author | Jeremy Kerr <jeremy.kerr@canonical.com> | 2012-06-11 15:28:16 +0800 |
committer | Jeremy Kerr <jeremy.kerr@canonical.com> | 2012-06-11 15:59:48 +0800 |
commit | 3c9815acc6a7fc07c4b883a3b9051c09ce4346e6 (patch) | |
tree | af4f088283c76028f0982bdf442e3b392d124f5c | |
parent | f98a885cfab74b19085aee16840c902040f3fee5 (diff) | |
download | sbsigntools-3c9815acc6a7fc07c4b883a3b9051c09ce4346e6.tar.gz |
sbsign: Add --detached option to create detached PKCS7 signatures
Add an option (--detached) to sbsign, which creates a detached
signature, rather than embedding it in the PE/COFF signature table.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
-rw-r--r-- | image.c | 16 | ||||
-rw-r--r-- | image.h | 1 | ||||
-rw-r--r-- | sbsign.c | 23 |
3 files changed, 37 insertions, 3 deletions
@@ -362,3 +362,19 @@ out:
 close(fd);
 return !rc;
 }
+
+int image_write_detached(struct image *image, const char *filename)
+{
+ int fd, rc;
+
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ if (fd < 0) {
+ perror("open");
+ return -1;
+ }
+
+ rc = write_all(fd, image->sigbuf, image->sigsize);
+
+ close(fd);
+ return !rc;
+}
@@ -81,6 +81,7 @@ int image_pecoff_parse(struct image *image);
 int image_find_regions(struct image *image);
 int image_hash_sha256(struct image *image, uint8_t digest[]);
 int image_write_signed(struct image *image, const char *filename);
+int image_write_detached(struct image *image, const char *filename);
 #endif /* IMAGE_H */
@@ -48,12 +48,14 @@ struct sign_context {
 const char *infilename;
 const char *outfilename;
 int verbose;
+ int detached;
 };
 static struct option options[] = {
 { "output", required_argument, NULL, 'o' },
 { "cert", required_argument, NULL, 'c' },
 { "key", required_argument, NULL, 'k' },
+ { "detached", no_argument, NULL, 'd' },
 { "verbose", no_argument, NULL, 'v' },
 { "help", no_argument, NULL, 'h' },
 { "version", no_argument, NULL, 'V' },
@@ -69,8 +71,12 @@ static void usage(void)
 "\t--key <keyfile> signing key (PEM-encoded RSA "
 "private key)\n"
 "\t--cert <certfile> certificate (x509 certificate)\n"
+ "\t--detached write a detached signature, instead of\n"
+ "\t a signed binary\n"
 "\t--output <file> write signed data to <file>\n"
- "\t (default <efi-boot-image>.signed)\n",
+ "\t (default <efi-boot-image>.signed,\n"
+ "\t or <efi-boot-image>.pk7 for detached\n"
+ "\t signatures)\n",
 toolname);
 }
@@ -81,7 +87,12 @@ static void version(void)
 static void set_default_outfilename(struct sign_context *ctx)
 {
- ctx->outfilename = talloc_asprintf(ctx, "%s.signed", ctx->infilename);
+ const char *extension;
+
+ extension = ctx->detached ? "pk7" : "signed";
+
+ ctx->outfilename = talloc_asprintf(ctx, "%s.%s",
+ ctx->infilename, extension);
 }
 int main(int argc, char **argv)
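Review bot: The return contract of `image_write_detached` is unstated and mixes two encodings in one function: `-1` when open() fails but `!rc` after write_all, so what a caller must test depends on write_all's own convention, which is outside this hunk. A header comment above the definition would settle it, e.g. `/* Write the raw PKCS7 signature (image->sigbuf) to filename. Returns 0 on success, non-zero on failure; on failure a partial file may be left behind. */` — adjust the wording if write_all's sense differs. Checking the result of `close(fd)` is also worthwhile here, since some filesystems report a failed write only at close and the .pk7 file is the one artifact a later verification step depends on.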
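Review bot: The new `{ "detached", no_argument, NULL, 'd' }` entry maps the long option to 'd', but nothing in this diff updates the short-option string passed to getopt_long, so `-d` may be rejected as an invalid option while `--detached` works (the hunk at -112 adds the matching `case 'd'`); if only the long form is intended that matches usage(), otherwise the optstring needs a `d` as well. The new field could also carry a short comment, e.g. `int detached; /* write only the PKCS7 signature, not a signed PE/COFF image */`.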
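Review bot: `set_default_outfilename` now reads `ctx->detached`, so it must run after option parsing; if its call site (outside this hunk) still runs it earlier, a detached run would get a `.signed` default name. As a point of style, `extension` can be initialised where it is declared, `const char *extension = ctx->detached ? "pk7" : "signed";`, which removes the two blank lines, and the talloc_asprintf result remains unchecked for NULL.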
@@ -112,6 +123,9 @@ int main(int argc, char **argv)
 case 'k':
 keyfilename = optarg;
 break;
+ case 'd':
+ ctx->detached = 1;
+ break;
 case 'v':
 ctx->verbose = 1;
 break;
@@ -195,7 +209,10 @@ int main(int argc, char **argv)
 i2d_PKCS7(p7, &buf);
 ERR_print_errors_fp(stdout);
- image_write_signed(ctx->image, ctx->outfilename);
+ if (ctx->detached)
+ image_write_detached(ctx->image, ctx->outfilename);
+ else
+ image_write_signed(ctx->image, ctx->outfilename);
 talloc_free(ctx);
|
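Review bot: The result of `image_write_detached` (and of `image_write_signed` beside it) is discarded, so an open() or write failure leaves an empty or truncated `.pk7` while sbsign presumably still exits successfully — for a signature file that a verifier will later consume, a silent partial write is the worst outcome. Capture the return value, e.g. `rc = ctx->detached ? image_write_detached(ctx->image, ctx->outfilename) : image_write_signed(ctx->image, ctx->outfilename);`, and make the exit status reflect it (an `rc` local may already exist in main; main's body continues outside the hunk).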