Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1c37c054 authored by Michal Marek's avatar Michal Marek Committed by Rusty Russell
Browse files

MODSIGN: Add -s <signature> option to sign-file 



This option allows to append an externally computed singature to the
module. This is needed in setups, where the private key is not directly
available, but a service exists that returns signatures for given files.

Signed-off-by: default avatarMichal Marek <mmarek@suse.cz>
Acked-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
parent 4bc9410c

scripts/sign-file

+56 −43
Original line number Diff line number Diff line
@@ -2,31 +2,41 @@ 
#

# Sign a module file using the given key.

#

# Format:

#

#	./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]

#

#



my $USAGE =

"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .

"       scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";



use strict;

use FileHandle;

use IPC::Open2;

use Getopt::Std;



my $verbose = 0;

if ($#ARGV >= 0 && $ARGV[0] eq "-v") {

    $verbose = 1;

    shift;

}

my %opts;

getopts('vs:', \%opts) or die $USAGE;

my $verbose = $opts{'v'};

my $signature_file = $opts{'s'};



die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n"

    if ($#ARGV != 3 && $#ARGV != 4);

die $USAGE if ($#ARGV > 4);

die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);



my $dgst = $ARGV[0];

my $private_key = $ARGV[1];

my $x509 = $ARGV[2];

my $module = $ARGV[3];

my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";

my $dgst = shift @ARGV;

my $private_key;

if (!$signature_file) {

	$private_key = shift @ARGV;

}

my $x509 = shift @ARGV;

my $module = shift @ARGV;

my ($dest, $keep_orig);

if (@ARGV) {

	$dest = $ARGV[0];

	$keep_orig = 1;

} else {

	$dest = $module . "~";

}



die "Can't read private key\n" unless (-r $private_key);

die "Can't read private key\n" if (!$signature_file && !-r $private_key);

die "Can't read signature file\n" if ($signature_file && !-r $signature_file);

die "Can't read X.509 certificate\n" unless (-r $x509);

die "Can't read module\n" unless (-r $module);
@@ -340,6 +350,10 @@ if ($dgst eq "sha1") { 
    die "Unknown hash algorithm: $dgst\n";

}



my $signature;

if ($signature_file) {

	$signature = read_file($signature_file);

} else {

	#

	# Generate the digest and read from openssl's stdout

	#
@@ -347,8 +361,8 @@ my $digest; 
	$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";



	#

# Generate the binary signature, which will be just the integer that comprises

# the signature with no metadata attached.

	# Generate the binary signature, which will be just the integer that

	# comprises the signature with no metadata attached.

	#

	my $pid;

	$pid = open2(*read_from, *write_to,
@@ -359,13 +373,12 @@ print write_to $prologue . $digest || die "pipe to openssl rsautl"; 
	close(write_to) || die "pipe to openssl rsautl";



	binmode read_from;

my $signature;

	read(read_from, $signature, 4096) || die "pipe from openssl rsautl";

	close(read_from) || die "pipe from openssl rsautl";

$signature = pack("n", length($signature)) . $signature,



	waitpid($pid, 0) || die;

	die "openssl rsautl died: $?" if ($? >> 8);

}

$signature = pack("n", length($signature)) . $signature,



#

# Build the signed binary
@@ -403,6 +416,6 @@ print FD 
    ;

close FD || die $dest;



if ($#ARGV != 3) {

if (!$keep_orig) {

    rename($dest, $module) || die $module;

}