summaryrefslogtreecommitdiff
path: root/scripts/sign-file.c
diff options
context:
space:
mode:
authorDavid Woodhouse <David.Woodhouse@intel.com>2015-07-20 21:16:28 +0100
committerDavid Howells <dhowells@redhat.com>2015-08-07 16:26:14 +0100
commitaf1eb2913275c3ab1598b0c24c893499092df08a (patch)
treee176ad5867a4d4ca3db433e62fb362e5fff00be8 /scripts/sign-file.c
parentcaf6fe91ddf62a96401e21e9b7a07227440f4185 (diff)
modsign: Allow password to be specified for signing key
We don't want this in the Kconfig since it might then get exposed in /proc/config.gz. So make it a parameter to Kbuild instead. This also means we don't have to jump through hoops to strip quotes from it, as we would if it was a config option. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'scripts/sign-file.c')
-rwxr-xr-xscripts/sign-file.c27
1 files changed, 26 insertions, 1 deletions
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 39aaabe89388..720b9bc933ae 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -80,6 +80,27 @@ static void drain_openssl_errors(void)
} \
} while(0)
+static const char *key_pass;
+
+static int pem_pw_cb(char *buf, int len, int w, void *v)
+{
+ int pwlen;
+
+ if (!key_pass)
+ return -1;
+
+ pwlen = strlen(key_pass);
+ if (pwlen >= len)
+ return -1;
+
+ strcpy(buf, key_pass);
+
+ /* If it's wrong, don't keep trying it. */
+ key_pass = NULL;
+
+ return pwlen;
+}
+
int main(int argc, char **argv)
{
struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
@@ -96,9 +117,12 @@ int main(int argc, char **argv)
BIO *b, *bd = NULL, *bm;
int opt, n;
+ OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
ERR_clear_error();
+ key_pass = getenv("KBUILD_SIGN_PIN");
+
do {
opt = getopt(argc, argv, "dp");
switch (opt) {
@@ -132,7 +156,8 @@ int main(int argc, char **argv)
*/
b = BIO_new_file(private_key_name, "rb");
ERR(!b, "%s", private_key_name);
- private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
+ private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
+ ERR(!private_key, "%s", private_key_name);
BIO_free(b);
b = BIO_new_file(x509_name, "rb");