1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
#!/bin/bash
#
# Sign a module file using the given key.
#
# Format: sign-file <key> <x509> <keyid-script> <module>
#
scripts=`dirname $0`
CONFIG_MODULE_SIG_SHA512=y
if [ -r .config ]
then
. ./.config
fi
key="$1"
x509="$2"
keyid_script="$3"
mod="$4"
if [ ! -r "$key" ]
then
echo "Can't read private key" >&2
exit 2
fi
if [ ! -r "$x509" ]
then
echo "Can't read X.509 certificate" >&2
exit 2
fi
#
# Signature parameters
#
algo=1 # Public-key crypto algorithm: RSA
hash= # Digest algorithm
id_type=1 # Identifier type: X.509
#
# Digest the data
#
dgst=
if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
then
prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
dgst=-sha1
hash=2
elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
then
prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
dgst=-sha224
hash=7
elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
then
prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
dgst=-sha256
hash=4
elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
then
prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
dgst=-sha384
hash=5
elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
then
prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
dgst=-sha512
hash=6
else
echo "$0: Can't determine hash algorithm" >&2
exit 2
fi
(
perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
openssl dgst $dgst -binary $mod || exit $?
) >$mod.dig || exit $?
#
# Generate the binary signature, which will be just the integer that comprises
# the signature with no metadata attached.
#
openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig || exit $?
SIGNER="`perl $keyid_script $x509 signer-name`"
KEYID="`perl $keyid_script $x509 keyid`"
keyidlen=${#KEYID}
siglen=${#SIGNER}
#
# Build the signed binary
#
(
cat $mod || exit $?
echo '~Module signature appended~' || exit $?
echo -n "$SIGNER" || exit $?
echo -n "$KEYID" || exit $?
# Preface each signature integer with a 2-byte BE length
perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
cat $mod.sig || exit $?
# Generate the information block
perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
) >$mod~ || exit $?
mv $mod~ $mod || exit $?
|