Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: c061853381
Branches Tags
linux-vybrid_pu...
/
scripts
/
x509keyid

x509keyid 8.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268 
  1. #!/usr/bin/perl -w
    2. 

  2. #
    3. 

  3. # Generate an identifier from an X.509 certificate that can be placed in a
    4. 

  4. # module signature to indentify the key to use.
    5. 

  5. #
    6. 

  6. # Format:
    7. 

  7. #
    8. 

  8. #	./scripts/x509keyid <x509-cert> <signer's-name> <key-id>
    9. 

  9. #
    10. 

  10. # We read the DER-encoded X509 certificate and parse it to extract the Subject
    11. 

  11. # name and Subject Key Identifier.  The provide the data we need to build the
    12. 

  12. # certificate identifier.
    13. 

  13. #
    14. 

  14. # The signer's name part of the identifier is fabricated from the commonName,
    15. 

  15. # the organizationName or the emailAddress components of the X.509 subject
    16. 

  16. # name and written to the second named file.
    17. 

  17. #
    18. 

  18. # The subject key ID to select which of that signer's certificates we're
    19. 

  19. # intending to use to sign the module is written to the third named file.
    20. 

  20. #
    21. 

  21. use strict;
    22. 

  22. 

  23. my $raw_data;
    24. 

  24. 

  25. die "Need three filenames\n" if ($#ARGV != 2);
    26. 

  26. 

  27. my $src = $ARGV[0];
    28. 

  28. 

  29. open(FD, "<$src") || die $src;
    30. 

  30. binmode FD;
    31. 

  31. my @st = stat(FD);
    32. 

  32. die $src if (!@st);
    33. 

  33. read(FD, $raw_data, $st[7]) || die $src;
    34. 

  34. close(FD);
    35. 

  35. 

  36. my $UNIV = 0 << 6;
    37. 

  37. my $APPL = 1 << 6;
    38. 

  38. my $CONT = 2 << 6;
    39. 

  39. my $PRIV = 3 << 6;
    40. 

  40. 

  41. my $CONS = 0x20;
    42. 

  42. 

  43. my $BOOLEAN	= 0x01;
    44. 

  44. my $INTEGER	= 0x02;
    45. 

  45. my $BIT_STRING	= 0x03;
    46. 

  46. my $OCTET_STRING = 0x04;
    47. 

  47. my $NULL	= 0x05;
    48. 

  48. my $OBJ_ID	= 0x06;
    49. 

  49. my $UTF8String	= 0x0c;
    50. 

  50. my $SEQUENCE	= 0x10;
    51. 

  51. my $SET		= 0x11;
    52. 

  52. my $UTCTime	= 0x17;
    53. 

  53. my $GeneralizedTime = 0x18;
    54. 

  54. 

  55. my %OIDs = (
    56. 

  56.     pack("CCC", 85, 4, 3)	=> "commonName",
    57. 

  57.     pack("CCC", 85, 4, 6)	=> "countryName",
    58. 

  58.     pack("CCC", 85, 4, 10)	=> "organizationName",
    59. 

  59.     pack("CCC", 85, 4, 11)	=> "organizationUnitName",
    60. 

  60.     pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1) => "rsaEncryption",
    61. 

  61.     pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 5) => "sha1WithRSAEncryption",
    62. 

  62.     pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 9, 1) => "emailAddress",
    63. 

  63.     pack("CCC", 85, 29, 35)	=> "authorityKeyIdentifier",
    64. 

  64.     pack("CCC", 85, 29, 14)	=> "subjectKeyIdentifier",
    65. 

  65.     pack("CCC", 85, 29, 19)	=> "basicConstraints"
    66. 

  66. );
    67. 

  67. 

  68. ###############################################################################
    69. 

  69. #
    70. 

  70. # Extract an ASN.1 element from a string and return information about it.
    71. 

  71. #
    72. 

  72. ###############################################################################
    73. 

  73. sub asn1_extract($$@)
    74. 

  74. {
    75. 

  75.     my ($cursor, $expected_tag, $optional) = @_;
    76. 

  76. 

  77.     return [ -1 ]
    78. 

  78. 	if ($cursor->[1] == 0 && $optional);
    79. 

  79. 

  80.     die $src, ": ", $cursor->[0], ": ASN.1 data underrun (elem ", $cursor->[1], ")\n"
    81. 

  81. 	if ($cursor->[1] < 2);
    82. 

  82. 

  83.     my ($tag, $len) = unpack("CC", substr(${$cursor->[2]}, $cursor->[0], 2));
    84. 

  84. 

  85.     if ($expected_tag != -1 && $tag != $expected_tag) {
    86. 

  86. 	return [ -1 ]
    87. 

  87. 	    if ($optional);
    88. 

  88. 	die $src, ": ", $cursor->[0], ": ASN.1 unexpected tag (", $tag,
    89. 

  89. 	" not ", $expected_tag, ")\n";
    90. 

  90.     }
    91. 

  91. 

  92.     $cursor->[0] += 2;
    93. 

  93.     $cursor->[1] -= 2;
    94. 

  94. 

  95.     die $src, ": ", $cursor->[0], ": ASN.1 long tag\n"
    96. 

  96. 	if (($tag & 0x1f) == 0x1f);
    97. 

  97.     die $src, ": ", $cursor->[0], ": ASN.1 indefinite length\n"
    98. 

  98. 	if ($len == 0x80);
    99. 

  99. 

  100.     if ($len > 0x80) {
    101. 

  101. 	my $l = $len - 0x80;
    102. 

  102. 	die $src, ": ", $cursor->[0], ": ASN.1 data underrun (len len $l)\n"
    103. 

  103. 	    if ($cursor->[1] < $l);
    104. 

  104. 

  105. 	if ($l == 0x1) {
    106. 

  106. 	    $len = unpack("C", substr(${$cursor->[2]}, $cursor->[0], 1));
    107. 

  107. 	} elsif ($l = 0x2) {
    108. 

  108. 	    $len = unpack("n", substr(${$cursor->[2]}, $cursor->[0], 2));
    109. 

  109. 	} elsif ($l = 0x3) {
    110. 

  110. 	    $len = unpack("C", substr(${$cursor->[2]}, $cursor->[0], 1)) << 16;
    111. 

  111. 	    $len = unpack("n", substr(${$cursor->[2]}, $cursor->[0] + 1, 2));
    112. 

  112. 	} elsif ($l = 0x4) {
    113. 

  113. 	    $len = unpack("N", substr(${$cursor->[2]}, $cursor->[0], 4));
    114. 

  114. 	} else {
    115. 

  115. 	    die $src, ": ", $cursor->[0], ": ASN.1 element too long (", $l, ")\n";
    116. 

  116. 	}
    117. 

  117. 

  118. 	$cursor->[0] += $l;
    119. 

  119. 	$cursor->[1] -= $l;
    120. 

  120.     }
    121. 

  121. 

  122.     die $src, ": ", $cursor->[0], ": ASN.1 data underrun (", $len, ")\n"
    123. 

  123. 	if ($cursor->[1] < $len);
    124. 

  124. 

  125.     my $ret = [ $tag, [ $cursor->[0], $len, $cursor->[2] ] ];
    126. 

  126.     $cursor->[0] += $len;
    127. 

  127.     $cursor->[1] -= $len;
    128. 

  128. 

  129.     return $ret;
    130. 

  130. }
    131. 

  131. 

  132. ###############################################################################
    133. 

  133. #
    134. 

  134. # Retrieve the data referred to by a cursor
    135. 

  135. #
    136. 

  136. ###############################################################################
    137. 

  137. sub asn1_retrieve($)
    138. 

  138. {
    139. 

  139.     my ($cursor) = @_;
    140. 

  140.     my ($offset, $len, $data) = @$cursor;
    141. 

  141.     return substr($$data, $offset, $len);
    142. 

  142. }
    143. 

  143. 

  144. ###############################################################################
    145. 

  145. #
    146. 

  146. # Roughly parse the X.509 certificate
    147. 

  147. #
    148. 

  148. ###############################################################################
    149. 

  149. my $cursor = [ 0, length($raw_data), \$raw_data ];
    150. 

  150. 

  151. my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
    152. 

  152. my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
    153. 

  153. my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
    154. 

  154. my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER);
    155. 

  155. my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
    156. 

  156. my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
    157. 

  157. my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
    158. 

  158. my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
    159. 

  159. my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
    160. 

  160. my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
    161. 

  161. my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
    162. 

  162. my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
    163. 

  163. 

  164. my $subject_key_id = ();
    165. 

  165. my $authority_key_id = ();
    166. 

  166. 

  167. #
    168. 

  168. # Parse the extension list
    169. 

  169. #
    170. 

  170. if ($extension_list->[0] != -1) {
    171. 

  171.     my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE);
    172. 

