1 /* Sign a module file using the given key.
3 * Copyright © 2014-2016 Red Hat, Inc. All Rights Reserved.
4 * Copyright © 2015 Intel Corporation.
5 * Copyright © 2016 Hewlett Packard Enterprise Development LP
7 * Authors: David Howells <dhowells@redhat.com>
8 * David Woodhouse <dwmw2@infradead.org>
9 * Juerg Haefliger <juerg.haefliger@hpe.com>
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU Lesser General Public License
13 * as published by the Free Software Foundation; either version 2.1
14 * of the licence, or (at your option) any later version.
24 #include <arpa/inet.h>
25 #include <openssl/opensslv.h>
26 #include <openssl/bio.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/err.h>
30 #include <openssl/engine.h>
33 * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
34 * assume that it's not available and its header file is missing and that we
35 * should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
36 * the options we have on specifying the X.509 certificate we want.
38 * Further, older versions of OpenSSL don't support manually adding signers to
39 * the PKCS#7 message so have to accept that we get a certificate included in
40 * the signature message. Nor do such older versions of OpenSSL support
41 * signing with anything other than SHA1 - so we're stuck with that if such is
44 #if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(OPENSSL_NO_CMS)
48 #include <openssl/cms.h>
50 #include <openssl/pkcs7.h>
53 struct module_signature
{
54 uint8_t algo
; /* Public-key crypto algorithm [0] */
55 uint8_t hash
; /* Digest algorithm [0] */
56 uint8_t id_type
; /* Key identifier type [PKEY_ID_PKCS7] */
57 uint8_t signer_len
; /* Length of signer's name [0] */
58 uint8_t key_id_len
; /* Length of key identifier [0] */
60 uint32_t sig_len
; /* Length of signature data */
63 #define PKEY_ID_PKCS7 2
65 static char magic_number
[] = "~Module signature appended~\n";
67 static __attribute__((noreturn
))
71 "Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
73 " scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]\n");
77 static void display_openssl_errors(int l
)
83 if (ERR_peek_error() == 0)
85 fprintf(stderr
, "At main.c:%d:\n", l
);
87 while ((e
= ERR_get_error_line(&file
, &line
))) {
88 ERR_error_string(e
, buf
);
89 fprintf(stderr
, "- SSL %s: %s:%d\n", buf
, file
, line
);
93 static void drain_openssl_errors(void)
98 if (ERR_peek_error() == 0)
100 while (ERR_get_error_line(&file
, &line
)) {}
103 #define ERR(cond, fmt, ...) \
105 bool __cond = (cond); \
106 display_openssl_errors(__LINE__); \
108 err(1, fmt, ## __VA_ARGS__); \
112 static const char *key_pass
;
114 static int pem_pw_cb(char *buf
, int len
, int w
, void *v
)
121 pwlen
= strlen(key_pass
);
125 strcpy(buf
, key_pass
);
127 /* If it's wrong, don't keep trying it. */
133 static EVP_PKEY
*read_private_key(const char *private_key_name
)
135 EVP_PKEY
*private_key
;
137 if (!strncmp(private_key_name
, "pkcs11:", 7)) {
140 ENGINE_load_builtin_engines();
141 drain_openssl_errors();
142 e
= ENGINE_by_id("pkcs11");
143 ERR(!e
, "Load PKCS#11 ENGINE");
145 drain_openssl_errors();
147 ERR(1, "ENGINE_init");
149 ERR(!ENGINE_ctrl_cmd_string(e
, "PIN", key_pass
, 0),
151 private_key
= ENGINE_load_private_key(e
, private_key_name
,
153 ERR(!private_key
, "%s", private_key_name
);
157 b
= BIO_new_file(private_key_name
, "rb");
158 ERR(!b
, "%s", private_key_name
);
159 private_key
= PEM_read_bio_PrivateKey(b
, NULL
, pem_pw_cb
,
161 ERR(!private_key
, "%s", private_key_name
);
168 static X509
*read_x509(const char *x509_name
)
170 unsigned char buf
[2];
175 b
= BIO_new_file(x509_name
, "rb");
176 ERR(!b
, "%s", x509_name
);
178 /* Look at the first two bytes of the file to determine the encoding */
179 n
= BIO_read(b
, buf
, 2);
181 if (BIO_should_retry(b
)) {
182 fprintf(stderr
, "%s: Read wanted retry\n", x509_name
);
186 fprintf(stderr
, "%s: Short read\n", x509_name
);
189 ERR(1, "%s", x509_name
);
192 ERR(BIO_reset(b
) != 0, "%s", x509_name
);
194 if (buf
[0] == 0x30 && buf
[1] >= 0x81 && buf
[1] <= 0x84)
195 /* Assume raw DER encoded X.509 */
196 x509
= d2i_X509_bio(b
, NULL
);
