112 unsigned long module_size
, pkcs7_size
;
113 const EVP_MD
*digest_algo
;
114 EVP_PKEY
*private_key
;
117 BIO
*b
, *bd
= NULL
, *bm
;
120 OpenSSL_add_all_algorithms();
121 ERR_load_crypto_strings();
124 key_pass
= getenv("KBUILD_SIGN_PIN");
127 opt
= getopt(argc
, argv
, "dp");
129 case 'p': save_pkcs7
= true; break;
130 case 'd': sign_only
= true; save_pkcs7
= true; break;
138 if (argc
< 4 || argc
> 5)
142 private_key_name
= argv
[1];
144 module_name
= argv
[3];
147 replace_orig
= false;
149 ERR(asprintf(&dest_name
, "%s.~signed~", module_name
) < 0,
154 /* Read the private key and the X.509 cert the PKCS#7 message
157 b
= BIO_new_file(private_key_name
, "rb");
158 ERR(!b
, "%s", private_key_name
);
159 private_key
= PEM_read_bio_PrivateKey(b
, NULL
, pem_pw_cb
, NULL
);
160 ERR(!private_key
, "%s", private_key_name
);
163 b
= BIO_new_file(x509_name
, "rb");
164 ERR(!b
, "%s", x509_name
);
165 x509
= d2i_X509_bio(b
, NULL
); /* Binary encoded X.509 */
168 x509
= PEM_read_bio_X509(b
, NULL
, NULL
, NULL
); /* PEM encoded X.509 */
170 drain_openssl_errors();
173 ERR(!x509
, "%s", x509_name
);
175 /* Open the destination file now so that we can shovel the module data
176 * across as we read it.
179 bd
= BIO_new_file(dest_name
, "wb");
180 ERR(!bd
, "%s", dest_name
);
183 /* Digest the module data. */
184 OpenSSL_add_all_digests();
185 display_openssl_errors(__LINE__
);
186 digest_algo
= EVP_get_digestbyname(hash_algo
);
187 ERR(!digest_algo
, "EVP_get_digestbyname");
189 bm
= BIO_new_file(module_name
, "rb");
190 ERR(!bm
, "%s", module_name
);
192 /* Load the PKCS#7 message from the digest buffer. */
193 pkcs7
= PKCS7_sign(NULL
, NULL
, NULL
, NULL
,
194 PKCS7_NOCERTS
| PKCS7_PARTIAL
| PKCS7_BINARY
| PKCS7_DETACHED
| PKCS7_STREAM
);
195 ERR(!pkcs7
, "PKCS7_sign");
197 ERR(!PKCS7_sign_add_signer(pkcs7
, x509
, private_key
, digest_algo
, PKCS7_NOCERTS
| PKCS7_BINARY
),
198 "PKCS7_sign_add_signer");
199 ERR(PKCS7_final(pkcs7
, bm
, PKCS7_NOCERTS
| PKCS7_BINARY
) < 0,
205 ERR(asprintf(&pkcs7_name
, "%s.pkcs7", module_name
) < 0, "asprintf");
206 b
= BIO_new_file(pkcs7_name
, "wb");
207 ERR(!b
, "%s", pkcs7_name
);
208 ERR(i2d_PKCS7_bio_stream(b
, pkcs7
, NULL
, 0) < 0, "%s", pkcs7_name
);
215 /* Append the marker and the PKCS#7 message to the destination file */
216 ERR(BIO_reset(bm
) < 0, "%s", module_name
);
217 while ((n
= BIO_read(bm
, buf
, sizeof(buf
))),
219 ERR(BIO_write(bd
, buf
, n
) < 0, "%s", dest_name
);
221 ERR(n
< 0, "%s", module_name
);
222 module_size
= BIO_number_written(bd
);
224 ERR(i2d_PKCS7_bio_stream(bd
, pkcs7
, NULL
, 0) < 0, "%s", dest_name
);
225 pkcs7_size
= BIO_number_written(bd
) - module_size
;
226 sig_info
.sig_len
= htonl(pkcs7_size
);
227 ERR(BIO_write(bd
, &sig_info
, sizeof(sig_info
)) < 0, "%s", dest_name
);
228 ERR(BIO_write(bd
, magic_number
, sizeof(magic_number
) - 1) < 0, "%s", dest_name
);
230 ERR(BIO_free(bd
) < 0, "%s", dest_name
);
232 /* Finally, if we're signing in place, replace the original. */
234 ERR(rename(dest_name
, module_name
) < 0, "%s", dest_name
);