2012-04-23 10:14:42 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2012 Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
|
* as published by the Free Software Foundation; either version 3
|
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
|
|
|
|
|
* USA.
|
2012-06-28 07:05:30 +00:00
|
|
|
*
|
|
|
|
|
* In addition, as a special exception, the copyright holders give
|
|
|
|
|
* permission to link the code of portions of this program with the OpenSSL
|
|
|
|
|
* library under certain conditions as described in each individual source file,
|
|
|
|
|
* and distribute linked combinations including the two.
|
|
|
|
|
*
|
|
|
|
|
* You must obey the GNU General Public License in all respects for all
|
|
|
|
|
* of the code used other than OpenSSL. If you modify file(s) with this
|
|
|
|
|
* exception, you may extend this exception to your version of the
|
|
|
|
|
* file(s), but you are not obligated to do so. If you do not wish to do
|
|
|
|
|
* so, delete this exception statement from your version. If you delete
|
|
|
|
|
* this exception statement from all source files in the program, then
|
|
|
|
|
* also delete it here.
|
2012-04-23 10:14:42 +00:00
|
|
|
*/
|
2012-04-23 09:18:34 +00:00
|
|
|
#define _GNU_SOURCE
|
|
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <stdint.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
#include <getopt.h>
|
|
|
|
|
|
2016-11-16 15:27:54 +00:00
|
|
|
#include <openssl/conf.h>
|
2012-04-23 09:18:34 +00:00
|
|
|
#include <openssl/pem.h>
|
|
|
|
|
#include <openssl/pkcs7.h>
|
|
|
|
|
#include <openssl/err.h>
|
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
|
#include <openssl/asn1.h>
|
|
|
|
|
#include <openssl/asn1t.h>
|
|
|
|
|
|
|
|
|
|
#include <ccan/talloc/talloc.h>
|
|
|
|
|
|
|
|
|
|
#include "idc.h"
|
|
|
|
|
#include "image.h"
|
2012-08-03 02:36:38 +00:00
|
|
|
#include "fileio.h"
|
2012-04-23 09:18:34 +00:00
|
|
|
|
2012-05-23 03:52:22 +00:00
|
|
|
static const char *toolname = "sbsign";
|
|
|
|
|
|
2012-04-23 09:18:34 +00:00
|
|
|
struct sign_context {
|
|
|
|
|
struct image *image;
|
|
|
|
|
const char *infilename;
|
|
|
|
|
const char *outfilename;
|
|
|
|
|
int verbose;
|
2012-06-11 07:28:16 +00:00
|
|
|
int detached;
|
2012-04-23 09:18:34 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct option options[] = {
|
|
|
|
|
{ "output", required_argument, NULL, 'o' },
|
|
|
|
|
{ "cert", required_argument, NULL, 'c' },
|
|
|
|
|
{ "key", required_argument, NULL, 'k' },
|
2012-06-11 07:28:16 +00:00
|
|
|
{ "detached", no_argument, NULL, 'd' },
|
2012-04-23 09:18:34 +00:00
|
|
|
{ "verbose", no_argument, NULL, 'v' },
|
2012-05-23 03:52:22 +00:00
|
|
|
{ "help", no_argument, NULL, 'h' },
|
|
|
|
|
{ "version", no_argument, NULL, 'V' },
|
2012-04-23 09:18:34 +00:00
|
|
|
{ NULL, 0, NULL, 0 },
|
|
|
|
|
};
|
|
|
|
|
|
2012-05-23 03:52:22 +00:00
|
|
|
static void usage(void)
|
2012-04-23 09:18:34 +00:00
|
|
|
{
|
2012-05-23 03:52:22 +00:00
|
|
|
printf("Usage: %s [options] --key <keyfile> --cert <certfile> "
