elfsign - sign binaries
/usr/bin/elfsign sign [-v] -k private_key -c certificate_file -e elf_object [-d data_range] [-F format] [file]...
/usr/bin/elfsign sign [-v] -c certificate_file -e elf_object -T token_uri [-d data_range] [-F format] [file]...
/usr/bin/elfsign sign [-v] -c certificate_file [-e elf_object] -s signature_file [-d data_range] [-F format|-O oid] [file]
/usr/bin/elfsign verify [-c certificate_file] [-v] -e elf_object [file]...
/usr/bin/elfsign list [ -f field] -c certificate_file
/usr/bin/elfsign list [ -f field] -e elf_object [file]...
/usr/bin/elfsign digest [-o digest_file] [-e elf_object] [-F format] [file]
/usr/bin/elfsign data [-o output_file] [-e elf_object] [-d data_range] [file]
Lists on standard output information from a single certificate file or signed elf object. The selected field appears on a single line. If the field specified does not apply to the named file, the command terminates with no standard output. This output of this subcommand is intended for use in scripts and by other commands.
Signs the elf object, using the given private key and certificate file, or signature and certificate file.
Verifies an existing signed object. Uses the certificate given or searches for an appropriate certificate in directories /etc/certs/elfsign and /etc/certs if –c option is not given.
Prints on standard output, the digest of the elf object in a given format. SHA-256 is the default format.
Prints to the specified output_file or to standard output, the ELF data to be signed for the given data range. The default data range is interpret.
The following options are supported:
Specifies the path to an X.509 certificate in PEM/PKCS#7 or ASN.1 BER format.
Specifies the range of ELF data to sign. The valid data_range options are:
Use the data range found in the ELF file signature. If there's no signature, use the default data range.
The data signed are interpreted according to the file type. Treats relocatable ELF files and kernel modules the same as "relobj". For executable ELF files, sign ELF headers and ELF Program segments.
The data signed are ELF headers and ELF sections (excluding the signature section). This is the default range.
The data signed are ELF sections (excludes the signature section and ELF headers). This option is for use for signing files for older releases only.
Specifies the path to the object to be signed or verified.
The –e option can be specified multiple times for signing or verifying multiple objects.
For the sign subcommand, specifies the format of the signature. The valid format options are
Use the format found in the ELF file signature. If there's no signature, use the default format.
Use the default cryptographic signature algorithm, rsa_sha256.
RSA signature of a SHA-256 digest. This is the default format if –F option is omitted.
RSA signature of a SHA-1 digest. This format is obsolete.
RSA signature of a MD5 digest of a SHA-1 digest. This format is obsolete.
Specifies the encryption algorithm's OID, in lieu of –F option. For example, "-O 1.2.840.113549.1.1.11" is equivalent to "-F rsa_sha256". The OID is not validated.
For the list subcommand, specifies what field should appear in the output.
The list subcommand supports the following option:
Lists all fields in a certificate or an ELF file. For an ELF file, the following signature information is displayed: Endianness, format, version, signer, timestamp, signature and OID.
The valid field specifiers for a certificate file are:
Subject DN (Distinguished Name)
Issuer DN
The valid field specifiers for an elf object are:
Format of the signature
Subject DN of the certificate used to sign the object
Time the signature was applied, in the locale's default format. This is no longer used.
Specifies the location of the private key file when not using a PKCS#11 token. This file is an RSA Private key file in standard PEM (base64) or DER (binary) format.
It is an error to specify both the –k and –T options.
Specifies the path to the output file to be output with the data command.
Specifies the file which holds the PIN for accessing the token device. If the PIN is not provided in a pin_file, elfsign prompts for the PIN.
It is an error to specify the –P option without the –T option.
Specifies the path to a signature file in binary or base64 encoded format. Signature file is created separately using private key and the file created by the "elfsign data" subcommand of the elf object.
Specifies the URI of the PKCS#11 token device, as provided by pktool, which holds the private key. The token label, token key label, and pin file can be specified through the token_uri; the token key label (object) is a required input attribute.
It is an error to specify both the –T and –k options.
Requests more detailed information. The additional output includes the signer and, if the signature format contains it, the time the object was signed. This is not stable parsable output.
The following operand is supported:
One or more elf objects to be signed, verified or listed. At least one elf object must be specified either via the –e option or after all other options.
example$ elfsign sign -k myprivatekey -c mycert -e lib/libmylib.so.1Example 2 Verifying an elf Object's Signature
example$ elfsign verify -c mycert -e lib/libmylib.so.1 elfsign: verification of lib/libmylib.so.1 passedExample 3 Signing an Object Specifying the Data Range
This will be the prefix of the Certificate DN: ORCL
example$ elfsign sign -d relobj -k myprivatekey -c mycert -e lib/libmylib.so.1Example 4 Determining Information About an Object
example$ elfsign list -f format -e lib/libmylib.so.1 rsa_md5_sha1 example$ elfsign list -f signer -e lib/libmylib.so.1 CN=VENDOR, OU=Software Development, O=Vendor Inc.Example 5 Signing an ELF Object Using a Token URI
example$ elfsign sign -c mycert -e lib/libmylib.so.1 -T 'pkcs11:token=Sun Software PKCS#11 softtoken; object=mykey;pinfile=/path/to/pinfile'Example 6 Signing an ELF Object Using a Token URI with interactive PIN
example$ elfsign sign -c mycert -e lib/libmylib.so.1 \ -T 'pkcs11:token=Sun Software PKCS#11 softtoken;object=mykey' Enter PIN for Sun Software PKCS#11 softtoken:Example 7 Signing an ELF Object Using a Signature File
Create file containing data to be signed from the ELF object.
example$ elfsign data -o /path/to/data_file -e /lib/libmylib.so.1
Create private key and certificate file using the openssl command.
example$ openssl genrsa -out /path/to/private_key 2048 example$ openssl req -new -x509 -days 999 -key /path/to/private_key -out /path/to/certificate_file
Create a signature file using the openssl command.
example$ openssl dgst -sha256 -binary /path/to/data_file >/path/to/digest_file
example$ openssl rsautl -sign -in /path/to/digest_file -out /path/to/signature_file -inkey /path/to/private_key
Sign the ELF object using the signature file.
example$ elfsign sign -c /path/to/certificate_file -s /path/to/signature_file -e /lib/libmylib.so.1
The following exit values are returned:
|
Directory searched for the verify subcommand if the –c flag is not used.
See attributes(7) for descriptions of the following attributes:
|
The elfsign command and subcommands are Committed. While applications should not depend on the output format of elfsign, the output format of the list subcommand is Committed.