MODSIGN: Add -s <signature> option to sign-file

This option allows to append an externally computed singature to the
module. This is needed in setups, where the private key is not directly
available, but a service exists that returns signatures for given files.

Signed-off-by: Michal Marek <mmarek@suse.cz>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This commit is contained in:
Michal Marek 2013-01-25 13:41:19 +10:30 committed by Rusty Russell
parent 4bc9410c0c
commit 1c37c054a7

View File

@ -2,31 +2,41 @@
#
# Sign a module file using the given key.
#
# Format:
#
# ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]
#
#
my $USAGE =
"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
use strict;
use FileHandle;
use IPC::Open2;
use Getopt::Std;
my $verbose = 0;
if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
$verbose = 1;
shift;
my %opts;
getopts('vs:', \%opts) or die $USAGE;
my $verbose = $opts{'v'};
my $signature_file = $opts{'s'};
die $USAGE if ($#ARGV > 4);
die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
my $dgst = shift @ARGV;
my $private_key;
if (!$signature_file) {
$private_key = shift @ARGV;
}
my $x509 = shift @ARGV;
my $module = shift @ARGV;
my ($dest, $keep_orig);
if (@ARGV) {
$dest = $ARGV[0];
$keep_orig = 1;
} else {
$dest = $module . "~";
}
die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n"
if ($#ARGV != 3 && $#ARGV != 4);
my $dgst = $ARGV[0];
my $private_key = $ARGV[1];
my $x509 = $ARGV[2];
my $module = $ARGV[3];
my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";
die "Can't read private key\n" unless (-r $private_key);
die "Can't read private key\n" if (!$signature_file && !-r $private_key);
die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
die "Can't read X.509 certificate\n" unless (-r $x509);
die "Can't read module\n" unless (-r $module);
@ -340,32 +350,35 @@ if ($dgst eq "sha1") {
die "Unknown hash algorithm: $dgst\n";
}
#
# Generate the digest and read from openssl's stdout
#
my $digest;
$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
#
# Generate the binary signature, which will be just the integer that comprises
# the signature with no metadata attached.
#
my $pid;
$pid = open2(*read_from, *write_to,
"openssl rsautl -sign -inkey $private_key -keyform PEM") ||
die "openssl rsautl";
binmode write_to;
print write_to $prologue . $digest || die "pipe to openssl rsautl";
close(write_to) || die "pipe to openssl rsautl";
binmode read_from;
my $signature;
read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
close(read_from) || die "pipe from openssl rsautl";
$signature = pack("n", length($signature)) . $signature,
if ($signature_file) {
$signature = read_file($signature_file);
} else {
#
# Generate the digest and read from openssl's stdout
#
my $digest;
$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
waitpid($pid, 0) || die;
die "openssl rsautl died: $?" if ($? >> 8);
#
# Generate the binary signature, which will be just the integer that
# comprises the signature with no metadata attached.
#
my $pid;
$pid = open2(*read_from, *write_to,
"openssl rsautl -sign -inkey $private_key -keyform PEM") ||
die "openssl rsautl";
binmode write_to;
print write_to $prologue . $digest || die "pipe to openssl rsautl";
close(write_to) || die "pipe to openssl rsautl";
binmode read_from;
read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
close(read_from) || die "pipe from openssl rsautl";
waitpid($pid, 0) || die;
die "openssl rsautl died: $?" if ($? >> 8);
}
$signature = pack("n", length($signature)) . $signature,
#
# Build the signed binary
@ -403,6 +416,6 @@ print FD
;
close FD || die $dest;
if ($#ARGV != 3) {
if (!$keep_orig) {
rename($dest, $module) || die $module;
}