|
2012-04-24 01:09:57 +00:00
|
|
|
"<efi-boot-image>\n"
|
2012-05-23 03:52:22 +00:00
|
|
|
"Sign an EFI boot image for use with secure boot.\n\n"
|
|
|
|
|
"Options:\n"
|
2012-04-24 01:09:57 +00:00
|
|
|
"\t--key <keyfile> signing key (PEM-encoded RSA "
|
|
|
|
|
"private key)\n"
|
|
|
|
|
"\t--cert <certfile> certificate (x509 certificate)\n"
|
2012-06-11 07:28:16 +00:00
|
|
|
"\t--detached write a detached signature, instead of\n"
|
|
|
|
|
"\t a signed binary\n"
|
2012-04-24 01:09:57 +00:00
|
|
|
"\t--output <file> write signed data to <file>\n"
|
2012-06-11 07:28:16 +00:00
|
|
|
"\t (default <efi-boot-image>.signed,\n"
|
|
|
|
|
"\t or <efi-boot-image>.pk7 for detached\n"
|
|
|
|
|
"\t signatures)\n",
|
2012-05-23 03:52:22 +00:00
|
|
|
toolname);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void version(void)
|
|
|
|
|
{
|
|
|
|
|
printf("%s %s\n", toolname, VERSION);
|
2012-04-23 09:18:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void set_default_outfilename(struct sign_context *ctx)
|
|
|
|
|
{
|
2012-06-11 07:28:16 +00:00
|
|
|
const char *extension;
|
|
|
|
|
|
|
|
|
|
extension = ctx->detached ? "pk7" : "signed";
|
|
|
|
|
|
|
|
|
|
ctx->outfilename = talloc_asprintf(ctx, "%s.%s",
|
|
|
|
|
ctx->infilename, extension);
|
2012-04-23 09:18:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int main(int argc, char **argv)
|
|
|
|
|
{
|
|
|
|
|
const char *keyfilename, *certfilename;
|
|
|
|
|
struct sign_context *ctx;
|
2012-08-03 02:03:14 +00:00
|
|
|
uint8_t *buf, *tmp;
|
|
|
|
|
int rc, c, sigsize;
|
2012-04-23 09:18:34 +00:00
|
|
|
|
|
|
|
|
ctx = talloc_zero(NULL, struct sign_context);
|
|
|
|
|
|
|
|
|
|
keyfilename = NULL;
|
|
|
|
|
certfilename = NULL;
|
|
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
int idx;
|
2012-06-11 11:49:28 +00:00
|
|
|
c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
|
2012-04-23 09:18:34 +00:00
|
|
|
if (c == -1)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
switch (c) {
|
|
|
|
|
case 'o':
|
|
|
|
|
ctx->outfilename = talloc_strdup(ctx, optarg);
|
|
|
|
|
break;
|
|
|
|
|
case 'c':
|
|
|
|
|
certfilename = optarg;
|
|
|
|
|
break;
|
|
|
|
|
case 'k':
|
|
|
|
|
keyfilename = optarg;
|
|
|
|
|
break;
|
2012-06-11 07:28:16 +00:00
|
|
|
case 'd':
|
|
|
|
|
ctx->detached = 1;
|
|
|
|
|
break;
|
2012-06-11 06:54:57 +00:00
|
|
|
case 'v':
|
2012-04-23 09:18:34 +00:00
|
|
|
ctx->verbose = 1;
|
|
|
|
|
break;
|
2012-05-23 03:52:22 +00:00
|
|
|
case 'V':
|
|
|
|
|
version();
|
|
|
|
|
return EXIT_SUCCESS;
|
|
|
|
|
case 'h':
|
|
|
|
|
usage();
|
|
|
|
|
return EXIT_SUCCESS;
|
2012-04-23 09:18:34 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (argc != optind + 1) {
|
2012-05-23 03:52:22 +00:00
|
|
|
usage();
|
2012-04-23 09:18:34 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx->infilename = argv[optind];
|
|
|
|
|
if (!ctx->outfilename)
|
|
|
|
|
set_default_outfilename(ctx);
|
|
|
|
|
|
|
|
|
|
if (!certfilename) {
|
|
|
|
|
fprintf(stderr,
|
|
|
|
|
"error: No certificate specified (with --cert)\n");