  172. 

  173.     while ($extensions->[1]->[1] > 0) {
    174. 

  174. 	my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
    175. 

  175. 	my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
    176. 

  176. 	my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
    177. 

  177. 	my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
    178. 

  178. 

  179. 	my $raw_oid = asn1_retrieve($x_oid->[1]);
    180. 

  180. 	next if (!exists($OIDs{$raw_oid}));
    181. 

  181. 	my $x_type = $OIDs{$raw_oid};
    182. 

  182. 

  183. 	my $raw_value = asn1_retrieve($x_val->[1]);
    184. 

  184. 

  185. 	if ($x_type eq "subjectKeyIdentifier") {
    186. 

  186. 	    my $vcursor = [ 0, length($raw_value), \$raw_value ];
    187. 

  187. 

  188. 	    $subject_key_id = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
    189. 

  189. 	}
    190. 

  190.     }
    191. 

  191. }
    192. 

  192. 

  193. ###############################################################################
    194. 

  194. #
    195. 

  195. # Determine what we're going to use as the signer's name.  In order of
    196. 

  196. # preference, take one of: commonName, organizationName or emailAddress.
    197. 

  197. #
    198. 

  198. ###############################################################################
    199. 

  199. my $org = "";
    200. 

  200. my $cn = "";
    201. 

  201. my $email = "";
    202. 

  202. 

  203. while ($subject->[1]->[1] > 0) {
    204. 

  204.     my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
    205. 

  205.     my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
    206. 

  206.     my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
    207. 

  207.     my $n_val = asn1_extract($attr->[1], -1);
    208. 

  208. 

  209.     my $raw_oid = asn1_retrieve($n_oid->[1]);
    210. 

  210.     next if (!exists($OIDs{$raw_oid}));
    211. 

  211.     my $n_type = $OIDs{$raw_oid};
    212. 

  212. 

  213.     my $raw_value = asn1_retrieve($n_val->[1]);
    214. 

  214. 

  215.     if ($n_type eq "organizationName") {
    216. 

  216. 	$org = $raw_value;
    217. 

  217.     } elsif ($n_type eq "commonName") {
    218. 

  218. 	$cn = $raw_value;
    219. 

  219.     } elsif ($n_type eq "emailAddress") {
    220. 

  220. 	$email = $raw_value;
    221. 

  221.     }
    222. 

  222. }
    223. 

  223. 

  224. my $id_name = $email;
    225. 

  225. 

  226. if ($org && $cn) {
    227. 

  227.     # Don't use the organizationName if the commonName repeats it
    228. 

  228.     if (length($org) <= length($cn) &&
    229. 

  229. 	substr($cn, 0, length($org)) eq $org) {
    230. 

  230. 	$id_name = $cn;
    231. 

  231. 	goto got_id_name;
    232. 

  232.     }
    233. 

  233. 

  234.     # Or a signifcant chunk of it
    235. 

  235.     if (length($org) >= 7 &&
    236. 

  236. 	length($cn) >= 7 &&
    237. 

  237. 	substr($cn, 0, 7) eq substr($org, 0, 7)) {
    238. 

  238. 	$id_name = $cn;
    239. 

  239. 	goto got_id_name;
    240. 

  240.     }
    241. 

  241. 

  242.     $id_name = $org . ": " . $cn;
    243. 

  243. } elsif ($org) {
    244. 

  244.     $id_name = $org;
    245. 

  245. } elsif ($cn) {
    246. 

  246.     $id_name = $cn;
    247. 

  247. }
    248. 

  248. 

  249. got_id_name:
    250. 

  250. 

  251. ###############################################################################
    252. 

  252. #
    253. 

  253. # Output the signer's name and the key identifier that we're going to include
    254. 

  254. # in module signatures.
    255. 

  255. #
    256. 

  256. ###############################################################################
    257. 

  257. die $src, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
    258. 

  258.     if (!$subject_key_id);
    259. 

  259. 

  260. my $id_key_id = asn1_retrieve($subject_key_id->[1]);
    261. 

  261. 

  262. open(OUTFD, ">$ARGV[1]") || die $ARGV[1];
    263. 

  263. print OUTFD $id_name;
    264. 

  264. close OUTFD || die $ARGV[1];
    265. 

  265. 

  266. open(OUTFD, ">$ARGV[2]") || die $ARGV[2];
    267. 

  267. print OUTFD $id_key_id;
    268. 

  268. close OUTFD || die $ARGV[2];
    269.