diff options
author | Michal Marek | 2013-01-25 13:41:12 +1030 |
---|---|---|
committer | Rusty Russell | 2013-01-25 16:55:36 +1030 |
commit | 4bc9410c0cf5079219bdfa3295d83dfacefe1bb2 (patch) | |
tree | df6c60a1d43224b72ba05abb21210b6b57915fd1 | |
parent | 227536740e5cb157fb9fa9b381178c7d34b95d3b (diff) |
MODSIGN: Specify the hash algorithm on sign-file command line
Make the script usable without a .config file.
Signed-off-by: Michal Marek <mmarek@suse.cz>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
-rw-r--r-- | Makefile | 2 | ||||
-rwxr-xr-x | scripts/sign-file | 53 |
2 files changed, 17 insertions, 38 deletions
@@ -723,7 +723,7 @@ ifeq ($(CONFIG_MODULE_SIG),y) MODSECKEY = ./signing_key.priv MODPUBKEY = ./signing_key.x509 export MODPUBKEY -mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY) +mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) else mod_sign_cmd = true endif diff --git a/scripts/sign-file b/scripts/sign-file index 974a20b661b7..2c2bbd18ff44 100755 --- a/scripts/sign-file +++ b/scripts/sign-file @@ -4,7 +4,7 @@ # # Format: # -# ./scripts/sign-file [-v] <key> <x509> <module> [<dest>] +# ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>] # # use strict; @@ -17,36 +17,20 @@ if ($#ARGV >= 0 && $ARGV[0] eq "-v") { shift; } -die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n" - if ($#ARGV != 2 && $#ARGV != 3); +die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" + if ($#ARGV != 3 && $#ARGV != 4); -my $private_key = $ARGV[0]; -my $x509 = $ARGV[1]; -my $module = $ARGV[2]; -my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~"; +my $dgst = $ARGV[0]; +my $private_key = $ARGV[1]; +my $x509 = $ARGV[2]; +my $module = $ARGV[3]; +my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~"; die "Can't read private key\n" unless (-r $private_key); die "Can't read X.509 certificate\n" unless (-r $x509); die "Can't read module\n" unless (-r $module); # -# Read the kernel configuration -# -my %config = ( - CONFIG_MODULE_SIG_SHA512 => 1 - ); - -if (-r ".config") { - open(FD, "<.config") || die ".config"; - while (<FD>) { - if ($_ =~ /^(CONFIG_.*)=[ym]/) { - $config{$1} = 1; - } - } - close(FD); -} - -# # Function to read the contents of a file into a variable. # sub read_file($) @@ -321,51 +305,46 @@ my $id_type = 1; # Identifier type: X.509 # # Digest the data # -my ($dgst, $prologue) = (); -if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) { +my $prologue; +if ($dgst eq "sha1") { $prologue = pack("C*", 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14); - $dgst = "-sha1"; $hash = 2; -} elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) { +} elsif ($dgst eq "sha224") { $prologue = pack("C*", 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C); - $dgst = "-sha224"; $hash = 7; -} elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) { +} elsif ($dgst eq "sha256") { $prologue = pack("C*", 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20); - $dgst = "-sha256"; $hash = 4; -} elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) { +} elsif ($dgst eq "sha384") { $prologue = pack("C*", 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30); - $dgst = "-sha384"; $hash = 5; -} elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) { +} elsif ($dgst eq "sha512") { $prologue = pack("C*", 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40); - $dgst = "-sha512"; $hash = 6; } else { - die "Can't determine hash algorithm"; + die "Unknown hash algorithm: $dgst\n"; } # # Generate the digest and read from openssl's stdout # my $digest; -$digest = readpipe("openssl dgst $dgst -binary $module") || die "openssl dgst"; +$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst"; # # Generate the binary signature, which will be just the integer that comprises |