198 /* Assume PEM encoded X.509 */
199 x509
= PEM_read_bio_X509(b
, NULL
, NULL
, NULL
);
202 ERR(!x509
, "%s", x509_name
);
207 int main(int argc
, char **argv
)
209 struct module_signature sig_info
= { .id_type
= PKEY_ID_PKCS7
};
210 char *hash_algo
= NULL
;
211 char *private_key_name
= NULL
, *raw_sig_name
= NULL
;
212 char *x509_name
, *module_name
, *dest_name
;
213 bool save_sig
= false, replace_orig
;
214 bool sign_only
= false;
215 bool raw_sig
= false;
216 unsigned char buf
[4096];
217 unsigned long module_size
, sig_size
;
218 unsigned int use_signed_attrs
;
219 const EVP_MD
*digest_algo
;
220 EVP_PKEY
*private_key
;
222 CMS_ContentInfo
*cms
= NULL
;
223 unsigned int use_keyid
= 0;
230 OpenSSL_add_all_algorithms();
231 ERR_load_crypto_strings();
234 key_pass
= getenv("KBUILD_SIGN_PIN");
237 use_signed_attrs
= CMS_NOATTR
;
239 use_signed_attrs
= PKCS7_NOATTR
;
243 opt
= getopt(argc
, argv
, "sdpk");
245 case 's': raw_sig
= true; break;
246 case 'p': save_sig
= true; break;
247 case 'd': sign_only
= true; save_sig
= true; break;
249 case 'k': use_keyid
= CMS_USE_KEYID
; break;
258 if (argc
< 4 || argc
> 5)
262 raw_sig_name
= argv
[0];
266 private_key_name
= argv
[1];
269 module_name
= argv
[3];
270 if (argc
== 5 && strcmp(argv
[3], argv
[4]) != 0) {
272 replace_orig
= false;
274 ERR(asprintf(&dest_name
, "%s.~signed~", module_name
) < 0,
280 if (strcmp(hash_algo
, "sha1") != 0) {
281 fprintf(stderr
, "sign-file: %s only supports SHA1 signing\n",
282 OPENSSL_VERSION_TEXT
);
287 /* Open the module file */
288 bm
= BIO_new_file(module_name
, "rb");
289 ERR(!bm
, "%s", module_name
);
292 /* Read the private key and the X.509 cert the PKCS#7 message
295 private_key
= read_private_key(private_key_name
);
296 x509
= read_x509(x509_name
);
298 /* Digest the module data. */
299 OpenSSL_add_all_digests();
300 display_openssl_errors(__LINE__
);
301 digest_algo
= EVP_get_digestbyname(hash_algo
);
302 ERR(!digest_algo
, "EVP_get_digestbyname");
305 /* Load the signature message from the digest buffer. */
306 cms
= CMS_sign(NULL
, NULL
, NULL
, NULL
,
307 CMS_NOCERTS
| CMS_PARTIAL
| CMS_BINARY
|
308 CMS_DETACHED
| CMS_STREAM
);
309 ERR(!cms
, "CMS_sign");
311 ERR(!CMS_add1_signer(cms
, x509
, private_key
, digest_algo
,
312 CMS_NOCERTS
| CMS_BINARY
|
313 CMS_NOSMIMECAP
| use_keyid
|
316 ERR(CMS_final(cms
, bm
, NULL
, CMS_NOCERTS
| CMS_BINARY
) < 0,
320 pkcs7
= PKCS7_sign(x509
, private_key
, NULL
, bm
,
321 PKCS7_NOCERTS
| PKCS7_BINARY
|
322 PKCS7_DETACHED
| use_signed_attrs
);
323 ERR(!pkcs7
, "PKCS7_sign");
330 ERR(asprintf(&sig_file_name
, "%s.p7s", module_name
) < 0,
332 b
= BIO_new_file(sig_file_name
, "wb");
333 ERR(!b
, "%s", sig_file_name
);
335 ERR(i2d_CMS_bio_stream(b
, cms
, NULL
, 0) < 0,
336 "%s", sig_file_name
);
338 ERR(i2d_PKCS7_bio(b
, pkcs7
) < 0,
339 "%s", sig_file_name
);
350 /* Open the destination file now so that we can shovel the module data
351 * across as we read it.
353 bd
= BIO_new_file(dest_name
, "wb");
354 ERR(!bd
, "%s", dest_name
);
356 /* Append the marker and the PKCS#7 message to the destination file */
357 ERR(BIO_reset(bm
) < 0, "%s", module_name
);
358 while ((n
= BIO_read(bm
, buf
, sizeof(buf
))),
360 ERR(BIO_write(bd
, buf
, n
) < 0, "%s", dest_name
);
363 ERR(n
< 0, "%s", module_name
);
364 module_size
= BIO_number_written(bd
);
368 ERR(i2d_CMS_bio_stream(bd
, cms
, NULL
, 0) < 0, "%s", dest_name
);
370 ERR(i2d_PKCS7_bio(bd
, pkcs7
) < 0, "%s", dest_name
);
375 /* Read the raw signature file and write the data to the
378 b
= BIO_new_file(raw_sig_name
, "rb");
379 ERR(!b
, "%s", raw_sig_name
);
380 while ((n
= BIO_read(b
, buf
, sizeof(buf
))), n
> 0)
381 ERR(BIO_write(bd
, buf
, n
) < 0, "%s", dest_name
);
385 sig_size
= BIO_number_written(bd
) - module_size
;
386 sig_info
.sig_len
= htonl(sig_size
);
387 ERR(BIO_write(bd
, &sig_info
, sizeof(sig_info
)) < 0, "%s", dest_name
);
388 ERR(BIO_write(bd
, magic_number
, sizeof(magic_number
) - 1) < 0, "%s", dest_name
);
390 ERR(BIO_free(bd
) < 0, "%s", dest_name
);
392 /* Finally, if we're signing in place, replace the original. */
394 ERR(rename(dest_name
, module_name
) < 0, "%s", dest_name
);