3 # Sign a module file using the given key.
5 # Format: sign-file <key> <x509> <src-file> <dst-file>
10 CONFIG_MODULE_SIG_SHA512
=y
23 echo "Can't read private key" >&2
29 echo "Can't read X.509 certificate" >&2
32 if [ ! -r "$x509.signer" ]
34 echo "Can't read Signer name" >&2
37 if [ ! -r "$x509.keyid" ]
39 echo "Can't read Key identifier" >&2
44 # Signature parameters
46 algo
=1 # Public-key crypto algorithm: RSA
47 hash= # Digest algorithm
48 id_type
=1 # Identifier type: X.509
54 if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
56 prologue
="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
59 elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
61 prologue
="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
64 elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
66 prologue
="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
69 elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
71 prologue
="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
74 elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
76 prologue
="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
80 echo "$0: Can't determine hash algorithm" >&2
85 perl
-e "binmode STDOUT; print pack(\"C*\", $prologue)" ||
exit $?
86 openssl dgst
$dgst -binary $src ||
exit $?
87 ) >$src.
dig ||
exit $?
90 # Generate the binary signature, which will be just the integer that comprises
91 # the signature with no metadata attached.
93 openssl rsautl
-sign -inkey $key -keyform PEM
-in $src.
dig -out $src.sig ||
exit $?
94 signerlen
=`stat -c %s $x509.signer`
95 keyidlen
=`stat -c %s $x509.keyid`
96 siglen
=`stat -c %s $src.sig`
99 # Build the signed binary
103 echo '~Module signature appended~' ||
exit $?
104 cat $x509.signer
$x509.keyid ||
exit $?
106 # Preface each signature integer with a 2-byte BE length
107 perl
-e "binmode STDOUT; print pack(\"n\", $siglen)" ||
exit $?
108 cat $src.sig ||
exit $?
110 # Generate the information block
111 perl
-e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" ||
exit $?
114 # Permit in-place signing
115 mv $dst~
$dst ||
exit $?