|
2012-05-23 03:52:22 +00:00
|
|
|
usage();
|
2012-04-23 09:18:34 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
}
|
|
|
|
|
if (!keyfilename) {
|
|
|
|
|
fprintf(stderr,
|
|
|
|
|
"error: No key specified (with --key)\n");
|
2012-05-23 03:52:22 +00:00
|
|
|
usage();
|
2012-04-23 09:18:34 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx->image = image_load(ctx->infilename);
|
|
|
|
|
if (!ctx->image)
|
|
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
|
|
|
|
talloc_steal(ctx, ctx->image);
|
|
|
|
|
|
|
|
|
|
ERR_load_crypto_strings();
|
|
|
|
|
OpenSSL_add_all_digests();
|
2012-06-26 13:57:03 +00:00
|
|
|
OpenSSL_add_all_ciphers();
|
2016-11-16 15:27:54 +00:00
|
|
|
OPENSSL_config(NULL);
|
2014-12-19 18:59:05 +00:00
|
|
|
/* here we may get highly unlikely failures or we'll get a
|
|
|
|
|
* complaint about FIPS signatures (usually becuase the FIPS
|
|
|
|
|
* module isn't present). In either case ignore the errors
|
|
|
|
|
* (malloc will cause other failures out lower down */
|
|
|
|
|
ERR_clear_error();
|
2012-08-03 02:36:38 +00:00
|
|
|
EVP_PKEY *pkey = fileio_read_pkey(keyfilename);
|
|
|
|
|
if (!pkey)
|
2012-04-23 09:18:34 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
2012-08-03 02:36:38 +00:00
|
|
|
X509 *cert = fileio_read_cert(certfilename);
|
|
|
|
|
if (!cert)
|
2012-04-23 09:18:34 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
|
|
|
|
const EVP_MD *md = EVP_get_digestbyname("SHA256");
|
|
|
|
|
|
|
|
|
|
/* set up the PKCS7 object */
|
|
|
|
|
PKCS7 *p7 = PKCS7_new();
|
|
|
|
|
PKCS7_set_type(p7, NID_pkcs7_signed);
|
|
|
|
|
|
|
|
|
|
PKCS7_SIGNER_INFO *si = PKCS7_sign_add_signer(p7, cert,
|
|
|
|
|
pkey, md, PKCS7_BINARY);
|
2012-06-28 02:18:08 +00:00
|
|
|
if (!si) {
|
|
|
|
|
fprintf(stderr, "error in key/certificate chain\n");
|
|
|
|
|
ERR_print_errors_fp(stderr);
|
|
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
}
|
2012-04-23 09:18:34 +00:00
|
|
|
|
|
|
|
|
PKCS7_content_new(p7, NID_pkcs7_data);
|
|
|
|
|
|
|
|
|
|
rc = IDC_set(p7, si, ctx->image);
|
|
|
|
|
if (rc)
|
|
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
2012-08-03 02:03:14 +00:00
|
|
|
sigsize = i2d_PKCS7(p7, NULL);
|
|
|
|
|
tmp = buf = talloc_array(ctx->image, uint8_t, sigsize);
|
|
|
|
|
i2d_PKCS7(p7, &tmp);
|
2012-04-23 09:18:34 +00:00
|
|
|
ERR_print_errors_fp(stdout);
|
|
|
|
|
|
2012-08-03 02:03:14 +00:00
|
|
|
image_add_signature(ctx->image, buf, sigsize);
|
|
|
|
|
|
2014-12-20 00:10:34 +00:00
|
|
|
if (ctx->detached) {
|
|
|
|
|
int i;
|
|
|
|
|
uint8_t *buf;
|
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
|
|
for (i = 0; !image_get_signature(ctx->image, i, &buf, &len); i++)
|
|
|
|
|
;
|
|
|
|
|
image_write_detached(ctx->image, i - 1, ctx->outfilename);
|
|
|
|
|
} else
|
2012-06-12 02:19:08 +00:00
|
|
|
image_write(ctx->image, ctx->outfilename);
|
2012-04-23 09:18:34 +00:00
|
|
|
|
|
|
|
|
talloc_free(ctx);
|
|
|
|
|
|
|
|
|
|
return EXIT_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
