提交 4bc9410c 编写于 作者: M Michal Marek 提交者: Rusty Russell

MODSIGN: Specify the hash algorithm on sign-file command line

Make the script usable without a .config file.
Signed-off-by: NMichal Marek <mmarek@suse.cz>
Acked-by: NDavid Howells <dhowells@redhat.com>
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
上级 22753674
...@@ -723,7 +723,7 @@ ifeq ($(CONFIG_MODULE_SIG),y) ...@@ -723,7 +723,7 @@ ifeq ($(CONFIG_MODULE_SIG),y)
MODSECKEY = ./signing_key.priv MODSECKEY = ./signing_key.priv
MODPUBKEY = ./signing_key.x509 MODPUBKEY = ./signing_key.x509
export MODPUBKEY export MODPUBKEY
mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY) mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
else else
mod_sign_cmd = true mod_sign_cmd = true
endif endif
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
# #
# Format: # Format:
# #
# ./scripts/sign-file [-v] <key> <x509> <module> [<dest>] # ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]
# #
# #
use strict; use strict;
...@@ -17,35 +17,19 @@ if ($#ARGV >= 0 && $ARGV[0] eq "-v") { ...@@ -17,35 +17,19 @@ if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
shift; shift;
} }
die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n" die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n"
if ($#ARGV != 2 && $#ARGV != 3); if ($#ARGV != 3 && $#ARGV != 4);
my $private_key = $ARGV[0]; my $dgst = $ARGV[0];
my $x509 = $ARGV[1]; my $private_key = $ARGV[1];
my $module = $ARGV[2]; my $x509 = $ARGV[2];
my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~"; my $module = $ARGV[3];
my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";
die "Can't read private key\n" unless (-r $private_key); die "Can't read private key\n" unless (-r $private_key);
die "Can't read X.509 certificate\n" unless (-r $x509); die "Can't read X.509 certificate\n" unless (-r $x509);
die "Can't read module\n" unless (-r $module); die "Can't read module\n" unless (-r $module);
#
# Read the kernel configuration
#
my %config = (
CONFIG_MODULE_SIG_SHA512 => 1
);
if (-r ".config") {
open(FD, "<.config") || die ".config";
while (<FD>) {
if ($_ =~ /^(CONFIG_.*)=[ym]/) {
$config{$1} = 1;
}
}
close(FD);
}
# #
# Function to read the contents of a file into a variable. # Function to read the contents of a file into a variable.
# #
...@@ -321,51 +305,46 @@ my $id_type = 1; # Identifier type: X.509 ...@@ -321,51 +305,46 @@ my $id_type = 1; # Identifier type: X.509
# #
# Digest the data # Digest the data
# #
my ($dgst, $prologue) = (); my $prologue;
if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) { if ($dgst eq "sha1") {
$prologue = pack("C*", $prologue = pack("C*",
0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x2B, 0x0E, 0x03, 0x02, 0x1A,
0x05, 0x00, 0x04, 0x14); 0x05, 0x00, 0x04, 0x14);
$dgst = "-sha1";
$hash = 2; $hash = 2;
} elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) { } elsif ($dgst eq "sha224") {
$prologue = pack("C*", $prologue = pack("C*",
0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
0x05, 0x00, 0x04, 0x1C); 0x05, 0x00, 0x04, 0x1C);
$dgst = "-sha224";
$hash = 7; $hash = 7;
} elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) { } elsif ($dgst eq "sha256") {
$prologue = pack("C*", $prologue = pack("C*",
0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
0x05, 0x00, 0x04, 0x20); 0x05, 0x00, 0x04, 0x20);
$dgst = "-sha256";
$hash = 4; $hash = 4;
} elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) { } elsif ($dgst eq "sha384") {
$prologue = pack("C*", $prologue = pack("C*",
0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
0x05, 0x00, 0x04, 0x30); 0x05, 0x00, 0x04, 0x30);
$dgst = "-sha384";
$hash = 5; $hash = 5;
} elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) { } elsif ($dgst eq "sha512") {
$prologue = pack("C*", $prologue = pack("C*",
0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
0x05, 0x00, 0x04, 0x40); 0x05, 0x00, 0x04, 0x40);
$dgst = "-sha512";
$hash = 6; $hash = 6;
} else { } else {
die "Can't determine hash algorithm"; die "Unknown hash algorithm: $dgst\n";
} }
# #
# Generate the digest and read from openssl's stdout # Generate the digest and read from openssl's stdout
# #
my $digest; my $digest;
$digest = readpipe("openssl dgst $dgst -binary $module") || die "openssl dgst"; $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
# #
# Generate the binary signature, which will be just the integer that comprises # Generate the binary signature, which will be just the integer that comprises
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册