.\" Copyright 2009, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced
.\" with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH ELFSIGN 1 "April 9, 2016"
elfsign \- sign binaries
\fB/usr/bin/elfsign\fR sign [\fB-a\fR] [\fB-v\fR] \fB-k\fR \fIprivate_key\fR \fB-c\fR \fIcertificate_file\fR
\fB-e\fR \fIelf_object\fR [\fB-F\fR \fIformat\fR] [file]...
\fB/usr/bin/elfsign\fR sign [\fB-a\fR] [\fB-v\fR] \fB-c\fR \fIcertificate_file\fR
\fB-e\fR \fIelf_object\fR \fB-T\fR \fItoken_label\fR [\fB-P\fR \fIpin_file\fR] [\fB-F\fR \fIformat\fR] [file]...
\fB/usr/bin/elfsign\fR verify [\fB-c\fR \fIcertificate_file\fR]
[\fB-v\fR] \fB-e\fR \fIelf_object\fR [file]...
\fB/usr/bin/elfsign\fR request \fB-r\fR \fIcertificate_request_file\fR
{\fB-k\fR \fIprivate_key\fR | \fB-T\fR \fItoken_label\fR}
\fB/usr/bin/elfsign\fR list \fB-f\fR \fIfield\fR \fB-c\fR \fIcertificate_file\fR
\fB/usr/bin/elfsign\fR list \fB-f\fR \fIfield\fR \fB-e\fR \fIelf_object\fR
Lists on standard output information from a single certificate file or signed
elf object. The selected field appears on a single line. If the field specified
does not apply to the named file, the command terminates with no standard
output. The output of this subcommand is intended for use in scripts and by
Generates a private key and a PKCS#10 certificate request. The PKCS#10
certificate request is for use with the Solaris Cryptographic Framework. If the
private key is to be created in a token device, \fBelfsign\fR prompts for the PIN
required to update the token device. The PKCS#10 certificate request should be
sent to the email address \fIsolaris-crypto-req@sun.com\fR to obtain a
Users of \fBelfsign\fR must first generate a certificate request and obtain a
certificate before signing binaries for use with the Solaris Cryptographic
Signs the elf object, using the given private key and certificate file.
Verifies an existing signed object. Uses the certificate given or searches for
an appropriate certificate in \fB/etc/crypto/certs\fR if \fB-c\fR is not given.
The following options are supported:
Generates a signed \fBELF\fR Sign Activation (\fB\&.esa\fR) file. This option
is used when a cryptographic provider has nonretail export approval for
unrestricted use and desires retail approval by restricting which export
sensitive callers (for example, IPsec) can use the provider. This option
assumes that the provider binary has previously been signed with a restricted
\fB\fB-c\fR \fIcertificate_file\fR\fR
Specifies the path to an X.509 certificate in PEM/PKCS#7 or ASN.1 BER format.
\fB\fB-e\fR \fIelf_object\fR\fR
Specifies the path to the object to be signed or verified.
The \fB-e\fR option can be specified multiple times for signing or verifying
\fB\fB-F\fR \fIformat\fR\fR
For the \fBsign\fR subcommand, specifies the format of the signature. The valid
\fB\fBrsa_md5_sha1\fR\fR
Default format for Solaris 10 and its update releases. The \fBrsa_md5_sha1\fR format is
Default format for this release.
Formats other than \fBrsa_md5_sha1\fR include an informational timestamp with
the signature indicating when the signature was applied. This timestamp is not
cryptographically secure, nor is it used as part of verification.
\fB\fB-f\fR \fIfield\fR\fR
For the \fBlist\fR subcommand, specifies what field should appear in the
The valid field specifiers for a certificate file are:
Subject DN (Distinguished Name)
The valid field specifiers for an elf object are:
Format of the signature
Subject DN of the certificate used to sign the object
Time the signature was applied, in the locale's default format
\fB\fB-k\fR \fIprivate_key\fR\fR
Specifies the location of the private key file when not using a PKCS#11 token.
This file is an RSA private key file in a Solaris-specific format. When used
with the \fBrequest\fR subcommand, this is the output file for the newly
It is an error to specify both the \fB-k\fR and \fB-T\fR options.
\fB\fB-P\fR \fIpin_file\fR\fR
Specifies the file which holds the PIN for accessing the token device. If the
PIN is not provided in a \fIpin_file\fR, \fBelfsign\fR prompts for the PIN.
It is an error to specify the \fB-P\fR option without the \fB-T\fR option.
\fB\fB-r\fR \fIcertificate_request_file\fR\fR
Specifies the path to the certificate request file, which is in PKCS#10 format.
\fB\fB-T\fR \fItoken_label\fR\fR
Specifies the label of the PKCS#11 token device, as provided by \fBpktool\fR,
which holds the private key.
It is an error to specify both the \fB-T\fR and \fB-k\fR options.
Requests more detailed information. The additional output includes the signer
and, if the signature format contains it, the time the object was signed. This
is not stable parsable output.
The following operand is supported:
One or more elf objects to be signed or verified. At least one elf object must
be specified either via the \fB-e\fR option or after all other options.
\fBExample 1 \fRSigning an ELF Object Using a Key/Certificate in a File
example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1
\fBExample 2 \fRVerifying an \fBelf\fR Object's Signature
example$ elfsign verify -c mycert -e lib/libmylib.so.1
elfsign: verification of lib/libmylib.so.1 passed
\fBExample 3 \fRGenerating a Certificate Request
example$ elfsign request -k mykey -r req.pkcs10
Enter Company Name / Stock Symbol or some other globally
This will be the prefix of the Certificate DN: SUNW
The government of the United States of America restricts the export of
"open cryptographic interfaces", also known as "crypto-with-a-hole".
Due to this restriction, all providers for the Solaris cryptographic
framework must be signed, regardless of the country of origin.
The terms "retail" and "non-retail" refer to export classifications for
products manufactured in the USA. These terms define the portion of the
world where the product may be shipped.) Roughly speaking, "retail" is
worldwide (minus certain excluded nations) and "non-retail" is domestic
only (plus some highly favored nations).
If your provider is subject to USA export control, then you
must obtain an export approval (classification)
from the government of the USA before exporting your provider.
It is critical that you specify the obtained (or expected, when
used during development) classification to the following questions
so that your provider will be appropriately signed.
Do you have retail export approval for use without restrictions
based on the caller (for example, IPsec)? [Yes/No] \fBNo\fR
If you have non-retail export approval for unrestricted use of your
provider by callers, are you also planning to receive retail
approval by restricting which export sensitive callers
(for example, IPsec) may use your provider? [Yes/No] \fBNo\fR
\fBExample 4 \fRDetermining Information About an Object
example$ elfsign list -f format -e lib/libmylib.so.1
example$ elfsign list -f signer -e lib/libmylib.so.1
CN=VENDOR, OU=Software Development, O=Vendor Inc.
The following exit values are returned:
.sp
.TS
box tab(|);
l l l .
VALUE|MEANING|SUBCOMMAND
\fB0\fR|Operation successful|sign/verify/request
\fB1\fR|Invalid arguments|
\fB2\fR|Failed to verify ELF object|verify
\fB3\fR|Unable to open ELF object|sign/verify
\fB4\fR|Unable to load or invalid certificate|sign/verify
|Unable to load private key, private key is invalid, or token label is invalid|
\fB6\fR|Failed to add signature|sign
|Attempt to verify unsigned object or object not an ELF file|
.TE
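As an added example that is not part of the elfsign manual, the following POSIX sh script audits a list of ELF objects: each object must pass \fBelfsign verify\fR, and its signer DN, taken from the Committed output of \fBelfsign list -f signer\fR rather than from the unstable \fB-v\fR text, must equal a DN supplied by the caller. It assumes \fBelfsign\fR is on the PATH (the \fBELFSIGN\fR variable, an addition here, lets another binary be substituted).

```shell
#!/bin/sh
# Added example, not code from the elfsign manual.
# Usage: find /opt/vendor/lib -name '*.so*' | audit_list "CN=VENDOR, O=Vendor Inc."
# ELFSIGN defaults to the elfsign(1) binary on the PATH (assumption).
ELFSIGN="${ELFSIGN:-elfsign}"

# check_object OBJECT EXPECTED_DN
# Returns 0 only when the signature verifies and the signer DN matches.
check_object() {
    co_obj=$1
    co_expected=$2
    # 'verify' output is meant for humans; only its exit status is used here.
    # stdin is redirected so a caller's input list is never consumed.
    if "$ELFSIGN" verify -e "$co_obj" >/dev/null 2>&1 </dev/null; then
        co_rc=0
    else
        co_rc=$?
    fi
    case $co_rc in
        0) ;;
        2) echo "FAIL  $co_obj: signature did not verify"; return 1 ;;
        *) echo "ERROR $co_obj: elfsign verify exited with status $co_rc"
           return 1 ;;
    esac
    # 'list' prints the single requested field on one line (Committed
    # output), so it can be compared directly.
    co_signer=$("$ELFSIGN" list -f signer -e "$co_obj" 2>/dev/null </dev/null)
    if [ -z "$co_signer" ]; then
        echo "ERROR $co_obj: no signer field available"; return 1
    fi
    if [ "$co_signer" != "$co_expected" ]; then
        echo "FAIL  $co_obj: signed by '$co_signer', expected '$co_expected'"
        return 1
    fi
    echo "OK    $co_obj"
}

# audit_list EXPECTED_DN < list_of_paths
# Reads one object path per line; returns 1 if any object fails the check.
audit_list() {
    al_failed=0
    while IFS= read -r al_obj; do
        [ -n "$al_obj" ] || continue
        check_object "$al_obj" "$1" || al_failed=1
    done
    return $al_failed
}
```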
\fB\fB/etc/crypto/certs\fR\fR
Directory searched for the \fBverify\fR subcommand if the \fB-c\fR flag is not
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.TS
box tab(|);
c | c
l | l .
ATTRIBUTE TYPE|ATTRIBUTE VALUE
_
Interface Stability|See below.
.TE
The \fBelfsign\fR command and subcommands are Committed. While applications
should not depend on the output format of \fBelfsign\fR, the output format of
the \fBlist\fR subcommand is Committed.
\fBdate\fR(1), \fBpktool\fR(1), \fBcryptoadm\fR(1M), \fBlibpkcs11\fR(3LIB),