Commit 4adc605e authored by David Howells's avatar David Howells
Browse files

KEYS: Provide a script to extract a module signature 



The supplied script takes a signed module file and extracts the tailmost
signature (there could theoretically be more than one) and dumps all or
part of it or the unsigned file to stdout.

Call as:

	scripts/extract-module-sig.pl -[0adnks] module-file >out

where the initial flag indicates which bit of the signed file you want dumping
to stdout:

 (*) "-0".  Dumps the unsigned data with the signature stripped.

 (*) "-a".  Dumps all of the signature data, including the magic number.

 (*) "-d".  Dumps the signature information block as a sequence of decimal
     	    numbers in text form with spaces between (crypto algorithm type,
     	    hash type, identifier type, signer's name length, key identifier
     	    length and signature length).

 (*) "-n".  Dumps the signer's name contents.

 (*) "-k".  Dumps the key identifier contents.

 (*) "-s".  Dumps the cryptographic signature contents.

In the case that the signature is a PKCS#7 (or CMS) message, -n and -k will
print a warning to stderr and dump nothing to stdout, but will otherwise
complete okay; the entire PKCS#7/CMS message will be dumped by "-s"; and "-d"
will show "0 0 2 0 0 <pkcs#7-msg-len>".

Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent 2221a6ee

scripts/extract-module-sig.pl

0 → 100755
+136 −0
Original line number Diff line number Diff line 
#!/usr/bin/perl -w

#

# extract-mod-sig <part> <module-file>

#

# Reads the module file and writes out some or all of the signature

# section to stdout.  Part is the bit to be written and is one of:

#

#  -0: The unsigned module, no signature data at all

#  -a: All of the signature data, including magic number

#  -d: Just the descriptor values as a sequence of numbers

#  -n: Just the signer's name

#  -k: Just the key ID

#  -s: Just the crypto signature or PKCS#7 message

#

use strict;



die "Format: $0 -[0adnks] module-file >out\n"

    if ($#ARGV != 1);



my $part = $ARGV[0];

my $modfile = $ARGV[1];



my $magic_number = "~Module signature appended~\n";



#

# Read the module contents

#

open FD, "<$modfile" || die $modfile;

binmode(FD);

my @st = stat(FD);

die "$modfile" unless (@st);

my $buf = "";

my $len = sysread(FD, $buf, $st[7]);

die "$modfile" unless (defined($len));

die "Short read on $modfile\n" unless ($len == $st[7]);

close(FD) || die $modfile;



print STDERR "Read ", $len, " bytes from module file\n";



die "The file is too short to have a sig magic number and descriptor\n"

    if ($len < 12 + length($magic_number));



#

# Check for the magic number and extract the information block

#

my $p = $len - length($magic_number);

my $raw_magic = substr($buf, $p);



die "Magic number not found at $len\n"

    if ($raw_magic ne $magic_number);

print STDERR "Found magic number at $len\n";



$p -= 12;

my $raw_info = substr($buf, $p, 12);



my @info = unpack("CCCCCxxxN", $raw_info);

my ($algo, $hash, $id_type, $name_len, $kid_len, $sig_len) = @info;



if ($id_type == 0) {

    print STDERR "Found PGP key identifier\n";

} elsif ($id_type == 1) {

    print STDERR "Found X.509 cert identifier\n";

} elsif ($id_type == 2) {

    print STDERR "Found PKCS#7/CMS encapsulation\n";

} else {

    print STDERR "Found unsupported identifier type $id_type\n";

}



#

# Extract the three pieces of info data

#

die "Insufficient name+kid+sig data in file\n"

    unless ($p >= $name_len + $kid_len + $sig_len);



$p -= $sig_len;

my $raw_sig = substr($buf, $p, $sig_len);

$p -= $kid_len;

my $raw_kid = substr($buf, $p, $kid_len);

$p -= $name_len;

my $raw_name = substr($buf, $p, $name_len);



my $module_len = $p;



if ($sig_len > 0) {

    print STDERR "Found $sig_len bytes of signature [";

    my $n = $sig_len > 16 ? 16 : $sig_len;

    foreach my $i (unpack("C" x $n, substr($raw_sig, 0, $n))) {

	printf STDERR "%02x", $i;

    }

    print STDERR "]\n";

}



if ($kid_len > 0) {

    print STDERR "Found $kid_len bytes of key identifier [";

    my $n = $kid_len > 16 ? 16 : $kid_len;

    foreach my $i (unpack("C" x $n, substr($raw_kid, 0, $n))) {

	printf STDERR "%02x", $i;

    }

    print STDERR "]\n";

}



if ($name_len > 0) {

    print STDERR "Found $name_len bytes of signer's name [$raw_name]\n";

}



#

# Produce the requested output

#

if ($part eq "-0") {

    # The unsigned module, no signature data at all

    binmode(STDOUT);

    print substr($buf, 0, $module_len);

} elsif ($part eq "-a") {

    # All of the signature data, including magic number

    binmode(STDOUT);

    print substr($buf, $module_len);

} elsif ($part eq "-d") {

    # Just the descriptor values as a sequence of numbers

    print join(" ", @info), "\n";

} elsif ($part eq "-n") {

    # Just the signer's name

    print STDERR "No signer's name for PKCS#7 message type sig\n"

	if ($id_type == 2);

    binmode(STDOUT);

    print $raw_name;

} elsif ($part eq "-k") {

    # Just the key identifier

    print STDERR "No key ID for PKCS#7 message type sig\n"

	if ($id_type == 2);

    binmode(STDOUT);

    print $raw_kid;

} elsif ($part eq "-s") {

    # Just the crypto signature or PKCS#7 message

    binmode(STDOUT);

    print $raw_sig;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE