|
@@ -4,7 +4,7 @@
|
|
|
#
|
|
|
# Format:
|
|
|
#
|
|
|
-# ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]
|
|
|
+# ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]
|
|
|
#
|
|
|
#
|
|
|
use strict;
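Review bot: The new usage line introduces the `<hash algo>` positional argument but does not say which values it accepts, and with the `.config` fallback removed in the next hunk a caller now has to find the `$dgst eq ...` chain some 300 lines further down to learn them. Suggest a line directly under the usage, `#   <hash algo> is one of sha1, sha224, sha256, sha384, sha512`, so the accepted set is documented where the argument is declared. If the order of the arguments is fixed by build-system callers, a one-line note that the position of `<hash algo>` is part of the interface would help too.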
|
|
@@ -17,35 +17,19 @@ if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
|
|
|
shift;
|
|
|
}
|
|
|
|
|
|
-die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n"
|
|
|
- if ($#ARGV != 2 && $#ARGV != 3);
|
|
|
+die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n"
|
|
|
+ if ($#ARGV != 3 && $#ARGV != 4);
|
|
|
|
|
|
-my $private_key = $ARGV[0];
|
|
|
-my $x509 = $ARGV[1];
|
|
|
-my $module = $ARGV[2];
|
|
|
-my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~";
|
|
|
+my $dgst = $ARGV[0];
|
|
|
+my $private_key = $ARGV[1];
|
|
|
+my $x509 = $ARGV[2];
|
|
|
+my $module = $ARGV[3];
|
|
|
+my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";
|
|
|
|
|
|
die "Can't read private key\n" unless (-r $private_key);
|
|
|
die "Can't read X.509 certificate\n" unless (-r $x509);
|
|
|
die "Can't read module\n" unless (-r $module);
|
|
|
|
|
|
-#
|
|
|
-# Read the kernel configuration
|
|
|
-#
|
|
|
-my %config = (
|
|
|
- CONFIG_MODULE_SIG_SHA512 => 1
|
|
|
- );
|
|
|
-
|
|
|
-if (-r ".config") {
|
|
|
- open(FD, "<.config") || die ".config";
|
|
|
- while (<FD>) {
|
|
|
- if ($_ =~ /^(CONFIG_.*)=[ym]/) {
|
|
|
- $config{$1} = 1;
|
|
|
- }
|
|
|
- }
|
|
|
- close(FD);
|
|
|
-}
|
|
|
-
|
|
|
#
|
|
|
# Function to read the contents of a file into a variable.
|
|
|
#
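Review bot: The default for `$dest` on the new `my $dest` line is still built from `$ARGV[3]` although `$module` was assigned from the same index one line earlier; since this commit had to renumber every `$ARGV` index to make room for `<hash algo>`, `my $dest = ($#ARGV == 4) ? $ARGV[4] : $module . "~";` leaves one fewer place to keep in sync. The new `$dgst` argument is also not checked in this hunk: its only validation is the `$dgst eq ...` chain in the later hunk, after the key, certificate and module readability tests, so a misspelled algorithm is reported late and, should that chain ever fall out of step with the `openssl dgst -$dgst` command built from the same variable, nothing here would constrain the value first. A single whitelist test right after the assignments, e.g. `die "Unknown hash algorithm: $dgst\n" unless $dgst =~ /\A sha(?:1|224|256|384|512) \z/x;`, fails fast and keeps the accepted set next to the parse.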
|
|
@@ -321,51 +305,46 @@ my $id_type = 1; # Identifier type: X.509
|
|
|
#
|
|
|
# Digest the data
|
|
|
#
|
|
|
-my ($dgst, $prologue) = ();
|
|
|
-if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) {
|
|
|
+my $prologue;
|
|
|
+if ($dgst eq "sha1") {
|
|
|
$prologue = pack("C*",
|
|
|
0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
|
|
|
0x2B, 0x0E, 0x03, 0x02, 0x1A,
|
|
|
0x05, 0x00, 0x04, 0x14);
|
|
|
- $dgst = "-sha1";
|
|
|
$hash = 2;
|
|
|
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) {
|
|
|
+} elsif ($dgst eq "sha224") {
|
|
|
$prologue = pack("C*",
|
|
|
0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
|
|
|
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
|
|
|
0x05, 0x00, 0x04, 0x1C);
|
|
|
- $dgst = "-sha224";
|
|
|
$hash = 7;
|
|
|
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) {
|
|
|
+} elsif ($dgst eq "sha256") {
|
|
|
$prologue = pack("C*",
|
|
|
0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
|
|
|
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
|
|
|
0x05, 0x00, 0x04, 0x20);
|
|
|
- $dgst = "-sha256";
|
|
|
$hash = 4;
|
|
|
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) {
|
|
|
+} elsif ($dgst eq "sha384") {
|
|
|
$prologue = pack("C*",
|
|
|
0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
|
|
|
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
|
|
|
0x05, 0x00, 0x04, 0x30);
|
|
|
- $dgst = "-sha384";
|
|
|
$hash = 5;
|
|
|
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) {
|
|
|
+} elsif ($dgst eq "sha512") {
|
|
|
$prologue = pack("C*",
|
|
|
0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
|
|
|
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
|
|
|
0x05, 0x00, 0x04, 0x40);
|
|
|
- $dgst = "-sha512";
|
|
|
$hash = 6;
|
|
|
} else {
|
|
|
- die "Can't determine hash algorithm";
|
|
|
+ die "Unknown hash algorithm: $dgst\n";
|
|
|
}
|
|
|
|
|
|
#
|
|
|
# Generate the digest and read from openssl's stdout
|
|
|
#
|
|
|
my $digest;
|
|
|
-$digest = readpipe("openssl dgst $dgst -binary $module") || die "openssl dgst";
|
|
|
+$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
|
|
|
|
|
|
#
|
|
|
# Generate the binary signature, which will be just the integer that comprises
|