KEYS: Provide a script to extract a module signature
The supplied script takes a signed module file and extracts the tailmost signature (there could theoretically be more than one) and dumps all or part of it or the unsigned file to stdout. Call as: scripts/extract-module-sig.pl -[0adnks] module-file >out where the initial flag indicates which bit of the signed file you want dumping to stdout: (*) "-0". Dumps the unsigned data with the signature stripped. (*) "-a". Dumps all of the signature data, including the magic number. (*) "-d". Dumps the signature information block as a sequence of decimal numbers in text form with spaces between (crypto algorithm type, hash type, identifier type, signer's name length, key identifier length and signature length). (*) "-n". Dumps the signer's name contents. (*) "-k". Dumps the key identifier contents. (*) "-s". Dumps the cryptographic signature contents. In the case that the signature is a PKCS#7 (or CMS) message, -n and -k will print a warning to stderr and dump nothing to stdout, but will otherwise complete okay; the entire PKCS#7/CMS message will be dumped by "-s"; and "-d" will show "0 0 2 0 0 <pkcs#7-msg-len>". Signed-off-by: David Howells <dhowells@redhat.com>
This commit is contained in:
parent
2221a6ee73
commit
4adc605edc
1 changed files with 136 additions and 0 deletions
136
scripts/extract-module-sig.pl
Executable file
136
scripts/extract-module-sig.pl
Executable file
|
@ -0,0 +1,136 @@
|
|||
#!/usr/bin/perl -w
|
||||
#
|
||||
# extract-mod-sig <part> <module-file>
|
||||
#
|
||||
# Reads the module file and writes out some or all of the signature
|
||||
# section to stdout. Part is the bit to be written and is one of:
|
||||
#
|
||||
# -0: The unsigned module, no signature data at all
|
||||
# -a: All of the signature data, including magic number
|
||||
# -d: Just the descriptor values as a sequence of numbers
|
||||
# -n: Just the signer's name
|
||||
# -k: Just the key ID
|
||||
# -s: Just the crypto signature or PKCS#7 message
|
||||
#
|
||||
use strict;
|
||||
|
||||
die "Format: $0 -[0adnks] module-file >out\n"
|
||||
if ($#ARGV != 1);
|
||||
|
||||
my $part = $ARGV[0];
|
||||
my $modfile = $ARGV[1];
|
||||
|
||||
my $magic_number = "~Module signature appended~\n";
|
||||
|
||||
#
|
||||
# Read the module contents
|
||||
#
|
||||
open FD, "<$modfile" || die $modfile;
|
||||
binmode(FD);
|
||||
my @st = stat(FD);
|
||||
die "$modfile" unless (@st);
|
||||
my $buf = "";
|
||||
my $len = sysread(FD, $buf, $st[7]);
|
||||
die "$modfile" unless (defined($len));
|
||||
die "Short read on $modfile\n" unless ($len == $st[7]);
|
||||
close(FD) || die $modfile;
|
||||
|
||||
print STDERR "Read ", $len, " bytes from module file\n";
|
||||
|
||||
die "The file is too short to have a sig magic number and descriptor\n"
|
||||
if ($len < 12 + length($magic_number));
|
||||
|
||||
#
|
||||
# Check for the magic number and extract the information block
|
||||
#
|
||||
my $p = $len - length($magic_number);
|
||||
my $raw_magic = substr($buf, $p);
|
||||
|
||||
die "Magic number not found at $len\n"
|
||||
if ($raw_magic ne $magic_number);
|
||||
print STDERR "Found magic number at $len\n";
|
||||
|
||||
$p -= 12;
|
||||
my $raw_info = substr($buf, $p, 12);
|
||||
|
||||
my @info = unpack("CCCCCxxxN", $raw_info);
|
||||
my ($algo, $hash, $id_type, $name_len, $kid_len, $sig_len) = @info;
|
||||
|
||||
if ($id_type == 0) {
|
||||
print STDERR "Found PGP key identifier\n";
|
||||
} elsif ($id_type == 1) {
|
||||
print STDERR "Found X.509 cert identifier\n";
|
||||
} elsif ($id_type == 2) {
|
||||
print STDERR "Found PKCS#7/CMS encapsulation\n";
|
||||
} else {
|
||||
print STDERR "Found unsupported identifier type $id_type\n";
|
||||
}
|
||||
|
||||
#
|
||||
# Extract the three pieces of info data
|
||||
#
|
||||
die "Insufficient name+kid+sig data in file\n"
|
||||
unless ($p >= $name_len + $kid_len + $sig_len);
|
||||
|
||||
$p -= $sig_len;
|
||||
my $raw_sig = substr($buf, $p, $sig_len);
|
||||
$p -= $kid_len;
|
||||
my $raw_kid = substr($buf, $p, $kid_len);
|
||||
$p -= $name_len;
|
||||
my $raw_name = substr($buf, $p, $name_len);
|
||||
|
||||
my $module_len = $p;
|
||||
|
||||
if ($sig_len > 0) {
|
||||
print STDERR "Found $sig_len bytes of signature [";
|
||||
my $n = $sig_len > 16 ? 16 : $sig_len;
|
||||
foreach my $i (unpack("C" x $n, substr($raw_sig, 0, $n))) {
|
||||
printf STDERR "%02x", $i;
|
||||
}
|
||||
print STDERR "]\n";
|
||||
}
|
||||
|
||||
if ($kid_len > 0) {
|
||||
print STDERR "Found $kid_len bytes of key identifier [";
|
||||
my $n = $kid_len > 16 ? 16 : $kid_len;
|
||||
foreach my $i (unpack("C" x $n, substr($raw_kid, 0, $n))) {
|
||||
printf STDERR "%02x", $i;
|
||||
}
|
||||
print STDERR "]\n";
|
||||
}
|
||||
|
||||
if ($name_len > 0) {
|
||||
print STDERR "Found $name_len bytes of signer's name [$raw_name]\n";
|
||||
}
|
||||
|
||||
#
|
||||
# Produce the requested output
|
||||
#
|
||||
if ($part eq "-0") {
|
||||
# The unsigned module, no signature data at all
|
||||
binmode(STDOUT);
|
||||
print substr($buf, 0, $module_len);
|
||||
} elsif ($part eq "-a") {
|
||||
# All of the signature data, including magic number
|
||||
binmode(STDOUT);
|
||||
print substr($buf, $module_len);
|
||||
} elsif ($part eq "-d") {
|
||||
# Just the descriptor values as a sequence of numbers
|
||||
print join(" ", @info), "\n";
|
||||
} elsif ($part eq "-n") {
|
||||
# Just the signer's name
|
||||
print STDERR "No signer's name for PKCS#7 message type sig\n"
|
||||
if ($id_type == 2);
|
||||
binmode(STDOUT);
|
||||
print $raw_name;
|
||||
} elsif ($part eq "-k") {
|
||||
# Just the key identifier
|
||||
print STDERR "No key ID for PKCS#7 message type sig\n"
|
||||
if ($id_type == 2);
|
||||
binmode(STDOUT);
|
||||
print $raw_kid;
|
||||
} elsif ($part eq "-s") {
|
||||
# Just the crypto signature or PKCS#7 message
|
||||
binmode(STDOUT);
|
||||
print $raw_sig;
|
||||
}
|
Loading…
Reference in a new issue