xref: /openbmc/linux/scripts/sign-file.c (revision efdbd7345f8836f7495f3ac6ee237d86cb3bb6b0) 
1 /* Sign a module file using the given key.
2  *
3  * Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved.
4  * Copyright © 2015      Intel Corporation.
5  *
6  * Authors: David Howells <dhowells@redhat.com>
7  *          David Woodhouse <dwmw2@infradead.org>
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU Lesser General Public License
11  * as published by the Free Software Foundation; either version 2.1
12  * of the licence, or (at your option) any later version.
13  */
14 #define _GNU_SOURCE
15 #include <stdio.h>
16 #include <stdlib.h>
17 #include <stdint.h>
18 #include <stdbool.h>
19 #include <string.h>
20 #include <getopt.h>
21 #include <err.h>
22 #include <arpa/inet.h>
23 #include <openssl/bio.h>
24 #include <openssl/evp.h>
25 #include <openssl/pem.h>
26 #include <openssl/cms.h>
27 #include <openssl/err.h>
28 #include <openssl/engine.h>
29 
30 struct module_signature {
31 	uint8_t		algo;		/* Public-key crypto algorithm [0] */
32 	uint8_t		hash;		/* Digest algorithm [0] */
33 	uint8_t		id_type;	/* Key identifier type [PKEY_ID_PKCS7] */
34 	uint8_t		signer_len;	/* Length of signer's name [0] */
35 	uint8_t		key_id_len;	/* Length of key identifier [0] */
36 	uint8_t		__pad[3];
37 	uint32_t	sig_len;	/* Length of signature data */
38 };
39 
40 #define PKEY_ID_PKCS7 2
41 
42 static char magic_number[] = "~Module signature appended~\n";
43 
44 static __attribute__((noreturn))
45 void format(void)
46 {
47 	fprintf(stderr,
48 		"Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
49 	exit(2);
50 }
51 
52 static void display_openssl_errors(int l)
53 {
54 	const char *file;
55 	char buf[120];
56 	int e, line;
57 
58 	if (ERR_peek_error() == 0)
59 		return;
60 	fprintf(stderr, "At main.c:%d:\n", l);
61 
62 	while ((e = ERR_get_error_line(&file, &line))) {
63 		ERR_error_string(e, buf);
64 		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
65 	}
66 }
67 
68 static void drain_openssl_errors(void)
69 {
70 	const char *file;
71 	int line;
72 
73 	if (ERR_peek_error() == 0)
74 		return;
75 	while (ERR_get_error_line(&file, &line)) {}
76 }
77 
78 #define ERR(cond, fmt, ...)				\
79 	do {						\
80 		bool __cond = (cond);			\
81 		display_openssl_errors(__LINE__);	\
82 		if (__cond) {				\
83 			err(1, fmt, ## __VA_ARGS__);	\
84 		}					\
85 	} while(0)
86 
87 static const char *key_pass;
88 
89 static int pem_pw_cb(char *buf, int len, int w, void *v)
90 {
91 	int pwlen;
92 
93 	if (!key_pass)
94 		return -1;
95 
96 	pwlen = strlen(key_pass);
97 	if (pwlen >= len)
98 		return -1;
99 
100 	strcpy(buf, key_pass);
101 
102 	/* If it's wrong, don't keep trying it. */
103 	key_pass = NULL;
104 
105 	return pwlen;
106 }
107 
108 int main(int argc, char **argv)
109 {
110 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
111 	char *hash_algo = NULL;
112 	char *private_key_name, *x509_name, *module_name, *dest_name;
113 	bool save_cms = false, replace_orig;
114 	bool sign_only = false;
115 	unsigned char buf[4096];
116 	unsigned long module_size, cms_size;
117 	unsigned int use_keyid = 0, use_signed_attrs = CMS_NOATTR;
118 	const EVP_MD *digest_algo;
119 	EVP_PKEY *private_key;
120 	CMS_ContentInfo *cms;
121 	X509 *x509;
122 	BIO *b, *bd = NULL, *bm;
123 	int opt, n;
124 
125 	OpenSSL_add_all_algorithms();
126 	ERR_load_crypto_strings();
127 	ERR_clear_error();
128 
129 	key_pass = getenv("KBUILD_SIGN_PIN");
130 
131 	do {
132 		opt = getopt(argc, argv, "dpk");
133 		switch (opt) {
134 		case 'p': save_cms = true; break;
135 		case 'd': sign_only = true; save_cms = true; break;
136 		case 'k': use_keyid = CMS_USE_KEYID; break;
137 		case -1: break;
138 		default: format();
139 		}
140 	} while (opt != -1);
141 
142 	argc -= optind;
143 	argv += optind;
144 	if (argc < 4 || argc > 5)
145 		format();
146 
147 	hash_algo = argv[0];
148 	private_key_name = argv[1];
149 	x509_name = argv[2];
150 	module_name = argv[3];
151 	if (argc == 5) {
152 		dest_name = argv[4];
153 		replace_orig = false;
154 	} else {
155 		ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0,
156 		    "asprintf");
157 		replace_orig = true;
158 	}
159 
160 	/* Read the private key and the X.509 cert the PKCS#7 message
161 	 * will point to.
162 	 */
163 	if (!strncmp(private_key_name, "pkcs11:", 7)) {
164 		ENGINE *e;
165 
166 		ENGINE_load_builtin_engines();
167 		drain_openssl_errors();
168 		e = ENGINE_by_id("pkcs11");
169 		ERR(!e, "Load PKCS#11 ENGINE");
170 		if (ENGINE_init(e))
171 			drain_openssl_errors();
172 		else
173 			ERR(1, "ENGINE_init");
174 		if (key_pass)
175 			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
176 		private_key = ENGINE_load_private_key(e, private_key_name, NULL,
177 						      NULL);
178 		ERR(!private_key, "%s", private_key_name);
179 	} else {
180 		b = BIO_new_file(private_key_name, "rb");
181 		ERR(!b, "%s", private_key_name);
182 		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
183 		ERR(!private_key, "%s", private_key_name);
184 		BIO_free(b);
185 	}
186 
187 	b = BIO_new_file(x509_name, "rb");
188 	ERR(!b, "%s", x509_name);
189 	x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
190 	if (!x509) {
191 		ERR(BIO_reset(b) != 1, "%s", x509_name);
192 		x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
193 		if (x509)
194 			drain_openssl_errors();
195 	}
196 	BIO_free(b);
197 	ERR(!x509, "%s", x509_name);
198 
199 	/* Open the destination file now so that we can shovel the module data
200 	 * across as we read it.
201 	 */
202 	if (!sign_only) {
203 		bd = BIO_new_file(dest_name, "wb");
204 		ERR(!bd, "%s", dest_name);
205 	}
206 
207 	/* Digest the module data. */
208 	OpenSSL_add_all_digests();
209 	display_openssl_errors(__LINE__);
210 	digest_algo = EVP_get_digestbyname(hash_algo);
211 	ERR(!digest_algo, "EVP_get_digestbyname");
212 
213 	bm = BIO_new_file(module_name, "rb");
214 	ERR(!bm, "%s", module_name);
215 
216 	/* Load the CMS message from the digest buffer. */
217 	cms = CMS_sign(NULL, NULL, NULL, NULL,
218 		       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
219 	ERR(!cms, "CMS_sign");
220 
221 	ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
222 			     CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
223 			     use_keyid | use_signed_attrs),
224 	    "CMS_sign_add_signer");
225 	ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
226 	    "CMS_final");
227 
228 	if (save_cms) {
229 		char *cms_name;
230 
231 		ERR(asprintf(&cms_name, "%s.p7s", module_name) < 0, "asprintf");
232 		b = BIO_new_file(cms_name, "wb");
233 		ERR(!b, "%s", cms_name);
234 		ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0, "%s", cms_name);
235 		BIO_free(b);
236 	}
237 
238 	if (sign_only)
239 		return 0;
240 
241 	/* Append the marker and the PKCS#7 message to the destination file */
242 	ERR(BIO_reset(bm) < 0, "%s", module_name);
243 	while ((n = BIO_read(bm, buf, sizeof(buf))),
244 	       n > 0) {
245 		ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
246 	}
247 	ERR(n < 0, "%s", module_name);
248 	module_size = BIO_number_written(bd);
249 
250 	ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
251 	cms_size = BIO_number_written(bd) - module_size;
252 	sig_info.sig_len = htonl(cms_size);
253 	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
254 	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
255 
256 	ERR(BIO_free(bd) < 0, "%s", dest_name);
257 
258 	/* Finally, if we're signing in place, replace the original. */
259 	if (replace_orig)
260 		ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
261 
262 	return 0;
263 }
264